Category Archives: Concept

Vulnerability Assessment without Vulnerability Scanner

Vulnerability Assessment without Vulnerability Scanner. This will be a practical confirmation of my thesis from “Vulnerability scanners: a view from the vendor and end user side“: the scanner for one operating system is easy to make. I also want to demonstrate that data collection and data analysis for Vulnerability Assessment may be successfully performed separately. There is no need to take the data directly from the vulnerable hosts, when it is already stored somewhere else, for example in IT monitoring systems.

Assessment without vulnerability scanner

The opacity of data collection and the need to have a privileged account on the remote host, traditionally causes conflicts between IS and IT departments and complicates implementation of VM process.

So, to detect vulnerabilities on our Linux host we need to know what version of the packages contain vulnerabilities, which versions of packages are installed on our hosts, and learn how to compare versions.

How do I know which versions of packages are vulnerable?

Vulnerable versions of packages are listed in official security bulletins:
RHEL – https://access.redhat.com/errata/RHSA-2016:0304
CentOS – https://lists.centos.org/pipermail/centos-announce/2015-April/021064.html
Debian – http://www.debian.org/security/2015/dsa-3197
Ubuntu – http://www.ubuntu.com/usn/usn-2537-1/

CESA bulletin example

Of course, you will need to parse them first. Or you can just download the same content already parsed and presented in JSON format with Vulners.
download CESA bulletins from Vulners
Continue reading

Vulnerability scanners: a view from the vendor and end user side

Vulnerability scanners: a view from the vendor and end user side. Original article was published in Information Security Magazine #2, 2016 (in Russian)

Vulnerability scanner is a computer program or hardware appliance designed to detect security problems on hosts in computer network. What kind of problems? Well, problems that may occur if some critical security updates were not installed on time or the system was not configured securely. In practice, this situation often occurs and it makes hacking the systems easy even for inexperienced attacker.

If it is all about checking, maybe it’s possible to do it manually? Yes, sure, but it requires a lot of specific expertise, accuracy and time. That’s why vulnerability scanners, which can automate network audit, have become standard tools in the arsenal of information security experts.

I worked for a long time in the development department of well-known vulnerability scanning vendor and was making a lot of competitive analysis as well. At current time, I use vulnerability scanners as an end user. So, in this article I will try to look at the main problems of this class of products from the vendor and from the end user side.

how-users-see-the-vm-vendors-how-vm-vendors-see-the-users

How vulnerability scanner detects vulnerabilities?

Detection methods are usually well known and uncomplicated: vulnerability scanner somehow detects software version installed on a host. If version is less then secure version of this software (known from the public bulletin) – vulnerability exists and the software should be updated. If not – everything is ok. As a rule, vulnerability scanners try to guess installed versions by opened ports and service banners, or scanner may just have a full remote access to the host and able to perform all necessary commands (it is the most accurate and effective way).
Continue reading

VM Remediation using external task tracking systems

VM Remediation using external task tracking systems. In previous post I have briefly reviewed built-in remediation capabilities of vulnerability management systems. Continuing the theme, today I want to share some basic concepts how vulnerability remediation can be managed using external task tracking systems (Jira, TFS, Testrack, etc).

Jira Vulnerability Management ticket

Pros: it makes possible to implement any logic of remediation/patch management process.
Cons: you should make it by yourself; scripting skills and API knowledge required.

Tickets in buit-in remediation systems are usually assigned per host or per vulnerability. However, for large size networks making “one vulnerability on one host – one ticket” quickly become impractical. With universal task trackers we can do it in a different ways. I find it most convenient to make tickets on principle “one category of vulnerabilities, one ip range, one scanning iteration – one ticket”.
Continue reading

Remediation capabilities of Vulnerability Management products

Remediation capabilities of Vulnerability Management products. Vulnerability scanning and vulnerability management. This terms are often used synonymously. However, most top security vendors and institutions, express an opinion, that vulnerability management is a more complex process that includes vulnerability scanning (vulnerability assessment in general), remediation and some other stages, like asset management and risk assessment.

Vulnerability Management Lifecycle

Remediation in most cases, does not mean that the vulnerability management product automatically tries to patch vulnerable system, but rather provide functionality to control remediation process. In other words, it contains a built-in task tracker, where security administrators could assign tickets (manually or automatically) on system administrators to patch or reconfigure vulnerable systems. For example, such functionality is implemented in Tenable Security Center and Qualys Cloud Suite.

NB: In most cases, but there are exceptions, as ERPScan, Secpod Saner or ConfigOS. This solutions can actually update vulnerable systems automatically.

Continue reading