Vulnerability Management with the GSM

Vulnerability management provides real added value in the organization of IT security in general, and in the preventive hardening of IT systems against successful attacks by internal and external perpetrators in particular. To realize that added value, vulnerability management must be integrated into a security process: detecting a vulnerability must be followed by its elimination (update, patch or reconfiguration) or its treatment through another security mechanism (IDS, firewall rule). For system administration, vulnerability management identifies the vulnerabilities; for IT management it offers a useful tool for risk management, compliance and quality monitoring of IT security.
"Vulnerability assessment" means the identification of vulnerabilities in IT systems. These may be caused by incorrect configuration or by programming errors. A vulnerability assessment determines and documents them. A patch or a reconfiguration then eliminates the vulnerability. If a reconfiguration is not possible, the vulnerability can at least be mitigated by precautions such as a firewall rule or a so-called "intrusion prevention" rule.
Once the vulnerabilities have been identified, the related information is embedded in a management process. This process is called "vulnerability management". It enables documentation of the security status, of changes to the security status, and a benchmark of security over time. By transferring the scan results into the management process, simple indicators or traffic lights can show whether vulnerabilities exist, whether they have meanwhile been closed by IT administration, or whether new vulnerabilities have been revealed in the course of the ongoing vulnerability assessments.
Patching does not replace vulnerability management. Even for carefully patched systems, an equally thorough vulnerability management remains necessary.
- Firstly, due to system dependencies it is often not possible to apply the current patch level, because otherwise special database or other business-critical applications cannot run or lose their certification.
- Secondly, for some vulnerabilities there is no patch, and vulnerabilities can arise despite a current software version purely through misconfiguration. An administrator password of "12345678" is a classic example; another is a file system share that is accidentally exposed to the Internet.
Vulnerability scans alone are not enough; action is needed
The security of an IT infrastructure is not improved merely by recording and documenting all vulnerabilities through vulnerability assessment. The vulnerabilities always have to be passed on, within an organizational process, to the relevant person in charge. Alongside this, a management process is set up that guarantees the follow-up of weaknesses, possibly with technological or management implications. The countermeasures are documented in this process and their technical effectiveness is examined. This can be done by a new vulnerability assessment scan or by a detailed test with another software tool.
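The status indicators described above (vulnerabilities that are new, still open, or closed since the last scan) and the verification of countermeasures by rescanning both come down to comparing two sets of scan findings. The following is an added example, not code from the page or from Greenbone: it keys each finding by host, port and test identifier, classifies every finding across two scans, derives a traffic-light summary, and lists the findings a rescan has confirmed as closed. All hosts, ports, test identifiers and severity scores are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    """One vulnerability reported by a scan. The nvt field is a test identifier;
    the values used below are constructed, not real Greenbone/OpenVAS ids."""
    host: str
    port: str
    nvt: str
    severity: float  # CVSS-style 0.0 - 10.0 score as reported by the scanner


Key = Tuple[str, str, str]


def index(findings: List[Finding]) -> Dict[Key, Finding]:
    """Key each finding by (host, port, test) so two scans can be compared."""
    return {(f.host, f.port, f.nvt): f for f in findings}


def compare_scans(previous: List[Finding], current: List[Finding]) -> Dict[Key, str]:
    """Classify every vulnerability seen in either scan as new, persisting or closed."""
    prev, cur = index(previous), index(current)
    status: Dict[Key, str] = {}
    for key in cur:
        status[key] = "persisting" if key in prev else "new"
    for key in prev:
        if key not in cur:
            status[key] = "closed"
    return status


def traffic_light(status: Dict[Key, str], current: List[Finding], high: float = 7.0) -> str:
    """Red: an open vulnerability at or above 'high'. Yellow: anything open. Green: nothing open."""
    cur = index(current)
    open_severities = [cur[k].severity for k, s in status.items() if s != "closed"]
    if any(sev >= high for sev in open_severities):
        return "red"
    return "yellow" if open_severities else "green"


def verified_closed(status: Dict[Key, str]) -> List[Key]:
    """Vulnerabilities whose countermeasure the rescan confirmed (no longer detected)."""
    return sorted(k for k, s in status.items() if s == "closed")


# Constructed sample results: the first scan, and a rescan after administration patched web01.
PREVIOUS_SCAN = [
    Finding("web01", "443/tcp", "EXAMPLE-weak-tls-cipher", 5.3),
    Finding("web01", "80/tcp", "EXAMPLE-outdated-httpd", 7.5),
    Finding("db01", "3306/tcp", "EXAMPLE-default-credentials", 9.8),
]
CURRENT_SCAN = [
    Finding("web01", "443/tcp", "EXAMPLE-weak-tls-cipher", 5.3),      # still open
    Finding("db01", "3306/tcp", "EXAMPLE-default-credentials", 9.8),  # still open
    Finding("db01", "22/tcp", "EXAMPLE-outdated-sshd", 6.5),          # newly found
]

if __name__ == "__main__":
    status = compare_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    for key, state in sorted(status.items()):
        print(f"{key[0]:6} {key[1]:9} {key[2]:30} {state}")
    print("verified closed:", verified_closed(status))
    print("overall:", traffic_light(status, CURRENT_SCAN))
```

With the sample data the httpd finding on web01 is reported as closed (the patch is confirmed by the rescan), the sshd finding on db01 is new, and the overall light stays red because the default-credentials finding on db01 is still open with a high score. Keying on host, port and test identifier rather than on the free-text description keeps a finding stable across scans even when the scanner's wording changes.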
A vulnerable service that is not necessary for a core business process can be switched off completely or temporarily, or be protected by a firewall or IPS rule set. Through documentation, combined with control and monitoring of the vulnerable service, such services can also be covered if they cannot be protected by any other alternative. For example, a logging rule in the firewall documents evidence of authorized and unauthorized access to potentially vulnerable systems and can refute allegations of an attack.
Vulnerability management is not solved by technology alone
The basis for successful vulnerability management is the organizational processes that carry the technical findings of vulnerability assessment into a work process leading to the closure of vulnerabilities. Depending on the risk, system administration must be provided with suitable tools that reflect this security process. Likewise, the technical IT department must be provided with the means to close, or at least defuse, the identified weaknesses. Suitable security policies that help to prevent misconfiguration must also be mapped onto an organizational process.
Organisational framework of vulnerability management and security policies
As part of the organizational process, test guidelines can be transferred into Greenbone test scripts. The resulting automated inspection for compliance with security policies ("compliance" in English) saves a considerable amount of work.
Where to start, and how high is the risk?
- It has proved helpful in practice to begin where the operational risk is highest.
- This risk can be determined by the company's own risk management system. For less complex requirements a simple rule of thumb can be used:
- Risk = threat probability * potential damage
- This can also be applied to each individual known vulnerability (here: S):
- Risk(S) = threat probability(S) * potential damage(S)
Here the threat probability is actually composed of the threat scenario and the vulnerability severity. The threat scenario describes how easy it is for an attacker to exploit the vulnerability. So:

Risk(S) = threat scenario(S) * vulnerability severity(S) * damage(S)
The threat scenario for a web server in a DMZ, and thus connected to the Internet, is certainly higher than for a web server that is reachable only via a telephone dial-up line. The damage from the loss of a production machine is much higher than the loss of the company's own web server for image films.

Even with simplistic categories for threat scenario, vulnerability severity and damage, this yields a score that allows prioritizing where to start work. The vulnerability severity is already included in the information delivered for each vulnerability. You then only have to assign a category to the threat scenario and to the damage.
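The following is an added example of the prioritization just described; it is not code from the page or from Greenbone. It applies Risk(S) = threat scenario(S) * vulnerability severity(S) * damage(S) with the simplistic 1-3 categories the text suggests: the severity category is derived from the scanner's score, while the threat scenario and damage categories are assigned per system. The category names, the severity thresholds and all findings are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import List

# Simplistic categories on a 1-3 scale for the two factors the administrator assigns.
# The category names and values are constructed for this example.
THREAT_SCENARIO = {"internet-dmz": 3, "internal-lan": 2, "dialup-only": 1}
DAMAGE = {"production-machine": 3, "office-system": 2, "image-webserver": 1}


def severity_category(score: float) -> int:
    """Reduce the scanner's severity score (CVSS-style 0-10) to a 1-3 category.
    The thresholds are an assumption chosen for the example."""
    if score >= 7.0:
        return 3
    if score >= 4.0:
        return 2
    return 1


@dataclass
class ScanFinding:
    host: str
    vulnerability: str   # constructed description, not a real test id
    score: float         # severity delivered with the vulnerability information
    scenario: str        # key into THREAT_SCENARIO, assigned per system
    damage: str          # key into DAMAGE, assigned per system


def risk(f: ScanFinding) -> int:
    """Risk(S) = threat scenario(S) * vulnerability severity(S) * damage(S)."""
    return THREAT_SCENARIO[f.scenario] * severity_category(f.score) * DAMAGE[f.damage]


def prioritize(findings: List[ScanFinding]) -> List[ScanFinding]:
    """Order findings so that work starts where the operational risk is highest."""
    return sorted(findings, key=risk, reverse=True)


# Constructed findings mirroring the systems mentioned in the text
FINDINGS = [
    ScanFinding("www-dmz", "critical flaw in web framework", 9.8, "internet-dmz", "image-webserver"),
    ScanFinding("plc-ctrl", "medium flaw in management service", 5.0, "internal-lan", "production-machine"),
    ScanFinding("plc-remote", "medium flaw in remote service", 6.0, "dialup-only", "production-machine"),
    ScanFinding("pc-042", "low-severity information leak", 3.0, "internal-lan", "office-system"),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"risk={risk(f):2d}  {f.host:10} {f.vulnerability}")
```

The ordering shows why the severity score alone is not enough: the medium-score finding on the production machine in the internal LAN (risk 12) comes before the critical finding on the Internet-facing image web server (risk 9), and the same medium-score finding on a production machine reachable only by dial-up drops to risk 6.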
New tool, new risk
It should be noted that any new IT security tool also brings an inherent risk. Such software tools can impair business operations, as they are used at sensitive and safety-relevant points. Weak points in such software can themselves quickly become a safety hazard. Some vulnerability scanners need the administrator password for the domain, in effect a master key. It is not clear what else the scanning software does with it, or whether it might even be accessible to a malicious party via a back door or through unauthorized maintenance access.
Centralized solutions are ineffective and bring additional risks
The core of a vulnerability scanner is the so-called "scan engine". With some providers it is operated centrally in the provider's data center. A scanning appliance placed at the customer's site establishes a so-called "layer 2 tunnel" between the customer's own IT network, which is the target of the scanner, and the provider's data center in order to scan.
All information about the vulnerabilities found is then made available via a web portal over the Internet. It is often difficult or impossible to determine from the contract where the information about one's own company's vulnerabilities is stored. In many cases it is stored on central servers in the United States or India. Such a concentration of known vulnerabilities is an extremely attractive target and a coveted data source for insider attacks.
From the perspective of risk management it is hardly comprehensible that such tunnels are introduced into sensitive infrastructure, and that all vulnerabilities are then stored outside the area covered by the company's operational guidelines and controls. The customer of such a solution has no direct influence on either deletion or archiving. Operational guidelines for control of the IT sector have a very real background: on online auction houses such as eBay, discarded hard drives from various data centers can be obtained, originating from bankruptcies or simply from purchases. In general the data is recoverable, if any deletion was carried out at all.
If, in contrast, the scan engine is operated entirely on an appliance in the company's own data center, this means some additional effort to maintain the scan engine. But security is gained, because the business and operational risks can be reduced by eliminating these uncertainties.
Proprietary solutions are not transparent
The unique selling point of the Greenbone Security Manager is its demonstrable and independently verifiable security. Since the complete scan engine and all routines are available in source code as open source, they can be fully audited by customers and third parties.
Where proprietary solutions offer marketing promises and assurances, Greenbone relies on facts that can be verified by any third party to build customer confidence. By opening up the process, a customer can better assess the risk associated with using the Greenbone Security Manager. The transparent scan engine provides proven security, and the subscription to daily routines for uncovering the most relevant vulnerabilities gives immediate insight into the technical testing procedures.