Chapter 18: Audit Vulnerability Scan Policy

 

Chapter Overview:

This chapter begins with an overview of a Vulnerability Assessment, followed by an example tier 2 Audit Vulnerability Scan Policy. Vulnerability Assessments are an essential tool for determining the security posture of an Enterprise and are an integral part of a security program. Vulnerability Assessments can be performed in-house or by an independent third party. Many organizations choose to use both in order to gain a broader perspective of their security posture.

Please Note: Never perform a Vulnerability Assessment without explicit and preferably written permission from your employer. Network and security administrators with the best intentions have been fired for performing a Vulnerability Assessment without proper authority to do so.

A Vulnerability Assessment is a technique of evaluating the security posture of an Enterprise or network using passive and active analysis of the target systems for known weaknesses, technical flaws, or vulnerabilities. Vulnerability Assessments provide a level of assurance that script kiddies, skilled intruders and malicious users cannot compromise an organization’s systems. Vulnerability Assessments should be performed on all supporting computers and networking gear that touch the Terminal Server environment. It is not uncommon for organizations to perform a Vulnerability Assessment monthly or immediately after vulnerabilities are discovered or become publicized on the Internet. For example, if there is a misconfigured Terminal Server, it could be compromised by a well-known vulnerability and used as a hacking vector to other systems behind the firewall.

The Vulnerability Assessment process involves passive and active analysis of the target systems for known weaknesses, technical flaws or vulnerabilities. All of the discovered security issues will be presented to the system owners, together with a detailed assessment of the impact and a proposal for mitigation.

Vulnerability Assessments follow the typical pattern that an intruder or malicious user would use to gain information about a target host or network. The first step is reconnaissance. Reconnaissance can be a quick ping sweep to see what IP addresses on the network respond; searching newsgroups on the Internet looking for ill-advised employees divulging useful information; or it can be dumpster diving to find useful information like passwords, employee names and contacts. Basic reconnaissance can be performed by visiting an organization’s website and gathering as much information as possible about the company. Public websites generally yield a wide variety of information that could be used to exploit systems and trick employees. For example, many organizations list the names of their management team on their public website. This information can be used for a social engineering attack, allowing an attacker to call or email employees using the names of the management staff to trick an employee into giving the attacker valuable information. Many public websites provide hints as to the type of systems an organization uses, which can be used to craft an attack against known vulnerabilities. Other reconnaissance techniques include using publicly available tools, such as InterNIC (http://www.internic.net/) and ARIN (http://www.arin.net/), to collect additional information about the domain registrations. Reconnaissance can also include theft, deception, tapping phones and networks, impersonations, or even leveraging falsified relationships to gather data about a target. The search for information is limited only by the extremes an attacker is willing to go to.
 
Note: Social engineering is a method used to obtain confidential information by manipulation and deception.
 
After an intruder has collected enough information, the next step is to scan the target organization’s external-facing systems or network for open ports and services. The scanning process can yield important information, such as ports open through the router and firewall, available services and applications on hosts or network appliances, and possibly the version of the operating system or application. After an intruder has mapped out available hosts, ports, applications and services, the next step is to test for known vulnerabilities that might exist on a host or network. When vulnerabilities are discovered, attacks are crafted and launched against systems. If attackers are able to compromise a system and gain access, they do their thing (whatever that is), and then they try to cover their tracks and leave a back door.
 
List 18.1 shows the pattern an attacker uses to penetrate systems:
  • Reconnaissance
  • Scanning
  • Craft an attack
  • Cover their tracks
 
There are many reasons why an organization would choose to perform a Vulnerability Assessment.
 
List 18.2 highlights some of the reasons:
  • Identify threats facing an organization’s information assets so they can be quantified to produce a risk analysis.
  • Provide an organization with assurances that they have a thorough and comprehensive assessment of their organizational security policies.
  • Gain and maintain certification to industry regulations (BS7799, Sarbanes-Oxley, HIPAA, etc.).
  • Adopt best practice by conforming to legal and industry regulations.
 
A Vulnerability Assessment involves the systematic analysis of an organization’s IT portfolio. It is crucial to set expectations, scope the project and have the explicit permission from management to perform the Vulnerability Assessment. The exact requirements should be agreed upon in a formal document or Statement of Work (SOW) prior to starting the project.
 
The real value of a Vulnerability Assessment is in the final report and executive summaries that are delivered to management and system owners. The deliverables need to be clear and easy to understand. The reports and executive summaries should be broken into sections that specifically target their intended audience, i.e. management, system owners, and so forth. Non-technical stakeholders will need the risks and possible solutions clearly described in layman's terms; technical managers need a broad overview of the situation without being confused with too much detail; and system administrators need a host-by-host list of technical vulnerabilities to address.
 
List 18.3 shows the minimum deliverables of a Vulnerability Assessment:
  • Executive summary.
  • Detailed results of the testing performed.
  • What the results indicate.
  • Recommendations on types of corrective actions suggested.
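The report structure described above (one view per audience, with corrective actions per finding) can be built from normalised scan output. The following is an added example, not code from the chapter or from any scanner; the finding records are constructed sample data and the field names (host, severity, title, fix) are assumptions about how scanner output has been normalised.

```python
"""Group vulnerability-scan findings into audience-specific report sections.

Added example, not from the chapter: the finding records below are
constructed sample data, and the field names (host, severity, title, fix)
are assumptions, not the export format of any particular scanner.
"""
from collections import Counter, defaultdict

# Lower number = more severe; used to order every view worst-first.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample findings, in the shape a scanner export might be
# normalised to before reporting.
FINDINGS = [
    {"host": "ts01.example.test", "severity": "high",
     "title": "Terminal Server allows unencrypted RDP sessions",
     "fix": "Require TLS for RDP and disable legacy security layers"},
    {"host": "ts01.example.test", "severity": "medium",
     "title": "Missing vendor security update",
     "fix": "Apply the current patch baseline"},
    {"host": "fw01.example.test", "severity": "critical",
     "title": "Management interface reachable from the Internet",
     "fix": "Restrict management access to the admin network"},
    {"host": "fs02.example.test", "severity": "low",
     "title": "Banner discloses software version",
     "fix": "Suppress version information in service banners"},
]


def executive_summary(findings):
    """Management view: how many issues of each severity, how many hosts."""
    counts = Counter(f["severity"] for f in findings)
    return {
        "hosts_affected": len({f["host"] for f in findings}),
        "by_severity": {s: counts.get(s, 0) for s in SEVERITY_ORDER},
        "worst_severity": min(
            (f["severity"] for f in findings),
            key=SEVERITY_ORDER.__getitem__,
            default=None,
        ),
    }


def technical_overview(findings):
    """Technical-manager view: critical and high items only, one line each,
    without the host-level detail."""
    return sorted(
        {f["title"] for f in findings if SEVERITY_ORDER[f["severity"]] <= 1}
    )


def host_by_host(findings):
    """Administrator view: per host, findings ordered worst first,
    each paired with its recommended corrective action."""
    per_host = defaultdict(list)
    for f in findings:
        per_host[f["host"]].append(f)
    return {
        host: [
            (f["severity"], f["title"], f["fix"])
            for f in sorted(items, key=lambda f: SEVERITY_ORDER[f["severity"]])
        ]
        for host, items in sorted(per_host.items())
    }


if __name__ == "__main__":
    print("Executive summary:", executive_summary(FINDINGS))
    print("Technical overview:", technical_overview(FINDINGS))
    for host, items in host_by_host(FINDINGS).items():
        print(host)
        for sev, title, fix in items:
            print(f"  [{sev}] {title} -> {fix}")
```

The three functions deliberately consume the same finding list, so the executive counts, the manager's short list and the administrator's host-by-host list can never disagree about what was found.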
 
The next example shows an Audit Vulnerability Scan Policy from the SANS Policy Project that defines the agreement to perform network security scanning. The example policy starts with a Purpose and Scope statement and then proceeds with the Policy. This policy is intended for informational purposes only.
 
Audit Vulnerability Scan Policy
 
Purpose
The purpose of this agreement is to set forth our agreement regarding network security scanning offered by the <Internal or External Audit Name> to the <Company Name>.   <Internal or External Audit Name> shall utilize <Approved Name of Software> to perform electronic scans of Client’s networks and/or firewalls or on any system at <Company Name>.
 
Audits may be conducted to:
  • Ensure integrity, confidentiality and availability of information and resources.
  • Investigate possible security incidents and ensure conformance to <Company Name> security policies.
  • Monitor user or system activity where appropriate.

Scope

This policy covers all computer and communication devices owned or operated by <Company Name>. This policy also covers any computer and communications devices that are presently on <Company Name> premises, but which may not be owned or operated by <Company Name>. The <Internal or External Audit Name> will not perform Denial of Service activities.
 
Policy
When requested, and for the purpose of performing an audit, consent to access needed will be provided to members of <Internal or External Audit Name>. <Company Name> hereby provides its consent to allow <Internal or External Audit Name> to access its networks and/or firewalls to the extent necessary to allow [Audit organization] to perform the scans authorized in this agreement. <Company Name> shall provide protocols, addressing information and network connections sufficient for <Internal or External Audit Name> to utilize the software to perform network scanning.
 
This access may include:
  • User level and/or system level access to any computing or communications device.
  • Access to information (electronic, hardcopy, etc.) that may be produced, transmitted or stored on <Company Name> equipment or premises.
  • Access to work areas (labs, offices, cubicles, storage areas, etc.).     
  • Access to interactively monitor and log traffic on <Company Name> networks.
 
Network Control
If Client does not control their network and/or Internet service is provided via a second or third party, these parties are required to approve scanning in writing if scanning is to occur outside of the <Company Name’s> LAN. By signing this agreement, all involved parties acknowledge that they authorize <Internal or External Audit Name> to use their service networks as a gateway for the conduct of these tests during the dates and times specified.
 
Service Degradation and/or Interruption
Network performance and/or availability may be affected by the network scanning.   <Company Name> releases <Internal or External Audit Name> of any and all liability for damages that may arise from network availability restrictions caused by the network scanning, unless such damages are the result of <Internal or External Audit Name>’s gross negligence or intentional misconduct.
 
Client Point of Contact during the Scanning Period
<Company Name> shall identify in writing a person to be available if the <Internal or External Audit Name> Scanning Team has questions regarding data discovered or requires assistance.
 
Scanning period
<Company Name> and <Internal or External Audit Name> Scanning Team shall identify in writing the allowable dates for the scan to take place.
 
Compliance
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
 
The above Audit Vulnerability Scan Policy example shows how a policy can provide an organization with a strategy to engage in network security scanning.
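The clauses of the policy above (scope limited to the client's devices, written approval for third-party networks, an agreed scanning period, a named point of contact, and no Denial of Service activities) can be checked mechanically before a scanner is started. The following is an added example and is not part of the SANS policy or of any scanning product; the agreement record, the target addresses, the dates and the plugin-category label are all constructed, and the field names are assumptions.

```python
"""Pre-flight check that a proposed scan run stays inside a signed scan agreement.

Added example, not from the chapter or the SANS policy: the agreement record,
target list and dates are constructed, and the field names are assumptions.
It encodes the policy's scope, scanning-period, third-party-network,
point-of-contact and no-Denial-of-Service clauses as checks that run
before any scanner does.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress


@dataclass
class ScanAgreement:
    client: str
    auditor: str
    in_scope: list                      # CIDRs the client owns or operates
    third_party_approved: list = field(default_factory=list)  # CIDRs outside the LAN with written approval
    window_start: datetime = None       # agreed scanning period (UTC)
    window_end: datetime = None
    point_of_contact: str = ""          # person identified in writing
    signed: bool = False


# Constructed sample agreement: one internal range plus one externally
# hosted range whose provider approved scanning in writing.
AGREEMENT = ScanAgreement(
    client="<Company Name>",
    auditor="<Internal or External Audit Name>",
    in_scope=["10.20.0.0/16"],
    third_party_approved=["203.0.113.0/28"],
    window_start=datetime(2024, 3, 4, 22, 0, tzinfo=timezone.utc),
    window_end=datetime(2024, 3, 5, 4, 0, tzinfo=timezone.utc),
    point_of_contact="ts-admin@example.test",
    signed=True,
)

# Assumption: the scanner tags its disruptive tests with this category name.
DOS_PLUGIN_CATEGORIES = {"denial_of_service"}

# Constructed run times used by the demonstration below.
IN_WINDOW = datetime(2024, 3, 4, 23, 0, tzinfo=timezone.utc)
AFTER_WINDOW = datetime(2024, 3, 5, 9, 0, tzinfo=timezone.utc)


def check_target(agreement, target):
    """Return a reason string if the address is not covered by the agreement, else None."""
    addr = ipaddress.ip_address(target)
    nets = [ipaddress.ip_network(n)
            for n in agreement.in_scope + agreement.third_party_approved]
    if not any(addr in n for n in nets):
        return f"{target}: outside the agreed scope"
    return None


def preflight(agreement, targets, when, plugin_categories):
    """Collect every policy violation for a proposed run; an empty list means go."""
    problems = []
    if not agreement.signed:
        problems.append("agreement not signed")
    if not agreement.point_of_contact:
        problems.append("no client point of contact identified in writing")
    if agreement.window_start is None or agreement.window_end is None \
            or not (agreement.window_start <= when <= agreement.window_end):
        problems.append(f"{when.isoformat()} is outside the agreed scanning period")
    for category in sorted(set(plugin_categories) & DOS_PLUGIN_CATEGORIES):
        problems.append(f"plugin category '{category}' is forbidden: no Denial of Service activities")
    for target in targets:
        reason = check_target(agreement, target)
        if reason:
            problems.append(reason)
    return problems


if __name__ == "__main__":
    print(preflight(AGREEMENT, ["10.20.5.7", "203.0.113.9"], IN_WINDOW, {"safe_checks"}))
    print(preflight(AGREEMENT, ["10.20.5.7", "198.51.100.3"], AFTER_WINDOW, {"denial_of_service"}))
```

The check reports every violation rather than stopping at the first, so the point of contact can be told in one message what has to change (a missing signature, a target outside scope, a run outside the window) before the scan is rescheduled.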
 
 
This chapter discussed Vulnerability Assessment and concluded with an example Audit Vulnerability Scan Policy.
 
  • A Vulnerability Assessment is a technique of evaluating the security posture of an Enterprise or network by simulating a variety of known attacks.
  • A Vulnerability Assessment provides a level of assurance that script kiddies, skilled intruders and malicious users cannot compromise an organization’s systems.
  • A Vulnerability Assessment should be performed on all systems, including computers, storage and networking gear.
  • It is not uncommon for organizations to perform a Vulnerability Assessment monthly or immediately after vulnerabilities are discovered or become publicized on the Internet.
  • The Vulnerability Assessment process involves passive and active analysis of the target systems for known weaknesses, technical flaws or vulnerabilities.
  • A Vulnerability Assessment follows the typical pattern that an intruder or malicious user would use to gain information about a target host or network.
  • The real value of a Vulnerability Assessment is in the final report and executive summaries that are delivered to management and system owners at the end.
  • An organization’s Enterprise Architecture should include policies on conducting a Vulnerability Assessment, such as an Audit Vulnerability Scan Policy.
 
Resources:
The SANS Policy Project
ISECOM - Institute for Security and Open Methodologies