Vulnerability assessment tools are important to our network and computer defensive arsenal. They are especially useful for verification testing. But, we have to do more than hand over $60,000 to some outside firm in exchange for a 100 page, boiler-plated document. Vulnerability assessment reports are most useful after we classify critical systems, and then comprehend what the report is telling us, critique its applicability to our organization, and customize what we test in future assessments.
So, you -- or someone to whom you've paid a lot of money -- have run some tool or tools against your network, firewall, and key servers, or perhaps against your one and only web-site. You have a report that has a graph showing you that the severity of 20% of the vulnerabilities are "high," 30% are "medium," and 50% are "low."
If you are lucky, or properly negotiated the contract, you also have a written analysis by an expert, with recommendations. The report will contain false alarms -- things that could be problems but are not. If you scanned your whole network for vulnerabilities, you have alerts relating to each of the systems, with no consideration of the importance of the system. Where to begin?
To make reports like this useful, you need to start before the scan. I want to give you 4 recommendations to enhance the usefulness of vulnerability reports.
Suppose this error came up against a web server: "The remote host is using a version of OpenSSL which is older than 0.9.6e or 0.9.7-beta3. This version is vulnerable to a buffer overflow which may allow an attacker to obtain a shell on this host." This is a serious concern. We would add this to a list for system administrators of all Linux web servers to check and fix
Joel Snyder tested five VA scanners for Information Security Magazine's March 2003 edition. Find it at http://www.infosecuritymag.com/2003/mar/cover.shtml
A search on searchSecurity.com will turn up some VA vendors. A year ago, Information Security Magazine, for whom I write, reviewed some assessment products. (http://www.infosecuritymag.com/2002/apr/solutions.shtml.) There are also numerous freely available products such as "nessus" (www.nessus.org).
I reviewed the Sidewinder G2 Firewall Appliance in the April 2003 issue of Information Security Magazine. Find it at http://www.infosecuritymag.com/2003/apr/testcenter.shtml.
On April 28, at Networld+Interop in Las Vegas, I'll again be teaching (an updated) "VPN Day 1: Fundamentals" class with my pal, and fellow security consultant, Dave Piscitello ( http://www.interop.com/lasvegas2003/). I am also teaching a new course, "Advanced Firewalls," on April 29.