Example security metrics (table fragment):
- No. of false passwords
- Existence of appropriate password policies
- No. of virus infections per month
- Frequency of, and compliance with, virus detection updates
- No. of infected components per virus incident (measures response)
- Use of regular audit reviews
- Frequency of audit reviews
- Use of automated intrusion detection system with alarms
- Time elapsed between discovery of intrusion and initiation of corrective measures
- No. of firewalls per external access point
- No. of successful external network penetrations
- No. of external users required to use strong identification and authentication (I&A)
- No. of system accesses by unauthorized users through channels protected by strong I&A
I.2 Must-Have Metrics for Vulnerability Management

Know Your Assets: Do you know where all your assets and applications are? What is your current assessment coverage? How do you discover new assets?
Know Your Business: Are you performing threat modelling? What threats exist to your business? Are you a target?
Know Your Risk: Where are your security weaknesses and vulnerabilities, and which ones are the most likely to be exploited? How do you determine likelihood and impact?
Know Your Resources: What can you get done with the resources you have? Are you accounting for budget, time, and people?
Know Your Direction: Are you getting better or worse over time? Given the other must-haves above, what is an achievable goal for risk reduction?

The Old Ways Are No Longer Enough: The old methods of vulnerability management, using spreadsheets and counting vulnerabilities, still have their place. But in a new world of rising threats and attacks, a new set of metrics is necessary to keep pace with the rising cadence of critical vulnerabilities.
I.3 Patch and Vulnerability Metrics
I.4 Metrics Users
- Project managers and leads: for operational or development environments, or for process improvement
- Chain of command and funding sources: to influence budgets, priorities, and allocation of resources
- Community at large: for awareness, competition, coordination, best practices
- Procurement (e.g., Department of Defense [DoD]): looking for services or products
- Hostile entities: as a deterrent to those who either might attack or who are in competition
- Product vendors: for assessing security product effectiveness based on engineering process improvement
II.1 The Architecture of Vulnerability Scanners

In general, a vulnerability scanner is made up of four main modules, namely a Scan Engine, a Scan Database, a Report Module and a User Interface.

1. The Scan Engine executes security checks according to its installed plug-ins, identifying system information and vulnerabilities. It can scan more than one host at a time and compares the results against known vulnerabilities.
2. The Scan Database stores vulnerability information, scan results, and other data used by the scanner. The number of available plug-ins, and the updating frequency of plug-ins, will vary depending on the vendor. Each plug-in might contain not only the test case itself, but also a vulnerability description, a Common Vulnerabilities and Exposures (CVE) identifier, and even fixing instructions for a detected vulnerability. Scanners with an "auto-update" feature can download and install the latest set of plug-ins into the database automatically.
3. The Report Module provides different levels of reports on the scan results, such as detailed technical reports with suggested remedies for system administrators, summary reports for security managers, and high-level graph and trend reports for executives.
4. The User Interface allows the administrator to operate the scanner. It may be either a Graphical User Interface (GUI) or just a command line interface.
II.2 Choosing a Vulnerability Scanner
The following factors should be considered when selecting a vulnerability scanner:

1. Updating Frequency and Method of Plug-in Updates. Usually, a vulnerability scanner cannot identify a vulnerability if the corresponding plug-in is not available. As a result, the faster a vendor can produce updated and new plug-ins, the more capable a scanner is of spotting new flaws. Also, scanners with an "auto-update" feature can automatically download and install the latest plug-ins on a regular basis. This should be considered when choosing a vulnerability scanner.
2. Quality versus Quantity of Vulnerabilities Detected. The accuracy with which critical vulnerabilities are identified is more important than the number of vulnerability checks, because the same vulnerability may be counted more than once by the scanner. The effective number of vulnerabilities can be compared in terms of Common Vulnerabilities and Exposures (CVE), a list of standardised names for vulnerabilities and other information security exposures. The content of CVE is the result of a collaborative effort by the CVE Editorial Board.
3. Quality of Scanning Reports. Apart from the details of detected vulnerabilities, a useful scanning report should give clear and concise information about fixing the problems uncovered. When administrators need to perform subsequent scans after initial scanning or configuration changes, or to compare results with those of previous scans, a scanner with a back-end database that keeps an archive of scanning results for trend analysis is preferable.
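The following is an added example, written for this page and not taken from any scanner vendor or from the cited sources, that puts the four-module layout of II.1 and the archive-for-trend-analysis point of II.2 into working Python. The Scan Engine does a TCP connect scan plus banner grab and runs each plug-in against the banner; the Scan Database is an SQLite archive keyed by scan id; the Report Module gives an administrator view, a manager summary, and an executive fixed-versus-new comparison of two archived scans. Everything not in the page is an assumption: the plug-in fields, the schema, the three local listeners and their banners (constructed; the "password" banner is a deliberately leaky debug service), and the high/medium/low rating each plug-in carries. Real plug-ins would carry CVE identifiers and vendor-maintained checks, which this example does not attempt to invent.

```python
# Added example (not vendor code): schema, plug-ins, targets and ratings are assumed.
import re
import socket
import sqlite3
import threading
from collections import namedtuple

# --- Scan Database: SQLite archives every scan so later runs can be compared.
SCHEMA = """CREATE TABLE scan (id INTEGER PRIMARY KEY, host TEXT, label TEXT);
CREATE TABLE finding (scan_id INTEGER, port INTEGER, plugin TEXT, risk TEXT,
                      description TEXT, fix TEXT);"""

# A plug-in bundles the test with its description, rating and remedy (II.1);
# the high/medium/low ratings are this example's own. check(port, banner) -> bool.
Plugin = namedtuple("Plugin", "name risk description fix check")
PLUGINS = [
    Plugin("password-in-banner", "high", "credential returned before any login",
           "remove the debug output and rotate the exposed credential",
           lambda port, b: b"password" in b.lower()),
    Plugin("telnet-service", "medium", "telnet IAC DO/WILL seen: cleartext login",
           "disable telnet and use SSH",
           lambda port, b: b"\xff\xfd" in b or b"\xff\xfb" in b),
    Plugin("version-in-banner", "low", "banner discloses a product version",
           "suppress version strings in the banner",
           lambda port, b: re.search(rb"\d+\.\d+", b) is not None),
]

# --- Scan Engine: TCP connect scan plus banner grab, then run every plug-in.
def probe(host, port, timeout=2.0):
    """Banner bytes (b'' if open but silent); None if closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                return s.recv(256)
            except socket.timeout:
                return b""
    except OSError:
        return None

def scan(db, host, ports, label):
    scan_id = db.execute("INSERT INTO scan(host, label) VALUES (?, ?)",
                         (host, label)).lastrowid
    for port in ports:
        banner = probe(host, port)
        for p in PLUGINS:
            if banner is not None and p.check(port, banner):
                db.execute("INSERT INTO finding VALUES (?, ?, ?, ?, ?, ?)",
                           (scan_id, port, p.name, p.risk, p.description, p.fix))
    db.commit()
    return scan_id

# --- Report Module: one view per audience, plus a trend comparison.
def technical_report(db, scan_id):      # administrators: what, where, how to fix
    return [tuple(r) for r in db.execute("SELECT port, plugin, risk, fix FROM "
            "finding WHERE scan_id=? ORDER BY port, plugin", (scan_id,))]

def summary(db, scan_id):               # managers: counts per risk level
    rows = db.execute("SELECT risk, COUNT(*) FROM finding WHERE scan_id=? "
                      "GROUP BY risk", (scan_id,))
    return {**{"high": 0, "medium": 0, "low": 0}, **dict(rows)}

def trend(db, before, after):           # executives: fixed vs. newly introduced
    keys = lambda sid: {tuple(r) for r in db.execute(
        "SELECT port, plugin FROM finding WHERE scan_id=?", (sid,))}
    old, new = keys(before), keys(after)
    return {"fixed": sorted(old - new), "new": sorted(new - old)}

# --- Constructed targets: local listeners that only return a banner.
class Service:
    def __init__(self, banner):
        self.banner = banner            # mutable, so a finding can be "patched"
        self.sock = socket.create_server(("127.0.0.1", 0))
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return
            with conn:
                conn.sendall(self.banner)

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    targets = [Service(b"220 ProFTPD 1.3.5 Server ready\r\n"),     # constructed
               Service(b"\xff\xfd\x18\xff\xfd\x20\r\nlogin: "),    # banners
               Service(b"debug: db password=hunter2\r\n")]
    ports = [t.port for t in targets]
    baseline = scan(db, "127.0.0.1", ports, "baseline")
    targets[2].banner = b"ok\r\n"       # "remediate" the leak, then rescan
    rescan = scan(db, "127.0.0.1", ports, "rescan")
    return {"baseline": summary(db, baseline), "rescan": summary(db, rescan),
            "trend": trend(db, baseline, rescan), "report": technical_report(db, rescan)}
```

Running `demo()` scans the three constructed listeners twice; the baseline yields one high, one medium and one low finding, the rescan after the debug banner is silenced yields only the medium and low ones, and `trend` reports the password leak as fixed with nothing new. Because every finding is keyed by (port, plug-in) in the archive, the trend view does not double-count a vulnerability that several checks could trip on, which is the quality-over-quantity point in II.2.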
III.1 A Word on Vulnerability and Risk Management

Executive Summary

Vulnerabilities in the report are classified into three categories: high, medium or low. This classification is based on industry standards and is endorsed by the major credit card companies. The categories are defined as follows:

High risk vulnerabilities fall into one or more of the following categories: backdoors, full read/write access to files, remote command execution, potential Trojan horses, or critical information disclosure (e.g. passwords).

Medium risk vulnerabilities are those not categorized as high risk that belong to one or more of the following categories: limited access to files on the host, directory browsing and traversal, disclosure of security mechanisms (filtering rules and security mechanisms), denial of service, unauthorized use of services (e.g. mail relay).

Low risk vulnerabilities are those that do not fall into the "high" or "medium" categories. Typically these are: sensitive information gathered on the server's configuration; informative tests.

Host information: provided by tests that discover information about the target host; the results of these tests are not classified as vulnerabilities.

Guessed platform: detection of the operating system running on the host via TCP/IP stack fingerprinting. This test is not very accurate, so the result is a guess.

Internal Scan
- Ineffective Procedures: The results from the internal scan indicate that the current security configuration procedures are ineffective.
- Old Passwords: There are several accounts with passwords older than thirty days, and some are close to a year old.

IV.1 Scan Sample

V. Examples of Common Vulnerability Scanners

A number of open source, freeware or commercial vulnerability scanners are available for download or trial. The following are examples:

1. Network-based scanners
   a. Port scanners
      Nmap: http://insecure.org/nmap/
      SuperScan: http://www.foundstone.com/us/resources/proddesc/superscan4.htm
   b. Network vulnerability scanners
      Nessus: http://www.nessus.org/nessus/
      GFI LANguard Network Security Scanner (N.S.S.) (commercial): http://www.gfi.com/languard/
   c. Web server scanners
      Nikto: http://www.cirt.net/code/nikto.shtml
      Wikto: http://www.sensepost.com/research/wikto/
   d. Web application vulnerability scanners
      Paros: http://parosproxy.org/index.shtml
      Acunetix Web Vulnerability Scanner (commercial): http://www.acunetix.com/
2. Host-based scanners
   a. Host vulnerability scanners
      Microsoft Baseline Security Analyser (MBSA): http://www.microsoft.com/technet/security/tools/mbsahome.mspx
      Altiris SecurityExpressions (commercial): http://www.altiris.com/Products/SecurityExpressions.aspx
   b. Database scanners
      Scuba by Imperva Database Vulnerability Scanner: http://www.imperva.com/application_defense_center/scuba/default.asp
      Shadow Database Scanner: http://www.safety-lab.com/en/products/6.htm

VI. Glossary

Port scan: the process of using an automated tool to attempt to locate all TCP or UDP ports on a host that are advertising a service.

Security Gurus Scanning Methodology: this service scans a Security Gurus customer site via the Internet from outside its perimeter security controls to search for vulnerabilities that may exist within specifically identified components accessible from the Internet, including firewalls, web servers, and exposed hosts.

Vulnerability Scan Tools: used to scan for and detect vulnerabilities that exist within a customer's site.

References:
The Government of the Hong Kong Special Administrative Region, An Overview of Vulnerability Scanners, February 2008.
Kormos, Gallagher, Givans, Bartol (Booz-Allen & Hamilton, Inc.), Using Security Metrics to Assess Risk Management Capabilities.
Wolfgang Kandek, CTO, Qualys, Inc., http://laws.qualys.com, July 28, 2009.
http://www.csoonline.com/article/2899169/cyber-crime/measuring-the-effectiveness-of-your-vulnerability-management-program.html
https://en.wikipedia.org/wiki/CVSS
https://nvd.nist.gov/cvss.cfm
https://www.iso.org/standard/39612.html
https://en.wikipedia.org/wiki/ISO/IEC_27002
https://www.sans.org/score/checklists/iso-17799-2005