Appendix

I.1 Metrics

No. of false passwords
Existence of appropriate password policies
No. of virus infections per month
No. of firewalls per external access point
No. of successful external network penetrations
No. of infected components per virus incident (measures response)
Use of regular audit reviews
Frequency of audit reviews
Use of automated intrusion detection system with alarms
Time elapsed between discovery of intrusion and initiation of corrective measures
Frequency of and compliance with virus detection updates
No. of external users required to use strong identification and authentication (I&A)
No. of system accesses by unauthorized users through channels protected by strong I&A

I.2 Must-Have Metrics for Vulnerability Management

Know Your Assets: Do you know where all your assets and applications are? What is your
current assessment coverage? How do you discover new assets?
Know Your Business: Are you performing threat modelling? What threats exist to your
business? Are you a target?
Know Your Risk: Where are your security weaknesses and vulnerabilities, and which ones are
the most likely to be exploited? How do you determine likelihood and impact?
Know Your Resources: What can you get done with the resources you have? Are you
accounting for budget, time, and people?
Know Your Direction: Are you getting better or worse over time? Given the other must-haves
above, what is an achievable goal for risk reduction?
The Old Ways Are No Longer Enough: the old methods of vulnerability management, using
spreadsheets and counting vulnerabilities, still have their place. But for a new world of rising
threats and attacks, a new set of metrics is necessary in order to keep pace with the rising
cadence of critical vulnerabilities.

I.3 Patch and Vulnerability Metrics

I.4 Metrics Users


Project managers and leads: for operational or development environments or process improvement
Chain of command and funding sources: to influence budgets, priorities, and allocation of resources
Community at large: for awareness, competition, coordination, best practices
Procurement (e.g., Department of Defense [DoD]): looking for services or products
Hostile entities: as a deterrent to those who either might attack or who are in competition
Product vendors: for assessing security product effectiveness based on engineering process
improvement.

II.1 The Architecture of Vulnerability Scanners


In general, a vulnerability scanner is made up of four main modules, namely, a Scan Engine, a Scan
Database, a Report Module and a User Interface.
1. The Scan Engine executes security checks according to its installed plug-ins, identifying system
information and vulnerabilities. It can scan more than one host at a time and compares the results against
known vulnerabilities.
2. The Scan Database stores vulnerability information, scan results, and other data used by the scanner.
The number of available plug-ins, and the updating frequency of plug-ins, will vary depending on the
corresponding vendor. Each plug-in might contain not only the test case itself, but also a vulnerability
description, a Common Vulnerabilities and Exposures (CVE) identifier, and even fixing instructions for
a detected vulnerability. Scanners with an "auto-update" feature can download and install the latest set of
plug-ins to the database automatically.
3. The Report Module provides different levels of reports on the scan results, such as detailed technical
reports with suggested remedies for system administrators, summary reports for security managers, and
high-level graph and trend reports for executives.
4. The User Interface allows the administrator to operate the scanner. It may be either a Graphical User
Interface (GUI), or just a command line interface.

II.2 Choosing a Vulnerability Scanner


The following factors should be considered when selecting a vulnerability scanner:
1. Updating Frequency and Method of Plug-in Updates
Usually, a vulnerability scanner cannot identify a vulnerability if its corresponding plug-in is not
available. As a result, the faster a vendor can produce updated and new plug-ins, the more capable a scanner
is in spotting new flaws. Also, scanners with an "auto-update" feature can automatically download and
install the latest plug-ins on a regular basis. This should be considered when choosing a vulnerability
scanner.
2. Quality versus Quantity of Vulnerabilities Detected
The accuracy with which critical vulnerabilities are identified is more important than the number of
vulnerability checks, because the same vulnerability may be counted more than once by the scanner. The
effective number of vulnerabilities can be compared in terms of Common Vulnerabilities and Exposures (CVE),
a list of standardised names for vulnerabilities and other information security exposures. The
content of CVE is the result of a collaborative effort by the CVE Editorial Board.
3. Quality of Scanning Reports
Apart from the details of detected vulnerabilities, a useful scanning report should give clear and concise
information about fixing the problems uncovered. When administrators need to perform subsequent scans
after initial scanning or configuration changes, or make comparisons between the results of previous scans,
a scanner with a back-end database that can keep an archive of scanning results for trend analysis is preferable.
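To make the four modules of II.1 concrete, and to show the double-counting point from item 2 above, here is an added Python sketch that is not code from the source document: plug-ins carry a description, a placeholder CVE id and fix instructions, the engine runs them against a constructed host inventory, and the report module reports both raw plug-in hits and the effective count of distinct CVEs per host. Hosts, banners and the CVE-XXXX ids are all made up.

```python
from dataclasses import dataclass, field
from typing import Callable
# Constructed host inventory standing in for live probing; a real Scan Engine
# would collect these banners by connecting to each host.
HOST_INVENTORY = {
    "10.0.0.5": {"banners": {"21": "vsftpd 2.3.4", "80": "Apache/2.2.8"}},
    "10.0.0.6": {"banners": {"80": "Apache/2.2.8", "443": "Apache/2.2.8"}},
}

@dataclass
class Plugin:
    """One security check plus the metadata the text says a plug-in carries."""
    name: str
    cve: str          # placeholder ids (CVE-XXXX-nnnn), not real CVE numbers
    description: str
    fix: str
    check: Callable[[dict], bool]   # True when the host inventory is affected

PLUGINS = [
    Plugin("ftp-backdoor", "CVE-XXXX-0001", "Backdoored FTP daemon", "Upgrade vsftpd",
           lambda inv: "vsftpd 2.3.4" in inv["banners"].values()),
    # Two plug-ins test the same flaw on different ports, so they share one CVE.
    Plugin("httpd-old-80", "CVE-XXXX-0002", "Outdated Apache on :80", "Upgrade httpd",
           lambda inv: inv["banners"].get("80", "").startswith("Apache/2.2")),
    Plugin("httpd-old-443", "CVE-XXXX-0002", "Outdated Apache on :443", "Upgrade httpd",
           lambda inv: inv["banners"].get("443", "").startswith("Apache/2.2")),
]
@dataclass
class ScanDatabase:
    """Scan Database: keeps (host, plugin) findings for reporting and trends."""
    results: list = field(default_factory=list)

def scan_engine(hosts, plugins, db):
    """Scan Engine: run every installed plug-in against every host."""
    for host, inv in hosts.items():
        db.results.extend((host, p) for p in plugins if p.check(inv))
    return db

def effective_count(db):
    """Distinct (host, CVE) pairs: the number on which to compare scanners."""
    return len({(h, p.cve) for h, p in db.results})
def technical_report(db):  # Report Module, detailed level, with remedies
    return [f"{h}: {p.cve} {p.description} -> fix: {p.fix}" for h, p in db.results]
def summary_report(db):  # Report Module, summary level for managers
    return {"raw_findings": len(db.results), "effective_cves": effective_count(db)}

if __name__ == "__main__":  # User Interface: a minimal command-line front end
    db = scan_engine(HOST_INVENTORY, PLUGINS, ScanDatabase())
    print("\n".join(technical_report(db)), summary_report(db), sep="\n")
```

The two Apache plug-ins produce four raw findings but only three effective (host, CVE) pairs, which is exactly the gap between "number of checks" and "vulnerabilities identified".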

III.1 A Word on Vulnerability and Risk Management


Executive Summary
Vulnerabilities in the report are classified into three categories: high, medium or low. This
classification is based on industry standards and is endorsed by the major credit card
companies. The categories are defined as follows:
High risk vulnerabilities are defined as being in one or more of the following categories:
Backdoors, full Read/Write access to files, remote Command Execution, Potential Trojan
Horses, or critical Information Disclosure (e.g. passwords)
Medium risk vulnerabilities are vulnerabilities that are not categorized as high risk, and belong
to one or more of the following categories: Limited Access to files on the host, Directory
Browsing and Traversal, Disclosure of Security Mechanisms (Filtering rules and security
mechanisms), Denial of service, Unauthorized use of services (e.g. Mail relay).
Low risk vulnerabilities are those that do not fall in the "high" or "medium" categories.
Specifically, those will usually be: Sensitive information gathered on the server's configuration,
Informative tests.
Host information - provided by different tests that discover information about the target host;
the results of those tests are not classified as vulnerabilities.
Guessed Platform - detection of the operating system running on the host via TCP/IP stack
fingerprinting; this test is not very accurate, so it is a guess.
Internal Scan
Ineffective Procedures: The results from the internal scan indicate that the current security
configuration procedures are ineffective.
Old Passwords: There are several accounts with passwords older than thirty days and some are
even close to a year old.
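The classification rules above, as an added Python example that is not part of the original report: a finding takes the highest tier of any category it falls into, host-information results are excluded from the vulnerability counts, and a password-age check of the kind the internal scan describes flags accounts over thirty days. Category names, findings and accounts are constructed.

```python
from datetime import date

# Category sets taken from the three-tier definition above.
HIGH = {"backdoor", "full read/write file access", "remote command execution",
        "potential trojan horse", "critical information disclosure"}
MEDIUM = {"limited file access", "directory browsing and traversal",
          "security mechanism disclosure", "denial of service",
          "unauthorized use of services"}
# Host-information tests are reported but are not vulnerabilities.
INFORMATIONAL = {"host information", "guessed platform"}

def classify(categories):
    """Return 'high', 'medium', 'low', or None when the finding is only host info."""
    cats = set(categories)
    if cats & HIGH:
        return "high"      # any high category outranks everything else
    if cats & MEDIUM:
        return "medium"
    if cats and cats <= INFORMATIONAL:
        return None
    return "low"           # everything else, e.g. server configuration details

def summarise(findings):
    """Count findings per tier for the executive summary, skipping host info."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        tier = classify(f["categories"])
        if tier is not None:
            counts[tier] += 1
    return counts

def stale_passwords(accounts, today, max_age_days=30):
    """Internal-scan check: accounts whose password is older than max_age_days."""
    return sorted((name, (today - changed).days) for name, changed in accounts.items()
                  if (today - changed).days > max_age_days)

# Constructed sample data (not from any real scan)
FINDINGS = [
    {"id": 1, "categories": ["directory browsing and traversal", "remote command execution"]},
    {"id": 2, "categories": ["denial of service"]},
    {"id": 3, "categories": ["server configuration info"]},
    {"id": 4, "categories": ["guessed platform"]},
]
ACCOUNTS = {"alice": date(2024, 1, 3), "bob": date(2024, 12, 20), "svc": date(2023, 12, 30)}
TODAY = date(2024, 12, 31)

if __name__ == "__main__":
    print(summarise(FINDINGS), stale_passwords(ACCOUNTS, TODAY))
```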
IV.1 Scan Sample
V. Examples of Common Vulnerability Scanners
A number of open source, freeware or commercial vulnerability scanners are available for download or trial.
The following are examples:
1. Network-based scanners
a. Port scanners
Nmap: http://insecure.org/nmap/
Superscan: http://www.foundstone.com/us/resources/proddesc/superscan4.htm
b. Network vulnerability scanners
Nessus: http://www.nessus.org/nessus/
GFI LANguard Network Security Scanner (N.S.S.) (commercial): http://www.gfi.com/languard/
c. Web server scanners
Nikto: http://www.cirt.net/code/nikto.shtml
Wikto: http://www.sensepost.com/research/wikto/
d. Web application vulnerability scanners
Paros: http://parosproxy.org/index.shtml
Acunetix Web Vulnerability Scanner (commercial): http://www.acunetix.com/
2. Host-based scanners
a. Host vulnerability scanners
Microsoft Baseline Security Analyser (MBSA):
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
Altiris SecurityExpressions (commercial):
http://www.altiris.com/Products/SecurityExpressions.aspx
b. Database scanners
Scuba by Imperva Database Vulnerability Scanner:
http://www.imperva.com/application_defense_center/scuba/default.asp
Shadow Database Scanner:
http://www.safety-lab.com/en/products/6.htm
VI. Glossary
Port scan: the process of using an automated tool to attempt to locate all TCP or UDP ports on a host that
are advertising a service.
Security Gurus Scanning Methodology: this service scans a Security Gurus customer site via the Internet
from outside its perimeter security controls to search for vulnerabilities that may exist within specifically
identified components accessible from the Internet, including firewalls, web servers, and exposed hosts.
Vulnerability Scan Tools: used to scan for and detect vulnerabilities that exist within a customer's site.