Recently, I introduced a three-part series on how to build a successful vulnerability management program. The first installment examined Stage 1, the vulnerability scanning process. My next article investigates Stages 2 (asset discovery and inventory) and 3 (vulnerability detection), which occur primarily using the organization’s technology of choice for vulnerability scanning. In this case, the discussion focuses around Tripwire IP360.
Stage 2: Asset Discovery and Inventory
Asset discovery and inventory account for Critical Security Control numbers one and two. This is the foundation for any security program – information security or otherwise – as the defenders cannot protect what they do not know about. Critical Security Control number one is to have an inventory of all authorized and unauthorized devices on the network. Critical Security Control number two is to have an inventory of authorized and unauthorized software installed on the assets on the organization’s network. These two go hand in hand as attackers are always trying to identify systems that are easily exploitable to get into an organization’s network. Once they are in, they can leverage the control they have on that system to attack other systems and further infiltrate the network. Ensuring that the information security team is aware of what is on the network allows them to better protect those systems and provide guidance to the owners of those systems to reduce the risk those assets pose. There have been many cases where users deploy systems without informing the information security team. These could range from test servers to wireless routers plugged under an employee’s desk for added convenience. Without the appropriate asset discovery and network access control, these types of devices can provide an easy gateway for an attacker into the internal network. Tripwire IP360 conducts a discovery of assets within defined ranges, as well as discovers what applications are running on those discovered assets prior to conducting a vulnerability scan.
Stage 3: Vulnerability Detection
Once all the assets on the network are identified, the next step is to identify the vulnerability risk posture of each asset. Vulnerabilities can be identified through unauthenticated and authenticated methods. Typically, an attacker would view a system with an unauthenticated view. Therefore, scanning without credentials would provide a similar view to a primitive attacker. This method is good for identifying some extremely high-risk vulnerabilities that an attacker could detect remotely and exploit to gain deeper access to the system. There is, however, a higher likelihood for false positives, as it is very difficult to validate the presence of a vulnerability without exploiting it. A much more comprehensive and recommended method for vulnerability scanning is to scan with credentials. This allows for increased accuracy in the determination of the vulnerability risk of the organization. Vulnerability signatures specific to the operating system and installed applications that were detected in the discovery and inventory stage are run to identify which vulnerabilities are present. Vulnerabilities in locally installed applications can only be detected with authenticated scans. An authenticated IP360 vulnerability scan also identifies vulnerabilities that an attacker would see from an external unauthenticated vulnerability scan. Many vulnerability scanners simply detect the patch levels or application versions to provide a vulnerability posture reading. Tripwire IP360, however, provides a much more detailed analysis as the vulnerability signatures are able to determine factors, such as the removal of vulnerable libraries, registry keys, as well as (but not limited to) whether or not a reboot of the system took place for the remediation to apply. Take a look at the final instalment of the series here. Alternatively, if you missed part one you can catch up here. Interested in learning more about building a mature vulnerability management program? Click here to discover more. Title image courtesy of ShutterStock