Around twenty years ago, several individuals associated with Universities started building the first vulnerability checkers.
Ironically, these nascent tools were designed mainly to scan the configuration of Unix workstations and servers instead of looking for actual vulnerabilities in the code.
The latter functionality was developed commercially a few years later. I said “ironically” because the industry has now moved in the reverse direction; several vulnerability management vendors are now developing configuration checks within their vulnerability scanners or even developing or acquiring full configuration auditing scanners.
I have seen two main types of organizations where the technology has turned a full circle. In the first type, organizations relatively new to vulnerability management require vendors to include basic configuration checks in their vulnerability scanners. Basic configuration checks typically include identifying easy-to-guess credentials and detecting shared file systems.
The second type of organization has deployed an Enterprise-grade vulnerability scanner but has additional configuration auditing and reporting needs that the existing solution cannot meet. On the one hand, vulnerability scanners work mainly (but not exclusively) in binary mode: their job is to answer with a simple “yes” or “no” whether a given vulnerability is present.
As a result, vulnerability data is fairly compact (e.g. Vulnerability ID 1234 is present) and can be presented in a few pages, assuming some level of de-duplication is used when generating a report.
On the other hand, configuration auditing scanners can execute tens of thousands of technical configuration checks across many heterogeneous IT platforms. In addition, configuration data is multi-valued rather than binary. Let’s take a directory service such as Microsoft Active Directory (AD) as an example.
When the configuration scanner interrogates AD for a list of users, AD returns a variable number of usernames plus a variable amount of configuration information for each username, including group memberships and access rights. This process generates enormous amounts of data that far exceed the amount of vulnerability data collected by a similar or the same scanner.
Another platform that can return a widely variable amount of configuration information is a web server. One of the first queries the scanner has to send to the server is a request for the list of virtual web servers. This is followed by a query requesting the configuration information for each one, e.g. folders and access rights, URLs, installed plug-ins, etc.
The amount and complexity of the data gathered by a configuration auditing solution is significant. If the vulnerability data is merged into the compliance data, the former would become a tiny subset of the overall configuration of each asset.
Configuration reports on a specific asset could include operating system configuration, including hotfixes, and middleware and Enterprise application configuration, as well as vulnerability information sitting side by side with the other, larger slices of configuration data.
The integration of vulnerability and compliance solutions will bring tremendous benefits to organizations. First, it could reduce administrative overhead and facilitate credentials management, as currently each scanner might require a separate set of credentials to scan a given asset.
Second, an integrated solution would simplify vulnerability and compliance data correlation, analysis and reporting. Finally, an integrated view would allow risk managers to easily visualize vulnerability and configuration issues that, when combined, increase the overall risk of an asset: e.g. a password policy issue combined with a remotely exploitable vulnerability in the operating system could lead to full remote access.
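As an added illustration (not code from the original post or from any scanner vendor), the following Python sketch models the difference described above between binary vulnerability findings and multi-valued configuration findings, merges both per asset, de-duplicates the vulnerability side, and applies the correlation rule from the last paragraph. All asset names, vulnerability IDs, configuration keys and the 12-character password threshold are constructed assumptions.

```python
"""Merge binary vulnerability findings with multi-valued configuration
findings per asset and flag combinations that raise overall risk.

Constructed illustration: asset names, vulnerability IDs and
configuration keys are sample data, not output from any real scanner.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnFinding:
    """Binary finding: vulnerability vuln_id is present on asset."""
    asset: str
    vuln_id: str   # constructed identifier such as "VULN-1234"
    remote: bool   # remotely exploitable according to the scanner


@dataclass
class ConfigFinding:
    """Multi-valued finding: one configuration key, any number of values."""
    asset: str
    key: str
    values: tuple


# Constructed sample input. The duplicate VULN-1234 row stands in for the
# same vulnerability reported twice (e.g. by two plugins).
SAMPLE_VULNS = [
    VulnFinding("web01", "VULN-1234", remote=True),
    VulnFinding("web01", "VULN-1234", remote=True),
    VulnFinding("web01", "VULN-2001", remote=False),
    VulnFinding("dc01", "VULN-3100", remote=False),
]
SAMPLE_CONFIGS = [
    ConfigFinding("dc01", "ad.users", ("alice", "bob", "svc_backup")),
    ConfigFinding("dc01", "ad.group.Domain Admins", ("alice", "svc_backup")),
    ConfigFinding("dc01", "password.min_length", (14,)),
    ConfigFinding("web01", "password.min_length", (6,)),
    ConfigFinding("web01", "http.vhosts", ("www.example.test", "intranet.example.test")),
    ConfigFinding("web01", "http.vhost.www.example.test.plugins", ("mod_ssl", "mod_php")),
]


def dedupe_vulns(findings):
    """Vulnerability data is binary: a vuln is either present or not, so
    repeated detections of the same ID on the same asset collapse to one."""
    return sorted(set(findings), key=lambda f: (f.asset, f.vuln_id))


def build_inventory(vulns, configs):
    """Return {asset: {"vulns": {id: VulnFinding}, "config": {key: values}}}."""
    inventory = defaultdict(lambda: {"vulns": {}, "config": {}})
    for v in dedupe_vulns(vulns):
        inventory[v.asset]["vulns"][v.vuln_id] = v
    for c in configs:
        inventory[c.asset]["config"][c.key] = c.values
    return dict(inventory)


def data_volume(record):
    """(vulnerability data points, configuration data points) for one asset:
    one point per present vuln ID, one per configuration value."""
    vuln_points = len(record["vulns"])
    config_points = sum(len(values) for values in record["config"].values())
    return vuln_points, config_points


def correlated_risks(record, min_password_length=12):
    """Flag the combination the post describes: a password-policy issue on
    the same asset as a remotely exploitable vulnerability. The threshold
    of 12 is an assumed policy value, not a standard."""
    policy = record["config"].get("password.min_length")
    weak_policy = policy is not None and policy[0] < min_password_length
    if not weak_policy:
        return []
    return sorted(v.vuln_id for v in record["vulns"].values() if v.remote)


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_VULNS, SAMPLE_CONFIGS)
    for asset, record in sorted(inventory.items()):
        vulns, configs = data_volume(record)
        print(f"{asset}: {vulns} vuln point(s), {configs} config point(s), "
              f"combined risks: {correlated_risks(record) or 'none'}")
```

The two counters returned by `data_volume` make the post's point concrete: even on this tiny sample the configuration side outweighs the vulnerability side on every asset, and `correlated_risks` is only possible once both kinds of finding sit in the same per-asset record.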