
One of the most important steps in devising a strategy is knowing what you’re up against. This helps in the planning stage, and also helps enterprises make educated decisions on their actions and policies. For example, realizing that a number of computers currently have LimeWire installed would be a good reason to implement a policy that kills that application. The logical way you’re going to know if systems have this installed is by looking at the reporting.

Chapter 2: The Technical Components of NAC Solutions

When it comes to understanding the current state of your devices, two categories are commonly used: the attributes the system currently has, and the items that are missing and should be on the system. Following are some current system attribute examples:

The operating system and version (such as Windows XP SP2)
The version of the BIOS
How much free space is left on the drive
The brand and version of antivirus software installed
The brand and version of antispyware software installed
The brand and version of personal firewall software installed
The version of Internet Explorer installed
The username of the account logged into the system
LimeWire is installed on the system
Kazaa is installed on the system

Following are some missing system attribute examples:

The system needs Microsoft Patch MS07-026.
The system needs Microsoft Patch MS03-023.
Adobe Reader is in need of a critical security hotfix.
The Java application is in need of a critical security hotfix.
The instant messaging application is in need of a critical security hotfix.
Updated antivirus definition signatures are available.
The system allows NULL sessions.
The system uses LM hashes to store passwords.
There isn’t an encryption solution on the system.

You may find it difficult to find a NAC/NAP solution that is able to provide reporting on all of these examples. Something like SMS (Microsoft Systems Management Server) can provide a lot of the information from the first list, and it could be used as a companion to a NAC/NAP solution. SMS may not be an official part of a particular NAC/NAP solution, but it can help with information gathering. It’s important for you to know how you will handle that task.

NOTE: Real-time reporting data should be collected from all devices, regardless of their location, and should not be dependent upon mobile devices being physically on the LAN or connected to the LAN via a remote access solution.

The Reporting Mechanism

In my mind, a really good NAC/NAP solution will also show information regarding what is missing on the machine. Microsoft Patch Tuesday patches, virus definition updates, hot fixes to third-party applications, vulnerable configurations, and so on, all need to be communicated. The ‘‘Real Examples from the Field’’ sidebar shows why this is important.

REAL EXAMPLES FROM THE FIELD

About a year ago, I was working with a very well-known company in Chicago. I’m sure that many of you have used their products, and you would likely know their name if I told you, but I won’t for security reasons. We were working with this company to get them to realize that it was very likely that their mobile devices were not receiving all of the necessary updates and patches when they were mobile.

From our own experience, we knew this to be the case. As in a lot of companies, mobile devices only received patches and antivirus updates when the machines physically came back to the LAN. In that type of scenario, we always see those mobile devices missing patches and updates. It never fails with that topology.

This particular company had a bunch of really good guys working for it, and they were very nice and capable people. They just didn’t think that they had a problem with patching mobile devices. Their internal system always did a good job and that sufficed for them.

After pushing them for quite some time, they finally told us to stop talking about the patching of mobile devices. They felt they had it covered and we were starting to annoy them. Rather than give up, we made them a deal. We would run a vulnerability assessment against a sampling of their mobile systems and show the objective and factual reporting data. If that data showed that they had it covered, we would buy them a lunch (we would have bought lunch anyway; they are the customer). If they didn’t have it covered, then they would talk to us further about how we could help them.

So, I ran my analysis against a number of their mobile systems. These were the same mobile systems that they insisted were covered with their LAN-based patching system. The data came back and we found the following:

Six Critical Microsoft patches were missing.
One Important Microsoft patch was missing.
Some missing Critical patches were new, and some were a few years old.
The antivirus definition files were out of date.
The systems had four SANS Top Ten Security Vulnerabilities, which are more than just patches.

Clearly, the systems were not in an ideal state. This was an eye-opener for them. Particularly, they noticed the point about some missing patches being new and some of them being old. What did that mean?


Missing new patches is representative of enterprises having difficulty with getting patches disseminated in a timely manner. If a machine is mobile and not on the LAN, and the only way to get a patch is to be on the LAN, a long time is going to pass before that system gets the patch. This is very bad, because the mobile machines are the ones that need the most protection.

What really shocked them were the old patches that weren’t installed. In particular, they were missing the patch that took care of the GDI+ DLL issue from a few years ago. (There was a vulnerability where the simple act of viewing a malicious graphic file could allow a hacker to completely exploit a system.) They knew they had pushed out this patch years ago and certainly remembered this well-known vulnerability.

What happened is that they did push out the patch. The machines did receive it, and they were protected. At some point afterward, however, they also pushed out Microsoft Office and Visio applications and updates, which overwrote the fix that the patch had implemented. The systems were no longer protected. This really opened their eyes.

I’m pleased to say that they did realize our original point that they had an issue with their mobile devices. Without us being able to prove it with reporting, they wouldn’t have believed us.

This is also a really good example of the value of being able to report on what is missing on systems. The fact that these devices were missing the Critical patches and antivirus updates had a direct impact on the company’s security strategy and policies. It all came down to reporting capability.
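The following is an added example, not code from the book or from any NAC/NAP product, that ties together the two attribute lists earlier in this section and the lesson of the sidebar. It evaluates a constructed device report against a policy in both directions: attributes that are present but prohibited (LimeWire, Kazaa), attributes that are missing but required (the MS07-026 and MS03-023 patches from the list, antivirus definition age, NULL sessions, LM hashes, no encryption), and the age of the report itself, since data that only arrives when a laptop returns to the LAN may already be stale. It also compares the deployment system's record of what was pushed with what is actually installed, which is the check that would have caught the sidebar's case of an Office/Visio rollout silently overwriting an older fix. All hostnames, dates, application names and the `deployed_patches` record are constructed sample values; the `DeviceReport`, `Policy` and `evaluate` names are this example's own.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data: one reporting record for one device, of the kind a
# NAC/NAP reporting mechanism (or a companion inventory tool) would gather.
# Hostname, dates and application names are illustrative; the patch IDs are
# the ones named in this section's example list.


@dataclass
class DeviceReport:
    hostname: str
    os_version: str
    installed_apps: set            # current attributes: software present now
    installed_patches: set         # current attributes: patches present now
    av_definition_date: date
    null_sessions_allowed: bool
    lm_hashes_enabled: bool
    disk_encryption_present: bool
    last_report: date              # when this device last sent a report


@dataclass
class Policy:
    prohibited_apps: set
    required_patches: set
    max_av_definition_age_days: int
    max_report_age_days: int


def evaluate(report, policy, deployed_patches, today):
    """Return a list of (severity, finding) tuples for one device.

    deployed_patches is the set of patches the enterprise's deployment system
    recorded as pushed to this host. Comparing that record with what is
    actually installed separates a patch that was never delivered from a
    patch that was delivered and later overwritten (a regression).
    """
    findings = []

    # Current attributes: things that are present but should not be.
    for app in sorted(report.installed_apps & policy.prohibited_apps):
        findings.append(("high", f"prohibited application installed: {app}"))

    # Missing attributes: things that should be present but are not.
    for patch in sorted(policy.required_patches - report.installed_patches):
        if patch in deployed_patches:
            findings.append(("critical",
                             f"patch {patch} was deployed but is no longer installed (regression)"))
        else:
            findings.append(("critical", f"patch {patch} missing (never deployed)"))

    av_age = (today - report.av_definition_date).days
    if av_age > policy.max_av_definition_age_days:
        findings.append(("high", f"antivirus definitions are {av_age} days old"))

    # Vulnerable configurations from the missing-attribute list.
    if report.null_sessions_allowed:
        findings.append(("medium", "NULL sessions allowed"))
    if report.lm_hashes_enabled:
        findings.append(("medium", "LM hashes used for password storage"))
    if not report.disk_encryption_present:
        findings.append(("medium", "no encryption solution present"))

    # Staleness: a report that only arrives when the laptop is back on the LAN
    # is itself a finding, because everything above may no longer be true.
    report_age = (today - report.last_report).days
    if report_age > policy.max_report_age_days:
        findings.append(("high", f"last report is {report_age} days old; data may be stale"))

    return findings


def summarize(findings):
    """Count findings per severity, the kind of roll-up a dashboard would show."""
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


SAMPLE_POLICY = Policy(
    prohibited_apps={"LimeWire", "Kazaa"},
    required_patches={"MS07-026", "MS03-023"},
    max_av_definition_age_days=7,
    max_report_age_days=3,
)

SAMPLE_REPORT = DeviceReport(
    hostname="laptop-042",                      # constructed
    os_version="Windows XP SP2",
    installed_apps={"Microsoft Office", "Visio", "LimeWire"},
    installed_patches={"MS07-026"},             # MS03-023 is no longer present
    av_definition_date=date(2008, 3, 1),        # constructed
    null_sessions_allowed=True,
    lm_hashes_enabled=False,
    disk_encryption_present=False,
    last_report=date(2008, 3, 10),              # constructed
)

# Constructed deployment log: both required patches were pushed to this host.
SAMPLE_DEPLOYED = {"MS07-026", "MS03-023"}


def sample_findings():
    return evaluate(SAMPLE_REPORT, SAMPLE_POLICY, SAMPLE_DEPLOYED, today=date(2008, 3, 20))


if __name__ == "__main__":
    for severity, text in sample_findings():
        print(f"[{severity}] {text}")
    print(summarize(sample_findings()))
```

Run stand-alone, the sample produces six findings for the one laptop: the prohibited LimeWire install, the MS03-023 regression (deployed but absent), 19-day-old antivirus definitions, NULL sessions, no encryption, and a 10-day-old report. The regression line is the point of the sidebar: a deployment log alone would have reported this host as patched.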