Citadel Security Software Inc.

(1)

(2)

(3)

Citadel

™

Security Software Inc.

Hercules

®

Vulnerability Assessment

and Remediation Overview

Document Number: 205-01-0007

Hercules® v3.5.1

Document Version: 1.0

(4)

Acknowledgements

THIS SOFTWARE AND DOCUMENTATION IS PROVIDED "AS IS," AND COPYRIGHT HOLDERS MAKE NO REPRESENTATIONS OR WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF THE SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. COPYRIGHT HOLDERS WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF ANY USE OF THE SOFTWARE OR

DOCUMENTATION.

The name and trademarks of copyright holders may NOT be used in advertising or publicity pertaining to the software without specific, written prior permission. Title to copyright in this software and any associated documentation will at all times remain with copyright holders.

AssetGuard, Citadel, and ConnectGuard are trademarks of Citadel Security Software Inc. Hercules is a registered trademark of Citadel Security Software Inc. Hercules software is copyrighted by Citadel Security Software Inc. Hercules software is a patent-pending Automated Vulnerability Remediation solution.

Active Directory, Notepad, Microsoft, Windows, Windows NT, Windows Server, and SQL Server are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. AIX and PowerPC are trademarks or registered trademarks of International Business Machines Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and other countries. Apache is a trademark of the Apache Software Foundation. AppSight is a trademark of Insight Software Ltd. CVE and MITRE are registered

trademarks of the MITRE Corporation. Foundstone and FoundScan Engine are either trademarks or registered trademarks of Foundstone, Inc. HP-UX and PA-RISC are trademarks or registered trademarks of Hewlett Packard Company in the United States. Intel and Pentium are registered trademarks of Intel. Internet Security Systems, System Scanner, Internet Scanner, and SiteProtector are either trademarks or registered trademarks of Internet Security Systems, Inc. Linux is a registered trademark of Linus Torvalds. Mac OS X is a registered trademark of Apple Computer, Inc. nCircle and nCircle IP360 are either registered trademarks or trademarks of nCircle Network Security, Inc. QualysGuard and Qualys are trademarks of Qualys, Inc. Red Hat is a registered trademark of Red Hat, Inc. Retina and eEye are registered trademarks of eEye Digital Security. SAINT is a registered trademark of the Saint Corporation. SANS is a trademark of SANS/ESCAL. SecureScoutSP is a trademark of NexantiS Corporation. Shavlik and HfNetChk are either trademarks or registered trademarks of Shavlik Technologies, LLC. STAT is a registered trademark of Harris Corporation. Sun and Solaris are trademarks of Sun Microsystems, Inc. in the United States and other countries. UNIX is a registered trademark in the United States and other countries, exclusively licensed through X/Open Company, Ltd. WinZip is a registered trademark of WinZip Computing, Inc.

W3C® SOFTWARE NOTICE AND LICENSE

http://www.w3.org/Consortium/Legal/

This W3C work (including software, documents, or other related items) is being provided by the copyright holders under the following license. By obtaining, using and/or copying this work, you (the licensee) agree that you have read, understood, and will comply with the following terms and conditions:

Permission to use, copy, modify, and distribute this software and its documentation, with or without modification, for any purpose and without fee or royalty is hereby granted, provided that you include the following on ALL copies of the software and documentation or portions thereof, including modifications, that you make.

The full text of this NOTICE in a location viewable to users of the redistributed or derivative work.

Any pre-existing intellectual property disclaimers, notices, or terms and conditions. If none exist, a short notice of the following form (hypertext is preferred, text is permitted) should be used within the body of any redistributed or derivative code: "Copyright © 2004 World Wide Web Consortium http://www.w3.org, (Massachusetts Institute of Technology http://www.lcs.mit.edu/, Institut National de Recherche en Informatique et en Automatique http:// www.inria.fr/, Keio University http://www.keio.ac.jp/). All Rights Reserved. http://www.w3.org/Consortium/ Legal/"

Notice of any changes or modifications to the W3C files, including the date changes were made. (We recommend you provide URIs to the location from which the code is derived.)

All other products are trademarks of their respective holders.

Citadel Security Software Inc. * Two Lincoln Centre * 5420 LBJ Freeway, Suite 1600 * Dallas, TX 75240 Phone: (214) 520-9292 * Fax: (214) 520-9293 * Email: [email protected] * Website: http://www.citadel.com

(5)

Support

When you purchase a Customer Support Agreement and register your Citadel software product, you are eligible to receive technical support according to the terms of the contract you purchased. Registered users may reach Citadel Customer Support through the toll-free hot line at 888-9-CITADEL, (888-924-8233), by e-mail at [email protected], or through the Customer Support Portal on the Citadel website at http://www.citadel.com/.

Business hours for telephone support are Monday through Friday, excluding holidays, from 8 a.m. until 6 p.m., U.S. Central Standard Time. When you call, please have the following information available:

• Hercules version number • Hercules serial number • Type of hardware

(7)

Overview

Promoting network security involves adopting proactive practices that identify and eliminate risks before they can be exploited. Vulnerabilities that can be exploited within an enterprise network include software defects, unnecessary services, unsecured accounts, backdoors, and misconfigurations.

Remediating security vulnerabilities must be automated—manual remediation has become cost prohibitive. Consider these metrics:

• When the average Microsoft® Windows® device is scanned for the first time it contains 70-100 vulnerabilities.

• It takes a security administrator an average of one hour to fix each vulnerability or approximately 100 hours of manual remediation for each computer.

If you apply these metrics to an enterprise network with several hundred or thousands of computers the timeframes, resources, and dollar amounts associated with manual vulnerability remediation become astronomical.

This guide describes how to achieve a high level of network security at a low cost. The proposed best practice includes the following steps:

1. Device Discovery

2. Vulnerability Assessment 3. Vulnerability Review 4. Vulnerability Remediation 5. Vulnerability Management

Device discovery is the process of identifying all devices on the network by IP address. Vulnerability assessment is the process of detecting known vulnerabilities on network computers. This process is performed with automated scanning software or auditing practices. Vulnerability review is the process of selecting the vulnerabilities to fix based on risk assessment, and determining whether the remediation can be automated. Vulnerability remediation is the process of eliminating the security flaws. Vulnerability management is the process of developing and implementing a policy compliance plan and scheduling automated vulnerability remediation. Such plans ensure these steps are performed as often as required to maintain a secure network.

This guide is designed to help you devise an effective scanning and remediation strategy using Citadel’s Hercules® software and its supported assessment tools. Hercules automated vulnerability remediation solution is the first vulnerability remediation solution to automate the resolution of all classes of vulnerabilities.

(8)

Device Discovery

Wireless access points, laptops and other mobile computing devices are proliferating in networks due to their ease of use and low acquisition costs. These devices can contain sensitive data assets and are easily exploitable

Device discovery enables you to map your network, set a baseline for the identified devices, and track rogue devices as they enter or leave the network. Use an assessment tool or other network mapping software that scans all networks and sub-networks to identify all devices with their associated IP addresses.

Information typically collected during device discovery includes the following: • The number of devices

• The type of devices (such as computers with Windows® operating systems, UNIX® operating systems, Linux® operating systems, Mac OS X® operating system, and edge devices, printers, etc.)

• Unexpected or rogue devices • Wireless networks

It is important to match the devices found to internal IT asset tracking or equipment lists to validate each piece of equipment. Any devices found that are not accounted for via asset tracking require additional research. Such devices should either be added to the IT asset inventory or removed from the network. In large computing environments, discovery can take a substantial amount of time. You should perform device discovery on a regular basis as part of centralized IT security control. Device discovery represents the first step to eliminating one of the biggest threats to corporate networks today—that of exploiting devices that are “under the radar” of IT security.

(9)

Vulnerability Assessment

Selecting a Vulnerability Assessment Tool

You typically perform vulnerability assessment with an automated vulnerability assessment tool. Vulnerability assessment tools can be classified as follows:

• Network-based • Host-based

Network-based assessment tools scan a range of IP addresses from a centralized computer. They probe

and detect vulnerabilities through port scanning and other remote access methods.

Host-based assessment tools require the installation of a client software component on each device you

want to scan. The client software is responsible for inspecting the system for vulnerabilities and reporting findings to a centralized database or management console.

Both of these architectures have advantages and disadvantages. In making a selection of the type of assessment tool to use, keep the following in mind:

• Determine which networks will be scanned and the transport routes used for assessment. • Determine the appropriate rights required to perform the assessment. Many tools require

administrative privileges to obtain complete scan results. Often this requirement determines who is responsible for scanning which devices.

• When evaluating host based vulnerability assessment tools, consider whether the tool includes client deployment tools and the method of client distribution.

• Evaluate the computing environment as a whole based on the device discovery process.

• Determine if the selected scanner provides an acceptable level of assessment for your platforms. Consider the types of checks that are performed

• Consider the operating systems that are supported.

The quantity and quality of assessment intelligence data provided by the available tools varies greatly. Citadel recommends you perform scans using multiple tools to get a clear picture of your organizations’

(10)

current security posture. Using multiple tools provides some overlap in data. It also provides the benefit of performing additional checks that may not be identified by the primary scanner of choice.

Preparing for Assessment

After selecting an appropriate vulnerability assessment tool, you must install and configure it to work appropriately in your environment. The configuration process requires an understanding of what knowledge is gained during device discovery. You must understand the appropriate audits or checks to perform against each device.

Most scanners perform tests based on non-destructive and destructive methodologies. Non-destructive methodologies assess the device without attempting to break in or exploit the system. Destructive

methodologies attempt to exploit the vulnerability on the system. In cases where the system is vulnerable, it can actually cause damage or downtime to the system. This is most notable when running assessments for denial of service attacks or buffer overflows that cause the device to stop responding.

To prepare for the assessment, do the following:

• Carefully analyze the assessment policies available from the vendor • Disable any destructive tests to prevent unwanted side effects

• Become intimately familiar with the testing process on the majority of the vulnerabilities being scanned

Bandwidth requirements and CPU overhead should be taken into consideration before performing a scan. Performing an assessment of a medium to large size network with about 1500 devices can provide significant bandwidth utilization. Depending on the test selected, it can also generate moderate to high CPU utilization on the device being scanned.

Additionally, it is best to schedule or run the assessment during non-peak business hours. This ensures the scanning software does not compete for bandwidth with normal daily business traffic.

Running the Assessment

After determining the devices to scan, the type of assessment to perform, and the best time of day to run the assessment, the next step is to implement the assessment process by distinct network segments. That is, use the assessment tool to scan each segment separately. Performing a phased assessment minimizes the bandwidth utilization when assessing a network composed of many devices

Please refer to the assessment tool documentation for detailed instructions on how to perform an assessment.

(11)

Vulnerability Review

Depending on the number of devices scanned and the number of vulnerabilities scanned for, most

assessment tools produce large volumes of data. During the vulnerability review process, you analyze the data generated during assessment to determine which devices and vulnerabilities will be remediated, in what order, and whether there are exceptions that must be handled manually. Almost all remediations can be automated. An example of a manual remediation is installing a patch to a third party application. Citadel suggests you perform the review by the segments used for assessment. Consider the following approach:

1. During the initial review, the security team performs tasks such as the following:

a. Create a list of unique, identified vulnerabilities. (Eliminate duplicate or extraneous data.) b. Devise a risk scale, such as 1 – 5, 1 being the highest risk.

c. Determine the risk associated with each vulnerability and assign a risk rank to each. d. Prioritize the vulnerability list, beginning with the highest risk items.

e. Hand off the list to the system owners and business unit directors.

2. System owners and business unit directors then take responsibility for the following: a. Review the risk to vulnerability assignments and revise as needed.

b. Determine the acceptable level of risk to the network when weighed against requirements for accessibility.

c. Define the cutoff in the prioritized list that divides vulnerabilities that will be remediated from those that will be tolerated.

d. Review the revised list with the security assessment team for consensus. Use change control procedures, where applicable, to track updates.

3. Finally, the security assessment team make final decisions and perform handoffs as follows: a. Identify the vulnerabilities for which remediation can be automated; update the list. b. Plan automated remediation by subnetwork; hand off list for automated remediations to

the individual who will use Hercules software.

c. Assign any remaining vulnerability remediation tasks to the team who will perform the manual remediations.

(12)

Vulnerability Remediation

Remediation is defined as the process of correcting a fault or deficiency, or, in this case, a vulnerability. Hercules software provides relief by automating the remediation of the vulnerabilities identified during the assessment process. It also provides reports and management tools to track the vulnerabilities that must be handled manually. Performing remediation using Hercules software significantly reduces the amount of time required to research and deploy remediation to vulnerable systems.

To manage manual remediations, a process should be created that determines when systems will be remediated and by which technician. In addition to the when, what, and who variables, the following items must also be addressed:

• Where is the device physically located? • Can it be accessed after hours?

• Is travel time involved?

• Does the technician have the necessary access rights (administrative etc.) to the system? • Has the research been performed to know what is required to implement the fix?

• Does the fix involve updating software?

• Is the software downloadable from the Internet? Does the computer have access to the Internet? • What happens after the fix is implemented?

• Does it require the system to be rebooted?

• If so, can it be rebooted without creating downtime for mission critical applications?

Fortunately, Hercules vulnerability assessment system eliminates the majority of research related work required for manual remediations. After the process and plan has been developed, you can proceed with remediation as follows:

1. Use Hercules to perform all automated remediations. 2. Execute the process for manual remediation.

(13)

Vulnerability Management

Management of vulnerabilities and remediation is important to keep the network operating securely and efficiently. Vulnerability assessment and remediation is not a one-time process. Regularly scheduled vulnerability assessment and remediation must be consistently performed and managed to produce any level of success.

Effectively managing vulnerabilities includes performing routine assessment and remediation as well as device discovery. Each company should review the personnel and resources within their organization to develop a security team to manage this process. Security personnel should be well trained and

knowledgeable of industry best practices and the tools available. Citadel recommends you have at least one certified security professional available to assist with crises and provide knowledge assistance. Most importantly when managing vulnerability assessment and remediation, a plan must be developed to maintain the assessment checks performed by the assessment tools. This includes periodic updates via Internet enabled software downloads and upgrades from the software vendor. It is also highly

recommended to maintain support contracts for commercially available security tools. This ensures that the product is maintained and updated in a timely manner and provides knowledgeable support staff when needed.

Security news and vulnerability intelligence must be continually monitored to identify new threats as they emerge. Numerous free and subscription type services offer browser-based and direct feeds that supply timely security intelligence information.

Implementing these procedures and practices will ensure that vulnerabilities are eliminated before they are exploited by malicious hackers to gain confidential data or induce downtime on the network.

(14)

Vulnerability Assessment Tools

Hercules enterprise security software uses supported vulnerability assessment tools to assess the network and discover vulnerabilities on the devices it scans. After the assessment is complete, Hercules

technology uses the results to build remediation profiles for the devices that were assessed. To simplify the remediation process, the Hercules vulnerability assessment and remediation system includes an import wizard for the following supported vulnerability assessment tools:

• eEye® Digital Security Retina® Network Security Scanner • Foundstone, Inc.® FoundScan Engine™

• Harris STAT® Scanner

• Internet Security Systems™ Internet Scanner® • Internet Security Systems™ SiteProtector™ • Internet Security Systems™ System Scanner™ • Microsoft® Baseline Security Analyzer (MBSA) • nCircle® IP360™ Vulnerability Management System • Nessus Scanner

• NexantiS SecureScout SP™

• Qualys™, Inc. QualysGuard® Scanner • Saint Corporation SAINT® Scanning Engine • Tenable NeWT Scanner

Vulnerability assessment data from several different scanners can be combined to create a single view of all assessment data. This is accomplished by importing the data from several different sources. During the import process, the Hercules software automatically combines the vulnerability information and

associates it with the appropriate device.

eEye Digital Security Retina Network Security Scanner

The eEye Digital Security Retina Network Security Scanner is a network based vulnerability assessment tool. It can be used to perform assessments on all devices on the network including Windows, UNIX, Linux, and edge devices. Retina can be used to schedule scans from the command line. It also offers a graphical user interface to assist users in managing assessment policies and scan sessions. For details on this product, see http://www.eeye.com/html/products/retina/index.html. While Retina is performing a scan, it stores the results of the scan in a proprietary .rtd file or within an ODBC database connected by a DSN. Hercules Import Wizard for Retina uses this .rtd file or an ODBC database connection to import the results and create Remediation profiles.

(15)

Foundstone FoundScan Engine

Foundstone FoundScan Engine(http://www.foundstone.com) discovers and maps your complete network environment—including routers, firewalls, servers and custom Web applications—and then probes these areas for vulnerabilities. FoundScan consists of three components: an SQL database that holds scan data, an engine that scans for vulnerabilities, and a Web portal that allows users to access the information in the database through their Web browser. FoundScan imports the data directly from the FoundScan database into the Hercules database.

Harris STAT Scanner

The Harris STAT Scanner (http://www.statonline.com) is a network based vulnerability assessment tool. It can be used to perform assessments on most network devices including Windows, UNIX, Linux, and edge devices. STAT Scanner offers a graphical user interface to assist users in managing assessment policies and scan sessions.

While STAT is performing a scan, it stores the results of the scan in a database file. Hercules Import Wizard for STAT Scanner uses this database file to import the results and create remediation profiles.

ISS Internet Scanner

The Internet Security Systems (ISS) Internet Scanner is a network based vulnerability assessment tool. It can be used to perform assessments on all devices on the network including Windows, UNIX, Linux, and edge devices. Internet Scanner can be used to schedule scans from the command line. It also offers a graphical user interface to assist users in managing assessment policies and scan sessions. For details, see:

http://www.iss.net/products_services/enterprise_protection/vulnerability_assessment/scanner_internet.php While Internet Scanner is performing a scan, it stores the results of the scan in a database file. Hercules Import Wizard for Internet Scanner uses this database file to import the results and create remediation profiles.

ISS System Scanner

ISS System Scanner is a host based vulnerability assessment tool. It can be used to perform assessments on devices that it supports including Windows, UNIX, and Linux. System Scanner offers a graphical user interface to assist users in managing assessment policies and scan sessions.

While System Scanner is performing a scan, it stores the results of the scan in a database file. Hercules Import Wizard for System Scanner uses this database file to import the results and create Remediation profiles. For details on the ISS System Scanner, see:

http://www.iss.net/products_services/enterprise_protection/vulnerability_assessment/scanner_system.php

ISS SiteProtector

The Internet Security Systems™ SiteProtector™ management system enables you to monitor and control network security systems across multiple sites from a central location. You can monitor your networks for intrusion activity, assess vulnerabilities, and prioritize events. For details on SiteProtector, see: http://www.iss.net/products_services/enterprise_protection/rssite_protector/siteprotector.php

(16)

Microsoft Baseline Security Analyzer

The Microsoft® Baseline Security Analyzer (MBSA) allows administrators to scan local and remote systems for missing security patches as well as common security misconfigurations. MBSA includes a graphical and command line interface that can perform local or remote scans of Windows operating systems (Windows® 2000, Windows® XP, and Windows Server™ 2003).

MBSA scans for missing security updates and service packs for Windows, IE, Internet Information Services (IIS), SQL Server™, Exchange, and Windows Media Player. MBSA will create and store individual XML security reports for each computer scanned and will display the reports in the graphical user interface in HTML. For details on MBSA, see:

http://www.microsoft.com/technet/security/tools/mbsahome.mspx)

You need a dedicated folder for the XML files generated by the MBSA scan. The Hercules software browses the folder for the files, rather than browsing for each file individually.

nCircle IP360 Vulnerability Management System

The IP360 Vulnerability Management System from nCircle (http://www.ncircle.com) is an appliance-based vulnerability management solution that discovers, assesses, and protects devices within the enterprise network against common vulnerabilities. The IP360 Device Profilers track changes to the network environment, discover new vulnerabilities, and report network status using a non-disruptive scanning technology that accurately reveals the scope of your infrastructure without taxing network bandwidth. The IP360 Vulnerability Management System minimizes false positives and negatives associated with some scanners.

The nCircle IP360 scanner can export the results of a scan in an XML file. Hercules Import Wizard for nCircle uses this XML file to import the results and create Remediation profiles.

Nessus Scanner

Nessus (http://www.nessus.org) is a network based vulnerability assessment tool that is supported by the Open Source community. It is free to download and use on any network and can be customized to fit specific environments.

Nessus is installed and runs on Linux or UNIX hosts. It can scan a variety of different platforms including Windows, UNIX, Linux, and edge devices. It is recommended that before attempting to install and use Nessus that you have a good understanding of UNIX or Linux and are comfortable with installing and configuring software on those platforms. Through the support of the Open Source communities, several Nessus clients have been developed that allow users to control and manage Nessus scans from platforms other than Linux. For example, NessusWx provides a Windows interface that allows scheduling and running of vulnerability assessments. These clients communicate with the Nessus server installed on a Linux or UNIX computer to perform the scan and reporting functions.

NexantiS SecureScout SP

NexantiS SecureScout SP (http://www.securescout.com/securescoutsp) is a multi-user software product for enterprise vulnerability assessment needs. SecureScout SP provides automation, control and

management of security testing. SecureScout SP users can enjoy an unprecedented level of Managed Security through the on-going testing of internal and public-facing IP addresses. For Managed Security Service Providers, SecureScout SP can be rebranded.

SecureScout SP imports the data directly from the SecureScout database into the Hercules database.

(17)

Qualys QualysGuard Scanner

The QualysGuard (http://www.qualys.com) scanner is currently offered as an ASP solution for customers to perform scans of devices accessible through an outward facing internet connection. QualysGuard performs various assessments on Windows, UNIX, Linux, Solaris™, and network devices.

Hercules software integrates with QualysGuard by allowing the import of previously saved scans from a local XML file or by authenticating to the QualysGuard service and downloading the appropriate scan reports for import.

SAINT Scanning Engine

The SAINT Scanning engine (http://www.saintcorporation.com/products/saint_engine.html) is a vulnerability scanner that pinpoints security risks accurately, while being easy to use. It finds targets, does a port scan, and then a vulnerability check.

SAINT Scanning Engine imports the data directly from the SAINT database into the Hercules database.

Tenable NeWT Scanner

Tenable Network Security (www.tenablesecurity.com) produces NeWT, a Windows version of the Nessus scanner used with Windows 2000 and Windows XP machines. NeWT stands for "Nessus for Windows Technology". Hercules accepts NeWT data as an XML file.

(18)

Citadel Security Software Inc.

Citadel

Security Software Inc.

Hercules

®

Vulnerability Assessment

and Remediation Overview

Table of Contents

Support

Overview

Device Discovery

Vulnerability Assessment

Selecting a Vulnerability Assessment Tool

Preparing for Assessment

Running the Assessment

Vulnerability Review

Vulnerability Remediation

Vulnerability Management

Vulnerability Assessment Tools

eEye Digital Security Retina Network Security Scanner

Foundstone FoundScan Engine

Harris STAT Scanner

ISS Internet Scanner

ISS System Scanner

ISS SiteProtector

Microsoft Baseline Security Analyzer

nCircle IP360 Vulnerability Management System

Nessus Scanner

NexantiS SecureScout SP

Qualys QualysGuard Scanner

SAINT Scanning Engine

Tenable NeWT Scanner