Vulnerability Management Service (VMS) User Guide - IBM


Vulnerability Management Service (VMS)
User Guide
August 2014
Copyright IBM Corporation 2012, 2014

Table of Contents

USING VMS FOR THE FIRST TIME . 4
  NAVIGATING THE VMS HOME PAGE . 4
  USING THE SEARCH FUNCTION IN VMS . 6
  USING WIZARDS IN VMS . 6
SETTING UP SITES AND RUNNING SCANS . 8
  SPECIFYING GENERAL SITE INFORMATION . 8
  SPECIFYING ASSETS TO SCAN . 8
  SPECIFYING SCAN SETUP SETTINGS . 9
  SETTING UP ALERTS . 17
  ESTABLISHING SCAN CREDENTIALS . 18
    Using HTML forms and HTTP headers to authenticate VMS on Web sites . 19
    Creating a logon for Web site form authentication . 19
    Creating a logon for Web site session authentication with HTTP headers . 20
  GRANTING ACCESS TO USERS . 21
  RUNNING A MANUAL SCAN . 21
  PAUSING, RESUMING, AND STOPPING A SCAN . 22
  VIEWING SCAN RESULTS . 22
    Viewing the scan log . 23
WORKING WITH DATA FROM SCANS . 24
  VIEWING ASSETS . 24
    Viewing assets by sites . 24
    Viewing assets by groups . 25
    Viewing assets by operating system . 26
    Viewing assets by service . 26
    Viewing assets by software . 26
  CREATING ASSET GROUPS . 26
  WORKING WITH VULNERABILITIES . 27
    Viewing active vulnerabilities . 27
    Viewing vulnerability details . 28
    Working with vulnerability exceptions . 29

  USING TICKETS . 33
    Viewing tickets . 33
    Creating and updating tickets . 34
WORKING WITH REPORTS . 35
  VIEWING AN EXISTING REPORT . 35
  CREATING AND EDITING A REPORT . 35
  REPORT TEMPLATES AND SECTIONS . 39
  BUILT-IN REPORT TEMPLATES AND INCLUDED SECTIONS . 39
    Asset Report Format (ARF) template . 39
    Audit Report template . 39
    Baseline Comparison template . 40
    Executive Overview template . 41
    Highest Risk Vulnerabilities template . 41
    PCI Attestation of Compliance template . 41
    PCI Executive Summary template . 42
    PCI Host Details template . 43
    PCI Vulnerability Details template . 43
    Policy Evaluation template . 43
    Remediation Plan template . 44
    Report Card template . 44
    Top 10 Assets by Vulnerability Risk template . 44
    Top 10 Assets by Vulnerabilities template . 44
    Top Remediations template . 45
    Top Remediations with Details templates . 45
GLOSSARY . 46
INDEX . 51

Using VMS for the first time

VMS includes a Web-based user interface for configuring and operating VMS. Familiarizing yourself with the interface will help you to find and use its features quickly.

Navigating the VMS Home page

When you log on to the VMS Home page for the first time, you see placeholders for information, but no information contained in them.

The Home page shows sites, asset groups, tickets, and statistics about your network assets, based on VMS scan data. If you are an administrator, you can view and edit site and asset group information, and run scans for your entire network on this page.

The Home page also displays a chart that shows trends of risk score over time. As you add assets to your environment, your level of risk can increase, because the more assets you have, the more potential there is for vulnerabilities.

Each point of data on the chart represents a week. The blue line and measurements on the left show how much your risk score has increased or decreased over time. The purple line displays the number of assets.

Note: This interactive chart shows a default of a year’s worth of data when available; if you have been using VMS for a shorter historical period, the chart will adjust to show only the months applicable.

The following are some additional ways to interact with charts:
• In the search filter at the top left of the chart, you can enter the name of a site or asset group to narrow the results that appear in the chart pane to only show data for that specific site or group.
• Click and drag to select a smaller, specific timeframe and view specific details. Click the Reset/Zoom button to reset the view to the previous settings.
• Hover your mouse over a point of data to show the date, the risk score, and the number of assets for the data point.
• To export and print a chart image, click the sidebar menu icon on the top left of the chart window.

A row of navigation links appears at the top of the Home page, as well as every page of the console interface.
Use these navigation links to navigate to the main pages for each area of the interface.

NOTE: If the logged-on account is a security manager, site administrator, or system administrator, only the information for accessible sites and asset groups will be visible. If the logged-on account is a non-administrative user, only tickets and asset groups will be visible on the Home page. Non-administrative users do not have access to sites.

• The Assets page links to pages for viewing assets organized by different groupings, such as the sites they belong to or the operating systems running on them.
• The Vulnerabilities page lists all vulnerabilities discovered by VMS.
• The Policies page lists policy compliance results for all assets that have been tested for compliance.
• The Reports page lists all reports generated by VMS and provides controls for editing and creating report templates.
• The Tickets page lists remediation tickets and their status.
• The Administration page is the starting point for all management activities in VMS, such as creating and editing asset groups, and scan and report templates. Only administrators see this navigation link.

On the Site Listing pane, you can click controls to view and edit site information, run scans, and start to create a new site, depending on your role and permissions.

Information for any currently running scan appears in the pane labeled Current Scan Listings for All Sites.

On the Asset Group Listing pane, you can click controls to view and edit information about asset groups, and start to create a new asset group.

On the Asset Tag Listing pane, you can click tags to view and edit information about the assets, sites, and asset groups associated with the selected tag.

On the Ticket Listing pane, you can click controls to view information about tickets and the assets to which those tickets are assigned.

On the Home page and throughout the site, you can use various controls for navigation and administration. Each control icon and its description:
• Minimize any pane so that only its title bar appears.
• Expand a minimized pane.
• Close a pane.
• Reverse the sort order of listed items in a given column. You also can click column headings to produce the same effect.
• Generate a Microsoft Excel spreadsheet of any listed site, asset group, or ticket.
• Start a manual scan.
• Pause a scan.
• Resume a scan.
• Stop a scan.
• Edit properties for a site, report, or user account.
• Preview a report template.
• Delete a site, report, or user account.
• Exclude a vulnerability from a report.
• Search the VMS database for assets, asset groups, and vulnerabilities.

Using the search function in VMS

With the powerful full-text search feature, you can search the database using a variety of criteria, such as the following:
• full or partial IP addresses
• asset names
• site names
• asset group names
• vulnerability titles
• vulnerability CVE IDs
• internal vulnerability IDs
• user-added tags
• criticality tags
• Common Configuration Enumeration (CCE) IDs
• operating system names

To search the VMS database:
1. Enter your search criteria in the Search box on any page of the security console interface, and click the magnifying glass icon.
   VMS displays search results on the Search page, which includes panes for different groupings of results. For example, the table in the Vulnerability Results pane includes all the columns that appear on the Vulnerabilities page. At the bottom of each category pane, you can view the total number of results and change settings for how results are displayed.
2. In the Search Criteria pane, you can refine and repeat the search. You can change the search phrase and select check boxes to allow partial word matches and to specify that all words in the phrase appear in each result. After refining the criteria, click the Search Again button.

Note: When you run initial searches with partial strings in the Search box that appears in the upper-right corner of most pages in the Web interface, results include all terms that even partially match those strings. It is not necessary to use an asterisk (*) on the initial search. For example, you can enter Win to return results that include the word Windows, such as any Windows operating system. Or if you want to find all IP addresses in the 10.20 range, you can enter 10.20 in the Search text box. An asterisk is appended to the string in the Search Criteria pane that appears with the results. If you leave the asterisk in, the modified search will still return partial matches.
If you want the next set of results to match the string exactly, remove the asterisk.

Using wizards in VMS

VMS provides wizards for configuration and administration tasks:
• creating and editing asset groups
• creating and editing scan templates
• creating and editing report templates
• configuring VMS settings
• troubleshooting and maintaining VMS

All wizards have the same navigation scheme. You can either use the navigation buttons in each wizard page to progress through each page of the wizard, or you can click a page link listed on the left column of each wizard page to go directly to that page.
1. To save configuration changes, click the Save button that appears on every page.
2. To discard changes, click the Cancel button.

Note: Parameters labeled in red denote required parameters on all wizard pages.
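The search behaviour described in "Using the search function in VMS" above (an implicit trailing asterisk on the initial search, exact matching once the asterisk is removed, and the "all words must appear" check box) is easy to misread when results look too broad. The following is an added illustration written for this guide, not VMS code: it models those three rules over a handful of constructed asset and vulnerability records so you can see which records each form of the search returns. Record fields, host names, addresses and the CVE-style id are all hypothetical.

```python
"""VMS search semantics from the section above, modelled as an added example.

Illustrative code, not the VMS implementation. Records, field names and values
are constructed sample data. The model: the initial search appends '*' and
matches partial terms; in the Search Criteria pane you can remove the asterisk
(whole-word match) and require that all words appear in each result.
"""
from dataclasses import dataclass


@dataclass
class Record:
    kind: str      # result grouping, e.g. "asset" or "vulnerability"
    fields: dict   # searchable field name -> text value


# Constructed sample records (hypothetical hosts; the CVE id is a placeholder)
RECORDS = [
    Record("asset", {"name": "web01", "ip": "10.20.1.5",
                     "os": "Microsoft Windows Server 2012", "tags": "dmz critical"}),
    Record("asset", {"name": "db01", "ip": "10.20.2.9",
                     "os": "Red Hat Enterprise Linux 6", "tags": "internal"}),
    Record("asset", {"name": "win7-lab", "ip": "192.168.10.20",
                     "os": "Microsoft Windows 7", "tags": "lab"}),
    Record("vulnerability", {"title": "Example OpenSSL issue (placeholder)",
                             "cve": "CVE-2014-0000"}),  # placeholder id, not a real CVE
    Record("vulnerability", {"title": "Windows SMB signing not required", "cve": ""}),
]


def _term_in(term, value, partial):
    """Partial: substring anywhere in the field; exact: whole-word match."""
    value = value.lower()
    return term in value if partial else term in value.split()


def search(phrase, records=RECORDS, all_words=False):
    """Search as the Search Criteria pane does: a trailing '*' requests partial
    matches, no asterisk means each term must match a whole word; all_words
    requires every term to match, otherwise any single term is enough."""
    phrase = phrase.strip()
    partial = phrase.endswith("*")
    terms = phrase.rstrip("*").lower().split()
    if not terms:
        return []
    hits = []
    for rec in records:
        matched = [any(_term_in(t, v, partial) for v in rec.fields.values())
                   for t in terms]
        if all(matched) if all_words else any(matched):
            hits.append(rec)
    return hits


def initial_search(phrase, records=RECORDS):
    """The Search box on each page: VMS appends '*' itself, so partial matches
    come back without the user typing an asterisk."""
    return search(phrase.rstrip("*") + "*", records)


if __name__ == "__main__":
    for rec in initial_search("10.20"):
        print(rec.kind, rec.fields)
```

In this model the partial search for 10.20 also returns the 192.168.10.20 host, because the fragment matches anywhere in the address; that is the kind of over-broad result the asterisk removal in the Search Criteria pane is there to trim. When you want only records that carry every term (for example a Windows asset tagged critical), tick the "all words" option; the any-term behaviour is the default.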

Setting up sites and running scans

You must set up at least one site containing at least one asset in order to run scans in VMS. Doing so involves the following steps:
• Specifying general site information
• Specifying assets to scan
• Specifying scan settings
• Setting up alerts
• Establishing scan credentials

Specifying general site information

1. To begin setting up a site, click the New static site button on the Home page.
   OR
2. Click the Assets navigation link.
3. In the upper-right corner of the Assets page, click the number link next to Sites. On the Site Listing page, click New static site.
4. On the Site Configuration – General page, type a name for your site. You may wish to associate the name with the type of scan that you will perform on the site, such as Full Audit, or Denial of Service.
5. Select a level of importance from the dropdown list, and type a brief description for the site.
   The importance level corresponds to a risk factor that VMS uses to calculate a risk index for each site. The Very Low setting reduces a risk index to 1/3 of its initial value. The Low setting reduces the risk index to 2/3 of its initial value. High and Very High settings increase the risk index to 2x and 3x its initial value, respectively. A Normal setting does not change the risk index.

Specifying assets to scan

1. On the Site Configuration page, go to the Assets page to list assets for your new site. You can manually enter addresses and host names in the text box labeled Included Assets.
2. If you are an administrator, you may edit or delete addresses already listed in the site detail page.
3. To prevent assets within an IP address range from being scanned, manually enter addresses and host names in the text box labeled Excluded Assets from scanning.

NOTE: If you specify a host name for exclusion, VMS will attempt to resolve it to an IP address prior to a scan.
If it is initially unable to do so, it will perform one or more phases of a scan on the specified asset, such as pinging or port discovery. In the process, VMS may be able to determine that the asset has been excluded from the scope of the scan, and it will discontinue scanning it. However, if VMS is unable to make that determination, it will continue scanning the asset.

You also can exclude specific assets from scans in all sites throughout your deployment on the global Asset Exclusions page. See Managing global settings in the VMS Administrator Guide.
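The note above has a practical consequence: an exclusion entered as a host name only protects the host if the name resolves before the scan starts. The following added example, written for this guide rather than taken from VMS, computes the effective scope of a site from its Included Assets and Excluded Assets entries and separates out the exclusions that could not be resolved, so they can be corrected (or replaced by an IP address) before the scan runs. DNS is replaced by a constructed lookup table, and every name and address in it is hypothetical.

```python
"""Effective scan scope from Included/Excluded Assets, as an added example.

Illustrative code, not VMS's own. It models the note above: host names in the
exclusion list are resolved to IP addresses before the scan, and an exclusion
that cannot be resolved cannot be applied to the scope, so it is reported
rather than silently dropped. DNS is replaced by a constructed lookup table;
all names and addresses are hypothetical.
"""
import ipaddress

# Constructed stand-in for DNS (hypothetical names and addresses)
FAKE_DNS = {
    "web01.example.test": "10.20.1.5",
    "db01.example.test": "10.20.1.40",
}

# Constructed site entries, as they would be typed into the two text boxes
INCLUDED = ["10.20.1.0/28", "db01.example.test"]
EXCLUDED = ["web01.example.test", "10.20.1.2-10.20.1.3", "printer.example.test"]


def expand(entry, resolver=FAKE_DNS):
    """Expand one entry to (set of IP strings, unresolved name or None).

    Accepts a single address, a CIDR block, a dotted range 'a-b', or a host
    name. A host name the resolver does not know yields an empty set plus the
    name itself, so the caller can report it."""
    entry = entry.strip()
    try:
        if "/" in entry:
            return {str(ip) for ip in ipaddress.ip_network(entry, strict=False)}, None
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            return {str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1)}, None
        return {str(ipaddress.ip_address(entry))}, None
    except ValueError:
        # Not an address literal: treat it as a host name and resolve it
        ip = resolver.get(entry.lower())
        return ({ip}, None) if ip else (set(), entry)


def scan_scope(included, excluded, resolver=FAKE_DNS):
    """Return the targets actually in scope plus the entries that could not
    be resolved, so an operator can fix them before the scan runs."""
    targets, unresolved_included = set(), []
    for entry in included:
        ips, unresolved = expand(entry, resolver)
        targets |= ips
        if unresolved:
            unresolved_included.append(unresolved)
    removed, unenforceable = set(), []
    for entry in excluded:
        ips, unresolved = expand(entry, resolver)
        removed |= ips
        if unresolved:
            unenforceable.append(unresolved)
    return {
        "targets": sorted(targets - removed, key=ipaddress.ip_address),
        "unresolved_included": unresolved_included,
        # Per the note above, these hosts may still be touched by the scan
        "unenforceable_exclusions": unenforceable,
    }


if __name__ == "__main__":
    result = scan_scope(INCLUDED, EXCLUDED)
    print(len(result["targets"]), "targets in scope")
    print("exclusions that could not be resolved:", result["unenforceable_exclusions"])
```

Running this with the constructed entries leaves 14 targets in scope and flags printer.example.test as an exclusion that cannot be enforced from the name alone. In a real deployment that list is the thing to review before the scan starts; the global Asset Exclusions page mentioned above is the place to record exclusions that must hold across every site.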

Specifying scan setup settings

1. On the Site Configuration page, go to the Scan Setup page to select a scan template and/or scan engine other than the default settings. You also can enable scans to run on a specified schedule.
   NOTE: Schedule times are reflected in the local time of the PC being used to schedule the scan.
   A scan template is a predefined set of scan attributes that you can select quickly rather than manually define properties, such as target assets, services, and vulnerabilities.
   An administrator can customize scan templates for your organization's specific needs. When you modify a template, all sites that use that scan template will use the modified settings. See Modifying and creating scan templates in the VMS Administrator Guide for more information.
2. Select an existing scan template from the dropdown list. The boxes that follow list descriptions and attributes for each default template. You also can create a custom scan template. See Modifying and creating scan templates in the VMS Administrator Guide for more information.

Denial of service

Description: This basic audit of all network assets uses both safe and unsafe (denial-of-service) checks.
This scan does not include in-depth patch/hotfix checking, policy compliance checking, or application-layer auditing.
Why use this template: You can run a denial of service scan in a preproduction environment to test the resistance of assets to denial-of-service conditions.
Asset/vulnerability/Web spidering/policy scan: Y/Y/Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): Y
TCP ports used for device discovery: 21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995, 1723, 3306, 3389, 5900, 8080
UDP ports used for device discovery: 53, 67, 68, 69, 123, 135, 137, 138, 139, 161, 162, 445, 500, 514, 520, 631, 1434, 1900, 4500, 49152
Device discovery performance: 5 ms send delay, 4 retries, 1000 ms block timeout
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: Well known numbers 1-1040
TCP port scan performance: 0 ms send delay, 10 blocks, 10 ms block delay, 5 retries
UDP ports to scan: Well-known numbers
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): None
Specific vulnerability checks disabled: Local, patch, policy check types

Discovery scan

Description: This scan locates live assets on the network and identifies their host names and operating systems. VMS does not perform enumeration, policy, or vulnerability scanning with this template.
Why use this template: You can run a discovery scan to compile a complete list of all network assets. Afterward, you can target subsets of these assets for intensive vulnerability scans, such as with the Exhaustive scan template.
Asset/vulnerability/Web spidering/policy scan: Y/N/N/N
Maximum # scan threads: 10
ICMP (Ping hosts): Y
TCP ports used for device discovery: 21, 22, 23, 25, 80, 88, 110, 111, 135, 139, 143, 220, 264, 389, 443, 445, 449, 524, 585, 636, 993, 995, 1433, 1521, 1723, 3389, 8080, 9100
UDP ports used for device discovery: 53, 67, 68, 69, 111, 123, 135, 137, 138, 139, 161, 162, 445, 500, 514, 520, 631, 1434, 1701, 1900, 4500, 49152
Device discovery performance: 5 ms send delay, 2 retries, 3000 ms block timeout
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: 21, 22, 23, 25, 80, 110, 113, 139, 143, 220, 264, 443, 445, 449, 524, 585, 993, 995, 1433, 1521, 1723, 8080, 9100
TCP port scan performance: 0 ms send delay, 25 blocks, 500 ms block delay, 3 retries
UDP ports to scan: 123, 161, 500
Simultaneous port scans: 10
Specific vulnerability checks enabled (which disables all other checks): None
Specific vulnerability checks disabled: None

Discovery scan (aggressive)

Description: This fast, cursory scan locates live assets on high-speed networks and identifies their host names and operating systems. VMS sends packets at a very high rate, which may trigger IPS/IDS sensors, SYN flood protection, and exhaust states on stateful firewalls. VMS does not perform enumeration, policy, or vulnerability scanning with this template.
Why use this template: This template is identical in scope to the discovery scan, except that it uses more threads and is, therefore, much faster.
The tradeoff is that scans run with this template may not be as thorough as with the Discovery scan template.
Asset/vulnerability/Web spidering/policy scan: Y/N/N/N
Maximum # scan threads: 25
ICMP (Ping hosts): Y
TCP ports used for device discovery: 21, 22, 23, 25, 80, 88, 110, 111, 135, 139, 143, 220, 264, 389, 443, 445, 449, 524, 585, 636, 993, 995, 1433, 1521, 1723, 3389, 8080, 9100
UDP ports used for device discovery: 53, 67, 68, 69, 111, 123, 135, 137, 138, 139, 161, 162, 445, 500, 514, 520, 631, 1434, 1701, 1900, 4500, 49152
Device discovery performance: 0 ms send delay, 2 retries, 3000 ms block timeout
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: 21, 22, 23, 25, 80, 110, 113, 139, 143, 220, 264, 443, 445, 449, 524, 585, 993, 995, 1433, 1521, 1723, 8080, 9100
TCP port scan performance: 0 ms send delay, 25 blocks, 500 ms block delay, 3 retries
UDP ports to scan: 123, 161, 500
Simultaneous port scans: 25
Specific vulnerability checks enabled (which disables all other checks): None
Specific vulnerability checks disabled: None

Exhaustive

Description: This thorough network scan of all systems and services uses only safe checks, including patch/hotfix inspections, policy compliance assessments, and application-layer auditing. This scan could take several hours, or even days, to complete, depending on the number of target assets.
Why use this template: Scans run with this template are thorough, but slow. Use this template to run intensive scans targeting a low number of assets.
Asset/vulnerability/Web spidering/policy scan: Y/Y/Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): Y
TCP ports used for device discovery: 21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995, 1723, 3306, 3389, 5900, 8080
UDP ports used for device discovery: 53, 67, 68, 69, 123, 135, 137, 138, 139, 161, 162, 445, 500, 514, 520, 631, 1434, 1900, 4500, 49152
Device discovery performance: 5 ms send delay, 4 retries, 1000 ms block timeout
TCP port scan method: VMS determines optimal method
TCP optimizer ports: 21, 23, 25, 80, 110, 111, 135, 139, 443, 445, 449, 8080
TCP ports to scan: All possible (1-65535)
TCP port scan performance: 0 ms send delay, 10 blocks, 10 ms block delay, 5 retries
UDP ports to scan: Well-known numbers
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): None
Specific vulnerability checks disabled: None

Full audit

Description: This full network audit of all systems uses only safe checks, including network-based vulnerabilities, patch/hotfix checking, and application-layer auditing. VMS scans only default ports and disables policy checking, which makes scans faster than with the Exhaustive scan. Also, VMS does not check for potential vulnerabilities with this template.
Why use this template: This is the default VMS scan template.
Use it to run a fast, thorough vulnerability scan right "out of the box."
Asset/vulnerability/Web spidering/policy scan: Y/Y/Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): Y
TCP ports used for device discovery: 21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995, 1723, 3306, 3389, 5900, 8080
UDP ports used for device discovery: 53, 67, 68, 69, 123, 135, 137, 138, 139, 161, 162, 445, 500, 514, 520, 631, 1434, 1900, 4500, 49152
Device discovery performance: 5 ms send delay, 4 retries, 1000 ms block timeout
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: Well known numbers 1-1040
TCP port scan performance: 0 ms send delay, 10 blocks, 10 ms block delay, 5 retries
UDP ports to scan: Well-known numbers
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): None
Specific vulnerability checks disabled: Policy check type
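The template attributes above differ most in the "TCP ports to scan" line: the default Full audit covers 1-1040, Exhaustive covers every port, and the others list a handful of specific ports. A service listening on a high port (a management interface on 8443, a database on 3306) is simply not assessed by a template whose port list stops short of it. The following added example, written for this guide and not part of VMS, parses those attribute values as printed above and reports which of a site's required ports a given template would leave unassessed. The parser, the hypothetical site's service list and the report format are constructed; the port strings are copied from the template descriptions. A value that carries no numbers at all (such as "Well-known numbers") is reported as undetermined rather than guessed.

```python
"""Port coverage check against the built-in template attributes, added example.

Illustrative code, not VMS's own. The 'TCP ports to scan' values below are the
ones printed in the template descriptions above; the parser, the site's
required-service list and the coverage report are constructed for this example.
"""
import re

RANGE_RE = re.compile(r"(\d+)\s*-\s*(\d+)")
NUMBER_RE = re.compile(r"\d+")

# 'TCP ports to scan' exactly as listed for each built-in template above
TEMPLATE_TCP_PORTS = {
    "Denial of service": "Well known numbers 1-1040",
    "Discovery scan": "21, 22, 23, 25, 80, 110, 113, 139, 143, 220, 264, 443, 445, 449, "
                      "524, 585, 993, 995, 1433, 1521, 1723, 8080, 9100",
    "Exhaustive": "All possible (1-65535)",
    "Full audit": "Well known numbers 1-1040",
    "Internet DMZ audit": "Well-known numbers",
    "Linux RPMs": "22, 23",
}


def parse_ports(spec):
    """Turn a template attribute value into a set of port numbers.

    Returns set() for 'None', None when the text carries no numbers at all
    (the label alone cannot be checked), otherwise the union of every 'a-b'
    range and standalone number, clipped to the valid 1-65535 space."""
    spec = spec.strip()
    if spec.lower() == "none":
        return set()
    ports = set()
    for m in RANGE_RE.finditer(spec):
        ports.update(range(int(m.group(1)), int(m.group(2)) + 1))
    # Remove the ranges first so their endpoints are not re-added as singles
    for m in NUMBER_RE.finditer(RANGE_RE.sub(" ", spec)):
        ports.add(int(m.group()))
    ports = {p for p in ports if 1 <= p <= 65535}
    return ports or None


def coverage(template, required_tcp, table=TEMPLATE_TCP_PORTS):
    """Report whether a template's TCP port scan reaches every required port."""
    scanned = parse_ports(table[template])
    if scanned is None:
        return {"status": "undetermined", "missing": sorted(required_tcp)}
    missing = sorted(set(required_tcp) - scanned)
    return {"status": "covered" if not missing else "gaps", "missing": missing}


# Constructed list of TCP ports a hypothetical site's services listen on
SITE_SERVICES = {22, 443, 3306, 8443}

if __name__ == "__main__":
    for name in TEMPLATE_TCP_PORTS:
        print(f"{name:20s} {coverage(name, SITE_SERVICES)}")
```

For the constructed site, Full audit reports gaps on 3306 and 8443, Exhaustive reports full coverage, and Internet DMZ audit comes back undetermined because its attribute names no port numbers. The same check applies to a custom template created by an administrator: paste its "TCP ports to scan" value into the table and compare it against the ports your inventory says matter.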

HIPAA compliance

Description: VMS uses safe checks in this audit of compliance with HIPAA section 164.312 ("Technical Safeguards"). The scan will flag any conditions resulting in inadequate access control, inadequate auditing, loss of integrity, inadequate authentication, or inadequate transmission security (encryption).
Why use this template: Use this template to scan assets in a HIPAA-regulated environment, as part of a HIPAA compliance program.
Asset/vulnerability/Web spidering/policy scan: Y/Y/Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): Y
TCP ports used for device discovery: 21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995, 1723, 3306, 3389, 5900, 8080
UDP ports used for device discovery: 53, 67, 68, 69, 123, 135, 137, 138, 139, 161, 162, 445, 500, 514, 520, 631, 1434, 1900, 4500, 49152
Device discovery performance: 5 ms send delay, 4 retries, 1000 ms block timeout
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: Well known numbers 1-1040
TCP port scan performance: 0 ms send delay, 10 blocks, 10 ms block delay, 5 retries
UDP ports to scan: Well-known numbers
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): None
Specific vulnerability checks disabled: None

Internet DMZ audit

Description: This penetration test covers all common Internet services, such as Web, FTP, mail (SMTP/POP/IMAP/Lotus Notes), DNS, database, Telnet, SSH, and VPN.
VMS does not perform in-depth patch/hotfix checking or policy compliance audits with this template.
Why use this template: Use this template to scan assets in your DMZ.
Asset/vulnerability/Web spidering/policy scan: Y/Y/Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): N
TCP ports used for device discovery: None
UDP ports used for device discovery: None
Device discovery performance: 5 ms send delay, 4 retries, 1000 ms block timeout
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: Well-known numbers
TCP port scan performance: 0 ms send delay, 10 blocks, 10 ms block delay, 5 retries
UDP ports to scan: None
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): DNS, database, FTP, Lotus Notes/Domino, Mail, SSH, TFTP, Telnet, VPN, Web check categories
Specific vulnerability checks disabled: None

Linux RPMs

Description: This scan verifies proper installation of RPM patches on Linux systems. For optimum success, use administrative credentials.
Why use this template: Use this template to scan assets running the Linux operating system.
Asset/vulnerability/Web spidering/policy scan: Y/Y/Y/Y
Maximum # scan threads: 10
ICMP (Ping hosts): Y
TCP ports used for device discovery: 21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995, 1723, 3306, 3389, 5900, 8080
UDP ports used for device discovery: 53, 67, 68, 69, 123, 135, 137, 138, 139, 161, 162, 445, 500, 514, 520, 631, 1434, 1900, 4500, 49152
Device discovery performance: 5 ms send delay, 4 retries, 1000 ms block timeout
TCP port scan method: Stealth scan (SYN)
TCP optimizer ports: None
TCP ports to scan: 22, 23
TCP port scan performance: 0 ms send delay, 10 blocks, 10 ms block delay, 5 retries
UDP ports to scan: None
Simultaneous port scans: 5
Specific vulnerability checks enabled (which disables all other checks): RPM check type
Specific vulnerability checks disabled: None

Microsoft Hotfix

Description: This scan verifies proper installation of hotfixes and service packs on Microsoft Windows systems. For optimum success, use administrative credentials.
Why use this template: Use this template to verify that assets running Windows have hotfix patches installed on them.
Asset/vulnerability/Web s
