ON-DEMAND SECURITY AUDITS AND VULNERABILITY


ON-DEMAND SECURITY AUDITS AND VULNERABILITY MANAGEMENT
A Proactive Approach to Network Security

Qualys, Inc. All Rights Reserved

Contents

EXECUTIVE SUMMARY ......................................................... 3
THE NETWORK SECURITY CHALLENGE ............................................ 4
    Factors Contributing to Escalating Risk ............................... 4
    Prevalence and Consequences of Security Breaches ...................... 5
    Growing Costs ......................................................... 6
THE "FOUR PILLARS" OF NETWORK SECURITY .................................... 7
    Virus Detection ....................................................... 8
    Firewalls ............................................................. 8
    Intrusion Detection Systems ........................................... 8
    Vulnerability Assessment .............................................. 9
COMPARING APPROACHES TO VULNERABILITY ASSESSMENT ......................... 11
    Product-Based vs. Service-Based Solutions ............................ 11
    Tree-Based vs. Inference-Based Assessment ............................ 12
    Criteria for an Effective Vulnerability Assessment Solution .......... 13
QUALYSGUARD ON-DEMAND SECURITY AUDITS AND VULNERABILITY MANAGEMENT ....... 14
    Audits and Manages Vulnerabilities Inside and Outside the Firewall ... 15
    Discovery: Dynamic Identification of All Network Devices ............. 15
    Analysis: Inference-Based Vulnerability Scanning ..................... 17
    Reporting: In-Depth Technical or Summary Data and Trend Analysis ..... 19
    Remedy: Links to Verified Fixes ...................................... 20
    Remediation Management ............................................... 21
    Open API - Third Party Integration ................................... 22
    On-Demand Security Audits are an Iterative Process ................... 23
CONCLUSION ............................................................... 24
APPENDIXES
    Appendix A: QualysGuard Web Services Architecture .................... 25
    Appendix B: Glossary ................................................. 29
ABOUT QUALYS ............................................................. 31

Executive Summary

Hacker attacks are no longer limited to high-profile organizations such as banks and governments. Automated tools have made it easier to identify and exploit network exposures, swelling the rate of attacks on networks attached to the Internet. At the same time, viruses, worms and trojans have evolved into sophisticated, self-propagating attacks resistant to detection. Newer worms complete global attack cycles and exploit vulnerable hosts in just seconds, so securing networks requires identifying and fixing vulnerabilities in advance.

"99% of network intrusions result from exploitation of known vulnerabilities or configuration errors where countermeasures were available."
Source: CERT, Carnegie Mellon University

IT groups rely on four main technologies to protect their networks: virus detection, firewalls, intrusion detection systems (IDS), and vulnerability assessment. Each has a place in a comprehensive security strategy. Only on-demand Security Audits and Vulnerability Management provide a proactive approach, identifying network and device vulnerabilities before networks are compromised.

Companies can choose from several approaches for vulnerability assessment: manual testing using software-based products, consultants' penetration testing, and self-service automated third-party solutions. With the latter approach, called on-demand Security Audits & Vulnerability Management, scans are conducted by remote servers that are hosted and maintained by a trusted third party, while control over each security audit is retained by the user. Automated security audits offer clear cost and security advantages over other methods of vulnerability assessment.

This white paper explains the value of the various approaches to network security. It focuses on the unique role of vulnerability management, and automated security audits in particular. The paper concludes with a description of the QualysGuard solution.

The Network Security Challenge

Not too long ago, most hacker attacks targeted high-profile organizations such as banks and governments. Times have changed, and now every Internet-connected enterprise is vulnerable, whether it has thousands of IP addresses or just one.

Network Intrusions Interrupt Business, Inflict Financial Damage and Adversely Impact Customer Confidence

Following are just a few examples:

- SQL Slammer infected more than 120,000 hosts in 10 minutes, disabling cash machines, disrupting 911 call center operations and causing widespread interruptions in Internet operations (Associated Press, 1/27/03).
- Microsoft IIS vulnerabilities caused credit card issuers to replace over 150,000 accounts at a cost of $5-$10 per card (USA Today, 8/10/02).
- Code Red and Nimda worms compromised 800,000 servers worldwide at a cost in excess of $3 billion (ABC News, 1/22/02).
- Hackers compromised the State of California personnel database, stealing 265,000 employees' names, Social Security numbers, and payroll information (San Francisco Chronicle, 5/25/02).
- About 13,000 customer records—including names, work and home addresses, Social Security numbers, account numbers, and credit histories—were stolen from Experian Information Solutions through Ford Motor Credit Company (New York Times, 5/17/02).

Factors Contributing to Escalating Risk

Companies face increasing risk from network security breaches, for the following reasons:

- Networks increasingly have multiple entry points—for example, VPNs and wireless access points used by remote employees. This exposes networks to threats from unknown software and unprotected connections.
- Networks and applications have grown more complex and difficult to manage, even as qualified security professionals are scarce and IT budgets have come under pressure.
- Compressed software development lifecycles result in flawed or poorly tested releases. As a result, the number of newly discovered and exploitable vulnerabilities has grown 1,149 percent in the past five years.
- Hacking tools have become automated and require less skill to use, increasing the ranks of hackers. And because these tools are automated and designed for large-scale attacks, a single hacker can rapidly inflict widespread damage (see Figure 2: CERT Security Incident Reports).
- Malicious self-propagating worms, viruses, and trojans boost damage through a multiplier effect: they keep on "giving" long after the initial incident.
- The lifecycle for network attacks is shorter (see Figure 1: Accelerating Vulnerability and Exploit Lifecycle). Therefore, companies have less time to identify and correct vulnerabilities before they are exploited by hackers and worms.

Figure 1—Accelerating Vulnerability and Exploit Lifecycle
The window of exposure between a vulnerability emerging and being exploited is narrowing from weeks to just a few days. Early detection is key to preventing intrusion and compromise of data assets.

Prevalence and Consequences of Security Breaches

The 2003 Computer Crime and Security Survey, conducted by the Computer Security Institute (CSI) and the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad, reported the following results from a small survey of 530 large corporations and government agencies:

- 92% of respondents had detected computer security breaches within the last 12 months.
- 75% of those acknowledged financial losses due to computer breaches.
- 47% (251 respondents) quantified their financial losses: a total of $201,797,340, with the most serious financial losses occurring through theft of proprietary information or denial of service.
- 78% identified their Internet connection as a more frequent point of attack than their internal systems.
- Only 30% reported intrusions to law enforcement agencies; most did not, to avoid the potential risks of negative publicity and of competitors using the information to their advantage.

As a consequence of these trends, companies must be increasingly vigilant to protect their networks from surging numbers of vulnerabilities that can be exploited by worms and automated attack methods.

Growing Costs

The threat from hacking is rampant. The Computer Emergency Response Team (CERT) reports that the number of "security incidents" filed at its coordination center at Carnegie Mellon University rose 1,149 percent from 1999 through 2003[1], an average annual compounded rate of 65.7 percent. (CERT defines an incident as an "attempt, either failed or successful, to gain unauthorized access to a system or its data.") Each such attempt represents a potential threat to corporate system data integrity, service availability, and information confidentiality.

Figure 2—CERT Security Incident Reports
Annual intrusions are growing geometrically.

The cost of security breaches measures in the billions of dollars: in downtime, repairs, siphoning of IT resources, and incalculable damage from loss of customer confidence. The ultimate cost of network security failures can be loss of business. Online retailer Egghead.com ceased operations less than a year after it discovered that a hacker had accessed its computer systems, forcing it to turn over to issuing banks the names of 3.7 million credit card holders whose data might have been compromised.

[1] Assumes a projected growth rate of 50 percent from 2002 through 2003 for unaccounted Q4 data; growth through Q3 was 40 percent.

The "Four Pillars" of Network Security

Companies can take advantage of a combination of strategies to ensure network security: virus detection, firewalls, intrusion detection systems (IDS), and vulnerability assessment. All four play distinct, important roles.

Gartner Recommends Vulnerability Management
Security Demands Drive Shift to Vulnerability Management
"Enterprises that practice sound vulnerability management, rather than only intrusion detection, will experience fewer cyberattacks and suffer less damage from them."
M. Nicolett, J. Pescatore (11/19/2003)

Most organizations have deployed firewalls that deny unauthorized network traffic. Some organizations have also deployed intrusion detection systems. And virtually all organizations have anti-virus solutions. With all these security technologies, how do intruders continue to successfully penetrate networks and create havoc? The answer: by exploiting the vulnerabilities of the applications that organizations employ to run their businesses. Therefore, identifying and correcting these vulnerabilities before they can be exploited is an operational necessity.

The following table lists the four major approaches to network security, their function and their limitation when used alone.

Yankee Recommends Vulnerability Management
Vulnerability Management: Processes Strengthen IT's Security Performance
"The Yankee Group recommends vulnerability management services for enterprises that would incur financial risk if their network or key business applications were to become unavailable due to a misconfiguration or cyberattack."
Eric Ogren (12/10/2003)

Table 1—Four Pillars of Security
Virus detection, firewalls, IDS, and vulnerability assessment represent four distinct network security technologies. Each is useful; none is a complete solution.

CERT Recommends Vulnerability Assessment
CERT states that vulnerability assessment improves computer security by detecting rogue systems and monitoring for new access points.
"Periodically execute vulnerability scanning tools on all systems to check for the presence of known vulnerabilities and eliminate all vulnerabilities identified by these tools."
"Periodically execute network mapping and scanning tools to understand what intruders who use such tools can learn about your networks and systems."

Virus Detection

Anti-virus software operates on file servers and desktops to monitor file systems and memory for patterns that indicate the presence of a virus. Anti-virus software also operates on email servers, the entry point for almost 90 percent of viruses. Virus detection requires frequent or automated updates for accuracy. However, new multi-part worms such as Code Red—containing a self-propagating outer layer that exploits vulnerabilities to circumvent security systems and an inner-layer "payload" that might have a malicious viral component—avoid anti-virus methodologies by exploiting application vulnerabilities. When anti-virus tools were updated to cleanse Code Red from systems and networks, the same vulnerability exploited by Code Red was soon used by Nimda—the identical open door used twice. Identifying and resolving vulnerabilities clearly requires a technology other than anti-virus tools.

Firewalls

Firewalls serve as security beachheads that define the network perimeter where an enterprise meets the Internet. Because firewalls determine what traffic is allowed to pass into an enterprise from the Internet, they are the essential first line of defense against hackers. A firewall that is a perfect brick wall admits no outside traffic and ensures perfect security for an enterprise. It is hardly practical, however, because it isolates the company from its customers and partners. Rather, the firewall must selectively admit traffic based on the guidelines a company defines. This opens the door for potential intruders. What's more, whenever the company modifies its firewall policies—for example, to permit new services or devices to access the Internet, or to update policy—it might inadvertently create new security vulnerabilities.

Intrusion Detection Systems

Intrusion detection systems (IDS) monitor and analyze system and network events to find and warn network administrators of unauthorized attempts to access system resources. With IDS, an organization discovers hacking attempts or actual break-ins by analyzing its networks or hosts for inappropriate data or other anomalous activity.

There are two approaches to IDS:

- Host-based IDS operates by monitoring hosts for suspicious activity. The monitoring often takes place at the file or operating system level, usually via additional software that runs on the monitored host. For example, a monitoring process might scrutinize system logs, files or other resources for unexpected changes, and raise alarms or other notifications when it detects unusual activity. Host-based IDS products are installed atop a host's operating system; they intercept and validate software and user calls made into the operating system and kernel.

- Network-based IDS operates by monitoring network packets as they pass across the network. This type of solution can be implemented in hardware or software. Network-based IDS can also detect when worms compromise systems by "seeing" the worm try to propagate itself from the host.

IDS solutions play a valuable role as rearguard sentries. That is, they raise alerts that an attack may be taking place. However, corporate information security professionals would naturally prefer to prevent attacks rather than learn that they have already occurred. Other limitations of IDS include:

- Insufficient data—The data present in the network packets or system calls often isn't enough to determine conclusively whether an intrusion is taking place.
- Flawed processing assumptions—When network IDS are located in a demilitarized zone (DMZ) or on outward-facing networks, they might interpret behavior as belligerent that is, in fact, harmless to the inside-facing, protected networks. For example, a malformed packet received on an outside network isn't necessarily capable of inflicting damage on protected networks.
- Throughput issues—Both host-based and network-based IDS are required to filter or examine large quantities of data. Today's networking equipment often runs at speeds of 100 Mbps or greater and can overwhelm the processing capability of IDS products, which often lack sufficient throughput to examine all data.
- Active evasion—Hackers most often initiate this type of attack by subtly rewriting packets to confuse the IDS. Among the techniques attackers use are denial of service attacks, so-called "insertion" attacks that create false positives in the IDS, and "evasion" attacks that slip past the IDS to wreak havoc on the target system.

Vulnerability Assessment

IDS is reactive, detecting attacks while or after they occur. Vulnerability assessment is proactive, determining susceptibility to attacks before networks are exploited. With early vulnerability detection, companies can take corrective action before damaging network attacks can take place.

Vulnerability assessment has traditionally been conducted with techniques such as annual or quarterly penetration testing by expert consultants. Now, with on-demand security audits and vulnerability management, organizations can detect and eliminate vulnerabilities frequently and at a reasonable cost, closing their networks' windows of exposure.

Vulnerability assessment is a methodical approach to identifying and prioritizing vulnerabilities, enabling IT organizations to non-intrusively test their networks from the "hacker's perspective" and automatically:

- Identify vulnerabilities and network misconfigurations.
- Identify rogue devices, including wireless and VPN access points.
- Detect and prioritize vulnerability exposures.
- Provide remedies for known vulnerabilities.
- Validate firewall and IDS configurations.

Companies that perform vulnerability assessment typically scan new systems when they are attached to the network, after software is installed or reconfigured, and at regular intervals thereafter. When a vulnerability is detected, the company corrects it and then performs another scan to confirm that the vulnerability is gone.

Vulnerability assessment works hand in hand with anti-virus, firewall, and IDS. The vulnerability assessment identifies potential vulnerabilities before they can be exploited, and the intrusion detection system notifies the company when anomalous activity has occurred. The two approaches are synergistic: vulnerability assessment enables IT to identify and close obvious holes so that the intrusion detection system produces a manageable volume of alerts.

Vulnerability assessment also works in conjunction with firewalls to continuously and seamlessly monitor for vulnerabilities that may have inadvertently been introduced by firewall policy changes.

The process of vulnerability management combines processes and technologies that include asset discovery, vulnerability assessment, analysis of audit results, and the management of corrective actions (remediation).
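The detect, correct and rescan cycle described above is only closed when the confirmation scan is actually compared against the previous audit. The Python below is an added example, not part of this paper or of the QualysGuard product; the Finding record, the CHK-* check identifiers, the 10.0.0.x hosts and the SLA_DAYS escalation policy are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True, order=True)
class Finding:
    """One vulnerability instance as a scanner would report it (constructed format)."""
    host: str         # IP address of the audited device
    port: int         # service port the check ran against
    check_id: str     # scanner's identifier for the vulnerability check (constructed)
    severity: int     # 1 (low) .. 5 (critical)
    first_seen: date  # date the finding was first reported

def key(f):
    return (f.host, f.port, f.check_id)

def reconcile(previous, confirmation):
    """Split a confirmation scan against the previous audit into remediated (gone),
    persistent (still present, first_seen carried over) and new findings."""
    prev = {key(f): f for f in previous}
    curr = {key(f): f for f in confirmation}
    remediated = [prev[k] for k in sorted(prev.keys() - curr.keys())]
    new = [curr[k] for k in sorted(curr.keys() - prev.keys())]
    persistent = []
    for k in sorted(prev.keys() & curr.keys()):
        f = curr[k]  # keep the latest severity, but the original first_seen date
        persistent.append(Finding(f.host, f.port, f.check_id, f.severity, prev[k].first_seen))
    return {"remediated": remediated, "persistent": persistent, "new": new}

# Maximum days a finding of each severity may stay open before it is escalated
# (constructed policy; real deadlines are set by the organization).
SLA_DAYS = {5: 7, 4: 14, 3: 30, 2: 60, 1: 90}

def overdue(findings, today):
    """Return findings still open past their severity deadline, worst first."""
    late = [f for f in findings if (today - f.first_seen).days > SLA_DAYS[f.severity]]
    return sorted(late, key=lambda f: (-f.severity, f.first_seen))

# Constructed sample: the audit before remediation and the confirmation scan after it.
PREVIOUS = [
    Finding("10.0.0.5", 80, "CHK-1001", 5, date(2004, 1, 5)),
    Finding("10.0.0.5", 445, "CHK-2040", 4, date(2004, 1, 5)),
    Finding("10.0.0.9", 25, "CHK-3310", 3, date(2003, 12, 1)),
]
CONFIRMATION = [
    Finding("10.0.0.5", 445, "CHK-2040", 4, date(2004, 1, 20)),   # fix not applied
    Finding("10.0.0.9", 25, "CHK-3310", 3, date(2004, 1, 20)),    # fix not applied
    Finding("10.0.0.12", 443, "CHK-1177", 4, date(2004, 1, 20)),  # newly attached host
]

if __name__ == "__main__":
    result = reconcile(PREVIOUS, CONFIRMATION)
    print({bucket: [key(f) for f in items] for bucket, items in result.items()})
    print("overdue:", [key(f) for f in overdue(result["persistent"], date(2004, 1, 20))])
```

Persistent findings keep their original first_seen date, so a fix that was never applied cannot reset its exposure clock by simply being reported again.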

Gartner Recommends Near Continuous Scanning
"Near continuous scanning is needed to quickly identify new vulnerabilities because application, network and system changes invariably introduce configuration errors, and new vulnerabilities are frequently announced by system and application vendors. Because cyberattackers are continually scanning for openings, enterprises need to find these vulnerabilities before the attackers do."
M. Nicolett, J. Pescatore (11/
