Using Passive Vulnerability Scanning during end-of-year IT change freezes

Many corporations, particularly in the financial industry, impose an end of year "freeze" on all network changes. This means that no new products or systems may be deployed, and any exception must be authorized by executive management. This mandate presents an IT director with three challenges at once: maintaining a secure network, ensuring compliance with the freeze policy, and evaluating requests for exceptions. Tenable's Passive Vulnerability Scanner can help with all three.

There are no industry standards or requirements for end of year freezes. Many companies impose them to ensure that nothing disrupts the systems that perform fiscal and/or calendar year-end accounting; a processing problem caused by a change to the environment could jeopardize that work. The more complicated the financial structure of the organization, the more likely it is that management will impose a freeze on IT activities.

A freeze can last anywhere from two weeks to a month. Anything longer would impact productivity. Some companies have a two level freeze - a soft freeze and a hard freeze. The soft freeze prohibits major implementations that can impact books and records systems. New product applications, transaction processing applications, application modifications or new feeds into core systems are some of the activities that would be restricted in a soft freeze. Any major network implementations or modifications would also be restricted. The hard freeze is a moratorium on all implementations. Exceptions to these restrictions usually must be in writing from the executive level - and few managers want to take responsibility for the consequences of permitting an exception unless they are certain the risk of a network impact is low.

The Passive Vulnerability Scanner (PVS) behaves like a security motion detector on the network. It maps new hosts and services as they appear on the network and monitors for vulnerabilities, providing near real-time security monitoring. The PVS does this without generating any traffic, which keeps it within the freeze restrictions. It behaves like a hybrid of an active scanner, such as Nessus, and an Intrusion Detection System (IDS). The PVS analyzes the traffic generated from its defined focus network and reports any anomalies or vulnerabilities observed. Unlike an active scanner, it does not target network devices with port scans or queries - it simply observes the traffic that these devices generate as a normal part of their operation. An IDS, by contrast, inspects traffic aimed at the network and reports the characteristics of the attack, not of the target. Knowing about an attack is useful, but it says nothing about the actual state of the host being attacked.

Since the PVS maps new network devices as they appear on the network, it can help ensure compliance with the corporate freeze policy. Freeze conditions mandate that no changes be made to the network, so any new devices that appear should be investigated. The PVS also has built-in checks to determine if a port scan has been launched from the focus network. This could indicate that an administrator or user launched a network scan in violation of the freeze policy. Another useful aspect of the PVS is the ability to write custom plugins for the PVS to identify applications that may be prohibited from running during the freeze.

For example, you may have an application that tests failover to a disaster recovery site, called 'disaster_recovery_test'. This example application begins by sending a broadcast message to all hosts on the broadcast domain. The protocol used is UDP with a source port of 5155 and a destination of 255.255.255.255, port 5155. Within this initial broadcast packet is the command string 'DRP:Switch:BackupDataCenter:CommandIP:TargetNet:Mask'. The PVS plugin to detect this application could look as follows:

name=Disaster Recovery Test initialization detection
daddr=255.255.255.255
sport=5155
dport=5155
clientissue
udp
family=Generic
description=Synopsis :<br><br>The remote host has just initiated a disaster recovery protocol to switch production servers to the backup datacenter<br><br>The remote server - %L - just initiated the Disaster Recovery Test. Ensure that this command was not issued during a freeze period or outside of a valid change control window.
solution=Ensure that this behavior is authorized for your network.
risk=HIGH
match=>DRP
match=DRP:Switch:BackupDataCenter:
regex=DRP:Switch:BackupDataCenter:([0-9]+\.){3}[0-9]+:

A plugin like this isn't limited to 'freeze' periods. The same rule can flag a change made outside any change control window, or unexpected activity in a highly secured environment.
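To show what the checks described above actually do when run over traffic, here is an added example that is not Tenable's code and not a PVS plugin: a small passive monitor in Python that applies the same three checks to a stream of observed packets without sending anything. It flags hosts in the focus network that are not in a freeze baseline, flags a focus-network host that touches an unusual number of distinct destination host/port pairs (a crude port-scan heuristic), and reproduces the DRP broadcast plugin above (protocol, ports, broadcast address, the 'DRP:Switch:BackupDataCenter:' string and the IP regex). The focus network, baseline host list, scan threshold, packet-record shape and the sample traffic are all assumptions constructed for the example; the two match= lines of the plugin are collapsed into one substring test (the longer string implies the shorter), and PVS's own anchoring semantics are not reproduced.

```python
"""Passive freeze monitor over constructed packet records (added example, not PVS)."""
import ipaddress
import re
from collections import defaultdict

# Assumptions (hypothetical): the monitored focus network, the hosts known to
# exist when the freeze began, and how many distinct (dst, dport) pairs one
# source may touch before we call it a scan.
FOCUS_NET = ipaddress.ip_network("10.10.1.0/24")
BASELINE = {"10.10.1.10", "10.10.1.11", "10.10.1.50"}
SCAN_THRESHOLD = 20

# Same fixed string and regex as the plugin; the regex additionally captures
# the command IP as a named group so it can be reported.
DRP_MATCH = b"DRP:Switch:BackupDataCenter:"
DRP_REGEX = re.compile(rb"DRP:Switch:BackupDataCenter:(?P<cmd_ip>([0-9]+\.){3}[0-9]+):")


def check_drp(pkt):
    """Apply the plugin's udp/sport/dport/daddr filters, then the payload match and regex.

    Returns a finding dict, or None when the packet does not match.
    """
    if pkt["proto"] != "udp" or pkt["sport"] != 5155 or pkt["dport"] != 5155:
        return None
    if pkt["dst"] != "255.255.255.255":          # daddr=255.255.255.255
        return None
    if DRP_MATCH not in pkt["payload"]:           # match=DRP:Switch:BackupDataCenter:
        return None
    m = DRP_REGEX.search(pkt["payload"])          # regex=DRP:Switch:BackupDataCenter:([0-9]+\.){3}[0-9]+:
    if not m:
        return None
    return {"risk": "HIGH", "host": pkt["src"], "command_ip": m.group("cmd_ip").decode()}


def monitor(packets):
    """Return (kind, source_host, detail) findings from a stream of observed packets."""
    findings = []
    seen = set(BASELINE)
    pairs_by_src = defaultdict(set)
    for pkt in packets:
        src = pkt["src"]
        in_focus = ipaddress.ip_address(src) in FOCUS_NET
        # 1. A focus-network host that was not present at the start of the freeze.
        if in_focus and src not in seen:
            seen.add(src)
            findings.append(("NEW_HOST", src, "host not in freeze baseline"))
        # 2. A focus-network host touching many distinct host/port pairs (scan-like).
        if in_focus and pkt["proto"] == "tcp":
            pairs_by_src[src].add((pkt["dst"], pkt["dport"]))
            if len(pairs_by_src[src]) == SCAN_THRESHOLD:   # report once, at the threshold
                findings.append(("PORT_SCAN", src, f"{SCAN_THRESHOLD} distinct dst host/port pairs"))
        # 3. The DRP broadcast described by the plugin.
        drp = check_drp(pkt)
        if drp:
            findings.append(("DRP_INIT", src, f"DR test initiated, command IP {drp['command_ip']}"))
    return findings


def sample_packets():
    """Constructed traffic (not a real capture): baseline chatter, a new host,
    a port sweep, a genuine DRP broadcast, and a near miss on the wrong source port."""
    drp_payload = b"DRP:Switch:BackupDataCenter:10.20.0.5:10.10.1.0:255.255.255.0"
    pkts = [
        {"src": "10.10.1.10", "dst": "10.10.1.11", "proto": "tcp", "sport": 40001, "dport": 443, "payload": b""},
        {"src": "10.10.1.99", "dst": "10.10.1.11", "proto": "tcp", "sport": 40002, "dport": 22, "payload": b""},
    ]
    # 10.10.1.50 walks TCP ports 1..25 on a single host.
    pkts += [{"src": "10.10.1.50", "dst": "10.10.1.11", "proto": "tcp", "sport": 50000 + p, "dport": p, "payload": b""}
             for p in range(1, 26)]
    pkts.append({"src": "10.10.1.11", "dst": "255.255.255.255", "proto": "udp",
                 "sport": 5155, "dport": 5155, "payload": drp_payload})
    pkts.append({"src": "10.10.1.10", "dst": "255.255.255.255", "proto": "udp",
                 "sport": 5156, "dport": 5155, "payload": drp_payload})   # wrong sport: must not fire
    return pkts


if __name__ == "__main__":
    for kind, host, detail in monitor(sample_packets()):
        print(f"{kind:<10} {host:<12} {detail}")
```

Running the block prints one NEW_HOST line for 10.10.1.99, one PORT_SCAN line for 10.10.1.50 once it reaches the twentieth port, and one DRP_INIT line naming the command IP 10.20.0.5; the near-miss packet on source port 5156 produces nothing, which is the behaviour the sport=5155 line of the plugin enforces. A real deployment would read packets from a capture interface and tune the scan threshold to the environment, but the decision logic is the same.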

For more information on writing PVS rules, please refer to the online documentation.

The PVS can also aid in deciding when it is necessary to authorize an exception to the freeze policy. The PVS is updated daily with plugins from Tenable, much as an IDS or anti-virus system is updated with signatures (an activity that is normally permitted during a freeze). In the course of passively observing network traffic, the PVS may alert on a system that is vulnerable to a newly published exploit. Depending on the nature of the exploit and the exposure of the system, the organization may decide that leaving the system unpatched poses a greater risk to the network than patching it during the freeze.

Many security applications generate so much network traffic that they themselves become part of the problem, and a major challenge in the IT security field is getting a handle on all the data they produce. Tenable's Passive Vulnerability Scanner is a versatile tool that can be a valuable aid for a variety of security challenges. Its key property is that it provides real-time event monitoring without generating any traffic of its own. That property is critical in situations, such as a freeze, where network activity must remain as static as possible.