
Vulnerability Top Ten

by Cody Dumont
May 11, 2016

Organizations starting a new security campaign are often left asking “Where do I start?”  First, the security team will set up new discovery and vulnerability scans.  As the security team begins to strategically plan out the Vulnerability Assessment (VA) methodology, they will need to create plans for scanning local networks using both active and passive methods.  Additionally, the security team will need to create a plan for performing VA on remote systems or mobile users.  SecurityCenter Continuous View (CV) fully integrates to provide solutions for active scanning using the Nessus vulnerability scanner, and can assess remote systems with Nessus Cloud and agent-based scanning.  To identify vulnerabilities passively, the Passive Vulnerability Scanner (PVS) operates through SecurityCenter CV to perform deep packet inspection to continuously discover and track users, applications, cloud infrastructure, trust relationships, and vulnerabilities.

Establishing the scanning methodology will lead to creating assets, or groups of systems with a common attribute, such as Windows 8 workstations.  The common attribute can be collected using both passive and active methods, but whichever method is used, the security team will need to perform regular scanning with credentials or agents.  Without credentialed scans, the true status of a system cannot be known, and therefore the risk cannot be fully assessed.  As new systems are being detected using Nessus and PVS, the results of the scan need to be analyzed, and the question becomes “What’s next?”

A vulnerability management program is a key process for finding and remediating security issues and misconfigurations.  The objective of such a program is to find vulnerabilities and mitigate them before an adversary finds the issue and exploits it. Implementing new technologies, applying patches, or modifying configurations are methods of mitigating risks, but which vulnerabilities should the organization mitigate first?

This dashboard can help answer these questions by offering a Top Ten summary of the most vulnerable systems within a network, most prevalent vulnerabilities, most needed patches, anti-virus client updates, and most vulnerable hosts.  The data presented within this dashboard provides security professionals with a clear list of first steps and target areas to address within the network.  The bar charts at the top of the dashboard provide a summary of the Top Ten networks separated by operating systems, while the other tables provide details about the vulnerabilities and remediation tasks.  This dashboard is helpful for those getting started with SecurityCenter.

The dashboard and its components are available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards and assets.  The dashboard can be easily located in the SecurityCenter Feed under the category Threat Detection & Vulnerability Assessments. The dashboard requirements are:

  • SecurityCenter 5.3.1
  • Nessus 6.6.1
  • PVS 5.0.0

SecurityCenter Continuous View (CV) allows for the most comprehensive and integrated view of network health. With more supported technologies than any other vendor, including operating systems, network devices, hypervisors, databases, tablets, phones, web servers, and critical infrastructure, SecurityCenter CV provides a unique combination of detection, reporting and pattern recognition utilizing industry-recognized algorithms and models. SecurityCenter is continuously updated with information about advanced threats and zero-day vulnerabilities, and new types of regulatory compliance configuration audits.  PVS is able to collect network metadata through passive monitoring, finding inappropriate activity, identifying assets and vulnerabilities from network traffic, and detecting hard-to-profile assets including virtual, BYOD and SCADA systems.

Components

Vulnerability Top Ten - Top 10 Most Vulnerable Windows Networks: This chart provides a summary of the top ten most vulnerable Windows systems by subnet. The chart provides a vulnerability summary count by severity level.  The filter uses the plugin families for Windows, and severities of medium through critical.  When reviewing this chart, analysts can easily see the networks with the most concerns and allocate mitigation resources accordingly.

Vulnerability Top Ten - Top 10 Most Vulnerable Hosts: This component shows the top ten hosts with exploitable vulnerabilities of high or critical severity. Editing the filters in the component and changing the tool from IP Summary to Class C Summary or Port Summary can give information on exploitable vulnerabilities per subnet or per port, respectively.

Vulnerability Top Ten - Top 10 Exploitable Vulnerabilities: This table displays the top 10 exploitable vulnerabilities on the network. The list is sorted so that the most critical vulnerability is at the top of the list. For each vulnerability, the severity and the number of hosts affected is shown.

Vulnerability Top Ten - Top 10 Most Vulnerable Linux/Unix Networks: This chart provides a summary of the top ten most vulnerable Linux/Unix systems by subnet. The chart provides a vulnerability summary count by severity level.  The filter uses the plugin families for Linux/Unix, and severities of medium through critical.  When reviewing this chart, analysts can easily see the networks with the most concerns and allocate mitigation resources accordingly.

Executive Vulnerability Metrics - Top 10 Previously Mitigated Hosts: This component presents a table of the top 10 hosts with previously mitigated vulnerabilities of high or critical severity. When a vulnerability moves from the mitigated section to the active section, the mitigation status is set to “Previously Mitigated.” Recurring vulnerabilities can appear for several reasons including systems not being restarted after a patch was applied, virtual systems reverting to previous snapshots, and services that were disabled or failed to restart. Filters can be modified to include additional severities, exploitable vulnerabilities, and more. Organizations may find this component useful in identifying blind spots, prioritizing remediation efforts, and strengthening current patch management policies.

Anti-Virus Summary - Outdated Anti-Virus Clients: The Outdated Anti-Virus Clients component can assist organizations in monitoring the network for outdated anti-virus clients. Information provided within this component may indicate systems with anti-virus clients that are offline, disconnected, or out-of-date. Analysts can use the information provided to ensure that all anti-virus clients remain connected and up-to-date.

Vulnerability Top Ten - Top 10 Most Vulnerable Apple Networks: This chart provides a summary of the top ten most vulnerable Apple systems by subnet. The chart provides a vulnerability summary count by severity level.  The filter uses the plugin families for Apple, and severities of medium through critical.  When reviewing this chart, analysts can easily see the networks with the most concerns and allocate mitigation resources accordingly.

Vulnerability Top Ten - Top 10 Remediations: This table displays the top 10 remediations for the network. For each remediation, the risk reduction for the network if the remediation is implemented is shown, along with the number of hosts affected. The list is sorted so that the highest risk reduction is at the top of the list. Implementing the remediations will decrease the vulnerability of the network.

Vulnerability Top Ten - Top 10 Mobile Vulnerabilities: This table displays the top 10 vulnerabilities of mobile devices on the network. The list is sorted so that the most critical vulnerability is at the top of the list. For each vulnerability, the severity and the number of devices affected is shown.
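The component descriptions above all reduce to the same few operations over scan results: restrict findings by plugin family, severity, exploitability and mitigation status, roll hosts up to their /24 (the dashboard's "Class C Summary"), and rank the result. The script below is an added example, not Tenable code and not SecurityCenter's filter language; it reproduces that ranking logic over a small constructed set of findings so the "top ten" tables can be reasoned about outside the product. The `Finding` fields, the plugin-family matching rules (`Windows` prefix for Windows, `Local Security Checks` suffix for Linux/Unix) and all plugin names and addresses are assumptions built for the example.

```python
from collections import Counter, defaultdict
from ipaddress import ip_network
from typing import Callable, List, NamedTuple

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


class Finding(NamedTuple):
    host: str
    family: str        # Nessus plugin family (assumed naming)
    plugin: str
    severity: str
    exploitable: bool
    status: str        # "active", "previously mitigated" or "mitigated"


# Constructed sample findings for the example; not real scan output.
FINDINGS: List[Finding] = [
    Finding("10.1.2.10", "Windows", "SMB remote code execution (sample)", "critical", True, "active"),
    Finding("10.1.2.11", "Windows", "SMB remote code execution (sample)", "critical", True, "active"),
    Finding("10.1.2.11", "Windows : Microsoft Bulletins", "Outdated browser (sample)", "high", False, "active"),
    Finding("10.1.2.12", "Windows", "SMB signing not required (sample)", "medium", False, "active"),
    Finding("10.1.3.20", "Windows", "SMB remote code execution (sample)", "critical", True, "previously mitigated"),
    Finding("10.1.3.21", "Windows", "Weak RDP cipher (sample)", "low", False, "active"),
    Finding("10.1.3.22", "Windows", "Patched last quarter (sample)", "high", True, "mitigated"),
    Finding("10.2.0.5", "Red Hat Local Security Checks", "Kernel privilege escalation (sample)", "high", True, "active"),
    Finding("10.2.0.6", "Red Hat Local Security Checks", "Kernel privilege escalation (sample)", "high", True, "active"),
    Finding("10.2.0.6", "Red Hat Local Security Checks", "Sudo local root (sample)", "high", True, "active"),
    Finding("10.2.0.6", "Red Hat Local Security Checks", "OpenSSL denial of service (sample)", "medium", False, "active"),
    Finding("10.2.1.7", "Ubuntu Local Security Checks", "Kernel privilege escalation (sample)", "high", True, "previously mitigated"),
]

# Assumed family-matching rules for the OS-specific charts.
is_windows: Callable[[str], bool] = lambda fam: fam.startswith("Windows")
is_linux_unix: Callable[[str], bool] = lambda fam: (
    fam.endswith("Local Security Checks") and not fam.startswith("MacOS"))


def class_c(host: str) -> str:
    """Collapse a host address to its /24, as the Class C Summary tool does."""
    return str(ip_network(f"{host}/24", strict=False))


def at_least(severity: str, floor: str) -> bool:
    return SEVERITY_RANK[severity] >= SEVERITY_RANK[floor]


def is_active(f: Finding) -> bool:
    # Anything not in the mitigated section counts as active, including
    # findings that came back and were flagged "previously mitigated".
    return f.status != "mitigated"


def top_networks(findings, family_ok, floor="medium", n=10):
    """Severity counts per /24 for one plugin-family group, most findings first.
    Mirrors the 'Top 10 Most Vulnerable <OS> Networks' bar charts."""
    per_net = defaultdict(Counter)
    for f in findings:
        if is_active(f) and family_ok(f.family) and at_least(f.severity, floor):
            per_net[class_c(f.host)][f.severity] += 1
    ranked = sorted(per_net.items(), key=lambda kv: (-sum(kv[1].values()), kv[0]))
    return [(net, dict(counts)) for net, counts in ranked[:n]]


def top_exploitable_hosts(findings, n=10):
    """Hosts with the most exploitable high/critical findings ('Top 10 Most Vulnerable Hosts')."""
    counts = Counter(f.host for f in findings
                     if is_active(f) and f.exploitable and at_least(f.severity, "high"))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def top_exploitable_vulns(findings, n=10):
    """Exploitable plugins ranked by severity, then by affected-host count."""
    hosts, sev = defaultdict(set), {}
    for f in findings:
        if is_active(f) and f.exploitable:
            hosts[f.plugin].add(f.host)
            sev[f.plugin] = f.severity
    rows = [(p, sev[p], len(h)) for p, h in hosts.items()]
    return sorted(rows, key=lambda r: (-SEVERITY_RANK[r[1]], -r[2], r[0]))[:n]


def previously_mitigated_hosts(findings, n=10):
    """Hosts where a high/critical finding has come back after being mitigated."""
    counts = Counter(f.host for f in findings
                     if f.status == "previously mitigated" and at_least(f.severity, "high"))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    for title, rows in [("Windows networks", top_networks(FINDINGS, is_windows)),
                        ("Linux/Unix networks", top_networks(FINDINGS, is_linux_unix)),
                        ("Exploitable hosts", top_exploitable_hosts(FINDINGS)),
                        ("Exploitable vulns", top_exploitable_vulns(FINDINGS)),
                        ("Previously mitigated", previously_mitigated_hosts(FINDINGS))]:
        print(title)
        for row in rows:
            print("  ", row)
```

Two details carry over from the dashboard's own behaviour: a "previously mitigated" finding still counts toward a network's totals, because it is back in the active section, and the Class C rollup is a pure /24 grouping, so a host with many findings can dominate a subnet's bar even when the rest of that subnet is clean. Swapping `class_c` for a per-port key gives the Port Summary view mentioned for the hosts component.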