Constantly assessing the security of your own systems is an important task in maintaining a secure network. I relate regular security assessments to personal hygiene, such as brushing your teeth everyday (and even more "in-depth" maintenance such as flossing and using mouthwash). All of these actions are an effort to prevent "bad things" from happening. Often, the "bad thing" hasn't happened yet, and you are trying to get ahead of the curve to protect yourself from cavities, gum disease, or worst-case, all of your teeth falling out. Vulnerability management plays the same role in your organization. By regularly assessing your systems, finding problems, and fixing them, you hope to get ahead of the curve and prevent bad things from happening, such as data leakage, breaches, and compromises of your systems by “evil bad guys”.
As I stated above, finding the vulnerabilities is just the first step. You must have a process in place to fix the vulnerabilities that you've identified. After that, your processes need to check to be certain that a vulnerability was remediated. Your plan for network health has to track vulnerability remediation, and empower those responsible to be in the loop and fix the problems before something "bad" happens (if it were only so easy as brushing, flossing, and using mouthwash). Tenable has a suite of tools to help you both find as many vulnerabilities as possible and implement a process for continued remediation. Below are some examples:
- SecurityCenter - Nessus vulnerability scanning can be accomplished on an enterprise scale, allowing you to customize reports, alert on any number of given conditions, load balance scanners, and allow members of your organization to have private accounts to initiate scans and review the results.
- Passive Vulnerability Scanning - PVS will further expand your "network preventative hygiene" by passively monitoring your network for vulnerabilities and conditions which violate usage policies. Some systems will use firewalls to prevent scanning across the network, and using credentials to scan unmanaged systems is unlikely to happen. However, if it communicates on the network you can find vulnerabilities based on the network traffic with PVS (browser User-Agent strings, services banners, and more).
- Scanning with Credentials - By logging into the remote system, Nessus will identify missing patches in local software, or compare your systems settings to those of known security standards (e.g. PCI, CIS benchmarks, or DISA). Credentialed scans also reveal conditions on the remote host that could present security risks, such as USB device history, attached modems, or even the pretense of select malware.
Many companies are using the ability to exploit a given vulnerability as a factor in their evaluation of risk. This occurs at different levels, the most extreme being "it will get attention when someone can prove that it can be exploited in our environment". I liken this to a conversation with your doctor (and a page from the Marcus Ranum book on information security). Few people when confronting their dentist will use the words "prove it". For example, if your dentist tells you a cavity exists, few will let it go until it hurts really bad, or ask the dentist to further prove a cavity exists by drinking large quantities of extremely hot or cold liquids. Another interesting aspect of risk management and security is when you feel "pain".
Typically, when you experience a toothache, the longer you wait, the more painful it becomes. You may have a cavity that does not cause you pain now, but at some point it will certainly become painful. Your remediation strategy becomes drastically different when you experience pain, as you will visit the doctor immediately and undergo any procedure they recommend to end the pain. Unfortunately, I've seen this all too often when it comes to security. You can explain to an organization that the problem they have now, although not causing any immediate "pain", should be remediated. Often, this recommendation will get put off, until such time they notice a major breach or experience network downtime. Then your phone is ringing off the hook to implement whatever it takes to fix the problem (e.g. "Can you implement all those patches across all of the systems right now?").
This scenario seems to be part of human nature; we need to see or experience something "bad" before we do anything to prevent it. Rather than fight human nature, we have many tools at our disposal to show an exploit in action. Sometimes folks just need to see something in action, and rather than argue with staff in your organization, you can more easily demonstrate an exploit.
However, if you are constantly challenged to "prove it" in your organization, or only implement security post-security breach, I strongly recommend working to improve risk management methods by relying on exploitability data. For example, Nessus supports several ways in which to determine if a vulnerability has an exploit associated with it. This functionality has undergone several enhancements recently, including support for identifying vulnerabilities for which there is an exploit in Metasploit, Core IMPACT, CANVAS, CANVAS D2 & White phosphorus exploit packs, Exploit Hub, and Exploit DB. We also identify vulnerabilities that are exploitable, but no exploit code is required (the best example of this is an authentication bypass vulnerability in a web application). Further, you can now select plugins or results that will identify not only if an exploit exists, but how easy or difficult it is to exploit a given vulnerability (See the filter called "exploitability ease"). Armed with this information you can produce some excellent metrics on "exploitability" in your environment, and directly apply it to your risk management program.
Penetration testing is an exercise that goes beyond exploitation. While pen-testing is incorporated in the process, it includes activities that go more in-depth. For example, a penetration test should include some element of social engineering, tying together vulnerabilities to accomplish goals, and working with IT security professionals to test your defenses and incident response procedures. This is similar to the visit to your dentist where an x-ray is performed of your entire mouth, gums and tongue are checked for any abnormalities, and each tooth is given a gentle prod to determine if a cavity exists.
In talking with many penetration testers, or reading about how Anonymous was able to penetrate a major company, I am always curious how they were able to gain unauthorized access. Too many times the answer ends up being a weak or default password, an unprotected network share, or a missing critical patch. Nessus, and by extension SecurityCenter, can be used very successfully to find the "low hanging fruit" before your penetration testing team shows up and hopefully before the evil bad guys exploit these weaknesses. With the new plugin filtering inside Nessus, you can very carefully construct targeted scans that will run more frequently, with less impact, and pinpoint the vulnerabilities that are the easiest to find, and do the most damage. Take for example discovering weak or default passwords on systems and services. By creating a custom policy and using a plugin filter that searches the "solutions" section for the term "password", it will find over 250 plugins that look for default or weak passwords. This type of scan can be run with little impact to the network and your targets, and when it finds a vulnerability it is typically an easy fix.
By constantly assessing your environment for vulnerabilities you force attackers and penetration testers to work harder. So when it comes time for your penetration test, it can be much more effective and focus on vulnerabilities that are more difficult to find and become an extension of your vulnerability management program.
While some of this post may be a "tongue in cheek" look (sorry, I couldn't resist) at security, risk, and vulnerability management, it underscores some important points. Self-assessments play an important role in the security of your organization. Vulnerability management is a process that fits into your overall IT management strategy and aims at helping your systems administrators provide stable systems with the highest integrity. Proving that "bad things" can happen, while isn't the best model, can be accomplished in many ways, including using data already available on given vulnerabilities and exploits. Finally, automating as much as possible the discovery and remediation of vulnerabilities in the "low hanging" fruit category will not only make your environment more secure, but also lead to better penetration testing.