Vulnerability scanning and research

Cristian Florian is a product manager at GFI Software in charge of GFI LANguard, a network security scanning and patch management solution. In this interview he discusses vulnerability scanning and research.

Many upcoming security professionals are interested in hunting for vulnerabilities. What advice would you give to those just starting out?
A good start is to make sure they understand the basic terms used in the industry: ports, port scanning, vulnerability, vulnerability assessment, exploit, penetration testing, security patch, and so on.

Looking for vulnerabilities is today much easier than it used to be in the past because there are a lot of good vulnerability scanners available on the market. And they save a lot of time in the process to assess the security of the network. But this does not mean that people working in the field should not have a solid background in computer networks and security. It is a must to know how networks can be attacked and what the recommended actions are. This is important because severity, prioritization and solutions for security issues are highly dependent of the environment and only humans can see and factor in all environmental constraints.

It might sound easy: you find as many vulnerabilities as possible using vulnerability scanners and you fix them. In reality you will find vulnerabilities that specialized tools won’t because they do not have the big picture of your network. And you will often encounter security issues that cannot be fixed because that would prevent some business critical software from functioning properly. In these cases the administrator’s task is to build the necessary defenses to make sure that nobody will be in a position to exploit the vulnerabilities that remain.

Security is so challenging because it is all about keeping a fine balance between policies enforcement and productivity.

Users always wonder how to find the vulnerability scanner that is best for their needs. What criteria should they base their decision on?
Finding the vulnerability scanner that fits best your environment is a hard task. There are a lot of products on the market but none of them stands out as the absolute leader. It is very difficult to name which is the best of them. According to an IDC study published last month (February 2011) the top 15 competitors on security and vulnerability management market only cover 52.3% of the total market, with none of the vendors having even 8% market share.

Some important points to consider are:

Environment – One of the main things is to ensure that the product works with the devices, operating systems and applications that you have in your network. Some of the tools support only Windows environments, others only Linux and others both.

Special environments might need specialized tools. There are applications specialized in auditing databases, wireless networks or web applications only.

Scalability – For large or distributed networks the deployment options are very important. The product must cope with high loads or work with low bandwidth availability.

The common options are:

On premise – Gives you full control over the solution and it is easy to scale to work with a network that is increasing in size over time. But it takes more time and experience to deploy as compared with hosted services and appliances. On premise solutions can further be split into agent based or agent less solutions (some of them support both approaches). Agent less solutions are designed for easy management, while agent based are optimized for better performance and large networks.

Hosted services – Are easy to setup and can be very flexible regarding licensing. The downside is that there is less control as compared to on-premise solutions and critical security information about your network is going outside the company and into third-party’s hands.

Hardware appliances – They are easy to setup, but they are harder to evaluate when compared with the other options and they only scale in large steps

Results accuracy – Analysis, prioritization and remediation of security issues can be quite time consuming. It is important to use this time wisely and secure the network as fast as possible. A low rate of detection of critical security issues, failure to update vulnerability definitions in a timely manner, reporting a large number of false positives or duplicates are all barriers that slow down the process to secure the network.

A good approach to vulnerability assessment is to start by using a patch management solution to detect and deploy missing security updates first. Patch management solutions usually have more rigorous results simply because they need to deploy fixes based on the findings. This leads to optimization such as the following:

• Instead of showing a report with 10 different vulnerabilities to analyze, it generates a report for one patch that fixes the 10 vulnerabilities
• Instead of showing 10 missing hot fixes that need to be analyzed, it generates a report showing a cumulative patch that includes the 10 missing hot fixes.

Remediation options – Some tools focus only on finding vulnerabilities and generating reports with the findings, others assist with remediation as well. This assistance can consist of a ticketing system to help keep track of the remediation progress; or mean path management; or the automatic uninstall of software that is not authorized in the network; or easy network wide deployment of custom software and scripts, etc.

Usability and reporting – It’s simpler to analyze the security status of the network if the information is presented in a well structured form and easy to follow.

Pricing and licensing – The cost is important especially in small businesses where IT budgets are limited. Some products target large enterprises and the price increases accordingly, others are focused on small and medium businesses and their prices are lower.

Not all licensing models are the same: some products are licensed per instance and other per node; some licenses are perpetual, while others are subscription based.

How important is vulnerability scanning in the overall security architecture of an organization? Why do you think some tend to overlook its usefulness?
While software like antivirus solutions, for example, are dealing with malware once it is detected in your network, the aim of vulnerability scanning is to point to those holes in the network that malware can use to penetrate the network. Vulnerability scanning is vital to maintain security of a network because it is the most important way to measure how secure that IT network is and it also assists with the remediation operations that minimize the risks of security breaches. During the process, computers are checked against the latest known security threats and the administrator is told what the latest security fixes are.

I think the most common reasons why some companies are overlooking vulnerability assessment is either because they don’t have the necessary expertise to be aware that they need it or because they are underestimating the risks and see it as an unnecessary cost.

Unfortunately, for a large number of companies a security incident is what makes them realize they need the tools to assess and improve their security.

How often should one run vulnerability scans on their network?
New vulnerabilities are discovered every day and software vendors release security updates all the time. Microsoft alone has released 106 security bulletins in 2010. Other vendors of popular tools like Mozilla, Adobe, Apple, Google and Oracle also released an impressive number of security updates.

This means that a system which is secure today will become less and less secure as each day passes, unless it is not updated with latest security fixes on regular basis.

It is very important that an administrator is aware of security issues as soon as possible because remediation cannot be done instantly and needs some foreword planning. The longer the delay between vulnerability disclosure date and the moment you learn about it, the greater are the risks.

A good vulnerability scanner should be able to scan in the background your network on daily basis and notify users when new security issues are found. This ensures almost real-time vulnerability detection and allows for efficient remediation planning.

If the company does not have the resources or the right tool to do this daily then probably a weekly scan is a good compromise. Scanning a network less frequently will put the network at risk.

What advice would you give to those presenting the results of the vulnerability scan to upper management? How can they make sure the results are understandable to a less technical audience?
The technical results of a vulnerability scan are a snapshot of the network security status. What senior management usually is interested in getting from these results are current security status and vulnerability trends. If the vulnerability scanner tool has good reporting capabilities then this should be easy to achieve.

However senior management needs to see what benefits regular vulnerability scanning can bring to the company. And these are:

• It greatly helps to improve security of the IT infrastructure. Security breaches can lead to data theft, data loss, downtime, reputation issues or even legal penalties.
• Improved productivity of the IT department. They were responsible with security anyway, but now a lot of their tasks are automated and they can do it faster and better.
• Achieve compliance. There are a lot of regulations (like PCI DSS, HIPAA, GCSx CoCo, etc.) that impose regular vulnerability assessment. Prove with these reports that your network is secure.