Vulnerabilities and Threats 101
Laura Taylor
4/21/2004
Vulnerabilities and threats pose on-going risks to enterprise networks. Finding vulnerabilities on your systems and networks is the first step to mitigating potentially extensive damage through network attacks. It is important to pro-actively look for vulnerabilities on a regular basis so that they can be resolved before persistent threats exploit them.
Vulnerabilities, Threats, and Safeguards
A computer vulnerability is a weakness in an operating system, application code, or configuration that makes it possible for threats to exploit the system (or underlying network) thereby creating negative impact or damage.
Threats are entities that act upon vulnerabilities in order to exploit them. A threat may be an unauthorized user such as a hacker, or even a system administrator trying to obtain access above and beyond their authorized level of privilege. Errant application or system processes can also act as threats and could erase valuable data if files and directories are not set with the correct permissions. Today's threats can prevent organizations from accomplishing their mission by causing significant downtime, altering information and inserting fraudulent information in its place, or removing and destroying information altogether. While it is clearly illegal to destroy data that does not belong to you, this has not stopped hackers from taking part in these disruptive crimes.
According to the CSI/FBI 2003 Computer Crime and Security Survey, the total annual loss caused by computer crime for the 251 organizations that responded was $201,797,340. According to the same survey, the largest loss came from theft of proprietary information.
Pro-Actively Finding Vulnerabilities
Before organizations can resolve vulnerabilities, they need to be pro-active in discovering them. It's not prudent to wait until a network engineer announces that an intruder has been discovered traipsing through valuable network resources; by that time it's too late. It is essential to determine what your systems' vulnerabilities are for the purpose of correcting them, before hackers discover what they are for the purpose of exploiting them. The best way to find system and network vulnerabilities is to audit your systems and networks on a regular schedule, at least twice a year, using vulnerability assessment tools.
IT organizations should rely on automated vulnerability assessment tools to find the vulnerabilities in their systems and networks. Vulnerability assessment tools, also known as scanning tools, can be targeted to run against an IP address, a range of IP addresses, hostnames, Web sites, firewalls, routers, and other critical infrastructure for the purpose of discovering the vulnerabilities associated with those systems and networks. Leading system and network scanners produce in depth reports that provide detailed information on the particular vulnerabilities discovered, their criticality, and also how to resolve them.
Online network scanners are updated on the back end, which means they are always current. Leading vendors of online scanners typically add checks for newly published vulnerabilities every week. While scanners that you install on your own infrastructure are still heavily used today, the popularity of online scanners is rapidly increasing due to their ease of use and the fact that manual updates are not required as new vulnerabilities are discovered. Originally, online scanners could only scan your network from outside your network perimeter, and were not well suited for insider-threat scans. However, many online scanners today offer appliance solutions that you can plug into your internal network while still taking advantage of the Web interface and all the online capabilities, including dynamic updates.
Nessus is a robust, open-source scanner that is available for free to all organizations. With Nessus available, even small organizations with limited budgets can scan their systems and networks for vulnerabilities.
Today's leading scanners are able to scan for thousands of vulnerabilities at a time. While you can often scan one system in less than an hour, if you're scanning a large enterprise network, you may need to let the scanner run for a couple of days. Scanners are either intrusive or non-intrusive. If you are using an intrusive scanner, you should only scan your network during off hours such as late at night or on the weekend. While intrusive scanners may perform additional tests, searching for deeper vulnerabilities, they also have the potential to bring down applications and servers. If you scan your network using a non-intrusive scanner, the only effect you should see on the operation of your systems and networks is increased network traffic, and possibly minute performance delays on the systems currently being scanned. Some scanners are designed specifically to scan applications, while others are designed to scan both operating systems and applications.
Prioritizing Resolutions and Determining Impact to Infrastructure
Once vulnerabilities have been identified, your organization will not be able to resolve all of them at once. Therefore, you'll want to prioritize the vulnerabilities according to which ones are most likely to be exploited, and which ones would cause the most damage if they were in fact exploited; risk is the combination of the two. Vulnerabilities that have a low likelihood (or probability) of being exploited, and vulnerabilities that would have a low impact on your infrastructure if they were exploited, pose the least risk and should be put at the bottom of your list.
In prioritizing which vulnerabilities to resolve first, one thing you'll want to take into consideration is the sensitivity of the data on the systems that are impacted. For example, if you have an isolated lab environment that is used to test and stage new products that you are thinking of deploying on your network, the data on these systems is likely not as sensitive as the data on your primary DNS server. You need to have an understanding of what data on your network is highly sensitive. Even though you may not be able to rank the sensitivity of all the data from, say, 1 to 100, you should be able to at least assign sensitivity labels to data on your systems on a relative scale such as the following:
- Extremely sensitive
- Highly sensitive
- Moderately sensitive
- Minimally sensitive
- Non-sensitive
Any data that puts lives at stake should be categorized as extremely sensitive. Data that can be easily re-created, and is public read-only information, is non-sensitive. Some organizations make the mistake of fixing the easiest-to-exploit vulnerabilities first, instead of first fixing the vulnerabilities that would cause the most damage. Organizations need to inventory the data on all mission-critical servers and assign sensitivity levels to it.
Calculating Data Sensitivity and Impact of Threats

| Data Sensitivity | Likelihood of Exploitation: Low | Likelihood of Exploitation: High |
|---|---|---|
| High | Moderately High Sensitivity and Impact | High Sensitivity and Impact |
| Low | Less Sensitive, Low Impact | Moderately-Low Sensitivity and Impact |

Rows: data sensitivity on the affected system. Columns: likelihood or probability of the vulnerability being exploited.
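The following is an added example, not code from the article, that carries the prioritization rule above into a small script: each finding from a scan is tagged with the sensitivity label of the data on the host and a 1-to-5 likelihood of exploitation, placed into the cell of the table it belongs to, and ordered for remediation so that the most damaging vulnerabilities come first rather than the easiest to exploit. The numeric weights, the Low/High thresholds, and the findings themselves are constructed assumptions for illustration.

```python
"""Ranking vulnerability-scanner findings by data sensitivity and likelihood.

Added example for this article; the findings below are constructed sample
data, not output from Nessus or any other real scanner.
"""
from dataclasses import dataclass

# The article's relative sensitivity scale, mapped to numeric impact weights
# (the weights are an assumption of this example).
SENSITIVITY = {
    "extremely sensitive": 5,
    "highly sensitive": 4,
    "moderately sensitive": 3,
    "minimally sensitive": 2,
    "non-sensitive": 1,
}

# Assumed thresholds that split the 1..5 scales into the table's Low/High axes.
HIGH_LIKELIHOOD = 4   # 4-5: public exploit, default credentials, no skill needed
HIGH_SENSITIVITY = 4  # highly or extremely sensitive data on the host


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    likelihood: int    # 1 (hard to exploit) .. 5 (trivially exploited)
    sensitivity: str   # label of the most sensitive data on the host

    def impact(self) -> int:
        return SENSITIVITY[self.sensitivity]

    def risk_score(self) -> int:
        # Risk grows with both axes, so rank on their product.
        return self.likelihood * self.impact()

    def quadrant(self) -> str:
        """Cell of the article's sensitivity x likelihood table."""
        high_l = self.likelihood >= HIGH_LIKELIHOOD
        high_s = self.impact() >= HIGH_SENSITIVITY
        if high_s and high_l:
            return "High Sensitivity and Impact"
        if high_s:
            return "Moderately High Sensitivity and Impact"
        if high_l:
            return "Moderately-Low Sensitivity and Impact"
        return "Less Sensitive, Low Impact"


def prioritize(findings):
    """Order findings for remediation: highest risk first; on a tie, the one
    touching the more sensitive data wins, so an easy-to-exploit hole on a
    lab box does not outrank a harder one on a production server."""
    return sorted(findings, key=lambda f: (f.risk_score(), f.impact()), reverse=True)


def remediation_plan(findings):
    """(host, quadrant, score) tuples in the order they should be fixed."""
    return [(f.host, f.quadrant(), f.risk_score()) for f in prioritize(findings)]


# Constructed sample findings (hostnames and titles are illustrative only).
SAMPLE_FINDINGS = [
    Finding("lab-stage-01", "Anonymous FTP upload allowed", 5, "minimally sensitive"),
    Finding("www-public", "Directory listing enabled", 3, "non-sensitive"),
    Finding("dns-primary", "Unpatched name server, public remote exploit", 5, "highly sensitive"),
    Finding("hr-fileserver", "World-writable share reachable via guest account", 2, "extremely sensitive"),
    Finding("payroll-db", "Default administrator password", 4, "extremely sensitive"),
]

if __name__ == "__main__":
    for host, cell, score in remediation_plan(SAMPLE_FINDINGS):
        print(f"{score:>3}  {cell:<40} {host}")
```

Run as a script, it lists the sample findings with the payroll database and the primary DNS server at the top; the lab host's anonymous FTP hole, although the easiest of the five to exploit, lands below the low-likelihood but extremely sensitive file-server finding, which is exactly the ordering the article argues for.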
Common Information Security Vulnerabilities and Threats
The MITRE Corporation, a not-for-profit Federally Funded Research and Development Center, has put together a dictionary of Common Vulnerabilities and Exposures (CVE) related to information security. The dictionary is available free, to the public at http://cve.mitre.org/cve/index.html
CVE is a naming system and was put together due to the confusion surrounding the fact that different information technology vendors began putting in place different names for the same vulnerabilities. Today, many security vulnerability assessment scanning vendors, and intrusion detection vendors, have adopted MITRE's naming convention in the reports that their products generate.
CERT, a part of the Software Engineering Institute at Carnegie Mellon, does a nice job of advising the information technology community of current information security vulnerabilities that are often new and unreported elsewhere. In the event that vulnerabilities in your organization have already been exploited, CERT also includes information on incident response related to security break-ins. CERT makes its information available for free to the general public and provides information on the vulnerability impact as well as recommendations for resolution.
The nice thing about both CVE and CERT is that they are both vendor-neutral resources that are not aligned with any sort of products or saleable services. Both resources include searchable archives.
The US-CERT Web site provides computer security vulnerability information geared towards U.S. Federal Agencies. However, this information is also freely available and includes information that can be useful to private organizations and non-federal agencies. US-CERT is accessible from http://www.us-cert.gov/index.html.
US-CERT is hosted by the U.S. Department of Homeland Security and also includes information about malicious code and viruses.
A Word to the Wise
Today's IT organizations cannot take the time to look for vulnerabilities manually. Using an automated scanning tool for the purpose of resolving vulnerabilities is an absolute necessity. Once vulnerabilities are discovered, it is important to prioritize the resolution of them according to risk exposure and damage impact. If your organization is a federal agency, a financial institution, or an organization that is responsible for the stewardship of life-critical data, it is irresponsible not to conduct periodic security vulnerability assessments.