Industry Article - Jun 06 Issue
Effective Ways to Decrease Cyber Attacks (continued, page 3)
- Top Down Method: In a top down methodology, the AVR solution provides the process and automation for an organization to specify the security policies and device configurations it requires, and then to audit and enforce compliance with those policies across the organization.
For example, ACME Widgets wants to use an AVR tool to audit and enforce the NSA hardening policy for Windows XP. The AVR solution should ship with a baseline version of the NSA policy and other policies that ACME can selectively deploy, in an automated fashion, both to check devices for compliance and to enforce the policy's configuration on devices across the network.
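As an added illustration (not code from the article or from any AVR product), the following Python sketches the loop a top-down tool performs: a declarative baseline of rules, an audit that evaluates a device's configuration against it, and an enforcement step that rewrites only the settings that drift. The setting names, values and the workstation snapshot are constructed for the example and are not taken from the NSA guide or any published policy.

```python
"""Audit a device's configuration against a declarative hardening baseline
and enforce only the settings that drift (top-down AVR, added example)."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

# Comparison operators a baseline rule may use. "between" is inclusive and
# exists because for several Windows policy values 0 means "never", so a
# plain upper bound would wrongly accept it.
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda actual, expected: actual == expected,
    "min": lambda actual, expected: actual >= expected,
    "between": lambda actual, expected: expected[0] <= actual <= expected[1],
    "in": lambda actual, expected: actual in expected,
}


@dataclass(frozen=True)
class Rule:
    setting: str   # configuration key as exposed by the device
    operator: str  # key into OPERATORS
    expected: Any  # required value, lower bound, range or allowed values
    remedy: Any    # value written when enforcing a non-compliant setting


@dataclass(frozen=True)
class Finding:
    setting: str
    actual: Any
    rule: Rule
    compliant: bool


# Constructed baseline. The setting names echo Windows security-policy items
# but the values are illustrative, not copied from any published guide.
BASELINE: List[Rule] = [
    Rule("MinimumPasswordLength", "min", 8, 8),
    Rule("MaximumPasswordAge", "between", (1, 90), 90),
    Rule("LmCompatibilityLevel", "min", 3, 5),
    Rule("EnableGuestAccount", "eq", False, False),
    Rule("TelnetStartupType", "in", ("Disabled", "Manual"), "Disabled"),
]


def audit(config: Dict[str, Any], baseline: List[Rule] = BASELINE) -> List[Finding]:
    """Evaluate every rule. A setting absent from the device is reported as
    non-compliant rather than silently skipped."""
    findings = []
    for rule in baseline:
        actual = config.get(rule.setting)
        if actual is None:
            ok = False
        else:
            try:
                ok = OPERATORS[rule.operator](actual, rule.expected)
            except TypeError:  # e.g. a string where a number was expected
                ok = False
        findings.append(Finding(rule.setting, actual, rule, ok))
    return findings


def non_compliant(findings: List[Finding]) -> List[str]:
    return [f.setting for f in findings if not f.compliant]


def enforce(config: Dict[str, Any], baseline: List[Rule] = BASELINE
            ) -> Tuple[Dict[str, Any], List[Tuple[str, Any, Any]]]:
    """Return a corrected copy of the configuration plus a change log of
    (setting, before, after). Compliant settings are left untouched, so
    running enforcement twice produces no second change."""
    new_config = dict(config)
    changes = []
    for f in audit(config, baseline):
        if not f.compliant:
            new_config[f.setting] = f.rule.remedy
            changes.append((f.setting, f.actual, f.rule.remedy))
    return new_config, changes


# Constructed snapshot of one workstation's relevant settings.
WORKSTATION: Dict[str, Any] = {
    "MinimumPasswordLength": 6,    # too short
    "MaximumPasswordAge": 0,       # 0 = never expires; must not pass
    "LmCompatibilityLevel": 5,     # already hardened
    "EnableGuestAccount": False,
    # TelnetStartupType is missing: unknown state is treated as a failure
}

if __name__ == "__main__":
    for f in audit(WORKSTATION):
        print(f"{'OK  ' if f.compliant else 'FAIL'} {f.setting}: {f.actual!r}")
    fixed, log = enforce(WORKSTATION)
    print("changes:", log)
    print("still non-compliant:", non_compliant(audit(fixed)))
```

The two design points worth copying into a real tool are the "between" operator (a plain maximum would accept 0, which on Windows means the password never expires) and the treatment of a missing setting as a failure rather than a pass.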
- Bottom Up Method: In a bottom up methodology, the AVR solution provides the process and automation for an organization to aggregate vulnerability information from independent assessment tools, and then provides automated remediation for the vulnerabilities detected. Aggregation from the various sources may rely on the native formats each assessment tool produces, on standard data exchange formats such as XML, CSV or SQL exports, or on industry standards such as OVAL (Open Vulnerability Assessment Language) or AVDL (Application Vulnerability Definition Language).
To demonstrate a bottom up methodology, consider the following example. ACME Widgets has used a well-known vulnerability assessment tool to assess its network for vulnerabilities and now wants to use an AVR solution to remediate the vulnerabilities the scanner identified. To remediate effectively, the AVR solution must import the vulnerability information from the assessment tool, aggregate it, associate each vulnerability with a remedy, and provide selective automated deployment of those remedies to targeted devices on the network. Because each tool reports in its own identifiers and severity scale, the import step must normalize those before findings from different tools can be combined.
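The following Python is an added example, not part of the article or of any vendor's product, of that import-and-aggregate step: two scanner exports in different formats (a CSV layout and an XML layout, both constructed here rather than real vendor formats) are parsed, normalized onto one hostname convention and one severity scale, deduplicated, and joined to a remedy catalog. CVE-2005-1983 is the PnP vulnerability fixed by MS05-039 (KB899588); the EXAMPLE-* identifiers and the remedy text are placeholders.

```python
"""Aggregate vulnerability findings from two independently formatted scanner
exports into one normalized view and attach remedies (bottom-up AVR,
added example)."""
import csv
import io
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed exports: neither layout is a real vendor's format. The
# EXAMPLE-* identifiers are placeholders; CVE-2005-1983 is the PnP flaw
# fixed by MS05-039.
SCANNER_A_CSV = """host,port,cve,severity
web01.example.test,445,cve-2005-1983,High
web01.example.test,139,CVE-2005-1983,High
mail01.example.test,25,EXAMPLE-0002,Medium
"""
SCANNER_B_XML = """<?xml version="1.0"?>
<report>
  <host name="WEB01.example.test.">
    <vuln id="CVE-2005-1983" risk="4"/>
    <vuln id="EXAMPLE-0001" risk="2"/>
  </host>
  <host name="db01.example.test">
    <vuln id="CVE-2005-1983" risk="4"/>
  </host>
</report>
"""
# Scanner A reports words, scanner B a 1..4 number; both map onto one scale.
SEVERITY_WORDS = {"low": 1, "medium": 2, "high": 3, "critical": 4}
Row = Tuple[str, str, int, str]  # (host, vuln_id, severity, source)


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    severity: int            # highest severity any scanner assigned
    sources: FrozenSet[str]  # scanners that reported it


def norm_host(name: str) -> str:
    """Hostnames differ in case and trailing dots between tools."""
    return name.strip().lower().rstrip(".")


def norm_id(vuln_id: str) -> str:
    return vuln_id.strip().upper()


def parse_scanner_a(text: str) -> List[Row]:
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        sev = SEVERITY_WORDS[r["severity"].strip().lower()]
        rows.append((norm_host(r["host"]), norm_id(r["cve"]), sev, "scanner_a"))
    return rows


def parse_scanner_b(text: str) -> List[Row]:
    rows = []
    for host in ET.fromstring(text).iter("host"):
        h = norm_host(host.get("name", ""))
        for v in host.iter("vuln"):
            rows.append((h, norm_id(v.get("id", "")), int(v.get("risk", "1")), "scanner_b"))
    return rows


def aggregate(*row_lists: List[Row]) -> List[Finding]:
    """Collapse duplicates (same host and vulnerability, whether seen on
    several ports or by several scanners) into one finding per pair."""
    merged: Dict[Tuple[str, str], Tuple[int, set]] = {}
    for rows in row_lists:
        for host, vid, sev, src in rows:
            prev_sev, prev_src = merged.get((host, vid), (0, set()))
            merged[(host, vid)] = (max(prev_sev, sev), prev_src | {src})
    return sorted((Finding(h, v, s, frozenset(src)) for (h, v), (s, src) in merged.items()),
                  key=lambda f: (f.host, f.vuln_id))


# Remedy catalog keyed by vulnerability id (constructed; the MS05-039 entry
# names the real bulletin and its KB article).
REMEDIES: Dict[str, str] = {
    "CVE-2005-1983": "Install MS05-039 update (KB899588)",
    "EXAMPLE-0001": "Disable the example service",
}


def remediation_plan(findings: List[Finding]) -> Tuple[Dict[str, List[str]], List[Finding]]:
    """Map each finding to a remedy per host. Findings with no catalogued
    remedy are returned separately instead of being silently dropped."""
    per_host: Dict[str, List[str]] = defaultdict(list)
    unresolved = []
    for f in findings:
        remedy = REMEDIES.get(f.vuln_id)
        if remedy is None:
            unresolved.append(f)
        elif remedy not in per_host[f.host]:
            per_host[f.host].append(remedy)
    return dict(per_host), unresolved


if __name__ == "__main__":
    found = aggregate(parse_scanner_a(SCANNER_A_CSV), parse_scanner_b(SCANNER_B_XML))
    for f in found:
        print(f.host, f.vuln_id, f.severity, sorted(f.sources))
    plan, missing = remediation_plan(found)
    print(plan)
    print("no remedy yet:", [(f.host, f.vuln_id) for f in missing])
```

Note that the same PnP finding reported by both scanners on web01 (and on two ports by scanner A) becomes a single finding carrying the higher of the two severities, and that a finding with no catalogued remedy is surfaced for a human rather than lost.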
- Targeted Method: In a targeted methodology, the AVR solution collects and stores asset inventory information for the managed devices on the network. That inventory is used to rapidly detect vulnerable devices and to drive risk calculations and the prioritization of remediation and auditing activities.
This targeted methodology is most easily demonstrated through the following example. On August 9, 2005, Microsoft released six security patches, four of them rated critical. On August 11, 2005, an exploit was released for a vulnerability in the PnP architecture that one of the newly released patches (MS05-039) resolved. On August 14, 2005, the Zotob worm was found propagating in the wild using that exploit. With the window to remediate compressed to three days in this real-life case, organizations had no time to scan the network to find the devices that needed the patch; standard scan-and-patch techniques can take days and sometimes weeks to complete a full assessment of a large network. An AVR solution that already holds asset inventory information can identify the devices exposed to the vulnerability as soon as the vendor announces the patch and deploy the missing patches immediately. That detection is only as reliable as the inventory is current, so inventory must be collected continuously rather than at scan time.
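As an added example (not code from the article), this Python shows how a stored inventory answers "which hosts need MS05-039?" without a scan: an asset is exposed if its platform is in the bulletin's affected list and neither the fixing KB nor a patch that supersedes it is installed. The affected platforms and KB899588 are taken from the MS05-039 bulletin as this example understands it (verify against the vendor's bulletin before relying on them); the superseding KB, the host records and the seven-day freshness limit are constructed.

```python
"""Find hosts exposed to a newly released bulletin from stored asset
inventory, without a network scan (targeted AVR, added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    host: str
    product: str                   # e.g. "Windows XP"
    service_pack: Optional[int]    # None when inventory never recorded it
    installed_kbs: FrozenSet[str]  # patches the agent has inventoried
    last_seen_days: int            # age of the inventory record


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    fixes: Dict[Tuple[str, int], str]  # (product, SP) -> KB that closes the hole
    superseded_by: Dict[str, str]      # KB -> later KB that carries the same fix


# Platform list and KB number as given in the MS05-039 bulletin (an assumption
# of this example; check the vendor bulletin). The superseding KB is a
# constructed placeholder.
MS05_039 = Bulletin(
    "MS05-039",
    fixes={
        ("Windows 2000", 4): "KB899588",
        ("Windows XP", 1): "KB899588",
        ("Windows XP", 2): "KB899588",
        ("Windows Server 2003", 0): "KB899588",
        ("Windows Server 2003", 1): "KB899588",
    },
    superseded_by={"KB899588": "KB-EXAMPLE-ROLLUP"},
)


def accepted_kbs(bulletin: Bulletin, kb: str) -> set:
    """The direct fix plus every patch that supersedes it."""
    chain, nxt = {kb}, bulletin.superseded_by.get(kb)
    while nxt and nxt not in chain:
        chain.add(nxt)
        nxt = bulletin.superseded_by.get(nxt)
    return chain


def required_kb(asset: Asset, bulletin: Bulletin) -> Optional[str]:
    """KB this asset needs, or None if its platform is not affected. When the
    service pack is unknown, assume the worst: any affected SP of the product
    makes the host a candidate."""
    if asset.service_pack is not None:
        return bulletin.fixes.get((asset.product, asset.service_pack))
    for (product, _sp), kb in bulletin.fixes.items():
        if product == asset.product:
            return kb
    return None


def is_exposed(asset: Asset, bulletin: Bulletin) -> bool:
    kb = required_kb(asset, bulletin)
    if kb is None:
        return False
    return not (accepted_kbs(bulletin, kb) & asset.installed_kbs)


def deployment_list(inventory: List[Asset], bulletin: Bulletin, max_age_days: int = 7
                    ) -> Tuple[Dict[str, List[str]], List[str]]:
    """Hosts to patch, grouped by KB, plus hosts whose inventory record is too
    stale to trust and should be re-inventoried (or scanned) first."""
    by_kb: Dict[str, List[str]] = {}
    stale = []
    for a in sorted(inventory, key=lambda a: a.host):
        if a.last_seen_days > max_age_days:
            stale.append(a.host)
            continue
        if is_exposed(a, bulletin):
            by_kb.setdefault(required_kb(a, bulletin), []).append(a.host)
    return by_kb, stale


# Constructed inventory snapshot.
INVENTORY = [
    Asset("ws01", "Windows XP", 2, frozenset({"KB-EXAMPLE-OTHER"}), 1),  # missing the fix
    Asset("ws02", "Windows XP", 2, frozenset({"KB899588"}), 1),          # patched directly
    Asset("ws03", "Windows XP", 2, frozenset({"KB-EXAMPLE-ROLLUP"}), 1), # covered by supersedence
    Asset("ws04", "Windows XP", None, frozenset(), 2),                   # SP unknown: treated as exposed
    Asset("srv01", "Windows Server 2003", 1, frozenset(), 1),            # missing the fix
    Asset("nix01", "Red Hat Enterprise Linux", None, frozenset(), 1),    # platform not affected
    Asset("ws05", "Windows XP", 2, frozenset(), 30),                     # record too old to trust
]

if __name__ == "__main__":
    targets, stale = deployment_list(INVENTORY, MS05_039)
    print("deploy:", targets)
    print("re-inventory first:", stale)
```

The result is available the moment the bulletin's metadata is loaded, which is the point of the targeted method; the stale list is the honest answer for hosts the inventory cannot vouch for.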
Remediation Best Practices
Now that you have a better understanding of the methodologies and tools surrounding vulnerability detection and remediation, you can begin planning your remediation efforts using your tools of choice. Keep in mind that remediation touches many parts of an organization and requires its own set of best practices. It will require resources and involvement from a number of departments; the practices below will help keep you on track.
- Identify Mission Critical Resources
Before beginning the remediation process, identify and prioritize systems. Start with the perimeter of the organization. Perimeter devices are typically the gatekeepers that control access into the organization: web servers, mail servers, VPN routers and the like. By identifying these resources and concentrating on them first, you ensure that your remediation effort goes toward preventing outside attacks.
After securing the perimeter, turn to the internal networks. Many security issues arise not only from external breaches but also from current and former employees who have inside knowledge of systems, applications and processes. These users appear trusted within the system yet can be the weakest link in any security strategy. Network security personnel who analyze network traffic to harvest passwords, accounting personnel who tape passwords to their monitors, or disgruntled ex-employees whose accounts were never disabled all represent risks through which confidential information can be accessed and transmitted inside or outside the company.
- Analyze the Vulnerabilities
After identifying the priority resources, correlate the vulnerability assessment data for those systems. During analysis, weigh the severity of each vulnerability against the intended use of the system and the applications running on it. Blindly fixing every vulnerability an assessment reports can leave systems that no longer function as their users intend, because many remediations tighten settings that applications depend on. For instance, remediating many of the low and some of the medium risk findings that assessment tools report can make a Windows system unusable in a normal network environment. Yet leaving those same vulnerabilities open on a system connected directly to the Internet poses a serious threat and would likely result in compromise within hours. Analyze your remediation options carefully.
- Prioritize the Work
After analyzing the vulnerabilities and their intended remediation, prioritize the deployment. Certain systems are more critical to the organization; these get attention first so that they are secured against internal and external threats. During prioritization, also consider scheduling: if remediation is to be performed on critical systems, when should it happen to minimize downtime and prevent customer outages?
Another factor in prioritizing is the risk of exposure. Has the vulnerability been exploited? Has exploit code been published? Consider once again the Microsoft PnP buffer overflow vulnerability (MS05-039), reported on August 9, 2005 and exploited by the Zotob worm on August 14, 2005. A window this short between disclosure and likely exploitation helps security and operations personnel prioritize remediation of the targeted systems.
Prioritization can also cover the order in which vulnerabilities are remediated. Some organizations perform remediation in stages so that high-risk vulnerabilities are repaired first, then run additional vulnerability assessments after each stage to measure the improvement in the network's security posture.
- Execute
After analyzing and prioritizing, it is finally time to execute the remediation strategy. Even at this phase there are decisions to make, most importantly the change control strategy. Do not blindly roll out remediations without first testing them against the common configurations that represent the computing population as a whole; that testing reveals undesired effects on system usability and application performance. Once a proposed remediation has passed on those common platforms, it can be rolled out to the remaining devices on the network.
Even once you have decided how and when remediation will be performed, there is an additional dimension that trips up many organizations: system ownership and responsibilities. Many organizations maintain separate IT security and IT operations departments. The security team audits and assesses the security posture of the network, while IT operations personnel maintain it through monitoring and controlled configuration changes, updates and repairs.
Line-of-business owners often do not understand the ramifications of security issues and reject remediation efforts in the name of uptime until it is too late. This mindset is exactly how organizations fall victim to some of the easiest and best-known attacks, ones that any malicious actor can read about, or for which an automated attack tool can simply be downloaded, to gain unauthorized access to systems for personal or financial gain.
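Bringing the four steps above together, the Python below is an added example (not the article's or any product's method) of turning asset criticality, perimeter exposure, vulnerability severity and exploit status into a ranked worklist and a staged rollout that pilots each common configuration on its least critical member before wider deployment. The scoring weights, host records and findings are constructed assumptions; tune the weights to your own risk appetite.

```python
"""Score and stage remediation work from asset and vulnerability data
(added example for the identify / analyze / prioritize / execute steps)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    host: str
    criticality: int      # 1 low .. 3 mission critical, set by the business owner
    perimeter: bool       # reachable from the Internet
    config_class: str     # standard build the host follows, e.g. "dmz-web"


@dataclass(frozen=True)
class Vuln:
    host: str
    vuln_id: str
    severity: int         # 1 low .. 4 critical, as reported by assessment
    exploit_public: bool  # exploit code has been published
    exploited: bool       # seen exploited in the wild (e.g. by a worm)


def exploit_factor(v: Vuln) -> int:
    """What is being exploited outranks what merely could be."""
    if v.exploited:
        return 3
    if v.exploit_public:
        return 2
    return 1


def score(v: Vuln, a: Asset) -> int:
    """Constructed heuristic: severity weighted by exploit availability, plus
    the asset's business criticality and a bonus for perimeter exposure."""
    return v.severity * exploit_factor(v) + a.criticality + (2 if a.perimeter else 0)


def unknown_hosts(vulns: List[Vuln], assets: List[Asset]) -> List[str]:
    """Findings on hosts the inventory does not know: flag, never ignore."""
    known = {a.host for a in assets}
    return sorted({v.host for v in vulns if v.host not in known})


def ranked_work(vulns: List[Vuln], assets: List[Asset]) -> List[Tuple[int, str, str]]:
    by_host = {a.host: a for a in assets}
    rows = [(score(v, by_host[v.host]), v.host, v.vuln_id) for v in vulns if v.host in by_host]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))


def staged_rollout(vulns: List[Vuln], assets: List[Asset], urgent: int = 10) -> Dict[str, List[str]]:
    """Pilot ring: the least critical host of every configuration class that
    has work. Wave 1: remaining hosts with any finding scoring >= urgent.
    Wave 2: everyone else."""
    by_host = {a.host: a for a in assets}
    hosts_with_work = {v.host for v in vulns if v.host in by_host}
    pilot: Dict[str, str] = {}
    for h in sorted(hosts_with_work):
        a = by_host[h]
        cur = pilot.get(a.config_class)
        if cur is None or a.criticality < by_host[cur].criticality:
            pilot[a.config_class] = h
    pilot_hosts = set(pilot.values())
    top: Dict[str, int] = {}
    for s, h, _ in ranked_work(vulns, assets):
        top[h] = max(top.get(h, 0), s)
    rest = hosts_with_work - pilot_hosts
    return {
        "pilot": sorted(pilot_hosts),
        "wave1": sorted(h for h in rest if top[h] >= urgent),
        "wave2": sorted(h for h in rest if top[h] < urgent),
    }


# Constructed inventory and findings. CVE-2005-1983 is the PnP flaw behind
# MS05-039 and Zotob; EXAMPLE-0001 is a placeholder identifier.
ASSETS = [
    Asset("web01", 3, True, "dmz-web"),
    Asset("web02", 2, True, "dmz-web"),
    Asset("ws01", 1, False, "std-workstation"),
    Asset("ws02", 1, False, "std-workstation"),
    Asset("fin01", 3, False, "std-workstation"),
]
VULNS = [
    Vuln("web01", "CVE-2005-1983", 4, True, True),
    Vuln("web02", "CVE-2005-1983", 4, True, True),
    Vuln("ws01", "CVE-2005-1983", 4, True, True),
    Vuln("ws02", "EXAMPLE-0001", 2, False, False),
    Vuln("fin01", "EXAMPLE-0001", 2, False, False),
    Vuln("ws99", "EXAMPLE-0001", 2, False, False),  # host missing from inventory
]

if __name__ == "__main__":
    for row in ranked_work(VULNS, ASSETS):
        print(row)
    print(staged_rollout(VULNS, ASSETS))
    print("not in inventory:", unknown_hosts(VULNS, ASSETS))
```

The pilot ring exists because of the change-control point above: a fix that breaks the standard workstation build should be discovered on ws01, not on the finance workstation, and the Zotob-class finding on the perimeter web servers still reaches production in the very next wave.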
Conclusion
When it comes to risk mitigation for vulnerabilities, it is up to each organization to decide how much risk it is willing to accept. If systems are compromised, is the organization liable to shareholders, federal agencies or others?
The task of risk mitigation does not fall squarely on the IT or security departments' shoulders; they should facilitate and implement these best practices, but the entire organization must participate for the network to be effectively secured.
When followed, the practices outlined above should provide repeatable results for ensuring that systems are secured and that business objectives are met.
Carl E. Banzhof is Chief Technology Officer of Citadel Security Software Inc. He is an appointee to the OVAL (Open Vulnerability Assessment Language) Board and is a frequent speaker at security conferences including RSA, InfoSec and SANS. In April 2005, InfoWorld magazine named Carl one of the Top 25 Most Influential CTOs, and he frequently appears in broadcast and print media and in national technology publications, commenting on trends in security. For article feedback, contact Carl at cbanzhof@citadel.com