SELECTING AND IMPLEMENTING VULNERABILITY SCANNER FOR FUN AND PROFIT by Tim Jett and Mike Townes.


SELECTING AND IMPLEMENTING VULNERABILITY SCANNER FOR FUN AND PROFIT

by Tim Jett and Mike Townes

Conducting Vulnerability Assessments Without Disrupting Your Network

Notice: The views and opinions expressed in this presentation are those of the presenters and do not necessarily represent any organization or company they will be associated with in the future.

May the force be with you!

WHY VULNERABILITY MANAGEMENT?

• Ensure protection of critical data
• Meet compliance regulations
• Reduce risk or minimize impact by addressing vulnerabilities in a timely manner
• Prepare to meet future security

What is a Vulnerability Scanner

A vulnerability scanner is a computer program designed to assess computers, computer systems, networks or applications for weaknesses. They can be run either as part of vulnerability management by those tasked with protecting systems - or by black hat attackers looking to gain unauthorized access.

Types of Vulnerability Scanners

• Agent versus agentless
• Active versus passive

Vulnerability Scanners - Benefits

• Very good at checking for hundreds (or thousands) of potential problems quickly
  – Automated
  – Regularly
• Can help identify rogue machines
• Helpful in inventorying devices on the network

What Vulnerability Scanners Do Well

• Provide a generic risk level
• Explain why the item is a risk
• Provide detailed information on how to remediate

How a given scanner does each of the above is one of the key differences between products.

How Vulnerability Scanners Work

Similar to virus scanning software:
• Contain a database of vulnerability signatures that the tool searches for on a target system
• Cannot find vulnerabilities not in the database
  – New vulnerabilities are discovered often
  – Vulnerability database must be updated regularly
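The signature-database point above is worth seeing in code. The following is an added example, not code from the presenters or from any of the products named later on this page: a toy scanner that matches collected service banners against a list of version-based signatures, and a second run with an updated database. All host addresses, banners, product names (ExampleHTTPD, ExampleSSH) and signature IDs (SIG-0001, SIG-0002) are constructed for the example and are not real advisories.

```python
"""Toy signature-driven scan: service banners are matched against a
vulnerability signature database.  A flaw that is not in the database is
invisible until the database is updated, exactly as the slide states.
All banners, products and signature IDs below are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sig_id: str        # hypothetical identifier, not a real CVE or plugin ID
    product: str       # product name as it appears in the banner
    fixed_in: tuple    # first version that is NOT affected
    severity: str      # generic rating shipped with the signature


def parse_version(text):
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically,
    not as strings ('2.4.9' < '2.4.49' must hold)."""
    return tuple(int(part) for part in text.split("."))


# Banner shape assumed for this example: "<product>/<version> ..."
BANNER_RE = re.compile(r"^(?P<product>[A-Za-z][\w-]*)/(?P<version>\d+(?:\.\d+)*)")


def parse_banner(banner):
    """Return (product, version_tuple) or None if the banner is unrecognised."""
    match = BANNER_RE.match(banner)
    if match is None:
        return None
    return match.group("product"), parse_version(match.group("version"))


def scan(hosts, database):
    """hosts: {host: {port: banner}}.
    Returns a list of (host, port, sig_id, severity) for every banner whose
    version is below a signature's fixed_in version."""
    findings = []
    for host, services in hosts.items():
        for port, banner in services.items():
            parsed = parse_banner(banner)
            if parsed is None:
                continue                      # nothing to match: silently missed
            product, version = parsed
            for sig in database:
                if sig.product == product and version < sig.fixed_in:
                    findings.append((host, port, sig.sig_id, sig.severity))
    return findings


# Constructed sample inventory of banners grabbed from three hosts.
HOSTS = {
    "10.0.0.5": {22: "ExampleSSH/7.2 Ubuntu", 80: "ExampleHTTPD/2.4.1"},
    "10.0.0.9": {80: "ExampleHTTPD/2.4.9", 443: "ExampleHTTPD/2.4.9"},
    "10.0.0.12": {8080: "unknown service"},
}

# Signature database as first installed: only one known flaw.
DB_V1 = [
    Signature("SIG-0001", "ExampleHTTPD", (2, 4, 5), "high"),
]

# A later database release adds a signature for a newly published flaw.
DB_V2 = DB_V1 + [
    Signature("SIG-0002", "ExampleSSH", (7, 4), "critical"),
]

if __name__ == "__main__":
    for label, db in (("database v1", DB_V1), ("database v2", DB_V2)):
        print(label)
        for finding in scan(HOSTS, db):
            print("  ", finding)
```

Two caveats the example makes visible: the host answering "unknown service" produces no finding at all, so a missing banner is a blind spot rather than a clean result, and a version-only check will flag a distribution package that backported the fix without bumping its version string, which is a common source of scanner false positives.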

Challenges

Security resources are often decentralized

The security organization often doesn’t own the network or system

Always playing catch-up to changing threats

Determining if the fix was actually made

Ignoring it – accepting it

Decisions for your First Scan

• Full scan versus known segment
• Time and bandwidth versus unknown devices

Is Your Network Ready for This?

Poor network configuration can lead to security getting blamed for bandwidth issues (what to look for, how to resolve)

Dream Vs. Reality

Dream of vulnerability scanner:
• Plug in
• Get data
• Network/endpoint teams act on information
• Network secured
• You emerge as security hero!

Dream Vs. Reality

Proper planning: policies and procedures for the scanning process
• Track inventory and categorize assets
• Identify and understand your business processes
• To the network team it looks like an attack

So You Scanned – Now What

Can’t expect folks to act on 1,000-page reports.

Need to provide some prioritization:
• What are the biggest risks in your environment?
• What is the level of risk that is acceptable in your environment?
• What is the threat level that exists in your industry?

What Vulnerability Scanners Can’t Do

• Scan items not connected to the network
• Tell you how bad a vulnerability is in your environment (ratings are universal)
• Tell you exactly where a device is
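The two slides above make one combined point: the scanner's rating is universal, and only the organization can turn it into a priority for its own environment. The following is an added example, not code from the presenters or any scanner vendor, of that re-ranking step. It takes scanner findings with their generic severity, combines them with asset criticality, network exposure and whether a public exploit is known (the "threat level in your industry" input), applies an agreed acceptable-risk threshold, and groups what remains by the team that owns the asset. The weights, thresholds, hosts, owners and findings are all constructed for the example.

```python
"""Re-rank scanner findings using environment context the scanner does not
have.  Weights, threshold, assets and findings are constructed for this
example; tune the weights to your own risk appetite."""
from collections import defaultdict
from dataclasses import dataclass

# Generic severity as shipped by the scanner, mapped to a base score.
SEVERITY_SCORE = {"critical": 10.0, "high": 7.5, "medium": 5.0, "low": 2.5, "info": 0.0}

# Business criticality of the asset, 1 (lab box) .. 5 (crown jewels).
CRITICALITY_WEIGHT = {1: 0.5, 2: 0.75, 3: 1.0, 4: 1.5, 5: 2.0}
EXPOSURE_WEIGHT = 1.5   # multiplier for internet-facing assets
EXPLOIT_WEIGHT = 1.5    # multiplier when a public exploit is known


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    severity: str          # generic rating reported by the scanner
    exploit_public: bool   # from threat intelligence, not from the scanner


@dataclass(frozen=True)
class Asset:
    host: str
    criticality: int
    internet_facing: bool
    owner: str             # team that will actually apply the fix


def risk_score(finding, asset):
    """Environment-specific score: generic severity x criticality x exposure x threat."""
    score = SEVERITY_SCORE[finding.severity] * CRITICALITY_WEIGHT[asset.criticality]
    if asset.internet_facing:
        score *= EXPOSURE_WEIGHT
    if finding.exploit_public:
        score *= EXPLOIT_WEIGHT
    return round(score, 2)


def prioritize(findings, assets, accept_below=5.0):
    """Return (work_list, accepted).  work_list holds (score, finding) pairs
    sorted highest risk first; accepted holds findings under the threshold,
    which is the documented 'accept the risk' decision rather than silence."""
    work, accepted = [], []
    for finding in findings:
        asset = assets.get(finding.host)
        if asset is None:
            # Not in inventory: assume it is exposed and moderately important
            # so it stays visible until someone claims it (constructed default).
            asset = Asset(finding.host, 3, True, "unassigned")
        score = risk_score(finding, asset)
        (work if score >= accept_below else accepted).append((score, finding))
    work.sort(key=lambda pair: pair[0], reverse=True)   # stable: ties keep input order
    return work, accepted


def by_owner(work, assets):
    """Split the prioritized work list into one short list per owning team."""
    lists = defaultdict(list)
    for score, finding in work:
        owner = assets[finding.host].owner if finding.host in assets else "unassigned"
        lists[owner].append((score, finding))
    return dict(lists)


# Constructed inventory and findings.
ASSETS = {
    "10.0.0.5": Asset("10.0.0.5", 5, True, "web-team"),
    "10.0.0.9": Asset("10.0.0.9", 2, False, "db-team"),
    "10.0.0.12": Asset("10.0.0.12", 1, False, "lab"),
}

FINDINGS = [
    Finding("10.0.0.9", 445, "SMB signing not required", "medium", False),
    Finding("10.0.0.5", 443, "Outdated TLS library", "high", True),
    Finding("10.0.0.12", 22, "Weak SSH ciphers", "medium", False),
    Finding("10.0.0.5", 80, "Directory listing enabled", "low", False),
    Finding("10.0.0.9", 3306, "Database default credentials", "critical", True),
    Finding("10.0.0.77", 8080, "Admin console without auth", "high", False),
]

if __name__ == "__main__":
    work, accepted = prioritize(FINDINGS, ASSETS)
    for owner, items in by_owner(work, ASSETS).items():
        print(owner)
        for score, finding in items:
            print(f"  {score:6.2f}  {finding.host}:{finding.port}  {finding.title}")
    print(f"{len(accepted)} finding(s) below the accepted-risk threshold")
```

Note how the same generic "high" rating lands at very different positions once the asset's criticality and exposure are applied, and how the host missing from inventory surfaces as "unassigned" work rather than disappearing, which is the inventory gap the "Proper planning" slide warns about.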

Major Players

• Tenable (Nessus)
• Rapid7
• Qualys
• Tripwire (nCircle)
• OpenVAS

Questions?

Game Over