Wednesday, January 25, 2012

How to Use a Vulnerability Scanner

Vulnerability scanners can do so many different tasks that not having a clear strategy for how to use them on your network can result in a lot of wasted time. So how does one use a vulnerability scanner?

A vulnerability scanner will search your network for various vulnerabilities, and it does this by analyzing a number of things, including:

• Open Ports
• Applications
• Configurations
• Scripts
• Devices
• Users
• Shares
• Groups
• Ports
• Security Software

Once a vulnerability scanner finishes analyzing a particular machine it will use the data collected to determine and report on vulnerabilities and potential vulnerabilities. There is an important distinction to be made here.

If your vulnerability scanner were to detect a user who hasn’t logged on in quite a while, this will be reported as a vulnerability. While it could certainly be one, there may be a legitimate reason for it, and it is up to the administrator to decide which reported vulnerabilities are to be acted upon and which can be ignored for business purposes (potentially incurring minor risks).

After a scan the administrator has a list of vulnerabilities sorted according to what needs to be done and what level of risk we have to accept because of legacy elements in the system and other reasons.

The vulnerabilities we want to act upon call for a straightforward approach. The vulnerability scanner will most likely provide an explanation of what the issue is and suggest resources the administrator can refer to for more details and for how to solve the problem.

Sometimes not all vulnerabilities can be fixed, and the administrator must decide whether the benefits outweigh the risks. Vulnerabilities may be left untreated for various reasons: legacy applications with known vulnerabilities may be considered important for the business, or system configurations and protocols with known weaknesses may be required. The administrator’s role is to identify what the risk is and find ways to limit it without compromising business operations or security.

For example, let’s say that for legacy purposes you need to support SSH protocol Version 1, which has numerous known vulnerabilities. The application you are using that requires SSH 1 support has no viable replacement and is critical to the business. In this example, you have no choice but to leave the vulnerabilities in the system. However, although you cannot really avoid using a vulnerable application or protocol, you still need to do something to minimize the risk.

You need to analyze how the application is used and, where possible, restrict its use and access. If you need to support SSH 1 for a legacy application, make sure your firewall only allows access from the location where the application is running and blocks every other source.
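The triage step described above (deciding which reported findings to act on and which to accept for business reasons) and the SSH 1 example (accepting the finding only while the firewall restricts access to the one application host) can be made concrete in a small script. The following is an added example written for this page, not code from the post or from GFI Software; every hostname, finding, IP address and firewall rule in it is constructed for illustration, and the simple first-match, default-deny rule model is an assumption rather than any particular firewall's semantics. The point it shows is that an acceptance in the register only counts while it has not expired and its compensating control is verifiably in place.

```python
"""Added example: triage scanner findings against a risk-acceptance register.

All findings, hosts, addresses and firewall rules below are constructed samples.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, List, Optional, Set, Tuple


# --- What the scanner reports (constructed; a real scanner would export these) ---
@dataclass
class Finding:
    host: str
    title: str
    severity: str               # the scanner's own scale, e.g. low/medium/high/critical
    port: Optional[int] = None


# --- What the administrator records when a finding is knowingly left in place ---
@dataclass
class Acceptance:
    host: str
    title: str
    reason: str
    owner: str
    expires: date
    # Returns True only while the compensating control is actually in effect.
    control_check: Callable[[], bool] = lambda: False


# Firewall rule model (assumption): (action, src, dst, dport), first match wins,
# and anything not matched by a rule is denied.
Rule = Tuple[str, str, str, object]


def permitted_sources(rules: List[Rule], dst: str, dport: int) -> Set[str]:
    """Sources that can reach dst:dport under the rule set.

    "any" in the result means the port is reachable from everywhere, i.e. the
    compensating control for the legacy service is not really in place.
    """
    allowed: Set[str] = set()
    dropped: Set[str] = set()
    for action, src, rdst, rport in rules:
        if rdst not in (dst, "any") or rport not in (dport, "any"):
            continue
        if action == "drop":
            if src == "any":
                break                       # catch-all drop shadows every later rule
            dropped.add(src)
        elif action == "accept":
            if src == "any":
                allowed.add("any")
                break                       # catch-all accept: exposure is total
            if src not in dropped:
                allowed.add(src)
    return allowed


def acceptance_is_valid(acc: Acceptance, today: date) -> bool:
    """An acceptance counts only while unexpired and with its control still in force."""
    return acc.expires >= today and acc.control_check()


def triage(findings: List[Finding], register: List[Acceptance], today: date):
    """Split findings into those to act on and those covered by a valid acceptance."""
    by_key = {(a.host, a.title): a for a in register}
    act, accepted = [], []
    for f in findings:
        acc = by_key.get((f.host, f.title))
        if acc is not None and acceptance_is_valid(acc, today):
            accepted.append((f, acc))
        else:
            act.append(f)
    return act, accepted


# --- Constructed sample data ---
TODAY = date(2012, 1, 25)
SSH1_TITLE = "SSH protocol version 1 enabled"

FIREWALL: List[Rule] = [
    ("accept", "10.20.30.5", "legacy-app-01", 22),   # only the application host
    ("drop", "any", "legacy-app-01", 22),            # everyone else is blocked
    ("accept", "any", "any", "any"),                 # permissive rule for other traffic
]

FINDINGS = [
    Finding("legacy-app-01", SSH1_TITLE, "high", 22),
    Finding("fileserver-02", "Account inactive for 90+ days: jdoe", "low"),
    Finding("web-03", "Outdated OpenSSL library", "critical", 443),
]

REGISTER = [
    Acceptance("legacy-app-01", SSH1_TITLE, "legacy app has no replacement",
               "app-owner", date(2012, 7, 1),
               lambda: permitted_sources(FIREWALL, "legacy-app-01", 22) == {"10.20.30.5"}),
    # Expired acceptance: the finding goes back onto the action list.
    Acceptance("fileserver-02", "Account inactive for 90+ days: jdoe",
               "contractor on leave", "hr-liaison", date(2011, 12, 31), lambda: True),
]

if __name__ == "__main__":
    act, accepted = triage(FINDINGS, REGISTER, TODAY)
    for f in act:
        print(f"ACT      {f.severity:8} {f.host}: {f.title}")
    for f, acc in accepted:
        print(f"ACCEPTED {f.severity:8} {f.host}: {f.title} (owner {acc.owner}, until {acc.expires})")
```

Run as a script, it lists the OpenSSL finding and the expired inactive-account acceptance under ACT and the SSH 1 finding under ACCEPTED. Removing the catch-all drop rule from `FIREWALL` makes `permitted_sources` return `"any"` as well, the control check fails, and the SSH 1 finding moves back onto the action list, which is the behaviour a register like this should have.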

Security is a process. Using a vulnerability scanner is not simply a matter of running a program and following the onscreen instructions; you could miss important details and create additional risks. As an administrator you need to ask: how do you use your vulnerability scanner? How do you tailor the security process to your needs? Once you have the answers to these questions you can effectively secure your environment from a huge range of threats.

This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs.