Chapter 16 ■ Managing Security Operations
One of the most common vulnerabilities within an organization is an unpatched system, and so a vulnerability management program will often work in conjunction with a patch management program. In many cases, duties of the two programs are separated between different employees. One person or group would be responsible for keeping systems patched, and another person or group would be responsible for verifying that the systems are patched. As with other separation of duties implementations, this provides a measure of checks and balances within the organization.
Vulnerability Scans
Vulnerability scanners are software tools used to test systems and networks for known security issues. Attackers use vulnerability scanners to detect weaknesses in systems and networks, such as missing patches or weak passwords. After they detect the weaknesses, they launch attacks to exploit them. Administrators in many organizations use the same types of vulnerability scanners to detect vulnerabilities on their network. Their goal is to detect the vulnerabilities and mitigate them before an attacker discovers them.
Just as antivirus software uses a signature file to detect known viruses, vulnerability scanners include a database of known security issues and they check systems against this database. Vendors regularly update this database and sell a subscription for the updates to customers. If administrators don’t keep vulnerability scanners up-to-date, they won’t be able to detect newer threats. This is similar to how antivirus software won’t be able to detect newer viruses if it doesn’t have current virus signature definitions.
Nessus is a popular vulnerability scanner managed by Tenable Network Security, and it combines multiple techniques to detect a wide range of vulnerabilities. Nessus analyzes packets sent out from systems to determine the system’s operating system and other details about these systems. It uses port scans to detect open ports and identify the services and protocols that are likely running on these systems. Once Nessus discovers basic details about systems, it can then follow up with queries to test the systems for known vulnerabilities, such as if the system is up-to-date with current patches. It can also discover potentially malicious systems on a network that are using IP probes and ping sweeps.
It’s important to realize that vulnerability scanners do more than just check unpatched systems. For example, if a system is running a database server application, scanners can check the database for default passwords with default accounts. Similarly, if a system is hosting a website, scanners can check the website to determine if it is using input validation techniques to prevent different types of injection attacks such as SQL injection or cross-site scripting.
In some large organizations, a dedicated security team will perform regular vulnerability scans using available tools. In smaller organizations, an IT or security administrator may perform the scans as part of their other responsibilities. Remember, though, if the person responsible for deploying patches is also responsible for running scans to check for patches, it represents a potential conflict. If something prevents an administrator from deploying patches, the administrator can also skip the scan that would otherwise detect the unpatched systems.
Managing Patches and Reducing Vulnerabilities
Scanners include the ability to generate reports identifying any vulnerabilities they discover. The reports may recommend applying patches or making specific configuration or security setting changes to improve or impose security. Obviously, simply recommending applying patches doesn’t reduce the vulnerabilities. Administrators need to take steps to apply the patches.
However, there may be situations where it isn’t feasible or desirable to do so. For example, if a patch fixing a minor security issue breaks an application on a system, management may decide not to implement the fix until developers create a workaround. The vulnerability scanner will regularly report the vulnerability, even though the organization has addressed the risk.
Management can choose to accept a risk rather than mitigate it. Any risk that remains after applying a control is residual risk. Any losses that occur from residual risk are the responsibility of management.
In contrast, an organization that never performs vulnerability scans will likely have many vulnerabilities. Additionally, these vulnerabilities will remain unknown, and management will not have the opportunity to decide which vulnerabilities to mitigate and which ones to accept.
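The signature-database check and the reporting behaviour described above, as an added worked example in Python that is not from the book and does not model any real scanner's internals: it holds a constructed signature database (placeholder issue identifiers, not real advisories), a constructed host inventory, and a constructed register of management risk acceptances. The numeric version comparison and the acceptance register with a review date are assumptions of this example. It goes slightly beyond the text in one respect: accepted findings stay in the report but are marked as accepted residual risk rather than suppressed, and an acceptance whose review date has passed reverts to open so management revisits the decision. It also flags a stale signature database, the condition the text notes leaves newer threats undetected.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Signature:
    """One entry in the scanner's signature database (constructed, not a real advisory)."""
    product: str
    fixed_in: tuple   # first version that closes the issue
    issue_id: str     # placeholder identifier
    severity: str


# Constructed signature database. A real scanner ships thousands of entries and
# refreshes them through a vendor subscription; the update date lets us detect staleness.
SIGNATURE_DB_UPDATED = date(2024, 12, 30)
SIGNATURE_DB = [
    Signature("webserver", (2, 4, 10), "ISSUE-0001", "high"),
    Signature("dbserver", (5, 7, 3), "ISSUE-0002", "critical"),
    Signature("mailrelay", (1, 2, 0), "ISSUE-0003", "low"),
]

# Constructed host inventory: host -> {product: installed version}
INVENTORY = {
    "web01": {"webserver": "2.4.7", "mailrelay": "1.2.0"},
    "db01": {"dbserver": "5.7.1"},
    "app02": {"webserver": "2.4.12", "mailrelay": "1.1.9"},
}

# Constructed register of management risk acceptances:
# (host, issue_id) -> (reason, date by which the decision must be reviewed)
ACCEPTED_RISKS = {
    ("app02", "ISSUE-0003"): ("patch breaks the app; awaiting vendor workaround", date(2025, 6, 30)),
}

SCAN_DATE = date(2025, 1, 1)         # acceptance still valid, signature DB fresh
LATER_SCAN_DATE = date(2025, 7, 15)  # acceptance lapsed, signature DB stale


@dataclass
class Finding:
    host: str
    product: str
    installed: str
    issue_id: str
    severity: str
    status: str   # "open" or "accepted"
    note: str = ""


def parse_version(text):
    """'2.4.7' -> (2, 4, 7) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))


def signature_db_is_stale(updated, today, max_age_days=7):
    """A scanner running on an old database cannot report issues it has never heard of."""
    return today - updated > timedelta(days=max_age_days)


def scan(inventory, db, accepted_risks, today):
    """Compare every installed product against the signature database.
    An unpatched product yields a finding; a valid acceptance marks it accepted
    instead of hiding it, and a lapsed acceptance leaves it open with a note."""
    findings = []
    for host, packages in inventory.items():
        for product, installed in packages.items():
            for sig in db:
                if sig.product != product or parse_version(installed) >= sig.fixed_in:
                    continue  # different product, or already at/above the fixed version
                finding = Finding(host, product, installed, sig.issue_id, sig.severity, "open")
                acceptance = accepted_risks.get((host, sig.issue_id))
                if acceptance is not None:
                    reason, review_by = acceptance
                    if review_by >= today:
                        finding.status, finding.note = "accepted", reason
                    else:
                        finding.note = f"risk acceptance lapsed on {review_by}: {reason}"
                findings.append(finding)
    return findings


def summarize(findings):
    """Counts per status: the headline figures management sees in the report."""
    counts = {"open": 0, "accepted": 0}
    for finding in findings:
        counts[finding.status] += 1
    return counts


def report(findings, db_updated, today):
    """Render the scan as report lines, warning first if the signature database is old."""
    lines = []
    if signature_db_is_stale(db_updated, today):
        lines.append(f"WARNING: signature database last updated {db_updated}; "
                     "newer issues will not be detected")
    for f in findings:
        lines.append(f"{f.host}: {f.product} {f.installed} {f.issue_id} "
                     f"[{f.severity}] {f.status} {f.note}".rstrip())
    lines.append("summary: " + ", ".join(f"{k}={v}" for k, v in summarize(findings).items()))
    return lines


if __name__ == "__main__":
    for line in report(scan(INVENTORY, SIGNATURE_DB, ACCEPTED_RISKS, SCAN_DATE),
                       SIGNATURE_DB_UPDATED, SCAN_DATE):
        print(line)
```

Keeping the acceptance register separate from the scanner's own data mirrors the separation of duties the text describes: the people who decide to accept a risk record that decision with a reason and a review date, and the scan output still shows the unpatched system so nobody can make it disappear simply by skipping a patch.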