This is Part 4 of a 'How-To' effort to compile a list of tools (free and commercial) that can help IT administrators comply with SANS’ Security Controls. In Part 1 we looked at Inventory of Authorized and Unauthorized Devices. In Part 2 we looked at Inventory of Authorized and Unauthorized Software. In Part 3 we looked at Secure Configurations. Now we'll move on to Part 4: Continuous Vulnerability Assessment and Remediation.
4-1 Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator along with risk scores that compare the effectiveness of system administrators and departments in reducing risk.
Free Tools
- AlienVault OSSIM - What can't it do???
- OpenVAS - Comes in AlienVault, but if you JUST need a vulnerability scanner, this is it.
- Nessus Home Feed - For home use only. Can only scan internal addresses.
Commercial Tools
- Nessus - Industry known and trusted scanner.
4-2 Correlate event logs with information from vulnerability scans to fulfill two goals. First, personnel should verify that the activity of the regular vulnerability scanning tools themselves is logged. Second, personnel should be able to correlate attack detection events with earlier vulnerability scanning results to determine whether the given exploit was used against a target known to be vulnerable.
Goes with the previous control.
4-3 - Perform vulnerability scanning in authenticated mode either with agents running locally on each end system to analyze the security configuration or with remote scanners that are given administrative rights on the system being tested.
Goes with the previous control
4-4 - Subscribe to vulnerability intelligence services in order to stay aware of emerging exposures, and use the information gained from this subscription to update the organization's vulnerability scanning activities on at least a monthly basis.
Free Tools
You must get these tools from each vendor you use. Usually these would be mailing lists, RSS feeds, etc.. A few I subscribe to:
- Help Net Security - RSS feeds for each published article on their site. IT security.
- Krebs on Security - Security Reporter Brian Krebs is a force in the IS security world, and stays up to date on security related events and passes the meat on to you.
- Darknet - A bit watered down, and little original content, but it does exist.
- CVE - Common Vulnerability and Exposures subject to National Vulnerability Database
- OpenSSL - Stay up to date for the next Heart Bleed
- Others
4-5 - Deploy automated patch management tools and software update tools for operating system and software/applications on all systems for which such tools are available and safe.
See control 3-2
4-6 - Carefully monitor logs associated with any scanning activity and associated administrator accounts to ensure that all scanning activity and associated access via the privileged account is limited to the timeframes of legitimate scans.
See tools for HIDS and Privilege Management
4-7 - Compare the results from back-to-back vulnerability scans to verify that vulnerabilities were addressed either by patching, implementing a compensating control, or documenting and accepting a reasonable business risk.
This is more of a process than a tool.
4-8 - Measure the delay in patching new vulnerabilities and ensure that the delay is equal to or less than the benchmarks set forth by the organization.
This is more of a process than a tool.
4-9 - Evaluate critical patches in a test environment before pushing them into production on enterprise systems.
This is more of a process than a tool.
4-10 - Establish a process to risk-rate vulnerabilities based on the exploitability and potential impact of the vulnerability, and segmented by appropriate groups of assets (example, DMZ servers, internal network servers, desktops, laptops).
This is more of a process than a tool.
About the Author:
Rich Johnson is currently a Systems Security Administrator with 15 years of professional experience working in IT (more if you count the years programming in Basic on the Commodore 64 and repairing Nintendo consoles as a child). Rich has a bachelor degree in Information Technology, but feels his real knowledge has been gained through hands on experience, exploring security tools, and attending various security conventions. Rich currently resides in Utah and is probably learning some new interesting thing at this moment.
