by Curtis Franklin Jr.

Mitigating risk with vulnerability scans

Sep 19, 2003

Software packages from Latis, Rapid7 seek out network security shortcomings

Vulnerability assessment tools help you find the weakest link in your network, showing where firewalls, routers, servers, and clients have left the welcome mat out for troublemakers.

The two vulnerability assessment tools I looked at, Latis StillSecure VAM (Vulnerability Assessment and Management) 2.5 and Rapid7 NeXpose 3.0, are complex to install; however, both find lots of vulnerabilities.

What sets them apart are their methods of scheduling scans and reporting results.

NeXpose offers a helping hand to those who must look at vulnerable systems right away and to those who need a bit of assistance in finding the best way to deal with any found vulnerabilities. StillSecure VAM assumes that you want to make vulnerability assessment an ongoing part of your network maintenance, and that any remediation will be handled by your system programming group.

NeXpose Exposed

NeXpose’s vulnerability assessment tool has a very informative user interface, a well-developed scripting tool, and the ability to issue reports suitable for various levels of company management. NeXpose also takes an open source approach in developing plug-ins to expand its functionality; users can write new rules, queries, remediation recommendations, and so on.

After installation — an automated process that requires a computer be dedicated to the risk assessment system — I began scanning portions of the network. You can define scans according to particular needs, focusing on specific ports, computers, or exploits. Within a range, particular subranges or individual addresses can be included or excluded, servers can be specified by name or address, and machines may be added to the scan list as discovered.

I quickly found the wisdom in accepting the “scan well-known ports” option rather than the more comprehensive “scan all ports” — scanning all ports takes a very long time. The vast majority of exploits happen on a fixed set of ports, and limiting the scan to those will cover virtually all situations.
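The scope and port-profile choices described above (include ranges, excluded subranges, hosts given by name or address, machines added as they are discovered, and "well-known" versus "all ports") can be modeled in a few lines. The following is an added Python example written for this review, not code from NeXpose, Rapid7, or the author; the hostname table, the documentation addresses, the rule that a discovered machine is only added when it lies inside an authorized include range, and the 0-1023 definition of "well-known" (IANA's system port range) are assumptions made here.

```python
"""Scan-scope model for a vulnerability scanner: include ranges, excluded
subranges, hosts given by name or address, hosts added as discovered, and the
probe-count cost of scanning well-known ports versus all ports."""
import ipaddress
from typing import Dict, Iterable, List

# Constructed name table standing in for DNS so the example runs offline
# (hypothetical names and documentation addresses, not real hosts).
HOSTNAMES: Dict[str, str] = {
    "db01.example.test": "198.51.100.5",
    "web01.example.test": "192.0.2.3",
}

# Port profiles: "well-known" is taken here as the IANA system port range
# 0-1023 (an assumption); "all" is every TCP port.
PORT_PROFILES: Dict[str, range] = {
    "well-known": range(0, 1024),
    "all": range(0, 65536),
}


def resolve_target(name_or_addr: str) -> ipaddress.IPv4Address:
    """Accept either a dotted address or a name from the constructed table."""
    if name_or_addr in HOSTNAMES:
        return ipaddress.ip_address(HOSTNAMES[name_or_addr])
    return ipaddress.ip_address(name_or_addr)


def _excluded(addr: ipaddress.IPv4Address,
              exclude: List[ipaddress.IPv4Network]) -> bool:
    return any(addr in net for net in exclude)


def build_scope(include: Iterable[str], exclude: Iterable[str] = (),
                targets: Iterable[str] = ()) -> List[ipaddress.IPv4Address]:
    """Expand the include ranges to host addresses, drop anything that falls
    inside an excluded subrange, then add individually specified targets."""
    exclude_nets = [ipaddress.ip_network(e, strict=False) for e in exclude]
    scope = set()
    for rng in include:
        for host in ipaddress.ip_network(rng, strict=False).hosts():
            if not _excluded(host, exclude_nets):
                scope.add(host)
    for target in targets:
        addr = resolve_target(target)
        if not _excluded(addr, exclude_nets):
            scope.add(addr)
    return sorted(scope)


def add_discovered(scope: List[ipaddress.IPv4Address], addr: str,
                   include: Iterable[str], exclude: Iterable[str] = ()) -> bool:
    """Add a machine found during discovery, but only if it lies inside an
    authorized include range and outside every exclusion (design choice made
    here: discovery must not silently widen the approved scope).
    Returns True if the address was added."""
    candidate = ipaddress.ip_address(addr)
    in_range = any(candidate in ipaddress.ip_network(r, strict=False)
                   for r in include)
    exclude_nets = [ipaddress.ip_network(e, strict=False) for e in exclude]
    if not in_range or _excluded(candidate, exclude_nets) or candidate in scope:
        return False
    scope.append(candidate)
    scope.sort()
    return True


def probe_count(scope: List[ipaddress.IPv4Address], profile: str) -> int:
    """Number of host/port probes a TCP scan of this scope would issue; the
    ratio between the two profiles is why 'all ports' takes so much longer."""
    return len(scope) * len(PORT_PROFILES[profile])


if __name__ == "__main__":
    include = ["192.0.2.0/28"]   # 14 usable hosts
    exclude = ["192.0.2.8/29"]   # carve out .8-.15
    scope = build_scope(include, exclude, ["db01.example.test"])
    print(f"{len(scope)} hosts in scope: {[str(a) for a in scope]}")
    for profile in PORT_PROFILES:
        print(f"{profile:>10}: {probe_count(scope, profile):>8} probes")
    print("discovered 192.0.2.10 added?",
          add_discovered(scope, "192.0.2.10", include, exclude))
```

With the sample scope of eight hosts, the well-known profile issues 8,192 probes and the all-ports profile 524,288, a 64-fold difference before any per-port plug-in work is counted.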

Enabling additional scanning options also increases scan times, though it significantly broadens what the scans cover. The HTTP plug-in, for example, will spider any found site to a depth set by the administrator. This plug-in also performs other checks, such as testing CGI scripts and checking for form-mail spamming.

When a scan is complete, vulnerabilities are displayed in a color-coded list that indicates the severity of each potential problem. Clicking on individual vulnerabilities displays information on the name of the vulnerability, a detailed description, and suggested remediation methods. It also shows whether the vulnerability was identified based solely on software version information or after being exploited by the NeXpose software.

Drill-down information on individual vulnerabilities varies in detail but was quite good on the exploits I explored. NeXpose provided clear instructions on finding and installing repairs for identified vulnerabilities. If someone new to security is assigned to fix holes in the network, the NeXpose system will be invaluable. It offers instructions on closing exploits, a wide variety of reports on scan results, and an easy-to-use interface.

When managers require reports on vulnerabilities, NeXpose delivers a wide variety of formats and information levels that can be tailored to different audiences.

The only problem I found was minor: When NeXpose was in discovery mode during a scan, it failed to determine the OS of many servers that turned out to be running Linux or Windows NT. That’s important because Windows NT has a different set of vulnerabilities (and a different track record on newly discovered vulnerabilities) than does Linux. Most administrators know what systems are deployed in their networks, so this would usually be a small concern, but in the case of a large university or when searching for a rogue server or client, it could be very inconvenient.

Overall, NeXpose is a good foundation for those who need vulnerability assessment software that makes it easy to respond to suspected problems, provides solid assistance on fixing problems, and creates a slew of detailed reports on the process.

StillSecure Suits Up

StillSecure VAM is a solid system based on Nessus, an open source vulnerability assessment tool that continues to be developed by a broad community. Latis Networks improves basic Nessus software with significant additions in user interface, scheduling, and change-tracking functions. The end result wraps open source software in an enterprise-ready package.

Installation of StillSecure VAM is similar to NeXpose’s: build a dedicated appliance from a small server. I soon began preparing for the first scan — only to find that it required a bit more planning than I first thought. Unlike NeXpose, StillSecure VAM isn’t designed for spontaneous network scans. It is, instead, intended to be part of an overall, long-term vulnerability assessment program, with regularly scheduled scans and results reported to a vulnerability remediation team.

I created a new policy, including schedules for scans, rules for address ranges to be scanned, and signatures to be used in identifying problems. These rules allow an administrator to exert extremely fine control over scans. The intelligent probing technology ensures that StillSecure VAM only uses exploits appropriate to the particular products and devices on your network, making it much quicker to scan large network segments.

StillSecure VAM performed well on all scans I ran. When vulnerabilities are found, notifications are sent to staff members based on their roles. If you’re running a large security- or systems-programming group, this division of roles and tasks should fit right in and help keep the remediation process organized. If you have a small group or a more informal remediation process, it’s a lot of overhead.
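Both products' result handling can be sketched together: the color-coded severity list and the version-versus-verified distinction NeXpose shows per finding, the unknown-OS gap noted in the NeXpose discovery mode, and the role-based notification StillSecure VAM uses. The following Python is an added example written for this review, not code from either product or the author; the sample findings, the category-to-role map, the severity colors, and the ordering rule (verified findings ahead of version-inferred ones within a severity) are constructed assumptions.

```python
"""Findings triage for scanner output: color-coded severity, detection basis
(version-inferred versus verified), hosts whose OS discovery could not
fingerprint, and role-based routing of notifications."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
SEVERITY_COLOR = {"critical": "red", "high": "orange",
                  "medium": "yellow", "low": "green"}

# Hypothetical role map (finding category -> team); a real deployment would
# take this from the scanner's policy. Unowned categories go to a default role.
ROLE_FOR_CATEGORY: Dict[str, str] = {
    "os-patch": "systems-programming",
    "web-app": "web-team",
    "network-device": "network-ops",
}
DEFAULT_ROLE = "security-lead"


@dataclass(frozen=True)
class Finding:
    host: str
    os: str        # "unknown" when discovery could not fingerprint the host
    category: str
    severity: str
    basis: str     # "version": inferred from a banner; "verified": confirmed by the scanner
    name: str


# Constructed sample findings (documentation addresses, generic check names).
SAMPLE_FINDINGS: List[Finding] = [
    Finding("192.0.2.4", "Windows NT", "os-patch", "critical", "version",
            "outdated service banner"),
    Finding("192.0.2.3", "Linux", "web-app", "high", "verified",
            "form-mail script relays to arbitrary recipients"),
    Finding("192.0.2.3", "Linux", "web-app", "medium", "verified",
            "CGI script check failed"),
    Finding("192.0.2.5", "unknown", "os-patch", "medium", "version",
            "outdated service banner"),
    Finding("192.0.2.1", "unknown", "network-device", "low", "verified",
            "management interface reachable"),
    Finding("198.51.100.5", "Linux", "database", "medium", "version",
            "outdated service banner"),
]


def triage(findings: List[Finding]) -> List[Finding]:
    """Work-queue order: worst severity first; within a severity, verified
    findings ahead of version-inferred ones, since a version-only match may
    be a false positive that still needs confirmation."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity],
                                           0 if f.basis == "verified" else 1,
                                           f.host))


def color_coded(findings: List[Finding]) -> List[str]:
    """The list as a UI would present it: one color-tagged line per finding."""
    return [f"[{SEVERITY_COLOR[f.severity]}] {f.host} ({f.os}) {f.name} [{f.basis}]"
            for f in triage(findings)]


def severity_summary(findings: List[Finding]) -> Dict[str, int]:
    """Count of findings per severity, for a management-level summary."""
    return dict(Counter(f.severity for f in findings))


def unknown_os_hosts(findings: List[Finding]) -> List[str]:
    """Hosts discovery could not fingerprint. OS-specific checks may not have
    run against them, so a report should flag them for manual identification
    rather than read a short findings list as a clean bill of health."""
    return sorted({f.host for f in findings if f.os == "unknown"})


def route(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Role-based notification: each finding goes to the team owning its category."""
    queues: Dict[str, List[Finding]] = defaultdict(list)
    for f in triage(findings):
        queues[ROLE_FOR_CATEGORY.get(f.category, DEFAULT_ROLE)].append(f)
    return dict(queues)


if __name__ == "__main__":
    for line in color_coded(SAMPLE_FINDINGS):
        print(line)
    print("severity:", severity_summary(SAMPLE_FINDINGS))
    print("needs manual OS identification:", unknown_os_hosts(SAMPLE_FINDINGS))
    for role, queue in route(SAMPLE_FINDINGS).items():
        print(f"{role}: {len(queue)} finding(s)")
```

The unknown-OS list is the part worth keeping even for a small team: a host the scanner could not fingerprint is not necessarily clean, it may simply have been checked against the wrong set of signatures.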

Vulnerability reports are Web-based; the central manager can manage the vulnerability repair process. The reports don’t extend to the sort of comprehensive management reports that NeXpose generates — reporting to executives is apparently considered the job of the network manager.

For regular scans and well-documented change management, StillSecure VAM is solid. If you need ad hoc scans in response to incidents, NeXpose’s immediate scans will be a better fit. It’s not hard to imagine a company using both systems at different stages of risk assessment, though the high overall cost of each means most organizations will end up choosing one or the other.

InfoWorld Scorecard

Product                             Value    Manageability  Ease of use  Reliability  Performance  Overall score
                                    (10.0%)  (25.0%)        (20.0%)      (20.0%)      (25.0%)      (100%)
Rapid7 NeXpose 3.0                  7.0      7.0            9.0          7.0          8.0          7.7
Latis Networks StillSecure VAM 2.5  7.0      9.0            6.0          7.0          8.0          7.6