1 Introduction

Vulnerability Management

In IT security, the confluence of three basic elements forms the attack surface of an IT infrastructure.

  1. Cyber criminals with sufficient experience, equipment and money to carry out the attack.
  2. Access to the IT infrastructure.
  3. Vulnerabilities in IT systems, caused by errors in applications and operating systems or incorrect configurations.

If these three elements come together, a successful attack on the IT infrastructure is likely. The third element is the one that defenders can influence, since 999 of 1,000 successfully exploited vulnerabilities have been known for more than one year.

Vulnerability management is a core element of modern information technology (IT) compliance. IT compliance is defined as the adherence to legal, corporate and contractual rules and regulations related to IT infrastructures. In this context, IT compliance mainly relates to information security, availability, storage and privacy. Companies and agencies have to comply with many legal obligations in this area.

Controlling and improving IT security is an ongoing process consisting of at least the following steps:

  • Discovery of the current state
  • Improving the current state
  • Reviewing the taken measures

Greenbone Enterprise Appliance

The Greenbone Enterprise Appliance is an appliance for the vulnerability management of IT infrastructures, available as hardware or virtual models.

It assists companies and agencies with automated and integrated vulnerability assessment and management. Its task is to discover vulnerabilities and security gaps before potential cyber criminals do.

The Greenbone Enterprise Appliance consists of the Greenbone Operating System (GOS) on which the Greenbone Enterprise Feed is installed, a scan service, the web interface and, for hardware appliances, dedicated hardware.

The scan service uses over 100,000 vulnerability tests (VTs) to detect existing vulnerabilities on the inspected network. Discovered vulnerabilities are rated by their severity, which enables setting priorities for eliminating them.

The Greenbone Enterprise Appliance is flexible in use and can be utilized for special audits and training as well as for small and medium companies up to large enterprises. Due to the master-sensor technology, the Greenbone Enterprise Appliance can also be deployed in high-security sectors.

The Greenbone Enterprise Appliance discovers vulnerabilities through different perspectives of cyber criminals:

External
The appliance can simulate an external attack to identify outdated or misconfigured firewalls.
Demilitarized Zone (DMZ)
The appliance can identify actual vulnerabilities that may be exploited by cyber criminals who get past the firewall.
Internal
The appliance can also identify exploitable vulnerabilities in the internal network, for example those targeted by social engineering or computer worms. Due to the potential impact of such attacks, this perspective is particularly important for the security of any IT infrastructure.

For DMZ and internal scans, a distinction can be made between authenticated and unauthenticated scans. When performing an authenticated scan, the appliance uses credentials and can discover vulnerabilities in applications that are not running as a service but have a high risk potential. This includes web browsers, office applications or PDF viewers. For the advantages and disadvantages of authenticated scans see Chapter 10.3.1.

Because new vulnerabilities are discovered on a daily basis, regular updates and testing of systems are required. The Greenbone Enterprise Feed ensures that the appliance is provided with the latest testing routines and can discover the latest vulnerabilities reliably. Greenbone analyzes CVE [1] entries and security bulletins of vendors and develops new vulnerability tests daily.

When performing a vulnerability scan using the Greenbone Enterprise Appliance, the personnel responsible will receive a list of vulnerabilities that have been identified in the target systems. Selecting remediation measures requires prioritization. The most important measures are those that protect the system against critical risks and eliminate the corresponding security holes.

The Greenbone Enterprise Appliance utilizes the Common Vulnerability Scoring System (CVSS). CVSS is an industry standard for the classification and rating of vulnerabilities. It assists in prioritizing the remediation measures.

Fundamentally, there are two options to deal with vulnerabilities:

  • Eliminating the vulnerability by updating the software, removing the component or changing the configuration.

  • Implementing a rule in a firewall or an intrusion prevention system (virtual patching).

    Virtual patching is the apparent elimination of the vulnerability through a compensating control. The real vulnerability still exists and the cyber criminals can still exploit the vulnerability if the compensating control fails or if an alternate approach is used.

An actual patch or update of the affected software is always preferred over virtual patching.

The Greenbone Enterprise Appliance also supports the testing of the implemented remediation measures. With its help responsible personnel can document the current state of IT security, recognize changes and record these changes in reports.

Footnotes

[1] The Common Vulnerabilities and Exposures (CVE) project is a vendor-neutral forum for the identification and publication of new vulnerabilities.