1. Introduction

Vulnerability management is a core element in modern information technology (IT) compliance. IT compliance is defined as the adherence to legal, corporate and contractual rules and regulations as they relate to IT infrastructures. Within its context IT compliance mainly relates to information security, availability, storage and privacy. Companies and agencies have to comply with many legal obligations in this area.

The control and improvement in IT security is an ongoing process that consists at a minimum of these three steps:

  • Discovery of the current state
  • Taking actions to improve the current state
  • Review of the measures taken

The Greenbone Security Manager (GSM) assists companies and agencies with automated and integrated vulnerability assessment and management. Its task is to discover vulnerabilities and security gaps before a potential attacker would. GSM can achieve this through different perspectives of an attacker:

  • Externally: the GSM attacks the network from the outside. This way it can identify badly configured or misconfigured firewalls.
  • From the DMZ: here the GSM can identify actual vulnerabilities. These could be exploited by attackers if they get past the firewall.
  • Internally: many attacks are executed internally by insiders, through social engineering, or by a worm. This is why this perspective is very important for the security of the IT infrastructure.

For DMZ and internal scans, a distinction is made between authenticated and non-authenticated scans. When performing an authenticated scan the GSM uses credentials and can discover vulnerabilities in applications that are not running as a service but still carry a high risk potential. This includes web browsers, office applications or PDF viewers. For a further discussion of the advantages and disadvantages of authenticated scans, see the section Advantages and Disadvantages of Authenticated Scans.

Due to new vulnerabilities being discovered on a daily basis, regular updates and testing of systems are required. The Greenbone Security Feed ensures that the GSM is provided with the latest testing routines and can discover the latest vulnerabilities reliably. Greenbone analyzes CVE [1] messages and security bulletins of vendors and develops new testing routines daily.

With a scan using the Greenbone Security Manager, staff responsible for IT receive a list of vulnerabilities that have been identified on the network. Especially if no vulnerability management has been practiced before, the list is often extensive. To select remediation measures, prioritization is essential. Most important are the measures that protect against critical risks and remediate the respective security holes.

The GSM utilizes the Common Vulnerability Scoring System (CVSS). CVSS is an industry standard for the classification and rating of vulnerabilities. This assists in prioritizing the remediation measures.

To deal with vulnerabilities fundamentally two options exist:

  1. Removal of the vulnerability through updating the software, removal of the component or a change in configuration.
  2. Implementation of a rule in a firewall or intrusion prevention system (virtual patching).

Virtual patching only appears to remediate the vulnerability: it is a compensating control, and the real vulnerability still exists. The attacker can still exploit the vulnerability if the compensating control fails or by using an alternate approach. An actual patch/update of the affected software is always preferred over virtual patching.

The Greenbone Security Manager supports the testing of the implemented remediation measures as well. With its help responsible IT staff can document the current state of IT security, recognize changes and document these changes in reports. To communicate with management the GSM offers abstraction of technical details in simple graphics or in the form of a traffic light that displays the state of security in the colours red, yellow and green. This way the IT security process can be visualized in a simplified way.
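The following Python script is an added illustration of the prioritization and reporting ideas in this introduction (CVSS-based ranking of findings, the choice between a real patch and virtual patching, and a traffic-light summary). It is not code from the GSM or from Greenbone. The severity bands are the published CVSS v3 qualitative rating scale; the findings, hosts and scores are constructed sample data, and the mapping from worst severity to a traffic-light colour is an assumption made here for the example, not GSM's actual rule.

```python
from dataclasses import dataclass


def cvss_severity(score: float) -> str:
    """Map a CVSS base score to the CVSS v3 qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass(frozen=True)
class Finding:
    host: str
    name: str
    cvss: float
    patch_available: bool  # True if a real fix exists (always preferred over virtual patching)


# Constructed sample findings; hosts, names and scores are invented for illustration.
SAMPLE_FINDINGS = [
    Finding("10.0.0.12", "Outdated PDF viewer", 7.8, True),
    Finding("10.0.0.12", "Web server banner disclosure", 2.6, True),
    Finding("10.0.0.20", "Remote code execution in mail service", 9.8, True),
    Finding("10.0.0.31", "Weak TLS configuration", 5.3, True),
    Finding("10.0.0.31", "Legacy protocol without vendor fix", 7.5, False),
]


def prioritize(findings):
    """Order findings for remediation: highest CVSS first, then by host and name."""
    return sorted(findings, key=lambda f: (-f.cvss, f.host, f.name))


def severity_counts(findings):
    """Count findings per severity band, for the summary a manager would see."""
    counts = {"Critical": 0, "High": 0, "Medium": 0, "Low": 0, "None": 0}
    for f in findings:
        counts[cvss_severity(f.cvss)] += 1
    return counts


def traffic_light(findings):
    """Assumed mapping: red if any High/Critical finding, yellow if any Medium, else green."""
    worst = max((f.cvss for f in findings), default=0.0)
    band = cvss_severity(worst)
    if band in ("High", "Critical"):
        return "red"
    if band == "Medium":
        return "yellow"
    return "green"


def remediation_plan(findings):
    """Pair each prioritized finding with the preferred remediation option."""
    plan = []
    for f in prioritize(findings):
        if f.patch_available:
            option = "patch/update"
        else:
            # No real fix: a compensating control only hides the issue, so keep tracking it.
            option = "virtual patch (compensating control; vulnerability remains open)"
        plan.append((f.host, f.name, f.cvss, cvss_severity(f.cvss), option))
    return plan


if __name__ == "__main__":
    for row in remediation_plan(SAMPLE_FINDINGS):
        print(row)
    print(severity_counts(SAMPLE_FINDINGS), traffic_light(SAMPLE_FINDINGS))
```

Findings without a real fix stay in the plan with the virtual-patching note rather than being dropped, which mirrors the point above that a compensating control does not remove the underlying vulnerability.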


[1] The Common Vulnerabilities and Exposures (CVE) project is a vendor-neutral forum for the identification and publication of new vulnerabilities.