National Webcast Initiative

Are You Secure?...Are You Sure?
Vulnerability Management

Wednesday, March 16, 2005


Question and Answer Transcript

The following is a compilation of questions submitted to the presenters through the written Q and A tool during the webcast. The transcript has been edited for relevance.

Question: Would the establishment of a centralized control center, that identifies threats and dispatches service calls, be a viable first step to vulnerability remediation?
Answer: This is a viable step, but it is recommended that it not be your first step. Instead, the first step is to establish the ability to accurately report on your systems and application inventory. You must know what exists in your environment before you can begin to successfully remediate and manage vulnerabilities. Then you can work on ensuring you are able to accurately and effectively assess your environment for known and potential vulnerabilities.


Question: What other approaches to Vulnerability Management are there besides Holistic? Does the holistic approach work the best?
Answer: The functional opposite of holistic vulnerability management would be an ad hoc approach, where an organization is purely reactive to real and potential threats in its environment. A holistic approach is believed to be the right way to tackle Vulnerability Management - there will be some time and resources invested up front, but this approach will most likely lead to reduced risk in the long run.


Question: What are some good products for Asset Management?
Answer: Most full-blown systems management applications (e.g. SMS, Tivoli) can be used to facilitate asset management. Additionally, many organizations will use customized applications (databases or spreadsheets based on organization size) for tracking assets. There are also a number of specialized asset management tools (e.g. GASP, LanDesk) that can be used to track IT assets.


Question: What are good Windows management tools?
Answer: A number of vendors offer management tools that can be used to assist in the implementation of a vulnerability management program.

Below are examples of guidance that can get you started as to what you should look for in the tools you use to automate and manage your systems administration processes:

  • Ability to arbitrarily report on assets (hardware and software inventory)
  • Ability to facilitate remote control of end systems (for IT support)
  • Ability to remotely install and configure applications and updates
  • Ability to remotely configure system and security policy

Question: Any suggestions for locking down USB ports and CD ROMs?
Answer: The best way to address locking down USB ports and CD ROMs is to start with a policy that restricts what staff can or cannot plug in. Then there may be some technological solutions that could be employed to enforce the policy, but these may be able to be circumvented if users have administrative permissions.


Question: If a rogue device comes on the network, will your device pick it up? Scan for vulnerabilities and remediate? What platforms can you patch MS, Oracle, Novell, etc?
Answer: It depends on the Vulnerability Management technology you choose to deploy. Some will help pick up rogue devices that connect, better known as network access control. Others simply run scans over the available IP space and identify what is on a network at any given time. Very few Vulnerability Management technologies actually deploy patches. It is best to choose a best-of-breed solution for patch management.
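The second kind of detection described in this answer, a sweep of the IP space compared against the inventory that the first answer says must come first, can be scripted. The following is an added example and is not code from the webcast or its presenters. It assumes the inventory is a small CSV table and that the sweep output is in nmap's grepable format (`nmap -sP -oG -` in nmap of that era; `-sn` in current versions); both the inventory rows and the scan lines below are constructed sample data, not real hosts. Live hosts that are not in the inventory are reported as rogue; inventory hosts that did not answer are reported so the inventory itself can be re-checked.

```python
"""Reconcile a network discovery sweep against the asset inventory.

Added example, not code from the webcast. The inventory and the nmap
grepable output below are constructed sample data.
"""
import csv
import io
import re
from typing import Dict, List, Set

# Constructed asset inventory (not real hosts): ip, hostname, owner, criticality.
INVENTORY_CSV = """ip,hostname,owner,criticality
10.0.0.1,core-rtr-1,network,high
10.0.0.10,db-prod-1,dba,high
10.0.0.20,web-prod-1,webops,high
10.0.0.50,lt-jsmith,jsmith,low
10.0.0.60,print-2f,facilities,low
"""

# Constructed nmap grepable ping-sweep output for the same subnet.
SCAN_OUTPUT = """# Nmap 3.81 scan initiated Wed Mar 16 09:00:00 2005 as: nmap -sP -oG - 10.0.0.0/24
Host: 10.0.0.1 (core-rtr-1.example.local)\tStatus: Up
Host: 10.0.0.10 (db-prod-1.example.local)\tStatus: Up
Host: 10.0.0.20 ()\tStatus: Up
Host: 10.0.0.50 ()\tStatus: Up
Host: 10.0.0.77 ()\tStatus: Up
Host: 10.0.0.99 (unknown-ap.example.local)\tStatus: Up
# Nmap done at Wed Mar 16 09:00:05 2005 -- 256 IP addresses (6 hosts up) scanned
"""

# One grepable "Host:" line: address, optional reverse name in parentheses, status.
HOST_RE = re.compile(
    r"^Host:\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\(([^)]*)\)\s+Status:\s+(\w+)"
)


def ip_key(ip: str):
    """Sort key so 10.0.0.9 orders before 10.0.0.10 (numeric, not lexical)."""
    return tuple(int(part) for part in ip.split("."))


def load_inventory(text: str) -> Dict[str, Dict[str, str]]:
    """Map each inventoried IP to its row (hostname, owner, criticality)."""
    return {row["ip"].strip(): row for row in csv.DictReader(io.StringIO(text))}


def parse_grepable_hosts(text: str) -> Set[str]:
    """Return the set of IPs that nmap reported as Up; comments are skipped."""
    live = set()
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if match and match.group(3).lower() == "up":
            live.add(match.group(1))
    return live


def reconcile(inventory: Dict[str, Dict[str, str]], live: Set[str]) -> Dict[str, List[str]]:
    """Rogue: answering but not inventoried. Silent: inventoried but not answering."""
    known = set(inventory)
    return {
        "rogue": sorted(live - known, key=ip_key),
        "silent": sorted(known - live, key=ip_key),
    }


def report(inventory_csv: str = INVENTORY_CSV, scan_output: str = SCAN_OUTPUT) -> Dict[str, List[str]]:
    return reconcile(load_inventory(inventory_csv), parse_grepable_hosts(scan_output))


if __name__ == "__main__":
    result = report()
    for ip in result["rogue"]:
        print(f"ROGUE   {ip}: on the network but not in the asset inventory")
    for ip in result["silent"]:
        print(f"SILENT  {ip}: in inventory but did not answer the sweep")
```

A silent host is not necessarily a problem (it may simply be powered off), but a rogue host is exactly the case the answer describes: a device that joined the network without passing through the inventory process, and therefore one that no patch or configuration process is tracking.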


Question: If your laptop eventually connects to the network, how can it be considered to NOT be a critical component?
Answer: The criticality of a device is not derived from the damage it can cause. The criticality of a device must be built from the value it brings to the organization. In other words, a laptop might be vulnerable to the next big worm, and it might be capable of infecting other devices; however, if you patch or remediate your critical systems first, a laptop would not be able to infect them, protecting your most important data. However, a laptop could cause harm on the rest of your network. If you do not identify the critical systems in your network, you would not know how to react to pressing threats; in effect, all of your vulnerable systems would be critical.


Question: What tools or support are available to begin the process of influencing management to understand the degree of threats?
Answer: One of the ways to help management understand the degree of threats is to raise awareness, which could include highlighting how many critical vulnerabilities may exist or how many critical systems may have potential vulnerabilities.  It’s important for management to understand the pervasiveness of the threats, as well as the damage that cyber threats pose – from financial costs incurred to recover from an incident (Blaster or Slammer for example) to the damage to an organization’s ability to conduct its business.  There is a plethora of statistics available on the Internet to highlight these issues.  


Question: Are there some tips on keeping up-to-date on recent threats and to stay best informed?
Answer: There are a number of sources - you might want to start with your software vendors, US-CERT (www.uscert.gov) and SANS (www.incidents.org).


Question: Does this view of Vulnerability Management work equally well for data systems as well as network systems?
Answer: Yes, this is a pretty adaptable framework. You should be able to use this for data systems, network systems, and even physical security.


Question: Can you define a vendor vulnerability?
Answer: This is a fault in the software a vendor provides that could be exploited to cause your computer to crash, act strangely or, in the worst case, allow someone to take control of your computer.


Question: What is the 'A' in AxVxT?
Answer: A=Asset
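The AxVxT formula referred to here, together with the earlier answer on why a laptop is patched after a critical server, can be turned into a remediation ordering. The following is an added example and is not code from the webcast or its presenters. The webcast expands only A (Asset); this code assumes V is vulnerability severity and T is threat likelihood, each rated on a 1 to 5 scale, so risk = A x V x T lies between 1 and 125 (both the expansions and the scale are assumptions). The findings, host names and criticality labels are constructed sample data.

```python
"""Order remediation with the A x V x T risk formula.

Added example, not code from the webcast. A = asset value (from the
inventory's criticality label); V = vulnerability severity and T = threat
likelihood are assumed meanings, each 1..5.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Asset value A from the inventory's criticality label (the scale is an assumption).
ASSET_VALUE = {"high": 5, "medium": 3, "low": 1}


def asset_value(criticality: Optional[str]) -> int:
    """Unknown criticality is scored as critical. This mirrors the webcast's
    warning: if you have not identified your critical systems, every
    vulnerable system has to be treated as critical."""
    if criticality is None:
        return ASSET_VALUE["high"]
    return ASSET_VALUE[criticality.lower()]


@dataclass(frozen=True)
class Finding:
    host: str
    criticality: Optional[str]  # inventory label, or None if the host is unknown
    vuln_severity: int          # V (assumed meaning), 1..5
    threat_likelihood: int      # T (assumed meaning), 1..5
    title: str


def risk_score(finding: Finding) -> int:
    """A x V x T; every factor must be on the 1..5 scale."""
    a = asset_value(finding.criticality)
    for factor in (a, finding.vuln_severity, finding.threat_likelihood):
        if not 1 <= factor <= 5:
            raise ValueError("each A, V, T factor must be in 1..5")
    return a * finding.vuln_severity * finding.threat_likelihood


def remediation_queue(findings: List[Finding]) -> List[Tuple[str, int]]:
    """Highest risk first; ties go to the more valuable asset, then by host name."""
    ranked = sorted(
        findings,
        key=lambda f: (-risk_score(f), -asset_value(f.criticality), f.host),
    )
    return [(f.host, risk_score(f)) for f in ranked]


# Constructed findings: the same worm-exploitable flaw on a critical database
# server and on a low-value laptop, plus two lesser issues.
FINDINGS = [
    Finding("lt-jsmith", "low", 5, 5, "worm-exploitable remote code execution"),
    Finding("db-prod-1", "high", 5, 5, "worm-exploitable remote code execution"),
    Finding("web-prod-1", "high", 3, 4, "information disclosure in web tier"),
    Finding("print-2f", "low", 2, 2, "weak default configuration"),
]

# The same findings with no inventory to consult: every host scores as critical.
FINDINGS_NO_INVENTORY = [
    Finding(f.host, None, f.vuln_severity, f.threat_likelihood, f.title) for f in FINDINGS
]


if __name__ == "__main__":
    print("With inventory:")
    for host, score in remediation_queue(FINDINGS):
        print(f"  {score:4d}  {host}")
    print("Without inventory (every asset assumed critical):")
    for host, score in remediation_queue(FINDINGS_NO_INVENTORY):
        print(f"  {score:4d}  {host}")
```

With the inventory in hand, the database server ranks first and the laptop with the identical flaw drops to third; without it, both score 125 and nothing distinguishes them, which is the situation the earlier answer warns about.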


Question: (1) How do you actually scan for vulnerabilities? (2) Are virus scans a form of this?
Answer: (1) There are a number of open source and commercial tools for vulnerability scanning. You can perform a Google search on vulnerability scanning and find a source of "free" vulnerability scanning tools as well. (2) This is not the same thing as virus scanning.


Question: Is there a written list for the Risk Guidelines?
Answer: The Risk Guidelines can be obtained by viewing the recording or downloading the PowerPoint presentation by visiting the March 16th webcast home page.