Security Basics mailing list archives
Re: Vulnerability Scanning - Prioritising Remediation
From: Todd Haverkos <infosec () haverkos com>
Date: Wed, 21 Sep 2011 06:57:49 -0500
J Teddy <jteddylists () gmail com> writes:
> I'm currently documenting how to prioritise remediation efforts from my last vulnerability scan. As my assets have all had information risk assessments conducted, I can easily calculate my CVSS score using the CVSS2 calculator. I then started thinking about compensating controls in my network where I could possibly lower the priority of the remediation. For example the SSH vulnerability priority may be lowered as there is a signature for prevention on my IPS.
But...can that signature be bypassed? If there's an exploit available for it in a framework you have access to (such as Metasploit), this is where the value of human verification of the vulnerabilities using some of that framework's encoding and signature evasion options can be useful to give you a better picture of how much compensation your compensating controls are really buying you. You may find yourself quite surprised at what sort of trivial attack modifications can punch through an IPS (or AV). Signatures generally blow, sad to say.
> The question I can not answer is if my IPS has prevention for such a signature, and I'm running a vulnerability scan through that IPS, will my IPS block those packets, with the end result being my VA scan does not detect the vulnerability?
This is a good thing to think about and you can be sure that an IPS is going to detect (and if configured to do so, block) the activity of most vuln scanners. After all, that's how most of them get tested by prospective buyers of IPS's (run a nessus scan or autopwn, and hope to see the console light up red).

If you want an accurate assessment of your vulnerability stance, you'll want to place your scan behind IPS or on an IP that the IPS whitelists in order to get a picture of how your network may look to an attacker that is targeting you rather than one scanning randomly and looking for low hanging fruit. It's safest to assume that IPS (and AV for that matter) won't pose a significant barrier to an attacker who has put you in the crosshairs. Depending on the vendor, those who do comparative IPS testing have story upon story about trivial attack permutations that various IPS will let through.

If this is an environment you own and manage as well, not only should your scanner go inside of or be whitelisted through the IPS protections, the scanning should be done with credentials, especially on desktop systems that have internet access. On those systems the biggest liability is generally the users themselves stumbling upon drive-by malware. Having patched web browsers AND web plugins helps enormously to make those much harder targets.

Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
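An added example, not part of the original message: one way to compare a scan run through the IPS with a scan from a whitelisted scanner, so that findings the IPS hid from the scanner still reach the remediation queue. The sample findings, the field names and the deferral policy are assumptions made for illustration.

```python
"""Compare a scan run through the IPS with one run from a whitelisted scanner."""

# Constructed sample data: hosts, check names and scores are illustrative only.
THROUGH_IPS = [
    {"host": "10.0.0.5", "port": 443, "check": "weak-tls-ciphers", "cvss2": 4.3},
]
WHITELISTED = [
    {"host": "10.0.0.5", "port": 443, "check": "weak-tls-ciphers", "cvss2": 4.3},
    {"host": "10.0.0.5", "port": 22, "check": "ssh-remote-overflow", "cvss2": 9.3},
    {"host": "10.0.0.9", "port": 80, "check": "outdated-web-plugin", "cvss2": 6.8},
]


def _key(finding):
    """Identity of a finding: same host, port and check means same issue."""
    return (finding["host"], finding["port"], finding["check"])


def masked_by_ips(through_ips, whitelisted):
    """Return findings only the whitelisted scan saw, sorted by finding key."""
    seen = {_key(f) for f in through_ips}
    return sorted((f for f in whitelisted if _key(f) not in seen), key=_key)


def remediation_queue(through_ips, whitelisted, verified_controls=()):
    """Order the whitelisted scan's findings for remediation.

    Assumed policy: a finding is deferred only when its key is listed in
    verified_controls (a human confirmed the IPS signature holds up); an
    untested signature earns no discount. Within each group the highest
    CVSS v2 base score comes first.
    """
    seen = {_key(f) for f in through_ips}
    verified = set(verified_controls)
    rows = [
        {**f, "masked_by_ips": _key(f) not in seen, "deferred": _key(f) in verified}
        for f in whitelisted
    ]
    return sorted(rows, key=lambda r: (r["deferred"], -r["cvss2"]))


if __name__ == "__main__":
    for row in remediation_queue(THROUGH_IPS, WHITELISTED):
        flag = "masked by IPS" if row["masked_by_ips"] else ""
        print(f'{row["cvss2"]:>4}  {row["host"]}:{row["port"]}  {row["check"]}  {flag}')
```
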