Security Basics mailing list archives

Re: Vulnerability Scanning - Prioritising Remediation


From: Todd Haverkos <infosec () haverkos com>
Date: Wed, 21 Sep 2011 06:57:49 -0500

J Teddy <jteddylists () gmail com> writes:
> I'm currently documenting how to prioritise remediation efforts from
> my last vulnerability scan.  As my assets have all had information
> risk assessments conducted, I can easily calculate my CVSS score using
> the CVSS2 calculator.

> I then started thinking about compensating controls in my network
> where I could possibly lower the priority of the remediation.  For
> example the SSH vulnerability priority may be lowered as there is a
> signature for prevention on my IPS.

But...can that signature be bypassed?  If there's an exploit available
for it in a framework you have access to (such as Metasploit), this is
where the value of human verification of the vulnerabilities using
some of that framework's encoding and signature evasion options can be
useful to give you a better picture of how much compensation your
compensating controls are really buying you.  You may find yourself
quite surprised at what sort of trivial attack modifications can punch
through an IPS (or AV).  Signatures generally blow, sad to say.

> The question I can not answer is if my IPS has prevention for such a
> signature, and I'm running a vulnerability scan through that IPS, will
> my IPS block those packets, with the end result being my VA scan does
> not detect the vulnerability?

This is a good thing to think about, and you can be sure that an IPS is
going to detect (and, if configured to do so, block) the activity of
most vuln scanners.  After all, that's how most of them get tested by
prospective buyers of IPSs (run a Nessus scan or autopwn, and hope to
see the console light up red).

If you want an accurate assessment of your vulnerability stance,
you'll want to place your scanner behind the IPS or on an IP that the IPS
whitelists in order to get a picture of how your network may look to
an attacker who is targeting you rather than one scanning randomly
and looking for low-hanging fruit.  It's safest to assume that IPS
(and AV, for that matter) won't pose a significant barrier to an
attacker who has put you in the crosshairs.  Depending on the vendor,
those who do comparative IPS testing have story upon story about
trivial attack permutations that various IPSs will let through.

If this is an environment you own and manage as well, not only should
your scanner go inside of, or be whitelisted through, the IPS
protections, the scanning should be done with credentials, especially
on desktop systems that have internet access.  On those systems the
biggest liability is generally the users themselves stumbling upon
drive-by malware.  Having patched web browsers AND web plugins helps
enormously to make those much harder targets.

Best Regards, 
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
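The two points above (a scan run through the IPS can hide findings that a whitelisted or inside scan sees, and a compensating control should only lower remediation priority once it has been verified against evasion) can be turned into a small triage script. The following is an added example and not part of Todd Haverkos's or J Teddy's posts. The CVSS v2 base-score constants and formula are the published CVSS v2 ones; the host names, check names, the "ips-signature-*" control labels and the 2.0-point discount for a verified control are constructed for illustration and are not from any real scanner or policy.

```python
# Added example, not from the original thread. Diffs two scan vantage points
# (inside/whitelisted vs. through the IPS) to find IPS-masked findings, and
# ranks remediation by CVSS v2 base score, discounting only for compensating
# controls that were verified by manual evasion testing.
from dataclasses import dataclass
from typing import Optional, List, Set, Tuple
import math

# CVSS v2 base metric weights (from the CVSS v2 specification).
AV  = {"L": 0.395, "A": 0.646, "N": 1.0}     # AccessVector
AC  = {"H": 0.35,  "M": 0.61,  "L": 0.71}    # AccessComplexity
AU  = {"M": 0.45,  "S": 0.56,  "N": 0.704}   # Authentication
CIA = {"N": 0.0,   "P": 0.275, "C": 0.660}   # Confidentiality/Integrity/Availability impact


def cvss2_base(vector: str) -> float:
    """CVSS v2 base score from a vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return math.floor(raw * 10 + 0.5) / 10   # round half up to one decimal, as CVSS does


@dataclass(frozen=True)
class Finding:
    host: str
    check: str                        # scanner check name (constructed, not a real plugin ID)
    vector: str                       # CVSS v2 base vector
    control: Optional[str] = None     # compensating control, e.g. an IPS signature
    control_verified: bool = False    # True only if evasion testing failed to bypass it


COMPENSATION_DISCOUNT = 2.0   # policy knob; an assumption for this example


def key(f: Finding) -> Tuple[str, str]:
    return (f.host, f.check)


def masked_by_ips(inside: List[Finding], through_ips: List[Finding]) -> Set[Tuple[str, str]]:
    """Findings the inside/whitelisted scan saw but the scan through the IPS did not."""
    return {key(f) for f in inside} - {key(f) for f in through_ips}


def priority(f: Finding) -> float:
    """Base score, reduced only when a compensating control has actually been verified."""
    score = cvss2_base(f.vector)
    if f.control and f.control_verified:
        return round(max(score - COMPENSATION_DISCOUNT, 0.0), 1)
    return score   # an unverified control buys nothing


def remediation_order(inside: List[Finding], through_ips: List[Finding]):
    """Rows of (priority, host, check, masked_by_ips), highest priority first."""
    masked = masked_by_ips(inside, through_ips)
    rows = [(priority(f), f.host, f.check, key(f) in masked) for f in inside]
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    return rows


# Constructed sample results from the two vantage points.
INSIDE = [
    Finding("srv-01", "ssh-old-version", "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            control="ips-signature-ssh", control_verified=False),
    Finding("srv-02", "smb-rce", "AV:N/AC:L/Au:N/C:C/I:C/A:C"),
    Finding("wks-07", "browser-plugin-outdated", "AV:N/AC:M/Au:N/C:C/I:C/A:C",
            control="ips-signature-plugin", control_verified=True),
]
# Through the IPS the SSH probe was blocked, so that finding never appears.
THROUGH_IPS = [INSIDE[1], INSIDE[2]]

if __name__ == "__main__":
    for prio, host, check, masked in remediation_order(INSIDE, THROUGH_IPS):
        flag = "  (hidden from through-IPS scan)" if masked else ""
        print(f"{prio:4.1f}  {host:8s} {check}{flag}")
```

Run as-is it lists the SMB finding first at 10.0, then the SSH finding at its full 7.5 because its IPS signature was never evasion-tested (and flags it as invisible to the through-IPS scan), and only the browser-plugin finding, whose control was verified, drops from 9.3 to 7.3.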
