Layer 5: Vulnerability Management

By John Moore

As attacks on enterprise systems grow more sophisticated and diverse, companies need to rethink their defense strategies. In this special report, experts offer new and better ways to protect vital information resources.

Lines of defense are helpful, but it doesn't hurt to make the target smaller. Vulnerability management tools offer the potential to do just that. While network access control is focused on PCs and laptops, vulnerability assessment products cover a broader territory, scanning PCs, servers and network devices for missing security patches or botched configuration settings that could lead to an attack. The tools may be installed on PCs and servers, and are available as a bundled hardware/software appliance. Vulnerability assessment may also be purchased as a service. Code scanners review lines of software code to identify flaws an attacker could exploit.
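To make the two checks described above concrete, here is an added example (not code from the article or from any vendor named in it) of a minimal assessment pass over a constructed host inventory: it compares installed package versions against a made-up advisory feed to flag missing security patches, and compares an sshd configuration against a made-up hardening baseline to flag botched settings. The advisory ids, package versions, host name and baseline values are all constructed placeholders.

```python
import re

# Constructed advisory feed (placeholder ids): package and first fixed version.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "openssh", "fixed_in": "7.4"},
    {"id": "ADV-EXAMPLE-002", "package": "bind", "fixed_in": "9.11.1"},
]

# Constructed hardening baseline for sshd: required value per directive.
SSHD_BASELINE = {"permitrootlogin": "no", "passwordauthentication": "no"}

# Constructed inventory for one host; PasswordAuthentication is commented out.
HOST = {
    "name": "web01.example.internal",
    "packages": {"openssh": "7.2p2", "bind": "9.11.2", "nginx": "1.10.3"},
    "sshd_config": "Port 22\nPermitRootLogin yes\n"
                   "# PasswordAuthentication no\nX11Forwarding no\n",
}

def version_key(v):
    """Numeric-only comparison key: '7.2p2' -> (7, 2, 2). Simplified on purpose;
    real scanners use the distribution's own version-ordering rules."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def parse_sshd_config(text):
    """Return {directive_lowercased: value}, ignoring comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    return settings

def assess(host, advisories=ADVISORIES, baseline=SSHD_BASELINE):
    """Return (kind, subject, detail) findings for missing patches and misconfigs."""
    findings = []
    for adv in advisories:
        installed = host["packages"].get(adv["package"])
        if installed and version_key(installed) < version_key(adv["fixed_in"]):
            findings.append(("missing-patch", adv["id"],
                             f"{adv['package']} {installed} < {adv['fixed_in']}"))
    actual = parse_sshd_config(host["sshd_config"])
    for directive, required in baseline.items():
        value = actual.get(directive)
        if value is None:  # unset directives fall back to the daemon default
            findings.append(("misconfig", directive, "not set; daemon default applies"))
        elif value.lower() != required:
            findings.append(("misconfig", directive, f"{value} (baseline: {required})"))
    return findings
```

Running `assess(HOST)` on the constructed inventory reports the outdated openssh package, the explicit PermitRootLogin deviation, and the commented-out PasswordAuthentication directive, while the bind version at or above the fixed release produces no finding.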

Automated code analyzers let organizations build security into the software development process. Products from vendors such as Ounce Labs and Fortify Software look for design flaws in an application's source code, while vendors like Veracode analyze compiled binary code.

The objective of code analysis is to "reduce the attack surface of the application itself," says Matt Moynahan, chief executive officer of Burlington, Mass.-based Veracode. "You can't strip 100% of the risk out of an application; there's not enough time or money to do it. But you can strip out the vast majority of risk and give perimeter defense a fighting chance."

Another component of vulnerability management: software for automating penetration tests. This technology gives organizations a view of enterprise networks and applications from an assailant's perspective.

Andre Gold, Continental Airlines' director of information security, says penetration testing helps the airline identify weaknesses in application design and security processes. The company also uses penetration testing to check for weaknesses in the security products it plans to purchase.

Vendors offering automated penetration testing products include Cenzic, Core Security, Immunity and Mu Security. The open-source Metasploit Project offers Metasploit Framework, for penetration testing.

Continental uses Core Security's Core Impact software to automate penetration tests. The product gathers information about the network to be tested, scans for TCP/IP port vulnerabilities, and catalogs the operating systems and services running on host systems. Core Impact then launches attacks, using information gleaned during the discovery phase.

Organizations tend to use penetration testing sparingly, typically once a year, because of the cost (outside consultants may charge $100,000 per test) and the potential for network disruption.

Automated testing is considered faster than manual testing and less expensive than hiring a third party. Core Impact's annual licensing fee, for example, is $25,000. Manual testing, however, may be used to supplement tool-based reviews because it has the potential to "identify flaws in business logic that automated scanners are usually incapable of finding," according to the Open Web Application Security Project, a non-profit organization based in Columbia, Md., that focuses on software security.

By using an automated tool, Continental has been able to increase the frequency of penetration testing for a broader set of line-of-business applications such as Continental.com, its Web site, which generates $3 billion in sales, Gold says.

Continental also employs other testing methods to uncover security issues. The airline uses a black box approach to simulate an external attacker's perspective. An outside firm is hired to do the testing and is given no information about Continental's network, hence the black box label.

In-house tests using the Core Impact tool leverage insider information. Testers will consult data flow and system interconnect diagrams to target particular applications. Gold says the objective is to determine whether a weakness in one application can be exploited to infiltrate another system. Tests of this type simulate a malicious insider or an outsider with administrator-level access.

In an exercise, Continental discovered that one application contained a poorly designed user authentication mechanism. If that interface were exploited, the compromised system could be used to breach an application that contained data on about 42,000 Continental employees.

"If we hadn't run the test, we wouldn't have known about it," Gold says. The company remediated the security lapse.

But it's not enough to fix problems as they surface. Gold's security team also discusses its test findings with the affected parties. For example, if vulnerabilities in a given system stem from application design and programming, Gold sets up a meeting with the application's business unit sponsor.

The mistake that some organizations make, Gold points out, is to conduct a penetration test and focus on report generation. A report, presented without discussion, may end up on a shelf. "That is not the purpose of a penetration test," he says.

This article was originally published on 2007-05-14
John writes the Contract Watch column and his own column for the Channel Insider.

John has covered the information-technology industry for 15 years, focusing on government issues, systems integrators, resellers and channel activities. Prior to working with Channel Insider, he was an editor at Smart Partner, and a department editor at Federal Computer Week, a newspaper covering federal information technology. At Federal Computer Week, John covered federal contractors and compiled the publication's annual ranking of the market's top 25 integrators. John also was a senior editor in the Washington, D.C., bureau of Computer Systems News.