Automated Security Scanning Considerations
I noticed a question on a listserv that I monitor. The person asked for an opinion on how an auditor might look at an automated vulnerability scanner that logs into the target host and performs local checks. Many vendors have been doing this for a while now. It is a great feature that really allows these tools to help companies ensure that their systems stay in compliance with company policies and procedures, and it assists with change management and security validation as well.
But, as with any resource, there are things to take into consideration. The following is just a quick list of things an auditor might focus on that I jotted down off the top of my head. This is intended as a starter list, and it definitely needs more order and word-smithing, but the intent should be clear.
- Method of communication – is it encrypted?
- Authentication and authorization – does the application use a group account or the account of another administrator, or does it have its own dedicated account? Does it elevate privileges after logging in, or does it have administrative privileges immediately? Is the authentication mechanism a password/passphrase, or is there a key?
- Does the activity show up in the logs? Login/logout, file integrity checks, etc.
- Are the scans automated or scheduled? Can they be initiated at anytime and by whom?
- Who gets a copy of the report and when are they reviewed? Executives, security administrators, resource administrator?
- How are problems mitigated and who is responsible for following up?
- How often are the checks updated? How often are the checks examined to ensure they fit the system being scanned?
- Do the checks accurately reflect company policies and procedures?
- System hardening and other security considerations for the scanning system itself: what has been done, is the scanning system itself scanned, and how?
- Is the scanning system always online? What about physical security (whether online or offline)?
- Some systems allow for role-based controls. So, can system and device administrators log in and periodically scan their own systems? Can they see other administrators' systems and reports?
- How do the scans affect IDS/IPS, Network Behavioral Analysis systems, application firewalls? Is the data dropped or noted or just plain ignored?
- How do scans affect production systems? Are checks scaled back (made less strict) so that they do not adversely affect production systems?
- If the scans have to traverse firewalls and routers, how has this affected the rules and ACLs?
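Several of the items above (does the scanner's activity show up in the logs, who can initiate a scan and when, does the account elevate privileges) can be checked directly against the target's authentication logs. The following is an added example, not code from the original post: a small Python check that reads constructed sshd/sudo log lines and flags scanner-account logins that come from an unexpected host, authenticate with a password instead of a key, fall outside the scheduled scan window, or elevate privileges via sudo. The account name, policy values and log lines are all assumptions made for the example.

```python
import re
from datetime import datetime, time

# Constructed sample auth log lines (syslog style, no year); not taken from any real host.
SAMPLE_LOG = """\
May  5 02:13:41 web01 sshd[4123]: Accepted publickey for svc-scanner from 10.0.5.20 port 51122 ssh2
May  5 02:41:07 web01 sshd[4123]: pam_unix(sshd:session): session closed for user svc-scanner
May  7 14:22:09 web01 sshd[5310]: Accepted password for svc-scanner from 10.0.9.77 port 40211 ssh2
May  7 14:22:30 web01 sudo:  svc-scanner : TTY=pts/0 ; PWD=/home/svc-scanner ; USER=root ; COMMAND=/bin/bash
May  8 02:05:55 web01 sshd[6001]: Accepted publickey for svc-scanner from 10.0.5.20 port 51190 ssh2
"""

# Hypothetical policy for the scanner's dedicated account: where it may connect from,
# how it may authenticate, and the maintenance window in which scans are scheduled.
POLICY = {
    "account": "svc-scanner",
    "allowed_sources": {"10.0.5.20"},
    "allowed_methods": {"publickey"},
    "window": (time(2, 0), time(4, 0)),
}

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\S+): (.*)$")
LOGIN_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port \d+")
SUDO_RE = re.compile(r"^\s*(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")


def audit_scanner_account(log_text, policy):
    """Return one finding for every scanner-account event that deviates from policy."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, program, msg = m.groups()
        when = datetime.strptime(ts, "%b %d %H:%M:%S").time()
        login = LOGIN_RE.search(msg)
        if program.startswith("sshd") and login and login.group(2) == policy["account"]:
            method, _, src = login.groups()
            reasons = []
            if src not in policy["allowed_sources"]:
                reasons.append(f"unexpected source {src}")
            if method not in policy["allowed_methods"]:
                reasons.append(f"auth method {method} not permitted")
            start, end = policy["window"]
            if not (start <= when <= end):
                reasons.append(f"login at {when} outside scan window")
            if reasons:
                findings.append({"event": "login", "line": line, "reasons": reasons})
        elif program == "sudo":
            sudo = SUDO_RE.match(msg)
            if sudo and sudo.group(1) == policy["account"]:
                # Privilege elevation by the scanner account is worth a finding on its own.
                findings.append({"event": "sudo", "line": line,
                                 "reasons": [f"elevated to {sudo.group(2)}: {sudo.group(3)}"]})
    return findings
```

Run against the sample, the two in-window key-based logins pass silently, the daytime password login from the unexpected host is reported with three reasons, and the sudo to root is reported separately.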
Of course, an auditor is most likely going to select the most critical areas to focus on, or the ones they perceive might give you the most problems. But that all depends on how thorough the assessment is going to be.
Go forth and do good things,
Cutaway
May 9th, 2007 at 3:46 pm
[...] Automated Security Scanning Considerations – Good article. [...]