Guide: The Top 10 Reports for Managing Vulnerabilities

Top 10 Reports
#1 Network Perimeter Map Report (page 4)
#2 Unknown Internal Devices Report (page 5)
#3 SANS Top 20 Vulnerabilities Report (page 7)
#4 25 Most Vulnerable Hosts Report (page 8)
#5 High Severity Technical Report (page 9)
#6 Web Application Scan Report (page 10)
#7 Vulnerability Trend Report (page 12)
#8 Risk Analysis Report (page 13)
#9 Open Tickets Report (page 15)
#10 Executive Review - Remediation Report (page 16)
Introduction

Most of us don't think twice as we sweep the perimeter of our homes before retiring at night or leaving for work in the morning. Why would we want anything less for the security of our networks and systems?

An open door, unlocked window, or our keys lying on top of the front door mat: these all represent openings for criminals (or even neighbors we know) to unravel the security fabric in our lives. In our IT infrastructure, open ports, available wireless access points and unpatched servers may result in the theft or compromise of critical customer data, along with the disruption of business operations. While we often can manage the vulnerabilities around our homes by spending a few minutes checking locks, etc., the task is much more difficult in a distributed organization with tens or hundreds of thousands of networked devices.

Vulnerabilities in the IT infrastructure environment consist of the software flaws and configuration errors that are present in servers, desktops, notebooks, routers, wireless access points, networked printers and any other device with an IP address. The key benefits and advantages in implementing a lifecycle approach to vulnerability management are the increased protection across your environment before attacks occur and the documented assurance that your networks (internal and external) are safe. The increased levels of security assure the continuity of business across employees, customers and partners.

Effective vulnerability management also serves to communicate the levels of IT risk to line-of-business owners and executives. IT administrators and operational staff are able to resolve problems more quickly and accurately. The reality today is that new vulnerabilities appear constantly, and the ability to handle new flaws and misconfigurations requires an automated workflow and reporting structure. Poring over extensive lists of raw vulnerability data is of limited worth when trying to measure security levels. Instead, concise reports containing the severity and business criticality of vulnerabilities and IT assets are required. Further, these allow access to proven remediation approaches and solutions. Security information needs to be collected, customized and presented to company management, auditors and regulators, in addition to security professionals and system administrators.

The audience for this paper includes security professionals and managers, systems and network administrators, IT operations staff and others who must document, review and resolve vulnerable networks. Out of literally hundreds of different vulnerability management reports available, this paper introduces 10 of the most important reports and uses reports generated by Qualys' vulnerability management solution, QualysGuard, for reference purposes. The reports are organized across the four key steps in the vulnerability management lifecycle shown below.

Asset Discovery and Inventory: build and maintain an up-to-date repository of IT asset information, including business impact and asset groupings.
Vulnerability Assessment: test and document the effectiveness of both security policies and controls.
Analysis and Correlation: add business intelligence through graphing, trending and understanding the relationships between vulnerabilities and asset types.
Remediation and Verification: prioritize and resolve the vulnerability issues that are found and retest the assets for proof of correctness.
Asset Discovery and Inventory Reports

The first step in the quest for managing vulnerabilities is to find where they exist. But even before that is achieved, an up-to-date repository of assets must be built and maintained. This repository will include all hosts or devices with an IP address. The type of information populated in the repository includes hardware, software, applications, services and configurations. QualysGuard gathers all this information in a two-step process. The first step is network mapping, which identifies which hosts are live. The result is an accurate baseline of all connected devices, be they servers, desktops, notebooks, routers, wireless access points, etc. After mapping, the second phase is initiated. This consists of scans which gather additional information to round out the asset inventory.

It's also important to determine the business impact for each asset. Business impact simply means the value a particular device has in relation to all others. All assets are not created equal; a test machine with individual access in a back room carries less risk of business interruption than a server with financial projections or personally identifiable information.

Having current and accurate asset inventory information allows for greater accuracy when identifying which assets are impacted by a particular vulnerability. It reduces the time spent performing vulnerability scans, as the vulnerability checks themselves are applied only on those devices where they may exist. The number of false positives (defined as reporting a vulnerability where one does not exist) is reduced by eliminating the unrealistic case of a Windows server reporting a vulnerability only found on Linux operating systems. Another benefit is in the remediation process. Efforts there will be more efficient when patches and fixes are applied to the corresponding assets.

While smaller organizations with Class C sized networks (a single /24, up to 254 usable addresses) may find they can complete the task of accounting for all devices attached to their network manually, this same approach will quickly spiral out of control when the networks total 10,000, 50,000 or 100,000+ devices across multiple subnets. The most time-consuming task, however, lies in the appropriate classification of the assets once they have been identified. Since this is so arduous, companies without automation must decide which segment or subset of their assets to classify, often leaving out critical devices. Systems and networks are dynamic; they change and must be revisited. Rogue devices may be added to the network without permission and must be dealt with appropriately.
#1 – Network Perimeter Map

The Network Perimeter Map provides a view into the topology of your network for reference and documentation, by developing a baseline of each connected device. With each asset properly identified, users of QualysGuard may group them in any way they desire: by business unit, geography, platform, etc. These classifications are called asset groups. An asset may exist in multiple asset groups. Once discovered, a new device may be added to an existing asset group, or a new asset group may be created.

QualysGuard maps can be viewed in either graphical or text format. They show any device with an IP address that has been discovered, externally or internally using an appliance. From within this report, users can drill down on a particular asset and view its detailed attributes, including what discovery method was used (DNS, ICMP, TCP, UDP or others), the domain name, the operating system and whether the asset may be scanned for vulnerabilities. Administrators can also initiate either on-demand or scheduled scans for security assessments against specific asset groups.

Figure 1: QualysGuard Network Perimeter Map
#2 – Unknown Internal Devices

This report lists all discovered devices which have not been approved by a company administrator. QualysGuard can detect rogue devices, including virtual hosts that could have been placed on your network. This is important information to have when security administrators are reviewing the network to clean up and eliminate devices placed on the network for malicious purposes, or simply those that pose additional risk because of missing patches, unwanted services, etc. This report should be run on a daily basis to ensure maximum protection levels are upheld. Once discovered, scans are necessary to investigate the origin of these unknown devices. Lastly, the proper precautions must be taken to prevent further exposure from occurring.

Let's have a look at two screenshots involved in generating an Unknown Device Report. Figure 2 shows the map report template used to generate the actual report. Note the filter options, which include multiple Host Types to include. Only the "Rogue" host type is selected for this particular report.

It should be noted that the column "A" is empty in Figure 3. "A" stands for "Approved". In this case, all of the devices in this report have yet to be approved by a systems administrator.

Figure 2: Unknown Devices Report Map Template
Figure 3: Unknown Devices Report Results
Vulnerability Assessment Reports

Vulnerability assessment is the process of testing and documenting the effectiveness of both security policies and controls, by examining the network infrastructure for "known bads". The assessments are performed across network devices and host systems, as well as the services and applications that run on top of them. Scan reports will show what vulnerabilities are present and where they are located, in order to direct administrators towards what needs fixing and in what priority order. This is the cornerstone for effective vulnerability management, because this process identifies and communicates the software flaws, missing patches and misconfigurations that exist and pose security risks.

In scanning live hosts, the mapping generated from the asset discovery step will be used. Asset discovery is the prelude to asset classifications, or groupings, which are further defined by business impact ratings. The severity assigned to each vulnerability will also be used to differentiate the flaws which present the highest danger of exposure. Included in the scan results is information describing the properties of the vulnerability, such as the impact, the type of device made vulnerable, cross references to external vulnerability identifiers and scoring systems (e.g. Bugtraq IDs, CVE identifiers, CVSS scores) and links to other information sources. Also, solution recommendations are included to fix the exposure.
#3 – SANS Top 20 Vulnerabilities

The third report in our Top 10 list is the SANS Top 20. In June 2000, the SANS Institute, along with the FBI's National Infrastructure Protection Center, began publishing a list of the most critical internet security vulnerabilities. The SANS Institute is a trusted source for information security training, certification and research. This list was quickly adopted by organizations worldwide as a standard guide for understanding and assessing the most dangerous areas of exposure. The list is a consensus of the flaws that require immediate attention, and is developed by leading security experts from multiple countries across the globe. Nearly every year since its beginning, SANS has updated the list to reflect the changes in threat vectors, noting the recent rise in client-side, anti-virus and web application vulnerabilities.

The QualysGuard SANS Top 20 Report shows the results of vulnerability scans derived from the SANS list. Figure 4 shows the total vulnerabilities found in this assessment, along with the average security risk score. Also note that Qualys offers a SANS Top 20 Scan at no charge to organizations who wish to register: http://sans20.qualys.com.

More detail on the specific SANS vulnerabilities that have been identified through the scan is presented in Figure 5. This detail includes descriptions, impact and recommended solution.

Figure 4: SANS Top 20 Report with Summary Vulnerability information
Figure 5: SANS Top 20 Report with Detailed Vulnerability information
#4 – 25 Most Vulnerable Hosts

Across any organization, there are those systems that are in worse shape than others. Having a current listing of the hosts with the most critical flaws helps direct the efforts to resolve these issues and lowers the risk to the organization. QualysGuard delivers a ranking, beginning with the most vulnerable asset, based upon the security risk of the assets. QualysGuard determines the security risk from the number and severity of vulnerabilities found during the last scan of each host. Vulnerabilities are weighted on a scale of 1 to 5, with 5 being the most severe. The business risk not only considers the security risk, but also factors in the business impact value placed on the asset. These business asset values are either Critical, High, Medium, Minor or Low.

The 25 Most Vulnerable Hosts Report, as shown in Figure 6, lists those assets with the highest number of Severity 4 and 5 vulnerabilities. The hosts are listed in order beginning with the most vulnerable. The report details the number of Severity 4 and 5 vulnerabilities, the business risk and security risk ratings, and also all the asset groups associated with that host.

Figure 6: 25 Most Vulnerable Hosts Report
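The ranking above is easy to reproduce from raw scan findings. The following is an added example written for this guide, not QualysGuard code: the page says only that security risk is derived from the number and severity (1 to 5) of a host's findings and that business risk additionally weighs the asset's business impact, so the severity weights, the impact multipliers, the host addresses, the asset group names and the vulnerability ids below are all assumptions. It also shows why the two orderings differ: the lab host tops the list by count of Severity 4 and 5 findings, while the finance server carries far more business risk.

```python
"""Rank hosts by vulnerability exposure, as in a "most vulnerable hosts" report.

Added example, not QualysGuard code. The severity weights and impact
multipliers are assumptions; the page only states that security risk comes
from the number and severity (1-5) of findings, and that business risk also
weighs the asset's business impact (Critical/High/Medium/Minor/Low).
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed weights: each severity step roughly doubles the risk contribution.
SEVERITY_WEIGHT = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16}
# Assumed multipliers for the five business impact values named on the page.
IMPACT_MULTIPLIER = {"Low": 1, "Minor": 2, "Medium": 3, "High": 4, "Critical": 5}


@dataclass
class Host:
    ip: str
    impact: str                                   # one of IMPACT_MULTIPLIER's keys
    asset_groups: List[str] = field(default_factory=list)
    findings: List[Tuple[str, int]] = field(default_factory=list)  # (vuln id, severity)


@dataclass
class HostRisk:
    ip: str
    sev45: int            # number of Severity 4 and 5 findings
    security_risk: int
    business_risk: int
    asset_groups: List[str]


def score_host(host: Host) -> HostRisk:
    """Compute security risk (findings only) and business risk (findings x impact)."""
    for _, sev in host.findings:
        if sev not in SEVERITY_WEIGHT:
            raise ValueError(f"{host.ip}: severity must be 1-5, got {sev}")
    if host.impact not in IMPACT_MULTIPLIER:
        raise ValueError(f"{host.ip}: unknown business impact {host.impact!r}")
    sev45 = sum(1 for _, sev in host.findings if sev >= 4)
    security_risk = sum(SEVERITY_WEIGHT[sev] for _, sev in host.findings)
    business_risk = security_risk * IMPACT_MULTIPLIER[host.impact]
    return HostRisk(host.ip, sev45, security_risk, business_risk, list(host.asset_groups))


def most_vulnerable(hosts: List[Host], top_n: int = 25) -> List[HostRisk]:
    """Order hosts as the report does: most Severity 4/5 findings first.

    Business risk, then security risk, break ties so that a critical asset
    outranks a lab box with the same count of high-severity findings.
    """
    ranked = sorted(
        (score_host(h) for h in hosts),
        key=lambda r: (r.sev45, r.business_risk, r.security_risk),
        reverse=True,
    )
    return ranked[:top_n]


def by_business_risk(hosts: List[Host], top_n: int = 25) -> List[HostRisk]:
    """Alternative ordering that puts business impact first."""
    ranked = sorted((score_host(h) for h in hosts), key=lambda r: r.business_risk, reverse=True)
    return ranked[:top_n]


# Constructed sample inventory; addresses, groups and vulnerability ids are made up.
SAMPLE_HOSTS = [
    Host("10.0.0.5", "Critical", ["Finance", "Production"], [("V-1", 5), ("V-2", 4), ("V-3", 2)]),
    Host("10.0.0.9", "Low", ["Lab"], [("V-1", 5), ("V-4", 5), ("V-5", 4), ("V-6", 3)]),
    Host("10.0.0.20", "High", ["Production"], [("V-7", 4), ("V-8", 4)]),
    Host("10.0.0.30", "Medium", ["HR"], [("V-9", 3), ("V-10", 1)]),
]

if __name__ == "__main__":
    for r in most_vulnerable(SAMPLE_HOSTS):
        print(f"{r.ip:<10} sev4/5={r.sev45} security={r.security_risk:>3} "
              f"business={r.business_risk:>3} groups={','.join(r.asset_groups)}")
```

Run as a script it prints the ranked table; `by_business_risk` gives the alternative view that the analysis section argues for, where the Critical finance server comes first.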
#5 – High Severity Technical Report

Whenever full vulnerability reports are generated, there is a lot of information produced for each asset. While valuable, all this information takes time to digest. In some instances, time is of the essence and it is critical to quickly identify and resolve the most dangerous areas of exposure. In these cases, only the highest priority issues are able to garner scarce remediation resources, so only the most severe vulnerabilities are included here.

This report presents information about the vulnerabilities with high severity levels only (4 and 5). As seen in Figure 7, only Level 4 and 5 vulnerabilities are listed. The report template filters out all vulnerabilities with severity rankings below Level 4, as well as all potential vulnerabilities (defined as those that cannot be fully verified) and those vulnerabilities categorized as "information only".

Each high severity vulnerability may be viewed in depth for more specific information. This information includes the name, the dates first detected and last detected, the port where it was discovered, the vulnerability identifier, category, and last update, plus other details. It also lists the status (new, active, ignore, etc.). Figure 8 is an example of this detailed information for a Level 5 Microsoft IIS vulnerability with a status of "New".

Figure 7: High Severity Report Summary
Figure 8: High Severity Vulnerability Details
#6 – Web Application Scan

According to the SANS website at http://www.sans.org/top20, the number of vulnerabilities discovered in open source and custom web applications has grown to account for almost 50% of all vulnerabilities now discovered. The danger here manifests itself when trusted sites are transformed into masked areas used for phishing and other scams. Some of the web application vulnerabilities important to identify and remediate are cross-site scripting, SQL injection and remote code execution. As a result, regularly scanning your web applications is a critical IT security component.

As web application vulnerabilities are code related, frequent testing should occur during the development of applications as well as after their actual deployment. Figure 9 shows how web application security threats can be proactively identified to prevent compromise.

Figure 9: Web Application Scan Results
Analysis and Correlation Reports

After asset information has been gathered and vulnerabilities have been identified, further analysis is often necessary to provide more insight into the security information. This is made feasible through the use of automated solutions to collect, store, compute and present the information through multiple views and in graphical formats. The vulnerability and asset information is kept in a repository where analytical engines can process it further. Examples of this advanced processing include presenting trends in vulnerabilities over time, and correlating known properties of a vulnerability (operating system, ports, services) with those of devices to see which are at highest risk for the presence of a specific vulnerability.

As IT operations, systems administration and security move closer together for the goal of improved operational performance, it's critical for these groups to share information and workflows. For example, IT operations (support staff, help desk personnel) can assist with remediation tasks such as system patching if they have the necessary information about what systems are affected and what software to deploy. This information, along with an assigned individual responsible for action and a date for completion, is summarized in trouble tickets created by QualysGuard. This trouble ticketing helps ensure the timely and proper follow-up to vulnerability and configuration issues, while coordinating the smooth integration of efforts across IT groups.

The QualysGuard analysis capability extends into areas such as reviewing the length of time trouble tickets remain open, the number of open trouble tickets in total and by severity, the vulnerabilities by status and severity, and changes in the business risk of asset groups over time. Correlating the severity of a vulnerability with the business value of an asset is important when determining which systems need immediate remediation. This approach results in a better use of resources than one where the most severe vulnerabilities are all resolved concurrently, regardless of whether a machine is used in a test bed or in a live production environment.

In addition to the Analysis and Correlation Reports shown here, executive dashboards are a way to view business intelligence and trend results. As long as the dashboards are current and adaptable to changing requirements, they provide "at-a-glance" insight into a company's vulnerability and risk posture. Dashboards can easily track how long it takes to patch vulnerable systems, for example, or which servers consistently underperform relative to security policy. This aids managers in their understanding of how IT risk is being managed by security and administration teams.
#7 – Vulnerability Trend Report

The vulnerability trend report is based upon a specific time period (established by the user) and displays the trends, increasing or decreasing, of vulnerabilities by severity and across categories (types of assets). As with all QualysGuard reports, permissions to create and view the Vulnerability Trend Report are controlled by the user account settings. In Figure 10 below, the trend report was configured for a four-month analysis.

Another section of the Vulnerability Trend Report (shown in Figure 11) graphs the changes in business risk by asset group over time. QualysGuard allows you to create as many groups as you like and group assets into specific business units in any way desired (by geography, by function, by platform, etc.).

Figure 12 shows two more trending graphs for vulnerabilities found by QualysGuard scans. Users have the flexibility to customize graph formats (pie charts, bar charts, etc.). In the "Vulnerabilities by Severity over Time" graph, the total number of vulnerabilities has decreased from June to September. This was led by a drop in the Severity 1, 4 and 5 vulnerabilities, which offset a rise in the Severity 2 and 3 vulnerabilities during this time.

Figure 10: Vulnerability Trend Summary
Figure 11: Vulnerability Trend Business Risk Graph
Figure 12: Vulnerability Trending by Severity and Status
#8 – Risk Analysis Report

This report may be run prior to an actual vulnerability scan. The user directs a vulnerability to be correlated with the attributes of a specified host or asset group. Analysis is performed to determine the exposure level this asset contains. The more matches the vulnerability has with the asset, across attributes such as operating system, ports and services, the higher the risk level.

The Risk Analysis Report identifies the hosts that are likely exposed to the specified vulnerability. By comparing vulnerability exploit data to known information from past scans, QualysGuard is able to determine whether hosts are likely to be at risk to a new vulnerability, even before a scan is launched. For example, if you receive new information on Microsoft's Patch Tuesday but cannot scan before the weekend to assess your environment, this report will deliver probabilities on which hosts will be most impacted in the interim. This information can then be used to develop an emergency action plan to protect you until full scanning and patching occurs. Note that the result is an estimate built from the last scan's inventory; hosts that have changed since then, or that were not covered by that scan, still need a real scan to confirm exposure.

Figure 13: Risk Analysis Report
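The correlation behind this report, and the inventory-driven rule from the asset discovery section that stops a Linux-only flaw from ever being reported against a Windows server, come down to the same attribute matching. The following is an added example written for this guide, not QualysGuard code: it takes a vulnerability profile (affected OS families, ports and services, the three attributes the page names) and host profiles recorded from earlier scans, and grades each host's exposure. The three exposure levels, the constructed vulnerability "V-NEW-1" and the sample hosts are assumptions; the exposure scale is a simple count of matched attributes, not the vendor's probability model.

```python
"""Estimate which hosts are likely exposed to a newly announced vulnerability
before a scan runs, by correlating the vulnerability's attributes with host
attributes already recorded from earlier scans.

Added example, not QualysGuard code. Matching on operating system, ports and
services follows the page; the exposure levels and sample data are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class VulnProfile:
    vuln_id: str
    os_families: FrozenSet[str]   # OS families the flaw applies to
    ports: FrozenSet[int]         # ports on which the affected service listens
    services: FrozenSet[str]      # service names as recorded by past scans


@dataclass(frozen=True)
class HostProfile:
    ip: str
    os_family: str
    open_ports: FrozenSet[int]
    services: FrozenSet[str]


EXPOSURE_LABEL = {0: "not exposed", 1: "possible", 2: "likely", 3: "highly likely"}


def exposure(vuln: VulnProfile, host: HostProfile) -> Tuple[int, List[str]]:
    """Return an exposure level 0-3 and the attributes that matched.

    The OS check gates everything else: a flaw that only exists on one
    platform cannot apply to another, however many ports line up. That is
    the rule that keeps an inventory-driven scan from reporting a
    Linux-only vulnerability on a Windows server (and vice versa).
    """
    if host.os_family not in vuln.os_families:
        return 0, []
    matched = ["os"]
    if vuln.ports & host.open_ports:
        matched.append("port")
    if vuln.services & host.services:
        matched.append("service")
    return len(matched), matched


def likely_exposed(vuln: VulnProfile, hosts: List[HostProfile]) -> List[Tuple[str, int, str, List[str]]]:
    """Hosts that may be exposed, highest level first; non-exposed hosts are omitted."""
    rows = []
    for h in hosts:
        level, matched = exposure(vuln, h)
        if level:
            rows.append((h.ip, level, EXPOSURE_LABEL[level], matched))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


# Constructed data: a hypothetical Windows file-sharing flaw on TCP 445 and four
# hosts as a previous scan might have recorded them. Addresses are made up.
NEW_VULN = VulnProfile("V-NEW-1", frozenset({"windows"}), frozenset({445}), frozenset({"microsoft-ds"}))
INVENTORY = [
    HostProfile("10.0.1.10", "windows", frozenset({445, 3389}), frozenset({"microsoft-ds", "ms-wbt-server"})),
    HostProfile("10.0.1.11", "windows", frozenset({135}), frozenset({"msrpc"})),
    HostProfile("10.0.1.12", "windows", frozenset({445}), frozenset({"netbios-ssn"})),
    # Samba box: port 445 is open, but the OS rules it out entirely.
    HostProfile("10.0.1.20", "linux", frozenset({22, 445}), frozenset({"ssh", "netbios-ssn"})),
]

if __name__ == "__main__":
    for ip, level, label, matched in likely_exposed(NEW_VULN, INVENTORY):
        print(f"{ip:<10} level={level} ({label}) matched={','.join(matched)}")
```

Feeding a Patch Tuesday bulletin into `NEW_VULN` and the last scan's results into `INVENTORY` gives the interim priority list the report describes; the Linux host is deliberately dropped even though it listens on 445, which is exactly the false positive the asset inventory is meant to prevent.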
Remediation and Validation Reports

Of course, it's not enough to simply identify the vulnerabilities or track their growth. The bottom line in the vulnerability management lifecycle is more results oriented: to resolve the causes of those software flaws or configuration errors. This is where remediation comes into primary focus. Even when new patches are available, there may be a delay in applying them due to the time required for implementation, or fears about the potential impact to the availability and performance of IT assets. An example of this behavior is found in the Conficker worm. Conficker exploits the MS08-067 vulnerability in the Microsoft Windows Server service. Even though Microsoft released the patch for MS08-067 in October 2008, the number of PCs infected since that time is estimated to be in the range of 5 to 10 million, primarily on corporate and government computers.

Coordination of remediation efforts, often by using an automated trouble ticketing system, helps organizations proactively manage what needs to be fixed, and by whom. Automated notifications and reports allow for the workflow required to keep remediation tasks on target and prevent gaps in protection. The prioritization by business impact ensures the most valuable systems are addressed first. Less critical assets then may be handled on regularly scheduled dates, such as a monthly patch or configuration change cycle.

After patching or implementing other configuration changes, rescanning the affected IP addresses is necessary to ensure the fix is complete and no other issues have been created as a result of the change.

Accurate and timely reporting is important at this stage because remediation tasks are often performed by a different team than the security group which identified the exposure. IT security will most likely perform the scan. Then, systems administrators or IT operations staff (helpdesk, support) will implement the fix. Remediation and validation reports are useful to achieve a better understanding of how quickly and thoroughly your organization responds to and resolves security issues. When results are less than desired, improvements in the incident management process can be made.
#9 – Open Tickets Report

The QualysGuard native ticketing and remediation functions ensure outstanding issues are scheduled for completion and vulnerabilities are resolved before further damage is done. Each vulnerability is individually tracked until it is fixed. This automated remediation and trouble ticketing workflow generates tickets based on policy rules. These rules define specific criteria that trigger response actions when met. For example, a rule can be created such that a trouble ticket is opened whenever a Level 4 or 5 vulnerability is identified. The rule will establish the assigned individual, let's say the administrator who ran the scan, and the time period (perhaps two days) for remediation.

The ninth report in our Top 10 list is the Open Tickets Report. As seen below in Figure 14, this lists the tickets and may be sorted by ticket number, status, due date or other fields. Each ticket is assigned a unique number with general information, vulnerability details, remediation history and required actions. Each ticket owner is also listed. Viewers of this report have the option of drilling down into the report to gain additional information associated with the ticket, such as its history.

QualysGuard further aids in the remediation process by delivering automated ticket notification emails. These notifications are sent to each user who has open trouble tickets assigned to them. The ticket statistics in the notification include the number of open tickets which are overdue (those past the scheduled resolution date) and the number which are not overdue, the tickets resolved and the tickets closed. A QualysGuard hyperlink is also included for recipients to easily click and check on the details of their assigned tickets.

Figure 14: Open Tickets Report
#10 – Executive Review – Remediation Report

In addition to providing the detail by user of the status of open tickets, QualysGuard also makes available summary levels for reviewing trouble tickets. Users select which asset groups and which users to include in the report settings. Figure 15 below is an example of the trouble ticket statistics presented; you see not only the number of tickets resolved and still open (by severity level), but also the number overdue and the average time in days for ticket resolution. These statistics are very useful when assessing the performance of the groups involved in vulnerability resolution, and deliver metrics to gauge improvements made over time.

Figure 16 shows more ticket trending information in graphical format. These statistics are often required for weekly status meetings, presentations to management and to demonstrate achievement of Service Level Agreements (SLAs). You can see here the drastic increase in the number of open (and closed) tickets during the last week of this report, alerting executives "at-a-glance" to the increased activity.

Figure 15: Remediation Report – Tickets by Severity and Open Tickets
Figure 16: Remediation Report – Aggregate Ticket Changes
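The ticketing rule from report #9 and the statistics from reports #9 and #10 fit in one small workflow. The following is an added example written for this guide, not QualysGuard's ticketing engine: it opens a ticket for every Severity 4 or 5 finding, assigns it to the user who ran the scan with a two-day deadline, marks tickets resolved only when a rescan that actually covered the host no longer reports the flaw, and then produces the counts the notification e-mail and the executive report list (open versus overdue, resolved, closed, average days to resolution, by severity). The status names "open", "resolved" and "closed", the assignee name, the dates and the findings are assumptions.

```python
"""Rule-driven trouble tickets and remediation metrics.

Added example, not QualysGuard's ticketing engine. Implements the rule the
guide describes (ticket per Severity 4/5 finding, owner = scan user, two-day
deadline) and the statistics its notifications and executive report list.
Status names and sample data are assumptions; a ticket is "resolved" here only
when a rescan that covered the host no longer reports the (host, vuln) pair.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:
    min_severity: int     # open tickets at this severity and above
    assignee: str         # ticket owner, e.g. the user who ran the scan
    due_in_days: int      # remediation deadline relative to detection


@dataclass
class Ticket:
    number: int
    host: str
    vuln_id: str
    severity: int
    owner: str
    opened: date
    due: date
    status: str = "open"            # open -> resolved -> closed
    resolved_on: Optional[date] = None


def open_tickets(findings: List[Tuple[str, str, int]], rule: Rule,
                 scan_date: date, first_number: int = 1) -> List[Ticket]:
    """Create one ticket per (host, vuln, severity) finding that meets the rule."""
    tickets, number = [], first_number
    for host, vuln_id, severity in findings:
        if severity < rule.min_severity:
            continue
        tickets.append(Ticket(number, host, vuln_id, severity, rule.assignee,
                              scan_date, scan_date + timedelta(days=rule.due_in_days)))
        number += 1
    return tickets


def apply_rescan(tickets: List[Ticket], scanned_hosts: Set[str],
                 still_present: Set[Tuple[str, str]], rescan_date: date) -> None:
    """Resolve open tickets whose host was rescanned and whose flaw is gone.

    Tickets for hosts outside the rescan are left untouched: "not reported"
    only means "fixed" when the scanner actually looked at that host.
    """
    for t in tickets:
        if t.status != "open" or t.host not in scanned_hosts:
            continue
        if (t.host, t.vuln_id) not in still_present:
            t.status, t.resolved_on = "resolved", rescan_date


def close_ticket(ticket: Ticket) -> None:
    """Close a ticket only after the fix has been verified by a rescan."""
    if ticket.status != "resolved":
        raise ValueError(f"ticket {ticket.number} is {ticket.status}, not resolved")
    ticket.status = "closed"


def ticket_stats(tickets: List[Ticket], today: date) -> Dict:
    """Summarise tickets as the notification e-mail and executive report do."""
    open_ = [t for t in tickets if t.status == "open"]
    overdue = [t for t in open_ if t.due < today]
    done = [t for t in tickets if t.resolved_on is not None]   # resolved or closed
    by_severity: Dict[int, Dict[str, int]] = {}
    for t in tickets:
        row = by_severity.setdefault(t.severity, {"open": 0, "overdue": 0, "resolved": 0})
        if t.status == "open":
            row["open"] += 1
            row["overdue"] += int(t.due < today)
        else:
            row["resolved"] += 1
    return {
        "open_not_overdue": len(open_) - len(overdue),
        "overdue": len(overdue),
        "resolved": len(done),
        "closed": sum(1 for t in tickets if t.status == "closed"),
        "avg_days_to_resolve": (sum((t.resolved_on - t.opened).days for t in done) / len(done)
                                if done else None),
        "by_severity": by_severity,
    }


def demo() -> Tuple[List[Ticket], Dict]:
    """Constructed walk-through: one scan, two rescans, one executive snapshot."""
    rule = Rule(min_severity=4, assignee="scan-admin", due_in_days=2)
    findings = [("10.0.0.5", "V-1", 5), ("10.0.0.5", "V-3", 2),   # V-3 is below the threshold
                ("10.0.0.9", "V-4", 5), ("10.0.0.20", "V-7", 4)]
    tickets = open_tickets(findings, rule, date(2009, 6, 1))
    hosts = {"10.0.0.5", "10.0.0.9", "10.0.0.20"}
    apply_rescan(tickets, hosts, {("10.0.0.9", "V-4"), ("10.0.0.20", "V-7")}, date(2009, 6, 2))
    apply_rescan(tickets, hosts, {("10.0.0.20", "V-7")}, date(2009, 6, 5))
    close_ticket(tickets[0])
    return tickets, ticket_stats(tickets, today=date(2009, 6, 6))


if __name__ == "__main__":
    for t, s in [demo()]:
        print(s)
```

In the walk-through the Severity 2 finding never becomes a ticket, the first ticket is fixed in one day and closed, the second takes four days, and the third is still open three days past its deadline, so the snapshot reports one overdue ticket and an average of 2.5 days to resolution.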