Wednesday, December 31, 2008

Happy Niu Year!




Tuesday, December 30, 2008

Book: The Best Damn IT Security Management Book Period


This is a huge book with 958 pages! I only finished reading Part 1: From Vulnerability to Patch, which comprises 11 chapters and 200 pages. The remaining parts are only for reference when needed.

The following are the six stages of a Vulnerability Management plan, cut from the book. This is what Part 1 covers, and it also introduces some free and commercial tools for implementation.

Wednesday, December 3, 2008

McAfee Foundstone Enterprise Tryout

Foundstone is famous for its free security tools, such as fport, superscan and sqlscan. Long ago the company started providing assessment services with its own assessment software, but even after it was acquired by McAfee, this software was not available to the public.

Now McAfee sells the appliance with the vulnerability scanning and management software preinstalled, so it is impossible to download it for a try. Fortunately, on Nov 28 the former Foundstone Enterprise software was released in the 0day scene*, so I had a chance to try it.

After a whole day of trying it out, I have to say that it is really a true vulnerability management platform for large-scale corporations. I'd suggest buying the appliance if we have the budget.

From the installation I found it is a product designed by security people. Windows and the database are required to have the proper service packs installed, and the admin password for newly added assets is forced to be strong, otherwise you cannot finish the configuration. Signature updating requires a username and password, which helps manage licenses and prevents use of pirated versions. It's a security product, why not?

Like other SaaS vendors such as IBM and Qualys, Foundstone has a web portal too, which provides asset management, vulnerability scanning, reporting and remediation. Here I list some functions that I think are the highlights of Foundstone.

  • Assets are grouped by BU, and each group is assigned an admin. Scans can be run by business function, asset value, owner or location, so the security team can easily focus on the most valuable assets.

  • Lots of scan templates, including ISO17799, NIST SP800-68, SOX, PCI and wireless.

  • Immediately verify whether a vulnerability has been fixed by re-examining the system from ticket management with a single click. This makes fix tracking damn efficient! No need to launch a new scan or verify with other tools.

  • Vulnerability management is a program of tools and processes. Many security vendors sell it as a service today, with 7x24 support. For an enterprise environment, the standalone scanner is dead now.


*The scene version is a 60-day trial; no password is provided for online updating.

Tuesday, November 11, 2008

Book: Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research

This book is a detailed user manual for the Metasploit Framework, apart from the case studies on vulnerability research, but to me the most interesting part is Appendix B: Building a Test Lab for Penetration Testing. The author shares a lot of experience on this, which deserves a read.

Thursday, November 6, 2008

Vulnerability Management with MS08-067

It's already 2 weeks since Microsoft released the patch for MS08-067. The company I work for patched 88% of its Windows servers in the first week, and by now 98% of servers are patched.

This time frame complies well with company security policy, and here I have some experience to share from this urgent patching period.

First of all, for a vulnerability management program, asset management is the most important thing. The asset inventory should be centralized and well maintained, so that the scope can be identified in the first step and all assigned owners and custodians notified immediately. This speeds up patch progress, especially for DMZ servers, which face threats from the internet.

Secondly, a well-established patch process is needed, one that remains effective in such an urgent situation. Usually the ops team has to submit a change request to get a change window for the patching task, but for an urgent patch there should be a special process to gain support from upper management and push the job through quickly.

Thirdly, the security team should be armed with tools to identify the vulnerability, check patch status, or exploit the vulnerability for demonstration purposes. Besides the commercial software our company bought, here I recommend the free Metasploit Framework, which anyone can download. Metasploit is an open platform for penetration testing and vulnerability research. The project team was updating the MS08-067 scanner and exploit in the daily snapshots, so we could easily complete the cycle of identification, assessment, checking and monitoring for MS08-067 patch management.
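As an added example (not code from the original post), the tracking loop the three points above describe, reduced to a script: a centralized asset inventory, scan results keyed by host, per-zone coverage figures like the 88% and 98% quoted above, and a DMZ-first list of owners and custodians to notify. The inventory rows and scan results are constructed sample data; a host the scanner could not reach is reported as unknown rather than assumed patched.

```python
import csv
import io
from collections import defaultdict
BULLETIN = "MS08-067"

# Constructed sample inventory: one row per asset, with zone and responsible people.
INVENTORY_CSV = """hostname,zone,owner,custodian
web01,DMZ,alice,ops-web
web02,DMZ,alice,ops-web
mail01,DMZ,bob,ops-mail
app01,internal,carol,ops-app
app02,internal,carol,ops-app
db01,internal,dave,ops-db
"""
# Constructed sample scan output: host -> bulletins still missing (db01 was unreachable: no entry).
SCAN_RESULTS = {"web01": set(), "web02": {"MS08-067"}, "mail01": set(),
                "app01": {"MS08-067"}, "app02": set()}
def patch_status(inventory, scan, bulletin=BULLETIN):
    """Map each inventoried host to 'patched', 'missing' or 'unknown'."""
    status = {}
    for asset in inventory:
        host = asset["hostname"]
        if host not in scan:
            status[host] = "unknown"   # unscanned: never assume it is patched
        else:
            status[host] = "missing" if bulletin in scan[host] else "patched"
    return status

def coverage_by_zone(inventory, status):
    """Percent of hosts per zone confirmed patched; unknown counts as not patched."""
    total, done = defaultdict(int), defaultdict(int)
    for asset in inventory:
        total[asset["zone"]] += 1
        done[asset["zone"]] += status[asset["hostname"]] == "patched"
    return {zone: round(100.0 * done[zone] / total[zone], 1) for zone in total}

def notifications(inventory, status):
    """Hosts still to be patched, DMZ first, with owner and custodian to notify."""
    pending = [a for a in inventory if status[a["hostname"]] != "patched"]
    pending.sort(key=lambda a: (a["zone"] != "DMZ", a["hostname"]))
    return [(a["hostname"], a["zone"], a["owner"], a["custodian"],
             status[a["hostname"]]) for a in pending]

def report(inventory_text, scan, bulletin=BULLETIN):
    """One cycle: load the inventory, classify hosts, return coverage and notify list."""
    inventory = list(csv.DictReader(io.StringIO(inventory_text)))
    status = patch_status(inventory, scan, bulletin)
    return coverage_by_zone(inventory, status), notifications(inventory, status)
if __name__ == "__main__":
    print(*report(INVENTORY_CSV, SCAN_RESULTS), sep="\n")  # coverage dict, then pending hosts
```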