1. Purpose
The development of Internet technology has given rise to a surge of new application solutions that improve business practices in corporations. This technology has allowed companies to be more competitive on a global scale and has changed the way people do business. However, as businesses worldwide place increasing reliance on interconnected systems and electronic data, the risks of fraud, inappropriate disclosure of sensitive data, and disruption of critical operations and services increase. The same factors that benefit business operations also make it possible for individuals and organizations to inexpensively interfere with or eavesdrop on these operations from remote locations, for purposes of fraud, sabotage, or other mischievous or malicious ends.
Security and privacy protection are therefore key issues for companies today. Maintaining them requires corporate planning, training, proper implementation of controls, monitoring of the effectiveness of those controls, and corrective action where needed.
The Company IT's Security Vulnerability Scanning and Correction Procedure contributes to this overall effort by giving IT staff a step-by-step guide that focuses specifically on scanning and correction. Proactive vulnerability scanning detects weaknesses in the current systems so that they can be properly addressed, and it also gives an overview of the current security level. By comparing that level against pre-established benchmarks, IT can develop a roadmap for raising it to industry standards, and in doing so sustains the foundation on which The Company relies for its value-creating activities.
2. Scope
The Security Vulnerability Scanning and Correction Procedure applies to the Company's information network (LAN), including the wireless local networks (WLAN) at several company factories. More specifically, all equipment connected to these networks is subject to this procedure. The procedure does not cover the WAN; moreover, for security reasons IT must never conduct scans that include the public WAN.
3. Owner
The Company's IT department. Specifically, the Security Team is responsible for overseeing the proper execution of the Security Vulnerability Scanning and Correction Procedure. The system team performs the comprehensive quarterly scans, whereas other IT personnel may be assigned to perform the weekly scans.
4. Policy
The policy associated with the Security Vulnerability Scanning and Correction Procedure, as described in this section, requires the periodic execution of the procedure. More specifically, the procedure requires regular scans at three different levels:
4.1 Domain
1) Low-level scans for basic service-tracking purposes are conducted on all networks within the company domain. This is a comprehensive scan, performed on a quarterly basis.
2) In addition, weekly scans are performed by IT personnel, focusing on specific problems that pose a potential threat to the LAN and WLAN.
4.2 Group
Specific groups of systems or departments considered critical to daily operations are subjected to more frequent and more thorough security scans. The factory, for example, uses wardialing and wardriving to check its modem access and its WLAN access points, respectively, for vulnerabilities.
4.3 Individual
- All new systems connected to the existing network must be scanned before being put into service.
- Systems identified as infected by IT's global scan, and disconnected from the WAN as a result, are scanned individually as well.
- Systems may also be subjected to a network scan in the wider context of an audit.
5. Roles and Responsibilities
Role | Responsibilities
System team | Performs the comprehensive quarterly domain-level scans (see 7.1.1).
Security Team | Oversees the proper execution of this procedure; schedules the quarterly scans and assigns IT personnel to the weekly scans; performs the risk analysis on scan results; runs the wardialer in the group-level scans (see 7.1.2).
PC Support Team |
6. Definition and Abbreviations
6.1. Definition
Network: An integrated, communication aggregation of computers and peripherals linked through communication facilities.
Privacy protection: The establishment of appropriate administrative, technical, and physical safeguards to protect the security and confidentiality of data records against anticipated threats or hazards that could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual about whom such information is maintained.
Risk analysis: An analysis that examines an organization’s information resources, its existing controls, and its remaining organization and computer system vulnerabilities. It combines the loss potential for each resource or combination of resources with an estimated rate of occurrence to establish a potential level of damage in dollars or other assets.
Risk assessment: Synonymous with risk analysis.
Security audit: An examination of data security procedures and measures to evaluate their adequacy and compliance with established policy.
Security controls: Techniques and methods to ensure that only authorized users can access the computer information system and its resources.
Vulnerability scanners: Software packages that interrogate a machine over the network and determine whether it is affected by any of a number of known security holes.
Vulnerability scanning: The process of testing systems against a list of known vulnerabilities.
Vulnerability: A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.
Wardialing: The technique of automatically dialing a range of telephone numbers to find those answered by a modem, and thus potentially unprotected dial-in access to the network.
Wardriving: The activity consisting of driving around with a laptop in one’s vehicle, detecting Wi-Fi wireless networks.
6.2. Abbreviations
IT: Information Technology
LAN: Local Area Network
SO: Security Officer
VS: Vulnerability Scanner
WAN: Wide Area Network
Wi-Fi: Wireless Fidelity
WLAN: Wireless Local Area Network
7. Procedure details
7.1. Procedure definition
7.1.1. Domain-level scanning
The domain-level scanning procedure consists of (1) a quarterly, comprehensive scan, and (2) a weekly, narrow-scope scan.
Quarterly scans:
- The quarterly scans are performed by the system team using a predefined vulnerability scanner. IT currently uses Nessus, which is the recommended vulnerability scanner.
- Nessus scans are run on dates scheduled by the Security Team and cover a subset of the SANS Top 20 security benchmarks (see the Appendix) as well as X Windows controls.
- When the scan is finished, Nessus generates a report of the vulnerabilities identified on the network. Based on these results, the Security Team performs a risk analysis to prioritize the vulnerabilities.
- Critical security vulnerabilities (CIT: High Alerts) must be corrected within the timeframe required by IT.
- The remaining security vulnerabilities must be addressed and corrected within two months. The actual timeframe for each of these depends on its relative importance as assessed by the risk analysis.
- Once a plan for follow-up actions is made, progress is tracked and managed in the IT Helpdesk System.
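The steps above (scan report, risk analysis, two remediation classes, helpdesk tracking) can be mechanized. The following is an added example, not part of the original procedure and not Nessus's own tooling: it reads a Nessus v2 (.nessus) XML report, maps each finding to the procedure's remediation class and due date, and orders the resulting helpdesk tickets the way the risk analysis would work them. The report, host names and plugin IDs are constructed for the example; the 7-day window for High Alerts is an assumption (the procedure only says "the timeframe required by IT"), and 60 days stands in for "two months". Treating Nessus High and Critical as the procedure's "High Alerts" is also an assumption.

```python
"""Triage of a Nessus (.nessus v2 XML) report into remediation tickets."""
import xml.etree.ElementTree as ET
from datetime import date, timedelta

# Assumed remediation windows. The procedure says "the timeframe required by IT"
# for High Alerts and "within two months" for the rest; 7 days is an assumption
# for this example, 60 days approximates two months.
HIGH_ALERT_DAYS = 7
STANDARD_DAYS = 60

# Constructed sample report (hosts and plugin IDs invented for this example).
SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="Quarterly LAN scan">
  <ReportHost name="10.10.20.15">
   <HostProperties><tag name="host-fqdn">mail01.corp.example</tag></HostProperties>
   <ReportItem port="25" protocol="tcp" severity="3" pluginID="900001"
               pluginName="Sample: SMTP server accepts relaying">
    <risk_factor>High</risk_factor><cvss_base_score>7.5</cvss_base_score>
    <solution>Restrict relaying to authenticated users and local domains.</solution>
   </ReportItem>
   <ReportItem port="22" protocol="tcp" severity="0" pluginID="900002"
               pluginName="Sample: SSH service detected">
    <risk_factor>None</risk_factor>
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.10.20.30">
   <HostProperties><tag name="host-fqdn">files01.corp.example</tag></HostProperties>
   <ReportItem port="445" protocol="tcp" severity="4" pluginID="900003"
               pluginName="Sample: unauthenticated RCE in file sharing service">
    <risk_factor>Critical</risk_factor><cvss_base_score>10.0</cvss_base_score>
    <solution>Apply the vendor patch.</solution>
   </ReportItem>
   <ReportItem port="161" protocol="udp" severity="2" pluginID="900004"
               pluginName="Sample: SNMP default community string">
    <risk_factor>Medium</risk_factor><cvss_base_score>5.0</cvss_base_score>
    <solution>Change the community string or disable SNMP.</solution>
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.10.20.55">
   <ReportItem port="23" protocol="tcp" severity="1" pluginID="900005"
               pluginName="Sample: cleartext service banner">
    <risk_factor>Low</risk_factor><cvss_base_score>2.6</cvss_base_score>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

def parse_nessus(xml_text):
    """Flatten a .nessus v2 report into one dict per (host, finding)."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        fqdn = None
        for tag in host.iter("tag"):
            if tag.get("name") == "host-fqdn":
                fqdn = tag.text
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "fqdn": fqdn,
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),   # Nessus: 0 info .. 4 critical
                "risk": item.findtext("risk_factor", "None"),
                "cvss": float(item.findtext("cvss_base_score") or 0.0),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "solution": (item.findtext("solution") or "").strip(),
            })
    return findings

def tier(finding):
    """Map Nessus severity onto the procedure's remediation classes (assumed mapping)."""
    if finding["severity"] >= 3:
        return "high_alert"       # Nessus High/Critical -> "CIT: High Alerts"
    if finding["severity"] >= 1:
        return "standard"         # Low/Medium -> two-month window
    return "informational"        # recorded, but no ticket

def due_date(finding, scan_date):
    days = {"high_alert": HIGH_ALERT_DAYS, "standard": STANDARD_DAYS}.get(tier(finding))
    return scan_date + timedelta(days=days) if days is not None else None

def triage(xml_text, scan_date_iso):
    """Return (summary counts, helpdesk tickets ordered as the risk analysis works them)."""
    scan_date = date.fromisoformat(scan_date_iso)
    findings = parse_nessus(xml_text)
    summary = {"high_alert": 0, "standard": 0, "informational": 0}
    tickets = []
    for f in findings:
        summary[tier(f)] += 1
        if tier(f) == "informational":
            continue
        target = f["fqdn"] or f["host"]
        tickets.append({
            "title": f"[{f['risk']}] {f['name']} on {target}:{f['port']}/{f['protocol']}",
            "host": f["host"], "plugin_id": f["plugin_id"], "tier": tier(f),
            "cvss": f["cvss"], "due": due_date(f, scan_date), "solution": f["solution"],
        })
    # Earliest deadline first, then highest CVSS within the same deadline.
    tickets.sort(key=lambda t: (t["due"], -t["cvss"]))
    return summary, tickets

if __name__ == "__main__":
    summary, tickets = triage(SAMPLE_NESSUS, "2024-01-08")
    print(summary)
    for t in tickets:
        print(t["due"], t["title"])
```

Each ticket dict carries what the helpdesk entry needs (host, plugin ID, due date, vendor-suggested fix); in practice the due date for non-critical findings would be tightened per finding by the risk analysis, as the procedure notes.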
Weekly scans:
- IT personnel assigned to this task by the Security Team perform the weekly, narrow-scope scans.
- The weekly scans are specialized scans focusing on specific vulnerabilities. Examples include scans for systems vulnerable to the Code Red and Mydoom worms, and scans for mail servers configured as open relays.
- Depending on the specific objective of the scan, different tools are used to conduct it.
- Before the scan is performed, the entire organization is notified by email, with a reasonable amount of prior notice.
- Once executed, the scanning tool generates a report stating whether or not each system is vulnerable to the specific threat.
- Critical vulnerabilities are addressed and corrected within the timeframe required by CIT; the remaining vulnerabilities must be corrected within two months.
- Progress of follow-up actions is again tracked in the IT Helpdesk System.
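The open-relay check named above is a good illustration of what a weekly narrow-scope scan looks like at the protocol level. The following is an added example, not part of the original procedure and not one of the tools IT uses: it performs the SMTP exchange a relay test needs (EHLO, MAIL FROM with an external sender, RCPT TO with an external recipient, then RSET and QUIT, never DATA) so that a relaying server is detected without any message being queued. A stub SMTP responder is included so the check runs offline; the domain `corp.example`, the probe addresses and the server behaviour are constructed for this example.

```python
"""Weekly narrow-scope check: does a mail server relay for outsiders?"""
import socket
import threading

LOCAL_DOMAIN = b"corp.example"                        # assumed company mail domain
PROBE_SENDER = b"relaycheck@external-probe.example"   # constructed external sender
PROBE_RCPT = b"nobody@external-target.example"        # constructed external recipient

def _read_reply(f):
    """Read one SMTP reply; handles multi-line replies (250-... / 250 ...)."""
    lines = []
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line.rstrip(b"\r\n"))
        if len(line) < 4 or line[3:4] != b"-":
            return int(lines[0][:3]), lines

def check_open_relay(host, port, timeout=5.0):
    """Return (relays, transcript). External sender AND external recipient, and the
    envelope is reset before DATA, so a relaying server is detected without any mail sent."""
    transcript = []
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as f:
        def cmd(line):
            s.sendall(line + b"\r\n")
            code, _ = _read_reply(f)
            transcript.append((line.decode(), code))
            return code
        greeting, _ = _read_reply(f)
        if greeting != 220:
            return False, transcript
        if cmd(b"EHLO relaycheck.example") != 250 and cmd(b"HELO relaycheck.example") != 250:
            return False, transcript
        if cmd(b"MAIL FROM:<" + PROBE_SENDER + b">") != 250:
            cmd(b"QUIT")
            return False, transcript
        rcpt = cmd(b"RCPT TO:<" + PROBE_RCPT + b">")
        cmd(b"RSET")    # abandon the envelope: nothing is ever queued
        cmd(b"QUIT")
    # 250/251 for an external sender to an external recipient means "I will relay".
    return rcpt in (250, 251), transcript

def stub_smtp_server(accept_relay):
    """Tiny SMTP responder on 127.0.0.1 for offline testing. accept_relay=True
    models a misconfigured open relay; False models the corrected server."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rb") as f:
            conn.sendall(b"220 mail01.corp.example ESMTP stub\r\n")
            for line in f:
                verb = line[:4].upper()
                if verb == b"EHLO":
                    conn.sendall(b"250-mail01.corp.example\r\n250 SIZE 10240000\r\n")
                elif verb in (b"HELO", b"MAIL", b"RSET", b"NOOP"):
                    conn.sendall(b"250 OK\r\n")
                elif verb == b"RCPT":
                    parts = line.split(b":", 1)
                    addr = parts[1].strip().strip(b"<>") if len(parts) == 2 else b""
                    domain = addr.rsplit(b"@", 1)[-1].lower()
                    if domain == LOCAL_DOMAIN or accept_relay:
                        conn.sendall(b"250 OK\r\n")
                    else:
                        conn.sendall(b"554 5.7.1 Relay access denied\r\n")
                elif verb == b"QUIT":
                    conn.sendall(b"221 Bye\r\n")
                    break
                else:
                    conn.sendall(b"502 Command not implemented\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port

def run_check_against_stub(accept_relay):
    """Run the relay check against a stub configured as open (True) or corrected (False)."""
    port = stub_smtp_server(accept_relay)
    relays, _ = check_open_relay("127.0.0.1", port)
    return relays

if __name__ == "__main__":
    print("misconfigured server relays:", run_check_against_stub(True))
    print("corrected server relays:   ", run_check_against_stub(False))
```

Against a real server the transcript is the evidence to attach to the helpdesk ticket: a 250 to the external RCPT TO is the finding, a 5xx (typically "Relay access denied") is the corrected state. Run it only against the Company's own mail servers and within the scope in section 2.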
7.1.2. Group-level scanning
- Group-level scanning consists of in-depth security scans targeted at specific groups of systems or departments that are considered vital to the business.
- IT's group-level scanning procedure currently focuses on remote access: dial-in modems and the WLAN.
- More specifically, IT scans for unprotected modem access and unprotected WLAN access.
- This is done by checking all modems and WLAN access points connected to the network, using wardialing and wardriving, respectively.
- IT provides the list of telephone numbers to the Security Team, who then run the wardialer program.
- Any vulnerable modems or access points identified are corrected and secured within one week of detection.
- Progress is tracked and managed through the IT Helpdesk System.
7.1.3. Individual-level scanning
- Individual-level scans are targeted at single systems (such as a desktop computer) and are performed on an ad-hoc basis.
- There are several cases that initiate the individual-level procedure:
1) A system will be put into service in the context of the Release Management Procedure,
2) A system administrator or IT requests a security scan,
3) A system is subjected to a security audit.
- Any vulnerability identified will be addressed and corrected, although IT does not guarantee completion within a specific timeframe.
7.2. Procedure flow chart
7.2.1. Domain-level scanning
TBD
7.2.2. Group-level scanning
TBD
7.2.3. Individual-level scanning
TBD
8. Appendix: SANS TOP 20
8.1. Top vulnerabilities to Windows systems
- Internet Information Services (IIS)
- Microsoft SQL Server (MSSQL)
- Windows Authentication
- Internet Explorer (IE)
- Windows Remote Access Services
- Microsoft Data Access Components (MDAC)
- Windows Scripting Host (WSH)
- Microsoft Outlook and Outlook Express
- Windows Peer to Peer File Sharing (P2P)
- Simple Network Management Protocol (SNMP)
8.2. Top vulnerabilities to UNIX systems
- BIND Domain Name System
- Remote Procedure Calls (RPC)
- Apache Web Server
- General UNIX Authentication Accounts with No Passwords or Weak Passwords
- Clear Text Services
- Sendmail
- Simple Network Management Protocol (SNMP)
- Secure Shell (SSH)
- Misconfiguration of Enterprise Services (NIS/NFS)
- Open Secure Sockets Layer (SSL)