RE: Handling new vulnerabilities like WebDav
From: Mike Lyman <mlyman(at)west-point.org>
Date: Sun Mar 30 2003 - 12:15:19 EST

Sorry for a late reply, but I'm very behind on my reading because of an IDS project I'm working on.

At work we have a very distributed environment and varying service level agreements between the business units that own servers and the IT groups that run the data centers. The SLAs range from simple power, space and network connectivity to full support for the hardware and OS and up to the specific applications running on the servers. Beyond that, most employees build their own systems. We've also got virtually raw internet available to offices and labs if there's a business case. (And there are lots of business cases.) I know that's not terribly different from some small or medium businesses, but that's not us. We've got 50,000+ employees and 250,000+ systems on our network. I say + because I have not worked directly on this remediation process for a few years now and don't know the exact numbers.

Given that environment, a strong inventory controls approach doesn't work well. There are places on our networks, especially labs, where systems are literally rebuilt every day. Instead, we've developed a home-grown scanner and inventorying system that feeds a large database. We also take feeds from other databases for relevant info like people's management chains, IT config data for IT-managed systems, etc. This database then tracks the communications to system owners and the progress or lack of progress made on fixing issues. Once we go live with the system's web site, managers can check their group status very quickly and see how their people and systems are doing right down to the individual desktops. That management view may be live now.

The scanner is modular. The main portion controls the scan and provides the output, and then DLLs are created for each specific scan if one of the existing DLLs would not work.
We craft the DLLs such that they can work either like programs like hfnetchk or like some of the vuln scanners like nessus or ISS's scanner. Besides vuln checks for bugs like WebDav, we can also scan for things like weak admin passwords and other similar configuration issues.

When vulnerabilities come up, a quick assessment is done by environment. Data centers will probably treat things differently than we do end user space. Internal bulletins are crafted with a patching or exception request deadline. Usually time is allowed for the testing needed, but on critical vulns that time may require a request for a temporary exception. A couple of communication cycles are done, one broadcast and then targeted to non-compliant system owners. Eventually they are given a final notice, and if that is ignored, they are either forcibly patched or cut off the network. Time spans may be days or they may stretch into weeks. The system runs continuously, even when there aren't critical updates to be installed, because of the way our environment is run.

That's our approach in general. I don't have any more specific details since I don't work the process these days. I did create the original proof of concept tracking system, but that version simply took the scanner output, determined system owners, sent the communications and tracked the follow-up efforts (or lack of efforts). Another person developed the original scanner. We had the internal development skills to get that far, and then it was turned over to an internal tools team to become the system we now have, although I think the scanner and its modules are still done by the security team and not the tools development team.
Mike Lyman
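The tracking workflow Mike describes (scanner output in, owner lookup, broadcast then targeted then final notice, temporary exceptions, then enforcement) as an added Python model; this is illustrative code written for this archive page, not the scanner or tracking system from the post, and the hostnames, owners, vuln label and grace period are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Escalation steps in the order the post describes: one broadcast, then targeted
# notices to non-compliant owners, a final notice, then forced patch / network cutoff.
STAGES = ("broadcast", "targeted", "final", "enforce")

EPOCH = date(2003, 3, 30)          # constructed reference day for the sample timeline

def day(n):
    """Day n of the constructed timeline."""
    return EPOCH + timedelta(days=n)

@dataclass
class Finding:
    host: str
    owner: str
    vuln: str
    first_seen: date
    stage: int = 0                          # index of the next STAGES step that is due
    last_action: Optional[date] = None      # when the previous step was taken
    exception_until: Optional[date] = None  # approved temporary exception, if any
    fixed: bool = False

def ingest_scan(tracker, scan_rows, owners, today):
    """Merge one scanner run (list of (host, vuln) rows) into the tracker.
    New findings are attached to their owner from the inventory feed; findings
    absent from this run are marked fixed, so escalation stops on its own.
    Assumes each run covers every tracked host."""
    seen = set()
    for host, vuln in scan_rows:
        seen.add((host, vuln))
        if (host, vuln) not in tracker:
            tracker[(host, vuln)] = Finding(host, owners.get(host, "unknown-owner"), vuln, today)
    for key, f in tracker.items():
        if key not in seen:
            f.fixed = True
    return tracker

def due_actions(tracker, today, grace_days):
    """List (step, finding) pairs due now. A step is due once the previous one is at
    least grace_days old, unless the finding is fixed, fully escalated, or covered
    by an unexpired exception."""
    due = []
    for f in tracker.values():
        if f.fixed or f.stage >= len(STAGES):
            continue
        if f.exception_until is not None and today <= f.exception_until:
            continue
        if f.last_action is None or (today - f.last_action).days >= grace_days:
            due.append((STAGES[f.stage], f))
    return due

def apply_actions(due, today):
    """Record that each due step was taken and advance to the next step."""
    for _step, f in due:
        f.last_action = today
        f.stage += 1
    return len(due)
```

Feed it successive scan runs and call due_actions on each cycle; the returned steps are what the notice-sending or enforcement side would act on.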
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:18 EDT