Fixing vulnerabilities is an ongoing process that requires diligence — it's not something you can ever cross off your task list. However, there are plenty of excellent tools available that will assess your systems for known vulnerabilities. Let me introduce you to one of the best.
Finding and fixing vulnerabilities on your systems isn't a task you can complete once and then cross off your list — it's an ongoing process that requires diligence and consistent attention. There's never a point when you can feel confident you've discovered every possible vulnerability.
Of course, you've hopefully signed up to receive notifications on patches and security updates for every product deployed on your organization's network, which can go a long way toward keeping things secure. However, the only way you can verify that you've successfully closed the vulnerabilities is to perform a vulnerability assessment.
While the days of manual vulnerability assessments are long gone, there are plenty of excellent tools on the market that will assess your systems and determine whether they're up to date against known vulnerabilities. One of the best — and freely available — tools on the market is Nessus.
Nessus is an extremely popular tool commonly used to audit critical systems and applications for vulnerabilities. It offers an installation and client for the following platforms:
- Linux: Fedora FC5 and 6, Red Hat Enterprise 3 and 4, SuSE 9.3 and 10, Debian 3.1 (i386)
- FreeBSD: FreeBSD 5 and 6 (i386)
- Solaris: Solaris 9 and 10 (Sparc)
- Mac OS X: Mac OS X 10.4 (Intel and PPC)
- Windows: Windows 2000, XP, and 2003 (32 bits)
Once installed, Nessus is fairly simple to run. The tool simulates attacks against known vulnerabilities and weaknesses to produce an excellent report. But it's your job to turn the report into actionable information so your organization can decide whether to patch a reported vulnerability or accept the risk.
Nessus groups the vulnerabilities analyzed for each system into three classifications:
- Security Holes: The attack was a success and poses a great security risk.
- Security Warnings: The attack was a success but doesn't pose a great security problem.
- Security Notes: The tool found information about your system through scans and/or banners.
The tool further breaks down these classifications by risk factor:
- Critical: Something has already compromised the remote host.
- Serious: The vulnerability leaks information that can be extremely useful to an attacker.
- High: An attacker can gain a shell on the remote host or execute arbitrary commands.
- Medium: There's a security hole that can lead to privilege escalation.
- Low: The information found is useful but doesn't pose an immediate threat.
- None: There's no inherent risk.
Keep in mind that Nessus can report a vulnerability as having multiple risk factors. It's your job to determine the specific risk a vulnerability discovered by Nessus poses to your organization.
For each vulnerability discovered, the report may also list links for the BugTraq ID (BID), the Common Vulnerabilities and Exposures (CVE) number, and a Nessus ID. Each of these references can provide more information about a specific potential vulnerability.
Nessus creates its reports as HTML files. That means you can edit these files to include your comments prior to distributing them.
Analyzing reports is a tedious — but essential — duty. Make sure to base your recommendations for each vulnerable system on the overall security architecture that protects these systems.
It's important to analyze Nessus reports to determine whether vulnerabilities are really significant to your organization. You can fix some vulnerabilities by deploying a patch or update to the application.
However, some of the fixes might involve patching a custom application that could yield unknown results. For these instances, you can mitigate the risk by blocking the appropriate TCP and UDP ports at your perimeter security devices. And don't forget that some results may be false positives.
Nessus is a good tool, but before taking drastic action that could negatively impact your operations, I recommend conducting some manual testing to verify results. Then, once you're confident with the results, prioritize and repair your systems.
Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.
Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.