eEye Digital Security

Core Security Integration

Sometimes the simplest things make the biggest difference. A few weeks ago, I published a blog on Metasploit Integration and have had multiple inquiries on similar types of integration. First, I would personally like to thank the Core Security team for providing evaluation licenses and integration into Core Impact. Second, a big thank you to the security community (clients, blog comments, and direct emails) for suggestions around future blogs of this nature. Your feedback will help refine the subjects we write about and how we can better provide integrated solutions in the future. With that said, please watch this short video on integration between the Retina Network Security Scanner and Core Impact. If you need more information, please comment below or click here. – Cheers

Microsoft Patch Tuesday – June 2011

Another even month, another huge security bulletin release by Microsoft. Those who took my advice and convinced their bosses to let them take vacation this month avoided 16 security bulletins – hopefully your co-workers will have them fully tested and deployed before you return.

For those of us not sitting on a beach somewhere, there is lots of work to be done. Not only did Microsoft release bulletins today, but it is also the quarterly release of Adobe security bulletins – patching Flash, Shockwave, Acrobat, Acrobat Reader, LiveCycle and ColdFusion.

Tomorrow’s Vulnerability Expert Forum (VEF) should be a good one. The eEye Research Team will have lots to cover this month, so be sure to join us for our complete analysis.

Here are our recommendations for the sixteen security updates. Retina Network Security Scanner customers can view the list of audits associated with these bulletins.

Deploy Immediately

MS11-038 – Vulnerability in OLE Automation Could Allow Remote Code Execution (2476490)
Recommendation: Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, prevent access to vbscript.dll, read emails in plain text, block ActiveX controls and block/disable Active Scripting in both Internet and Local Internet zones.

MS11-039 – Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2514842)
Recommendation: Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, prevent partially trusted .NET applications from running, by using the caspol command. Prevent Internet Explorer, Firefox, and Chrome from running XAML applications.

MS11-040 – Vulnerability in Threat Management Gateway Firewall Client Could Allow Remote Code Execution (2520426)
Recommendation: Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, prevent the TMG Client from being used by disabling it.

MS11-042 – Vulnerabilities in Distributed File System Could Allow Remote Code Execution (2535512)
Recommendation: Deploy patches immediately as no forms of mitigation are available.

MS11-043 – Vulnerability in SMB Client Could Allow Remote Code Execution (2536276)
Recommendation: Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, block ports 139 and 445 at the network perimeter.

MS11-045 – Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2537146)
Recommendation: Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, administrators can set a Microsoft Office File Block Policy to block all files from Office 2003 and earlier from unknown and untrusted sources. Additionally, files that do not pass Office File validation should be prevented from opening. CVE-2011-1275, CVE-2011-1277, and CVE-2011-1278 have no reasonable mitigations, so patching is the only way to protect against these vulnerabilities.

MS11-046 – Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2503665)
Recommendation: Deploy patches immediately as no forms of mitigation are available.

MS11-050 – Cumulative Security Update for Internet Explorer (2530548)
Recommendation: Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, read emails in plain text, block ActiveX controls and block/disable Active Scripting in both Internet and Local Internet zones.

MS11-052 – Vulnerability in Vector Markup Language Could Allow Remote Code Execution (2544521)
Recommendation: Deploy patches immediately to prevent exploitation by attackers. Until the patches can be installed, read emails in plain text, block ActiveX controls and block/disable Active Scripting in both Internet and Local Internet zones.



Deploy As Soon As Possible

MS11-041 – Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2525694)
Recommendation: Deploy patches as soon as possible. Until the patches can be installed, disable the Preview Pane in Windows Explorer, the Details Pane in Windows Explorer, and the WebClient Service.

MS11-044 – Vulnerability in .NET Framework Could Allow Remote Code Execution (2538814)
Recommendation: Deploy patches as soon as possible. Until the patches can be installed, prevent partially trusted .NET applications from running, by using the caspol command. Prevent Internet Explorer, Firefox, and Chrome from running XAML applications.

MS11-048 – Vulnerability in SMB Server Could Allow Denial of Service (2536275)
Recommendation: Deploy patches as soon as possible. Until the patches can be installed, block ports 139 and 445 at the network perimeter.



Deploy At Earliest Convenience

MS11-037 – Vulnerability in MHTML Could Allow Information Disclosure (2544893)
Recommendation: Deploy patches at the earliest convenience. Until the patches can be installed, disable the MHTML handler by deleting the HKCR\PROTOCOLS\Handler\mhtml registry key.

MS11-047 – Vulnerability in Hyper-V Could Allow Denial of Service (2525835)
Recommendation: Deploy patches at the earliest convenience as no forms of mitigation are available.

MS11-049 – Vulnerability in the Microsoft XML Editor Could Allow Information Disclosure (2543893)
Recommendation: Deploy patches at the earliest convenience as no forms of mitigation are available.

MS11-051 – Vulnerability in Active Directory Certificate Services Web Enrollment Could Allow Elevation of Privilege (2518295)
Recommendation: Deploy patches at the earliest convenience. Until the patches can be installed, turn on the IE8/9 XSS filter for the Intranet Zone.

Upcoming Standards – SCAP ARF Support

The Assessment Results Format (ARF) language is a general Security Content Automation Protocol (SCAP) results reporting language developed by the US Department of Defense (DoD) in conjunction with NIST and members of the SCAP vendor community. If you are unfamiliar with it, it provides a structured language for exchanging and exporting detailed, per-device assessment data between network assessment tools. ARF is intended to be used by vulnerability scanners, eXtensible Configuration Checklist Description Format (XCCDF) scanners, and other tools that collect detailed configuration data about IP enabled devices.

Simply, Asset Reporting Format (ARF) is a data model to express information about assets, and the relationships between assets and how to generate reports from the data. The standardized data model facilitates the reporting, correlating, and interoperability of asset information throughout environments and toolsets. ARF is a vendor neutral technology and one of the emerging standards for SCAP support. 

So why is this so important? Consider the following use cases:

  1. Report the results of an assessment using SCAP content using a data stream defined by NIST 800-126. This provides a vehicle for SCAP scans to report data regardless of technology used to perform the assessment or configuration audit.
  2. Report the results of any device in a standard format by platform, configuration, patches, and/or vulnerabilities when no SCAP content is available. This provides a standardized reporting output from any tool, vulnerability assessment scanner, or even an asset inventory tool in the same format.
  3. Report the operational context metadata for any IT assets. This provides clarity into the asset’s operational runtime parameters and software in the same format.
  4. Collect all asset data in a central location and provide situational awareness reports based on any context.

The primary intent is to allow tools to become “best of breed” but allow the output to be generated in a single format such that data warehousing, reporting, and information integration can be achieved without supporting custom connectors and various proprietary data feeds. 

eEye’s Retina Network Security Scanner has already taken the first step to achieving this vision. Version 5.12.0 and higher now supports the ability to export SCAP content in ARF. When the draft specification of ARF 1.1 becomes certified eEye looks to incorporate the other use cases into the product and allow transparency for all exported data regardless of scan type. 

ARF is an emerging data standard that will enhance third party integrations and allow collaborative results to be shared and reported on between tools and vendors. eEye looks forward to this emerging data standard and our initial support of the draft specification. For more information on eEye and our support for SCAP or ARF, please click here.

Generic Third Party Integration

There is an inherent value to vulnerability assessment and attack data beyond the security team. Making relevant data available to other solutions, departments, and team members can streamline the vulnerability management process and ensure the workflow is seamless between departments and management. In addition, having tight data integration makes it easier to document workflow processes required by most regulatory compliance initiatives. Take for example this simple diagram for Retina CS and a generic integration into the Windows Application Log.

Critical events can be filtered as they are entered into the management console and forwarded to the Application Log. Any third party event log watcher can trigger from these events to perform additional actions or notify appropriate individuals. This simple process can be documented as follows:

  • Perform periodic vulnerability scans
  • Set a threshold for events to be replicated into the Windows Application Log
  • Have Log Management System “x” or Network Management System “y” monitor for these events
  • Perform an automated rule when these are detected. For example, open a help desk ticket after correlating the data with a CMDB, send an alert to the system owner outside of the security department, or perform an automated action.

This type of generic integration can be used to tie virtually any system to eEye’s solutions and raise the value of the data being collected without the need for any custom code. In addition, eEye supports the following generic integration points into each of our solutions.

    Based on these, a client can do everything from custom control of the scan engine to direct access of the data warehouse and integrated alerting functions. Some custom integrations that have been performed by our clients include:

  • Extraction of data for companywide ticketing system using XML.
  • Export of results for supplemental information to an enterprise level asset inventory system.
  • Security notification of rogue devices and any other detected anomaly including new ports being opened, etc.
  • Custom web pages hosting resulting data including SharePoint
  • Allow users to initiate their own scans and view results.

    To that end, eEye has embarked on an aggressive third party integration program (with our partners), with the following out of the box integrations that go far beyond basic event log scraping.

    These solutions work seamlessly with eEye to raise the awareness of vulnerability assessment data and provide a streamlined workflow for your business requirements. For more information regarding eEye and our third party integrations, please click here.
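The event-log workflow listed in the steps above (threshold, forward, watch, act) can be sketched as follows. This is an added example, not eEye's code: the `Finding` record, the severity scale, the CMDB layout and every address are hypothetical, and the sample findings are constructed.

```python
from dataclasses import dataclass

# Hypothetical severity scale; the console's real levels may differ.
SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
SECURITY_TEAM = "security@example.test"  # placeholder address


@dataclass(frozen=True)
class Finding:
    host: str
    audit: str      # audit name as reported by the scanner
    severity: str


# Constructed CMDB extract: host -> owning team and ticket queue.
CMDB = {
    "fs01.example.test": {"owner": "infra@example.test", "queue": "SERVERS"},
    "wk-114.example.test": {"owner": "desktop@example.test", "queue": "DESKTOPS"},
}

# Constructed scan output; severities are sample values, not vendor ratings.
SAMPLE_FINDINGS = [
    Finding("fs01.example.test", "MS11-042 not installed", "critical"),
    Finding("fs01.example.test", "MS11-042 not installed", "critical"),  # rescan
    Finding("wk-114.example.test", "MS11-037 not installed", "medium"),
    Finding("wk-114.example.test", "MS11-050 not installed", "high"),
    Finding("10.20.30.40", "MS11-043 not installed", "high"),  # not in CMDB
]


def forward_to_log(findings, threshold="high"):
    """Replicate only findings at or above the threshold into the log.

    An unrecognised severity is treated as the highest level so that a
    scanner-side naming change never silently hides events.
    """
    floor = SEVERITY[threshold]
    top = max(SEVERITY.values())
    return [f for f in findings
            if SEVERITY.get(f.severity.lower(), top) >= floor]


def route(events, cmdb=CMDB):
    """The log watcher's rule: correlate with the CMDB, then act.

    Known hosts get one ticket per (host, audit) in the owner's queue.
    Hosts missing from the CMDB are sent to the security team instead,
    since an unmanaged device has no owner to assign the work to.
    """
    actions, seen = [], set()
    for ev in events:
        key = (ev.host.lower(), ev.audit)
        if key in seen:  # repeated scans must not reopen the same ticket
            continue
        seen.add(key)
        record = cmdb.get(ev.host.lower())
        if record is None:
            actions.append({"action": "alert", "to": SECURITY_TEAM,
                            "host": ev.host, "reason": "host not in CMDB"})
        else:
            actions.append({"action": "ticket", "queue": record["queue"],
                            "notify": record["owner"], "host": ev.host,
                            "summary": f"[{ev.severity}] {ev.audit}"})
    return actions


if __name__ == "__main__":
    for action in route(forward_to_log(SAMPLE_FINDINGS)):
        print(action)
```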

    Better Security Management with a Consolidated View of AV and Vulnerabilities

    We expect our smart phones to handle all of our business needs: phone calls, voicemail, email, and calendar functionality, at the very least. Why not expect the same consolidated approach with your security products? Take for example the relationship between vulnerabilities and malware. Most of the malware, trojans, worms, etc., get into a system by exploiting vulnerabilities in applications such as Adobe, IE, Firefox, etc. Vulnerabilities and malware really have a strong correlation and so should the products that manage each one. 

    Here at eEye, we have taken this consolidated approach for years, first with the introduction of the REM management console and most recently with Retina CS. These consoles, at their core, allow an IT professional to easily manage endpoint protection agents as well as vulnerability assessment data from a single location.

    eEye’s unified approach comes with many benefits:

  • Lower total cost of ownership
  • One central console, a single server or appliance
  • Correlated reporting that includes vulnerability and attack data
  • Risk assessment of both vulnerability and attack data
  • A shorter learning curve with a single application
  • A single dashboard depicting your true security posture

    Unfortunately, I have seen many environments where there is a disconnect between vulnerability management and endpoint protection. In some cases, vulnerability assessment is not part of the picture at all! These environments also tend to rely just on an anti-virus application for protection. This is equivalent to saying, “Let the vulnerabilities I don’t know of be exploited and let the malware be delivered. I only want to be protected against known threats and I want this protection to occur once the malware is on my system and has subsequently triggered a signature.” I’m not saying that you should not have an anti-virus, but rather that your endpoint protection agent should combine an AV layer with other layers of protection. These other layers should not be signature-based and should provide Zero-Day protection. Blink, eEye’s endpoint protection solution, is a clear example of this. Blink takes a multi-layered approach to security and combines vulnerability assessment as part of its package.

    Want a consolidated view of your environment? See an On-demand Demo of Retina CS.

    What Do You Think About the “In Configuration We Trust” Research Report?

    Please use the Leave a Reply function below and send us your questions, comments, and thoughts regarding our research report “In Configuration We Trust.”

    - One person will be selected at random to win a new Amazon Kindle and $25 gift card.

    - Deadline to be entered into the contest is Friday 05/13/11 at noon PST.

    - Please note that all email/contact info will be kept private from public view, but you will need to enter it so we can contact the winner.

    Microsoft Patch Tuesday – May 2011

    Oh how I am starting to enjoy the odd numbered months this year. Back in January Microsoft released 2 bulletins. February followed with 12, March with 3, and April with 17. Now May has arrived with only 2 bulletins. If you are looking to avoid piles of patch deployment work this summer, I’d bet on taking vacation in June or August.

    MS11-035 covers a vulnerability in WINS. If you aren’t using WINS within your environment, it is a good idea to verify that it has been disabled on your servers. If you are using WINS internally, make sure that TCP/42 and UDP/42 are blocked on external-facing firewalls.

    MS11-036 addressed two more vulnerabilities in Microsoft PowerPoint. As you may recall, Microsoft patched three vulnerabilities in PowerPoint last month. This time around, PowerPoint 2010 is not affected. eEye Research recently published a report analyzing the 2010 Microsoft Security Bulletins. One of the many findings is that upgrading your Microsoft software is a good security practice.

    As a reminder, tomorrow’s Vulnerability Expert Forum (VEF) will be at 1PM PDT. Sign up to hear what the eEye Research team has to say about today’s security bulletins and other security related topics. As there are only two Microsoft bulletins to cover, there should be ample time to touch on other topics and answer your questions.

    Here are our recommendations for the two security updates. Retina Network Security Scanner customers can view the list of audits associated with these bulletins.

    Deploy Immediately

    MS11-035 – Vulnerability in WINS Could Allow Remote Code Execution (2524426)

    Recommendation: Deploy patch immediately to prevent exploitation by attackers. Until the patch can be installed, block ports TCP/42 and UDP/42 on external-facing firewalls.

    Deploy As Soon As Possible

    MS11-036 – Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2545814)

    Recommendation: Deploy patches as soon as possible. Until the patches can be installed, Office File Validation should be enabled to prevent the loading of invalid PowerPoint 2003 and 2007 files. Additionally, use Microsoft Office File Block policy and Microsoft Office Isolated Conversion Environment (MOICE) to deter exploitation via Office 2003 and earlier binary files.

    Role-Based Access for Your Teams

    Regulatory controls all require the access restriction of sensitive data to the individuals that need to know. Many corporate policies also segregate users to access devices by geographical location or by platform and function. Vulnerability data is sensitive information. In the wrong hands, it provides a blueprint on how to potentially access systems without proper permissions and provisioning.  Many discussions have occurred regarding how to safeguard this data internally and how trusting you should be of a SaaS solution to house this data. Regardless of the vulnerability management solution implementation, restricting improper access to assessment data has traditionally been IP address based. That is a list of IP addresses or host names which governs who has access to what vulnerability assessment data and assets. People generally refer to these as “Sites” or “Policies”.  Within eEye we refer to them as “Smart Groups”.

    In many organizations, IP addresses are not allocated per business function. Subnets can have a mix of printers, desktops, and occasionally servers. Subnets are generally allocated for the raised floor, DMZ, and other supporting infrastructure, but the user space and supporting infrastructure is generally all over the board and not standardized. Many companies still do not even use standardized naming conventions for hosts, and this represents another challenge for asset identification. So, how do you build role based access for a Desktop Administrator when they may have a dynamic IP list to manage, especially in consideration of DHCP? How would you delegate VA data to the infrastructure team for, let’s say, only Cisco devices? Do you even have a list of all the devices that can be imported, and is it maintained regularly for correct assessment and ultimately proper role based access?

    In a previous blog, I discussed advanced targeting techniques with Retina CS and how a Smart Group can be constructed on any OS, software installed, patterns in the host name, etc. Consider that this technique also applies to the Role Based Access Model within Retina CS. Various Smart Groups can be constructed for only Desktop Operating Systems, Windows Servers, Red Hat Linux, or even only Cisco Devices, completely independent of the IP addresses assigned to them. Retina CS will maintain the group automatically with each subsequent scan of the target and keep them up to date regardless of host name or any other traditional “Site” based techniques. The User Based Security Model within Retina CS then allows you to assign User Groups to the Smart Groups and control access based on business function rather than just traditional IP space. If users are uncomfortable with that model, Smart Groups can be built from Address Groups and Active Directory just like any other traditional VA solution or, even better, a combination of both! Users can be restricted to a certain platform or device type and the IP range it may be present in. For an enterprise environment, this is priceless. A remote office can have VA data solely for a Desktop Admin in the building he/she works in regardless of DHCP and device type; workstation or laptop.
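The difference between a static IP "Site" and an attribute-based group, as an added example that is not Retina CS code: `Asset`, `DynamicGroup`, `GRANTS` and the inventory below are hypothetical names and constructed data used only to model the access decision described above.

```python
import dataclasses
import fnmatch
import ipaddress
from dataclasses import dataclass


@dataclass
class Asset:
    asset_id: str   # stable identifier that survives a DHCP lease change
    hostname: str
    ip: str
    os: str


@dataclass
class DynamicGroup:
    """Membership is recomputed from scan attributes; every set rule must match."""
    name: str
    os_prefixes: tuple = ()   # e.g. ("Cisco",); empty means any OS
    hostname_glob: str = "*"
    networks: tuple = ()      # CIDR strings; empty means any address

    def matches(self, asset):
        os_name = asset.os.lower()
        if self.os_prefixes and not os_name.startswith(
                tuple(p.lower() for p in self.os_prefixes)):
            return False
        if not fnmatch.fnmatchcase(asset.hostname.lower(),
                                   self.hostname_glob.lower()):
            return False
        if self.networks:
            addr = ipaddress.ip_address(asset.ip)
            if not any(addr in ipaddress.ip_network(n) for n in self.networks):
                return False
        return True


# Constructed inventory: one subnet mixes desktops, a laptop and a switch.
INVENTORY = [
    Asset("A1", "wk-114", "10.8.1.23", "Windows 7"),
    Asset("A2", "lt-007", "10.8.1.77", "Windows XP"),
    Asset("A3", "sw-core-1", "10.8.1.2", "Cisco IOS 12.4"),
    Asset("A4", "fs01", "10.1.0.10", "Windows Server 2008 R2"),
    Asset("A5", "wk-201", "10.9.4.5", "Windows 7"),  # a different office
]

GROUPS = {
    "Cisco Devices": DynamicGroup("Cisco Devices", os_prefixes=("Cisco",)),
    # Platform and address range combined, as the post suggests.
    "Remote Office Desktops": DynamicGroup(
        "Remote Office Desktops",
        os_prefixes=("Windows 7", "Windows XP"),
        networks=("10.8.0.0/16",)),
}

# User group -> groups it may read. Anything not listed is denied.
GRANTS = {
    "desktop-admins": ["Remote Office Desktops"],
    "network-team": ["Cisco Devices"],
}

# The traditional alternative: a hand-maintained address list.
STATIC_SITE = ["10.8.1.23", "10.8.1.77"]


def visible_assets(user_group, inventory, groups=GROUPS, grants=GRANTS):
    """Asset ids whose vulnerability data this user group may see."""
    allowed = [groups[g] for g in grants.get(user_group, [])]
    return sorted(a.asset_id for a in inventory
                  if any(g.matches(a) for g in allowed))


def static_site_members(ip_list, inventory):
    """Asset ids an IP-list "Site" would expose."""
    return sorted(a.asset_id for a in inventory if a.ip in ip_list)


def after_dhcp_renewal(inventory):
    """Constructed rescan: A1 receives a new lease in the same office range."""
    return [dataclasses.replace(a, ip="10.8.3.200") if a.asset_id == "A1" else a
            for a in inventory]
```

After the lease change the attribute-based group still returns A1 and A2 for `desktop-admins`, while the static list returns only A2 until someone edits it.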


    Consider that role based access for your vulnerability assessment data means so much more in the proper hands rather than in the wrong hands. It can improve your overall security posture and make sure individual teams are responsible for their security patches and not just the security team providing reports on how to fix the problem. Role based access is a fundamental part of Retina CS and will help you change the way you manage vulnerability data within your environment; secure, role based, and business function delegated. For more information on Retina CS, please click here.

    Multiple Platform Configuration Compliance

    Here is the problem. Most small businesses benefit from picking a standard platform like Microsoft Windows and exclusively using it from laptops to servers. There has always been, even in the smallest companies, some resistance to Windows including the  rogue Mac users. Enterprises tend to pick the platform they need based on business requirements and standardization, and using the same platform becomes a secondary or even tertiary consideration. I am sure many of you have seen companies with “one of everything” and we use “these” platforms and if your application does not support it, we will not license “your” technology. It is similar to the infamous “religious” battle you hear between Windows and Unix staff. So with such a diverse requirement for monitoring proper configuration compliance, what is a business supposed to do? The small business can pick a simple tool, but an enterprise is left finding something that meets their unique needs. So, do they use different tools for different platforms? Deploy agents and entire infrastructure to support it? Or, use one tool that can serve multiple functions and platforms?

    If you have read my blogs before, you will see that we promote using one tool for multiple functions within a business. Recently, with the release of Retina CS 2.1 and the Retina Network Security Scanner 5.12.0, we have begun to tackle the problem of configuration compliance on multiple platforms. Using OVAL as the assessment language, eEye has expanded configuration compliance to Linux and has embarked on a strategic solution to support Unix and network devices all from one product. Vulnerability assessment and configuration compliance no longer need to be separate tools and no longer need to be different products or agents depending on the platforms your business has selected to deploy and support.

    In addition, eEye’s Configuration Compliance Add-On Module simplifies this process by shipping OVAL guidelines for  FDCC, NIST, Microsoft, USGCB, RHEL, and importing third party guidelines from organizations like CIS.  With all the templates directly in the solution, you’ll find it easier than ever to audit configuration settings against internal policies or external best practices, and to centralize reporting for monitoring and regulatory purposes. Below are some of the benefits of multiple platform configuration compliance within a vulnerability scanning solution: 

    • Single console approach ensures a more stable and secure infrastructure, proactively reducing the risks of security breaches and lowering costs by enabling enterprise-wide management.
    • Configuration assessment for critical security settings that include audit settings, security settings, user rights, logging configuration, etc.
    • Streamlined reporting for government and corporate standards with built-in vulnerability reporting and integration with Retina Insight for delta dashboards and drilldowns.
    • Simple wizard for benchmark compliance leveraging a robust library of industry benchmarks encapsulating industry knowledge and experience.
    • Built-in templates for configuration compliance from FDCC, NIST, STIGS, USGCB, RHEL, and Microsoft.
    • OVAL 5.3 SCAP-certified scan engine and interpreter and OVAL 5.8 compatible for additional platform support. 

    Please contact us for more information on how your organization can benefit from multiple platform configuration compliance. eEye is pioneering the next-generation Unified Vulnerability Management solution and supporting a full-function, multi-platform configuration compliance engine and vulnerability assessment solution in one product. eEye believes in simplifying vulnerability management.

    © 1998 - 2011 eEye Digital Security. All rights reserved