ICSA, Inc.
For more information, call 888-396-8348 34
An Introduction to Intrusion Detection and Assessment
Reporting
Reporting in vulnerability assessment holds the key to understanding and rectifying security holes. Reporting provides the opportunity to document the security health of the systems scanned, to publish problems to an appropriate level of management so that resources and responsibilities are assigned to fix them, and to educate everyone in the organization about the importance of system security and how to achieve it. Options provided include variable reporting formats (with HTML offering the ability to selectively drill down to a finer level of detail as desired) and levels of detail, providing different amounts of background information about the vulnerabilities and associated fixes.
Deployment
Although it is easy to understand the requirements driving vulnerability-assessment products, and easier still to understand how the products might be used to support an organizational security strategy, perhaps the most critical features in selecting a product are those regarding the deployment of that product in an operational environment. Most products provide user-friendly installation features, supported by automated scripts and strong technical support.
Configuration options for products vary widely. Look for features such as network mapping, menu-driven configuration of security checks and network coverage, and on-screen help mechanisms.
Most products allow system administrators to set up schedules for scanning, an option that allows them to schedule assessments for hours of low system utilization (e.g., outside business hours).
Regular updates to the security check database are critical, as new security holes are discovered every day. Update processes that are automatic and data-driven minimize the time required to incorporate new updates.
Look for products that provide support of routine, repeatable scanning. Some support this with differential scan capabilities, which allow users to automatically compare results of successive scans, pointing out problems and inconsistencies that surface.
Vulnerability-assessment products can provide features that should be used only with caution (e.g., security checks addressing network denial-of-service attacks). These checks, in replicating the attacks, can crash targets. Products should inform users of this problem when they select the denial-of-service checks.
Responses
Once the user has run vulnerability-assessment tools and spotted vulnerabilities, the user can specify responses. The response options provided include the following:
Alarm mechanisms allow the system to send real-time alerts via a variety of means (e.g., SNMP, pager, e-mail) of high-risk vulnerabilities that have been discovered.
Report mechanisms allow the system to generate organized reports itemizing the results of vulnerability assessments.
Some products have the ability to respond to detected security holes by actively closing them (by either amending file configurations or settings or else applying security patches) rather than simply reporting their existence.
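The differential scan described under Deployment and the alarm mechanism described above, combined in one added illustration that is not part of the ICSA document or of any product it discusses. The report format (host,port,check,severity lines), the check names and the two sample scans are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check: str       # identifier of the security check that fired (constructed)
    severity: str    # "high", "medium" or "low"

def parse_report(text):
    # Minimal line-oriented report: host,port,check,severity (one finding per line)
    findings = set()
    for line in text.strip().splitlines():
        host, port, check, severity = (f.strip() for f in line.split(","))
        findings.add(Finding(host, int(port), check, severity.lower()))
    return findings

def diff_scans(previous, current):
    # Differential scan: what surfaced since the last run, what was fixed, what persists
    return {"new": current - previous,
            "fixed": previous - current,
            "persistent": previous & current}

def high_risk_alerts(delta):
    # Newly surfaced high-severity findings are the ones worth a real-time alert
    return sorted((f for f in delta["new"] if f.severity == "high"),
                  key=lambda f: (f.host, f.port, f.check))

# Constructed sample reports from two successive scans (not real scanner output)
PREVIOUS_SCAN = """
10.0.0.5,22,ssh-weak-ciphers,medium
10.0.0.5,80,http-dir-listing,low
10.0.0.7,445,smb-signing-disabled,high
"""
CURRENT_SCAN = """
10.0.0.5,22,ssh-weak-ciphers,medium
10.0.0.7,445,smb-signing-disabled,high
10.0.0.9,3306,mysql-no-password,high
"""

if __name__ == "__main__":
    delta = diff_scans(parse_report(PREVIOUS_SCAN), parse_report(CURRENT_SCAN))
    print({k: len(v) for k, v in delta.items()})
    for f in high_risk_alerts(delta):
        print(f"ALERT {f.host}:{f.port} {f.check}")
```

Persistent findings are the ones a report should keep escalating; a finding that disappears without a recorded fix is an inconsistency worth checking rather than a success.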