ICSA, Inc. An Introduction to Intrusion Detection and Assessment, page 34. For more information, call 888-396-8348.

Reporting

Reporting in vulnerability assessment holds the key to understanding and rectifying security holes. Reporting provides the opportunity to document the security health of the systems scanned, to publish problems to an appropriate level of management so that resources and responsibilities are assigned to fix them, and to educate everyone in the organization about the importance of system security and how to achieve it. Options provided include variable reporting formats (with HTML offering the ability to selectively "drill down" to a finer level of detail as desired) and levels of detail, providing different amounts of background information about the vulnerabilities and associated fixes.

Deployment

Although it is easy to understand the requirements driving vulnerability-assessment products, and easier still to understand how the products might be used to support an organizational security strategy, perhaps the most critical features in selecting a product are those regarding the deployment of that product in an operational environment.

•  Most products provide user-friendly installation features, supported by automated scripts and strong technical support.
•  Configuration options for products vary widely. Look for features such as network mapping, menu-driven configuration of security checks and network coverage, and on-screen help mechanisms.
•  Most products allow system administrators to set up schedules for scanning, an option that allows them to schedule assessments for hours of low system utilization (e.g., outside business hours).
•  Regular updates to the security-check database are critical, as new security holes are discovered every day. Update processes that are automatic and data-driven minimize the time required to incorporate new updates.
•  Look for products that provide support for routine, repeatable scanning. Some support this with differential scan capabilities, which allow users to automatically compare the results of successive scans, pointing out problems and inconsistencies that surface.
•  Vulnerability-assessment products can provide features that should be used only with caution (e.g., security checks addressing network denial-of-service attacks). These checks, in replicating the attacks, can crash targets. Products should warn users of this risk when they select the denial-of-service checks.

Responses

Once the user has run vulnerability-assessment tools and spotted vulnerabilities, the user can specify responses. The response options provided include the following:

•  Alarm mechanisms allow the system to send real-time alerts via a variety of means (e.g., SNMP, pager, e-mail, etc.) of high-risk vulnerabilities that have been discovered.
•  Report mechanisms allow the system to generate organized reports itemizing the results of vulnerability assessments.
•  Some products have the ability to respond to detected security holes by actively closing them (by either amending file configurations or settings or else applying security patches) rather than simply reporting their existence. Because such automatic fixes change production configurations, they deserve the same caution as the denial-of-service checks described above.
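The differential-scan comparison and the alarm-on-high-risk behaviour described above, worked through as an added example; this is not code from the ICSA document or from any product it discusses. It assumes a hypothetical CSV export layout (host, port, check_id, severity), a three-level severity scale, and two constructed scan results. Findings are keyed by host, port and check so that the same hole on the same service is recognised as persisting, and each scan carries the host set it was configured to cover, so that a host that dropped out of coverage is reported as a gap rather than as a batch of "fixed" holes.

```python
"""Differential comparison of two vulnerability-scan result sets (added example).

Assumptions (not from the ICSA text): scan exports are CSV with the columns
host, port, check_id, severity; severities are low/medium/high; each scan also
carries the set of hosts it was configured to cover.
"""
import csv
import io
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check_id: str
    severity: str

    def key(self):
        # Same hole on the same service: this is what "persisting" means.
        return (self.host, self.port, self.check_id)


def parse_scan(targets, csv_text):
    """Return (targets, {key: Finding}) for one scan run.

    `targets` is the host set the scan was configured to cover; it is kept
    separately from the findings so that coverage gaps can be detected.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        severity = row["severity"].strip().lower()
        if severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {row['severity']!r} for {row['host']}")
        f = Finding(row["host"].strip(), int(row["port"]), row["check_id"].strip(), severity)
        findings[f.key()] = f
    return set(targets), findings


def diff_scans(previous, current):
    """Compare successive scans: new, fixed and persisting findings plus coverage gaps."""
    prev_targets, prev_findings = previous
    cur_targets, cur_findings = current
    unscanned = prev_targets - cur_targets
    new = [f for k, f in cur_findings.items() if k not in prev_findings]
    persisting = [f for k, f in cur_findings.items() if k in prev_findings]
    # A finding counts as fixed only if its host was actually re-scanned;
    # otherwise silence just means the host was not covered this run.
    fixed = [f for k, f in prev_findings.items()
             if k not in cur_findings and f.host in cur_targets]
    return {
        "new": sorted(new, key=Finding.key),
        "fixed": sorted(fixed, key=Finding.key),
        "persisting": sorted(persisting, key=Finding.key),
        "unscanned_hosts": unscanned,
    }


def high_risk_alerts(diff, threshold="high"):
    """Alarm mechanism: only newly surfaced findings at or above the threshold alert."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in diff["new"] if SEVERITY_RANK[f.severity] >= floor]


def render_report(diff):
    """Report mechanism: a plain-text summary of the differential scan."""
    lines = []
    for section in ("new", "fixed", "persisting"):
        lines.append(f"{section.upper()} ({len(diff[section])})")
        lines.extend(f"  {f.host}:{f.port} {f.check_id} [{f.severity}]" for f in diff[section])
    if diff["unscanned_hosts"]:
        lines.append("NOT SCANNED THIS RUN: " + ", ".join(sorted(diff["unscanned_hosts"])))
    return "\n".join(lines)


# Constructed sample exports, not real scan output.
PREVIOUS_TARGETS = {"10.0.0.5", "10.0.0.7", "10.0.0.9"}
PREVIOUS_SCAN = """host,port,check_id,severity
10.0.0.5,21,ftp-anon-login,medium
10.0.0.5,25,smtp-open-relay,high
10.0.0.7,80,http-server-version,low
10.0.0.9,23,telnet-enabled,high
"""
CURRENT_TARGETS = {"10.0.0.5", "10.0.0.7"}  # 10.0.0.9 dropped out of coverage
CURRENT_SCAN = """host,port,check_id,severity
10.0.0.5,25,smtp-open-relay,high
10.0.0.5,443,tls-weak-cipher,high
10.0.0.7,80,http-server-version,low
"""

if __name__ == "__main__":
    diff = diff_scans(parse_scan(PREVIOUS_TARGETS, PREVIOUS_SCAN),
                      parse_scan(CURRENT_TARGETS, CURRENT_SCAN))
    print(render_report(diff))
    for f in high_risk_alerts(diff):
        print(f"ALERT: new {f.severity} finding {f.check_id} on {f.host}:{f.port}")
```

Run stand-alone, the script reports one new finding (the weak TLS cipher, which also raises the alert), one fixed finding (anonymous FTP on a host that was re-scanned), two persisting findings, and flags 10.0.0.9 as not scanned rather than declaring its telnet hole fixed. Keeping the configured target set alongside the findings is the detail that turns a naive set difference into a trustworthy differential scan: without it, shrinking coverage looks like progress.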