
snow.jpg

The forecast is "More snow."


Hundreds of people abandoned their cars on Chicago's Lake Shore Drive after a storm left them stuck in more than a foot of snow.  Atlanta roads were nearly shut down and a Hawks game was canceled when snow overwhelmed the city's eight snow plows.  Municipalities across the nation are finding their already thin finances stretched to the limit by snow removal costs. 


A nearly endless blizzard overwhelming resources with no end in sight...does this remind anybody else of vulnerabilities on a corporate network?  I can envision you nodding your head in agreement, thinking of the last report with quadruple-digit vulnerability counts (even when filtered to just Severity 4 and 5).  It's not that you're not interested in comprehensive scanning; it would just be nicer if you could easily focus on the most important issues.


At Qualys we've been looking for ways to help you filter and prioritize the vulnerabilities reported by QualysGuard into more actionable - and more concise - reporting.  Last year we introduced Exploitability Correlation to help focus on high-risk vulnerabilities, and over the past month we've worked closely with Trend Micro to introduce two new enhancements:  Malware Correlation and Virtual Patch Solutions.


QualysGuard 6.16 introduced Malware Correlation with the Trend Micro Threat Encyclopedia, allowing you to determine which vulnerabilities have associated Malware.  For example, the screenshot below shows that QualysGuard QID #90636 (MS10-061:  Microsoft Windows Print Spooler Remote Code Execution Vulnerability) is used by STUXNET:

StuxNet.jpg


Using Search Lists that filter on QIDs with associated Malware allows you to target the big-risk items in your environment that could lead to something like a Conficker outbreak, while still keeping all the information on the other vulnerabilities that need to be tracked and patched.


After you've determined the vulnerabilities that need to be fixed you now need to...well, do the fixing.  QualysGuard provides comprehensive information on available patches and usable workarounds, and in QualysGuard 6.17 we've added information on the availability of virtual patches that can also help mitigate risks in your environment.  A virtual patch is not a software patch per se; it is a mechanism - such as a HIPS firewall rule - that does not patch the affected software but still provides a mitigating control that reduces or eliminates an attacker's ability to exploit the weakness.  We've leveraged the Trend Micro Threat Encyclopedia to determine which QIDs have virtual patching solutions provided by Trend Micro Deep Security and OfficeScan + IDF, as shown in this screenshot:

VirtualPatch.jpg


We've also expanded our Search Lists to support filtering on both vendor-provided patches and virtual patches:

searching.jpg


This allows you to find alternatives to applying vendor patches, especially in cases where a software patch can't be applied (due to change control or software version dependencies) or isn't available yet.


We've also tried to make it easy for you to use these new capabilities by including a few new items in our Template Library:


  • Virtually Patchable Assets v.1:  A report template listing high-priority vulnerabilities that can be remediated only via a Trend Micro virtual patch.
  • Assets at risk of Malware v.1:  A report template listing assets that have vulnerabilities with associated Malware as described by Trend Micro.
  • Critical Vulnerabilities with Virtual Patches v.1:  A Search List of high severity vulnerabilities with virtual patches correlated from Trend Micro.
  • Critical Vulnerabilities with Associated Malware v.1: A Search List of High severity remotely-accessible vulnerabilities with associated Malware correlated from Trend Micro.


Please let us know how we can improve these capabilities to make them even more useful.  In the interim, we hope you find these new features helpful in weathering the blizzard of vulnerabilities you face every day!

Posted by malderman on Feb 14, 2011 in Qualys Technology

The Dissolvable Agent

With the release of QualysGuard 6.15, we briefly mentioned how we are using a “dissolvable agent” for trusted scans to collect user password information from target hosts on Windows Systems. Hmmm, that sounds mysterious! So what is a dissolvable agent and how does it work?


What is a dissolvable agent?

An agent is software that runs on the target host where it collects data locally to send back to the scanning engine.  An agent is used when the data on the target host cannot be accessed remotely. The agent is dissolvable because it is created as needed and removes itself when it’s done collecting data.


Information collected by the dissolvable agent is securely transmitted to the scanner using certificates and 256-bit encryption. The information is integrity-protected and stored in memory on the scanner only while the information is processed. The information is discarded as soon as it is no longer needed.


A Matter of Trust and Access

Permanent agents, i.e. agents that remain on the target hosts once installed, are not used by Qualys because of the maintenance, change control, and patching costs they incur. However, to collect certain data that is not accessible remotely, an agent is needed. This is where the dissolvable agent comes into play.


For Unix targets, remote access to the Unix shell gives the same functionality as local access. Given sufficient privileges, a remote scanner can access all the information it needs via remote access to the shell, so no agent software is needed.


For Windows targets, where there is no access to the local shell, there are two ways to access system information without agents:

  • SMB (Server Message Block) Protocol / CIFS (Common Internet File System) File access protocol can access file information such as version numbers.
  • RPC (Remote Procedure Call) can access registry values, security settings, and SAM (Security Accounts Manager).  RPC can also access DCOM (distributed component object model) objects to determine, for example, what processes are running.


On Windows XP, all of the needed RPC calls are available via external interfaces; however, on Windows Vista, there are a few RPC calls that are available only via internal interfaces, so the dissolvable agent is required. An example is the detection of security settings for audit subcategories, as required by some compliance benchmarks including SAP.


The Dissolvable Agent is Fast

There are two ways to install dissolvable agents on a remote Windows system:

  • via DCOM (distributed component object model): but this has the disadvantage that the system admin can disable it.
  • instantiate as a service via the service API.


Qualys uses the second way, instantiating the agent as a service in a directory in the admin$ share on the target machine, using admin privileges just like any other third party would. The dissolvable agent service creates an RPC listening endpoint for SMB pipes, which allows communication from the scanner without interference from any firewalls.  The scanner connects to the pipe, through which it executes commands locally on the machine.


When the scan is complete, Qualys sends a command to the agent telling it to shut down and delete itself, so the machine is left the way it was.


Compared to a permanent agent, the dissolvable agent is less intrusive and less expensive because it requires no setup or management, and there is nothing to update.


How It Works for Password Auditing

In order to perform password auditing, the scanning engine needs to access user password information. On Windows hosts, this information is stored in the SAM database, which is only accessible locally, so the dissolvable agent is used in this case.


The dissolvable agent retrieves the hashed password values stored in the SAM database and transfers them to the appliance. The appliance then compares those hashes against the hashes of the passwords users have selected.


Future Appearances

Qualys is working on adding new features to the dissolvable agent to enable safe, secure, remote access to additional information that would otherwise be inaccessible without installing permanent agents.


If you are one of the many customers requesting support for Cisco IOS scanning within QualysGuard, your request has been answered.  With the release of QualysGuard 6.17, which marks the beginning of QualysGuard Policy Compliance 3.0, users can now scan for configuration settings on Cisco IOS 12.x and 15.x devices within Policy Compliance.

Why Cisco IOS?

With the expansion of Policy Compliance technology coverage for Operating Systems and Databases over the past few years, the next logical technology to cover was network devices.  As the leader in networking devices, Cisco, and its operating system Cisco IOS, was the primary focus requested by our existing customers.  In addition, Cisco IOS has well-established benchmarks, including those from the Center for Internet Security (CIS).

Scanning Cisco IOS

Traditional agent-based solutions have always struggled with collecting Cisco IOS configuration data as organizations would not allow a permanent agent to reside on the device.  Other tools, such as the Center for Internet Security (CIS) Router Audit Tool (RAT), pulled the configurations remotely, but could not scale to hundreds or thousands of devices easily.  Now with agentless, authenticated scanning, organizations can easily collect Cisco IOS configurations on a mass scale.


QualysGuard Policy Compliance 3.0 uses a new Cisco IOS record, which is a modified version of the SSH/Telnet record used for Unix, to provide credentials for agentless, authenticated scanning of Cisco IOS devices.  The new record supports an optional second password for the enable prompt, which is needed to execute the following commands: show version, show logging, and show running-config.  The output of these commands is normalized into an XML file in memory on the scanner appliance, where signatures are executed to verify configuration settings.  By storing the output on the scanner appliance, QualysGuard minimizes any impact on the actual device during the scan.  Once the signatures have completed, the XML file is deleted from memory.
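To make the normalize-then-check flow concrete, here is an added example (not Qualys code, and not the product's actual signatures): it parses a constructed `show running-config` sample into an in-memory XML tree, runs a handful of illustrative hardening checks of the kind a CIS-style benchmark verifies, and then drops the tree. The XML layout, the check names, and the sample config are all assumptions made for this example.

```python
"""Added example (not Qualys code): parse Cisco IOS `show running-config`
output into an in-memory XML tree, as the post describes, and evaluate a few
benchmark-style checks against it. The XML layout and the checks are assumed."""
import xml.etree.ElementTree as ET

# Constructed sample of `show running-config` output; not from a real device.
SAMPLE_RUNNING_CONFIG = """\
version 15.1
service password-encryption
hostname edge-router-01
enable password 7 094F471A1A0A
!
ip http server
no ip http secure-server
!
line con 0
 exec-timeout 10 0
 login local
line vty 0 4
 exec-timeout 0 0
 transport input ssh
 login local
!
end
"""


def parse_running_config(text):
    """Normalize the config into <config><cmd text=...><cmd text=.../></cmd></config>.
    IOS marks sub-commands (e.g. under `line vty 0 4`) with one leading space."""
    root = ET.Element("config")
    parent = root
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blank lines and comment separators
        if raw.startswith(" "):
            ET.SubElement(parent, "cmd", text=raw.strip())
        else:
            parent = ET.SubElement(root, "cmd", text=raw.strip())
    return root


def has_global(root, prefix):
    """True if some top-level command starts with `prefix`."""
    return any(c.get("text").startswith(prefix) for c in root.findall("cmd"))


def sections(root, prefix):
    """Top-level commands (with their sub-commands) whose text starts with `prefix`."""
    return [c for c in root.findall("cmd") if c.get("text").startswith(prefix)]


def timeout_disabled(section):
    """`exec-timeout 0 0` (or `exec-timeout 0`) disables the idle timeout entirely."""
    for c in section:
        parts = c.get("text").split()
        if parts[0] == "exec-timeout":
            minutes = parts[1]
            seconds = parts[2] if len(parts) > 2 else "0"
            return minutes == "0" and seconds == "0"
    return True  # no exec-timeout line at all: treat as not configured


# Illustrative checks (assumed for this example, not Qualys's signatures).
CHECKS = {
    "service password-encryption enabled":
        lambda r: has_global(r, "service password-encryption"),
    "enable secret used instead of enable password":
        lambda r: has_global(r, "enable secret") and not has_global(r, "enable password"),
    "ip http server disabled":
        lambda r: not has_global(r, "ip http server"),
    "vty lines accept ssh only":
        lambda r: bool(sections(r, "line vty")) and all(
            any(c.get("text") == "transport input ssh" for c in s)
            for s in sections(r, "line vty")),
    "vty idle timeout configured":
        lambda r: bool(sections(r, "line vty")) and not any(
            timeout_disabled(s) for s in sections(r, "line vty")),
}


def run_checks(config_text):
    """Build the XML tree, evaluate every check, then drop the tree (mirroring
    the scanner discarding its in-memory XML once signatures have run)."""
    tree = parse_running_config(config_text)
    try:
        return {name: ("PASS" if fn(tree) else "FAIL") for name, fn in CHECKS.items()}
    finally:
        del tree


if __name__ == "__main__":
    for name, verdict in run_checks(SAMPLE_RUNNING_CONFIG).items():
        print(f"{verdict:4} {name}")
```

Running it against the sample passes the password-encryption and ssh-only checks and fails the other three, which is the kind of per-setting verdict a compliance report rolls up. Real signatures would be far more numerous and would also consume `show version` and `show logging` output, but the shape (collect over SSH, normalize in memory, evaluate, discard) is the same.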

Demo

To see a demo of this new feature, please view the Cisco IOS Scanning Demo.


Verifying that files have not been changed without authorization has become an area of focus because of the Payment Card Industry (PCI) Data Security Standard (DSS). Traditionally, the task of verifying file integrity has been reserved for agent-based solutions that run locally on devices. However, with the introduction of QualysGuard 6.10, Policy Compliance supports agent-less verification of file integrity.

The Need for File Integrity

Verifying the integrity of critical files has always been a concern of security professionals.  However, the introduction of the Payment Card Industry (PCI) Data Security Standard (DSS) has made this a focal point for compliance.  The original standard suggested software like Tripwire to meet this requirement, but over the years, this requirement has been updated to remove specific software recommendations.  The new standard, Version 2.0, states the following:


11.5 Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.


Notice the change in language from the previous version: file-integrity monitoring software was replaced with file-integrity monitoring tools to clarify that software is not the sole means of meeting this requirement.


Although PCI has been a primary driver for file integrity, other regulations also require file integrity monitoring, including NIST SP 500-53 and SANS Consensus Audit Guidelines.  File integrity is a key requirement for IT policy compliance.

Traditional Methods for File Integrity

When PCI DSS Version 1.0 was introduced in 2004, the primary mechanism for meeting file integrity requirements was an agent-based solution, such as Tripwire.  Other agent-based solutions soon added file integrity capabilities to their agents to capitalize on the new PCI market.  The challenge with agent-based file integrity monitoring software is that it can be costly to implement and maintain.  Agents need to be deployed, maintained, and updated.  Some estimate that organizations can easily spend a quarter or more of their security budgets on high-cost file-integrity monitoring products.  Organizations should consider more cost-effective investments, such as leveraging existing technologies.

Agent-less File Integrity

Agent-less file integrity uses authenticated scans, not agents, to verify the integrity of files on a device.  During an authenticated scan, the scanner calculates an MD5, SHA-1 or SHA-256 hash of the file.  From scan to scan, the hash values are compared to determine whether the file has changed.  This approach eliminates the need for costly agents and minimizes the performance impact typically experienced with agents.
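The scan-to-scan comparison described above, as an added example that is not Qualys code: each scan hashes the monitored files (MD5, SHA-1 or SHA-256, the three the post names) and the digests are diffed against the previous baseline, classifying every path as unchanged, modified, added or removed. The monitored file names and their contents are constructed inside a temporary directory so the example runs offline; the weekly-staleness helper reflects the PCI DSS 11.5 "at least weekly" wording quoted in the post.

```python
"""Added example (not Qualys code): an agentless-style file integrity check.
Each scan hashes the monitored files; the digests are compared with the
previous scan's baseline to classify every file. All paths are constructed."""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

ALGORITHMS = ("md5", "sha1", "sha256")  # the three algorithms the post mentions


def hash_bytes(data, algorithm="sha256"):
    """Digest of an in-memory byte string (handy for known-answer checks)."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path, algorithm="sha256", chunk_size=1 << 16):
    """Stream the file so large binaries never have to fit in memory."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths, algorithm="sha256"):
    """Return {path: digest}; a monitored path that does not exist maps to None."""
    return {str(p): (hash_file(p, algorithm) if os.path.isfile(p) else None)
            for p in paths}


def compare(baseline, current):
    """Classify every monitored path by comparing two snapshots."""
    findings = {}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None and new is None:
            findings[path] = "missing"      # absent in both scans
        elif old is None:
            findings[path] = "added"
        elif new is None:
            findings[path] = "removed"
        elif old != new:
            findings[path] = "modified"
        else:
            findings[path] = "unchanged"
    return findings


def baseline_is_current(last_scan, now, max_age=timedelta(days=7)):
    """PCI DSS 11.5 asks for comparisons at least weekly; flag a stale baseline."""
    return now - last_scan <= max_age


def demo():
    """Create a few files, take a baseline, change them, and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        # new.conf is monitored but does not exist yet at baseline time.
        monitored = [root / n for n in ("sshd_config", "passwd", "hosts", "new.conf")]
        baseline = snapshot(monitored)
        # Simulated changes between the weekly scans.
        (root / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "hosts").unlink()
        (root / "new.conf").write_text("debug=1\n")
        current = snapshot(monitored)
        return {Path(p).name: status for p, status in compare(baseline, current).items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Two practical points the code makes explicit: the baseline digests must be stored somewhere the monitored host cannot alter them (the post keeps them on the scanner side, which is exactly the property an on-host agent database lacks), and a "missing" path is worth reporting separately from "removed", since a control that never found its file has not actually verified anything.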


Using QualysGuard Policy Compliance, organizations can leverage their existing investment in QualysGuard not only to verify the integrity of files but also to collect the additional configuration settings needed for compliance.  This approach has a compounding effect on the Total Cost of Ownership for several reasons:


  1. The cost of Policy Compliance is a fraction of the cost for agent-based solutions, typically equal to the annual maintenance fees charged for the agent.
  2. Policy Compliance eliminates the cost of deploying, updating, and maintaining agents.
  3. File Integrity is included in Policy Compliance without additional licensing.

Configuring QualysGuard Policy Compliance

To meet the requirements of file integrity monitoring, configure QualysGuard Policy Compliance as follows:

  1. Define critical Windows and/or Unix files as User Defined Controls.
  2. Add the User Defined Controls to a Policy.
  3. Update the Compliance Profile to enable File Integrity Monitoring.
  4. Scan files weekly.
  5. Report weekly.

Demo and Technical Paper

To see a demo of configuring file integrity within Policy Compliance, please view the File Integrity Check Demo.


For additional technical details on file integrity, please download the QualysGuard Tips and Techniques, File Integrity Check Document.


Is your organization using RSA Archer to manage your governance, risk and compliance program? Would you like to integrate vulnerability and configuration data from QualysGuard? RSA Archer integrates with both QualysGuard Vulnerability Management (VM) and Policy Compliance (PC) through the QualysGuard XML APIs and RSA Archer's Data Feed Manager (DFM).

Why RSA Archer?

RSA Archer is the leading enterprise governance, risk and compliance (GRC) solution. Qualys, Inc. is the leading provider of on demand IT security risk and compliance management solutions — delivered as a service. Since Qualys and RSA Archer have a large number of joint customers, it was logical to integrate our solutions, allowing customers to maximize their investment in both solutions.

RSA Archer Integration

The integration imports two types of data from QualysGuard into RSA Archer:

Vulnerability Management

Using the QualysGuard VM scanning infrastructure, vulnerability data can be collected for all enterprise assets in an automated and accurate manner. This integration automatically updates RSA Archer with asset vulnerability data to be used in remediation efforts.

Policy Compliance

The integration of QualysGuard PC with RSA Archer allows customers to automatically import compliance scan information into their RSA Archer environment. This allows asset owners to report on compliance issues identified on their assets in one single view.


RSA Archer's integration leverages the QualysGuard XML API v1 and v2 frameworks. In addition to the QualysGuard APIs, RSA Archer uses the Data Feed Manager to integrate data within RSA Archer.

Integration Guide

For full integration details with RSA Archer, please download the QualysGuard RSA Archer Integration Guide.


Do you ever want to see the control mappings in a report without doubling or tripling the size of the report? What about excluding certain control mappings from the control API to limit data exported? With the release of QualysGuard 6.17, users can now filter the frameworks at the subscription and/or report level within Policy Compliance.

The Need for Framework Filtering

The current control knowledgebase includes over 6,700 configuration checks mapped to dozens of frameworks, including the Center for Internet Security (CIS) benchmarks, the Control Objectives for Information and related Technology (CObIT) 4.0 and 4.1, the Health Insurance Portability and Accountability Act (HIPAA), etc.  These extensive mappings create a large number of control/mapping pairs available in the subscription.  For the majority of organizations, which require only a subset of this data, the current data set is too large to consume.

Filtering Frameworks with Policy Compliance

In order to limit the number of control/mapping pairs, QualysGuard 6.17 introduces the capability to limit which frameworks are displayed in the subscription and/or reports.  Each filter is described in detail below:

Subscription Filter

A subscription-level filter reduces the number of frameworks available to view in the subscription, which includes control search, reports, and the control API. Applying this filter does not filter the Controls knowledgebase itself, just the framework mappings visible in the subscription.


All available frameworks are enabled by default in the subscription. Change which frameworks are visible by selecting Setup/Frameworks… from the menu. Once the frameworks have been filtered, the following areas of the subscription will be affected:


  1. The Control API will limit the framework mappings in the output when the parameter “details=All” is set.
  2. The Search dialog within the Controls knowledgebase will limit the framework mappings based on the subscription settings.
  3. The Report Templates will limit the framework mappings based on the subscription settings if the Glossary or External Mappings sections are selected.

Report Template Filter

Frameworks are filtered in reports based on the subscription settings, but this feature also allows additional filtering in reports. The report level filter will reduce the number of frameworks available in the reports only.


All available frameworks in the subscription are enabled by default in reports. Change which frameworks are visible by selecting the new tab, Frameworks, in the report template.  Once the frameworks have been filtered, reports using this template will only show the selected frameworks in the Glossary or External Mappings sections, if selected.

Demo and Technical Paper

To see a demo of these steps, please view the Filter Framework Demo.


For full technical details on Filter Frameworks, please download the QualysGuard Tips and Techniques, Filter Frameworks Document.


With the continued growth and adoption of the Security Content Automation Protocol (SCAP), the National Institute of Standards and Technology (NIST) is publishing more content to support the new United States Government Configuration Baseline (USGCB). With the release of QualysGuard 6.17, users can now import NIST content and scan Windows 7, Windows 7 Firewall, and Internet Explorer 8 in the QualysGuard FDCC Module.

Importing NIST Content

Since NIST has not finalized the content for Windows 7 and Internet Explorer 8, the FDCC Module does not currently have the new content available for import. However, the current content from NIST can be uploaded as a custom policy in the FDCC Module. To access the NIST content, please visit http://web.nvd.nist.gov/view/ncp/repository. Once you have the files downloaded, you can upload the content by performing the following steps:


  1. From the Tools section, select Policies.
  2. From the menu, select New, FDCC Policy…
  3. Choose the following files downloaded from the NIST website:
      • XCCDF Content
      • CPE OVAL Definitions
      • CPE 2.0 Dictionary
      • OVAL Compliance Definitions
  4. See Figure 1 (FDCC - Win 7.png): New FDCC Policy: Validate.

     NOTE: Since the NIST content is still in draft, Schematron Validation is not currently supported for Windows 7 and Internet Explorer 8.

  5. Click Validate to create the policy.
  6. Once validated, verify the Title, FDCC Profile, and Description. Click Save.
  7. See Figure 2 (FDCC - Policy.png): New FDCC Policy: Save.
  8. Add Asset Group(s) to the new FDCC policy.

Scanning Targets

Once the FDCC policy has been created, you are ready to scan targets by performing the following steps:


  1. From the Navigation section, select FDCC Scan
  2. From the menu, select New, Scan
  3. Enter the following information and click Launch:
    • Title
    • FDCC Policy
    • Compliance Profile
    • Scanner Appliance
    • Asset Group(s)
FDCC - Launch.png

Figure 3: Launch FDCC Scan
