CHAPTER 6, PART 1
VULNERABILITY SCAN PROCEDURES
1 BACKGROUND
Global network connectivity is commonplace for information exchange and is crucial for conducting many everyday operations. However, the benefits can be overshadowed by the increase in network vulnerabilities. The number of Information Technology (IT) related incidents that have occurred in the past year, along with the increase and complexity of threats, requires that USDA take its security protection measures seriously. Networks and information technology resources are continually vulnerable to illegal/malicious activity or exploitation by internal and external sources.
Vulnerability Scan Procedures are a critical component of the overall Security Protection Plan within the Department. Regular IT inventories and vulnerability scans have proven to be an effective tool in combating IT incidents and exploits of USDA information assets.
The purpose of this document is to establish the policy and procedures for the inventory and vulnerability scans of all USDA managed networks, systems, and servers.
2 POLICY
All USDA agencies and mission areas will establish and implement the following procedures for accomplishing vulnerability scanning of all networks, systems, servers, and desktops for which they have responsibility. Each agency/mission area will report to CS all Critical Vulnerabilities (High and Medium) found as a result of the scan. Internet Security Systems (ISS) Internet Scanner software, obtained from the Department-wide Contract Vehicle established for this purpose, will be used to scan networks, systems, and servers. The ISS software already classifies vulnerabilities as high, medium, or low using the vendor's default values. Vulnerability scans are to be performed on a monthly basis for all existing and new networks, systems, servers, and desktops by duly authorized users in accordance with established procedures.
Cyber Security also requires that Discovery Scans be performed monthly to ensure that there are no “unauthorized devices” on agency networks. Agencies will run scans inside USDA using USDA-owned IP addresses unless they have an approved exception to deviate from this policy. Physical or electronic inventories may be done of networks, systems, servers, and workstations; however, electronic inventories are preferable. Each agency will designate authorized personnel to conduct software scans. All authorized users will be trained in the use of the scanner software prior to conducting any internal or external scans and will notify CS before running scans.
The National Intrusion Detection System (IDS) managed by CS detects all scans, whether they originate externally or internally. Agencies/staff offices will identify the range of Internet Protocol (IP) addresses to be scanned and the IP address of the platform being used to launch the scan.
Agencies and staff offices will not attempt to scan networks, systems, servers or desktops for which they are not responsible.
Agencies and staff offices will produce and retain inventory and vulnerability scan reports for all scans conducted in compliance with agency record management guidelines. The Monthly Scan Certification form, Appendix B, will be completed by the agency ISSPM and sent to CS at the end of each month. Critical vulnerabilities are those that have the potential to disrupt the operation of networks, servers and desktops used to transport USDA data. A summary of the vulnerabilities identified will be provided to the agency Chief Information Officer (CIO) for review to ensure that corrective action plans are developed within 30 days and implemented for the critical vulnerabilities identified. A Plan of Action and Milestones (POA&M) will be developed in accordance with Federal Information Security Management Act (FISMA) reporting requirements for any unresolved critical vulnerabilities existing for more than 30 days from the date of the scan.
Agencies do not need to request exceptions for “false positives”.
Policy Exception Requirements – Agencies will submit all policy exception requests directly to the ACIO for Cyber Security. Exceptions to policy will be considered only in terms of implementation timeframes; exceptions will not be granted to the requirement to conform to this policy. Exceptions that are approved will be interim in nature and will require that each agency report this Granted Policy Exception (GPE) as a Plan of Action & Milestone (POA&M) in their FISMA reporting, with a GPE notation, until full compliance is achieved. Interim exceptions expire with each fiscal year. Compliance exceptions that require longer durations will be renewed on an annual basis with an updated timeline for completion.
CS will monitor all approved exceptions.
3 RESPONSIBILITIES
a. The Associate Chief Information Officer for Cyber Security will:
(1) Provide customer support to agencies and staff offices in obtaining Internet Security Scanners, Scanning Software and Keys from the USDA Enterprise License Contract;
(2) Assist agencies/staff offices in obtaining training on the use of scanning equipment on their networks, systems, and servers;
(3) Provide technical guidance in scanner use to agencies and staff offices, as required, after training of authorized users has taken place;
(4) Conduct oversight reviews of agencies and staff offices to review vulnerability reports and corrective actions taken to ensure that networks, systems, and servers are protected in accordance with this policy; CS also reserves the right to review Discovery Scans;
(5) Monitor Scan Certification forms to ensure that agencies and staff offices comply with this policy; and
(6) Review all requests for exceptions to this policy in a timely manner and coordinate the response to the agency.
b. Agency Chief Information Officer will:
(1) Implement and enforce this policy and procedures within all internal agency/staff office activities that are responsible for networks, systems, workstations, and servers;
(2) Ensure that all agency/staff offices order and use the Internet Security Scanner software and keys in conducting internal and external scans on a monthly basis, and that inventories of networks, systems, servers, software and Internet Protocol (IP) addresses are maintained;
(3) Designate and notify CS of personnel authorized to conduct agency/staff office scans; ensure that these personnel are trained; notify Cyber Security prior to conducting any scans;
(4) Review Scan Certification information on a monthly basis to ensure that critical vulnerabilities identified are corrected in a timely manner;
(5) Provide a completed Scan Certification Report (Appendix B) to CS for all agency systems and desktops scanned on a monthly basis;
(6) Submit an exception package, including a strong justification, for all critical vulnerabilities when corrective actions are not taken, and forward it to the Associate CIO for CS for review and action; and
(7) Take necessary action to archive IP addresses, IT equipment inventory and vulnerability reports in compliance with agency records management guidelines.
c. The agency Information Systems Security Program Managers (ISSPM), Systems/Network Administrators or Authorized Users will:
(1) Assist in performing monthly inventories and vulnerability and discovery scans of all agency/staff office managed networks, systems, workstations, servers, and desktops as the authorized user;
(2) Assist in performing vulnerability scans of all new systems, networks, or servers prior to production deployment and of existing systems after major changes are made;
(3) Assist in producing/updating inventory and vulnerability reports for all agency/staff office managed networks, servers, software and IP addresses on a monthly basis;
(4) Complete the Scan Certification (Appendix B) on a monthly basis for all agency systems and desktops;
(5) Forward the report to the agency Chief Information Officer for review and further action;
(6) Document the status of actions taken by all Authorized Users to mitigate vulnerabilities identified, or prepare a written exception package with a strong justification to the agency/staff office IT Manager/CIO for actions not taken; and
(7) Update quarterly POA&Ms in accordance with Federal Information Security Management Act (FISMA) reporting requirements with any unresolved critical vulnerabilities existing for more than 30 days from the date of the scan.
d. Agency System/Network Administrators (not Authorized Users) will:
(1) Deploy new systems into production or operational status only after critical vulnerabilities are resolved through security mitigations or accreditation by the Designated Accrediting Authority (DAA)/agency CIO;
(2) Apply patches or fixes to agency/staff office managed networks, systems, servers, and desktops in a timely manner as appropriate;
(3) Keep a written record of all patches and fixes applied to agency/staff office managed networks, systems, and desktops, including the version and date; Cyber Security reserves the right to verify all written records of system/network/server patches;
(4) Collaborate with the ISSPM/Authorized Users in ensuring that IP address updates, inventory of IT equipment and vulnerability scans are conducted/updated on a monthly basis; and
(5) Assist the ISSPM/Authorized Users in ensuring that mitigation actions are taken promptly for all critical vulnerabilities or that a persuasive and cogent written justification is provided to the agency CIO for actions not taken.
-END-
Internet Scanner is a vulnerability assessment product that analyzes the security of devices on an enterprise-wide network, checking for vulnerabilities on routers, Web servers, Unix servers, Windows servers, desktop systems, and firewalls. Internet Scanner can be used on all TCP/IP-based networks, networks connected to the Internet, and on stand-alone networks and machines.
This user’s guide will provide the basic steps for the installation and operation of Internet Scanner 7.0 Service Pack 2 (SP2). If you require more detailed information, please refer to the PDF document entitled “Internet Scanner User’s Guide”, provided by Internet Security Systems (ISS).
There are many benefits that Internet Scanner provides. Some include:
Internet Scanner is divided into two areas of functionality:
There are seven major components of the Internet Scanner console. They are:
Component | Description
Client – Scanner GUI (Scanner_Console.exe) | Controls the sensor and scan options from a GUI front end.
Client – 7.0 CLI/Engine Manager (EngineMgr.exe) | Controls the sensor and multiple scan options from the command line for scheduling and scripting.
Client – 6.2.1 CLI (ISS_WinNT.exe) | Provides backward compatibility to support custom scripts written to control older versions of Internet Scanner.
Policy Editor (CPE.exe) | Used to customize policies.
Policy Migration (PolicyMigration.exe) | Used to migrate custom policies from Internet Scanner 6.2.1.
X-Press Update Installer (XpressUpdate.exe) | Used to download and install updates to the current version of Internet Scanner.
Report Engine (ReportEngine.exe) | Runs reports in various formats based on vulnerability scans.

Component | Description
Scan Controller (ISSDaemon.exe) | Directs job requests to the appropriate sensor components.
Database (Scan7db.mdf) | Stores scan results.
Flex Checks (FlexCheck.exe) | The engine responsible for running custom vulnerability checks.
Discovery (Discovery.exe) | The engine responsible for enumerating live hosts.
OS Identification (Discovery.exe) | The engine responsible for identifying remote operating systems. Part of Discovery.
Assessment Checks (Builtin: MicroEngine.exe; Plugin: MicroEngine.exe) | Engines responsible for checking for specific vulnerabilities.
This user guide does not cover using SiteProtector with Internet Scanner. For more information on SiteProtector and Internet Scanner, please see the “Internet Scanner User’s Guide”, provided by ISS.
These items are required when installing Internet Scanner.
Item | Minimum Requirement
Processor | 1.2 GHz Pentium III (2.4 GHz Dual XEON Processor Recommended)
Operating System | The installation of Internet Scanner is not supported on Windows 2000 Server or Windows XP Service Pack 2.
Other software |
Memory | 512 MB (1 GB Recommended)
Hard disk | 345 MB for installation from file. NTFS file partition required.
User privileges | Local or domain administrator.
Database | MSDE SP3 Standard Installation.
Microsoft MDAC | Version 2.8. If MSDE is automatically installed, it will also install MDAC 2.8.
These steps detail the installation of Internet Scanner SP2 on a Windows XP SP1 system without MSDE installed.
Step 1: The Welcome screen appears. Click Next to continue.
Step 2: The Remove Installation Files window appears. Select “Unpack the files used to perform the installation to a temporary location, and automatically remove these files after the setup is completed. Select this option if you are not planning to run the setup again later.” Click Next to continue.
Step 3: Internet Scanner will start the extraction process. The window below will appear.
Step 4: The Welcome screen appears again. Click Next to continue.
Step 5:
Step 6: The Installation Options window appears. Select the Standard option, and click Next to continue.
Step 7: The MSDE and MDAC question window appears. Click Yes to continue. This will automatically install an instance of Microsoft SQL Desktop Engine and MDAC 2.8. MDAC will be installed first. The MDAC 2.8 installation window may appear.
Step 8:
Step 9:
Step 10: The Welcome to the InstallShield Wizard for Internet Scanner 7.0 Service Pack 2 window appears. Click Next to continue.
Step 12: The Installation Options window appears again. Select the Standard option, and click Next to continue.
Step 13: Uncheck “I would like to view the README file” and click Finish to complete the installation.
You must reboot your computer after installation, even if it does not prompt you to restart your computer.
Using Internet Scanner
An Internet Security Systems software license key is necessary for Internet Scanner to function properly. Without the iss.key file, the scanners cannot analyze activity across your network and on your computer system. Before you can use Internet Scanner, you must obtain and install your license key. Your Security Officer or ISSPM will most likely email you your license key as a Key File email attachment.
What is a Key File? A key file defines your licensing for Internet Scanner. It contains information such as the products licensed, creation date, maintenance expiration date, and license expiration date.
Note: With Internet Scanner version 7.0, you will be able to scan any valid IP address, regardless of the IP restriction in the license key. If you wish to restrict the IP addresses that Internet Scanner may scan, you must deploy SiteProtector. Refer to the Internet Scanner 7.0 User’s Guide from ISS for more information.
Step 1:
Step 2: You must start Internet Scanner to finish installing and registering the key. To start Internet Scanner, click Start|Programs|ISS|Internet Scanner 7.0 Service Pack 2|Internet Scanner. This will launch the Internet Scanner software.
Step 3: You should receive a message stating that Internet Scanner has detected a license from a previous installation. Click OK to continue.
Step 4: You may receive a warning message regarding your license. Click “Display License Report”.
Step 5: The License Status Report window may appear. Click Close.
Step 6: You may get a warning window stating that the scanning machine was unable to contact a domain controller. Click OK.
Step 7: The Internet Scanner Console appears with the session window. Click Cancel. Exit out of the application and continue to X-Press Updates.
The License Registration window appears with a list of licenses. Click Unregister to unregister all licenses. An “X” should disappear under the Status column. Click Close when complete. Exit out of Internet Scanner.
X-Press Updates automatically update your system with the latest checks and latest product updates available for Internet Scanner. To install new X-Press Updates not currently on your system, follow these steps:
Step 1: Click Start|Programs|ISS|Internet Scanner 7.0 Service Pack 2|X-Press Update Install.
Step 2: The Select Location window is displayed. Select the Web Server option, and check Install all new X-Press Updates found. Click Next to continue.
Step 3: Select Yes to agree to the Export Law Agreement, and then click OK. X-Press Updates will show the following status screen when updating.
Step 4: X-Press Update will show the following screen when it has successfully completed. Click Close to exit the program.
Step 1: To start Internet Scanner, click Start|Programs|ISS|Internet Scanner 7.0|Internet Scanner. This will launch the Internet Scanner software.
Step 2: You may receive a warning message regarding your license. Click “Display License Report”.
Step 3: The License Status Report window appears. Click on Close.
Step 4: You may get a warning window stating that the scanning machine was unable to contact a domain controller. Click OK.
Step 5: Select Create a New Session and click OK.
Step 8: The Specify Known Accounts window appears. If you are scanning a Windows NT/2000/XP/2003 machine, click on Add Accounts. For other machines, click on Next and proceed to Step 12.
Note: If you are logged in with a domain administrator account or with an account that has administrator rights to the machines that are being scanned, you do not need to Add Accounts, and can click Next and proceed to Step 13.
Step 9: The Known Accounts window appears; click on Add…
Step 10: The Add Known Account window appears. Enter the User Name, Domain Name, password, and confirm password of the administrator account for the machine being scanned. If you are using a local account, check Local Account and type in the machine name. Click on Verified. Click OK when finished.
Step 11: The Known Accounts window should show the account credentials of the user you typed in. Repeat Steps 10 and 11 to add more accounts, or click Exit to end.
Step 12: Click Next to continue.
Step 15: Internet Scanner will show the main scanner window. Click Scan|Scan Now to start the scan.
Note: USDA’s intrusion detection system may record your scanning activities. Before you perform a scan, please send an email to scans@opsec.usda.gov indicating the IP addresses that you are scanning, as well as the IP address of the scanner. If possible, please provide 24 hours’ notice prior to performing a scan.
Internet Scanner offers five levels of security that provide a structured and logical approach to managing risk. These groups of security tests are applied to the systems. The higher levels are designed for business-critical systems; the lower risk levels are designed for less important systems. By applying these levels, you ensure that security efforts remain focused on the most important components of the IT infrastructure.
Security levels are types of checks that you apply to particular systems according to the amount of security needed. Level 5 is the most complex of the levels.
The following table lists each level and its description:
Level | Description
Level 1 | Identifies operating systems of the machines on the network.
Level 2 | Identifies the services running on machines on the network, such as web servers.
Level 3 | Checks for compromises by unskilled attackers, or for signs that a system is already compromised.
Level 4 | Checks for compromises by automated attack tools, or by moderately skilled attackers.
Level 5 | Checks for compromises by highly skilled attackers, or for signs that a system is not configured properly.
Discovery Policies
Internet Scanner provides four default, read-only scan policies that gather operating system and service information about devices connected to the network.
Policy | Description
D0 Light Discovery | Provides a general idea of the types of devices and services active on the network. (DNS Lookups, ICMP, Fingerprinting)
D1 Standard Discovery | Runs processes that provide a general idea of the types of devices and services active on the network. (DNS Lookups, NetBIOS, Fingerprinting)
D2 Full Discovery | Gathers information about the network by performing port scans, operating system (stack) fingerprinting, banner grabbing techniques, and NetBIOS scans.
D3 Maximum Discovery | Identifies any unknown or closed ports on devices connected to the network in addition to any database servers active on the network.
Assessment Scan Policies
Internet Scanner provides fourteen default, read-only scan policies that assess the security of devices connected to the network.
Policy | Description
Blank | Has no vulnerability checks enabled for the scan policy.
Evaluation | Runs vulnerability checks that detect the most extreme high and medium risk vulnerabilities, including all vulnerability checks performed by the SANS Top 20 policy. Note: All denial of service checks and some of the more time consuming checks included in Internet Scanner have been disabled in this scan policy.
| Runs vulnerability checks that check for account names and passwords Database Scanner can use in gaining access to any database servers connected to the network.
| Runs all high risk vulnerability checks to determine if a desktop connected to the network could allow an unauthorized user to:
| Runs all high risk vulnerability checks to determine if a router or switch connected to the network could allow an unauthorized user to:
| Runs all high risk vulnerability checks to determine if a server connected to the network could allow an unauthorized user to:
| Runs all high risk vulnerability checks to determine if a Web server connected to the network could allow an unauthorized user to:
| Runs all high and medium vulnerability checks to determine if a router or switch connected to the network could allow an unauthorized user to gain system access to the network. Note: This scan policy also uses the settings and vulnerability checks used by the L3 Router & Switch policy.
| Runs all high and medium vulnerability checks to determine if a server connected to the network could allow an unauthorized user to compromise or bring down the network. Note: This scan policy also uses settings and vulnerability checks used by the L3 Server policy.
| Runs all high and medium risk vulnerability checks to determine if a Web server connected to the network could allow an unauthorized user to gain system access to the network. Note: This scan policy also uses the settings and vulnerability checks used by the L3 Web Server policy.
| Runs all high, medium, and low risk vulnerability checks to determine if a server connected to the network could allow an unauthorized user to compromise or bring down the network. Note: This scan policy also uses settings and vulnerability checks used by the L3 Server policy and the L4 Server policy.
| Runs all high, medium, and low risk vulnerability checks to determine if a Web server connected to the network could allow an unauthorized user to compromise or bring down the network. Note: This scan policy also uses the settings and vulnerability checks used by the L3 Web Server policy and the L4 Web Server policy.
| Combines L5 Server and L5 Web Server vulnerability checks, and adds any Fusion related checks not already included.
| Runs the ten most common categories of exploits used against Unix systems and the ten most common categories of exploits used against Windows systems. Note: See the SANS Web site at http://www.sans.org/top20 for more information on the SANS Top 20 list.
| Detects systems vulnerable to one or more of the most serious high-risk vulnerabilities and attacks listed in the X-Force CRI. See the ISS Web site at http://xforce.iss.net/xforce/riskindex for more information.
You can edit scan policies to scan for specific vulnerabilities or to turn off specific checks. The example below shows you how to create an L5 Server scan policy that turns off brute force checks.
Step 1: Go to Policy|Derive New to create a policy.
Step 2: Select a policy to use as a base for the new policy. In this case, we will select L5 Server. Click Next to continue.
Step 3: Create a name for the new policy. Click Finish when complete. After finishing, the Policy Editor should appear.
Step 4: Expand “Common Settings” and click on Brute Force List. Uncheck all Operating System Checks in the right window.
Step 5: Click on Brute Force Options. Uncheck all options in the right window. When finished, click on the save icon or go to File|Save, then click on the exit icon in the top right corner.
Internet Scanning Reporting
Step 1: If Internet Scanner is not running, click Start|Programs|ISS|Internet Scanner 7.0|Internet Scanner 7.0. If the Session wizard appears, click Cancel.
Internet Scanner provides the capability to run Internet Scanner at specific times during the day. However, there is no graphical user interface to schedule scans, and you must use the Command Line Interface/Engine Manager along with Windows Scheduler to schedule Internet Scanner events. The example below shows how you can schedule Internet Scanner to run a scan at a specific time.
Step 1: Go to a command prompt. At the command prompt, change directory to c:\program files\iss\scanner console.
C:\>cd c:\program files\iss\scanner console
C:\program files\iss\scanner console\>
Step 2: Once at the proper directory, you must use the “Addasset” command under Engine Manager to add the Internet Scanner sensor before you can use any other command line interface for the sensor. Type the following two commands at the command line and press Enter after each. Replace “cchase” with your computer name. Replace “scanner_1” with your sensor name. You should receive a success message after the second command.
NOTE: This needs to be performed every time you reboot your machine. You can also create a batch file to perform this command.
C:\Program Files\ISS\ScannerConsole>EngineMgr -a addasset -e cchase -n scanner_1 -t scanner -o stdout.txt
C:\Program Files\ISS\ScannerConsole>EngineMgr -a addasset -e cchase -n scanner_1 -t scanner -mp EngineMgr.policy
AddAsset for scanner_1 at 199.128.144.92 completed successfully
C:\Program Files\ISS\ScannerConsole>
A description of the EngineMgr options used in this example is given in the EngineMgr Common Syntax Commands table at the end of this guide.
Step 3: You will need to create a batch file to schedule the automated session. Open Notepad and type the following line (the path contains a space, so it must be enclosed in double quotes or the command interpreter will stop at “c:\program”):
"c:\program files\iss\scannerconsole\enginemgr" -a startscan -n scanner_1 -hr 127.0.0.1 -poll t -p "L3 Desktop"
Step 4: Save the file with a unique file name and the extension “.bat” in a specified directory. Be sure to put the file name in double quotes when you are saving. After saving, exit Notepad.
Step 5: Go to Start|Settings|Control Panel, and open Scheduled Tasks.
Step 6: Click Add Scheduled Task.
Step 8: Type a name for this task. Select when to perform this task and click Next.
Step 9: Select the day and time you want to perform this task. Click Next.
Step 10: Under “Enter the name and password of a user”, you must enter a user ID with local administrator rights to the machine. Click Next when done.
Step 11: Click Finish when complete. You should see your newly scheduled task in the Scheduled Tasks window.
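The guide's two EngineMgr steps (re-adding the sensor after every reboot, then starting the scan) can be combined into the single batch file it suggests, so that the scheduled task never runs startscan against a sensor that was lost at reboot. The following is an added example, not from the USDA guide or from ISS; the host name SCANHOST, the target range 10.0.0.1-10.0.0.254, the log directory C:\ScanLogs, and the assumption that EngineMgr sets a non-zero exit code on failure are all constructed for illustration. It uses only the EngineMgr options shown on this page.

```batch
@echo off
rem Added example (not from the USDA guide or ISS): one batch file that performs
rem both EngineMgr steps from the guide so a scheduled task can run a monthly scan.
rem Assumed values, replace them for your environment:
rem   SCANNER_HOST - name or IP of the machine running the Internet Scanner sensor
rem   TARGETS      - the agency's own authorized IP range (policy: scan only what you own)
rem   LOGDIR       - where each run's EngineMgr output is kept for the scan records
setlocal
set "SCANNER_DIR=C:\Program Files\ISS\ScannerConsole"
set "SCANNER_HOST=SCANHOST"
set "SENSOR=scanner_1"
set "TARGETS=10.0.0.1-10.0.0.254"
set "POLICY=L3 Desktop"
set "LOGDIR=C:\ScanLogs"

if not exist "%LOGDIR%" mkdir "%LOGDIR%"

rem Date stamp for the log names; the offsets assume %date% looks like "Mon 01/05/2004".
set "STAMP=%date:~10,4%%date:~4,2%%date:~7,2%"
set "ADD_LOG=%LOGDIR%\addasset_%STAMP%.txt"
set "SCAN_LOG=%LOGDIR%\startscan_%STAMP%.txt"

cd /d "%SCANNER_DIR%" || goto :fail

rem Step 1: register the sensor with Engine Manager. The guide notes this must be
rem repeated after every reboot, which is why it is part of the scheduled job.
EngineMgr -a addasset -e %SCANNER_HOST% -n %SENSOR% -t scanner -mp EngineMgr.policy -o "%ADD_LOG%"
if errorlevel 1 goto :fail

rem Step 2: start the scan of the authorized range with the chosen policy.
rem "-poll t" is used exactly as in the guide's own batch file line.
EngineMgr -a startscan -n %SENSOR% -hr %TARGETS% -poll t -p "%POLICY%" -o "%SCAN_LOG%"
if errorlevel 1 goto :fail

echo Scan submitted. EngineMgr output: "%ADD_LOG%" and "%SCAN_LOG%"
endlocal
exit /b 0

:fail
echo EngineMgr step failed; check the logs in "%LOGDIR%" before the next scheduled run.
endlocal
exit /b 1
```

Save it with a .bat extension (double-quote the name in Notepad so it is not saved as .txt) and point the Scheduled Tasks entry created in Steps 5 through 11 at this file. The per-run log files give the ISSPM a dated record of each monthly scan for the Scan Certification.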
EngineMgr Common Syntax Commands
Option | Description
-a | The action performed by the Internet Scanner sensor. Default: none
-e | The IP address where the Internet Scanner sensor resides. This option is not used for the help and version commands, but can be used with all other CLI commands. Default: 127.0.0.1
-hf | Specifies a host file to be used. The file name must be in quotes.
-hr | A comma and/or hyphen separated list of IP addresses specifying the range of hosts to scan.
-mp | The file name of the Engine Manager policy file. This option can be used with all CLI commands. Default: EngineMgr.policy
-n | The name of the Internet Scanner sensor. Default: scanner_1
-o | The complete name and file path of the output file. This option can be used with all CLI commands. Default: stdout
-p | The file name of the policy file.
-t | The engine type.