Vulnerability Scanning For Network Appliances

Are you shipping network appliances that haven’t been scanned for vulnerabilities?

I’m responsible for getting security vulnerabilities corrected or “remediated” at work. Keep in mind this is no small job since our network is probably one of the largest in the world.

I continue to be surprised by these network equipment manufacturers that are completely clueless about vulnerability management and the vulnerability footprint of their devices.   These devices are often shipped full of security holes from the factory.

Below I will list some very simple steps that every network appliance manufacturer can do to reduce their customer’s security headaches.

  1. Always run a vulnerability scanner against your device or appliance before you “finalize” the revision for testing. Fix the security holes then start testing.
  2. Ship your “default config” without services needed that expose or open up security holes. This is also known as “secure by default.”  This means instead of having everything the customer could possibly need already up and running, give them an easy way to turn on what they need.
  3. If your default shipping config exposes something that vulnerability scanners pick up on as a vulnerability, or even an informational exposure, Document This information. This will save your security folks work and make your company actually seem professional.
  4. Realize that the security of your appliance is your responsibility as the appliance manufacturer. Be proactive.

It is only a matter of time before some major breach occurs via some “appliance” that was shipped full of security holes from the manufacturer. How will your company reputation be damaged from the fallout?

Database Patching

Don’t forget about Databases!

Since SQL server was affected by the recent patch Tuesday, I realized that databases are a large space in the Enterprise that may have not been getting the focus they need.

In many large companies a separate team (or teams) own and manage the database engine, whether that is SQL server, DB2, Oracle, etc..  How much time has been spent on making sure that there is a solid patching plan for operating systems and networking equipment compared to major “infrastructure applications” like database engines?

Sure, you have to secure the system to have any hope of securing data and applications, but database engines are almost their own little world that ride on top of the operating system.    Here’s why.. Databases…

1) have their own ports they open up,

2) often have their own user management systems that may or may not tie in to your authentication directory,

3) have their own security vulnerabilities that are widely publicized,

4) Are a #1 target for hackers.

Do I really need to give any more reasons that a solid lifecycle management and patching program for database engines is as critical as your patching and lifecycle management for your operating systems and networking equipment?

Surprisingly, your database engineers may be happy to get extra push for upgrades and patches. They often want to apply them but can’t get the cooperation of their customers for testing etc..

Scans Versus Penetration Tests

What is the difference between scanning and penetration testing?

Those of us responsible for managing Vulnerability scanning and penetration testing often seem to get the same question over and over… What is the difference between a vulnerability scan and a penetration test?

You would think that this is not a difficult topic to grasp, but some folks really do struggle to remember the difference. I’ll lay it out here in the most simple way I know how..

  • Scan = Look for holes and issues on a network or website. Usually with some type of scanning tool.
  • Penetration Test = Exploit and Hack holes that you have found on a network. And see how far you can get. A penetration test often starts with a scan, but is not limited to just the scanning.

Some good scanning tools are..

McAfee Vulnerability Manager (used to be called Foundstone)

QualysGuard

Nessus

Many companies offer penetration testing services.  I’ve only had experience with a few, so my only advice is to make sure your contracts are well written and that you are careful when working with a small company.