External Vulnerability Scanning Assessment

Enterprise Vulnerability Management Program


 The internet is an unsafe place to do business; the number of vulnerabilities is increasing exponentially.
 These vulnerabilities are targets for attacks, and any governmental entity with vulnerabilities opens the
 State of Minnesota to risk. The Office of Enterprise Technology’s Enterprise Security Office (ESO) is
 committed to providing entities the information necessary to find and resolve these vulnerabilities,
 providing the tools to manage risk.

 One such tool is the external vulnerability scanning assessment that will be provided to all entities on the
 MNET network, beginning in January 2009.

 Each month OET will:
 - Execute a vulnerability assessment against every entity’s public IP address space
 - Conduct a preliminary analysis of the results
 - Prepare a summary report of identified critical and high vulnerabilities. (No report will be
   distributed directly to a customer unless the report contains high vulnerability risks. However,
   customers can access the EVMS system at any time to see results for their own systems.)
 - Provide customers with recommendations for resolving their security vulnerabilities

 The external vulnerability assessment focuses on identifying applications and services available to the
 Internet and evaluating known security vulnerabilities. These assessments provide entities with an
 attacker’s point of view, creating an opportunity to manage risk proactively.
 This service is a part of the MNET OET contract and leverages a highly professional security staff that is
 dedicated to threat and vulnerability management.

 The assessment process uses the world’s leading vulnerability and risk management system and tests for
 over 21,000 known vulnerabilities.

 This assessment provides an external viewpoint to a network environment, using a robust assessment tool.
 When combined with internal assessments that use the ESO Enterprise Vulnerability Management
 System, customers have a complete picture of their system vulnerabilities.
 The external vulnerability assessment tests an entity’s computing devices for known vulnerabilities that
 are exposed to the Internet. The assessment identifies open ports, services or applications and determines
 if known vulnerabilities exist.

 Version: 00.01                                     Page 1 of 3                                  DocID: 0001

Scans will be conducted monthly. The ESO will compile the results and summarize critical and high
vulnerabilities. The ESO will distribute the summary results and provide access upon request to the full scan
results. It is the responsibility of the entity to review the scan results and resolve the vulnerabilities.

The ESO will conduct vulnerability scanning using the Enterprise Vulnerability Management System
(EVMS). The technology supporting EVMS is the commercial enterprise class vulnerability assessment
tool nCircle IP360. nCircle is the leader in the vulnerability assessment space.

In some situations, the ESO may use additional tools to help validate scan results. Entities that are
already using EVMS to scan their networks internally will be able to compare the internal and external
results, providing additional insight into their security profile.

Scan results are stored within EVMS. Access to the entity’s scan results is limited to the entity’s
authorized individuals. The entity’s designated representative has the authority to grant access to the scan

The ESO will provide initial analysis to reduce false positives, and narrow results by entity, where
possible. In addition, the ESO will prepare summary reports of critical and high vulnerabilities. The
summary reports present the findings and give details on each critical and high vulnerability.
It is important that the results be protected, as they contain sensitive security information. The designation
of an individual to receive the results is critical to maintaining the security of this information. The ESO
will work with the designated individual to create a secure means of delivering the results.
The entity’s responsibility is to review the identified vulnerabilities, and to resolve, at a minimum, the
critical and high vulnerabilities.

Criticality is determined by the vulnerability score, a numeric value from 0 to 50,000+; the higher the
score, the more significant the vulnerability. The vulnerability score is calculated using a unique
vulnerability-scoring algorithm that takes into account:
- The age of the vulnerability (the older the vulnerability, the greater the chance of exploitation)
- The risk of the vulnerability (is it local or remote, what privileges are gained, etc.)
- The skill set required to exploit the vulnerability (low: automated programs are publicly available;
  high: the vulnerability requires a highly skilled person to execute the exploit)

    Criticality                   Score                              Resolve Within
    Critical                      > 20,000                           48 hours
    High                          10,000 – 19,999                    1 week

The above table is a guideline the ESO uses to prioritize and resolve vulnerabilities. There will be
instances where the ESO’s experience with a vulnerability, or known environmental constraints, will
change the criticality of the vulnerability.
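The following is an added example, not part of the program document or of EVMS/nCircle IP360: it applies the criticality table above (thresholds of 20,000 and 10,000, resolution windows of 48 hours and 1 week) to a set of constructed scan findings, narrows each finding to an entity by public IP address space, and produces per-entity summaries only for entities that have critical or high findings, as the reporting rule on page 1 requires. The entity address ranges, the sample findings, and the treatment of a score of exactly 20,000 as Critical are assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Thresholds and resolution windows from the program's criticality table. The table
# leaves a score of exactly 20,000 unassigned; this example treats it as Critical (assumption).
CRITICAL_MIN, HIGH_MIN = 20_000, 10_000
RESOLVE_WITHIN = {"Critical": timedelta(hours=48), "High": timedelta(weeks=1)}

# Constructed entity address spaces (documentation ranges, not real MNET allocations).
ENTITY_RANGES = {"Entity A": ip_network("192.0.2.0/24"), "Entity B": ip_network("198.51.100.0/25")}

def criticality(score):
    """Map a vulnerability score to the table's level; None means below the reporting threshold."""
    if score >= CRITICAL_MIN:
        return "Critical"
    if score >= HIGH_MIN:
        return "High"
    return None

def entity_for(host):
    """Narrow a finding to an entity by public IP address space; None if unassigned."""
    addr = ip_address(host)
    return next((e for e, net in ENTITY_RANGES.items() if addr in net), None)

def triage(findings, now):
    """Return {entity: [Critical/High findings with deadlines]}, highest score first.

    Entities with no Critical or High finding are absent, mirroring the rule that no
    report is distributed unless it contains high-risk vulnerabilities."""
    reports = {}
    for f in findings:
        level = criticality(f["score"])
        if level is None:
            continue  # lower-risk results stay in EVMS for the entity to review
        deadline = f["detected"] + RESOLVE_WITHIN[level]
        item = {**f, "criticality": level, "resolve_by": deadline, "overdue": now > deadline}
        reports.setdefault(entity_for(f["host"]) or "Unassigned", []).append(item)
    for items in reports.values():
        items.sort(key=lambda i: i["score"], reverse=True)
    return reports

# Constructed sample scan results (not real EVMS output), all detected by one monthly scan.
SCAN = datetime(2009, 1, 5, 9, 0)
SAMPLE_FINDINGS = [
    {"host": "192.0.2.10", "vuln": "outdated web server", "score": 24_500, "detected": SCAN},
    {"host": "192.0.2.11", "vuln": "weak TLS ciphers", "score": 12_000, "detected": SCAN},
    {"host": "198.51.100.7", "vuln": "server banner disclosure", "score": 3_500, "detected": SCAN},
    {"host": "203.0.113.9", "vuln": "unpatched mail service", "score": 21_000, "detected": SCAN},
]
```

Calling `triage(SAMPLE_FINDINGS, SCAN.replace(day=8))` three days after the scan reports Entity A (one overdue Critical, one High still within its week) and an "Unassigned" host whose address matches no entity range; Entity B has only a low-scoring finding and receives no report.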


The Enterprise Security Office will store scan data results for 5 years.

For questions regarding the External Vulnerability Scan and Assessment, contact Neal Dawson,
