Wanted: A clear view of vulnerability

Computerworld - When a new, high-risk Apache worm was announced in June, Motorola Inc.'s IT security team was able to find and plug its vulnerabilities before the worm hit, thanks to Foundstone Inc., the company's vulnerability assessment partner, says Bill Boni, chief information security officer for Motorola's information protection services.

Since Sept. 11, IT managers have been taking steps to get their arms around the difficult job of inventorying their corporatewide applications and patching systems before an attack on vulnerabilities can take out vital services. But those tasks are expensive, time-consuming and ultimately impossible to achieve if done by manually scanning systems, say analysts.

Thanks to a number of commercial and freeware tools on the market today, IT managers can automate those processes. But users say some of these tools can add even more complexity by scanning for too many vulnerabilities, leaving lists of things to repair that may not align with corporate security requirements, for example. Other tools spit out vulnerabilities and services that don't even exist. And most of the tools don't help with the patching and repair process, which many users say they want. Some companies, such as Tower Records, a West Sacramento, Calif.-based music and video retailer, are giving up on installing and managing their own tools and turning to assessment application service providers to simplify this vital function for them.

Vulnerability assessment tools, which cost $50,000 to $100,000 per year for a Class C network, use a variety of technologies. Some scan hosts for insecure services and ports, patch levels and other configuration problems. Network-based assessment tools examine traffic patterns for indicators of Simple Network Management Protocol, User Datagram Protocols and other traffic-related vulnerabilities. Some tools provide automated services over the Web. Some focus on application assessment. And some do all of those things.

Too Much Information

But without a way to manage and prioritize vulnerability reports, users are faced with the same problem they have with their closely linked intrusion-detection counterparts: too much information to sift through and act on. In response, some vendors are attempting to match their assessment information against information derived from intrusion-detection agents to weed out false positives and pinpoint true vulnerabilities. But they haven't been very successful, say analysts.

"Some scanners are really dumb. All they do is emulate a hacker operating with minimal or no knowledge about a remote system and make assumptions about what's on the network, which creates a lot of false positives," says Patrick Heim, vice president of enterprise security at McKesson Corp., a $50 billion medical services and supplies vendor in San Francisco.