
SLAC Vulnerability Scanning

Cyber Security Working Group - LBL, December 5, 2005. Teresa Downey - SLAC.


Presentation Transcript


  1. SLAC Vulnerability Scanning Cyber Security Working Group - LBL December 5, 2005 Teresa Downey - SLAC

  2. Tools Used
  • ISS RealSecure SiteProtector Consoles
  • 1 ISS RealSecure SiteProtector DB
  • 5 ISS Internet Scanners
  • 1 DNS Registration DB (CANDO)
  • 2 Windows Automated Patching Methods (that mostly work)
  • ~20 Desktop Admins (for when the automated patching doesn’t work)

  3. “Daily” Scans
  • Lab is 24x7 – scans run 3x/day
  • “Daily” policy runs 30-40 tests
  • Most are recent “critical” Windows patches
  • P2P and Remote Admin software tests
  • “No SA password” test (MS SQL Server ‘sa’ account with a blank password)
  • Finds the unexpected…

  4. Updates to “Daily” Policy
  • All tests are listed on the SLAC Security web page
  • Deadlines (if set) are found on the same page
  • URLs to “disconnect” procedures as well
  • DHCP/VPN/Dial-Up Users
    • Deadline of ~10 days after patch release
    • Mailing list used to reach all “remote” users
  • Fixed IP Users
    • Only set deadlines on vulns w/ active exploits
    • Mailing list to reach all “windows” users

  5. Enforcement of “Daily” Scan
  • Vulnerabilities found are dumped to CSV
  • Imported into Oracle DB; merged with DNS Registration DB (CANDO); and exported to Excel file on network
  • Tue/Thu = Desktop Admin e-mail
    • If past deadline – fix it or IP is blocked from Internet at 6PM – blocked immediately if dhcp/vpn/dial-up user
  • Fridays = System Admin “Nag” e-mail
    • If vulnerable (w/o deadline) for > 2 weeks
  • Mon/Wed/Sat – just e-mail Security – or notify SysAdmin if extremely critical patch missing
  • “Daily” scan & enforcement is 30 to 60 mins/day
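The CSV-to-CANDO merge and the deadline and weekday rules from slides 4 and 5, written out as an added Python example. This is not SLAC's code (the real pipeline went through an Oracle DB and an Excel sheet); the scanner CSV columns, the CANDO record fields, the network classes, the 10-day deadline for fixed-IP hosts with active exploits, the treatment of unregistered IPs and of days the slides do not mention are assumptions, and the scan rows and registration entries are constructed.

```python
"""Daily-scan enforcement modelled on slides 4 and 5. Added example, not SLAC's code.
Column names, record fields and the rules not spelled out on the slides are assumptions."""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed stand-in for the ISS daily-scan CSV export (column names assumed).
SCAN_CSV = """\
ip,vuln,first_seen,has_exploit,patch_released
10.1.10.5,MS05-051,2005-10-12,yes,2005-10-11
10.1.20.9,MS05-039,2005-11-10,no,2005-08-09
10.1.30.2,NoSAPassword,2005-11-29,yes,
10.1.40.7,MS05-043,2005-11-20,yes,2005-08-09
"""

# Constructed stand-in for the CANDO DNS-registration DB, keyed by IP.
# kind is "fixed" or one of the roaming classes from slide 4.
CANDO = {
    "10.1.10.5": {"host": "pc-alpha", "admin": "alice", "kind": "dhcp"},
    "10.1.20.9": {"host": "pc-beta", "admin": "bob", "kind": "fixed"},
    "10.1.30.2": {"host": "db-gamma", "admin": "carol", "kind": "fixed"},
    "10.1.40.7": {"host": "pc-delta", "admin": "dave", "kind": "fixed"},
}

ROAMING = {"dhcp", "vpn", "dialup"}   # blocked immediately once past deadline (slide 5)
GRACE = timedelta(days=10)            # "~10 days after patch release" (slide 4)
NAG_AFTER = timedelta(days=14)        # "vulnerable (w/o deadline) for > 2 weeks" (slide 5)


@dataclass
class Finding:
    ip: str
    host: str
    admin: str
    kind: str
    vuln: str
    first_seen: date
    deadline: Optional[date]


def compute_deadline(kind, first_seen, patch_released, has_exploit):
    """Slide-4 rules: roaming users get ~10 days after the patch release; fixed-IP
    hosts get a deadline only when an exploit is active. Using 10 days from the
    first sighting for those, and first_seen when no patch date exists, is assumed."""
    if kind in ROAMING:
        return (patch_released or first_seen) + GRACE
    if has_exploit:
        return first_seen + GRACE
    return None


def load_findings(scan_csv, registration):
    """Join the scanner CSV with the registration DB (the Oracle merge on slide 5)."""
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        reg = registration.get(row["ip"])
        if reg is None:
            continue  # assumption: unregistered IPs have no admin to mail; Security chases them
        first_seen = date.fromisoformat(row["first_seen"])
        released = date.fromisoformat(row["patch_released"]) if row["patch_released"] else None
        deadline = compute_deadline(reg["kind"], first_seen, released, row["has_exploit"] == "yes")
        findings.append(Finding(row["ip"], reg["host"], reg["admin"], reg["kind"],
                                row["vuln"], first_seen, deadline))
    return findings


def enforcement_action(f, today):
    """Slide-5 schedule; weekday() gives Mon=0 .. Sun=6."""
    overdue = f.deadline is not None and today > f.deadline
    if overdue and f.kind in ROAMING:
        return "block-now"                      # dhcp/vpn/dial-up: no 6PM grace
    weekday = today.weekday()
    if weekday in (1, 3):                       # Tue/Thu: desktop-admin e-mail
        return "block-at-18:00" if overdue else "notify-admin"
    if weekday == 4:                            # Fri: sysadmin nag for long-lived undated vulns
        if f.deadline is None and today - f.first_seen > NAG_AFTER:
            return "nag-sysadmin"
    return "report-security"                    # Mon/Wed/Sat; Sunday treated the same (assumed)


def daily_report(scan_csv, registration, today):
    """Rows grouped by admin, the shape of the sheet handed to the desktop admins."""
    report = {}
    for f in load_findings(scan_csv, registration):
        report.setdefault(f.admin, []).append((f.host, f.vuln, enforcement_action(f, today)))
    return report


if __name__ == "__main__":
    for admin, rows in sorted(daily_report(SCAN_CSV, CANDO, date(2005, 12, 6)).items()):
        print(admin, rows)
```

Running it for Tuesday 2005-12-06 puts the overdue DHCP host straight into the block list, gives the overdue fixed-IP host until 18:00, and only notifies the admins of the other two; on the Friday the undated finding that has been open for 29 days becomes a sysadmin nag.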

  6. “Quarterly” Scans
  • Web Servers
    • Standard ISS L4 Web Server Policy
    • Could switch to monthly
  • SANS TOP 20
    • Visitor Network
    • Public Networks
    • “Special” Networks (open, but critical apps)
    • Private Networks (haven’t gotten to these yet…)

  7. Enforcement of “Quarterly” Scans
  • Trouble Tickets Created in RT
    • Most of the “highs” & a few of the “mediums”
  • Work with System Admins to get resolved or…
    • Move systems into Internet-Free-Zone
  • Rescanning; Assisting Admins; Closing Tickets is a huge effort. Takes about 1 month of my time. Hoping this drops each quarter.

  8. ScanMe Application
  • To keep the Desktop Admins from constantly contacting me to re-scan…
  • One dedicated Internet Scanner with a Web front-end
    • Windows Authentication
    • Enter IP and Policy to use
    • Verify caller is authorized
    • PDF report is emailed to requester
  • Big time-saver for me – Admins like it!
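The "verify caller is authorized" step from slide 8, as an added Python example rather than SLAC's ScanMe code. It assumes the web front end hands over the Windows-authenticated account name, a single lab prefix (10.1.0.0/16, a constructed stand-in), two policy names and one security-team account allowed to scan any registered host; the CANDO entries are constructed. The point of each check is to keep a shared scanner from being turned on addresses outside the lab, run with an arbitrary policy, or pointed at another admin's machine.

```python
"""ScanMe request authorization modelled on slide 8. Added example, not SLAC's code.
Lab prefix, policy names, security-team account and registration records are assumed."""
import ipaddress

# Constructed stand-in for the CANDO DNS-registration DB: IP -> host and registered admin.
CANDO = {
    "10.1.10.5": {"host": "pc-alpha", "admin": "alice"},
    "10.1.20.9": {"host": "pc-beta", "admin": "bob"},
}

LAB_NETWORKS = [ipaddress.ip_network("10.1.0.0/16")]   # assumed lab prefix, not from the slides
POLICIES = {"daily", "web-server-l4"}                  # assumed names for the slide-3 and slide-6 policies
SECURITY_TEAM = {"teresa"}                             # assumed: may scan any registered host


def check_scan_request(requester, target_ip, policy, registration=CANDO):
    """Decide whether the Windows-authenticated `requester` may run `policy`
    against `target_ip`. Returns "ok" or a short denial reason; the caller
    only submits the scan and mails the PDF on "ok"."""
    try:
        ip = ipaddress.ip_address(target_ip.strip())
    except ValueError:
        return "denied: target is not an IP address"   # hostnames are not accepted, only IPs
    # An IPv6 address never matches an IPv4 network, so it is rejected here too.
    if not any(ip in net for net in LAB_NETWORKS):
        return "denied: target is outside the lab networks"
    if policy not in POLICIES:
        return "denied: unknown scan policy"
    reg = registration.get(str(ip))
    if reg is None:
        return "denied: target is not registered in CANDO"
    if requester not in SECURITY_TEAM and reg["admin"] != requester:
        return "denied: requester is not the registered admin of " + reg["host"]
    return "ok"


if __name__ == "__main__":
    for req in [("alice", "10.1.10.5", "daily"), ("bob", "10.1.10.5", "daily"),
                ("alice", "8.8.8.8", "daily"), ("alice", "10.1.10.5", "everything")]:
        print(req, "->", check_scan_request(*req))
```

Note that the ownership check comes last: the cheap, input-only checks (address syntax, lab prefix, policy allow-list) run before anything touches the registration DB, so a malformed or out-of-scope request never reaches it.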

  9. Questions?
