How I Became Vulnerable: Scanning IT Infrastructure with Qualys

Hi all!

Today I want to talk about Qualys Vulnerability Management, a cloud-based solution for finding and analyzing vulnerabilities, on which one of our services is based.

Below I will show how the scanning itself is organized and what information on vulnerabilities can be found from the results.

What can be scanned

External services. To scan services that are reachable from the Internet, the client provides us with their IP addresses and credentials (if a scan with authentication is needed). We scan the services from the Qualys cloud and send a report based on the results.

Internal services. In this case, the scanner looks for vulnerabilities on internal servers and network infrastructure. Using such a scan, you can inventory the versions of operating systems, applications, open ports and services behind them.

For scanning within the customer's infrastructure, a Qualys scanner is installed on the internal network. The Qualys cloud acts as the command center for this scanner.

In addition to the internal server with Qualys, agents (Cloud Agents) can be installed on the scanned objects. They collect information about the system locally, with virtually no load on the network or on the hosts they run on, and send what they collect to the cloud.

There are three important points here: authentication, selection of objects for scanning, and timing.

  1. Use authentication. Some clients ask for blackbox scans, especially for external services: they give us a range of IP addresses without specifying the systems and say "be like a hacker". But hackers rarely act blindly. When it comes to the attack itself (not reconnaissance), they know what they are attacking.

    Scanning blindly, Qualys can stumble upon fake banners and scan them instead of the target system. And without understanding what exactly will be scanned, it is easy to overshoot with the scanner settings and bring down the service being checked.

    Scanning is far more useful if you run it with authentication against the scanned systems (whitebox). That way the scanner knows what it is dealing with, and you receive complete data about the vulnerabilities of the target system.

    Qualys has many authentication options.

  2. Group assets. If you run a scan on everything at once and indiscriminately, it will take a long time and create an unnecessary load on the systems. It is better to combine hosts and services into groups according to their importance, location, OS version, infrastructure criticality, and other features (in Qualys they are called Asset Groups and Asset Tags) and select a specific group when scanning.
  3. Select a maintenance window for scanning. Even if you have foreseen and prepared everything, scanning creates additional load on the systems. It will not necessarily degrade the service, but it is better to choose a specific time for it, as you would for backups or rolling out updates.

What can be learned from the reports?

Based on the results of the scan, the client receives a report that contains not only a list of all vulnerabilities found, but also basic recommendations for eliminating them: updates, patches, etc. Qualys has a lot of reports: there are default templates, and you can create your own. In order not to get lost in all this variety, it is better to first decide on the following points:

  • Who will view this report: a manager or a technical specialist?
  • What information do you want to get from the scan results? For example, if you want to find out whether all the necessary patches are installed and how work on previously found vulnerabilities is progressing, that is one report. If you just need to inventory all hosts, that is another.

If your task is to show management a brief but visual picture, you can generate an Executive Report. All vulnerabilities will be broken down by criticality level, with graphs and diagrams: for example, the top 10 most critical vulnerabilities or the most common ones.

For the technical specialist there is the Technical Report with all the details. You can generate the following reports:

Host report. A useful thing when you need to inventory the infrastructure and get a complete picture of host vulnerabilities. 

This is what the list of scanned hosts looks like, with the OS running on each of them.

Let's open the host of interest and see a list of 219 vulnerabilities found, starting from the most critical, the fifth level:

Details for each vulnerability follow. They include:

  • when the vulnerability was first and last detected,
  • industry identifiers of the vulnerability,
  • the patch that eliminates the vulnerability,
  • whether there are compliance issues with PCI DSS, NIST, etc.,
  • whether an exploit or malware exists for this vulnerability,
  • whether the vulnerability is detected when scanning with or without authentication on the system, etc.

If this is not the first scan (and yes, you need to scan regularly 🙂), then using the Trend Report you can track the dynamics of your work on vulnerabilities. The status of each vulnerability is shown in comparison with the previous scan: vulnerabilities that were previously found and have since been closed are marked as fixed, unpatched ones as active, and newly found ones as new.

Vulnerability report. In this report, Qualys builds a list of vulnerabilities, starting with the most critical, indicating which hosts each vulnerability is found on. The report comes in handy if you decide to deal with, for example, all level XNUMX vulnerabilities right now.

You can also make a separate report only for vulnerabilities of the fourth and fifth levels.

Patch report. Here is a complete list of patches that need to be installed in order to eliminate the vulnerabilities found. For each patch there is an explanation of which vulnerabilities it addresses, on which host or system it needs to be installed, and a direct download link.

PCI DSS Compliance Report. The PCI DSS standard requires scanning of Internet-facing information systems and applications every 90 days. After the scan, you can generate a report that shows where the infrastructure does not meet the requirements of the standard.

Vulnerability Reporting. Qualys can be integrated with a service desk, so that all vulnerabilities found are automatically converted into tickets. With this report it is then easy to track progress on completed tickets and fixed vulnerabilities.

Open ports report. Here you can get information on open ports and the services running on them:

or generate a report on vulnerabilities on each port:

These are just the standard report templates. You can create your own for specific tasks, for example, to show only vulnerabilities of the fifth criticality level or higher. All reports are available in CSV, XML, HTML, PDF and DOCX formats.
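To show what the Trend Report's fixed / active / new classification and a severity-filtered custom report amount to, here is an added example (not part of the original post and not Qualys's own code) that diffs two consecutive scan exports. The CSV column layout, host addresses and vulnerability identifiers are constructed for the example and are not Qualys's actual report schema.

```python
import csv
import io

# Constructed sample exports of two consecutive scans (assumed column layout,
# not Qualys's real schema): host, vulnerability id, title, criticality 1-5.
PREVIOUS_SCAN = """host,vuln_id,title,severity
10.0.0.5,V-101,Outdated TLS library,5
10.0.0.5,V-102,Weak TLS cipher suites,3
10.0.0.7,V-201,Missing OS security update,4
"""

CURRENT_SCAN = """host,vuln_id,title,severity
10.0.0.5,V-102,Weak TLS cipher suites,3
10.0.0.7,V-201,Missing OS security update,4
10.0.0.7,V-305,Unsupported web server version,5
"""


def load_findings(csv_text):
    """Return {(host, vuln_id): row} for one scan export."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["severity"] = int(row["severity"])
        findings[(row["host"], row["vuln_id"])] = row
    return findings


def trend(previous, current):
    """Classify each finding the way a Trend Report does: fixed / active / new.

    fixed  - present in the previous scan, absent now
    active - present in both scans (still unpatched)
    new    - absent previously, present now
    """
    status = {}
    for key in previous.keys() | current.keys():
        if key not in current:
            status[key] = "fixed"
        elif key in previous:
            status[key] = "active"
        else:
            status[key] = "new"
    return status


def filter_by_severity(findings, minimum):
    """Keep findings at or above a criticality level, most critical first."""
    return sorted(
        (row for row in findings.values() if row["severity"] >= minimum),
        key=lambda row: (-row["severity"], row["host"], row["vuln_id"]),
    )
```

Running `trend(load_findings(PREVIOUS_SCAN), load_findings(CURRENT_SCAN))` marks V-101 as fixed, V-102 and V-201 as active, and V-305 as new; `filter_by_severity(..., 4)` keeps only V-305 and V-201.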

And remember: security is not a result, but a process. A one-time scan helps you see the problems of the moment, but it is not a full-fledged vulnerability management process.
To make it easier for you to commit to this regular work, we have built a service based on Qualys Vulnerability Management.

For all readers of Habr there is a promotion: when ordering the scanning service for a year, two months of scans are free. Applications can be left here; in the "Comment" field, write Habr.

Source: habr.com