Hot Stuff! Vulnerability Remediation
Earlier this week, I had the good fortune to pay a visit to TechEd, Microsoft’s annual information exchange event for technoids like me. On the exhibit floor, I visited with some representatives of Dallas-based Citadel Security Software, who offer a product that performs what they call “vulnerability remediation.” Intrigued by what this might mean, I submitted to a little education, wary of snake oil and sales pitches, and walked away with some new insights into how security scans should really work (and sometimes do, if the Citadel staff are to be believed; given their customer list, I presume they deliver on their technology descriptions-slash-promises).
The company sells a product called Hercules that’s licensed on a push server, where licensing fees vary by client platform and role (client or server). For most security scanning tools, whether standalone scanners like Harris STAT or the long-lived and well-known ISS Internet Scanner, or scanning services such as SecuritySpace.com, what results from scanning a system is a report that lists the vulnerabilities, password problems, bogus settings, open ports, and more that the tool discovered during its efforts. If you’re lucky, such listings will include advice on how to remedy the items that are discovered, or perhaps you’ll get pointers to resources online that provide such information. But the real work remains in the hands of busy network or system administrators, who must then apply whatever fixes, changes, configuration updates, or other contortions are necessary to repair, foil, or mitigate potential vulnerabilities.
In one of those brilliant technical maneuvers that is completely obvious after it’s explained, Citadel’s Hercules product uses the output from any of a number of security scanners to automatically fix the vulnerabilities that such tools report. Furthermore, it does so in a simple, straightforward way that permits changes that later prove onerous or problematic to be rolled back as easily as they can be applied in the first place. “Now why didn’t I think of that?” was my thought as the crew explained Hercules to me.
If there’s any kind of secret to Hercules’ automated abilities, it’s that a team of engineers keeps constant track of new vulnerabilities, exploits, security bulletins and alerts, and so forth, to decide what needs remediation. These folks use this information to build and test automatic remediation scripts (called “vulnerability flashes” or “V-flashes” in product jargon) that are then made available across the Internet to Hercules server owners to use as they see fit. Hercules offers remediation for the following systems:
- Windows NT 4.0 (SP4 or higher), Windows 2000, and Windows XP
- Solaris 2.6, 7, 8, and 9
- Red Hat Linux distributions 6.0, 6.1, 6.2, 7.0, 7.1, 7.2, 7.3
Such scripts are also known as remediation signatures at Citadel. They reside in a centralized database on Citadel’s V-Flash Server, from which Hercules servers download them. The Hercules server handles delivery and script execution on all designated client machines (which themselves also run Hercules agents to handle local installation, processing, status reporting, restarts or reboots, and so forth).
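The two ideas the article has described so far, scanner output driving automatic fixes and every fix being reversible, fit a simple pattern worth seeing in code: record the prior state of each setting before changing it, keep that record in a journal, and undo by replaying the journal backwards. The example below is an added illustration of that pattern and is not Hercules code; the report format, check ids, setting names and host names are all constructed. It also handles two cases a real remediation engine has to get right: findings with no matching signature are left for manual review rather than guessed at, and a setting that is already compliant (a stale finding from an older scan) is skipped so the journal only contains real changes.

```python
"""Scan-driven remediation with rollback (constructed illustration, not Hercules code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# A host's configuration is modelled as a flat key/value store; it stands in for
# registry values, account flags, service settings and the like (constructed).
HostConfig = Dict[str, str]


@dataclass
class Finding:
    """One line of a scanner report: which host, which check fired, what was observed."""
    host: str
    check_id: str
    evidence: str


@dataclass
class Remediation:
    """A remediation signature: for one check id, the setting to change and its secure value."""
    check_id: str
    setting: str
    secure_value: str
    description: str


@dataclass
class JournalEntry:
    """What a remediation changed, with enough state to undo it."""
    host: str
    setting: str
    old_value: Optional[str]  # None means the setting did not exist before
    new_value: str


# Constructed signature catalogue; the check ids are placeholders, not any scanner's real ids.
CATALOGUE: Dict[str, Remediation] = {
    "NULL-SESSION": Remediation("NULL-SESSION", "RestrictAnonymous", "1",
                                "Disable anonymous (null session) enumeration"),
    "PWD-NO-EXPIRY": Remediation("PWD-NO-EXPIRY", "MaximumPasswordAge", "90",
                                 "Require passwords to expire"),
    "GUEST-ENABLED": Remediation("GUEST-ENABLED", "GuestAccountEnabled", "0",
                                 "Disable the built-in Guest account"),
}


def parse_report(text: str) -> List[Finding]:
    """Parse a constructed 'host,check_id,evidence' report; blank and '#' lines are skipped."""
    findings: List[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",", 2)]
        if len(parts) != 3:
            continue  # malformed line: ignore rather than act on a partial record
        findings.append(Finding(*parts))
    return findings


class RemediationServer:
    """Applies signatures to a fleet of host configs and journals every change for rollback."""

    def __init__(self, fleet: Dict[str, HostConfig]):
        self.fleet = fleet
        self.journal: List[JournalEntry] = []

    def remediate(self, findings: List[Finding]) -> List[str]:
        """Apply a signature for each finding; return one human-readable action line per finding."""
        actions: List[str] = []
        for f in findings:
            sig = CATALOGUE.get(f.check_id)
            if sig is None:
                actions.append(f"{f.host}: no signature for {f.check_id}, left for manual review")
                continue
            cfg = self.fleet[f.host]
            old = cfg.get(sig.setting)
            if old == sig.secure_value:
                actions.append(f"{f.host}: {sig.setting} already compliant, nothing journaled")
                continue
            # Record the prior state first, then change it, so an interrupted run is still undoable.
            self.journal.append(JournalEntry(f.host, sig.setting, old, sig.secure_value))
            cfg[sig.setting] = sig.secure_value
            actions.append(f"{f.host}: {sig.description} ({sig.setting} {old!r} -> {sig.secure_value!r})")
        return actions

    def rollback(self, host: Optional[str] = None, setting: Optional[str] = None) -> int:
        """Undo journaled changes (optionally filtered by host/setting), newest first; return the count."""
        selected = [e for e in self.journal
                    if (host is None or e.host == host) and (setting is None or e.setting == setting)]
        for entry in reversed(selected):
            cfg = self.fleet[entry.host]
            if entry.old_value is None:
                cfg.pop(entry.setting, None)  # the setting was created by us: remove it again
            else:
                cfg[entry.setting] = entry.old_value
        self.journal = [e for e in self.journal if not any(e is s for s in selected)]
        return len(selected)


# Constructed scanner output and fleet state used by demo().
SAMPLE_REPORT = """\
# host,check_id,evidence   (constructed)
fileserv01,NULL-SESSION,RestrictAnonymous=0
fileserv01,PWD-NO-EXPIRY,MaximumPasswordAge=0
wks-042,GUEST-ENABLED,Guest account active
wks-042,UNKNOWN-CHECK,finding with no signature in the catalogue
"""

FLEET: Dict[str, HostConfig] = {
    "fileserv01": {"RestrictAnonymous": "0", "MaximumPasswordAge": "0"},
    "wks-042": {"GuestAccountEnabled": "1"},
}


def demo():
    """Remediate the sample report, then roll back one change on one host."""
    server = RemediationServer({h: dict(c) for h, c in FLEET.items()})
    actions = server.remediate(parse_report(SAMPLE_REPORT))
    reverted = server.rollback(host="fileserv01", setting="MaximumPasswordAge")
    return server, actions, reverted


if __name__ == "__main__":
    srv, acts, n = demo()
    print("\n".join(acts))
    print(f"rolled back {n} change(s); journal now holds {len(srv.journal)} entr(y/ies)")
```

The journal is the whole trick: because `old_value` is captured before the write, a selective rollback (one setting on one host, as `demo()` does) and a full rollback (`rollback()` with no filters) are the same operation over a different slice of the journal, and replaying newest-first keeps overlapping changes to the same setting correct.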
Today, Hercules takes input from numerous security scanners:
- Harris STAT scanner
- ISS Internet Scanner and System Scanner
- Microsoft HFNetChk
- Nessus Scanner
- Qualys QualysGuard
- Retina Digital Security Scanner
Hercules also deals with five classes of vulnerabilities to cover the full range of security remediation:
- unsecured accounts: null passwords, no Administrator password, no password expiration, weak passwords, passwords in violation of password policy, etc.
- misconfigurations: NetBIOS exposures, null sessions, vulnerable well-known accounts, etc.