Coming to you, live from Rapid7, my name is Chris Godoy and I work on the Security Solutions team here in Boston. My colleagues and I have been posting creative ways to take advantage of Nexpose's new and improved CSV export options. It allows you to easily extract vital pieces of metadata from your vulnerability scans that may not be clearly depicted in our out-of-the-box (or customizable) reports.
Now you can decide exactly what data fields you would like to have at your fingertips to manipulate in an Excel spreadsheet, and using pivot tables you can create your own awesome reports (that management will love you for!). Take a look at my examples below (other examples can be found in Parts 1, 2, 3 and 4) and let me know what you think! –Chris
Report 1 – Allocate and manage resources effectively to minimize chances of a BREACH!
WHO: Anyone within an organization's network/security team who determines how to go about spending time/resources on remediation, and what issues to remediate, post vulnerability scan.
WHAT: This report is very simple – it looks at 2 critical pieces of data regarding your vulnerability management program:
- Are there any exploits associated with discovered vulnerabilities on a system? If a vulnerability has a working exploit written for it, it is MUCH more likely that vulnerability will be targeted first, using an open source tool like Metasploit, before other vulnerabilities are targeted in an attack.
- How easy is it to use these exploits – what skill level would be required to use them? The vast majority of breaches – more than 75% according to the latest Verizon Breach Report – are the result of a hacker taking advantage of easily exploitable vulnerabilities: low hanging fruit. The breaches we've seen over the past year are not exactly on par with the complexity of understanding linear algebra, so focus on systems that are susceptible to exploits that can be easily executed.
This pivot table shows a list of Operating Systems in scope for a scan, and the average number of exploits available for each OS – either requiring a novice or intermediate skill level. Systems that do not have exploits associated with their vulns, or exploits that require an expert skill level, are omitted from this report. This allows you to spend time and resources efficiently, remediating vulnerabilities on systems that are likely to get you in trouble, and triaging other issues accordingly.
WHY: Why is this important? Well, isn't that why we spend time and money on security – to prevent a data breach at the hands of ______?? (Fill in the blank with any of the following: Your #1 competitor trying to steal company data. The angry, resentful admin you just let go. Hacking group Anonymous. An advanced persistent threat.).
If there is an exploit out in the wild that has been published and submitted to the most widely used hacking tool in the world, don't you think you should remediate those vulnerabilities first? And oh yeah, regarding the exploit – are you an ethical hacker? Professional pen tester? Have you ever tried to use the Metasploit Framework? Unless you're a seasoned vet, you'll find that successful exploitation isn't the easiest thing to accomplish. So let's break it down 1 step further and start off by focusing on exploits that only require a NOVICE skill level to pull off.
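The Report 1 pivot (average exploit count per OS, Novice and Intermediate only, Expert and no-exploit rows dropped) can also be built straight from the CSV without Excel. The script below is an added example, not code from the post or from Rapid7; the export sample is constructed, and the column names (Asset OS Name, Exploit Count, Exploit Minimum Skill) are assumed for illustration rather than verified against a real Nexpose export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Nexpose-style CSV export (not real scan data).
# Column names are assumed for illustration, not verified against an actual export.
SAMPLE_EXPORT = """\
Asset IP Address,Asset OS Name,Vulnerability ID,Exploit Count,Exploit Minimum Skill
10.0.0.11,Microsoft Windows Server 2003,vuln-0001,3,Novice
10.0.0.11,Microsoft Windows Server 2003,vuln-0002,2,Intermediate
10.0.0.12,Microsoft Windows Server 2003,vuln-0003,1,Novice
10.0.0.20,Ubuntu Linux 10.04,vuln-0004,0,
10.0.0.21,Ubuntu Linux 10.04,vuln-0005,1,Intermediate
10.0.0.21,Ubuntu Linux 10.04,vuln-0006,1,Expert
10.0.0.30,Red Hat Enterprise Linux 5,vuln-0007,1,Novice
"""

# Report 1 keeps only the skill levels that represent low-hanging fruit.
KEPT_SKILLS = ("Novice", "Intermediate")


def load_findings(csv_text):
    """Parse the export into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def pivot_exploits_by_os(findings, kept_skills=KEPT_SKILLS):
    """Build the Report 1 pivot: {os_name: {skill: average exploits per finding}}.

    Findings with no exploit, or whose exploit needs Expert skill, are dropped,
    just as the post's pivot table omits them.
    """
    totals = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # os -> skill -> [sum, n]
    for f in findings:
        exploit_count = int(f["Exploit Count"] or 0)
        skill = (f["Exploit Minimum Skill"] or "").strip()
        if exploit_count == 0 or skill not in kept_skills:
            continue
        bucket = totals[f["Asset OS Name"]][skill]
        bucket[0] += exploit_count
        bucket[1] += 1
    return {
        os_name: {skill: total / n for skill, (total, n) in per_skill.items()}
        for os_name, per_skill in totals.items()
    }


def rank_for_remediation(pivot, kept_skills=KEPT_SKILLS):
    """Order operating systems by average Novice exploits, then Intermediate,
    so the platforms easiest to exploit come first. Returns
    [(os_name, (novice_avg, intermediate_avg)), ...]; a missing skill counts as 0."""
    def key(item):
        _, per_skill = item
        return tuple(per_skill.get(skill, 0.0) for skill in kept_skills)
    return [(os_name, key((os_name, per_skill)))
            for os_name, per_skill in sorted(pivot.items(), key=key, reverse=True)]


if __name__ == "__main__":
    pivot = pivot_exploits_by_os(load_findings(SAMPLE_EXPORT))
    print(f"{'Operating System':32} {'Novice':>8} {'Intermediate':>13}")
    for os_name, (novice, intermediate) in rank_for_remediation(pivot):
        print(f"{os_name:32} {novice:8.2f} {intermediate:13.2f}")
```

Swap `SAMPLE_EXPORT` for the contents of a real export file and the ranking is the same prioritized list the post's pivot table gives you, with the Expert-only and exploit-free findings already filtered out.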
Report 2 – Review Risk Over Time. Are you overlooking any vulnerabilities?
WHO: Anyone within an organization's network/security team who is looking to assess their risk posture from 30,000 feet and identify trends over time that may not be present at first glance.
WHAT: This report looks at a few important pieces of data.
- It looks at the published date of a vulnerability – when was it first publicly disclosed?
- It looks at the vulnerability age – how long has that vulnerability been present within your environment?
On the X axis you can see the vulnerability risk score, and on the Y axis you can see the overall asset risk score. By looking at this graph, you can see that vulnerabilities from the 2006-2008 timeframe appear to have been neglected, and most of them hold a significant individual risk score which leads to a significant overall asset risk score.
WHY: Why is this important? Well, was there a lull in active remediation during that time period? Has your security team focused more effort on newly published vulnerabilities (e.g. Microsoft Patch Tuesday bulletins), while neglecting older, potentially more risky issues that are better known in the hacking community? Let's not forget about the old, past their prime, 45-year-old-hanging-out-at-the-college-bar-type vulnerabilities. The hacking community is great at self-study, learning new tricks, and teaching others about how to take advantage of security flaws. While you scramble to address the latest vulnerabilities as recommended by Dark Reading, those vulns from back in the day are exactly the type of issues hackers are lurking to exploit.
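The Report 2 view, grouping findings by the year the vulnerability was published and pairing that with how long each has sat in the environment and its risk scores, can be computed from the same CSV. This is an added example, not the post's or Rapid7's code; the export sample is constructed, the column names (Vulnerability Published Date, Vulnerability Age, Vulnerability Risk Score, Asset Risk Score) are assumed for illustration, and the age and risk thresholds used to flag a "neglected" year are placeholders to tune for your own environment.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample of a Nexpose-style CSV export (not real scan data).
# Column names are assumed for illustration; Vulnerability Age is taken to be in days.
SAMPLE_EXPORT = """\
Asset IP Address,Vulnerability ID,Vulnerability Published Date,Vulnerability Age,Vulnerability Risk Score,Asset Risk Score
10.0.0.11,vuln-0001,2006-05-09,900,812.4,3410.7
10.0.0.11,vuln-0002,2007-02-13,700,765.0,3410.7
10.0.0.12,vuln-0003,2008-10-14,600,690.5,1988.2
10.0.0.30,vuln-0004,2011-06-14,45,410.0,1203.0
10.0.0.20,vuln-0005,2012-09-11,20,540.0,980.3
10.0.0.21,vuln-0006,2012-11-13,5,320.0,610.0
"""


def load_findings(csv_text):
    """Parse the export into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def published_year(finding):
    return date.fromisoformat(finding["Vulnerability Published Date"]).year


def summarize_by_published_year(findings):
    """Group findings by publication year and return
    {year: {"count", "avg_age_days", "avg_vuln_risk", "max_asset_risk"}}."""
    groups = defaultdict(list)
    for f in findings:
        groups[published_year(f)].append(f)
    summary = {}
    for year, rows in groups.items():
        n = len(rows)
        summary[year] = {
            "count": n,
            "avg_age_days": sum(int(r["Vulnerability Age"]) for r in rows) / n,
            "avg_vuln_risk": sum(float(r["Vulnerability Risk Score"]) for r in rows) / n,
            "max_asset_risk": max(float(r["Asset Risk Score"]) for r in rows),
        }
    return summary


def neglected_years(summary, min_age_days=365, min_vuln_risk=600.0):
    """Publication years whose findings are both long-lived in the environment
    and high-risk: the 'lull in remediation' the post asks about.
    Thresholds are placeholders, not values from the post."""
    return sorted(
        year for year, s in summary.items()
        if s["avg_age_days"] >= min_age_days and s["avg_vuln_risk"] >= min_vuln_risk
    )


def scatter_points(findings):
    """(vulnerability risk, asset risk, published year) triples: the X/Y pairs
    behind the post's chart, tagged with the year for colouring or filtering."""
    return [
        (float(f["Vulnerability Risk Score"]), float(f["Asset Risk Score"]), published_year(f))
        for f in findings
    ]


if __name__ == "__main__":
    findings = load_findings(SAMPLE_EXPORT)
    summary = summarize_by_published_year(findings)
    print(f"{'Year':>4} {'Count':>5} {'AvgAge':>7} {'AvgVulnRisk':>12} {'MaxAssetRisk':>13}")
    for year in sorted(summary):
        s = summary[year]
        print(f"{year:>4} {s['count']:>5} {s['avg_age_days']:7.1f} "
              f"{s['avg_vuln_risk']:12.1f} {s['max_asset_risk']:13.1f}")
    print("Possibly neglected publication years:", neglected_years(summary))
```

On the constructed sample the 2006 to 2008 years come out old and high-risk, which is the pattern the post reads off its chart; `scatter_points` gives you the same X/Y data if you would rather plot it than read a table.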