What is IAVA?

IAVA (Information Assurance Security Alert) is an alert that is generated by the DoD-CERT, part of the U.S. Cyber Command, detailing specific vulnerabilities that are believed to be relevant to the DoD. Policy dictates that these alerts are distributed to system administrators, who are then responsible for determining which assets are vulnerable and applying the relevant fixes that are associated with the vulnerability in question. It is imperative that system administrators are able to determine what assets are potentially affected when a new IAVA comes out, allowing them to determine the level of scope across their organization and begin to step through the remediation process. While the rest of the world is heavily focused on CVE's, the DoD uses IAVA's to manage vulnerability notifications.

IAVA (Information Assurance Security Management) is the database of all the known IAVA's

How can Nexpose help?

Users of Nexpose are easily able to identify vulnerabilities that have an associated IAVA ID. When looking at a specific vulnerability within Nexpose, you can use the "Vulnerability References" section to view if the underlying vulnerability has an associated IAVA.

In addition, you can also use the search functionality within Nexpose to search for specific IAVA identifiers, allowing you to see all of the different vulnerabilities within Nexpose vulnerabilities that are associated with the same IAVA alerts.

The above easily solves two major problems for you.

  1. How do I determine if a vulnerability within Nexpose is associated with an IAVA identifier?
  2. DoD-CERT has released a new alert. How do I determine the list of vulnerabilities within Nexpose that are associated with that alert, so that I can walk through the remediation process and fix any vulnerabilities that are out there.

While the above workflow solves those core problems, it doesn't solve the biggest problem of all, as it relies on you to be looking at a specific vulnerability or know which specific IAVA id you are looking for. The biggest problem is "How can I find all the vulnerabilities within my environment associated with ANY IAVA identifier?" Luckily, Nexpose can help with this as well.

The IAVM Vulnerability Category

One of the powerful feature sets within Nexpose is the concept of a vulnerability category. A vulnerability category is a grouping of like vulnerabilities together in one group. As an example, the Adobe Flash vulnerability category contains all vulnerabilities within Nexpose that are known to be associated with Adobe Flash. This allows Nexpose users to pick and choose which categories are important to them and include or exclude them within scans and reports.

One of the vulnerability categories that is selectable is the IAVM category within Nexpose. This category contains every vulnerability within Nexpose that is associated with a specific IAVA identifier. In addition, the vulnerability category listing is dynamic, allowing you to have an up to date view of vulnerabilities within Nexpose associated with IAVA identifiers.

One of the first things you can do with a vulnerability category is include it in scans. You are able to include or exclude specific vulnerability categories from running within a scan.

In the above example, I have added the IAVM category within my scan template. This will ensure that only vulnerabilities associated with IAVA identifiers will be included in my vulnerability scan, excluding vulnerabilities that are not. This allows you to customize your scans to focus on scanning only for specific vulnerabilities, allowing you to run scans of your environment and get the information that you need faster.

However, you may not want to scan for specific vulnerabilities. You may have a need to scan for everything all at once, since you have a limited time window to scan, and then pick out the information you require later. The advantage to the vulnerability category feature set is that you can also use it in reporting as well. Similar to how we restricted vulnerability scans to a specific category above, the Nexpose reporting platform allows you to also restrict the data within a report to vulnerabilities associated with specific categories. On the report page, you can restrict vulnerabilities by using a vulnerability filter under the scope section.

One of the options on the filter page is the ability to include or exclude a vulnerability category. In the example below, I've explicitly included the IAVM category.

Therefore, the report that is generated will only have information related to vulnerabilities discovered that are associated with the IAVM vulnerability category. Even though other vulnerabilities may have been discovered in the scan that are not associated with IAVM, those are automatically removed from the report, allowing you to target your reports for specific audiences.

Nexpose provides the ability to allow organizations, such as the DoD, the ability to quickly and accurately identify vulnerabilities associated with IAVA alerts within their organizations and assist them in finding assets that need to be remediated. With the ability to query IAVA information in multiple ways, Nexpose provides administrators with flexibility and control in how they want to be able to manage their overall level of IAVA compliance within their organization.