How I became vulnerable: we scan IT infrastructure with Qualys
Hello!
Today I want to tell you about the cloud solution for searching and analyzing vulnerabilities in Qualys Vulnerability Management, on which one of our services is built .
Below I will show how the scan itself is organized and what information on vulnerabilities can be found on the basis of the results.
')
External services. To scan services that have access to the Internet, the client provides us with their IP addresses and credentials (if you need a scan with authentication). We scan services using the Qualys cloud and send a report on the results.
Internal services. In this case, the scanner looks for vulnerabilities on the internal servers and network infrastructure. With this scan, you can make an inventory of versions of operating systems, applications, open ports and services behind them.
For scanning within the client's infrastructure, a Qualys scanner is installed. The Qualys cloud here serves as the command center for this scanner.
In addition to the internal server from Qualys, agents can be installed on the scanned objects (Cloud Agent). They collect information about the system locally, practically do not create a load on the network and on the hosts on which they work. The resulting information is sent to the cloud.
There are three important points: authentication and selection of objects for scanning.
Following the results of the scan, the client receives a report that includes not only a list of all the vulnerabilities found, but also basic recommendations for eliminating them: updates, patches, etc. Qualys has many reports: there are default templates and you can create your own. In order not to get confused in all its diversity, it is better to first decide for yourself on the following points:
If you have a task to show a brief, but clear, picture to the management, then you can form the Executive Report . All vulnerabilities will be decomposed into shelves, severity levels, graphs and diagrams. For example, the top 10 most critical vulnerabilities or the most common vulnerabilities.
For a technical specialist there is a Technical Report with all the details and details. You can generate the following reports:
Host report . The useful thing is when you need to take an inventory of the infrastructure and get a complete picture of the vulnerabilities of the hosts.
Here is the list of analyzed hosts with the indication of the operating systems.
Open the host of interest and see a list of 219 vulnerabilities found, starting from the most critical, fifth level:
Then you can see the details of each vulnerability. Here we see:
If this is not the first scan - yes, you need to be scanned regularly :) - then with the help of Trend Report you can track the dynamics of working with vulnerabilities. The status of vulnerabilities will be shown in comparison with the previous scan: vulnerabilities that were previously found and closed will be marked as fixed, unclosed - active, new - new.
Vulnerability report. In this report, Qualys will build a list of vulnerabilities, starting with the most critical ones, with an indication on which host to catch this vulnerability. The report is useful if you decide to understand the moment, for example, with all the fifth level vulnerabilities.
You can also make a separate report only on vulnerabilities of the fourth and fifth levels.
Patch report Here is a complete list of patches that need to be put to eliminate the found vulnerabilities. For each patch, there is an explanation of what vulnerabilities it treats, on which host / system you need to install, and a direct link to download.
Report for compliance with PCI DSS standards . The PCI DSS standard requires scanning information systems and applications available from the Internet every 90 days. After the scan, you can generate a report that shows that the infrastructure does not meet the requirements of the standard.
Vulnerability reports . Qualys can be integrated with the service desk, and then all found vulnerabilities will automatically be translated into tickets. With the help of this report, it will be possible to track the progress on tickets executed and vulnerabilities fixed.
Reports on open ports . Here you can get information on open ports and services running on them:
or generate a report on vulnerabilities on each port:
These are just standard report templates. You can create your own under specific tasks, for example, show only vulnerabilities not lower than the fifth level of criticality. All reports are available. Report format: CSV, XML, HTML, PDF and docx.
And remember: safety is not a result, but a process. A one-time scan helps to see problems in the moment, but this is not about a full-fledged process of managing vulnerabilities.
To make it easier for you to decide on this regular work, we have made a service based on Qualys Vulnerability Management.
For all Habr readers, there is a special offer: when ordering a scanning service for a year, two months of scans are free. Applications can be left here in the field "Comment" write Habr.
Today I want to tell you about the cloud solution for searching and analyzing vulnerabilities in Qualys Vulnerability Management, on which one of our services is built .
Below I will show how the scan itself is organized and what information on vulnerabilities can be found on the basis of the results.
')
What can be scanned
External services. To scan services that have access to the Internet, the client provides us with their IP addresses and credentials (if you need a scan with authentication). We scan services using the Qualys cloud and send a report on the results.
Internal services. In this case, the scanner looks for vulnerabilities on the internal servers and network infrastructure. With this scan, you can make an inventory of versions of operating systems, applications, open ports and services behind them.
For scanning within the client's infrastructure, a Qualys scanner is installed. The Qualys cloud here serves as the command center for this scanner.
In addition to the internal server from Qualys, agents can be installed on the scanned objects (Cloud Agent). They collect information about the system locally, practically do not create a load on the network and on the hosts on which they work. The resulting information is sent to the cloud.
There are three important points: authentication and selection of objects for scanning.
- Use authentication . Some customers ask to scan the blackbox, especially for external services: they give us a range of IP addresses without specifying the system and say “be like a hacker”. But hackers rarely act blindly. When it comes to attack (not intelligence), then they know they are breaking into.
Blindly, Qualys may stumble upon bogus banners and scan them instead of the target system. And without understanding what exactly will be scanned, it is easy to miss with the scanner settings and “attach” the service being checked.
Scanning will bring more benefits if you carry out authentication checks before scanning systems (whitebox). So the scanner will understand where it has come, and you will receive complete data on the vulnerabilities of the target system.
Qualys has many authentication options. - Group assets . If you run a scan around at once and without analysis, it will be long and will create an extra load on the system. Hosts, services are best grouped by importance, location, OS version, infrastructure criticality and other features (in Qualys they are called Asset Groups and Asset Tags) and select a specific group when scanning.
- Select technical window for scanning. Even if you have all been prepared and prepared, the scan creates an additional load on the system. It does not necessarily cause the degradation of the service, but it is better for him to choose a specific time, as for backup or roll forward of updates.
What can you learn from the reports?
Following the results of the scan, the client receives a report that includes not only a list of all the vulnerabilities found, but also basic recommendations for eliminating them: updates, patches, etc. Qualys has many reports: there are default templates and you can create your own. In order not to get confused in all its diversity, it is better to first decide for yourself on the following points:
- Who will watch this report: manager or technician?
- What information do you want to get from the scan results? For example, if you want to find out if all the necessary patches are installed and how the removal of previously found vulnerabilities is being done, then this is one report. If you just need to inventory all the hosts, then the other.
If you have a task to show a brief, but clear, picture to the management, then you can form the Executive Report . All vulnerabilities will be decomposed into shelves, severity levels, graphs and diagrams. For example, the top 10 most critical vulnerabilities or the most common vulnerabilities.
For a technical specialist there is a Technical Report with all the details and details. You can generate the following reports:
Host report . The useful thing is when you need to take an inventory of the infrastructure and get a complete picture of the vulnerabilities of the hosts.
Here is the list of analyzed hosts with the indication of the operating systems.
Open the host of interest and see a list of 219 vulnerabilities found, starting from the most critical, fifth level:
Then you can see the details of each vulnerability. Here we see:
- when the vulnerability was fixed for the first and last time
- industrial vulnerability numbers,
- patch to fix the vulnerability
- Are there any problems with compliance with the standard PCI DSS, NIST, etc.,
- Is there an exploit and malware for this vulnerability?
- Is the vulnerability detected when scanning with or without authentication in the system, etc.
If this is not the first scan - yes, you need to be scanned regularly :) - then with the help of Trend Report you can track the dynamics of working with vulnerabilities. The status of vulnerabilities will be shown in comparison with the previous scan: vulnerabilities that were previously found and closed will be marked as fixed, unclosed - active, new - new.
Vulnerability report. In this report, Qualys will build a list of vulnerabilities, starting with the most critical ones, with an indication on which host to catch this vulnerability. The report is useful if you decide to understand the moment, for example, with all the fifth level vulnerabilities.
You can also make a separate report only on vulnerabilities of the fourth and fifth levels.
Patch report Here is a complete list of patches that need to be put to eliminate the found vulnerabilities. For each patch, there is an explanation of what vulnerabilities it treats, on which host / system you need to install, and a direct link to download.
Report for compliance with PCI DSS standards . The PCI DSS standard requires scanning information systems and applications available from the Internet every 90 days. After the scan, you can generate a report that shows that the infrastructure does not meet the requirements of the standard.
Vulnerability reports . Qualys can be integrated with the service desk, and then all found vulnerabilities will automatically be translated into tickets. With the help of this report, it will be possible to track the progress on tickets executed and vulnerabilities fixed.
Reports on open ports . Here you can get information on open ports and services running on them:
or generate a report on vulnerabilities on each port:
These are just standard report templates. You can create your own under specific tasks, for example, show only vulnerabilities not lower than the fifth level of criticality. All reports are available. Report format: CSV, XML, HTML, PDF and docx.
And remember: safety is not a result, but a process. A one-time scan helps to see problems in the moment, but this is not about a full-fledged process of managing vulnerabilities.
To make it easier for you to decide on this regular work, we have made a service based on Qualys Vulnerability Management.
For all Habr readers, there is a special offer: when ordering a scanning service for a year, two months of scans are free. Applications can be left here in the field "Comment" write Habr.
Source: https://habr.com/ru/post/457768/
All Articles