Security Vulnerability Assessment Tools
By Kevin St Thomas, CTS Security Officer
With all the security breaches currently reported in the news, it is important that the State of Maine take every necessary step to safeguard the data it maintains. The value of this data cannot be overstated, nor can the damage to the public caused by a security breach of any device in our infrastructure.
Over the past three years, the Office of Information Technology (OIT) has invested in a suite of tools that allows it to perform security assessments on computing assets and applications in state government. The goal is to reduce vulnerability exposure and enhance overall security. As part of this effort, NeXpose, an enterprise vulnerability assessment software tool, was acquired to perform security assessments on infrastructure components such as servers, routers and wireless access points.
The NeXpose tool, when run, will discover, detect, and assess security vulnerabilities of network devices and prescribe remediation steps. The assessment process:
- tests for the presence of running or installed services, open ports, missing or outdated patches;
- performs vulnerability checks of third-party commercial applications; and
- tests for compliance with group policies, operating systems, applications, and services.
NeXpose also features extensive reporting capabilities that assist administrators and security professionals in remediation efforts.
Starting in the summer of 2009, with the aid of the NeXpose tool, the service management team in OIT Core Technology Services began establishing a proactive method of assessing vulnerabilities on the State of Maine network. The goal was to implement a process that would measure the OIT security posture on an ongoing basis and present specific, measured steps to remediate any security issues found. Servers were the first items analyzed on the network. Reporting formats were designed, presented, and approved by the server teams and management, and vulnerability assessment tests were then run on a small pool of devices to prove out the process, test network utilization, and analyze report output. The initial runs were successful, leading to scheduled scans that commenced in September 2009.
Over the next several months the pool of scanned servers was increased to more than 500 devices (approximately two-thirds of the server inventory). Each month, assessment testing is now performed on the bulk of Windows servers, internal and external networks, data centers and sites throughout the state.
Monthly meetings occur between service management team members and security representatives of the various teams to review results and agree on recommended remedial steps. Through this process, OIT is able to more accurately measure, report, and track the security posture of its assets. These ongoing monthly efforts have demonstrated a reduction in vulnerabilities, thereby improving the overall security posture of the network.
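The month-over-month tracking described above, as an added illustration that is not OIT's or NeXpose's own code: it compares two consecutive scan exports, classifies each finding as remediated, new or persisting, and orders the open items by severity for the review meeting. The CSV layout (host, vuln_id, severity), the host names and the vulnerability ids are all constructed for the example, not the real NeXpose report format.

```python
import csv
import io
from collections import Counter

# Constructed sample exports for two consecutive monthly scans of the same
# hosts, in a simplified CSV layout. This is not the real NeXpose report
# format; it only stands in for the tool's per-host finding list.
SEPTEMBER_SCAN = """host,vuln_id,severity
srv-web-01,PATCH-MISSING-001,Critical
srv-web-01,SSL-WEAK-CIPHERS,High
srv-db-02,PATCH-MISSING-001,Critical
srv-db-02,TELNET-OPEN,Medium
"""

OCTOBER_SCAN = """host,vuln_id,severity
srv-web-01,SSL-WEAK-CIPHERS,High
srv-db-02,TELNET-OPEN,Medium
srv-db-02,SMB-SIGNING-OFF,Medium
srv-file-03,PATCH-MISSING-001,Critical
"""

SEVERITY_RANK = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}


def load_findings(csv_text):
    """Parse one scan export into {(host, vuln_id): severity}."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings[(row["host"], row["vuln_id"])] = row["severity"]
    return findings


def compare_scans(previous, current):
    """Classify every finding as remediated, new or persisting between two
    monthly scans, and count the current posture by severity."""
    prev_keys, cur_keys = set(previous), set(current)
    return {
        "remediated": sorted(prev_keys - cur_keys),
        "new": sorted(cur_keys - prev_keys),
        "persisting": sorted(prev_keys & cur_keys),
        "by_severity": Counter(current.values()),
    }


def remediation_priorities(current):
    """Order open findings so the review works the highest severity first;
    ties fall back to host/vuln order so the list is stable between runs."""
    return sorted(current, key=lambda k: (-SEVERITY_RANK.get(current[k], 0), k))


if __name__ == "__main__":
    delta = compare_scans(load_findings(SEPTEMBER_SCAN), load_findings(OCTOBER_SCAN))
    for bucket in ("remediated", "new", "persisting"):
        print(f"{bucket}: {len(delta[bucket])}")
    print("open by severity:", dict(delta["by_severity"]))
```

A finding that reappears on a host after being closed shows up as "new" again, which is usually the first thing to question in the review, since it often means a patch was rolled back or a rebuilt server missed the baseline.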
The next step planned in vulnerability assessment testing is to extend the pool of tested servers to the UNIX family. In the next several months, the plan is to include all Solaris, Linux, HP-UX and other servers on the network.
Future plans include extending vulnerability assessment testing to include routers, wireless access points and other discovered network components.
Vulnerability assessment testing has proven to be an essential part of a comprehensive security plan for the State of Maine, and its systems and data are more secure as a result.