Preventsys 2.5 User Guide
Preventsys Security Risk Management System User's Guide

NOTICES

This user guide (the "Guide") is provided by Preventsys, Inc. to you to facilitate your use of the Preventsys, Inc. system. This Guide is subject to change without notice. Preventsys, Inc. retains all rights with respect to the Guide and the Preventsys, Inc. system. Your right to use this Guide and the Preventsys, Inc. system is subject to the Preventsys, Inc. Terms of Use found at http://www.preventsys.com including, but not limited to, the warranty disclaimers contained therein. In addition, your use may be subject to other terms and conditions as agreed upon in writing between you and Preventsys, Inc.

All content included in this Guide, including trade names or trademarks, service names or service marks, text and graphics (collectively the "Content") and the selection and arrangement thereof, are the sole and exclusive property of Preventsys, Inc. or its suppliers. However, subject to the Terms of Use and other written agreements you may have with Preventsys, Inc., you are free to view, copy, print, and distribute the Content as long as:

• The Content is used for non-commercial purposes only within your organization in support of Preventsys, Inc. products.
• The Content is not distributed in any form to any third party.
• The Content is used for information purposes only.
• Copies of the Content include all Preventsys, Inc.'s copyright or other proprietary notices.

Except as specified above, nothing contained herein shall be construed as conferring by implication, estoppel or otherwise any license or right under any patent, trademark or copyright of Preventsys, Inc. or any third party.

THE CONTENT IN THIS GUIDE AND THE PREVENTSYS SYSTEM ARE THE PROPRIETARY PROPERTY OF PREVENTSYS, INC. AND/OR ITS SUPPLIERS AND IS PROTECTED BY U.S. AND INTERNATIONAL COPYRIGHT AND OTHER INTELLECTUAL PROPERTY LAWS. EXCEPT AS SPECIFICALLY PERMITTED HEREIN, YOU AGREE NOT TO DUPLICATE, TRANSLATE, PUBLISH, DISTRIBUTE, MODIFY, EXTRACT DATA FROM, OR OTHERWISE COMMERCIALLY EXPLOIT ANY CONTENT OR THE PREVENTSYS SYSTEM.

All contents in this Guide are: Copyright ©2002-2006. Preventsys, Inc. or its licensors. Preventsys is a registered trademark of Preventsys, Inc. All other trademarks are the property of their respective owners. All Rights Reserved.

Preventsys, Inc. respects the intellectual property of others, and we ask you to do the same. If you believe some Content in this Guide has been copied in such a way as to constitute copyright infringement, please contact Preventsys, Inc. via email at [email protected].

Government Rights Legend: Use, duplication or disclosure of the contents in this Guide or the Preventsys System by the U.S. Government is subject to restrictions set forth in the applicable Preventsys license agreement and as provided in DFARS 227.7202-1(a) and 227.7202-3(a) (1995), DFARS 252.227-7013(c)(1)(ii) (Oct. 1988), FAR 12.212(a) (1995), FAR 52.227-19, or FAR 52.227-14, as applicable.

Export Controls. The Content and the Preventsys System may be subject to export controls imposed by U.S. laws and regulations. Use of the Content and Preventsys System must be in compliance with all export laws and restrictions and regulations of the United States Department of Commerce or other United States or foreign agency or authority, and the Content, Preventsys System and any underlying information or technology may not be exported, re-exported, or downloaded in violation of any such restrictions, laws or regulations, or to Cuba, Libya, North Korea, Iran, Iraq, Uganda, Rwanda or Afghanistan, or to any Group D:1 or E:2 country (or any national of such country) specified in the then current Supplement No. 1 to Part 740, or in violation of the embargo provisions in part 746 of the U.S. Export Administration Regulations (or any successor regulations or supplement), except in compliance with all licenses and approvals required under applicable export laws and regulations, including, without limitation, those of the U.S. Department of Commerce.

Document Number: 2006.2.5.0.0-00

CONTENTS

PREFACE
    About Preventsys
    Conventions Used in this Guide
    Contacting Preventsys Support

CHAPTER 1 - Security Risk Management
    Security Risk Manager
    Automated Security Compliance Reporter

CHAPTER 2 - Getting Started
    Web Browser Requirements
    Accessing the Preventsys SRM System
    The Basics
        System Components
    Navigating the Preventsys SRM System
        Main Menu
        Pagination Controls
        Table Sorting
        Saving as PDF
        Licensing and Version Information
    Reporting Errors

CHAPTER 3 - Assessment Servers and Instance Configurations
    Managing Assessment Servers
        Adding Assessment Servers
        Editing Assessment Servers
        Disabling and Enabling Assessment Servers
        Deleting Assessment Servers
    Managing Instance Configurations
        Affinity and Weight
        Adding Instance Configurations
        Editing Instance Configurations
        Deleting Instance Configurations

CHAPTER 4 - User Authorization
    Managing User Groups
        About Resources and Permissions
        Adding User Groups
        Editing User Groups
        Deleting User Groups
        Adding and Removing Users from Groups
    Managing Users
        Adding User Accounts
        Editing User Accounts
        Deleting User Accounts
        Changing Your User Information
        Associating a User with an External Remediation System

CHAPTER 5 - Assets and Networks
    Managing Assets
        Adding an Asset
        Editing an Asset
        Deleting an Asset
    Managing Host Properties
        Adding a Host Property
        Editing a Host Property
        Deleting a Host Property
    Managing Services
        Adding a Service
        Editing a Service
        Deleting a Service
    Managing Exclusion Lists
        Adding an Exclusion List
        Making an Exclusion List Global
        Editing an Exclusion List
        Deleting an Exclusion List
    Managing Networks
        Time Windows
        Adding a Network
        Editing a Network
        Deleting a Network
    Managing Network Properties
        Adding a Network Property
        Deleting a Network Property
    Managing Network Groups
        Adding a Network Group
        Editing a Network Group
        Deleting a Network Group

CHAPTER 6 - Policies and Rules
    Configuring Your System for Policy Analysis
        Initial Rule Setup
    About PDL Rules
        Managing PDL Rules
        Deactivating a PDL Rule
    Working with Policies
        Managing Policies
        Deactivating a Policy
    Importing Preventsys Policies
    Importing and Exporting Policies
        Importing a Policy
        Exporting a Policy

CHAPTER 7 - Assessments
    Managing Connector Configurations
        Adding a Connector Configuration
        Editing a Connector Configuration
        Deleting a Connector Configuration
    Managing Assessment Configurations
        Creating an Assessment Configuration
        Editing an Assessment Configuration
        Deleting an Assessment Configuration
    Managing Assessment Schedules
        Adding an Assessment Schedule
        Editing an Assessment Schedule
        Deleting an Assessment Schedule
    About the Assessment Lifecycle
        Network Assessment
        Fact Indexing
        Analysis
    Understanding Assessment Status
        Viewing Assessment Details
        Pausing and Resuming an Assessment
        Canceling an Assessment
        Hiding and Un-hiding Assessment Statuses
    Importing External Assessment Data
        Basic Steps to Import
        Importing Assessment Results Using the Preventsys SRM System's UI
        Importing Assessment Results Using the Preventsys Command-Line AIU
    Deleting Assessments
        Deleting an Assessment Using the Preventsys SRM System's UI
        Deleting an Assessment Using the Preventsys AIU
    Re-Analyzing Assessment Results
        Re-Analyzing an Assessment's Results
        Viewing the Status of a Re-Analyzed Assessment

CHAPTER 8 - Remediations
    Managing Remediation Tasks
        Status Lifecycle
        Workflow Example
    Assigning Remediation Tasks
        About Severity
        About Priority
        About Due Date and Criticality
        Assigning or Reassigning a Remediation Task
        Bulk Assignment
        Filtering Remediation Tasks
        Viewing Different Columns of Data
        Viewing Details about a Remediation
        Verifying Remediation Tasks
    Working with Assignment Rules
        Creating an Assignment Rule
        Editing an Assignment Rule
        Ordering Assignment Rules
        Deleting an Assignment Rule
    Updating Remediation Tasks
        Updating the Status of a Remediation Task
    Managing External Remediation Systems
        Adding an External Remediation System
        Editing an External Remediation System
        Deleting an External Remediation System
    Managing External Remediation System Users
        Adding an External Remediation System User
        Editing an External Remediation System User
        Deleting an External Remediation System User

CHAPTER 9 - Manual Audit Tasks
    Managing Manual Audit Tasks
        Adding a Manual Audit Task
        Editing a Manual Audit Task
        Deleting Manual Audit Tasks
    Updating Manual Audit Tasks
        Updating the Status of a Manual Audit Task
    Manual Audit Task Email Notifications
    Managing Manual Audit Task Recipient Groups
        Adding a Recipient Group
        Editing a Recipient Group
        Deleting a Recipient Group
    About Manual Audit Task Rules and Policy Violations
        Verification of Manual Audit Task Policy Violations

CHAPTER 10 - Security Risk Dashboard
    About the Enterprise Console
        Viewing Enterprise Compliance and Enterprise Trending Portlets
    About the Exposure Console
    About the Compliance Console
    About the Threat Console
        Viewing the Latest Threat Alerts
        Viewing the Top Threat Alerts
        Viewing All Threat Alerts
        How Threat Alerts Affect Remediation Tasks
        How Severity Is Adjusted by Threat Alerts
        Filtering the List of All Threat Alerts
        Viewing Different Columns of Data for All Threat Alerts
        Viewing Details about a Threat Alert
        Viewing Details about Assets
    About the Remediation Console
        Latest Tasks
        My Tasks
        Viewing Details about a Remediation
    About the Assessment Console
    About Enterprise Groups
        Creating an Enterprise Group
        Editing an Enterprise Group
        Activating and Deactivating an Enterprise Group

CHAPTER 11 - Reports
    Working with the Report Filter
        Modifying the Report Context Filter
    Calculating Compliance
    Navigating Between Reports
    Using the "Narrow by Asset" Control
    Viewing Reports
        Executive Summary Report
        Enterprise Group Summary Report
        Administrator Overview
        Network Group Reports
        Network Report
        Asset Report
        Chronological View Report
        Operating System Report
        Task Reports
        Task Recipient Report
        Compliance Overview Report
        Comparative Compliance Report
        Exposure Overview Report
        Services Report
        Wireless Access Points Report
    Saving Rendered Reports
        Publishing a Report
        Viewing Published Reports
        Deleting Published Reports

CHAPTER 12 - System Updates
    Basic Update Steps
        About Maintenance Mode
        Update Failure
    Checking for a New System Update
    Uploading and Applying a System Update
    Rolling Back a System Update

APPENDIX A - Instance Configurations
    About Third-Party Connectors
    AppDetective Instance Configuration
    Dynamic Address Resolution Instance Configuration
    Retina Instance Configuration
    FoundScan Instance Configuration
    ISS Internet Scanner Instance Configuration
    ISS SiteProtector Instance Configuration
    Microsoft Baseline Security Analyzer Instance Configuration
    Nessus Instance Configuration
    Network Architecture Assessor Instance Configuration
    Nmap Instance Configuration
    WiFi Instance Configuration
    Windows Registry Instance Configuration
202 QualysGuard Instance Configuration .............................................................................................. 203 vi PREVENTSYS™ SRM USER’S GUIDE CONTENTS APPENDIX B .................................................................................. 204 Connector Configurations .................................................................................... 204 Updating Scanner Plugins................................................................................................................ 204 AppDetective Connector Configuration .......................................................................................... 204 FoundScan Connector Configuration .............................................................................................. 205 ISS Internet Scanner Connector Configuration ............................................................................... 206 ISS SiteProtector Connector Configuration..................................................................................... 206 Microsoft Baseline Security Analyzer Connector Configuration .................................................... 207 Nessus Connector Configuration ..................................................................................................... 207 Network Architecture Assessor Connector Configuration............................................................... 208 P2P Assessment.........................................................................................................................209 Adding Custom NAA Rules ......................................................................................................210 Nmap Connector Configuration....................................................................................................... 212 QualysGuard Connector Configuration ........................................................................................... 
212 Retina Connector Configuration ...................................................................................................... 213 WiFi Connector Configuration ........................................................................................................ 213 WinReg Connector Configuration ................................................................................................... 214 Windows-Based Rules...............................................................................................................215 APPENDIX C .................................................................................. 217 Importing Assessment Data ................................................................................. 217 File Import ....................................................................................................................................... 217 Preventsys XML File Import .....................................................................................................217 Generic XML File Import..........................................................................................................218 AppDetective XML File Import ................................................................................................218 AppScan 5 XML File Import.....................................................................................................219 AppScan 6 XML File Import.....................................................................................................219 FoundScan Risk Data XML File Import....................................................................................220 FoundScan Risk and Host Data XMLs File Import...................................................................220 MBSA XML/Zip File Import ....................................................................................................221 nCircle IP360 XML2 File Import 
..............................................................................................221 Nessus XML File Import...........................................................................................................222 Nessus NSR File Import ............................................................................................................222 NeXpose XML File Import .......................................................................................................223 NGSSquirrel for Oracle XML File Import ................................................................................223 NGSSquirrel for SQL Server XML File Import ........................................................................224 Nmap XML File Import ............................................................................................................224 QualysGuard XML File Import .................................................................................................225 Scan Import...................................................................................................................................... 225 AppDetective Scan Import ........................................................................................................225 FoundScan Scan Import.............................................................................................................226 QualysGuard Scan Import .........................................................................................................226 Retina Scan Import ....................................................................................................................227 SiteProtector Scan Import..........................................................................................................227 APPENDIX D .................................................................................. 
228 Database Backup Guidelines............................................................................... 228 Backup.......................................................................................................................................228 Restore.......................................................................................................................................228 GLOSSARY .................................................................................... 229 vii PREVENTSYS™ SRM USER’S GUIDE PREFACE PREFACE This guide provides a complete description of the features and options available in the Preventsys Security Risk Management System (Preventsys SRM System). About Preventsys Preventsys delivers automated solutions for security risk management and security compliance reporting to large government agencies and Fortune 1000 Companies in the financial, telecommunication, ecommerce, technology and healthcare markets. Preventsys customers reduce the time required to run a host assessment from 4 hours per host to 9-12 minutes per host; saving the company an average of $700,000 per year. Preventsys is headquartered in Carlsbad, California just north of San Diego and has regional offices across the United States. Conventions Used in this Guide The following table presents the typographic conventions used in this guide. Convention Represents Bold An element of the graphical user interface SMALL CAPS A specific key on the keyboard Fixed width A file name, folder name, or other information that you must type exactly as shown Italics A file name, folder name, or other information that you must provide > A sequence of commands from the menu bar Examples Type the computer’s IP address or MAC address in the Unique ID field and click Next. Press ENTER to continue. Hold down CTRL to choose multiple selections. Log in to the system using the Preventsys username. Save the XML text as filename sample.xsl. 
Login to the selected system as root and run the upgrade program from CD-ROM. Click Admin > User > Add Contacting Preventsys Support Preventsys Inc. 2131 Palomar Airport Rd Suite 200 Carlsbad, CA 92011 Telephone: 760.268.7888 Fax: 760.476.1011 Email: [email protected] Web Site: https://support.preventsys.com viii PREVENTSYS™ SRM USER’S GUIDE CHAPTER 1 | SECURITY RISK MANAGEMENT CHAPTER 1 Security Risk Management Preventsys has pioneered an award-winning Security Risk Management System for large companies that need to proactively protect confidential customer and company information, ensure high availability of critical IT assets and easily communicate security compliance to executive management. Preventsys provides the only solution that consolidates vulnerability, configuration and threat data from multi-vendor tools, prioritizes critical remediation tasks and automates security compliance reporting, dramatically cutting costs and reducing the time it takes to create a picture of an organization's security posture from weeks to seconds. The Preventsys Security Risk Management System is the only solution that consolidates vulnerability, configuration and threat data from multi-vendor tools into an enterprise dashboard, prioritizes critical remediation tasks and automates security compliance reporting. As a result, you can proactively protect your confidential company and customer information, ensure the high availability of your critical IT assets, and easily communicate your enterprise compliance scorecard to your executive team. The Security Risk Management System has two solutions The Security Risk Management System provides the following benefits: » Consolidation of Multi-vendor Assessment Data – Creates a consolidated view of your risks across your network to simplify reporting and decision-making. 
» Prioritization of Remediations – Reduces the amount of information the IT team needs to act upon by prioritizing remediation tasks to protect business-critical systems.

» Automated Compliance Reporting – Automates the time-consuming process of reporting compliance against internal and external policies to save time and money.

Security Risk Manager

The Preventsys Security Risk Manager application provides a single dashboard view of risks across the enterprise, prioritizes remediation efforts and produces an executive scorecard that shows current risk as well as changes in an organization's risk score from day to day. By consolidating multi-vendor vulnerability, configuration and threat data, security professionals can reduce the amount of data they need to analyze by up to 98%: the RiskScore™ Engine removes duplicate results and identifies the top 2% of risks for remediation. Issues are then assigned and tracked using a centralized workflow engine, which automates the remediation process to help bridge the gap and create accountability between IT Security and IT Operations.

Automated Security Compliance Reporter

The Automated Security Compliance Reporter application is a sustainable security compliance reporting solution. Using its patent-pending PolicyLab™, customers can link their corporate security policies and standards to specific technical checks to ensure that business policy objectives are being adhered to across the network. The Automated Security Compliance Reporter provides a consistent and cost-effective way for auditors to report against regulatory requirements and standards such as HIPAA, SOX, GLBA and FFIEC. It significantly reduces the cost of pre-audits and provides executive-level insight into the company's security compliance initiatives, their cost and their effectiveness.
As a result, an enterprise can reduce legal and regulatory exposure and demonstrate security compliance to management without the need for a team of expensive auditors.

CHAPTER 2 Getting Started

This chapter explains the basic steps for getting started with the Preventsys SRM System, including configuring your Web browser, accessing the Preventsys SRM System, and setting up assessments.

Web Browser Requirements

The Preventsys Administrative Client is a browser-based application that uses HTTPS with 128-bit encryption to protect communication between the browser and the server. Microsoft Internet Explorer 5.5 or higher is required to access the Administrative Client, and the browser must support 128-bit encryption. You must also configure the browser so that it always fetches the latest version of every page; without this setting, you may see cached (stale) versions of the Preventsys SRM System's pages. The following steps show the proper Internet Explorer configuration.

To configure Internet Explorer

1 Click Tools > Internet Options from the Internet Explorer menu bar.
2 On the General tab, click the Settings button in the Temporary Internet Files section.
3 Under Check for newer versions of stored pages, click the Every visit to the page radio button.
4 Click OK in the Settings dialog box.
5 Click OK in the Internet Options dialog box to save the configuration.

Accessing the Preventsys SRM System

To access the Preventsys Administrative Client you must first log in to the system. Enter your Username and Password, and then click Login. If you log in unsuccessfully three consecutive times, your session is locked; open a new Web browser and try logging in again. Note that this lockout applies to the browser session rather than to the user account, so on its own it does not stop repeated attempts made from a fresh session. Close your session by clicking Logout in the top right-hand corner of the Preventsys screen.
If your session is idle for 45 minutes or more, it is automatically closed and the Logged Out screen is displayed. Click Login Again to return to the Login screen.

The Basics

The Preventsys SRM System uses the results of assessments that you configure and schedule to identify vulnerabilities and policy violations on your networks. It can also use this information to relate threat alerts to vulnerabilities and their associated remediation tasks. To run assessments, you must complete the following tasks after you have configured the Preventsys ESM Server. Details about each step are presented in the referenced chapters.

Step 1 – Change the Super User Password

Preventsys ships with a default Super User group and an associated "Preventsys" user account that is used during installation and configuration of the system. For security, change the Preventsys user's password immediately after installation; until you do, anyone who knows the default credentials has Super User access to the system. See the "User Authorization" chapter for information about how to change a password.

Step 2 – Update the Policy Library

After installation, use the Import Preventsys Policy function to obtain the latest version of the Policy Library. See the "Policies and Rules" chapter for details about importing policies. You can also create your own policies and rules, using the rules shipped with the Preventsys SRM System as a template, or develop custom rules to address your specific concerns. Refer to the Preventsys SRM System PolicyLab User's Guide for details about rule and policy development.

Note: Preventsys provides several policies that contain Manual Audit Task Rules. During the analysis phase of an assessment, these rules conduct integrity checks on the associated Manual Audit Tasks in your system (for example, whether a Manual Audit Task is assigned).
If you do not want policy violations created because of these checks, review your Manual Audit Tasks to ensure that they will pass all of them before you run your first assessment and analysis. See the PolicyLab User's Guide for details about Manual Audit Task Rules and their associated integrity checks.

Step 3 – Configure Assessment Servers and Instance Configurations

Configure your assessment servers, and then configure each assessment server's instance configurations. See the "Assessment Servers and Instance Configurations" chapter for details about adding assessment servers and their instance configurations.

Step 4 – Define Networks and Network Groups

Define the networks and network groups that you want the Preventsys SRM System to assess. See the "Assets and Networks" chapter for details about defining assets, networks, and network groups.

Step 5 – Configure Connectors and Configure and Schedule Assessments

Configure the connectors you want to use for assessments. Note that you must add an instance configuration for a connector before it can be configured for an assessment. Next, configure your assessments, and then schedule them. See the "Assessments" chapter for details about configuring connectors and configuring and scheduling assessments.

At any time you can add users and user groups, which define the functionality and content to which those users have access. After you have successfully run an assessment, you can view the results in reports and on the Security Risk Dashboard, and you can review and assign the remediation tasks created for the vulnerabilities and policy violations the assessment found.

Step 6 – View Reports and the Security Risk Dashboard

After an assessment is completed, use the reporting feature to view the results. See the "Reports" chapter for details about reports.
The Security Risk Dashboard provides a snapshot of how compliant you are, your current exposure, the current top-five unresolved remediation tasks and your top-five assigned remediation tasks, ranked by priority. If you have a Preventsys Threat Intelligence license, you can also receive and view timely, actionable security analysis and notifications about the latest cyber threats, including the threats and vulnerabilities that affect your networks. See the "Security Risk Dashboard" chapter for details.

Step 7 – Add User Groups and Users

Add groups that define how you want to manage user access to functionality and content. Add a user account for each individual who will access the system. Last, associate those users with the groups to which they should belong. See the "User Authorization" chapter for details about defining users and associating them with groups.

Step 8 – Assign Remediations

Review and assign vulnerabilities and policy violations so that they can be resolved. You can also create filters that display only the remediation tasks you specify, and create rules that automatically pre-assign tasks to specific remediators. See the "Remediations" chapter for details about creating filters and rules and assigning remediation tasks.

System Components

The Preventsys SRM System is comprised of the following main components.

Administrative Client

The Administrative Client is a browser-based client that serves as the user's interface to the Enterprise Security Management Server. It allows users to perform user management, assessment and system configuration tasks, as well as report navigation and remediation functions.

Assessment Server

The server (or cluster of servers) that hosts the actual scanners. The assessment server and the assessment tool instances you want on it are configured via the Preventsys SRM System web application UI.
Enterprise Security Management Server

The Enterprise Security Management (ESM) Server is the server (or cluster of servers) that provides the administrative interface to the Preventsys software. It allows the administrator to configure target host and network information and assessment sessions, and to review reported assessment results.

Dynamic Address Resolution Connector (DARC)

DARC provides consistent address resolution so that host information can be correlated across changing IP addresses (because of DHCP), by tracking each host by the MAC address of its network interface controller (NIC). Using the Dynamic Target Address Resolution Protocol (DTARP) to report the correlation between IP addresses and host identity, the system can recognize the same physical host regardless of IP changes due to DHCP.

RDBMS Server

The Relational Database Management System (RDBMS) stores Preventsys configuration data and scan results in both raw and analyzed form.

Note that it is possible to install multiple components on individual servers in environments that meet the requirements for minimum installation configurations. See the Installation Guide for details about installation configuration options.

Navigating the Preventsys SRM System

This section provides information about navigating via the Preventsys Main Menu, the Preventsys Reports Menu, and the pagination controls.

Main Menu

The Preventsys Main Menu provides access to all system functions. Access to this functionality is granted based on the groups to which the user belongs. See the "User Authorization" chapter for information about controlling access to functionality.

Note: If a user does not belong to any groups, only the Home and Help menu items are displayed.
[Figure: Preventsys Main Menu. The menu items visible in the figure include: Enterprise Security Dashboard; Policies (Rules, Update Policy Library, Import Preventsys Policy); Support (Submit Error, About Preventsys); Enterprise Groups; Connector Configurations; Assessment Configurations; Assessment Schedules; Manual Audit Tasks; Assessment Status; Manual Audit Recipient Groups; Re-Analyze; Re-Analyze Status; Remediation Tasks; Remediation Assignment Rules; External Patch Management Systems; External Remediation Systems; External Remediation Users; Users; Groups; Assets; Host Properties; Asset Exclusion Lists; Network Groups; Networks; Network Properties; Assessment Servers; System Updates; Preferences; and the report entries (Administrator, Comparative Compliance, Executive Summary, Enterprise Group, Exposure, Assets » Network » Network Group, Services, Task » Aging Summary, Task Recipient » Rollup by Violation, Operating System, Wireless Access Points, Rollup by Vulnerability, Published Reports), most offering Standard, Trending and Overview views.]

Pagination Controls

Various reports and administration screens feature pagination controls near the bottom of the screen that allow convenient navigation through long lists of data. When the data spans multiple pages, simply click a page number to move to that page. Page numbers are presented in groups of ten; if there are more than ten pages, the pagination controls include "Next" and "Previous" links that move to the next (or previous) group of ten pages.

Table Sorting

Many screens display information in tables. This information is organized by a default sort (for example, username). To change the way the table is sorted, click the desired column heading. Sortable columns display a dashed line under the heading text.
Click the column heading a second time to reverse the sort order. Note that not all column headings have the sort option.

Saving as PDF

There are several areas in Reporting and Remediation where you can save the displayed information in Portable Document Format (PDF). Clicking the Save as PDF link opens a separate browser window displaying the information in PDF format. Click the Adobe Acrobat Save icon to save the report as a PDF file.

Licensing and Version Information

You can view information about the Preventsys SRM System, including licensing and version information, by selecting Help > About Preventsys.

Note: The "Number of nodes used" value is updated daily.

If your license has expired, the ESM Server and Administrative Client functionality will be deactivated. Previously scheduled scans will continue, but assessment data will not be accessible without a valid license. If this happens, contact Preventsys to update your license.

Reporting Errors

You can report errors to Preventsys by using the Error Report form, which is available through the Submit Error function and is also displayed automatically whenever the Preventsys SRM System encounters an unexpected issue. The Submit Error function lets you email Preventsys about an issue you are experiencing with the system. When you submit the Error Report form, the system gathers all the log files on the ESM and sends them with the report. By default the report is encrypted and sent to Preventsys via email; you can turn off the encryption option if desired, and you can specify a different "To" email address. Because the report bundles every log file on the ESM, leave encryption enabled unless you have a specific reason to disable it, and verify the "To" address before submitting.

If your email system does not handle large files, you can elect to download the file and then manually upload it to the Preventsys Customer Support Site using your Support account.
To submit an Error Report

1 Select Help > Submit Error. The Error Report screen is displayed. All fields are prefilled except Comments.
2 Modify any field entries as desired and enter as much information as you can about what you think caused the error and any steps that might help Preventsys reproduce it.
3 Select Continue when you are finished. The system gathers and compresses the log information. When this task is completed, the report is sent to the "To" email address you specified. If you elected to download the report instead, an email containing a link to a screen where you can download the file is sent to the "From" address you specified.

As discussed earlier, the Error Report screen is also displayed whenever the system encounters an unexpected issue. In that case the screen also displays details about the error.

Figure 2-1. Sample Error Report based on unexpected system error

CHAPTER 3 Assessment Servers and Instance Configurations

Before the Preventsys SRM System can perform assessments on your networks, you must first configure your Assessment Server(s) and the instance configurations for the assessment tools you want to use. This chapter discusses how to add and modify assessment servers and how to add instance configurations. The following terms and definitions will assist you in reading this chapter.

Assessment Server: The Assessment Server is one of the applications that make up the Preventsys Security Risk Management System. It provides an interface between the ESM Server and a variety of assessment tools, both third-party and Preventsys-created. Each of these interfaces is called a connector, and each Assessment Server ships with several connectors preinstalled.
Additionally, the interface has been documented so that anyone can write their own connector and add support for additional third-party software.

Connector: A connector is the interface, used by the Preventsys Assessment Server, that allows an ESM Server to configure, control, and receive results from a particular assessment tool. Each connector must provide instance configuration and connector configuration forms, must be able to start, stop and (optionally) pause and resume scans, and must be able to transform the tool's results into the Preventsys result format. Connectors are loaded dynamically at startup, so individual connectors can be added, updated or removed without replacing the Assessment Server executable. Because a connector is code executed by the Assessment Server, install only connectors from sources you trust. Preventsys has published its connector API so that anyone can add support for additional software; contact Preventsys Support for information about the API. For a current list of connectors supported by Preventsys, click the "Supported Connectors List" link on the Assessment Server Management screen or on the Import Assessment Data screen.

Figure 3-1. Example of the Preventsys Supported Connectors List. This list is updated regularly as new connectors are supported.

Instance Configuration: An instance configuration is a static set of parameters for a particular installation of an assessment tool supported by the Preventsys Assessment Server. Its parameters are generally used to allow an Assessment Server to connect to, and if needed authenticate to, that installation of the tool. For example, if the same tool were installed in three different locations, each of those installations would have its own instance configuration.
Network Affinity: During an assessment, the ESM Server can distribute a task across multiple Assessment Servers, a process that frequently speeds up auditing and also improves reliability, since an assessment is never tied to a specific set of Assessment Servers. The downside of this approach is that it assumes all Assessment Servers are equally capable of scanning a particular network range when, in fact, this is rarely the case. The mechanism Preventsys provides to deal with this is called network affinity. At a basic level, network affinity lets you configure how suitable a particular instance configuration is for scanning a network range. When adding an instance configuration, you can add one or more network affinity ranges, each consisting of a range of IPs and a weight, which is a number from 1 to 100. If no network affinity range is defined for an instance configuration, the ESM Server assumes that instance is the best possible instance for any IP range. When network affinity ranges are defined, the ESM Server assigns each task to the instance configuration whose network affinity both covers the range and has the highest weight. If necessary, the ESM Server splits the task across multiple Assessment Servers to ensure that the instance configuration with the highest weight for a given range of IPs is always used. One case where network affinity is practically required is when dealing with Assessment Servers that cannot send packets to a particular IP range because of routing or filtering restrictions. Using network affinity ranges, you define the IP ranges each instance configuration can reach and leave out the ranges it cannot reach. The ESM Server will then never assign a target IP range to an instance configuration that has no network affinity range covering it.
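The assignment rule described above, worked through in code. This is an added example, not Preventsys code: it models instance configurations with (range, weight) affinities, picks the highest-weight eligible instance per address, splits a target range into per-instance tasks, and leaves hosts that no instance can reach unassigned (the failure case the guide warns about). Two points the guide does not state are assumed here: an instance with no affinity ranges is treated as weight 100 everywhere, and ties between equal weights go to the instance listed first. The instance names and addresses are constructed.

```python
"""Network-affinity task assignment, as the guide describes it.

Added example; not Preventsys code. Assumptions the guide does not state:
an instance with no affinity ranges is treated as weight 100 everywhere
("the best possible instance for any IP range"), and a tie between equal
weights goes to the instance listed first.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

NO_AFFINITY_WEIGHT = 100  # assumption, see module docstring
Affinity = Tuple[ipaddress.IPv4Network, int]


@dataclass
class InstanceConfig:
    name: str
    affinities: List[Affinity] = field(default_factory=list)

    def __post_init__(self):
        # The guide fixes the weight range at 1-100; reject anything else.
        for net, weight in self.affinities:
            if not 1 <= weight <= 100:
                raise ValueError(f"{self.name}: weight {weight} for {net} not in 1-100")

    def weight_for(self, addr: ipaddress.IPv4Address) -> Optional[int]:
        """Best weight of any affinity range covering addr; None if no range
        covers it. Overlapping ranges are allowed, so take the maximum."""
        if not self.affinities:
            return NO_AFFINITY_WEIGHT
        covering = [w for net, w in self.affinities if addr in net]
        return max(covering) if covering else None


def best_instance(addr: ipaddress.IPv4Address,
                  instances: List[InstanceConfig]) -> Optional[str]:
    """Name of the eligible instance with the highest weight for addr, or
    None when no instance has an affinity range covering addr."""
    best_name, best_weight = None, 0
    for inst in instances:
        w = inst.weight_for(addr)
        if w is not None and w > best_weight:
            best_name, best_weight = inst.name, w
    return best_name


def plan_tasks(target: str,
               instances: List[InstanceConfig]) -> List[Tuple[Optional[str], str, str]]:
    """Split a target range into contiguous tasks (instance, first, last).
    Adjacent hosts with the same best instance are merged into one task; a
    task whose instance is None covers hosts no instance can reach, the
    case the guide says would otherwise make the assessment fail."""
    tasks: List[List] = []
    for addr in ipaddress.ip_network(target).hosts():
        inst = best_instance(addr, instances)
        if tasks and tasks[-1][0] == inst:
            tasks[-1][2] = addr          # extend the current task
        else:
            tasks.append([inst, addr, addr])
    return [(inst, str(first), str(last)) for inst, first, last in tasks]


# Constructed sample: a headquarters scanner that can reach all of 10/8 at a
# low weight, and a branch scanner that is preferred for its own /29.
NET = ipaddress.ip_network
INSTANCES = [
    InstanceConfig("nessus-hq", [(NET("10.0.0.0/8"), 30)]),
    InstanceConfig("nessus-branch", [(NET("10.2.5.8/29"), 90)]),
]

if __name__ == "__main__":
    for task in plan_tasks("10.2.5.0/28", INSTANCES):
        print(task)
```

Running the block splits 10.2.5.0/28 into one task for nessus-hq (hosts .1 to .7) and one for nessus-branch (.8 to .14), which is the WAN case: the branch instance wins its local /29 on weight, and the HQ instance is used only where nothing better exists. Scanning 192.168.0.0/30 with the same instances yields a single unassigned task, since neither affinity covers it.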
Without network affinity ranges, assessments might fail because the ESM Server could assign a task to an instance configuration unable to handle the target IP range. This functionality is also very useful when configuring Assessment Servers at multiple locations networked over a slower WAN connection. By assigning higher weights to local networks and lower weights to remote networks, you ensure that the fastest available instance configuration is selected to scan a particular network range, and that scan traffic crosses the WAN link only as a last resort.

Managing Assessment Servers

All Assessment Server and Instance Configuration administration is conducted from the Assessment Server Management screen.

To access the Assessment Server Management screen
1 Select Admin > Assessment Servers. The Assessment Server Management screen is displayed.

The Assessment Server Management screen displays the connection status and version number of each assessment server, along with the average status of all assessment servers and the connectors initialized on each assessment server. From this screen, you can add a new assessment server and associated instance configurations, edit an existing assessment server and its instance configurations, and delete an assessment server and/or its instance configurations.

Note: The Preventsys SRM System supports the cooperative scanning of more than one network at a time using multiple Assessment Servers, as well as scanning the same network using more than one Assessment Server.

Adding Assessment Servers

The Add Assessment Server function allows authorized Preventsys users to add assessment servers to the system.
To add an assessment server
1 Select the Add New button on the Assessment Server Management screen. The Add Assessment Server screen is displayed.
2 Enter the name for the assessment server (20 characters maximum).
3 Enter the assessment server's IP address and hostname.
4 Enter the associated port.
5 Select Submit to save.
6 The system verifies the connection to the added assessment server.

Editing Assessment Servers

The Edit Assessment Server function allows authorized Preventsys users to modify assessment servers.

To edit an assessment server
1 Select the Edit function on the Assessment Server Management screen for the server you want to edit. The Edit Assessment Server screen is displayed.
2 Edit the assessment server as desired.
3 Select Submit to save.

Disabling and Enabling Assessment Servers

The Disable function allows you to take an Assessment Server offline temporarily without losing any data about the server or its associated instance configurations. When an Assessment Server is disabled, it is still displayed on the Assessment Server Management screen with its associated instance configurations; however, you cannot edit any of this data or use it to run new assessments. Any assessments currently running should complete as expected. After the Assessment Server is enabled again, you can edit it, view and edit the associated instance configurations and add new ones, and use it to run assessments just as before.

To disable/enable an assessment server
1 Select the Disable function on the Assessment Server Management screen for the server you want to deactivate. A confirmation popup box is displayed.
2 Select OK to continue or Cancel to quit.
3 If you selected OK, the system deactivates the selected assessment server and all associated instance configurations.
4 The "Disable" link changes to "Enable". Select the Enable function to reactivate the Assessment Server.

Deleting Assessment Servers

The Delete Assessment Server function allows authorized Preventsys users to delete assessment servers from the system. Note that deleting an Assessment Server may cause currently running assessments to fail if connectivity is also lost. In addition, all instance configurations associated with that Assessment Server are also deleted.

To delete an assessment server
1 Select the Delete function on the Assessment Server Management screen for the server you want to remove. A confirmation popup box is displayed.
2 Select OK to continue or Cancel to quit.
3 If you selected OK, the system deletes the selected assessment server and all associated instance configurations.

Managing Instance Configurations

As discussed at the beginning of this chapter, you must configure your assessment server and the instance configurations for the assessment tools you want to use before assessments can be performed on your networks. This section discusses how to add and modify instance configurations after you have added an assessment server. See the "Instance" appendix for details about the connectors supported by Preventsys. You can also click the Supported Connectors List link on the Assessment Server Management screen for the current list of connectors supported by Preventsys. All Instance Configuration administration is conducted from the Assessment Server Management screen; see the previous section for details about accessing this screen.

Affinity and Weight

When you add an instance configuration to an Assessment Server, you have the option of specifying which network(s) the instance should be allowed to assess. This is referred to as "Network Affinity". If you do not enter an affinity, the system assumes that "all" networks can be scanned.
If you choose to specify an affinity, make sure that the networks you want to assess are within the affinity ranges. Networks outside the affinity ranges are ignored by the system when an assessment is run.

Note: You can add multiple as well as overlapping network affinity ranges to a single instance configuration.

If you have more than one instance configuration of a specific type (e.g., two Nessus instances), you can also specify the priority in which the system should use them during an assessment by assigning a weight to each network affinity range.

Adding Instance Configurations

The Add Instance Configuration function allows authorized Preventsys users to add instance configurations to assessment servers.

To add an instance configuration
1 Select the type of connector for which you want to add an instance from the dropdown list on the Assessment Server Management screen, and then select the Add button. The instance configuration screen for the connector you selected is displayed.

Figure 3-2. Example of the Nessus Instance Configuration screen

2 Enter the connector's name.
Note: Preventsys recommends that you name your instance configurations so that their associated connector type can be easily identified (e.g., "nessus1", not "instance1").
3 Enter the required and any desired optional content for the connector.
4 Enter affinities and weights if desired.
5 Select Submit to save.

Editing Instance Configurations

The Edit Instance Configuration function allows authorized Preventsys users to edit instance configurations for assessment servers.

To edit an instance configuration
1 On the Assessment Server Management screen, expand the Connectors row for the assessment server you want and then select the Edit link for the instance configuration you want to edit.
The instance configuration screen for the connector you selected is displayed.
2 Edit the instance as desired.
3 Select Submit to save.

Deleting Instance Configurations

The Delete Instance Configuration function allows authorized Preventsys users to remove instance configurations from an assessment server.

Note: If you have multiple instance configurations of the same type and you delete one while assessments are running, the system will attempt to use the remaining instance.

To delete an instance configuration
1 On the Assessment Server Management screen, expand the Connectors row for the assessment server you want and then select the Delete link for the instance configuration you want to remove. A confirmation popup box is displayed.
2 Select OK to continue or Cancel to quit.
3 If you selected OK, the system deletes the selected instance configuration from the assessment server.

CHAPTER 4 User Authorization

The Preventsys SRM System controls access to functionality and content using a group-based access control mechanism. This chapter provides details about how to grant access to functionality by adding permissions to groups, how to grant access to content by associating networks with groups, how to add users to the system, and how to add users to groups. The following terms and their definitions will assist you when reading this chapter.

User Account: A User Account grants the user associated with that account initial access to the Preventsys SRM System. The account must be added to a group (or groups) to give the user additional access to functionality and content.

Resource: A Resource is an object of the Preventsys SRM System. For example, all of the management screens in the system are resources (e.g., Assessment Configuration Management, User Administration Management, etc.).
Permission: A Permission is an action that can be performed on a resource (e.g., read, modify, etc.). By giving a group a permission, you grant that group access to the associated functionality. For example, the "Modify User" permission for the "Users" resource gives users the ability to add, edit, and delete user accounts. Permissions are also granted at the network level, which gives users access to content in areas where content is driven by networks. For example, if a group has the "Assign Remediations" permission for the "Remediations" resource and permission to the "AcmeDataCenter" network, then members of that group can view and assign tasks for assets within the "AcmeDataCenter" network range.

User Group: A User Group is where you define the resources and permissions that members of that group will have.

Managing User Groups

A User Group defines the resources, permissions, and networks to which its members have access. When users are added to a group, they automatically inherit the access rights of that group. A user can belong to more than one group; in that case, the least restrictive permission takes precedence. For example, the "modify" permission takes precedence over the "read" permission. Because rights accumulate across groups in this way, review every group a user belongs to before assuming that membership in a "read only" group limits what that user can do. Since access is managed by group rather than by user name, if you want a particular user to have unique access permissions, you should create a separate group for that individual. Any change made to a group's permissions is automatically applied to all members of that group. Removing a user from one group and adding them to another severs all connections to the resources, permissions, and networks of the previous group and replaces them with those of the new group.

The Preventsys SRM System comes with a predefined group called "Super Users" that provides full access to the system.
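The authorization model just described, as an added example rather than Preventsys code: a user's rights are the union of the rights of every group they belong to (so the least restrictive permission wins), functionality is gated by a (resource, permission) pair, network-driven content is additionally gated by the networks associated with the user's groups, reports require every network in a network group, and the predefined Super Users group passes every check. The resource and permission names are taken from the table in this chapter; the group names, network names and addresses are constructed for illustration.

```python
"""Group-based authorization as the guide describes it.

Added example; not Preventsys code. Resource/permission strings follow the
guide's table; groups, users, network names and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set, Tuple

Perm = Tuple[str, str]  # (resource, permission), e.g. ("Remediations", "assign remediations")


@dataclass(frozen=True)
class Group:
    name: str
    permissions: FrozenSet[Perm] = frozenset()
    networks: FrozenSet[ipaddress.IPv4Network] = frozenset()
    super_user: bool = False  # the predefined "Super Users" group: everything, everywhere


@dataclass
class User:
    name: str
    groups: List[Group] = field(default_factory=list)


def is_super_user(user: User) -> bool:
    return any(g.super_user for g in user.groups)


def effective_permissions(user: User) -> Set[Perm]:
    """Union across groups: a "read only" grant in one group never takes
    away a "modify" or "assign" grant held through another group."""
    perms: Set[Perm] = set()
    for g in user.groups:
        perms |= g.permissions
    return perms


def effective_networks(user: User) -> Set[ipaddress.IPv4Network]:
    return {net for g in user.groups for net in g.networks}


def authorized(user: User, resource: str, permission: str,
               asset_ip: Optional[str] = None) -> bool:
    """Functionality check, plus a network check when the content is
    driven by networks (pass the asset's IP address in that case)."""
    if is_super_user(user):
        return True
    if (resource, permission) not in effective_permissions(user):
        return False
    if asset_ip is None:
        return True
    addr = ipaddress.ip_address(asset_ip)
    return any(addr in net for net in effective_networks(user))


def can_view_report(user: User, network_group: List[ipaddress.IPv4Network]) -> bool:
    """Reports are scoped at the network-group level: the user needs the
    "access reports" permission and every network in the network group,
    not just one of them."""
    if is_super_user(user):
        return True
    if ("Reports", "access reports") not in effective_permissions(user):
        return False
    return all(net in effective_networks(user) for net in network_group)


# Constructed sample data.
ACME_DC = ipaddress.ip_network("10.10.0.0/16")   # "AcmeDataCenter"
ACME_LAB = ipaddress.ip_network("10.20.0.0/16")  # "AcmeLab"

READERS = Group("dc-readers",
                frozenset({("Remediations", "read only")}),
                frozenset({ACME_DC}))
DC_ADMINS = Group("dc-admins",
                  frozenset({("Remediations", "assign remediations"),
                             ("Reports", "access reports")}),
                  frozenset({ACME_DC}))
SUPER_USERS = Group("Super Users", super_user=True)

ALICE = User("alice", [READERS, DC_ADMINS])  # read in one group, assign in another
BOB = User("bob", [READERS])
PREVENTSYS = User("preventsys", [SUPER_USERS])

if __name__ == "__main__":
    print(authorized(ALICE, "Remediations", "assign remediations", "10.10.3.7"))  # True
    print(can_view_report(ALICE, [ACME_DC, ACME_LAB]))                              # False
```

Alice can assign remediations for an asset in AcmeDataCenter even though one of her groups is read-only, because the stronger grant from dc-admins wins; she cannot assign for an asset in AcmeLab, and she cannot view a report whose network group includes AcmeLab, because report access requires all of the group's networks.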
Full access means that the group has permission to modify all resources and to view content for all networks. Note that content displayed on some resources in the system is controlled at the network group level rather than the network level. For those areas, for example reporting, the user must belong to a group (or groups) with both the permission for viewing the resource and all the networks that make up the network group associated with the content displayed on the report.

About Resources and Permissions

The following table presents all the resources and their corresponding permissions, the functions that each of them controls, and the screens to which they allow access. Each resource is listed with its permissions in the form "permission: functions".

Users
  read only: Read (no adding or modifying)
  modify users: Add/Edit/Delete users, and add and remove users from groups
  modify groups: Add/Edit/Copy/Delete groups, and add/remove group associations from networks
  (no permission required): Edit Self, via the link from "Hello username" > My Details. Note: Unless the logged-in user has other user management permissions, they can only change their password, full name, and email address.

Assets
  read only: Read (no adding or modifying)
  modify assets: Add/Edit/Delete assets
  modify asset properties: Add/Edit/Delete properties
  modify services: Add/Edit/Delete services
  modify exclusion lists: Add/Edit/Delete exclusion lists
  globalize exclusion lists: Make global

Networks
  read only: Read (no adding or modifying)
  modify networks: Add/Edit/Delete networks
  modify network properties: Add/Delete properties
  modify network groups: Add/Edit/Delete network groups

Assessment Servers
  read only: Read (no adding or modifying)
  modify assessment servers: Add/Edit/Delete assessment servers and connector instances

System Updates
  update system: Read/Upload/Update/Rollback/Check for Updates

System Preferences
  modify due date and criticality: Edit due date and criticality

Manual Audit Tasks
  read only: Read (no adding or modifying)
  modify MATs: Add/Copy/Edit/Delete MATs (includes assignment and scheduling)
  modify MAT Recipient Groups: Add/Copy/Edit/Delete recipient groups
  resolve MATs: Update MAT status/View MAT summary

Remediations
  read only: Read (no adding or modifying)
  assign remediations: Assign and reassign/Modify due date
  prioritize remediations: Prioritize/Modify due date
  modify pre-assignment rules: Add/Edit/Delete rules
  resolve remediations: Update remediation status/View My Tasks portlet/View remediation details/Patch remediations
  modify external systems: Add/Edit/Delete external PMS and remediation systems and users

Policies and Rules
  read only: Read (no adding or modifying)
  modify rules/policies: Access PolicyLab/View Policy and Rule Management/View Policy and Rule
  deactivate rules/policies: Deactivate rules and policies
  import/export policies: Import and Export

Assessments
  read only: Read (no adding or modifying)
  modify assessment configurations: Add/Edit/Copy/Delete assessment configurations
  modify analysis: Select a policy and the threat analysis option when editing an assessment configuration
  import: Import To Assessment
  schedule: Add/Edit/Delete schedules/Execute Now
  cancel: Cancel assessments
  pause: Pause/Resume assessments
  terminate all: Terminate all assessments
  delete: Delete assessments
  hide: Hide assessments
  unhide: Unhide assessments
  reanalyze: Configure reanalysis and view reanalysis status
  modify connector configurations: Add/Edit/Delete connector configurations

Threat Alerts
  modify enterprise groups: Add/Edit/Copy/Delete/Activate
  read threat alerts: All Threats/Threat Details/Latest Threats

Reports
  access reports: Read/Modify filter/View Enterprise Compliance, Enterprise Trending, Exposure, and Compliance Dashboard portlets
  publish reports: Publish/Delete

The Preventsys SRM System comes with a predefined group called the "Super User" group, which has one user called "Preventsys". This group has all resources and permissions for all networks. Users can be added to and removed from the group as long as at least one user remains in it, but the group itself cannot be edited, deleted, or copied. The Preventsys user account is generally reserved for the Preventsys SRM System's lead administrator and ships with a default password:

Username: preventsys
Password: audit

While this default account is generally used for initial setup and subsequent system administration, it is strongly suggested that you change the default account's password as soon as possible. Because this credential is printed in this guide and grants full access to every resource and network, treat it as public: change it during initial setup, before the system is reachable by anyone other than the installer.

All user group administration is conducted from the Group Management screen.

To access the Group Management screen
1 Click Admin > Groups. The Group Management screen is displayed.

The Group Management screen allows authorized users to view existing groups, create new groups, edit existing groups, add and remove group members, and remove groups. You can also view groups by the networks to which they are associated by selecting the By Network tab. Note that the Super User group cannot be edited, copied, or deleted; you can only add and remove users from it.
Note: If you are a member of the Super User group, then all groups are displayed. Otherwise, only groups to which you belong are displayed.

Adding User Groups

The system automatically adds you as a member of every User Group you create.

To add a User Group
1 On the Group Management screen, click the Add New Group button. The Add Group screen is displayed.
2 Enter a name for the user group and a description if desired.
3 Select the permissions under each resource to which you want the group to have access. Selecting the checkbox next to a resource name selects all permissions for that resource.
A checkbox with a gray check means that some, but not all, permissions for the resource are selected.
Note: If a group is given both a "read only" and a "modify" permission for the same resource, the "modify" permission takes precedence.
4 Select the networks to which you want the group to have access. By selecting a network, you allow all members of the group to view and modify content associated with that network. For example, a group with permission to "network1" and the "resolve remediations" permission can be assigned remediation tasks associated with assets in network1.
Note: If you are a member of the Super User group, then all networks are displayed. Otherwise, only networks within the range of the network permissions of the groups to which you belong are displayed.

Editing User Groups

If a group is edited so that permissions or networks are removed from it, members of that group no longer have authorization to the removed permissions and network ranges. To retain the same authorization, a user must belong to another group or groups with the same permission and network range combinations that were removed.

To edit a group
1 On the Group Management screen, click the Edit link for the group you want to modify. The Edit Group screen is displayed.
2 Edit the group as desired.
3 Select Submit to save.

Deleting User Groups

If a group is deleted, members of that group no longer have authorization to the permissions and network ranges that were unique to that group. To retain the same authorization, a user must belong to another group or groups with the same permission and network range combinations as the deleted group.

To delete a group
1 On the Group Management screen, click the Delete link for the group you want removed. A confirmation popup box is displayed.
2 Select OK to continue or Cancel to quit.
3 If you selected OK, the system deletes the selected group.

Adding and Removing Users from Groups

The Add and Remove Users function allows authorized users to add users to and remove users from groups. If a user is removed from a group, that user no longer has authorization to the permissions and network ranges unique to that group. To retain the same authorization, the user must belong to another group or groups with the same permission and network range combinations as the group they were removed from.

Note: The system will not allow a logged-in user to remove himself/herself from the Super User group. Another logged-in user with the correct permissions must perform this action on behalf of that user.

To add and remove users
1 On the Group Management screen, select the Add/Remove Group Users link. The Add/Remove Users screen is displayed.
Note: All users are displayed regardless of which group(s) they belong to, including users who do not belong to any group.
2 Select Submit to save.

Managing Users

All user administration is conducted from the User Management screen.

To access the User Management screen
1 Click Admin > User. The User Management screen is displayed with the By User tab selected by default.

From this screen, you can view a list of existing users by their usernames. You can also add new users, edit existing users, and delete users.
Note: The By User tab displays all users in the system regardless of your group permissions.

If you select the By Group tab, you can view a list of existing groups and their members.
Note: The By Group tab displays all groups and their members in the system regardless of your group permissions.

Adding User Accounts

All users must be assigned a username, a password, a full name, and an email address.
In addition, users should be added to at least one group that has the resources and permissions you want them to have in the system.

To add a user
1 On the User Management screen, click the Add New User button. The Add User screen is displayed.
2 Enter the following data for the new user:
Username (20 characters maximum)
Password (50 characters maximum)
Enter the password again in the Verify Password field
Full Name (must be unique)
Email Address
3 Select the Group(s) to which you want the new user to belong.
Note: If you are a member of the Super User group, then all groups are displayed in the "Groups" list. Otherwise, only the groups to which you belong are presented.
4 Click Submit to add the user.

Editing User Accounts

You cannot edit your own username. Only a user belonging to the Super User group, or a user belonging to a group with the "Users" resource, the "Modify Users" permission, and the same network associations as your group, can make this change for you.
Note: Only users that belong to the Super User group can modify the user accounts of other users that belong to the Super User group.

To edit a user
1 On the User Management screen, click the Edit link for the user you want to modify. The Edit User screen is displayed.
2 Edit the user's information as desired.
3 Click Submit to save.

Deleting User Accounts

You cannot delete yourself from the system. If there is only one user in the Super User group, you also cannot delete that user.

Remediation Tasks

Open remediation tasks that are assigned to a deleted user are automatically changed to the "Unassigned" state by the system. For example, if user JohnSmith has four remediation tasks that have not been resolved (i.e., he has not changed their statuses to Claimed Resolved, False Positive, or Accepted Risk), the system changes the status of these four tasks to Unassigned after he is deleted.
They can then be reassigned to a different user. See the "Remediations" chapter for details about Remediation Task Management.

To delete a user account
1 On the User Management screen, click the Delete link for the user you want removed. A confirmation popup box is displayed.
2 Select OK to continue or Cancel to quit.
3 If you selected OK, the system deletes the selected user.

Changing Your User Information

You can change your password, full name, and email address by clicking your username in the upper right-hand corner of any screen, next to the word "Hello". Click Submit when finished to save your changes.
Note: You cannot edit your own username. Only a user belonging to the Super User group, or a user belonging to a group with the User resource, the Modify Users permission, and the same network associations as your group, can make this change for you.

Associating a User with an External Remediation System

The Associate External Remediation User screen is displayed following the creation of a new user if you have an external remediation system configured in the Preventsys SRM System. See the "Remediations" chapter for details about working with external remediation users. This screen allows you to associate an external remediation system user with a Preventsys user to allow for the exchange and synchronization of remediation task status. Preventsys users with external remediation system associations should always be granted the "Remediations" resource and its "resolve remediations" permission. Since the external user inherits the Preventsys user's privileges, this ensures that you can assign tasks to that external user. For the same reason, link an external user only to a Preventsys account that holds the permissions and networks that external user actually needs, not to an administrator account. Note that only existing external users may be associated via the Add User and Edit User functions.
To access the Associate User functionality, you must first have added the selected user via the Add External Remediation System User function. If the external user is subsequently disassociated from the Preventsys user, tasks remain assigned to the external user. If the external user association is removed from the Preventsys SRM System, all remaining tasks are assigned to the Preventsys user. See the "Remediations" chapter for details about working with external remediation systems and users.

CHAPTER 5 Assets and Networks

Before the Preventsys SRM System can perform assessments on your networks, you must first define those networks. This chapter discusses how to add networks, assets, and network groups. The following terms and definitions will assist you when reading this chapter.

Asset: An Asset is an IP-based system (router, switch, server, firewall, etc.).

Service: A Service specifies whether the given service runs over TCP or UDP and the port on which the service runs. Services are associated with Host Property Specifications to specify which services are required or prohibited for an asset.

Host Property: A Host Property defines the asset/host type (e.g., Trusted, Firewall, Router). This allows for the detection of policy violations in the context of asset type during analysis if a policy is used.

Network: A Network is a collection of IP-based systems (routers, switches, servers, firewalls, etc.) that are grouped as a logical unit. For example, one network could be the "Finance Network", which would include all of the servers, routers, and systems that serve the finance department.

Network Property: A Network Property defines the network type (e.g., DMZ, Private, Public). This allows for the detection of policy violations in the context of network type during analysis if a policy is used. Network properties can be exclusive or non-exclusive.
Time Window: A Time Window specifies the times at which the system is allowed to conduct assessments on a given network.

Network Group: A Network Group is a network or a selection of networks that you group together for the purposes of assessment. When creating an Assessment Configuration, you select the network group you want to assess.

Exclusion List: An Exclusion List specifies the assets that you want the system to ignore during an assessment.

Managing Assets

Each asset represents a specific machine on your network and must have a name, an IP address, a unique ID, an operating system, a description, a host property, a financial impact, and an operational impact value. The unique ID represents either a static IP address or, on DHCP networks, a MAC address. This unique ID is used to identify assets despite changes to the asset's name or IP address.

Asset properties are used to define the type of asset, allowing for the detection of policy violations in the context of asset type during analysis. The financial impact of an asset (e.g., its replacement cost) is used for calculating assets-at-risk data. If you wish to assign a specific dollar value to an individual asset, you may do so using the Edit Asset function. Assets that are not assigned a financial impact use the average value assigned to the parent network. The hourly operational impact is the cost you would incur from an operations perspective (e.g., the amount of work time lost in dollars per hour) if a machine were compromised. This value is used for calculating exposure risk, which is displayed on the Security Risk Dashboard. Assets that are not assigned an operational impact use the average value assigned to the parent network.
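The asset record and the two rules above (tracking by Unique ID across assessments, and the fall-back to the parent network's average impact values), worked through as an added example that is not Preventsys code. The record fields follow the asset definition in this section; the merge rules applied to a discovery result, the network name and all addresses and dollar values are constructed here.

```python
"""Asset tracking by Unique ID across assessments, and the impact-value
fallback the guide describes: an asset with no financial or operational
impact of its own uses the average value assigned to its parent network.

Added example; not Preventsys code. Record fields follow the guide's asset
definition; merge rules, network name and all values are constructed.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Network:
    name: str
    cidr: ipaddress.IPv4Network
    avg_financial_impact: float    # average replacement cost per asset
    avg_operational_impact: float  # average cost per hour if compromised


@dataclass(frozen=True)
class Asset:
    unique_id: str   # static IP address, or MAC address on DHCP networks
    ip: str
    name: str
    os: str = ""
    description: str = ""
    host_property: str = ""
    financial_impact: Optional[float] = None    # None = inherit network average
    operational_impact: Optional[float] = None  # None = inherit network average


def parent_network(asset: Asset, networks: List[Network]) -> Network:
    addr = ipaddress.ip_address(asset.ip)
    for net in networks:
        if addr in net.cidr:
            return net
    raise LookupError(f"{asset.ip} is not inside any defined network")


def effective_impacts(asset: Asset, networks: List[Network]) -> Tuple[float, float]:
    """(financial, operational per hour), applying the parent-network fallback."""
    net = parent_network(asset, networks)
    fin = net.avg_financial_impact if asset.financial_impact is None else asset.financial_impact
    ops = net.avg_operational_impact if asset.operational_impact is None else asset.operational_impact
    return fin, ops


def reconcile(inventory: Dict[str, Asset],
              discovered: List[Asset]) -> Tuple[Dict[str, Asset], List[str]]:
    """Merge a discovery result (what Dynamic Address Resolution returns)
    into the inventory, keyed on Unique ID. A known ID keeps its manually
    maintained fields (host property, impact values, description) and takes
    the discovered IP, name and OS, so a DHCP host that moved address is not
    duplicated; an unknown ID becomes a new asset. IDs not seen this time
    are returned separately so the caller can decide whether to drop them."""
    merged = dict(inventory)
    seen = set()
    for found in discovered:
        seen.add(found.unique_id)
        known = merged.get(found.unique_id)
        if known is None:
            merged[found.unique_id] = found
        else:
            merged[found.unique_id] = replace(known, ip=found.ip, name=found.name,
                                              os=found.os or known.os)
    missing = sorted(uid for uid in merged if uid not in seen)
    return merged, missing


# Constructed sample data.
NETWORKS = [Network("Finance Network", ipaddress.ip_network("10.10.0.0/16"), 5000.0, 800.0)]
INVENTORY = {
    "00:11:22:33:44:55": Asset("00:11:22:33:44:55", "10.10.1.20", "fin-ws-01",
                               host_property="Trusted", operational_impact=1200.0),
    "10.10.1.5": Asset("10.10.1.5", "10.10.1.5", "fin-db-01",
                       financial_impact=25000.0),
}
DISCOVERED = [
    Asset("00:11:22:33:44:55", "10.10.1.37", "fin-ws-01", os="Windows XP"),  # new DHCP lease
    Asset("00:aa:bb:cc:dd:ee", "10.10.1.40", "fin-ws-02", os="Windows XP"),  # never seen before
]

if __name__ == "__main__":
    merged, missing = reconcile(INVENTORY, DISCOVERED)
    for uid, asset in sorted(merged.items()):
        print(uid, asset.ip, effective_impacts(asset, NETWORKS))
    print("not seen this assessment:", missing)
```

The workstation keyed on its MAC address keeps its host property and its own operational impact while its IP is updated to the new lease; its financial impact falls back to the Finance Network average. The database server keyed on its static IP was not seen and is reported as missing rather than silently dropped.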
After you add the networks you want to assess, creating and running an assessment triggers the Dynamic Address Resolution process, which automatically populates the Preventsys SRM System with asset data. You can then edit these assets and add information such as the asset's unique ID, host property, and dollar value. While this process automatically retrieves asset data as part of the assessment, you may also manually add and delete assets. All asset administration is conducted from the Asset Management screen.

To access the Asset Management screen
1 Click Admin > Assets. The Asset Management screen is displayed.

From the Asset Management screen, you can view a list of existing assets, view details about an asset, add new assets, edit existing assets, and delete assets.
Note: If you are a member of the Super User group, then all assets are displayed. Otherwise, only assets within the range of the network permissions of the groups to which you belong are displayed.

Adding an asset

Assets are generally acquired using the Dynamic Address Resolution Connector (DARC) during the assessment process. New assets only need to be added manually in the rare cases where DARC cannot acquire basic asset data, for example when DARC cannot generate the required data for packet-filtered assets or assets with sporadic uptime.

To add an asset
1 On the Asset Management screen, click the Add New Asset button. The Add Asset screen is displayed.
2 Enter the following information:
IP Address of the new asset
Note: You can only enter assets that are within the range of the network permissions of the groups to which you belong.
Asset name (50 characters maximum)
Unique ID Operating System Description for the new asset Select Asset Properties (you can select multiple properties by holding down the CTRL key while making your selections) Financial impact Operational Impact per Hour Click Submit to add the asset. Editing an asset The Dynamic Address Resolution Connector (DARC) automatically retrieves basic asset data as part of the assessment process; however, asset properties and dollar values must be assigned manually. To edit an asset 1 2 On the Asset Management screen, click the Edit link for the asset you want to modify. The Edit Asset screen is displayed. Edit the asset’s information as desired. Note: In general, it is recommended that you do not edit the Unique ID field. This is the value used to track hosts across successive assessments. The Unique ID should only be edited for manually added hosts or for hosts that change to a new static IP address. 32 PREVENTSYS™ SRM USER’S GUIDE 3 CHAPTER 5 | ASSETS AND NETWORKS Click Submit to save your changes. Deleting an Asset Assets are normally deleted automatically by the Dynamic Address Resolution Connector (DARC) as part of the assessment process. Assets only need to be deleted manually in rare instances where DARC cannot track the selected asset (as in the case of manually added assets) or where the assessment process is causing errors on the specified asset. For example, if the assessment process is causing a printer to crash, you may manually delete the printer’s asset to alleviate the problem. To delete an asset 1 2 3 On the Asset Management screen, click the Delete link for the asset you want removed. A confirmation popup box is displayed. Select OK to continue or Cancel to quite. If you selected OK, the system deletes the selected asset. Managing Host Properties Assets are categorized into types referred to as Asset Properties (i.e. server, desktop, DMZ, etc.). 
During analysis, asset properties allow policy violations to be detected in the context of asset type when PDL policies are applied to assessment results. For example, the Webserver_Constraint host property may be applied to dedicated Web servers to ensure that they run no services other than SSHD (the Secure Shell daemon) and HTTPD (the Hypertext Transfer Protocol daemon). A policy violation is reported if any other service is detected when assets with the Webserver_Constraint host property are assessed.

There are two types of asset properties: "Label" and "Specification". A Host Property Label defines a list of assets that may or may not share any network characteristics. A Host Property Specification also defines a list of assets, and in addition specifies the services that are required or prohibited on each of those assets.

For example, if a company's "development machines" neither require nor prohibit any specific services, a host property label can be used to identify the assets that are considered development machines. Machines like "Commerce Servers", on the other hand, often share specific characteristics: in most corporations a Commerce Server requires HTTPS, may allow HTTP, and prohibits insecure services such as telnet. In this case a host property specification defines both the list of assets that are commerce servers and which services are required, allowed, and prohibited on them.

Label-based asset properties include a name only. Specification-based asset properties include a name, description, solution, severity level, and service mappings, as well as an indicator that determines whether the host property is applied to all assets. The description provides basic information about the host property and is displayed in reports.
The solution includes a text description and/or links for alleviating policy violations associated with the host property. Severity levels range from 1 to 100, with 100 being the most severe.

The Preventsys SRM System provides a set of standard Host Property Specifications and Host Property Labels. Refer to the Preventsys SRM System Policy Reference Guide for a list of these.

All Host Property administration is conducted from the Host Property Management screen.

To access the Host Property Management screen
1 Click Admin > Host Property. The Host Property Management screen is displayed.

From the Host Property Management screen, you can view a list of existing properties, add new properties, edit existing properties, and delete properties.

Adding a Host Property

The Add Host Property function allows authorized Preventsys users to create new asset properties.

To add a host property
1 On the Host Property Management screen, click the Add New Host Property button. The Add Host Property screen is displayed.
2 Enter the Host Property Name (80 characters maximum). A host property name cannot include spaces.
3 Select whether the host property is Specification or Label based. If you select Label based, skip to the final step.
4 Enter a Description for the new host property (2047 characters maximum).
5 Enter a Solution for the new host property (2047 characters maximum).
6 Select a severity level from the Severity pull-down control.
7 Select the Apply to All Assets checkbox if you want this property applied to all existing assets as well as to new assets.
   Note: The Apply to All Assets option applies the property only to assets that are within the range of the network permissions of the groups to which you belong.
8 Select which services are mapped to this property, that is, whether each service is Mandatory, Allowed, or Prohibited, using the pull-down menu for each service.
9 Select how you want the system to handle services that you have not marked as Mandatory, Allowed, or Prohibited. This default governs how any service not listed in the mapping is treated when the asset is assessed, so choose it deliberately.
10 Click Submit to add the new host property.

Editing a Host Property

The Edit Host Property function allows authorized Preventsys users to edit existing Specification-based asset properties. You cannot change a Specification-based host property to a Label-based property.

Note: Label-based asset properties cannot be edited. Because a Label-style asset property consists of a name only, replace it when necessary using the Delete Host Property and Add Host Property functions.

To edit a host property
1 On the Host Property Management screen, click the Edit function for the property you want to modify. The Edit Host Property screen is displayed.
2 Edit the host property's information as desired. Note that a host property name cannot be edited.
3 Click Next.
4 Click Submit to save the changes.

Deleting a Host Property

The Delete Host Property function allows authorized Preventsys users to remove asset properties that are no longer used on their networks. The screen features two dialog boxes, one listing Specification asset properties and one listing Label asset properties.

To delete a host property
1 On the Host Property Management screen, click the Delete link for the property you want removed. A confirmation popup box is displayed.
2 Select OK to continue or Cancel to quit.
3 If you selected OK, the system deletes the selected property.

Managing Services

As discussed previously, a Host Property Specification defines a list of assets and specifies the services that are required or prohibited on each of those assets. The Preventsys SRM System ships with the standard services listed below.
You can also add custom services using the Add Service function described in this section.

Service Name       Protocol  Port
BearShare          tcp       6346
bootp              tcp       67
chargen            tcp       19
daytime            tcp       13
deslogin           tcp       2005
dhcp client        tcp       68
discard            tcp       9
domain             tcp       53
echo               tcp       7
eMule              tcp       4662
exec               tcp       512
finger             tcp       79
ftp                tcp       21
Gnutella           tcp       6346
Hotline Server     tcp       5500
http               tcp       80
https              tcp       443
imap               tcp       143
Kazaa              tcp       1214
loc-srv            tcp       135
login              tcp       513
Microsoft-DS       tcp       445
ms-sql-s           tcp       1433
MySQL              tcp       3306
Napster            tcp       8875
Napster            tcp       8888
netbios            tcp       135
netbios            tcp       136
netbios            tcp       137
netbios            tcp       138
netbios            tcp       139
netbios-ssn        tcp       139
netstat            tcp       15
Oracle SQL*NET     tcp       1521
pop3               tcp       110
postgres           tcp       5432
printer            tcp       515
shell              tcp       514
smtp               tcp       25
snpp               tcp       444
Soulseek           tcp       2234
ssh                tcp       22
sunrpc             tcp       111
Sybase             tcp       2638
telnet             tcp       23
time               tcp       37
UPnP               tcp       5000
uucp               tcp       540
webcache           tcp       8080
WinMX              tcp       6699
Blubster           udp       41170
bootp              udp       67
chargen/udp        udp       19
daytime/udp        udp       13
dhcp client        udp       68
discard/udp        udp       9
domain             udp       53
echo/udp           udp       7
Gnutella           udp       6346
ipsec              udp       500
ldap               udp       389
lockd              udp       4045
microsoft-ds       udp       445
ms-sql-m           udp       1434
ms-sql-s           udp       1433
netbios            udp       135
netbios            udp       136
netbios            udp       137
netbios            udp       138
netbios            udp       139
netstat/udp        udp       15
nfs                udp       2049
nntp               udp       119
ntp                udp       123
portmap            udp       111
qotd               udp       17
snmp               udp       161
snmp               udp       162
syslog             udp       514
systat             udp       11
tftp               udp       69
time               udp       37
WinMX              udp       6257
x11                udp       6000

Each service has a service name, a protocol, and a service port. The service port is the port on which the service runs; the protocol indicates whether the service runs over TCP or UDP. Because a service is defined only by its protocol and port, a daemon listening on a non-standard port is matched against whatever service is defined for that port, not by what the daemon actually is.

All services administration is conducted from the Services Management screen.

To access the Services Management screen
1 Click Admin > Services. The Services Management screen is displayed.
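As an added example (not Preventsys code or a PDL rule), the following Python evaluates a Host Property Specification of the kind described under Managing Host Properties against the (protocol, port) endpoints an assessment finds open, using a constructed subset of the services table above as the catalog. The Webserver_Constraint specification follows the text (only SSHD and HTTPD allowed, everything else prohibited); the Commerce_Server specification, the severities, and treating an endpoint on an unknown or deactivated port as an unlisted service are assumptions. It also mirrors the rule that a service must be disassociated from a property before it can be deleted: a specification that maps a deactivated service is rejected.

```python
"""Evaluate a Host Property Specification against the services observed on an asset.

Added example, not Preventsys code or PDL. It models the Mandatory / Allowed /
Prohibited mappings plus the default for unlisted services from "Managing Host
Properties". CATALOG is a constructed subset of the standard services table; the
severities and the Commerce_Server specification are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Mapping(Enum):
    MANDATORY = "Mandatory"
    ALLOWED = "Allowed"
    PROHIBITED = "Prohibited"


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str          # "tcp" or "udp"
    port: int
    active: bool = True    # a deleted service stays in the table with Active = No


# Constructed subset of the standard services table; deslogin is shown as deleted.
CATALOG = [
    Service("ssh", "tcp", 22), Service("telnet", "tcp", 23), Service("ftp", "tcp", 21),
    Service("http", "tcp", 80), Service("https", "tcp", 443), Service("ms-sql-s", "tcp", 1433),
    Service("snmp", "udp", 161), Service("deslogin", "tcp", 2005, active=False),
]
BY_ENDPOINT = {(s.protocol, s.port): s for s in CATALOG}
BY_NAME = {s.name: s for s in CATALOG}


@dataclass(frozen=True)
class HostPropertyLabel:
    """Label-based property: a name only. It tags assets and never yields violations."""
    name: str


@dataclass
class HostPropertySpecification:
    name: str
    severity: int                            # 1..100, 100 most severe
    mappings: dict                           # service name -> Mapping
    unspecified: Mapping = Mapping.ALLOWED   # how services not in `mappings` are treated
    description: str = ""
    solution: str = ""

    def __post_init__(self):
        if " " in self.name:
            raise ValueError("a host property name cannot include spaces")
        if not 1 <= self.severity <= 100:
            raise ValueError("severity must be between 1 and 100")
        if self.unspecified is Mapping.MANDATORY:
            raise ValueError("unlisted services can only default to Allowed or Prohibited")
        for svc in self.mappings:
            # A service must be disassociated from every property before it can be deleted,
            # so a mapping may only reference an active service.
            if svc not in BY_NAME or not BY_NAME[svc].active:
                raise ValueError(f"{svc!r} is not an active service")


def evaluate(prop, observed):
    """Return the sorted violations for one asset.

    `observed` is the set of (protocol, port) endpoints the assessment found open.
    Endpoints are matched to the catalog by protocol and port only; anything on an
    unknown or deactivated port is reported as "unknown" and falls under the default.
    """
    if isinstance(prop, HostPropertyLabel):
        return []
    violations, seen = [], set()
    for proto, port in observed:
        svc = BY_ENDPOINT.get((proto, port))
        if svc is not None and svc.active:
            seen.add(svc.name)
            rule = prop.mappings.get(svc.name, prop.unspecified)
            label = f"{svc.name} ({proto}/{port})"
        else:
            rule, label = prop.unspecified, f"unknown {proto}/{port}"
        if rule is Mapping.PROHIBITED:
            violations.append(f"prohibited service {label} is running")
    for svc_name, rule in prop.mappings.items():
        if rule is Mapping.MANDATORY and svc_name not in seen:
            violations.append(f"mandatory service {svc_name} is not running")
    return sorted(violations)


# Dedicated web servers run nothing but SSHD and HTTPD (Webserver_Constraint in the text).
WEBSERVER_CONSTRAINT = HostPropertySpecification(
    "Webserver_Constraint", 70, {"ssh": Mapping.ALLOWED, "http": Mapping.ALLOWED},
    unspecified=Mapping.PROHIBITED,
    description="Dedicated web servers run no services other than SSHD and HTTPD.",
    solution="Disable or firewall every service other than ssh and http.")

# Commerce servers require HTTPS, may run HTTP, and prohibit telnet (severity assumed).
COMMERCE_SERVER = HostPropertySpecification(
    "Commerce_Server", 90,
    {"https": Mapping.MANDATORY, "http": Mapping.ALLOWED, "telnet": Mapping.PROHIBITED})

DEVELOPMENT_MACHINE = HostPropertyLabel("Development_Machine")

if __name__ == "__main__":
    print(evaluate(WEBSERVER_CONSTRAINT, {("tcp", 22), ("tcp", 80), ("tcp", 21), ("tcp", 8443)}))
    print(evaluate(COMMERCE_SERVER, {("tcp", 80), ("tcp", 23)}))
    print(evaluate(DEVELOPMENT_MACHINE, {("tcp", 6346)}))
```

The two specifications show why step 9 of Adding a Host Property matters: Webserver_Constraint defaults unlisted services to Prohibited, so an FTP daemon and an unknown listener on tcp/8443 are both violations, whereas Commerce_Server defaults to Allowed and only complains about telnet and the missing HTTPS.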
On the Services Management screen, you can view a list of existing services (both active and inactive), add new services, edit existing services, and delete services. An active service (Active = Yes) is available for use. A deactivated service (Active = No) has been deleted and is displayed only for historical reference and reporting purposes.

Adding a Service

The Add Service function allows authorized Preventsys users to create new services.

To add a service
1 On the Services Management screen, click the Add New Service button. The Add Service screen is displayed.
2 Enter a Service Name for the new service (50 characters maximum).
   Note: An active service can have the same name as a deleted service, but no two active services can have the same name.
3 Enter the Service Port.
4 Select whether the new service's protocol is TCP or UDP using the pull-down menu.
5 Click Submit to add the new service.

Editing a Service

The Edit Service function allows authorized Preventsys users to edit previously created services.

Note: You can only edit active services. Services that are not active have been deleted and are displayed for reference only.

To edit a service
1 On the Services Management screen, click the Edit function for the service you want to modify. The Edit Service screen is displayed.
2 Modify the Service Port if required.
3 Modify whether the service's protocol is TCP or UDP using the pull-down menu, if required.
4 Click Submit to save the changes.

Deleting a Service

The Delete Service function allows authorized Preventsys users to delete previously created services. A deleted service is kept in the system for historical and reporting purposes, so deleting a service changes its Active value from Yes to No rather than removing the row. You cannot reactivate a deleted service.
Note: To delete a service that is associated with a host property, you must first remove the association by editing the host property.

To delete a service
1 On the Services Management screen, click the Delete function for the service you want removed. A confirmation popup box is displayed.
2 Select OK to continue or Cancel to quit.
3 If you selected OK, the system deactivates the selected service.

Managing Exclusion Lists

An Exclusion List lets you specify assets or address ranges that you want the system to ignore during an assessment. You can configure an Exclusion List so that it is applied automatically to all assessments (including those that already exist), or so that it must be selected each time you create an assessment.

All exclusion list administration is conducted from the Exclusion List Management screen.

To access the Exclusion List Management screen
1 Click Admin > Exclusion Lists. The Exclusion List Management screen is displayed.

Note: If you are a member of the Super User group, all exclusion lists are displayed. Otherwise, only exclusion lists within the range of the network permissions of the groups to which you belong are displayed.

Adding an Exclusion List

When you create an exclusion list, you are specifying that a certain asset or range of assets is ignored by the system when the list is applied manually to an assessment. See "Making an Exclusion List Global" for details about configuring a list so that it is applied automatically to all assessments.

To add an Exclusion List
1 On the Exclusion List Management screen, click the Add New List button. The Add Exclusion List screen is displayed.
   Note: You can create an Exclusion List based on another list by selecting the Copy an Existing Exclusion List radio button.
2 Enter an Exclusion List Name.
3 Enter a Description.
4 Enter the Assets you want excluded, one entry per line (press RETURN after each entry). You can enter hosts in several ways:
   » A single IP address: 208.130.29.33 adds just this host.
   » A range: 208.130.29.30 - 208.130.29.39 adds all IP addresses within this range.
   » Classless Inter-Domain Routing (CIDR) notation: 208.130.29/24 adds all IP addresses that start with the twenty-four-bit prefix 208.130.29. Likewise 208.130.28/22 also covers 208.130.29/24: in binary, 28 is 00011100 and 29 is 00011101, and with a 22-bit prefix only the first 6 bits of the third octet are significant, so both third octets match.
5 Click Submit when you are finished.

You can now apply this list to individual assessments via the Add and Edit Assessment screens. See the "Assessments" chapter for details about configuring assessments.

Note: You can only create lists that are within the range of the network permissions of the groups to which you belong.

Making an Exclusion List Global

After you create an exclusion list, you can start applying it to assessments. If you want the system to apply the exclusion list to all assessments automatically, you must make the list global. You can make as many lists global as you want.

To make an Exclusion List global
1 On the Exclusion List Management screen, click the Make Global function for each list you want applied to all assessments.
2 Notice that the globe icon for the list turns from gray to blue. The Exclusion List is now applied automatically to all assessments, including existing ones that have already been scheduled.
   Note: Global lists are not displayed on the Add or Edit Assessment screens.
3 To make the list non-global again, click the Un-Globalize function.
4 Notice that the globe icon for the list turns from blue back to gray.
The list is no longer applied automatically to all assessments, but you can still apply it to individual assessments when creating an Assessment Configuration. See the "Assessments" chapter for details about configuring assessments.

Editing an Exclusion List

When you edit an Exclusion List, the changes are applied automatically to future assessments. You do not need to re-edit assessments that reference the list.

To edit an Exclusion List
1 On the Exclusion List Management screen, click the Edit function for the list you want to modify. The Edit Exclusion List screen is displayed.
2 Edit the list as desired.
3 Click Submit to save.

Deleting an Exclusion List

You can only delete Exclusion Lists that are not associated with an assessment. Remove the list from the associated assessment first, via the Edit Assessment screen. See the "Assessments" chapter for details about editing assessments.

To delete an Exclusion List
1 On the Exclusion List Management screen, click the Delete link for the list you want removed. Remember that only lists that are not associated with an assessment can be deleted. A confirmation popup box is displayed.
2 Select OK to continue or Cancel to quit.
3 If you selected OK, the system deletes the selected list.

Managing Networks

Each network represents a specific cluster of assets. Each network must have a network name, an IP range (for range-based networks) or an IP address and network mask (for mask-style networks), a static/DHCP configuration, an average financial impact for each individual device on the network, and an average operational impact per hour for each asset.

The average financial impact (for example, the replacement cost) of each individual device on the network is used to calculate assets at risk. This average determines the value of each asset for which no dollar value has been specified.
When no value is specified, the average financial impact of each individual device on the network defaults to $1,500.00. Assets on the network that have not been assigned their own financial impact value use this network value, which lets you assign a value to a large group of similar assets at one time.

The hourly operational impact is the cost you would incur from an operations perspective (for example, the dollar value of work time lost per hour) if a machine were compromised. This value is used to calculate exposure risk, which is displayed on the Security Risk Dashboard. When no value is specified, the operational impact of each individual device on the network defaults to $750.00. Assets on the network that have not been assigned their own operational impact value use this network value, which again lets you value a large group of similar assets at once.

Network properties define the type of network, allowing policy violations to be detected in the context of network type during analysis. Network properties can be exclusive or non-exclusive. A network can carry multiple non-exclusive network properties, but assigning an exclusive network property to a network precludes assigning any other network property to it. See "Managing Network Properties" for details about working with network properties.

For example, an Accounting network might be set up for all systems in an office's accounting department, encompassing the entire range of IP addresses from 10.10.10.50 through 10.10.10.100. Applying network properties to this Accounting network would then allow the detection of policy violations based on specific types of services or network activity that are prohibited in the Accounting department while being permissible in other parts of the office.
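The next block, an added example rather than Preventsys code, ties the address rules of this chapter together in Python: parse_hosts implements the single-IP, range and CIDR syntax accepted by exclusion lists; NetworkGroup enforces the rule, stated under Managing Network Groups below, that networks within a group cannot overlap; assessment_targets applies every global exclusion list plus the lists selected for one assessment; and effective_impacts shows an asset inheriting the parent network's averages ($1,500.00 and $750.00 unless the network sets its own) when it has no value of its own. The Accounting range 10.10.10.50-10.10.10.100 and the 10.4.1.x ranges used under Adding a Network come from this chapter; the list names, the printer addresses and the $2,500.00 and $40,000.00 figures are constructed.

```python
"""Address handling from Chapter 5 in one place: the host syntax accepted by
exclusion lists, the rule that networks within a network group cannot overlap,
global versus per-assessment exclusion lists, and assets inheriting a network's
average financial and operational impact when they have none of their own.

Added example, not Preventsys code. The $1,500.00 / $750.00 defaults and the
address ranges come from the guide; list names, printer addresses and the other
dollar amounts are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

DEFAULT_FINANCIAL_IMPACT = 1500.00     # documented per-asset default
DEFAULT_OPERATIONAL_IMPACT = 750.00    # documented per-asset-per-hour default


def parse_hosts(text):
    """Expand host entries (one per line) into a set of IPv4Address. Accepts a
    single IP, an "a - b" range, and CIDR such as 208.130.29/24, where a short
    prefix is padded with zero octets."""
    hosts = set()
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry:
            continue
        if "-" in entry:
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
            if hi < lo:
                raise ValueError(f"range end precedes start: {entry}")
            hosts.update(ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1))
        elif "/" in entry:
            addr, prefix = entry.split("/", 1)
            octets = addr.split(".")
            addr = ".".join(octets + ["0"] * (4 - len(octets)))    # 208.130.29 -> 208.130.29.0
            # strict=False masks off any host bits; iterating the network yields every
            # address under the prefix, first and last included.
            hosts.update(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))
        else:
            hosts.add(ipaddress.IPv4Address(entry))
    return hosts


@dataclass
class Network:
    name: str
    hosts: frozenset
    avg_financial_impact: float = DEFAULT_FINANCIAL_IMPACT
    avg_operational_impact: float = DEFAULT_OPERATIONAL_IMPACT

    @classmethod
    def from_spec(cls, name, spec, **impacts):
        return cls(name, frozenset(parse_hosts(spec)), **impacts)


@dataclass
class Asset:
    ip: ipaddress.IPv4Address
    financial_impact: Optional[float] = None      # None -> inherit the network average
    operational_impact: Optional[float] = None


def effective_impacts(asset, network):
    """(financial, operational per hour) used for assets-at-risk and exposure risk."""
    fin = network.avg_financial_impact if asset.financial_impact is None else asset.financial_impact
    ops = network.avg_operational_impact if asset.operational_impact is None else asset.operational_impact
    return fin, ops


@dataclass
class NetworkGroup:
    name: str
    networks: list

    def __post_init__(self):
        for i, a in enumerate(self.networks):          # networks in a group cannot overlap
            for b in self.networks[i + 1:]:
                shared = a.hosts & b.hosts
                if shared:
                    raise ValueError(f"{a.name} and {b.name} overlap on {len(shared)} address(es), e.g. {min(shared)}")

    def targets(self):
        return set().union(*(n.hosts for n in self.networks))


@dataclass
class ExclusionList:
    name: str
    hosts: frozenset
    is_global: bool = False     # global lists apply to every assessment, even existing ones


def assessment_targets(group, lists, selected=()):
    """Addresses the assessment actually touches: the group's networks minus every
    global list and minus the lists selected on the Assessment Configuration."""
    excluded = set().union(*(x.hosts for x in lists if x.is_global or x.name in selected))
    return group.targets() - excluded


# Constructed scenario.
ACCOUNTING = Network.from_spec("Accounting", "10.10.10.50 - 10.10.10.100", avg_financial_impact=2500.0)
ENGINEERING = Network.from_spec("Engineering", "10.4.1.2 - 10.4.1.118")
ENG_LAB = Network.from_spec("Engineering-Lab", "10.4.1.2 - 10.4.1.40")   # a sub-range of ENGINEERING
PRINTERS = ExclusionList("Printers", frozenset(parse_hosts("10.10.10.60 - 10.10.10.62")), is_global=True)
LAB_HOLDOUT = ExclusionList("Lab-Holdout", frozenset(parse_hosts("10.4.1.10")))

if __name__ == "__main__":
    group = NetworkGroup("Office", [ACCOUNTING, ENGINEERING])
    print(len(assessment_targets(group, [PRINTERS, LAB_HOLDOUT], selected={"Lab-Holdout"})))
    print(effective_impacts(Asset(ipaddress.IPv4Address("10.10.10.51")), ACCOUNTING))
    try:
        NetworkGroup("Bad", [ENGINEERING, ENG_LAB])
    except ValueError as e:
        print("rejected:", e)
```

The hierarchical layout the guide recommends (a main range plus sub-ranges) is fine at the network level, but putting the parent and a child into the same network group is exactly the overlap the last call rejects; assess either the parent or the children in a given group, not both.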
Note that when you add a network via the Add Network function, the system automatically creates a network group of the same name containing the new network. If the network is later deleted via the Delete Network function, the automatically generated network group of the same name is also deleted, provided it has not been modified to contain additional networks that still exist.

All Network Management is conducted from the Network Management screen.

To access the Network Management screen
1 Click Admin > Network. The Network Management screen is displayed.

From the Network Management screen, you can view a list of existing networks, add new networks, edit networks, and delete networks.

Note: If you are a member of the Super User group, all networks are displayed. Otherwise, only networks within the range of the network permissions of the groups to which you belong are displayed.

Time Windows

You can control when assessments of a given network may take place by specifying time windows for that network. For example, if you enter 1:00 AM to 3:00 PM on Weekends, the system runs assessments of the associated network only between 1:00 AM and 3:00 PM on Saturday and Sunday. If an assessment cannot be completed within the specified time window, the system pauses the assessment until the window reopens and then completes it.

Note: Time windows cannot be shorter than one hour. If you do not enter a time window, the default is "anytime".

Adding a Network

The Add Network function allows authorized Preventsys users to create new networks. Preventsys recommends adding networks in a hierarchical, top-down approach.
For example, if your network range is 10.4.1.2-10.4.1.118, you might add a network for that main range and then add several other networks covering smaller ranges within it, such as 10.4.1.2-10.4.1.40, 10.4.1.50-10.4.1.80, and so on. This also makes authorization easier to administer, because users are granted access to content based on the networks associated with the groups to which they belong.

Note: Assets within a network cannot overlap.

To add a new network
1 Select the Add New Network button on the Network Management screen. The Add Network screen is displayed.
   Note: You must be a member of a group with at least one network to add a network.
2 Enter the Network Name (50 characters maximum).
3 Enter the Assets you want in this network.
   Note: If you are a member of the Super User group, you can add any asset. Otherwise, you can only add assets that are within the range of the network permissions of the groups to which you belong.
4 Select any Existing Networks that you also want included in this network.
   Note: If you are a member of the Super User group, all networks are displayed. Otherwise, only networks within the range of the network permissions of the groups to which you belong are displayed.
5 Select the Create Default Network Group checkbox if you want a network group automatically created from this network (the network group will have the same name as the network).
6 Select the type of IP Protocol you want the network to use: Static IP Addresses, DHCP with Dynamic Host Names, or DHCP with Static Host Names.
7 Select one or more Network Properties.
8 Enter the Average Financial Impact of Each Host on the network ($1,500.00 default).
9 Enter the Average Operational Impact of Each Host per Hour ($750.00 default).
10 Select the Groups you want to associate with this network.
   Note: You can also associate networks with groups when creating or editing groups.
   See the "User Authorization" chapter for details about groups. If you are a member of the Super User group, all groups are displayed. Otherwise, only groups to which you belong are displayed.
11 Enter one or more Time Windows for this network if desired. If you do not enter a time window, the default is "anytime".
12 Click Submit to add the new network.

Editing a Network

The Edit Network function allows authorized Preventsys users to edit networks.

To edit an existing network
1 Select the Edit link on the Network Management screen for the network you want to edit. The Edit Network screen is displayed.
2 Edit the network as desired.
3 Click Submit to save the changes.

Deleting a Network

The Delete Network function allows authorized Preventsys users to remove networks from the system.

To delete a network
1 Select the Delete link on the Network Management screen for the network you want to remove. A confirmation popup box is displayed.
2 Select OK to continue or Cancel to quit.
3 If you selected OK, the system deletes the selected network.

Managing Network Properties

All networks require network properties to define a network type for analysis. Network properties allow policy violations to be detected in the context of network type when PDL policies are applied to assessment results. The Preventsys SRM System ships with the following standard network properties:
» DMZ: a network segment in which some ports are publicly accessible from the Internet while the majority of ports are filtered from public access.
» Public: a network segment that is open to public access.
» Private: a network segment that is restricted from public access.

Custom network properties can be created and removed via the Add Network Property and Delete Network Property functions.
For example, an Engineering network property could be created and applied to all networks in an office's Engineering department. A simple PDL rule could then flag file-sharing services and other prohibited network activity in the Engineering department as policy violations.

All Network Property administration is conducted from the Network Property Management screen.

To access the Network Property Management screen
1 Click Admin > Network Property. The Network Property Management screen is displayed.

From the Network Property Management screen, you can view existing properties, add new properties, and delete properties.

Adding a Network Property

The Add Network Property function allows authorized Preventsys users to create new network properties.

To add a new network property
1 Select the Add New Network Property button on the Network Property Management screen. The Add Network Property screen is displayed.
2 Enter the Property Name (50 characters maximum).
3 Select the Exclusive checkbox if the new network property is to be exclusive, that is, if a network carrying this property may carry no other network property.
4 Click Submit to add the new network property.

Deleting a Network Property

The Delete Network Property function allows authorized Preventsys users to remove network properties from the system.

Note: Deleting a network property removes it from all networks that reference the property.

To delete a network property
1 Select the Delete link on the Network Property Management screen for the property you want to delete. A confirmation popup box is displayed.
2 Select OK to continue or Cancel to quit.
3 If you selected OK, the system deletes the selected property.

Managing Network Groups

Network group management encompasses adding, editing, and deleting network groups.
Network groups represent clusters of networks that are grouped for the purposes of performing assessments and analysis. To assess a network, it must first belong to a network group; to assess an individual network, first create a network group containing only that network. Each network group has a network group name and a set of included networks.

Note: Networks within a network group cannot overlap.

All Network Group administration is conducted from the Network Group Management screen.

To access the Network Group Management screen
1 Click Admin > Network Group. The Network Group Management screen is displayed.

Note: If you are a member of the Super User group, all network groups are displayed. Otherwise, only network groups made up entirely of networks within the range of the network permissions of the groups to which you belong are displayed.

Adding a Network Group

The Add Network Group function allows authorized Preventsys users to create new network groups.

To add a new network group
1 Select the Add New Network Group button on the Network Group Management screen. The Add Network Group screen is displayed.
2 Enter the Network Group Name (50 characters maximum).
3 Select one or more networks to be included in the network group.
   Note: If you are a member of the Super User group, all networks are displayed. Otherwise, only networks within the range of the network permissions of the groups to which you belong are displayed.
4 Click Submit.

Editing a Network Group

The Edit Network Group function allows authorized Preventsys users to edit existing network groups.

To edit an existing network group
1 Select the Edit link for the Network Group you want to edit on the Network Group Management screen. The Edit Network Group screen is displayed.
2 Edit the network group as desired.
3 Click Submit to save the changes.
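As an added example (not Preventsys code), the following Python models the Time Windows behaviour described under Managing Networks above: assessment may run only inside a window, windows shorter than one hour are rejected, no window means "anytime", and a run that cannot finish inside a window is paused until the window reopens. The 1:00 AM to 3:00 PM weekend window is the one in the text; representing a window as (days, start, end) within a single day with no wrap past midnight, the June 2006 dates, and the five-hour job are assumptions.

```python
"""Time Windows as described under "Managing Networks": a network may only be
assessed inside its windows, a window cannot be shorter than one hour, no windows
means "anytime", and an assessment that cannot finish inside a window is paused
until the window reopens.

Added example, not Preventsys code. A window is (days, start, end) on one day with
no wrap past midnight; the weekend 1:00 AM - 3:00 PM window is from the text, the
dates and the job length are constructed.
"""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta

WEEKENDS = frozenset({5, 6})         # datetime.weekday(): Saturday = 5, Sunday = 6


@dataclass(frozen=True)
class TimeWindow:
    days: frozenset
    start: time
    end: time     # assumed later than start on the same day

    def __post_init__(self):
        length = datetime.combine(date.min, self.end) - datetime.combine(date.min, self.start)
        if length < timedelta(hours=1):
            raise ValueError("time windows cannot be for less than one hour")

    def contains(self, when):
        return when.weekday() in self.days and self.start <= when.time() < self.end


def is_open(windows, when):
    """True if assessment may run at `when`; an empty window list means anytime."""
    return not windows or any(w.contains(when) for w in windows)


def next_open(windows, when):
    """Earliest instant at or after `when` at which assessment may run."""
    if is_open(windows, when):
        return when
    starts = []
    for offset in range(8):                 # eight days always contain the next start
        day = (when + timedelta(days=offset)).date()
        for w in windows:
            start = datetime.combine(day, w.start)
            if day.weekday() in w.days and start >= when:
                starts.append(start)
    return min(starts)


def closes_at(windows, when):
    """When the window(s) open at `when` shut; None when there are no windows,
    i.e. the run is never interrupted."""
    ends = [datetime.combine(when.date(), w.end) for w in windows if w.contains(when)]
    return max(ends) if ends else None


def simulate(windows, start, needed):
    """Split `needed` work into the segments in which it can actually run, pausing
    when every window is closed and resuming when one reopens.  Returns a list of
    (segment_start, segment_end)."""
    segments, remaining = [], needed
    now = next_open(windows, start)
    while remaining > timedelta(0):
        close = closes_at(windows, now)
        run = remaining if close is None else min(remaining, close - now)
        segments.append((now, now + run))
        remaining -= run
        if remaining > timedelta(0):
            now = next_open(windows, now + run)
    return segments


WEEKEND_WINDOW = [TimeWindow(WEEKENDS, time(1, 0), time(15, 0))]   # from the text

if __name__ == "__main__":
    # Saturday 2006-06-03 13:00: two hours of window left, three more hours on Sunday.
    for a, b in simulate(WEEKEND_WINDOW, datetime(2006, 6, 3, 13, 0), timedelta(hours=5)):
        print(a.strftime("%a %H:%M"), "->", b.strftime("%a %H:%M"))
```

A five-hour job started at 13:00 on Saturday runs until the window closes at 15:00, then resumes at 01:00 on Sunday and finishes at 04:00, which is the pause-and-resume behaviour the guide describes. Because paused assessments can straddle days, size windows so that a whole run fits comfortably inside one, or the partial results will be a day old by the time the run completes.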
Deleting a Network Group

The Delete Network Group function allows authorized Preventsys users to remove network groups from the system.

To delete a network group
1 Select the Delete link for the Network Group you want removed on the Network Group Management screen. A confirmation popup box is displayed.
2 Select OK to continue or Cancel to quit.
3 If you selected OK, the system deletes the selected network group.

PREVENTSYS™ SRM USER’S GUIDE CHAPTER 6 | POLICIES AND RULES

CHAPTER 6 Policies and Rules

The Preventsys Policy Library is a collection of packaged regulations, policies, and configuration standards designed to make configuration and customization for your environment as easy and fast as possible. The library includes policies and rules based on the requirements of industry organizations, Federal and State governments, and regulatory agencies governing financial services, healthcare, manufacturing, and other industries. All of these can be customized to the specific practices, specifications, and requirements of your organization, and linked directly to the original paper-based policies through PolicyLab™. See the Preventsys PolicyLab User Guide for details.

The Proactive Compliance Module provides ready-made policy content, rules, and mappings for both configuration standards and regulatory policies. Based on frameworks such as COBIT and ISO 17799, Preventsys has created hundreds of predefined rules to measure an organization's compliance with government and regulatory policies and with security standards and guidelines. These templates are ready to use out of the box and let you automate the time-consuming task of compliance reporting against your internal and external security policies.

The following terms and definitions will assist you when reading this chapter.

PDL Rule: The Policy Definition Language (PDL) uses XSL templates to define PDL rules that identify specific policy violations and vulnerabilities during analysis.
Policy: A Policy is a combination of one or more PDL rules. PDL rules can also be combined to create custom policies tailored to your corporate security policy. See the See the Preventsys PolicyLab™ User Guide for details. Configuring Your System for Policy Analysis Before the Preventsys SRM System can analyze the results of an assessment against a security policy, you must first set up your PDL rules and policies and all associated properties, and update your Policy Library by importing the current set of policies and rules supplied with the Preventsys SRM System. Note: If you do not want to analyze your networks against policies, you must still make sure that the Preventsys Default Vulnerability Policy is available and selected for each Assessment Configuration that you want to return any found vulnerabilities. If you do not select this policy, the system will not create vulnerabilities, conduct threat correlation, or create remediation tasks, and you will not be able to view reports based on the assessment results. In this case, you can conduct a reanalysis using the Preventsys Default Vulnerability Policy and the results of your assessment, which will perform the analysis the same as if the policy been selected before the assessment ran. Initial Rule Setup When the Preventsys SRM System’s standard PDL rules are initially installed, they will require some modifications to ensure that your assets and networks are specified for property fragments. This may be accomplished via the following procedures: 51 PREVENTSYS™ SRM USER’S GUIDE CHAPTER 6 | POLICIES AND RULES To ensure that assets and networks are specified for property fragments 1 2 3 4 Perform an assessment of your networks (this will populate the asset and network tables, so that you can edit assets and networks). Assign the standard host property specifications to the various assets on your system, as appropriate, via the “Edit Asset” function. 
3 Assign the standard network properties to the various networks on your system, as appropriate, via the “Edit Network” function.
4 Generate or regenerate the properties listed in the Properties Used in Rules table using PolicyLab™. Refer to the Preventsys SRM System PolicyLab™ User’s Guide for details.
Note: Some rules feature comments describing which property fragments should be added and where in the rule text they should be added. Other rules already contain shells of asset properties. First, generate a fragment corresponding to the shell that you see in the rule. Then replace the shell with the generated fragment. The new property fragment will contain an up-to-date list of assets. Refer to the Preventsys SRM System PolicyLab™ User’s Guide for details.
About PDL Rules
Asset properties and network properties are referenced within PDL rules to denote the conditions that signify policy violations upon analysis. The Preventsys SRM System ships with standard PDL rules configured to detect policy violations based on assessment results as applied to specific asset properties and network properties. In this manner, you can customize the assessment process without developing XSL for new PDL rules.
A number of standard PDL rules are included with the Preventsys SRM System. Using the PolicyLab™ Client, you can create policies using these rules, or develop custom PDL rules to address specific concerns. See the Preventsys PolicyLab™ User Guide for details.
The Preventsys SRM System allows you to view Preventsys policies and rules as well as policies and rules that you have created or modified in the PolicyLab application. All PDL rules are assigned a description, rule type, severity, and XSL text. The PDL rule type identifies whether the rule detects a policy violation or a vulnerability.
The rule types are:
» Violation of Network Policy
» Information
» Host Compromised
» Exploitable Vulnerability
» Custom Vulnerability
» Exposure Analysis
» Manual Audit Task
Note: To view a mapping of the scanners, common scanner tests, properties, characteristics, and rule types associated with each rule, see the “Preventsys SRM System Policy Reference Guide”.
PDL rules are stored by version. Editing an existing PDL rule via the PolicyLab application creates a new version of the PDL rule. The list of PDL rules displays current versions by default, but you may view all versions in the system using the View All Versions of PDL Rules function. See “Managing PDL Rules” for details.
Managing PDL Rules
All rule administration is conducted from the PDL Rule Management screen.
To access the PDL Rule Management screen
1 Click Policies > Rules. The PDL Rule Management screen is displayed, listing the most recent version of each PDL rule.
2 Click the Show all Versions button to view all previous versions of the PDL rules in addition to the current versions.
3 Select the View function to view a rule’s XML.
Deactivating a PDL Rule
The Deactivate function allows authorized Preventsys users to deactivate PDL rules.
To deactivate a rule
1 Select the Deactivate function on the PDL Rule Management screen for the rule you want deactivated. A confirmation popup box is displayed.
2 Select OK to continue or Cancel to quit.
3 If you selected OK, the system deactivates the selected rule.
Working with Policies
Policies are created by grouping PDL rules. All policies are assigned a name, a description, a category, and a selection of PDL rules. See the Preventsys Policy Reference Guide for a detailed list of the policy packages and rules available from Preventsys.
The Preventsys SRM System allows you to view policies, delete policies, and import/export policies.
In order to create or edit policies, the stand-alone Preventsys PolicyLab application must be used. See the PolicyLab User Guide for details about creating and editing policies.
Policies are stored by version. Editing an existing policy via the PolicyLab application creates a new version of the policy. The policy list displays current versions by default, but you may view all versions in the system using the View All Versions of Policies function.
Managing Policies
All policy administration is conducted from the Policy Management screen.
To access the Policy Management screen
1 Click Policies > Policies. The Policy Management screen is displayed, listing the most recent version of all policies.
2 Use the Policy Module pull-down to select which type of policy you want to view and click the >> button to refresh the view. The selected Policy Module is displayed.
3 Click the Show All Versions button to view all previous versions of the policies in addition to the current versions.
4 Click the Policy Name of any policy to edit the policy or view the policy’s XSL text.
5 Select the View link to see the View Policy screen, which lists all rules associated with the policy.
Deactivating a Policy
The Deactivate Policy function allows authorized Preventsys users to deactivate policies. Policies that are deactivated are no longer displayed in the system. A deactivated policy is also removed from any assessment configurations in which it was referenced. The policy must be imported again to be displayed.
To deactivate a policy
1 Select the Deactivate link on the Policy Management screen for the policy you want deactivated. A confirmation popup box is displayed.
2 Select OK to continue or Cancel to quit.
3 If you selected OK, the system deactivates the selected policy.
Importing Preventsys Policies
The Import Preventsys Policies function allows you to update your system to the latest version of the Preventsys Policy Library, or roll back to a previous version. Note that the import process may take a few minutes to complete. Never use your browser’s Back, Stop, or Refresh buttons on any of the update or rollback pages. As a safeguard, it is recommended that you log out of the product, or close your browser, after the update or rollback process has finished and the confirmation screen is displayed. Then, log back in as you normally would.
To import Preventsys Policies and update the Policy Library
1 Click Policies > Import Preventsys Policy. The Import Preventsys Policies screen is displayed. Note that when you first install the Preventsys SRM System, you will not have any installed policy libraries.
2 Click Submit.
3 A confirmation page is displayed, listing all potential conflicts with existing system resources. Potential conflicts include clashes between Manual Audit Task names. If requested, you must correct these conflicts before you can continue.
4 Click Next to update the Policy Library to the latest version. All of the new policies, rules, properties, and services are listed on the screen.
5 Click Done to exit the update screen.
Note: Following the update, the Rollback function is enabled at the bottom of the update screen. This is your only opportunity to roll back to the previous version of the Policy Library.
To roll back the Policy Library
1 After using the Import Preventsys Policies function, the Rollback Policies function becomes active under the list of new policies and rules. Scroll down to the bottom of the screen and click Rollback to roll back the Policy Library to the previous version. A confirmation page is displayed.
2 Click Submit to roll back.
Note: The Rollback Policies function is only available immediately after updating the Policy Library. Once you leave the update screen that lists the new policies and rules, the Rollback Policies function is no longer available.
The Preventsys Policy Library allows for the safe implementation of new and updated policies, policy source documents, rules, properties, and services directly from the Preventsys Web site. Importing an updated Policy Library creates new versions of policies and rules where a version of a policy or rule already exists. In this case, you must manually reapply any changes to the newly imported policy or rule. These changes include regenerating all property fragments for any property-based rule as well as adding other custom changes. Likewise, changes to any rule require updating each policy that uses that rule. It is important to understand that your modified rule and/or policy may no longer be the current rule and/or policy in the system. However, the old rule still exists and has not been deleted.
Importing an updated Policy Library also creates new properties in the Preventsys SRM System. Like any new property, user-specific network and asset information needs to be added to the properties prior to their use. Likewise, any rule that references these properties needs to be updated after the properties have been changed.
Importing and Exporting Policies
You can import policies you have access to via your local machine using the Import Policy function on the Policy Management screen. You can also save policies in the Preventsys SRM System to local media using the Export function on the same screen.
If any rules in the imported policy contain properties such as Host Property Specifications, Host Property Labels, and Network Properties, you will need to manually recreate all associated properties and services, manually assign them to assets and networks on your system, and then recreate the fragments associated with the imported rules.
For example, the E-Commerce_Servers_on_DMZ rule utilizes the standard network property DMZ. After importing a new policy that includes this rule, you must ensure that the DMZ network property is applied to all appropriate networks in order for the imported policy to function properly.
Import a Policy
The Import Policy function allows authorized Preventsys users to import policies from a file on local media.
To import a new policy
1 Click the Import Policy button on the Policy Management screen. The Import Policy screen is displayed.
2 Enter the name of the File to import, or click the Browse button to locate the file in the file library.
3 Enter a suffix for the policy filename in the Global Suffix field.
4 Click Submit to import the selected policy.
5 If the imported policy’s name conflicts with an existing policy, the Import Policy Conflict screen is displayed.
6 You may modify the policy filename and all included rule filenames to resolve conflicts.
7 Click Submit to save the modified filenames.
Exporting a Policy
The Export Policy function allows authorized Preventsys users to export policies to local media using their browser’s “Save As” function.
To export a policy to an external file
1 Select the Export link on the Policy Management screen for the policy you want to export. A separate browser window opens displaying the signed XML text of the selected policy.
2 Use the browser’s Save As function to select a destination for the exported policy data.
3 The file is saved to the destination you specified.
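As an added illustration, not Preventsys code and not the XSL form a real PDL rule takes, the following Python models a property-based rule and its property fragment using the E-Commerce_Servers_on_DMZ rule named above. The asset and network tables, the host property label “E-Commerce Server”, and the check itself (every asset carrying that label must sit in a network carrying the DMZ property) are assumptions made for the example. It shows the failure the import note warns about: a fragment generated before a new DMZ network was added reports a false violation until the fragment is regenerated from the current network table.

```python
"""Illustrative model of a property-based PDL rule and its property fragment.

Added example, not Preventsys code.  The product's rules are XSL templates;
the asset/network tables, the property names and the exact check that
E-Commerce_Servers_on_DMZ performs are assumptions made for this example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Set


@dataclass
class Asset:
    ip: str
    labels: Set[str] = field(default_factory=set)       # host property labels


@dataclass
class Network:
    cidr: str
    properties: Set[str] = field(default_factory=set)   # network properties


def generate_fragment(networks: List[Network], prop: str) -> List[str]:
    """Regenerate a property fragment: the CIDRs that currently carry `prop`.
    In the product this is the PolicyLab step that replaces the shell in the
    rule text; here the fragment is simply a list the rule closes over."""
    return sorted(n.cidr for n in networks if prop in n.properties)


def ecommerce_servers_on_dmz(assets: List[Asset], dmz_fragment: List[str]) -> List[str]:
    """Assumed reading of the rule: every asset labelled 'E-Commerce Server'
    must be inside a network listed in the DMZ fragment.  Returns violating IPs."""
    dmz_nets = [ip_network(c) for c in dmz_fragment]
    return [a.ip for a in assets
            if "E-Commerce Server" in a.labels
            and not any(ip_address(a.ip) in n for n in dmz_nets)]


# Constructed sample tables (not real data).
NETWORKS = [
    Network("10.1.0.0/24", {"DMZ"}),
    Network("10.2.0.0/24", {"Internal"}),
]
ASSETS = [
    Asset("10.1.0.5", {"E-Commerce Server"}),   # correctly placed in the DMZ
    Asset("10.2.0.7", {"E-Commerce Server"}),   # genuine violation: internal network
    Asset("10.2.0.9", {"Database Server"}),     # not covered by this rule
]


def stale_versus_regenerated():
    """Why fragments must be regenerated after an import: a second DMZ network
    and a server on it are added *after* the fragment was generated, so the
    stale fragment reports that server as a (false) violation."""
    fragment_at_import = generate_fragment(NETWORKS, "DMZ")
    networks = NETWORKS + [Network("10.3.0.0/24", {"DMZ"})]
    assets = ASSETS + [Asset("10.3.0.5", {"E-Commerce Server"})]
    stale = ecommerce_servers_on_dmz(assets, fragment_at_import)
    fresh = ecommerce_servers_on_dmz(assets, generate_fragment(networks, "DMZ"))
    return stale, fresh


if __name__ == "__main__":
    stale, fresh = stale_versus_regenerated()
    print("stale fragment :", stale)    # ['10.2.0.7', '10.3.0.5']
    print("regenerated    :", fresh)    # ['10.2.0.7']
```

The same pattern applies to the Certificate_Expiration style of rule or any rule with a shell of asset properties: the fragment is a snapshot of the asset or network table, and an imported rule version arrives with the vendor's (empty or generic) snapshot, not yours.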
CHAPTER 7 Assessments
This chapter presents the steps involved in configuring an assessment, including creating connector configurations and assessment configurations as well as scheduling assessments. Next, it presents how to pause, resume, or cancel an assessment that is running, view the status of an assessment, and reanalyze the results of a completed assessment against a policy. This chapter also provides details about importing assessment data acquired outside of the Preventsys SRM System.
Before you can conduct assessments, you must first follow the steps presented in the “Assessment Servers and Instance Configurations” chapter, and add at least one Assessment Server and one associated Instance Configuration. You will also need to add at least one network and an associated network group. After you have completed these tasks, you need to add a connector configuration, add an assessment configuration, and finally schedule your assessment.
The following terms and their definitions will assist you when reading this chapter.
Connector Configuration: A connector configuration is a set of parameters that controls the behavior of a particular assessment tool supported by the Preventsys Assessment Server during an assessment. A common parameter defined in a connector configuration is the set of tests/checks to run during an assessment. Unlike an Instance Configuration, a Connector Configuration can be applied to any defined instance of the same assessment tool. For example, if the same assessment tool is installed in three different locations, a single Connector Configuration can be applied to each of these installations.
Assessment Configuration: An Assessment Configuration is a set of parameters that controls which assessment tools and connector configurations are used for the assessment, the networks that will be assessed, the assets (if any) that will be excluded, the policies that will be analyzed against the results of the assessment, and whether received threat alerts will be analyzed against the results of the assessment.
Assessment Schedule: An Assessment Schedule specifies when the assessment will run and how often. Assessments can be scheduled to run once immediately, once on a specific day and time, or recurrently.
Vulnerability: A vulnerability is a weakness in a system allowing an attacker to potentially violate the integrity, confidentiality, access control, availability, consistency or audit mechanism of the system or the data and applications it hosts. Vulnerabilities can result from bugs or design flaws in the system. A vulnerability can exist only in theory, or could have a known exploit. During an assessment, the Preventsys SRM System identifies vulnerabilities based on the results of the scanner-specific tests/checks that are run. If you have the Preventsys Threat Feed license, then external threats that exploit the vulnerabilities found are correlated and turned into “Actionable Threats”. See the “Security Risk Dashboard” chapter for details about actionable threats.
Vulnerability Coalescing: The RiskScore Engine coalesces security facts from your assessment tools to automatically aggregate, transform, classify and correlate vulnerability and configuration data into a prioritized remediation task list. For example, Nessus and Nmap will often report the same vulnerability for the same asset in different ways for the same or multiple ports. The system coalesces all of these issues into one remediation task with multiple descriptions.
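The following Python is an added example of the coalescing step just described; it is not the RiskScore Engine. The scanner check identifiers, the alias table that maps scanner-specific checks onto one canonical issue, the severity scale and the sample findings are all constructed for the example (the CVE label is a placeholder, not a real identifier). A CVE reference is used as the join key where one exists, otherwise the alias table, otherwise the finding stays scanner-specific and is not merged with anything.

```python
"""Illustrative multi-scanner vulnerability coalescing.

Added example, not the Preventsys RiskScore Engine.  Scanner names are real;
check identifiers, the alias table, the severity scale and the sample
findings are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Finding:
    scanner: str          # "nessus" or "nmap"
    asset: str            # IP of the assessed host
    port: int
    check_id: str         # scanner-specific test/check identifier (constructed)
    description: str
    severity: int         # 1 (low) .. 4 (critical); assumed scale
    cve: Optional[str] = None


@dataclass
class RemediationTask:
    asset: str
    issue: str                          # canonical issue key
    severity: int
    ports: Set[int] = field(default_factory=set)
    sources: Set[str] = field(default_factory=set)
    descriptions: List[str] = field(default_factory=list)


# Hypothetical cross-scanner alias table: (scanner, check_id) -> canonical issue.
ALIASES: Dict[Tuple[str, str], str] = {
    ("nessus", "10079"): "ftp-anonymous-login",
    ("nmap", "ftp-anon"): "ftp-anonymous-login",
}


def canonical_issue(f: Finding) -> str:
    """CVE wins; otherwise the alias table; otherwise the scanner's own id,
    which means unmapped findings are never merged across scanners."""
    if f.cve:
        return f.cve.upper()
    return ALIASES.get((f.scanner, f.check_id), f"{f.scanner}:{f.check_id}")


def coalesce(findings: List[Finding]) -> List[RemediationTask]:
    """Fold findings that describe the same issue on the same asset, across
    scanners and ports, into one task.  Every distinct description is kept so
    the remediator sees each scanner's wording; the highest severity wins."""
    tasks: Dict[Tuple[str, str], RemediationTask] = {}
    for f in findings:
        key = (f.asset, canonical_issue(f))
        task = tasks.setdefault(key, RemediationTask(f.asset, key[1], f.severity))
        task.severity = max(task.severity, f.severity)
        task.ports.add(f.port)
        task.sources.add(f.scanner)
        if f.description not in task.descriptions:
            task.descriptions.append(f.description)
    # Prioritised list: most severe first, then stable by asset and issue.
    return sorted(tasks.values(), key=lambda t: (-t.severity, t.asset, t.issue))


# Constructed sample findings: two scanners, overlapping results on one host.
SAMPLE = [
    Finding("nessus", "10.1.0.5", 21, "10079", "Anonymous FTP enabled", 2),
    Finding("nmap", "10.1.0.5", 21, "ftp-anon", "Anonymous FTP login allowed", 2),
    Finding("nessus", "10.1.0.5", 2121, "10079", "Anonymous FTP enabled", 2),
    Finding("nessus", "10.1.0.5", 443, "11875", "Outdated TLS library", 4, cve="CVE-0000-0001"),
    Finding("nmap", "10.1.0.5", 443, "ssl-check", "Old library version banner", 3, cve="cve-0000-0001"),
    Finding("nmap", "10.1.0.9", 21, "ftp-anon", "Anonymous FTP login allowed", 2),
]


if __name__ == "__main__":
    for t in coalesce(SAMPLE):
        print(t.severity, t.asset, t.issue, sorted(t.ports), sorted(t.sources), t.descriptions)
```

Six findings become three tasks: the anonymous-FTP reports from both scanners on ports 21 and 2121 of 10.1.0.5 merge into one task carrying both descriptions, the two CVE-keyed findings merge into a second, and the FTP finding on 10.1.0.9 stays separate because the asset differs.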
Violation: A violation is the breach of a Preventsys PDL rule that was part of a policy analyzed against the results of an assessment during the Policy Analysis phase. A violation means that the conditions of the rule in a security policy were not met. For example, a Certificate_Expiration rule checks to make sure no expired certificates are in use, based on assessment data gathered from any of the many assessment tools supported by Preventsys. If expired certificates are in use, this is not necessarily a vulnerability, but it is a violation of this rule.
Another type of violation is a Manual Audit Task Violation. A Manual Audit Task can be associated with a Manual Audit Task Rule, which checks whether the Manual Audit Task meets certain criteria (e.g., integrity checks). If the Manual Audit Task does not meet these criteria, the rule raises a violation. See the PolicyLab User Guide for details about Manual Audit Task Rules and the different integrity checks they can perform.
Assessment Import: Assessment Import allows you to import assessment data that was gathered outside the Preventsys SRM System.
Reanalysis: A Reanalysis is when you choose to analyze the results of a successful assessment against another policy (or policies), regardless of whether the initial assessment included a policy.
Remediation Task: A remediation task is created based on either a vulnerability or a violation found by the system. The task can be assigned to a user so that the issue is fixed, and then verified by the system. Remember that Remediation Tasks are different from Manual Audit Tasks. However, a Manual Audit Task Violation, as discussed in the “Violation” definition, can cause an associated Remediation Task to be created (referred to as a Manual Audit Violation Type Remediation Task). A Manual Audit Task Violation is always associated with the first assessment that finds it, even if it is found by multiple assessments.
Therefore, you will need to run an assessment using the assessment configuration associated with the assessment that first found the violation in order to verify the Manual Audit Violation Type Remediation Task. See the “Manual Audit Tasks” chapter for details about Manual Audit Tasks. See the “Remediations” chapter for details about Remediation Tasks and how to assign and verify them.
Managing Connector Configurations
Assessment configurations also include Assessment Server/network assignments that determine which Assessment Servers are employed to scan specific networks. A wide range of scanner options and configuration settings are accessible as part of the assessment configuration process. See the “Connector Configuration” appendix for details about Preventsys scanner support and configuration options.
All connector configuration administration is conducted from the Connector Configuration Management screen.
To access the Connector Configuration Management screen
1 Click Assessments > Connector Configurations. The Connector Configuration Management screen is displayed.
Adding a Connector Configuration
The Add Connector Configuration function allows authorized Preventsys users to add new connector configurations.
To add a new connector configuration
1 Select the Add New tab on the Connector Configuration Management screen. A dropdown list of connectors is displayed.
Note: Only connectors for which you have added an instance configuration on a running Assessment Server are listed. Therefore, if the ESM Server cannot connect to your Assessment Server for any reason, the instance configurations on that server are not listed.
2 Select the connector type for which you want to create a connector configuration and select ». The connector’s configuration screen is displayed.
Note: If the instance configuration is not available due to an invalid instance configuration (i.e.
the IP or username for the instance configuration is incorrect), a message is displayed on the Connector Configuration Management screen. Verify that your instance configuration is correct. See the “Assessment Servers and Instance Configurations” chapter for details about Instance Configurations.
Figure 7-1 – Sample Nmap Connector Configuration screen
3 Enter a name for the connector configuration. Note that a connector configuration’s name cannot be changed once submitted.
4 Enter the required information and any optional information you desire.
5 Click Submit to save.
Editing a Connector Configuration
The Edit Connector Configuration function allows authorized Preventsys users to edit existing connector configurations. When you access the Edit Connector Configuration screen, the Preventsys SRM System compares the configuration options for the associated connector against the options on each Assessment Server. If the options do not match (e.g., you have updated the connector since this connector configuration was added), the system displays all options that were present when the connector configuration was created as well as any new options with their default settings.
If the ESM Server cannot connect to the Assessment Server and/or an Instance Configuration associated with a Connector Configuration, the “Edit” function is not active for that Connector Configuration and a message is displayed.
To edit an existing connector configuration
1 Select the Edit link for the connector configuration you want to edit on the Connector Configuration Management screen. The Edit Connector Configuration screen is displayed.
2 Edit the connector’s configuration as desired. Note that a connector configuration’s name cannot be edited.
3 Click Submit to save.
Deleting a Connector Configuration
The Delete Connector Configuration function allows authorized Preventsys users to remove connector configurations from the system.
To delete a connector configuration
1 Select the Delete link for the connector configuration you want removed on the Connector Configuration Management screen. A confirmation popup box is displayed.
2 Select OK to continue or Cancel to quit.
3 If you selected OK, the system deletes the selected connector configuration.
Managing Assessment Configurations
Assessment configurations represent specific schemes for performing network security assessments. Each configuration includes a unique name, a list of network groups selected for the assessment, an optional list of policies against which the assessment will be analyzed, a selection of connector configurations that will perform the assessment, and any exclusion lists you specify.
All assessment configuration administration is conducted from the Assessment Configuration Management screen.
To access the Assessment Configuration Management screen
1 Click Assessments > Assessment Configurations. The Assessment Configuration Management screen is displayed.
Note: If you are a member of the Super User group, all assessment configurations are displayed. Otherwise, only assessment configurations associated with network groups made up completely of networks that are within the range of the network permissions of the groups to which you belong are displayed.
Creating an Assessment Configuration
The Create Assessment Configuration function allows authorized Preventsys users to create new assessment configurations, which may then be scheduled for execution. You can view a list of the scanners the Preventsys SRM System supports and access information about evaluation software by clicking the Support Scanner Vendors link.
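Added example, not Preventsys code, of the visibility rule in the note above; the same rule governs which network groups, assessment schedules and schedulable configurations a non-Super User sees elsewhere in this chapter. The group name “Super User”, the storage of a group’s network permissions as a list of CIDR ranges, and the sample networks are assumptions. The check a practitioner should confirm is that partial overlap is not enough: a configuration is visible only when every network in its network group lies wholly inside a permitted range.

```python
"""Illustrative network-permission visibility check.

Added example, not Preventsys code.  Group names, the way permissions are
stored and the sample CIDRs are constructed for the example.
"""
from ipaddress import ip_network
from typing import Dict, Iterable, List

SUPER_USER_GROUP = "Super User"   # name assumed from the guide's "Super User group"


def permitted_ranges(user_groups: Iterable[str], group_permissions: Dict[str, List[str]]):
    """Union of the network permissions of every group the user belongs to."""
    cidrs = set()
    for group in user_groups:
        cidrs.update(group_permissions.get(group, []))
    return [ip_network(c) for c in cidrs]


def within_permissions(cidr: str, ranges) -> bool:
    """True only when the whole network lies inside one permitted range.
    subnet_of() is containment (or equality); mere overlap returns False."""
    net = ip_network(cidr)
    return any(net.version == r.version and net.subnet_of(r) for r in ranges)


def visible_assessment_configs(configs, network_groups, user_groups, group_permissions) -> List[str]:
    """Names of the assessment configurations the user is allowed to see."""
    if SUPER_USER_GROUP in user_groups:
        return [c["name"] for c in configs]
    ranges = permitted_ranges(user_groups, group_permissions)
    return [c["name"] for c in configs
            if all(within_permissions(n, ranges) for n in network_groups[c["network_group"]])]


# Constructed sample data.
GROUP_PERMISSIONS = {"Web Ops": ["10.1.0.0/16"], "DB Ops": ["10.2.0.0/24"]}
NETWORK_GROUPS = {
    "DMZ Web":     ["10.1.0.0/24", "10.1.1.0/24"],
    "Web and DB":  ["10.1.2.0/24", "10.2.0.0/24"],
    "Data Center": ["10.1.3.0/24", "10.2.0.0/23"],   # the /23 exceeds DB Ops' /24 grant
}
CONFIGS = [
    {"name": "DMZ Weekly",   "network_group": "DMZ Web"},
    {"name": "DB Quarterly", "network_group": "Web and DB"},
    {"name": "DC Full",      "network_group": "Data Center"},
]


if __name__ == "__main__":
    for groups in (["Web Ops"], ["Web Ops", "DB Ops"], ["Super User"]):
        print(groups, "->", visible_assessment_configs(CONFIGS, NETWORK_GROUPS, groups, GROUP_PERMISSIONS))
```

A member of both Web Ops and DB Ops still does not see “DC Full”: 10.2.0.0/23 contains addresses outside the 10.2.0.0/24 grant, so the network group is not “made up completely of networks within the range” of that user's permissions.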
Note: It is recommended that assessment configurations be used as a mechanism to group reporting, so that the network groups and policies define a logical reporting structure such as Line of Business (LOB) or organizational unit. It is not recommended that several assessment configurations contain exactly the same network groups and policies and differ only in the connector configurations used. This leads to confusing results during enterprise group summary reporting, because only the latest analysis for each network group and policy combination from the associated assessment configuration is shown, so an overlapping configuration’s earlier analysis is not displayed.
Policy Analysis
If no policies are selected in an assessment configuration, the assessment’s results are not available for generating reports until policies are applied via the Re-Analyze Assessment Results function.
Threat Analysis
If the Threat Analysis option is not selected, the system does not perform threat correlation. See the “Threat Intelligence Correlation” section in this chapter for details about threat correlation.
Note: If you do not want to analyze your networks against a specific policy, select the Preventsys Default Vulnerability Policy for each Assessment Configuration that you want to return any found vulnerabilities. If you do not select this policy, the system will not create vulnerabilities, conduct threat correlation, or create remediation tasks, and you will not be able to view reports based on the assessment results. In this case, you can conduct a reanalysis using the Preventsys Default Vulnerability Policy and the results of your assessment, which performs the analysis exactly as if the policy had been selected before the assessment ran.
In addition to standard network assessments, Preventsys supports the use of Manual Audit Tasks (MAT) to track and confirm manual audit tasks that do not lend themselves to traditional electronic solutions. See the “Manual Audit Tasks” chapter for details about working with manual audit tasks.
To create an assessment configuration
1 On the Assessment Configuration Management screen, select Add New. The Create Assessment Configuration screen is displayed.
2 Enter the Assessment Configuration’s Name (50 characters maximum).
3 Select the Connector Configuration(s) you want utilized for the assessment.
4 Select the Network Group that will be assessed. Only one network group can be selected.
Note: If you are a member of the Super User group, all network groups are displayed. Otherwise, only network groups made up completely of networks that are within the range of the network permissions of the groups to which you belong are displayed.
5 Select the Exclusion List(s) you want the system to apply.
6 If you want the system to analyze the results of this assessment against a policy, select the Policies desired. By default, only the latest version of each policy is displayed. To see all versions of each policy, click the View all button.
7 If you want the system to analyze the results of this assessment against threats, make sure the Perform Threat Analysis checkbox is selected.
8 Click Submit to save.
Editing an Assessment Configuration
The Edit Assessment Configuration function allows authorized Preventsys users to edit existing assessment configurations.
To edit an assessment configuration
1 On the Assessment Configuration Management screen, select the Edit link for the assessment configuration you want to modify. The Edit Assessment Configuration screen is displayed.
2 Edit the assessment configuration as desired.
Note that the assessment configuration’s name is not editable.
3 Click Submit to save.
Note: Remember that vulnerabilities are found by the selected connectors during an assessment. Those vulnerabilities are then associated with remediation tasks by the system. If you edit a connector’s checks/tests (or delete a connector) such that the checks that found those vulnerabilities will not be run the next time the assessment is conducted, then the associated Unassigned, Unresolved, and Claimed Resolved remediations are verified by the system because their associated vulnerabilities are no longer found. Verification in this case records that the check no longer finds the issue, not that the issue was fixed.
Deleting an Assessment Configuration
The Delete Assessment Configuration function allows authorized Preventsys users to remove existing assessment configurations from the system. When you delete an assessment configuration, the associated schedules are also deleted. In addition, the system changes any remediation tasks associated with that assessment configuration which are in the Unassigned, Unresolved, or Claimed Resolved states to Verified. If these issues are not fixed, they reappear during the next assessment that finds them. This allows for more accurate trending of issues over time.
Note: Due to Preventsys’ coalescing of multi-vendor assessment data, a remediation can contain more than one vulnerability. If a remediation task contains multiple vulnerabilities and at least one of them is not associated with the deleted configuration, the remediation task is not changed to Verified. However, the affected vulnerabilities are deleted.
To delete an assessment configuration
1 Select the Delete link for the assessment configuration you want removed on the Assessment Configuration Management screen. A confirmation popup box is displayed.
2 Select OK to continue or Cancel to quit.
3 If you selected OK, the system deletes the selected assessment configuration.
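Added example, not Preventsys code, of the two remediation state transitions described above: deleting an assessment configuration, and the next assessment no longer running the checks that found a vulnerability. The record layout and the sample tasks are constructed; the state names are the ones the guide uses. In both cases “Verified” records absence of the vulnerability, not a confirmed fix, which is why an unfixed issue reappears when a later assessment finds it again.

```python
"""Illustrative remediation-task state transitions on configuration deletion
and on verification by absence.

Added example, not Preventsys code.  Record layout and sample data are
constructed; the state names are those used in the guide.
"""
from dataclasses import dataclass, field
from typing import List, Set

OPEN_STATES = {"Unassigned", "Unresolved", "Claimed Resolved"}


@dataclass
class Vulnerability:
    key: str                    # asset/issue identity after coalescing
    assessment_config: str      # configuration whose assessment found it


@dataclass
class Remediation:
    task_id: str
    state: str
    vulnerabilities: List[Vulnerability] = field(default_factory=list)


def delete_assessment_configuration(tasks: List[Remediation], config_name: str) -> List[str]:
    """Deleting a configuration deletes the vulnerabilities it found.  A task
    left with no vulnerabilities moves from an open state to Verified; a task
    that still holds a vulnerability from another configuration keeps its
    state.  Returns the ids of the tasks that were touched."""
    touched = []
    for t in tasks:
        keep = [v for v in t.vulnerabilities if v.assessment_config != config_name]
        if len(keep) == len(t.vulnerabilities):
            continue                        # nothing from this configuration
        t.vulnerabilities = keep
        if not keep and t.state in OPEN_STATES:
            t.state = "Verified"
        touched.append(t.task_id)
    return touched


def verify_by_absence(tasks: List[Remediation], config_name: str, found_keys: Set[str]) -> List[str]:
    """After `config_name` runs again, an open task is Verified when all of its
    vulnerabilities belong to that configuration and none of them was found,
    e.g. because the connector checks that found them were removed."""
    verified = []
    for t in tasks:
        if t.state not in OPEN_STATES or not t.vulnerabilities:
            continue
        if all(v.assessment_config == config_name and v.key not in found_keys
               for v in t.vulnerabilities):
            t.state = "Verified"
            verified.append(t.task_id)
    return verified


def sample_tasks() -> List[Remediation]:
    """Constructed sample: fresh objects each call because the functions mutate."""
    return [
        Remediation("R-1", "Unresolved", [Vulnerability("10.1.0.5/ftp-anon", "DMZ Weekly")]),
        Remediation("R-2", "Unassigned", [Vulnerability("10.1.0.5/ssl", "DMZ Weekly"),
                                          Vulnerability("10.1.0.5/ssl", "DC Full")]),
        Remediation("R-3", "Claimed Resolved", [Vulnerability("10.2.0.7/smb", "DC Full")]),
        Remediation("R-4", "Verified", [Vulnerability("10.1.0.9/ftp-anon", "DMZ Weekly")]),
    ]


if __name__ == "__main__":
    tasks = sample_tasks()
    print("touched:", delete_assessment_configuration(tasks, "DMZ Weekly"))
    print({t.task_id: (t.state, len(t.vulnerabilities)) for t in tasks})
    print("verified by absence:", verify_by_absence(sample_tasks(), "DMZ Weekly", {"10.1.0.5/ssl"}))
```

Deleting “DMZ Weekly” verifies R-1, strips one vulnerability from R-2 but leaves it Unassigned because its other vulnerability came from “DC Full”, leaves R-3 alone, and removes the vulnerability from the already Verified R-4 without changing its state. Running “DMZ Weekly” again with the FTP check removed verifies R-1 only.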
Managing Assessment Schedules
Assessment scheduling functions are used to schedule the execution of previously defined assessment configurations. Assessments can be scheduled to execute immediately, execute once at a specified date and time, or execute periodically according to a recurring schedule. Note that assessments configured with a recurring schedule continue to run indefinitely, according to the specified date parameters, until the assessment schedule is altered using the “Editing an Assessment Schedule” or “Deleting an Assessment Schedule” functions. Once you have scheduled assessments, you may view the status of all pending assessments via the “View Assessment Status” function.
The Create Assessment Schedule function allows authorized Preventsys users to schedule previously configured assessments for execution. There are three basic types of schedules:
» Execute Immediately
» Schedule Once
» Recurring Schedule
All assessment schedule administration is conducted from the Assessment Schedule Management screen.
To access the Assessment Schedule Management screen
1 Click Assessments > Assessment Schedules. The Assessment Schedule Management screen is displayed.
Note: If you are a member of the Super User group, all assessment schedules are displayed. Otherwise, only assessment schedules for assessment configurations associated with network groups made up completely of networks that are within the range of the network permissions of the groups to which you belong are displayed.
From this screen, you can add new schedules as well as view schedules whose start dates have not yet occurred. For example, if you create a schedule that will start one week from today or will run every Monday, that schedule appears on the View Assessment Status screen as a future assessment.
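Added example, not Preventsys code, computing the run times implied by the three schedule types above; the Daily, Weekly, Monthly and Yearly frequencies are the ones the Add Assessment Schedule screen offers. This guide does not say how the product treats a Start Date on the 29th, 30th or 31st in shorter months, so the clamping to month end below, and the validation that the Start Date must be later than today, are assumptions of the example.

```python
"""Illustrative run-time calculation for the three assessment schedule types.

Added example, not Preventsys code.  Month-end clamping and the
"Start Date later than today" validation are assumptions made here.
"""
import calendar
from datetime import date, datetime, timedelta
from itertools import islice
from typing import Iterator, List, Optional

FREQUENCIES = ("Daily", "Weekly", "Monthly", "Yearly")


def check_start_date(start: date, today: date) -> None:
    """The Add Assessment Schedule screen requires a Start Date later than today."""
    if start <= today:
        raise ValueError(f"start date {start} must be later than today ({today})")


def add_months(d: date, months: int) -> date:
    """Advance by whole months, clamping to the last day of the target month
    (assumed behaviour: a schedule started on the 31st runs on Feb 28/29)."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def recurring(start: datetime, frequency: str) -> Iterator[datetime]:
    """Endless sequence of run times: a recurring schedule keeps running until
    it is edited or deleted, so callers slice off what they need."""
    if frequency not in FREQUENCIES:
        raise ValueError(f"unknown frequency {frequency!r}")
    n = 0
    while True:
        if frequency == "Daily":
            yield start + timedelta(days=n)
        elif frequency == "Weekly":
            yield start + timedelta(weeks=n)
        elif frequency == "Monthly":
            yield datetime.combine(add_months(start.date(), n), start.time())
        else:  # Yearly
            yield datetime.combine(add_months(start.date(), 12 * n), start.time())
        n += 1


def run_times(schedule_type: str, now: datetime, start: Optional[datetime] = None,
              frequency: Optional[str] = None, count: int = 3) -> List[datetime]:
    """Run times implied by one of the three schedule types."""
    if schedule_type == "Execute Immediately":
        return [now]
    if start is None:
        raise ValueError("Schedule Once and Recurring Schedule need a Start Date and Time")
    check_start_date(start.date(), now.date())
    if schedule_type == "Schedule Once":
        return [start]
    if schedule_type == "Recurring Schedule":
        return list(islice(recurring(start, frequency), count))
    raise ValueError(f"unknown schedule type {schedule_type!r}")


if __name__ == "__main__":
    now = datetime(2026, 1, 15, 9, 0)
    print(run_times("Recurring Schedule", now, datetime(2026, 1, 31, 2, 0), "Monthly"))
```

Run the block to see a monthly schedule started on 31 January land on 28 February and 31 March; the same clamping moves a yearly schedule started on 29 February to 28 February in non-leap years.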
Adding an Assessment Schedule
The Add Assessment Schedule function allows authorized Preventsys users to schedule previously configured assessments for execution. You can schedule an assessment configuration to run immediately, once at a specific date and time, or recurring at the frequency you specify.
To run an assessment immediately
1 On the Assessment Configuration Management screen, select Execute Now. The assessment runs immediately.
To schedule an assessment
1 On the Assessment Configuration Management screen, select Schedule to go to the Add Assessment Schedule screen, or on the Assessment Schedule Management screen, select the Add New button. The Add Assessment Schedule screen is displayed.
2 On the Add Assessment Schedule screen, select the name of the assessment configuration you want to schedule.
Note: If you are a member of the Super User group, all assessment configurations are displayed. Otherwise, only assessment configurations associated with network groups made up completely of networks that are within the range of the network permissions of the groups to which you belong are displayed.
3 Select the radio button for the type of schedule you want: Execute Immediately, Schedule Once, or Recurring Schedule.
a. If you select Execute Immediately, the assessment runs as soon as you select Submit.
b. If you select Schedule Once, enter or select a Start Date that is later than today’s date, and then select a Start Time. The assessment runs on this date and time.
c. If you select Recurring Schedule, enter or select a Start Date that is later than today’s date, and then select a Start Time. Next, select the Frequency at which you want the assessment to run: Daily, Weekly, Monthly, or Yearly. Last, configure the timing options you want based on the frequency you selected. The system begins using this schedule on the Start Date and Time you entered.
The assessment will then run based on the frequency you specified.
4 Click Submit to save.

Editing an Assessment Schedule

The Edit Assessment Schedule function allows authorized Preventsys users to edit previously defined assessment schedules.

To edit an assessment’s schedule
1 On the Assessment Schedule Management screen, select the Edit link for the assessment schedule you want to modify. The Edit Assessment Schedule screen is displayed.
2 Edit the assessment’s schedule as desired.
3 Click Submit to save. Note that the modified schedule will not affect currently running assessments.

Deleting an Assessment Schedule

The Delete Assessment Schedule function allows authorized Preventsys users to remove existing assessment schedules from the system. Note that when you delete a schedule, the assessment configuration remains.

To delete an assessment’s schedule
1 On the Assessment Schedule Management screen, select the Delete link for the assessment schedule you want removed. A confirmation popup box is displayed.
2 Select OK to continue or Cancel to quit.
3 If you selected OK, the system deletes the selected assessment schedule. Note that deleting a schedule will not affect currently running assessments.

About The Assessment Lifecycle

Before an assessment can be conducted, you must add at least one Assessment Server with at least one instance configuration. Next, you need to create an assessment configuration and an associated schedule. During an assessment, the system performs the following main tasks:
» Network Assessment
» Indexing (only occurs if you have the Preventsys Threat Feed license)
» Analysis (this task is only performed if you selected a policy when creating the assessment configuration)

Network Assessment

The Network Assessment phase begins when an Assessment Configuration is run.
The configuration identifies the Connectors used to gather internal intelligence (or facts) about your network, including:
» Asset Discovery, Service Port Mapping, OS Fingerprinting, Vulnerability Detection, etc. – You may choose to use a supported network connector (e.g., Nessus) for checking for vulnerabilities, port scanning for services, and OS fingerprinting.
» Configuration Information – You may choose to use the Preventsys WinReg connector to gather registry configuration information.
» Wireless Access Points – You may choose to use the Preventsys WiFi connector to identify all access points, their logical location, vendor, WEP usage, and so on.

Once an Assessment Configuration is scheduled and its schedule executes, the connectors chosen are used to gather facts about your network.

Fact Indexing

When the Network Assessment finishes, the Indexing phase begins. During this phase, all of the facts found during the network assessment are indexed so that complex associations with external threat intelligence can be made during the Analysis phase.

Analysis

Once the Indexing phase finishes, an Analysis is done if a policy was selected in the assessment configuration. The analysis phase results in vulnerabilities, policy violations, threat correlation, and vulnerability and violation coalescing for the purpose of reporting and remediation prioritization and tracking.

Note: If you do not want to analyze your networks against a specific policy, select the Preventsys Default Vulnerability Policy, which allows the system to perform non-policy-specific analysis, such as vulnerability coalescing and threat correlation as described later in this section. If this policy is selected, the system will not analyze and display vulnerabilities, analyze threat alert data against your networks, or create remediations based on the assessment.
This phase uses complex and optimized Preventsys search and mapping algorithms to apply policy rules written in the Preventsys Policy Definition Language, and to coalesce vulnerabilities and violations (as described in the “Coalescing of Multi-vendor Assessment Data” section). This phase is one of the single most important features of the Preventsys product, as it drastically reduces the effort of manually comparing data from different Security Point Solutions that gather internal network intelligence but are not themselves correlated, and then mapping that data to external threat intelligence typically gathered from threat newsletters and threat analyst services. The Preventsys product merges this information during this phase to provide you with a consistent, easy-to-navigate set of relationships.

The Analysis phase also creates Remediation tasks automatically, and can alter the severity and priority of existing remediation tasks based on the contextual information of each contributing piece of intelligence. See the “Remediations” chapter for details about remediations.

Threat Intelligence Correlation

If you have a valid Preventsys Threat Intelligence license, this phase correlates threat intelligence data with facts about your network that may expose you. Threat data received via the Preventsys Threat Intelligence Connector undergoes a complex associative analysis with the internal vulnerability and policy violation intelligence that the Preventsys ESM Server has in its database about your enterprise network. All of this is accomplished without re-scanning and without you having to do the manual correlation. The resulting analysis is a rapid and easy-to-understand association between devices at risk from a given threat, exposure based on that threat, and, most importantly, prioritization of unresolved remediation tasks that are associated with the threat.
Note: You can turn off the Threat Intelligence Correlation phase of analysis by deselecting the Perform Threat Analysis checkbox.

Coalescing of Multi-vendor Assessment Data

Vulnerability Coalescing

The Preventsys SRM System integrates a number of different pieces of security technology using its Connector APIs. Many of the products integrated in this manner give similar pieces of information. Even the same product will often give reams of data related to the same problem. The Preventsys SRM System helps reduce this data overload by combining related information, where possible, into a single piece of information with multiple descriptions (as different sources may have valuable information). As a result, on many of the screens where a vulnerability, remediation task or threat alert is referenced, you will often see several pieces of information coalesced for that task or issue.

As an example of vulnerability coalescing, Nessus and Nmap will often report the same vulnerability for the same asset in different ways for the same or multiple ports. The ESM System coalesces all of these issues into one item with multiple descriptions, when possible, so that fewer remediation items and less data overload occur, resulting in higher-value information.

A second example of vulnerability coalescing would be if Nessus, ISS SiteProtector, and eEye Retina were all utilized in the same assessment and found the same vulnerability, but had very different descriptions for it. The ESM System coalesces all of this information into one vulnerability and one remediation item with multiple descriptions. By doing this, no data is lost; rather, it is organized for more productive usability. Coalescing reduces the huge amount of manual correlation you typically need to do when using each of these types of integrated products and alerts individually.
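The coalescing behaviour described above, as an added example that is not Preventsys code: findings from several scanner connectors for one asset are merged into a single item whose descriptions stay grouped by scanner name, test ID and test name. The Finding records, the cross-scanner matching identifier and the host/port values are constructed assumptions; the ESM’s own matching rules are not documented on this page.

```python
"""Model of multi-vendor vulnerability coalescing (added example, not Preventsys
code). The cross-scanner key `match_id` is an assumed common identifier; the
real ESM matching logic is not public."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Finding:
    scanner: str       # connector that reported it, e.g. "Nessus"
    test_id: str       # scanner-specific test/plugin ID
    test_name: str
    host: str
    port: int          # 0 when the finding is not port-specific
    match_id: str      # assumed cross-scanner identifier (placeholder values below)
    description: str
    solution: str


@dataclass
class CoalescedVulnerability:
    host: str
    match_id: str
    ports: set = field(default_factory=set)
    # scanner -> (test_id, test_name) -> [texts]
    descriptions: dict = field(default_factory=lambda: defaultdict(lambda: defaultdict(list)))
    solutions: dict = field(default_factory=lambda: defaultdict(lambda: defaultdict(list)))

    @property
    def sources(self) -> int:
        """Number of distinct (scanner, test) pairs that contributed."""
        return sum(len(tests) for tests in self.descriptions.values())

    @property
    def coalesced(self) -> bool:
        """More than one source contributed: the item a report flags with the coalesced icon."""
        return self.sources > 1


def _add_unique(bucket, text):
    # The same scanner often repeats identical text once per port; keep one copy.
    if text not in bucket:
        bucket.append(text)


def coalesce(findings):
    """Group findings by (host, match_id). One item, and therefore one remediation
    task, results per group regardless of how many scanners or ports reported it."""
    items = {}
    for f in findings:
        item = items.setdefault((f.host, f.match_id),
                                CoalescedVulnerability(f.host, f.match_id))
        item.ports.add(f.port)
        key = (f.test_id, f.test_name)
        _add_unique(item.descriptions[f.scanner][key], f.description)
        _add_unique(item.solutions[f.scanner][key], f.solution)
    return list(items.values())


def grouped_lines(item):
    """Render descriptions the way the reports group them: scanner, then test ID and name."""
    lines = []
    for scanner in sorted(item.descriptions):
        for (test_id, test_name), texts in sorted(item.descriptions[scanner].items()):
            for text in texts:
                lines.append(f"{scanner} / {test_id} {test_name}: {text}")
    return lines


# Constructed sample input: three connectors report the same issue on one asset
# (Nessus on two ports), plus one issue seen by Nessus alone.
SAMPLE_FINDINGS = [
    Finding("Nessus", "10000", "Example service flaw", "10.0.0.5", 80,
            "EXAMPLE-ID-0001", "Nessus wording of the flaw", "Upgrade the service"),
    Finding("Nessus", "10000", "Example service flaw", "10.0.0.5", 8080,
            "EXAMPLE-ID-0001", "Nessus wording of the flaw", "Upgrade the service"),
    Finding("Nmap", "svc-check", "Service version check", "10.0.0.5", 80,
            "EXAMPLE-ID-0001", "Nmap wording of the same flaw", "Update the service"),
    Finding("Retina", "R-42", "Example service flaw (Retina)", "10.0.0.5", 0,
            "EXAMPLE-ID-0001", "Retina wording of the same flaw", "Apply vendor patch"),
    Finding("Nessus", "10001", "Unrelated weakness", "10.0.0.5", 22,
            "EXAMPLE-ID-0002", "Only Nessus saw this", "Reconfigure the daemon"),
]

if __name__ == "__main__":
    for item in coalesce(SAMPLE_FINDINGS):
        flag = "[coalesced]" if item.coalesced else "[single]"
        print(flag, item.host, item.match_id, "ports", sorted(item.ports))
        for line in grouped_lines(item):
            print("   ", line)
```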
The coalesced icon allows you to identify coalesced vulnerabilities easily in the following areas:
» Comparative Compliance Report
» Network Standard Report
» Network Group Standard Report
» Operating System Standard Report
» Asset Summary Report
» Asset Standard Report
» Asset Details Report

In addition, the descriptions and solutions for vulnerabilities that have been coalesced are grouped by scanner name and the associated test ID and test name. Descriptions and solutions for coalesced vulnerabilities are viewable in the following areas:
» Asset Summary Report
» Asset Details Report
» Remediation Details

Figure 7-2. Asset Summary Report displaying a coalesced vulnerability (note that the vulnerability was found by both the Qualys and Nessus connectors)

Violation Coalescing

When two different scanners find the same violation, the ESM coalesces these into one violation. Coalescing helps reduce manual correlation, and since only one remediation task is created, it helps reduce task management time as well. Rules must be specifically written to allow for violation coalescing. For details about which Preventsys rules allow coalescing, see the Policy Reference Guide. For information about how to write rules that allow coalescing, see the PolicyLab User Guide.

Understanding Assessment Status

The following phases are displayed during an assessment. See the beginning of this chapter for more details about each of these phases.
» Assessing – The Preventsys SRM System is using the information in your assessment configuration to gather facts about your networks using the specified scanner connectors. The Assessing icon is displayed during this phase.
» Indexing – The Preventsys SRM System is indexing all of the facts found during assessment (i.e. the scan results) so that they can be compared against threat alerts during analysis (only occurs if you have the Preventsys Threat Intelligence license).
The Indexing icon is displayed during this phase.
» Analyzing – The Preventsys SRM System is applying the policy (or policies) specified in the assessment configuration against the results obtained during assessment (only occurs if you selected a policy), analyzing the latest threat alerts (only occurs if you have the Preventsys Threat Intelligence license), and grouping like vulnerabilities for the same asset into one remediation. This phase results in vulnerability, policy violation and threat correlation and coalescing for the purpose of reporting and remediation prioritization and tracking, as well as the creation of remediation tasks. The Analyzing icon is displayed during this phase.
» Complete – The Preventsys SRM System has completed all tasks associated with the assessment. The Complete icon is displayed at this time. While the assessment may be complete, you must check the Status column to know whether the assessment was completely successful, successful with warnings, or failed.

Successful – The assessment completed as expected.
Successful with Warnings – At least one of the assessment’s tasks failed. When this happens, the system will still attempt to complete the assessment. Assuming at least one task can be completed successfully, the system will return partial results. The warning icon is displayed if this occurs.
Failed – Several things can cause an assessment to fail. If the system cannot complete the assessment, it will return a “Failure” message.

About Partial Results

If not all tasks conducted during the Assessing phase completed successfully, the system will save the results it was able to obtain for report viewing and reanalysis. The Assessment Details screen will display information about which assessment tasks completed successfully and which failed.
If not all tasks conducted during the Analyzing phase completed successfully, the system will save the results it was able to obtain for report viewing. If an assessment returns partial results, remediation tasks are handled as follows:
» No remediation tasks will be verified because of the assessment.
» If your assessment used the Preventsys Default Vulnerabilities policy, then Claimed Resolved remediation tasks will be reopened if the associated vulnerabilities are re-identified, and new remediation tasks will be created for any new vulnerabilities found. Note that this is the same behavior as with successfully completed assessments.

Note: You can view the status of the latest five assessments run via the Assessment console on the Security Risk Dashboard. See the “Security Risk Dashboard” chapter for details.

All assessment status administration is conducted from the Assessment Status Management screen.

To access the Assessment Status Management screen
1 Click Assessments > Assessment Status. The Assessment Status Management screen is displayed in the default Standard View.

From this screen, you can access detailed status information about assessments that are in progress as well as those that have completed. You can also pause and resume or cancel assessments, clean up your view by hiding old assessments, and delete assessments from the system.

Note: If you are a member of the Super User group, then all assessment statuses are displayed. Otherwise, only assessment statuses for assessment configurations associated with network groups made up completely of networks that are within the range of the network permissions of the groups to which you belong are displayed.
Viewing Assessment Details

The Assessment Details screen presents additional and detailed information about a specific assessment, such as the scanners used during the assessment, the schedule, when the assessment was started and when it completed, the completion status, a list of any asset exclusion lists that were applied, and whether there were partial scan results. It also lists each task conducted for the assessment and the analysis, and their associated statuses.

Note: You can also access details about an assessment by clicking the Assessment Details link on reports.

To view details about an assessment
1 On the Assessment Status Management screen, select the Details link for the desired assessment. The Assessment Details screen is displayed.

Figure 7-3. Sample Assessment Details screen displaying a successful assessment and running analysis
Figure 7-4. Sample Assessment Details screen displaying a failed assessment task; partial results are therefore available
Figure 7-5. Sample Assessment Details screen displaying a failed analysis task; partial results are therefore available

Pausing and Resuming an Assessment

The Pause and Resume Assessment functions allow authorized Preventsys users to pause an assessment that is in progress and then resume it at a later time. Note that only in-progress assessments can be paused and only paused assessments can be resumed.

To pause and resume an assessment
1 Select the Pause link for the assessment you want paused on the Assessment Data Management screen. A confirmation popup box is displayed.
2 Select OK to continue or Cancel to quit.
3 If you selected OK, the system pauses the selected assessment. The system also changes the “Pause” link to “Resume”.
4 To resume the assessment, select the Resume link.
Note: An assessment can also be paused by the system if a network time window closes before the assessment can complete. The system will automatically resume the assessment once the time window opens again. See the “Assets and Networks” chapter for details about setting time windows for networks.

Canceling an Assessment

On the Assessment Status Management screen, there are two ways to cancel an assessment that is in progress:
» Clicking Terminate All Immediately “immediately stops” all current assessment activity.
» Selecting the Cancel link for an individual assessment, or the Cancel All link, allows you to “cleanly stop” current assessment activity.

When you select any of these links, a confirmation popup box is displayed. Select OK to continue or Cancel to quit. If you selected OK, the system cancels the assessment(s).

Hiding and Un-hiding Assessment Statuses

You can use the Hide functionality to clean up the Assessment Status Management screen by hiding completed assessments from view. A hidden assessment can always be redisplayed by using the Unhide functionality accessible via the Extended View.

To hide and unhide an assessment
1 On the Assessment Status Management screen, select the Standard View to see all in-progress assessments and all completed assessments that have not been hidden.
2 To hide an assessment, select the Hide link for the assessment you want to hide. Note that you can also access the “Hide” functionality in the Extended View.
3 A confirmation popup box is displayed. Select OK to continue or Cancel to quit.
4 If you selected OK, the system removes the selected assessment from the Standard View.
5 To unhide an assessment, on the Assessment Status Management screen select the Extended View to see all in-progress assessments and all completed assessments, both hidden and not hidden.
Assessments that have not been hidden will have a “Hide” link, and those that have been hidden will have an “Unhide” link.
6 Select the Unhide link for the assessment you want to add back to the Standard View.
7 A confirmation popup box is displayed. Select OK to continue or Cancel to quit.
8 If you selected OK, the system displays the selected assessment in the Standard View.

Importing External Assessment Data

The Preventsys SRM System allows the import of externally obtained assessment data from the following two sources:
» File – Assessment data gathered and then exported into a file using an assessment tool outside of the Preventsys SRM System
» Scan – Scan results from an assessment tool supported by the Preventsys SRM System, imported via an associated instance configuration

Note: See the “Assessment Servers and Instance Configurations” chapter for details about adding Assessment Servers and Instance Configurations to the Preventsys SRM System.

Files can be imported using the Preventsys SRM System’s GUI or by using the Preventsys Assessment Import Utility (AIU), a command-line interface. Steps for importing assessment data, as well as deleting assessments, using each of these interfaces are presented in the following sections.

Basic Steps To Import

Determine Import Source

The Preventsys SRM System supports the import of assessment data from a file as well as directly from a scanner.

Import Source: File
» Preventsys XML File – The file must already be in the valid Preventsys XML format (no XSL transform is required). For example, if you used the SiteProtector extractor to extract data directly from SiteProtector into a valid XML file, this file can be imported using the Preventsys XML file import.
» Generic XML File – The file requires an XSL file to transform it into the valid Preventsys XML format; you must enter the XSL filename.
» AIU (Assessment Import Utility) – Similar to “Generic XML” in that the file is not in the valid Preventsys XML format. However, Preventsys has built AIUs for these connectors (i.e. XSL transforms). The XSL is applied automatically by the system based on the file type/version selected (i.e. Nessus, etc.), so you do not need to enter an XSL filename. Please contact Preventsys Support for details about AIUs.
» Connector File Import – Similar to AIU import, except that the transform is done by a connector instance rather than by the ESM using an XSL. The format does not have to be XML (e.g., Nessus NSR is supported). The format does have to be one the connector recognizes and knows how to convert to Preventsys XML format.

Import Source: Scan
For the import of assessment data from scans, the system only supports connectors that allow the Preventsys SRM System to extract the requested scan data directly.
» Scan – Importing scan data is similar to Connector File Import in that the transform of the data is done by a connector instance rather than by the ESM using an XSL. However, instead of you providing a file to import, the system connects directly to the connector specified and displays a list of available scans for you to select from or, in some instances, requests that you enter a Job ID for a scan the connector conducted.

Note: Please contact your Preventsys Support Representative for information about XSL transforms that Preventsys has created and for the Preventsys Connector SDK.

Create An Assessment Configuration

Imported data must be associated with an assessment configuration. Therefore, you need to create an assessment configuration with a network group that includes all of the IPs in the assessment data file you want to import.
Host data outside the ranges of the network group associated with the selected assessment configuration will not be imported. The connector types associated with the assessment configuration you select do not have to match the assessment tool type of the file you are importing. For example, the assessment configuration you selected may use the Nessus connector type while you are importing a file from ISS SiteProtector. However, if you want that assessment configuration to use the assessment tool type of the imported scan results or data file for future assessments, you must add that instance configuration to your assessment server, create an associated connector configuration, and then update the assessment configuration.

Note: You do not need to conduct assessments with the assessment configuration you create prior to importing a file; the assessment data can be imported into an assessment configuration for which no assessments have been run.

Determine File Import Order

When importing a file, if you do not specify an “override date”, the start_time in the XML file being imported is used as the start date and time of the assessment.

Note: When importing an assessment data file, the start time in the file must be later than the latest assessment’s time associated with the assessment configuration. If the start time of the file is earlier, the import will fail. Use the Override Date option to specify a different start time.

When importing a scan, if you do not specify an “override date”, the start_time in the scan is used as the start date and time of the assessment. If neither of these is available, the system uses the time at which the import was started.

If you will be importing more than one file in a series, consider organizing these files in the historical order in which you want them presented in the Preventsys SRM System.
Thus, the file with the oldest time should be imported first, followed by the next oldest, and so on. The most recent file should be imported last. Allow time between imports for the system to perform its indexing of the result set for analysis.

Note: Imported assessment data is put in the database sequentially. Imported assessment data cannot be placed in the middle of a sequence of assessments.

About System Data Merging and Analysis

Merge With Latest Assessment Data: As part of the import, the Preventsys SRM System merges the imported assessment data with the latest assessment data for the assessment configuration you specified, filtering out any duplicate vulnerabilities (i.e. the same vulnerability found on the same host using the same assessment tool). The resulting assessment becomes the “new” latest assessment for the assessment configuration you specified. This merging of assessment data prevents remediation tasks from being closed due to missing data in the import file.

Note: The merging of assessment data is optional. If you turn this function off, the imported assessment data is not merged with any other assessment data. The “new” latest assessment includes only the imported data. Remediations associated with vulnerabilities found on hosts in previous assessments that are not in the imported data will be changed to “verified” due to the absence of their reoccurrence.

Assessment Configuration Inheritance: After an import, the “new” latest assessment is treated as if it had been run by the Preventsys SRM System. It is displayed in the Assessment Console on the Preventsys Security Risk Dashboard (assuming that the time specified falls in the range of the latest five assessments) and on the View Assessment Status screen. This new assessment also inherits the hosts, networks, network group, and policies of the associated assessment configuration.
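The import rules from “Determine File Import Order” and “Merge With Latest Assessment Data” above, as an added example that is not Preventsys code: the override date takes precedence over the file’s start_time, an import older than the latest assessment is refused, merging carries earlier findings forward and drops exact (vulnerability, host, tool) duplicates, and with merging off the remediations whose vulnerabilities are absent from the import are marked Verified. The Assessment and Remediation records and every sample value are constructed; the ESM’s real data model is not shown on this page.

```python
"""Model of the documented import rules (added example, not Preventsys code).
The records below are assumed shapes used only to make the rules executable."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"   # yyyy-mm-ddTHH:mm:ss, always GMT


def parse_gmt(text):
    """Parse an override date or start_time string in the documented format."""
    return datetime.strptime(text, TIME_FORMAT).replace(tzinfo=timezone.utc)


class ImportRejected(Exception):
    """Raised when the import would violate the ordering rule."""


@dataclass
class Assessment:
    start_time: datetime
    vulns: set = field(default_factory=set)   # {(vulnerability, host, tool)}


@dataclass
class Remediation:
    vuln: tuple                                # same (vulnerability, host, tool) key
    status: str = "Unassigned"


def resolve_start_time(file_start_time=None, override=None, now=None):
    """Override date wins; otherwise the file/scan start_time; otherwise import time."""
    if override:
        return parse_gmt(override)
    if file_start_time:
        return parse_gmt(file_start_time)
    return now or datetime.now(timezone.utc)


def import_assessment(history, imported, remediations, *, file_start_time=None,
                      override=None, merge=True, now=None):
    """Append the imported data to `history` (oldest first) as the new latest
    assessment, applying the documented rules. Returns the new Assessment."""
    start = resolve_start_time(file_start_time, override, now)
    if history and start <= history[-1].start_time:
        raise ImportRejected(
            f"start time {start:%Y-%m-%dT%H:%M:%S} is not later than the latest "
            f"assessment ({history[-1].start_time:%Y-%m-%dT%H:%M:%S}); use an override date")
    imported = set(imported)
    if merge and history:
        # Set union drops exact (vulnerability, host, tool) duplicates and keeps
        # everything from the latest assessment, so no remediation closes for
        # lack of data in the import file.
        vulns = history[-1].vulns | imported
    else:
        vulns = imported
        # Merge off: remediations whose vulnerability is absent from the
        # imported data are changed to Verified.
        for rem in remediations:
            if rem.vuln not in imported:
                rem.status = "Verified"
    new = Assessment(start, vulns)
    history.append(new)
    return new


def import_order(files):
    """Order a batch of (name, start_time) pairs oldest first, as the guide recommends."""
    return [name for name, _ in sorted(files, key=lambda f: parse_gmt(f[1]))]


def demo():
    """Constructed walk-through; returns what each step produced."""
    history, rems = [], [Remediation(("EXAMPLE-ID-0001", "10.0.0.5", "nessus"))]
    first = import_assessment(history, {("EXAMPLE-ID-0001", "10.0.0.5", "nessus")}, rems,
                              file_start_time="2004-07-20T09:00:00")
    # Merge on: the exact duplicate is dropped and the earlier finding carried forward.
    second = import_assessment(history, {("EXAMPLE-ID-0001", "10.0.0.5", "nessus"),
                                         ("EXAMPLE-ID-0002", "10.0.0.6", "nessus")}, rems,
                               file_start_time="2004-07-27T22:36:20")
    status_after_merge = rems[0].status
    try:   # a file older than the latest assessment is refused
        import_assessment(history, set(), rems, file_start_time="2004-07-01T00:00:00")
        rejected = False
    except ImportRejected:
        rejected = True
    # An override date makes the same file importable; with merge off, the
    # remediation whose vulnerability the file lacks becomes Verified.
    third = import_assessment(history, {("EXAMPLE-ID-0002", "10.0.0.6", "nessus")}, rems,
                              file_start_time="2004-07-01T00:00:00",
                              override="2004-08-01T00:00:00", merge=False)
    return {"first": first, "second": second, "third": third, "rejected": rejected,
            "status_after_merge": status_after_merge,
            "status_after_no_merge": rems[0].status}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```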
Assessment Data Analysis: If the associated assessment configuration has a policy, policy analysis takes place automatically after the import. If the assessment configuration does not contain a policy, no analysis is conducted as part of the import (i.e. no vulnerabilities or violations are created). You will need to conduct a re-analysis of the assessment to identify vulnerabilities and violations.

Importing Assessment Results Using the Preventsys SRM System’s UI

All import functionality from the GUI is conducted from the Import Assessment Data screen.

To access the Import Assessment Data screen
1 On the Assessment Configuration Management screen, select the Import to link for the assessment configuration into which you want to import your scan results. The Import Assessment Data screen is displayed.

To import an assessment data file
1 The Import to Assessment Configuration field is populated with the assessment configuration you selected on the previous screen.
Note: The Import to Assessment Configuration dropdown list only displays assessment configurations associated with network groups made up completely of networks that are within the range of the networks to which you are associated via your user group(s).
2 Select “File” for the Source.
3 For Type, select the type of file and format you are importing.
   Preventsys XML – The file is already in the valid Preventsys XML format
   Generic XML – You have an XSL that will transform the file into valid Preventsys XML
   Assessment Tool Name/Format – The format used by the assessment tool from which the file was exported is supported by Preventsys and therefore no XSL is required (supported assessment tool output formats are listed in the “Type” dropdown)
4 Enter an Override Date if you want to use a different assessment date than what is specified in the file.
The format of the date/time entered must be yyyy-mm-ddTHH:mm:ss (e.g., 2004-07-27T22:36:20) and is always in GMT.
5 If the Merge with Latest Data check box is selected, the system merges the imported assessment data file with any previous assessments for the selected assessment configuration.
6 Select Next. The Import File screen is displayed.

Figure 7-6. Sample File Import screen if “Generic XML” selected

7 Enter the path or browse to find the requested file or files.
8 Select Submit to import the file.

To import scan results
1 Select “Scan” for the Source.
2 For Type, select the assessment tool from which you want the system to import the assessment results.
3 For the assessment tool you selected, specify which associated instance configuration you want the system to use. Note that the instance configuration must be valid and running on an available assessment server.
4 Enter an Override Date if you want to use a different assessment date than what is specified in the scan. The format of the date/time entered must be yyyy-mm-ddTHH:mm:ss (e.g., 2004-07-27T22:36:20) and is always in GMT. If the scan does not have a scan time and you do not enter an override date, the date and time the scan is imported will be used.
5 If the Merge with Latest Data check box is selected, the system merges the imported assessment data with any previous assessments for the selected assessment configuration.
6 Select Next. The Import Scan screen is displayed.

Figure 7-7. Sample Scan Import screen if Qualys scanner and instance configuration selected

7 Select the scan you want to import.
8 Select Submit to import the scan.
Importing Assessment Results Using the Preventsys Command-Line AIU To Install the Preventsys Assessment Import Utility (AIU) To utilize the Preventsys AIU, you must first install Java, and then the files supporting these functions using the installation instructions below. Note that these commands are supported for both Windows (batch files) and Linux (shell-scripts). 1 2 3 4 5 6 7 Install Java JDK or JRE v1.4.x Create a new System Environment Variable and name it JAVA_HOME Modify your existing System Environment Variable PATH so that it includes %JAVA_HOME%/bin Verify that JAVA_HOME is set by running a new command window and typing ‘set JAVA_HOME’ Verify that %JAVA_HOME%/bin is now in your PATH by typing ‘set PATH’ Unzip the preventsys_data_manipulation_v1.1.zip file to any directory Use the import_file, import_scan, or remove_scan command as needed Before using the AIU, the following arguments must be placed in the file dataimport.conf in the same directory as the import_file utility. The property values of the dataimport.conf file are shown below: # Url of the Preventsys ESM appliance web application preventsys.webservice.host = <host or IP address> preventsys.webservice.port = <8888> # Preventsys login info preventsys.login.username= <preventsys user name> preventsys.login.password= <preventsys password> 82 PREVENTSYS™ SRM USER’S GUIDE CHAPTER 7 | ASSESSMENTS truststore.filename= <full path to truststore> truststore.password= <truststore password> Importing a File The following are parameters that are used with the import_file command. These are also discussed in the “Basic Steps to Import” section of this chapter. Parameter Description <pconfig_name> The Preventsys Assessment Configuration Name with which you want the imported data to be associated. Generally, this will be the Assessment Configuration whose network group definition most closely matches the ranges of hosts in the imported scan. 
You can find the Preventsys Assessment Configuration Name in the Assessment Status window. Remember to put the assessment configuration name in quotes if it contains spaces. Preventsys recommends always using quotes regardless. <xml> The name of the xml file to import <xsl> An optional parameter that will transform the given XML into the Preventsys Assessment Data format if it is not already in that format. <time> An optional parameter for when you want to specify the assessment date; format is yyyy-mm-ddTHH:mm:ss (e.g., 200407-27T22:36:20) and is always in GMT <roll true|false> An optional parameter that will turn off assessment data merging if –roll false. If not present then default is "roll=true”. To import an assessment data file using the Preventsys AIU Run the following import_file command using any optional parameters desired: import_file -xml <xml> -paconfig <p_config_name> Example using all optional parameters: import_file -xml <xml> [-xsl <xsl>] [-time <time>] -paconfig <p_config_name> -roll false Example with actual values: > import_file -xml NESSUS.xml –xsl ./NESSUS.xsl –time 2004-0727T22:36:20 –paconfig “MyNessusCompliantServers” –roll false Importing a Scan The following are the parameters used with the import_scan command. These are also discussed in the “Basic Steps to Import” section of this chapter. Parameter Description 83 PREVENTSYS™ SRM USER’S GUIDE CHAPTER 7 | ASSESSMENTS Parameter Description <scanner_type> The type of scanner/assessment tool. <scan_id> The scan id of the external scan to import (e.g., scan/1108521446.20654). <pconfig_name> The Preventsys Assessment Configuration Name with which you want the imported data to be associated. Generally, this will be the Assessment Configuration whose network group definition most closely matches the ranges of hosts in the imported scan. You can find the Preventsys Assessment Configuration Name in the Assessment Status window. 
    Remember to put the assessment configuration name in quotes if it contains spaces. Preventsys recommends always using quotes regardless.

<connector_name>
    The name of the instance configuration associated with the scanner type you entered that is to be used in the import.

<assessment_server_name>
    The name of the assessment server associated with the instance configuration that you entered.

<time>
    An optional parameter for when you want to specify the assessment date; the format is yyyy-mm-ddTHH:mm:ss (e.g., 2004-07-27T22:36:20) and is always in GMT.

<roll true|false>
    An optional parameter that turns off assessment data merging when -roll false is given. If not present, the default is “roll=true”.

To import scan results using the Preventsys AIU

Using the import_scan utility, scan results can be imported from the assessment tool you specify. Run the following import_scan command using any optional parameters desired:

    import_scan -scanner_type <scanner_type> -scan_id <scan_id> -paconfig <config_name> -pci <connector_name> -pas <assessment_server_name>

Example using all optional parameters:

    import_scan -scanner_type <scanner_type> -scan_id <scan_id> -paconfig <config_name> -pci <connector_name> -pas <assessment_server_name> [-time <time>] [-roll true|false]

Example with actual values:

    > import_scan -scanner_type qualys -scan_id scan/1137454348.25445 -paconfig qualys2-9 -pci qualys -pas as13 -time 2004-07-27T22:36:20 -roll false
    Local process has finished successfully. Payload is being sent to the server to be completed....
    Successfully imported data. New Preventsys scan_id = 1942261186194227

In addition to the arguments that must be supplied at each invocation, the following arguments must be placed in the file dataimport.conf in the same directory as the import_scan utility.
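The following helper, an added example rather than Preventsys code, writes the dataimport.conf keys listed in this chapter with owner-only permissions (the file holds the Preventsys login and truststore password in clear text) and builds the import_file and import_scan argument lists, rejecting a -time value that is not in the yyyy-mm-ddTHH:mm:ss form. The host, user names and passwords in demo_conf are constructed placeholders.

```python
"""Helpers for driving the Preventsys AIU command line (added example, not Preventsys code)."""
import os
import re
import shlex
import stat
import tempfile

# -time must be yyyy-mm-ddTHH:mm:ss, always GMT (the format string given in the guide)
_TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$")


def write_dataimport_conf(path, host, port, username, password,
                          truststore_file, truststore_password):
    """Write dataimport.conf so that only its owner can read or write it.

    The file stores the Preventsys login and truststore password in clear text,
    so it is created with mode 0600; the chmod afterwards covers a pre-existing file.
    """
    lines = [
        "# Url of the Preventsys ESM appliance web application",
        f"preventsys.webservice.host = {host}",
        f"preventsys.webservice.port = {port}",
        "# Preventsys login info",
        f"preventsys.login.username= {username}",
        f"preventsys.login.password= {password}",
        f"truststore.filename= {truststore_file}",
        f"truststore.password= {truststore_password}",
    ]
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return path


def conf_is_private(path):
    """True when no group or other permission bits are set on the conf file."""
    return (os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def demo_conf():
    """Write a sample conf with constructed placeholder values into a fresh temp dir."""
    d = tempfile.mkdtemp()
    return write_dataimport_conf(os.path.join(d, "dataimport.conf"), "192.0.2.10", 8888,
                                 "importer", "placeholder-password",
                                 "/opt/aiu/truststore", "placeholder-truststore-password")


def _check_time(time):
    if time is not None and not _TIME_RE.match(time):
        raise ValueError(f"-time must be yyyy-mm-ddTHH:mm:ss in GMT, got {time!r}")


def import_file_argv(xml, pconfig_name, xsl=None, time=None, roll=None):
    """argv for: import_file -xml <xml> [-xsl <xsl>] [-time <time>] -paconfig <name> [-roll true|false]"""
    _check_time(time)
    argv = ["import_file", "-xml", xml]
    if xsl is not None:
        argv += ["-xsl", xsl]
    if time is not None:
        argv += ["-time", time]
    # One argv element per value: a configuration name containing spaces stays a
    # single argument, which is what the guide's "always use quotes" advice achieves.
    argv += ["-paconfig", pconfig_name]
    if roll is not None:
        argv += ["-roll", "true" if roll else "false"]
    return argv


def import_scan_argv(scanner_type, scan_id, pconfig_name, connector_name,
                     assessment_server_name, time=None, roll=None):
    """argv for: import_scan -scanner_type .. -scan_id .. -paconfig .. -pci .. -pas .. [-time ..] [-roll ..]"""
    _check_time(time)
    argv = ["import_scan", "-scanner_type", scanner_type, "-scan_id", scan_id,
            "-paconfig", pconfig_name, "-pci", connector_name,
            "-pas", assessment_server_name]
    if time is not None:
        argv += ["-time", time]
    if roll is not None:
        argv += ["-roll", "true" if roll else "false"]
    return argv


def shell_line(argv):
    """Render argv as a POSIX shell command line, quoting only where needed."""
    return shlex.join(argv)
```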
The property values of the dataimport.conf file are as follows:

    # Url of the Preventsys ESM appliance web application
    preventsys.webservice.host = <host or IP address>
    preventsys.webservice.port = <8888>
    # Qualys scanner required variables
    dataimport.qualys.key.deleteres= Off
    dataimport.qualys.key.appliancename= <appliance name>
    dataimport.qualys.key.password= <password>
    # e.g., "SANS20 Options"
    dataimport.qualys.key.optionspolicy= <policy>
    dataimport.qualys.key.username= <qualys user name>
    # Preventsys login info
    preventsys.login.username= <preventsys user name>
    preventsys.login.password= <preventsys password>
    truststore.filename= <full path to truststore>
    truststore.password= <truststore password>

Deleting Assessments

When an assessment is deleted, all vulnerabilities that were initially found based on that assessment, as well as their associated remediations, are removed from the Preventsys SRM System. Vulnerabilities and their associated remediations that were initially found in previous assessments and carried forward to the deleted assessment are not deleted. They remain and keep their latest status (e.g., Unassigned, Assigned, Claimed Resolved, False Positive, Accepted Risk, or Verified). Any reanalyses associated with the deleted assessment are also deleted. If the deleted assessment is also the latest assessment, then the previous assessment becomes the “new” latest assessment for that assessment configuration.

Note: When an assessment is deleted, the system goes into Maintenance Mode until the removal is complete. See the “System Updates” chapter for details about Maintenance Mode.

Deleting An Assessment Using the Preventsys SRM System’s UI

To delete an assessment using the Preventsys SRM System’s UI

1 On the Assessment Status Management screen, select the Delete link for the assessment you want to remove from the system.
2 A confirmation popup box is displayed. Select OK to continue or Cancel to quit.
3 If you selected OK, the system deletes the selected assessment.

Deleting An Assessment Using the Preventsys AIU

Note: The Preventsys AIU must be installed prior to use. Please refer to the section about installing the Preventsys AIU in this chapter for details about installation.

The following parameter must be used with the remove_scan command.

Parameters:

<p_scan_id>
    Preventsys Scan ID to be removed. You can find the Preventsys Scan ID by clicking on the “Assessment Successful” link in the Assessment Status. This will pop up a window that displays the Preventsys Scan ID for the assessment.

In addition to this argument, which must be supplied at each invocation, the following arguments must be placed in the file dataimport.conf in the same directory as the remove_scan utility. The property values of the dataimport.conf file are as follows:

    # Url of the Preventsys ESM appliance web application
    preventsys.webservice.host = <host or IP address>
    preventsys.webservice.port = <8888>
    # Preventsys login info
    preventsys.login.username= <preventsys user name>
    preventsys.login.password= <preventsys password>
    truststore.filename= <full path to truststore>
    truststore.password= <truststore password>

To delete an assessment using the Preventsys AIU

1 Identify the Preventsys scan id for the assessment you want deleted. You can locate the assessment’s scan id by selecting Reports > Executive Summary. Select the assessment you want to delete from the report context at the top of the screen. After the report refreshes with the selected data, select the Assessment Details link located in the top right-hand corner of the report. The scan id is the same as the “Assessment ID” (see the following image).
2 After you have identified the Preventsys scan id for the assessment you want to delete, use the remove_scan command and the <p_scan_id> parameter to perform the removal.

    remove_scan -scan_id <p_scan_id>

Example with actual values:

    > remove_scan -scan_id 8813212898813212
    Local process has finished successfully. Payload is being sent to the server to be completed....
    Successfully removed data for scan_id = 8813212898813212

Re-Analyzing Assessment Results

The Re-Analyze feature allows you to re-analyze all successful assessments (even if only partial results were obtained) against another policy (or policies), regardless of whether your initial assessment included a policy. The system will send the administrator who initiated the re-analysis an email notification upon its completion.

Re-analyzing an assessment is the same as running that assessment again, except that the selected assessment’s scan results are used instead of the system rescanning the associated assets. Therefore, when an assessment is re-analyzed, the result becomes the latest assessment for the associated assessment configuration. Before conducting a re-analysis, make certain you understand what happens to existing remediations during subsequent assessments. Please see the “Remediations” chapter for details about how remediations are created, verified, and reopened.

Note: Conducting a reanalysis against an older assessment will result in the old assessment becoming the “latest” assessment for that assessment configuration. This may cause Remediation Tasks to change state based on this old data. If you conducted a reanalysis by mistake and want to remove the resulting assessment, please see the previous section about deleting an assessment.

Re-Analyzing an Assessment’s Results

The Re-Analyze Assessment Results function allows authorized Preventsys users to select PDL policies for assessment analysis.
To re-analyze an assessment’s results

1 Click Assessments > Reanalyze. The Select Order to View Assessments screen is displayed.
2 Select whether you wish to view the list of scan results Chronologically or Alphabetically.
3 Click Next. The Re-Analysis Management screen is displayed.
4 Select which assessment you wish to re-analyze from the Select an Assessment pull-down menu.

Note: If you are a member of the Super User group, then all assessments are displayed. Otherwise, only assessments for assessment configurations associated with network groups made up completely of networks that are within the range of the network permissions of the groups to which you belong are displayed.

5 Select which policies you wish to apply from the Select a Policy list box.
6 Click Submit to begin the reanalysis.

Viewing the Status of a Re-Analyzed Assessment

Click Assessments > Reanalysis Status to view the status of an assessment reanalysis. The Reanalysis Status Management screen is displayed.

Note: If you are a member of the Super User group, then all reanalysis statuses are displayed. Otherwise, only reanalyses for assessment configurations associated with network groups made up completely of networks that are within the range of the network permissions of the groups to which you belong are displayed.

Once a reanalysis is completed, you can click on the Scanresults XML link to view the associated XML results.

CHAPTER 8 Remediations

Remediation Tasks allow you to prioritize, assign, and track the security tasks that need to be fixed to protect your critical IT assets. This chapter provides details about managing and assigning remediation tasks, including creating rules that automatically assign tasks for you based on criteria you specify, and specifying due dates based on a task’s priority.
Integration of the Preventsys SRM System with an external remediation system, such as Remedy’s Action Request System®, is also discussed.

The following terms and their definitions will assist you when reading this chapter.

Remediation Task: A remediation task is automatically created by the system based on either a vulnerability or a violation found during the Analysis phase of an Assessment. This task can be assigned to a user so that it can be fixed, and then verified by the system. See the “Assessments” chapter for the definitions of vulnerability, violation, and vulnerability coalescing.

Vulnerability Type Remediation Task: A Vulnerability Type Remediation Task is automatically created by the system based on a vulnerability found during the Analysis phase of an Assessment.

Violation Type Remediation Task: A Violation Type Remediation Task is automatically created by the system based on a violation found during the Analysis phase of an Assessment.

Manual Audit Type Remediation Task: A Manual Audit Type Remediation Task is automatically created by the system when a violation is found based on a Manual Audit Task Rule during the Analysis phase of an Assessment. See the “Manual Audit Tasks” chapter for details about creating Manual Audit Tasks, which can thus trigger Manual Audit Task Rules. See the Preventsys PolicyLab User Guide for details about creating Manual Audit Task Rules, which can trigger violations and thus Manual Audit Type Remediation Tasks.

Managing Remediation Tasks

Remediation Tasks can be managed through bulk assignment and the Assignment rules you create, and can be assigned to users of external Action Request or Trouble Ticketing Systems.

Status Lifecycle

The status of each task is tracked, prioritized, and verified automatically by the system, and allows user overrides. These items can be managed individually or in bulk, and navigation is easy using customizable filters and column selection that you can save for use at any time.
The basic lifecycle of a remediation task includes four main stages:

» Unassigned
» Unresolved/Assigned
» Resolved (Claimed Resolved, False Positive, or Accepted Risk)
» Verified

[Figure: remediation task status lifecycle, showing the transitions between Unassigned, Unresolved/Assigned, Resolved (Claimed Resolved, Accepted Risk, False Positive) and Verified; transition 4 is “Reassigned to a different remediator”, and transitions 1 to 3 are explained below.]

1 Claimed Resolved tasks are changed to Assigned if they cannot be Verified “and” the previously assigned remediator is still active in the system, and is still a remediator for the network group associated with the task.
2 Claimed Resolved tasks are changed to Unassigned if they cannot be Verified “and” the previously assigned remediator is no longer active in the system or is no longer a remediator for the network group associated with the task.
3 A user can request that a task be “reassigned”, in which case the task is changed to Unassigned.

A remediation is considered resolved if it has one of the following statuses: Claimed Resolved, False Positive, or Accepted Risk. However, only tasks with the Unassigned, Assigned, or Claimed Resolved status can be verified by the system. By marking a task as False Positive or Accepted Risk, you are telling the system that you have acknowledged the policy violation or vulnerability and no longer want to be notified of its existence or have it verified by the system.

Following task assignment, the system will automatically generate email notifications informing the selected remediators of all task assignments. Remediators can then access the Update Remediation Task function via links in the email notification to update the status of their tasks, or directly via the main menu. Note that users associated with external remediation systems will not receive email notifications.

Note: Tasks may also be assigned to users in external remediation systems which have been configured to work with the Preventsys SRM System.
See the “Managing External Remediation Systems” section for details about setting up external remediation systems and users.

If a user loses authorization to an asset for which they have assigned remediation tasks (i.e. they are removed from a group, the group is edited, the networks associated with the group are edited, or the user’s account is deleted), then those tasks that are not in the Claimed Resolved, False Positive, Accepted Risk, or Verified state will be set to “Unassigned” by the system. The exception to this is if the user belongs to another group with the “resolve remediation” permission for a network whose range includes the asset to which the user lost authorization; in that case, tasks associated with that asset will not be affected.

Once a remediation task has been completed and its status changed to Claimed Resolved, the fix may be verified by running the assessment configuration that originally resulted in the detection of the associated policy violation or vulnerability. See the “Verifying Remediation Tasks” section for details about how the system verifies remediation tasks.

Workflow Example

For example, consider a site with one lead IT administrator who is in charge of scheduling assessments, reviewing reports, and assigning remediation tasks. This administrator has two IT personnel who fix remediation tasks. When policy violations and vulnerabilities are identified, the lead IT administrator assigns the corresponding remediation tasks to the other two remediators, both of whom receive emails informing them of their respective tasks. The two remediators can follow the links in their task assignment emails to review their assigned tasks and update each task’s status to Claimed Resolved once fixed.
The lead IT administrator can then schedule a new assessment utilizing the previous assessment configuration (including the same policy), which will verify that the detected policy violations and vulnerabilities have been fixed; their statuses will automatically be updated from Claimed Resolved to Verified if appropriate. If any of the previously detected policy violations or vulnerabilities remain active (are found again), then the applicable remediation tasks will be reopened. Note that if any previously detected policy violations or vulnerabilities associated with Unassigned or Assigned remediation tasks also do not appear again on the subsequent assessment, then they too will be automatically updated to Verified.

All remediation task administration is conducted from the Remediation Task Management screen.

To access the Remediation Task Management screen

1 Click Tasks > Remediation Tasks. The Remediation Task Management screen is displayed.

Note: If you have tasks assigned to you, the “My Tasks” tab is displayed by default with your tasks listed. Otherwise, the “Task Assignment” tab is displayed.

Note: If you are a member of the Super User group, then all remediation tasks are displayed in the Task Assignment tab. Otherwise, only remediation tasks associated with hosts that are within the range of the network permissions of the groups to which you belong are displayed. In addition, “all” Manual Audit Task violations are displayed regardless of your group permissions.

From the Task Assignment tab on the Remediation Task Management screen, you can view details about individual tasks, assign and reassign tasks, and change the priority of tasks. You can also use the Filter Options and Column View Options tabs to filter and view different information. Note that by default, tasks on this screen are displayed in the order of their priority, highest priority first.
Note: You can also access this screen via the Security Risk Dashboard by selecting the » tab located on the “Latest Tasks” area of the Remediation console. Tasks are automatically filtered by the active Enterprise Group when the screen is accessed in this way. Use the Filter Options tab to turn off Enterprise Group filtering.

From the My Tasks tab on the Remediation Task Management screen, you can view details about individual tasks and resolve your tasks. You can also request that any of your tasks with the Accepted Risk or False Positive resolution be reassigned.

Note: Only tasks assigned to you that are also associated with hosts within the range of the network permissions of the groups to which you belong are displayed. All Manual Audit Task violations assigned to you are also displayed.

Note: You can also access this screen via the Security Risk Dashboard by selecting the » tab located on the “My Tasks” area of the Remediation console.

Assigning Remediation Tasks

The Assign Remediation Tasks function allows authorized users to assign new remediation tasks. Note that you can only assign tasks using the latest analysis. Tasks that were not assigned in similar, previous analyses are carried forward to the latest analysis. After a task is assigned, it can be reassigned as long as it does not have the Claimed Resolved or Verified status. A remediator can also request that a task with the False Positive or Accepted Risk status be reassigned by selecting the Reassign status on the Remediation Task Update screen. The task’s status is then automatically changed to Unassigned.

Note: Users in external remediation systems can only reassign Preventsys tasks that have the “Assigned” status.
When tasks that are assigned to an external remediation user are reassigned to a different external remediation user associated with the same external system, Preventsys simply reassigns the task and updates the external system with the new information. If the two external users are associated with different external systems, Preventsys updates the task in the first system by changing its status to “Closed” and sends the reassigned task to the associated external remediation system.

If Preventsys encounters errors while attempting to send an external user’s task assignment to the associated external remediation system, the system will display an error screen listing each task and the associated error, including the error code and message generated by the external system when available. The specified tasks will remain unassigned until they are successfully reassigned.

About Severity

The severity of each remediation task is automatically calculated by the system based on the severity of the associated vulnerability or violation. A task’s severity can also be changed by the system if an associated threat alert is found. Changes to severity are noted in the History/Comments section of the Remediation Details screen.

Figure 8-1. Sample Remediation Details screen displaying system comments about changes to the task’s severity

About Priority

The priority of each remediation task is automatically calculated by the system based on the associated severity, financial impact, and operational impact of the associated asset, relative to the highest exposure value of all assets. However, you can also manually enter your own priority if desired. The priorities you enter will take precedence over the priorities calculated by the system.

About Due Date and Criticality

Due dates for remediation tasks are optional and can be specified in two ways: automatically calculated by the system or manually entered by the user.
System Calculated Due Dates

The system calculates due dates for remediation tasks based on how you decide to map priority ranges to criticality levels. You set up this mapping on the System Preferences screen. There are three criticality levels: High, Medium, and Low. The system defaults for these levels are as follows:

» Low = 0 – 50
» Medium = 51 – 80
» High = 81 – 100

The system does not provide default due dates. Therefore, if you do not enter due dates for the criticality levels, remediation tasks will display “N/A” for the due date. You will still be able to manually enter due dates on the Remediation Task Management Assignment screen.

To change the criticality levels and due dates for remediation tasks

1 Select Admin > Preferences. The Preferences screen is displayed.
2 Click and hold the slider control while moving your mouse left to right to set the remediation priority range for each Criticality level: Low, Medium, and High.
3 Enter a Due In value for each criticality level. This is the number of days after the remediation task is created by which you want the task completed. For example, you may want highly critical tasks fixed within one day, but lower tasks can be fixed within six days.
4 Select Submit to save.

Note: Due dates are re-calculated by the system whenever the remediation task’s priority is changed. If the change is such that the priority is bumped into the next criticality level, then the due date will change to reflect this.

Manually Entered Due Dates

You can manually enter due dates on the Remediation Task Management Assignment screen by typing the desired date in the Due Date field and selecting Submit. A due date can be entered manually regardless of whether the system has calculated a due date.

Note: The due dates you enter will take priority over calculated due dates.
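The priority-to-criticality mapping and due-date rules above, worked through as an added example (not Preventsys code): the default ranges and the precedence of manually entered priorities and due dates are as stated in this chapter, the Due In day counts are constructed sample settings, and validate_ranges is an assumed check that the three ranges tile 0 to 100 the way the slider does.

```python
"""Criticality mapping and due-date calculation (added example, not Preventsys code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

# System defaults from the guide: criticality level -> inclusive priority range
DEFAULT_RANGES: Dict[str, Tuple[int, int]] = {
    "Low": (0, 50),
    "Medium": (51, 80),
    "High": (81, 100),
}


def validate_ranges(ranges):
    """Assumed check: the ranges must cover 0..100 with no gaps or overlaps."""
    spans = sorted(ranges.values())
    if spans[0][0] != 0 or spans[-1][1] != 100:
        raise ValueError("ranges must start at 0 and end at 100")
    for (_, hi), (lo, _) in zip(spans, spans[1:]):
        if lo != hi + 1:
            raise ValueError(f"gap or overlap between {hi} and {lo}")
    return True


def criticality_for(priority, ranges=DEFAULT_RANGES):
    """Map a 0..100 priority to its criticality level."""
    for level, (lo, hi) in ranges.items():
        if lo <= priority <= hi:
            return level
    raise ValueError(f"priority {priority} is outside 0..100")


@dataclass
class RemediationTask:
    created: date
    system_priority: int                     # calculated by the system
    manual_priority: Optional[int] = None    # user-entered; takes precedence
    manual_due: Optional[date] = None        # user-entered; takes precedence

    @property
    def priority(self):
        return self.manual_priority if self.manual_priority is not None else self.system_priority


def due_date(task, due_in_days, ranges=DEFAULT_RANGES):
    """Due date for a task, or "N/A" when no Due In value exists for its criticality.

    due_in_days maps criticality level -> days after creation (the Due In setting).
    The result is derived from the current priority on every call, so a priority
    change that moves the task into another criticality level moves the due date too.
    """
    if task.manual_due is not None:
        return task.manual_due
    level = criticality_for(task.priority, ranges)
    days = due_in_days.get(level)
    if days is None:
        return "N/A"
    return task.created + timedelta(days=days)
```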
Assigning or Reassigning a Remediation Task

For each remediation task, the “Assign To” list will only display users that belong to groups with both the “Resolve Remediations” permission and network permissions that include the host associated with the remediation. In addition, all “Unassociated” External Users (i.e. users of an external remediation system who do not have an associated Preventsys username) are also displayed.

To assign or reassign a remediation task

1 On the Remediation Task Management screen, select the Task Assignment tab if it is not already selected. The Remediation Task Management screen is displayed.
2 For each task you want to assign or reassign, select the assignee from the associated Assign To dropdown. Note that the “Assigned To” column displays to whom the task is currently assigned.

Note: The Assign To dropdown list displays users with the “Remediation” resource and “resolve remediations” permission that are associated, via their user group(s), with networks which contain the host associated with the remediation task. For Manual Audit Task violation Remediations, all users with the “Remediation” resource and “Resolve Remediation” permission are displayed regardless of their network permissions.

3 You can also change the Priority of the task if desired. Remember that Priority is automatically calculated for you by the system and can affect “Due Date”. If you enter your own priority, the system will default to that value and no longer automatically calculate priority for you.
4 Click Submit to assign tasks and save any change you made to task priority.
5 The system automatically sends email notifications to all selected remediators. Tasks assigned to external remediation system users are forwarded to the associated external remediation system.
Note: If for any reason the system cannot send the assignment email notification to a remediator (e.g., there is an email server error or the recipient’s address is incorrect), the task(s) will still be assigned. A message will be displayed on the Task Assignment screen alerting you to the issue. The system will not attempt to resend the email, so please notify the remediator(s) if they have urgent tasks that need to be resolved.

Bulk Assignment

You can assign several tasks to the same person at once by selecting the checkbox for each remediation task you wish to assign, and then selecting the assignee’s name at the bottom of the screen in the “With selected, assign to” dropdown. All checked remediations on all pages will be assigned to the individual you selected, assuming that user has permission for the host associated with each task.

Filtering Remediation Tasks

You can filter remediation tasks in a variety of ways by using the Filter Options tab. Filters you create can also be saved for later use. For example, you can use a saved filter to create an Assignment Rule. See the “Working with Assignment Rules” section for details about Assignment rules.

The Preventsys SRM System provides two preconfigured filters to get you started. You cannot edit or delete these filters, but you can use them to create new filters (see the “Saving a Filter” section in this chapter for details).

» “Selective Remediation L1” - This filter displays tasks with a priority between 91 and 100
» “Selective Remediation L2” - This filter displays tasks with a priority between 81 and 100

To filter remediations

1 On the Remediation Task Management screen or the Remediation Task Update screen, click the Filter Options tab.
2 Enter data for the options you want to use.

Note: Text string fields are case sensitive. For example, entering “denverlab” for the network group will not return “Denverlab”.
You can also use the asterisk “*” for wildcard searches, for example:

▪ Searching for comp* will return all asset names starting with the letters “comp” such as “computer” or “company.”
▪ Searching for *comp* will return all asset names containing the letters “comp” such as “accompany.”
▪ Searching for *comp will return all asset names beginning with the letters “comp” such as “computer” or “company.”

3 Click Apply Filter.
4 The list of remediations is displayed based on the filter selected.

Note: Remember that a Manual Audit Task Violation is always associated with the first assessment that finds it, even if it is found by multiple assessments. Therefore, if you want to search for Manual Audit Task Violations by Assessment Name, you will need to know the name of the assessment that first found those violations.

Saving a Filter

You can select various filter options that will change the types of data displayed and then save that filter for use later. For example, you can filter by remediations that are associated with a specific asset. To save a filter, enter the filter’s name in the Save as Filter field (400 characters maximum), and click Save and Apply Filter. You can also create a new filter based on an existing filter by using the Load Filter dropdown, modifying the filter options as desired, and then changing that filter’s name and clicking Save and Apply Filter.

Applying a Saved Filter

You can apply filters you have saved by using the Load Filter dropdown. Note that column settings are not saved with a filter. To apply a saved filter, select the filter’s name from the Load Filter dropdown, click Load, and then click Apply Filter.

Editing a Saved Filter

You can edit filters you have saved. To edit a saved filter, select the filter’s name from the Load Filter dropdown, click Load, edit the filter (including the filter’s name) as desired, and then click Save and Apply Filter.
Note: Remember that if you change the name of the filter you are editing, a new filter with that name is created when you click Save and Apply Filter. The initial filter you selected is not deleted or modified in any way.

Deleting a Saved Filter

Deleting a saved filter does not alter the remediations displayed. To delete a saved filter, select the filter’s name from the Load Filter dropdown, click Load, and then click Delete Filter.

Note: Deleting a filter that was used to create an assignment rule does not affect the rule.

Viewing Different Columns of Data

You can choose different columns of data to view by using the Column View Options tab.

Note: Column options are not saved with filters. Saved filters use the system’s default column set.

To choose a column

1 On the Remediation Task Management screen or the Remediation Task Update screen, click the Column View Options tab.
2 Select the column data that you want to show.
3 Click Apply View Choices.
4 Remediation tasks are displayed with the data columns you selected.

Viewing Details about a Remediation

You can view details about a remediation task by clicking on an Issue Name from the Task Management tab, the My Tasks tab, or the Remediation console accessible from the ESM Dashboard. See the “Security Risk Dashboard” chapter for information about the ESM Dashboard.

The Remediation Details screen provides in-depth information about a selected issue (policy violation or vulnerability) and its remediation task. This screen lists the issue name as well as information about its Severity, Priority, Asset, IP Address, Date Found, Patchability, Patch Status, Issue Status, and assigned Remediator. The issue’s description and a possible solution are also listed. A history of all user comments and status changes, as well as changes the system made to the task, is also displayed. Altering the task’s severity based on a threat alert is an example of a system change.
Vulnerability Remediation Details

If the issue contains coalesced vulnerabilities, the descriptions and solutions will be grouped by scanner name and the associated test ID and test name. In addition, if some of the coalesced vulnerabilities were not found again during the latest assessment, they are listed under the “Previously Found” heading. If they were found (or found again) during the latest assessment, they are listed under the “Found” heading.

Figure 8-2. Sample Vulnerability Type Remediation Details Screen

Violation Remediation Details

For policy violation type remediation tasks, the Remediation Details screen also displays information about the associated policy if a source document exists. A link to the policy is also provided. When selected, this link opens a new browser window which displays the entire policy source document. The rule associated with the remediation is always displayed at the top of this window.

Figure 8-3. Sample Violation Type Remediation Screen With Policy Reference Displayed

Verifying Remediation Tasks

A Remediation Task is verified by the system when a subsequent assessment, using the same assessment configuration that found the associated policy violation or vulnerability on an asset, cannot find that same issue again on that same asset. Note that the system only attempts to verify Remediation Tasks that are Unassigned, Unresolved, or Claimed Resolved. Remediation Tasks that are Accepted Risk or False Positive are ignored.

» To verify a policy violation fix, you must rerun the same assessment configuration that created it (i.e. same connector configuration, same network group, same policy, same exclusion lists).
» To verify a MAT violation fix, you must rerun the same policy that created it using any assessment configuration.
» To verify a vulnerability fix, you must rerun the same assessment configuration that created it (i.e. same connector configuration, same network group, same policy, same exclusion lists).

Other Reasons Remediation Tasks Can Be Verified

It should be noted that there can be several reasons, other than that the associated issue was actually fixed, why a violation or vulnerability was not found again. For example, if the asset on which the vulnerability or violation was detected cannot be found during the subsequent assessment, then the associated remediation task will be automatically updated to Verified based on the absence of that asset. This could happen if you modify the assessment configuration by selecting a different network group that does not contain that asset, if you modify the selected network group such that it no longer contains the asset, or if you select an Exclusion list (or a Global Exclusion list is active) that includes the asset.

For vulnerabilities, another reason could be that the connector check/test that found the issue does not fire. This could happen if you modify the assessment configuration by selecting a different connector configuration, or if you modify the selected connector configuration such that it no longer performs that check/test.

For violations, another reason could be that the rule that found the issue does not fire. This could happen if you modify the assessment configuration by deselecting the policy that found the violation. This could also happen if you modify the rule such that it no longer performs the same checks, update that rule in the policy, and then modify the associated assessment configuration so that it uses the new version of that policy.

Verifying Remediation Tasks with Coalesced Vulnerabilities

As mentioned previously, if a remediation task contains coalesced vulnerabilities (i.e. different connector types detect the same vulnerability for the same asset), the descriptions and solutions will be grouped by scanner name and the associated test ID and test name. The information in the previous paragraphs about verifying Remediation Tasks applies to Remediation Tasks with coalesced vulnerabilities, with the exception that each vulnerability must be verified by running an assessment using the assessment configuration that found that particular vulnerability. Therefore, if one vulnerability is verified but the others are not, the Remediation Task will not be verified. All coalesced vulnerabilities must be verified for the Remediation Task to be verified.

Verifying Remediation Tasks with Coalesced Violations

As mentioned previously, a remediation task can contain coalesced violations (i.e. different connector types detect the same violation for the same asset). The information in the previous paragraphs about verifying Remediation Tasks applies to Remediation Tasks with coalesced violations, with the exception that each violation must be verified by running an assessment using the assessment configuration that found that particular violation. Therefore, if one violation is verified but the others are not, the Remediation Task will not be verified. All coalesced violations must be verified for the Remediation Task to be verified.

Working with Assignment Rules

Assignment rules allow the system to automatically pre-assign remediation tasks based on the conditions you specify. For example, you can create a rule that pre-assigns all tasks associated with a specific network group to “johnsmith”. Note that you should make sure that johnsmith has the “Remediations” resource and the associated “resolve remediations” permission for all of the networks within the specified network group for which you want him to be assigned tasks.
Because the system “pre-assigns” these tasks, you will still need to review and accept the assignment on the Remediation Task Management screen before the tasks are officially assigned. All assignment rule administration is conducted from the Assignment Rule Management screen.

To access the Assignment Rule Management screen

1 Click Tasks > Remediation Assignment Rules. The Assignment Rule Management screen is displayed.

From this screen, you can add new rules, edit existing rules, and delete rules. You can also change the order in which the system applies the rules.

Creating an Assignment Rule

Use assignment rules to specify remediations that should automatically be assigned. For example, you can create an assignment rule that assigns all tasks associated with a specific network to the remediator you select. Assignment rules can be created via the Remediation Task Management screen or the Assignment Rule Manager screen, but can only be edited via the latter.

Note: Remember that group resources and permissions are granted at the network level. If you create a rule that specifies that all remediations for an asset should be assigned to a specific remediator, then you should also make sure that that remediator has the “Resolve Remediations” permission for all of the networks desired.

To create an assignment rule

1 On the Assignment Rule Management screen, click on the Add New Rule button. The Add Assignment Rule screen is displayed.
2 Either load a saved filter or select the conditions upon which you want the system to assign tasks (for example, all remediations associated with a specific asset) by entering data in the provided fields.

Note: Filters and rules are saved separately; therefore modifying the rule does not alter the filter that was used to create the rule, and vice versa.
3 Enter the name of the rule in the Save as Rule field (400 characters maximum).
4 Select an assignee in the Assigned to dropdown.
5 Click Submit to save.

When a new rule is saved, it is automatically applied to all unassigned remediation tasks as well as all new remediation tasks. Existing rules are automatically reordered so that the rule you created is first.

Editing an Assignment Rule

When you edit an assignment rule, it is applied to new remediation tasks as well as all existing ones that have not been assigned.

To edit an assignment rule

1 On the Assignment Rule Management screen, click on the Edit link for the rule you want to modify. The Edit Assignment Rule screen is displayed.
2 Edit the rule as desired.

Note: Remember that if you change the name of the rule you are editing, a new rule with that name is created when you click Submit. The initial rule you selected is not deleted or modified in any way.

3 Click Submit to save.

Ordering Assignment Rules

You can specify the order in which you want the system to apply assignment rules. New rules are automatically ordered first. When you reorder rules, the new order is automatically applied to all new remediation tasks as well as all existing ones that have not been assigned. On the Assignment Rule Management screen, click on the Up link to move the rule up on the list and click the Down link to move it down.

Deleting an Assignment Rule

When you delete an assignment rule, remediation tasks that have been assigned are not affected. Because filters and rules are saved separately, deleting a rule does not alter the filter that was used to create the rule, and vice versa.

To delete an assignment rule

1 On the Assignment Rule Management screen, click on the Delete link for the rule you want to remove. A confirmation popup box is displayed.
2 Select OK to continue or Cancel to quit.
3 If you selected OK, the system deletes the selected rule.
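The assignment-rule and verification behaviour described in this chapter (ordered rules that pre-assign only unassigned tasks, and verification that re-checks each coalesced finding with the assessment configuration that found it while ignoring Accepted Risk and False Positive tasks), as an added illustration in Python. This is not Preventsys code: the rule fields, the status names written as strings, the configuration names and the sample addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Statuses the system attempts to verify; Accepted Risk and False Positive are ignored.
VERIFIABLE_STATUSES = {"Unassigned", "Unresolved", "Claimed Resolved"}


@dataclass
class Finding:
    """One detection of the issue; a coalesced task carries one per connector."""
    scanner: str            # connector that reported it (constructed names below)
    test_id: str
    assessment_config: str  # hypothetical name of the configuration that found it
    verified: bool = False


@dataclass
class Task:
    issue: str
    asset: str              # IP address of the host the issue was found on
    network_group: str
    status: str = "Unassigned"
    assignee: Optional[str] = None
    findings: List[Finding] = field(default_factory=list)


@dataclass
class AssignmentRule:
    """Conditions are a subset of the filter fields; None means 'any'."""
    name: str
    assignee: str
    network_group: Optional[str] = None
    asset: Optional[str] = None

    def matches(self, task: Task) -> bool:
        return ((self.network_group is None or self.network_group == task.network_group)
                and (self.asset is None or self.asset == task.asset))


def apply_assignment_rules(rules: List[AssignmentRule], tasks: List[Task]) -> List[Task]:
    """Pre-assign unassigned tasks. Rules are tried in list order (the system places a
    newly created rule first) and the first match wins. Tasks that already have an
    assignee are left alone, which is why reordering only affects unassigned tasks."""
    for task in tasks:
        if task.assignee is not None:
            continue
        for rule in rules:
            if rule.matches(task):
                task.assignee = rule.assignee
                break
    return tasks


def record_assessment(task: Task, assessment_config: str,
                      issues_found: Set[Tuple[str, str]]) -> bool:
    """Update a task after an assessment run with the given configuration.

    issues_found holds the (asset, test_id) pairs the run detected. Only findings that
    came from this same configuration are re-checked; a finding counts as verified when
    its own configuration no longer reports it. The task becomes Verified only when every
    coalesced finding has been verified. Returns True when the task became Verified."""
    if task.status not in VERIFIABLE_STATUSES:
        return False
    for f in task.findings:
        if f.assessment_config == assessment_config:
            f.verified = (task.asset, f.test_id) not in issues_found
    if task.findings and all(f.verified for f in task.findings):
        task.status = "Verified"
        return True
    return False


def demo() -> dict:
    # Constructed sample data (RFC 5737 documentation addresses).
    rules = [AssignmentRule("dmz-to-jane", "jane", network_group="DMZ"),
             AssignmentRule("everything-to-johnsmith", "johnsmith")]
    tls = Task("Outdated TLS library", "192.0.2.10", "DMZ", status="Claimed Resolved",
               findings=[Finding("scannerA", "A-1001", "dmz-weekly-A"),
                         Finding("scannerB", "B-77", "dmz-weekly-B")])
    corp = Task("Missing patch", "198.51.100.5", "Corporate")
    taken = Task("Weak SNMP community", "192.0.2.11", "DMZ", assignee="bob")
    accepted = Task("Legacy service", "192.0.2.12", "DMZ", status="Accepted Risk",
                    findings=[Finding("scannerA", "A-2", "dmz-weekly-A")])
    apply_assignment_rules(rules, [tls, corp, taken, accepted])

    after_a = record_assessment(tls, "dmz-weekly-A", issues_found=set())  # scannerB still pending
    after_b = record_assessment(tls, "dmz-weekly-B", issues_found=set())  # now every finding cleared
    ignored = record_assessment(accepted, "dmz-weekly-A", issues_found=set())
    return {"tls": tls.assignee, "corp": corp.assignee, "taken": taken.assignee,
            "after_a": after_a, "after_b": after_b, "status": tls.status,
            "ignored": ignored, "accepted_status": accepted.status}


if __name__ == "__main__":
    print(demo())
```

Running the demo shows the two halves of the chapter's rules: the DMZ task is pre-assigned to jane and the Corporate task falls through to the catch-all rule, while the coalesced TLS task only reaches Verified after both configurations have failed to find it again.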
Updating Remediation Tasks

A remediation task can be resolved by changing its status to one of the following: Claimed Resolved, False Positive, or Accepted Risk. Only tasks with the Claimed Resolved status will be verified by the system. To verify a remediation task with the Claimed Resolved status, you must conduct an assessment using the “same” assessment configuration that resulted in the initial detection of the policy violation or vulnerability. If the assessment does not find the policy violation or vulnerability, then the system will automatically change the task’s status from Claimed Resolved to Verified.

You can change the status of False Positive and Accepted Risk tasks to Reassign, which means that the task’s status will be changed to Unassigned. The task can then be reassigned via the Remediation Task Management screen. You can also change their status to Claimed Resolved. Note that on Reports, a Claimed Resolved task is treated the same as a Verified task.

You can use the Filter Options tab and the Column View Options tab to control which remediation tasks and what type of information is displayed. You can also save the filters you create. See the “Filtering Remediation Tasks” section in this chapter for details.

Figure 8-4. My Tasks tab Filter Options

Figure 8-5. My Tasks tab Column View Options

Updating the Status of a Remediation Task

To update the status of a remediation task

1 On the Remediation Task Management screen, select the My Tasks tab if it is not already selected. Your assigned tasks are displayed.

Note: My Tasks displays all tasks assigned to you that are associated with hosts that are within the range of your network permissions based on the groups to which you belong, and “all” MAT violation type remediations assigned to you regardless of your network permissions.
This implies that if your network permissions are changed such that you no longer have access to certain hosts, then you will no longer see tasks associated with those hosts.

2 For each task that you want to resolve, select the new status from the Change Status dropdown. The “Issue Status” column displays the status for each task.

Note: You can change several tasks to the same status at once by selecting the checkbox for each remediation task you wish to change, and then selecting the new status at the bottom of the screen in the “With selected” dropdown. All checked remediations on all pages will be changed to the status you selected. If the status you select is not valid for all tasks (for example, you select “Reassign”, which is not a valid status change for tasks that are still unresolved), then only the tasks that can be changed to “Reassign” will be; the others will be ignored. A message will be displayed on the confirmation screen: “Note: Some of the items you selected were not valid for this operation.”

3 You may also enter comments in the Additional Comments text box. Click on the Issue’s Name to view all previous comments as well as additional details about the task. Remember that comments can include user comments and status changes, as well as changes the system made to the task (for example, altering the task’s severity based on a threat alert). See the “Remediations” chapter for details about the Remediation Details screen.
4 Click Submit to save. If the task is associated with an external remediation system, the updated task status will be forwarded to the external remediation system.

Managing External Remediation Systems

The Preventsys SRM System supports integration with Remedy’s Action Request System®. Setting up an external action request (AR) system and associated users in the Preventsys SRM System allows for the exchange and synchronization of remediation task status.
Remedy AR System v4.5, v5.1, or v6.3 must be installed for integration to function properly. Additionally, the Preventsys Enterprise Security Management Server must have network access to all specified Remedy servers, and the date and time must be synchronized to within 10 minutes of each other.

Note that while the Add and Edit Remediation System screens contain fields for Name, Type, Host, Port, Form Name, User Name, Password, To System Mapping, and From System Mapping, only the Name, Type, Host, and To/From System Mapping fields are required by the Preventsys SRM System when submitting an external remediation system configuration. The remaining fields may be required by the external remediation system, in which case they must be entered properly in order to facilitate communication. The Add and Edit Remediation System screens both feature a Test System function that may be used to test the validity of the external remediation system’s configuration.

All external remediation system administration is conducted from the External Remediation Systems Management screen.

To access the External Remediation Systems Management screen

1 Click Tasks > External Remediation Systems. The External Remediation Systems Management screen is displayed.

From this screen, you can add new external systems, edit existing external systems, and delete external systems.

Adding an External Remediation System

The Add Remediation System function allows external remediation systems to be integrated with the Preventsys SRM System.

To add an external remediation system

1 On the External Remediation Systems Management screen, click the Add New System button. The Add External Remediation System screen is displayed.
2 Enter the Name of the external remediation system.
3 Select a Type from the pull-down menu.
4 Enter the Host.
5 Enter a Port if required by the external remediation system.
6 Enter a Form Name if required by the external remediation system.
7 Enter a Username if required by the external remediation system.
8 Enter a Password if required by the external remediation system, and then re-enter your Password in the space provided.
9 Select a To System Mapping.

Note: Task data will not be exchanged without a valid entry in the To System Mapping field.

10 Select a From System Mapping.

Note: Task data will not be exchanged without a valid entry in the From System Mapping field.

11 Enter a Description if required by the external remediation system.
12 Click Test to test whether the Preventsys SRM System can exchange task data with the external remediation system properly. If this test fails, review the information you entered for errors.
13 Click Submit to save the external remediation system’s settings.

Note: You may submit the new external remediation system even if the test performed in Step 12 fails; however, no tasks can be assigned to the associated external users until the system test is successful.

Editing an External Remediation System

The Edit Remediation System function allows for the modification of previously configured external remediation systems.

To edit an external remediation system

1 On the External Remediation Systems Management screen, click on the Edit link for the system you want to modify. The Edit Remediation System screen is displayed.
2 Edit the external remediation system’s configuration as desired.
3 Click Test System to test whether the Preventsys SRM System can exchange task data with the external remediation system properly.
4 Click Submit to save.

Note: You may submit the external remediation system even if the test performed in Step 3 fails; however, no tasks can be assigned to the associated external users until the system test is successful.
Deleting an External Remediation System

The Delete Remediation System function allows for the removal of previously configured external remediation systems. Note that an external remediation system cannot be deleted until all of the selected system’s unresolved tasks (assigned tasks that have not been marked as Claimed Resolved, False Positive, or Accepted Risk) are reassigned to users that are not associated with the system that is being deleted.

To delete an external remediation system

1 On the External Remediation Systems Management screen, click on the Delete link for the system you want removed. A confirmation popup box is displayed.
2 Select OK to continue or Cancel to quit.
3 If you selected OK, the system deletes the selected system.

Managing External Remediation System Users

The Add External Remediation System User function allows external remediation system users to be set up within the Preventsys SRM System. Note that external remediation system users are not automatically granted Preventsys user accounts, without which they will not be able to log in to the Preventsys client. However, external remediation system users may be associated with Preventsys users to provide enhanced integration for users that are active on both systems.

In particular, non-associated external users are automatically granted the “resolve remediation” permission for every network. This ensures that a non-associated external user can be assigned tasks for any asset via the Remediation Task Management Assignment screen. Associated external users inherit the networks of the user to which they are associated. Therefore, these users can be assigned tasks for those assets within the range of the networks for which the Preventsys user has the “resolve remediation” permission. See the “User Authorization” chapter for details about associating external user accounts with Preventsys users via the Add User and Edit User functions.
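The permission rules just described, as an added example that is not Preventsys code: which networks an external user can resolve tasks on (every network when not associated, the linked Preventsys user's networks when associated) and, using the same check, what the My Tasks tab lists for a user (tasks on hosts within the user's network permissions plus every MAT task, as the note under "Updating the Status of a Remediation Task" states). Class and field names, the sample users and the sample networks are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Union


@dataclass
class PreventsysUser:
    name: str
    # CIDR networks on which this user's groups grant "resolve remediations"
    resolve_networks: Set[str] = field(default_factory=set)


@dataclass
class ExternalUser:
    external_username: str        # must match the name in the external AR system
    external_system: str
    associated_with: Optional[PreventsysUser] = None


@dataclass
class RemediationTask:
    issue: str
    assignee: str
    kind: str                       # "vulnerability", "violation" or "MAT"
    host_ip: Optional[str] = None   # MAT violation tasks are not tied to a host


def effective_networks(user: Union[PreventsysUser, ExternalUser],
                       all_networks: Set[str]) -> Set[str]:
    """Networks on which the user holds "resolve remediations".

    A Preventsys user has exactly what their groups grant. A non-associated external
    user is granted the permission for every network; an associated external user
    inherits the networks of the Preventsys user they are linked to."""
    if isinstance(user, PreventsysUser):
        return set(user.resolve_networks)
    if user.associated_with is None:
        return set(all_networks)
    return set(user.associated_with.resolve_networks)


def host_in_networks(ip: str, networks: Set[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def can_be_assigned(user, task: RemediationTask, all_networks: Set[str]) -> bool:
    """MAT violation tasks are never limited by network permissions."""
    if task.kind == "MAT":
        return True
    return host_in_networks(task.host_ip, effective_networks(user, all_networks))


def my_tasks(username: str, user, tasks: List[RemediationTask],
             all_networks: Set[str]) -> List[str]:
    """What the My Tasks tab lists: tasks assigned to me whose host lies within my
    permitted networks, plus every MAT task assigned to me. Revoking a network
    permission therefore hides (but does not unassign) tasks on those hosts."""
    return [t.issue for t in tasks
            if t.assignee == username and can_be_assigned(user, t, all_networks)]


def demo() -> dict:
    # Constructed sample data (RFC 5737 documentation address ranges).
    all_networks = {"192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"}
    jane = PreventsysUser("jane", {"192.0.2.0/24"})
    remedy_jane = ExternalUser("jsmith", "Remedy-HQ", associated_with=jane)
    remedy_bot = ExternalUser("ticketbot", "Remedy-HQ")      # not associated
    tasks = [
        RemediationTask("Outdated TLS library", "jane", "vulnerability", "192.0.2.10"),
        RemediationTask("Missing patch", "jane", "vulnerability", "198.51.100.7"),
        RemediationTask("Backup not confirmed", "jane", "MAT"),
        RemediationTask("Default credentials", "ticketbot", "violation", "203.0.113.9"),
    ]
    bot_any_asset = can_be_assigned(remedy_bot, tasks[3], all_networks)
    associated_limited = can_be_assigned(remedy_jane, tasks[3], all_networks)
    before = my_tasks("jane", jane, tasks, all_networks)
    jane.resolve_networks.clear()   # permissions changed: no host access left
    after = my_tasks("jane", jane, tasks, all_networks)
    return {"before": before, "after": after,
            "bot_any_asset": bot_any_asset, "associated_limited": associated_limited}


if __name__ == "__main__":
    print(demo())
```

The "Missing patch" task never appears in jane's list because its host is outside her networks, and after her permissions are revoked only the MAT task remains visible, exactly the behaviour the My Tasks note describes.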
All external remediation user administration is conducted from the External Remediation Users Management screen.

To access the External Remediation Users Management screen

1 Click Tasks > External Remediation Users. The External Remediation Users Management screen is displayed.

From this screen, you can add new external users, edit existing external users, and delete users.

Adding an External Remediation System User

To add an external remediation system user

1 On the Remediation Users Management screen, click the Add New User button. The External Remediation User screen is displayed.
2 Enter the External Username of the external remediation system user. Note that this name must exactly match the specified username in the external remediation system.
3 Select an External System from the pull-down menu.
4 Select a Preventsys User from the pull-down menu if you wish to associate the external remediation system user with an existing Preventsys user. Note that this association is optional; you may leave this field blank if you do not wish to associate the external user with a Preventsys user.

Note: The Preventsys User dropdown list displays all Preventsys users who have the “resolve remediations” permission regardless of the groups to which they belong.

5 Click Verify to verify that the specified user is authorized to access the selected external remediation system.
6 Click Submit to save.

Editing an External Remediation System User

The Edit External Remediation System User function allows for the modification of previously configured external users.

To edit a previously entered external remediation system user

1 On the Remediation Users Management screen, click the Edit link for the user you want to modify. The Edit External Remediation User screen is displayed.
2 Edit the user as desired.
3 Selecting “No Association” in the Preventsys User dropdown will clear the previous Preventsys User association.
4 Click Verify to verify that the specified user is authorized to access the selected external remediation system.
5 Click Submit to save.

Note: Modifying an external user’s Username or External System will result in all of the open remediation tasks assigned to the old user/system being reassigned to the new user/system.

Deleting an External Remediation System User

The Delete External Remediation System User function allows for the removal of previously configured external users. An external user cannot be deleted until all of that user’s unresolved tasks (tasks that have not been changed to Claimed Resolved, False Positive, or Accepted Risk) are reassigned. If you attempt to delete an external remediation system user with open tasks pending, the system will display a message stating that all open tasks must be reassigned first. You may use the Assign Remediation Tasks function described earlier in this chapter to reassign the selected external user’s open tasks.

To delete an external remediation system user

1 On the External Remediation Users Management screen, click the Delete link for the user you want removed. A confirmation popup box is displayed.
2 Select OK to continue or Cancel to quit.
3 If you selected OK, the system deletes the selected user.

CHAPTER 9 Manual Audit Tasks

Manual Audit Tasks (MAT) allow you to create, assign, track, and confirm manual security tasks. Manual audit tasks allow for the support of policy rules that do not lend themselves to traditional electronic solutions. For example, many security rules are physical, such as locking doors, ensuring that media is stored, etc. In other cases, an enterprise may wish to ensure that a backup was made of a database or other external system that is not directly accessible to Preventsys.
Manual audit tasks can account for all of these scenarios through the definition of custom tasks, which may then be reported upon and tracked in the Preventsys remediation system. Manual audit tasks have two main stages, “Incomplete” and “Complete”. A manual audit task is considered “Incomplete” until it has both a schedule and at least one recipient. Once a manual audit task has both of these, it is considered “Complete”.

The Preventsys SRM System ships with a selection of predefined manual audit tasks, which cover a wide range of common tasks. Some of these manual audit tasks also have predefined schedules. You may create your own manual audit tasks to account for additional scenarios. All manual audit task administration is conducted from the Manual Audit Task Management screen.

To access the Manual Audit Task Management screen

1 Click Tasks > Manual Audit Tasks. The Manual Audit Task Management screen is displayed.

Note: If you have tasks assigned to you, the My Tasks tab is displayed by default with your tasks listed. Otherwise, the By Task tab is displayed.

From the By Task tab on the Manual Audit Task Management screen, you can view all Manual Audit Tasks rolled up by assignees. From this screen you can also add new tasks, edit existing tasks, and delete tasks. Note that by default, tasks on this screen are displayed in alphabetical order by name.

You can also use the Filter tab on the By Task and By Recipients views to filter tasks by Resolved, Unresolved, Overdue, Future tasks, and Incomplete tasks.

Note: Filtering by “Incomplete” is only available on the By Task view. In addition, selecting the Future filter option with any other option will display only those future occurrences without a current occurrence. Selecting the Future filter option by itself will display all future occurrences.

Figure 9-1. Manual Audit Task Management – By Task

You can conduct the same functions on the By Recipients tab as you can on the By Task tab. The By Recipients tab allows you to view a list of all tasks. Note that by default, tasks on this screen are displayed in alphabetical order by name.

Figure 9-2. Manual Audit Task Management – By Recipient

From the My Tasks tab on the Manual Audit Task Management screen, you can view details about the individual tasks assigned to you and resolve them.

Figure 9-3. Manual Audit Task Management – My Tasks

Managing Manual Audit Tasks

Adding a Manual Audit Task

All manual audit tasks have an Audit Task Name, a Directive, and an Asset Value. The Directive is a text description of the manual audit task, including what the recipient must do to resolve the task. The Asset Value is the dollar value assigned to those assets that are dependent upon the manual audit task. For a task to be complete, it must also have recipients and a schedule. However, neither recipients nor a schedule is required to add the task.

All manual audit task schedules include a Due Date (or Start Date in the case of recurring schedules) and an Assignment Date. The Assignment Date is the date upon which the manual audit task is assigned to the specified recipients. Once the Assignment Date is reached, the manual audit task becomes active and its status can therefore be updated by the recipients. On this date, recipients are also sent emails notifying them of the task. If the recipient does not change the manual audit task’s status to Resolved by the Due Date, the system automatically changes the task’s status to Overdue.

Manual audit tasks can be assigned to individuals as well as groups. If one user in the group changes the status of a task, all other instances of the task change to that status as well.
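As an added example that is not Preventsys code, the following Python models the scheduling rules of this chapter: the recurring Due Dates produced from a Start Date and Frequency (the Daily, Weekly, Monthly and Yearly options the creation procedure below offers, including the guide's "every two weeks on Tuesday" case), the clamping of an entry such as February 31 to the last day of the month, the Assignment Date computed some Hours, Days, Weeks or Months ahead of the Due Date, the rule that only one occurrence of a task can be active at a time, and the Future/Unresolved/Overdue transitions. Function names are constructed, and reading the Weekdays option as "count only Monday to Friday" is an assumption.

```python
import calendar
from datetime import date, datetime, time, timedelta
from typing import List, Optional

WEEKDAY_INDEX = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}


def nth_day(year: int, month: int, n: int, weekdays_only: bool = False) -> date:
    """Day n of a month. With weekdays_only only Mon-Fri count (our reading of the
    Weekdays/Days option). An n past the end of the month is clamped to the last
    candidate, which is how an entry of February 31 becomes February 28."""
    last = calendar.monthrange(year, month)[1]
    candidates = [date(year, month, d) for d in range(1, last + 1)]
    if weekdays_only:
        candidates = [d for d in candidates if d.weekday() < 5]
    return candidates[min(n, len(candidates)) - 1]


def add_months(year: int, month: int, n: int):
    m = month - 1 + n
    return year + m // 12, m % 12 + 1


def due_dates(start: date, frequency: str, count: int, every: int = 1,
              days_of_week: Optional[List[str]] = None, day: int = 1, month: int = 1,
              weekdays_only: bool = False) -> List[date]:
    """First `count` Due Dates of a recurring schedule, none earlier than the Start Date."""
    if every < 1:
        raise ValueError("interval must be at least 1")
    out: List[date] = []
    if frequency == "Daily":                  # Every N day(s), or Every weekday
        d = start
        while len(out) < count:
            if not weekdays_only or d.weekday() < 5:
                out.append(d)
            d += timedelta(days=1 if weekdays_only else every)
    elif frequency == "Weekly":               # Every N weeks on the chosen day(s)
        wanted = sorted(WEEKDAY_INDEX[name] for name in (days_of_week or []))
        if not wanted:
            raise ValueError("Weekly needs at least one day of the week")
        monday = start - timedelta(days=start.weekday())
        while len(out) < count:
            for wd in wanted:
                d = monday + timedelta(days=wd)
                if d >= start and len(out) < count:
                    out.append(d)
            monday += timedelta(weeks=every)
    elif frequency in ("Monthly", "Yearly"):  # day N of every N months, or of one month each year
        y, m = (start.year, start.month) if frequency == "Monthly" else (start.year, month)
        step = every if frequency == "Monthly" else 12
        while len(out) < count:
            d = nth_day(y, m, day, weekdays_only)
            if d >= start:
                out.append(d)
            y, m = add_months(y, m, step)
    else:
        raise ValueError(frequency)
    return out


def assignment_date(due: date, amount: int, unit: str) -> datetime:
    """Assign `amount` Hours/Days/Weeks/Months ahead of the Due Date (taken at midnight)."""
    due_dt = datetime.combine(due, time.min)
    if unit == "Hours":
        return due_dt - timedelta(hours=amount)
    if unit == "Days":
        return due_dt - timedelta(days=amount)
    if unit == "Weeks":
        return due_dt - timedelta(weeks=amount)
    if unit == "Months":
        y, m = add_months(due.year, due.month, -amount)
        return datetime.combine(nth_day(y, m, due.day), time.min)
    raise ValueError(unit)


def lead_time_ok(dues: List[date], amount: int, unit: str) -> bool:
    """Only one occurrence may be active at a time: the next occurrence must not be
    assigned before the previous occurrence is due."""
    return all(assignment_date(nxt, amount, unit).date() >= prev
               for prev, nxt in zip(dues, dues[1:]))


def effective_assignment(due: date, amount: int, unit: str, today: date) -> datetime:
    """An assignment date that already lies in the past is sent out immediately."""
    return max(assignment_date(due, amount, unit), datetime.combine(today, time.min))


def occurrence_status(today: date, assigned: datetime, due: date, resolved: bool) -> str:
    """Future until the assignment date, then Unresolved or Resolved, Overdue past the Due Date."""
    if datetime.combine(today, time.min) < assigned:
        return "Future"
    if resolved:
        return "Resolved"
    return "Overdue" if today > due else "Unresolved"
```

With a Start Date of Monday 6 March 2006, `due_dates(date(2006, 3, 6), "Weekly", 2, every=2, days_of_week=["Tue"])` yields 7 March and 21 March, the case the guide's note walks through, and `lead_time_ok` on those dates accepts a one-week lead time but rejects a three-week one, which would assign the second occurrence before the first is due.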
The system will wait until a task has been assigned “and” has a schedule before actually assigning it, and therefore allowing it to be seen and resolved by the assignees. When a manual audit task is assigned that also has a schedule that can be run immediately (that is, it is not a task scheduled in the future), the system will automatically generate email notifications informing the recipients that they have manual audit tasks assigned to them. Recipients can then access and update the status of their assigned manual audit tasks via the link provided in the email notification. Note that users associated with external remediation systems will not receive email notifications. In addition to the initial assignment of new manual audit tasks, individual occurrences of recurring manual audit tasks may be edited to add new recipients or delete existing recipients.

To create a manual audit task

1 On the Manual Audit Task Management screen, click the Add New Task button. The Add Manual Audit Task screen is displayed.
2 Enter the Task Name (100 characters maximum).
3 Enter the Directive.
4 Modify the default Asset Value of $1500 if desired.

Note: Even if the Manual Audit Task is not related to a specific asset, the Asset Value can still be useful because it will aid in penalizing Manual Audit Type Policy Violations in exposure and risk calculations.

5 Select the type of schedule you want the task to have: Schedule Once or Recurring Schedule. If you select Schedule Once, enter a Due Date for the task, or click on the calendar icon and select a date. If you select Recurring Schedule, enter a Start Date for the task, or click on the calendar icon and select a date. Note that while the system will allow you to enter dates such as February 31, it will still calculate and schedule the task correctly (e.g. if you enter February 31, the system will use February 28, the last day of that month).

Now set the Frequency of the schedule by selecting one of the following options:

» Select Daily, and choose whether the manual audit task should occur “every so many days” (Every ___ day(s)) or Every weekday.
» Select Weekly, enter the number of weeks between occurrences, and select whether the manual audit task should take place on Sun, Mon, Tue, Wed, Thu, Fri, or Sat.
» Select Monthly, enter the Day of the month on which the manual audit task should take place and the number of months between occurrences, and select whether the Day setting should be based upon Weekdays or all Days.
» Select Yearly, choose the month and day on which the manual audit task should take place, and select whether the day setting should be based upon Weekdays (Monday-Friday) or Days (Monday-Sunday).

Note: The Start Date is the date on which you want to make the schedule effective; however, it cannot be earlier than today’s date. For example, if the start date is today, Monday, and your schedule is every two weeks on Tuesday, then the first occurrence will be tomorrow, Tuesday, and the second occurrence will be two weeks from tomorrow on Tuesday.

6 Specify how many Hours, Days, Weeks, or Months in advance of the Due Date the manual audit task should be assigned using the Assign to Recipients controls.

Note: If the assignment date ends up being earlier than today’s date, then the assignment is sent out immediately, assuming recipients have been assigned. For recurring schedules, you cannot schedule an assignment date that would cause the next occurrence to be assigned before the previous occurrence is due. In other words, only one occurrence of a manual audit task can be assigned or “active” at any given time.

7 Click Calculate Schedule to display the schedule you created based upon the above data. The screen will refresh to display the manual audit task’s proposed schedule.
8 Select the users or MAT groups you want assigned to the task from their respective lists and click <. To delete a name, select the name and click >.

Note: Only users that belong to groups with the Resolve MATs permission are displayed in the Available Users list.

9 Click Submit to save.

Editing a Manual Audit Task

When editing a Manual Audit Task, if you change the task’s directive and the task has a current occurrence, then an email notification is sent to the recipients. If the task had a schedule and recipients and you delete either of these, then the task becomes Incomplete and all current and future occurrences are canceled. In addition, if the task has a current occurrence, an email notification is sent to each recipient whose task state is “Unresolved” notifying them that they are no longer responsible for the task.

When editing a task’s schedule, if the task has a “current” occurrence and you change the due date, then an email notification is sent to recipients telling them that the schedule has changed. Note that if you change the Assignment Date to be later than today’s date, then the “current” occurrence will go away and be replaced by a “future” occurrence. An email notification will be sent to each recipient whose task state is “Unresolved” notifying them that they are no longer responsible for the current occurrence of the task.

When editing a task’s recipients, if a recipient is deleted then that recipient is deleted from both the current and any future occurrences of the task. If the recipient’s status for the current occurrence of the task is “Unresolved”, they will receive an email notification notifying them that they are no longer responsible for the task.

See the “Email Notifications” section for details about which edits result in an email notification being sent to a manual audit task recipient.
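The edit rules above, as an added example that is not Preventsys code: a function that applies an edit to a manual audit task and returns the email notifications this section says should go out (directive change, Complete to Incomplete, Assignment Date moved past today, Due Date change, recipient removal), together with the deletion case described under "Deleting Manual Audit Tasks". The class and field names, the notification messages and the sample task are constructed.

```python
from dataclasses import dataclass, field, replace
from datetime import date
from typing import Dict, List, Optional, Tuple

Notification = Tuple[str, str]   # (recipient, message)


@dataclass
class Schedule:
    assignment_date: date
    due_date: date


@dataclass
class ManualAuditTask:
    name: str
    directive: str
    schedule: Optional[Schedule] = None
    # recipient -> that recipient's state for the current occurrence
    # ("Unresolved", "Resolved" or "Overdue")
    recipients: Dict[str, str] = field(default_factory=dict)
    has_current_occurrence: bool = False


def is_complete(task: ManualAuditTask) -> bool:
    """A task is Complete once it has both a schedule and at least one recipient."""
    return task.schedule is not None and len(task.recipients) > 0


def unresolved_recipients(task: ManualAuditTask) -> List[str]:
    return [r for r, state in task.recipients.items() if state == "Unresolved"]


def apply_edit(task: ManualAuditTask, edited: ManualAuditTask,
               today: date) -> Tuple[ManualAuditTask, List[Notification]]:
    """Apply an edit and return the resulting task plus the notifications the rules
    in this section require. `edited` is the task as submitted on the edit screen."""
    notes: List[Notification] = []
    current = task.has_current_occurrence

    # Schedule or all recipients removed: the task becomes Incomplete, every current
    # and future occurrence is cancelled, and Unresolved recipients are told.
    # Resolved and Overdue states are left alone.
    if is_complete(task) and not is_complete(edited):
        if current:
            notes += [(r, "no longer responsible for task") for r in unresolved_recipients(task)]
        return replace(edited, has_current_occurrence=False), notes

    if current and edited.directive != task.directive:
        notes += [(r, "directive changed") for r in edited.recipients]

    still_current = current
    if current and task.schedule is not None and edited.schedule is not None:
        if edited.schedule.assignment_date > today:
            # The current occurrence goes away and is replaced by a future one.
            notes += [(r, "no longer responsible for current occurrence")
                      for r in unresolved_recipients(task) if r in edited.recipients]
            still_current = False
        elif edited.schedule.due_date != task.schedule.due_date:
            notes += [(r, "schedule changed") for r in edited.recipients]

    # A deleted recipient leaves the current and all future occurrences.
    for r, state in task.recipients.items():
        if r not in edited.recipients and current and state == "Unresolved":
            notes.append((r, "no longer responsible for task"))

    return replace(edited, has_current_occurrence=still_current), notes


def delete_notifications(task: ManualAuditTask) -> List[Notification]:
    """Deleting a task cancels all occurrences; only Unresolved recipients of a
    current occurrence are notified."""
    if not task.has_current_occurrence:
        return []
    return [(r, "no longer responsible for task") for r in unresolved_recipients(task)]


def demo() -> dict:
    # Constructed sample task that has a current occurrence.
    today = date(2006, 3, 6)
    task = ManualAuditTask(
        "Server room door check", "Confirm that the server room doors lock.",
        Schedule(date(2006, 3, 1), date(2006, 3, 15)),
        {"alice": "Unresolved", "bob": "Resolved", "carol": "Unresolved"},
        has_current_occurrence=True)

    # 1. New directive, and carol is removed from the recipients.
    t1, n1 = apply_edit(task, replace(task, directive="Confirm the doors lock and log it.",
                                      recipients={"alice": "Unresolved", "bob": "Resolved"}), today)
    # 2. Assignment Date moved past today: the current occurrence becomes a future one.
    t2, n2 = apply_edit(t1, replace(t1, schedule=Schedule(date(2006, 3, 10), date(2006, 3, 15))), today)
    # 3. Schedule removed entirely: the task is now Incomplete.
    t3, n3 = apply_edit(task, replace(task, schedule=None), today)
    return {"n1": sorted(n1), "n2": sorted(n2), "n3": sorted(n3),
            "t2_current": t2.has_current_occurrence, "t3_complete": is_complete(t3),
            "deleted": sorted(delete_notifications(task))}


if __name__ == "__main__":
    print(demo())
```

Note that bob, whose state is Resolved, is told about the directive change but is never told he is "no longer responsible": the cancellation notices go only to Unresolved recipients, as the section states.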
To edit a manual audit task

1 On the Manual Audit Task Management screen, click the Edit link for the task you want to modify. The Edit Manual Audit Task screen is displayed.
2 Modify the task’s information, schedule, and recipients as desired.

Note: Manual Audit Task Names must be unique.

3 Click Submit to save.

Deleting Manual Audit Tasks

When you delete a manual audit task, you delete the actual task.

Note: You cannot use the “delete” function to delete individual occurrences (either current or future, assigned or not assigned) of a task. See the “Edit Manual Audit Task” section for details about adding and removing recipients and modifying the schedule.

When a task is deleted, all current and future scheduled occurrences of the task are automatically canceled. If the task has a current occurrence, then an email notification is sent to each recipient whose task state is “Unresolved” notifying them that they are no longer responsible for the task. Task states in the “Resolved” or “Overdue” state are not affected.

To delete a manual audit task

1 On the Manual Audit Task Management screen, click the Delete link for the task you want removed. A confirmation popup box is displayed.
2 Select OK to continue or Cancel to quit.
3 If you selected OK, the system deletes the selected task and all of its scheduled occurrences.

Updating Manual Audit Tasks

Once a manual audit task is “Complete” (has both a schedule and at least one recipient) and its assignment date has passed, its current occurrence can be viewed and its status updated by the recipient(s). The status of Future Tasks (occurrences of tasks for which the assignment date has not yet passed) cannot be updated. Once a task is “Overdue”, it cannot be resolved.

Updating the Status of a Manual Audit Task

To update the status of a manual audit task assigned to you

1 On the Manual Audit Task Management screen, select the My Tasks tab.
All tasks assigned to you are displayed. Use the Filter tab to view only Unresolved, Resolved, Overdue, or Future tasks.

2 Change the status of the desired task to Resolved.

3 Click Submit to save your updates.

Manual Audit Task Email Notifications

The Preventsys SRM System sends email notifications to recipients about their manual audit tasks whenever the following conditions are met.

» An email notification is sent to the manual audit task recipients on the Assignment Date of each occurrence of a recurring task or on the first occurrence of a single occurrence task.
» An email notification is sent to the manual audit task recipients when the Task Directive of a Complete Task is changed if there is a Current Occurrence.
» An email notification is sent to the manual audit task recipient(s) when a Complete Task is changed to an Incomplete Task.
» An email notification is sent to the manual audit task recipient(s) when a Complete Task is deleted.
» An email notification is sent to the manual audit task recipient(s) when the schedule of a Complete Task is changed such that the Assignment Date is later than today’s date.
» An email notification is sent to the manual audit task recipient(s) when the due date of a task for which there is a Current Occurrence is changed.

Managing Manual Audit Task Recipient Groups

Manual audit tasks can be assigned to individuals as well as groups. A group can have as many members as desired, but must have at least one member. Note that the system waits until a task has been assigned “and” has a schedule before actually assigning it, and therefore allowing it to be seen and resolved by the assignees. When one user in the group changes the status of a task, all other instances of the task change to that status as well.

All manual audit recipient group administration is conducted from the Manual Audit Task Recipient Groups Management screen.
To access the Manual Audit Task Recipient Groups Management screen

1 Click Tasks > Manual Audit Recipient Groups. The Manual Audit Task Recipient Groups Management screen is displayed.

From the Manual Audit Task Recipient Groups Management screen, you can add new groups, edit existing groups, and delete groups.

Adding a Recipient Group

To add a recipient group

1 On the Manual Audit Task Recipient Groups Management screen, select the Add New Group button. The Manual Audit Task Recipient Group screen is displayed.

2 Enter the Group Name.

3 You may enter a Description (optional) for the new recipient group.

4 Highlight one or more users from the list on the right-hand side of the screen and click < to add the selected users to the group. To delete recipients, select them and then click >.

Note: Only users that belong to groups with the Resolve MATs permission are displayed in the Available Users list.

5 Click Submit to save the new recipient group.

Editing a Recipient Group

Deleting a member from a group deletes that member from all current occurrences and any future occurrences of the Manual Audit tasks to which the group is assigned. If the member’s status for any current occurrences was Overdue or Resolved before they were deleted, the member is still displayed on the Manual Audit Tasks screen when the Complete Tasks and Recipient view is selected. The deleted member is no longer able to update tasks to which the group they belonged to was assigned.

To edit a recipient group

1 On the Manual Audit Task Recipient Groups Management screen, click the Edit link for the group you want to modify. The Edit Recipient Groups screen is displayed.

2 Edit the Recipient Group as desired.

3 Click Submit to save the modified recipient group.
Deleting a Recipient Group

Deleting a Recipient Group removes that group from all current occurrences and any future occurrences of tasks to which it is assigned. Members are no longer able to update tasks to which the group was assigned. Members whose status was Overdue, or who changed the status of any current occurrences of their tasks to Resolved before the group was deleted, are still displayed on the Manual Audit Tasks screen when the Complete Tasks and Recipient view is selected.

To delete a recipient group

1 On the Manual Audit Task Recipient Groups Management screen, click the Delete link for the group you want removed. A confirmation popup box is displayed.

2 Select OK to continue or Cancel to quit.

3 If you selected OK, the system deletes the selected group.

About Manual Audit Task Rules and Policy Violations

Manual Audit Tasks may also be incorporated into policies via the PolicyLab Client using special Manual Audit Task Rules. In this manner, Manual Audit Tasks may be used to generate Manual Audit Task Policy Violations that can be tracked through remediation tasks. Manual Audit Tasks do not require a schedule or recipient assignments to be used in Manual Audit Task rules and policies.

The Manual Audit Task Policy Violations generated by Manual Audit Task Rules are included in the following reports: Executive Summary Standard and Trending, Task Standard and Trending Report, Exposure Overview Report, and Task Recipient Standard and Trending. See the Preventsys PolicyLab Guide for details about working with Manual Audit Task Rules.

Verification of Manual Audit Task Policy Violations

When a Manual Audit Task Rule fires because the criteria it sets are not met by the associated Manual Audit Task, the result is a Manual Audit Task Policy Violation. This policy violation is always associated with the first assessment that finds it, even if it is found by multiple assessments.
This is important to note when filtering by Assessment Name on the Remediation Task Management screen. See the “Remediations” chapter for details about filtering remediation tasks.

It is also important to note that the system looks at the state of Manual Audit Tasks when an assessment starts. Therefore, even if you modify a Manual Audit Task such that it should not fire a Manual Audit Task Policy Violation (e.g., you make sure it is assigned, scheduled, and not overdue), that Manual Audit Task can still cause a Manual Audit Task Policy Violation to be created or reopened. This happens if you modified the Manual Audit Task “after” the start of an assessment that uses a policy which contains the associated Manual Audit Task Rule. If this occurs, simply rerun your assessment, and the Manual Audit Task Policy Violation should be verified.

CHAPTER 10 Security Risk Dashboard

The Security Risk Dashboard gives you quick, simple access to the information you need and the application controls used most frequently. If you have the Preventsys Threat Intelligence license, you can also receive timely, actionable and comprehensive security analysis and notification about the latest cyber threats, including the threats and vulnerabilities that affect your networks the most and overall exposure levels. The Security Risk Dashboard also provides a snapshot of policy compliance and the top outstanding remediation tasks, as well as your personal task list.

The Security Risk Dashboard is comprised of the following consoles. Details about each console are provided in this chapter.
» Enterprise Console
» Exposure Console
» Compliance Console
» Threat Console
» Remediation Console
» Assessment Console

[Figure: Dashboard screenshot. Callouts: Clicking on the logo returns you to the Dashboard; Enterprise Compliance Console; Exposure Console; Enterprise Trending Console; Network Group Compliance Console; Threat Console; Remediation Console; Assessment Console]

The Dashboard is displayed when you log in to the Preventsys SRM System. You can also click on the Preventsys logo or the Home menu tab during any operation to return to the Dashboard.

Note: Much of the data displayed on the Dashboard is based on the results of assessments. You can specify the assessment data you want displayed as well as ignored using the Enterprise Group feature. See the “About Enterprise Groups” section for details.

About the Enterprise Console

Viewing Enterprise Compliance and Enterprise Trending Portlets

The Enterprise Compliance and Enterprise Trending portlets are scaled-down views of the Enterprise Group Summary report, which you can access quickly by clicking on either of these portlets. The data displayed in these portlets is filtered based on the active Enterprise Group. See the “About Enterprise Groups” section for details about Enterprise Groups.

About the Exposure Console

On the Exposure console, you can view a snapshot of the current exposure of your networks based on current vulnerabilities, the financial impact and operational impact of the affected assets, and the severity of those vulnerabilities. The data displayed in this console is filtered based on the active Enterprise Group. Clicking on the Exposure graph displays the Exposure Summary report, which provides additional trending details about your exposure.

» Exposure – An enlarged view of the graph displayed on the Exposure console.
» Issues and Remediations over Time – Presents the number of issues over time.
» Average Resolution Time – Presents the average resolution time of assigned remediation tasks over time. Resolution time is the difference between the time the task was assigned to a remediator and the time its status was changed to Claimed Resolved, False Positive, or Accepted Risk.

About the Compliance Console

The Compliance portlet provides snapshots of analyses which you have “promoted” to the dashboard via the Comparative Compliance Report. Note that the promoted view always shows the most recent data for the selected analysis families. Therefore, if the user attempts to promote different analyses from the same analysis family on the Comparative Compliance report, they will only see the most recent in the Compliance portlet. Clicking on one of the charts in the portlet opens the Comparative Compliance report with all the promoted assessments displayed. You can promote additional assessments via this report as well as delete currently promoted ones by selecting the “Dashboard+” and “Dashboard-” buttons, respectively.

About the Threat Console

The Threat console is only available to users with the Preventsys Threat Intelligence license. This subscription service is a near real-time information feed that provides actionable information for all aspects of the threat horizon - from vulnerability announcements to patches, to exploit code and global port scanning, through virus announcements and variants. Preventsys combines the external intelligence of different sources of information, in a way that can be automatically associated by the system, with knowledge about your corporate network’s current security posture.
This information contains technical and descriptive information and analysis, remediation actions, and threat rules that can be directly applied to your network to pinpoint problems, often before a signature file is available for a scanner. The Threat Intelligence Connector feed includes vendor vulnerability announcements, as well as information from sources like CVE, the Open Source Vulnerability Database, subscription intelligence services, and Preventsys’ own in-house security experts. All of this results in prioritized and actionable remediation tasks based on threat severity and your exposure to it for your highest valued assets.

Threat alerts are categorized into the following categories:

» Actionable – By reviewing network assessment results, the Preventsys SRM System determined that at least one of your assets is vulnerable to this threat alert. As a result, remediation tasks associated with this threat are associated with the threat alert. As long as at least one remediation task associated with the threat remains unresolved, the threat itself remains Actionable.
» Remediated – All remediation tasks associated with this actionable threat alert were fixed, and therefore your related assets are no longer vulnerable.
» Non-Actionable – The Preventsys SRM System determined that your assets are not vulnerable to this threat alert.

[Figure: Threat console screenshot. Callout: This message is displayed if the system cannot receive the latest threat feed]

Viewing the Latest Threat Alerts

From the Threat console, you can view a list of the latest five threat alerts by clicking on the Latest Threats tab. The latest five threat alerts are displayed and ordered by the date received, and then by severity.

Viewing the Top Threat Alerts

From the Threat console, you can view a list of the latest five threat alerts that the Preventsys SRM System has determined would put your networks at risk of exposure by clicking on the Top Threats tab. These types of threat alerts are considered “actionable”.
Because each actionable threat alert is associated with a remediation task, you can prioritize and track their resolution. If there are no actionable threats, then the latest threats are displayed. See the “Remediations” chapter for details.

Viewing All Threat Alerts

From the Threat console, you can view all threat alerts received to date by clicking on the Details tab ». All threat alerts received are displayed, ordered by date, and filtered to show the last 30 days of data based on the date of the latest threat alert received. There is no additional filtering based on Enterprise Group (see the Filtering section for details about filtering based on Enterprise Group). You can change the filter to show any range desired, but note that larger ranges may take longer to calculate and display. The All Threats screen also displays the number of threats out of the possible number of threats that exist. Note that this number reflects the 30-day filter. Select the Filter Options tab to specify a new filter.

[Figure: All Threats screenshot. Callout: This message is displayed if the system cannot receive the latest threat feed]

How Threat Alerts Affect Remediation Tasks

When actionable threat alerts are identified, the Preventsys SRM System automatically reviews the current set of remediation tasks to determine if there is a similar task which addresses the vulnerability. If it finds such a task that does not have the Verified status, it alters that task’s severity and adds details about the threat to its description and solution as needed.

How Severity Is Adjusted By Threat Alerts

The severity of a Vulnerability type remediation is determined by the severity set by the scanner that detected that vulnerability. The severity of remediation tasks associated with threats can be adjusted (raised or lowered) based on several things.
Each time the severity or the lifecycle phase of a threat alert that is associated with a remediation task increases or advances, the severity of that remediation task increases. Each time the severity or the lifecycle phase of a threat alert that is associated with a remediation task decreases, the severity of that remediation task decreases. When a threat alert is associated with a remediation task for the first time, the severity of that remediation task increases. In addition, a remediation task’s severity can be adjusted by an Exposure rule. Refer to the Preventsys SRM System Policy Reference Guide for a list of exposure rules.

Filtering the List of All Threat Alerts

You can filter the list of all threat alerts in a variety of ways by using the Filter Options tab. Filters you create can also be saved for later use.

Note: The list of all threats is automatically filtered to show the last 30 days. To view another date range, simply enter a starting and ending date in the Date fields. Please note that larger ranges may take longer to calculate and display.

To filter the threat alert list

1 On the list of all threats, click the Filter Options tab.

2 Enter data for the options you want to use.

Note: Text string fields are case sensitive. For example, entering “spybot*” for the threat name will not return “Spybot…”.

3 Click Apply Filter.

Note: To see all actionable threats, select the “actionable” option for the Status filter. To see only threats related to the Enterprise Group, select the “actionable” option for the Enterprise group filter. See the “About Enterprise Groups” section for details about using the Enterprise Group.

4 The list of threat alerts is displayed based on the filter selected.

Note: Selecting the “Remediated” filter option returns both remediated threats as well as partially remediated threats (referred to as Actionable threats).
As long as at least one remediation task associated with a threat remains unresolved, the threat itself remains Actionable.

Saving a Filter

You can select various filter options that change the types of data displayed. For example, you can filter by actionable threats. To save a filter, enter the filter’s name in the Save as Filter box (400 characters maximum), and click Save and Apply Filter. You can also create a new filter based on an existing filter by applying a saved filter, modifying the filter options as desired, and then changing that filter’s name and clicking Save and Apply Filter.

Applying a Saved Filter

You can load filters you have saved and apply them to the list of all threats. Note that column settings are not saved with a filter. To apply a saved filter, select the filter’s name from the Load Filter dropdown, click Load, and click Apply Filter.

Editing a Saved Filter

You can edit filters you have saved. To edit a saved filter, select the filter’s name from the Load Filter dropdown, click Load, edit the filter (including the filter’s name) as desired, and then click Save and Apply Filter.

Note: Remember that if you change the name of the filter you are editing, a new filter with that name is created when you click Save and Apply Filter. The initial filter you selected is not deleted or modified in any way.

Deleting a Saved Filter

Deleting a saved filter does not alter the threats displayed. To delete a saved filter, select the filter’s name from the Load Filter dropdown, click Load, and click Delete Filter.

Viewing Different Columns of Data for All Threat Alerts

You can choose different columns of data to view for the list of all threat alerts by using the Column View Options tab.

Note: Column options are not saved with filters. Saved filters use the system’s default column set.

To choose a column

1 On the list of all threats, click the Column View Options tab.
2 Select the data that you want to show.

3 Click Apply View Choices.

4 The list of threat alerts is displayed with the data you selected.

Viewing Details about a Threat Alert

From the Threat console, you can view all threat alerts received to date.

To view details about a threat alert

1 From the Threat Alert console, click on the name of a threat alert.

2 Click the individual tabs to view detailed information about the threat alert.

Main Tab

The Main tab displays the description of the threat alert.

Threat Lifecycle Tab

The Threat Lifecycle tab displays a graph that shows the current phase the threat is at within the threat lifecycle: Advisory, Exploit Discovered, and Threat Active in Wild. Note that these phases can occur in any order. Each of these phases has an associated probability of incident (the likelihood that you will be affected if the threat is actionable).

The following events are also displayed on the threat lifecycle graph:

» At Risk – The date it was determined that your network was at risk of exposure from the threat.
» Patch Available – The date it was determined that your network was no longer at risk of exposure from the threat.
» Fixed – The date it was determined that your network was no longer at risk of exposure from the threat.

Exposure Tab

The Exposure tab displays a graph that depicts the system’s exposure based on the financial and operational impact on the affected assets from this threat.

Assets Tab

The Assets tab displays the number of assets at risk for this threat, that is, the number of assets to which the system was able to correlate the threat. It also displays each asset’s financial and operational impact.

Note: If you are a member of the Super User group, then all assets are displayed.
Otherwise, only assets within the range of the network permissions of the groups to which you belong are displayed.

Tasks Tab

The Tasks tab displays the remediation tasks associated with the threat.

Note: If you are a member of the Super User group, then all applicable remediation tasks are displayed. Otherwise, only applicable remediation tasks associated with hosts that are within the range of the network permissions of the groups to which you belong are displayed.

Viewing Details about Assets

Many of the consoles and tabs present asset data. You may view details about these assets by clicking on an asset Name or IP Address in those areas and viewing the Asset Summary screen. For example, select the Threat Details > Assets tab, and then click on an asset Name or IP Address. The Asset Summary screen displays the issues (vulnerabilities and policy violations) associated with the selected asset as well as service information.

Note: If you are a member of the Super User group, then all tasks are displayed. Otherwise, only tasks associated with hosts that are within the range of the networks to which you are associated via your user group(s) are displayed.

If an issue contains coalesced vulnerabilities, the descriptions and solutions for that issue are grouped by scanner name and the associated test ID and test name. In addition, if some of the coalesced vulnerabilities were not found again during the latest assessment, they are listed under the “Previously Found” heading. If they were found (or found again) during the latest assessment, they are listed under the “Found” heading.
About the Remediation Console

The Remediation console is comprised of the following two areas:

Latest Tasks

The Latest Tasks console displays the five latest remediation tasks with a status of Unassigned, Assigned, False Positive, or Accepted Risk, listed in descending order by date found, followed by priority in descending order, followed by Issue ID in ascending order. This list can be additionally filtered by the active Enterprise Group.

Note: If you are a member of the Super User group, then all applicable remediation tasks are displayed. Otherwise, only applicable remediation tasks associated with hosts that are within the range of the network permissions of the groups to which you belong are displayed.

Click the details tab » to view the Remediation Management screen, where you can view and assign the task as well as view its status. Note that tasks are automatically filtered by the active Enterprise Group when the Remediation Management screen is accessed in this way. Use the Filter Options tab on the screen to turn off Enterprise Group filtering.

My Tasks

The My Tasks console displays the five highest priority tasks assigned to you (the logged-in user) that have a status of Assigned, False Positive, or Accepted Risk, in descending order by date found. Click the details tab » to view the Remediation Update screen, where you can update your status.

Viewing Details about a Remediation

You can view details about a remediation task by clicking on a Task Name. See the “Remediations” chapter for details about the Remediation Details screen.

About the Assessment Console

The Assessment console presents the latest assessments conducted by the system. Remember that assessments that have been “hidden” are not displayed. See the “Assessments” chapter for details about hiding assessments. Click the details tab » to view the View Assessment Status screen, which displays all assessments.
Note: If you are a member of the Super User group, then all applicable assessments are displayed. Otherwise, only applicable assessments associated with network groups made up completely of networks that are within the range of the network permissions of the groups to which you belong are displayed.

You can view details about an assessment by clicking on the View Details link for an assessment. See the “Assessments” chapter for details about the Assessment Details screen.

About Enterprise Groups

An Enterprise Group allows you to specify which assessment configurations you want the system to include results from and which ones you want the system to ignore. For example, if you create a test network and do not want assessment data from it displayed or utilized, you can create an enterprise group that does not include any of the assessment configurations associated with that test network.

When an Enterprise Group is activated, the system selects the latest analysis for each policy/network group combination from the latest version of each assessment configuration in the active Enterprise Group, and then only uses those analyses that correspond to the policies currently selected in those assessment configurations. For example, create an assessment configuration with two policies. When that assessment configuration is run, it results in two analyses (one for each policy). Now edit that assessment configuration such that only one of those policies is selected. The system now only uses the analysis associated with the policy that is still selected. If both policies are deselected, then no analyses are used.

If you do not have an active Enterprise Group, the system uses the results from the latest analysis for each policy/network group combination from the latest version of each assessment configuration “in the system” versus just the subset defined in an enterprise group.
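The selection rule just described, written out as an added Python model. This is not Preventsys code; the Analysis and AssessmentConfig records and the sample configurations and analyses are constructed for the example, including the two-policy configuration that is later edited to drop one policy.

```python
# Added illustration of the Enterprise Group analysis-selection rule described above.
# Not Preventsys code: the record layout and the sample data are assumptions
# constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Analysis:
    """One analysis: the result of one assessment run for one policy."""
    config: str            # assessment configuration name
    version: int           # version of the configuration that produced this analysis
    policy: str            # policy the analysis was generated for
    network_group: str     # network group the configuration assessed
    run_at: str            # ISO 8601 date/time of the assessment (sorts lexically)


@dataclass
class AssessmentConfig:
    """Current state of an assessment configuration."""
    name: str
    version: int                                 # latest version of the configuration
    selected_policies: frozenset = frozenset()   # policies currently selected in it


def select_analyses(configs, analyses, enterprise_group=None):
    """Return the analyses the Dashboard uses, following the rule in the text:

    * only configurations in the active enterprise group (every configuration
      in the system when no group is active),
    * only analyses produced by the latest version of each configuration,
    * only analyses whose policy is still selected in that configuration,
    * and of those, the latest analysis per policy/network group combination.
    """
    members = set(configs) if enterprise_group is None else set(enterprise_group)
    chosen = {}
    for a in analyses:
        cfg = configs.get(a.config)
        if cfg is None or a.config not in members:
            continue                      # configuration is outside the group
        if a.version != cfg.version:
            continue                      # produced by a stale configuration version
        if a.policy not in cfg.selected_policies:
            continue                      # policy was deselected after the run
        key = (a.config, a.policy, a.network_group)
        if key not in chosen or a.run_at > chosen[key].run_at:
            chosen[key] = a               # keep only the most recent analysis
    return sorted(chosen.values(), key=lambda x: (x.config, x.policy))


def sample_data():
    """Constructed sample: a production configuration edited to drop one policy,
    and a lab configuration that an enterprise group would leave out."""
    configs = {
        "prod-scan": AssessmentConfig("prod-scan", 2, frozenset({"SOX"})),   # HIPAA deselected
        "lab-scan": AssessmentConfig("lab-scan", 1, frozenset({"SOX", "HIPAA"})),
    }
    analyses = [
        Analysis("prod-scan", 1, "SOX",   "DC-East", "2006-02-01T09:00"),  # old version
        Analysis("prod-scan", 2, "SOX",   "DC-East", "2006-03-01T09:00"),
        Analysis("prod-scan", 2, "SOX",   "DC-East", "2006-03-02T09:00"),  # latest SOX run
        Analysis("prod-scan", 2, "HIPAA", "DC-East", "2006-03-02T09:00"),  # policy deselected
        Analysis("lab-scan",  1, "HIPAA", "Lab",     "2006-03-03T09:00"),
    ]
    return configs, analyses


if __name__ == "__main__":
    configs, analyses = sample_data()
    for a in select_analyses(configs, analyses, enterprise_group={"prod-scan"}):
        print("active group:", a)
    for a in select_analyses(configs, analyses):
        print("no active group:", a)
```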
Several areas in the Preventsys SRM System are Enterprise Group centric, and therefore use the query described in the previous paragraphs to determine what data is displayed as well as what data is used in calculations whose results are displayed. The following areas are considered enterprise group centric:

» Top Threats – Actionability is determined based on enterprise group
» Latest Threats – Actionability is determined based on enterprise group
» All Threats – Actionability is determined based on enterprise group (filter option available to see actionability not based on enterprise group)
» Threat Details Exposure Tab – Graph calculated based on enterprise group
» Latest Tasks – Tasks displayed based on enterprise group
» Asset Summary – Tasks displayed based on enterprise group
» Enterprise Group Summary Report – Calculated based on enterprise group; includes the Enterprise Compliance pie chart and trending graph on the Dashboard
» Exposure Summary – Calculated based on enterprise group; includes the Exposure graph on the Dashboard

All enterprise group administration is conducted from the Enterprise Groups Management screen.

To access the Enterprise Groups Management screen

1 Click Assessments > Enterprise Groups. The Enterprise Groups Management screen is displayed.

From the Enterprise Groups Management screen, you can add new groups, copy and edit existing groups, activate a group, and delete groups.

Note: If you are a member of the Super User group, then all enterprise groups are displayed. Otherwise, only enterprise groups made up completely of assessment configurations associated with network groups made up completely of networks that are within the range of the network permissions of the groups to which you belong are displayed.
Creating an Enterprise Group

Create an enterprise group when you want to define which assessments the system uses to display data on the Dashboard. You can create multiple enterprise groups; however, only one group can be active at a time. Remember that if you do not create and activate your own enterprise group, the system uses all assessments as the default. When an enterprise group is activated, only the latest analysis for each policy/network group combination from the latest version of each assessment configuration in the enterprise group is utilized.

To create an Enterprise Group

1 On the Enterprise Groups Management screen, click the Add Enterprise Group button. The Add Enterprise Group screen is displayed.

2 Enter a Group Name (100 characters maximum; must be unique).

3 Enter a Description (256 characters maximum).

4 Select the Assessment Configurations you want in the enterprise group from the Available list and click the < button to add them. They are added to the In Group list.

Note: If you are a member of the Super User group, then all assessment configurations are displayed. Otherwise, only assessment configurations associated with network groups made up completely of networks that are within the range of the network permissions of the groups to which you belong are displayed.

5 Click Submit to save. Remember that you must “activate” the group before it is utilized by the system.

Editing an Enterprise Group

To edit an Enterprise Group

1 On the Enterprise Groups Management screen, click the Edit link for the group you want to modify. The Edit Enterprise Group screen is displayed.

2 Edit the group as desired. To remove assessment configurations from the enterprise group, select them from the In Group list and click the > button to remove them.

3 Click Submit to save.
Activating and Deactivating an Enterprise Group

After you create an enterprise group, it must be activated before it is utilized by the system. Remember that you can create multiple enterprise groups; however, only one group can be active at a time. If you do not activate an enterprise group, the system uses all the assessments as the default.

To activate and deactivate an Enterprise Group

1 On the Enterprise Groups Management screen, click the Activate link for the group you want activated. A confirmation popup box is displayed.

2 Select OK to continue or Cancel to quit.

3 If you selected OK, the group is activated and the icon changes color. The link changes to Deactivate. The system now filters the data displayed on the ES Dashboard by this group.

4 To deactivate a group, click on the Deactivate link for the desired active group. A confirmation popup box is displayed.

5 Select OK to continue or Cancel to quit.

6 If you selected OK, the system deactivates the selected group.

CHAPTER 11 Reports

The Preventsys SRM System provides many reports that allow you to view the state of your networks with respect to policy violations, vulnerabilities, remediation tasks, and general compliance on a per analysis basis. An analysis is generated after an assessment is completed and is “only” created if a policy was selected. An assessment generates one analysis for each policy applied to the assessment, so a single assessment can potentially generate multiple analyses. The analysis includes facts found about the assets assessed as well as policy violations and vulnerabilities. Each Analysis includes the assessment configuration name, policy name and version, network group, and a date and time indicating when the assessment was performed.
Many of these reports also provide trending data between two like analyses (analyses that used the same assessment configuration). The following are brief summaries of the reports. For details, refer to their individual sections in this chapter.

Executive Summary: The Executive Summary reports provide a detailed overview of the assessed network group with differential trending analysis. This is an ideal starting point for reviewing new assessment results. The Asset Details reports can also be accessed from this report by clicking on a specific asset.
Enterprise Group Summary: The Enterprise Group Summary report, accessible via the Executive Compliance and Enterprise Trending Dashboard consoles, is enterprise group centric and therefore shows the aggregated results based on the active enterprise group. See the “Security Risk Dashboard” chapter for details about Enterprise Groups.
Administrator: The Administrator overview lists all administrators, providing the email address and network group assignments for each.
Network Group: The Network Group reports provide detailed information about the network groups included in the selected assessment.
Network: The Network reports provide in-depth information about a selected network, including a table listing all of the assets on the selected network, along with their IP addresses, operating systems, number of policy violations, and number of vulnerabilities. This is an ideal report for reviewing the status of an individual network.
Assets: The Assets reports are similar to the Network reports except you can filter the report by a specific host in the network group. The Asset Details report can also be accessed from this report.
Asset Details: The Asset Details reports provide detailed information about a selected asset, listing its IP address, operating system, network association, administrators, services, policy violations, and vulnerabilities.
This is the definitive report for reviewing the status of an individual asset. The Chronological View report can also be accessed from this report.
Chronological View: The Chronological View (accessible from the Asset Details Standard Report) provides detailed information about scan analysis, vulnerability history, administrator history, and network association specific to a selected asset. This is an ideal report for reviewing the history of an individual asset.
Operating System: The Operating System reports provide in-depth information about all of the assets utilizing a selected operating system in the assessed network group. This is an ideal report for reviewing the status of all assets running a selected operating system.
Task: The Task Standard and Trending reports provide snapshot and trending information about all remediation tasks addressing policy violations and vulnerabilities in the assessed network group. This is the definitive report for tracking remediation status and effectiveness.
Task Aging Summary: The Aging Summary provides information about remediation tasks that are overdue, the number of days since found, and the number of days since assigned, using the enterprise group. See the “Security Risk Dashboard” chapter for details about Enterprise Groups.
Task Rollup by Violation and Vulnerability: The rollup reports provide information about the number of vulnerability-type and violation-type remediations per network group, using the enterprise group. See the “Security Risk Dashboard” chapter for details about Enterprise Groups.
Task Recipient: The Task Recipient reports provide current information about the status of remediation tasks assigned to specific administrators.
Compliance: The Compliance report presents basic compliance data derived from the number of violations, rules, and assets associated with the selected analysis.
Comparative Compliance: The Comparative Compliance report allows for the comparison of multiple analyses, and for the viewing of more than one report/analysis combination at once.
Exposure: The Exposure report identifies how long individual vulnerabilities and policy violations were active on the assessed network group. This is a critical report for analyzing the potential risk associated with detected policy violations and vulnerabilities.
Services: The Services reports provide in-depth information about all services detected on the assessed network group, identifying all assets running the selected service. This is an ideal report for reviewing the usage of a particular service.
Wireless Access Points: The Wireless Access Points report provides detailed information about all machines connected to the assessed network group via wireless networking. This is the definitive report for monitoring the activity of all assets connected via wireless networking.

Working with the Report Filter

The Report Context appears at the top of most reports and allows you to select the analysis for which you want to view information. The Report Context Filter allows you to filter the list of analyses displayed in the Report Context. An analysis is generated after an assessment is run. An assessment will generate one analysis for each policy applied to the assessment, so a single assessment can potentially generate multiple analyses. Each analysis includes the assessment configuration name, policy name and version, network group, and a date and time indicating when the assessment was performed.

Note: An analysis always includes a policy. Therefore, if you do not select a policy when you configure your assessment, the results of that assessment will not be displayed in the Report Context.
The Preventsys SRM System automatically sets the defaults for the Report Context and the Report Context Filter based on the latest analysis conducted. See the “System Default for the Report Context Filter” section for details.

Figure 11-1 Report Context for a Standard Report

Note: If you are a member of the Super User group, then all applicable assessments are displayed. Otherwise, only applicable assessments with network groups made up completely of networks that are within the range of the network permissions of the groups to which you belong are displayed.

For Trending reports, an expanded Report Context is provided that includes both a Starting Analysis and an Ending Analysis selection, which allows you to view differential data between the two analyses.

Figure 11-2 Expanded Report Context for a Trending Report

Note: Selecting a Starting Analysis that utilized different scanners than the Ending Analysis may result in inconsistent results relative to the number and types of vulnerabilities and policy violations reported.

The Report Context can be changed by selecting the Modify Filter link. This link displays the Report Context Filter screen, which consists of a Date Filter (Starting Date and Ending Date), a Policy Filter, and a Network Group Filter.

Note: If you are a member of the Super User group, then all network groups are displayed in the Network Group Filter dropdown list. Otherwise, only network groups made up completely of networks that are within the range of the network permissions of the groups to which you belong are displayed.

Figure 11-3 Report Context Filter

When you select a report for the first time, the System automatically sets the Report Context Filter and the Report Context as described in the following sections.
System Default for the Report Context Filter

The Report Context Filter is automatically configured based on the latest analysis and the associated policy and network group.
» Ending Date defaults to the date of the latest analysis.
» Starting Date defaults to the date on which the earliest equivalent analysis was completed. Equivalent analyses are those where the assessment configuration name, policy name, and network group are the same; the version of the policy, however, can be different.
Note: The Start Date and End Date can be the same if the completion date of the earliest equivalent analysis is the same as the completion date of the latest analysis.
» Policy List defaults to all policies that were applied between the Start and End Dates. The policy associated with the latest analysis is automatically selected.
» Network Group List defaults to all network groups that the selected policy was applied to between the Start and End Dates. The network group associated with the latest analysis is automatically selected.

System Default for the Report Context

The Report Context is automatically configured based on the default Report Context Filter settings. For Standard Reports, the latest analysis is automatically selected, and the Analysis dropdown list is populated with all equivalent analyses that occurred during the selected Start and End Dates. For Trending Reports, the latest analysis is automatically selected for the Ending Analysis, and the dropdown list is populated with all equivalent analyses whose analysis date is equal to or greater than the earliest equivalent analysis (the analysis selected for the Starting Analysis). The earliest equivalent analysis is automatically selected for the Starting Analysis, and the dropdown list is populated with all equivalent analyses whose analysis date is equal to or less than the latest equivalent analysis (the analysis selected for the Ending Analysis).
The System continues to use the default Report Context Filter and the Report Context until you modify the filter.

Modifying the Report Context Filter

To modify the report context filter

1 Click Reports and select a specific report from the menu.
2 Click the Modify Filter link.
3 The Report Context Filter screen is displayed.
4 Enter a Starting Date in the appropriate field, or click the accompanying calendar control to enter the date using a graphical calendar.
5 Enter an Ending Date in the appropriate field, or click the accompanying calendar control to enter the date using a graphical calendar.
6 Select a Policy Filter from the dropdown menu. Note that the Policy Filter only contains those policies that were applied to an assessment between the selected Starting and Ending Dates.
7 Select a Network Group Filter from the dropdown menu. Note that the Network Group Filter only displays those network groups to which the selected Policy was applied between the selected Starting and Ending Dates.
Note: If you are a member of the Super User group, then all network groups are displayed. Otherwise, only network groups made up completely of networks that are within the range of the network permissions of the groups to which you belong are displayed.
8 Click Apply Filter to use the selected context filter, or click Cancel or Restore Defaults.
9 The Report Context displays all analyses that match the Report Context Filter settings, that is, all analyses conducted between the Starting and Ending Dates that utilized the selected policy and network group.
10 On the Report Context, the system automatically selects the latest analysis for you. For Trending reports, the system also selects the earliest equivalent analysis.
Note: For Trending Reports, the analysis you select in the Ending Analysis is driven by what you select for the Starting Analysis.
The Ending Analysis will always be equal to or later than the date of the analysis selected for the Starting Analysis. By default, the latest analysis will automatically be selected as the Ending Analysis and the earliest equivalent analysis will automatically be selected as the Starting Analysis.

Calculating Compliance

Preventsys uses a violation-centric algorithm to determine the compliance of your assets. Details about the data and formulas Preventsys uses to calculate asset compliance are provided in this section.

Term: Definition
Number of Assets: This is the total de-duplicated number of assets for a given grouping (network, network group, enterprise group).
Distinct Rules: This is a count of all “unique” rules that could yield policy violations. Note that “Violation of Network Policy” and “Host Compromised” are currently the only two rule types that can create policy violations and, therefore, the only types counted.
Asset Violations: This is the count of all unique asset violations for the given grouping of assets (e.g. individual asset, network, network group, exec summary, enterprise group). Note that on Executive Summary and Executive Trending reports the grouping is actually “by network group”. On the Enterprise reports, the grouping is “all network groups in the enterprise group”.
Possible Asset Violations: This is a count of all possible asset violations that could have been generated for the set of assessments being considered and is used as a component of the denominator in several calculations. This value is calculated using the following formula: Distinct Rules * Number Of Assets
MAT Violations: This is the count of all violations associated with manual audit tasks. It is important to understand that MAT violations are not associated with assets and therefore do not belong in any report that is purely asset-group based.
For example, the asset details, network, and network group reports are all purely asset based and therefore do not include MAT violations. On the other hand, executive summary and enterprise reports are “assessment based” and do include MAT violations.
Possible MAT Violations: This is a count of all possible MAT violations that could have been generated and is used as a component of the denominator in several calculations. Due to the nature of MAT policy rules, the formula for calculating possible MAT violations is somewhat complex.
Latest Distinct Analysis: The latest analysis for each unique policy/network group combination for which there is currently both an associated network group and policy selected in the assessment configuration. When the assessing phase of an assessment is conducted, the returned scan result is for the network group selected in the associated assessment configuration. When the analyzing phase of an assessment is conducted, a separate analysis is returned for each policy selected in the associated assessment configuration. To determine the “latest distinct analyses” for an assessment configuration, the system looks at the policies and the network group selected in the assessment configuration and then gathers the latest analysis for each of those policies for that network group and assessment configuration. For example, assessment_config1 has networkgrp1 and two policies selected. Therefore, when an assessment is run using assessment_config1, a scan result for networkgrp1 and two analyses (one for each policy selected) will result. If assessment_config1 is then edited such that one of the two policies is deselected, leaving only one policy selected, only the analysis associated with the policy still selected will be used. Note that if both policies are deselected, then no analyses are used.
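The two selection rules described above (the “System Default for the Report Context Filter” defaults and the “Latest Distinct Analysis” definition) both reduce to picking analyses out of a list by assessment configuration, policy and network group. The Python below is an added illustration, not Preventsys code: the `Analysis` and `AssessmentConfig` records, the policy names and all dates are constructed for the example, and the assessment_config1 / networkgrp1 names are borrowed from the page’s own example. `default_report_context` computes the default dates, policy list, network group list and Standard/Trending selections from the latest analysis; `latest_distinct_analyses` keeps the newest analysis per policy that is still selected in the configuration, so a deselected policy drops out exactly as the paragraph above describes.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Analysis:
    """One analysis record (constructed for this example)."""
    config_name: str      # assessment configuration name
    policy_name: str
    policy_version: int   # may differ between equivalent analyses
    network_group: str
    completed: datetime   # when the assessment was performed


@dataclass(frozen=True)
class AssessmentConfig:
    """The policies currently selected in an assessment configuration."""
    name: str
    network_group: str
    selected_policies: frozenset


def equivalent(a: Analysis, b: Analysis) -> bool:
    """Equivalent analyses share config name, policy name and network group;
    the policy version may differ."""
    return (a.config_name, a.policy_name, a.network_group) == \
           (b.config_name, b.policy_name, b.network_group)


def default_report_context(analyses):
    """System defaults for the Report Context Filter and Report Context,
    derived from the latest analysis as described in this chapter."""
    if not analyses:
        return None
    latest = max(analyses, key=lambda a: a.completed)
    equiv = sorted((a for a in analyses if equivalent(a, latest)),
                   key=lambda a: a.completed)
    start, end = equiv[0].completed.date(), latest.completed.date()
    in_range = [a for a in analyses if start <= a.completed.date() <= end]
    return {
        "starting_date": start,                       # earliest equivalent analysis
        "ending_date": end,                           # latest analysis
        "policy_list": sorted({a.policy_name for a in in_range}),
        "selected_policy": latest.policy_name,
        "network_group_list": sorted({a.network_group for a in in_range
                                      if a.policy_name == latest.policy_name}),
        "selected_network_group": latest.network_group,
        "standard_analyses": equiv,                   # Standard report dropdown
        "standard_selected": latest,
        "trending_starting": equiv[0],                # earliest equivalent analysis
        "trending_ending": latest,
    }


def latest_distinct_analyses(config: AssessmentConfig, analyses):
    """Latest analysis for each policy still selected in the configuration,
    restricted to the configuration's network group."""
    result = {}
    for policy in config.selected_policies:
        matches = [a for a in analyses
                   if a.config_name == config.name
                   and a.network_group == config.network_group
                   and a.policy_name == policy]
        if matches:
            result[policy] = max(matches, key=lambda a: a.completed)
    return result


# Constructed sample history: two runs of assessment_config1 with two policies,
# plus one run of a second configuration on another network group.
SAMPLE = [
    Analysis("assessment_config1", "PolicyA", 1, "networkgrp1", datetime(2006, 1, 10, 9, 0)),
    Analysis("assessment_config1", "PolicyB", 1, "networkgrp1", datetime(2006, 1, 10, 9, 5)),
    Analysis("assessment_config2", "PolicyA", 2, "networkgrp2", datetime(2006, 1, 20, 9, 0)),
    Analysis("assessment_config1", "PolicyA", 2, "networkgrp1", datetime(2006, 2, 10, 9, 0)),
    Analysis("assessment_config1", "PolicyB", 1, "networkgrp1", datetime(2006, 2, 10, 9, 30)),
]

if __name__ == "__main__":
    ctx = default_report_context(SAMPLE)
    print("filter:", ctx["starting_date"], ctx["ending_date"],
          ctx["selected_policy"], ctx["selected_network_group"])
    cfg = AssessmentConfig("assessment_config1", "networkgrp1", frozenset({"PolicyA"}))
    for policy, analysis in latest_distinct_analyses(cfg, SAMPLE).items():
        print(policy, "->", analysis.completed)
```

With the sample data the latest analysis is the PolicyB run of 10 February, so the Ending Date is 2006-02-10, the Starting Date is the 10 January PolicyB run, the Policy Filter lists both policies with PolicyB selected, and the Network Group Filter lists only networkgrp1. Editing assessment_config1 down to PolicyA leaves a single latest distinct analysis.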
Note: Average Compliance is the formula used by the system by default and is based on an average percentage of compliance using violations only (see definition in the following table). Boolean Compliance is an optional formula which counts the number of assets that are 100% compliant (do not have any violations or vulnerabilities) and divides by the total number of assets. Therefore, if at least one violation or vulnerability is found for an asset, that asset is considered noncompliant. The Boolean formula must be turned on by modifying certain files and doing a redeploy. See your Preventsys Support Representative for details.

Formula: Definition; Equation; Reports
Asset Compliance: Asset compliance is calculated based on distinct violations; vulnerabilities are not considered. Equation: (asset violations) / (possible asset violations). Reports: Asset Details
Network Compliance*: Average compliance for all assets that lie within the specified network for a given analysis. Equation: Sum(asset compliance) / (number of assets). Reports: Network, Asset Standard
Network Group Compliance*: Average compliance for each asset considered to be in the network group. Note that only distinct violations are counted. Equation: Sum(asset compliance) / (number of assets). Reports: Network Group, Comparative Compliance, Operating System
Total Compliance**: Includes both asset and MAT based violations. Note that the Executive reports consider a single network group and policy combination while an Enterprise Group may contain multiple. Equation: (Sum(asset violations) + Sum(MAT violations)) / ((possible asset violations * number of assets) + (possible MAT violations)). Reports: Enterprise Group Summary*, Executive Summary**

*This is applied against all “Latest Distinct Analyses” based on the latest version of each assessment configuration in the active enterprise group. If there is no active enterprise group, then it is applied based on the latest version of each assessment configuration in the system.
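The formula table above is easier to reason about when worked through on numbers, in particular the asset-based versus assessment-based distinction that the ** footnote below illustrates with a single clean host and three MAT violations. The Python below is an added example, not Preventsys code. Its assumptions: the equations on the page give the fraction of possible violations that were found, and the example reports compliance as one minus that fraction (the page does not state this step); the asset part of the Total Compliance denominator is taken as Distinct Rules * Number Of Assets from the term table; and because the page says the possible-MAT-violations formula is complex without giving it, that value is passed in as a parameter. The rule count, asset names and violation counts are constructed.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class Asset:
    name: str
    violations: int = 0       # distinct policy violations found on the asset
    vulnerabilities: int = 0  # used only by the optional Boolean formula


def possible_asset_violations(distinct_rules: int, assets) -> int:
    """Possible Asset Violations = Distinct Rules * Number Of Assets."""
    return distinct_rules * len(assets)


def asset_compliance(asset: Asset, distinct_rules: int) -> Fraction:
    """Asset Compliance: based on distinct violations only; vulnerabilities are
    not considered. For one asset the possible violations equal the distinct
    rule count. Reported as 1 - (violations / possible) (assumption)."""
    if distinct_rules == 0:
        return Fraction(1)
    found = min(asset.violations, distinct_rules)
    return Fraction(1) - Fraction(found, distinct_rules)


def average_compliance(assets, distinct_rules: int) -> Fraction:
    """Network / Network Group Compliance: Sum(asset compliance) / (number of assets)."""
    if not assets:
        return Fraction(1)
    total = sum((asset_compliance(a, distinct_rules) for a in assets), Fraction(0))
    return total / len(assets)


def total_compliance(assets, distinct_rules: int, mat_violations: int,
                     possible_mat_violations: int) -> Fraction:
    """Total Compliance: asset and MAT violations over the combined possible
    violations. possible_mat_violations is supplied by the caller (assumption:
    the page does not give its formula)."""
    denominator = possible_asset_violations(distinct_rules, assets) + possible_mat_violations
    if denominator == 0:
        return Fraction(1)
    found = sum(a.violations for a in assets) + mat_violations
    return Fraction(1) - Fraction(min(found, denominator), denominator)


def boolean_compliant_count(assets) -> int:
    """Assets with no violations and no vulnerabilities: the Boolean formula's
    numerator, and what the host-based bar chart counts as Compliant."""
    return sum(1 for a in assets if a.violations == 0 and a.vulnerabilities == 0)


def boolean_compliance(assets) -> Fraction:
    """Optional Boolean Compliance: fully compliant assets / total assets."""
    if not assets:
        return Fraction(1)
    return Fraction(boolean_compliant_count(assets), len(assets))


# Constructed scenario from the ** footnote: one host with no violations or
# vulnerabilities, but three MAT violations against the network group.
DISTINCT_RULES = 5            # constructed rule count
SINGLE_HOST = [Asset("host-1")]


def footnote_scenario():
    """Pie chart (assessment based, includes MAT) versus bar chart (host based)."""
    return {
        "pie_total_compliance": total_compliance(SINGLE_HOST, DISTINCT_RULES,
                                                  mat_violations=3,
                                                  possible_mat_violations=3),
        "bar_compliant_assets": boolean_compliant_count(SINGLE_HOST),
        "asset_based_compliance": average_compliance(SINGLE_HOST, DISTINCT_RULES),
    }


if __name__ == "__main__":
    for key, value in footnote_scenario().items():
        print(f"{key}: {value}")
```

In the footnote scenario the host-based figures (Network/Network Group compliance and the bar chart’s compliant count) show a fully compliant host, while Total Compliance drops to 5/8 because the three MAT violations enter both the numerator and the denominator. When a group has no MAT violations at all, the average of per-asset compliance and Total Compliance coincide, since every asset shares the same possible-violation count.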
**A network group can be considered non-compliant if there are MAT violations even if its individual assets do not show any policy violations. This is because MAT violations are network group based, not host based. For example, suppose you scanned a single host and it produced no vulnerabilities or policy violations, but three MAT violations were created. The Executive Summary pie chart will display the network group as non-compliant; however, the bar chart will display Compliant = “1” because it is host based.

Navigating Between Reports

When moving from a Trending report to a Standard report, the Ending analysis selected in the Trending report becomes the analysis selected on the Standard report. The same Report Context Filter settings are applied that were set on the Trending report. When moving from a Standard report to a Trending report, the analysis selected on the Standard report becomes the Ending analysis selected on the Trending report (i.e. the “latest” analysis). The Starting Analysis dropdown list is automatically populated with all analyses whose analysis date is equal to or earlier than the selected Ending Analysis. The analysis with the earliest analysis date is automatically selected for you. The same Report Context Filter settings are applied that were set on the Standard report.

Using the “Narrow by Asset” Control

Selected Asset reports and Network Group reports feature a “Narrow by Asset” control that may be used to refine the data included in these reports based upon IP addresses or asset name substrings. After entering an IP address or substring and clicking Refresh, the system will refresh the report based on only those assets that meet the specified criteria. Deleting the query entered in the Narrow by Asset field and clicking Refresh will clear the filter and display all results based on the selected Analysis.
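The Narrow by Asset control accepts either an asterisk-wildcard name pattern or an IP address in CIDR notation, with the matching rules listed next in this section. The Python below is an added example of that matching logic, not Preventsys code: it shows how a shortened prefix such as 208.130.29/24 or 0/0 is padded to four octets, why 208.130.28/22 also covers 208.130.29.x, and that a bare address behaves as /32 and an empty query clears the filter. The asset inventory (`SAMPLE_ASSETS`) is constructed; the function names are this example’s own. The asterisk is implemented as “any run of characters”, so a pattern can carry one or several of them.

```python
import ipaddress
import re

# Constructed sample inventory of (asset name, IP address); not from the page.
SAMPLE_ASSETS = [
    ("computer-01", "208.130.29.33"),
    ("company-fs", "208.130.31.5"),
    ("accompany-db", "208.130.32.1"),
    ("mailhost", "10.0.0.7"),
]

_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _pad_octets(prefix: str) -> str:
    """Pad a shortened dotted prefix to four octets:
    '208.130.29' -> '208.130.29.0', '0' -> '0.0.0.0'."""
    octets = prefix.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 prefix: {prefix!r}")
    return ".".join(octets + ["0"] * (4 - len(octets)))


def parse_query(query: str):
    """Classify a Narrow by Asset query: ('all', None), ('cidr', network)
    or ('name', compiled regex)."""
    q = query.strip()
    if not q:
        return ("all", None)                      # empty query clears the filter
    if "/" in q:
        prefix, length = q.split("/", 1)
        # strict=False lets the prefix carry host bits (e.g. 208.130.29.33/24)
        net = ipaddress.IPv4Network(f"{_pad_octets(prefix)}/{int(length)}", strict=False)
        return ("cidr", net)
    if _IPV4.match(q):                            # address without a prefix == /32
        return ("cidr", ipaddress.IPv4Network(f"{q}/32"))
    # Name pattern: '*' matches any run of characters, everything else is literal.
    regex = ".*".join(re.escape(part) for part in q.split("*"))
    return ("name", re.compile(f"^{regex}$", re.IGNORECASE))


def narrow_by_asset(assets, query: str):
    """Return the names of the assets that satisfy the query."""
    kind, matcher = parse_query(query)
    if kind == "all":
        return [name for name, _ in assets]
    if kind == "cidr":
        return [name for name, ip in assets if ipaddress.IPv4Address(ip) in matcher]
    return [name for name, _ in assets if matcher.match(name)]


if __name__ == "__main__":
    for q in ["comp*", "*comp*", "208.130.29.33", "208.130.29/24", "208.130.28/22", "0/0"]:
        print(f"{q:>16}: {narrow_by_asset(SAMPLE_ASSETS, q)}")
```

The /22 case is the instructive one: the network 208.130.28.0/22 keeps only the first six bits of the third octet, so third-octet values 28 through 31 all fall inside it and company-fs at 208.130.31.5 is returned alongside computer-01, while accompany-db at 208.130.32.1 is not.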
In the case of asset name substrings, asterisk “*” wildcards may be used in the following manner:
» Searching for comp* will return all asset names starting with the letters “comp” such as “computer” or “company.”
» Searching for *comp* will return all asset names containing the letters “comp” such as “accompany.”
» Searching for *comp will return all asset names beginning with the letters “comp” such as “computer” or “company.”

In the case of IP address entry, CIDR notation may be used to refine the search in the following manner:
» 208.130.29.33/32 – The "/32" extension will return all IP addresses that match all thirty-two bits of the specified address (i.e. a host address, matching a single IP address). An IP address without a trailing prefix is assumed to be a single address.
» 208.130.29/24 – The "/24" extension will return all IP addresses starting with the twenty-four-bit prefix 208.130.29.
» 208.130.28/22 – The “/22” extension here will result in the inclusion of 208.130.29/24 because in binary, 28 is 00011100, while 29 is 00011101. However, because of the 22-bit prefix length, only the first 6 bits of the third byte are valid.
» 0.0.0.0/0 or 0/0 – The “/0” is the shortest possible IP address prefix and matches any IP address.

Viewing Reports

This section describes what types of information are displayed on each report. Remember that you can view details about the assessment selected for the report by clicking the Assessment Details link.

Executive Summary Report

The Executive Summary provides a detailed overview of the assessed network group with information about compliance, asset data, and vulnerabilities and policy violations.

Standard

The Standard Executive Summary report opens with a pie chart and a bar graph indicating basic compliance information. The Compliance Summary pie chart illustrates the percentage of compliant and noncompliant assets in the selected Analysis.
Compliance is calculated based on the average compliance of all assets associated with the analysis selected for the report. The accompanying bar chart indicates the number of violations, vulnerabilities, compliant assets, total assets, and the total number of manual audit task rules referenced in the policy. The Report Summary table indicates the total number of assets, the total number of assets that passed, the total number of assets that failed, and the total manual audit task rules referenced in the policy. The Vulnerabilities and Policy Violations table includes dated information about both pending and resolved policy violations and vulnerabilities, along with the average time to fix for resolved issues.

Note: If a subsequent assessment verifies remediation tasks found in the previous assessment, the number of resolved vulnerabilities in the report for that previous assessment will reflect that.

Figure 11-4 Sample Executive Summary – Standard report

Trending

The Trending Executive Summary also includes a series of graphs indicating Issues and Assets over Time, Asset Risk over Time, Vulnerabilities/Violations and Remediations over Time, and Average Time to Fix. The first graph on the Executive Summary Trending Report presents the total assets, total noncompliant assets, and the total compliant assets for the analyses selected.

Figure 11-5 Sample Compliance Totals over Time graph

The second graph on the trending version of the Executive Summary charts assets at risk. This graph features a “View By” pull-down menu that allows you to switch between Assets and Dollars. In Assets mode, this graph plots the severity level of policy violations and vulnerabilities found on the network group. In Dollars mode, this graph plots the severity of policy violations and vulnerabilities against the dollar value of the affected assets.
Figure 11-6 Asset Risk over Time graph

The third graph on the trending version of the Executive Summary illustrates the total number of vulnerabilities and policy violations found along with the number of remedied vulnerabilities and policy violations.

Figure 11-7 Issues and Remediations over Time graph

The last graph on the trending version of the Executive Summary illustrates differential Average Time to Fix data.

Figure 11-8 Average Time to Fix graph

The Trend Report Summary table presents the total number of assets, the total number of assets that passed, the total number of assets that failed, total services running, total vulnerabilities, total new assets, total changed assets, the total manual audit task new and existing rules referenced in the policy, the total Web servers, and the total SSL Web servers. The Vulnerabilities/Violations table includes dated information from the two analyses selected about both pending and resolved policy violations and vulnerabilities, along with the average time to fix for resolved issues.

Enterprise Group Summary Report

The Enterprise Group Summary report, accessible via the Executive Summary submenu, is Enterprise Group centric and therefore shows aggregated results based on the active Enterprise Group. See the “Security Risk Dashboard” chapter for details about enterprise group centric reports. The Enterprise Group Summary report displays three areas of information (trends, current compliance, and roll-up information per network group assessed). It is a blend of trended data (the Trending Report graph) and the latest snapshot of compliance information (the Compliance Summary graph), as well as a table that displays the latest information per network group based on the active Enterprise Group. The Trending Report graph shows the trend of Total Assets, Compliant Assets and Non-Compliant Assets. Again, this is based on the active Enterprise Group.
Therefore, it represents aggregate information of the trends across all network groups based on the active Enterprise Group. The Compliance Summary pie chart shows the current, average compliance of assets. Therefore, it represents aggregate information of the compliance across all network groups based on the active Enterprise Group.

The “Totals by Policy” table displays all violations and all MAT violations per policy, with totals for each row and each column. This means that the total violations should match the sum of the violations from the last table, across all network groups. The “Totals by Network Group” table displays totals of violations, vulnerabilities, and threats by network group. These values are the sum of all violations and vulnerabilities across all network group/policy combinations that are in the current enterprise group, with totals for each column. The “Totals by Network Group and Policy” table displays the violations, vulnerabilities and threats associated with the latest analysis by network group and policy. The number of violations and vulnerabilities link to the Network Group Standard report for that network group and policy. The number of threats links to the All Threats screen, which is then pre-filtered to display the actionable threats for the network group.

Figure 11-9 Sample Enterprise Group Summary report – Note that the active Enterprise Group is displayed as a link next to the report title (the name of the active enterprise group, or “All” if none is active). In the sample there is no enterprise group set, so “All” is displayed to signify that all assessment configurations in the system are being considered. Note that selecting this link displays the Enterprise Groups Management screen.
Clicking on a link in the Violations column, which represents the number of violations found on the network group, will display the latest Network Group Standard report for the specified network group. Clicking on a link in the Vulnerabilities column, which represents the number of vulnerabilities found on the network group, will display the latest Network Group Standard report for the specified network group. Clicking on a link in the Threats column, which represents the number of threats applicable to the network group, will take you to the All Threats page, which will be pre-filtered by the specified network group. Note that this filtering happens in the background and therefore is not displayed in the Filter Options tab. To view “all” threats, click the Apply Filter button, and all threats will be displayed rather than just those for the selected network group. This report also allows you to generate a PDF version via the Save As PDF link.

Administrator Overview

The Administrator Overview report lists all administrators and their corresponding network group assignments, as well as their email addresses. An Administrator is any user belonging to a group (or groups) that has the “Modify Networks” and “Modify Assessment Configurations” permissions. However, an administrator will only be displayed on this report if the groups to which he or she belongs also have network permissions for all the networks in a network group for which an assessment has been run.

Note: If you are a member of the Super User group, then all network groups are displayed. Otherwise, only network groups made up completely of networks that are within the range of the network permissions of the groups to which you belong are displayed.
Figure 11-10 Sample Administrator Overview report

Selecting a Network Group name will allow you to view the corresponding Network Group report, and selecting an administrator’s email address will open your email tool so that you can send an email to the selected administrator.

Network Group Reports

The Network Group reports provide in-depth information about all network groups included in the selected assessment.

Overview

The Network Group Overview screen presents a list of all network groups, with links to the corresponding Network Group Details reports.

Note: If you are a member of the Super User group, then all network groups are displayed. Otherwise, only network groups made up completely of networks that are within the range of the network permissions of the groups to which you belong are displayed.

Figure 11-11 Sample Network Group Overview report

Standard

The standard Network Group Details report opens with a pie chart and a bar graph indicating basic compliance information. Compliance is calculated based on the average compliance of all assets in the network group associated with the analysis selected for the report.

Figure 11-12 Sample Network Group Standard report

Next is a table displaying information about all assets in the selected network group, including Asset Name, IP address, Operating System, number of Violations, and number of Vulnerabilities. Clicking on the Asset Name, IP Address, OS, Violation, or Vulnerabilities column headings will re-sort the table according to the selected element. The Narrow by Asset field allows you to refine the data included in this report based upon IP addresses or asset name substrings. See the “Using the Narrow by Asset Control” section presented earlier in this chapter for details about working with the Narrow by Asset control.
All asset names on the Network Group Details screen serve as links to the corresponding Asset report. All operating system names serve as links to the corresponding OS report.

Trending

The first graph on the trending version of the Network Group Details report charts assets at risk. This graph features a “View By” pull-down menu that allows you to switch between Assets and Dollars. In Assets mode, this graph plots the severity level of policy violations and vulnerabilities found on the network group. In Dollars mode, this graph plots the severity of policy violations and vulnerabilities against the dollar value of the affected assets. The second graph on the trending version of the Network Group Details report illustrates the total number of vulnerabilities and policy violations found along with the number of remedied vulnerabilities and policy violations. Next, the trending version of the Network Group Details report provides a graph illustrating differential Average Time to Fix data.

The Narrow by Asset field allows you to refine the data included in this report based upon IP addresses or asset name substrings. See the “Using the Narrow by Asset Control” section presented earlier in this chapter for details about working with the Narrow by Asset control.

Figure 11-13 Sample Network Group Trending report

Network Report

The Network reports provide detailed information about all networks in the selected Analysis, including asset names, IP addresses, operating systems, policy violations, and vulnerabilities. Assets with high severity vulnerabilities or policy violations are also flagged as compromised on this report.

Network Overview

The Network Overview screen presents a list of all networks included in the selected Analysis, with links to the corresponding Network Details reports.
Figure 11-14 Sample Network Overview report

Standard

The standard Network Details report opens with a pie chart and a bar graph indicating basic compliance information. Compliance is calculated based on the average compliance of all assets in the network group associated with the analysis selected for the report.

Next is a table displaying information about all assets in the selected network, including Asset Name, IP address, Operating System, number of Violations, and number of Vulnerabilities. Clicking on the Asset Name, IP Address, OS, Violation, or Vulnerabilities column headings will re-sort the table according to the selected element.

All asset names on the Network Details screen serve as links to the corresponding Asset report. All operating system names serve as links to the corresponding OS report.

Figure 11-15 Sample Network Details Standard report

Trending

The first graph on the trending version of the Network Details report charts assets at risk. This graph features a “View By” pull-down menu that allows you to switch between Assets and Dollars. In Assets mode, this graph plots the severity level of policy violations and vulnerabilities found on the network. In Dollars mode, this graph plots the severity of policy violations and vulnerabilities against the dollar value of the affected assets.

The second graph on the trending version of the Network Details report illustrates the total number of vulnerabilities and policy violations found along with the number of remedied vulnerabilities and policy violations.

The trending version of the Network Details report also provides a graph illustrating differential Average Time to Fix data.
Figure 11-16 Sample Network Details Trending report

Asset Report

The Asset reports provide information about all assets within the network group associated with the selected analysis, or detailed information about a specific asset.

Standard

The Asset Standard Report opens with a pie chart and a bar graph indicating basic compliance information. Compliance is calculated based on the average compliance of all assets associated with the analysis selected for the report.

Next is a table displaying information about all assets in the selected network group, including Asset Name, IP address, Operating System, number of Violations, and number of Vulnerabilities. Clicking on the Asset Name, IP Address, OS, Violation, or Vulnerabilities column headings will re-sort the table according to the selected element.

The Narrow by Asset field allows you to refine the data included in this report based upon IP addresses or asset name substrings. See the “Using the Narrow by Asset Control” section presented earlier in this chapter for details about working with the Narrow by Asset control.

All asset names on the Asset Standard Report screen serve as links to the corresponding Asset Details Standard Report. All operating system names serve as links to the corresponding OS report.

Figure 11-17 Sample Asset Standard report

Details Standard

The Asset Details Standard Report opens by listing the asset name, IP address, operating system, and network, followed by all administrators assigned to the selected asset. Next, this report presents a graphic indicating the severity level of policy violations found on the selected asset. This is followed with a table listing all policy violations and vulnerabilities detected on the selected asset, along with Y/N fields indicating whether or not each is a new policy violation or vulnerability and whether or not there is a known fix.
A text description is provided for each policy violation and vulnerability, offering basic remediation information. Finally, the Asset Report features a table listing all services detected on the selected asset, providing the port number, protocol, and service name for each.

All operating system names on the Asset Report screen serve as links to the corresponding entries in the Operating System Overview screen. All network names serve as links to the corresponding Network Details screen. All administrator names serve as links to the corresponding Administrator Report, and you may click on an administrator’s email address to send email to the selected administrator. This screen also features a link to the Chronological View for the selected asset.

When available, CVE/BugTRAQ IDs will also be listed within the policy violation/vulnerability text descriptions. All CVE/BugTRAQ IDs will serve as links to the corresponding CVE/BugTRAQ page.

Note: The Asset Details Standard report is automatically filtered based on the asset that you selected to view. The Report Context Filter will not allow you to select a network group that does not contain the selected asset. To view the Asset Details Standard report for a different asset, return to the previous report and select that asset.

Click on the Go to Trending Report link to view the Asset Details Trending Report.

Figure 11-18 Sample Asset Details Standard report

Details Trending

The Asset Details Trending report opens by listing the asset name, IP address, operating system, and network, followed by all administrators assigned to the selected asset, and the analysis date. Next, a chart indicating the asset’s risk over time is displayed. This graph features a “View By” pull-down menu that allows you to switch between Assets and Dollars.
In Assets mode, this graph plots the severity level of policy violations and vulnerabilities found on the asset. In Dollars mode, this graph plots the severity of policy violations and vulnerabilities against the dollar value of the affected asset.

The second graph on the Asset Details Trending report illustrates the total number of vulnerabilities and policy violations found along with the number of remedied vulnerabilities and policy violations.

Next, the Asset Details Trending report provides a graph illustrating differential Average Time to Fix data.

Figure 11-19 Sample Asset Details Trending report

Note: The Asset Details Trending report is automatically filtered based on the asset that you selected to view. The Report Context Filter will not allow you to select a network group that does not contain the selected asset. To view the Asset Details Trending report for a different asset, return to the previous report and select that asset.

Trending

The Assets Trending report opens with a chart indicating the assets’ risk over time. This graph features a “View By” pull-down menu that allows you to switch between Assets and Dollars. In Assets mode, this graph plots the severity level of policy violations and vulnerabilities found on the asset. In Dollars mode, this graph plots the severity of policy violations and vulnerabilities against the dollar value of the affected asset.

Figure 11-20 Sample Asset Trending report

The second graph on the Asset Trending report illustrates the total number of vulnerabilities and policy violations found along with the number of remedied vulnerabilities and policy violations.

Next, the Asset Trending report provides a graph illustrating differential Average Time to Fix data.
The Narrow by Asset field allows you to refine the data included in this report based upon IP addresses or asset name substrings. See the “Using the Narrow by Asset Control” section presented earlier in this chapter for details about working with the Narrow by Asset control.

Chronological View Report

The Chronological View provides information about scans, vulnerability history, administrator history, and network association specific to the selected asset.

The asset name, IP address, operating system, and network are listed at the top of the Chronological View page, followed by all administrators assigned to the selected asset. A chronological listing of all assessments performed upon the asset follows, then a table listing all vulnerabilities, the date they were found, and the date they were fixed. Clicking on the Vulnerability, Date Found, or Date Fixed column headings will re-sort the Vulnerabilities table according to the selected element.

Figure 11-21 Sample Chronological View report

Operating System Report

The Operating System reports provide detailed information about the usage of all operating systems found in the selected Analysis.

Overview

The Operating System Overview report opens with a pie chart that breaks down all operating systems found on the assessed network group by percentage. This is followed with a table indicating the number of assets, number of vulnerabilities, percentage of vulnerabilities, new vulnerabilities, and average time to fix for each operating system. The average time to fix is calculated based on the date that policy violations and vulnerabilities are found versus the date they are reported fixed in the remediation system. Clicking on the Operating System, Assets, Vulnerabilities, or Average Time to Fix column headings will re-sort the table according to the selected element.
All operating system names on the Operating System Overview serve as links to the corresponding Operating System Details report.

Figure 11-22 Sample Operating System Overview report

Standard

The standard Operating System Details report opens with a pie chart and a bar graph indicating basic compliance information. Next is another pie chart that presents the percentage of all operating systems found in the selected Analysis. This is followed with a table listing all assets in the assessed network group, organized by operating system. This table includes asset name, IP address, operating system version, and the number of policy violations and vulnerabilities discovered. Clicking on the Asset Name, IP Address, Violations, or Vulnerabilities column headings will re-sort the table according to the selected element.

All asset names and IP addresses on the Operating System Details screen serve as links to the corresponding Asset report.

Figure 11-23 Sample Operating System Details Standard report

Trending

The first graph on the trending version of the Operating System Details report charts assets at risk. This graph features a “View By” pull-down menu that allows you to switch between Assets and Dollars. In Assets mode, this graph plots the severity level of policy violations and vulnerabilities found on the network. In Dollars mode, this graph plots the severity of policy violations and vulnerabilities against the dollar value of the affected assets.

The second graph on the trending version of the Operating System Details report illustrates the total number of vulnerabilities and policy violations found along with the number of remedied vulnerabilities and policy violations.

Next, the trending version of the Operating System Details report provides a graph illustrating differential Average Time to Fix data.
Figure 11-24 Sample Operating System Details Trending report

Task Reports

The Task reports provide current information about the status of all remediation tasks addressing policy violations and vulnerabilities in the selected Analysis.

Task Aging Summary

The data displayed on the Task Aging Summary report is driven by the active Enterprise Group. In addition, only remediation tasks that have not been resolved are considered. The report displays charts and associated tables for Overdue Tasks, Days since Found, and Days since Assigned. No additional content authorization is done for this report.

Overdue Tasks

The Overdue Tasks chart displays the number of tasks that are past due. A remediation task is considered past due if it has not been resolved by the associated due date.

Days Since Found

The Days Since Found chart groups tasks by how many days have elapsed since the underlying issue was first found.

Days Since Assigned

The Days Since Assigned chart groups tasks by how many days have elapsed since the task was last assigned (i.e. if a task is reassigned, then the chart will show the number of days since the task was reassigned).

Task Rollup Reports

The task rollup reports display vulnerability-type and violation-type remediations rolled up by Network Group. This report is enterprise group centric. See the “Security Risk Dashboard” chapter for details about enterprise group centric data.

Note: If you are a member of the Super User group, then all network groups are displayed. Otherwise, only network groups made up completely of networks that are within the range of the network permissions of the groups to which you belong are displayed.

Rollup by Violation

The Task Rollup by Violation report displays the violation-type remediations rolled up for the given network groups.
The following columns are displayed on this report:

» Network Group – The name of the network group associated with the violations
» Violation – The name of the violation
» Assets – The number of assets that have the violation
» Severity – The average severity for this violation on the current Network Group
» Priority – The average priority for this violation on the current Network Group
» Exposure – The sum of all host values and operational impacts for the network group and this violation
» New – The % of the tasks that are in an “unassigned” state and not overdue
» Assigned – The % of the tasks that are in the assigned state and not overdue
» Overdue – The % of the tasks that are overdue

Rollup by Vulnerability

The Task Rollup by Vulnerability report displays the vulnerability-type remediations rolled up for the given network groups. The following columns are displayed on this report:

» Network Group – The name of the network group associated with the vulnerabilities
» Violation – The name of the vulnerability
» Assets – The number of assets that have the vulnerability
» Severity – The average severity for this vulnerability on the current Network Group
» Priority – The average priority for this vulnerability on the current Network Group
» Exposure – The sum of all host values and operational impacts for the network group and this vulnerability
» New – The % of the tasks that are in an “unassigned” state and not overdue
» Assigned – The % of the tasks that are in the assigned state and not overdue
» Overdue – The % of the tasks that are overdue

Standard

The standard Task report opens with two pie charts illustrating Remediation Status Overview and Remediation Status Per OS.
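The Task Aging Summary charts and the Task Rollup columns listed above are aggregations over the set of open remediation tasks. The following is an added example of how such a rollup can be computed; it is not Preventsys code and does not reproduce the product's own calculation. The Task fields, the 1 to 5 severity and priority scale, the day buckets used for the aging charts, the split of Exposure into a host value and an operational impact per task, and the rule that only unresolved tasks are rolled up are all assumptions made for the example; the task data is constructed.

```python
"""Remediation-task aging buckets and per-network-group rollup columns.

Added illustration for this guide; it is not Preventsys code. Task fields,
the 1-5 severity/priority scale, the day buckets and the rule that only
unresolved tasks are rolled up are assumptions made for the example."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Task:
    network_group: str
    violation: str
    asset: str
    found: date                  # date the underlying issue was first found
    assigned: Optional[date]     # most recent (re)assignment; None = unassigned
    due: date
    severity: int                # 1 (low) .. 5 (high), assumed scale
    priority: int                # 1 (low) .. 5 (high), assumed scale
    host_value: float            # dollar value of the asset (assumed field)
    operational_impact: float    # operational impact in dollars (assumed field)
    resolved: bool = False


TODAY = date(2006, 3, 15)  # fixed "now" so the constructed data is reproducible

# Constructed sample tasks: one network group with an overdue, a new and an
# assigned task for the same violation, plus one open and one resolved task
# in a second network group.
TASKS: List[Task] = [
    Task("DMZ", "Telnet enabled", "web1", date(2006, 1, 10), date(2006, 2, 1),
         date(2006, 3, 1), 4, 3, 5000, 1000),
    Task("DMZ", "Telnet enabled", "web2", date(2006, 3, 10), None,
         date(2006, 4, 10), 4, 3, 3000, 500),
    Task("DMZ", "Telnet enabled", "mail1", date(2006, 2, 20), date(2006, 3, 5),
         date(2006, 4, 5), 2, 3, 2000, 500),
    Task("Corporate LAN", "Telnet enabled", "fs1", date(2006, 2, 1), date(2006, 2, 15),
         date(2006, 3, 20), 3, 2, 8000, 2000),
    Task("Corporate LAN", "Telnet enabled", "fs2", date(2006, 1, 3), date(2006, 1, 5),
         date(2006, 2, 1), 3, 2, 8000, 2000, resolved=True),
]


def is_overdue(task: Task, today: date = TODAY) -> bool:
    """A task is past due when it is still unresolved after its due date."""
    return not task.resolved and today > task.due


def days_bucket(days: int) -> str:
    """Age bucket for the Days Since Found / Days Since Assigned charts (assumed cut-offs)."""
    if days <= 7:
        return "0-7"
    if days <= 30:
        return "8-30"
    if days <= 90:
        return "31-90"
    return "90+"


def aging_summary(tasks: List[Task], today: date = TODAY) -> Dict[str, object]:
    """Task Aging Summary: only unresolved tasks are considered."""
    open_tasks = [t for t in tasks if not t.resolved]
    return {
        "overdue": sum(is_overdue(t, today) for t in open_tasks),
        "days_since_found": dict(Counter(days_bucket((today - t.found).days)
                                         for t in open_tasks)),
        # unassigned tasks have no assignment date and fall outside this chart
        "days_since_assigned": dict(Counter(days_bucket((today - t.assigned).days)
                                            for t in open_tasks if t.assigned is not None)),
    }


def rollup_by_violation(tasks: List[Task], today: date = TODAY) -> List[Dict[str, object]]:
    """One row per (Network Group, Violation) with the columns the guide lists."""
    groups: Dict[tuple, List[Task]] = defaultdict(list)
    for t in tasks:
        if not t.resolved:
            groups[(t.network_group, t.violation)].append(t)
    rows = []
    for (network_group, violation), ts in sorted(groups.items()):
        n = len(ts)
        overdue = sum(is_overdue(t, today) for t in ts)
        new = sum(t.assigned is None and not is_overdue(t, today) for t in ts)
        assigned = sum(t.assigned is not None and not is_overdue(t, today) for t in ts)
        rows.append({
            "network_group": network_group,
            "violation": violation,
            "assets": len({t.asset for t in ts}),   # distinct assets with the violation
            "severity": round(sum(t.severity for t in ts) / n, 2),
            "priority": round(sum(t.priority for t in ts) / n, 2),
            "exposure": sum(t.host_value + t.operational_impact for t in ts),
            "new_pct": round(100 * new / n, 1),
            "assigned_pct": round(100 * assigned / n, 1),
            "overdue_pct": round(100 * overdue / n, 1),
        })
    return rows


if __name__ == "__main__":
    print(aging_summary(TASKS))
    for row in rollup_by_violation(TASKS):
        print(row)
```

The New, Assigned and Overdue percentages of a row always sum to 100 because overdue is tested first and the other two states are defined as "not overdue", which is the reading the column definitions above imply.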
This is followed with a pair of tables tracking both pending and resolved policy violations and vulnerabilities, indicating the affected asset and IP addresses as well as the date upon which each policy violation or vulnerability was found.

Note: The Date Found is the date the violation or vulnerability was first found by the system, across all analyses and regardless of assessment configuration.

All violation and vulnerability names on the standard Task report screen serve as links to the corresponding Remediation Details screen. See the “Remediations” chapter for details about the Remediation Details screen.

Figure 11-25 Sample Task Standard report

Trending

The first graph on the trending version of the Task report charts remediation status. This graph features data points indicating the number of remediation tasks Verified, Claimed Resolved, False Positive, Accepted Risk, Unresolved, and Unassigned.

Next, the trending version of the Task report provides a graph illustrating differential Average Time to Fix data.

Figure 11-26 Sample Task Trending report

Task Recipient Report

The Task Recipient reports provide current information about the status of all administrators and their corresponding remediation tasks, including policy violations, Manual Audit Task violations, and vulnerability type remediation tasks.

Overview

The Task Recipient Overview screen presents a list of all users who have the “resolve remediation” permission.

Note: If a Remediator has remediation tasks assigned to them for hosts that are within the range of networks that you can view, then the Remediator’s name will also be a link to the corresponding Task Recipient Details Standard Report.
Figure 11-27 Sample Task Recipient Overview report

Standard

To view details about a recipient’s tasks, select a recipient from the Select Task Recipient dropdown list, and click Refresh.

Note: The Select Task Recipient dropdown presents a list of all users who have the “resolve remediation” permission. If a Remediator has remediation tasks assigned to them for hosts that are within the range of the networks that you can view, then that data will be displayed. Otherwise, you will receive a message notifying you that no data that you are authorized to view was found for the selected user.

The Standard Task Recipient Details report displays two pie charts illustrating Remediation Status Overview and Remediation Status by OS. These are followed with tables tracking both pending and resolved policy violations and vulnerabilities, indicating the affected asset and IP address as well as the date upon which each policy violation or vulnerability was found.

Note: If you are a member of the Super User group, then all the applicable tasks are displayed. Otherwise, only the applicable tasks associated with hosts that are within the range of the network permissions of the groups to which you belong are displayed. In addition, “all” Manual Audit Task violations are displayed regardless of your group permissions.

Figure 11-28 Sample Task Recipient Details Standard report

Trending

To view trending data about a recipient’s tasks, select the Start and End date ranges, select a recipient from the Select Task Recipient dropdown list, and click Refresh.

Note: The Select Task Recipient dropdown presents a list of all users who have the “resolve remediation” permission. If a Remediator has remediation tasks assigned to them for hosts that are within the range of the networks that you can view, then that data will be displayed.
Otherwise, you will receive a message notifying you that no data that you are authorized to view was found for the selected user.

The Task Recipient Details Trending report displays trending data about the selected recipient’s tasks during the period you specify.

Note: If you are a member of the Super User group, then all the applicable tasks are displayed. Otherwise, only the applicable tasks associated with hosts that are within the range of the network permissions of the groups to which you belong are displayed. In addition, “all” Manual Audit Task violations are displayed regardless of your group permissions.

The first graph charts remediation statuses over time. This graph features data points indicating the number of remediation tasks Verified, Claimed Resolved, False Positive, Accepted Risk, Unresolved, and Unassigned. The next graph illustrates differential Average Time to Fix data.

Figure 11-29 Task Recipient Details Trending report

Compliance Overview Report

The Compliance Overview report presents basic compliance data derived from the number of violations, rules, and assets associated with the selected analysis. The Compliance Overview report features a bar graph indicating Violations Per Rule and a table indicating the number of assets that passed and failed for each individual rule associated with the selected Analysis.

Figure 11-30 Sample Compliance Overview report

Comparative Compliance Report

The Comparative Compliance report allows for the comparison of multiple analyses, and for the viewing of more than one report/analysis combination at once. The Comparative Compliance report features a modified Analysis dropdown with an Add button that allows for the selection of multiple analyses, as well as a control for switching between Overall Compliance view and Detailed Compliance view.
In the Overall Compliance view, a series of pie charts indicate the compliance level of each selected analysis. Beneath this is an asset table indicating the Asset Name, IP Address, OS, the number of Violations, and the number of Vulnerabilities.

Figure 11-31 Sample Comparative Compliance report “Overall Compliance” view

In the Detailed Compliance view, a series of bar charts indicate the number of Violations, Vulnerabilities, Compliant Assets, and Total Assets. Beneath this is an asset table indicating the Asset Name, IP Address, OS, the number of Violations, and the number of Vulnerabilities. Clicking on the Asset Name, IP Address, OS, Violation, or Vulnerabilities column headings will re-sort the table according to the selected element.

All asset names on the Comparative Compliance Report screen serve as links to the corresponding Asset report. All operating system names serve as links to the corresponding OS report.

Figure 11-32 Sample Comparative Compliance report “Detailed Compliance” view

Exposure Overview Report

The Exposure Overview report is designed to tell administrators how long a particular bug has existed on the system. Whenever a policy violation or vulnerability is found during scan analysis, the Preventsys SRM System will reference prior scans of the affected network group in reverse chronological order to calculate how long the system has been exposed.

The CVE/BugTraq date indicates the date the bug was listed on CVE/BugTRAQ. This date is important because it represents how long the vulnerability has been in general release, significantly increasing the risk associated with exposure.

The Exposure Overview Report includes a table for each asset listing policy violations and vulnerabilities, exposure date, remediation assignments, and remediation status.
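The exposure calculation described above (walking prior scans of the network group in reverse chronological order) and the Operating System Overview's average time to fix (date found versus date reported fixed in the remediation system) both derive from the same scan history. The following is an added example, not Preventsys code, of both calculations over a constructed scan history. It assumes that a scan in which the finding is absent ends the exposure run, so a finding that was fixed and later reintroduced counts as exposed only since its reintroduction, and it takes the reported-fixed dates from a constructed table standing in for the remediation system. The finding identifiers VULN-A to VULN-D, asset names and dates are all constructed.

```python
"""Exposure date from a reverse-chronological scan walk, and average time to
fix per operating system.

Added illustration for this guide; it is not Preventsys code. The scan
history, asset list and reported-fixed dates are constructed."""
from collections import defaultdict
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

ScanHistory = List[Tuple[date, Dict[str, Set[str]]]]

# Constructed scan history for one network group, oldest first: each entry
# maps asset name -> set of finding identifiers observed in that scan.
SCANS: ScanHistory = [
    (date(2006, 1, 5),  {"web1": {"VULN-A", "VULN-C"}, "web2": {"VULN-B", "VULN-D"}}),
    (date(2006, 1, 20), {"web1": {"VULN-A", "VULN-B", "VULN-C"}, "web2": {"VULN-D"}}),
    (date(2006, 2, 5),  {"web1": {"VULN-B"}, "web2": {"VULN-B"}}),
    (date(2006, 2, 20), {"web1": {"VULN-B"}, "web2": {"VULN-B"}}),
]

ASSET_OS = {"web1": "Linux", "web2": "Windows"}

# Constructed "reported fixed" dates, standing in for the remediation system.
FIXED: Dict[Tuple[str, str], date] = {
    ("web1", "VULN-A"): date(2006, 2, 1),
    ("web1", "VULN-C"): date(2006, 2, 3),
    ("web2", "VULN-D"): date(2006, 1, 28),
}


def exposure_date(asset: str, finding: str, scans: ScanHistory, as_of: date) -> Optional[date]:
    """Walk scans dated on or before as_of, newest first, and return the date of
    the earliest scan in the unbroken run in which the finding was present on
    the asset. Returns None if the finding is absent from the latest scan.
    A scan without the finding ends the run (assumption): a finding that was
    fixed and reintroduced is exposed only since its reintroduction."""
    start = None
    for scan_date, assets in sorted(scans, key=lambda s: s[0], reverse=True):
        if scan_date > as_of:
            continue
        if finding in assets.get(asset, set()):
            start = scan_date
        else:
            break
    return start


def exposure_days(asset: str, finding: str, scans: ScanHistory, as_of: date) -> Optional[int]:
    """Days the asset has been continuously exposed to the finding as of as_of."""
    start = exposure_date(asset, finding, scans, as_of)
    return None if start is None else (as_of - start).days


def first_found(asset: str, finding: str, scans: ScanHistory) -> Optional[date]:
    """Date Found: the earliest scan in which the finding was ever seen on the asset."""
    for scan_date, assets in sorted(scans, key=lambda s: s[0]):
        if finding in assets.get(asset, set()):
            return scan_date
    return None


def average_time_to_fix(scans: ScanHistory, fixed: Dict[Tuple[str, str], date],
                        asset_os: Dict[str, str]) -> Dict[str, float]:
    """Average days from Date Found to the reported-fixed date, grouped by OS."""
    days_by_os: Dict[str, List[int]] = defaultdict(list)
    for (asset, finding), fixed_on in fixed.items():
        found = first_found(asset, finding, scans)
        if found is None or fixed_on < found:
            continue  # no matching observation, or fix reported before discovery: skip
        days_by_os[asset_os.get(asset, "Unknown")].append((fixed_on - found).days)
    return {os_name: round(sum(d) / len(d), 1) for os_name, d in days_by_os.items()}


if __name__ == "__main__":
    today = date(2006, 2, 20)
    for asset in ASSET_OS:
        for finding in sorted(SCANS[-1][1][asset]):
            print(asset, finding, "exposed since", exposure_date(asset, finding, SCANS, today),
                  "=", exposure_days(asset, finding, SCANS, today), "days")
    print("average time to fix by OS:", average_time_to_fix(SCANS, FIXED, ASSET_OS))
```

In the constructed data VULN-B disappeared from web2 in the 20 January scan and reappeared on 5 February, so its exposure date is 5 February rather than 5 January; Date Found, used for the time-to-fix average, is still the earliest observation, which mirrors the Date Found note for the Task report.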
It also provides a description for policy violations and a CVE/BugTRAQ date for vulnerabilities. Vulnerability listings also include links to associated entries on the official CVE site when available.

Figure 11-33 Sample Exposure Overview report

Services Report

The Services report provides detailed information about selected services. The Services report opens with a chart indicating the Top 10 Services found in the selected Analysis. This is followed with a table listing all services discovered, their port numbers, protocols, service names, product guesses, and the number of assets on which they are active.

Figure 11-34 Sample Services report

All Service Names on the Services report screen serve as links to the corresponding entries in the Services Details report. The Services Details report lists the service name and port, along with its banner information, followed by a table listing all assets that are running the selected service and their IP addresses. All asset names and IP addresses on the Services Details screen serve as links to the corresponding Asset report. The Services Details page also provides links to banner information when available.

Figure 11-35 Sample Services Details

Wireless Access Points Report

The Wireless Access Points report provides detailed information about all machines using wireless networking in the selected Analysis. The Wireless Access Points report presents a table listing each unknown access point’s SSID (Source Station Identifier), a Y/N field indicating whether or not its IP is known, Wireless Channel, WEP (Wired Equivalent Privacy), and BSSID (Basic Service Set Identifier), plus an additional Y/N field indicating whether or not the access point is Active.

The SSID represents a unique name or identifier for each wireless access point.
If a hidden access point is identified but not decloaked, then the report will display “(SSID is Blank)” in the SSID column. If a hidden access point is identified and decloaked, then the system will display “<SSIDstring> (Cloaked)” in the SSID column.

WEP returns a value of “On” or “Off” to indicate the status of WEP security. BSSID represents the MAC address of the wireless access point.

Figure 11-36 Sample Wireless Access Points report

All SSIDs on the Wireless Access Points report serve as links to the corresponding Wireless Access Point Details report. The Wireless Access Point Details report presents detailed information about the selected access point. In addition to the basic information provided on the overview screen, the Wireless Access Point Details report provides information about WEP key size, Beacon Interval, MAC filtering, Signal, Noise, and Rates. It also indicates when the access point was First Seen and Last Seen, as well as Last Disappearance, Last Reappearance, and the total number of disappearances and reappearances.

Figure 11-37 Sample Wireless Access Points Details report

Saving Rendered Reports

Reports can be saved either by saving them as a PDF or by publishing them for viewing later in the Preventsys SRM System as HTML.

Publishing a Report

The Publish function allows you to save any report in the Preventsys SRM System with its associated report context as HTML. Publishing reports in this manner allows for the quick retrieval of selected reports without the use of the Report Context controls.

When a report is published, it will always reflect the active Enterprise Group regardless of what Enterprise Group was active when the report was published. To save a record of the report based on the current and active enterprise group, use the Save as PDF feature.
When publishing a report, only the report context is saved; the state of remediation tasks at that time is not saved. Therefore, the published report will always display the current state. To save a record of the report based on the state of remediation tasks at a specific time, use the Save as PDF feature.

To publish a report

1 Select Reports on the main menu and then select a specific report type.
2 The report you selected is displayed.
3 Click the Publish link located in the Report Context area.
4 The Publish Report screen is displayed.
5 Enter a Published Report Name (35 characters maximum).
6 Enter Comments (250 characters maximum).
7 Click Submit to save the published report.

Viewing Published Reports

The View Published Reports function allows you to view any previously published report in the Preventsys SRM System as HTML.

Note: If you are a member of the Super User group, then all published reports are displayed. Otherwise, only published reports associated with network groups made up completely of networks that are within the range of the network permissions of the groups to which you belong are displayed.

To view a published report

1 Click Reports > Published Reports. The View Published Reports screen is displayed.
2 Click the link corresponding to the Name of whichever report you wish to view. The selected report is displayed.

Deleting Published Reports

The Delete Published Reports function allows you to delete published reports in the Preventsys SRM System.

Note: You can only delete published reports that you created.

To delete a published report

1 Click Reports > Published Reports. The View Published Reports screen is displayed.
2 Click the Delete checkboxes corresponding to the Name of whichever reports you wish to delete.
3 Click the Delete button. The selected reports will be deleted.
CHAPTER 12 System Updates

The Preventsys Update Propagation System (PUPS) allows for the upload, download, deployment, and rollback of Preventsys SRM System component updates.

Note: You need a username and password to log into the Customer Support System. Please contact Customer Support to set up an account.

Basic Update Steps

The basic steps for updating the Preventsys SRM System are as follows:

1 Check the Preventsys Support System for new updates.
2 Download the update file to any system accessible by the system running the Administrative Client.
3 Upload the update file from the Administrative Client to the Enterprise Security Management Server.
4 Apply the new update.
5 If necessary, you may roll back the update to return to the previous version.

As part of the update process, you will have an opportunity to set the configuration parameters for all components included in the update. Please refer to the release notes included with the update for additional information prior to altering the default configuration parameters.

About Maintenance Mode

When the update is initiated, the system will enter Maintenance Mode. Once the system enters Maintenance Mode, all pending assessments will be completed but no new assessments will be initiated.

Note: The system will remain in Maintenance Mode until the update is completed. If the pending assessments are not completed within 24 hours (default setting), the update will not complete successfully and the system will remain in its current state.

Only Super Users will be able to log in and access the system when it is in Maintenance Mode. All non-Super Users will be automatically logged out of the system as soon as it enters Maintenance Mode.

Note: Do not modify any system data once the system enters Maintenance Mode. Altering system data at this time may result in an unsuccessful update.
Once the update is completed, PUPS will automatically restart all system components that require a reboot for the update to take effect. Note that this may temporarily disrupt the Administrative Client’s access to the Enterprise Security Management Server.

Update Failure

If an update fails, PUPS will restore the system to the latest successful state. Any time an update fails, the update must be uploaded to the Enterprise Security Management Server again prior to initiating another attempt at applying the update.

In the event of an unsuccessful update or rollback procedure that results in the Manage System Updates screen being out of sync or other system problems, please contact Preventsys Customer Support for assistance.

Checking for a New System Update

A Preventsys customer support username and password are required in order to access the Preventsys Support System. Please contact Preventsys Customer Support to obtain a username and password.

Note: The system running the browser-based Administrative Client must have access to the Internet in order to download system updates.

To check for new system updates

1 Click Help > Support. The Preventsys Support System login screen is displayed in a new window.
2 Enter the Username.
3 Enter the Password.
4 Click Login. The Preventsys Welcome screen is displayed.
5 Click the Download Center link on the left side of the screen.
6 Click the Product folder.
7 Click the Preventsys folder.
8 Click the folder that corresponds to the version of the product you are interested in to display all of the updates available for that version.
9 You may click any update name to open a download dialog, then click Save and use the file browser to select a location for the .jar file.

System updates are downloaded from the Preventsys Support System Web site in .jar file format.
Uploading and Applying a System Update

Once you have downloaded an update in .jar file format from the Preventsys Support System Web site, you may upload it to the Enterprise Security Management Server and apply it to the appropriate components.

To upload and apply a system update

1 Click Admin > System Updates. The System Updates screen is displayed.
2 If you have any updates waiting to be applied, they are displayed on this screen.
3 Click the Browse button and select the desired system update file.
4 Click Upload to upload the file to the Enterprise Security Management Server. Once the upload is complete, the screen refreshes with the update queued for application.

Note: Uploading the update .jar file to the Enterprise Security Management Server may take some time. Do not log out or close the Administrative Client’s browser window while the upload is in progress.

5 Click Apply Now to initiate the update process. The Review Contents screen is displayed, listing a Module Name, Description, and Version for each component included in the update.
6 Click Next. The Set Configuration Parameters screen is displayed, listing the configuration parameters for each component included in the update.
7 Edit the configuration parameters as necessary. Refer to the release notes accompanying the update package for details on each configuration parameter before modifying the default values. The Reset button restores the configuration parameter defaults.
8 Click Next.
9 Review the Update Confirm screen, which lists any pending assessments that will be completed prior to the update, as well as the names of any logged-in users who lack Super User access.

Note: Once the update process is initiated, the system transitions to Maintenance Mode.
The pending assessments listed on the Update Confirm screen will be allowed to complete, but no new assessments will be initiated. In addition, the non-Super Users listed on the Update Confirm screen will be logged out automatically.

10 For minor updates, the Save System Archive checkbox is selected by default. You may deselect it if you do not wish to save a temporary archive of the current system. IF YOU DO NOT SAVE AN ARCHIVE OF THE CURRENT SYSTEM, YOU WILL NOT BE ABLE TO ROLL BACK TO IT LATER.

Note: For major updates, the system archive is saved automatically.

11 Click Update to apply the update. The Update Initiated screen is displayed and the system enters Maintenance Mode while applying the update.
12 Click Next to continue. The Preventsys Main Menu is displayed in Maintenance Mode.

All members of the Super User group receive a confirmation email once the update is complete.

Note: Do not modify any system data while the update is pending. Once the update is completed, the system restarts automatically if necessary and full functionality is restored.

Rolling Back a System Update

Once an update has been applied, the rollback feature may be used to return the Preventsys SRM System to the previous version.

Note: The Rollback System Update function can only return the Preventsys SRM System to the last successful state.

To roll back a system update

1 Click Admin > System Updates.
2 Click the Rollback to previous version link. The Rollback Confirm screen is displayed, listing any pending assessments that will be completed prior to the rollback procedure, as well as the names of any logged-in users who lack Super User access.

Note: Once the rollback process is initiated, the system transitions to Maintenance Mode. The pending assessments listed on the Rollback Confirm screen will be allowed to complete, but no new assessments will be initiated.
In addition, the non-Super Users listed on the Rollback Confirm screen will be automatically logged out.

3 Click Rollback to initiate the rollback process. The Rollback Initiated screen is displayed and the system enters Maintenance Mode while implementing the rollback.
4 Click Next to continue. The Preventsys Main Menu is displayed in Maintenance Mode.

All Super Users receive a confirmation email once the rollback is complete.

190 PREVENTSYS™ SRM USER’S GUIDE APPENDIX A | INSTANCE CONFIGURATIONS

APPENDIX A Instance Configurations

As discussed in the “Assessment Servers and Instance Configurations” chapter, an Instance Configuration is a static set of parameters for a particular installation of an assessment tool supported by the Preventsys Assessment Server. An Instance Configuration’s parameters are generally used to allow an Assessment Server to connect to, and, if needed, authenticate to a particular installation of the assessment tool. For example, if the same tool were installed in three different locations, each of those installations would have its own instance configuration.

This appendix presents specific information about the assessment tools supported by the Preventsys SRM System. For steps on adding assessment servers and instance configurations, see the “Assessment Servers and Instance Configurations” chapter.

Preventsys has also published its connector API, so that anyone can add support for additional software. Contact Preventsys Support for information about the API.

For a current list of connectors supported by Preventsys, click the “Supported Connectors List” link available on the Assessment Server Management screen and on the Import Assessment Data screen.

Figure 12-1.
Example of the Preventsys Supported Connectors List. This list is updated regularly as new connectors are supported.

When adding an instance configuration to an Assessment Server, you will be asked for the information the system requires to connect to that instance. The assessment tool’s username and password, and its IP address and port number, are some of the types of information that may be required. You can also specify an affinity and associated weight for an instance. See the “Assessment Servers and Instance Configurations” chapter for details about affinity and weight.

The following assessment tools are supported for conducting assessments within the Preventsys SRM System:

» AppDetective by Application Security
» Dynamic Address Resolution Connector by Preventsys
» FoundScan by Foundstone
» ISS Internet Scanner by Internet Security Systems
» ISS SiteProtector by Internet Security Systems
» Microsoft Baseline Security Analyzer by Microsoft
» Nessus by Tenable Network Security
» Network Architecture Assessor by Preventsys
» Nmap by Insecure.Com
» QualysGuard by Qualys
» Retina Network Security Scanner by eEye Digital Security
» WiFi by Preventsys
» WinReg by Preventsys

You can view a description of each field on the instance configuration screens by positioning your mouse over the desired field.

Figure 12-2. Example of Help text displayed on the Nessus Instance Configuration screen

About Third-Party Connectors

Preventsys makes its API available for writing third-party connectors. You can then connect to them from the Assessment Server, and therefore run assessments with them using the Preventsys SRM System.

Note: See your Preventsys Support Representative for details about writing third-party connectors.

Figure 12-3.
Sample Third-Party Instance Configuration screen

AppDetective Instance Configuration

To add an instance of AppDetective, you must have a licensed version of AppDetective. Enter the information requested on the AppDetective Instance Configuration screen.

» AppDetective connector address – Enter the IP or hostname of the AppDetective connector
» AppDetective connector port – Enter the port of the AppDetective connector

Dynamic Address Resolution Instance Configuration

The Dynamic Address Resolution Connector (DARC) is run automatically in the background by the system during assessments. You must create an instance configuration for it, but you do not need to create a connector configuration. This connector is only necessary in Dynamic Host Configuration Protocol (DHCP) environments. DARC is also used during WiFi scans, where it attempts to ascertain the IP addresses of the wireless access points discovered during scanning.

DARC provides consistent address resolution for correlating host information across changing (DHCP-assigned) IP addresses by tracking each host by the MAC address of its network interface controller (NIC). By using the Dynamic Target Address Resolution Protocol (DTARP) to report the correlation between IP addresses and host identity, the system is able to recognize the same physical host regardless of IP changes due to DHCP.

DARC can be configured to use any network interface controller (NIC) installed on the DARC server. If a DARC server is attached to two subnets, 10.1.1.0/24 and 10.2.2.0/24, DARC will use DTARP on each of these interfaces.

DARC uses three basic techniques, all of them automatically: it is always sending ARP requests to obtain MAC addresses for hosts on the same subnet, sending NetBIOS queries to hosts on other subnets, and watching for DHCP traffic.
» Address Resolution Protocol (ARP) – DARC instances send ARP requests to every IP address in the subnets DARC has been configured to use. This process is very accurate, but is limited because DARC servers need an interface physically attached to every subnet where DHCP is used.
» NetBIOS Querying – DARC instances attempt to use the NetBIOS protocol to obtain MAC addresses. This process works across subnets, unlike ARP, but it only works against Microsoft Windows hosts whose NetBIOS name service port (UDP port 137) is unfiltered.
» Passive DHCP analysis – MAC addresses may also be gathered from DHCP packets. This process allows a single DARC instance to gather MAC addresses from a particular DHCP server. For this technique to work, DARC must be able to capture the DHCP packets. In most environments, DHCP servers are connected to switches, which prevent DARC from seeing the necessary packets. In this situation, one of two configuration changes must be made. One option is to configure the switch with a Switch Port Analyzer (SPAN) or mirrored port so that all traffic from the DHCP server is also sent to the DARC server. The other option is to place the DHCP server and the DARC server on the same hub; unlike switches, hubs repeat any packets received to each of their ports.

To add an instance of DARC, enter the information requested on the DARC Instance Configuration screen.

» Select the interfaces on which you want DARC to listen. The interfaces available on the machine running DARC are listed.

Retina Instance Configuration

To add an instance of Retina, you must have a licensed version of Retina. Enter the information requested on the Retina Instance Configuration screen.
» Hostname/IP – Enter the hostname or IP on which Retina is running
» Port – Enter the port on which Retina is listening

Note: While you can select either Retina 4.9 or Retina 5.0 from the menu, you should select only one version and install it on all of your Assessment Servers. Do not install different versions.

FoundScan Instance Configuration

To add an instance of FoundScan, you must also have a licensed version of FoundScan. Enter the information requested on the FoundScan Instance Configuration screen.

» Hostname/IP – Enter the hostname or IP on which FoundScan is running
» Port – Enter the port on which FoundScan is listening
» Organization – Enter the name of the organization associated with the FoundScan account
» User – Enter the username for the FoundScan account
» Password – Enter the password for the FoundScan account
» Communications – Select Use SSL
» CA Public Cert – Enter the CA public cert. When you install FoundScan, a certificate authority (CA) certificate in PEM format is installed in a file called TrustedCA.pem. Paste the contents of this file into the CA Public Cert text box. This certificate allows the Preventsys FoundScan Connector to authenticate the identity of the FoundScan server.
» Valid Public Key and Private Cert – Enter the client certificate and private key. When you install FoundScan, in addition to the TrustedCA.pem file, it generates a client certificate. Paste one of these communications certificates in PEM format; it contains a private key and a certificate that has been signed by the CA Public Cert above. Because this text box holds a private key, treat it with the same care as the account password. More information can be found in your FoundScan documentation.

ISS Internet Scanner Instance Configuration

The Preventsys SRM System provides support for the ISS SiteProtector assessment tool as a subordinate network fact-collection module.
The ISS SiteProtector instance must be controlling one or more ISS Internet Scanner 7.x instances to collect vulnerability data and basic facts about the hosts.

To add an instance of Internet Scanner, you must also have a licensed version of Internet Scanner. Enter the information requested on the Internet Scanner Instance Configuration screen.

» Hostname/IP – Enter the hostname or IP on which ISS Internet Scanner is running
» Port – Enter the port on which the ISS Internet Scanner is listening
» Scanner Instance – Enter the sensor instance name of the ISS Internet Scanner

One or more instances of ISS Internet Scanner 7.x are also supported as a standalone assessment module independent of ISS SiteProtector. This module may be used instead of Nessus and Nmap, but does not provide data comparable to the other plug-in modules.

The ISS Internet Scanner 7.0 connector is installed as a Windows service. By default, this service runs under the default service account. Following the installation of this scanner, you must use the Services control panel to assign this service to a user with sufficient security rights to use the ISS Internet Scanner 7.0 connector CLI (EngineMgr.exe, usually installed as C:\Program Files\ISS\ScannerConsole\EngineMgr.exe).

You can configure the Windows service portion of ISS Internet Scanner by setting registry values on the Windows system where the Preventsys ISS Internet Scanner module is installed. These include:

» HKEY_LOCAL_MACHINE\SOFTWARE\Preventsys, Inc.\ISS7\Port – This registry value (REG_DWORD) accepts a number (0-65535). It is the port on which the ISS Internet Scanner 7.0 connector service listens for connections. If this value is 0 or nonexistent, a random port is used.

Note: This setting may be useful when routing through firewalls, etc.
» HKEY_LOCAL_MACHINE\SOFTWARE\Preventsys, Inc.\ISS7\dsn – This registry value (REG_SZ) identifies the database that ISS Internet Scanner 7.0 uses to store results. It should match the Data Source specified under Tools->Database Administration in the ISS Internet Scanner console.

ISS SiteProtector Instance Configuration

The Preventsys SRM System provides support for the ISS SiteProtector assessment tool as a subordinate network fact-collection module. The ISS SiteProtector instance must be controlling one or more ISS Internet Scanner 7.x instances. ISS SiteProtector can be used in addition to or instead of the Nessus/Nmap modules but does not provide comparable data.

To add an instance of SiteProtector, you must also have a licensed version of SiteProtector and its subcomponents. Enter the information requested on the SiteProtector Instance Configuration screen.

» Database username – Enter the username for the SiteProtector database
» Database password – Enter the password for the SiteProtector database
» Database address – Enter the address of the SiteProtector database
» Database port – Enter the port on which the SiteProtector database is listening
» Internet Scanner instance – Enter the name of the Internet Scanner sensor instance
» SP control WSM address – Enter the WSM address for the SiteProtector control instance
» SP control WSM port – Enter the WSM port on which the SiteProtector control instance is listening

Microsoft Baseline Security Analyzer Instance Configuration

To add an instance of MBSA, you must have a licensed version of MBSA. Enter the information requested on the MBSA Instance Configuration screen.

» Hostname/IP – Enter the hostname or IP on which MBSA is running
» Port – Enter the port on which MBSA is listening
» Run MBSA As User – Enter the username of an MBSA Administrator account.
When MBSA scans, it runs with the privileges of this account for the duration of the scan.
» Run MBSA As Password – Enter the password of the MBSA Administrator account named above.

Nessus Instance Configuration

The Nessus assessment tool provides vulnerability detection and network-based auditing checks. It uses the Nmap plug-in as well as its own database of plug-ins to collect vulnerability data and basic facts about hosts, their operating systems, exposed services and default configurations, for advanced reporting and policy compliance analysis by the Enterprise Security Management Server.

To add an instance of Nessus, enter the information requested on the Nessus Instance Configuration screen.

» Nessus username – Enter the username for Nessus
» Nessus password – Enter the password for Nessus
» Nessus IP – Enter the IP to which Nessus is bound
» Nessus Port – Enter the port on which Nessus is listening

Network Architecture Assessor Instance Configuration

The Preventsys Network Architecture Assessor (NAA) assessment tool tests the routing and filtering rules of gateway devices (firewalls, routers, etc.) and collects data for comprehensive perimeter policy checks. P2P Assessment is built in as part of the Network Architecture Assessor configuration, and tests the perimeter defense devices (routers and firewalls) for the possibility of rogue P2P protocols such as Kazaa, Direct Connect and BitTorrent. You will need the policies that contain rules associated with these protocols to view the results. Refer to the Preventsys SRM System Policy and Regulatory Guide for details.
To add an instance of Network Architecture Assessor, enter the information requested on the Network Architecture Assessor Instance Configuration screen. Enter the following for each NAA “Slave” accessible by this NAA:

» Slave Name – The name of the NAA slave accessible by this NAA
» Slave IP – The IP of the NAA slave accessible by this NAA
» Slave Netmask – The netmask of the NAA slave accessible by this NAA
» Slave Port – The port of the NAA slave accessible by this NAA
» Firewall IP – Enter the IP of the firewall this slave will be used to test
» NAT Network – Enter the NAT network if the source IP of packets sent to this slave will be NAT’d. Otherwise, leave blank.
» NAT Netmask – Enter the NAT netmask if the source IP of packets sent to this slave will be NAT’d. Otherwise, leave blank.

Nmap Instance Configuration

The Nmap assessment tool provides network discovery, OS fingerprinting, and port scanning. Nmap has no instance configuration parameters: to add an instance of Nmap, enter a connector name and any affinity desired, and select Submit.

WiFi Instance Configuration

The Preventsys WiFi assessment tool provides wireless access point detection and property enumeration (WEP, SSID, BSSID, MAC filtering, etc.) used to collect data for comprehensive Wireless Access policy assessment, including rogue and misconfigured access point identification and location.

To add an instance of WiFi, enter the information requested on the WiFi Instance Configuration screen.

» Device selection – Select which WiFi device you want used from the list of detected devices. If no WiFi devices are detected, a message is displayed.
» Channel Scanning Policy – Select which channel scanning policy you want used

Note: For the system to return data about wireless IPs, you must have a Dynamic Address Resolution Instance Configuration created before conducting your WiFi assessment.

Windows Registry Instance Configuration

The Preventsys Windows Registry (WinReg) assessment tool provides remote assessment of the Windows Registry in Windows domains, allowing policy analysis based on the existence, non-existence, and values of Windows Registry key entries for Windows-specific policies.

To add an instance of WinReg, enter the information requested on the WinReg Instance Configuration screen.

» Hostname/IP – Enter the hostname or IP on which WinReg is running
» Port – Enter the port on which WinReg is listening

The Preventsys Windows Registry Installer installs this Windows scan module as a Windows service. It can be installed and run on Windows 2000 Professional, Microsoft Windows NT 4.0, Microsoft Windows 2000 Server, Windows XP (pre-SP2), and Microsoft Windows Server 2003 Standard Edition. By default, this service runs under the default service account. Following the installation of this scanner, you must use the Services control panel to assign this service to a user with sufficient access to activate this remote service. This process is explained later in this chapter.

Note that prior to installation all Preventsys component system clocks must be properly set and configured to the desired time zone. Moreover, all Preventsys component system clocks must be synchronized to the same time in order to ensure a successful installation.

Next, you must open the Services control panel and change the user assignment for the new Windows Registry Scanner service so that it runs as a user with sufficient access to read remote system registries.
You can configure the Windows service portion of the Registry Scanner by setting registry values on the Windows system where the Windows Registry Scanner was installed. These include:

» HKEY_LOCAL_MACHINE\SOFTWARE\Preventsys, Inc.\ISS7\Port – This registry value (REG_DWORD) accepts a number (0-65535). It is the port on which the ISS Internet Scanner 7.0 connector service listens for connections. If this value is 0 or nonexistent, a random port is used.

Note: This setting may be useful when routing through firewalls, etc.

» HKEY_LOCAL_MACHINE\SOFTWARE\Preventsys, Inc.\ISS7\dsn – This registry value (REG_SZ) identifies the database that ISS Internet Scanner 7.0 uses to store results. It should match the Data Source specified under Tools->Database Administration in the ISS Internet Scanner console.

QualysGuard Instance Configuration

The QualysGuard assessment tool is a web-based network discovery and vulnerability detection service, which can work in conjunction with an “intranet scanner” appliance located inside your firewall.

To add an instance of QualysGuard, you must have a license for QualysGuard and a Qualys account. Enter the information requested on the QualysGuard Instance Configuration screen.

» Qualys username – Enter the Qualys username
» Qualys password – Enter the Qualys password
» Appliance name – Enter the appliance name for QualysGuard
» Batch size for pause simulation – Enter the number of hosts per chunk; the target list is split into chunks of this size and the chunks are scanned serially. This field is required because the Qualys API has no native pause and resume. Preventsys therefore simulates pause/resume: when a pause is requested, only the chunk currently being scanned needs to be rescanned. A value of “0” means scan all IPs in one Qualys scan.
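The passive DHCP analysis technique described under Dynamic Address Resolution Instance Configuration earlier in this appendix can be illustrated with a short parser. The following is an added example written for this guide, not Preventsys code: it decodes DHCPACK messages from constructed sample payloads (the BOOTP header plus options, as a listener on a SPAN or hub port would see them once the Ethernet, IP and UDP headers are stripped) and keeps a MAC-keyed history, so the same physical host is recognized after its lease changes. The `parse_dhcp`, `MacTracker` and `build_dhcp` names are this example’s own; the sample packets are constructed, not captured traffic.

```python
"""Passive DHCP analysis: correlate hosts by MAC address across IP changes.

Added example, not Preventsys code. parse_dhcp() decodes a BOOTP/DHCP payload
(the UDP data, link/IP/UDP headers already stripped); MacTracker keeps a
MAC-keyed history of DHCPACK assignments so the same physical host is
recognised after a new lease, which is the correlation DARC relies on.
"""
import struct
from collections import defaultdict

DHCP_MAGIC = b"\x63\x82\x53\x63"      # RFC 2132 magic cookie at offset 236
OPT_MESSAGE_TYPE = 53
DHCPOFFER, DHCPACK = 2, 5


def parse_dhcp(payload: bytes):
    """Return (message_type, client_mac, yiaddr) or None if not DHCP.

    message_type is None when option 53 is absent (plain BOOTP reply)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    _op, _htype, hlen = struct.unpack_from("!BBB", payload, 0)
    hlen = min(hlen, 16)                            # chaddr field is 16 bytes
    yiaddr = ".".join(str(b) for b in payload[16:20])
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    msg_type = None
    i = 240
    while i + 1 < len(payload):
        code = payload[i]
        if code == 255:                             # end option
            break
        if code == 0:                               # pad option has no length
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == OPT_MESSAGE_TYPE and length == 1:
            msg_type = value[0]
        i += 2 + length
    return msg_type, mac, yiaddr


class MacTracker:
    """Host identity keyed by MAC; records each distinct IP a host has held."""

    def __init__(self):
        self.history = defaultdict(list)

    def observe(self, payload: bytes):
        """Feed one captured DHCP payload; returns (mac, ip) for an ACK."""
        parsed = parse_dhcp(payload)
        if parsed is None or parsed[0] != DHCPACK:  # only ACKs confirm a lease
            return None
        _, mac, ip = parsed
        if not self.history[mac] or self.history[mac][-1] != ip:
            self.history[mac].append(ip)
        return mac, ip

    def current_ip(self, mac: str):
        ips = self.history.get(mac)
        return ips[-1] if ips else None


def build_dhcp(msg_type: int, mac: str, yiaddr: str, xid: int = 0x3903F326) -> bytes:
    """Construct a minimal DHCP server reply (op=2, Ethernet) for the samples."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)        # 12 bytes
    addrs = (b"\x00" * 4                                           # ciaddr
             + bytes(int(o) for o in yiaddr.split("."))            # yiaddr
             + b"\x00" * 8)                                        # siaddr, giaddr
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    sname_file = b"\x00" * (64 + 128)
    options = DHCP_MAGIC + bytes([OPT_MESSAGE_TYPE, 1, msg_type, 255])
    return header + addrs + chaddr + sname_file + options


# Constructed sample traffic (not a real capture): one host changes lease.
SAMPLE_PACKETS = [
    build_dhcp(DHCPACK, "00:0c:29:3e:4f:50", "10.1.1.20"),
    build_dhcp(DHCPOFFER, "00:0c:29:3e:4f:50", "10.1.1.99"),   # offer: ignored
    build_dhcp(DHCPACK, "00:50:56:aa:bb:cc", "10.1.1.21"),
    build_dhcp(DHCPACK, "00:0c:29:3e:4f:50", "10.1.1.37"),     # same host, new IP
]


def run_sample() -> MacTracker:
    tracker = MacTracker()
    for pkt in SAMPLE_PACKETS:
        tracker.observe(pkt)
    return tracker


if __name__ == "__main__":
    for mac, ips in run_sample().history.items():
        print(f"{mac}  {' -> '.join(ips)}")
```

Only DHCPACK messages update the history, because an OFFER is not a lease; a listener that keyed on OFFERs would record addresses the client never took. The tracker also shows why the guide insists on a SPAN port or hub: without seeing the server’s ACKs, there is nothing to correlate.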
203 PREVENTSYS™ SRM USER’S GUIDE APPENDIX B | CONNECTOR CONFIGURATIONS

APPENDIX B Connector Configurations

As discussed in the “Assessments” chapter, a connector configuration is a set of parameters that controls the behavior of a particular assessment tool supported by the Preventsys Assessment Server during an assessment. A common parameter defined in a connector configuration is the set of tests/checks to run during an assessment.

Unlike an Instance Configuration, a Connector Configuration can be applied to any defined instance of the same assessment tool. For example, if the same assessment tool were installed in three different locations, a single Connector Configuration could be applied to each of these installations.

This appendix presents connector-specific information about the connectors supported by the Preventsys SRM System. For steps on adding connector configurations, see the “Assessments” chapter.

Updating Scanner Plugins

Use the tools provided with the individual connectors to update their associated plugins. For example, use the plugin update script provided by Nessus.

AppDetective Connector Configuration

To add an AppDetective connector configuration, enter the information requested on the AppDetective Connector Configuration screen. For details about the options displayed, refer to your AppDetective documentation.

Note: If your AppDetective license is exceeded during an assessment, the AppDetective scan fails with the following message: “The AppDetective scan failed due to an unspecified error, which is often a result of a license violation. Please verify that the IP:Port is included in your license.”

Preventsys provides the following options in addition to the standard AppDetective options displayed.

SIDs for Oracle 10g – AppDetective’s Application Discovery scan is normally able to detect the system identifiers (SIDs) of Oracle databases. However, AppDetective is unable to detect the SIDs of Oracle 10g databases.
Therefore, to scan Oracle 10g databases, the SIDs must be entered manually. To add an Oracle 10g SID, select Insert under the SIDs for Oracle 10g section of the AppDetective Connector Configuration screen, and enter the SID in the field provided. To delete a SID, select the radio button next to it and select Delete.

Discovering applications on nonstandard port ranges – AppDetective is configured with the default ports of each of the applications it supports. However, if one or more of your applications run on nonstandard ports, there is an option to override AppDetective’s range and enter the range yourself. Avoid making the port range too large: if possible, do not include more than 100 ports, because AppDetective’s Application Discovery scan can take a long time over a large number of ports.

To specify a custom port range, select the Discover Applications on Nonstandard Ports checkbox, then enter the custom port range in the Custom Discovery Port Range field. A valid port range is made up of one or more ranges or single ports, separated by commas, with no spaces. For example, to include the ports 1200, 1202, 1203, 1204, 1205, 1207 and 1208 in the Application Discovery scan, you could enter the range:

1200,1202-1205,1207-1208

FoundScan Connector Configuration

To add a FoundScan connector configuration, enter the information requested on the FoundScan Connector Configuration screen. For details about the options displayed, refer to your FoundScan documentation.

ISS Internet Scanner Connector Configuration

To add an ISS Internet Scanner connector configuration, enter the information requested on the ISS Internet Scanner Connector Configuration screen. For details about the options displayed, refer to your ISS Internet Scanner documentation.
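Before typing a custom range into the AppDetective Custom Discovery Port Range field described above, it is worth checking it against the stated grammar and the 100-port budget. The following is an added example, not Preventsys or Application Security code: it expands a range string exactly as the AppDetective section describes (single ports or low-high ranges, comma-separated, no spaces) and reports whether the expanded set stays within the suggested limit. The function names and the 100-port constant as a hard check are this example’s own.

```python
"""Validate an AppDetective custom discovery port range string.

Added example, not Preventsys or Application Security code. Implements the
grammar the guide states (one or more single ports or low-high ranges,
comma-separated, no spaces) and warns when the expanded set exceeds the
guide's suggested 100-port budget for Application Discovery.
"""
import re

MAX_RECOMMENDED_PORTS = 100
_TOKEN = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def expand_port_range(spec: str) -> set:
    """Expand '1200,1202-1205,1207-1208' into the set of port numbers.

    Raises ValueError on anything outside the documented grammar."""
    if not spec:
        raise ValueError("port range is empty")
    if re.search(r"\s", spec):
        raise ValueError("port range must contain no spaces")
    ports = set()
    for token in spec.split(","):
        m = _TOKEN.match(token)
        if not m:                                   # catches '', '1200-', 'abc'
            raise ValueError(f"bad token {token!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not (1 <= low <= 65535 and 1 <= high <= 65535):
            raise ValueError(f"port out of range in {token!r}")
        if low > high:
            raise ValueError(f"descending range {token!r}")
        ports.update(range(low, high + 1))
    return ports


def check_port_range(spec: str):
    """Return (port_count, within_budget) for a candidate range string."""
    ports = expand_port_range(spec)
    return len(ports), len(ports) <= MAX_RECOMMENDED_PORTS


if __name__ == "__main__":
    import sys
    spec = sys.argv[1] if len(sys.argv) > 1 else "1200,1202-1205,1207-1208"
    count, ok = check_port_range(spec)
    state = "within" if ok else "OVER"
    print(f"{spec}: {count} ports, {state} the {MAX_RECOMMENDED_PORTS}-port budget")
```

Overlapping ranges are collapsed by the set, so the count reflects the ports AppDetective would actually probe rather than the length of the string.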
ISS SiteProtector Connector Configuration

To add an ISS SiteProtector connector configuration, enter the information requested on the ISS SiteProtector Connector Configuration screen. For details about the options displayed, refer to your ISS SiteProtector documentation.

Microsoft Baseline Security Analyzer Connector Configuration

On the Microsoft Baseline Security Analyzer (MBSA) Connector Configuration screen, the domain administrator username and password fields allow you to specify the credentials for the domain administrator of your target systems. These are used when MBSA is running on a machine in one domain and you want to scan machines in another domain. For example, if MBSA is running on a machine not in the POLCAP domain, you can scan machines in the POLCAP domain by entering POLCAP\Administrator as the user, with the matching password.

To add an MBSA connector configuration, enter the information requested on the MBSA Connector Configuration screen. For details about the options displayed, refer to your MBSA documentation.

Note: When MBSA is run from its own GUI outside the Preventsys SRM System, you can select a range of IPs or a domain to scan. This produces one file per machine scanned, which Preventsys aggregates.

Note: The MBSA v2.0 service must run as the local Administrator (.\Administrator). When configuring an assessment you must enter the username and password of an MBSA domain administrator (e.g., DOMAIN\ADMINISTRATOR) for the assessment to succeed.
If these credentials are incorrect or not supplied, the assessment fails and the following message is displayed: “Assessment Failed: ID: 1 - Scan Connector Microsoft Baseline Security Analyzer: Protocol error (120 / START) got (320/User ID or Password not Supplied).”

Nessus Connector Configuration

The Nessus Connector Configuration screen presents all Nessus scanner options organized under tabs. Preventsys provides default settings that you can use as they are or edit as desired.

To add a Nessus connector configuration, enter the information requested on the Nessus Connector Configuration screen. For details about the options displayed, refer to your Nessus documentation. You can also find information at http://www.nessus.org.

The first page of the Nessus Connector Configuration lists every Nessus test, broken into categories spread across multiple tabs. The second page contains preferences, many of which are specific to the tests on the first page; if a test with an associated set of preferences is disabled, those preferences are read-only.

By default, all dangerous tests are disabled and displayed in red, along with a few tests deemed redundant by Preventsys. A test is considered dangerous if its author has placed it in one of four “dangerous” categories: “ACT_DENIAL”, “ACT_KILL_HOST”, “ACT_FLOOD” and “ACT_DESTRUCTIVE_ATTACK”. The category of a given NASL script can be determined by opening it and looking for its “script_category” line.

Each category of tests has a set of buttons marked “All”, “Default” and “None”, which enable all tests in the category, set the category’s tests to their default state, or disable all tests in the category, respectively.
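To see which plugins in a given Nessus installation fall under the dangerous rule above before you re-enable anything on the first page, you can scan the plugin sources for the script_category line the guide points to. This is an added example, not Preventsys or Tenable code: it extracts the ACT_* category from NASL sources and flags the four dangerous categories named above. The plugin fragments embedded for the stand-alone run are constructed, not real Tenable plugins, and the regular expression assumes the usual `script_category(ACT_...)` call syntax.

```python
"""Classify NASL plugins by script_category and flag the dangerous ones.

Added example, not Preventsys or Tenable code. Finds the script_category(...)
call in each NASL source and reports which plugins fall into the four
categories Preventsys disables by default.
"""
import re
from pathlib import Path

DANGEROUS = {"ACT_DENIAL", "ACT_KILL_HOST", "ACT_FLOOD", "ACT_DESTRUCTIVE_ATTACK"}
# Matches e.g. `script_category(ACT_ATTACK);`, tolerating whitespace.
_CATEGORY = re.compile(r"\bscript_category\s*\(\s*([A-Z_]+)\s*\)")


def script_category(source: str):
    """Return the ACT_* category named in a NASL source, or None if absent."""
    m = _CATEGORY.search(source)
    return m.group(1) if m else None


def classify_plugins(plugins: dict) -> dict:
    """Map plugin name -> (category, is_dangerous) for a {name: source} dict.

    A plugin with no script_category line gets (None, False); treat it as
    suspicious rather than safe, since its behaviour is undeclared."""
    result = {}
    for name, source in plugins.items():
        cat = script_category(source)
        result[name] = (cat, cat in DANGEROUS)
    return result


def classify_directory(path: str) -> dict:
    """Same, over every *.nasl file under `path` (e.g. a Nessus plugins dir)."""
    files = {p.name: p.read_text(errors="replace") for p in Path(path).rglob("*.nasl")}
    return classify_plugins(files)


# Constructed plugin fragments (not real Tenable plugins) for a stand-alone run.
SAMPLE_PLUGINS = {
    "banner_grab.nasl": 'script_name("Service banner");\nscript_category(ACT_GATHER_INFO);\n',
    "tcp_flood.nasl": 'script_name("SYN flood test");\n  script_category( ACT_FLOOD );\n',
    "crash_daemon.nasl": 'script_category(ACT_KILL_HOST);\n',
    "no_category.nasl": 'script_name("broken plugin");\n',
}


def dangerous_in_sample() -> list:
    """Names of the constructed plugins that the default policy would disable."""
    return sorted(n for n, (_c, danger) in classify_plugins(SAMPLE_PLUGINS).items() if danger)


if __name__ == "__main__":
    import sys
    plugins = classify_directory(sys.argv[1]) if len(sys.argv) > 1 else classify_plugins(SAMPLE_PLUGINS)
    for name, (cat, danger) in sorted(plugins.items()):
        flag = "DANGEROUS" if danger else "         "
        print(f"{flag} {cat or '?':24} {name}")
```

Run it against the plugin directory of the Nessus instance behind the connector to get the list of tests that will be red on the first page, and to spot plugins whose category is missing or unexpected.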
Network Architecture Assessor Connector Configuration

To add a Network Architecture Assessor (NAA) connector configuration, enter the information requested on the NAA Connector Configuration screen. The configuration screen provides the following options:
» Slaves to Test – Select the slaves you want tested
» Rule to Use – Select the rules you want to test with
» Custom Rules Entry – Enter custom rules (see the "Adding Custom NAA Rules" section for details)

NAA performs the following tests by default. Each describes a packet the firewall should block; the test reports a finding when the packet gets through:
» rfc1918-192.168 – A TCP/IP packet with a source address in the RFC 1918 block 192.168/16 was able to be sent through the firewall.
» rfc1918-10 – A TCP/IP packet with a source address in the RFC 1918 block 10.0.0.0/8 was able to be sent through the firewall.
» rfc1918-172.16 – A TCP/IP packet with a source address in the RFC 1918 block 172.16/12 was able to be sent through the firewall.
» ipzero – A TCP/IP packet with a source address of 0.0.0.0 was able to be sent through the firewall.
» localhost-tcp – A TCP/IP packet with a source address of 127.0.0.1 was able to be sent through the firewall.
» localhost-udp – A UDP packet with a source address of 127.0.0.1 was able to be sent through the firewall.
» src53-echo – A UDP packet with a source port of 53 was able to be sent through the firewall to the echo port.
» src53-ssh – A TCP packet with a source port of 53 was able to be sent through the firewall to the SSH port.
» icmp-echoreq – An ICMP echo request packet was able to be sent inward through the firewall.
» icmp-echorep – An ICMP echo reply packet was able to be sent outward through the firewall.
» udp-broadcast – A broadcast packet was able to be sent inward through your firewall.
» src-routing – A source-routed packet was able to be sent inward from a packet thrower.
P2P Assessment

NAA can also perform P2P assessments that test perimeter defense devices (routers and firewalls) for whether the following rogue P2P protocols can pass:
» P2P – BitTorrent traffic
» P2P – Direct Connect (DC) traffic
» P2P – Kazaa traffic

You will need to select the policies that contain the rules associated with these protocols when creating your assessment configuration. Refer to the Preventsys SRM System Policy Reference Guide for details about these rules.

Adding Custom NAA Rules

NAA can take its rule data from two sources: rules entered into the NAA Custom Rules field in the UI, or rule files you upload to the assessment server (AS). If you use the second method, you must upload your rules to every AS, and once they have been uploaded anyone can use them, which may not be desirable. Alternatively, the NAA Connector Configuration screen allows you to paste the contents of your rule files (referred to as rulesets) into the NAA Custom Rules field.

Custom NAA rulesets are XML documents that contain tests for the NAA. Each document consists of one or more "rules", each of which describes a particular packet to send through a firewall. Every packet you configure should be one the firewall is expected to block, so any packet that passes the firewall is considered a "failure".

NAA Custom Rulesets File Layout

The general format of a ruleset document is:

<naarules>
  <naarule ...XML attributes...>description for rule #1</naarule>
  <naarule ...XML attributes...>description for rule #2</naarule>
  ...
  <naarule ...XML attributes...>description for rule #n</naarule>
</naarules>

As shown above, each rule has a description associated with it. If the packet described by a rule is able to pass through the firewall being tested, that rule's description is used in the results.
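A ruleset in this layout, checked before it is pasted into the NAA Custom Rules field or uploaded as a rule file, as an added example that is not Preventsys code. It encodes the attribute and flag rules given in the NAA Rule Attributes and NAA Rule Flags sections that follow (required attributes, the three address forms, port ranges, protocol-specific flags, severity 0-90) and the name_naa.xml convention for uploaded files. The sample rulesets are constructed; whether the NAA applies exactly the same checks when it loads a ruleset is an assumption.

```python
"""Validate a custom NAA ruleset against the attribute and flag rules in the
NAA Rule Attributes and NAA Rule Flags sections, and check the name_naa.xml
file-name convention for uploaded rule files. Added example, not Preventsys
code; the sample rulesets are constructed, and whether the NAA applies exactly
these checks itself is an assumption."""
import ipaddress
import re
import xml.etree.ElementTree as ET
from typing import List

DIRECTIONS = {"out", "in", "both"}
PROTOCOLS = {"tcp", "udp", "icmp"}
SYMBOLIC_ADDRS = {"srcaddr", "srcbcast", "destaddr", "destbcast"}
FLAGS_BY_PROTO = {
    "tcp": {"syn", "ack", "psh", "urg", "rst", "fin", "srcrt"},
    "udp": set(),
    "icmp": {"echoreq", "echorep"},
}
REQUIRED = ("dir", "saddr", "daddr", "sport", "dport", "proto", "severity", "id")
FILENAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*_naa\.xml$")


def valid_addr(value: str) -> bool:
    """A single IP, a CIDR range, an IP:netmask range, or one of the symbolic names."""
    if value in SYMBOLIC_ADDRS:
        return True
    try:
        if ":" in value:                       # netmask form a.b.c.d:m.m.m.m
            ip, mask = value.split(":", 1)
            ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        else:                                  # plain IP or CIDR
            ipaddress.IPv4Network(value, strict=False)
        return True
    except ValueError:
        return False


def valid_port(value: str) -> bool:
    """A single port or an ascending lo-hi range, both within 0-65535."""
    parts = value.split("-")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        return False
    nums = [int(p) for p in parts]
    return all(0 <= n <= 65535 for n in nums) and nums == sorted(nums)


def rule_errors(rule: ET.Element, idx: int) -> List[str]:
    a = rule.attrib
    errs = [f"rule {idx}: missing required attribute '{n}'" for n in REQUIRED if n not in a]
    if "dir" in a and a["dir"] not in DIRECTIONS:
        errs.append(f"rule {idx}: dir must be one of {sorted(DIRECTIONS)}")
    for name in ("saddr", "daddr"):
        if name in a and not valid_addr(a[name]):
            errs.append(f"rule {idx}: {name} '{a[name]}' is not an IP, CIDR, IP:netmask or symbolic address")
    for name in ("sport", "dport"):
        if name in a and not valid_port(a[name]):
            errs.append(f"rule {idx}: {name} '{a[name]}' is not a port or lo-hi range")
    proto = a.get("proto")
    if proto is not None and proto not in PROTOCOLS:
        errs.append(f"rule {idx}: proto must be tcp, udp or icmp")
    flags = [f for f in a.get("flags", "").split(",") if f]
    if proto in FLAGS_BY_PROTO:
        bad = [f for f in flags if f not in FLAGS_BY_PROTO[proto]]
        if bad:
            errs.append(f"rule {idx}: flags {bad} are not valid for {proto}")
        if proto == "icmp" and not flags:      # flags is optional except for ICMP
            errs.append(f"rule {idx}: icmp rules need flags=echoreq or flags=echorep")
    sev = a.get("severity")
    if sev is not None and not (sev.isdigit() and 0 <= int(sev) <= 90):
        errs.append(f"rule {idx}: severity must be an integer from 0 to 90")
    if not (rule.text or "").strip():
        errs.append(f"rule {idx}: description text is empty, the result would carry no message")
    return errs


def validate_ruleset(xml_text: str) -> List[str]:
    """Return a list of problems; an empty list means the ruleset passes every check."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "naarules":
        return [f"root element must be <naarules>, found <{root.tag}>"]
    errs, seen_ids = [], set()
    for idx, rule in enumerate(root, start=1):
        if rule.tag != "naarule":
            errs.append(f"element {idx}: unexpected <{rule.tag}> inside <naarules>")
            continue
        errs.extend(rule_errors(rule, idx))
        rid = rule.get("id")
        if rid in seen_ids:
            errs.append(f"rule {idx}: duplicate id '{rid}'")
        seen_ids.add(rid)
    return errs


def valid_ruleset_filename(name: str) -> bool:
    """Uploaded rule files must be called name_naa.xml."""
    return FILENAME_RE.match(name) is not None


# Constructed sample: two of the default tests re-expressed as custom rules, plus an ICMP rule.
SAMPLE_RULESET = """<naarules>
<naarule dir="in" saddr="10.0.0.0/8" daddr="destaddr" sport="1024-65535" dport="1024-65535" proto="tcp" flags="syn" severity="60" id="custom-rfc1918-10">A TCP packet with a 10/8 source address passed the firewall</naarule>
<naarule dir="in" saddr="srcaddr" daddr="destaddr" sport="53" dport="22" proto="tcp" flags="syn" severity="50" id="custom-src53-ssh">A TCP packet with source port 53 reached the SSH port</naarule>
<naarule dir="both" saddr="srcaddr" daddr="destaddr" sport="0" dport="0" proto="icmp" flags="echoreq" severity="20" id="custom-icmp-echoreq">An ICMP echo request passed the firewall</naarule>
</naarules>"""
# Constructed sample with three faults: bad dir, ICMP without flags, severity above 90.
BROKEN_RULESET = """<naarules>
<naarule dir="sideways" saddr="10.0.0.0/8" daddr="destaddr" sport="1024-65535" dport="22" proto="icmp" severity="95" id="bad">ICMP rule missing its flags</naarule>
</naarules>"""

if __name__ == "__main__":
    for problem in validate_ruleset(BROKEN_RULESET):
        print(problem)
```

Because range-format addresses and ports are resolved to a random value at assessment time, two runs of the same ruleset can exercise different packets; if a finding must be reproducible, give the rule a fixed address and port rather than a range.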
NAA Rule Attributes

Each Network Architecture Assessor rule defines a specific packet type that will be sent either "outward" (from the "Master" to the "Slave") or "inward" (from the "Slave" to the "Master"). The attributes of an NAA rule are:

» dir (required) – Sets the "direction" of the packet for this test. The valid values are "out" (sent from the slave to the master), "in" (sent from the master to the slave) and "both" (the same as making two identical rules, one "out" and one "in").
» saddr (required) – Sets the source IP address of the packet. This attribute must be specified in one of three forms:
  • An IP address (for example, "10.4.3.2")
  • An IP address range, given in either CIDR form (for example, 192.168.0.0/16) or netmask form (for example, 192.168.0.0:255.255.0.0)
  • A symbolic address: "srcaddr" (the address of the host sending the packet), "srcbcast" (the broadcast address of the host sending the packet), "destaddr" (the address of the host the packet is being sent to), or "destbcast" (the broadcast address of the host the packet is being sent to)
  Note: For range-format addresses, a random address in the range is selected at assessment time.
» daddr (required) – Sets the destination IP address of the packet. Same format as the saddr attribute.
» sport (required) – Sets the source port of the packet. This attribute must be specified in one of two forms:
  • A port (for example, "12345")
  • A range of ports (for example, "1024-65535")
  Note: For range-format ports, a random port in the range is selected at assessment time.
» dport (required) – Sets the destination port of the packet. Same format as the sport attribute.
» proto (required) – A string specifying the protocol of the packet. The three acceptable values are "tcp" (for TCP/IP packets), "udp" (for UDP packets) and "icmp" (for ICMP packets).
» flags (not required, except for ICMP) – One or more comma-delimited strings that configure the packet. See the "NAA Rule Flags" section for descriptions of each.
» severity (required) – Sets the severity of the rule, from 0-90.
» id (required) – A string specifying an identifier that will be given in the results if the packet described by this rule is able to pass through the firewall being tested.

Note: The introductory sentence above describes "outward" as master to slave, while the "out" value of dir is described as slave to master. Confirm which end of your deployment is the Master before relying on the direction of a rule.

NAA Rule Flags

As explained in the NAA Rule Attributes section, the flags attribute may contain one or more comma-delimited strings. Each string is protocol-specific and alters the behavior of the packet. The possible flags, the protocol each applies to, and what each does are:
» syn (TCP) – Sets the SYN flag of the TCP/IP packet
» ack (TCP) – Sets the ACK flag of the TCP/IP packet
» psh (TCP) – Sets the PSH flag of the TCP/IP packet
» urg (TCP) – Sets the URG flag of the TCP/IP packet
» rst (TCP) – Sets the RST flag of the TCP/IP packet
» fin (TCP) – Sets the FIN flag of the TCP/IP packet
» srcrt (TCP) – Adds the source route option to the TCP/IP packet. The firewall address is specified as one of the required routes.
» echoreq (ICMP) – Makes an ICMP echo request packet
» echorep (ICMP) – Makes an ICMP echo reply packet

Uploading Custom Rules

As mentioned previously, you can upload custom NAA rules to an assessment server. The file must be named name_naa.xml (where name is a unique identifier describing what the rules test for). Put the file in the directory /usr/local/preventsys/ASComponents/share/audserv/netarch/ on each assessment server.

Nmap Connector Configuration

To add an Nmap connector configuration, enter the information requested on the Nmap Connector Configuration screen. For details about the options displayed, please refer to your Nmap documentation.

QualysGuard Connector Configuration

To add a QualysGuard connector configuration, enter the information requested on the QualysGuard Connector Configuration screen.
For details about the options displayed, please refer to your QualysGuard documentation.

Note: The Qualys account must be activated on the Qualys website before you attempt a Preventsys assessment with Qualys.

Retina Connector Configuration

To add a Retina connector configuration, enter the information requested on the Retina Connector Configuration screen. For details about the options displayed, please refer to your Retina documentation.

Note: When upgrading to Retina 5.0, existing assessment configurations that have a previous version of eEye Retina selected must be recreated with the new version selected. Simply editing the existing assessment configuration or using the "copy existing" feature is not recommended.

WiFi Connector Configuration

The WiFi Connector Configuration screen opens with a license agreement disclaimer. Read the disclaimer and select the Accept checkbox to continue. To add a WiFi connector configuration, enter the information requested on the WiFi Connector Configuration screen. The configuration screen provides the following options:
» Static IP Address – If you do not want the WiFi card to attempt to obtain an IP address from each access point using DHCP, enter a static IP address and netmask in the format IP:Netmask (for example, "10.2.3.4:255.255.255.0").
» Known WEP Keys – Enter known WEP keys for the wireless access points on your network. Select a key length and then enter a WEP key; select Insert to add additional keys. WEP keys may be entered either as a plain text string or as hexadecimal digits preceded by "0x".

On the first iteration of the passive scanning loop, the WiFi server attempts to sniff all theoretically possible wireless channels. In addition, the WiFi server attempts to detect hidden access points. If a hidden access point is detected, the server attempts to decloak it, that is, to obtain its service set identifier (SSID).
WinReg Connector Configuration

To add a WinReg connector configuration, enter the information requested on the WinReg Connector Configuration screen. The configuration screen provides the following options:
» Authentication – Enter the usernames and passwords for the local and domain administrator accounts you want used. When the Windows Registry scanner attempts to acquire a registry key from a target, it presents the credentials of each account you specified, in addition to the account specified at WSM install time. If no accounts are specified, WinReg only attempts to acquire the remote keys with the credentials specified at WSM install time.
» Registry Keys to Acquire – Enter the specific registry keys that you want tested, one per line. For example, to test two registry keys, type or paste the first key into the text box, press [ENTER], and then type or paste the second key on the next line.

Note that wildcard entries for registry keys can return large amounts of data that may slow down, and even exhaust the memory of, the Assessment Server and Enterprise Security Management Server.

The following wildcard entries may be used when entering registry keys:
» * – A single asterisk at the end of a key entry returns all values under the specified key but does not recurse into subkeys. For example, "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\*" returns all values under CurrentVersion but does not recurse into subkeys such as Credentials.
» ** – A pair of asterisks at the end of a key returns all values under the specified key and recurses into subkeys. Note that this wildcard can return LARGE amounts of data.
» * – An asterisk is also supported as an intermediate key component.
For example, "HKEY_USERS\*\Environment\TEMP" returns the TEMP directory setting for each user registered on the scanned machine.

Additionally, because "\" is a legal character in a value name, to read the data of a value named "test\val" under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft you must "escape" the "\" by doubling it: enter "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\test\\val" in this case.

Assessments that use the Preventsys Remote Windows Registry Scanner v1.0 without specifying registry keys still acquire the OSDetect data described previously. This data may be used by the registry-specific rules described later in this section.

Windows-Based Rules

The following standard, Windows-specific rules may be used with WinReg:
» Prohibited Software Rule
  Rule Name: Win_Reg_Prohibited_Software--Template
  Rule Description: Any Windows registry key that represents one of the specific applications listed in this rule triggers a violation. By default, keys for Kazaa, AIM, and MSN Messenger are provided. This is a template rule: to use it, configure the XML element <prohibited_software> with the registry keys of the software applications that are prohibited by corporate policy.
» CTRL-ALT-DEL Logon Rule
  Rule Name: Win_Reg_Ctrl_Alt_Del_Logon
  Rule Description: Pressing CTRL-ALT-DEL to reach the initial logon screen is required on Windows 2000 and Windows XP hosts.
» Automatic Logon to Windows Rule
  Rule Name: Win_Reg_Auto_Logon
  Rule Description: Automatic logon is allowed on this host. This rule checks whether automatic logon to the Windows machine occurs and reports a violation if it does.
» Windows Last Logon Rule
  Rule Name: Win_Reg_Last_Logon
  Rule Description: This host shows the previous user that logged on.
This rule checks whether the username of the last user who logged into the system is displayed at the next logon, and reports a violation if it is.
» Logon Banner Rule
  Rule Name: Win_Reg_Logon_Banner--Template
  Rule Description: All Windows logon banners must conform to the company banner.

APPENDIX C
Importing Assessment Data

Externally gathered assessment data can be imported into the Preventsys SRM System using the Assessment Import functionality. The steps for importing assessment data are discussed in detail in the "Assessments" chapter. This appendix describes the file import and scan import screens that are displayed depending on which import option you select.

File Import

This section presents the import screens displayed for each type of "file" import selected in the GUI.

Preventsys XML File Import
This screen is displayed if "Preventsys XML" is selected. Enter the path of the XML file you want to import, or select Browse to find it. Select Submit to import the file.

Generic XML File Import
This screen is displayed if "Generic XML (XSL Required)" is selected. Enter the path of the XML file you want to import, or select Browse to find it. Enter the path of the XSL transform you want applied, or select Browse to find it. Select Submit to import the file.

AppDetective XML File Import
This screen is displayed if "AppDetective XML" is selected. Enter the path of the XML file you want to import, or select Browse to find it. Select Submit to import the file.

AppScan 5 XML File Import
This screen is displayed if "AppScan 5 XML" is selected. Enter the path of the XML file you want to import, or select Browse to find it. Select Submit to import the file.
AppScan 6 XML File Import
This screen is displayed if "AppScan 6 XML" is selected. Enter the path of the XML file you want to import, or select Browse to find it. Select Submit to import the file.

FoundScan Risk Data XML File Import
This screen is displayed if "FoundScan Risk Data XML" is selected. Enter the path of the XML file you want to import, or select Browse to find it. Select Submit to import the file.

FoundScan Risk and Host Data XMLs File Import
This screen is displayed if "FoundScan Risk & Host Data XMLs" is selected. Enter the path of the host data XML results file you want to import, or select Browse to find it. Enter the path of the vulnerability data XML results file you want to import, or select Browse to find it. Select Submit to import the files.

MBSA XML/Zip File Import
This screen is displayed if "MBSA XML/Zip" is selected. Enter the path of the XML file or .zip file you want to import, or select Browse to find it. If you are importing a zip file, you must also enter the password for the zip file. Select Submit to import the file.

nCircle IP360 XML2 File Import
This screen is displayed if "nCircle IP360 XML2" is selected. Enter the path of the XML file you want to import, or select Browse to find it. Select Submit to import the file.

Nessus XML File Import
This screen is displayed if "Nessus XML" is selected. Enter the path of the XML file you want to import, or select Browse to find it. Select Submit to import the file.

Nessus NSR File Import
This screen is displayed if "Nessus NSR" is selected. Enter the path of the NSR-formatted results file you want to import, or select Browse to find it. Select Submit to import the file.
NeXpose XML File Import
This screen is displayed if "NeXpose XML" is selected. Enter the path of the XML file you want to import, or select Browse to find it. Select Submit to import the file.

NGSSquirrel for Oracle XML File Import
This screen is displayed if "NGSSquirrel for Oracle XML" is selected. Enter the path of the XML file you want to import, or select Browse to find it. Select Submit to import the file.

NGSSquirrel for SQL Server XML File Import
This screen is displayed if "NGSSquirrel for SQL Server XML" is selected. Enter the path of the XML file you want to import, or select Browse to find it. Select Submit to import the file.

Nmap XML File Import
This screen is displayed if "Nmap XML" is selected. Enter the path of the XML-format results file you want to import, or select Browse to find it. Select Submit to import the file.

QualysGuard XML File Import
This screen is displayed if "QualysGuard XML" is selected. Enter the path of the XML results file you want to import, or select Browse to find it. Select Submit to import the file.

Scan Import

This section presents the import screens displayed for each type of "scan" import selected in the GUI.

AppDetective Scan Import
This screen is displayed if "AppDetective" is selected. Select the scan you want to import. Select Submit to import the scan.

FoundScan Scan Import
This screen is displayed if "FoundScan" is selected. Select the scan you want to import. Select Submit to import the scan.

QualysGuard Scan Import
This screen is displayed if "QualysGuard" is selected. Select the scan you want to import. Select Submit to import the scan.
Retina Scan Import
This screen is displayed if "Retina" is selected. Select the scan you want to import. Select Submit to import the scan.

SiteProtector Scan Import
This screen is displayed if "SiteProtector" is selected. Select the scan result you want to import, or enter the SiteProtector Job ID or the Internet Scanner Job ID you want to import. Select Submit to import the scan.

APPENDIX D
Database Backup Guidelines

This appendix provides instructions that are meant to serve as general guidelines for how the Preventsys database can be backed up. If the Preventsys database is located on a database server that is used for other applications, it can be included in that server's backup schedule if the frequency of backups is acceptable. These instructions are not meant to replace existing corporate backup strategies and should be viewed as supplemental information pertaining only to the Preventsys SRM System.

Please note that the commands listed below create full "logical" backups of the Preventsys SRM System database. Consult the official documentation for each database for information about doing a physical, file-based backup.

Backup

pg_dump -U <username> -h <ip-address> -f <backup-filename.sql> <databasename>

For example:

pg_dump -U preventsys -h 192.168.0.10 -f compliance.sql preventsys

Restore

psql -U <username> -h <ip-address> -f <backup-filename.sql> <databasename>

For example:

psql -U preventsys -h 192.168.0.10 -f compliance.sql preventsys

Please note that it may be necessary, prior to restoring, to drop and recreate the database if it already contains tables and data. Use extreme caution when dropping a database, and ensure that you have a current backup.
These are the commands to run in that case (the second and third lines are entered at the psql prompt):

psql -U <username> -h <ip-address> template1
drop database <databasename>;
create database <databasename>;

GLOSSARY

Accepted Risk – A policy violation or vulnerability that was detected, but for which the user has decided that the risk is acceptable and therefore does not plan to carry out the associated remediation. Vulnerabilities and policy violations associated with remediation tasks that have the Accepted Risk status are treated the same as Claimed Resolved tasks when calculating and displaying data for reports.
Administrative Client – A browser-based client that serves as the user's interface to the Enterprise Security Management Server. This client allows users to perform user management, assessment, and system configuration tasks, as well as report navigation and remediation functions.
Assessment – The process by which a network group is scanned for policy violations and vulnerabilities.
Assessment Configuration – Defines which network groups, policies, and scan modules should be used in network assessments.
Assessment Schedule – Assessment schedules are used to schedule the execution of previously defined assessment configurations. Assessments can be scheduled to execute immediately, once at a specified date and time, or periodically according to a recurring schedule.
Assessment Server – The server (or cluster of servers) that hosts the actual scanners. The scanners are configured by the Enterprise Security Management Server through an administrative interface presented to the administrator, resulting in ASCP sessions that describe scanner configuration parameters.
Assessment Server Control Protocol (ASCP) – Protocol used to facilitate Assessment Server communication.
Certificate Revocation List (CRL) – A list of all revoked certificates, including the dates of issue, the entities that issued them, and the reasons for revocation.
Enterprise Security Management Server – The server (or cluster of servers) that provides the administrative interface to the Preventsys software. This server allows the administrator to configure target asset and network information and assessment sessions, and to review the reported results of assessments.
Confirmation Page – A screen that asks for confirmation prior to the removal of a user, asset, PDL rule, or other item.
Continuous Security Improvement – A process by which network security is continually refined to provide enhanced security.
Demilitarized Zone (DMZ) – A computer host or small network inserted as a buffer between a private network and the outside public network to prevent outside users from gaining direct access to resources on the private network.
Distinguished Name (DN) – The section of an X.509 certificate that identifies the certificate's subject or its issuer.
Dollar Value – A financial impact associated with an asset, used to calculate assets-at-risk data.
Domain Name System (DNS) – A distributed database that manages the mapping of host names to numerical IP addresses.
Dynamic Host Configuration Protocol (DHCP) – A protocol used to allocate IP addresses dynamically to computers on a local area network.
Dynamic Packet Filter (DPF) – A packet filter and application-level proxy-based firewall designed to protect the Preventsys scanner environment from exploitation. Note: DPF servers are not required for a minimum installation.
Dynamic Packet Filter (DPF) Rule – DPF rules can be defined to manage communications between Preventsys components and the assessed network groups.
Dynamic Target Address Resolution Protocol (DTARP) – Protocol employed by DARC to report the correlation between IP addresses and host identity in network environments with dynamic IP addresses.
Extensible Markup Language (XML) – A standard for creating special-purpose markup languages.
Extensible Stylesheet Language (XSL) – A language used to describe how files encoded in the XML standard are to be transformed and formatted.
False Positive – A policy violation or vulnerability that is detected when no such policy violation or vulnerability is actually present on the specified host. Vulnerabilities and policy violations associated with remediation tasks that have the False Positive status are treated the same as Claimed Resolved tasks when calculating and displaying data for reports.
Global Suffix – A suffix applied to imported PDL policies in order to distinguish them from previously existing PDL policies with identical names.
Host – A specific workstation, server, router, switch, or other type of machine on the assessed network.
Host Property – Hosts use host properties to define the type of host (for example server, desktop, DMZ) for analysis. Host properties allow for the detection of policy violations in the context of host type when PDL policies are applied to assessment results. There are two types of host properties: Label and Specification.
Hypertext Transfer Protocol (HTTP) – A protocol used to request and transmit Web content over the Internet or other computer networks.
Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) – An encrypted version of HTTP used for secure communications.
IP Address – An address used to identify hosts on a network.
IP Range – A range of IP addresses.
MAC Address – An address that identifies a host on a network by its network interface card.
Maintenance Mode – The Preventsys SRM System is put into maintenance mode during all updates and rollbacks. When in maintenance mode, only Super Users are allowed to log in.
Manual Audit Task (MAT) – A special task that must be tested and verified manually via the Administrative Client. A fully configured manual audit task has a schedule and one or more users assigned to it.
Manual Audit Task Rule – A rule that reports violations based upon a specific manual audit task. A manual audit task rule can optionally report a violation if the manual audit task is not configured correctly.
Mask – See Network Mask.
Netmask – See Network Mask.
Network – A collection of IP-based systems (routers, switches, servers, firewalls, etc.) that are grouped as a logical unit. For example, one network could be the "Finance Network", which would include all of the servers, routers, and systems that serve the finance department.
Network Group – A network or cluster of networks grouped together for assessment configuration and analysis. Network groups must be defined prior to scheduling assessments.
Network Mask – A bit mask that separates the network portion of an IP address from the host portion.
Network Property – Networks use network properties to define the network type for analysis. Network properties allow for the detection of policy violations in the context of network type when PDL policies are applied to assessment results.
Pagination Controls – A series of links that allow convenient navigation through long lists of data.
Policy Definition Language (PDL) – The Policy Definition Language uses XSL templates to create PDL rules that identify specific policy violations and vulnerabilities through analysis.
Policy Definition Language Policy – PDL policies are collections of PDL rules that together form a cohesive corporate security policy.
Policy Definition Language Rule – PDL rules are used to define network security policy.
PolicyLab – The tools and functions used to manage PDL rules and policies.
Policy Violation – A condition that violates the defined network policy.
Port – A logical connection point that allows for the communication of Internet services.
Permissions – The actions you can perform on a resource; for example, you can "add" a user. Resources and their permissions grant access to the functionality in the system via groups.
Protocol – A specification describing how computers communicate on a network.
Registry Key – The Registry is a database used by the Windows operating system (Windows 95 and NT) to store configuration information. Registry keys are contained in this database. Each key may have one or more registry values associated with it, and may also have an "Unnamed Value".
Registry Value – Entries associated with a registry key, consisting of Name / Type / Data. To access this data, the registry key is entered in the form key[\key_n…]\registry_value_name.
Relational Database Management System – The Relational Database Management System (RDBMS) stores Preventsys configuration data and scan results in both raw and analyzed formats.
Remediation Task – A task assigned to an administrator to alleviate a detected policy violation or vulnerability.
Report – Reports present assessment data and analysis.
Report Context – The selection of specific assessments and PDL policies that are then used to generate report data.
Rule Type – Identifies whether an individual PDL rule is used to detect policy violations or vulnerabilities.
Scan Module – Scanning software used by Assessment Servers when assessing network groups.
Service – A network application associated with a specific port.
Severity – Defines the severity of policy violations and vulnerabilities. Severity levels range from 1 to 100, with 100 being the most severe.
Solution – A text description and/or links for alleviating policy violations.
Static IP – A scheme for IP addressing that associates a unique and unchanging IP address with every host on the network.
Unique ID – A unique host identifier that represents either a static IP address or, in DHCP systems, a MAC address.
Unnamed Value – The entry associated with a registry key itself rather than with a value name, consisting of Name / Type / Data. To access this data, the registry key is entered in the form key[\key_n…]\ (with a trailing backslash), which returns the Unnamed Value associated with key_n.
User – An account authorized to access the Preventsys SRM System.
Virtual LAN (VLAN) – A group of devices on one or more LANs that are configured (using management software) so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical instead of physical connections, they are extremely flexible.
Vulnerability – A bug or flaw in software or hardware that could compromise network security.
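The key-entry syntax from the WinReg Connector Configuration section of Appendix B (a trailing "*" or "**", "*" as an intermediate key, and "\\" to escape a backslash inside a value name) together with the key[\key_n…]\registry_value_name and key[\key_n…]\ forms given in the Registry Value and Unnamed Value entries above, parsed into a structured query by an added example. This is example code, not Preventsys code; the exact tokenization the Remote Windows Registry Scanner applies is an assumption, as is the list of hive names used to reject malformed entries. The is_expensive flag is there to catch, before an assessment runs, the entries the guide warns can exhaust server memory.

```python
"""Parse a WinReg "Registry Keys to Acquire" entry into hive, subkey path,
value name and read mode, using the syntax in the WinReg Connector
Configuration section and the Registry Value / Unnamed Value glossary entries:
  - components are separated by "\"; a literal "\" in a value name is "\\"
  - a trailing "*" reads every value under the key without recursing
  - a trailing "**" reads every value and recurses into subkeys
  - "*" as an intermediate component matches any subkey name
  - a trailing "\" (empty last component) addresses the key's Unnamed Value
Added example, not Preventsys code; the scanner's own tokenizer may differ."""
from dataclasses import dataclass
from typing import List, Optional

HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS",
         "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG"}   # assumed accepted hive names


@dataclass
class KeySpec:
    hive: str
    path: List[str]        # subkey components below the hive; "*" matches any subkey
    value: Optional[str]   # value name; "" is the Unnamed Value; None when enumerating
    mode: str              # "value", "values" (trailing *), or "recursive" (trailing **)

    @property
    def is_unnamed_value(self) -> bool:
        return self.mode == "value" and self.value == ""

    @property
    def is_expensive(self) -> bool:
        """The guide warns that ** and intermediate * can return very large result sets."""
        return self.mode == "recursive" or "*" in self.path


def split_components(spec: str) -> List[str]:
    """Split on single backslashes; a doubled backslash stays in the component as one."""
    parts: List[str] = []
    current, i = "", 0
    while i < len(spec):
        if spec[i] == "\\":
            if spec[i + 1:i + 2] == "\\":      # escaped backslash inside a name
                current += "\\"
                i += 2
                continue
            parts.append(current)
            current = ""
        else:
            current += spec[i]
        i += 1
    parts.append(current)                      # trailing "\" leaves an empty last part
    return parts


def parse_key_spec(spec: str) -> KeySpec:
    comps = split_components(spec.strip())
    if len(comps) < 2 or comps[0] not in HIVES:
        raise ValueError(f"entry must start with a hive and have at least one more component: {spec!r}")
    hive, *path, last = comps
    if any("*" in p and p != "*" for p in path):
        raise ValueError("a wildcard must be a whole component, and '**' is only allowed at the end")
    if last == "**":
        return KeySpec(hive, path, None, "recursive")
    if last == "*":
        return KeySpec(hive, path, None, "values")
    if "*" in last:
        raise ValueError("a value name cannot contain a wildcard")
    return KeySpec(hive, path, last, "value")  # last == "" selects the Unnamed Value


def is_valid_key_spec(spec: str) -> bool:
    try:
        parse_key_spec(spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for entry in (r"HKEY_USERS\*\Environment\TEMP", r"HKEY_LOCAL_MACHINE\SOFTWARE\**"):
        k = parse_key_spec(entry)
        print(entry, "->", k.mode, "expensive" if k.is_expensive else "cheap")
```

Run every line of the Registry Keys to Acquire field through parse_key_spec before saving the connector configuration: a ValueError means the entry will not do what you meant, and an is_expensive result close to the hive root is the case the guide's memory warning is about.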