Vulnerability Assessment Questions and Answers
Q: What is AVDS (Automated Vulnerability Detection System)?
A: AVDS is a vulnerability assessment and management solution that delivers accurate reports you can act on with confidence. Build security certainty by finding and eliminating the vulnerabilities in your network that invite attacks.
AVDS is designed to accurately scan networks from 64 to 200K active IPs and to offer vulnerability assessment and management control from an easy-to-use administration console. From that console, scanning management and report-access rights can be delegated to divisional or regional security administrators.
Q: Why is accuracy so important in Vulnerability Assessment (VA)?
A: An inaccurate VA report is very frustrating to use. If every third item in the report is a false positive (a finding that does not really exist), the whole report, and soon VA itself as a security tool, gets a bad name.
AVDS will restore your confidence in VA as a vital security tool. Regain complete certainty that when a VA report says that the network has high risks, they actually DO exist. Know without a doubt that when you are handling the risks discovered by AVDS you are doing the best job humanly possible to protect your network.
Q: How can AVDS be more accurate than other scanning or VA tools?
A: Most other VA solutions rely primarily on reading the version number from host banners. They assume that if version X is present, then all the vulnerabilities of version X are also present. This is not true if the fix was backported (common on Linux distributions, which ship security fixes without changing the reported version number) or if server or application settings make the vulnerable code path unreachable.
AVDS primarily checks the BEHAVIOR of hosts by sending queries whose actual response proves that a vulnerability exists. Our false positive rate is 0.1%, which is so low that most of our customers never experience a single error. Better yet, AVDS will discover vulnerabilities missed by others, which can happen if a patch is incompletely installed, or if a server or service never got restarted so that the patch can take effect.
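The difference between a version-based check and a behavioural check, as an added example that is not part of the original page and not AVDS code. The advisory (fixed in OpenSSH 7.5, vulnerable builds echo an over-long identification line), the hosts and their banners are all constructed for illustration; the point is which check each of the three cases above fools.

```python
import re

# Hypothetical advisory constructed for this example: the flaw is fixed in
# OpenSSH 7.5, and a vulnerable build echoes an over-long client
# identification line back instead of rejecting it. Neither detail comes
# from a real advisory; they only give the checks something to test.
FIXED_IN = (7, 5)
TRIGGER = b"SSH-2.0-" + b"A" * 300 + b"\r\n"


class SimulatedHost:
    """Stand-in for a scanned service.

    reported_version: what a version-based check reads (a service banner or
                      the installed package version).
    fixed_behaviour:  how the running code actually behaves.
    """

    def __init__(self, name, reported_version, fixed_behaviour):
        self.name = name
        self.reported_version = reported_version
        self.fixed_behaviour = fixed_behaviour

    def handle(self, request):
        if len(request) > 255 and not self.fixed_behaviour:
            return request  # vulnerable build echoes the oversized line back
        return b"Protocol mismatch.\r\n"


def parse_openssh_version(text):
    """'SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7' -> (7, 4); None if not OpenSSH."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def banner_check(host):
    """Version-only check: vulnerable if the reported version is below the fix."""
    version = parse_openssh_version(host.reported_version)
    return version is not None and version < FIXED_IN


def behaviour_check(host):
    """Behavioural check: send the trigger and decide from the response alone."""
    return host.handle(TRIGGER) == TRIGGER


# Constructed fleet covering the three cases described in the text.
HOSTS = [
    SimulatedHost("unpatched", "SSH-2.0-OpenSSH_7.4", fixed_behaviour=False),
    # Distribution backported the fix but kept the 7.4 version string.
    SimulatedHost("distro-backport", "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",
                  fixed_behaviour=True),
    # Package on disk says 7.5, but the old process was never restarted.
    SimulatedHost("updated-not-restarted", "OpenSSH_7.5p1", fixed_behaviour=False),
]


def compare_checks(hosts=HOSTS):
    """Run both checks; returns {host: {'banner': bool, 'behaviour': bool}}."""
    return {h.name: {"banner": banner_check(h), "behaviour": behaviour_check(h)}
            for h in hosts}


if __name__ == "__main__":
    for name, result in compare_checks().items():
        verdict = "agree" if result["banner"] == result["behaviour"] else "DISAGREE"
        print(f"{name:24} banner={result['banner']!s:5} "
              f"behaviour={result['behaviour']!s:5} {verdict}")
```

The banner check produces a false positive on the backported host and a false negative on the updated-but-not-restarted host; the behavioural check is right in all three cases because it never consults the version string.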
Q: Is AVDS a hardware or software solution?
A: It is available as a hosted service for scanning external IPs, as an appliance-based solution for scanning internal IPs, or as a hybrid. The hardware solution comes either as a single unit capable of both scanning and reporting, or as an enterprise version that uses two component types to cover networks of any size or complexity: the Information Server ("IS") and one or more Local Scanning Servers ("LSS").
The IS appliance is responsible for controlling the scans, storing the scanned results obtained from various scans, generating consolidated reports and providing access to reports. It is also used to control and manage all the associated LSS servers. The IS appliance can be configured to allow multiple users to connect to the system and to read scan reports, or to schedule scan jobs.
The LSS appliance is responsible for performing vulnerability scans across a segment of the network of up to 2,500 active nodes per day.
Q: What kinds of vulnerabilities does AVDS detect?
A: There are three scenarios in which a system can be vulnerable.
The first way a system can be vulnerable is when operating systems or network applications are poorly coded thus allowing attackers to exploit software flaws.
The second way a system can become vulnerable is when an operating system or an application in the system is infected with viruses, trojans or worms. In these instances, malicious code may open up a TCP port for unauthorized access from across the network.
The third way a system can be vulnerable is when a system is mis-configured, such that it becomes vulnerable. One example could be that a default password was left in place for the administrative interface of an application.
AVDS detects vulnerabilities that are caused by all three of the above scenarios.
Q: Where does Beyond Security get its vulnerability information?
A: Our main source of information is SecuriTeam (www.SecuriTeam.com). This is a vulnerability knowledgebase that Beyond Security owns and manages, and it is one of the largest such portals. Due to the open nature of the competing security portals, within 24 hours everyone has the same information, not much different from traditional news organizations.
Q: Does AVDS require installation of agents on the systems that are to be scanned?
A: No, AVDS does not require any software agents on any system.
Q: How does AVDS function differently from an Intrusion Prevention System ("IPS")?
A: IPS blocks attacks, AVDS finds and helps fix the vulnerabilities that the attackers are trying to reach. The most perfect IPS, with the most careful maintenance will not stop 100% of attacks. An average IPS with average maintenance is a poor barrier indeed.
Defending a network with IPS is like catching fast ball pitches (or football free kicks) in front of a glass window. You MUST stop every kick or throw. A well designed VA solution like AVDS will turn your window into a wall. Yes, please do use an IPS, but if you miss a packet, there is no emergency.
Q: How does AVDS function differently from a firewall?
A: A firewall typically performs network access control at the network border. It can only protect the network from unauthorized access from external networks to internal systems or applications. If an attack arrives over a connection that the firewall policy permits, the firewall cannot protect the system. AVDS finds and helps repair the vulnerabilities that attackers are searching for. If you have no vulnerabilities, then your dependence on perfect firewall management is eliminated.
Q: How does AVDS function differently from anti-virus software?
A: Anti-virus software is designed to detect and block malicious code (viruses, worms and trojans) by inspecting the files and processes on a system. It does not examine the system for the weakness that malicious code takes advantage of to get in. AVDS is able to find those vulnerabilities and help you eliminate them. As such, AVDS complements anti-virus software in protecting the system.
Q: Does AVDS perform auto-patching of the operating system/software when vulnerabilities are discovered?
A: No, AVDS does not perform auto-patching or auto-remediation. Based on good ISMS principles, all patches must be tested and verified before they can be deployed. As such, AVDS is not designed to violate this principle.
Q: What is the average scan rate (in packets/sec) generated by the LSS during typical scanning?
A: The LSS average scan rate is 300 packets per second. Scan rate is fully adjustable.
Q: What is the average throughput (in kb/sec) generated by the LSS during typical scanning?
A: The LSS average throughput rate is 60 kilobits per second. Scan speed, and the time of day and day of week at which scans run, are fully adjustable.
Q: How many IP addresses can the LSS scan in one day?
A: The LSS can perform scanning on about 2,500 hosts/nodes per day.
Q: What is the speed of an LSS scan on a Class A, Class B and Class C network?
A: The time taken to scan a network depends on the composition of the network being scanned rather than on its address-class size alone. A scan of an average network that contains a router, a network printer, 4 servers and 10 workstations would be completed in approximately 8 minutes.
Q: Can the rate of scanning be limited to minimize the amount of bandwidth used for scanning?
A: Yes, AVDS allows the administrator to limit the rate of scanning.
Q: How long can the IS keep reports for a network size of one Class C network?
A: The IS can store scan results for a class C for more than 5 years.
Q: Does the AVDS support scanning configuration backup?
A: Yes, the AVDS supports this function.
Q: How is AVDS typically deployed?
A: A single unit installation is available for simple networks of up to 2500 active hosts. This deployment is ideal for companies just starting vulnerability assessment. A multiple unit system scans large or widely distributed networks, such as multiple location retail chains or banks with branches in many countries. In either case these deployments share our proven scanning engine and same vulnerability library.
Q: How do the Local Scanning Servers send the scanned results to the Information Server? Is it via push or pull mechanism?
A: Scan results are encrypted and then sent by SSL. The IS can pull the results from the LSS, or the LSS can push the scanned results to the IS. Such flexibility allows the organization to deploy AVDS to fit their network access control requirements.
Q: Can the LSS scan through a firewall? Can the LSS also operate in a NAT environment?
A: Yes, but for accurate results, scanning of internal IPs must be done from within the network. When a scan is made through a firewall or a NAT device, the firewall or router may rewrite or drop parts of the probe packets (addresses, ports, fragments, options). As such, it may lead to false positives or false negatives in the report.
Q: Does AVDS perform port-scanning as part of vulnerability detection?
A: Yes, AVDS always performs port scanning to detect all ports opened on a system.
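A rate-limited TCP connect scan, as an added example serving both the adjustable scan rate (two answers above) and the port scanning described here. This is not AVDS code and not how the LSS is implemented: the token bucket paces probes at a configurable packets-per-second rate, and a port is reported open only when the TCP handshake completes. The target is a constructed loopback listener on an ephemeral port, so the block runs offline; the rate, burst and port range are assumptions.

```python
import socket
import time


class TokenBucket:
    """Paces probes to at most `rate` per second with a burst allowance of `burst`.

    clock/sleep are injectable so the pacing can be checked without waiting.
    """

    def __init__(self, rate, burst, clock=time.monotonic, sleep=time.sleep):
        self.rate = float(rate)
        self.capacity = float(burst)
        self.tokens = float(burst)
        self.clock = clock
        self.sleep = sleep
        self.last = clock()

    def take(self):
        """Block until one token is available, then consume it."""
        while True:
            now = self.clock()
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
            self.last = now
            if self.tokens >= 1.0:
                self.tokens -= 1.0
                return
            self.sleep((1.0 - self.tokens) / self.rate)


def paced_timeline(n, rate, burst):
    """Virtual timestamps at which n probes are released by the bucket (no real waiting)."""
    t = [0.0]

    def clock():
        return t[0]

    def sleep(seconds):
        t[0] += seconds

    bucket = TokenBucket(rate, burst, clock=clock, sleep=sleep)
    stamps = []
    for _ in range(n):
        bucket.take()
        stamps.append(t[0])
    return stamps


def connect_scan(host, ports, bucket, timeout=0.2):
    """TCP connect scan: a completed handshake (connect_ex == 0) means the port is open."""
    open_ports = []
    for port in ports:
        bucket.take()  # wait for the rate limiter before every probe
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def scan_local_demo(rate=50, burst=5):
    """Constructed target: one loopback listener on an ephemeral port, scanned
    together with its ten neighbours. Returns (listener_port, open_ports, seconds)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    try:
        target = listener.getsockname()[1]
        ports = [p for p in range(target - 5, target + 6) if 1 <= p <= 65535]
        start = time.monotonic()
        found = connect_scan("127.0.0.1", ports, TokenBucket(rate, burst))
        return target, found, time.monotonic() - start
    finally:
        listener.close()


if __name__ == "__main__":
    print("release times at 4 pps, burst 2:", paced_timeline(8, rate=4, burst=2))
    target, found, seconds = scan_local_demo()
    print(f"listener on {target}; open ports found: {found}; took {seconds:.2f}s")
```

With a burst of 5 and a rate of 50 pps, eleven probes must take at least 0.12 s, which is how the scan rate setting bounds bandwidth: probes never leave faster than the bucket refills, regardless of how quickly targets answer.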
Q: What systems does AVDS currently check?
A: The AVDS currently scans for vulnerabilities in the following systems and applications:
Q: What database system does AVDS use to store scanned results? Where does this database reside?
A: AVDS uses MySQL as the database system, and the database resides in the IS.
Q: How can the Security Administrator access the IS to perform administrative functions?
A: The Security Administrator can manage the IS (and the associated LSS) through a web browser.
Q: How many vulnerability checks does AVDS contain?
A: The AVDS test database can identify and report on more than 10,000 individual vulnerabilities. Over 100 new vulnerabilities are added to it every month.
Q: How often is the vulnerability checks database updated?
A: AVDS will perform an update every hour. Upon discovery of any vulnerability, AVDS can be updated with the latest vulnerability check within one hour time frame.
Q: Are the IS or LSS appliances secure?
A: The IS and LSS are routinely audited for security vulnerabilities and are deployed in a hardened Linux configuration.
Q: How will an IDS/IPS react to an AVDS scan?
A: The LSS sends out packets that are typical of an attack. As such, an IDS/IPS should treat the LSS as a malicious attacker (if it does not, that is an issue!). To avoid conflicts, add the IP address of the LSS to the IDS/IPS white list to prevent them from generating false alarms. Scope that exception as narrowly as possible, to the LSS address and its scheduled scan windows: an exception by source address alone means that any traffic from, or spoofed as, that address is ignored.
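What the IDS side of this looks like, as an added example that is not part of the original page and not any vendor's detection code: a port-sweep detector run over constructed connection-log lines, with the scanner's address excepted only inside its scheduled window. The log format, addresses, thresholds and schedule are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format: "<ISO timestamp>Z src=<ip> dst=<ip> dport=<port> proto=tcp"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

# Constructed policy: the scanner address and the UTC hours [start, end) in which
# it is scheduled to scan. Outside that window its traffic is NOT excepted.
SCANNER_WINDOWS = {"10.0.0.9": (1, 4)}
DISTINCT_PORTS = 8     # this many distinct ports from one source to one host ...
WINDOW_SECONDS = 60    # ... within this many seconds counts as a sweep


def parse_line(line):
    """Returns (ts, src, dst, dport) or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["dst"], int(m["dport"])


def scanner_in_window(src, ts):
    window = SCANNER_WINDOWS.get(src)
    return window is not None and window[0] <= ts.hour < window[1]


def detect_scans(lines):
    """Sliding-window sweep detection; one finding per (src, dst) pair."""
    events = sorted(filter(None, (parse_line(line) for line in lines)))
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, dport) inside the window
    findings, reported = [], set()
    for ts, src, dst, dport in events:
        q = recent[(src, dst)]
        q.append((ts, dport))
        while (ts - q[0][0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= DISTINCT_PORTS and (src, dst) not in reported:
            reported.add((src, dst))
            if src in SCANNER_WINDOWS and scanner_in_window(src, ts):
                status, reason = "suppressed", "known scanner inside scheduled window"
            elif src in SCANNER_WINDOWS:
                status, reason = "alert", "known scanner address active outside scheduled window"
            else:
                status, reason = "alert", "port sweep from unexpected source"
            findings.append({"src": src, "dst": dst, "ports": sorted(ports),
                             "status": status, "reason": reason})
    return findings


def _burst(minute_prefix, src, dst, ports):
    """Builds constructed log lines, one per second, for a burst of connections."""
    return [f"{minute_prefix}:{i:02d}Z src={src} dst={dst} dport={p} proto=tcp"
            for i, p in enumerate(ports)]


# Constructed sample log: a scheduled scan, an unexpected sweep, the scanner
# address active at 14:30, and ordinary repeated HTTPS traffic.
SAMPLE_LOG = (
    _burst("2024-05-01T02:00", "10.0.0.9", "10.0.1.20",
           [21, 22, 23, 25, 80, 110, 143, 443, 445, 3389])
    + _burst("2024-05-01T09:15", "192.168.5.7", "10.0.1.20",
             [22, 23, 80, 135, 139, 443, 445, 8080, 8443])
    + _burst("2024-05-01T14:30", "10.0.0.9", "10.0.1.30",
             [21, 22, 25, 80, 443, 445, 3306, 3389])
    + _burst("2024-05-01T10:00", "10.0.0.33", "10.0.1.20", [443, 443, 443])
)


if __name__ == "__main__":
    for f in detect_scans(SAMPLE_LOG):
        print(f"{f['status']:10} {f['src']:>12} -> {f['dst']:<10} {len(f['ports'])} ports: {f['reason']}")
```

The suppressed finding is still recorded rather than discarded, so the scheduled scan remains auditable, and the same scanner address sweeping a host outside its window is raised as an alert: an allow list keyed only on the IP would have silenced it.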
Q: Does the AVDS allow the organization to customize their risk policies?
A: Yes. Through the asset and policy management features, AVDS allows organizations to assign a value to each asset to establish its risk value.
Q: Why does AVDS manage risk through asset values instead of vulnerability values?
A: Organizations rate the risk of a given vulnerability differently from one another. Instead of changing the severity of the vulnerability, which would be ambiguous, changing the value of the asset is more relevant. This means that, for the same vulnerability, a high value asset carries a higher risk than a low value asset.