CHAPTER 6, PART 1

VULNERABILITY SCAN PROCEDURES
1 BACKGROUND

Global network connectivity is commonplace for information exchange and is crucial to conducting many everyday operations.  However, the benefits can be overshadowed by the increase in network vulnerabilities.  The number of Information Technology (IT) related incidents that have occurred in the past year, along with the increase in the number and complexity of threats, requires that USDA take its security protection measures seriously.  Networks and information technology resources are continually vulnerable to illegal/malicious activity or exploitation by internal and external sources.

Vulnerability Scan Procedures are a critical component of the Overall Security Protection Plan within the Department.  Regular IT inventories and vulnerability scans have proven to be effective tools in combating IT incidents and exploits of USDA information assets.  The purpose of this document is to establish the policy and procedures for the inventory and vulnerability scans of all USDA managed networks, systems, and servers.

2 POLICY

All USDA agencies and mission areas will establish and implement the following procedures for accomplishing vulnerability scanning of all networks, systems, servers, and desktops for which they have responsibility.  Each agency/mission area will report to CS all Critical Vulnerabilities (High and Medium) found as a result of the scan.  Internet Security Systems (ISS) Internet Scanner software, obtained from the Department-wide Contract Vehicle established for this purpose, will be used to scan networks, systems and servers.  The ISS software already classifies vulnerabilities into high, medium and low using default values from the vendor.  Vulnerability scans are to be performed on a monthly basis for all existing and new networks, systems, servers, and desktops by duly authorized users in accordance with established procedures.  Cyber Security also requires that Discovery Scans be performed monthly to ensure that there are no “unauthorized devices” on agency networks.  Agencies will run scans inside USDA using USDA-owned IP addresses, unless they have an approved exception to deviate from this policy.

Physical or electronic inventories can be done of networks, systems, servers, and workstations; however, electronic inventories are preferable.  Each agency will designate authorized personnel to conduct software scans.  All authorized users will be trained in the use of the scanner software prior to conducting any internal or external scans and will notify CS before running scans.  The National Intrusion Detection System (IDS) managed by CS detects all scans, whether they originate externally or internally.  Agencies/staff offices will identify the range of Internet Protocol (IP) addresses to be scanned and the IP address of the platform being used to launch the scan.  Agencies and staff offices will not attempt to scan networks, systems, servers or desktops for which they are not responsible.

Agencies and staff offices will produce and retain inventory and vulnerability scan reports for all scans conducted, in compliance with agency record management guidelines.  The Monthly Scan Certification form, Appendix B, will be completed by the agency ISSPM and sent to CS at the end of each month.  Critical vulnerabilities are those that have the potential to disrupt the operation of networks, servers and desktops used to transport USDA data.  A summary of the vulnerabilities identified will be provided to the agency Chief Information Officer (CIO) for review to ensure that corrective action plans are developed within 30 days and implemented for critical vulnerabilities identified.  A Plan of Action and Milestones (POA&M) will be developed in accordance with Federal Information Security Management Act (FISMA) reporting requirements for any unresolved critical vulnerabilities existing for more than 30 days from the date of the scan.  Agencies do not need to request exceptions for “false positives”.
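As an added illustration (not part of the USDA procedure text), the following Python applies the rules above to a constructed set of scan findings: High and Medium findings are treated as critical, confirmed false positives are excluded, and unresolved critical findings more than 30 days old are flagged for the POA&M.  The host addresses, check names and review date are hypothetical.

```python
from dataclasses import dataclass
from datetime import date

# Vendor-default severity buckets; under the USDA procedure High and Medium are "critical".
CRITICAL_SEVERITIES = {"High", "Medium"}
# Corrective action is due within 30 days of the scan; anything unresolved after that is a POA&M item.
POAM_THRESHOLD_DAYS = 30
# Review date assumed for the constructed sample below (the guide's own date).
REVIEW_DATE = date(2005, 7, 14)


@dataclass
class Finding:
    host: str
    check: str
    severity: str                 # "High", "Medium" or "Low"
    scan_date: date
    resolved: bool = False
    false_positive: bool = False  # false positives need no exception request


def is_critical(f: Finding) -> bool:
    """High and Medium findings are critical; confirmed false positives are not."""
    return f.severity in CRITICAL_SEVERITIES and not f.false_positive


def needs_poam(f: Finding, today: date) -> bool:
    """Unresolved critical findings older than 30 days from the scan date go on the POA&M."""
    return is_critical(f) and not f.resolved and (today - f.scan_date).days > POAM_THRESHOLD_DAYS


def triage(findings: list, today: date) -> dict:
    """Summarise one month's findings for the agency CIO review."""
    critical = [f for f in findings if is_critical(f)]
    return {
        "critical_open": sum(1 for f in critical if not f.resolved),
        "critical_resolved": sum(1 for f in critical if f.resolved),
        "poam_required": sorted(f"{f.host}:{f.check}" for f in findings if needs_poam(f, today)),
        "false_positives": sum(1 for f in findings if f.false_positive),
    }


# Constructed sample results: hypothetical hosts and check names, not real scan data.
SAMPLE = [
    Finding("10.0.1.5", "Check-A", "High", date(2005, 6, 1)),
    Finding("10.0.1.5", "Check-B", "Medium", date(2005, 6, 1), resolved=True),
    Finding("10.0.1.9", "Check-C", "Medium", date(2005, 7, 1)),
    Finding("10.0.1.9", "Check-D", "High", date(2005, 6, 1), false_positive=True),
    Finding("10.0.2.3", "Check-E", "Low", date(2005, 6, 1)),
]

def sample_triage() -> dict:
    """Run the triage over the constructed sample as of REVIEW_DATE."""
    return triage(SAMPLE, REVIEW_DATE)
```

Running `sample_triage()` reports two open and one resolved critical finding, one false positive, and flags only the 43-day-old High finding on 10.0.1.5 for the POA&M.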

Policy Exception Requirements – Agencies will submit all policy exception requests directly to the ACIO for Cyber Security.  Exceptions to policy will be considered only in terms of implementation timeframes; exceptions will not be granted to the requirement to conform to this policy.  Exceptions that are approved will be interim in nature and will require that each agency report this Granted Policy Exception (GPE) as a Plan of Action & Milestone (POA&M) in their FISMA reporting, with a GPE notation, until full compliance is achieved.  Interim exceptions expire with each fiscal year.  Compliance exceptions that require longer durations will be renewed on an annual basis with an updated timeline for completion.  CS will monitor all approved exceptions.

3 RESPONSIBILITIES

a. The Associate Chief Information Officer for Cyber Security will:

(1) Provide customer support to agencies and staff offices in obtaining Internet Security Scanners, Scanning Software and Keys from the USDA Enterprise License Contract;

(2) Assist agencies/staff offices in obtaining training on the use of scanning equipment on their networks, systems, and servers;

(3) Provide technical guidance in scanner use to agencies and staff offices, as required, after training of authorized users has taken place;

(4) Conduct oversight reviews of agencies and staff offices to review vulnerability reports and corrective actions taken to ensure that networks, systems, and servers are protected in accordance with this policy; CS also reserves the right to review Discovery Scans;

(5) Monitor Scan Certification forms to ensure that agencies and staff offices comply with this policy; and

(6) Review all requests for exceptions to this policy in a timely manner and coordinate the response to the agency.

b. The Agency Chief Information Officer will:

(1) Implement and enforce this policy and procedures within all internal agency/staff office activities that are responsible for networks, systems, workstations, and servers;

(2) Ensure that all agency/staff offices order and use the Internet Security Scanner software and keys in conducting internal and external scans on a monthly basis, and that inventories of networks, systems, servers, software and Internet Protocol (IP) addresses are maintained;

(3) Designate and notify CS of personnel authorized to conduct agency/staff office scans; ensure that these personnel are trained; notify Cyber Security prior to conducting any scans;

(4) Review Scan Certification information on a monthly basis to ensure that critical vulnerabilities identified are corrected in a timely manner;

(5) Provide a completed Scan Certification Report (Appendix B) to CS for all agency systems and desktops scanned on a monthly basis;

(6) Submit an exception package, including a strong justification, for all critical vulnerabilities when corrective actions are not taken, and forward it to the Associate CIO for CS for review and action; and

(7) Take necessary action to archive IP addresses, IT equipment inventory and vulnerability reports in compliance with agency records management guidelines.

c. The agency Information Systems Security Program Managers (ISSPM), Systems/Network Administrators or Authorized Users will:

(1) Assist in performing monthly inventories and vulnerability and discovery scans of all agency/staff office managed networks, systems, workstations, servers, and desktops as the authorized user;

(2) Assist in performing vulnerability scans of all new systems, networks, or servers prior to production deployment and of existing systems after major changes are made;

(3) Assist in producing/updating inventory and vulnerability reports for all agency/staff office managed networks, servers, software and IP addresses on a monthly basis;

(4) Complete the Scan Certification (Appendix B) on a monthly basis for all agency systems and desktops;

(5) Forward the report to the agency Chief Information Officer for review and further action;

(6) Document the status of actions taken by all Authorized Users to mitigate vulnerabilities identified, or prepare a written exception package with a strong justification to the agency/staff office IT Manager/CIO for actions not taken; and

(7) Update quarterly POA&Ms in accordance with Federal Information Security Management Act (FISMA) reporting requirements with any unresolved critical vulnerabilities existing for more than 30 days from the date of the scan.

d. Agency System/Network Administrators (not Authorized Users) will:

(1) Deploy new systems into production or operational status only after critical vulnerabilities are resolved through security mitigations or accreditation by the Designated Accrediting Authority (DAA)/agency CIO;

(2) Apply patches or fixes to agency/staff office managed networks, systems, servers, and desktops in a timely manner as appropriate;

(3) Keep a written record of all patches and fixes applied to agency/staff office managed networks, systems, and desktops, including the version and date; Cyber Security reserves the right to verify all written records of system/network/server patches;

(4) Collaborate with the ISSPM/Authorized Users in ensuring that IP address updates, inventory of IT equipment and vulnerability scans are conducted/updated on a monthly basis; and

(5) Assist the ISSPM/Authorized Users in ensuring that mitigation actions are taken promptly for all critical vulnerabilities or that a persuasive and cogent written justification is provided to the agency CIO for actions not taken.

-END-

Internet Scanner 7.0 Service Pack 2 User’s Guide
July 14, 2005
Prepared by:

Craig J. Chase, Cyber Security Administrator

1400 Independence Ave, SW, Room 555 Reporters

Stop 7611

Washington, DC 20250

202-690-0271

craig.chase@usda.gov


Overview of Internet Scanner

Introduction

Internet Scanner is a vulnerability assessment product that analyzes the security of devices on an enterprise-wide network, checking for vulnerabilities on routers, Web servers, Unix servers, Windows servers, desktop systems, and firewalls.

Internet Scanner can be used on all TCP/IP-based networks, networks connected to the Internet, and on stand-alone networks and machines.

This user’s guide provides the basic steps for installing and operating Internet Scanner 7.0 Service Pack 2 (SP2).  If you require more detailed information, please refer to the PDF document entitled “Internet Scanner User’s Guide”, provided by Internet Security Systems (ISS).

Benefits of Internet Scanner

There are many benefits that Internet Scanner provides.  Some include:

Internet Scanner Architecture

Internet Scanner is divided into two areas of functionality: the Internet Scanner Console and the Internet Scanner Sensor.

The Internet Scanner Console

There are seven major components of the Internet Scanner console.  They are:

Component (executable): Description

Client – Scanner GUI (Scanner_Console.exe): Controls the sensor and scan options from a GUI front end.

Client – 7.0 CLI/Engine Manager (EngineMgr.exe): Controls the sensor and multiple scan options from the command line for scheduling and scripting.

Client – 6.2.1 CLI (ISS_WinNT.exe): Provides backward compatibility to support custom scripts written to control older versions of Internet Scanner.

Policy Editor (CPE.exe): Used to customize policies.

Policy Migration (PolicyMigration.exe): Used to migrate custom policies from Internet Scanner 6.2.1.

X-Press Update Installer (XpressUpdate.exe): Used to download and install updates to the current version of Internet Scanner.

Report Engine (ReportEngine.exe): Runs reports in various formats based on vulnerability scans.

The Internet Scanner Sensor

There are six major components of the Internet Scanner Sensor.  They are:

Component (executable): Description

Scan Controller (ISSDaemon.exe): Directs job requests to the appropriate sensor components.

Database (Scan7db.mdf): Stores scan results.

Flex Checks (FlexCheck.exe): The engine responsible for running custom vulnerability checks.

Discovery (Discovery.exe): The engine responsible for enumerating live hosts.

OS Identification (Discovery.exe): The engine responsible for identifying remote operating systems.  Part of Discovery.

Assessment Checks (Builtin MicroEngine.exe, Plugin MicroEngine.exe): Engines responsible for checking for specific vulnerabilities.

SiteProtector and Distributed Scanning Solutions

Internet Scanner incorporates native support for SiteProtector, which allows Internet Scanner to be centrally managed.  USDA’s enterprise license for Internet Scanner also includes the SiteProtector license.  Please contact your ISSPM for a license key.

This user guide does not cover using SiteProtector with Internet Scanner.  For more information on SiteProtector and Internet Scanner, please see the “Internet Scanner User’s Guide”, provided by ISS.


Installing Internet Scanner

Requirements for Installation

These items are required when installing Internet Scanner.

Item: Minimum Requirement

Processor: 1.2 GHz Pentium III (2.4 GHz Dual XEON Processor Recommended)

Operating System:
  • Windows 2000 Professional Service Pack 4
  • Windows Server 2003 Standard Edition
  • Windows XP Professional Service Pack 1a
  The installation of Internet Scanner is not supported on Windows 2000 Server or Windows XP Service Pack 2.

Other software:
  • Microsoft Internet Explorer 5.5 SP2 or later is required to run HTML Help.
  • Adobe Acrobat Reader 4.x or later is required to view the PDF files in the Manuals folder.
  • For reporting purposes, a printer driver is required on the computer running Internet Scanner.  The Generic/Text Only printer driver is sufficient.

Memory: 512 MB (1 GB Recommended)

Hard disk: 345 MB for installation from file.  NTFS file partition required.

User privileges: Local or domain administrator.

Database: MSDE SP3 Standard Installation.  MSDE is automatically installed if it is not already present.

Microsoft MDAC: Version 2.8.  If MSDE is automatically installed, it will also install MDAC 2.8.

Steps for Installing Internet Scanner 7.0 SP2

These steps detail the installation of Internet Scanner 7.0 SP2 on a Windows XP SP1 system without MSDE installed.

Step 1:

From the CD, shared drive or your hard drive, double-click IS70SP2.exe.

Step 2:

The Welcome screen appears.  Click Next to continue.

Step 3:

The Remove Installation Files window appears.  Select “Unpack the files used to perform the installation to a temporary location, and automatically remove these files after the setup is completed.  Select this option if you are not planning to run the setup again later.”  Click Next to continue.

Internet Scanner then starts the extraction process and displays a progress window.

Step 4:

The Welcome screen appears again.  Click Next to continue.

Step 5:

Click “I Accept” to accept the license agreement.

Step 6:

The Installation Options window appears.  Select the Standard option and click Next to continue.

Step 7:

The MSDE and MDAC question window appears.  Click Yes to continue.  This will automatically install an instance of Microsoft SQL Desktop Engine and MDAC 8.0.  MDAC will be installed first.

The MDAC 2.8 installation window may appear.

Step 8:

A Warning window appears indicating that a reboot is required after installing MDAC 8.0.  Click OK once all programs have been saved.  (Note: If you already have MDAC 8.0 installed, this step will not appear.)

Step 9:

After the reboot, log on with an Administrator account.  This will continue the installation process.

Step 10:

The Welcome to the InstallShield Wizard for Internet Scanner 7.0 Service Pack 2 window appears.  Click Next to continue.

Step 11:

Click “I Accept” to accept the license agreement.

Step 12:

The Installation Options window appears again.  Select the Standard option and click Next to continue.

Step 13:

The MSDE question appears again.  Click Yes to continue setting up MSDE.  You will receive several messages detailing the setup of MSDE.