Qualys

Policy Compliance
and Web Application
Scanning
training@qualys.com
Introductions And Expectations
Who am I?
Who are YOU?
Name
Company
Experience with QualysGuard Products
Expectation
Expectations for Class:
To succeed in class, you must understand the basic functions within QualysGuard, or have reviewed the "Getting started with QualysGuard" online demonstration.
Housekeeping
Please turn your phones to vibrate
Breaks are generally every hour
Class usually ends early
Agenda
Policy Compliance
Policy Compliance and Vulnerability Management
Understanding the nuances
The Risk Factor
Policy Development within an organization
QualysGuard Controls and Policies
Compliance Scanning and Reporting
Web Application Scanning
Some history
The Basics of Web Application Security
The WAS lifecycle
Set Up
Scanning
Reporting
Troubleshooting
Useful QIDs
Policy Compliance in the formal sense is heavily dependent on the auditor and the auditing practices of your auditor.
While QualysGuard cannot guarantee compliance with a particular regulation, we do assist in your compliance endeavor.
QualysGuard Policy Compliance
Differences between Vulnerability Management and Policy Compliance
QualysGuard Training
Policy Compliance Mindset
No longer are we just concerned about discovery on a host.
Now we are concerned with an overall security posture.
Vulnerability Mgmt vs Policy Compliance
Vulnerability Management
Real time check of hosts
Vulnerabilities
Patch levels
Access to Raw Scan data
Remediation tools
Reactive
Policy Compliance
Realtime configuration checks
Raw Scan data is not accessible
Has no meaning until checked against a policy
QualysGuard gathers all information about a host
Use Exceptions to exempt specific devices from controls
PROACTIVE
Compliance Workflow
Deployment Methodology
Create Policy
Assign Policy to Asset Groups
Define Asset Groups
Add Asset Groups to Policy
Compliance Scan
Define Options Profile
Select Scanner Appliance
Run Compliance Scan
Compliance Policy Reports
Define Report Template
Run Report
Create and Manage Exceptions
Run Interactive Report
Request Exception
Policy Development within an Organization
Compliance Process
A Top-Down Approach
Simple Compliance Framework (diagram, from Framework Level at the top to Detailed Technical at the bottom):
Enforcement: Regulations, Frameworks, Standards
  SOX, HIPAA, GLBA, CobiT, COSO, ISO 17799, PCI, NIST, NERC
Policies, Standards, Business Requirements
  (Example: Vulnerable processes must be eliminated...)
Controls (Manual/Auto)
  CID 11?? (last two digits garbled in the source): The telnet daemon shall be disabled
Procedures and Guidelines (Detail)
  AIX 5.x Technology: Telnet streams are transmitted in clear text, including usernames and passwords. The entire session is susceptible to interception by Threat Agents.
Frameworks
Frameworks you can use within QualysGuard
Frameworks in QualysGuard
CIS - AIX
CIS - Cisco IOS, 2.2
CIS - Cisco IOS, 2.4.0
CIS - HP-UX
CIS - Microsoft SQL Server 2000 1.0
CIS - Microsoft SQL Server 2005 1.1
CIS - Microsoft Windows 7
CIS - Oracle 11g 1.0
CIS - Oracle 9i, 10g v. 2.0
CIS - Red Hat Ent. Linux 2.1, 3.0, 4.0
CIS - Red Hat Ent. Linux 5 v. 1.0
CIS - Solaris 10
CIS - Solaris 8, 9
CIS - SuSE Linux Enterprise Server 2.0
CIS - SuSE Linux Enterprise Server 1.0
CIS - Windows 2000 Server Operating System Level 2 Benchmark Consensus Baseline Security Settings (Stand-alone and Member Servers)
CIS - Windows 2003 2.0, [Member Server]
CIS - Windows 2003, 1.2 [Member Server]
CIS - Windows 2008, 1.0 [Member Server]
CIS - Windows Server 2003, 2.0 [Domain Controller]
CIS - Windows XP Professional Operating System Legacy, Enterprise, and Specialized Security Benchmark Consensus Baseline Security Settings
CobiT 4.0 Guidelines (10.2005)
CobiT 4.1 Guidelines (05/2007)
FFIEC version 1 Published: 2006
Health Insurance Portability and Accountability Act [HIPAA] 1996 45 CFR Parts 160/164
ISO 17799 (2005) ISO/IEC 17799:2005
ISO 27001 (2005) ISO/IEC 17799:2005
IT Infrastructure Library (version 2)
IT Infrastructure Library (version 3)
NERC version 1 (CIP) Published: 2007 vol. 1
NERC version 2 (CIP) Critical Cyber Identification Standards
NIST 800-53 version 1 Published: 2006
NIST 800-53 version 3 (2009)
Policy Creation Lifecycle
The Compliance Project
I. Planning the Policy Approach
Establish Cross-functional team
Internal Auditors
Business owners
Technical teams
Establish naming conventions:
Policies
Comments
User Defined Controls
Establish approach on technology versions
Establish phases of policy creation steps
II. Creation Steps
1. Perform Gap Analysis
Search controls or create Gap Sheet
2. Create / Import New Policy and add controls
3. Configure parameters of these controls
May require a scan to be run to gather actual data; this data can aid in choosing the parameter value
4. Identify and create simple UDC controls that can be completed quickly
File/Registry key existence, permissions, and simple file content checks can be done quickly
TIP: Create a separate policy of UDCs for testing
5. Identify and create more complex UDC controls
Will require research and technical assistance
May involve complex regular expressions, for example to allow a range of values
6. Identify and create UDC controls that require custom shell scripts on UNIX systems
III. Review and approval of final policy
Setting up QualysGuard
QualysGuard Setup
Best Practices
1. Create Users
2. Add Domains and Hosts to subscription
3. Map the Network and Add any Additional Hosts
4. Create necessary Asset Groups
5. Create General Policy
6. Assign Policy to affected Hosts
7. Scan Hosts
8. Generate Policy Reports
9. Tweak Policy
10. Rerun Policy Reports
11. Request necessary exceptions
Creating Users
To enable Compliance for any role other than Manager and Auditor, the Extended Permission of Manage Compliance must be checked
Types of Roles
Manager
Auditor
Unit Manager
Scanner
Reader
Contact
Compliance User Role - Auditor
Limited Access to those areas of QualysGuard which involve Policy Compliance
Responsible for Exceptions
Cannot be assigned to a BU
Cannot run Compliance Scans
Adding Domains or Hosts
Add Domains or IPs
This may have been done with your TAM
Asset Discovery (Mapping)
Gives a good overall picture of the network
Asset Discovery Map
Asset Discovery
Mapping looks at the Domain or Netblock
Scanning looks at the individual hosts (narrow focus)
Know what assets are there to provide proper protection
Verify what is supposed to be there via Approved Hosts
Mapping is the foundation for proper asset management
Shows an overall view of your corporate assets
Affected Hosts
Must be in the QualysGuard subscription
They must also be included in the Policy Compliance module
Policies need to be assigned to a Host or Asset Group
Tip: start small; there can be a performance impact when doing compliance scans.
Affected Hosts can be in an existing Asset Group, or on their own
Creating Asset Groups
Asset Groups are buckets to hold devices
For Compliance, Qualys recommends setting up Asset Groups based on the geographic location and need:
One asset group for the HIPAA compliant Database Servers in the San Francisco office, and one for the Windows desktops
HIPAA-San Francisco-DB
HIPAA-San Francisco-Desktop
Another set of asset groups for the office in Los Angeles
HIPAA-LAX-DB
HIPAA-LAX-Desktop
HIPAA-LAX-Webservers
Control and Policy Setup
Necessary parts of a policy
Policy must have associated technologies
A policy contains a list of controls
In order to be useful, a policy has to have the affected hosts associated with it.
POLICY: Set Technologies, Add Hosts, Add Controls
Parts of a policy
Technologies: What are the technologies we'll be viewing for compliance?
Controls: What are the rules we want in place to specify our posture?
Hosts: Which hosts will we check?
Policy Import/Export
Download a Policy (and share that written policy)
Import another policy from a file or from Library
Controls Library
CIDs
Edit and view info
Categories
Controls
Compliance Categories, Frameworks and Technologies
Compliance Categories
Access Control Requirements
Anti-Virus/Malware
Database Settings
Encryption
Integrity and Availability
OS Security Settings
Services
Web Application Services
[Entire] Network Settings
Control Anatomy
Frameworks
Select Control to view info
Category and Sub Category
Control Cross Reference
Control Cross Reference to Internal Documentation
Reference internal compliance documentation such as approved mitigation procedures
Comments Section of a Control
Components of Controls
Cardinality of a control
X = Value Returned by the scan engine
Y = Represents the value expected by the control
Control cardinality use:
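An added example, not Qualys code, showing how the simple and regex-based UDCs from the creation steps (file content, file permissions) reduce to the cardinality above: X is what the scan returned for the host, Y is what the control expects. The file paths, file contents, modes and UDC labels are constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample of what a compliance scan pulls from a UNIX host (the X
# side of a control); paths and contents are illustrative, not real scan data.
SCAN_DATA = {
    "/etc/login.defs": {"content": "PASS_MAX_DAYS   90\nPASS_MIN_LEN 8\n", "mode": 0o644},
    "/etc/ssh/sshd_config": {"content": "PermitRootLogin yes\n", "mode": 0o600},
    "/etc/shadow": {"content": "", "mode": 0o640},
}

@dataclass
class FileContentControl:
    """File Content UDC: Passed when the expected regex (Y) matches the file (X)."""
    cid: str
    path: str
    expected: str  # regex describing the allowed value(s)

    def evaluate(self, scan_data):
        entry = scan_data.get(self.path)
        if entry is None:
            return "Failed"  # file missing: the setting cannot be verified
        # re.M lets ^ and $ anchor on each line of the file
        return "Passed" if re.search(self.expected, entry["content"], re.M) else "Failed"

@dataclass
class FilePermissionControl:
    """File Permissions UDC: Passed when X is no more permissive than Y."""
    cid: str
    path: str
    max_mode: int  # most permissive mode the policy allows (Y)

    def evaluate(self, scan_data):
        entry = scan_data.get(self.path)
        if entry is None:
            return "Failed"
        # any bit set in X that is clear in Y is an extra permission -> Failed
        return "Passed" if entry["mode"] & ~self.max_mode == 0 else "Failed"

# A range of acceptable values (60..90 days) written as a regular expression,
# the "complex regular expression" case from the creation steps.
PASS_MAX_DAYS_60_TO_90 = r"^PASS_MAX_DAYS\s+(6\d|7\d|8\d|90)\s*$"

CONTROLS = [
    FileContentControl("UDC-1", "/etc/login.defs", PASS_MAX_DAYS_60_TO_90),
    FileContentControl("UDC-2", "/etc/ssh/sshd_config", r"^PermitRootLogin\s+no\s*$"),
    FilePermissionControl("UDC-3", "/etc/shadow", 0o640),
    FilePermissionControl("UDC-4", "/etc/login.defs", 0o600),
]

def evaluate_policy(controls, scan_data):
    """Pass/Fail status per UDC, the raw material of a Policy Report."""
    return {c.cid: c.evaluate(scan_data) for c in controls}
```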
Windows User Defined Controls
User Defined Controls
for Windows:
Registry Key
Registry Value
Registry Value Content
Registry ACL
File Existence
File Permissions
File Integrity Check*
*Not enabled by default
UNIX User Defined Controls
User Defined Controls
for UNIX:
File Content
File Permissions
File Existence
File Integrity Check*
*Not enabled by default
User Defined Controls
Add controls to QualysGuard that are tailored to existing policy
Why have them?
Custom applications that require compliance audits
Systems use filenames / locations other than default settings
Determine if specific service packs are installed
What happens if I write a control that has already been defined by Qualys?
The system will present an error
How do we write them?
Requires an understanding of the requirement and a technical understanding of the system
Usually the auditor and the SysAdmin must be involved
Device Enumeration
Compliance Scan Workflow
Host Discovery
The service checks host availability. The service then checks whether the host is connected to the Internet, whether it has been shut down and whether it forbids all Internet connections.
OS Detection
The service identifies the operating system installed on target hosts using TCP/IP stack fingerprinting or OS fingerprinting on redirected ports.
Authentication
Host authentication is required for a compliance scan. If authentication fails, the scan processing stops.
Compliance Assessment
The service scans for all technical controls and, with that information, begins the compliance assessment.
Requirements for Policy Compliance
QualysGuard must have administrative access to all affected hosts
QualysGuard acts like an auditor
Hosts must be in the subscription and added to the Policy Compliance module
A compliance scan pulls every bit of data it can
A Compliance report uses that data to measure your compliance posture against a specific policy
Enumeration
So, what's our real workflow?
Create General Policy
Scan & Pull everything down specified in Control Library
Report
Create Policy/Add User Defined Controls
Scan again (which will include your new controls)
Report
Scanning the Affected Hosts
Tips:
Narrow the focus to the affected hosts
Make sure you have created your Compliance Option Profile
Not created by default
Ensure Full Administrative (or Root) access to hosts
If this access is not granted, the scan will fail for that host entirely
Compliance scanning happens less frequently than vulnerability management scanning; scheduling should reflect this
Data is NOT readable in raw scan format
Option Profile
An Option Profile specifically for Policy Compliance needs to be created.
Option Profiles
File Integrity check
If you are using UDCs for file integrity, you must check this box in your option profile
Password Auditing Controls
Dissolvable Agent performs password auditing
Up to 100 passwords to check
Windows Share Enumeration
Also uses the Dissolvable Agent
Authentication - Vaults
In large organizations where thousands of machines are scanned regularly for vulnerabilities, managing passwords is a challenge.
For example, if a password ages out and gets changed, then those changes must be passed to QualysGuard so that its passwords remain current.
Some organizations are reluctant to let their credentials leave the network.
Based on feedback from customers, including a major international bank who is our design partner for this integration, we partnered with Cyber-Ark to build a solution to this problem and reduce the burden of credential management for trusted scans.
Cyber-Ark Integration: benefits
Better manageability with Cyber-Ark integration
Increased security, control and audit of login credentials
Makes vulnerability trusted scans easier, for better visibility on the vulnerability and better prioritization of the remediation plans
Facilitates policy compliance scans
QualysGuard offers the best of both worlds to assist customers in adopting security in the cloud
Cyber-Ark Integration: How it works
Diagram: QualysGuard Scanner, Server (Scan Target), PIM Suite
1. User launches a trusted scan from the Qualys SOC
2. The Scanner Appliance (SA) gets the credentials from the Cyber-Ark Password Vault.
3. The SA scans the target using the credentials (Windows and Unix)
4. Scan results are exported to the Qualys SOC
5. Audit/control/policy enforcement using Cyber-Ark PIM suite features
BeyondTrust PowerBroker for Server, Version 6.0
Similar to Sudo
Executes pbrun su on local target to escalate user to root shell
The following technology platforms have been verified:
Red Hat Ent Linux v3, v4, and v5.x
SUSE Linux Ent Server 9, 10, and 11
HP-UX 11i v1, v2, and v3
IBM AIX v5.x and 6.x
SUN Solaris 8, 9, and 10
VMware ESX 3.x and 4.x
Mac OS X 10.x
Supports VM and PC Scanning
Authentication - PowerBroker
Enable in Unix Authentication Record
Root Delegation
Edit pb.conf locally
Required: runuser = "root";
Optional: if (user == "qualys" && basename(command) == "su" && argc == 2 && argv[1] == "-")
Optional: iolog = "/var/log/pb.iolog." + user + "." + basename(command) + "." + strftime("%y%m%d.%H%M%S");
Verification
Dashboard
Top Ten Technologies
Top 5 Passing
Top 5 Failing
Dashboard is a great Overview!
1. Double click Failing Policies
2. Automatically generate report from the UI
3. See your top failing Controls
Reports
Compliance Reports
Authentication Success/Fail report
Full Policy Report that includes all results, exceptions and audit trails
Interactive Control Pass/Fail report
Interactive Host Compliance report
Includes workflow for creating exceptions
Proof of pass/fail for this control on this host
Reports
The Report Summary
Pass/Fail Summary shows passed and failed control instances
Pass/Fail and Exceptions Summary shows passed and failed control instances with pending exceptions and passed with exception status.
Best Practice: If the Passed with exception value remains constant, you may need to revisit the compliance policy or review the asset group.
Reports
Policy Report includes compliance status with a specific policy.
The report lists the hosts assigned to the policy with the controls tested.
Results are shown as a passed/failed status
Authentication Reports
Review the Authentication report to confirm necessary administrator access
Interactive Reports
Creating Exceptions
Exceptions can only be created via the Interactive Reports in Compliance
Make sure the Control Pass/Fail has Both or Failed chosen:
Request the exception
Exception UI
Exceptions are created through the interactive report
Auditor will click on Edit to open the ticket
Managing Exceptions
Regardless of action, comments are required.
Set a time limit on an exception
Exceptions Approved
Note the E above the passed Posture
Exceptions
Examples of Exceptions:
Requirement: ftp, or any form thereof, should not be enabled on any external facing device
Reality: the support team must have ftp enabled to allow customers to send files larger than 5MB when their email will not allow such attachments
Requirement: all workstations must have the latest service pack installed
Reality: you are in the midst of an upgrade and it will take 30 days to have all systems tested and updated
Exceptions: the reality
Unlike VM, where *most* vulnerabilities and remediation tickets can be fixed with a patch, exception tickets present a different use case:
Changing the corporate stance on password length
Allowing FTP on certain machines but not others
What to do with an exception has been one of the biggest questions seen from customers thus far.
Can I modify a control? (no)
Can I delete a control? (yes, but there may be consequences)
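An added example, not Qualys code, that models the exception workflow described in the Reports and Exceptions slides: a failed control with an approved, unexpired exception reports as Passed with exception, a pending request still counts as failed, and an exception past its time limit falls back to Failed; it also implements the Report Summary best practice of flagging a Passed-with-exception count that never changes. The exception state names, hostnames, dates and CIDs are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class ControlException:
    status: str              # "Pending", "Approved" or "Rejected" (assumed state names)
    comment: str             # required regardless of action
    expires: Optional[date]  # optional time limit set by the Auditor on the ticket

    def __post_init__(self):
        if not self.comment.strip():
            raise ValueError("comments are required on every exception action")

@dataclass
class ControlInstance:
    cid: str
    host: str
    scan_result: str  # "Passed" or "Failed" as returned by the compliance scan
    exception: Optional[ControlException] = None

def posture(inst, today):
    """Posture reported for one control on one host as of a given date."""
    if inst.scan_result == "Passed":
        return "Passed"
    ex = inst.exception
    if ex is None:
        return "Failed"
    if ex.status == "Pending":
        return "Failed (exception pending)"
    if ex.status == "Approved" and (ex.expires is None or today <= ex.expires):
        return "Passed with exception"  # the 'E' above the passed posture
    return "Failed"  # rejected, or the time limit has passed

def report_summary(instances, today):
    """Counts behind the Pass/Fail and Exceptions Summary of one report run."""
    counts = {"Passed": 0, "Failed": 0, "Failed (exception pending)": 0, "Passed with exception": 0}
    for inst in instances:
        counts[posture(inst, today)] += 1
    return counts

def exceptions_need_review(summaries):
    """Best practice: a flat 'Passed with exception' count over runs means revisit the policy or asset group."""
    values = [s["Passed with exception"] for s in summaries]
    return len(values) >= 3 and values[0] > 0 and len(set(values)) == 1

# Constructed sample run echoing the deck's examples (FTP for support, service pack rollout).
TODAY = date(2011, 6, 1)
SAMPLE = [
    ControlInstance("CID-A", "hipaa-sf-db01", "Passed"),
    ControlInstance("CID-B", "hipaa-sf-db01", "Failed"),
    ControlInstance("CID-C", "support-ftp01", "Failed", ControlException("Approved", "Customers send files over 5MB", date(2011, 12, 31))),
    ControlInstance("CID-D", "ws-042", "Failed", ControlException("Approved", "Service pack rollout in progress", date(2011, 5, 1))),
    ControlInstance("CID-D", "ws-043", "Failed", ControlException("Pending", "Service pack rollout in progress", None)),
]
```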
Policy Compliance Labs
