
Qualys®
Policy Compliance and Web Application Scanning
training@qualys.com
Introductions And Expectations
− Who am I?
− Who are YOU?
Name
Company
Experience with QualysGuard Products
Expectation
− Expectations for Class:
To succeed in class, you must understand the basic functions within QualysGuard, or have reviewed the "Getting started with QualysGuard" online demonstration.
Housekeeping
− Please turn your phones to vibrate
− Breaks are generally every hour
− Class usually ends early
Agenda
Policy Compliance
− Policy Compliance and Vulnerability Management
Understanding the nuances
The Risk Factor
− Policy Development within an organization
− QualysGuard Controls and Policies
− Compliance Scanning and Reporting
Web Application Scanning
− Some history
− The Basics of Web Application Security
− The WAS lifecycle
Set Up
Scanning
Reporting
− Troubleshooting
Useful QIDs
Policy Compliance, in the formal sense, depends heavily on your auditor and your auditor's auditing practices. While QualysGuard cannot guarantee compliance with a particular regulation, we do assist in your compliance effort.
QualysGuard Policy Compliance
Differences between Vulnerability
Management and Policy Compliance
QualysGuard Training
QualysGuard Policy Compliance
Policy Compliance Mindset
No longer are we just concerned about "Discovery" on a Host; now we are concerned with an overall Security Posture.
QualysGuard Policy Compliance
Vulnerability Mgmt vs Policy Compliance
Vulnerability Management (Reactive)
− Real-time check of hosts
Vulnerabilities
Patch levels
− Access to raw scan data
− Remediation tools
Policy Compliance (PROACTIVE)
− Real-time configuration checks
− Raw scan data is not accessible
Has no meaning until checked against a policy
QualysGuard gathers all information about a host
− Use Exceptions to exempt specific devices from controls
QualysGuard Policy Compliance
Compliance Workflow
QualysGuard Policy Compliance
Deployment Methodology
− Create Policy
− Assign Policy to Asset Groups
Define Asset Groups
Add Asset Groups to Policy
− Compliance Scan
Define Options Profile
Select Scanner Appliance
Run Compliance Scan
− Compliance Policy Reports
Define Report Template
Run Report
− Create and Manage Exceptions
Run Interactive Report
Request Exception
Policy Development within an
Organization
QualysGuard Training
Compliance Process: a "Top-Down" Approach
Simple Compliance Framework (pyramid diagram; Framework Level at the top, Detailed Technical at the bottom; Detail and Enforcement increase toward the bottom):
− Policies, Standards, Business Requirements: driven by Regulations, Frameworks and Standards such as SOX, HIPAA, GLBA, CobiT, COSO, ISO 17799, PCI, NIST, NERC
− Procedures and Guidelines
− Controls (Manual/Auto)
Example, from policy level down to technical detail:
− Policy: "Vulnerable processes must be eliminated.."
− Control: CID 11__ (last two digits unreadable): "The telnet daemon shall be disabled"
− Technology: AIX 5.x: Telnet streams are transmitted in clear text, including usernames and passwords. The entire session is susceptible to interception by Threat Agents.
Frameworks you can use within QualysGuard
Frameworks in QualysGuard
CIS - AIX
CIS - Cisco IOS, 2.2
CIS - Cisco IOS, 2.4.0
CIS - HP-UX
CIS - Microsoft SQL Server 2000 1.0
CIS - Microsoft SQL Server 2005 1.1
CIS - Microsoft Windows 7
CIS - Oracle 11g 1.0
CIS - Oracle 9i, 10g v. 2.0
CIS - Red Hat Ent. Linux 2.1, 3.0, 4.0
CIS - Red Hat Ent. Linux 5 v. 1.0
CIS - Solaris 10
CIS - Solaris 8, 9
CIS - SuSE Linux Enterprise Server 2.0
CIS - SuSE Linux Enterprise Server 1.0
CIS - Windows 2000 Server Operating System Level 2 Benchmark Consensus Baseline Security Settings (Stand-alone and Member Servers)
CIS - Windows 2003 2.0, [Member Server]
CIS - Windows 2003, 1.2 [Member Server]
CIS - Windows 2008, 1.0 [Member Server]
CIS - Windows Server 2003, 2.0 [Domain Controller]
CIS - Windows XP Professional Operating System Legacy, Enterprise, and Specialized Security Benchmark Consensus Baseline Security Settings
CobiT 4.0 Guidelines (10.2005)
CobiT 4.1 Guidelines (05/2007)
FFIEC version 1 Published: 2006
Health Insurance Portability and Accountability Act
[HIPAA] 1996 45 CFR Parts 160/164
ISO 17799 (2005) ISO/IEC 17799:2005
ISO 27001 (2005) ISO/IEC 17799:2005
IT Infrastructure Library (version 2)
IT Infrastructure Library (version 3)
NERC version 1 (CIP) Published: 2007 vol. 1
NERC version 2 (CIP) Critical Cyber Identification Standards
NIST 800-53 version 1 Published: 2006
NIST 800-53 version 3 (2009) 3: 2009
Policy Creation Lifecycle
The Compliance “Project”
I. Planning the Policy Approach
Establish Cross-functional team
− Internal Auditors
− Business owners
− Technical teams
Establish naming conventions:
− Policies
− Comments
− User Defined Controls
Establish approach on technology versions
Establish phases of policy creation steps
Policy Creation Lifecycle
The Compliance “Project”
II. Creation Steps
1. Perform Gap Analysis
− Search controls or create a Gap Sheet
2. Create / Import New Policy and add controls
3. Configure parameters of these controls
− May require a scan to be run to gather actual data; this data can help you choose the parameter value
Policy Creation Lifecycle
The Compliance “Project”
4. Identify and create simple UDC controls that can be completed quickly
− File/Registry key existence, permissions and simple file content checks can be done quickly
− TIP: Create a separate policy of UDCs for testing
5. Identify and create more complex UDC controls
− Will require research and technical assistance
− May involve complex regular expressions, for example to allow a range of values
6. Identify and create UDC controls that require custom shell scripts on UNIX systems
III. Review and approval of final policy
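Added example, not code from the deck or from Qualys' UDC engine: a POSIX shell script that emulates three of the UNIX UDC types listed in steps 4 to 6 (file content with a regex that allows a range of values, file permissions, and a custom script for the telnet control used as the deck's example) against constructed sample files in a temp directory. Function names, control labels and the sample file contents are hypothetical.

```shell
#!/bin/sh
# Hypothetical stand-ins for three UNIX UDC types: file content (with a regex
# that allows a range of values), file permissions, and a custom shell check.
# Sample "system files" are constructed in a temp dir; nothing real is read.
UDC_ROOT=$(mktemp -d)
printf 'ftp     stream tcp nowait root /usr/sbin/ftpd ftpd\n' > "$UDC_ROOT/inetd.conf"
printf '#telnet stream tcp nowait root /usr/sbin/telnetd telnetd -a\n' >> "$UDC_ROOT/inetd.conf"
printf 'PASS_MIN_LEN 8\nPASS_MAX_DAYS 60\n' > "$UDC_ROOT/login.defs"
: > "$UDC_ROOT/shadow"
chmod 0400 "$UDC_ROOT/shadow"

# File Content UDC. $1 = file, $2 = extended regex, $3 = present|absent.
# "present" passes when some line matches; "absent" passes when none does.
udc_file_content() {
  [ -r "$1" ] || { echo FAIL; return 0; }
  if grep -Eq -- "$2" "$1"; then found=yes; else found=no; fi
  case "$3:$found" in
    present:yes|absent:no) echo PASS ;;
    *)                     echo FAIL ;;
  esac
}

# File Permissions UDC. $1 = file, remaining args = allowed octal modes.
udc_file_perms() {
  f=$1; shift
  [ -e "$f" ] || { echo FAIL; return 0; }
  mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU stat, then BSD stat
  for allowed in "$@"; do
    if [ "$mode" = "$allowed" ]; then echo PASS; return 0; fi
  done
  echo FAIL
}

# Custom-script UDC for the deck's example control "the telnet daemon shall
# be disabled": an active (uncommented) telnet line in inetd.conf is a failure.
udc_telnet_disabled() {
  udc_file_content "$1/inetd.conf" '^[[:space:]]*telnet[[:space:]]' absent
}

# PASS_MAX_DAYS must be 1..90: the alternation expresses the numeric range.
udc_pass_max_days() {
  udc_file_content "$1/login.defs" \
    '^PASS_MAX_DAYS[[:space:]]+([1-9]|[1-8][0-9]|90)[[:space:]]*$' present
}

# Evaluate every control against a root dir and print one line per control.
evaluate_policy() {
  echo "TELNET-DISABLED  $(udc_telnet_disabled "$1")"
  echo "PASS-MAX-DAYS    $(udc_pass_max_days "$1")"
  echo "SHADOW-PERMS     $(udc_file_perms "$1/shadow" 400 600)"
}

evaluate_policy "$UDC_ROOT"
```

Point the functions at a different root to test a failing configuration; a commented-out telnet line passes, an active one fails.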
Setting up QualysGuard
QualysGuard Training
QualysGuard Setup
Best Practices
1. Create Users
2. Add Domains and Hosts to subscription
3. Map the Network and Add any Additional Hosts
4. Create necessary Asset Groups
5. Create General Policy
6. Assign Policy to affected Hosts
7. Scan Hosts
8. Generate Policy Reports
9. Tweak Policy
10. Rerun Policy Reports
11. Request necessary exceptions
QualysGuard Setup
Creating Users
To enable Compliance for any role other than "Manager" and "Auditor", the Extended Permission "Manage Compliance" must be checked.
Types of Roles
Manager
Auditor
Unit Manager
Scanner
Reader
Contact
QualysGuard Setup
Compliance User Role - Auditor
− Limited access to those areas of QualysGuard which involve Policy Compliance
− Responsible for Exceptions
− Cannot be assigned to a BU
− Cannot run Compliance Scans
QualysGuard Setup
Adding Domains or Hosts
− Add Domains or IPs
This may have been done with your TAM
QualysGuard Setup
Asset Discovery (Mapping)
• Gives a good overall "picture" of the network
QualysGuard Setup
Asset Discovery Map
QualysGuard Setup
Asset Discovery
− Mapping looks at the Domain or Netblock
− Scanning looks at the individual hosts (narrow focus)
− Know what assets are there to provide proper protection
− Verify what is supposed to be there via Approved Hosts
Mapping is the foundation for proper asset management; it shows an overall view of your corporate assets.
QualysGuard Setup
Affected Hosts
− Must be in the QualysGuard subscription; they must also be included in the Policy Compliance module
− Policies need to be assigned to a Host or Asset Group
− Tip: start small; there can be a performance impact when doing compliance scans
− Affected Hosts can be in an existing Asset Group, or on their own
QualysGuard Setup
Creating Asset Groups
Asset Groups are "buckets" to hold devices.
For Compliance, Qualys recommends setting up Asset Groups based on geographic location and need:
• One asset group for the HIPAA compliant Database Servers in the San Francisco office, and one for the Windows desktops
• HIPAA-San Francisco-DB
• HIPAA-San Francisco-Desktop
• Another set of asset groups for the office in Los Angeles
• HIPAA-LAX-DB
• HIPAA-LAX-Desktop
• HIPAA-LAX-Webservers
Control and Policy Setup
QualysGuard Training
Necessary parts of a policy
A policy must have associated technologies.
A policy contains a list of controls.
In order to be useful, a policy has to have the affected hosts associated with it.
POLICY: Set Technologies, Add Hosts, Add Controls
Parts of a policy
Technologies: What are the technologies we'll be viewing for compliance?
Controls: What are the rules we want in place to specify our posture?
Hosts: Which hosts will we check?
Policy Import/Export
Download a Policy (and share that written policy)
Import another policy from a file or from the Library
QualysGuard Policy Compliance
Controls Library: CIDs, Categories, Controls; select a control to edit and view its info
QualysGuard Policy Compliance
Compliance Categories, Frameworks and Technologies
Compliance Categories
Access Control
Requirements
Anti-Virus/Malware
Database Settings
Encryption
Integrity and Availability
OS Security Settings
Services
Web Application Services
[Entire] Network Settings
QualysGuard Policy Compliance
Control Anatomy
Frameworks; Category and Sub Category; select a control to view its info
QualysGuard Policy Compliance
Control Cross Reference
Control Cross Reference to Internal Documentation
− Reference internal compliance documentation such as approved mitigation procedures
QualysGuard Policy Compliance
Comments Section of a Control
Components of Controls
Cardinality of a control
X = value returned by the scan engine
Y = value expected by the control
Components of Controls
Control cardinality use:
QualysGuard Policy Compliance
Windows User Defined Controls
User Defined Controls for Windows:
− Registry Key
− Registry Value
− Registry Value Content
− Registry ACL
− File Existence
− File Permissions
− File Integrity Check*
*Not enabled by default
QualysGuard Policy Compliance
UNIX User Defined Controls
User Defined Controls for UNIX:
− File Content
− File Permissions
− File Existence
− File Integrity Check*
*Not enabled by default
QualysGuard Policy Compliance
User Defined Controls
User Defined Controls
− Add controls to QualysGuard that are tailored to existing policy
QualysGuard Policy Compliance
User Defined Controls
Why have them?
− Custom applications that require compliance audits
− Systems use filenames / locations other than default settings
− Determine if specific service packs are installed
What happens if I write a control that has already been
defined by Qualys?
− The system will present an error
How do we write them?
− Requires an understanding of the requirement and a technical
understanding of the system
Usually the auditor and the SysAdmin must be involved
Device Enumeration
QualysGuard Training
QualysGuard Policy Compliance
Compliance Scan Workflow
Host Discovery
− The service checks host availability. The service then checks whether the host is connected to the Internet, whether it has been shut down and whether it forbids all Internet connections.
OS Detection
− The service identifies the operating system installed on target hosts using TCP/IP stack fingerprinting or OS fingerprinting on redirected ports.
Authentication
− Host authentication is required for a compliance scan. If authentication fails, the scan processing stops.
Compliance Assessment
− The service scans for all technical controls and with this information begins compliance assessment.
Requirements for Policy Compliance
QualysGuard must have administrative access to all
affected hosts
QualysGuard acts like an auditor
Hosts must be in the subscription and added to the
Policy Compliance module
A compliance scan pulls every bit of data it can
A Compliance report uses that data to measure your
compliance posture against a specific policy
Enumeration
So, what's our real workflow?
1. Create General Policy
2. Scan: pull down everything specified in the Control Library
3. Report
4. Create Policy / Add User Defined Controls
5. Scan again (which will include your new controls)
6. Report
QualysGuard Policy Compliance
Scanning the Affected Hosts
Tips:
• Narrow the focus to the affected hosts
• Make sure you have created your Compliance Option Profile
• Not created by default
• Ensure Full Administrative (or Root) access to hosts
• If this access is not granted, the scan will fail for that host entirely
• Compliance scanning happens less frequently than vulnerability management scanning; scheduling should reflect this
• Data is NOT readable in raw scan format
Option Profile
An Option Profile specifically for Policy Compliance needs to be created.
Option Profiles
File Integrity check
− If you are using UDCs for file integrity, you must check this box in your option profile
Password Auditing Controls
− Dissolvable Agent – performs password auditing
− Up to 100 passwords to check
Windows Share Enumeration
− Also uses the Dissolvable Agent
Authentication - Vaults
In large organizations where thousands of machines are scanned regularly for vulnerabilities, managing passwords is a challenge. For example, if a password ages out and is changed, that change must be passed to QualysGuard so that its stored credentials remain current.
Some organizations are reluctant to let their credentials leave the network.
Based on feedback from customers, including a major international bank who is our design partner for this integration, we partnered with Cyber-Ark to build a solution to this problem and reduce the burden of credential management for trusted scans.
Cyber-Ark Integration: benefits
Better manageability with Cyber-Ark integration
Increased security, control and audit of login credentials
Makes vulnerability trusted scans easier, giving better visibility into vulnerabilities and better prioritization of remediation plans
Facilitates policy compliance scans
QualysGuard offers the best of both worlds to help customers adopt security in the cloud
Cyber-Ark Integration: How it works
Components: QualysGuard Scanner, Server (Scan Target), Cyber-Ark PIM Suite
1. User launches a trusted scan from the Qualys SOC
2. The Scanner Appliance (SA) gets the credentials from the Cyber-Ark Password Vault
3. The SA scans the target using the credentials (Windows and Unix)
4. Scan results are exported to the Qualys SOC
5. Audit/control/policy enforcement using Cyber-Ark PIM suite features
BeyondTrust PowerBroker for Server, Version 6.0
− Similar to Sudo
− Executes "pbrun su -" on the local target to escalate the user to a root shell
The following technology platforms have been verified:
− Red Hat Ent Linux v3, v4, and v5.x
− SUSE Linux Ent Server 9, 10, and 11
− HP-UX 11i v1, v2, and v3
− IBM AIX v5.x and 6.x
− SUN Solaris 8, 9, and 10
− VMware ESX 3.x and 4.x
− Mac OS X 10.x
Supports VM and PC Scanning
Authentication - PowerBroker
Enable in the Unix Authentication Record
− Root Delegation
Edit pb.conf locally
− Required: runuser = "root"
− Optional: if (user == "qualys" && basename(command) == "su" && argc == 2 && argv[1] == "-")
− Optional: iolog = "/var/log/pb.iolog." + user + "." + basename(command) + "." + strftime("%y%m%d.%H%M%S")
Verification
QualysGuard Training
Dashboard
Dashboard panels: Top Ten Technologies, Top Passing, Top Failing
The Dashboard is a great Overview:
1. Double click Failing Policies
2. Automatically generate a report from the UI
3. See your top failing Controls
QualysGuard Policy Compliance
Reports
Compliance Reports
– Authentication Success/Fail report
– Full Policy Report that includes all results, exceptions and audit trails
– Interactive Control Pass/Fail report
– Interactive Host Compliance report
– Includes workflow for creating exceptions
Proof of pass/fail for this control on this host
QualysGuard Policy Compliance
Reports
The Report Summary
• Pass/Fail Summary shows passed and failed control instances
• Pass/Fail and Exceptions Summary shows passed and failed control instances with pending exceptions and passed-with-exception status.
Best Practice: If the Passed with exception value remains constant, you may need to revisit the compliance policy or review the asset group.
QualysGuard Policy Compliance
Reports
The Policy Report includes compliance status with a specific policy. The report lists the hosts assigned to the policy with the controls tested. Results are shown as a passed/failed status.
QualysGuard Policy Compliance
Authentication Reports
Review the Authentication report to confirm the necessary administrator access
QualysGuard Policy Compliance
Interactive Reports
QualysGuard Policy Compliance
Creating Exceptions
Exceptions can only be created via the Interactive Reports in Compliance
QualysGuard Policy Compliance
Creating Exceptions
Make sure the Control Pass/Fail has “Both” or “Failed” chosen:
QualysGuard Policy Compliance
Creating Exceptions
Request the exception
QualysGuard Policy Compliance
Exception UI
− Exceptions are created through the interactive report
− Auditor will click on “Edit” to open the ticket
QualysGuard Policy Compliance
Managing Exceptions
Regardless of action, comments are required.
Set a time limit on an exception.
QualysGuard Policy Compliance
Exceptions Approved
Note the “E” above the “passed” Posture
QualysGuard Policy Compliance
Exceptions
Examples of Exceptions:
Requirement: "ftp, or any form thereof, should not be enabled on any external facing device"
Reality: the support team must have ftp enabled to allow customers to send files larger than 5MB when their email will not allow such attachments
Requirement: "all workstations must have the latest service pack installed"
Reality: you are in the midst of an upgrade and it will take 30 days to have all systems tested and updated
QualysGuard Policy Compliance
Exceptions – the reality
− Unlike VM, where *most* vulnerabilities and remediation
tickets can be fixed with a patch, exception tickets present
a different use case:
Changing the corporate stance on password length
Allowing FTP on certain machines but not others
− “what to do” with an exception has been one of the biggest
questions seen from customers thus far.
Can I modify a control? (no)
Can I delete a control? (yes, but there may be consequences)
Policy Compliance Labs