Two significant vulnerabilities affecting a wide range of systems that couldn't be patch fast enough were released in the past few months. The simple solution for both issues was to find and to patch. However, if the site audit policy is inadequate, finding these systems became a daunting task. It became clear that regularly auditing a network is a necessity, having a baseline you can rely on and an accurate software inventory is critical when dealing with issues like; how many systems are using Bash or might have OpenSSL embedded in them is paramount.

Ways that can be used to address and fix known vulnerabilities; and help detect suspicious activity:

1- Identify the risks, if software patch it. If it is the enterprise's "crown jewels", make sure they are well protected. Remember, this a repetitive process that need to be reviewed at regular interval.
2- Defense-in-depth from the perimeter to the host and regularly test and verify its accuracy
3- If you own an IDS/IPS, turn off old signatures that fire on old software. They just "fatigue" the analysts and detract them from the real attacks
4- Set up a SIEM to centralize logging and alert on events that have been identified as serious risks and/or unusual activity

Dealing with Bash will eventually be coming to an end. If you already have a simple and easy method for auditing and keeping an accurate host software inventory, we would like to hear from you. Using your method, how quickly were you able to identify all the vulnerable network devices?

[1] http://heartbleed.com/
[2] https://isc.sans.edu/forums/diary/Attention+NIX+admins+time+to+patch/18703
[3] http://nmap.org/
[4] http://www.open-audit.org/
[5] http://www.openvas.org/

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu