QualysGuard® VM Training Labs
All Material contained herein is the Intellectual Property of Qualys and cannot be reproduced in any way, or stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, without the express written consent of Qualys, Inc.
Please be advised that all labs and tests are to be conducted within the parameters outlined within the text. The use of other domains or IP addresses is prohibited.
Contents
LAB 1 – Introduction .... 4
    Using QualysGuard – Get Started .... 5
    Network Mapping/Discovery .... 9
    Adding Host Assets to your subscription .... 12
    Configuration – Asset Groups .... 13
    Vulnerability Scanning .... 15
    Asset Tagging and Asset Search .... 18
    Additional Exercises .... 23
LAB 2 – Reporting .... 29
    Creating Reports .... 29
    Additional Exercises .... 35
LAB 3 – Organization / Users .... 40
    Creating A User .... 40
    Dashboard .... 42
Lab 4 – Fine Tuning Scanning and Reporting .... 43
    Search Lists .... 43
    Option Profiles .... 46
    Authenticated Scanning .... 49
    Role-Based Reporting .... 52
    Additional Exercises .... 56
LAB 5 – Remediation and Trouble Ticketing .... 60
A Final Note – Account Setup .... 65
    Contacting Support .... 72
LAB 1 – Introduction
The purpose of the QualysGuard Certification class is to familiarize you with QualysGuard Vulnerability Management – its features and functionality as well as our Best Practices. This will make you successful with deploying and managing your Vulnerability Management program.
Vulnerability Management is an operational task. In order to properly manage this task, the following steps have been outlined as Best Practice for use with QualysGuard. Maintaining this ongoing process will allow an enterprise to fully utilize the various modules within QualysGuard.
1. Manage the QualysGuard account
a. This includes setting up the various user roles and business units
2. Map the Network
a. Schedule ongoing maps
3. Review the Resources shown on the network Map
a. Create new Asset Groups
b. Modify existing Asset Groups
4. Scan the Network
a. Schedule ongoing scans
5. Report on Scans
a. Operational Level Reports
b. Executive Level Reports
6. Remediate any necessary Risks
The labs within this workbook are based on this philosophy, and each lab builds on the last. We will continue to return to this process throughout our class.
Using QualysGuard – Get Started
Essential:
    QualysGuard account
    Modern Browser: Chrome (stable, latest), Firefox (stable, latest), Safari (latest), Internet Explorer (11, 10, 9)
    Java Browser Plug-in
    Enable/whitelist pop-ups from the qualys.com domain
Useful:
    For PDF Reports: Adobe Acrobat Reader or comparable
    For Zip archives: An un-zipping program
First Login
1. Open your browser and navigate to the login listed in your student account.
2. Fill in your login credentials and click “Login”:
For your trial subscription, QualysGuard displays your default user information (you do not need to modify any of the default user settings), and asks you to accept the Service User Agreement.
3. Select the check box to accept the “Service User Agreement”.
4. Click the “I Agree” button.
5. Click Enable Now. This way you’ll get all the benefits of QualysGuard – all its latest features and functionality.
Quick Start Guide
A successful login will display the QualysGuard Welcome screen and Quick Start Guide.
Click Add IP addresses to scan, and you’ll see there are no hosts in your account (IPs in Subscription = 0). Right now you can’t scan any hosts for vulnerabilities. No worries, we’ll help you with this – it takes just a minute.
Permissions to scan
Important Notice about your student account
Using your student account, you have permission to scan only the demo IP addresses (10) provided by Qualys. You do not have permission to scan any other IP addresses and/or web applications using your student account.
Best Practice – Before you start scanning with Qualys, always be sure to get approval to scan IP addresses and/or web applications. It is your responsibility to obtain this approval.
What about the steps?
You’ll skip the Quick Start steps for now, since we’ll walk you through everything in the labs. You can always return here anytime. Just click on your QualysGuard User ID (to the left of the Help button) and select “Quick Start Guide”.
Personalize your student account
Please update your profile settings and tell us your Name, Title, Phone, and E-mail address. Click on your QualysGuard User ID (located just to the left of the Help button) and select “User Profile”.
Context Sensitive Help/Online Manual
Online help is available for whatever product you are using and for everything in the User Interface. To receive different help options, simply click on the Help button in the upper right hand corner, and select the “Online Help” option.
When you are in the Quick Start Guide, you’ll find help for the VM application. You can use the Contents and Search options to navigate the help system.
Personalize here – just replace the defaults under General Information
Navigation – widescreen-optimized
1. Get yourself comfortable clicking from section to section, and tab to tab (within each section).
2. Under the Scan section, click on the Setup tab.
3. Click on Storage to see how long your Scan results will be saved by default.
Network Mapping/Discovery
Mapping Overview
Mapping discovers: hosts/devices, their operating systems, and where they live in the network.
Mapping finds: anything with an IP address; uses TCP and UDP port-scans, and ICMP/ping.
Compare maps: see new hosts introduced into the network; find “rogue devices and hosts.”
Launching A Map
Mapping is one of the primary tasks in QualysGuard, and it is located under the Scan section of the UI.
1. Under the “Scan” Section, click the “Maps” tab.
2. Select “New > Map…”
You can launch maps against “Domains/Netblocks” or “Asset Groups.”
We don’t have any Asset Groups set up – that will be an exercise for later – so we’ll use the “qualys-test.com” domain that has already been added to your demo account.
We will use the default Option Profile (Initial Options) for this first map exercise.
3. Give your map a title, such as “My First Map”.
4. Leave the Option Profile set to the default (Initial Options).
5. In the “Target Domains” section, click the “Select” link just to the right of the “Domains/Netblocks” field.
6. Check the qualys-test.com domain and click the Add button.
7. Click the “Launch” button to start mapping. It is normal for your map request to display the “Queued” status, before entering into the “Running” status.
Map History
The “Maps” tab lists queued maps, running maps, and finished maps, and allows you to cancel running maps and delete finished maps.
Viewing Map Results
When a map reaches the “Finished” status, you may view the map results. Please do not attempt to view map results while the Status column displays the “Queued” or “Running” status.
1. To view your map results, open the Quick Action menu and select the “View Report” option.
2. Scroll down through your Map Results to view the hosts that were discovered.
Your demo account Map Results are simulated. Many of the discovered hosts do not actually exist within the Qualys Demo Lab. Can you identify the IP addresses that should NOT appear in the map results (Hint: we used an external scanner appliance to produce the map)?
3. You can display the discovery methods for each host by clicking on the arrowhead to the left of the Host IP address.
4. Close the Map Results (File > Close).
Adding Host Assets to your subscription
Using the map, often you’ll discover a new host and then want to do something with it. You might, for example, wish to add a previously unknown IP address to your subscription. You can’t scan a host (or do much else, for that matter) until it’s been added to your subscription.
1. Under the “Scans” section, click the “Maps” tab.
2. Using the “Quick Actions” Menu, view the map results for the qualys-test.com domain (the map results you created earlier).
3. Scroll down and use the check boxes to select the following IP address range (8 IPs). These are the only IP addresses you are permitted to use in this lab:
64.39.106.242-64.39.106.249
4. With the appropriate IP addresses checked, choose the “Add to Subscription” option from the Actions drop-down list, and then click the “Apply” button.
5. When prompted to Add IP To Subscription, click the “Add” button.
6. Click the “OK” button to acknowledge that you have permission to scan the IPs you have selected.
7. Close the Map Results.
Configuration – Asset Groups
Asset Group Overview
Your organizational hierarchy may be divided by geography (the San Francisco office, the New York office), by device type (databases, routers, servers, desktops), by responsible party (data center ops, desktop IT), or in some completely novel way we’ve never thought of.
Asset Groups allow you to effectively organize your host assets in QualysGuard. You can also create asset groups that overlap: a host can be both in the San Francisco Asset Group and also in the Servers Asset Group.
Creating An Asset Group
We’ll start by creating an Asset Group to represent a data center in our organization.
1. Under the “Scans” section, click the “Maps” tab.
2. Using the “Quick Actions” Menu, view the map results for the qualys-test.com domain (the map results you created earlier).
3. Scroll down and place a check mark next to the following IPs, the ones with a Unix/Linux OS (look at the OS column):
64.39.106.244 - 64.39.106.247
4. From the Actions drop-down menu, select “Add to a new Asset Group”, and then click the “Apply” button.
5. From the New Asset Group window, enter the title “Data Center”.
6. Click the IPs tab to validate the correct selection of IP addresses.
7. Click the Domains tab and add qualys-test.com to the list of Assigned Domains.
Business Impact
Our Asset Group is almost done. You can use it to easily scan or map a part of your network. You might be tempted to claim victory, save the Asset Group, and move on. In so doing, you’d miss something important:
Some hosts are more important than others. While both printers and databases represent legitimate attack vectors within your network, your time is best spent fixing a critical vulnerability on your customer database – one that could be used to steal data – rather than a vulnerability that can take a networked printer off-line.
With this in mind, Asset Groups contain a “Business Impact.” Set it up now, and it’ll pay dividends under Reporting – where we’ll use it to prioritize what to fix first.
8. Click the Business Info tab on the “Data Center” asset group, and change the Business Impact setting to “Critical”.
9. Click the Save button to save your new asset group.
10. Repeat steps 1-9 to create a second asset group called “Desktops” for the Windows hosts in your subscription. Give them a “Medium” Business Impact.
The specific IP addresses for these hosts are: 64.39.106.242, 64.39.106.243, 64.39.106.248, and 64.39.106.249.
11. Close the Map Results.
Vulnerability Scanning
Once you have successfully added hosts to your subscription, those hosts can be scanned for vulnerabilities. In this first lab you will use the default Option Profile (Initial Options) to complete your first vulnerability scan. This Option Profile is set up to use the standard 1900 TCP ports, and does not use authentication.
Launch a Scan
1. Under the “Scans” section, click the “Scans” tab.
2. Select “New > Scan” to open the “Launch Vulnerability Scan” window.
3. Give your scan a title, such as “My First Scan”.
4. Leave the Option Profile set to the default “Initial Options”.
5. Click the “Select” hyperlink next to the “Asset Groups” text box. Select both asset groups you created previously. Then click “Add”.
6. Click the “Launch” button; leave the resulting Scan Progress window open. View the scan as it progresses.
7. Once the scan is finished, click “View” on the Quick Actions menu to see the scan’s results.
The “Scans” tab lists running scans and stored scans. You can use the “Quick Actions” menu to cancel or pause running scans. To delete a scan, simply place a check in the box next to the Title, and choose the Delete option from the Actions button.
Processed vs. Unprocessed Scans
When a Scanner Appliance has finished performing a vulnerability scan, the scan results are sent to the QualysGuard Secure Operations Center (SOC). The raw scan data is then processed and integrated with the “Host Based Findings” within your QualysGuard subscription.
While your scan data is being processed, it will appear with a “green circle” icon within the “Scans” tab. Although the “Status” column may display the “Finished” status, your scan results will not be available for use until the “green circle” icon turns into a “green ball” ( ) icon.
** Note: Your scan data will NOT be available for reporting or asset search purposes, until your scan data has finished processing (indicated by the “green ball” icon).
Vulnerability Ratings
Scanning analyzes the security of your network devices using an “Inference-Based Scanning Engine,” an adaptive process that intelligently runs only tests applicable to the host being scanned.
Vulnerabilities (red): security weaknesses verified by an “active test”
Potential vulnerabilities (yellow): security weaknesses that need manual verification
Information (blue): configuration data
Potential Vulnerabilities
Two common classes of potential vulnerabilities include Denial of Service (DoS) and buffer overflow attacks. QualysGuard won’t try an active test if that active test might deny service or introduce instability, so we can’t actively test these. That said…
Many potential vulnerabilities can be promoted to straight-up vulnerabilities using authentication. These are labeled (red/yellow) in the Vulnerability Knowledgebase.
When a normal (untrusted) scan includes a (red/yellow) vulnerability, QualysGuard can find conditions that flag the risk (e.g. SMB is enabled). When a trusted scan is performed (QualysGuard authenticates to the device), the registry is analyzed and other tests are performed. And in the scan results, QualysGuard identifies the issue as a confirmed vulnerability ( ) or a potential vulnerability ( ).
Severity levels
Level 5 – Remote root/administrator: unfettered remote control over system
Level 4 – Remote user: remote control over system with user privileges
Level 3 – Leaks critical sensitive data: can be used as part of another attack
Level 2 – Leaks sensitive data: determine precise system/service versions
Level 1 – Basic information: open ports and other easily deduced data
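The Business Impact set on each asset group earlier and the severity levels above are the two inputs the Reporting lab uses to decide what to fix first. The following is an added example (not Qualys code) that ranks findings by both; the numeric weights for the Business Impact labels, the "Low" default for ungrouped hosts, and the sample QIDs and titles are assumptions constructed for this example.

```python
"""Added example (not Qualys code): rank findings by severity level and by the
Business Impact of the asset group the host belongs to."""
from dataclasses import dataclass
import ipaddress

# Severity levels as described in the table above.
SEVERITY_LABEL = {
    5: "Remote root/administrator",
    4: "Remote user",
    3: "Leaks critical sensitive data",
    2: "Leaks sensitive data",
    1: "Basic information",
}

# Numeric weights for the Business Impact labels are an assumption made for this
# example; the labs only set the labels ("Critical", "Medium").
IMPACT_WEIGHT = {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Minor": 1}

# Asset groups, members and impact as created in Lab 1.
ASSET_GROUPS = {
    "Data Center": {"impact": "Critical",
                    "ips": {f"64.39.106.{n}" for n in range(244, 248)}},
    "Desktops": {"impact": "Medium",
                 "ips": {"64.39.106.242", "64.39.106.243",
                         "64.39.106.248", "64.39.106.249"}},
}


@dataclass(frozen=True)
class Finding:
    ip: str
    qid: int
    title: str
    severity: int   # 1..5
    kind: str       # "vulnerability" (red), "potential" (yellow), "information" (blue)


def business_impact(ip):
    """A host can sit in several asset groups; take the highest impact among them."""
    impacts = [g["impact"] for g in ASSET_GROUPS.values() if ip in g["ips"]]
    if not impacts:
        return "Low"   # assumption: ungrouped hosts are ranked as Low impact
    return max(impacts, key=IMPACT_WEIGHT.__getitem__)


def risk_score(finding):
    """Severity (1-5) times business impact weight (1-5); 25 is the worst case."""
    return finding.severity * IMPACT_WEIGHT[business_impact(finding.ip)]


def prioritize(findings, include_potential=False):
    """Confirmed vulnerabilities first (optionally potential ones too), highest
    risk score first, then severity, then host and QID for a stable order."""
    kinds = {"vulnerability"} | ({"potential"} if include_potential else set())
    ranked = [f for f in findings if f.kind in kinds]
    return sorted(ranked,
                  key=lambda f: (-risk_score(f), -f.severity,
                                 ipaddress.ip_address(f.ip), f.qid))


# Constructed sample findings; QIDs and titles are placeholders, not KnowledgeBase entries.
SAMPLE_FINDINGS = [
    Finding("64.39.106.242", 900001, "Placeholder remote code execution", 5, "vulnerability"),
    Finding("64.39.106.244", 900002, "Placeholder remote user access", 4, "vulnerability"),
    Finding("64.39.106.245", 900003, "Placeholder service version disclosure", 2, "vulnerability"),
    Finding("64.39.106.243", 900004, "Placeholder DoS (needs manual verification)", 5, "potential"),
    Finding("64.39.106.249", 900005, "Placeholder open port listing", 1, "information"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_score(f):2d}  sev {f.severity} ({SEVERITY_LABEL[f.severity]})  "
              f"{f.ip} [{business_impact(f.ip)}]  QID {f.qid}: {f.title}")
```

Note that the severity 4 finding on the Critical data-center host outranks the severity 5 finding on a Medium desktop; that is the point of setting Business Impact before reporting. Potential (yellow) findings are left out of the ranking unless asked for, because they still need manual verification.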
Asset Tagging and Asset Search
Asset tagging is a feature offered in the QualysGuard Enterprise Suite. Because IT environments are constantly fluctuating, it’s imperative we have a sound method to track our assets. If we know what assets exist in our infrastructure, we have a better chance of securing them.
With mobile devices, virtualization, and remote employees, keeping track of all the assets in an organization can be daunting. Tagging allows us to organize assets in a flexible, scalable, and automated fashion based on scan results obtained using the Vulnerability Management service.
Currently, asset tags are created and deployed using the QualysGuard Vulnerability Management service. Using the Asset Management module, we can automatically assign tags to our hosts. We can then run a scan or create a report based on the tags that we have defined.
We can configure tags in a hierarchical structure; i.e. parent and child tags. An asset can have multiple tags on it simultaneously. This means if our organization has a variety of ways it organizes its assets, we can tag based on all of them. For example, a host can have a tag because it’s located in Chicago, it belongs to the 10.1.2.0/24 net block, and has SSH running on it.
Tagging is accomplished by utilizing our scan data. So as QualysGuard processes vulnerability data from the latest scan, it will also dynamically place tags on assets based on defined criteria.
As you complete the Asset Tagging exercises that follow, please note that some lag time may occur between the point where a tag is initially created and the point where it is eventually applied to its respective asset(s). Please continue to work through all Asset Tagging exercises, as all tags will eventually be available by the time they are used in Lab 2.
1. Navigate to the Asset Management module using the module picker.
Notice the number of assets currently in the Asset Management module. All of the assets we just scanned appear in our list of assets.
Near the upper left corner of the window, click the expander icon and view the default tags the service has already generated.
Currently, we can see an “Asset Groups” and “Business Units” tag. If we click the arrow next to the “Asset Groups” tag, we can see a tree structure indicating the “Asset Groups” tag is the parent, and the “Data Center” and “Desktops” tags are the children.
We can create additional custom tags, using static and dynamic rules. We’ll start off simple by creating a static tag.
2. Click on the link.
3. Let’s call this tag “Critical Hosts”. Assign the tag a different color.
4. Click “Continue”.
5. In this case, we’ll keep the “Rule Engine” setting to “No Dynamic Rule”. Click “Continue” and then “Finish.”
We can see our “Critical” tag is in the list and it has a different color than the default tags.
6. Click (and hold) on the “Critical” tag you just created and drag the tag to the Solaris host (demo5.sea.qualys.com). Since this is a static tag, you can drag and drop it on any other host you consider to be critical.
While it is a nice feature to be able to manually assign tags to assets in our asset list, the real power of the Asset Management module lies in dynamic tagging.
In the following steps, you will create two dynamic tags that will be nested within a static, parent tag. These steps will demonstrate some of the tag nesting capabilities.
7. Click on the link. Give the tag a name of “Exploitable Hosts”, and click the “Continue” button.
8. From the “Rule Engine” drop down menu, choose “No Dynamic Rule”, and click the “Continue” button.
9. Click the “Finish” button to complete the creation of this parent tag; we will nest two dynamic tags within this one.
10. Click on the link. Give this tag a name of “Conficker Worm”.
11. In the Tag Properties section, select a “Default color” (any color you like).
12. While still in the Tag Properties section, use the Parent Tag dropdown box to select the parent tag you just created (Exploitable Hosts).
13. Click the “Continue” button.
14. From the Rule Engine dropdown menu, select “Vuln(QID) Exists”, and then type “90464” (omit the quotes) in the Vuln QID textbox. This is the QID associated with the Windows Server Service that is exploited by the Conficker Worm.
Before we “Continue”, let’s test the applicability of the rule.
15. Click on the “Select an asset” dropdown menu and choose any of the Windows-based hosts (2k-sp4-oe501, demo8, demo7, or xp-sp2). Repeat this step until all Windows hosts have been selected.
These actions should produce the following results:
Notice the green checkboxes next to some of the assets, indicating the rule will generate a tag for these hosts.
At this point, we are ready to have the service evaluate the rule we just created and assign tags to the appropriate hosts. We can do this in two ways. We can run another scan or, we can select the checkbox to “Re-evaluate the rule on save”. This second option will apply tags based on the most recent vulnerability scan results.
16. Select the “Re-evaluate rule on save” checkbox (just to the right of the Rule Engine dropdown menu).
17. Click the “Continue” button.
18. Click “Finish”.
Let’s test your asset tagging skills. Repeat steps 8 through 19 above to nest a second dynamic tag within the “Exploitable Hosts” parent tag. Name this second tag “Windows RDP” and use QID 90783 to create this tag dynamically using the “Vuln(QID) Exists” rule engine. Also ensure you click the “Re-evaluate on save” checkbox.
Any of the dynamic tagging rule engines can be used to automatically assign tags to existing assets (this process can take a few minutes to complete). While our demo lab has a limited number of assets, imagine if we had 10,000 or 100,000 hosts. We can now easily use the tagged hosts in vulnerability scans and reports. We could easily run a report on all of our Exploitable Hosts, regardless of where they are in the world.
There is also a filtering section within Asset Management. At the top of the screen, we can click “Show Filters” and find a variety of ways to sort our assets based on tags, IP range, vulnerability, and/or scan date. If we were tracking thousands of assets, we could use this feature to locate a specific host matching specific criteria.
Now let’s investigate what we have on a particular host.
19. Mouse over host “demo5.sea.qualys.com” and click on “View host details” from Quick Actions menu.
Immediately we can see host information based on a previous scan. We have IP addressing, DNS Hostname and OS. To the right we can see our tags for this host. We can also see information on the host such as the open ports, installed software, and vulnerabilities.
Asset Search
During a scan, the scanning engine gathers information about target hosts, including the host’s operating system, open TCP and UDP ports, and services running on open ports. The Asset Search feature enables you to search through scan results to find hosts based on this type of information. We can use Asset Search to help us generate tags, or we can create a one-time report based on criteria we set in Asset Search.
1. Navigate back to the Vulnerability Management application. Then, click Assets > Asset Search.
2. In the “Asset Groups” field type “All”.
3. In the “Running Services” section of the Asset Search, find and click “telnet”. From there, click “Search”.
4. From Asset Search Report, verify at least one host appears in the report. Click the “Create Tag” button near the top of the report.
5. Name the tag “Clear-text protocols” so we can clearly find all of our hosts with TELNET enabled. Click “OK”.
6. Navigate back to the Asset Management module, and click the expand icon again and expand the “Asset Search Tags” tag.
7. Right click on the tag you just created, and click “Edit Tag…”.
Under the “Tag Rule” tab, we can see what the XML for this tag looks like based on our asset search criteria. We could potentially alter this XML to reflect other services (e.g. add FTP as an additional service). We can also test the tag against our assets to see if it would apply.
8. Finally, click the checkbox next to “Re-evaluate rule on save” and then click “Save”.
Additional Exercises
Navigating and Personalizing the KnowledgeBase
The QualysGuard KnowledgeBase provides the most current and comprehensive vulnerability and threat intelligence information. The next few steps will help you to personalize the KnowledgeBase settings and navigate throughout the KnowledgeBase using the Search utility.
1. Go to the “Knowledgebase” Section. Click on the icon, and change the number of rows you are viewing in the KnowledgeBase to 50 (or higher, if you prefer).
2. Now, change your view to sort by Severity.
3. Use the button to locate all QIDs that contain “Cisco” in the title, using the “Vulnerability Title” field.
4. Start a new search to locate QID 1164 (Tip: You need to clear inputted fields when starting a new search). You can sort your search results by QID, simply by clicking on the QID column header.
5. Try the same search, but this time, under “Discovery Method” choose “Remote Only”.
Scheduled Maps
One of the most common security tasks is looking for new hosts that have been introduced into the network. Sometimes these are legitimate new hosts, but other times they are “rogue hosts”.
You can use “differential reporting” to compare two maps to identify new hosts introduced into the network. This is called the “Unknown Device Report”.
Reporting like this relies on having regular snapshots of the network from which to make the comparisons. We’ll use QualysGuard to set up a weekly “scheduled map” to make sure we have reliable data at regular intervals.
1. Under the “Scans” section, click the “Schedules” tab.
2. Choose “New > Schedule Map…”
3. Configure the schedule with the following details:
Title: Weekly Map
Task Owner: Student User
Option Profile: Initial Options (default)
Domains/Netblocks (under Target Domains tab): qualys-test.com
Start (under Scheduling tab): Choose the California time zone
Occurs: Weekly > Every 1 Week > Sunday
Schedule Status: Deactivate this task
4. Click on the “Schedule Status” tab and deactivate this task: select this so the task won’t perform until we get other setup completed.
5. Click “Save”.
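The weekly scheduled map exists to give the “Unknown Device Report” two snapshots to compare. As an added example (not Qualys code, and not the format of a real QualysGuard CSV download), the block below performs that differential on two map exports: hosts that are new, hosts that have disappeared, hosts whose OS fingerprint changed, and which newcomers are not yet in the subscription and so cannot be scanned until added. The CSV column layout, both exports, and the host names in them are constructed for this example.

```python
"""Added example (not Qualys code): an "unknown device" comparison of two map
exports, the differential the weekly scheduled map above is meant to feed."""
import csv
import io
import ipaddress

# Constructed baseline export (last week's map). Columns are an assumption.
BASELINE_MAP_CSV = """IP,DNS,OS,Discovery Method
64.39.106.242,xp-sp2.qualys-test.com,Windows XP,TCP
64.39.106.243,host-a.qualys-test.com,Windows 2003,TCP
64.39.106.244,demo5.sea.qualys.com,Solaris,TCP
64.39.106.245,host-b.qualys-test.com,Linux 2.6,ICMP
"""

# Constructed latest export: .245 has vanished, .246 and .250 are newcomers,
# and .243 now reports a different OS.
LATEST_MAP_CSV = """IP,DNS,OS,Discovery Method
64.39.106.242,xp-sp2.qualys-test.com,Windows XP,TCP
64.39.106.243,host-a.qualys-test.com,Windows 2008,TCP
64.39.106.244,demo5.sea.qualys.com,Solaris,TCP
64.39.106.246,host-c.qualys-test.com,Linux 2.6,UDP
64.39.106.250,,Unknown,ICMP
"""

# IPs already in the subscription (the eight added in Lab 1).
SUBSCRIPTION_IPS = frozenset(f"64.39.106.{n}" for n in range(242, 250))


def parse_map(csv_text):
    """Map export -> {ip: row}; rows without a usable IP address are skipped."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            ip = str(ipaddress.ip_address(row["IP"].strip()))
        except (KeyError, ValueError):
            continue
        hosts[ip] = row
    return hosts


def _sorted(ips):
    # Sort numerically, not lexically (so .250 sorts after .249).
    return sorted(ips, key=ipaddress.ip_address)


def unknown_device_report(baseline_csv, latest_csv, subscription_ips=SUBSCRIPTION_IPS):
    """Compare two maps. 'new' hosts are the rogue-device candidates; those not
    yet in the subscription cannot be scanned until they are added."""
    base = parse_map(baseline_csv)
    latest = parse_map(latest_csv)
    new_ips = latest.keys() - base.keys()
    return {
        "new": _sorted(new_ips),
        "new_not_in_subscription": _sorted(ip for ip in new_ips
                                           if ip not in subscription_ips),
        "gone": _sorted(base.keys() - latest.keys()),
        "os_changed": _sorted(ip for ip in base.keys() & latest.keys()
                              if base[ip]["OS"] != latest[ip]["OS"]),
    }


if __name__ == "__main__":
    report = unknown_device_report(BASELINE_MAP_CSV, LATEST_MAP_CSV)
    for section, ips in report.items():
        print(f"{section}: {', '.join(ips) or '-'}")
```

A host that appears in the latest map but not the baseline is only a candidate: it may be a legitimate new server, a laptop that happened to be on, or something unapproved. The report narrows what needs a human decision; the OS-changed list is worth the same attention, since a reinstalled or replaced device keeps its address but not its fingerprint.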
Exporting and Viewing Map Results
Goal: Export your map results and view your map results in a graphical format.
Why? Map Results can be manipulated in spreadsheet and graphics applications.
How? Navigate back to the “Map” section, view the map results, and use the “File” and “View” menus to manipulate your map results.
1. Navigate to the Maps tab within the Scans section.
2. Use the Quick Actions menu to open up and view a Map that you have already created.
3. While viewing the map results, download the map in CSV format (Choose “File > Download” and select CSV). Open the CSV file using Excel or OpenOffice.
4. While viewing the same map results, click the “View” menu and then select the “Graphic Mode” option.
5. Use the filters on the left hand side to see the assets in the map results that are Windows machines. (You can filter different Operating System Families as well)
6. Click on the icon over a host in graphics mode and view the host information in the preview pane.
You can also toggle the “Summary” and “Results” tabs at the top of the window to view a list of assets discovered in the map.
By clicking on each individual host, you can see how it was discovered, its last scan date, and the OS.
7. Click on the filter section at the top to see which hosts were discovered via Port 23.
Exporting Scan Results and Scheduled Scans
Goal: Download results to distribute and analyze in a spreadsheet; schedule a weekly scan.
Why? Without fresh vulnerability information, you’re blind.
How? Download, and adapt the “scheduled map” exercise steps for a scheduled scan.
1. Navigate to the Scans tab within the Scans section.
2. Choose “Download” from the Quick Actions menu and download your scan results in PDF format.
3. Download the scan results in CSV format and then open in Excel or OpenOffice.
4. Go to the “Schedules” tab under the “Scans” section. Choose “New > Schedule Scan…”. Schedule a Vulnerability Scan on asset group “Data Center” to run every evening at midnight, pause if not completed after 6 hours, and begin the next night.
5. Please deactivate this task before saving.
Scanning with Tags
While we have set up scans using our Asset Groups, we haven’t yet scanned with tags. What if we have generated tags for our entire environment and we’d like to use those to kick off scans and reports?
Let’s start a scan on all of our assets that aren’t tagged with the “Critical Hosts” tag.
1. Click the Scans section. Then, click New > Scan.
2. Give the Title “Scan with Tags” to the scan. Then select the “Tags” button from the “Choose Target Hosts From” section.
Notice the checkbox to “Use IP Network Range Tags”.
This checkbox is useful if we’d like to scan an IP range of hosts that haven’t yet been tagged. When the service processes scan results, it places tags on the hosts being scanned based on the rules we created when building the tags. We’ll leave this checkbox unchecked for now, as we are not scanning a range.
Underneath that, we have the option to choose “Any” or “All” of the tags we’d like to include in the scan.
All: This is an “and” operator, where the hosts will need to have all of the tags we list in order to be scanned.
Any: The host can qualify to be scanned if it simply has one of the tags we provide in the list.
3. Select the “Any” option from the dropdown menu. Then click the “Add Tag” link. A search box appears, along with an icon we can click to find our tags in our list. We can also see the “Recent Tags” and the “Favorite Tags”.
4. Click on the icon, and select the Desktops and Data Center tags.
5. For the “Do not include” section, find the “Critical” tag we created earlier.
6. Launch the scan.
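The tagging exercises above and this scan combine three mechanisms: static tags assigned by hand, dynamic tags computed from a “Vuln(QID) Exists” rule when it is re-evaluated on save, and target selection with Any/All include tags plus a “Do not include” list. The block below is an added example (not Qualys code) that models those semantics over a constructed set of scan findings, using the tag names and the two QIDs (90464, 90783) from the lab. Treating a selected parent tag as matching every host that carries one of its child tags is an assumption of this example, as are the findings themselves.

```python
"""Added example (not Qualys code): static and dynamic tags, parent/child
nesting, and Any/All/Do-not-include scan target selection."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Tag:
    name: str
    parent: Optional[str] = None
    qid: Optional[int] = None   # None = "No Dynamic Rule" (static); else "Vuln(QID) Exists"


# Tags as created in Lab 1 (QIDs 90464 and 90783 are the ones the lab uses).
TAGS = {t.name: t for t in [
    Tag("Data Center"), Tag("Desktops"), Tag("Critical Hosts"),
    Tag("Exploitable Hosts"),
    Tag("Conficker Worm", parent="Exploitable Hosts", qid=90464),
    Tag("Windows RDP", parent="Exploitable Hosts", qid=90783),
]}

# Manual (static) assignments: asset-group membership and the drag-and-drop tag.
STATIC_ASSIGNMENTS = {
    "Data Center": {f"64.39.106.{n}" for n in range(244, 248)},
    "Desktops": {"64.39.106.242", "64.39.106.243", "64.39.106.248", "64.39.106.249"},
    "Critical Hosts": {"64.39.106.244"},
}

# Constructed latest scan findings: IP -> QIDs detected on that host.
HOST_QIDS = {
    "64.39.106.242": {90464, 90783},
    "64.39.106.243": {90464},
    "64.39.106.244": set(), "64.39.106.245": set(),
    "64.39.106.246": set(), "64.39.106.247": set(),
    "64.39.106.248": {90783},
    "64.39.106.249": set(),
}


def evaluate_tags(host_qids, tags=TAGS, static=STATIC_ASSIGNMENTS):
    """'Re-evaluate rule on save': recompute every dynamic tag from the latest
    findings, then merge the static assignments. Returns {ip: set(tag names)}."""
    host_tags = {ip: set() for ip in host_qids}
    for name, ips in static.items():
        for ip in ips:
            host_tags.setdefault(ip, set()).add(name)
    for tag in tags.values():
        if tag.qid is None:
            continue
        for ip, qids in host_qids.items():
            if tag.qid in qids:
                host_tags[ip].add(tag.name)
    return host_tags


def with_descendants(names, tags=TAGS):
    """Expand a tag selection to every tag nested beneath it (assumption: a
    selected parent matches hosts carrying any of its children)."""
    selected = set(names)
    changed = True
    while changed:
        changed = False
        for tag in tags.values():
            if tag.parent in selected and tag.name not in selected:
                selected.add(tag.name)
                changed = True
    return selected


def scan_targets(host_tags, include, mode="any", exclude=()):
    """Hosts to scan. mode='any': at least one include tag; mode='all': every
    include tag. A host carrying any excluded tag is never scanned."""
    if mode not in ("any", "all"):
        raise ValueError("mode must be 'any' or 'all'")
    excluded = with_descendants(exclude)
    targets = []
    for ip, names in host_tags.items():
        if names & excluded:
            continue
        if mode == "any":
            hit = bool(names & with_descendants(include))
        else:
            hit = all(names & with_descendants([tag]) for tag in include)
        if hit:
            targets.append(ip)
    return sorted(targets, key=ipaddress.ip_address)


if __name__ == "__main__":
    tagged = evaluate_tags(HOST_QIDS)
    print("Lab scan:", scan_targets(tagged, ["Desktops", "Data Center"], "any", ["Critical Hosts"]))
    print("Exploitable:", scan_targets(tagged, ["Exploitable Hosts"]))
```

With the lab's selection (Any of Desktops and Data Center, excluding Critical Hosts) every host except the Solaris host 64.39.106.244 is targeted. Because the dynamic tags are recomputed from findings, a host drops out of “Conficker Worm” as soon as a processed scan no longer reports QID 90464, which is what makes tag-driven scans and reports track the environment without manual upkeep.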
LAB 2 – Reporting
QualysGuard stores your generated reports for a week. This is handy when you generate a large report that you want to share with your colleagues. Qualys only needs to process the data when you create the report; your colleagues can simply click to view the generated report.
Creating Reports
High Severity Report
As we’ve seen, using raw scan data can be overwhelming. It’s better to generate a report to consolidate, organize, filter and generally make scan and map data usable for reviewing. Let’s begin by creating a High Severity Report.
The High Severity report is useful for showing only the most severe vulnerabilities, levels 4 and 5 (red). It also introduces actions when created using the HTML format. Complete the following steps to create a High Severity Report:
1. From the Reports section, click the Reports tab. Choose “New > Scan Report > Template Based”.
2. Input the following details:
Title: Only The Worst Vulnerabilities
Report Template: High Severity Report
Report Format: HTML
3. Delete the word “All” from the Asset Groups field. Then, click on the “Add Tags” link and using the search box, type in “Desktops”. Select the tag when it appears in the window.
4. Click the “Run” button to view the report, and scroll down to the “Detailed Results” section.
Integrated Workflow Actions
“Workflow actions” are integrated into the High Severity and Technical Reports using the icon (to the right of a vulnerability). Using “workflow actions” you can ignore vulnerabilities, create remediation tickets, or view remediation tickets that already exist.
Notice the vulnerability status next to the action icon. The first time a vulnerability is found with the latest scan, the word “New” will appear in the report. Once a vulnerability has been discovered, its status will change to “Active” with each successive vulnerability scan. If the vulnerability has been fixed, the word “Fixed” appears.
Also notice our tags appear within the report.
In the next steps, we will perform the actions to ignore a specific vulnerability for a single host device.
5. Click the icon for host 64.39.106.242 (NetBIOS Name: XP-SP2) to display its vulnerability details.
6. Locate the severity 5 vulnerability called “Microsoft SMB Remote Code Execution Vulnerability” (MS09-001) and expand it.
7. Mouse-over the menu for this vulnerability, and choose the option to “Ignore vulnerability”.
8. Enter an appropriate reason, such as “This host will be decommissioned next week and thus will not be patched” and click the “OK” button.
It is important to note that steps 4 through 6 above will ignore the Microsoft SMB Remote Code Execution Vulnerability specifically for host IP address 64.39.106.242. Other host devices that have this same vulnerability (64.39.106.243 and 64.39.106.249) will not be affected by these actions.
Patch Reports
The Patch Report will identify vulnerabilities with available patches and can aid in keeping your environment up to date.
1. From the “Reports” section, navigate to the “Reports” tab.
2. Choose “New > Patch Report…”
You will need to name your report, select a report template, report format and source.
3. Under report title type “Online Patch Report”.
4. Click the “Select” link next to the “Report Template” selection box.
5. Click on the “Template Library” tab and then select “Critical Patches Required v.1” for the report template. Click the “Import” button.
6. Click the “Make Global” button to share this template with others.
This enables other users in QualysGuard to use this template to report against the assets that have been assigned to them.
7. Select “Online Report” for the Report Format.
8. In the Asset Groups section type “All” and click Run.
9. When the report opens, click on the “Sev” column in the left pane (and sort most severe to least severe).
10. In the left pane, use the “Title” column, to click on the top patch in the list. Notice that the same patch might affect multiple hosts.
11. Click on the “Title” of other patches to see what hosts are impacted.
12. From the right pane, try clicking on the number of vulnerabilities (“Vulns” column) to display the vulnerabilities addressed by a patch.
13. To distribute this report to your system administrators, click File > Download (select PDF or CSV format).
Scorecard Reports
Scorecard reports are part of the robust reporting mechanism within the QualysGuard environment. These reports provide “the state” of security within the enterprise. They are designed to assist IT line managers, Auditors, or the Board of Directors.
Using the Vulnerability Scorecard, users can evaluate Business Risk by asset group or tag and establish acceptable Business Risk levels for the organization. Also, the same scorecard can be used to identify vulnerabilities by type, status and age.
1. Navigate to the “Reports” section. Click “New” and then “Scorecard Report…”.
2. From the “New Scorecard Report” window, highlight “Vulnerability Scorecard Report,” and click the “Edit” link just below the Scorecard report list.
3. From the “Edit Scorecard Report” window, click on the “Report Source” tab. Then select the “Asset Tags” radio button and add the Desktops hosts.
4. Go to the “Display” tab, and change the “Business Risk Goal” to 20.
The “Business Risk Goal” is a calculation on the percentage of hosts in an Asset Tag or Asset Group that are vulnerable with the selected QIDs.
Goal % = Vulnerable Hosts in Asset Group or Tag divided by Total Hosts in Asset Group or Tag.
5. Click “Save As…” and title the report “Adjusted Business Risk”.
6. Select the Scorecard option you just created and run the report with HTML as a format.
The report will show the status of the vulnerabilities in the list as they apply to individual hosts in the selected assets. Look at the risk data in the scorecard report. Is this the same “Business Risk” discussed earlier in class? ____________________ How is it different? __________________
Additional Exercises
Technical Reports
Goal: View all vulnerabilities on systems in your network
Why? Get all the details from a vulnerability assessment
How? Create a technical report
1. Create a technical report (use the Technical Report Template) in HTML format. Select “All” as your target asset group.
2. Use the Technical Report to find the “Microsoft SMB Remote Code Execution Vulnerability (MS09-001)”. You can use your browser’s search tool (CTRL + F for Windows, Command + F for Mac) to locate this vulnerability.
How was this vulnerability detected (Hint: Results section)? ___________________________________
How would you fix this vulnerability (Hint: Solution section)? ___________________________________
Was this vulnerability reported for host 64.39.106.242? Why not? ______________________________
3. Find the “SSH Protocol Version 1 Supported” vulnerability. You can use your browser’s search tool (CTRL + F for Windows, Command + F for Mac) to locate this vulnerability.
How many hosts does this vulnerability impact? _____________________________________________
4. Choose one of the impacted hosts and use the menu to create a new ticket for any vulnerability. Assign the new ticket to your user account, and give yourself 30 days to fix the problem.
Executive Report
The Executive Report is a high-level trend report. It identifies changes to the vulnerability exposure of your network over time.
Presently, you do not have an adequate amount of scan history in your demo account to produce an effective trend report. For this reason, an illustrated description of the Executive Report will be provided.
When you have generated more scan data (after several days), feel free to return to this section to create an Executive Report. You can create an Executive Report by selecting the Executive Report Template.
Vulnerability Status
The “Filter” tab of the Executive Report Template contains Vulnerability Status. With all Vulnerability Status filters selected, we can produce the graphic seen above. Most of these are obvious, but there’s one hidden gem: Re-Opened. A re-opened vulnerability is a vulnerability that you previously fixed but has returned.
Re-opened vulnerabilities are typically the result of re-imaging a host from an un-patched image, or using compensating controls (e.g., a firewall rule that blocks access to a vulnerable service) in the absence of patches. Also, it could represent a service that was recently enabled on a host device (like a web server).
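The status transitions described here and in the workflow-actions section (New on first detection, Active on every later detection, Fixed when no longer found, Re-Opened when a fixed finding comes back), as an added example that is not Qualys code. The transition rules follow the lab text; the scan history is constructed, and one modelling choice is an assumption: a host that is absent from a scan is treated as “not scanned”, so its statuses are left untouched instead of being flipped to Fixed.

```python
"""Derive the per-host vulnerability status shown in QualysGuard reports
(New, Active, Fixed, Re-Opened) from a sequence of scan results.

Added example, not Qualys code. Scan results below are constructed.
"""
from typing import Dict, List, Optional, Set, Tuple

NEW, ACTIVE, FIXED, REOPENED = "New", "Active", "Fixed", "Re-Opened"


def next_status(previous: Optional[str], detected: bool) -> Optional[str]:
    """One transition step. previous is None until the QID is first detected."""
    if detected:
        if previous is None:
            return NEW           # first time a scan finds it on this host
        if previous == FIXED:
            return REOPENED      # was fixed earlier, now back (e.g. re-imaged host)
        return ACTIVE            # New / Active / Re-Opened -> still present
    if previous is None:
        return None              # never seen on this host: nothing to report
    return FIXED                 # seen before (or already fixed), not found now


def latest_statuses(scans: List[Dict[str, Set[int]]]) -> Dict[Tuple[str, int], str]:
    """Status of every host/QID pair after the last scan, oldest scan first.

    Each scan maps the hosts it actually scanned to the QIDs found on them.
    Assumption: a host missing from a scan was not scanned, so nothing changes for it.
    """
    state: Dict[Tuple[str, int], Optional[str]] = {}
    for scan in scans:
        for host, found in scan.items():
            # every QID ever tracked on this host, plus those found right now
            tracked = {qid for (h, qid) in state if h == host} | found
            for qid in tracked:
                state[(host, qid)] = next_status(state.get((host, qid)), qid in found)
    return {key: status for key, status in state.items() if status is not None}


# Constructed scan history (oldest first). 90464 is the MS08-067 QID from the lab;
# 900001 and 900002 are placeholder QIDs for this example only.
SCANS: List[Dict[str, Set[int]]] = [
    {"10.0.1.10": {90464, 900001}, "10.0.1.11": {90464}},
    {"10.0.1.10": {90464},         "10.0.1.11": set()},            # .11 patched, .10 partly
    {"10.0.1.10": {90464},         "10.0.1.11": {90464, 900002}},  # .11 re-imaged
]

if __name__ == "__main__":
    for (host, qid), status in sorted(latest_statuses(SCANS).items()):
        print(f"{host:12} QID {qid}: {status}")
```

On the constructed history the third scan reports 90464 on 10.0.1.11 as Re-Opened rather than New, which is the signal that distinguishes a regression (re-imaging, a withdrawn compensating control) from a genuinely new exposure.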
Vulnerabilities Over Time
Showing vulnerabilities over time is, of course, the whole point of the Executive Report. The following chart visually illustrates both the number and the severity of vulnerabilities over time:
Top Vulnerability Categories
The “Top Vulnerability Categories” table is handy come hiring time: it illustrates the areas that need the most work, and how much the exposure has changed, so you can hire people to cover your most critical needs.
Scheduled Reporting
Like with mapping and scanning, users now have the ability to schedule reports to run automatically at a scheduled time, on a recurring basis. Users can also set options to notify select distribution groups when a report is complete and ready for viewing.
There are several report types that can be scheduled. You can schedule template-based scan reports (set to Host Based Findings source selection), scorecard reports, patch reports, template-based compliance reports and remediation reports.
To create a new report schedule, go to Reports > Schedules and select the type of report you’re interested in from the New menu. In the steps that follow, a new template-based scan report will be scheduled.
1. Within the Reports section, navigate to the “Schedules” tab.
2. If prompted, click the “I Accept” button to enable scheduled reporting.
3. Click the New button and select Scan Report > Template Based.
4. From the Report Details section, give your report a title, such as “Demo Scheduled Report”.
5. For Report Template, click the Select link and select the Executive Report template.
6. For Report Format keep the selection for Portable Document Format (PDF).
7. In the Report Source section, leave the Asset Groups set to All.
8. Click the checkbox for Scheduling and Report Notification.
9. Leave today as your start date, and midnight (00:00) as your starting time.
10. Select (GMT-0800) United States (California): Los Angeles, San Francisco, San Diego, Sacramento as your time zone.
11. Set this scheduled report to occur every week (Weekly) on Friday.
12. In the Schedule Status section, please choose the check box to “Deactivate this report”.
13. Click the Schedule button to finish.
LAB 3 – Organization / Users
User accounts form the basis for privileges and access control within QualysGuard. This section will explore creating users and the various levels of user privileges.
Creating A User
We’ll start by creating a user and assigning some Asset Groups. Over several steps, in this section and the next, we’ll expand our new user’s capabilities. Along the way, we’ll cover the remaining organizational components of QualysGuard.
User Roles
QualysGuard assigns trust/privileges by assigning one of four “User Roles” to users.
The accounts we’ve been using this morning are “Manager” accounts. They’re super-user accounts.
Most people on the security teams and trusted members of the IT teams receive “Scanner” accounts. Scanner accounts have the ability to scan and map assigned Asset Groups. They can also run reports on assigned Asset Groups, and create custom reports on assigned Asset Groups.
“Reader” accounts have the fewest privileges. They can run reports on assigned Asset Groups, and create custom reports on assigned Asset Groups from existing scan and map data, but cannot launch scans or maps.
Privileges Summary
Privilege                    Manager   Scanner      Reader
Create Reports               ✓         ✓            ✓
Scan/Map: All Assets         ✓
Scan/Map: Assigned Assets              ✓
Create Option Profiles       ✓         Optionally
Create User Accounts         ✓
Astute readers – that’s you! – will note that these are only three of the promised four User Roles. We’ll learn about the fourth one in the next section.
1. Under the “Users” section, click the “Users” tab.
2. Choose “New > User...”.
3. Fill in the blank fields in the “General Information” section with your info. Use a valid email address that you can get to from the computer you are seated at.
4. Under the “User Roles” tab, choose “Reader” as your User Role.
5. Under “Asset Groups,” add “Data Center” to “Assigned Asset Groups”.
6. Click the “Options” tab and view the Notification Options.
7. Save the user; close the window. You may activate this account by looking at the email sent by Qualys, clicking on the link, and viewing the credentials. The link can only be clicked once, so make sure you save the credentials.
Dashboard
Because we’ve mapped and scanned, some information will be populated in our Dashboard.
1. Navigate to the “Dashboard” section.
2. Customize some items on the Dashboard by clicking on the “Configure” link.
Lab 4 – Fine Tuning Scanning and Reporting
Search Lists
One of the features within QualysGuard is the “Search Lists” feature under the KnowledgeBase section (it is also available under the “Scans” and “Reports” sections).
Search Lists allow you a great deal of flexibility to customize Reporting, Remediation, and Option Profiles. Let’s go ahead and try a couple of these to use later.
Dynamic Search List
A dynamic search list allows the user to create a search list that will automatically update the QIDs based on some search criteria. So, let’s say you want to create a list of all the confirmed and potential severity 4 and severity 5 vulnerabilities to generate remediation tickets:
1. Under the “Knowledgebase” section, click the “Search Lists” tab.
2. Click the New button and select the “Dynamic List” option.
The Saved Search screen looks very much like the KnowledgeBase search screen.
3. In the “Title” section, choose the name “Sev 4 and 5”.
4. From the “List Criteria” tab scroll down and choose Levels 4 and 5 for both Confirmed and Potential Severities.
5. Save the List.
Since we’re already here, let’s create a Static Search List. These come in handy when excluding QIDs.
Static Search List
Like the dynamic search list, a static search list contains a list of vulnerabilities (QIDs) that you have selected, but does not get automatically updated. The number of QIDs that you add to a static search list will not change, unless you manually change them. So, let’s say you want to create a search list that contains a single vulnerability:
1. From any Search Lists tab, choose the option to create a New “Static List”. Name the search “Conficker Worm”.
2. From the QIDs tab, click the “Select” button.
3. Click the “Search” button at the top of the page.
4. Using the Vulnerability Title text box, search for “MS08-067” (omit the quotes). This is the Microsoft Windows Server Service vulnerability associated with the Conficker Worm.
5. Place a check next to QID 90464, and click the “OK” button to add this QID to your search list.
6. Click the “Save” button.
Option Profiles
As QualysGuard learns about each host that it scans, it can categorically eliminate different vulnerability tests, dramatically reducing scan time in the process.
This occurs with a high level of granularity. For example, if QualysGuard deduces that a web server is running Apache (exclusively), it can eliminate IIS checks. Another more specific example illustrates the point: if QualysGuard detects Gnutella’s Web server, it knows this web server isn’t capable of running CGI applications, so all CGI checks are eliminated.
QualysGuard then builds a “dependency tree” to identify what conditions must be present for the system to be vulnerable. Using this “tree,” QualysGuard will test each system and, if the conditions are present, test the system for specific vulnerabilities.
Option Profiles provide additional directives used for performing a vulnerability scan.
This section presents configuration goals and then illustrates how to create Option Profiles to accomplish them. In this section we’ll address some common, and not-so-common, scan configuration settings.
Custom Vulnerability Detection and Exclusion
Goal: Choose the vulnerabilities that will be detected and others that will be specifically excluded from a vulnerability scan.
Normally, scans are configured to detect all vulnerabilities. That said, there are times when you may want to scan for a single type of vulnerability, or a small subset of vulnerabilities, and exclude other vulnerabilities from a scan.
The steps that follow will use the “Sev 4 and 5” and “Conficker Worm” Search Lists that you created earlier to perform a custom vulnerability detection and exclusion scan:
1. Under the “Scans” section, click the “Option Profiles” tab.
2. Click the New button and select “Option Profile…”.
3. Enter the title “Sev 4 and 5 without Conficker”.
4. Click the “Make this a globally available option profile” checkbox (so other QualysGuard users can use this profile).
5. In the left navigation pane, click the “Scan” tab.
6. Scroll down to the “Vulnerability Detection” section and select the “Custom” radio button.
The “Search List” dialog box will appear.
7. Click the “Add Lists” button. The search lists in your account will appear.
8. Select the check box next to the “Sev 4 and 5” Dynamic List, and then click “OK”.
9. Now scroll down just a bit further, and place a check in the “Excluded QIDs” check box.
10. Click the Add Lists button, and select the check box next to the “Conficker Worm” Static List.
11. Click the OK button.
12. Scroll to the end of the Option Profile and click “Save”.
You may now use this Option Profile to perform a vulnerability scan. The resulting scan report will only reflect the vulnerabilities identified in the Custom Search List attached to this profile, and will not include any vulnerabilities identified in the Excluded QIDs Search List.
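The difference between a dynamic and a static Search List, and the way an Option Profile combines a custom detection list with an Excluded QIDs list, as an added example that is not Qualys code. The mini KnowledgeBase is constructed: QID 90464 (MS08-067) comes from the lab, while the 9000xx QIDs and their titles are placeholders. The example goes one step beyond the lab text by showing what happens when the KnowledgeBase grows: the dynamic list picks up the new check, the static list does not.

```python
"""Dynamic vs. static Search Lists, and the Option Profile rule
"detect the custom list, minus the Excluded QIDs list".

Added example, not Qualys code. The KnowledgeBase entries are constructed
except for QID 90464 (MS08-067), which the lab names.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Set


@dataclass(frozen=True)
class KbEntry:
    qid: int
    title: str
    severity: int      # 1 (lowest) .. 5 (highest)
    vuln_type: str     # "Confirmed", "Potential" or "Information Gathered"


# A search list is anything that, given the current KnowledgeBase, yields a QID set.
SearchList = Callable[[Dict[int, KbEntry]], Set[int]]


def dynamic_list(criteria: Callable[[KbEntry], bool]) -> SearchList:
    """A dynamic list re-evaluates its criteria against the current KnowledgeBase."""
    return lambda kb: {e.qid for e in kb.values() if criteria(e)}


def static_list(qids: Iterable[int]) -> SearchList:
    """A static list is a fixed QID set; KnowledgeBase growth never changes it."""
    frozen = frozenset(qids)
    return lambda kb: set(frozen)


def effective_qids(kb: Dict[int, KbEntry], detect: SearchList, exclude: SearchList) -> Set[int]:
    """QIDs the Option Profile will actually test: custom detection minus Excluded QIDs."""
    return detect(kb) - exclude(kb)


# "Sev 4 and 5": confirmed and potential vulnerabilities of severity 4 or 5
SEV_4_AND_5 = dynamic_list(
    lambda e: e.severity >= 4 and e.vuln_type in ("Confirmed", "Potential"))
# "Conficker Worm": the single MS08-067 QID
CONFICKER_WORM = static_list({90464})


def make_kb(entries: Iterable[KbEntry]) -> Dict[int, KbEntry]:
    return {e.qid: e for e in entries}


KB_V1 = make_kb([
    KbEntry(90464, "Microsoft Windows Server Service vulnerability (MS08-067)", 5, "Confirmed"),
    KbEntry(900001, "constructed: remote code execution", 5, "Confirmed"),
    KbEntry(900002, "constructed: weak configuration", 4, "Potential"),
    KbEntry(900003, "constructed: information leak", 3, "Confirmed"),
    KbEntry(900004, "constructed: open port inventory", 5, "Information Gathered"),
])
# A later KnowledgeBase release adds one more severity-4 check
KB_V2 = make_kb(list(KB_V1.values()) +
                [KbEntry(900005, "constructed: newly published sev 4 check", 4, "Confirmed")])

if __name__ == "__main__":
    print("v1:", sorted(effective_qids(KB_V1, SEV_4_AND_5, CONFICKER_WORM)))
    print("v2:", sorted(effective_qids(KB_V2, SEV_4_AND_5, CONFICKER_WORM)))
```

Severity-5 “Information Gathered” entries are not vulnerabilities and stay out of the dynamic list, which is why the lab selects levels 4 and 5 only under the Confirmed and Potential headings.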
Low Bandwidth Scan
Use Case: Scan a remote office over a low bandwidth link.
QualysGuard has three performance option presets and a “custom” option. The “Low” option is ideal for ISDN and DSL connected offices. “Normal” is a good general setting for Ethernet environments. “High” is best for minimally utilized 100Mbit links and 1Gbit networks.
The number of hosts to scan/map concurrently affects scanning speed and network bandwidth. QualysGuard adjusts its packet rate based on detected network load; your configuration choices dictate how aggressive it should be in throttling back when it detects that the network is under load. In this exercise, you will select different presets to see how each is configured; later, you can use what you learn here when creating “Custom” performance options.
1. Create a new Option Profile titled “Low Bandwidth Scan - Option Profile”.
2. In the navigation pane on the left, choose the “Scan” tab. Under “Performance” click the “Configure…” button.
The “Configure Scan Performance” window will open.
3. Choose “Low” from the “Overall Performance” drop menu.
4. Close the performance window by clicking “OK”.
5. Save the Option Profile.
Configuring TCP Port Scans
Goal: Maximize vulnerability detection
By default, QualysGuard’s “Standard Scan” scans 1900 well known TCP ports. This small, but important, fraction of the full 65,535 possible TCP ports has been selected by Qualys’ Security Research team to maximize detection – most things that you’re likely to find on a network will be found on these ports.
On rare occasion, a service may be found that is not expected, or recognizable. Sometimes, a service will not respond as expected, or will shut down based on the type of request sent by the QualysGuard Scanner Appliance. In the unlikely event this happens, in order to prevent such issues until a resolution is implemented, remove the port from the active scans and contact the vendor for any patches.
As a “Best Practice” it is a good idea to perform a “Full Port Scan” from time to time to make sure you’re not missing something. The steps that follow will configure an Option Profile to perform a Full Port Scan:
1. Create a new Option Profile titled “Full Port Scan - Option Profile”.
2. From the left navigation pane, click the “Scan” tab.
3. Select “Full” in the “TCP Ports” and “UDP Ports” sections.
4. Save the Option Profile.
Caution: A “Full Port Scan” will consume more scanning time and resources.
Tip: To determine whether a “Standard” TCP port scan might miss some open ports, run two scans against the same IP addresses, one with the new “Full Port Scan” Option Profile and one with the Default/Standard Ports, and compare the two. If you find any differences, you can update the Default profile to include the differences.
Tip: You should regularly run Full Port Scans, even with their performance hit. Best practice: schedule a full port scan on a frequency one order of magnitude less than your standard scans. For example, if you run standard scans against your critical systems daily, then run a full port scan once a week; if you run standard scans against your desktops weekly, schedule full port scans to run monthly.
Authenticated Scanning
QualysGuard can authenticate to numerous technology platforms. To identify the various authentication options, simply navigate to the Authentication tab within the Scans section, and click the “New” button.
Authentication gives the scanner direct access to systems, greatly enhancing QualysGuard’s assessment capabilities.
In this exercise, we’ll create a Windows authentication record and an Option Profile that uses it.
1. Under the “Scans” section, click the “Authentication” tab.
2. Click the New button and select “Windows Record…”
3. Enter “Local Windows Authentication” as the “Title” for the Authentication Record.
4. Click the “Login Credentials” tab on the left hand side, and then select the radio button for “Local” authentication.
5. In the Login section, leave the radio button for “Basic authentication” selected.
6. Enter “Administrator” (omit quotes) in the User Name field and “abc123” (omit quotes) in the Password and Confirm Password fields.
7. Click the IPs tab, and assign the IPs for your Windows-based host devices (64.39.106.242, 64.39.106.243, 64.39.106.248, 64.39.106.249).
8. Click the “Save” button to complete the creation of your new Authentication Record.
Authentication isn’t enabled by default. You’ll need to either enable it in existing Option Profiles or, as in our case, create a new Option Profile for it.
9. Navigate to the “Option Profiles” tab.
10. Create a new Option Profile titled “Windows Authenticated Scan”.
11. Click the “Scan” tab on the left hand side.
12. Locate the “Authentication” section and enable the Windows authentication method.
13. Click the “Save” button.
14. Now that you have created all of the necessary pieces, navigate to the Scans tab (within the Scans section), and launch a vulnerability scan using the “Windows Authenticated Scan” Option Profile, and select the “Desktops” Asset Group or Asset Tag as your target.
15. Launch the scan.
Windows Authentication comes in the following flavors:
Local: Uses a local account, manually selected by IP address.
Domain (NetBIOS, User-Selected IPs): Uses a domain account to authenticate to user-selected IPs in the domain.
Domain (NetBIOS, Service-Selected IPs): Uses a domain account to authenticate to service-detected IPs in the domain.
Active Directory: Uses an Active Directory forest to authenticate to hosts in the domain.
Other Authentication Mechanisms:
Unix: Uses SSH; either name/password or key pair.
Oracle: Username/password + SID.
SNMP: Community string; also tries well-known community strings (e.g., “public,” “private,” “admin”).
Role-Based Reporting
Role-Based Reporting Overview
Reports should match the needs and requirements of their target audience:
Managers need a broad view – looking across the network to identify where to allocate resources – that not only shows the state of things now, but provides an answer to the question: “How are we doing now, compared to the past?”
IT security and systems administrators need a more tactical view of things. Reporting, for them, should help identify which of the inevitably overwhelming pile of “things to fix” will result in the biggest security gains.
The “Executive Report” and “Technical Report” go a long way towards matching a user’s reporting to his or her role. An earlier section showed some of the ways that these stock reports could be customized. In this section, we’ll customize some Search Lists and then build some Report Templates from scratch to more fully explore QualysGuard’s reporting capabilities.
This section presents reporting goals and then illustrates how to create Report Templates to accomplish them. We’ll expand upon this by creating some custom reporting templates from scratch.
Web and Systems Vulnerability Reports
Goal: Use the vulnerability scan data that you have successfully collected to create separate vulnerability reports for your Web and Systems Administrators.
It’s common to have separate administrative groups responsible for different services and applications that reside on a single host. Good examples of this are Web Admins that manage Web servers and Web applications, and System Admins that manage the operating system components of the very same hosts. Both groups require different vulnerability reports.
We will begin with the report template for the Web Administrators:
1. Navigate to Reports > Templates and create a new Scan Report Template titled “Web Vulnerabilities”.
2. Choose the “Data Center” Asset Group in the “Findings” Section.
3. Click on the “Display” tab, and check the “Vulnerability Details” box.
4. Select the “Filter” tab.
5. Find the “Included Categories” section and click the box to “Select/Deselect All.” (All of the included categories should now be deselected).
6. Check the Web related categories: “CGI,” “E-Commerce,” “Web Application,” and “Web Server”.
You can check your work at any time without losing your changes by doing the following:
7. Click “Test” and confirm that everything is as expected; if it is, close the report and “Save” the Template, and return to the “Report Template” page.
That’s it. We’ve created the Web Admin report.
Now you will create the System Admin “flip-side” of the “Web Admin Vulnerability Report” completed in the previous exercise.
8. Create a new Scan Report Template titled “System Vulnerabilities”.
9. Use the same Asset Groups and setup options as the “Web Vulnerabilities” template created earlier, except that this template should include every category other than the web-related ones. Hint: start by editing the existing template, make your changes, and when finished choose “Save As…”. View the report by clicking on the “Test” button, then save the template.
Selective Vulnerability Reporting
Goal: Use the vulnerability data that you have successfully collected to create a vulnerability report that selectively includes and excludes vulnerabilities that you specify.
Earlier in this lab you saw how an Option Profile could be customized to target a specific list of vulnerabilities, and how other vulnerabilities could be simultaneously excluded from a scan. This next exercise will demonstrate these very same principles, only using the Selective Vulnerability Reporting section within a Report Template.
Best Practice: Scan for everything, and then be selective (customize) in your reporting.
1. Navigate to the Templates tab within the Reports section, and click the New button. Choose the “Scan Template…” option.
2. Title the report “Critical Vulnerabilities With Patches”.
3. From the left navigation tab click on the “Findings”, and use the “Desktops” Asset Tag as the target for this report.
4. From the left navigation pane, click the “Display” tab. In the Detailed Results section, choose the option to sort by vulnerability, and select the check box to include the Vulnerability Details.
5. From the left navigation pane, click the “Filter” tab. In the “Selective Vulnerability Reporting” section, click the Custom radio button, and then click the Add List button.
6. From the “Select Vulnerability Search Lists” window, click the Search List Library tab (left navigation pane), and import the “Critical Vulnerabilities with Vendor Patches v.1” Search List. Make the Search List Global.
7. Use the Test button to test your report options. When the report appears, record the number of Total Vulnerabilities.
8. Close the report and return to the Selective Vulnerability Reporting section.
9. Click the Exclude QIDs check box, and then click the Add Lists button.
10. From the “Select Vulnerability Search Lists” window, click the Search List Library tab (left navigation pane), and import the “Adobe Vulnerabilities v.1” Search List. Make the Search List Global.
We will make the assumption here that a different administrator will handle the Adobe-related vulnerabilities.
11. Use the Test button again to test your new exclusion option. When the report appears, compare the Total Vulnerabilities to the number you recorded earlier.
12. Close the report and “Save” the report template.
Additional Exercises
Scan Based Findings Authentication Report
Goal: Create a report that displays the authentication results from a specific Authenticated Scan.
Scan Based Findings are very useful when creating a report that will focus on a specific scan result (one that you “manually” select at the time the report is generated). The following exercise will walk you through the steps of using manual data to build an “Authentication Report”:
1. Navigate to the Reports section and click on the Templates tab.
2. Click the New button and select the “Scan Template” option.
3. Enter the following Title: “Windows Authentication Report”, and select the check box to make this template globally available.
4. Navigate to the Findings Section, and select the “Scan Based Findings” radio button.
5. From the left navigation pane, click the Display tab. Under the Detailed Results section, select the Vulnerability Details check box and the Results check box (no other check boxes are required for this report).
6. From the left navigation pane, click the Filter tab. Click the Custom radio button, followed by the Add Lists button.
7. From the “Select Vulnerability Search Lists” window, click on the Search List Library tab (left navigation pane), and import the “Windows Authentication Results v.1” Search List. After clicking the Import button, click the Make Global button to complete the import process.
8. While still within the Filter tab, scroll down and select the check box to add “Active” Information Gathered data to this report, and remove the check box for “Active” vulnerabilities.
9. Click the Test button to test your report template settings.
10. When you are prompted with the “Select Scan Results” window, select a check box that corresponds with a Trusted (authenticated) Scan.
11. Click the Run button to build the report.
Required and Unauthorized Services Report
Goal: Identify the required and unauthorized services running on your host devices. Identify any required services that are missing.
Let’s assume that our Data Center hosts should have a web server running on them, but they are prohibited from running the FTP, Gnutella, and Kazaa services.
The steps that follow will create a custom Search List for “Required and Unauthorized Services and Ports” as well as a custom Report Template that lists these various ports and services for the Data Center hosts:
1. Navigate to any Search List tab, and click the New button. Select the “Static List” option.
2. Provide your new list with the following Title: “Required and Unauthorized Services and Ports”.
3. From the left navigation pane, click the “QIDs” tab, and then click the Manual button.
4. From the Manual Input window, enter the following QID numbers (separate each QID number with a comma): 82051, 82043, 38175, and 38228. Click the OK button.
Your Search List will be updated with a list of the QIDs you entered.
5. Click the Save button to save your Search List.
Now that you have successfully created a “Required and Unauthorized Services and Ports” Search List, it is time to attach this list to a Report Template.
6. Navigate to the Reports section and click on the Templates tab.
7. Create a New Scan Template.
8. Provide a Title: “Required and Unauthorized Services Template”.
9. Click on the “Findings” tab, and select “Data Center” as the target Asset Group for this template.
10. Click on the “Display” tab, and remove all “Text Summary” check boxes. In the Detailed Results section, select the Vulnerability Details check box along with the Threat and Results check boxes.
11. Click the Filter tab, and select the Custom radio button.
12. From the Custom Vulnerability dialog box, click the Add List button, and then select the “Required and Unauthorized Services and Ports” Search List (the one you just created).
13. Click the Services and Ports tab, and add the http service to the “Required Services” list. Add ftp, gnutella, and kazaa to the “Unauthorized Services” list.
14. In the Unauthorized Ports field, enter 9001 – 65535.
15. Click the Test button to test your Report Template selections.
16. When you are satisfied with the results, click the Save button.
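The checks that the “Required and Unauthorized Services Template” encodes (every host must expose the required service, must not expose any unauthorized service, and must have no listener in the unauthorized port range) can be expressed in a few lines of code. The following Python is an added example for this edit, not code from the Qualys lab or product; the host inventory, IP addresses and listener names are constructed for illustration, and the service names are assumed to match what the scanner reports.

```python
"""Required / unauthorized services check (added example, not Qualys code).

Models the logic of the "Required and Unauthorized Services" report:
  - every required service must be present on each host,
  - no unauthorized service may be present,
  - no listener may sit inside the unauthorized port range.
Hosts, IPs and listeners below are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Listener:
    port: int
    service: str  # service name as the scanner would report it, e.g. "http"


@dataclass
class ServicePolicy:
    required: set[str]
    unauthorized: set[str]
    unauthorized_ports: list[tuple[int, int]] = field(default_factory=list)


def parse_port_spec(spec: str) -> list[tuple[int, int]]:
    """Turn a field such as "9001 - 65535, 6667" into [(9001, 65535), (6667, 6667)]."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi.strip() else lo_i
        if not (1 <= lo_i <= hi_i <= 65535):
            raise ValueError(f"bad port range: {part!r}")
        ranges.append((lo_i, hi_i))
    return ranges


def evaluate_host(listeners: list[Listener], policy: ServicePolicy) -> list[tuple[str, str]]:
    """Return (finding_type, detail) pairs for one host: missing required
    services first, then unauthorized services, then unauthorized ports."""
    findings = []
    seen = {l.service.lower() for l in listeners}
    for svc in sorted(policy.required - seen):
        findings.append(("required_service_missing", svc))
    for svc in sorted(seen & policy.unauthorized):
        findings.append(("unauthorized_service", svc))
    for l in sorted(listeners, key=lambda x: x.port):
        if any(lo <= l.port <= hi for lo, hi in policy.unauthorized_ports):
            findings.append(("unauthorized_port", f"{l.port}/{l.service}"))
    return findings


# The policy from the lab: http required; ftp, gnutella, kazaa forbidden; 9001-65535 forbidden.
DATA_CENTER_POLICY = ServicePolicy(
    required={"http"},
    unauthorized={"ftp", "gnutella", "kazaa"},
    unauthorized_ports=parse_port_spec("9001 - 65535"),
)

# Constructed sample inventory (what a scan of three hosts might have found).
SAMPLE_HOSTS = {
    "10.0.0.10": [Listener(80, "http"), Listener(22, "ssh")],
    "10.0.0.11": [Listener(21, "ftp"), Listener(22, "ssh")],
    "10.0.0.12": [Listener(80, "http"), Listener(6346, "gnutella"), Listener(31337, "unknown")],
}


def evaluate_hosts(hosts=SAMPLE_HOSTS, policy=DATA_CENTER_POLICY):
    return {ip: evaluate_host(listeners, policy) for ip, listeners in hosts.items()}


if __name__ == "__main__":
    for ip, findings in evaluate_hosts().items():
        print(ip, findings or "compliant")
```

Note that the port check fires on any listener in the range regardless of how the service was named, which is what you want: an unknown listener on a high port is exactly the kind of thing the unauthorized-port range exists to catch.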
LAB 5 – Remediation and Trouble Ticketing
QualysGuard includes a trouble-ticketing and workflow engine specifically designed for Vulnerability Remediation. There are two ways to create tickets – manually or automatically.
Let’s start with the automatic ticket creation process.
Automatic Ticket Creation
Now create a remediation policy to have tickets created when a vulnerability is found.
Setting up trouble ticketing isn’t difficult. In fact, one rule should cover 90% of your needs. That rule, in English, is:
“Whenever a scan detects a level 4 or level 5 vulnerability, create a ticket and assign it to the person who ran the scan, giving them N days to fix it.” (Substitute your own value for N.)
We’ll translate that into a Policy next.
1. Under the “Remediation” section, click the “Policies” tab.
2. Choose “New > Rule…”.
3. Enter “Only the Worst Rule” for the title.
4. Under the “Conditions” tab, notice the “Asset Groups” field. “All” is a keyword that includes all hosts in your account.
5. Under the “Vulnerability” section, click the selection button to the right of the field to choose a Search List.
6. Select the checkbox next to title, “Sev 4 and 5” and press the “Ok” button.
7. Note that the “Assign to” column (in the “Actions” tab) is pre-configured to assign the tickets to the user who ran the scan. We’ll enforce a 7-day deadline. This is the default, so there’s no work to do here.
8. Save the rule by clicking the “Save” button.
9. Now that you have created a Remediation Policy, you will need to launch another vulnerability scan to allow QualysGuard to automatically create remediation tickets.
10. Go ahead and launch an authenticated scan against your “Desktops”.
Ticket List
1. After your vulnerability scan has been processed, navigate to the “Remediation” section and click on the “Tickets” tab.
Edit Ticket
Let’s say we’ve gone and fixed a level 5 vulnerability. We can use the “Edit Ticket” functionality to indicate that we’ve done so.
2. Choose a ticket, and click on the “Edit” function from the Quick Actions menu.
3. Select “Resolve” for the “Action” and enter text describing why it’s resolved.
4. Click “Save”.
Rule-based Remediation Policies
Now, let’s look at creating a rule-based Policy. This is a set of instructions to automatically create trouble tickets when certain conditions are met. Tickets are created/closed automatically after each scan.
We’ll use QualysGuard’s internal ticketing solution to demonstrate this; the same approach applies to integrations with third-party ticketing systems.
Exceptions
While the “90% rule” works well in most situations, there are a couple of places where we might want to fine-tune things.
Let’s suppose that you lead a “Tiger Team” that gets assigned to handle worm outbreaks. We’ll set up a rule to assign a ticket to you whenever the Windows RPC vulnerability is detected.
1. First, go back to the “Search List” tab under the KnowledgeBase section to create a new Static Search List.
2. Create a new Static List titled “Windows RPC Vulnerabilities”.
3. In the “QIDs” tab on the left hand side, search for “Multiple Microsoft Windows RPC/DCOM Vulnerabilities (MS04-012)”, select its check box, and click “OK”. Then click “Save” to save the list.
4. Now go back to the “Remediation” section, click on the “Policies” tab and create a new Remediation Rule titled “Windows RPC Vulnerabilities”.
5. Add the new static search list for the vulnerability under the “Conditions” tab.
7. Under the “Actions” tab, change the “Assign To” user to you.
8. Save the rule, close the window, and return to the Remediation Policies list.
Wait A Second! We have two rules that match the same vulnerability. The Multiple RPC Vulnerabilities issue is a level 5 vulnerability, so it matches the “Only the Worst Rule” (Sev 4 and 5) rule and, of course, it also matches the “Windows RPC Vulnerabilities” rule.
QualysGuard uses the order (or stack ranking) of rules to resolve conflicts like this. Start with the top rule and see if it matches. If it does not, move down to the next rule. The first rule that matches is processed; if no rule matches, no ticket is created.
So, for us to get the correct behavior, we need to move our “Windows RPC Vulnerabilities” rule above the “Only the Worst Rule” rule.
9. Select “Reorder…” from the “New” menu.
10. In the “Reorder Policy Rules” window, select “Windows RPC Vulnerabilities” and use the “Move Up” button to move it to the top of the list.
Tip: always rank specific rules above more general rules.
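How the rule stack is evaluated, as an added example written for this edit rather than code from the Qualys lab or product: rules are tried top-down, the first match wins, a finding that matches no rule gets no ticket, and an open ticket is resolved when a later scan no longer detects its finding. The rule titles follow the lab; the QIDs (900001 and so on), hostnames, user names and asset-group membership are placeholders chosen for the example.

```python
"""First-match remediation rule evaluation (added example, not Qualys code).

Two rules from the lab are modelled: a specific "Windows RPC Vulnerabilities"
rule keyed on a static search list, and the general "Only the Worst Rule"
(severity 4 and 5, assigned to whoever ran the scan). Running the same scans
under both orderings shows why the specific rule must sit on top.
QIDs, hosts, users and group membership below are placeholders.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    qid: int
    severity: int  # QualysGuard severity level 1-5


@dataclass
class Rule:
    title: str
    assign_to: str                        # "SCAN_OWNER" = the user who launched the scan
    deadline_days: int = 7
    asset_groups: set[str] | None = None  # None plays the role of the "All" keyword
    qids: set[int] | None = None          # a static Search List; None = any QID
    min_severity: int = 1

    def matches(self, f: Finding, host_groups: set[str]) -> bool:
        if self.asset_groups is not None and not (self.asset_groups & host_groups):
            return False
        if self.qids is not None and f.qid not in self.qids:
            return False
        return f.severity >= self.min_severity


@dataclass
class Ticket:
    host: str
    qid: int
    assignee: str
    rule: str
    deadline_days: int
    state: str = "OPEN"


def first_match(rules, finding, host_groups):
    """Top-down evaluation: the first matching rule wins; None if nothing matches."""
    for rule in rules:
        if rule.matches(finding, host_groups):
            return rule
    return None


def process_scan(rules, findings, scan_owner, membership, tickets):
    """Open tickets for newly matched findings and resolve open tickets whose
    finding was not detected in this scan. Mutates and returns `tickets`."""
    detected = {(f.host, f.qid) for f in findings}
    for key, ticket in tickets.items():
        if ticket.state == "OPEN" and key not in detected:
            ticket.state = "RESOLVED"  # closed automatically after a clean scan
    for f in findings:
        key = (f.host, f.qid)
        if key in tickets and tickets[key].state == "OPEN":
            continue  # already tracked; don't open a duplicate
        rule = first_match(rules, f, membership.get(f.host, set()))
        if rule is None:
            continue  # no rule matched: no ticket
        assignee = scan_owner if rule.assign_to == "SCAN_OWNER" else rule.assign_to
        tickets[key] = Ticket(f.host, f.qid, assignee, rule.title, rule.deadline_days)
    return tickets


# Placeholder QIDs: real QIDs come from the KnowledgeBase, these are not them.
RPC_QID, SEV4_QID, SEV2_QID = 900001, 900002, 900003

rpc_rule = Rule("Windows RPC Vulnerabilities", assign_to="tiger_team", qids={RPC_QID})
worst_rule = Rule("Only the Worst Rule", assign_to="SCAN_OWNER", min_severity=4)


def run_example(rule_order):
    """Two scans of a constructed Desktops group under the given rule order."""
    membership = {"desk-01": {"Desktops"}, "desk-02": {"Desktops"}}
    tickets = {}
    first_scan = [Finding("desk-01", RPC_QID, 5), Finding("desk-01", SEV4_QID, 4),
                  Finding("desk-02", SEV2_QID, 2)]
    process_scan(rule_order, first_scan, "alice", membership, tickets)
    second_scan = [Finding("desk-01", SEV4_QID, 4)]  # RPC issue patched in between
    process_scan(rule_order, second_scan, "alice", membership, tickets)
    return {k: (t.assignee, t.rule, t.state) for k, t in tickets.items()}


if __name__ == "__main__":
    print("specific rule first:", run_example([rpc_rule, worst_rule]))
    print("general rule first: ", run_example([worst_rule, rpc_rule]))
```

With the specific rule on top, the level-5 RPC finding is routed to the tiger team and later auto-resolved; with the general rule on top it lands on the scan owner, which is the misrouting the reorder step above prevents. The severity-2 finding never produces a ticket under either order.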
A Final Note – Account Setup
Before ending the training, it’s important that we cover some less conspicuous setup configurations of QualysGuard. These are items that aren’t essential, but may be needed here and there.
Setup Tabs
The Setup tab appears in several sections of the UI (Remediation, Scans, Reports, Assets and Users) and collects items that don’t fall into any of the other categories.
Excluding Hosts from Scans
In some cases, you may have IP addresses within a segment that do not need to be scanned, and never will. In this case, the “Excluded Hosts” section of the Setup menu comes in handy.
1. Navigate to the “Setup” tab in the “Scans” section, and click on Excluded Hosts section.
2. A new screen will appear.
3. Click the “Edit” button.
4. Add the IP 64.39.106.246 to the list. Click “Add”.
5. Add a comment (the Comment field is required).
6. Click “Close”.
Tip: it’s a good practice to add comments about “why” this is excluded in the event of an audit.
7. Rerun a light scan over the IP Segment containing the IP address you just excluded. You should not see the .246 address.
Keep in mind that exclusion is a global setting for your subscription: excluded IPs are left out of ALL scanning activity, even though they remain listed in your subscription.
Next, let’s look at how long you keep your data. By default, saved scan results are deleted from the history list after six months. You may extend this to up to a year, or reduce it to one month. Under the “Setup” tab in the “Scans” section you will find the retention setting.
You simply choose the amount of time, and click “Save”.
Remember how, in Remediation, we talked about automatically closing tickets once a scan shows the vulnerability is no longer detected? That behaviour is controlled under the “Setup” tab in the “Remediation” section.
You may also need to decide whether lower-privileged groups may Close and Ignore tickets, or Delete them – both can be allowed here.
The Security function under the “Setup” tab in the “Users” section holds the more security-critical settings for users and the service.
You may want to restrict which IPs have the ability to connect to your QG UI. For this reason, you can restrict access. You can also set password security, even allowing users to set their own passwords.
Finally, let’s take a look at the “Report Share” section.
8. Navigate to the “Setup” tab in the “Reports” section, and click on “Report Share”.
9. Choose to “Enable Secure PDF Distribution”.
10. Click “Save”.
11. Now navigate to Reports and choose a new Technical Report.
12. Click “Add Secure Distribution” and choose an email to send your report to.
13. Run the Report.
Now when you generate a PDF report you’ll have the chance to enter a list of email addresses to which the report should be distributed securely. As long as you have Adobe Reader on your computer and you know the report password, you’ll be able to open the report OUTSIDE of QualysGuard.
Choosing A Different QualysGuard Home Page
What do you want to see when you log in? If you want a snapshot of the current state of things, the “Dashboard” will work nicely.
1. Under your username in the upper right hand corner of QualysGuard, click on “Home Page…”.
2. Choose “Scan” from the “Pages” menu and click “Save”.
Configuring Business Risk
The Executive Report (and any templates you create from it) has a metric called “Business Risk.”
Business Risk is the product of the “Average Security Risk” and the rating set by the Asset Group’s “Business Impact.” Let’s take a look at how the weights are calculated.
Choose “Business Risk” from the “Setup” tab under the “Reports” section.
These are the default values for Business Risk. As you can see, a level 5 vulnerability on a host whose Asset Group is of “Critical” importance is weighted 100 times greater than that of a level 1 vulnerability on a host whose asset group is of “Low” importance.
Contacting Support
Overview
Try as we may, inevitably you will need to contact support. In order for us to properly and efficiently troubleshoot issues, we will need information from you.
There are 3 ways to contact support:
o The QualysGuard Interface
o Email to [email protected]
o For Critical issues – call us:
§ U.S. and Canada: +1.866.801.6161 24x7
§ Europe, the Middle East and Africa: +33.1.41.97.35.81 24x7
§ UK: +44 1753 872102 24x7
With the QualysGuard interface, you will have all the necessary information at your fingertips. From the QualysGuard User Interface, click on “Help” and then “Contact Support”. A popup screen will appear for the email.
So then, the question becomes – what information do you need to send to Qualys? Well, that can depend on the type of problems you are seeing.
False Positive
If you believe that you have identified a false positive, please provide us with additional information so that we can resolve the issue as quickly as possible.
Please provide the following in this message:
§ Reasons you believe you have a false positive. Include steps you've taken to patch the system.
§ Was the issue reported during an authenticated scan? If yes, was the authentication successful? There are several appendices in your scan results that provide information related to authentication.
§ When was the vulnerability first detected? Have there been changes to the host since then?
§ For publicly-facing IPs, we can greatly expedite the investigation if we can perform a light scan on the host. Do you grant permission for us to scan the host?
After receiving a ticket number from Support, send a follow-up email referencing the ticket number and attach the following items:
§ A scan report with the vulnerability reported.
§ A packet capture of traffic to/from the affected service/port for its typical communications. (only if requested by DEV)
§ System configuration information. For Windows, this is provided by systeminfo.exe and MSinfo32.exe.
§ Additional information, such as a registry dump or a screenshot of the system showing that it is patched and not vulnerable.
False Negative
On very rare occasions we may produce a False Negative. If you believe this to be the case, please provide the following in your message:
§ IP address, DNS hostname or NetBIOS hostname for the host.
§ QID, if available, for the potential false negative.
§ Reasons you believe you have a false negative. Include steps taken to troubleshoot the issue.
§ When was the vulnerability last detected? Have there been changes to the host since then?
§ For publicly-facing IPs, we can greatly expedite the investigation if we can perform a light scan on the host. Do you grant permission for us to scan the host?
After receiving a ticket number from Support, send a follow-up email referencing the ticket number and attach the following items:
§ A scan report of the scan that did not identify the vulnerability.
§ Additional information, such as a registry dump or screenshot of your system.
Service Stopped Responding
This type of issue can have several causes, and is rarely caused by a test we have sent. Nevertheless, we need to determine what has happened and help expedite resolution. Quite often, resolution does require the vendor of the service to be involved in our troubleshooting effort.
Please provide the following in this message:
§ A description of the symptoms. When did the issue first appear? If the issue is reproducible, please provide steps to reproduce the issue.
§ Detailed information for each affected system, including: operating system version and patch level, IP address, the system's primary function and the location of the system on the network (i.e. behind a firewall, in DMZ or behind a load balancer.)
§ Detailed information for each affected service, including: software name, exact version and build or patch level, the port number that the affected service is running on and whether the port is static or dynamic.
§ For publicly-facing IPs, we can greatly expedite the investigation if we can perform a light scan on the host. Do you grant permission for us to scan the host?
After receiving a ticket number from Support, send a follow-up email referencing the ticket number and attach the following items:
§ A scan report of the scan that caused the service to stop responding.
§ A packet capture of traffic to/from the affected service/port for its typical communications.
§ A list of open ports and services running on those ports.
o On a Windows system, you can run the free tcpview.exe and save the output. This program is available at: http://www.sysinternals.com/ntw2k/source/tcpview.shtml
o On a Linux system, you can run netstat -ntulp and save the output.
§ An image of the box is useful to help us reproduce the issue. For Windows machines, images may be created using MS Virtual PC (free). For *nix, VMWare may be used. If the host has custom software on it, then please also provide us with a copy of the software.
§ Additional information, such as screenshots and log files.
Scanner Appliance Issues
Before submitting a request to Support, please see the QualysGuard Scanner Appliance User Guide for troubleshooting information. The user guide describes troubleshooting techniques you can use to respond to errors and performance conditions when using the Scanner Appliance.
If you have followed the troubleshooting techniques and are still experiencing difficulty, please provide us with additional information so that we can resolve the issue as quickly as possible.
Please provide the following in this message:
§ The error message on the LCD display of the Scanner Appliance.
§ The IP configuration for the LAN interface (static or DHCP). For static configurations, include the IP address, netmask, gw, dns1, dns2, wins and domain.
§ If WAN is enabled, provide the IP configuration for the WAN interface. For static configurations, include the IP address, netmask, gw, dns1, dns2, wins and domain.
§ If proxy is enabled, identify the proxy software and list the proxy configuration. Indicate whether a username and password is used but do not send us the password.
§ How long is the timeout from when you hit Enter on "Really enable.." to when the "Network Error" message appears?
§ When you use a laptop with the same network configuration on the same network port, are you able to connect to the QualysGuard service at https://qualysguard.qualys.com?
Host Crash
Qualys scans are generally non-intrusive. If a scan has caused a host to crash, we will make resolving this issue a top priority. We are eager to work with you and any third-party vendors to quickly isolate and resolve the problem.
Please provide the following in this message:
§ A description of the symptoms. When did the issue first appear? If the issue is reproducible, please provide steps to reproduce the issue.
§ Detailed information for each affected system, including: operating system version and patch level, IP address, the system's primary function and the location of the system on the network (i.e. behind a firewall, in DMZ or behind a load balancer.)
§ For publicly-facing IPs, we can greatly expedite the investigation if we can perform a light scan on the host. Do you grant permission for us to scan the host?
After receiving a ticket number from Support, send a follow-up email referencing the ticket number and attach the following items:
§ A scan report of the scan that resulted in the host crash.
§ A packet capture of traffic to/from the affected service/port for its typical communications.
§ A list of open ports and services running on those ports.
o On a Windows system, you can run the free tcpview.exe and save the output.
o On a Linux system, you can run netstat -ntulp and save the output.
§ An image of the box is useful to help us reproduce the issue. For Windows machines, images may be created using MS Virtual PC (free). For *nix, VMWare may be used. If the host has custom software on it, then please also provide us with a copy of the software.
§ Additional information, such as screenshots and log files.