Three Ways To Fill The Loopholes In The Enterprise System
Vulnerability management is relatively complex work, and doing it well is not easy. The author believes the following points need to be considered when carrying it out.
1. Network scanning or host scanning
To fix vulnerabilities, we first need to know what they are. The first task of vulnerability management is therefore to scan the existing hosts and see which vulnerabilities they have.
Generally, there are two ways to scan. One is to scan all the hosts in the network from a single host on that network. Scanning tools such as Streamer make it convenient to scan every computer on the network and find the vulnerabilities in their operating systems. For example, with Streamer you can easily find out which hosts in the enterprise network have no administrator account password or only a simple one (for example, 123456); you can also use the tool to find which hosts in the enterprise have default sharing enabled, and so on.
The other is to scan on the host side: install a scanning tool on every host in the network and scan the hosts one by one. Some anti-virus products, such as Kingsoft Antivirus and Rising, come with their own vulnerability scanning tools. With these tools, the network security administrator can easily find the operating system vulnerabilities that could be attacked.
If both methods are used on the same host, the results may not be completely consistent. Why? A network scan sees the host the way a hacker scanning our network would. The information it gets may be fairly basic and, because of other restrictions, it may not find every vulnerability. A scan run on the host itself returns more detailed information and may find all known system vulnerabilities. Scanning on the host therefore tells the administrator more. Unfortunately, scanning every operating system on the host side is a very heavy workload.
Therefore, we need to achieve a balance between workload and security according to the actual situation.
The author suggests:
In practice, the author uses both methods. Vulnerabilities in ordinary users' operating systems are found and fixed through network scanning. Network application servers, such as the company's database server and file server, are regularly scanned locally on the machine itself. On the one hand, servers run 24 hours a day, so we can use a task scheduling command to scan a server when it is idle, such as at midnight. That way the scan does not affect the server's daytime operation. On the other hand, an enterprise has only a few servers, so scanning them is not much trouble. Moreover, the security of a server matters more than that of an ordinary user's operating system. Host-side scanning is therefore very necessary for servers.
For ordinary users' operating systems, remote network scanning is enough. We only need to find, through network scanning, the vulnerabilities that hackers, trojans and the like could also find by scanning, and then fix them. This reduces the probability of a user's operating system being attacked by trojans and viruses and improves the security of the enterprise network.
2. When to scan
When should we scan the hosts? Once a day, once a week, or once a month? Ideally, the higher the frequency, the better, because vulnerabilities are then found as early as possible. However, both local scanning and network scanning consume resources and have a large impact on the performance of the host and the network. Network scanning takes up considerable network bandwidth while it runs, which reduces the efficiency of other network applications. For example, in one test the author enabled network scanning and at the same time copied an image about 5M in size to a file server. The copy took nearly half again as long as it does when network scanning is not enabled. Scanning too frequently will therefore greatly affect the normal operation of the enterprise's other network services. We need to set a reasonable scanning frequency that minimizes the adverse impact on normal business while still meeting security requirements.
The author suggests:
The author has done a little research in this area and would like to share some views here; further advice is welcome.
1. Under normal circumstances, the author conducts a vulnerability scan of the enterprise's computers once every two months. Generally, it is set for the last weekend at the end of February. The author uses the noon break on Friday to scan the company's computers, which takes about two hours. Our enterprise takes a break of one and a half hours at noon, so users' network speed is affected for only about half an hour. Once the reason is explained to users, they can accept it.
2. When there are exceptional circumstances, we must take special measures. For example, we can check which viruses have been circulating recently on virus information websites, such as the Kingsoft Antivirus website, and then run targeted scans. In that case we do not need to scan the operating systems from beginning to end; we only need to scan for the specific vulnerabilities that those viruses or trojans attack. This narrows the scanning range, which improves scanning efficiency and minimizes the impact on users.
3. Every scan record must be kept for later query. After each scan, the author compares the new record with the previous one. The comparison shows which vulnerabilities have not been repaired, and whether that is because no appropriate patch was found, because the patch conflicts with existing software, or because the vulnerability is not harmful to the enterprise. In addition, if an employee's system is reinstalled, we do not need to scan it again: the vulnerabilities can be patched according to the latest scanning results, which saves scanning time. These scan records can also help us resolve network security incidents. Once, a user reported to the author that someone else had logged into his mailbox: some emails he had not read were already marked as read. The author checked the latest vulnerability scanning record of his computer and found that there was a very serious vulnerability, and I didn't know how to fix it. It was a vulnerability recently used by a popular trojan that steals user accounts and passwords. The author then ran a removal tool for that trojan on the computer and found traces of it. If we make full use of these scan records, they will be very helpful to our security work.
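The record comparison described in point 3, as an added example (not the author's own tooling): it sorts each host's findings into fixed, new, still open with a recorded reason, and still open without one, and lists hosts the latest scan did not reach. The record layout, host names, finding ids and reason labels are assumptions constructed for illustration, and the reinstall helper assumes a rebuild returns the host to its unpatched state.

```python
# Reasons the page lists for a finding staying open between scans.
KNOWN_REASONS = {"no_patch_found", "patch_conflict", "not_harmful"}

# Constructed sample records: host -> {finding id: recorded reason or None}.
# Host names and finding ids are placeholders, not real identifiers.
PREVIOUS = {
    "pc-finance-01": {"FINDING-A": None, "FINDING-B": None},
    "srv-files-01": {"FINDING-C": "patch_conflict"},
    "pc-lab-03": {"FINDING-A": None},
}
CURRENT = {
    "pc-finance-01": {"FINDING-B": None, "FINDING-D": None},
    "srv-files-01": {"FINDING-C": "patch_conflict"},
    "pc-sales-07": {"FINDING-A": None},
}


def compare_scans(previous, current):
    """Return (per-host delta, hosts missing from the current scan)."""
    deltas = {}
    for host, now in sorted(current.items()):
        old = previous.get(host, {})
        still_open = sorted(set(old) & set(now))
        deltas[host] = {
            "fixed": sorted(set(old) - set(now)),
            "new": sorted(set(now) - set(old)),
            "explained": [f for f in still_open if now[f] in KNOWN_REASONS],
            # Still open with no recorded reason: needs follow-up.
            "unexplained": [f for f in still_open if now[f] not in KNOWN_REASONS],
        }
    # A host that was not reached must not be reported as "fixed".
    missing = sorted(set(previous) - set(current))
    return deltas, missing


def patch_list_after_reinstall(host, history):
    """Findings to patch on a rebuilt host without rescanning it.
    Assumption: the rebuild undoes earlier fixes, so all records count."""
    latest_reason = {}
    for scan in history:  # oldest first, so later records overwrite
        latest_reason.update(scan.get(host, {}))
    return sorted(f for f, r in latest_reason.items() if r is None)


if __name__ == "__main__":
    print(compare_scans(PREVIOUS, CURRENT))
    print(patch_list_after_reinstall("pc-finance-01", [PREVIOUS, CURRENT]))
```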
3. Test thoroughly before repairing
When we find a vulnerability, can we roll out the patch for it straight away? Actually not. In the author's opinion, it is better to test the patch on a local computer first to see whether it conflicts with other software on that computer. Rather than regretting it after a conflict appears, why not do the testing properly beforehand?
Generally speaking, Microsoft does carry out some tests on the patches it releases for its operating systems and office software. However, those tests may not cover all the software an enterprise currently uses. The author has run into this before: after the SP2 patch for XP was installed, an open source mapping software used by the author's enterprise could no longer run. In the end the system had to be reinstalled and the operating system upgraded directly to 2003. Fortunately, the hardware configuration could support the 2003 system; otherwise it would have been a big problem.
The author suggests:
The author has learned many lessons here. After a patch is applied, software that ran on the original operating system may no longer run normally, or may run much more slowly. To be honest, there are also several pirated Microsoft operating systems in the author's company. After a patch is installed, a pirated operating system sometimes can no longer be used, or shows prompts such as a user registration message.
Therefore, to avoid doing harm with good intentions, the author strongly suggests that enterprise network security administrators test patches adequately before installing them, and only then patch and repair vulnerabilities on a large scale. Otherwise, although the vulnerability is closed, the patch may seriously affect the enterprise's current applications, and we will lose more than we gain.