June 2007

SECURITY INSIGHTS ARTICLES
Beat the Bad Guys to the Punch with Accurate OS Identification

It may sound like a worst-case IT scenario, but it happens more commonly than you might think. Imagine a network with 1,000 servers running various versions of the Microsoft® Windows operating system. There’s an exploit at large that targets Microsoft Windows XP. You’ve sent out patches to 200 machines you think are running that operating system. But you find out later that you’ve attempted to patch the wrong OS, so the threats are still rampant. And, you’ve wasted a lot of time and IT resources.

A key aspect of effective vulnerability scanning is operating system (OS) identification. You can’t call a vulnerability audit of your network assets complete without accurate operating system identification. Granular detection (such as distinguishing Microsoft® Windows XP from Microsoft® Vista®, or different Microsoft service pack levels) is critical for determining specific flaws and for correctly applying remediations that work.

The bad guys are getting better at homing in on vulnerabilities in specific applications that run on specific operating systems, and even on specific versions of those operating systems. Many security exploits are written for a particular OS version. One thing you don’t want to do is waste time putting out fires where there aren’t any, or allow threats to spread because you’ve patched the wrong OS.

The strength of vulnerability scanners lies in their ability to identify problems before they can be exploited and to ensure that patches are applied. Remote scanning is one way of determining whether an available service is susceptible to, or patched for, a particular vulnerability. However, finding the IP addresses of devices on your network won’t get you very far when it’s time to patch vulnerabilities that are targets for dangerous attack vectors. And just knowing that a machine runs Microsoft Windows isn’t enough. There are a number of methods that can be used to pinpoint an OS. These include Transmission Control Protocol (TCP) stack fingerprinting and Internet Control Message Protocol (ICMP) stack fingerprinting. Fingerprinting techniques send probes to open ports and examine the reply packets. The replies are rendered as text fingerprints and matched against an existing list of operating system fingerprints. An algorithm determines how closely each reply matches an entry in the list. Matching stops as soon as a 100 percent match is found; otherwise, the entry with the highest percentage match after the entire list has been checked is taken.

Stack fingerprinting methods and other techniques aren’t always the most accurate or most efficient ways to get a clear answer when querying a system for its operating system. Firewalls, network latency (transmission delays), and blocked or filtered ports at the host make it difficult for these probes to spot the OS. Also, network software developers sell their stacks to multiple OS vendors, so you might find the same stack on multiple operating systems. For example, the Server Message Block (SMB)/NetBIOS method can be fooled by Linux or other systems that run an SMB server to act as file servers for Microsoft Windows clients on a network. These are all good reasons why the best scanners do not rely solely on the return from any one method, but rather on a final decision algorithm that compares and assigns a weight to the scan data from all available methods.
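As an added example (not code from the article or from McAfee Foundstone), here is a small Python model of the two steps described above: scoring a reply against a fingerprint list with an early exit on a 100 percent match, and the final decision step that weights each method’s answer so that several consistent stack probes outvote one spoofable SMB/NetBIOS answer. The fingerprint values and method weights are constructed assumptions, not real signatures.

```python
# Constructed toy fingerprint list: each OS maps probe attributes to the reply
# values expected from its stack. Illustrative values, not real signatures.
FINGERPRINTS = {
    "Windows XP SP2": {"tcp_ttl": 128, "tcp_win": 65535, "df": True, "icmp_code": 0},
    "Windows Vista": {"tcp_ttl": 128, "tcp_win": 8192, "df": True, "icmp_code": 0},
    "Linux 2.6": {"tcp_ttl": 64, "tcp_win": 5840, "df": True, "icmp_code": 0},
}

# Assumed trust weight per method. A host-resident agent is trusted most;
# SMB/NetBIOS can be answered by a Samba box posing as Windows, so it counts least.
METHOD_WEIGHTS = {"tcp_stack": 0.6, "icmp_stack": 0.4, "smb_netbios": 0.3, "epo_agent": 1.0}


def match_fingerprint(reply, db=FINGERPRINTS):
    """Score one captured reply (dict of attribute -> value) against every
    entry of the fingerprint list. Returns (os_name, percent). Stops as soon
    as a 100 percent match is seen; otherwise the best percentage after the
    whole list has been checked is returned."""
    best_os, best_pct = None, 0.0
    for os_name, signature in db.items():
        hits = sum(1 for attr, value in signature.items() if reply.get(attr) == value)
        pct = 100.0 * hits / len(signature)
        if pct == 100.0:
            return os_name, pct          # exact match: no need to keep searching
        if pct > best_pct:
            best_os, best_pct = os_name, pct
    return best_os, best_pct


def decide_os(results):
    """Final decision step. results is a list of (method, os_name, percent),
    one per identification method. Each vote is scaled by the method's trust
    weight and by its own match percentage; the OS with the largest total wins."""
    scores = {}
    for method, os_name, pct in results:
        if os_name is None:
            continue                     # method got no answer (filtered port etc.)
        scores[os_name] = scores.get(os_name, 0.0) + METHOD_WEIGHTS[method] * pct / 100.0
    if not scores:
        return None, 0.0
    winner = max(scores, key=scores.get)
    return winner, round(scores[winner], 3)


if __name__ == "__main__":
    # Samba host announcing itself as Windows over SMB while its stack looks like Linux
    votes = [("smb_netbios", "Windows XP SP2", 100.0),
             ("tcp_stack", "Linux 2.6", 90.0),
             ("icmp_stack", "Linux 2.6", 80.0)]
    print(decide_os(votes))              # ('Linux 2.6', 0.86)
```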

Sharing data between different applications (integration) helps. For example, in McAfee Foundstone 6.0, we’ve added the ability to query the McAfee ePolicy Orchestrator® for Microsoft Windows OS data. Since the ePolicy Orchestrator agent runs on the target system, with access to all the host OS data, the information returned by the agent is 100 percent correct. There’s nothing to get in the way of accurate data. With the ePolicy Orchestrator agent working for you, you can leverage a knowledge base and save a great deal of time. There’s no need to question your network scan results when your scanner talks to your agent-based management platform. And that means you fight fewer fires. Plus, you no longer have to spend time running full-network scans (typically done during off-hours to prevent bogging down the network and slowing down normal business activities). Finally, you can zero in on critical assets and focus on the critical vulnerabilities you need to remediate first.

Every time you patch, you run the risk of shutting down your network or disrupting business-critical applications. In emergency or business-critical situations, you may not even have time to patch. Because ePolicy Orchestrator informs Foundstone about whether the target has the protection that matches current vulnerabilities through our countermeasure-aware feature, you can reduce the level of urgency and patch only the most vulnerable systems—and do it on your schedule, not the vendor’s or hacker’s. Tighter integration between the management platform and security applications in the future will likely provide even better capabilities for gathering data from remote systems.

The importance of accurate vulnerability assessment and targeted remediation can’t be emphasized enough. Even federal government agencies like the Office of Management and Budget are requiring CIOs of all civilian agencies to use “best practice hardening guides” for securing and auditing all Microsoft Windows XP and Microsoft Vista operating systems. If the government is doing it, isn’t it time you looked into tools to help you get a leg up on the bad guys too?
