SecurePlus
Vulnerability Management Service (VMS)
SecurePlus - Vulnerability Management Service (VMS) delivers enterprise-level vulnerability management in flexible packages at a cost-effective price suitable for an organization of any size.
SecurePlus - VMS helps organizations gain an accurate view of their network, identify vulnerabilities, ensure regulatory compliance and prioritize remediation according to business risk and existing investments in infrastructure. It provides ease of deployment and scanning accuracy, and allows organizations to take action to mitigate risks and demonstrate compliance.
How SecurePlus - VMS Works
Provides subscription-based, on-demand security audits and vulnerability management. It allows ASPGulf to initiate scans, up to an unlimited number, either pre-scheduled or on-demand, from any web browser. As a managed service delivered over the web, SecurePlus - VMS requires no installation, set-up, hardware or software purchases or maintenance, in-house security expertise or special training. Depending on the customized flavor, it may provide unlimited scans or a pre-determined number of pre-scheduled scans, allowing network administrators to reassess vulnerabilities every time they add, remove or change a device.
As shown in the figure below, subscribers get all service components including:
- Discovery of all networked IP devices
- Analysis against the most recent vulnerabilities
- Browser-accessed summary (Optional)
- Remedies and workarounds
Description of VMS
- SecurePlus-VMS is a web-based, on-demand security auditing service that takes the attacker's point of view. It automatically but non-intrusively tests IP-based security infrastructure against all known vulnerabilities, using daily updates from CERT, network hardware manufacturers, software providers and other sources.
- It is a self-contained web-based service. Users do not need any new hardware, software, staff or special training to get the benefits.
- Subscribers of the service may customize their own "flavor" according to their requirements, including unlimited security audits 24x7 and automated scheduling capability.
- With the SecurePlus-VMS, ASPGulf security personnel can view the scan report from any browser, link to remedial recommendations and download patches and fixes.
- It automatically inventories and fingerprints every IP device on the network. It creates a visual map for spotting unauthorized hardware, poor system configurations and other potential attack points.
- The service provides automatic auditing of security quality for all network system elements. The audit service delivers results in a web-based report that ranks and prioritizes vulnerabilities by severity.
- For vulnerability management, SecurePlus-VMS also provides one-click links to tested remedies, to bulletins from software vendors for resolving exposures or to workarounds.
Duration of Service: 12-Months or 24-Months
- The suggested number of scans is 12 per year, or one scan per month. Unused scans after 12 months (or 24 months for a 2-year service contract) are lost and do not carry forward.
- In addition, a flexible service plan suited to each Client may be customized.
Evolving Technology and Coping with the Threats
- A "scan" is defined as a single scan of one host or IP.
- A "false positive" is a condition wherein the VMS found a suspected vulnerability, but in fact, the suspected vulnerability turns out to be non-existent or already patched or fixed.
- A false positive may occur, although very rarely.
- SecurePlus - VMS substantially reduces the likelihood of generating false positives for all vulnerability scans by developing consistent audits and continuous, automated QA testing of all signatures in its knowledge repository, the KnowledgeBase. Unlike other software-based solutions, the service architecture enables the R&D staff to automate quality testing and continuously update and enhance vulnerability signatures for accuracy and reliability. Any false positives reported by users are recorded and investigated immediately. Signatures are updated and automatically released to the scanners at the earliest opportunity.
- Although the scan process has been designed to operate as "non-intrusive", during the process the server may fail (i.e. hang or freeze), or the service may be degraded or become unavailable. This occurrence is rare but may happen. At times, the reason behind the server failure is not known.
- When a server fails during the scan process, ASPGulf shall restart the server or restore the service at the earliest opportunity possible and minimize the downtime or degradation on a best-efforts basis. The Client agrees not to hold ASPGulf liable or responsible for any material loss or damage, whether direct or indirect, resulting from the downtime, disruption or degradation of service.
Vulnerability Assessment Report
- At the end of each VMS exercise, the deliverable is the Scan Report.
- The Report may suggest any of the following remedial action(s):
  - Patch and bug fixes
  - Workaround procedures
  - A combination of the above
Patch and Bug Fixes
- These are known and tested permanent fixes, distributed by the software vendor, typically Microsoft for Windows system software components.
- Microsoft (or the software/application vendor) has established and determined solely on its own that these patches and fixes are designed to address the underlying root cause and provide a permanent functional solution.
Workaround Procedures
- These are temporary fixes which do not address the root cause but may provide temporary or partial relief until a permanent solution is found.
- Many of these workarounds are determined by experts and industry practitioners, whereas some are suggested by the software/application provider themselves. The appropriateness, applicability and risk factors are determined solely by these entities and do not involve ASPGulf. ASPGulf does not warrant or guarantee the effectiveness or safety of these workarounds.
- Workaround procedure(s) may carry some amount of risk that must be managed, and these procedures require the Client's prior assessment and/or approval together with the application provider. ASPGulf shall be absolved from any responsibility for performing workarounds that were approved by the Client.
- Because of their nature and varied scope of work, workaround procedures are treated on a case-by-case basis. A separate fee is applicable at the rate of US$ 50 per man-hour. The minimum fee is US$ 150.00 per incident.
- In the event the Client agrees to perform the workaround procedure(s) as a temporary fix to the vulnerability, but at a later date it is found that the vulnerability is a "false positive", the Client shall not hold ASPGulf responsible for any professional breach or misrepresentation. However, the minimum fee of US$ 150.00 to perform the workaround procedures shall apply and may not be refunded, especially after the workaround procedure has begun or been completed. Any amount paid in excess of the minimum US$ 150.00 shall, however, be refunded to the Client as a credit.
Web Based Application Running on Windows IIS (or other web server)
- Microsoft IIS is considered by most practitioners an application layer component, although Microsoft classifies it as system software.
- ASPGulf accepts both interpretations; however, any user-written code or script is strictly considered an application component. Hence, for example, a website is an application, or a component that runs at the application layer.
- The current SecurePlus - VMS service does not include scans at the application layer. Vulnerability assessment scans are currently limited to the system software layer.
- When a patch is recommended to be applied and this is available, ASPGulf shall apply the patch after consultations with the Client. This service is included in the VMS fee.
- If no patch is available from the software/application provider, the vulnerability is automatically reported to Microsoft (or the software/application provider) through the VMS application.
- ASPGulf shall not recommend the application of patches coming from sources other than the software/application provider itself. If the Client requests that such a patch be applied, ASPGulf may apply the patch provided that the Client absolves ASPGulf from any responsibility.
- It is entirely up to Microsoft (or the software/application vendor) as to when the patch will be made available.
- Any remedial action required at the application layer (or its components) shall be the ownership and responsibility of the Client.