ISS enhances risk-assessment tools

Internet Security Systems Inc. this week announced new versions of its vulnerability and risk-assessment tools and took the first step toward integrating the management of all three products.

The new versions of ISS' products—Internet Scanner 6.0, Database Scanner 3.0 and System Scanner 4.0—provide significant improvements in dealing with the growing number and variety of attacks to which systems are being exposed.

"There are a great number of toolkits out there, and more and more vulnerabilities are being exploited by tools that are available over the Internet," said Mike Lortz, manager of ISS' vulnerability management product line. "It's not just the hard-core hackers anymore."

Most of the changes have occurred in ISS' main product, Internet Scanner, which deals with network-based vulnerabilities.

Acknowledging that the exploits are coming out faster than ever, ISS announced the new X-Press Updates, which will push the latest vulnerability checks out to customers much the same way anti-virus vendors push out checks for new virus signatures. "We do expect to be able to respond within 24 hours to a vulnerability that we feel to be a great risk to users," Lortz said.

This quick response to new vulnerabilities will make a big difference for large and small organizations dealing with new attacks on both old and new systems every day, analysts said.

"The ability to get pushed-out, real-time updates...is really a key benefit to all levels of users," said Matthew Kovar, senior analyst with the Yankee Group consulting firm, Boston, Mass.

To protect against BackOrifice 2000 and other widely available hacking programs, ISS also announced more than 24 new checks for back-door programs that allow unauthorized access to a system without an administrator noticing. Such attacks might come over the Internet or an internal network.

The administration interface also has changed. As ISS' products have become more comprehensive, it has become easier for users to get confused, especially because not all system administrators are technical security experts anymore, Lortz said.

To overcome the complexity, ISS has changed its interface to a tree structure in which administrators can turn on or off a large group of vulnerability checks by choosing a parent group of options or choosing specific checks within each group.

The new versions of both Internet Scanner and System Scanner, which monitors client vulnerabilities, now enable administrators to extend ISS' basic detection capabilities to fit custom applications within an enterprise.

This can be important in the federal market because of the high number of government-developed or -modified applications that do not have the same exploits as commercial off-the-shelf products, Lortz said. "We can't anticipate what it looks like, what it does, and we certainly can't know the vulnerabilities," he said.

System Scanner also has been extended to scan more variations of Unix, Microsoft Corp.'s Windows NT, Linux and Novell Inc.'s Netware. It also now provides instant alerts to administrators for more serious vulnerabilities or incidents.

Database Scanner is the newest addition to the ISS line, acquired from DbSecure in November 1998. In addition to extending the types of databases the product can scan, ISS is taking the first step in its long-range risk-assessment platform plan by integrating some of the basic functions of Database Scanner with Internet Scanner.

Through this integration, administrators can set Internet Scanner so that when it discovers a database on a network, it will issue a prompt asking administrators whether they wish to automatically launch Database Scanner to initiate a scan.

The improvements included in the new versions of these products are not just cosmetic, analysts said."They've really thought about what would improve their products," said Diana Kelley, analyst at the Hurwitz Group, Boston, Mass. "They're definitely moving in the right direction."

In the future, analysts said, users can expect to see a lot more of this type of application-specific risk-assessment product. And the focus on improving these products individually, in addition to extending their interoperability with the main network-scanning product, will only improve enterprise security, Kelley said.

ISS products are available on the General Services Administration schedule through Patriot Technologies Inc. and on NASA's Scientific and Engineering Workstation Procurement II program through Unisys Corp.