System and method for enabling remote registry service security audits

US 8,302,198 B2
Filed: 01/28/2010
Issued: 10/30/2012
Est. Priority Date: 01/28/2010
Status: Active Grant

First Claim

Patent Images

1. A system for enabling remote registry service security audits, comprising:

a vulnerability management system that maintains a model of a network, wherein the model of the network includes a plurality of devices discovered in the network that have a remote registry service; and

an active vulnerability scanner that actively scans the network to detect one or more vulnerabilities in the network, wherein the active vulnerability scanner is configured to;

identify one or more of the plurality of devices discovered in the network that have disabled the remote registry service;

communicate one or more activation messages to the devices that have disabled the remote registry service, wherein the activation messages enable the remote registry service on the identified devices;

interact with the enabled remote registry service on the identified devices to obtain registry information from the identified devices; and

communicate one or more deactivation messages to the identified devices in response to obtaining the registry information from the identified devices, wherein the deactivation messages disable the remote registry service on the identified devices.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The system and method for enabling remote registry service security audits described herein may include scanning a network to construct a model or topology of the network. In particular, the model or topology of the network may include characteristics describing various devices in the network, which may be analyzed to determine whether a remote registry service has been enabled on the devices. For example, the security audits may include performing one or more credentialed policy scans to enable the remote registry service for certain devices that have disabled the remote registry service, auditing the devices in response to enabling the remote registry service, and then disabling the remote registry service on the devices. Thus, the system and method described herein may enable remotely scanning information contained in device registries during a security audit without exposing the device registries to malicious activity.

81 Citations

View as Search Results

20 Claims

1. A system for enabling remote registry service security audits, comprising:
- a vulnerability management system that maintains a model of a network, wherein the model of the network includes a plurality of devices discovered in the network that have a remote registry service; and
  
  an active vulnerability scanner that actively scans the network to detect one or more vulnerabilities in the network, wherein the active vulnerability scanner is configured to;
  
  identify one or more of the plurality of devices discovered in the network that have disabled the remote registry service;
  
  communicate one or more activation messages to the devices that have disabled the remote registry service, wherein the activation messages enable the remote registry service on the identified devices;
  
  interact with the enabled remote registry service on the identified devices to obtain registry information from the identified devices; and
  
  communicate one or more deactivation messages to the identified devices in response to obtaining the registry information from the identified devices, wherein the deactivation messages disable the remote registry service on the identified devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, further comprising a passive vulnerability scanner that observes traffic travelling across the network to detect unauthorized attempts to enable or disable the remote registry service on the identified devices.
  - 3. The system of claim 2, wherein the vulnerability management system is configured to:
    - aggregate information obtained from the active vulnerability scanner and the passive vulnerability scanner with a plurality of events contained in one or more logs that describe activity in the network;
      
      identify one or more the plurality of events contained in the logs describing activity that includes enabling or disabling the remote registry service on the identified devices; and
      
      discard the identified events from the aggregated information.
  - 4. The system of claim 1, wherein the activation messages enable the remote registry service on the identified devices in response to the active vulnerability scanner having one or more credentials that control whether the remote registry service can be modified on the identified devices.
  - 5. The system of claim 1, wherein the active vulnerability scanner is further configured to:
    - interrogate the identified devices to determine whether the remote registry service has been disabled on the identified devices; and
      
      identify a potential vulnerability in the network in response to determining that the remote registry service has not been disabled on one or more of the identified devices.
  - 6. The system of claim 1, wherein the active vulnerability scanner is further configured to identify a potential vulnerability in the network in response to determining that the active vulnerability scanner lost connectivity to the network prior to obtaining the registry information from the identified devices.
  - 7. The system of claim 1, wherein the active vulnerability scanner is further configured to identify a potential vulnerability in the network in response to determining that the active vulnerability scanner was manually terminated prior to obtaining the registry information from the identified devices.
  - 8. The system of claim 1, further comprising one or more tools that continuously scan the network to detect whether the remote registry service has been enabled on one or more of the devices in the network, wherein the vulnerability management system is configured to prevent the one or more tools from scanning the identified devices until the active vulnerability scanner has obtained the registry information from the identified devices.
  - 9. The system of claim 1, wherein the active vulnerability scanner is further configured to identify at least one of the devices that have disabled the remote registry service in response to determining that the at least one device runs an operating system having a default setting that disables the remote registry service.
  - 10. The system of claim 1, wherein the registry information obtained from the identified devices includes one or more of keys, values, file levels, patches, remote operating system versions, or system file locations described in registries associated with the identified devices.

11. A method for enabling remote registry service security audits, comprising:
- maintaining a model of a network in a vulnerability management system, wherein the model of the network includes a plurality of devices discovered in the network that have a remote registry service;
  
  identifying, by an active vulnerability scanner that actively scans the network, one or more of the plurality of devices discovered in the network that have disabled the remote registry service;
  
  communicating one or more activation messages from the active vulnerability scanner to the devices that have disabled the remote registry service, wherein the activation messages enable the remote registry service on the identified devices;
  
  interacting with the enabled remote registry service on the identified devices, wherein the active vulnerability scanner interacts with the enabled remote registry service on the identified devices to obtain registry information from the identified devices; and
  
  communicating one or more deactivation messages from the active vulnerability scanner to the identified devices in response to the active vulnerability scanner obtaining the registry information from the identified devices, wherein the deactivation messages disable the remote registry service on the identified devices.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, further comprising observing traffic travelling across the network, wherein a passive vulnerability scanner observes the traffic travelling across the network to detect unauthorized attempts to enable or disable the remote registry service on the identified devices.
  - 13. The method of claim 12, further comprising:
    - aggregating, at the vulnerability management system, information obtained from the active vulnerability scanner and the passive vulnerability scanner with a plurality of events contained in one or more logs that describe activity in the network;
      
      identifying, at the vulnerability management system, one or more the plurality of events contained in the logs describing activity that includes enabling or disabling the remote registry service on the identified devices; and
      
      discarding the identified events from the information aggregated at the vulnerability management system.
  - 14. The method of claim 11, wherein the activation messages enable the remote registry service on the identified devices in response to the active vulnerability scanner having one or more credentials that control whether the remote registry service can be modified on the identified devices.
  - 15. The method of claim 11, further comprising:
    - interrogating, by the active vulnerability scanner, the identified devices to determine whether the remote registry service has been disabled on the identified devices; and
      
      identifying a potential vulnerability in the network in response to the active vulnerability scanner determining that the remote registry service has not been disabled on one or more of the identified devices.
  - 16. The method of claim 11, further comprising identifying a potential vulnerability in the network in response to determining that the active vulnerability scanner lost connectivity to the network prior to obtaining the registry information from the identified devices.
  - 17. The method of claim 11, further comprising identifying a potential vulnerability in the network in response to determining that the active vulnerability scanner was manually terminated prior to obtaining the registry information from the identified devices.
  - 18. The method of claim 11, further comprising preventing one or more tools that continuously scan the network to detect whether the remote registry service has been enabled on one or more of the devices in the network from scanning the identified devices until the active vulnerability scanner has obtained the registry information from the identified devices.
  - 19. The method of claim 11, wherein the active vulnerability scanner identifies at least one of the devices that have disabled the remote registry service in response to determining that the at least one device runs an operating system having a default setting that disables the remote registry service.
  - 20. The method of claim 11, wherein the registry information obtained from the identified devices includes one or more of keys, values, file levels, patches, remote operating system versions, or system file locations described in registries associated with the identified devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tenable, Inc. (Tenable Holdings, Inc.)
Original Assignee
Tenable Network Security Incorporated (Tenable Holdings, Inc.)
Inventors
Deraison, Renaud
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
GOODCHILD, WILLIAM J

Application Number

US12/695,659
Publication Number

US 20110185431A1
Time in Patent Office

1,006 Days
Field of Search

None
US Class Current

726/25
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

H04L 63/1433 Vulnerability analysis

System and method for enabling remote registry service security audits

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

81 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for enabling remote registry service security audits

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

81 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links