A vulnerable system is a system with weaknesses that attackers can exploit to gain unauthorized access, steal data, or disrupt operations. In other words, it's a system susceptible to cyber-attacks. A system missing critical or security updates is an example of a vulnerable system.
Cybercriminals are constantly looking for new ways into our systems, so proactive measures such as antivirus software and firewalls are needed to prevent such attacks. A system that lacks these measures can also be considered a vulnerable system.
The manual method is to log in to the endpoint and check the firewall settings, antivirus software, installed patches, patching settings, etc. As the number of endpoints increases, this task becomes complicated. Management software makes it easier by automating the checks and alerting on the vulnerabilities found.
There are different endpoint weaknesses that can be easily seen with NinjaOne.
1. Finding patching weaknesses.
a) Finding endpoints with patching disabled. If patching is disabled on an endpoint, it will never be patched, a situation that needs to be corrected. Follow the next instructions to find such devices.
b) Finding endpoints with an old patch scan. The patch scan is a critical part of patching. If an endpoint is found not running the scan, it's a red flag that needs to be addressed. Follow the next instructions to find devices with a patch scan older than two weeks.
2. Finding antivirus software missing.
Normally, the antivirus software should be the same across the company. NinjaOne can detect this software, and it can equally detect when the software is missing. Follow the next steps for an example of how to do it.
Yes, using policies and conditions you can get alerts on vulnerabilities. There are multiple options; let's go through some examples.
1. Get alerts on Windows Firewall Service down.
NinjaOne provides a native template for the Windows Firewall Service down. Follow the next instructions to enable it in the policy of your preference.
a) Go to Administration then Policies, then Agent policies.
b) Click on your preferred policy. The policy editor will open.
c) Click Use Template.
d) Under Security, select Firewall Service Stopped. A message saying that the condition has been added will show up.
e) At this point you can keep adding other conditions or Close.
f) By default, this condition does not alert. Using the policy editor, you can change the severity, priority, alerting options, etc.
g) Click Save at the top right corner of the screen. Enter your MFA method answer, then close.
There are several other templates you can use to get notified of other Windows Firewall events, such as Windows Firewall settings changed, Windows Firewall Failed, and Changes made to Windows Firewall Exceptions. Use the ones that best fit your needs.
Similarly, there are specific templates that alert when a known antivirus service is down, such as Webroot, ESET, Windows Defender, Trend Micro, Kaspersky, Symantec, etc.
2. Get alerts on Windows Firewall disabled.
This is a different method for getting alerts: it uses a custom field and a PowerShell script to trigger a condition in a policy.
a) Set up a new Custom Field called FirewallStatus.
b) Write a script that pulls data from the endpoint and stores it in the custom field. We will use the Ninja-Property-Set command, which is NinjaOne's PowerShell command for setting a custom field to a specific value. The script will return the device's firewall status in the following format:
Domain True/False
Private True/False
Public True/False
c) Run the script at least once for all devices in the policy, which can easily be set up with a scheduled task or automation.
This automation will run the script at the designated time and fill in the custom field we created.
d) Add a policy condition that checks the FirewallStatus custom field. If the word “False” is present, one or more firewall profiles are disabled, and an alert should be triggered.
After these three steps, any device linked to this policy that has any Windows Firewall profile disabled will create an alert, according to the preferences you chose in the condition.
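The script from step b could look like the following. This is an added example, not NinjaOne's own script. It assumes the custom field's script-facing name is FirewallStatus, that the field accepts multi-line text, and that the script runs through the NinjaOne agent, where Ninja-Property-Set is available.

```powershell
# Added example: writes the Windows Firewall profile state into the
# FirewallStatus custom field so a policy condition can match on "False".
$FieldName = 'FirewallStatus'   # assumption: name of the custom field from step a

function Get-FirewallStatusText {
    # Returns one line per profile in the format "Domain True".
    try {
        # ActiveStore is the effective policy: local settings merged with
        # any Group Policy, which is what is actually enforced on the device.
        $profiles = Get-NetFirewallProfile -PolicyStore ActiveStore -ErrorAction Stop
        $lines = foreach ($p in ($profiles | Sort-Object Name)) {
            # Anything other than an explicit True is reported as False,
            # so an unexpected state alerts instead of passing silently.
            $enabled = "$($p.Enabled)" -eq 'True'
            '{0} {1}' -f $p.Name, $enabled
        }
        return ($lines -join "`n")
    }
    catch {
        # Design choice of this example: fail closed. If the state cannot be
        # read, write a value containing "False" so the condition fires
        # rather than leaving a stale "all True" value in the field.
        return "Unknown False ($($_.Exception.Message))"
    }
}

$status = Get-FirewallStatusText
Write-Output $status            # visible in the script's activity output

if (Get-Command -Name 'Ninja-Property-Set' -ErrorAction SilentlyContinue) {
    Ninja-Property-Set $FieldName $status
}
else {
    # Running outside the agent context: nothing was stored, so signal failure.
    Write-Warning 'Ninja-Property-Set not found; run this script through the NinjaOne agent.'
    exit 1
}
```

Because the field is only as fresh as the last run, the schedule chosen in step c sets how long a disabled profile can go unnoticed.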
More on CVEs
View Vulnerable Systems is a screen that shows an overview of systems that are considered vulnerable, due to some known weaknesses.
A vulnerable system means that the system has some weaknesses that make it prone to cyber-attacks.
Vulnerability patching is sometimes used to describe the action taken to solve a known vulnerability. Known vulnerabilities are documented as CVEs (Common Vulnerabilities and Exposures).