Vulnerability Management

Presentation on theme: "Vulnerability Management"— Presentation transcript:

1 Vulnerability Management
Building an Effective Vulnerability Management Program for the Enterprise

2 ...but if a hat and boots aren't enough, it may be time for an effective Vulnerability Management Program.

3 Fill the Bubble Contest
Submissions will be judged by your presenter. Winner receives a $15 Starbucks gift card.

4 Welcome and introduction
Your Speaker - Patrick McCrann, Information Security Director – Aetna
In IT since 1993, InfoSec since 2004
Earned CISSP in 2007
Ohio native, Cleveland sports fan
13 years' experience coaching youth sports
Worked in the retail, financial and health care fields
Diverse set of InfoSec skills
Implemented Vulnerability Management Programs for New York Community Bank and HDMS

5 IT Hygiene Consists of:
Asset Management Configuration Management Vulnerability Management

6 50% of vulnerabilities exploited occur within 2-4 weeks of release of an update
90% of vulnerabilities exploited occur by days of software release
The average enterprise can take up to 120 days to deploy vendor updates

7 Session Definitions
Vulnerability Assessment: The act of gathering information regarding vulnerabilities on hosts within your network, often using scanning tools. It can also include penetration testing.
Vulnerability Scanner: As its name implies, scans your network or a system (such as a computer, server or router) and identifies and reports back on open ports, active Internet Protocol (IP) addresses and log-ons, as well as the operating systems, software and services that are installed and running.
Vulnerability Management: A business process that includes the following key components:
Discovery
Identification (Asset Management)
Classification
Reporting
Decision / Decision Record
Remediation / Mitigation

8 Does this reflect your current Infosec Program definitions? Let's hope not.

9 Vulnerability Management 101
A business process that includes:
Identifying vulnerabilities
Promoting patching / hardening / fixing the issues
A decision process regarding the remediation activities: fix it, risk-accept it, or transfer the risk
An auditable decision record
A process for validation and for periodic review, including "no action" where risk is accepted
The decision process should include all stakeholders (infrastructure, network engineering, InfoSec, DBAs, business lines, etc.)

10 Vulnerability Management cycle
Discover Analyze Prioritize Remediate Validate Report Repeat

11 Drawbacks of Vulnerability Scanners
Snapshot only: A vulnerability scanner can only assess a "snapshot in time" of a system's or network's security status. Scanning therefore needs to be conducted regularly, because new vulnerabilities emerge and configuration changes can introduce new security holes.
Human judgement is needed: Vulnerability scanners can only report vulnerabilities according to the plug-ins installed in the scan database. They cannot tell you whether a result is a false positive, or whether something was missed (a false negative). Human judgement is always needed when analyzing the data after the scan.
Known vulnerabilities only: A vulnerability scanner is designed to discover known vulnerabilities. It cannot identify other security threats, such as those related to physical, operational or procedural issues.

12 Who to Choose?

13 What features are important to you?
Flexibility and integration:
Role-based access
Centralized dashboards
Frequency and method of plug-in updates
Integration with Metasploit, SIEM, GRC, NMS, etc.
Integration with enterprise asset management tools
Vulnerability assessment:
Asset discovery
Database vulnerability detection (DB2, MySQL, Oracle, etc.)
Rule-based remediation prioritization
Patch management
Support for mobile assets
Support for cloud assets
Support for virtualized assets
Asset tagging
Rogue asset discovery
Asset profiling (e.g. IP, OS, ports, etc.)
Risk analysis / real risk score
Application security testing (e.g. OWASP Top 10, CWE Top 25)

14 What features are important to you?
Compliance and reporting:
Supports COBIT, PCI, HIPAA standards
Configuration benchmarking (CIS, SCAP, OVAL standards)
Asset/functionality-based reports
Allows customized reports
Trend analysis
Remediation reporting
Deployment options:
Software
Cloud-based
Appliance

15 Types of Vulnerability Scanners
1. Port scanners - Determine the list of open network ports on remote systems.
2. Network-based scanners - Installed on a single machine that scans a number of other hosts on the network.
3. Web application scanners - Assess the security of web applications (for example, cross-site scripting and SQL injection) running on web servers. The two analysis approaches are static (SAST, examining the application's source code) and dynamic (DAST, probing the running application over HTTP); a black-box web application scanner is the dynamic kind.
4. Host-based scanners - Installed on the host to be scanned, with direct access to low-level data such as the specific services and configuration details of the host's operating system.
5. Database scanners - Perform detailed security analysis of the authorization, authentication and integrity of database systems, and can identify potential security exposures such as weak passwords and security misconfigurations.

16 OSI Model What tool should I use?

17 Common Vulnerability Management Program Problems
Going scan-crazy without a workflow to remediate
Generating a report but doing nothing with the results
Not organizing the report so that stakeholders can understand it
Generating false positives and losing credibility (for example, flagging patches that a superseding patch already fixed)
No accountability, or no security team to support the efforts
Data overload
Not having a way to track progress

18 Scanning tips to make your life easier
CVSS is great, but it's only part of the picture - The Common Vulnerability Scoring System (CVSS) is table stakes these days when examining vulnerability scan results and provides a score from 0.0 to 10.0, 10.0 being the most critical. You should also include a risk rating for your devices in the risk classification score. A machine in the DMZ, or the server that houses your OLTP database, with a CVSS 5 vulnerability should be considered riskier than a print server on your internal network with a CVSS 8 vulnerability.
Authenticated scans are your friend - One of the common complaints about vulnerability scan results is false positives. While not foolproof, running authenticated scans goes a long way toward removing false positives and has the added benefit, in many cases, of reporting the exact version of what's running on the device.
Don't dump-and-run - "Here's your 300-page PDF with a laundry list of every vulnerability known to man!" You need to make scan results consumable and actionable for those responsible for remediation.
You can actually prioritize, rather than just analyze - Security teams spend tons of time putting together Excel spreadsheets and swimming through countless rows of data. By the time you make headway on the top findings, another wave hits you in the next scan cycle. What you need to do is prioritize the data in front of you immediately.
Avoid load balancer and firewall gotchas - Many load balancers and firewalls have virtual IPs or NAT'd IPs. Know your network and map it out. Also, many firewalls will answer for every IP in a certain range, making all of those IPs look live.
Use DNS to your favor - Many devices on your network are entered into your internal DNS. Once you identify a device that does not have a DNS name, name it using your DNS infrastructure so that you can immediately identify it the next time around. Use a standard naming convention and document it.

19 What is the CVSS Score? The CVSS score is computed from base metrics that reflect the severity of a vulnerability (how easily it can be exploited and how much impact a successful exploit has), independent of where the affected system sits in your network. CVSS rates all vulnerabilities on a scale of 0.0 to 10.0, with 10.0 representing the greatest severity. For PCI DSS external (ASV) scans, any vulnerability with a CVSS base score of 4.0 or higher is a failing finding.

20 More About The Common Vulnerability Scoring System (CVSS)
- Provides an easy-to-use web interface to CVE vulnerability data. You can browse vendors, products and versions and view the CVE entries related to them, and view statistics about vendors, products and product versions.

21 Top 25 vendors by total number of vulnerabilities

22 PCI, CVSS and Risk scoring
Most scanners calculate risk scores for every asset and vulnerability they find during a scan. The scores indicate the potential danger the vulnerability poses to network and business security, based on impact and likelihood of exploit. Two risk-scoring models are typically available:
Temporal model - Emphasizes the length of time the vulnerability has been known to exist, as well as the nature of the risk. Older vulnerabilities are easier to exploit because attackers have known about them for a longer period of time.
Weighted model - Based primarily on asset data and vulnerability types. Weighted risk scores scale with the number of vulnerabilities: more vulnerabilities on an asset means a higher risk score. The score is expressed in lower, usually single-digit, numbers with decimals.

23 Open Vulnerability and Assessment Language (OVAL)
- Provides a unified, easy-to-use web interface to all IT-security-related items, including patches, vulnerabilities and compliance checklists. It allows you to view the exact details of OVAL definitions and see exactly what you should check to verify a vulnerability.


25 Vulnerability remediation SLA’s
Not only should you take the CVSS score into account when determining remediation urgency, you should also classify your assets into risk levels. Critical vulnerabilities that are presently being exploited should be patched immediately.
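Slides 18, 22 and 25 all make the same point: CVSS alone does not tell you what to fix first. The following is an added example, written for this page rather than taken from the presentation or any scanner product, that turns those ideas into one worklist: CVSS is multiplied by an asset risk weight, bumped for Internet exposure and public exploit availability, aged with a temporal factor, bucketed into a priority, and given an SLA due date. The weights, bucket thresholds, SLA day counts, asset names and the placeholder vulnerability ids are all assumptions chosen for illustration.

```python
"""Added example (not from the presentation): rank scan findings by risk, not by
CVSS alone, and derive a remediation due date from an SLA matrix. The weights,
SLA days and sample assets/findings are assumptions chosen for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed multipliers for the asset's risk classification (slide 18).
ASSET_RISK_WEIGHT = {"critical": 3.0, "high": 2.0, "medium": 1.0, "low": 0.5}
# Assumed remediation SLA in days per priority bucket (slide 25).
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}


@dataclass(frozen=True)
class Asset:
    name: str
    risk_level: str        # from asset classification: critical/high/medium/low
    internet_facing: bool  # DMZ or otherwise reachable from the Internet


@dataclass(frozen=True)
class Finding:
    asset: Asset
    vuln_id: str
    cvss: float            # CVSS base score, 0.0 to 10.0
    first_seen: date       # first scan cycle that reported it
    exploit_public: bool = False      # e.g. a public exploit or module exists
    actively_exploited: bool = False  # known to be exploited in the wild


def temporal_factor(first_seen, today):
    """Temporal model (slide 22): a finding that has been open longer is easier to
    exploit. Assumed curve: +10% per 30 days open, capped at +50%."""
    age_days = (today - first_seen).days
    return 1.0 + min((age_days // 30) * 0.1, 0.5)


def risk_score(f, today):
    """CVSS x asset weight, then exposure, exploit availability and age."""
    score = f.cvss * ASSET_RISK_WEIGHT[f.asset.risk_level]
    if f.asset.internet_facing:
        score *= 1.5
    if f.exploit_public:
        score *= 1.25
    return round(score * temporal_factor(f.first_seen, today), 1)


def priority_bucket(f, score):
    """Anything being exploited right now is P1 regardless of score."""
    if f.actively_exploited or score >= 30:
        return "P1"
    if score >= 15:
        return "P2"
    if score >= 6:
        return "P3"
    return "P4"


def prioritize(findings, today):
    """Return findings as a worklist sorted by risk score, with SLA due dates."""
    rows = []
    for f in findings:
        score = risk_score(f, today)
        bucket = priority_bucket(f, score)
        # "Patch immediately" if actively exploited; otherwise the SLA clock
        # starts at the first sighting, not at the date someone reads the report.
        due = today if f.actively_exploited else f.first_seen + timedelta(days=SLA_DAYS[bucket])
        rows.append({"asset": f.asset.name, "vuln": f.vuln_id, "cvss": f.cvss,
                     "score": score, "priority": bucket, "due": due,
                     "overdue": today > due})
    rows.sort(key=lambda r: (-r["score"], r["due"]))
    return rows


# Constructed sample data; the vulnerability ids are placeholders, not real CVEs.
TODAY = date(2019, 3, 1)
SAMPLE_FINDINGS = [
    # Slide 18's comparison: CVSS 5 on the DMZ OLTP database server ...
    Finding(Asset("dmz-oltp-db01", "critical", True), "vuln-0001", 5.0, date(2019, 2, 20)),
    # ... versus CVSS 8 on an internal print server.
    Finding(Asset("prn-floor2", "low", False), "vuln-0002", 8.0, date(2019, 2, 20)),
    # Internet-facing VPN gateway, exploited in the wild, open for five months.
    Finding(Asset("vpn-gw01", "high", True), "vuln-0003", 7.5, date(2018, 10, 1),
            exploit_public=True, actively_exploited=True),
    # Internal app server with a public exploit, already past its SLA.
    Finding(Asset("app-int01", "medium", False), "vuln-0004", 9.8, date(2018, 11, 15),
            exploit_public=True),
]


def sample_worklist():
    return prioritize(SAMPLE_FINDINGS, TODAY)


if __name__ == "__main__":
    for r in sample_worklist():
        print(f"{r['priority']} {r['score']:5.1f} {r['asset']:15} {r['vuln']} due {r['due']}"
              f"{' OVERDUE' if r['overdue'] else ''}")
```

Run as-is, the worklist puts the CVSS 5 DMZ database finding ahead of the CVSS 8 print server finding, as slide 18 argues it should, and the actively exploited VPN finding lands in P1 with a due date of today. The due date is derived from first_seen, so a finding that has been carried across several scan cycles shows up as overdue instead of silently restarting its clock; that is the "track progress" piece from slide 17.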

26 Exploit DB - The Exploit Database is a CVE-compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. It is a repository of freely available exploits and proofs-of-concept rather than advisories.

27 Metasploit - The world’s most used penetration testing framework. A collaboration between the open source community and Rapid7, Metasploit helps security teams do more than just verify vulnerabilities, manage security assessments, and improve security awareness; it empowers and arms defenders to always stay one step (or two) ahead of the game.

28 Designing/planning your Scan
Some important things to consider

29 Discovery
A successful Vulnerability Management Program aids in the discovery of:
All assets
Missing patches
Misconfigured systems
Vulnerabilities in applications or services
Open ports or unknown services running
Poorly coded applications
Rogue devices
Remediations that aren't meeting their patch urgency

30 Discovery – identify all Assets on your network
Find out what you have: The first step in checking for vulnerabilities is to make sure you are checking all the assets in your organization. You can find basic information about the assets in your organization by conducting a discovery scan; most products include a built-in scan template for a discovery scan.
You might not be aware of every asset on your network. New assets are frequently added. You can conduct discovery scans to find and learn more about those assets, in preparation for developing an ongoing scanning program.
I recommend initially checking the entire RFC 1918 private IPv4 address space (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) as well as all of the public IP addresses owned or controlled by the organization. Doing so will help you find the largest possible number of hosts.
Scanning so many assets could take some time. To estimate how long the scans will take, you may need to do some calculations to determine how long a full RFC 1918 scan may take. In addition, a discovery scan can set off alerts through your system administration or antivirus programs; you may want to advise users before scanning... CYA!

31 Discovery – identify all Assets on your network
How a discovery scan should work - four distinct phases:
Ping scan - Determines whether hosts are online.
Port scan - Identifies which ports are open and what services are available on those ports.
OS and version detection - The scanner sends a variety of probes to open ports and attempts to guess service versions and operating systems based on how the system responds.
Data import - The scanner collects the data and enters the devices found into its database as assets, including the information gathered above.
Suggestion - Perform an RFC 1918 scan (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) of your entire network to ensure you get all devices attached to it.

32 Do the math: to determine how much time a discovery scan may take
Time calculation notes:
Scanning all TCP ports (1-65,535) may take a lot of time.
Set the fastest port scan speed allowed, for example:
Insane (5) - Speeds up the scan. Assumes that you are on a fast network and sacrifices accuracy for speed. The scan delay is less than 5 ms.
Aggressive (4) - Speeds up the scan. Assumes that you are on a fast and reliable network. The scan delay is less than 10 ms.
Normal (3) - The default port scan speed; does not affect the scan.
Polite (2) - Uses less bandwidth and fewer target resources to slow the scan.
Sneaky (1) - The speed used for IDS evasion.
Paranoid (0) - The slowest speed, also used for IDS evasion.
To cover a large number of systems in a relatively small amount of time, you must greatly cut back on the time spent per system. This starts with deciding which ports are the most important to look for. Should you port scan all 65,535 ports?
Use the discovery scan as an asset inventory list and compare previous lists with the current list to discover new devices on your network. Some scanners have this built in via reporting.
Use extra scanners or scan engines to speed up your scans. You can never have enough scan engines.
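Slides 31 and 32 describe the four discovery phases and then suggest treating each discovery scan as an inventory to diff against the previous one. The following is an added example, written for this page and not part of the presentation or any scanner product, that does both: it parses a scan result in nmap's XML output format into asset records (hosts that answered, their open ports with service/version guesses, OS match and DNS name) and diffs them against last cycle's inventory to surface new hosts, vanished hosts, newly opened ports and hosts with no DNS name (the slide 18 tip). The XML document, the previous inventory, and all host names and addresses are constructed sample data.

```python
"""Added example: turn a discovery-scan result into an asset inventory and diff it
against the previous cycle's inventory (slides 31 and 32). Illustrative code for
this page, not from the presentation or a scanner product. The scan result is a
constructed document in nmap's XML format, not a real scan."""
import xml.etree.ElementTree as ET

# Constructed sample: one named Linux host, one unnamed embedded device, one host down.
CURRENT_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="10.0.1.5" addrtype="ipv4"/>
    <hostnames><hostname name="db01.corp.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.7.26"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
    </ports>
    <os><osmatch name="Linux 3.X" accuracy="95"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.1.77" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="lighttpd"/></port>
    </ports>
    <os><osmatch name="embedded" accuracy="80"/></os>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.1.9" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed: what last cycle's discovery scan recorded (the "previous list").
PREVIOUS_INVENTORY = {
    "10.0.1.5": {"ip": "10.0.1.5", "hostname": "db01.corp.example",
                 "os": "Linux 3.X", "ports": {"tcp/22": "ssh OpenSSH 7.4"}},
    "10.0.1.9": {"ip": "10.0.1.9", "hostname": "jump01.corp.example",
                 "os": "Linux 3.X", "ports": {"tcp/22": "ssh OpenSSH 7.4"}},
}


def parse_nmap_xml(xml_text):
    """Return {ip: asset} for every host reported up, keeping only open ports."""
    assets = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # phase 1 (ping scan): skip hosts that did not answer
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = {}
        for port in host.findall("ports/port"):  # phase 2: open ports only
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")  # phase 3: service/version guess
            banner = ""
            if svc is not None:
                banner = " ".join(v for v in (svc.get("name"), svc.get("product"),
                                              svc.get("version")) if v)
            ports[f"{port.get('protocol')}/{port.get('portid')}"] = banner
        hostname = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")
        ip = addr.get("addr")
        assets[ip] = {  # phase 4: the record that goes into the asset database
            "ip": ip,
            "hostname": hostname.get("name") if hostname is not None else None,
            "os": osmatch.get("name") if osmatch is not None else None,
            "ports": ports,
        }
    return assets


def diff_inventory(previous, current):
    """New hosts are rogue-device candidates; hosts that vanished need an owner to
    confirm decommissioning; new open ports need a look; unnamed hosts should be
    given a DNS name before the next cycle."""
    prev_ips, cur_ips = set(previous), set(current)
    new_ports = {}
    for ip in prev_ips & cur_ips:
        added = sorted(set(current[ip]["ports"]) - set(previous[ip]["ports"]))
        if added:
            new_ports[ip] = added
    return {
        "new_hosts": sorted(cur_ips - prev_ips),
        "gone_hosts": sorted(prev_ips - cur_ips),
        "new_ports": new_ports,
        "unnamed_hosts": sorted(ip for ip, a in current.items() if not a["hostname"]),
    }


def discovery_report():
    return diff_inventory(PREVIOUS_INVENTORY, parse_nmap_xml(CURRENT_SCAN_XML))


if __name__ == "__main__":
    for key, value in discovery_report().items():
        print(f"{key}: {value}")
```

On the sample data the report flags 10.0.1.77 as both a new host and an unnamed one, 10.0.1.9 as gone, and a newly listening tcp/3306 on the database host. A host that only appears "down" is deliberately left out of the current inventory rather than recorded as an asset, because a non-answering address tells you nothing about what is there; that is exactly the firewall gotcha from slide 18 in reverse.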

33 Typical Large Scale discovery config (nessus)
Explanation of settings: It is important to learn what each checkbox will do to your scan. For example:

34 What devices can I expect to find on my Network?
Servers, Workstations, Routers, Switches, Load Balancers, Firewalls, ESX Hosts, Door Readers, KVMs, UPS/APC, VDI, Cameras, HVAC Control Devices, IP Phones, Printers, Blade Chassis, iLOs, Web Servers, Scanners, Wireless Access Points, VPN Concentrators, Storage Devices, Tape Backup Systems, Modems, Fax Machines, Media Devices, Appliances, Mobile Devices, Pwnie Express Devices, IoT Devices, Amazon Echos, Google Home Devices, Thermostats, Smart Locks, Smart Bulbs, Coffee Makers

35 Organize your assets What are Asset Groups
An asset group is a logical collection of assets to which specified users have access in order to view data about these assets. These users are typically in charge of monitoring these assets and reporting or remediating any vulnerabilities that the scanner discovers on them.
An example: you can have more technical asset groups for different members of your security team who are responsible for remediating vulnerabilities on specific types of assets, such as databases, workstations or web servers.
There are dynamic and static asset groups. A dynamic asset group contains scanned assets that meet a specific set of search criteria; you define these criteria with asset search filters, so membership changes as scan data changes. A static asset group contains assets that meet a set of criteria you define according to your organization's needs; unlike a dynamic asset group, the list of assets in a static group does not change unless you alter it manually.

36 Organize your assets Asset Tagging
Asset tagging provides a flexible and scalable way to automatically discover and organize the assets in your environment.
Applying real context with asset tags: when tracking assets in your organization, you may want to identify, group and report on them according to how they impact your business. An example would be to tag all Windows servers that deal with OLTP as "OLTP Servers". You may then create a dynamic asset group that automatically adds all devices tagged "OLTP Servers" to the asset group. Asset tags can also be applied dynamically based on filters you set, and tagged assets can be pulled into asset groups automatically by a filter within the asset group that matches the custom tag.
Types of tags: you can tag and track assets according to their geographic or physical location, you can associate assets with owners, and you can apply levels of criticality to assets to indicate their importance to your business.

37 Organize your assets What is a Site
A site is a physical group of assets assembled for a scan by a specific, dedicated scan engine. The grouping principle may be something meaningful to you, such as a common geographic location or a range of IP addresses, or you may organize a site for a specific type of scan using a specific scan template.
The difference between a site and an asset group: an asset group is a logical collection of assets to which specified users have access in order to view data about those assets (typically the people monitoring and remediating them), whereas a site defines what gets scanned, by which engine and with which template.

38 Preparing for your First Vulnerability Scan
In order to scan a site you need to create the site and assign assets to it. You may add the following to a site:
An individual IP address or an IP range
A hostname
An asset group
An API connection (for example, to a virtualization platform, to pull in its VMs)
You may also exclude assets based on all of the same criteria.

39 Set your authentication
Scanning with credentials allows you to gather information about your assets that you could not otherwise access. You can inspect assets for a wider range of vulnerabilities or security policy violations. Additionally, authenticated scans can check for installed software applications and packages and verify patches. Because scan credentials are highly privileged and stored in the scanner, keep them in a dedicated scan account that is monitored and restricted to logons from the scan engines' addresses.
When scanning Windows assets, use domain or local administrator accounts in order to get the most accurate assessment. Ports 135, 139 and 445 must be reachable from the scanner.
For scanning Unix/Linux, it is possible to check most vulnerabilities without root access. You will need root access for a few vulnerability checks and for many policy checks. Most scanners are able to perform credentialed scans on assets that authenticate users with SSH public keys.
Scanning web applications at a granular level of detail is especially important. There are two authentication methods available for web applications:
Web site form authentication - Many web applications challenge users to log on with forms; the scanner submits the form with the credentials you supply.
Web site session authentication - The scan engine sends the target web server an authentication request that includes an HTTP header, usually the session cookie header, captured from the logon page.

40 Scan Templates
A scan template allows you to customize scans according to what your target devices may be for that assessment. A scan template involves:
Choosing a built-in template or creating your own
Discovery or vulnerability scan?
Choosing TCP and/or UDP
Whether to complete the TCP three-way handshake (a full connect scan) or not (a SYN scan)
Choosing a subset of ports or all 65,535
Throttling connections per second
Whether you want safe checks only
Performing password checks
Scanning for all vulnerabilities in the scanner's database or a subset
Whether to perform an authenticated scan
Include web spidering?

41 Built-in scan template examples
Discovery scan - Locates live assets on the network and identifies their host names and operating systems. This template does not include enumeration, policy or vulnerability checks.
Full audit without Web Spider - This full network audit uses only safe checks, including network-based vulnerabilities, patch/hotfix checking and application-layer auditing. The system scans only default ports and disables policy checking, which makes scans faster than with the Exhaustive template. It also does not include the web spider.
Full audit (use this template to run a thorough scan) - This full network audit of all systems uses only safe checks, including network-based vulnerabilities, patch/hotfix checking and application-layer auditing. The system scans only default ports and disables policy checking.
Exhaustive - This thorough network scan of all systems and services uses only safe checks, including patch/hotfix inspections, policy compliance assessments and application-layer auditing. This scan could take several hours, or even days, to complete, depending on the number of target assets.
Penetration test - This in-depth scan of all systems uses only safe checks. Host-discovery and network penetration features allow the system to dynamically detect assets that might not otherwise be detected. This template does not include in-depth patch/hotfix checking, policy compliance checking or application-layer auditing.

42 Built-in scan template benchmark examples
CIS - Incorporates the Policy Manager scanning feature for verifying compliance with Center for Internet Security (CIS) benchmarks. The scan runs application-layer audits.
DISA - Performs Defense Information Systems Agency (DISA) policy compliance tests with application-layer auditing on supported DISA-benchmarked systems.
HIPAA Compliance - Uses safe checks in an audit of compliance with the HIPAA "Technical Safeguards" section. Use this template to scan assets in a HIPAA-regulated environment as part of a HIPAA compliance program.
PCI Internal Audit - Intended for discovering vulnerabilities in accordance with the Payment Card Industry (PCI) Data Security Standard (DSS) requirements, for your organization's internal scans for PCI compliance purposes.

43 Scan Schedule Frequency depends on:
Regulatory requirements that your business has to adhere to
Number of devices and locations within your organization
How often you have code releases/updates
Human resources available to manage the scans, organize the reports and remediate the findings based on the urgency requirements defined in your policies. All of this has to be completed before you start the cycle again.
There are benefits to aligning scan schedules in a monthly rotation, hitting all devices within the 30-day period, which is in line with vendor patch update cadences.
The minimum recommended scan cycle is quarterly.

44 Creating Reports Reports that are too large and unorganized will be ignored

45 Pitfalls in reporting Approved Exceptions
Approved exceptions - How to prevent the same vulnerability from appearing on next month's report once the risk has been formally accepted.
Superseded patches - It irritates the person responsible for patching to keep seeing the same vulnerability every month for patches that were already fixed by a superseding patch.
Duplicate records - Multiple IPs on one device/asset. A switch, for example, may have many IPs associated with it but it is only one device; each vulnerability would be multiplied by the number of IPs on that device.
No fix - Some vulnerabilities have no fix/patch.
False positives - False positives, such as misreported Java versions, occur all the time. You don't want to record them as approved exceptions.

46 Report tips
Assign all assets to owners, either by department or by group; for example, Windows desktops are assigned to the desktop team.
Track remediation efforts through the scanner's internal ticketing system if possible (it is easier to organize approved exceptions, superseded patches and duplicate records).
Many ways to organize your report:
By asset owner
By vulnerability
By department
By location
By risk ranking/rating
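Slides 45 and 46 list what has to happen to raw scanner output before it becomes a report anyone will act on. The following is an added example, written for this page and not taken from the presentation, Aetna's QAE or any scanner product, that applies those rules in one pass: rows for the same vulnerability on several IPs of one device are collapsed, findings for patches that an installed superseding patch already fixed are dropped, approved exceptions suppress a finding only until their expiry date, confirmed false positives are kept on their own list, "no fix" findings are flagged for mitigation, and what remains is grouped by asset owner with a count of everything suppressed and why. The IP-to-asset map, owners, patch supersession chain, exception register and all vulnerability/patch identifiers are constructed placeholders.

```python
"""Added example (not from the presentation): rationalize raw scanner output before
it reaches the report, covering the slide 45 pitfalls: duplicate records from
multi-IP devices, superseded patches, approved exceptions (with expiry), confirmed
false positives and findings with no fix. All data below is constructed."""
from collections import defaultdict
from datetime import date

# Asset identity: several IPs collapse to one device (a core switch has three).
IP_TO_ASSET = {
    "10.0.2.1": "core-sw01", "10.0.2.2": "core-sw01", "10.0.2.3": "core-sw01",
    "10.0.3.10": "win-fs01", "10.0.3.11": "win-ws042", "10.0.4.5": "lnx-app01",
}
ASSET_OWNER = {"core-sw01": "network-eng", "win-fs01": "windows-server",
               "win-ws042": "desktop", "lnx-app01": "unix"}
# patch -> the later patch that supersedes it (placeholder ids, not real KB numbers).
SUPERSEDED_BY = {"patch-1001": "patch-1042", "patch-1042": "patch-1090"}
INSTALLED_PATCHES = {"win-fs01": {"patch-1090"}, "win-ws042": {"patch-1042"}}
# Approved exceptions carry an expiry so "no action" gets re-reviewed (slide 9).
APPROVED_EXCEPTIONS = {("core-sw01", "ssh-weak-ciphers"): date(2019, 6, 30),
                       ("lnx-app01", "legacy-tls"): date(2018, 12, 31)}
# Confirmed false positives are tracked separately, never as exceptions.
CONFIRMED_FALSE_POSITIVES = {("lnx-app01", "java-old-version")}

# Raw export: one row per IP per vulnerability, as the scanner produces it.
RAW_FINDINGS = [
    {"ip": "10.0.2.1", "vuln": "ssh-weak-ciphers", "cvss": 5.3},
    {"ip": "10.0.2.2", "vuln": "ssh-weak-ciphers", "cvss": 5.3},
    {"ip": "10.0.2.3", "vuln": "ssh-weak-ciphers", "cvss": 5.3},
    {"ip": "10.0.2.1", "vuln": "snmp-default-community", "cvss": 7.5},
    {"ip": "10.0.2.2", "vuln": "snmp-default-community", "cvss": 7.5},
    {"ip": "10.0.3.10", "vuln": "missing-patch-1001", "cvss": 8.8, "patch": "patch-1001"},
    {"ip": "10.0.3.11", "vuln": "missing-patch-1001", "cvss": 8.8, "patch": "patch-1001"},
    {"ip": "10.0.3.11", "vuln": "missing-patch-1090", "cvss": 7.2, "patch": "patch-1090"},
    {"ip": "10.0.4.5", "vuln": "legacy-tls", "cvss": 5.9},
    {"ip": "10.0.4.5", "vuln": "java-old-version", "cvss": 9.0},
    {"ip": "10.0.4.5", "vuln": "weak-cipher-no-vendor-fix", "cvss": 6.5, "fix_available": False},
]
TODAY = date(2019, 3, 1)


def patch_is_superseded(asset, patch):
    """True if any patch later in the supersession chain is already installed."""
    installed = INSTALLED_PATCHES.get(asset, set())
    newer = SUPERSEDED_BY.get(patch)
    while newer is not None:
        if newer in installed:
            return True
        newer = SUPERSEDED_BY.get(newer)
    return False


def rationalize(raw_findings, today):
    """Collapse, suppress and group raw findings; return open items per owner
    plus a count of what was suppressed and why (for the audit trail)."""
    suppressed = defaultdict(int)
    merged = {}  # (asset, vuln) -> one finding carrying all of its IPs
    for row in raw_findings:
        asset = IP_TO_ASSET.get(row["ip"], row["ip"])  # unknown IP stays its own asset
        key = (asset, row["vuln"])
        if key in merged:
            merged[key]["ips"].append(row["ip"])
            suppressed["duplicate"] += 1
            continue
        merged[key] = {"asset": asset, "vuln": row["vuln"], "cvss": row["cvss"],
                       "ips": [row["ip"]], "patch": row.get("patch"),
                       "fix_available": row.get("fix_available", True), "notes": []}

    open_by_owner = defaultdict(list)
    for (asset, vuln), f in merged.items():
        if (asset, vuln) in CONFIRMED_FALSE_POSITIVES:
            suppressed["false_positive"] += 1
            continue
        if f["patch"] and patch_is_superseded(asset, f["patch"]):
            suppressed["superseded"] += 1
            continue
        expiry = APPROVED_EXCEPTIONS.get((asset, vuln))
        if expiry is not None:
            if expiry >= today:
                suppressed["exception"] += 1
                continue
            f["notes"].append(f"exception expired {expiry.isoformat()}, re-review")
        if not f["fix_available"]:
            f["notes"].append("no vendor fix: mitigate or risk-accept")
        open_by_owner[ASSET_OWNER.get(asset, "unassigned")].append(f)

    for items in open_by_owner.values():
        items.sort(key=lambda f: -f["cvss"])
    return {"open": dict(open_by_owner), "suppressed": dict(suppressed)}


def sample_report():
    return rationalize(RAW_FINDINGS, TODAY)


if __name__ == "__main__":
    report = sample_report()
    print("suppressed:", report["suppressed"])
    for owner, items in sorted(report["open"].items()):
        for f in items:
            print(f"{owner:12} {f['asset']:10} {f['vuln']:26} cvss {f['cvss']} "
                  f"ips={','.join(f['ips'])} {'; '.join(f['notes'])}")
```

On the sample data eleven raw rows become four open items across three owners; the Windows server team gets nothing, because its only finding was for a patch that a later installed patch already fixed. The suppressed counts are returned rather than discarded so the decision record from slide 9 can show what was filtered and why, and the expired exception resurfaces on the unix owner's list with a note instead of staying silently accepted.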

47 Data Overload!! Challenge: Analysis Paralysis
Does this look familiar to anyone?
Raw vulnerability data: manually extracting data from vulnerability scanners is time consuming, the output lacks context and contains numerous redundancies, and it is difficult to get anything done or even know where to start. Data overload!!

48 Aetna’s Solution Automated Rationalization using QAE
QAE – Qualys Analytics Engine

52 Thank You! Questions?

53 Fill in the bubble contest And the winner is…

