
Slide 1

An Introduction to Vulnerability Management

Garrett Lanzy, Information Security Specialist
Information Security Office
Minnesota State Colleges and Universities
[email protected]

March 28th, 2012

Presentation can be downloaded from http://home.comcast.net/~lanzyg

Slide 2

Ground Rules

• Lectures are boring
– I don’t do lectures for a living
– I don’t want to put you to sleep (let alone myself!)
– I’d rather have an interactive presentation
• All questions are welcome!
– feel free to ask during the presentation
– long(er) answers may be deferred to end
• Feel free to contact me anytime with any further questions/comments
• Examples are from several different scans, so they don’t all “match”

Slide 3

Professional history

• B.S. degrees in EE and CS from Michigan Tech
• 22 year career at IBM
– 5 years hardware performance analysis
– 3 years software change management
– 14 years TCP/IP application development
• 2 years at Metropolitan State University
– Network/server/storage administration (1 year)
– Interim Director of IT Operations (1 year)
• 2 years at MnSCU system office
– Information security/vulnerability management

Slide 4

Outline

• Introduction to Vulnerabilities
• Evaluating Vulnerabilities
• Identifying Vulnerabilities
• Fundamentals of Vulnerability Management
• Vulnerability Management at MnSCU
• nCircle IP360 Deep Dive

Slide 5

An introduction to VULNERABILITIES

Slide 6

Definition: Vulnerability

• Wikipedia: “a weakness which allows an attacker to reduce a system’s information assurance.”
• ISO 27005: “A weakness of an asset or group of assets that can be exploited by one or more threats.”
• RFC 2828: “A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy.”

Slide 7

Examples of vulnerabilities

• Software bug allows unrestricted access to network share

• Network switch installed without changing the default administrator password

• Server application’s configuration file is writable by anyone

• Web application allows database contents to be “dumped”

Slide 8

CIA Triad

CIA = Confidentiality, Integrity, Availability

How can vulnerabilities affect the CIA triad?
• Confidentiality: a vulnerability might allow access to private or protected data
• Integrity: a vulnerability might allow unauthorized modification of data
• Availability: a vulnerability might cause a system to crash

Slide 9

(ISC)2

(ISC)2 = International Information Systems Security Certification Consortium

CBK = Common Body of Knowledge

(ISC)2 Certifications:
• SSCP = Systems Security Certified Professional
• CAP = Certified Authorization Professional
• CSSLP = Certified Secure Software Lifecycle Professional
• CISSP = Certified Information Systems Security Professional

Slide 10

(ISC)2 CBK Domains

• Access Control
• Telecommunications and Network Security
• Information Security Governance and Risk Management
• Software Development Security
• Cryptography
• Security Architecture and Design
• Operations Security
• Business Continuity and Disaster Recovery Planning
• Legal, Regulations, Investigations and Compliance
• Physical (Environmental) Security

Which domains may be affected by a vulnerability?

Slide 11

How are vulnerabilities found?

• “Something is wrong”
• Formal testing/techniques
– Fuzzing
– Bounds checking
• Automated tools
• Security research/ethical hackers (“White hats”)
• Unethical hackers (“Black hats”)
• “Grey hats”

Slide 12

Vulnerability Disclosure

• “Responsible disclosure” (White hat)
– Discovered vulnerability first reported to vendor
– Disclosed to CERT later (2 weeks)
• CERT = Computer Emergency Response Team
– Full disclosure to the public much later
• Quick disclosure (Grey hat)
– Discovered vulnerability immediately (or quickly) disclosed publicly
• No disclosure (Black hat)
– Remains a “zero-day” attack until someone else finds it

Slide 13

Vulnerability inventory databases

• CVE = Common Vulnerabilities and Exposures
  http://cve.mitre.org
• SecurityFocus/BugTraq
  http://www.securityfocus.com/
• OSVDB = Open Source Vulnerability Database
  http://www.osvdb.org/
• OWASP = Open Web Application Security Project
  https://www.owasp.org/index.php/Category:Vulnerability
• https://www.owasp.org/index.php/OWASP_Top_Ten_Project
• Vendor-specific databases (Microsoft, Apple, Adobe, RedHat, SuSE, Cisco, …)

Slide 14

Sample CVE entry

Slide 16

Evaluating VULNERABILITIES

Slide 17

Vulnerability evaluation

• Many different ways to evaluate vulnerabilities
• Many different “scoring” systems
• CVSS = Common Vulnerability Scoring System
– 3 values: Base, Temporal, Environmental
– Each ranges from 0 to 10
– Each value calculated from a formula based on criteria
– Nobody “owns” the CVSS values, therefore numeric values should be accompanied by the scoring criteria (“vector”)

Slide 18

CVSS Scoring

• Base metric: Constant with time and users
– What damage is possible?
• Temporal metric: Varies with time
– What is the current state of the vulnerability?
• Environmental metric: Varies by environment
– How could the vulnerability affect me?

Slide 19

CVSS Base Metric Example

CVE-2012-0002 example – base metric (NIST)

CVSS Base Score: 9.3
CVSS Base Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Access Vector = Network (can be exploited from anywhere)
Access Complexity = Medium (it takes some work but not a PhD)
Authentication = None (required)
Confidentiality Impact = Complete (attacker can get data at will)
Integrity Impact = Complete (attacker can change data at will)
Availability Impact = Complete (attacker can crash system)

Slide 20

CVSS Temporal Metric Example

CVE-2012-0002 example – temporal metric (nCircle, on 3/13/12)

nCircle CVSS Temporal Score: 6.9
nCircle CVSS Temporal Vector: (E:U/RL:OF/RC:C)

Exploitability = Unproven (but now at least POC, probably Functional)
Remediation = Official fix (Microsoft has released a patch)
Report Confidence = Confirmed (it’s really out there)

My take: Exploitability should now be “Functional”, which raises the score from 6.9 to 7.9

Slide 21

CVSS Environmental Metric Example

CVE-2012-0002 example – environmental metric (MnSCU before remediation)

MnSCU CVSS Environmental Score: 6.3
MnSCU CVSS Environmental Vector: (CDP:MH/TD:M/CR:M/IR:H/AR:M)

Collateral Damage Potential: Medium-High (significant productivity loss)
Target Distribution: Medium (26%-75% of environment at risk)
Confidentiality Requirement: Medium
Integrity Requirement: High
Availability Requirement: Low

Slide 22

Another scoring formula: nCircle

Slide 23

Identifying VULNERABILITIES

Slide 24

Tools for Finding Vulnerabilities

• Port scanners/Network enumerators
• Penetration testing tools
• Web application scanners
• Network vulnerability scanners
• Specialized scanners
– Database, ERP, etc.

Slide 25

Port scanners/Network enumerators

• Scan networks to find systems
• Scan ports on a system for applications/services
• Scan TCP/IP stack behavior to determine OS
– Stack fingerprinting
• Scan for other system information
– Open shares, application banners, etc.
• Example: Nmap (Network mapper) http://www.nmap.org
– open source tool

Slide 26

Penetration Testing Tools

• Allow vulnerabilities to be found
• Allow vulnerabilities to be exploited
• Many different techniques used
• Example: Metasploit http://www.metasploit.com
– Open-source version: Metasploit Framework
– Proprietary “free”: Metasploit Community Edition
– Paid versions: Metasploit Express, Metasploit Pro
– Proprietary versions developed by Rapid7

Slide 27

Network vulnerability scanners

• Start with network enumeration/port scanning
• Add additional function for finding specific vulnerabilities
• Agent vs. agentless:
– Scanners need to “see inside” system to find some vulnerabilities
– Some require software “agent” installed on systems to be scanned
– Agentless requires ability to “log in” to systems to discover these vulnerabilities

Slide 28

Vulnerability scanners

• Nexpose
– Commercial, developed by Rapid7
– Free and paid versions
• Nessus
– Originally open-source, became commercial
– Developed by Tenable Network Security
• OpenVAS = Open Vulnerability Assessment System
– Open source, based on Nessus
– Supported by German Federal Office for Information Security
• SAINT
– Commercial product
• QualysGuard
– Commercial, SaaS (“cloud”) solution

Slide 29

IP360

• Commercial vulnerability scanning product from nCircle
• Distributed, agentless vulnerability scanner
– Agentless: no software installed on devices scanned for vulnerabilities
– Distributed: local campus scanning appliances (device profilers) reduce network load
– Distributed: authorization model allows each campus to maintain own network and scan definitions
• Works with nCircle Security Intelligence Hub (SIH) product for reporting
• Limited web application scanning capability

Slide 30

IP360 Supported Credentials

• SMB-DRT: [domain/]username/password
– Gives access to Windows systems
• SSH-DRT: username/private key or username/password
– Gives access to Linux/OS X/Unix/ESX/network devices
• SNMP-DRT: SNMP Community String
– Gives access to SNMP MIB data (printers, network devices, …)
• Web applications (HTTP and web forms)

DRT = Deep Reflex Testing

Slide 31

Some fundamentals of VULNERABILITY MANAGEMENT

Slide 32

What is the basis of Information Security?

• Governance: Policies, Procedures, and Processes
– Who
  • Defines roles and responsibilities
– What
  • Defines how data is classified
  • Defines what needs to be protected
– Why
  • Defines how risk is assessed & managed

Slide 33

Vulnerability Management Process

Define Policy
Identify Assets
Classify Assets
Identify Vulnerabilities
Classify (prioritize) Vulnerabilities
Remediate/Mitigate Vulnerabilities

• 5.23.1.5 – Security Patch Mgmt.
• 5.23.1.6 – Vulnerability Scanning
• 5.23.1.8 – Anti-malware Installation and Management

Slide 34

Vulnerability Management Process vs. Tools

Tools (columns): Inventory Management, Vulnerability Scanner, Patching, Firewalls
Process steps (rows), with an X for each tool that supports the step:

Identify Assets: X X
Classify Assets: X
Identify Vulnerabilities: X X
Classify/Prioritize Vulnerabilities: X X X
Remediate/Mitigate Vulnerabilities: X X

Slide 35

Vulnerability Mitigation/Remediation

• Patching
• Fixing configuration
• Remove program/service
– Do we need it?
• Disable program/service
– Can we live without it?
• Block access to program/service
– Access controls
– Firewalls

Slide 36

Vulnerability Management at MNSCU

Slide 37

Information Security Program

• To protect information resources against unauthorized use, disclosure, modification, damage or loss
• Policies, procedures & guidelines
• Risk analysis & assessment
• Secure development & procurement practices
• Incident response
• Enterprise Access Management (new)

Slide 38

Vulnerability Management Infrastructure

• Regularly check every network device for actual or potential security problems
– 30,000 devices scanned at least quarterly
– 9,000 “visible” from Internet also scanned monthly
– Problems found are prioritized for remediation
• 30% reduction of Internet-visible vulnerabilities in past 3 months
• Cost: $3.55/device scanned/year

Slide 39

Vulnerability Management System Guideline

Slide 40

VMI Roles & Responsibilities

• MnSCU Information Security Office
– Contract administration & payment
– System administration & maintenance
– Hardware configuration
– User assistance
– Reporting to institution CIOs/campus VMI contacts
– “Institution IT” activities for system data centers
• Institution IT (“hamster wheel”)
– Campus scanning definition & configuration
– Vulnerability prioritization & remediation

Slide 41

IP360 architecture

2 types of systems:
• VnE = Vulnerability Enumerator
– “command and control” server
– User interface (via browser)
– Configuration and scan data storage
• Device profiler
– Appliance which performs scans
– Configuration for local network
– No data storage after scan is complete

Slide 42

VMI Architecture

Slide 43

nCircle IP360 DEEP DIVE

Slide 44

IP360 configuration objects

3 objects tied together define a “scan”:
• Scan profile
• Network profile
• Device profiler

Slide 45

IP360 Scan Profile

• Options for discovering systems
– ICMP (ping), port scans (TCP and/or UDP)
• Types of scanning to perform
– Stack fingerprinting?
– Application detection?
– Vulnerability scanning?
– Web application scanning?
– Configuration checks?
– Use credentials?
• Schedules for scanning

Slide 46

IP360 Network Profile

• Address range(s) to scan
• How systems are correlated between scans
– e.g., a system’s IP address may change between scans
– Need to be able to track changes to same system
• Asset value: relative “importance” of a system
– Sample criteria:
  • 1 = printers and IP Phones
  • 3 = lab workstations
  • 5 = staff workstations
  • 10 = servers
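The asset value above is what turns the "Identify Vulnerabilities" step of the process on slide 33 into "Classify (prioritize) Vulnerabilities": the same finding matters more on a server than on a printer. The script below is an added example, not code from the slides or from nCircle. It uses the sample asset values from this slide; the hosts, findings, scores and the doubling factor for Internet-visible hosts (slide 38 only says those hosts are scanned more often) are constructed assumptions.

```python
"""Prioritising findings by asset value and score.
Added example: not code from the slides or from nCircle. Asset values are the
slide's sample criteria; hosts, findings and the Internet-visible factor are constructed."""

from collections import defaultdict

# Sample asset-value criteria from the network profile slide.
ASSET_VALUE = {"printer": 1, "lab": 3, "staff": 5, "server": 10}

# Constructed inventory: host -> (asset class, reachable from the Internet?)
ASSETS = {
    "prn-01":   ("printer", False),
    "lab-17":   ("lab", False),
    "staff-42": ("staff", False),
    "db-01":    ("server", False),
    "web-01":   ("server", True),
}

# Constructed findings: (host, vulnerability id, CVSS base score)
FINDINGS = [
    ("prn-01", "VULN-A", 10.0),
    ("lab-17", "VULN-B", 7.5),
    ("staff-42", "VULN-B", 7.5),
    ("db-01", "VULN-C", 5.0),
    ("web-01", "VULN-B", 7.5),
    ("web-01", "VULN-D", 4.3),
]

INTERNET_VISIBLE_FACTOR = 2  # assumption; the deck only says such hosts are scanned monthly


def risk(asset_class, cvss, internet_visible):
    """Risk = asset value x score, weighted up when the host is Internet-visible."""
    factor = INTERNET_VISIBLE_FACTOR if internet_visible else 1
    return ASSET_VALUE[asset_class] * cvss * factor


def prioritise(findings, assets):
    """Rank findings highest risk first as (risk, host, vuln_id)."""
    ranked = []
    for host, vuln_id, cvss in findings:
        asset_class, visible = assets[host]
        ranked.append((risk(asset_class, cvss, visible), host, vuln_id))
    ranked.sort(key=lambda r: (-r[0], r[1], r[2]))
    return ranked


def remediation_plan(findings, assets):
    """Group hosts per vulnerability (one patch or configuration fix covers them all),
    ordered by the total risk each vulnerability carries across the fleet."""
    plan = defaultdict(lambda: {"total_risk": 0.0, "hosts": []})
    for r, host, vuln_id in prioritise(findings, assets):
        plan[vuln_id]["total_risk"] += r
        plan[vuln_id]["hosts"].append(host)
    return sorted(plan.items(), key=lambda item: -item[1]["total_risk"])


if __name__ == "__main__":
    for r, host, vuln_id in prioritise(FINDINGS, ASSETS):
        print(f"{r:6.1f}  {host:10} {vuln_id}")
    for vuln_id, entry in remediation_plan(FINDINGS, ASSETS):
        print(vuln_id, entry["total_risk"], entry["hosts"])
```

Note what the ranking does with the CVSS 10.0 finding on the printer: it lands last, below a 4.3 on the Internet-facing server. That is the intended effect of asset value, and it is why the slide insists the value be set per campus rather than left at a default.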

Slide 47

Scanning process

Scans are controlled by the VnE, which sends commands to the device profiler. Depending on options chosen in the scan profile, the following operations are performed during a scan:
• Host discovery
• Port scanning
• Application discovery
• Stack fingerprinting
• Vulnerability checking
• Configuration checking

Slide 48

Anatomy of a VnE Scan

Slide 49

Host Discovery

Each IP address in the range specified by the network object is checked with the discovery options specified by the scan profile:
• ICMP (ping)
• TCP port scan on specified ports
• UDP port scan on specified ports

Up to 150 devices can be scanned simultaneously by a device profiler (to improve performance).

Slide 50

Host Discovery Example

Slide 51

Port Scanning Example

Slide 52

Application Discovery

Device profiler scan to determine what applications/versions are available:
• Port scans and application-layer network checks
• If credentials are configured:
– Registry checks
– File checks

Slide 53

Application Discovery Example

Slide 54

Stack Fingerprinting

The profiler runs tests that send various network- and transport-layer (IP, ICMP, TCP, and UDP) protocol options and checks the responses to identify the operating system of the device.
• Different OSs behave differently
• “Voting” algorithm used to determine most likely OS
• Useful if not able to scan device with credentials
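A toy version of the "voting" idea, added here as an example; it is not nCircle's algorithm or signature data. Each probe whose response matches an OS signature casts one vote, the OS with the most votes is reported, and the vote count over the number of probes answered gives a confidence figure. The three signatures, the probe names and the observed responses are constructed for illustration only; a real scanner holds thousands of signatures built from many more probes. The one realistic detail worth keeping is the TTL handling: routers decrement the IP TTL per hop, so the observed value has to be mapped back to a likely initial value before it can be compared with a signature.

```python
"""Toy stack-fingerprint vote.
Added example: not nCircle's algorithm or data. Signatures, probe names and
observed responses are constructed for illustration."""

from collections import Counter

# Constructed signatures: OS family -> expected response per probe.
SIGNATURES = {
    "Linux": {
        "initial_ttl": 64, "tcp_window": 5840, "df_bit": True,
        "tcp_options": "MSS,SACK,TS,NOP,WS",
    },
    "Windows": {
        "initial_ttl": 128, "tcp_window": 8192, "df_bit": True,
        "tcp_options": "MSS,NOP,WS,NOP,NOP,SACK",
    },
    "Cisco IOS": {
        "initial_ttl": 255, "tcp_window": 4128, "df_bit": False,
        "tcp_options": "MSS",
    },
}


def initial_ttl(observed_ttl):
    """Map an observed TTL back to the nearest common initial value (32/64/128/255),
    since every router on the path has decremented it."""
    for candidate in (32, 64, 128, 255):
        if observed_ttl <= candidate:
            return candidate
    return 255


def fingerprint(observations, signatures=SIGNATURES):
    """Each answered probe votes for every OS whose signature matches its response.
    Returns the leader, its votes, probes answered, confidence and the runners-up."""
    tally = Counter()
    probes = 0
    for probe, value in observations.items():
        if value is None:          # no response to this probe: nobody gets a vote
            continue
        if probe == "observed_ttl":
            probe, value = "initial_ttl", initial_ttl(value)
        probes += 1
        for os_name, signature in signatures.items():
            if signature.get(probe) == value:
                tally[os_name] += 1
    if not tally:
        return {"os": None, "votes": 0, "probes": probes, "confidence": 0.0, "runners_up": []}
    ranked = tally.most_common()
    leader, votes = ranked[0]
    return {"os": leader, "votes": votes, "probes": probes,
            "confidence": votes / probes, "runners_up": ranked[1:]}


if __name__ == "__main__":
    # Constructed responses from a host 12 hops away (TTL 64 - 12 = 52).
    print(fingerprint({"observed_ttl": 52, "tcp_window": 5840, "df_bit": True,
                       "tcp_options": "MSS,SACK,TS,NOP,WS"}))
    # Only two probes answered: a leader is still chosen, but with less support.
    print(fingerprint({"observed_ttl": 120, "tcp_window": None, "df_bit": True,
                       "tcp_options": None}))
```

The runners-up list is the part to read when a result looks wrong: a "Windows" verdict carried by two probes with "Linux" one vote behind is exactly the case where the slide's advice applies and a credentialed scan should settle the question.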

Slide 55

Stack Fingerprinting Example

Slide 56

Stack Fingerprinting Vote Example

Slide 57

Vulnerability Checks

For each application found, checks are performed for each known/detectable vulnerability. These use the same techniques as application discovery, but go into more detail.
• May have completely different checks for the same vulnerability in different versions of an application
• May have multiple checks for the same vulnerability
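The two bullets above describe how a scanner selects checks: by the version discovered, with possibly several checks per vulnerability. The script below is an added example, not nCircle's check logic. The application names, versions and check definitions are constructed, and the probe is a stand-in for whatever the profiler actually tests. It shows the version-range gating, the one pitfall that bites hand-written checks (comparing versions as strings puts 2.2.14 before 2.2.9), and how several checks firing still produce one reported vulnerability.

```python
"""Version-aware vulnerability checks.
Added example: not nCircle's check logic. Application names, versions and
check definitions are constructed."""


def parse_version(text):
    """'2.2.14' -> (2, 2, 14). Tuples compare numerically, so 2.2.14 > 2.2.9,
    which a plain string comparison gets wrong."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad so '2.2' == 2.2.0


# Constructed check table. VULN-X needs a different check in each version branch;
# VULN-Y has two independent checks covering one range.
CHECKS = [
    {"id": "VULN-X", "app": "acme-httpd", "min": "2.0", "max": "2.2",
     "method": "banner: no backport marker"},
    {"id": "VULN-X", "app": "acme-httpd", "min": "2.2", "max": "2.2.15",
     "method": "config: vulnerable module enabled"},
    {"id": "VULN-Y", "app": "acme-sshd", "min": "0", "max": "5.4",
     "method": "banner: version below fixed release"},
    {"id": "VULN-Y", "app": "acme-sshd", "min": "0", "max": "5.4",
     "method": "file: fixed binary hash absent"},
]


def applicable_checks(app, version, checks=CHECKS):
    """Checks whose [min, max) version range covers the discovered version."""
    v = parse_version(version)
    return [c for c in checks
            if c["app"] == app and parse_version(c["min"]) <= v < parse_version(c["max"])]


def run_checks(discovered, probe, checks=CHECKS):
    """discovered: {app: version} from application discovery.
    probe: callable(app, method) -> bool, standing in for the profiler's real test.
    Returns {vuln id: [methods that fired]}: one entry per vulnerability, however
    many checks confirmed it."""
    found = {}
    for app, version in discovered.items():
        for check in applicable_checks(app, version, checks):
            if probe(app, check["method"]):
                found.setdefault(check["id"], []).append(check["method"])
    return found


# Constructed probe results for one host: which check methods would succeed there.
HOST_EVIDENCE = {
    ("acme-httpd", "config: vulnerable module enabled"): True,
    ("acme-sshd", "banner: version below fixed release"): True,
    ("acme-sshd", "file: fixed binary hash absent"): True,
}


def sample_probe(app, method):
    return HOST_EVIDENCE.get((app, method), False)


if __name__ == "__main__":
    print(run_checks({"acme-httpd": "2.2.3", "acme-sshd": "5.3"}, sample_probe))
```

The `[min, max)` convention matters for the boundary: the version that carries the fix is the first one outside the range, so "2.2.15" and "5.4" get no checks at all rather than a false positive.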

Slide 58

Vulnerability Check Example

Slide 59

Configuration Checks

If selected, specific checks are made to determine and report on configuration options. The available checks are highly dependent on each OS/application and whether or not credentialed scanning is being done.

Slide 60

Configuration Check Example

Slide 61

Reporting

• Many types of reports are available
• Can “drill down” to extreme levels of detail
• Can aggregate data for management reports and trend analysis

Slide 62

Sample Scan Report – Summary (pt. 1)

Slide 63

Sample Scan Report – Summary (pt. 2)

Slide 64

Sample Scan Report – Summary (pt. 3)

Slide 65

Vulnerabilities Report

Slide 66

Specific vulnerability (pt. 1)

Slide 67

Specific vulnerability (pt. 2)

Slide 68

Risk Matrix report

Slide 69

Summary

• Vulnerability Management is an important component of any Information Security program
• Need to start with policies and procedures so we know what to protect
• Variety of tools available, both free and $
• Tools give much more information than just what vulnerabilities are found
• Remediation ties into other IS processes

Slide 70

Questions?

• Presentation can be downloaded from:
– http://home.comcast.net/~lanzyg
• Your time!