enterprise vulnerability management: back to basics
TRANSCRIPT
Enterprise Vulnerability ManagementBSIDES AUSTIN - April 2016Damon Small & Kevin Dunn - NCC Group
Agenda
Welcome & Introductions 03
Session Overview 07
Session Definitions 08
Vulnerability Management 101 09
Vulnerability Assessment Scans 10
Failing & Pitfalls 21
VMP: Making a Real Difference 22
Session Close 31
2
3
Welcome & Introductions
NCC Group – A Global Security Firm
• Formed in June 1999 showing immense growth over the past 16 years.• 1800 employees, in 30 office locations• North America, the United Kingdom, Europe and Australia.• We strive to provide Total Information Assurance for our clients.
NCC Group in North America• Currently 8 offices in the NA: New York, Atlanta, Chicago, Austin, Seattle,
San Francisco, Sunnyvale and Waterloo.• NCC Group combines the best of bread US security brands of iSEC
Partners, Matasano, Intrepidus Group and NGS.
4
Welcome & Introductions
NCC Group – Security Consulting
• Attack & Penetration Focus• Applications• Mobile• Networks & Infrastructure• Physical Security• Embedded Systems• Red Teaming• Incident Response & Forensics• Enterprise Risk / VA Strategy
5
Welcome & Introductions
Your Speakers – DAMON SMALL, Technical PM for NCC Group in NA
• In IT since 1995; InfoSec since 2001• Louisiana native: “Not from Texas but I got here as fast as I could!”• Studied music at LSU; grad school in 2005 for Information Assurance• Supported healthcare orgs. in the Texas Medical Center• Vulnerability Management Programs:
o Two for Health Care orgs.o One for Oil & Gaso Workflow Analysis & Developmento Scanner Platform Deployments
6
Welcome & Introductions
Your Speakers – KEVIN DUNN, Technical VP for NCC Group in NA
• Technical VP for NCC Group, based in Austin TX.• 14 year career focused on Attack & Penetration techniques & defenses• Prior to that security focused government/military background• Responsible for:
o Regional Development & Managemento Development of Strategic Technical Practices:
§ Strategic Infrastructure Security (SIS)§ NA Computer Incident Response Team (NA-CIRT)
• Specialist in Red Team / Black Ops engagementso (Forms of extreme penetration testing and attack modeling)
7
Session Overview
Blue Team is Harder than Red Team!
• You’re in charge of VM for your company• You have scanning sensors deployed• You have hardening plans in place• You have remediation strategies and goals
• A pentest is commissioned from an outside firm• They prove traversal from the outside to the inside• They become Domain Admin on your network• They access your most critical data and systems.
8
Session Definitions
• Vulnerability Assessment: The act of gathering information regardingvulnerabilities on specific hosts, often using scanning tools. (Does includepenetration testing).
• Vulnerability Management: A business process that includes the followingkey components:
o Identificationo Classificationo Decision/Decision Recordo Mitigation
9
Vulnerability Management 101
• A business process that includes:
1. Identifying Vulnerabilities (VA)2. Promotes Patching / Hardening / Fix of Issues3. Decision process regarding remediation activities:
a. Fix it, accept it, or transfer the risk.
b. Creates an auditable decision record, process for validation,and a process to periodically review “no action” remediationwhere risk is accepted.
c. Decision process should be multi-disciplinary and represent allstakeholders (IT, business, InfoSec, etc.)
10
Vulnerability Assessment Scans
Scanning - What is it Good For?
• Identifying Vulnerabilities• Remediation Information• Software Inventory• Asset Management
Scanning - What is it Not Good For?
• Identifying Vulnerabilities• Going Beyond Patching• Workflow/Business Processes
11
Electrons/Photons going though wire/fiber
What is being examinedWhat tool can be used
1. Physical
2. Datalink
3. Network
4. Transport
5. Session
6. Presentation
7. Application
Med
ia L
ayer
sH
ost L
ayer
s
OSI Model
The Right Tool for the Right Job
12
Patching vs. Hardening
• Patching - Applying a software fix, update or upgrade. This is a code-levelchange, packaged typically as a binary. It usually comes from the softwaremanufacturer / development team.
• Hardening - Changing configuration settings to increase the security ofsomething based on an understanding of which settings are ‘more secure’.Typically defined via some kind of ‘best practices document’. Hardeningadvice may come from a number of sources.
13
Over-Focus on Scanning / Patching
Depth of System Hardening is Typically Shallow
• Consider the following issues found on most Pentests!
o MSSQL Weak SA Passwordo Tomcat Manager Weak Passwordo Jenkins Groovy Script Command Executiono Printer Default Credentials
14
Over-Focus on Scanning / Patching
MSSQL Weak SA Password
• A few simple steps to full control of server!
15
Over-Focus on Scanning / Patching
Tomcat Manager Weak Password
16
Over-Focus on Scanning / Patching
Tomcat Manager Weak Password
17
Over-Focus on Scanning / Patching
Jenkins Groovy Script Command Execution• Jenkins Integration Manager (source code build env.)
18
Over-Focus on Scanning / Patching
Jenkins Groovy Script Command Execution
• When poorly configured visiting /script gets you to a ‘Script Console’
19
Over-Focus on Scanning / Patching
Jenkins Groovy Script Command Execution
• That’s OS command execution! You never know how many privs you have!
20
Over-Focus on Scanning / Patching
Printer Default Credentials
• Printers can be useful!
21
Failings & Pitfalls
Common VMP Problems
• Over-prioritization of Scanning - no workflow development• Scan All the Things - but do nothing with the results…• Generate False Positives - and lose credibility*• No Consideration for Network & Business Impact*• No Security Team & Support Org. Relationship• Mistaking VA (alone) as a DefensiveActivity
22
VMP: Making a Real Difference
HIGHEST PRIORITIES
• Asset Inventory Management• Decision & Remediation Workflows• Visualization & Metrics
LOWER PRIORITIES
• VulnerabilityAssessment Scanning• Penetration Testing• Buying Cool Toys
23
ScanData
HumanAnalysis
Actio
nabl
eIn
form
atio
n
Turning Data Into Information
24
VMP Process Overview
Visualizing VMP Workflows
• VMP workflows can be difficult to visualize without prior exposure!• Workflows and process will vary between organizations• For the purposes of this discussion we’ve created an example• Most of our workflows can scale up or down to your requirements
• Bring on the HUGE diagram!
25
26
NIST Cybersecurity Framework
• VMP allows you to IDENTIFY your assets.
• VMP allows you to PROTECT via remediation.
• VMP allows you to DETECT vulnerabilities.
• VMP helps with effective RESPONSE.
• VMP communication workflows help RECOVERY.
27
Considerations
Analysis Methods & Opportunities for Improvement
• Macro vs Micro Analysiso Vulnerabilities by Hosto Hosts by Vulnerability
• Minimizing False Positiveso Confirmation of Issues from VMP Team
§ How?o Prior to Escalation to Support Org.o Maintain Credibility
28
VMP Design Checklist (1)Before You Purchase a Scanning Solution…
• Do you know your environment?o Enterprise Planningo Asset Discovery
• Do you know your stakeholders?o Business Units / Ownerso Support Org. Teams
• How will the data be consumed?o Consumerso Storage & Transmissiono Format & Control
29
VMP Design Checklist (2)Before You Purchase a Scanning Solution…
• How will we fit in with existing support workflows?o Scheduling / Change Controlo Ticketing (Defect)o Hands on Keyboardo Outage Resolution
• What skills or capabilities does our VMP team have?o VulnerabilityAssessment - Hands-on Experienceo VulnerabilityAnalysis - Results Interpretation
• How will we measure VMP success or failure?o Metrics / Feedback / Process Improvement
30
Okay!
Now you can have lunch with a scanner sales person! J
31
Session Close
• Scanners have been around for 20 years and yet we still don’t know how to use them, consume their data properly, or fix the things they find to satisfaction.
Call to Action
• Orgs - If you think the number and types of scans you do is the critical success factor, you are doing it wrong.
• Be sure to consider your VMP design and workflows FIRST.
• Scanner Vendors - Flinging packets is easy. Workflow integration, data aggregation, ticketing and tracking is much harder than it should be. Please help!
32
Ways to Stay in Touch
Kevin DunnTechnical VP – NCC Group, Security Consulting E: [email protected]: https://www.linkedin.com/in/kevdunn T: @kdunn_ncc
Damon SmallTechnical PM - NCC Group, Security ConsultingE: [email protected]: https://www.linkedin.com/in/damon-small-7400501 T: @damonsmall