Enterprise Vulnerability Management: Back to Basics
BSides Austin - April 2016
Damon Small & Kevin Dunn - NCC Group

Page 1: Enterprise Vulnerability Management: Back to Basics

Enterprise Vulnerability Management
BSides Austin - April 2016
Damon Small & Kevin Dunn - NCC Group

Page 2

Agenda

Welcome & Introductions 03

Session Overview 07

Session Definitions 08

Vulnerability Management 101 09

Vulnerability Assessment Scans 10

Failings & Pitfalls 21

VMP: Making a Real Difference 22

Session Close 31


Page 3

Welcome & Introductions

NCC Group – A Global Security Firm

• Formed in June 1999, showing immense growth over the past 16 years.
• 1800 employees, in 30 office locations
• North America, the United Kingdom, Europe and Australia.
• We strive to provide Total Information Assurance for our clients.

NCC Group in North America
• Currently 8 offices in NA: New York, Atlanta, Chicago, Austin, Seattle, San Francisco, Sunnyvale and Waterloo.
• NCC Group combines the best-of-breed US security brands of iSEC Partners, Matasano, Intrepidus Group and NGS.

Page 4

Welcome & Introductions

NCC Group – Security Consulting

• Attack & Penetration Focus
• Applications
• Mobile
• Networks & Infrastructure
• Physical Security
• Embedded Systems
• Red Teaming
• Incident Response & Forensics
• Enterprise Risk / VA Strategy

Page 5

Welcome & Introductions

Your Speakers – DAMON SMALL, Technical PM for NCC Group in NA

• In IT since 1995; InfoSec since 2001
• Louisiana native: “Not from Texas but I got here as fast as I could!”
• Studied music at LSU; grad school in 2005 for Information Assurance
• Supported healthcare orgs. in the Texas Medical Center
• Vulnerability Management Programs:
  o Two for Health Care orgs.
  o One for Oil & Gas
  o Workflow Analysis & Development
  o Scanner Platform Deployments

Page 6

Welcome & Introductions

Your Speakers – KEVIN DUNN, Technical VP for NCC Group in NA

• Technical VP for NCC Group, based in Austin TX.
• 14 year career focused on Attack & Penetration techniques & defenses
• Prior to that, security focused government/military background
• Responsible for:
  o Regional Development & Management
  o Development of Strategic Technical Practices:
    § Strategic Infrastructure Security (SIS)
    § NA Computer Incident Response Team (NA-CIRT)
• Specialist in Red Team / Black Ops engagements
  o (Forms of extreme penetration testing and attack modeling)

Page 7

Session Overview

Blue Team is Harder than Red Team!

• You’re in charge of VM for your company
• You have scanning sensors deployed
• You have hardening plans in place
• You have remediation strategies and goals

• A pentest is commissioned from an outside firm
• They prove traversal from the outside to the inside
• They become Domain Admin on your network
• They access your most critical data and systems.

Page 8

Session Definitions

• Vulnerability Assessment: The act of gathering information regarding vulnerabilities on specific hosts, often using scanning tools. (Does include penetration testing.)

• Vulnerability Management: A business process that includes the following key components:
  o Identification
  o Classification
  o Decision / Decision Record
  o Mitigation

Page 9

Vulnerability Management 101

• A business process that includes:

1. Identifying vulnerabilities (VA)
2. Promoting patching / hardening / fixing of issues
3. A decision process regarding remediation activities:
   a. Fix it, accept it, or transfer the risk.
   b. Creates an auditable decision record, a process for validation, and a process to periodically review “no action” remediation where risk is accepted.
   c. The decision process should be multi-disciplinary and represent all stakeholders (IT, business, InfoSec, etc.)
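As an added example, not from the original deck, the decision process above modelled as a small Python record: each finding carries a fix / accept / transfer decision, the disciplines that signed it, a fix due date derived from severity, and, for accepted risks, a periodic review clock, so that "overdue" and "review-due" fall out of the record itself. The SLA and review intervals, the two-discipline sign-off rule and the sample findings are all assumptions chosen for illustration, not values the deck prescribes.

```python
"""Minimal decision-record model for a vulnerability management process:
every finding gets a recorded decision (fix / accept / transfer), fixes are
validated against a due date, and accepted risks are re-reviewed periodically.
Added example; intervals and sample data are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation targets in days by severity (assumed; each org sets its own).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# How often a "no action" (accepted) decision must be re-reviewed (assumed).
ACCEPT_REVIEW_DAYS = 90
DECISIONS = ("fix", "accept", "transfer")


@dataclass
class DecisionRecord:
    finding_id: str
    host: str
    severity: str
    decision: str                    # one of DECISIONS
    decided_on: date
    stakeholders: tuple              # disciplines represented, e.g. ("IT", "InfoSec")
    justification: str
    validated_on: Optional[date] = None   # date the fix / transfer was verified
    last_reviewed: Optional[date] = None  # last review of an accepted risk


def validate(rec: DecisionRecord) -> None:
    """Reject records that would not survive an audit."""
    if rec.decision not in DECISIONS:
        raise ValueError(f"{rec.finding_id}: unknown decision {rec.decision!r}")
    if rec.severity not in SLA_DAYS:
        raise ValueError(f"{rec.finding_id}: unknown severity {rec.severity!r}")
    # Multi-disciplinary: at least two distinct disciplines signed off (assumed rule).
    if len(set(rec.stakeholders)) < 2:
        raise ValueError(f"{rec.finding_id}: decision needs more than one stakeholder")
    if not rec.justification.strip():
        raise ValueError(f"{rec.finding_id}: decision needs a written justification")


def fix_due(rec: DecisionRecord) -> date:
    """Date by which a 'fix' decision must be validated."""
    return rec.decided_on + timedelta(days=SLA_DAYS[rec.severity])


def status(rec: DecisionRecord, today: date) -> str:
    """Classify a record for reporting."""
    validate(rec)
    if rec.decision == "fix":
        if rec.validated_on is not None:
            return "closed"
        return "overdue" if today > fix_due(rec) else "open"
    if rec.decision == "transfer":
        return "transferred" if rec.validated_on else "transfer-pending"
    # Accepted risk: stays valid only while its periodic review is current.
    last = rec.last_reviewed or rec.decided_on
    if today - last > timedelta(days=ACCEPT_REVIEW_DAYS):
        return "review-due"
    return "accepted"


def summarize(records, today: date) -> dict:
    """Counts per status: the basic VMP metric a dashboard would plot."""
    counts = {}
    for rec in records:
        s = status(rec, today)
        counts[s] = counts.get(s, 0) + 1
    return counts


# Constructed sample records (not real findings).
TODAY = date(2016, 4, 30)
SAMPLE = [
    DecisionRecord("F-1", "db01", "critical", "fix", date(2016, 4, 1),
                   ("IT", "InfoSec"), "weak sa password; rotate and enforce policy",
                   validated_on=date(2016, 4, 5)),
    DecisionRecord("F-2", "build01", "high", "fix", date(2016, 3, 1),
                   ("IT", "InfoSec"), "unauthenticated script console"),
    DecisionRecord("F-3", "prn07", "low", "accept", date(2016, 1, 2),
                   ("IT", "Business", "InfoSec"), "isolated VLAN; vendor EOL"),
    DecisionRecord("F-4", "web02", "medium", "fix", date(2016, 4, 20),
                   ("IT", "InfoSec"), "manager app exposed; remove or restrict"),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.finding_id, rec.host, status(rec, TODAY))
    print(summarize(SAMPLE, TODAY))
```

The point of the model is that "accept" is not a terminal state: F-3 was accepted in January and, with no review recorded, is reported as review-due by the end of April, which is the periodic re-review the slide calls for.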

Page 10

Vulnerability Assessment Scans

Scanning - What is it Good For?

• Identifying Vulnerabilities
• Remediation Information
• Software Inventory
• Asset Management

Scanning - What is it Not Good For?

• Identifying Vulnerabilities
• Going Beyond Patching
• Workflow/Business Processes

Page 11

OSI Model: The Right Tool for the Right Job

[Figure: the seven OSI layers, with columns “What is being examined” and “What tool can be used”]

Media layers:
1. Physical (electrons/photons going through wire/fiber)
2. Data Link
3. Network

Host layers:
4. Transport
5. Session
6. Presentation
7. Application

Page 12

Patching vs. Hardening

• Patching - Applying a software fix, update or upgrade. This is a code-level change, typically packaged as a binary. It usually comes from the software manufacturer / development team.

• Hardening - Changing configuration settings to increase the security of something, based on an understanding of which settings are ‘more secure’. Typically defined via some kind of ‘best practices document’. Hardening advice may come from a number of sources.

Page 13

Over-Focus on Scanning / Patching

Depth of System Hardening is Typically Shallow

• Consider the following issues, found on most pentests!
  o MSSQL Weak SA Password
  o Tomcat Manager Weak Password
  o Jenkins Groovy Script Command Execution
  o Printer Default Credentials

Page 14

Over-Focus on Scanning / Patching

MSSQL Weak SA Password

• A few simple steps to full control of server!

Page 15

Over-Focus on Scanning / Patching

Tomcat Manager Weak Password

Page 16

Over-Focus on Scanning / Patching

Tomcat Manager Weak Password
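The Tomcat Manager finding above is a configuration weakness, not a missing patch, so a scanner keyed to patch levels will not report it; the check has to be made against the configuration. As an added example, not from the deck and not Tomcat project code, a small Python audit over a tomcat-users.xml: it flags any account holding a Manager or Host Manager role whose plaintext password is empty, on a weak-password list, or shorter than a length threshold. The sample XML, the weak-password list and the 12-character threshold are constructed for illustration; the role names are Tomcat’s real Manager / Host Manager roles.

```python
"""Audit a tomcat-users.xml for Manager / Host Manager accounts with weak or
default credentials: the kind of hardening gap a patch-level scan does not
report. Added example; sample config and wordlist are constructed.
"""
import xml.etree.ElementTree as ET

# Roles that grant access to the Manager / Host Manager web apps.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}
# Constructed short list of passwords seen in sample configs and wordlists;
# a real audit would use a proper wordlist.
WEAK_PASSWORDS = {"", "tomcat", "admin", "password", "s3cret", "manager",
                  "changeme", "root", "role1", "tomcat123"}
MIN_LENGTH = 12  # assumed local policy

# Constructed sample config (not from any real server). Tomcat ships these
# user entries commented out; here two have been uncommented and one strong
# account added.
SAMPLE_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="s3cret" roles="manager-script"/>
  <user username="ops" password="9XZ2q-M6vwP0L5Tt1fRk" roles="manager-gui"/>
  <user username="guest" password="" roles="role1"/>
</tomcat-users>
"""


def _local(tag: str) -> str:
    """Strip an XML namespace prefix ('{ns}user' -> 'user')."""
    return tag.rsplit("}", 1)[-1]


def looks_hashed(password: str) -> bool:
    """Heuristic: a CredentialHandler digest (hex, optionally '$'-separated
    salt/iterations) rather than a plaintext password."""
    if "$" in password:
        return True
    return len(password) >= 32 and all(c in "0123456789abcdefABCDEF" for c in password)


def is_weak(password: str) -> bool:
    return password in WEAK_PASSWORDS or len(password) < MIN_LENGTH


def audit_tomcat_users(xml_text: str) -> list:
    """Return one finding per privileged user with a weak plaintext password.
    Users without a privileged role are ignored even if their password is weak,
    since they cannot reach the Manager app; digested passwords are skipped
    because their strength cannot be judged offline."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) != "user":
            continue
        name = elem.get("username") or elem.get("name", "")
        roles = {r.strip() for r in (elem.get("roles") or "").split(",") if r.strip()}
        priv = sorted(roles & PRIVILEGED_ROLES)
        if not priv:
            continue
        password = elem.get("password", "")
        if looks_hashed(password):
            continue
        if is_weak(password):
            reason = "default/wordlist password" if password in WEAK_PASSWORDS else "short password"
            findings.append({"username": name, "roles": priv, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_XML):
        print(f"{f['username']}: {f['reason']} (roles: {', '.join(f['roles'])})")
```

On a hit the remedy is the hardening the deck is arguing for rather than a patch: remove the Manager and Host Manager apps where they are not needed, give the remaining accounts strong unique credentials, and restrict where the apps can be reached from (Tomcat’s RemoteAddrValve is one way). The same file-based check can be run across every Tomcat instance in the asset inventory without touching the network.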

Page 17

Over-Focus on Scanning / Patching

Jenkins Groovy Script Command Execution

• Jenkins continuous integration server (source code build env.)

Page 18

Over-Focus on Scanning / Patching

Jenkins Groovy Script Command Execution

• When poorly configured, visiting /script gets you to a ‘Script Console’

Page 19

Over-Focus on Scanning / Patching

Jenkins Groovy Script Command Execution

• That’s OS command execution! You never know how many privs you have!

Page 20

Over-Focus on Scanning / Patching

Printer Default Credentials

• Printers can be useful!

Page 21

Failings & Pitfalls

Common VMP Problems

• Over-prioritization of Scanning - no workflow development
• Scan All the Things - but do nothing with the results…
• Generate False Positives - and lose credibility*
• No Consideration for Network & Business Impact*
• No Security Team & Support Org. Relationship
• Mistaking VA (alone) as a Defensive Activity

Page 22

VMP: Making a Real Difference

HIGHEST PRIORITIES

• Asset Inventory Management
• Decision & Remediation Workflows
• Visualization & Metrics

LOWER PRIORITIES

• Vulnerability Assessment Scanning
• Penetration Testing
• Buying Cool Toys

Page 23

Turning Data Into Information

[Figure: Scan Data -> Human Analysis -> Actionable Information]

Page 24

VMP Process Overview

Visualizing VMP Workflows

• VMP workflows can be difficult to visualize without prior exposure!
• Workflows and process will vary between organizations
• For the purposes of this discussion we’ve created an example
• Most of our workflows can scale up or down to your requirements

• Bring on the HUGE diagram!

Page 25

[VMP workflow diagram; not reproduced in the transcript]

Page 26

NIST Cybersecurity Framework

• VMP allows you to IDENTIFY your assets.

• VMP allows you to PROTECT via remediation.

• VMP allows you to DETECT vulnerabilities.

• VMP helps with effective RESPONSE.

• VMP communication workflows help RECOVERY.

Page 27

Considerations

Analysis Methods & Opportunities for Improvement

• Macro vs Micro Analysis
  o Vulnerabilities by Host
  o Hosts by Vulnerability

• Minimizing False Positives
  o Confirmation of Issues from VMP Team
    § How?
  o Prior to Escalation to Support Org.
  o Maintain Credibility
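The “Turning Data Into Information” slide and the analysis slide above describe the same step from two angles: scan data becomes information only once an analyst pivots it (per host for the system owner, per vulnerability for planning a campaign) and confirms it before anything is escalated to the support org. As an added example, not the deck’s own tooling, a Python script over a constructed scan export: it builds both pivots, ranks confirmed issues for a campaign by severity times spread (so a medium present on many hosts can outrank a single high), and builds an escalation queue that drops false positives and keeps unverified items with the VMP team. The CSV rows, the vuln IDs and the severity weights are constructed for illustration.

```python
"""Turn raw scan export rows into the two views a VMP team works from
(vulnerabilities by host, hosts by vulnerability) and gate escalation on
human confirmation so false positives never reach the support organisation.
Added example; the export below is constructed, not real scanner output.
"""
import csv
import io
from collections import defaultdict

# Constructed scan export. The first four columns are what a typical CSV
# export carries; analyst_status is filled in by the VMP team after review.
SCAN_CSV = """host,vuln_id,title,severity,analyst_status
db01,V-100,MSSQL sa account has weak password,critical,confirmed
db01,V-200,SSL certificate self-signed,low,confirmed
web02,V-300,Tomcat Manager accessible with default credentials,high,confirmed
web03,V-300,Tomcat Manager accessible with default credentials,high,false_positive
build01,V-400,Jenkins script console reachable without authentication,critical,unverified
prn07,V-500,Printer web interface uses default credentials,medium,confirmed
prn08,V-500,Printer web interface uses default credentials,medium,confirmed
"""

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}  # assumed weights


def parse_export(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def vulns_by_host(rows) -> dict:
    """Micro view: what is wrong with this one box (for the system owner)."""
    out = defaultdict(list)
    for r in rows:
        out[r["host"]].append(r["vuln_id"])
    return {h: sorted(v) for h, v in out.items()}


def hosts_by_vuln(rows) -> dict:
    """Macro view: how widespread is this one issue (for campaign planning)."""
    out = defaultdict(list)
    for r in rows:
        out[r["vuln_id"]].append(r["host"])
    return {v: sorted(h) for v, h in out.items()}


def campaign_priority(rows) -> list:
    """Rank confirmed issues by severity x spread as (vuln_id, host_count,
    severity, score), so one medium on many hosts can outrank a single high."""
    confirmed = [r for r in rows if r["analyst_status"] == "confirmed"]
    spread = hosts_by_vuln(confirmed)
    sev = {r["vuln_id"]: r["severity"] for r in confirmed}
    ranked = [(vid, len(hosts), sev[vid], SEVERITY_RANK[sev[vid]] * len(hosts))
              for vid, hosts in spread.items()]
    return sorted(ranked, key=lambda t: (-t[3], -SEVERITY_RANK[t[2]], t[0]))


def escalation_queue(rows) -> list:
    """Only analyst-confirmed findings go to the support org, most severe
    first. False positives are dropped; unverified items stay with the VMP team."""
    confirmed = [r for r in rows if r["analyst_status"] == "confirmed"]
    return sorted(confirmed,
                  key=lambda r: (-SEVERITY_RANK[r["severity"]], r["vuln_id"], r["host"]))


def needs_verification(rows) -> list:
    """Work left for the VMP team before anything else can be escalated."""
    return [r for r in rows if r["analyst_status"] == "unverified"]


if __name__ == "__main__":
    rows = parse_export(SCAN_CSV)
    print("by host:", vulns_by_host(rows))
    print("by vuln:", hosts_by_vuln(rows))
    print("campaign order:", campaign_priority(rows))
    for r in escalation_queue(rows):
        print("escalate:", r["severity"], r["host"], r["vuln_id"], r["title"])
    for r in needs_verification(rows):
        print("verify first:", r["host"], r["vuln_id"])
```

With this data the web03 row never reaches a ticket because the analyst marked it a false positive, and the build01 row (the most severe item in the export) is held back until someone confirms it; both are the credibility-preserving steps the slide describes, and both are invisible if the raw scan CSV is forwarded as-is.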

Page 28

VMP Design Checklist (1)
Before You Purchase a Scanning Solution…

• Do you know your environment?
  o Enterprise Planning
  o Asset Discovery

• Do you know your stakeholders?
  o Business Units / Owners
  o Support Org. Teams

• How will the data be consumed?
  o Consumers
  o Storage & Transmission
  o Format & Control

Page 29

VMP Design Checklist (2)
Before You Purchase a Scanning Solution…

• How will we fit in with existing support workflows?
  o Scheduling / Change Control
  o Ticketing (Defect)
  o Hands on Keyboard
  o Outage Resolution

• What skills or capabilities does our VMP team have?
  o Vulnerability Assessment - Hands-on Experience
  o Vulnerability Analysis - Results Interpretation

• How will we measure VMP success or failure?
  o Metrics / Feedback / Process Improvement

Page 30

Okay!

Now you can have lunch with a scanner sales person! :)

Page 31

Session Close

• Scanners have been around for 20 years and yet we still don’t know how to use them, consume their data properly, or fix the things they find to satisfaction.

Call to Action

• Orgs - If you think the number and types of scans you do are the critical success factor, you are doing it wrong.

• Be sure to consider your VMP design and workflows FIRST.

• Scanner Vendors - Flinging packets is easy. Workflow integration, data aggregation, ticketing and tracking is much harder than it should be. Please help!

Page 32

Ways to Stay in Touch

Kevin Dunn
Technical VP – NCC Group, Security Consulting
E: [email protected]
https://www.linkedin.com/in/kevdunn
T: @kdunn_ncc

Damon Small
Technical PM - NCC Group, Security Consulting
E: [email protected]
https://www.linkedin.com/in/damon-small-7400501
T: @damonsmall