
Establishing a Quality Vulnerability Management Program


Presentation Transcript


  1. Establishing a Quality Vulnerability Management Program Zee Abdelnabi TECH-W03 Red Team Lead Major Automotive Company @Infosec_17

  2. Overview
  • What is VM?
  • How to sell a story to build a vulnerability management program
  • Picking the right tool
  • Evaluate costs and advantages: paying for professional services deployment vs. training your team
  • Mistakes to avoid
  • Creating a runbook / tabletop exercises
  • VM lifecycle
  • Problems
  • Tips

  3. What is Vulnerability Management? The process by which you accept, eliminate, or mitigate vulnerabilities based on the business risk and the cost of fixing them. Most vulnerabilities are known long before they are exploited.

  4. What do you REALLY think of VM? It’s repetitive, time-consuming, seems to never end

  5. Sell the Story to Establish the Program to Management
  • Competitor examples
  • Growth
  • What business goals are met
  • Use regulations and compliance: SOX, HIPAA, GLBA or PCI DSS
  • Maintaining the company's image
  • Improve security, IT, and the general business
  • Specific deliverables
  • Identify and reduce risk... it's not just about fixing vulnerabilities

  6. What an Exploited Vulnerability Looks Like

  7. Compare VM Tools
  Learn how to pick the best tool set for your environment.
  • Asset management is important here:
    • When you know what you have, you can look at the systems that can be more effectively scanned
    • If you have SCADA environments or operating systems that the VM tool doesn't scan, why get it?
    • Which tool will scan most of what you have?
  • Have a score card: weigh what's most important to you
  • List your most important assets
  You need a good asset management system/tool.

  8. Tool Selection Criteria
  • Active vs. passive VM:
    • If you can't get an active scanning tool because you have systems that are very fragile, you can use passive.
    • Passive doesn't scan anything...
    • If you have a system you don't want to actively scan (because if you do, it will die), put it in the passive tool and get alerts on it
  • Implementing tools that aren't used or configured properly is a waste:
    • Too many false positives use up resources and cause "alert fatigue"
    • Too many false negatives lead to overconfidence and false reassurance that all is well

  9. Make sure the tool has...
  • Adequate documentation
  • Detailed reports on the discovered vulnerabilities, including how they might be exploited and fixed
  • General industry acceptance
  • Availability of updates and support
  • High-level reports that can be presented to managers or nontechnical audiences

  10. Tool Implementation Guidelines
  • Consult the readme and/or online help files and FAQs.
  • Study the user guides.
  • Use the tool in a lab or test environment first.
  • Make sure it plays well with your other tools.
  • Ensure the tool delivers the promised functionality.
  • Consider formal classroom training.

  11. Outsource or Build Capabilities
  • Evaluate the costs and advantages of paying for professional services deployment vs. training your team
  • Determine the skills and competencies necessary to make a successful team
  • Figure out the amount of time required to do this
  • Increases speed and the quality of delivery
  • Frees management time, enabling the company to focus on core competencies while not being conferenced about consultants
  • Possible loss of control over a company's business processes
  • Lower than expected realization of benefits and results

  12. Mistakes to Avoid
  • Remediate all things
  • Prioritization
  • Relying on one tool
  • Scanning, but not acting on the scan results
  • Identify assets to avoid scanning
  • Thinking that patching = VM
  • Being unprepared for a zero-day exploit
  • Roles and responsibilities: process improvement, escalation, accountability
  • Forgetting compliance standards to follow

  13. Mistakes to Avoid
  • People misinterpret the CVSS; a low CVSS score doesn't mean the risk is low
  • When prioritizing, keep in mind the attack depth
  • Forgetting policy scanning
  • Intelligence gathering: latest attacks
  • Garbage in, garbage out (GIGO)
  • Volumes of useless checks
  • Authenticated vs. unauthenticated scanning: password (pw) changes
    • Who is responsible for giving you those pws or changing them?
    • Alert your groups on pw changes

  14. Create a Runbook
  • Communication plan: communications matrix, RACI chart
  • Overview
  • Management/team goals
  • Challenges the company has encountered during VM
  • Network information: domain names, internal and external IP addresses, network architecture
  • Assets for grouping/tagging, option profiles built
  • Create scan profiles: scanning and reporting schedules
    • Scan windows
    • How often can we scan?
    • Limits on bandwidth?

  15. Attacking an Attacker's Plan

  16. Tabletop Exercises
  • Demonstrate real live attack scenarios: biggest business impact (greatest relevance to the org)
  • Review the scenario
  • Break it into tactics
  • Gain assurance on existing controls
  • How ready are you?
  • Helps trend analysis (are we seeing this a lot?)
  • Increases efficiency
  • Why were they breached; was the same vulnerability used?
  • Attack patterns
  • Where are they attacking, what are they doing?

  17. Results and Follow-Up
  • Now you have attacker profiling: attack patterns built up from vulns
  • Build scenario model sensors and run experiments
  • Which vulns can be exercised through external system input to realize a cyber effect
  • Actionable intelligence
  • Deep dive into the dark side
  • Figuring out how someone could move through our network
  • Program maturity
  • Automatically inject public and private lists of vulnerabilities and organize them into a standardized attack point system

  18. Vulnerability Management Lifecycle

  19. Discover Phase
  • What's actually running in the different parts of your network.
  • Access points, web servers and other devices that can leave your network open to attack.
  • Operating system, finding open network ports, determining what services are active on those ports.
  • Scan by network range. Gives a hacker's-eye view of your network.

  20. Discover Phase Helps
  • Where devices, such as a firewall or an IPS, are placed on the network and how they're configured
  • What external attackers see when they perform port scans and how they can exploit vulnerabilities in your network hosts
  • Network design, such as Internet connections, remote access capabilities, layered defenses, and placement of hosts on the network
  • What protocols are in use
  • Commonly attacked ports that are unprotected
  • Network host configurations

  21. Prioritize
  • Asset classification system: assign business value to assets
  • Identify the highest business risks using trend analysis, zero-day and patch impact predictions.
  • Prioritize your systems so you can focus your efforts on what matters.
  • Some assets are more critical to the business than others
  • Criticality depends on business impact
  • Identify asset owners

  22. Prioritize
  • Which systems, if accessed without authorization, would cause the most trouble or suffer the greatest losses?
  • Which systems appear most vulnerable to attack?
  • Which systems crash the most?
  • Which systems are not documented, are rarely administered, or are the ones you know the least about?

  23. Assess
  • Scan systems anywhere from the same console:
    • Your perimeter
    • Internal network and cloud environments
  • Target hosts by IP address, asset group or asset tag
  • Scan the things you find and find out what vulnerabilities they have

  24. Reporting
  • Reporting considerations:
    • What reports are currently generated?
    • Build/import report templates
    • What information is needed from reports?
    • New data points
    • What levels receive reports (executive, line managers, line staff)?
  • Make IT the hero: promote them when they do a great job, and use metrics
  • Hold people accountable

  25. Report Templates and Metrics
  Establish the report templates and metrics you need to show your program is successful.
  • What is each team trying to accomplish?
  • Add/remove staff
  • Promote cost optimization
  • Demonstrate effectiveness
  • That's how you will demonstrate metrics on how much work is being done and how many vulnerabilities are being remediated
  • Make sure reports are providing value and giving management the right information

  26. Template Examples
  • Confirmed 4/5s only
  • Executive Trending Report
  • Executive Trending Report – 4/5s
  • Executive Trending Report – over 90 days
  • Overall Patches 4+5 – last 30 days
  • Patch Report
  You can't manage what you can't measure.

  27. Remediation: Fixing Vulnerabilities
  • How many groups are involved in remediation efforts?
    • This will drive asset groups/tagging
  • Patching/configuration process
    • Will take approximately 2-3 hours working with each group
  • How patching and vulnerability remediation is currently performed; if there is no process, create a plan
    • Patching schedule
    • What patching tool will you use?
    • Patch testing (Java)
    • What groups are involved?

  28. Remediation
  • If the risk outweighs the cost, eliminate or mitigate the vulnerability!
  • Implement mitigating controls (defense in depth):
    • Intrusion prevention systems (IPS)
    • Intelligent firewalls
  • Have a plan; make sure you have resources and permission to accept short-term risks to mitigate long-term vulnerabilities
  What happens if the cost outweighs the risk?

  29. Verification
  • Verify applied patches and confirm compliance
  • Verify the tickets after they are closed

  30. Majority of 2's and 3's = Misconfiguration
  • Misconfigurations of systems, servers, and firewalls also lead to the compromise of networks.
  • Changes to Group Policy or other change methods: this is a way to reduce risk in the environment on a large scale with minimal effort.
  • Review non-patchable vulnerabilities to identify quick wins on the configuration side to reduce risk.
  Remove the vulnerabilities and better secure your systems.

  31. Problems: Don't Ignore Issues
  • The high-impact patches:
    • A report that identifies the areas that reduce the largest number of vulnerabilities, so effort can be prioritized.
    • Open tickets for each of these patchable vulnerabilities over 90 days old.
    • This will drive remediation and get these issues closed.
  • IPs not being used:
    • These IPs can be used to scan other systems to drive remediation and actual reduction of risk.
    • Review hosts to identify whether they are still in the environment.
    • Hosts that are not scanned can never show fixed vulnerabilities, and keep the vulnerability count artificially high.

  32. Problems
  • There are 305 IPs that have not been scanned in more than 60 days, with some hosts not scanned since July 2010.
  • SCCM broken
  • Teams will not authorize the appropriate level of access to run authenticated scans.
    • Plug in the credentials
  • Re-opened vulnerabilities
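The two "Problems" slides above describe checks a VM team can automate over its own scan data: hosts not scanned in 60 days, hosts still scanned without credentials, patchable severity 4/5 findings open over 90 days that need tickets, and a high-impact patch ranking. The script below is an added example, not code from the talk; its host inventory, finding records and "today" date are constructed, and the severity and age thresholds are taken from the slides.

```python
from datetime import date, timedelta

# Constructed sample data (not from the talk). "Today" is fixed so results are repeatable.
TODAY = date(2019, 3, 10)

# One record per host: last successful scan date and whether it was an authenticated scan.
HOSTS = [
    {"ip": "10.0.1.10", "last_scan": date(2019, 3, 1),   "authenticated": True},
    {"ip": "10.0.1.11", "last_scan": date(2018, 12, 15), "authenticated": False},
    {"ip": "10.0.2.5",  "last_scan": date(2010, 7, 20),  "authenticated": False},
]

# Open findings: scanner severity 1-5, whether a patch exists, date first detected.
FINDINGS = [
    {"ip": "10.0.1.10", "vuln": "VULN-A", "severity": 5, "patchable": True,  "first_seen": date(2018, 11, 1)},
    {"ip": "10.0.1.10", "vuln": "VULN-B", "severity": 3, "patchable": False, "first_seen": date(2019, 2, 1)},
    {"ip": "10.0.1.11", "vuln": "VULN-A", "severity": 5, "patchable": True,  "first_seen": date(2018, 10, 1)},
    {"ip": "10.0.2.5",  "vuln": "VULN-C", "severity": 4, "patchable": True,  "first_seen": date(2019, 3, 1)},
]

def stale_hosts(hosts, today, max_age_days=60):
    """Hosts not scanned within max_age_days; they can never show a fixed vulnerability."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(h["ip"] for h in hosts if h["last_scan"] < cutoff)

def unauthenticated_hosts(hosts):
    """Hosts still scanned without credentials: chase the owning team for access."""
    return sorted(h["ip"] for h in hosts if not h["authenticated"])

def ticket_candidates(findings, today, min_severity=4, max_age_days=90):
    """Patchable severity 4/5 findings open longer than max_age_days: one ticket each."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted((f["ip"], f["vuln"]) for f in findings
                  if f["patchable"] and f["severity"] >= min_severity and f["first_seen"] < cutoff)

def high_impact_patches(findings, min_severity=4):
    """Rank patches by how many severity 4/5 findings each one would close."""
    counts = {}
    for f in findings:
        if f["patchable"] and f["severity"] >= min_severity:
            counts[f["vuln"]] = counts.get(f["vuln"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def problem_report(hosts=HOSTS, findings=FINDINGS, today=TODAY):
    """Everything the two 'Problems' slides ask for, in one dict."""
    return {"stale_hosts": stale_hosts(hosts, today),
            "unauthenticated_hosts": unauthenticated_hosts(hosts),
            "tickets": ticket_candidates(findings, today),
            "high_impact_patches": high_impact_patches(findings)}
```

Against real scanner exports, replace the constructed lists with records parsed from the tool's CSV or API output; the thresholds are keyword arguments so they can follow the runbook's scan windows.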

  33. Risk Management
  RISK = Assets x Vulnerabilities x Threats
  You can control vulnerabilities. Focus on your high-priority assets, and reduce your threat landscape.
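Worked through in code, the RISK = Assets x Vulnerabilities x Threats formula on this slide shows why slide 13 warns that a low CVSS score does not mean low risk, and how the two levers from slide 28 (remediate vs. mitigate) change the result differently. This is an added example, not code from the talk; the asset values, finding names and 1-5 scales are constructed, and the halving of the threat factor for a mitigating control is an assumed weight.

```python
# Constructed example scores (not from the talk). Each factor is rated 1-5:
# asset value = business impact if compromised, severity = the scanner's
# CVSS-derived rating, threat = exposure and known exploitation.
ASSETS = {"payroll-db": 5, "kiosk-01": 1, "web-portal": 4}

FINDINGS = [
    # (asset, vulnerability id, severity, threat)
    ("payroll-db", "CFG-WEAK-SMB", 2, 4),  # low CVSS, but critical asset under active attack
    ("kiosk-01",   "RCE-OLD-JAVA", 5, 2),  # high CVSS on a throwaway asset
    ("web-portal", "XSS-SEARCH",   3, 3),
]

def risk_score(asset_value, severity, threat):
    """RISK = Assets x Vulnerabilities x Threats, as the slide states it."""
    return asset_value * severity * threat

def prioritize(assets, findings):
    """Order findings by risk, highest first: (score, asset, vulnerability id)."""
    scored = [(risk_score(assets[asset], sev, thr), asset, vid)
              for asset, vid, sev, thr in findings]
    return sorted(scored, reverse=True)

def residual_risk(asset_value, severity, threat, remediated=False, mitigated=False):
    """Remediation removes the vulnerability factor entirely; a mitigating
    control (IPS, firewall rule) only lowers the threat factor, here by half.
    The halving is an assumed weight, not a figure from the talk."""
    if remediated:
        severity = 0
    if mitigated:
        threat = threat / 2
    return risk_score(asset_value, severity, threat)
```

With these inputs the severity-2 finding on the payroll database ranks first and the severity-5 finding on the kiosk last, which is the ordering a CVSS-only sort would invert.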

  34. Tips
  • Most organizations do a good job of keeping Microsoft operating systems and applications up to date.
  • But they don't fare nearly as well when it comes to Linux, UNIX, Mac, and 3rd-party applications such as Adobe.
  • Application scanning should be added to the types of tests performed to make sure that any new or existing applications are not vulnerable.
  • Create an internal hacking lab (recon, scanning, exploitation):
    ✓ Exploiting missing patches
    ✓ Attacking built-in authentication systems
    ✓ Breaking file system security
    ✓ Cracking passwords and weak encryption implementations

  35. Tips
  • Don't overlook physical security
  • When everyone has a stake, when every team has skin in the game, then the burden of VM is shared and perhaps lessened for each individual.
  • Act fast

  36. Making Contact to Report Vulnerabilities
