What Does Patching have to do with Compliance Management
Michael J Wiser, CISSP, Vice President, Citadel Security Software Inc.
www.citadel.com/2minutebroadcast
Patching and Compliance Management
What Does Patching have to do with Compliance Management?
• Typically about 25% to 35% of policy can be achieved through patching
• Customer "S": 28% compliant with a patching solution deployed
• Customer "S": 95% compliant with an EVM solution deployed
The Real Issue
• Today's currency is bits, not gold
• No gold bullion in the vault
• "cloud of electrons at the right place at the right time"
• Money is represented electronically
• Trillions of e-$ flow through nations daily
• BUT: Many executives do not understand or recognize the importance of their information systems and the threats that exist, and therefore do not invest in the security of these systems.
Vulnerabilities
So many ways to be attacked:
• Physical Penetrations
• Company Profiling – Open Source Research
• Footprinting – Scanning – Enumeration
• Penetration
• Escalate Privilege – Stealing/Damaging Corp. information
• Trojans – remote controlling systems
• Buffer Overflows
• Port Redirection of Packets
• Zone Transfers
• SNMP Sweeps
• Router Exploitation
• Key Loggers – Software and Hardware devices
• Denial of Service
• ARP/DNS Poisoning
Some More Numbers
• General Internet attack trends are showing a 64% annual rate of growth – Symantec
• The average company experiences 32 cyber-attacks per week – Checkpoint
• The average measurable cost of a serious security incident in Q1/Q2 2004 was approximately $500,000 – UK Dept of Trade & Industry
• Identity theft related personal information is selling for $500-$1000 per record – CFE Resource
• Average of 79 new vulnerabilities per week in 2004!! – eEye Digital Security
And They're Getting Better
• More vulnerabilities = higher likelihood of attack
• Faster attacks = less time to react
What We See
• Rapidly increasing threats and vulnerabilities
• Rapidly decreasing time to exploit
• No corresponding increase in IT resources
Sources: CERT/CC, Microsoft, SANS
Issues Leading to Compromise
How do they do it?
• Out of Date Systems
  • Systems and applications are not at the latest patch levels
• Configuration Issues
  • What may be (somewhat) safe on a LAN is not safe on the Internet
• Poor Password Choice
  • Remote administration or support access tends to be designed to make it easy to support, but also easy to hack into
• Lack of Security Controls
  • Firewalls, Intrusion Detection Systems, Encryption, 2-Factor Authentication are not present
• Application Coding Problems
  • Lack of thorough testing leaves many flaws in web based applications such as:
    • URL/Directory permissions
    • SQL Injections
    • URL Manipulation
    • Session Issues
Methods
How do they find these problems?
• Scanning, Scanning and More Scanning
  • Port Scanners
  • Vulnerability Scanners
  • Web Application Scanners
• Trial and Error
  • Attackers have unlimited amounts of time and resources
• Publish and Share
  • Attackers often find issues with sites and then publish their techniques to obscure locations (chat rooms, foreign language hacker forums, etc.)
Case Study 1: POS Environment
(Network diagram: Processor, Retail Store, Internet, Corporate, Attacker)
Case Study 1: Timeline of Events
Monday November 8th 2004
• 2:07 PM – Attacker named Мальчик begins scanning a network block known to be used by a US based ISP for its business DSL connections.
• 3:14 PM – Мальчик finds a system with a Windows share open with full read/write permissions.
• 3:23 PM – Мальчик mounts the share on his system and begins to search for cardholder data using automated tools.
• 4:05 PM – The system is found to contain several thousand card numbers and corresponding track data. The last transaction was at 4:03 PM. Мальчик realizes that this must be a POS system and knows he struck gold today.
• 4:07 PM – Мальчик begins to copy all files containing cardholder data.
Case Study 1: Timeline of Events (Cont'd)
Wednesday November 10th 2004
• 1:11 AM – Мальчик returns to install an agent that each day will ZIP up all new transactions and HTTP post them to http://sneety02.devotchka7.ru
• 2:51 AM – Мальчик runs the agent to test that it works. 15,892 transactions were posted to his group's site.
• Future Work
  • Мальчик and his group will begin to emboss and sell "real" cards from this and future posts to his site.
  • If the street price for a "real" card is about $160 USD, they made about $2.5 million USD from the first harvest from this site.
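Case Study 1 hinges on cardholder data (card numbers plus track data) sitting in plain files on an open share. As an added defensive example, not code from the presentation or from Citadel, the following Python sweep finds stored PANs and magnetic-stripe track records on your own systems so they can be removed before anyone else's scanner reaches them; the log lines, the regular expressions and the Track 1/Track 2 field layouts are constructed assumptions.

```python
import re

# Constructed sample of lines from a POS transaction log on an exposed share.
# Line 1 carries Track 2 data, line 2 Track 1 data, line 3 a 16-digit order
# reference that is NOT a card number (fails Luhn), line 4 nothing of interest.
SAMPLE_LINES = [
    "2004-11-08 16:03:11 SALE 49.95 ;4111111111111111=05121015432112345678?",
    "2004-11-08 16:02:40 SALE 12.00 %B5555555555554444^DOE/JANE^0609101?",
    "2004-11-08 16:01:55 REFUND 7.50 order=12345 ref=1234567812345678",
    "2004-11-08 16:00:01 heartbeat ok",
]

# Magnetic-stripe layouts: Track 1 "%B<PAN>^<NAME>^<YYMM>...?" and
# Track 2 ";<PAN>=<YYMM>...?", plus bare 13-19 digit runs that may be a PAN.
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})\d*\?")
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})\d*\?")
BARE_PAN = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Mod-10 check digit test; weeds out most digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Report only the first 6 and last 4 digits so the report is not itself sensitive."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_lines(lines):
    """Return (line_no, kind, masked_pan) for every stored PAN or track record found."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for m in rx.finditer(line):
                if luhn_ok(m.group(1)):
                    findings.append((n, kind, mask(m.group(1))))
        seen = {f[2] for f in findings if f[0] == n}
        for m in BARE_PAN.finditer(line):  # bare PANs not already reported as track data
            if luhn_ok(m.group(1)) and mask(m.group(1)) not in seen:
                findings.append((n, "pan", mask(m.group(1))))
    return findings
```

Run it over every file on each share the POS hosts expose; any hit on a share readable by Everyone is exactly the exposure in the timeline above.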
Case Study 2: eCommerce Sites
(Network diagram: Processor, Web Hosting ISP, Internet, Customer, Attacker)
Case Study 2: Timeline of Events
Thursday October 28th 2004
• 11:40 AM – A hacking group by the name of L-Crew had been scanning a large segment of the Internet for open database servers. They noticed that TCP port 3306 was open on a server and that they were able to execute queries against the database.
• Note: This site is hosted at an Internet Hosting Provider that leverages a shopping cart driven by a backend database shared by all hosted customers.
Case Study 2: Timeline of Events
Friday October 29th 2004
• 2:29 AM – The L-Crew has been exploring the database for about 14 hours and discovered that they can query a table containing the username and password hashes for the shopping cart administrator accounts that each merchant uses.
• 3:45 AM – The L-Crew downloaded a dump of the user table to their local system. They noticed on the main website for the hosting provider that a merchant can set up a demo shopping cart account. They created an account through the registration process.
• 3:52 AM – After registering they are asked to pick a password for their account. They are told that the password cannot be greater than 7 characters and must not contain numbers or symbols.
Case Study 2: Timeline of Events (Cont'd)
Friday October 29th 2004 (Cont'd)
• 4:10 AM – Using the information gathered during the registration process, the L-Crew took the password hashes and began to attempt to crack them. Since they knew the "rules" that were applied to password creation, they were able to greatly narrow their cracking efforts.
• 5:56 AM – The L-Crew had successfully cracked all 587 passwords, including the global administrator account used to set up custom fields and other environment specific shopping cart settings.
• 7:14 AM – The L-Crew, using the global administrator account, modified the shopping cart to HTTP post a copy of each transaction (including CC#, Exp, CVV2/CID) from every merchant to another site they compromised located at http://visty45.miaku.co.jp
• 8:23 AM – The L-Crew has gathered over 1000 transactions on their site and decides to write a script on the site receiving the transactions to batch these up each hour and e-mail them to 20 different "free mail" accounts.
Case Study 2: Timeline of Events (Cont'd)
Saturday October 30th 2004
• 9:22 AM – John Smith purchased a book from ACME Books' website. This site is hosted at the Internet Hosting Provider that was compromised by the L-Crew.
• 11:46 AM – The L-Crew has gathered over 14,000 transactions (including John Smith's) and has begun sorting and packaging them for resale.
• If the street price for just cardholder information (no magnetic stripe) is about $10, they will make about $140,000 USD for a little more than 24 hours of work.
Challenges: Business and Government Mandates
The Computer Security Institute (CSI) reported over $141 billion damage from security incidents in the US in 2004. – 2004 CSI/FBI Computer Crime and Security Survey
• FDIC
• CA1386
• HIPAA
• Sarbanes-Oxley
• Gramm-Leach-Bliley
• Protect Business Assets
• Protect Business Reputation
• Payment Card Industry Data Security Standard
• Securities & Exchange Commission
• Federal Trade Commission
• Clinger-Cohen Act
• Presidential Decision Directive 63
• Government Information Security Reform Act (GISRA)
• Federal Information Security Management Act (FISMA)
Facing The Challenge: Shifting From Documenting To Enforcing
Past Practices – Documented Corporate Security Policy
• Perimeter Security: Firewalls, IPS, IDS
• Internal Security: Virus Scanning, Manual Remediation, Hand Coded Software Patches
Current Practice – Audit Corporate Security Policy
• Assessment Scanners: Unsecured Accounts, Unnecessary Services, Backdoors, Mis-configurations, Software Defects
• Threat Management
Best Practice – Enforce Corporate Security Policy
• Remediate Vulnerabilities
• Manage Disconnected Users
• Apply Policy Templates
• Compliance and Validation Checking
• Reporting
(Diagram axis: from Documentation to Enforcement)
Compliance Management
• Okay, for your Desktops and Servers what is it?
• Is it patch management?
• Is it configuration management?
• Is it Vulnerability Assessment scanning?
So It's About Patching?
• Well, no.
• 90 to 95% of all network attacks target vulnerabilities for which there was an existing mitigation or repair. – FBI, SANS, Gartner, Carnegie-Mellon
• Software defect patching accounts for less than 35% of the known network/system vulnerabilities
• The balance are "configuration" related:
  • Weak, default or nonexistent passwords
  • Improperly configured software (OS, browser, email, ...)
  • Unnecessary services/open ports
  • Unauthorized/poor software (Peer-to-peer, Instant messaging)
Five Classes of Vulnerabilities
Vulnerability: A weakness in process, administration or technology that can be exploited to compromise IT security – Gartner
• Unsecured Accounts: Null Password, Admin no PW, no PW expiration . . .
• Unnecessary Services: VNC, PCAnywhere, KaZaa, Telnet . . .
• Backdoors: Spyware (KaZaa, DownloadWare, 180 Solutions, GAIN), MyDoom.A, BACKORIFICE, SUBSEVEN . . .
• Mis-configurations: Netbios shares, Anonymous FTP world r/w, hosts.equiv . . .
• Software Defects (Missing Patches): Buffer overruns, RPC-DCOM, SQL Injection . . .
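To show concretely why a patch-only check overstates compliance, here is an added example (not code from the presentation or from Citadel) that assesses a constructed host snapshot against a constructed policy across all five classes; the host is fully patched yet fails four of the five. The snapshot fields, the policy baseline and the patch identifiers in it are assumptions.

```python
# Constructed snapshot of one host, shaped like what an assessment scanner collects.
HOST = {
    "accounts": [
        {"name": "Administrator", "has_password": False, "expires": False},
        {"name": "svc_pos", "has_password": True, "expires": False},
        {"name": "jdoe", "has_password": True, "expires": True},
    ],
    "listening": {23: "telnet", 445: "microsoft-ds", 5900: "vnc"},
    "processes": ["explorer.exe", "kazaa.exe", "pos.exe"],
    "shares": [{"name": "POSDATA", "everyone": "full"}, {"name": "LOGS", "everyone": "read"}],
    "patches": {"MS03-026", "MS04-011"},
}
# Constructed policy baseline (MS03-026 is the RPC-DCOM fix the slide alludes to).
POLICY = {
    "required_patches": {"MS03-026", "MS04-011"},
    "banned_services": {"telnet", "vnc", "pcanywhere"},
    "banned_processes": {"kazaa.exe", "downloadware.exe"},
}

CLASSES = ("unsecured_accounts", "unnecessary_services", "backdoors",
           "misconfigurations", "software_defects")

def assess(host, policy):
    """Group findings into the five vulnerability classes, not just missing patches."""
    out = {c: [] for c in CLASSES}
    for a in host["accounts"]:
        if not a["has_password"]:
            out["unsecured_accounts"].append(f"{a['name']}: no password")
        elif not a["expires"]:
            out["unsecured_accounts"].append(f"{a['name']}: password never expires")
    for port, svc in host["listening"].items():
        if svc in policy["banned_services"]:
            out["unnecessary_services"].append(f"{svc} listening on tcp/{port}")
    for p in host["processes"]:
        if p in policy["banned_processes"]:
            out["backdoors"].append(f"{p} running")
    for s in host["shares"]:
        if s["everyone"] in ("full", "write"):
            out["misconfigurations"].append(f"share {s['name']}: Everyone has {s['everyone']}")
    for patch in sorted(policy["required_patches"] - host["patches"]):
        out["software_defects"].append(f"missing {patch}")
    return out

def patch_only_compliant(findings):
    """What a patch-management-only check would report for this host."""
    return not findings["software_defects"]

def policy_compliance(findings):
    """Fraction of the five classes with no findings: the policy-level view."""
    clean = sum(1 for v in findings.values() if not v)
    return clean / len(findings)
```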
Approaches to Reducing IT Security Risk
Top-down (Check Compliance or Enforce Policy)
• Define asset baseline
• Define security baseline
• Enforce IT security config
Bottom-up (Scan, Validate, Remediate)
• Assess vulnerability state
• Remediate detected vulnerabilities
Targeted (Near Day Mitigation)
• New, critical vulnerabilities
• Key assets
What needs to be achieved
• IT Security Compliance – Continuous IT security policy enforcement
• Reduced IT Security Risk – Proactive elimination of vulnerabilities
• Minimized Business Disruptions – Consistent enterprise remediation
• Thorough reporting on Security posture – Document compliance to policy
• Improved Utilization of Resources – Automation and integration
Security In the News
• The Internet Threat Regulator
• The Internet Traffic Report
• The Virus, Worm and Trojan Report
• And the Vulnerability Report
www.citadel.com/2minutebroadcast
Michael J Wiser, CISSP, Vice President, Citadel Security Software Inc., 214-520-9292