460 likes | 638 Views
Managing IT Vulnerabilities Information Security Management 95-752. Sasha Romanosky October 08, 2009. whoami?. Over 10 years experience in information security – eBay, Morgan Stanley Published works on vulnerability management, security patterns
E N D
Managing IT Vulnerabilities Information Security Management 95-752 Sasha Romanosky October 08, 2009
whoami? • Over 10 years experience in information security – eBay, Morgan Stanley • Published works on vulnerability management, security patterns • Co-developer of CVSS (Common Vulnerability Scoring System) • Developed FoxTor: firefox extension for anonymous browsing • Now a PhD student in the Heinz College • Research: Measuring and modeling security and privacy laws • Also, your TA!
Managing IT Vulnerabilities • In this class, you’ve learned all about basic information security tools, practices and controls • The purpose of this talk is to discuss IT risk. Specifically, managing IT vulnerabilities. We’ll also look at some commercial tools. • This generally involves three steps • Finding the vulns (scanning: nessus, Qualys, nCircle, etc) • Scoring and Prioritizing vulns (CVSS) • Analyzing vulns (RedSeal, Skybox) • Remediating vulns
Quick definitions • IT Asset: some network-enabled IT device of value to an organization • Asset value: the value that the organization places on an IT asset • Vulnerability: an exposure or weakness of an asset • Threat: probability of an attack or other harmful event • Risk: damage caused when a threat exploits a vulnerability
Why Vulnerability Management? • Do we really need to worry about computer vulnerabilities given all the other security issues around the organization? • Only you can answer that. But, consider this: • Vulnerabilities are a quick win: • Detection is fairly straightforward (most products do this very well) • Fixing holes willreduce loss • It’s relatively easy to quantify progress • This might be your job one day? (anyone?)
Vulnerability Management Lifecycle 1) Identification and Validation 2) Risk Assessment and Prioritization 3) Remediation 4) Continual Improvement Scoping Systems Detecting Validate Assess Risks Prioritize Vulnerabilities Mitigate Leverage IT Processes Stop the Spread Establish OLAs Automate
Vulnerability Management Lifecycle1) Identification and Validation • Scoping systems: find all the networks; wireless, backup, transit, admin, test, production. Identify and document them all – even if you won’t be scanning them immediately. • Detecting vulns: all IT assets should be scanned or monitored, (even printers!) Scanners actively probe devices whereas monitoringpassively checks networks or hosts. • Validating findings: once you have the (mountain of) data, validate the results to weed out false positives
Vulnerability Management Lifecycle2) Risk Assessment and Prioritization • Assessing risks: perform a quick risk assessment. E.g. Risk = threat likelihood * vuln severity * asset value. Take note of security controls that limit or mitigate the actual risk of the vulns. • Prioritization: prioritize the remaining vulns according to their risk and the effort (cost) required to fix them. • Also consider how past incidents occurred, this may affect the prioritization. E.g. perhaps all past breaches occurred from 3rd party network connectivity.
Vulnerability Management Lifecycle3) Remediation • The challenge is: How to affect change when the motivations of the group finding the vulns aren’t (necessarily) those of the group fixing them? • Leverage (not circumvent) existing IT processes by delivering fixes as just another stock of planned work. i.e. Change Management. • IT can then test and coordinate the fixes as necessary. It may not done as fast, but it will get done. • For critical vulns: use the emergency change request process (most organizations will have one. If not, you can create it)
Vulnerability Management Lifecycle4) Continual Improvement • Stopping the spread: incorporate changes/patches of current findings into future system builds. • Setting Expectations: By setting proper SLAs, both parties have clear expectations as to what can be done when. • Automation: much of the efficiency and effectiveness can be achieved through automation of detection, reporting, and remediation (if possible)
Vuln Mgmt Review • Starts with discovery: networks, devices, and vulnerabilities • Prioritize according to risk and effort to fix • Achieve greater success by working with (not against) IT processes • Establish reasonable SLAs and automate as much as possible
Two Commercial Tools • Qualys • nCircle
Privately held since 1999, based in Redwood Shores, California, USA. Fewer than 200 employees Over two thousand customers running more than two million scans per month. They provide hardware appliances that customers install inside, throughout their network. Qualys
Appliances communicate only with the Qualys servers to: Update vulnerability signature, Listen for commands (map, scan, stop), and Upload scan data Customers manage scans, reports through web interface to Qualys servers. Two important points: Each device requires direct connectivity to Qualys servers – this isn’t always easy All vulnerability data is stored off-site Risks? Benefits? Qualys (2)
Won numerous awards for innovation and technology leadership (4 patents awarded, 5 pending) Named one of the top 100 best places to work in the San Francisco Bay Area. Headquartered in San Francisco, with offices in London, Toronto and Tokyo. Certified EAL level 3 under Common Criteria Customers include: Visa, American Express, Fujitsu, US Cellular, Shell, All US Federal Reserve Banks nCircle
IT Risk Analysis. Consider this… • A network with 10,000 IP devices, each with 10 vulnerabilities • That’s 100,000 different ways loss can occur • But of course, not all vulnerabilities cause the same amount of loss, and their likelihood of being exploited will differ • So the challenges are: • How do you figure out what’s at risk, and • How do you prioritize the work?
Prioritization is contextual • That is, different groups will have their own use for the results (which is good if you’re the one rolling this out!) • For the Network/firewall Engineer: show me any errors in my configurations • For the Security Manager: show me the top 10 most vulnerable devices • For the IT Manager: show me the most common vulnerabilities • For the Auditor: show me all machines that are out of SOX / PCI compliance
Two Commercial Risk Analysis Tools:Skybox and RedSeal Inputs: • Vulnerability scan data: identifies listening services/ports and vulnerable hosts • Router ACLs: describe how networks connect to one another • Firewall configs: identifies which protocols can talk to which hosts/networks • Asset values (optional): relative or absolute measure of value to the enterprise Outputs: • Network Topology • Attack paths through the network • Very specialized visualization and reporting: (riskiest hosts, most common vulns, trends)
Caveats • These tools only recognizes IT vulnerabilities • Cannot address policy, human or organizational weaknesses • They are not tools for calculating ROI of security controls • Countermeasures are implicitly considered • Cannot model on antivirus, change management, backup controls • Versus explicitly modeled in other methodologies
Skybox: A commercial tool for risk analysis A client/server application Runs on a java platform It can only model IT vulns, and risk, not social engineer or organizational weaknesses.
Skybox Step 1: import vuln data and router, firewall configs Step 2: group assets by function (or anything else that makes sense).
Skybox: Asset Definitions Step 3: define loss in terms of C, I, A (useful for regulatory compliance), Or asset value (either quantitative, or qualitative). Which approach is better? When, why? How do you estimate asset value?
Skybox: Displaying Asset Risks Now we can see the risk posed to each asset group You might think of that risk as a proxy for the benefit we receive from security activities (in terms of loss avoidance). Risk to Finance DB is $1.8M.
Skybox: Attack Graph Based on vuln, firewall and router data, skybox maps the attack paths through the network, into the core assets (the db) There are 5 vulnerabilities affecting the Finance DB group.
Skybox: Fixing Vulns But suppose we can fix a couple of the key vulns, what’s the result? These are useful “what-if” exercises. Makes for efficient remediation efforts. Let’s now recalculate the risk.
Skybox: New Risk Level Notice the new risk to the Finance DBs: $100k! $1.7M has been mitigated by fixing 5 vulns. Great, but what’s Missing from this cost- Benefit example?
Skybox: Sort by Vuln Suppose we have a great patch mgmt system deployed. The IT folks might want to know which vuln is most common. Looks like the oracle vuln poses the most risk (67 count): $1.1M
Skybox: Risk Calculation • So how is all this calculated? Loosely, it’s as follows: • Total risk to an asset: ∑ (risk from a single attack) • Where, risk from a single attack = f ( • Number of attack steps in attack path, • Difficulty in exploiting vulnerability, • Skill of attacker, • Commonness of the vulnerability, • Impact to the asset )
RedSeal (1) Number of hosts Most vulnerable hosts/networks Failures by severity
RedSeal Visual representation of hosts/ networks by severity
Risk Analysis Recap • Skybox and Redseal are incredibly sophisticated risk analysis engines • Inputs are: vulnerability data, network connectivity (router, firewall) • Requires customer configuration for: asset value, threat origin, • They help answer the following: • which assets are most at risk? • which vulnerabilities pose the biggest risk? • which threat sources pose the biggest risk? • Which assets are out of compliance? • Remember: they only recognize IT vulnerabilities