1 / 46

Managing IT Vulnerabilities Information Security Management 95-752

Managing IT Vulnerabilities Information Security Management 95-752. Sasha Romanosky October 08, 2009. whoami?. Over 10 years experience in information security – eBay, Morgan Stanley Published works on vulnerability management, security patterns

kitra
Download Presentation

Managing IT Vulnerabilities Information Security Management 95-752

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Managing IT Vulnerabilities Information Security Management 95-752 Sasha Romanosky October 08, 2009

  2. whoami? • Over 10 years experience in information security – eBay, Morgan Stanley • Published works on vulnerability management, security patterns • Co-developer of CVSS (Common Vulnerability Scoring System) • Developed FoxTor: firefox extension for anonymous browsing • Now a PhD student in the Heinz College • Research: Measuring and modeling security and privacy laws • Also, your TA! 

  3. Managing IT Vulnerabilities • In this class, you’ve learned all about basic information security tools, practices and controls • The purpose of this talk is to discuss IT risk. Specifically, managing IT vulnerabilities. We’ll also look at some commercial tools. • This generally involves three steps • Finding the vulns (scanning: nessus, Qualys, nCircle, etc) • Scoring and Prioritizing vulns (CVSS) • Analyzing vulns (RedSeal, Skybox) • Remediating vulns

  4. Quick definitions • IT Asset: some network-enabled IT device of value to an organization • Asset value: the value that the organization places on an IT asset • Vulnerability: an exposure or weakness of an asset • Threat: probability of an attack or other harmful event • Risk: damage caused when a threat exploits a vulnerability

  5. Why Vulnerability Management? • Do we really need to worry about computer vulnerabilities given all the other security issues around the organization? • Only you can answer that. But, consider this: • Vulnerabilities are a quick win: • Detection is fairly straightforward (most products do this very well) • Fixing holes willreduce loss • It’s relatively easy to quantify progress • This might be your job one day? (anyone?)

  6. Vulnerability Management Lifecycle 1) Identification and Validation 2) Risk Assessment and Prioritization 3) Remediation 4) Continual Improvement Scoping Systems Detecting Validate Assess Risks Prioritize Vulnerabilities Mitigate Leverage IT Processes Stop the Spread Establish OLAs Automate

  7. Vulnerability Management Lifecycle1) Identification and Validation • Scoping systems: find all the networks; wireless, backup, transit, admin, test, production. Identify and document them all – even if you won’t be scanning them immediately. • Detecting vulns: all IT assets should be scanned or monitored, (even printers!) Scanners actively probe devices whereas monitoringpassively checks networks or hosts. • Validating findings: once you have the (mountain of) data, validate the results to weed out false positives

  8. Vulnerability Management Lifecycle2) Risk Assessment and Prioritization • Assessing risks: perform a quick risk assessment. E.g. Risk = threat likelihood * vuln severity * asset value. Take note of security controls that limit or mitigate the actual risk of the vulns. • Prioritization: prioritize the remaining vulns according to their risk and the effort (cost) required to fix them. • Also consider how past incidents occurred, this may affect the prioritization. E.g. perhaps all past breaches occurred from 3rd party network connectivity.

  9. Vulnerability Management Lifecycle3) Remediation • The challenge is: How to affect change when the motivations of the group finding the vulns aren’t (necessarily) those of the group fixing them? • Leverage (not circumvent) existing IT processes by delivering fixes as just another stock of planned work. i.e. Change Management. • IT can then test and coordinate the fixes as necessary. It may not done as fast, but it will get done. • For critical vulns: use the emergency change request process (most organizations will have one. If not, you can create it)

  10. Vulnerability Management Lifecycle4) Continual Improvement • Stopping the spread: incorporate changes/patches of current findings into future system builds. • Setting Expectations: By setting proper SLAs, both parties have clear expectations as to what can be done when. • Automation: much of the efficiency and effectiveness can be achieved through automation of detection, reporting, and remediation (if possible)

  11. Vulnerability Management Metrics

  12. Vulnerability Management Metrics (2)

  13. Vulnerability Management Lifecycle

  14. Vuln Mgmt Review • Starts with discovery: networks, devices, and vulnerabilities • Prioritize according to risk and effort to fix • Achieve greater success by working with (not against) IT processes • Establish reasonable SLAs and automate as much as possible

  15. http://www.acct.org/Questions.jpg

  16. Two Commercial Tools • Qualys • nCircle

  17. Privately held since 1999, based in Redwood Shores, California, USA. Fewer than 200 employees Over two thousand customers running more than two million scans per month. They provide hardware appliances that customers install inside, throughout their network. Qualys

  18. Appliances communicate only with the Qualys servers to: Update vulnerability signature, Listen for commands (map, scan, stop), and Upload scan data Customers manage scans, reports through web interface to Qualys servers. Two important points: Each device requires direct connectivity to Qualys servers – this isn’t always easy All vulnerability data is stored off-site Risks? Benefits? Qualys (2)

  19. Reporting: Qualys

  20. Reporting: Qualys

  21. Won numerous awards for innovation and technology leadership (4 patents awarded, 5 pending) Named one of the top 100 best places to work in the San Francisco Bay Area. Headquartered in San Francisco, with offices in London, Toronto and Tokyo. Certified EAL level 3 under Common Criteria Customers include: Visa, American Express, Fujitsu, US Cellular, Shell, All US Federal Reserve Banks nCircle

  22. Reporting: nCircle

  23. Reporting: nCircle

  24. http://www.acct.org/Questions.jpg

  25. IT Risk Analysis. Consider this… • A network with 10,000 IP devices, each with 10 vulnerabilities • That’s 100,000 different ways loss can occur • But of course, not all vulnerabilities cause the same amount of loss, and their likelihood of being exploited will differ • So the challenges are: • How do you figure out what’s at risk, and • How do you prioritize the work?

  26. Prioritization is contextual • That is, different groups will have their own use for the results (which is good if you’re the one rolling this out!) • For the Network/firewall Engineer: show me any errors in my configurations • For the Security Manager: show me the top 10 most vulnerable devices • For the IT Manager: show me the most common vulnerabilities • For the Auditor: show me all machines that are out of SOX / PCI compliance

  27. Two Commercial Risk Analysis Tools:Skybox and RedSeal Inputs: • Vulnerability scan data: identifies listening services/ports and vulnerable hosts • Router ACLs: describe how networks connect to one another • Firewall configs: identifies which protocols can talk to which hosts/networks • Asset values (optional): relative or absolute measure of value to the enterprise Outputs: • Network Topology • Attack paths through the network • Very specialized visualization and reporting: (riskiest hosts, most common vulns, trends)

  28. Caveats • These tools only recognizes IT vulnerabilities • Cannot address policy, human or organizational weaknesses • They are not tools for calculating ROI of security controls • Countermeasures are implicitly considered • Cannot model on antivirus, change management, backup controls • Versus explicitly modeled in other methodologies

  29. Skybox!

  30. Skybox: A commercial tool for risk analysis A client/server application Runs on a java platform It can only model IT vulns, and risk, not social engineer or organizational weaknesses.

  31. Skybox Step 1: import vuln data and router, firewall configs Step 2: group assets by function (or anything else that makes sense).

  32. Skybox: Asset Definitions Step 3: define loss in terms of C, I, A (useful for regulatory compliance), Or asset value (either quantitative, or qualitative). Which approach is better? When, why? How do you estimate asset value?

  33. Skybox: Displaying Asset Risks Now we can see the risk posed to each asset group You might think of that risk as a proxy for the benefit we receive from security activities (in terms of loss avoidance). Risk to Finance DB is $1.8M.

  34. Skybox: Attack Graph Based on vuln, firewall and router data, skybox maps the attack paths through the network, into the core assets (the db) There are 5 vulnerabilities affecting the Finance DB group.

  35. Skybox: Fixing Vulns But suppose we can fix a couple of the key vulns, what’s the result? These are useful “what-if” exercises. Makes for efficient remediation efforts. Let’s now recalculate the risk.

  36. Skybox: New Risk Level Notice the new risk to the Finance DBs: $100k! $1.7M has been mitigated by fixing 5 vulns. Great, but what’s Missing from this cost- Benefit example?

  37. Skybox: Sort by Vuln Suppose we have a great patch mgmt system deployed. The IT folks might want to know which vuln is most common. Looks like the oracle vuln poses the most risk (67 count): $1.1M

  38. Skybox: Risk Calculation • So how is all this calculated? Loosely, it’s as follows: • Total risk to an asset: ∑ (risk from a single attack) • Where, risk from a single attack = f ( • Number of attack steps in attack path, • Difficulty in exploiting vulnerability, • Skill of attacker, • Commonness of the vulnerability, • Impact to the asset )

  39. RedSeal!

  40. RedSeal (1) Number of hosts Most vulnerable hosts/networks Failures by severity

  41. RedSeal Visual representation of hosts/ networks by severity

  42. RedSeal: Automatic network topology

  43. RedSeal: Attack Graph

  44. RedSeal: Summary Risk

  45. Risk Analysis Recap • Skybox and Redseal are incredibly sophisticated risk analysis engines • Inputs are: vulnerability data, network connectivity (router, firewall) • Requires customer configuration for: asset value, threat origin, • They help answer the following: • which assets are most at risk? • which vulnerabilities pose the biggest risk? • which threat sources pose the biggest risk? • Which assets are out of compliance? • Remember: they only recognize IT vulnerabilities

  46. http://www.acct.org/Questions.jpg

More Related