
An Introduction to Vulnerability Management



  1. An Introduction to Vulnerability Management Garrett Lanzy, Information Security Specialist Information Security Office Minnesota State Colleges and Universities garrett.lanzy@so.mnscu.edu March 28th, 2012 Presentation can be downloaded from http://home.comcast.net/~lanzyg

  2. Ground Rules • Lectures are boring • I don’t do lectures for a living • I don’t want to put you to sleep (let alone myself!) • I’d rather have an interactive presentation • All questions are welcome! • feel free to ask during the presentation • long(er) answers may be deferred to end • Feel free to contact me anytime with any further questions/comments • Examples are from several different scans, so they don’t all “match”

  3. Professional history • B.S. degrees in EE and CS from Michigan Tech • 22 year career at IBM • 5 years hardware performance analysis • 3 years software change management • 14 years TCP/IP application development • 2 years at Metropolitan State University • Network/server/storage administration (1 year) • Interim Director of IT Operations (1 year) • 2 years at MnSCU system office • Information security/vulnerability management

  4. Outline • Introduction to Vulnerabilities • Evaluating Vulnerabilities • Identifying Vulnerabilities • Fundamentals of Vulnerability Management • Vulnerability Management at MnSCU • nCircle IP360 Deep Dive

  5. An introduction to Vulnerabilities

  6. Definition: Vulnerability • Wikipedia: “a weakness which allows an attacker to reduce a system’s information assurance.” • ISO 27005: “A weakness of an asset or group of assets that can be exploited by one or more threats.” • RFC 2828: “A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy.”

  7. Examples of vulnerabilities • Software bug allows unrestricted access to network share • Network switch installed without changing the default administrator password • Server application’s configuration file is writable by anyone • Web application allows database contents to be “dumped”

  8. CIA Triad CIA = Confidentiality, Integrity, Availability How can vulnerabilities affect the CIA triad? • Confidentiality: a vulnerability might allow access to private or protected data • Integrity: a vulnerability might allow unauthorized modification of data • Availability: a vulnerability might cause a system to crash

  9. (ISC)2 (ISC)2 = International Information Systems Security Certification Consortium CBK = Common Body of Knowledge (ISC)2 Certifications: • SSCP = Systems Security Certified Professional • CAP = Certified Authorization Professional • CSSLP = Certified Secure Software Lifecycle Professional • CISSP = Certified Information Systems Security Professional

  10. (ISC)2 CBK Domains • Access Control • Telecommunications and Network Security • Information Security Governance and Risk Management • Software Development Security • Cryptography • Security Architecture and Design • Operations Security • Business Continuity and Disaster Recovery Planning • Legal, Regulations, Investigations and Compliance • Physical (Environmental) Security Which domains may be affected by a vulnerability?

  11. How are vulnerabilities found? • “Something is wrong” • Formal testing/techniques • Fuzzing • Bounds checking • Automated tools • Security research/ethical hackers (“White hats”) • Unethical hackers (“Black hats”) • “Grey hats”

  12. Vulnerability Disclosure • “Responsible disclosure” (White hat) • Discovered vulnerability first reported to vendor • Disclosed to CERT later (2 weeks) • CERT = Computer Emergency Response Team • Full disclosure to the public much later • Quick disclosure (Grey hat) • Discovered vulnerability immediately (or quickly) disclosed publicly • No disclosure (Black hat) • Remains a “zero-day” attack until someone else finds it

  13. Vulnerability inventory databases • CVE = Common Vulnerabilities and Exposures http://cve.mitre.org • SecurityFocus/BugTraq http://www.securityfocus.com/ • OSVDB = Open Source Vulnerability Database http://www.osvdb.org/ • OWASP = Open Web Application Security Project https://www.owasp.org/index.php/Category:Vulnerability • https://www.owasp.org/index.php/OWASP_Top_Ten_Project • Vendor-specific databases (Microsoft, Apple, Adobe, RedHat, SuSE, Cisco, …)

  14. Sample CVE entry

  15. OWASP Top 10 OWASP Top 10 Application Security Risks: • Injection • Cross-Site Scripting (XSS) • Broken Authentication and Session Management • Insecure Direct Object References • Cross-Site Request Forgery (CSRF) • Security Misconfiguration • Insecure Cryptographic Storage • Failure to Restrict URL Access • Insufficient Transport Layer Protection • Unvalidated Redirects and Forwards

  16. Evaluating VULNERABILITIES

  17. Vulnerability evaluation • Many different ways to evaluate vulnerabilities • Many different “scoring” systems • CVSS = Common Vulnerability Scoring System • 3 values: Base, Temporal, Environmental • Each ranges from 0 to 10 • Each value calculated from a formula based on criteria • Nobody “owns” the CVSS values, therefore numeric values should be accompanied by the scoring criteria (“vector”)

  18. CVSS Scoring • Base metric: Constant with time and users • What damage is possible? • Temporal Metric: Varies with time • What is the current state of the vulnerability? • Environmental metric: Varies by environment • How could the vulnerability affect me?

  19. CVSS Base Metric Example CVE-2012-0002 example – base metric (NIST) CVSS Base Score : 9.3 CVSS Base Vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) Access Vector = Network (can be exploited from anywhere) Access Complexity = Medium (it takes some work but not a PhD) Authentication = None (required) Confidentiality Impact = Complete (attacker can get data at will) Integrity Impact = Complete (attacker can change data at will) Availability Impact = Complete (attacker can crash system)

  20. CVSS Temporal Metric Example CVE-2012-0002 example – temporal metric (nCircle, on 3/13/12) nCircle CVSS Temporal Score : 6.9 nCircle CVSS Temporal Vector : (E:U/RL:OF/RC:C) Exploitability = Unproven (but now at least POC, probably Functional) Remediation = Official fix (Microsoft has released a patch) Report Confidence = Confirmed (it’s really out there) My take: Exploitability should now be “Functional”, which raises the score from 6.9 to 7.9

  21. CVSS Environmental Metric Example CVE-2012-0002 example – environmental metric (MnSCU before remediation) MnSCU CVSS Environmental Score : 6.3 MnSCU CVSS Environmental Vector : (CDP:MH/TD:M/CR:M/IR:H/AR:M) Collateral Damage Potential: Medium-High (significant productivity loss) Target Distribution: Medium (26%-75% of environment at risk) Confidentiality Requirement: Medium Integrity Requirement: High Availability Requirement: Low

  22. Another scoring formula: nCircle

  23. Identifying VULNERABILITIES

  24. Tools for Finding Vulnerabilities • Port scanners/Network enumerators • Penetration testing tools • Web application scanners • Network vulnerability scanners • Specialized scanners • Database, ERP, etc.

  25. Port scanners/Network enumerators • Scan networks to find systems • Scan ports on a system for applications/services • Scan TCP/IP stack behavior to determine OS • Stack fingerprinting • Scan for other system information • Open shares, application banners, etc. • Example: Nmap (Network mapper) http://www.nmap.org • open source tool

  26. Penetration Testing Tools • Allow vulnerabilities to be found • Allow vulnerabilities to be exploited • Many different techniques used • Example: Metasploit http://www.metasploit.com • Open-source version: Metasploit Framework • Proprietary “free” : Metasploit Community Edition • Paid versions: Metasploit Express, Metasploit Pro • Proprietary versions developed by Rapid7

  27. Network vulnerability scanners • Start with network enumeration/port scanning • Add additional function for finding specific vulnerabilities • Agent vs. agentless: • Scanners need to “see inside” system to find some vulnerabilities • Some require software “agent” installed on systems to be scanned • Agentless requires ability to “log in” to systems to discover these vulnerabilities

  28. Vulnerability scanners • Nexpose • Commercial, developed by Rapid7 • Free and paid versions • Nessus • Originally open-source, became commercial • Developed by Tenable Network Security • OpenVAS = Open Vulnerability Assessment System • Open source, based on Nessus • Supported by German Federal Office for Information Security • SAINT • Commercial product • QualysGuard • Commercial, SaaS (“cloud”) solution

  29. IP360 • Commercial vulnerability scanning product from nCircle • Distributed, agentless vulnerability scanner • Agentless: no software installed on devices scanned for vulnerabilities • Distributed: local campus scanning appliances (device profilers) reduce network load • Distributed: authorization model allows each campus to maintain own network and scan definitions • Works with nCircle Security Intelligence Hub (SIH) product for reporting • Limited web application scanning capability

  30. IP360 Supported Credentials • SMB-DRT: [domain/]username/password • Gives access to Windows systems • SSH-DRT: username/private key or username/password • Gives access to Linux/OS X/Unix/ESX/network devices • SNMP-DRT: SNMP Community String • Gives access to SNMP MIB data (printers, network devices, …) • Web applications (HTTP and web forms) DRT = Deep Reflex Testing

  31. Some fundamentals of Vulnerability Management

  32. What is the basis of Information Security? • Governance: Policies, Procedures, and Processes • Who • Defines roles and responsibilities • What • Defines how data is classified • Defines what needs to be protected • Why • Defines how risk is assessed & managed

  33. Vulnerability Management Process • Define Policy • 5.23.1.5 – Security Patch Mgmt. • 5.23.1.6 – Vulnerability Scanning • 5.23.1.8 – Anti-malware Installation and Management

  34. Vulnerability Management Process vs. Tools

  35. Vulnerability Mitigation/Remediation • Patching • Fixing configuration • Remove program/service • Do we need it? • Disable program/service • Can we live without it? • Block access to program/service • Access controls • Firewalls

  36. Vulnerability Management at MnSCU

  37. Information Security Program • To protect information resources against unauthorized use, disclosure, modification, damage or loss • Policies, procedures & guidelines • Risk analysis & assessment • Secure development & procurement practices • Incident response • Enterprise Access Management (new)

  38. Vulnerability Management Infrastructure • Regularly check every network device for actual or potential security problems • 30,000 devices scanned at least quarterly • 9,000 “visible” from Internet also scanned monthly • Problems found are prioritized for remediation • 30% reduction of Internet-visible vulnerabilities in past 3 months • Cost: $3.55/device scanned/year

  39. Vulnerability Management System Guideline

  40. VMI Roles & Responsibilities • MnSCU Information Security Office • Contract administration & payment • System administration & maintenance • Hardware configuration • User assistance • Reporting to institution CIOs/campus VMI contacts • “Institution IT” activities for system data centers • Institution IT (“hamster wheel”) • Campus scanning definition & configuration • Vulnerability prioritization & remediation

  41. IP360 architecture 2 types of systems: • VnE = Vulnerability Enumerator • “command and control” server • User interface (via browser) • Configuration and scan data storage • Device profiler • Appliance which performs scans • Configuration for local network • No data storage after scan is complete

  42. VMI Architecture

  43. nCircle IP360 Deep Dive

  44. IP360 configuration objects 3 objects tied together define a “scan”: • Scan profile • Network profile • Device profiler

  45. IP360 Scan Profile • Options for discovering systems • ICMP (ping), port scans (TCP and/or UDP) • Types of scanning to perform • Stack fingerprinting? • Application detection? • Vulnerability scanning? • Web application scanning? • Configuration checks? • Use credentials? • Schedules for scanning

  46. IP360 Network Profile • Address range(s) to scan • How systems are correlated between scans • e.g., a system’s IP address may change between scans • Need to be able to track changes to same system • Asset value: relative “importance” of a system • Sample criteria: • 1 = printers • 3 = lab workstations • 5 = staff workstations • 10 = servers
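Slide 46 says a network profile must correlate the same system across scans even when its IP address changes, and slide 38 says findings are prioritized for remediation. The added example below (not IP360 code; the nCircle formula on slide 22 is not reproduced here) uses constructed scan snapshots to show both: hosts are keyed on MAC address (falling back to hostname) so a DHCP move keeps the host's history, and open findings are ranked by the slide's asset values times CVSS base score.

```python
# Constructed sample scans of one network profile: "PREV" from last quarter,
# "CUR" from this month. Vulnerability ids other than CVE-2012-0002 are placeholders.
ASSET_VALUE = {"printer": 1, "lab": 3, "staff": 5, "server": 10}   # slide 46 criteria

PREV = [
    {"ip": "10.1.1.10", "mac": "00:11:22:33:44:01", "host": "web01", "class": "server",
     "vulns": {"CVE-2012-0002": 9.3, "EXAMPLE-0001": 5.0}},
    {"ip": "10.1.2.20", "mac": "00:11:22:33:44:02", "host": "staff-lt07", "class": "staff",
     "vulns": {"CVE-2012-0002": 9.3}},
    {"ip": "10.1.3.30", "mac": "00:11:22:33:44:03", "host": "lab-pc12", "class": "lab",
     "vulns": {"EXAMPLE-0002": 4.3}},
]
CUR = [
    {"ip": "10.1.1.10", "mac": "00:11:22:33:44:01", "host": "web01", "class": "server",
     "vulns": {"EXAMPLE-0001": 5.0}},                         # CVE-2012-0002 patched
    {"ip": "10.1.2.57", "mac": "00:11:22:33:44:02", "host": "staff-lt07", "class": "staff",
     "vulns": {"CVE-2012-0002": 9.3, "EXAMPLE-0003": 7.5}},   # DHCP gave it a new IP
    {"ip": "10.1.4.40", "mac": "00:11:22:33:44:04", "host": "prn-lib1", "class": "printer",
     "vulns": {"EXAMPLE-0002": 4.3}},                         # new device; lab-pc12 gone
]

def asset_key(rec):
    """Stable identity across scans: MAC if the scanner saw one, else hostname."""
    return rec["mac"].lower() if rec.get("mac") else rec["host"].lower()

def diff_scans(prev, cur):
    """Per asset: tracked/new/gone, plus which findings appeared or were fixed."""
    before = {asset_key(r): r for r in prev}
    after = {asset_key(r): r for r in cur}
    result = {}
    for key in before.keys() | after.keys():
        p, c = before.get(key), after.get(key)
        pv = set(p["vulns"]) if p else set()
        cv = set(c["vulns"]) if c else set()
        result[key] = {"host": (c or p)["host"],
                       "status": "tracked" if p and c else ("new" if c else "gone"),
                       "new": cv - pv, "fixed": pv - cv}
    return result

def prioritize(cur):
    """Rank open (host, vuln) pairs by asset value x CVSS base score, highest first."""
    rows = [(r["host"], vid, ASSET_VALUE[r["class"]] * score)
            for r in cur for vid, score in r["vulns"].items()]
    return sorted(rows, key=lambda row: row[2], reverse=True)

if __name__ == "__main__":
    for d in diff_scans(PREV, CUR).values():
        print(f"{d['host']:<10} {d['status']:<8} new={sorted(d['new'])} fixed={sorted(d['fixed'])}")
    for host, vid, risk in prioritize(CUR):
        print(f"{risk:5.1f}  {host:<10} {vid}")
```

Note that a medium-severity finding on a server outranks the critical one on a staff laptop once asset value is applied, which is the point of rating assets in the network profile.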

  47. Scanning process Scans are controlled by the VnE, which sends commands to the device profiler. Depending on options chosen in scan profile, the following operations are performed during a scan: • Host discovery • Port scanning • Application discovery • Stack fingerprinting • Vulnerability checking • Configuration checking

  48. Anatomy of a VnE Scan

  49. Host Discovery Each IP address in the range specified by the network object is checked with the discovery options specified by the scan profile: • ICMP (ping) • TCP port scan on specified ports • UDP port scan on specified ports Up to 150 devices can be scanned simultaneously by a device profiler (to improve performance).

  50. Host Discovery Example
