Achievements and Pitfalls of Creating and Maintaining Vulnerability Assessment Programs
Tim Proffitt
March 2009
GIAC GCIH, GCPM, GLEG, GSEC, GSLC
SANS Technology Institute - Candidate for Master of Science Degree

How Are Successful Organizations Leveraging Vulnerability Assessment?
- Identifying known vulnerabilities
- Identifying foreign systems and ad hoc networks
- Auditing NAC initiatives
- Auditing patching efforts
- Auditing software lifecycles
- Assisting with web application security assessments
- Meeting compliance requirements such as PCI
- Defining risk by providing risk assessment data

Understanding and Managing Risk
- Network Inventory: Vulnerabilities do not exist in isolation.
- Vulnerability Overload: In most enterprise networks there are simply too many vulnerabilities to fix.
- Root-Cause Analysis: Fixing vulnerabilities does not necessarily address the root cause.
There will always be risk to the organization, so the goal is not to eliminate risk, but rather to understand and manage risk at an acceptable level.

What Risk Level Is Acceptable?
- Aligning the right context of assets that relate back to the business is mandatory. Otherwise, data may not be meaningful or actionable by management.
- Focusing on certain vulnerabilities will enable a working group to ensure that the strategy addresses the existing community's vulnerabilities of greatest concern.
- By reporting on groups of assets that are defined from a business viewpoint, the metrics suddenly take on an importance to the decision makers.

Utilize a Known Scoring System
Teams can utilize the open Common Vulnerability Scoring System (CVSS) to address the goal of a common platform to discuss risk.
- Base Metrics: qualities that are fundamental to any given vulnerability and do not change over time or in different environments.
- Temporal Metrics: characteristics of a vulnerability that are time-dependent and change as the vulnerability ages.
- Environmental Metrics: characteristics of vulnerabilities that are tied to implementation and environment.
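An added example (not from the presentation) of how the three CVSS metric layers compose in practice: a base score fixed for the flaw, a temporal adjustment as the vulnerability ages, and an environmental re-weighting by asset criticality and exposure, so the same missing patch ranks differently on a DMZ file server than on a lab host. The multipliers, thresholds and sample values (including the base score given to MS09-001) are constructed assumptions and are not the CVSS specification's equations.

```python
from dataclasses import dataclass

@dataclass
class Vuln:
    vuln_id: str
    base: float            # Base metrics: intrinsic to the flaw, 0..10, unchanged by time or environment
    exploit_public: bool   # Temporal: working exploit code is publicly available
    patch_available: bool  # Temporal: a vendor fix exists
    days_known: int        # Temporal: age of the disclosure

@dataclass
class Asset:
    host: str
    criticality: float     # Environmental: 0.5 (lab gear) .. 1.5 (customer data, safety systems)
    exposed: bool          # Environmental: reachable from a less trusted segment such as a DMZ

def temporal_score(v: Vuln) -> float:
    """Base score adjusted for time-dependent factors. Multipliers are constructed
    dyadic fractions so results stay exact; they are not the CVSS equations."""
    s = v.base
    s *= 1.0 if v.exploit_public else 0.875    # unproven exploitability lowers urgency
    s *= 0.875 if v.patch_available else 1.0   # an official fix lowers it further
    s *= 1.125 if v.days_known > 90 else 1.0   # stale, still-open findings creep upward
    return min(s, 10.0)

def environmental_score(v: Vuln, a: Asset) -> float:
    """Temporal score re-weighted by what the asset means to the business."""
    s = temporal_score(v) * a.criticality
    if a.exposed:
        s *= 1.25
    return min(s, 10.0)

def severity(score: float) -> str:
    """Map a 0..10 score onto report severity bands (constructed thresholds)."""
    for threshold, label in ((9, "urgent"), (7, "critical"), (5, "serious"), (3, "medium")):
        if score >= threshold:
            return label
    return "minimal"

# Constructed inputs: the base score and temporal flags for MS09-001 are assumed for illustration
MS09_001 = Vuln("MS09-001", base=10.0, exploit_public=True, patch_available=True, days_known=45)
DMZ_FILESERVER = Asset("dmz-fs01", criticality=1.5, exposed=True)
LAB_HOST = Asset("lab-12", criticality=0.5, exposed=False)

if __name__ == "__main__":
    for asset in (DMZ_FILESERVER, LAB_HOST):
        score = environmental_score(MS09_001, asset)
        print(asset.host, MS09_001.vuln_id, score, severity(score))
```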

Deriving Severity Levels
- Consequence: allow low to high depending on the environment
- Probability: some vulnerabilities are more likely than others to be exploited
- Criticality: allow more vulnerabilities on less critical systems than others
- Industry: you might be willing to remediate vulnerabilities quicker if you manage FAA gear
- Time: vulnerabilities are a moving target

Real World Scenario
- VA scan reveals MS09-001 is missing from a server in a DMZ segment.
- Research shows MS09-001 is a Server Message Block (SMB) buffer overflow allowing attackers to take complete control of the system and allowing remote execution of code.
- Analysis determines the server in the DMZ is a MS file server containing customer data. SMB is allowed through the firewall to this network segment.
- High probability of loss with high probability of consequence causes risk to be Unacceptable, with immediate action.
- Cost benefit analysis shows only a patch is needed or a firewall rule change.
Risk = (Threat x Vulnerability x Impact) / Countermeasures

Top Objectives for Approval and Defining Policies
- Executive sign-off is crucial before VA efforts are started
- Understanding that VA will have an impact on systems
- Define what segments are out of scope
- Define what type of hardware is off limits
- Define external scanning versus internal scanning
- Define what you do with partner networks
- Include VA provisions in legal contracts

Awareness Pitfalls
Successful training includes details about:
- How is risk applied?
- Impacts to log files, authentication attempts, successive connections, trace files
- Generation of alerts and/or emails
- Bandwidth considerations
- Frequency of scans for troubleshooting
- False positive remediation
- How does the VA scanning not impact systems: effects on firewalls (state tables) or IPS
- Does the VA scanner block traffic?

Know Which Information Assets Are Targets
Standard items such as workstations, laptops and servers are targets, but what about:
- Network enabled printers: printer specific vulnerabilities reported up 105% in 2008
- VOIP phones: VIPER Lab has identified thousands of VOIP vulnerabilities since 2003
- Security cameras, HVAC management, AV gear, medical equipment, SCADA, etc.
Seems everything is becoming network manageable, but did the vendor consider security? How can these be compromised? What is the risk to the business of a compromise?

Optimal Returns
With failed programs, teams typically will:
- Scan infrequently enough to be irrelevant
- Not utilize authentication
- Scan aggressively across entire segments
- Re-negotiate risk metrics to fit the situation
- Not break up assets into domains
Successful scanning teams will consist of several components:
- Scan frequently, on a negotiated schedule
- Exclude known harmful vulnerabilities to equipment
- Utilize multiple authentication records
- Manage exceptions with system owners
- Organize assets into risk based groups

Biggest Reporting Mistakes
- Producing reports detailing every vulnerability from informational to urgent for the entire assessment
- Providing C-Level management (or auditors) a 300 page vulnerability report
- Not performing trending analysis
- Automatic blanket ticket generation from VA reporting
- Not producing actionable information utilizing risk metrics
- Not filtering the reports for specific system administrators

Compliance and the Life Cycle
Vulnerability Assessment has a never ending life cycle. This cycle continually scans, reports, assesses, remediates and evaluates. No one piece of the life cycle can be effective without the others.
Pitfalls:
- Have reasonable life cycle expectations been set?
- Is the VA team working with the correct set of administrators to accomplish their goals?
- Has the life cycle slowed as the program matured, or become lax?
- The VA team is not generating reports on a regular basis.

Program Success
- Utilize metrics to assign risk. Scoring systems from high to low and/or 5 to 1 provided by VA solutions do not adequately reflect the true risk to the enterprise.
- Successful programs will scan more than traditional workstations and servers. Overlooking network aware devices is painting a partial picture of your security landscape. Device attack vectors are on the rise.
- Utilize vulnerability assessment data to supplement other security efforts. This data can be manipulated to support compliance, NAC, user provisioning, licensing, etc.

Summary
A VA program can be leveraged to ease the burden of compliance efforts, reduce risk levels, perform due diligence, provide forensic data and generate reports that can be used as technology metrics. By creating a comprehensive VA program, the organization will be adding yet another layer to the defense in depth, identifying the key vulnerabilities to the organization and performing mitigation actions before those vulnerabilities can be exploited. A successful comprehensive VA program will position the organization for a safer, more secure computing environment.
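The reporting practices the deck calls for (organize assets into risk based groups, filter reports for specific system administrators, perform trending analysis, and stop listing every informational finding) worked through in Python. This is an added example, not part of the presentation; the asset inventory, owners and scan findings are constructed sample data, and MS09-001 is the one identifier taken from the slides.

```python
from collections import Counter

# Severity ladder from most to least urgent; "informational" is noise in a management report
SEVERITY_ORDER = ["urgent", "critical", "serious", "medium", "minimal", "informational"]

# Constructed asset inventory: host -> (business asset group, responsible administrator)
ASSETS = {
    "dmz-fs01": ("customer-facing", "storage-team"),
    "web01": ("customer-facing", "web-team"),
    "hr-app01": ("internal-hr", "app-team"),
    "kiosk07": ("lobby", "desktop-team"),
}

# Constructed output of two consecutive scans (MS09-001 is the patch named in the slides)
PREVIOUS = [
    {"host": "dmz-fs01", "severity": "urgent", "id": "MS09-001"},
    {"host": "web01", "severity": "serious", "id": "sample-web-1"},
    {"host": "web01", "severity": "serious", "id": "sample-web-2"},
]
LATEST = [
    {"host": "dmz-fs01", "severity": "urgent", "id": "MS09-001"},
    {"host": "dmz-fs01", "severity": "informational", "id": "sample-banner"},
    {"host": "web01", "severity": "serious", "id": "sample-web-1"},
    {"host": "hr-app01", "severity": "medium", "id": "sample-hr-1"},
    {"host": "kiosk07", "severity": "minimal", "id": "sample-kiosk-1"},
]

def report_for_owner(findings, owner, min_severity="medium"):
    """Findings for one administrator, grouped by business asset group,
    dropping anything below min_severity so the report stays actionable."""
    cutoff = SEVERITY_ORDER.index(min_severity)
    report = {}
    for f in findings:
        group, admin = ASSETS[f["host"]]
        if admin != owner or SEVERITY_ORDER.index(f["severity"]) > cutoff:
            continue
        report.setdefault(group, Counter())[f["severity"]] += 1
    return report

def trend(current, previous):
    """Per-severity change between two scans; a positive delta means more open findings."""
    cur = Counter(f["severity"] for f in current)
    prev = Counter(f["severity"] for f in previous)
    return {s: cur[s] - prev[s] for s in SEVERITY_ORDER if cur[s] or prev[s]}

if __name__ == "__main__":
    print(report_for_owner(LATEST, "storage-team"))  # {'customer-facing': Counter({'urgent': 1})}
    print(trend(LATEST, PREVIOUS))
```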
