An Introduction to Vulnerability Management
Garrett Lanzy, Information Security Specialist
Information Security Office
Minnesota State Colleges and Universities
[email protected]
March 28th, 2012
Presentation can be downloaded from http://home.comcast.net/~lanzyg
Slide 2
Ground Rules
• Lectures are boring
– I don’t do lectures for a living
– I don’t want to put you to sleep (let alone myself!)
– I’d rather have an interactive presentation
• All questions are welcome!
– feel free to ask during the presentation
– long(er) answers may be deferred to end
• Feel free to contact me anytime with any further questions/comments
• Examples are from several different scans, so they don’t all “match”
Slide 3
Professional history
• B.S. degrees in EE and CS from Michigan Tech
• 22 year career at IBM
– 5 years hardware performance analysis
– 3 years software change management
– 14 years TCP/IP application development
• 2 years at Metropolitan State University
– Network/server/storage administration (1 year)
– Interim Director of IT Operations (1 year)
• 2 years at MnSCU system office
– Information security/vulnerability management
Slide 4
Outline
• Introduction to Vulnerabilities
• Evaluating Vulnerabilities
• Identifying Vulnerabilities
• Fundamentals of Vulnerability Management
• Vulnerability Management at MnSCU
• nCircle IP360 Deep Dive
Slide 5
An introduction to VULNERABILITIES
Slide 6
Definition: Vulnerability
• Wikipedia: “a weakness which allows an attacker to reduce a system’s information assurance.”
• ISO 27005: “A weakness of an asset or group of assets that can be exploited by one or more threats.”
• RFC 2828: “A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy.”
Slide 7
Examples of vulnerabilities
• Software bug allows unrestricted access to network share
• Network switch installed without changing the default administrator password
• Server application’s configuration file is writable by anyone
• Web application allows database contents to be “dumped”
Slide 8
CIA Triad
CIA = Confidentiality, Integrity, Availability
How can vulnerabilities affect the CIA triad?
• Confidentiality: a vulnerability might allow access to private or protected data
• Integrity: a vulnerability might allow unauthorized modification of data
• Availability: a vulnerability might cause a system to crash
Slide 9
(ISC)2
(ISC)2 = International Information Systems Security Certification Consortium
CBK = Common Body of Knowledge
(ISC)2 Certifications:
• SSCP = Systems Security Certified Professional
• CAP = Certified Authorization Professional
• CSSLP = Certified Secure Software Lifecycle Professional
• CISSP = Certified Information Systems Security Professional
Slide 10
(ISC)2 CBK Domains
• Access Control
• Telecommunications and Network Security
• Information Security Governance and Risk Management
• Software Development Security
• Cryptography
• Security Architecture and Design
• Operations Security
• Business Continuity and Disaster Recovery Planning
• Legal, Regulations, Investigations and Compliance
• Physical (Environmental) Security
Which domains may be affected by a vulnerability?
Slide 11
How are vulnerabilities found?
• “Something is wrong”
• Formal testing/techniques
– Fuzzing
– Bounds checking
• Automated tools
• Security research/ethical hackers (“White hats”)
• Unethical hackers (“Black hats”)
• “Grey hats”
Slide 12
Vulnerability Disclosure
• “Responsible disclosure” (White hat)
– Discovered vulnerability first reported to vendor
– Disclosed to CERT later (2 weeks); CERT = Computer Emergency Response Team
– Full disclosure to the public much later
• Quick disclosure (Grey hat)
– Discovered vulnerability immediately (or quickly) disclosed publicly
• No disclosure (Black hat)
– Remains a “zero-day” attack until someone else finds it
Slide 13
Vulnerability inventory databases
• CVE = Common Vulnerabilities and Exposures
http://cve.mitre.org
• SecurityFocus/BugTraq
http://www.securityfocus.com/
• OSVDB = Open Source Vulnerability Database
http://www.osvdb.org/
• OWASP = Open Web Application Security Project
https://www.owasp.org/index.php/Category:Vulnerability
https://www.owasp.org/index.php/OWASP_Top_Ten_Project
• Vendor-specific databases (Microsoft, Apple, Adobe, RedHat, SuSE, Cisco, …)
Slide 14
Sample CVE entry
Slide 15
OWASP Top 10
OWASP Top 10 Application Security Risks:
1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards
Slide 16
Evaluating VULNERABILITIES
Slide 17
Vulnerability evaluation
• Many different ways to evaluate vulnerabilities
• Many different “scoring” systems
• CVSS = Common Vulnerability Scoring System
– 3 values: Base, Temporal, Environmental
– Each ranges from 0 to 10
– Each value calculated from a formula based on criteria
– Nobody “owns” the CVSS values, therefore numeric values should be accompanied by the scoring criteria (“vector”)
Slide 18
CVSS Scoring
• Base metric: constant with time and across user environments. What damage is possible?
• Temporal metric: varies with time. What is the current state of the vulnerability?
• Environmental metric: varies by environment. How could the vulnerability affect me?
Slide 19
CVSS Base Metric Example
CVE-2012-0002 example – base metric (NIST)
CVSS Base Score: 9.3
CVSS Base Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Access Vector = Network (can be exploited from anywhere)
Access Complexity = Medium (it takes some work but not a PhD)
Authentication = None (required)
Confidentiality Impact = Complete (attacker can get data at will)
Integrity Impact = Complete (attacker can change data at will)
Availability Impact = Complete (attacker can crash system)
Slide 20
CVSS Temporal Metric Example
CVE-2012-0002 example – temporal metric (nCircle, on 3/13/12)
nCircle CVSS Temporal Score: 6.9
nCircle CVSS Temporal Vector: (E:U/RL:OF/RC:C)
Exploitability = Unproven (but now at least POC, probably Functional)
Remediation Level = Official fix (Microsoft has released a patch)
Report Confidence = Confirmed (it’s really out there)
My take: Exploitability should now be “Functional”, which raises the score from 6.9 to 7.9
Slide 21
CVSS Environmental Metric Example
CVE-2012-0002 example – environmental metric (MnSCU before remediation)
MnSCU CVSS Environmental Score: 6.3
MnSCU CVSS Environmental Vector: (CDP:MH/TD:M/CR:M/IR:H/AR:M)
Collateral Damage Potential: Medium-High (significant productivity loss)
Target Distribution: Medium (26%-75% of environment at risk)
Confidentiality Requirement: Medium
Integrity Requirement: High
Availability Requirement: Low
Slide 22
Another scoring formula: nCircle
Slide 23
Identifying VULNERABILITIES
Slide 24
Tools for Finding Vulnerabilities
• Port scanners/Network enumerators
• Penetration testing tools
• Web application scanners
• Network vulnerability scanners
• Specialized scanners
– Database, ERP, etc.
Slide 25
Port scanners/Network enumerators
• Scan networks to find systems
• Scan ports on a system for applications/services
• Scan TCP/IP stack behavior to determine OS
– Stack fingerprinting
• Scan for other system information
– Open shares, application banners, etc.
• Example: Nmap (Network mapper) http://www.nmap.org
– open source tool
Slide 26
Penetration Testing Tools
• Allow vulnerabilities to be found
• Allow vulnerabilities to be exploited
• Many different techniques used
• Example: Metasploit http://www.metasploit.com
– Open-source version: Metasploit Framework
– Proprietary “free” version: Metasploit Community Edition
– Paid versions: Metasploit Express, Metasploit Pro
– Proprietary versions developed by Rapid7
Slide 27
Network vulnerability scanners
• Start with network enumeration/port scanning
• Add additional function for finding specific vulnerabilities
• Agent vs. agentless:
– Scanners need to “see inside” system to find some vulnerabilities
– Some require software “agent” installed on systems to be scanned
– Agentless requires ability to “log in” to systems to discover these vulnerabilities
Slide 28
Vulnerability scanners
• Nexpose
– Commercial, developed by Rapid7
– Free and paid versions
• Nessus
– Originally open-source, became commercial
– Developed by Tenable Network Security
• OpenVAS = Open Vulnerability Assessment System
– Open source, based on Nessus
– Supported by German Federal Office for Information Security
• SAINT
– Commercial product
• QualysGuard
– Commercial, SaaS (“cloud”) solution
Slide 29
IP360
• Commercial vulnerability scanning product from nCircle
• Distributed, agentless vulnerability scanner
– Agentless: no software installed on devices scanned for vulnerabilities
– Distributed: local campus scanning appliances (device profilers) reduce network load
– Distributed: authorization model allows each campus to maintain own network and scan definitions
• Works with nCircle Security Intelligence Hub (SIH) product for reporting
• Limited web application scanning capability
Slide 30
IP360 Supported Credentials
• SMB-DRT: [domain/]username/password
– Gives access to Windows systems
• SSH-DRT: username/private key or username/password
– Gives access to Linux/OS X/Unix/ESX/network devices
• SNMP-DRT: SNMP community string
– Gives access to SNMP MIB data (printers, network devices, …)
• Web applications (HTTP and web forms)
DRT = Deep Reflex Testing
Slide 31
Some fundamentals of VULNERABILITY MANAGEMENT
Slide 32
What is the basis of Information Security?
• Governance: Policies, Procedures, and Processes
– Who
• Defines roles and responsibilities
– What
• Defines how data is classified
• Defines what needs to be protected
– Why
• Defines how risk is assessed & managed
Slide 33
Vulnerability Management Process
Cycle: Define Policy → Identify Assets → Classify Assets → Identify Vulnerabilities → Classify (prioritize) Vulnerabilities → Remediate/Mitigate Vulnerabilities → (repeat)
Related policy/guideline sections:
• 5.23.1.5 – Security Patch Mgmt.
• 5.23.1.6 – Vulnerability Scanning
• 5.23.1.8 – Anti-malware Installation and Management
Slide 34
Vulnerability Management Process vs. Tools
Tools: Inventory Management, Vulnerability Scanner, Patching, Firewalls
Identify Assets: X X
Classify Assets: X
Identify Vulnerabilities: X X
Classify/Prioritize Vulnerabilities: X X X
Remediate/Mitigate Vulnerabilities: X X
Slide 35
Vulnerability Mitigation/Remediation
• Patching
• Fixing configuration
• Remove program/service
– Do we need it?
• Disable program/service
– Can we live without it?
• Block access to program/service
– Access controls
– Firewalls
Slide 36
Vulnerability Management at MnSCU
Slide 37
Information Security Program
• To protect information resources against unauthorized use, disclosure, modification, damage or loss
• Policies, procedures & guidelines
• Risk analysis & assessment
• Secure development & procurement practices
• Incident response
• Enterprise Access Management (new)
Slide 38
Vulnerability Management Infrastructure
• Regularly check every network device for actual or potential security problems
– 30,000 devices scanned at least quarterly
– 9,000 “visible” from Internet also scanned monthly
– Problems found are prioritized for remediation
• 30% reduction of Internet-visible vulnerabilities in past 3 months
• Cost: $3.55/device scanned/year
Slide 39
Vulnerability Management System Guideline
Slide 40
VMI Roles & Responsibilities
• MnSCU Information Security Office
– Contract administration & payment
– System administration & maintenance
– Hardware configuration
– User assistance
– Reporting to institution CIOs/campus VMI contacts
– “Institution IT” activities for system data centers
• Institution IT (“hamster wheel”)
– Campus scanning definition & configuration
– Vulnerability prioritization & remediation
Slide 41
IP360 architecture
2 types of systems:
• VnE = Vulnerability Enumerator
– “command and control” server
– User interface (via browser)
– Configuration and scan data storage
• Device profiler
– Appliance which performs scans
– Configuration for local network
– No data storage after scan is complete
Slide 42
VMI Architecture
Slide 43
nCircle IP360 DEEP DIVE
Slide 44
IP360 configuration objects
3 objects tied together define a “scan”:
• Scan profile
• Network profile
• Device profiler
Slide 45
IP360 Scan Profile
• Options for discovering systems
– ICMP (ping), port scans (TCP and/or UDP)
• Types of scanning to perform
– Stack fingerprinting?
– Application detection?
– Vulnerability scanning?
– Web application scanning?
– Configuration checks?
– Use credentials?
• Schedules for scanning
Slide 46
IP360 Network Profile
• Address range(s) to scan
• How systems are correlated between scans
– e.g., a system’s IP address may change between scans
– Need to be able to track changes to same system
• Asset value: relative “importance” of a system
– Sample criteria:
• 1 = printers and IP Phones
• 3 = lab workstations
• 5 = staff workstations
• 10 = servers
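Correlation and asset value are what turn a pile of scan results into a work list. The script below is an added example (not IP360’s correlation logic and not nCircle’s risk formula): it correlates two constructed scans of the same range by MAC address first, hostname second and IP last, so a workstation that picked up a new DHCP lease is reported as the same host rather than as one fixed and one new finding, and then ranks what is still open by CVSS score times the slides’ 1/3/5/10 asset value. The doubling for Internet-visible hosts is this example’s own assumption, not something the slides define.

```python
"""Correlate findings across two scans and prioritise what is left.

Added example, not IP360's correlation logic or nCircle's risk score.
Scan records below are constructed; the asset-value scale is the one on the
slides (1 printers, 3 lab, 5 staff, 10 servers).
"""

# Constructed output of a February scan: one record per (host, vulnerability).
SCAN_FEB = [
    {"ip": "10.1.1.10", "mac": "00:11:22:33:44:01", "hostname": "lab-ws-01",
     "asset_value": 3, "vuln": "CVE-2012-0002", "cvss": 9.3, "internet_visible": False},
    {"ip": "10.1.1.20", "mac": "00:11:22:33:44:02", "hostname": "web-01",
     "asset_value": 10, "vuln": "CVE-2012-0002", "cvss": 9.3, "internet_visible": True},
    {"ip": "10.1.1.20", "mac": "00:11:22:33:44:02", "hostname": "web-01",
     "asset_value": 10, "vuln": "SSLv2 enabled", "cvss": 4.3, "internet_visible": True},
    {"ip": "10.1.1.30", "mac": None, "hostname": "printer-3f",
     "asset_value": 1, "vuln": "SNMP default community", "cvss": 7.5, "internet_visible": False},
]
# Constructed March scan: lab-ws-01 has a new DHCP lease (same MAC), web-01 was
# patched for MS12-020 but still has SSLv2 on, and a new server appeared.
SCAN_MAR = [
    {"ip": "10.1.1.57", "mac": "00:11:22:33:44:01", "hostname": "lab-ws-01",
     "asset_value": 3, "vuln": "CVE-2012-0002", "cvss": 9.3, "internet_visible": False},
    {"ip": "10.1.1.20", "mac": "00:11:22:33:44:02", "hostname": "web-01",
     "asset_value": 10, "vuln": "SSLv2 enabled", "cvss": 4.3, "internet_visible": True},
    {"ip": "10.1.1.30", "mac": None, "hostname": "printer-3f",
     "asset_value": 1, "vuln": "SNMP default community", "cvss": 7.5, "internet_visible": False},
    {"ip": "10.1.1.40", "mac": "00:11:22:33:44:04", "hostname": "db-01",
     "asset_value": 10, "vuln": "Config file world-writable", "cvss": 7.2, "internet_visible": False},
]

EXPOSURE_MULTIPLIER = 2.0   # assumption: Internet-visible findings count double


def host_key(record):
    """Identity of a host across scans: MAC beats hostname beats IP address,
    because the IP is the one attribute expected to change between scans."""
    return record["mac"] or record["hostname"] or record["ip"]


def finding_key(record):
    return (host_key(record), record["vuln"])


def correlate(previous, current):
    """Split the current scan into new and persisting findings, and list what
    the previous scan saw that is now gone (fixed, or host not reachable)."""
    prev = {finding_key(r): r for r in previous}
    curr = {finding_key(r): r for r in current}
    return {
        "new": [curr[k] for k in curr if k not in prev],
        "persisting": [curr[k] for k in curr if k in prev],
        "fixed": [prev[k] for k in prev if k not in curr],
    }


def priority(record):
    """Risk used for ordering: severity x asset value, doubled when exposed."""
    score = record["cvss"] * record["asset_value"]
    if record["internet_visible"]:
        score *= EXPOSURE_MULTIPLIER
    return score


def prioritize(findings):
    """Highest priority first; ties broken by hostname and vulnerability name."""
    return sorted(findings, key=lambda r: (-priority(r), r["hostname"], r["vuln"]))


if __name__ == "__main__":
    delta = correlate(SCAN_FEB, SCAN_MAR)
    for bucket in ("fixed", "new", "persisting"):
        print(bucket, [(r["hostname"], r["vuln"]) for r in delta[bucket]])
    print("work list:")
    for r in prioritize(SCAN_MAR):
        print("  %6.1f  %-12s %s" % (priority(r), r["hostname"], r["vuln"]))
```

The ordering that falls out is the point of the exercise: a 4.3 on an Internet-facing server (86) outranks a 9.3 on a lab workstation (27.9), which is the same judgement the talk’s Environmental score encodes, only cheaper to compute across 30,000 devices.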
Slide 47
Scanning process
Scans are controlled by the VnE, which sends commands to the device profiler. Depending on options chosen in the scan profile, the following operations are performed during a scan:
• Host discovery
• Port scanning
• Application discovery
• Stack fingerprinting
• Vulnerability checking
• Configuration checking
Slide 48
Anatomy of a VnE Scan
Slide 49
Host Discovery
Each IP address in the range specified by the network object is checked with the discovery options specified by the scan profile:
• ICMP (ping)
• TCP port scan on specified ports
• UDP port scan on specified ports
Up to 150 devices can be scanned simultaneously by a device profiler (to improve performance).
Slide 50
Host Discovery Example
Slide 51
Port Scanning Example
Slide 52
Application Discovery
Device profiler scan to determine what applications/versions are available:
• Port scans and application-layer network checks
• If credentials are configured:
– Registry checks
– File checks
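The first three stages of a scan (host discovery, port scanning, application discovery) can be shown end to end without an appliance. The script below is an added example, not nCircle’s code: it starts a throwaway TCP service in-process as a constructed target, probes it with plain connect() calls in parallel, treats a TCP reset as proof that a host is alive, and maps the banner it gets back to an application and version using a small constructed pattern table. ICMP echo and SYN scans are left out because they need raw sockets, which a scanning appliance has and a script on a workstation usually does not.

```python
"""Unprivileged host discovery, port scan and banner grab against one host.

Added example, not nCircle's code. The target is a throwaway localhost
service started here (constructed); the banner table is constructed too.
Only connect() probes are used, so no raw sockets or root are needed.
"""
import re
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

MAX_PARALLEL = 150   # concurrency cap, matching the per-profiler figure on the slides

# Constructed banner-to-application patterns (a real scanner ships thousands).
BANNER_PATTERNS = [
    (re.compile(r"^SSH-2\.0-OpenSSH_([\w.]+)"), "OpenSSH"),
    (re.compile(r"^220 \S+ ESMTP Postfix"), "Postfix SMTP"),
]


def start_fake_service(banner=b"SSH-2.0-OpenSSH_5.3\r\n"):
    """Constructed target: localhost listener that greets each client with `banner`.
    Returns (server_socket, port); stop it with stop_fake_service()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                  # listener shut down: end the thread
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def stop_fake_service(srv):
    """shutdown() unblocks the accept() in the serving thread; close() alone would not."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


def probe(host, port, timeout=0.5):
    """One TCP connect() probe.  Returns (state, banner):
    'open'     handshake completed (banner read if the service talks first)
    'closed'   RST came back: the host is up, nothing listens on this port
    'filtered' no answer before the timeout: firewall drop, or host down"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(512).decode("ascii", "replace").strip()
            except OSError:
                banner = ""             # open, but the service waits for the client to speak
            return "open", banner
    except ConnectionRefusedError:
        return "closed", ""
    except OSError:                     # socket.timeout and network errors
        return "filtered", ""


def scan_host(host, ports, timeout=0.5):
    """Port scan with bounded parallelism: {port: (state, banner)}."""
    workers = max(1, min(MAX_PARALLEL, len(ports)))
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: probe(host, p, timeout), ports)
        return dict(zip(ports, states))


def host_is_up(scan):
    """Host discovery from a connect scan: a reset is as much a sign of life as a SYN/ACK."""
    return any(state in ("open", "closed") for state, _ in scan.values())


def identify(banner):
    """Application discovery: banner -> (application, version or None), or None."""
    for pattern, name in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return name, (m.group(1) if m.groups() else None)
    return None


if __name__ == "__main__":
    srv, port = start_fake_service()
    result = scan_host("127.0.0.1", [port, port + 1])
    print("host up:", host_is_up(result))
    for p, (state, banner) in sorted(result.items()):
        print(p, state, identify(banner) if state == "open" else "")
    stop_fake_service(srv)
```

The three-way result of probe() is the detail that matters operationally: a range where every port comes back “filtered” tells you nothing about whether the host exists, which is why scanning from a profiler placed inside the campus network, rather than through a border firewall, finds more hosts.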
Slide 53
Application Discovery Example
Slide 54
Stack Fingerprinting
The profiler sends probes with various network- and transport-layer (IP, ICMP, TCP, and UDP) protocol options and checks the responses to identify the operating system of the device.
• Different OSs behave differently
• “Voting” algorithm used to determine most likely OS
• Useful if not able to scan device with credentials
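A voting fingerprinter, as an added example of the idea described above (not nCircle’s algorithm): every probe result is compared with a table of per-OS expectations, each test casts a weighted vote for the operating systems it matches, tests whose probe got no reply abstain, and the winner is reported with a confidence figure. The signature table and the observed responses are constructed for illustration; a real signature database holds hundreds of OS entries and many more tests. The one behaviour worth copying is the handling of ties: when only a TTL of 64 came back, the honest answer is “Linux or FreeBSD”, not a coin toss.

```python
"""Stack-fingerprint voting: pick the OS whose known TCP/IP behaviour best
matches what a target sent back.

Added example, not nCircle's algorithm. SIGNATURES and the observations in
__main__ are constructed for illustration.
"""

# Constructed signatures.  ttl = initial TTL, win = SYN/ACK window size,
# df = Don't Fragment bit set on replies, opts = TCP option order in the SYN/ACK.
SIGNATURES = {
    "Linux 2.6":       {"ttl": 64,  "win": 5840,  "df": True,  "opts": "MSS,SACK,TS,NOP,WS"},
    "FreeBSD 8":       {"ttl": 64,  "win": 65535, "df": True,  "opts": "MSS,NOP,WS,SACK,TS"},
    "Windows XP/2003": {"ttl": 128, "win": 65535, "df": True,  "opts": "MSS,NOP,WS,NOP,NOP,SACK"},
    "Cisco IOS":       {"ttl": 255, "win": 4128,  "df": False, "opts": "MSS"},
}


def initial_ttl(observed_ttl):
    """A reply's TTL was decremented once per hop on the way back, so map it to
    the nearest common initial value (64, 128, 255)."""
    for initial in (64, 128, 255):
        if observed_ttl <= initial:
            return initial
    return None


# Each test: (weight = how discriminating it is, how an observation is compared
# with the signature value).
TESTS = {
    "ttl":  (2, lambda obs, sig: initial_ttl(obs) == sig),
    "win":  (1, lambda obs, sig: obs == sig),
    "df":   (1, lambda obs, sig: obs == sig),
    "opts": (3, lambda obs, sig: obs == sig),
}


def vote(observed, signatures=SIGNATURES):
    """Tally weighted votes for every OS; tests with no observation abstain.

    Returns {"guess": os_or_None, "confidence": 0..1, "tally": [(os, votes), ...]}.
    guess is None when the leaders tie (or nothing matched), because a tie is
    real information: more probes are needed, not a random pick."""
    tally = {name: 0 for name in signatures}
    weight_cast = 0
    for test, (weight, matches) in TESTS.items():
        if test not in observed:
            continue                     # probe unanswered: this test abstains
        weight_cast += weight
        for name, sig in signatures.items():
            if matches(observed[test], sig[test]):
                tally[name] += weight
    ranking = sorted(tally.items(), key=lambda item: (-item[1], item[0]))
    top_votes = ranking[0][1]
    leaders = [name for name, votes in ranking if votes == top_votes]
    return {
        "guess": leaders[0] if len(leaders) == 1 and top_votes > 0 else None,
        "confidence": top_votes / weight_cast if weight_cast else 0.0,
        "tally": ranking,
    }


if __name__ == "__main__":
    # Constructed observations: a Linux box six hops away, a Windows box whose
    # SYN/ACK options were not captured, and a host that only answered a ping.
    print(vote({"ttl": 58, "win": 5840, "df": True, "opts": "MSS,SACK,TS,NOP,WS"}))
    print(vote({"ttl": 120, "win": 65535, "df": True}))
    print(vote({"ttl": 60}))
```

Weights are where the tuning happens: TCP option order is hard to spoof by accident and therefore counts for three, while the DF bit is shared by most modern stacks and counts for one. The confidence value is votes won divided by votes cast, so a guess made from two answered probes is reported as weaker than the same guess made from four.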
Slide 55
Stack Fingerprinting Example
Slide 56
Stack Fingerprinting Vote Example
Slide 57
Vulnerability Checks
For each application found, checks are performed for each known/detectable vulnerability. These use the same techniques as application discovery, but go into more detail.
• May have completely different checks for the same vulnerability in different versions of an application
• May have multiple checks for the same vulnerability
Slide 58
Vulnerability Check Example
Slide 59
Configuration Checks
If selected, specific checks are made to determine and report on configuration options. The available checks are highly dependent on each OS/application and whether or not credentialed scanning is being done.
Slide 60
Configuration Check Example
Slide 61
Reporting
• Many types of reports are available
• Can “drill down” to extreme levels of detail
• Can aggregate data for management reports and trend analysis
Slide 62
Sample Scan Report – Summary (pt. 1)
Slide 63
Sample Scan Report – Summary (pt. 2)
Slide 64
Sample Scan Report – Summary (pt. 3)
Slide 65
Vulnerabilities Report
Slide 66
Specific vulnerability (pt. 1)
Slide 67
Specific vulnerability (pt. 2)
Slide 68
Risk Matrix report
Slide 69
Summary
• Vulnerability Management is an important component of any Information Security program
• Need to start with policies and procedures so we know what to protect
• Variety of tools available, both free and $
• Tools give much more information than just what vulnerabilities are found
• Remediation ties into other IS processes
Slide 70
Questions?
• Presentation can be downloaded from:
– http://home.comcast.net/~lanzyg
• Your time!