Best Practices: Enterprise Vulnerability Management
Jeff Buzzella, Technical Account Manager; Grant Johnson, Technical Account Manager
Salt Lake City, September 26, 2013


Page 1: Best Practices, Enterprise Vulnerability Management (source: issa-utah.org/blog/wp-content/uploads/2013/08/2013-Fall_Enterprise...)

Jeff Buzzella, Technical Account Manager; Grant Johnson, Technical Account Manager

Salt Lake City, September 26, 2013

Page 2: Key Elements of EVM

- IT Asset Inventory and Control
- Risk-based Vulnerability Management & Strategy
- Scan Management and Strategy
- Vulnerability Tracking and Closure
- Scan Exclusion/Exception Process
- Some Closing Thoughts
- Some References and Resources

Page 3: Lifecycle of a Vulnerability

Scan -> Identification & Reporting -> Ticketing -> Patching & Configuration -> Verification -> back to Scan: an ongoing, continuous cycle.

Some quick thoughts: some key things to remember as you are planning your approach, and some things to check.

Page 4: IT Asset Inventory & Control

Page 5: IT Asset Inventory and Control

CMDB (Configuration Management Database) or IT Asset Inventory

"You cannot manage that which you do not track"

Page 6: IT Asset Inventory and Control

Things to Know:
- Inventories are VITAL to ensure vulnerability scan coverage is complete
- These inventories are difficult to maintain and are error prone
- Server inventory should be tested or spot-checked for completeness
- Information could include server, IPs, rack location, applications, owner, data risk, etc.
- Maintenance of the inventories is usually a collective effort; don't shoot the messenger

Some things to Check:
- List-to-Floor, Floor-to-List inventory check (accuracy & completeness)
- Inspect data center inventory for proper labeling on devices
- Map the environment (tool based) and compare with the inventory list

Page 7: Some Ideas on Scan Management and Strategy

Page 8: Scan Management & Strategy

Scan Intervals: There should be a controlled process that determines scan frequency and reporting frequency. Be observant of possible gaps created by the intervals.

Scan Metrics: Vulnerability scanning can be affected by network outages, firewalls, traffic management, DNS errors, etc. Scans require administrative access, and whether that access works affects scan completeness and accuracy. Good vulnerability management will have a method of tracking scan success.

Page 9: Scan Management & Strategy

What to scan… Pretty much everything. Here is the short list:

- Web Servers: Apache; Microsoft IIS; iPlanet; Lotus Domino; Ipswitch; Zeus; full support for virtual hosting.
- SMTP/POP Servers: Sendmail; Microsoft Exchange; Lotus Domino; Netscape Messaging Server; QMail.
- FTP Servers: IIS FTP Server; WuFTPd; WarFTPd.
- Firewalls: Check Point Firewall-1/VPN-1 and NG; Cisco PIX; Juniper NetScreen; Gauntlet; CyberGuard; Raptor.
- Databases: Oracle; Sybase; MS SQL; PostgreSQL; MySQL.
- eCommerce: Icat; EZShopper; Shopping Cart; PDGSoft; Hassan Consulting Shopping; Perishop.
- LDAP Servers: Netscape; IIS; Domino; OpenLDAP.
- Load Balancing Servers: Cisco CSS; Alteon; F5 BIG-IP; IBM Network Dispatcher; Intel Routers; Administrable.
- Switches and Hubs: Cisco; 3Com; Nortel Networks; Cabletron; Lucent; Alcatel.
- Wireless Access Points: Cisco; 3Com; Symbol; Linksys; D-Link; Netgear; Avaya; Apple AirPort; Nokia; Siemens.

Page 10: Scan Management & Strategy

Things to Know:
- Scan frequency should match the risk of loss associated with the data and system, or the patch cycles
- Frequency can range from monthly/bi-monthly to continuous
- Vulnerabilities garner differing levels of risk, e.g. those associated with malware, remotely executable, etc.
- Scan signatures should be VERY current; auto-update is recommended
- The approach needs to comply with local and national laws

Some things to check:
- Select a sample of high-risk servers, determine the last-scanned date, and check whether it is within the stated goals of the scan strategy
- Does the scan interval meet regulatory requirements?
- Review the process for updating the scan signatures and scan completeness; manual updates should be fully justified and tested
- Determine if any critical tests are excluded from review; management should justify any exclusion
- Determine if scan success and results are tracked
- Are hardening guidelines published and followed? How?
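As an added illustration (not code from the slides, and not any vendor's scanner tooling) of the List-to-Floor / Floor-to-List check on page 6 and the last-scanned-date check above, the following Python reconciles a constructed CMDB extract against constructed scanner results. The IP addresses, per-host scan intervals and the exclusion list are assumed sample values.

```python
from datetime import date

# Constructed sample data (not from the slides). INVENTORY is the "list"
# (a CMDB extract); SCAN_RESULTS is the "floor" as the scanner actually saw it.
# interval_days is an assumed per-host scan interval from the scan strategy.
INVENTORY = {
    "10.0.1.10": {"name": "web01", "risk": "high", "interval_days": 30},
    "10.0.1.11": {"name": "web02", "risk": "high", "interval_days": 30},
    "10.0.2.20": {"name": "db01", "risk": "high", "interval_days": 30},
    "10.0.2.21": {"name": "db02", "risk": "high", "interval_days": 30},
    "10.0.3.30": {"name": "file01", "risk": "low", "interval_days": 90},
}
SCAN_RESULTS = {
    "10.0.1.10": {"last_scanned": date(2013, 9, 20), "authenticated": True},
    "10.0.2.20": {"last_scanned": date(2013, 7, 1), "authenticated": False},
    "10.0.3.30": {"last_scanned": date(2013, 9, 1), "authenticated": True},
    "10.0.9.99": {"last_scanned": date(2013, 9, 25), "authenticated": False},
}
# Assumed approved scan exception: web02 is excluded from scanning.
EXCLUSIONS = {"10.0.1.11"}


def reconcile(inventory, scans, exclusions, today):
    """Compare the inventory (list) with what the scanner reached (floor)."""
    in_scope = set(inventory) - set(exclusions)
    scanned = sorted(ip for ip in in_scope if ip in scans)
    # List-to-floor: tracked and in scope, but the scanner never reached it.
    list_not_floor = sorted(in_scope - set(scans))
    # Floor-to-list: the scanner found a host the inventory does not track.
    floor_not_list = sorted(set(scans) - set(inventory))
    # Last-scanned date older than the interval the scan strategy promises.
    stale = sorted(
        ip for ip in scanned
        if (today - scans[ip]["last_scanned"]).days > inventory[ip]["interval_days"]
    )
    authed = sum(1 for ip in scanned if scans[ip]["authenticated"])
    return {
        "coverage_pct": round(100.0 * len(scanned) / len(in_scope), 1) if in_scope else 0.0,
        "auth_pct": round(100.0 * authed / len(scanned), 1) if scanned else 0.0,
        "list_not_floor": list_not_floor,
        "floor_not_list": floor_not_list,
        "stale": stale,
    }


AS_OF = date(2013, 9, 26)  # assumed reporting date
REPORT = reconcile(INVENTORY, SCAN_RESULTS, EXCLUSIONS, AS_OF)

if __name__ == "__main__":
    for key, value in REPORT.items():
        print(f"{key}: {value}")
```

Hosts in list_not_floor and stale are the coverage gaps the slide warns about; a host in floor_not_list means the inventory, not the scanner, is wrong.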

Page 11: Configuration Management & Hardening Guidelines

Page 12: Configuration & Hardening

What is Configuration Management? The process by which management defines permissible services, settings and applications.

- Should FTP be allowed for servers within the DMZ?
- Password length and age
- Ports & services
- Account permissions review

CIS Hardening Guidelines are a good place to start. A solid hardening process will save hours of vulnerability management and reduce risk.

Page 13: Configuration & Hardening

Benefits of Configuration Management:
- Monitor a larger range of transactions, controls, and systems than a person could ever assess using a manual process.
- Provide a level of consistency that eliminates the subjectivity of human review.
- Run metrics and reports that ultimately help you manage the quality of both your compliance program and operations overall.
- Reduce the number of found vulnerabilities and ensure a more secure platform.

Page 14: Configuration & Hardening

Best Practice #1: Remember the Big Picture
Best Practice #2: Align IT Policy Compliance and Security with the Business
Best Practice #3: IT Compliance Starts with Policy
Best Practice #4: Establish Accountability
Best Practice #5: Conduct a Pre-Audit or Readiness Assessment
Best Practice #6: Centralize IT Policy Program Management
Best Practice #7: Prioritize Remediation Activities
Best Practice #8: Regularly Monitor the Whole Compliance Program

Page 15: Developing a Risk Based Vulnerability Strategy

Page 16: Risk Based Vulnerability Strategy: Three Broad Risks to Consider

- Public network: outward and customer-facing systems need to be prioritized; these systems should be clearly identifiable
- Management should have a defined data classification scheme
- There should be a concise inventory of systems that host, store and process sensitive data

Page 17: Risk Based Vulnerability Strategy: How do you prioritize which high severity findings to fix first?

In summary, start with:
- High exposure systems (public facing)
- Systems that hold or use high risk data
- Fix the high probability / high severity, patchable vulnerabilities

Prioritize vulnerabilities when known exploits are published by third party vendors and/or publicly available sources. Good VM tools constantly correlate exploitability information from real-time feeds to provide up-to-date references to exploits and related security resources.

Look for malware-associated vulnerabilities. Vulnerability scanners correlate malware information with vulnerabilities when malware threats for vulnerabilities are published within the Trend Micro Threat Encyclopedia or other authoritative sources.

Prioritize vulnerabilities that can be detected using remote (unauthenticated) scanning.

Begin with vulnerabilities that are fixable with a patch that is currently available from the vendor.
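As an added example (not from the slides, and not any scanner's own ranking logic), this Python orders constructed findings by the criteria on this page: exposure, data risk, severity, published exploit, malware association, remote detectability and patch availability. The weights and the finding records are assumed values, not numbers the deck gives.

```python
# Constructed findings (not from the slides). Severity is on a 1-5 scale,
# matching the "Sev 4s and 5s" wording used later in this deck.
FINDINGS = [
    {"id": "F1", "host": "web01", "severity": 5, "public_facing": True,
     "high_risk_data": False, "exploit_published": True, "malware_associated": False,
     "remote_detectable": True, "patch_available": True},
    {"id": "F2", "host": "db01", "severity": 5, "public_facing": False,
     "high_risk_data": True, "exploit_published": False, "malware_associated": False,
     "remote_detectable": False, "patch_available": False},
    {"id": "F3", "host": "file01", "severity": 4, "public_facing": False,
     "high_risk_data": False, "exploit_published": False, "malware_associated": True,
     "remote_detectable": True, "patch_available": True},
    {"id": "F4", "host": "web02", "severity": 2, "public_facing": True,
     "high_risk_data": False, "exploit_published": False, "malware_associated": False,
     "remote_detectable": True, "patch_available": True},
]

# Assumed weights for the prioritization criteria named on this slide.
WEIGHTS = {
    "public_facing": 3,       # high exposure systems
    "high_risk_data": 3,      # systems that hold or use high risk data
    "exploit_published": 2,   # known exploit published by a vendor or public source
    "malware_associated": 2,  # malware correlated with the vulnerability
    "remote_detectable": 1,   # confirmable by unauthenticated scan
    "patch_available": 2,     # fixable with a patch available today
}


def score(finding):
    """Severity plus the weight of every criterion the finding satisfies."""
    return finding["severity"] + sum(w for k, w in WEIGHTS.items() if finding[k])


def prioritize(findings):
    """Return finding ids, highest score first; ties broken by id."""
    return [f["id"] for f in sorted(findings, key=lambda f: (-score(f), f["id"]))]


def first_wave(findings, min_severity=4):
    """The slide's starting point: high severity AND patchable, in priority order."""
    by_id = {f["id"]: f for f in findings}
    return [fid for fid in prioritize(findings)
            if by_id[fid]["patch_available"] and by_id[fid]["severity"] >= min_severity]


if __name__ == "__main__":
    print("priority order:", prioritize(FINDINGS))
    print("fix first:", first_wave(FINDINGS))
```

Note that F2 (high-risk data, severity 5, but no patch yet) drops out of the first wave even though it outranks F4; it still needs an action plan, which is the point of the tracking slides that follow.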

Page 18: Risk Based Vulnerability Strategy

The VM solution needs to provide the capability to scan for and fix vulnerabilities in a broad range of categories, including:
- Back doors and Trojan horses (bypass authentication systems)
- Brute force attacks (defies cryptography by systematically trying different keys)
- CGI (exploits the Common Gateway Interface)
- Databases
- DNS and BIND (exploits Domain Name Services)
- E-commerce applications
- File sharing
- File Transfer Protocol
- Firewalls

Page 19: Risk Based Vulnerability Strategy

Things to Know:
- Management needs to have a plan to identify and prioritize the systems that are subject to vulnerability management. It is very difficult, if not impossible, to "fix all" or "all Sev 4s and 5s"
- Risk differs from server to server depending on the hosted data and whether the server is internet facing
- Vulnerabilities garner differing levels of threat
- Start with the fixable vulnerabilities

Things to Check:
- Review the system risk assessment used to identify HIGH risk systems based on data sensitivity
- Review the network diagrams used to track externally facing systems
- Ensure HIGH risk systems are scanned in accordance with policy guidelines
- Review the action plans associated with high severity vulnerabilities

Page 20: Ideas on Vulnerability Tracking and Closure

Page 21: Vulnerability Tracking and Closure

5 Stages of Grief in Vulnerability Management

Stage | Server Team Says… | Security Says…
1. Denial | "You need a new crack pipe, my servers are not vulnerable!" | "I am afraid they are and here is the proof…"
2. Anger | "Who the heck gave you permission to scan my servers!?!" | "We need to scan everything on the network…"
3. Bargaining | "This system is going away…" | "It still introduces an unacceptable risk and needs to be fixed"
4. Depression | "It is impossible to fix all of these!" | "A single patch will eliminate many of these"
5. Acceptance | "Okay… I guess I will patch these" | "Thank you for working with us. Let us know when you are ready for a rescan"

Page 22: Vulnerability Tracking and Closure

Things to Know:
- There needs to be a manageable, measurable process to track vulnerabilities
- Many companies use ticketing systems
- There will ALWAYS be exceptions to a policy; you need to ensure that exceptions are approved and reviewed at a regular interval
- Vulnerability ageing is a commonly applied metric

Things to Check:
- Ensure system ownership is properly documented and lines of responsibility for security are properly assigned
- Is there a process in place to escalate overdue or unpatched systems that are outside of policy? Test it by reviewing scan results
- Does management monitor the aging of vulnerabilities on a system?

Page 23: Scan Exclusions and Exception Process

Page 24: Scan Exclusions & Exceptions

Some systems may be appropriately excluded from vulnerability scanning!!

Possible scenarios:
- Process networks
- Air-gapped networks
- Low risk, untrusted systems (be VERY wary of this justification)
- Smart equipment
- System cannot tolerate a scan without interruption

Page 25: Scan Exclusion/Exceptions

Things to Know:
- High risk, in that these are permanent blind spots for vulnerabilities to hide in
- There are some systems that should be excluded: the need for security scanning does not outweigh business use
- Scan-caused crashes can be an indication of a misconfigured system
- Exceptions to scanning should be documented/approved and subject to regular review

Things to Check:
- Is there a formal, documented process to exclude a system from scanning?
- Are scanning exceptions reviewed at a regular interval?
- Select a sample of excluded hosts and trace them to the authorizing documents
- Determine if there are action plans in place to remediate older systems and subject them to future vulnerability scans

Page 26: Some Closing Thoughts

Page 27: Other thoughts....

- Vulnerability Management is best driven at the CISO level. Metrics should be designed to give "C" level management something to "manage to":
  - number of days to close vulnerabilities
  - number of days from identification to notification
  - scan coverage as a %
  - authentication %
- Patch metrics and configuration management dashboards have been found to be more effective than voluminous reports of high severity vulnerabilities
- Be cautious when recommending automatic ticketing for new vulnerabilities
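As an added example (not from the slides, and not any ticketing system's own reporting), this Python computes the closure-time and notification-lag metrics listed above from constructed ticket records, and applies the page 22 points on vulnerability ageing and exception review. The per-severity SLA days, the ticket records and the exception entries are assumed sample values.

```python
from datetime import date
from statistics import mean

# Assumed closure SLA in days per severity (not values from the slides).
SLA_DAYS = {5: 30, 4: 60, 3: 90}

# Constructed ticket records (not from the slides): when the scanner identified
# the finding, when the owner was notified, and when it closed (None = open).
TICKETS = [
    {"id": "T1", "sev": 5, "identified": date(2013, 7, 1),
     "notified": date(2013, 7, 3), "closed": date(2013, 7, 20)},
    {"id": "T2", "sev": 4, "identified": date(2013, 7, 1),
     "notified": date(2013, 7, 10), "closed": None},
    {"id": "T3", "sev": 5, "identified": date(2013, 8, 15),
     "notified": date(2013, 8, 16), "closed": None},
    {"id": "T4", "sev": 3, "identified": date(2013, 6, 1),
     "notified": date(2013, 6, 1), "closed": date(2013, 8, 1)},
]
# Constructed approved exceptions, each with the date its next review is due.
EXCEPTIONS = [
    {"ticket": "T2", "approved_by": "CISO", "next_review": date(2013, 9, 1)},
]


def metrics(tickets, exceptions, today):
    """Metrics a CISO can manage to: closure time, notification lag, ageing."""
    excepted = {e["ticket"]: e for e in exceptions}
    closed = [t for t in tickets if t["closed"] is not None]
    open_ = [t for t in tickets if t["closed"] is None]
    # Open findings aged past their SLA that no approved exception covers.
    overdue = [
        (t["id"], (today - t["identified"]).days)
        for t in open_
        if t["id"] not in excepted
        and (today - t["identified"]).days > SLA_DAYS[t["sev"]]
    ]
    # Exceptions must be reviewed at a regular interval; flag lapsed reviews.
    review_lapsed = sorted(tid for tid, e in excepted.items() if e["next_review"] < today)
    days_to_close = [(t["closed"] - t["identified"]).days for t in closed]
    notify_lag = [(t["notified"] - t["identified"]).days for t in tickets]
    return {
        "mean_days_to_close": mean(days_to_close) if closed else 0,
        "mean_days_identify_to_notify": mean(notify_lag) if tickets else 0,
        "open": len(open_),
        "overdue": overdue,
        "exception_review_lapsed": review_lapsed,
    }


AS_OF = date(2013, 9, 26)  # assumed reporting date
REPORT = metrics(TICKETS, EXCEPTIONS, AS_OF)

if __name__ == "__main__":
    for key, value in REPORT.items():
        print(f"{key}: {value}")
```

T2 is not reported as overdue because an approved exception covers it, but its lapsed review date surfaces instead, which is the control the page 22 checks ask for.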

Page 28: Some Good References (free)

www.qualys.com/enterprises/qualysguard/resources/

Page 29: Free Services at your Fingertips

www.qualys.com/secure

Page 30: Thank You

[email protected]