Achievements and Pitfalls of Creating and Maintaining Vulnerability Assessment Programs Tim Proffitt March 2009 GIAC GCIH, GCPM, GLEG, GSEC, GSLC SANS Technology Institute - Candidate for Master of Science Degree 1 1 How are Successful Organizations Leveraging Vulnerability Assessment? – – – – – – – – Identifying known vulnerabilities Identifying foreign systems and adhoc networks Auditing NAC initiatives Auditing patching efforts Auditing software lifecycles Assisting with web application security assessments Meeting compliancy requirements such as PCI Defining risk by providing risk assessment data SANS Technology Institute - Candidate for Master of Science Degree 2 Understand and Managing Risk Network Inventory: Vulnerabilities do not exist in isolation. Vulnerability Overload: In most enterprise networks there are simply too many vulnerabilities to fix. Root-Cause Analysis: Fixing of vulnerabilities does not necessarily address the root cause. There will always be risk to the organization, so the goal is not to eliminate risk, but rather to understand and manage risk at an acceptable level. SANS Technology Institute - Candidate for Master of Science Degree 3 What Risk Level Is Acceptable? •Aligning the right context of assets that relate back to the business is mandatory. Otherwise, data may not be meaningful or actionable by management •Focusing on certain vulnerabilities will enable a working group to ensure that the strategy will address the existing communities vulnerabilities of greatest concern. •By reporting on groups of assets that are defined from a business viewpoint, the metrics suddenly take on an importance to the decision makers. SANS Technology Institute - Candidate for Master of Science Degree 4 Utilize a Known Scoring System Teams can utilize the open common vulnerability scoring system (CVSS) or to address the goal of a common platform to discuss risk. Base Metrics qualities that are fundamental to any given vulnerability that do not change over time or in different environments. Temporal Metrics characteristics of a vulnerability that are time-dependent and change as the vulnerability ages. Environmental Metrics characteristics of vulnerabilities that are tied to implementation and environment SANS Technology Institute - Candidate for Master of Science Degree 5 Deriving Severity Levels •Consequence - allow low to highs depending on the environment •Probability - Some vulnerabilities are more likely than others to be exploited •Criticality - allow more vulnerabilities on less critical systems than others •Industry - You might be willing remediate vulnerabilities quicker if you manage FAA gear •Time - Vulnerabilities are a moving target SANS Technology Institute - Candidate for Master of Science Degree 6 Real World Scenario •VA scan reveals MS09-001 is missing from a server in a DMZ segment •Research shows MS09-001 is a Server Message Block (SMB) buffer overflow allowing attackers to take complete control of the system and allowing remote execution of code •Analysis determines the server in the DMZ is a MS fileserver containing customer data. SMB is allowed through the firewall to this network segment. •High probability of loss with High probability of consequence causes risk to be Unacceptable with immediate action •Cost benefit analysis shows only a patch is needed or a firewall rule change. Risk = Threat x Vulnerability x Impact Countermeasures SANS Technology Institute - Candidate for Master of Science Degree 7 Top Objectives for Approval and Defining Policies • • • • • • • Executive sign-off is crucial before VA efforts are started Understanding that VA will have an impact on systems Define what segments are out of scope Define what type of hardware is off limits Define external scanning versus internal scanning Define what you do with partner networks Include VA provisions in legal contracts SANS Technology Institute - Candidate for Master of Science Degree 8 Awareness Pitfalls Successful training includes details about: – How is risk applied? – Impacts to log files, authentication attempts, successive connections, trace files – Generation of alerts and/or emails – Bandwidth considerations – Frequency of scans for troubleshooting – False positive remediation • How does the VA scanning not impact systems: – Effects on firewalls (state tables) or IPS – Does the VA scanner block traffic? SANS Technology Institute - Candidate for Master of Science Degree 9 Know Which Information Assets Are Targets Standard items such as workstations, laptops and servers are targets, but what about? – Network enabled printers • Printer specific vulnerabilities reported up 105% in 2008 – VOIP Phones • VIPER Lab has identified thousands of VOIP vulnerabilities since 2003 – Security cameras, HVAC management , AV gear, medical equipment, SCADA, etc. • Seems everything is becoming network manageable, but did the vendor consider security? How can these be compromised? What is the risk to the business of a compromise? SANS Technology Institute - Candidate for Master of Science Degree 10 Optimal Returns • With failed programs, teams typically will: – Scan infrequently enough to be irrelevant – Not utilize authentication – Scan aggressively across entire segments – Re-negotiate risk metrics to fit the situation – Not break up assets into domains • Successful scanning teams will consist of several components: – Scan frequently, on a negotiated schedule – Exclude known harmful vulnerabilities to equipment – Utilize multiple authentication records – Manage exceptions with system owners – Organize assets into risk based groups SANS Technology Institute - Candidate for Master of Science Degree 11 Biggest Reporting Mistakes •Producing reports detailing every vulnerability from “informational” to “urgent” for the entire assessment •Providing C-Level management (or auditors) a 300 page vulnerability report •Not performing trending analysis •Automatic “blanket” ticket generation from VA reporting •Not producing actionable information utilizing risk metrics •Not filtering the reports for specific system administrators SANS Technology Institute - Candidate for Master of Science Degree 12 Compliance and the life cycle Vulnerability Assessment has a never ending life cycle. This cycle continually scans, reports, assesses, remediates and evaluates. Any one piece of the lifecycle cannot be effective without the other. Pitfalls: •Have reasonable life cycle expectations been set? •Is the VA team working with the correct set of administrators to accomplish their goals? •Has the life cycle slowed as the program matured or become lax? •The VA team is not generating reports on a regular basis. SANS Technology Institute - Candidate for Master of Science Degree 13 Program Success •Utilize metrics to assign risk. Scoring systems from “high to low” and/or “5 to 1” provided by VA solutions do not adequately reflect the true risk to the enterprise. •Successful programs will scan more than traditional workstations and servers. Overlooking network aware devices is painting a partial picture of your security landscape. Device attack vectors are on the rise. •Utilize vulnerability assessment data to supplement other security efforts. This data can be manipulated to support compliance, NAC, user provisioning, licensing, etc. SANS Technology Institute - Candidate for Master of Science Degree 14 Summary A VA program can be leveraged to ease the burden of compliance efforts, reducing their risk levels, perform due diligence, provide forensic data and generate reports that can be used as technology metrics. By creating a comprehensive VA program, the organization will be adding yet another layer to the defense in depth. Identifying those key vulnerabilities to the organization, and performing mitigation actions before those vulnerabilities can be exploited. A successful comprehensive VA program will position the organization for a safer, more secure computing environment. SANS Technology Institute - Candidate for Master of Science Degree 15