Achievements and Pitfalls of Creating and Maintaining Vulnerability Assessment Programs
Tim Proffitt
March 2009
GIAC GCIH, GCPM, GLEG, GSEC, GSLC
SANS Technology Institute - Candidate for Master of Science Degree
How Are Successful Organizations Leveraging Vulnerability Assessment?
– Identifying known vulnerabilities
– Identifying foreign (unmanaged) systems and ad hoc networks
– Auditing network access control (NAC) initiatives
– Auditing patching efforts
– Auditing software lifecycles
– Assisting with web application security assessments
– Meeting compliance requirements such as PCI DSS
– Defining risk by providing risk assessment data
Understanding and Managing Risk
Network Inventory: Vulnerabilities do not exist in isolation. A finding means little until it is tied to a known asset, so an accurate inventory comes first.
Vulnerability Overload: In most enterprise networks there are simply too many vulnerabilities to fix them all; they must be prioritized.
Root-Cause Analysis: Fixing individual vulnerabilities does not necessarily address the root cause (for example, a broken patch process, or an exposed service that should never have been reachable).
There will always be risk to the organization, so the goal is not to eliminate risk, but rather to understand and manage risk at an acceptable level.
What Risk Level Is Acceptable?
• Aligning assets with the business context they serve is mandatory. Otherwise the data may not be meaningful or actionable by management.
• Focusing on specific classes of vulnerabilities lets a working group ensure that the strategy addresses the vulnerabilities of greatest concern to the existing community.
• By reporting on groups of assets that are defined from a business viewpoint, the metrics suddenly take on importance to the decision makers.
Utilize a Known Scoring System
Teams can utilize the open Common Vulnerability Scoring System (CVSS; version 2 was the current release when this was written) to give everyone a common platform for discussing risk. CVSS splits a score into three metric groups:
Base Metrics: qualities that are fundamental to a given vulnerability and do not change over time or across environments.
Temporal Metrics: characteristics of a vulnerability that are time-dependent and change as the vulnerability ages (exploit availability, remediation level, report confidence).
Environmental Metrics: characteristics that are tied to a particular implementation and environment (collateral damage potential, target distribution, and the confidentiality, integrity and availability requirements of the affected assets).
Deriving Severity Levels
• Consequence: the same flaw can range from low to high impact depending on the environment it sits in
• Probability: some vulnerabilities are more likely than others to be exploited
• Criticality: allow more open vulnerabilities on less critical systems than on critical ones
• Industry: you might be willing to remediate vulnerabilities more quickly if you manage FAA gear
• Time: vulnerabilities are a moving target; severity changes as exploits and patches appear
Real World Scenario
• A VA scan reveals that MS09-001 is missing from a server in a DMZ segment
• Research shows MS09-001 fixes Server Message Block (SMB) vulnerabilities that allow remote code execution; an unauthenticated attacker who exploits them can take complete control of the system
• Analysis determines the server in the DMZ is a Microsoft file server containing customer data, and SMB is allowed through the firewall to this network segment
• High probability of exploitation combined with high consequence makes the risk Unacceptable and requires immediate action
• Cost-benefit analysis shows the fix is cheap: apply the patch, or change the firewall rule so SMB is no longer reachable from untrusted networks (and, as root-cause analysis, ask why SMB to a customer-data server was ever permitted through the DMZ firewall)
Risk = (Threat x Vulnerability x Impact) / Countermeasures
Top Objectives for Approval and Defining Policies
• Executive sign-off is crucial before VA efforts are started
• Stakeholders must understand that VA scanning will have an impact on systems
• Define which segments are out of scope
• Define what types of hardware are off limits
• Define external scanning versus internal scanning
• Define what you do with partner networks
• Include VA provisions in legal contracts
Awareness Pitfalls
Successful training includes details about:
– How is risk applied?
– Impacts to log files, authentication attempts (failed logons and account lockouts), successive connections, trace files
– Generation of alerts and/or emails
– Bandwidth considerations
– Scan frequency and schedule, so administrators can correlate scans with problems they are troubleshooting
– False positive remediation
• How VA scanning can be kept from disrupting systems:
– Effects on firewalls (state tables) or IPS sensors
– Does the scan cause traffic to be blocked (the scanner's own, or legitimate users' via an IPS reaction)?
Know Which Information Assets Are Targets
Standard items such as workstations, laptops and servers are targets, but what about:
– Network-enabled printers
  • Printer-specific vulnerabilities reported were up 105% in 2008
– VoIP phones
  • VIPER Lab has identified thousands of VoIP vulnerabilities since 2003
– Security cameras, HVAC management, AV gear, medical equipment, SCADA, etc.
  • Seems everything is becoming network manageable, but did the vendor consider security? How can these be compromised? What is the risk to the business of a compromise?
Optimal Returns
• With failed programs, teams typically will:
– Scan infrequently enough to be irrelevant
– Not utilize authenticated scanning
– Scan aggressively across entire segments
– Re-negotiate risk metrics to fit the situation
– Not break assets up into domains
• Successful scanning teams will consist of several components:
– Scan frequently, on a negotiated schedule
– Exclude checks known to be harmful to particular equipment
– Utilize multiple sets of scan credentials, covering the different platforms and domains in scope
– Manage exceptions with system owners
– Organize assets into risk-based groups
Biggest Reporting Mistakes
• Producing reports detailing every vulnerability from "informational" to "urgent" for the entire assessment
• Providing C-level management (or auditors) a 300-page vulnerability report
• Not performing trend analysis
• Automatic "blanket" ticket generation from VA reporting
• Not producing actionable information utilizing risk metrics
• Not filtering the reports for specific system administrators
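Worked example, added here and not taken from the original deck, showing the reporting habits the last two slides argue for: findings rolled up by business-defined asset group for management, filtered per administrator team, and trended across scans rather than reported as a single snapshot. Every host name, finding title, score and date below is constructed sample data, shaped like a normalised scanner export; the group names, team names and the 7.0/4.0 thresholds are assumptions, not values from the deck.

```python
"""Roll VA findings up by business group, filter per owner, and trend across scans.
Added worked example; all hosts, titles, scores and dates below are constructed."""
from datetime import date

# Open findings from the latest scan, normalised from the scanner export:
# (host, business group, owning team, title, CVSS base score, first seen)
FINDINGS = [
    ("fs01", "dmz-customer-data", "win-team", "SMB remote code execution (MS09-001 missing)", 10.0, date(2009, 1, 14)),
    ("fs01", "dmz-customer-data", "win-team", "SMB signing not required", 0.0, date(2008, 11, 2)),
    ("web02", "dmz-customer-data", "web-team", "Weak TLS cipher suites offered", 4.3, date(2008, 9, 9)),
    ("hr-db", "internal-hr", "dba-team", "Database default administrator password", 10.0, date(2009, 2, 20)),
    ("kiosk7", "lobby-kiosks", "desktop-team", "Anonymous FTP with write access", 7.5, date(2008, 6, 1)),
    ("kiosk7", "lobby-kiosks", "desktop-team", "ICMP timestamp response", 0.0, date(2008, 6, 1)),
]

# (host, title) pairs open in each monthly scan, kept so trends can be shown.
SCANS = {
    date(2009, 1, 5): {("web02", "Weak TLS cipher suites offered"),
                       ("kiosk7", "Anonymous FTP with write access"),
                       ("fs01", "NetBIOS null session allowed")},
    date(2009, 2, 2): {("web02", "Weak TLS cipher suites offered"),
                       ("kiosk7", "Anonymous FTP with write access"),
                       ("fs01", "SMB remote code execution (MS09-001 missing)")},
    date(2009, 3, 1): {("web02", "Weak TLS cipher suites offered"),
                       ("kiosk7", "Anonymous FTP with write access"),
                       ("fs01", "SMB remote code execution (MS09-001 missing)"),
                       ("hr-db", "Database default administrator password")},
}


def group_summary(findings, min_cvss=7.0, today=date(2009, 3, 1)):
    """Management view: per business group, how many findings at or above the
    threshold, on how many hosts, and how old the oldest one is. Everything
    below the threshold is left out on purpose (no 300-page report)."""
    groups = {}
    for host, group, _owner, _title, cvss, first_seen in findings:
        if cvss < min_cvss:
            continue
        g = groups.setdefault(group, {"findings": 0, "hosts": set(), "oldest_days": 0})
        g["findings"] += 1
        g["hosts"].add(host)
        g["oldest_days"] = max(g["oldest_days"], (today - first_seen).days)
    return {name: {"findings": g["findings"], "hosts": len(g["hosts"]),
                   "oldest_days": g["oldest_days"]} for name, g in groups.items()}


def owner_worklist(findings, owner, min_cvss=4.0):
    """Administrator view: only this team's hosts, informational noise dropped,
    worst score first, then oldest first."""
    rows = [f for f in findings if f[2] == owner and f[4] >= min_cvss]
    return sorted(rows, key=lambda f: (-f[4], f[5]))


def trend(scans):
    """Per scan: (date, open, newly seen, closed since previous scan).
    A flat 'open' count can hide churn; new/closed makes it visible."""
    rows, previous = [], set()
    for day in sorted(scans):
        current = scans[day]
        rows.append((day, len(current), len(current - previous), len(previous - current)))
        previous = current
    return rows


if __name__ == "__main__":
    for name, g in sorted(group_summary(FINDINGS).items()):
        print(f"{name:20} high+ findings={g['findings']} hosts={g['hosts']} oldest={g['oldest_days']}d")
    for f in owner_worklist(FINDINGS, "win-team"):
        print("win-team:", f[0], f[3], f[4])
    for day, open_, new, closed in trend(SCANS):
        print(day, "open", open_, "new", new, "closed", closed)
```

Two things the output makes visible that a raw scanner report does not: the kiosk group carries a 7.5 finding that has been open for 273 days, which is a process failure rather than a patching backlog, and the open count is flat between the January and February scans even though one finding closed and a new one appeared, which is exactly what trend analysis exists to catch.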
Compliance and the Life Cycle
Vulnerability assessment has a never-ending life cycle. This cycle continually scans, reports, assesses, remediates and evaluates. No one phase of the life cycle can be effective without the others.
Pitfalls:
• Have reasonable life cycle expectations been set?
• Is the VA team working with the correct set of administrators to accomplish its goals?
• Has the life cycle slowed, or become lax, as the program matured?
• The VA team is not generating reports on a regular basis.
Program Success
• Utilize metrics to assign risk. The "high to low" and/or "5 to 1" scoring systems provided by VA solutions do not adequately reflect the true risk to the enterprise.
• Successful programs will scan more than traditional workstations and servers. Overlooking network-aware devices paints a partial picture of your security landscape, and device attack vectors are on the rise.
• Utilize vulnerability assessment data to supplement other security efforts. The same data can be reused to support compliance, NAC, user provisioning, licensing, etc.
Summary
A VA program can be leveraged to ease the burden of compliance efforts, reduce risk levels, perform due diligence, provide forensic data and generate reports that can be used as technology metrics.
By creating a comprehensive VA program, the organization adds yet another layer to its defense in depth: identifying the vulnerabilities that matter most to the organization, and mitigating them before they can be exploited.
A successful, comprehensive VA program will position the organization for a safer, more secure computing environment.