Vulnerability Management: Let's Get It Right This Time! Shon Harris, CEO, Logical Security
Evolving in our approaches to information security (timeline figure; the annotation on the figure reads "We are currently here")
Steps of the vulnerability management lifecycle What to do first is usually the hardest question for companies to answer.
Step 1: Define roles and responsibilities • All of the best practices, checklists and procedures do not amount to a hill of beans if individuals are not tasked with the necessary responsibilities • Roles, responsibility and enforcement go a lot farther than any new expensive gadget promising you everlasting security bliss
Step 2: Inventory • It is important to know what needs to be protected and then drill down into how to protect it. • Identify the role each asset plays in your organization. • This will help you understand the business impact if one or more of these assets are negatively affected. • The following outlines the necessary steps of asset management: • Identify all assets, configurations, versions, software, and patches • Update and maintain this information on all assets throughout their life cycle, from procurement to disposal • Identify an individual who is responsible for asset management
Step 3: Develop metrics • Metrics for tracking and reporting: • Number and type of incidents per month • Cost of recovery from incidents in person-hours • Time taken to resolve incidents • Asset classifications can be mapped to maximum tolerable downtime (MTD) values, for example: • Non-essential = MTD 30 days • Normal = MTD 7 days • Important = MTD 72 hours • Urgent = MTD 24 hours • Critical = MTD minutes to hours
Step 4: Assess and baseline • Carry out initial vulnerability assessments to establish your current level of vulnerability and threat exposure. • The types of assessment you carry out depend on the scope of vulnerabilities you are going to address. • Once you have established the metrics your company will use, determine the range of deviation from the baseline that your company can accept.
Step 5: Develop a CSIRT • Many companies try to prevent bad things from taking place but do not properly plan for what to do when bad things take place. • The team should be made up of technical staff, management, legal and human resources. • http://www.csrc.nist.gov/publications/nistpubs/800-3/800-3.pdf.
Step 6: Control vulnerability information flow • Do not be overwhelmed by an excessive number of alerts that do not affect you; filter incoming alerts against your asset inventory. • Examples of commercial alert and early-warning services: • META Security Group • TruSecure IntelliShield Early Warning System (EWS) • SecureNet Solutions • Computer Associates' eTrust Managed Vulnerability Service • There are many more out there.
Step 7: Develop threat classifications • Classify vulnerabilities based on the level of threat they pose and the probability of successful exploitation • Classify assets according to their level of vulnerability, role in the company and value • Decisions on remediation activities are based on a combination of technical and business data
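The following is an added worked example (not from the original slides) of how the MTD classes from Step 3 and the two classifications from Step 7 can be combined into a remediation order. The asset names, the 1-10 value and damage scales, the 1-hour figure used for the "Critical" MTD class, and the log-scaled urgency weighting are all assumptions made for illustration; the point it demonstrates is that a lower-probability vulnerability on a critical asset can legitimately outrank a near-certain one on a non-essential asset.

```python
"""Remediation prioritization from technical and business data (added example)."""
import math
from dataclasses import dataclass

# MTD classes from the deck, expressed in hours. "Critical" is given as
# "minutes to hours" in the slides; 1 hour is an assumed value.
MTD_HOURS = {
    "non-essential": 30 * 24,
    "normal": 7 * 24,
    "important": 72,
    "urgent": 24,
    "critical": 1,
}


@dataclass(frozen=True)
class Asset:
    name: str
    role: str
    mtd_class: str
    value: int          # relative business value, 1-10 (assumed scale)


@dataclass(frozen=True)
class Vuln:
    id: str
    asset: str          # name of the affected asset
    p_exploit: float    # probability of successful exploitation, 0-1
    damage: int         # technical damage if exploited, 1-10 (assumed scale)


def business_weight(asset: Asset) -> float:
    """Shorter tolerable downtime and higher value -> higher weight.

    A log scale keeps "30 days vs 7 days" from swamping "24h vs 1h".
    Non-essential assets get an urgency of exactly 1.0.
    """
    longest = max(MTD_HOURS.values())
    urgency = math.log(longest / MTD_HOURS[asset.mtd_class]) + 1.0
    return urgency * asset.value


def priority(vuln: Vuln, asset: Asset) -> float:
    """Technical score (likelihood x damage) scaled by business weight."""
    technical = vuln.p_exploit * vuln.damage
    return round(technical * business_weight(asset), 2)


def remediation_order(vulns, assets, accept_below=5.0):
    """Return [(vuln_id, score, action)] sorted highest priority first.

    Scores under `accept_below` are flagged as accepted risk (Step 4's
    "range of deviation the company can accept"); the threshold is assumed.
    """
    by_name = {a.name: a for a in assets}
    scored = [(priority(v, by_name[v.asset]), v.id) for v in vulns]
    scored.sort(reverse=True)
    return [(vid, s, "remediate" if s >= accept_below else "accept") for s, vid in scored]


# Constructed sample data
ASSETS = [
    Asset("billing-db", "revenue processing", "critical", 10),
    Asset("intranet-wiki", "internal documentation", "normal", 3),
    Asset("print-server", "office printing", "non-essential", 1),
]
VULNS = [
    Vuln("V1", "intranet-wiki", p_exploit=0.9, damage=9),
    Vuln("V2", "billing-db", p_exploit=0.3, damage=5),
    Vuln("V3", "print-server", p_exploit=0.95, damage=10),
]

if __name__ == "__main__":
    for vid, score, action in remediation_order(VULNS, ASSETS):
        print(f"{vid}: {score:>7} -> {action}")
```

Running it ranks V2 (billing database, 30% exploit probability) above V1 and V3, even though V3 is almost certain to be exploitable: the business side of the classification is what moves it to the bottom of the list.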
Step 8: Standardized procedures • Develop standardized procedures and checklists to follow when a new vulnerability is identified. • This formalized approach reduces wasted time and operational costs.
Vulnerability action steps: overview We will dig a little deeper into a few of these steps.
Vulnerability identification • Goal: • Identify weaknesses before they can be exploited • Process: • Continually scan for new vulnerabilities • Continually scan for rogue technology devices • Keep up-to-date on vulnerability alerts • Carry out compliance testing • Carry out operational availability analysis • Technologies: • Scanners • Vulnerability assessment tools • Penetration testing tools • New vulnerability alert subscription
Threat analysis • Goal: • Identify threat agents that can exploit identified vulnerabilities • Measure the effectiveness of current controls and countermeasures • Minimize downtime due to threat activity and other negative ramifications • Process: • Classify new vulnerabilities based on probability of successful exploitation and potential damage • Classify vulnerable assets by role in the company and business impact of disruption • Align threats with business impact and develop proper remediation steps • Use results of incidents to improve preventative measures • Technologies: • Vulnerability management automated tools • Intrusion detection systems • Event correlation • Content scanning • Antivirus
Remediation • Goal: • Reduce business downtime and business impact • Contain and mitigate damage • Respond effectively and efficiently to the incident • Process: • Roll out a temporary fix • Test and implement a permanent fix • Carry out proper configuration management • Report activities to affected business units and personnel • Document the change to the environment • Technologies: • Patch management • Configuration and software deployment tools • Vulnerability management automated tools
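An added example (not from the original slides) tying the identification and remediation steps above to the inventory from Step 2 and the alert-filtering advice of Step 6. It reconciles a constructed alert feed against a constructed inventory so that only alerts affecting installed, unpatched versions surface; flags hosts seen by a discovery scan that are absent from the inventory (rogue devices); and tracks each finding through the temporary-fix, permanent-fix and documentation stages. Host names, product names, versions and the alert identifiers are placeholders, not real advisories, and the dotted-integer version comparison is a simplifying assumption.

```python
"""Alert-to-inventory reconciliation and remediation tracking (added example)."""
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str):
    """Assumed version scheme: dotted integers, compared lexicographically."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Alert:
    id: str
    product: str
    fixed_in: str      # first version that is NOT affected
    severity: str


# Constructed sample inventory: host -> {product: installed version}
INVENTORY = {
    "web01": {"openssh": "7.4.0", "apache": "2.4.49"},
    "db01": {"openssh": "8.2.1", "postgres": "12.1.0"},
    "fs01": {"samba": "4.10.0"},
}

# Constructed sample alert feed (ids are placeholders, not real advisories)
ALERTS = [
    Alert("ALERT-001", "apache", "2.4.51", "high"),
    Alert("ALERT-002", "openssh", "8.0.0", "medium"),
    Alert("ALERT-003", "exchange", "15.2.0", "critical"),   # product not deployed
]

# Constructed result of a network discovery scan
SCAN_HOSTS = {"web01", "db01", "fs01", "10.0.5.77"}


def applicable_alerts(inventory, alerts):
    """Keep only (alert, host, installed_version) where the installed version is
    older than the fixed version. Everything else is noise for this organization."""
    hits = []
    for alert in alerts:
        for host, software in inventory.items():
            installed = software.get(alert.product)
            if installed is None:
                continue
            if parse_version(installed) < parse_version(alert.fixed_in):
                hits.append((alert.id, host, installed))
    return hits


def rogue_hosts(inventory, scanned):
    """Hosts that answered the scan but have no inventory record."""
    return sorted(scanned - set(inventory))


@dataclass
class Ticket:
    alert_id: str
    host: str
    temporary_fix: Optional[str] = None
    permanent_fix: Optional[str] = None
    documented: bool = False

    def status(self) -> str:
        if self.permanent_fix and self.documented:
            return "closed"
        if self.permanent_fix:
            return "fixed-undocumented"
        if self.temporary_fix:
            return "mitigated"
        return "open"


def open_tickets(inventory, alerts):
    return [Ticket(a, h) for a, h, _ in applicable_alerts(inventory, alerts)]


if __name__ == "__main__":
    print("rogue hosts:", rogue_hosts(INVENTORY, SCAN_HOSTS))
    for t in open_tickets(INVENTORY, ALERTS):
        print(t.alert_id, t.host, t.status())
```

Of three alerts in the feed only two apply here, both to web01; db01's newer OpenSSH is ignored, as is the product the organization does not run. The ticket states mirror the slide's process: a temporary fix moves a ticket to "mitigated", a permanent fix without the change record is deliberately reported as "fixed-undocumented" so that step is not skipped.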
Step 9: Improve preventative controls • When an intrusion occurs, the security staff should treat it as an opportunity to reinforce the necessary security barriers. • Too many times companies just "plug the hole" without investigating the layers of controls that had to be penetrated for the threat to succeed.
Step 10: Continual monitoring • Vulnerability management is a process, not a product or a project
Common vulnerabilities that are overlooked • Remote access servers • Is this traffic monitored via firewalls and IDS? • Outgoing ports (egress filtering) • Are your employees carrying out hacking activities, or are any of your systems infected with zombie (bot) software? • Unmanaged modems and rogue access points • Have new ones popped up in your environment without your knowledge? • Personnel security knowledge assessment • The most commonly overlooked item, and the one that can cause the most damage. • Data validation and buffer overflows in software • Have you properly tested for these types of attacks? • Proper configuration of security devices • IDS, firewall and access control misconfigurations account for most of the serious vulnerabilities in many environments today.
More vulnerabilities • Authorization creep • Employees and contractors gaining more and more access rights without their access needs being validated. • Internal fraud • Authorized users are the most difficult to audit and monitor because they have been granted privileged access. • Confidential data • Are your employees sending this type of information out through e-mail or saving it to removable media to take out of the environment? • PBX fraud • Are you monitoring long-distance use to ensure that phreakers are not selling access to your telephone service? • Wireless • Check for rogue access points and the possibility of sniffing and man-in-the-middle attacks.
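As an added example (not from the original slides) of the egress-filtering check called out above, the following reviews constructed firewall log lines against an outbound policy and flags internal hosts talking to the Internet on ports they have no business using, then singles out hosts reaching many distinct external destinations on disallowed ports, the pattern a bot or a misused workstation tends to produce. The log format, the internal address ranges, the policy (web and DNS for everyone, SMTP only from an assumed mail relay at 10.0.2.25) and the "three distinct destinations" threshold are all assumptions.

```python
"""Egress policy check over firewall log lines (added example)."""
import ipaddress
import re
from collections import defaultdict

# Assumed log format: key=value pairs on one line per allowed connection.
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)")

# Internal address space is declared explicitly. (ipaddress.is_private is not
# used because it also treats the documentation ranges used below as private.)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Assumed egress policy: "*" applies to every internal host; per-host entries
# grant extra ports (the mail relay address is an assumption).
EGRESS_POLICY = {
    "*": {80, 443, 53},
    "10.0.2.25": {25, 587},
}

# Constructed sample log; external addresses are from the documentation ranges.
SAMPLE_LOG = """\
ts=1 src=10.0.1.15 dst=203.0.113.9 proto=tcp dport=443 action=allow
ts=2 src=10.0.1.15 dst=198.51.100.23 proto=tcp dport=6667 action=allow
ts=3 src=10.0.2.25 dst=203.0.113.40 proto=tcp dport=25 action=allow
ts=4 src=10.0.1.40 dst=203.0.113.40 proto=tcp dport=25 action=allow
ts=5 src=10.0.1.15 dst=203.0.113.55 proto=tcp dport=6667 action=allow
ts=6 src=10.0.1.15 dst=192.0.2.8 proto=udp dport=31337 action=allow
ts=7 src=203.0.113.9 dst=10.0.1.15 proto=tcp dport=443 action=allow
ts=8 src=10.0.1.15 dst=10.0.1.40 proto=tcp dport=445 action=allow
""".splitlines()


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    m = LOG_RE.search(line)
    if m is None:
        return None
    return m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dport"))


def egress_violations(lines, policy=EGRESS_POLICY):
    """(src, dst, dport) for internal -> external connections outside the policy.
    Inbound and purely internal traffic is not egress and is skipped."""
    violations = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, _proto, dport = rec
        if not is_internal(src) or is_internal(dst):
            continue
        allowed = policy["*"] | policy.get(src, set())
        if dport not in allowed:
            violations.append((src, dst, dport))
    return violations


def suspected_bots(violations, min_distinct_dst=3):
    """Hosts whose policy violations fan out to many external destinations."""
    dsts = defaultdict(set)
    for src, dst, _dport in violations:
        dsts[src].add(dst)
    return sorted(h for h, d in dsts.items() if len(d) >= min_distinct_dst)


if __name__ == "__main__":
    v = egress_violations(SAMPLE_LOG)
    for src, dst, dport in v:
        print(f"violation: {src} -> {dst}:{dport}")
    print("suspected bots:", suspected_bots(v))
```

The mail relay's SMTP connection passes, the workstation at 10.0.1.40 sending SMTP directly is flagged (a classic spam-bot symptom), and 10.0.1.15, which reaches three different external hosts on IRC and a high UDP port, is reported as a suspected bot. Run against real logs, "allow" lines on unexpected ports are exactly the traffic a missing egress rule lets through.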
A process - not a product or a project • Do not simply throw money and resources at the issue • Develop a strategic, ongoing process that is integrated into everyday activities • A large corporation of over 200,000 employees created an 80-person staff dedicated solely to vulnerability management. • They could not keep up and be successful because of a lack of organization, vision, strategy, and process integration • Not because of a lack of money
How do we do that again? • Process: • Capture a baseline of your security posture • Define the desired security posture baseline • Define the acceptable risk level • Inventory and classify assets based on their value to the company • Develop a Computer Security Incident Response Team (CSIRT) • Control vulnerability information flow • Develop standardized procedures and checklists to follow when a new vulnerability is identified • Integrate activities with asset management, event management and patch management processes • Review and improve upon the preventative countermeasures currently in place • Continually monitor the environment's security baseline