750 likes | 1.01k Vues
An Introduction to Vulnerability Management. Garrett Lanzy, Information Security Specialist Information Security Office Minnesota State Colleges and Universities g arrett.lanzy@so.mnscu.edu March 28 th , 2012 Presentation can be downloaded from http:// home.comcast.net /~ lanzyg.
E N D
An Introduction to Vulnerability Management Garrett Lanzy, Information Security Specialist Information Security Office Minnesota State Colleges and Universities garrett.lanzy@so.mnscu.edu March 28th, 2012 Presentation can be downloaded from http://home.comcast.net/~lanzyg
Ground Rules • Lectures are boring • I don’t do lectures for a living • I don’t want to put you to sleep (let alone myself!) • I’d rather have an interactive presentation • All questions are welcome! • feel free to ask during the presentation • long(er) answers may be deferred to end • Feel free to contact me anytime with any further questions/comments • Examples are from several different scans, so they don’t all “match”
Professional history • B.S. degrees in EE and CS from Michigan Tech • 22 year career at IBM • 5 years hardware performance analysis • 3 years software change management • 14 years TCP/IP application development • 2 years at Metropolitan State University • Network/server/storage administration (1 year) • Interim Director of IT Operations (1 year) • 2 years at MnSCU system office • Information security/vulnerability management
Outline • Introduction to Vulnerabilities • Evaluating Vulnerabilities • Identifying Vulnerabilities • Fundamentals of Vulnerability Management • Vulnerability Management at MnSCU • nCircle IP360 Deep Dive
An introduction to Vulnerabilities
Definition: Vulnerability • Wikipedia: “a weakness which allows an attacker to reduce a system’s information assurance.” • ISO 27005: “A weakness of an asset or group of assets that can be exploited by one or more threats.” • RFC 2828: “A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy.”
Examples of vulnerabilities • Software bug allows unrestricted access to network share • Network switch installed without changing the default administrator password • Server application’s configuration file is writable by anyone • Web application allows database contents to be “dumped”
CIA Triad CIA = Confidentiality, Integrity, Availability How can vulnerabilities affect the CIA triad? • Confidentiality: a vulnerability might allow access to private or protected data • Integrity: a vulnerability might allow unauthorized modification of data • Availability: a vulnerability might cause a system to crash
(ISC)2 (ISC)2 = International Information Systems Security Certification Consortium CBK = Common Body of Knowledge (ISC)2 Certifications: • SSCP = Systems Security Certified Professional • CAP = Certified Authorization Professional • CSSLP = Certified Secure Software Lifecycle Professional • CISSP = Certified Information Systems Security Professional
(ISC)2 CBK Domains • Access Control • Telecommunications and Network Security • Information Security Governance and Risk Management • Software Development Security • Cryptography • Security Architecture and Design • Operations Security • Business Continuity and Disaster Recovery Planning • Legal, Regulations, Investigations and Compliance • Physical (Environmental) Security Which domains may be affected by a vulnerability?
How are vulnerabilities found? • “Something is wrong” • Formal testing/techniques • Fuzzing • Bounds checking • Automated tools • Security research/ethical hackers (“White hats”) • Unethical hackers (“Black hats”) • “Grey hats”
Vulnerability Disclosure • “Responsible disclosure” (White hat) • Discovered vulnerability first reported to vendor • Disclosed to CERT later (2 weeks) • CERT = Computer Emergency Response Team • Full disclosure to the public much later • Quick disclosure (Grey hat) • Discovered vulnerability immediately (or quickly) disclosed publically • No disclosure (Black hat) • Remains a “zero-day” attack until someone else finds it
Vulnerability inventory databases • CVE = Common Vulnerabilities and Exposureshttp://cve.mitre.org • SecurityFocus/BugTraqhttp://www.securityfocus.com/ • OSVDB = Open Source Vulnerability Databasehttp://www.osvdb.org/ • OWASP = Open Web Application Security Projecthttps://www.owasp.org/index.php/Category:Vulnerability • https://www.owasp.org/index.php/OWASP_Top_Ten_Project • Vendor-specific databases (Microsoft, Apple, Adobe, RedHat, SuSE, Cisco, …)
OWASP Top 10 OWASP Top 10 Application Security Risks: • Injection • Cross-Site Scripting (XSS) • Broken Authentication and Session Management • Insecure Direct Object References • Cross-Site Request Forgery (CSRF) • Security Misconfiguration • Insecure Cryptographic Storage • Failure to Restrict URL Access • Insufficient Transport Layer Protection • Unvalidated Redirects and Forwards
Evaluating VULNERABILITIES
Vulnerability evaluation • Many different ways to evaluate vulnerabilities • Many different “scoring” systems • CVSS = Common Vulnerability Scoring System • 3 values: Base, Temporal, Environmental • Each ranges from 0 to 10 • Each value calculated from a formula based on criteria • Nobody “owns” the CVSS values, therefore numeric values should be accompanied by the scoring criteria (“vector”)
CVSS Scoring • Base metric: Constant with time and users • What damage is possible? • Temporal Metric: Varies with time • What is the current state of the vulnerability? • Environmental metric: Varies by environment • How could the vulnerability affect me?
CVSS Base Metric Example CVE-2012-0002 example – base metric (NIST) CVSS Base Score : 9.3 CVSS Base Vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) Access Vector = Network (can be exploited from anywhere) Access Complexity = Medium (it takes some work but not a PhD) Authentication = None (required) Confidentiality Impact = Complete (attacker can get data at will) Integrity Impact = Complete (attacker can change data at will) Availability Impact = Complete (attacker can crash system)
CVSS Temporal Metric Example CVE-2012-0002 example – temporal metric (nCircle, on 3/13/12) nCircle CVSS Temporal Score : 6.9 nCircle CVSS Temporal Vector : (E:U/RL:OF/RC:C) Exploitability = Unproven (but now at least POC, probably Functional) Remediation = Official fix (Microsoft has released a patch) Report Confidence = Confirmed (it’s really out there)My take: Exploitability should now be “Functional”, which raises the score from 6.9 to 7.9
CVSS Environmental Metric Example CVE-2012-0002 example – environmental metric (MnSCU before remediation) MnSCU CVSS Environmental Score : 6.3 MnSCU CVSS Environmental Vector : (CDP:MH/TD:M/CR:M/IR:H/AR:M) Collateral Damage Potential: Medium-High (significant productivity loss) Target Distribution: Medium (26%-75% of environment at risk) Confidentiality Requirement: Medium Integrity Requirement: High Availability Requirement: Low
Identifying VULNERABILITIES
Tools for Finding Vulnerabilities • Port scanners/Network enumerators • Penetration testing tools • Web application scanners • Network vulnerability scanners • Specialized scanners • Database, ERP, etc.
Port scanners/Network enumerators • Scan networks to find systems • Scan ports on a system for applications/services • Scan TCP/IP stack behavior to determine OS • Stack fingerprinting • Scan for other system information • Open shares, application banners, etc. • Example: Nmap (Network mapper)http://www.nmap.org • open source tool
Penetration Testing Tools • Allow vulnerabilities to be found • Allow vulnerabilities to be exploited • Many different techniques used • Example: Metasploithttp://www.metasploit.com • Open-source version: Metasplolit Framework • Proprietary “free” : Metasploit Community Edition • Paid versions: Metasploit Express, Metasploit Pro • Proprietary versions developed by Rapid7
Network vulnerability scanners • Start with network enumeration/port scanning • Add additional function for finding specific vulnerabilities • Agent vs. agentless: • Scanners need to “see inside” system to find some vulnerabilities • Some require software “agent” installed on systems to be scanned • Agentless requires ability to “log in” to systems to discover these vulnerabilities
Vulnerability scanners • Nexpose • Commercial, developed by Rapid7 • Free and paid versions • Nessus • Originally open-source, became commercial • Developed by Tenable Network Security • OpenVAS = Open Vulnerability Assessment System • Open source, based on Nessus • Supported by German Federal Office for Information Security • SAINT • Commercial product • QualysGuard • Commercial, SaaS (“cloud”) solution
IP360 • Commercial vulnerability scanning product from nCircle • Distributed, agentless vulnerability scanner • Agentless: no software installed on devices scanned for vulnerabilities • Distributed: local campus scanning appliances (device profilers) reduce network load • Distributed: authorization model allows each campus to maintain own network and scan definitions • Works with nCircle Security Intelligence Hub (SIH) product for reporting • Limited web application scanning capability
IP360 Supported Credentials • SMB-DRT: [domain/]username/password • Gives access to Windows systems • SSH-DRT username/private key or username/password • Gives access to Linux/OS X/Unix/ESX/network devices • SNMP-DRT: SNMP Community String • Gives access to SNMP MIB data (printers, network devices, … • Web applications (HTTP and web forms) DRT = Deep Reflex Testing
Some fundamentals of Vulnerability Management
What is the basis of Information Security? • Governance: Policies, Procedures, and Processes • Who • Defines roles and responsibilities • What • Defines how data is classified • Defines what needs to be protected • Why • Defines how risk is assessed & managed
Vulnerability Management Process • Define Policy • 5.23.1.5 – Security Patch Mgmt. • 5.23.1.6 – Vulnerability Scanning • 5.23.1.8 – Anti-malware Installation and Management
Vulnerability Mitigation/Remediation • Patching • Fixing configuration • Remove program/service • Do we need it? • Disable program/service • Can we live without it? • Block access to program/service • Access controls • Firewalls
Information Security Program • To protect information resources against unauthorized use, disclosure, modification, damage or loss • Policies, procedures & guidelines • Risk analysis & assessment • Secure development & procurement practices • Incident response • Enterprise Access Management (new)
Vulnerability Management Infrastructure • Regularly check every network device for actual or potential security problems • 30,000 devices scanned at least quarterly • 9,000 “visible” from Internet also scanned monthly • Problems found are prioritized for remediation • 30% reduction of Internet-visible vulnerabilities in past 3 months • Cost: $3.55/device scanned/year
VMI Roles & Responsibilities • MnSCU Information Security Office • Contract administration & payment • System administration & maintenance • Hardware configuration • User assistance • Reporting to institution CIOs/campus VMI contacts • “Institution IT” activities for system data centers • Institution IT (“hamster wheel”) • Campus scanning definition & configuration • Vulnerability prioritization & remediation
IP360 architecture 2 types of systems: • VnE = Vulnerability Enumerator • “command and control” server • User interface (via browser) • Configuration and scan data storage • Device profiler • Appliance which performs scans • Configuration for local network • No data storage after scan is complete
nCircle IP360 Deep Dive
IP360 configuration objects 3 objects tied together define a “scan”: • Scan profile • Network profile • Device profiler
IP360 Scan Profile • Options for discovering systems • ICMP (ping), port scans (TCP and/or UDP) • Types of scanning to perform • Stack fingerprinting? • Application detection? • Vulnerability scanning? • Web application scanning? • Configuration checks? • Use credentials? • Schedules for scanning
IP360 Network Profile • Address range(s) to scan • How systems are correlated between scans • e.g., a system’s IP address may change between scans • Need to be able to track changes to same system • Asset value: relative “importance” of a system • Sample criteria: • 1 = printers • 3 = lab workstations • 5 = staff workstations • 10 = servers
Scanning process Scans are controlled by the VnE, which sends commands to the device profiler. Depending on options chosen in scan profile, the following operations are performed during a scan: • Host discovery • Port scanning • Application discovery • Stack fingerprinting • Vulnerability checking • Configuration checking
Host Discovery Each IP address in the range specified by the network object is checked with the discovery options specified by the scan profile: • ICMP (ping) • TCP port scan on specified ports • UDP port scan on specified ports Up to 150 devices can be scanned simultaneously by a device profiler (to improve performance).