An Introduction to Vulnerability Management
Garrett Lanzy, Information Security Specialist
Information Security Office
Minnesota State Colleges and Universities
[email protected]
March 28th, 2012
Presentation can be downloaded from http://home.comcast.net/~lanzyg
Slide 2
– I don’t do lectures for a living
– I don’t want to put you to sleep (let alone myself!)
– I’d rather have an interactive presentation
• All questions are welcome!
– feel free to ask during the presentation
– long(er) answers may be deferred to end
• Feel free to contact me anytime with any further questions/comments
• Examples are from several different scans, so they don’t all “match”
Slide 3
Professional history
• B.S. degrees in EE and CS from Michigan Tech
• 22 year career at IBM
– 5 years hardware performance analysis
– 3 years software change management
– 14 years TCP/IP application development
• 2 years at Metropolitan State University
– Network/server/storage administration (1 year)
– Interim Director of IT Operations (1 year)
• 2 years at MnSCU system office
– Information security/vulnerability management
Slide 4
Outline
• Introduction to Vulnerabilities
• Evaluating Vulnerabilities
• Identifying Vulnerabilities
• Fundamentals of Vulnerability Management
• Vulnerability Management at MnSCU
• nCircle IP360 Deep Dive
Slide 5
An introduction to VULNERABILITIES
Slide 6
Definition: Vulnerability
• Wikipedia: “a weakness which allows an attacker to reduce a system’s information assurance.”
• ISO 27005: “A weakness of an asset or group of assets that can be exploited by one or more threats.”
• RFC 2828: “A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy.”
• Many different “scoring” systems
• CVSS = Common Vulnerability Scoring System
– 3 values: Base, Temporal, Environmental
– Each ranges from 0 to 10
– Each value calculated from a formula based on criteria
– Nobody “owns” the CVSS values, therefore numeric values should be accompanied by the scoring criteria (“vector”)
Slide 18
CVSS Scoring
• Base metric: Constant with time and users
– What damage is possible?
• Temporal Metric: Varies with time
– What is the current state of the vulnerability?
• Environmental metric: Varies by environment
– How could the vulnerability affect me?
Slide 19
CVSS Base Metric Example
CVE-2012-0002 example – base metric (NIST)
CVSS Base Score: 9.3
CVSS Base Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Access Vector = Network (can be exploited from anywhere)
Access Complexity = Medium (it takes some work but not a PhD)
Authentication = None (required)
Confidentiality Impact = Complete (attacker can get data at will)
Integrity Impact = Complete (attacker can change data at will)
Availability Impact = Complete (attacker can crash system)
Slide 20
CVSS Temporal Metric Example
CVE-2012-0002 example – temporal metric (nCircle, on 3/13/12)
Exploitability = Unproven (but now at least POC, probably Functional)
Remediation = Official fix (Microsoft has released a patch)
Report Confidence = Confirmed (it’s really out there)
My take: Exploitability should now be “Functional”, which raises the score from 6.9 to 7.9
Slide 21
CVSS Environmental Metric Example
CVE-2012-0002 example – environmental metric (MnSCU before remediation)
• Regularly check every network device for actual or potential security problems
– 30,000 devices scanned at least quarterly
– 9,000 “visible” from Internet also scanned monthly
– Problems found are prioritized for remediation
• 30% reduction of Internet-visible vulnerabilities in past 3 months
• Cost: $3.55/device scanned/year
Slide 39
Vulnerability Management System Guideline
Slide 40
VMI Roles & Responsibilities
• MnSCU Information Security Office
– Contract administration & payment
– System administration & maintenance
– Hardware configuration
– User assistance
– Reporting to institution CIOs/campus VMI contacts
– “Institution IT” activities for system data centers
• Institution IT (“hamster wheel”)
– Campus scanning definition & configuration
– Vulnerability prioritization & remediation
Slide 41
IP360 architecture
2 types of systems:
• VnE = Vulnerability Enumerator
– “command and control” server
– User interface (via browser)
– Configuration and scan data storage
• Device profiler
– Appliance which performs scans
– Configuration for local network
– No data storage after scan is complete
Slide 42
VMI Architecture
Slide 43
nCircle IP360 DEEP DIVE
Slide 44
IP360 configuration objects
3 objects tied together define a “scan”:
• Scan profile
• Network profile
• Device profiler
Slide 45
IP360 Scan Profile
• Options for discovering systems
– ICMP (ping), port scans (TCP and/or UDP)
• Types of scanning to perform
– Stack fingerprinting?
– Application detection?
– Vulnerability scanning?
– Web application scanning?
– Configuration checks?
– Use credentials?
• Schedules for scanning
Slide 46
IP360 Network Profile
• Address range(s) to scan
• How systems are correlated between scans
– e.g., a system’s IP address may change between scans
– Need to be able to track changes to same system
• Asset value: relative “importance” of a system
– Sample criteria:
• 1 = printers and IP Phones
• 3 = lab workstations
• 5 = staff workstations
• 10 = servers
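As an added example of the two ideas on this slide, correlating hosts between scans on something more stable than the IP address, and weighting findings by asset value, the following Python keys two constructed scan results on a MAC address and then ranks the open findings. This is my own code, not nCircle's: the record layout, the MAC as the stable key, and the "CVSS score × asset value" weighting are assumptions for illustration, since the slides do not describe how IP360 actually correlates or ranks. The EXAMPLE-VULN-* identifiers are placeholders.

```python
# Added example (my own, not nCircle's): correlate two scans by a stable host key
# and rank open findings by CVSS base score weighted with the slide's asset values.

# Asset-value scale taken from the network-profile slide
ASSET_VALUE = {"printer": 1, "ip_phone": 1, "lab_workstation": 3,
               "staff_workstation": 5, "server": 10}

# Constructed scan records: (stable_key, ip, role, vuln_id, cvss_base).
# The stable key is a MAC address here (an assumption; a real network profile might
# correlate on hostname or an agent id). EXAMPLE-VULN-* ids are placeholders.
SCAN_PREVIOUS = [
    ("00:11:22:33:44:01", "10.1.1.10", "server",            "CVE-2012-0002",  9.3),
    ("00:11:22:33:44:02", "10.1.1.11", "staff_workstation", "CVE-2012-0002",  9.3),
    ("00:11:22:33:44:03", "10.1.1.12", "lab_workstation",   "EXAMPLE-VULN-1", 5.0),
    ("00:11:22:33:44:04", "10.1.1.13", "printer",           "EXAMPLE-VULN-2", 7.8),
]
SCAN_CURRENT = [
    ("00:11:22:33:44:01", "10.1.1.10", "server",            "EXAMPLE-VULN-3", 4.3),  # patched; a new issue appeared
    ("00:11:22:33:44:02", "10.1.1.25", "staff_workstation", "CVE-2012-0002",  9.3),  # DHCP handed it a new IP
    ("00:11:22:33:44:03", "10.1.1.12", "lab_workstation",   "EXAMPLE-VULN-1", 5.0),
    ("00:11:22:33:44:04", "10.1.1.13", "printer",           "EXAMPLE-VULN-2", 7.8),
]


def by_host(scan):
    """Group a scan's findings under the stable key, keeping the IP and role seen."""
    hosts = {}
    for key, ip, role, vuln, score in scan:
        entry = hosts.setdefault(key, {"ip": ip, "role": role, "findings": {}})
        entry["findings"][vuln] = score
    return hosts


def correlate(previous, current):
    """Diff two scans host by host on the stable key, so an IP change is reported
    as a move rather than as one host vanishing and an unrelated one appearing."""
    prev, curr = by_host(previous), by_host(current)
    report = {"fixed": [], "new": [], "persisting": [], "moved": []}
    for key in sorted(prev.keys() | curr.keys()):
        p_findings = prev.get(key, {}).get("findings", {})
        c_findings = curr.get(key, {}).get("findings", {})
        if key in prev and key in curr and prev[key]["ip"] != curr[key]["ip"]:
            report["moved"].append((key, prev[key]["ip"], curr[key]["ip"]))
        report["fixed"] += [(key, v) for v in sorted(p_findings.keys() - c_findings.keys())]
        report["new"] += [(key, v) for v in sorted(c_findings.keys() - p_findings.keys())]
        report["persisting"] += [(key, v) for v in sorted(p_findings.keys() & c_findings.keys())]
    return report


def prioritize(scan):
    """Rank open findings by CVSS base score x asset value (an assumed weighting).
    Returns (risk, ip, role, vuln_id) tuples, highest risk first."""
    ranked = [(round(score * ASSET_VALUE.get(role, 1), 1), ip, role, vuln)
              for _key, ip, role, vuln, score in scan]
    return sorted(ranked, key=lambda r: (-r[0], r[1]))


if __name__ == "__main__":
    for category, items in correlate(SCAN_PREVIOUS, SCAN_CURRENT).items():
        print(category, items)
    for row in prioritize(SCAN_CURRENT):
        print(row)
```

Keying on the IP instead would have reported the staff workstation as one host fixed and a new host found, which is exactly the false trend the slide warns about. Note also that the weighting puts the 9.3 on a staff workstation ahead of the 4.3 on a server but the 7.8 on a printer last; whether that ordering is right for a given campus is a policy decision, which is why the asset values belong in the network profile rather than hard-coded in the tool.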
Slide 47
Scanning process
Scans are controlled by the VnE, which sends commands to the device profiler. Depending on options chosen in scan profile, the following operations are performed during a scan:
• Host discovery
• Port scanning
• Application discovery
• Stack fingerprinting
• Vulnerability checking
• Configuration checking
Slide 48
Anatomy of a VnE Scan
Slide 49
Host Discovery
Each IP address in the range specified by the network object is checked with the discovery options specified by the scan profile:
• ICMP (ping)
• TCP port scan on specified ports
• UDP port scan on specified ports
Up to 150 devices can be scanned simultaneously by a device profiler (to improve performance).
Slide 50
Host Discovery Example
Slide 51
Port Scanning Example
Slide 52
Application Discovery
Device profiler scan to determine what applications/versions are available:
• Port scans and application-layer network checks
• If credentials are configured:
– Registry checks
– File checks
Slide 53
Application Discovery Example
Slide 54
Stack Fingerprinting
The profiler sends probes with various network and transport layer (IP, ICMP, TCP, and UDP) protocol options and checks the responses to identify the operating system of the device
• Different OSs behave differently
• “Voting” algorithm used to determine most likely OS
• Useful if not able to scan device with credentials
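The “voting” idea can be shown with a small added example. This is my own code, not the IP360 profiler's algorithm, and the signature table is illustrative rather than a real fingerprint database: each probe response that matches a signature attribute casts one vote for that OS, probes that went unanswered (filtered, or not run) cast none, and a result below a minimum vote count or tied between two OSs is reported as unknown rather than guessed.

```python
# Added example (not the IP360 profiler's algorithm): a vote-based OS guesser.
# The signature table is illustrative; real fingerprint databases are far larger.

SIGNATURES = {
    "Linux 2.6 (illustrative)": {
        "ttl": 64, "df": True, "window": 5840, "tcp_opts": "MSS,SACK,TS,NOP,WS"},
    "Windows 7 (illustrative)": {
        "ttl": 128, "df": True, "window": 8192, "tcp_opts": "MSS,NOP,WS,NOP,NOP,SACK"},
    "Printer firmware (illustrative)": {
        "ttl": 255, "df": False, "window": 4096, "tcp_opts": "MSS"},
}


def normalize_ttl(ttl):
    """Map an observed TTL back to the initial value the sender most likely used;
    each router hop decrements it, so 60 is treated as 64 and 120 as 128."""
    for initial in (32, 64, 128, 255):
        if ttl <= initial:
            return initial
    return ttl


def vote(observed):
    """Count one vote per signature attribute that matches a probe response.
    Attributes missing from `observed` (probe filtered or not run) cast no vote."""
    tallies = {}
    for os_name, signature in SIGNATURES.items():
        votes = 0
        for attr, expected in signature.items():
            if attr not in observed:
                continue
            got = normalize_ttl(observed[attr]) if attr == "ttl" else observed[attr]
            if got == expected:
                votes += 1
        tallies[os_name] = votes
    return tallies


def guess_os(observed, min_votes=2):
    """Return (os_name, tallies); 'unknown' when the evidence is thin or tied."""
    tallies = vote(observed)
    ranked = sorted(tallies.items(), key=lambda kv: kv[1], reverse=True)
    best_name, best_votes = ranked[0]
    tied = len(ranked) > 1 and ranked[1][1] == best_votes
    if best_votes < min_votes or tied:
        return "unknown", tallies
    return best_name, tallies


if __name__ == "__main__":
    # Constructed probe results for three hosts
    full = {"ttl": 60, "df": True, "window": 5840, "tcp_opts": "MSS,SACK,TS,NOP,WS"}
    partial = {"ttl": 120, "df": True}   # TCP probes filtered; only ICMP answered
    thin = {"df": True}                  # one attribute cannot separate Linux from Windows
    for label, obs in (("full", full), ("partial", partial), ("thin", thin)):
        print(label, guess_os(obs))
```

The `partial` case is the one that matters in practice: a host behind a filtering device still yields a confident guess from the attributes that did come back, while the `thin` case shows why a vote threshold and a tie rule are needed, since a single shared attribute would otherwise be reported as a match.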
Slide 55
Stack Fingerprinting Example
Slide 56
Stack Fingerprinting Vote Example
Slide 57
Vulnerability Checks
For each application found, checks are performed for each known/detectable vulnerability. These use the same techniques as application discovery, but go into more detail.
• May have completely different checks for the same vulnerability in different versions of an application
• May have multiple checks for the same vulnerability
Slide 58
Vulnerability Check Example
Slide 59
Configuration Checks
If selected, specific checks are made to determine and report on configuration options. The available checks are highly dependent on each OS/application and whether or not credentialed scanning is being done.
Slide 60
Configuration Check Example
Slide 61
Reporting
• Many types of reports are available
• Can “drill down” to extreme levels of detail
• Can aggregate data for management reports and trend analysis
Slide 62
Sample Scan Report – Summary (pt. 1)
Slide 63
Sample Scan Report – Summary (pt. 2)
Slide 64
Sample Scan Report – Summary (pt. 3)
Slide 65
Vulnerabilities Report
Slide 66
Specific vulnerability (pt. 1)
Slide 67
Specific vulnerability (pt. 2)
Slide 68
Risk Matrix report
Slide 69
Summary
• Vulnerability Management is an important component of any Information Security program
• Need to start with policies and procedures so we know what to protect
• Variety of tools available, both free and $
• Tools give much more information than just what vulnerabilities are found
• Remediation ties into other IS processes
Slide 70
Questions?
• Presentation can be downloaded from:
– http://home.comcast.net/~lanzyg