Beyond the Scan: The Value Proposition of Vulnerability Assessment
4 likes2,799 views
The document discusses the evolution and value proposition of vulnerability assessments in information security. It emphasizes the importance of combining automated scanning with human expertise to identify vulnerabilities and improve organizational security. Additionally, it highlights case studies, specific considerations for healthcare and industrial control systems, and the critical need for understanding one's environment to effectively manage vulnerabilities.
![“The [DOJ]
became
concerned…
and
threatened to
press charges
against…Dan
Farmer….”
“…Internet
Scanner can
check for more
than 100 known
vulnerabilities.”](https://image.slidesharecdn.com/bsidesaustin-beyondthescan-150314090521-conversion-gate01/85/Beyond-the-Scan-The-Value-Proposition-of-Vulnerability-Assessment-10-320.jpg)
Beyond the Scan: The Value Proposition of Vulnerability Assessment
- 1. Beyond the Scan: The Value Proposition of Vulnerability Assessment Damon J. Small, MSc.IA, CISSP Managing Consultant, IOActive August 6, 2015
- 2. About @damonsmall • Managing Consultant at IOActive • Louisiana native “Not from Texas but I got here as fast as I could!” • In IT since 1995; infosec since 2001 • Spent much of my career supporting healthcare organizations in the Texas Medical Center • Studied music at LSU; grad school in 2005 for Information Assurance • Currently supporting a large oil & gas client in Houston
- 4. More than just clicking “scan…” Red Team Blue Team #BlueCollarSecurity
- 8. But first, a history lesson • Security Administrator Tool for Analyzing Networks (SATAN) • Released in 1995 and polarized the security industry
- 9. PC Mag, April 23, 1996
- 10. “The [DOJ] became concerned… and threatened to press charges against…Dan Farmer….” “…Internet Scanner can check for more than 100 known vulnerabilities.”
- 11. Where are they now? • http://en.wikipedia.org/wiki/Dan_Farmer • http://en.wikipedia.org/wiki/Wietse_Venema • Richard Carson & Donna Ruginski forked Security Administrator’s Integrated Network Tool (SAINT) from SATAN in 1995 • SAINT Became a commercial product in 1998
- 12. From those humble beginnings… • An entire new capability was created for infosec • Progression from - Simple scanning - Vulnerability Assessment - Vulnerability Management
- 13. Scanners have been around for two decades…. …but are still misunderstood.
- 14. Electrons/Photons going though wire/fiber What is being examined What tool can be used 1. Physical 2. Datalink 3. Network 4. Transport 5. Session 6. Presentation 7. Application MediaLayersHostLayers TCP/UDP/IP, ports nmap Thick-client apps IDA Pro, Sys Internals User-facing web app Web Inspect, Burp The entire stack Manual, human-based testing Network, software, & OS info Nexpose, Qualys, Nessus, SAINT TCP/IP, ports, protocols, MAC Wireshark, tcpdump, windump OSI Model
- 15. 1. Physical 2. Datalink 3. Network 4. Transport 5. Session 6. Presentation 7. Application MediaLayersHostLayers OSI Model Tools Network, software, & OS information Nexpose, Qualys, Nessus, SAINT People The entire stack Manual, human-based testing Automated Scanners Good for: • Longitudinal scans • Comparing results over time • Statistical reporting • Large number of hosts • Integration of data to other systems Limits: • False positives • Cannot correlate results to the environment • Software information is basic • “Dumb” • Unaware of business logic flaws Manual, Human-based Testing Good for*: • Detecting business logic flaws • Architecture design review • Code review • Validation of vulnerabilities • Advanced configuration issues • Memory analysis • Vulnerability chaining • Cannot be done with software alone Limits: • Resource-intensive *Although this seems straight-forward, it fills a methodology document that is hundreds of pages long. The tools are critical but their usefulness is limited without skilled security professionals For example: HTTP vulnerability false positives?
- 16. Define Your Lexicon • Application - the 7th layer of the OSI Model. • Application - software that a human uses. • Interface - connects a host to a network (NIC). • Interface - software that allows programs to share info. • Interface - software that allows humans to interact with computers/apps. • Session - the 5th layer of the OSI Model. • Session - interaction between a browser and server. • Server - hardware that runs a network OS. • Server - software that responds to client requests.
- 17. Know your Environment What is the architecture of your network, both logically and physically?
- 18. Know your Organization Critical Success Factor How will the data be consumed and acted upon?
- 19. Case Studies 1. Identifies potential vulnerabilities 2. Provides remediation information 3. Asset Management* 4. Software Management* 5. Compliance 6. Strategic – on-going operational intelligence 7. Tactical – Incident Response *Not generally a named feature, but a result of the activity.
- 20. Case Studies
- 21. 1. Identifies Potential Vulnerabilities “What are attractive targets?” “What patches are missing?” “Is our environment configured properly?”
- 22. • Perimeter scan revealed CIFS • Ports 135, 139, 445 • Hosts were largely Windows XP (late 2013) • Assessment team asked “why?” • Answer: “Necessary for support.” • LPT: It is never a good idea to expose NetBIOS ports on a Windows machine to the Internet • Legacy business app required IP-based authentication • Static NAT assignments were made - each host had a routable IP Address • Inbound rule was any any accept
- 23. • Multiple misunderstandings resulted in poor decisions • Poor decisions were left unchecked for many years • Scan resulted not only in identifying vulnerabilities, but also - Poor documentation - Broken Processes - Failures of the “Oral Tradition” - Lack of understanding of specific requirements
- 24. • Obsolete version of Java resulted in hundreds of findings • “Why?” • Misunderstanding of “required version” • Scan resulted not only in identifying vulnerabilities, but also - Poor documentation - Broken Processes - Failures of the “Oral Tradition” - Lack of understanding of specific requirements
- 25. 2. Provides Remediation Information
- 26. 3. Asset Management • Scanning known hosts vs CIDR blocks • Client discovered active “dark” network segments • Client compares scan information with CMDB • Anything with an IP Address - cameras / Nintendo • Drilling company - platforms had “exactly 4 hosts per rig”
- 29. 6. Compliance
- 31. 8. Tactical
- 32. Biomedical/ICS
- 33. Special Considerations: Biomedical Devices • FDA 510(k) limits changes to devices once marketed • http://tinyurl.com/FDA510kblog - Redirects to a post on http://blog.securitykitchen.website • Security vs Supportability - not unique to healthcare but leads to poor design decisions - Radiology Reading Stations with FTP - Clinical protocols like HL7 are cleartext so compensating controls are necessary - How do you manage your HL7 interface engines?
- 34. Special Considerations: Industrial Control Systems • Operational Technology (OT) is not the same as Information Technology (IT) • Shutting down ICS is costly - patch cycles are lengthy • Not unusual to operate with malware present • Purpose-built devices may not handle unexpected traffic with grace • Be extremely cautious with active scanning; consider passive scanning
- 35. In Conclusion…