PNNL Vulnerability Scanning

1
PNNL Vulnerability Scanning

• Integrating Contiguous Scanning While Maintaining
  a
• Comprehensive Program
• Presented by Vahid Hackler at NLIT 2007
• Unclassified Cyber Security (UCS)
• Pacific Northwest National Laboratory

2
Agenda

• Program Objective
• Vulnerabilities Focus
• Tools
• Detection and Follow-Through
• Scanning Timetable
• Remediation
• Metrics
• Lessons Learned

3
PNNL Network Environment

• Approx. 8,500 networked systems
• Windows operating system
• Server, XP, and 2000
• UNIX including Linux
• Redhat, Solaris, IRIX, Suse, and Ubuntu
• Macintosh
• Network printers and other operating systems

4
Program Objective

• Provide comprehensive and effective vulnerability
  and configuration management in a heterogeneous
  environment
• Managed and unmanaged systems
• Dispersed workforce environment
• Constant patch releases from various sources
• Users with administrative privileges
• with minimal impact to staff productivity

5
Vulnerabilities Focus

• Critical, High, and Medium
• Variety of operating systems and platforms
• Wide array of user and organizational deployed
  applications
• Configuration Management
• Clear text protocols such as telnet, ftp, rlogin,
  and xdcmp
• Inherently vulnerable protocols such as SSHv1,
  SNMP, and SMTP
• Unused services such as chargen, finger, echo,
  daytime, discard, and systat

6
Todays Tools

• Vulnerability Program Management System
• Managed system providing scheduled scans
• Ticketing system
• Foundstone Enterprise Management System
• Verification Scanner
• Accurate
• Common, reputable auditing tool
• Nessus
• Password Cracker
• L0phtcrack

7
Scanning TimetableIssues for Consideration

• Benefits of multiple types of scans
• Finite network bandwidth capacity
• Identify most critical issues quickly
• Strategic remediation of enterprise wide issues

8
Scanning Timetable

• Patch Tuesday
• Monthly
• Authenticated Scan
• Local Admin Password Scan
• Weekly
• Non-authenticated Scan
• Contiguously
• Top 20 Scan
• Targeted Scans (project scans)
• Used when tackling new issues (e.g. Symantec
  LiveUpdate vulnerability)

9
Monthly Authenticated Scan

• Acts as independent patch deployment verification
• Utilized for strategic remediation
• Conducted using Vulnerability Program Management
  System

10
Monthly Local Admin Password Scan

• Identify 10 to 15 of the most commonly guessed
  passwords
• Performed after authenticated scans
• Passwords identified as weak are changed through
  a separate, automated process
• Uses homegrown plug-in for Verification Scanner

11
Weekly Non-Authenticated Scan

• All non-authenticated checks
• Used to determine checks for the contiguous Top
  20 scans
• Remediation completed on all issues identified
• Uses a combination of the Vulnerability Program
  Management and Verification Scanner systems

12
Contiguous Top 20 Scan

• FBI/SANS recommendations
• PNNL previous vulnerability issues
• All issues identified are corrected on an
  individual basis by PNNL Help Desk

13
Targeted Scans

• Used to further assess specific issues identified
  in routine scans
• Performed as needed or requested by management
• Results dealt with as required

14
Remediation A Team Effort

• Unclassified Cyber Security (UCS)
• Scan and identify issues to be resolved
• Desktop and Hosting Services
• Implement strategic and large scale vulnerability
  remediation
• User Support Services
• Remediate isolated issues

Unclassified Cyber Security
Desktop and Hosting Services
User Support Services
15
Remediation After the Scan

• Authenticated scans
• Issues identified are passed via metric reports
  to Desktop and Hosting Services
• Non-authenticated scans
• Vulnerabilities are treated as isolated issues
  and passed to User Support Services for
  remediation
• All remediation actions are reported to UCS
• Effectiveness measured by follow-up scans

16
Measuring SuccessIssues to Consider

• Keep it simple
• Track number of vulnerabilities on the network
• Keep it readable
• Show the key issues and trends
• Provide data for management action
• Keep it consistent
• Give a clear picture that tells the story as it
  was told before

17
The Vulnerability Scanning Report

• General Discussion
• Narrative of authenticated and non-authenticated
  scan issues
• Scanning System Health
• Uptime, performance
• Password Scan Summary
• Non-Authenticated Vulnerabilities
• High and Medium
• Authenticated Vulnerabilities
• High and Medium

18
Vulnerability Scanning Report cont.

• Top Ten
• High Vulnerabilities
• Medium Vulnerabilities
• Worst Systems
• Number of Non-authenticated Vulnerabilities per
  Operating System
• Watch for non-managed operating system issues

19
Lessons Learned

• Increase Efforts to Fix Root Causes
• Bring more systems under managed umbrella
• Ensure system management tools are working
• Provide Realistic and Meaningful Reports
• Build metrics that management can act upon
• Integrate Asset and Vulnerability Management
• Vulnerability tracking system feeds and gets
  information to/from other systems such as Help
  Desk incident ticketing system
• Vulnerability tracking system that utilizes
  multiple scanning technologies through integrated
  management tool

20
Questions and Contact

• vahid.hackler_at_pnl.gov
• 509-372-6721