Achievements and Pitfalls of Creating and Maintaining Vulnerability Assessment Programs

1
Achievements and Pitfalls of Creating and
Maintaining Vulnerability Assessment Programs
  • Tim Proffitt
  • March 2009
  • GIAC GCIH, GCPM, GLEG, GSEC, GSLC

2
How are Successful Organizations Leveraging
Vulnerability Assessment?
  • Identifying known vulnerabilities
  • Identifying foreign systems and ad hoc networks
  • Auditing NAC initiatives
  • Auditing patching efforts
  • Auditing software lifecycles
  • Assisting with web application security
    assessments
  • Meeting compliance requirements such as PCI
  • Defining risk by providing risk assessment data

3
Understanding and Managing Risk
  • Network inventory: vulnerabilities do not exist
    in isolation.
  • Vulnerability overload: in most enterprise
    networks there are simply too many
    vulnerabilities to fix.
  • Root-cause analysis: fixing vulnerabilities does
    not necessarily address the root cause.
There will always be risk to the organization, so
the goal is not to eliminate risk, but rather to
understand and manage it at an acceptable level.
4
What Risk Level Is Acceptable?
  • Aligning the right context of assets that relate
    back to the business is mandatory. Otherwise,
    data may not be meaningful or actionable by
    management
  • Focusing on specific vulnerabilities lets a
    working group ensure that the strategy addresses
    the vulnerabilities of greatest concern to the
    existing community.
  • By reporting on groups of assets that are defined
    from a business viewpoint, the metrics suddenly
    take on an importance to the decision makers.

5
Utilize a Known Scoring System
Teams can use the open Common Vulnerability Scoring
System (CVSS) to provide a common platform for
discussing risk.
  • Base metrics: qualities that are fundamental to
    any given vulnerability and do not change over
    time or across environments.
  • Temporal metrics: characteristics of a
    vulnerability that are time-dependent and change
    as the vulnerability ages.
  • Environmental metrics: characteristics of a
    vulnerability that are tied to a particular
    implementation and environment.
6
Deriving Severity Levels
  • Consequence - ranges from low to high depending
    on the environment
  • Probability - some vulnerabilities are more
    likely than others to be exploited
  • Criticality - tolerate more open vulnerabilities
    on less critical systems than on critical ones
  • Industry - you may need to remediate
    vulnerabilities faster if you manage FAA gear
  • Time - vulnerabilities are a moving target

7
Real World Scenario
  • A VA scan reveals that MS09-001 is missing from a
    server in a DMZ segment
  • Research shows MS09-001 addresses a Server
    Message Block (SMB) buffer overflow that allows
    remote code execution and gives attackers
    complete control of the system
  • Analysis determines the DMZ server is a Microsoft
    file server holding customer data, and that SMB
    is allowed through the firewall into this network
    segment
  • A high probability of exploitation combined with
    a high consequence of loss makes the risk
    unacceptable and calls for immediate action
  • Cost-benefit analysis shows that remediation is
    cheap: apply the patch, or change the firewall
    rule that allows SMB into the segment

Risk = (Threat x Vulnerability x Impact) / Countermeasures
8
Top Objectives for Approval and Defining Policies
  • Executive sign-off is crucial before VA efforts
    are started
  • Understanding that VA will have an impact on
    systems
  • Define what segments are out of scope
  • Define what type of hardware is off limits
  • Define external scanning versus internal scanning
  • Define what you do with partner networks
  • Include VA provisions in legal contracts

9
Awareness Pitfalls
  • Successful training includes details about:
    • How is risk applied?
    • Impacts to log files, authentication attempts,
      successive connections and trace files
    • Generation of alerts and/or emails
    • Bandwidth considerations
    • Frequency of scans, for troubleshooting
    • False positive remediation
    • How is VA scanning kept from impacting systems?
    • Effects on firewalls (state tables) or IPS
    • Does the VA scanner block traffic?

SANS Technology Institute - Candidate for Master
of Science Degree
10
Know Which Information Assets Are Targets
  • Standard items such as workstations, laptops and
    servers are targets, but what about:
    • Network-enabled printers: printer-specific
      vulnerabilities reported up 105 in 2008
    • VoIP phones: VIPER Lab has identified thousands
      of VoIP vulnerabilities since 2003
    • Security cameras, HVAC management, AV gear,
      medical equipment, SCADA, etc.
  • It seems everything is becoming network
    manageable, but did the vendor consider security?
    How can these devices be compromised? What is the
    risk to the business of a compromise?

11
Optimal Returns
  • With failed programs, teams typically:
    • Scan infrequently enough to be irrelevant
    • Do not use authenticated scans
    • Scan aggressively across entire segments
    • Re-negotiate risk metrics to fit the situation
    • Do not break assets up into domains
  • Successful scanning teams, by contrast:
    • Scan frequently, on a negotiated schedule
    • Exclude checks known to be harmful to equipment
    • Use multiple sets of scan credentials
    • Manage exceptions with system owners
    • Organize assets into risk-based groups

12
Biggest Reporting Mistakes
  • Producing reports detailing every vulnerability
    from informational to urgent for the entire
    assessment
  • Providing C-level management (or auditors) a
    300-page vulnerability report
  • Not performing trending analysis
  • Automatic blanket ticket generation from VA
    reporting
  • Not producing actionable information utilizing
    risk metrics
  • Not filtering the reports for specific system
    administrators

13
Compliance and the life cycle
Vulnerability assessment has a never-ending life
cycle that continually scans, reports, assesses,
remediates and evaluates. No one piece of the life
cycle is effective without the others.
Pitfalls
  • Have reasonable life cycle expectations been set?
  • Is the VA team working with the correct set of
    administrators to accomplish its goals?
  • Has the life cycle slowed, or become lax, as the
    program matured?
  • Is the VA team generating reports on a regular
    basis?

14
Program Success
  • Use metrics to assign risk. The high-to-low or
    5-to-1 scoring provided by VA solutions does not
    adequately reflect the true risk to the
    enterprise.
  • Successful programs scan more than traditional
    workstations and servers. Overlooking
    network-aware devices paints only a partial
    picture of your security landscape, and device
    attack vectors are on the rise.
  • Use vulnerability assessment data to supplement
    other security efforts. The same data can be
    reused to support compliance, NAC, user
    provisioning, licensing, etc.
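The reporting practice the slides on business asset groups, reporting mistakes and program success describe (weighting scanner scores by business criticality, filtering per administrator, one ticket per vulnerability rather than per finding row, and trending between scans), as an added worked example in Python. This is code written for this page, not from the original presentation: the asset groups, owners, hosts and findings are constructed, and the check names are generic categories except for the MS09-001 update from the scenario slide.

```python
"""Risk-based VA reporting over scanner findings.

Added example: business asset groups, per-owner filtering, ticket aggregation
and scan-to-scan trending. Hosts, groups, owners and findings are constructed.
"""
from collections import defaultdict

# Asset groups defined from a business viewpoint (hypothetical). `weight` scales
# the scanner's CVSS base score by how critical the group is to the business.
ASSET_GROUPS = {
    "dmz-customer-fileservers": {"weight": 1.0, "owner": "windows-team"},
    "internal-workstations": {"weight": 0.4, "owner": "desktop-team"},
    "lab": {"weight": 0.2, "owner": "lab-admins"},
}

# Constructed findings from two monthly scans. Check names are generic
# categories; MS09-001 is the update from the DMZ scenario above.
FINDINGS = [
    {"scan": "2009-02-01", "host": "dmz-fs01", "group": "dmz-customer-fileservers", "check": "MS09-001 missing", "cvss": 10.0},
    {"scan": "2009-02-01", "host": "ws-0102", "group": "internal-workstations", "check": "MS09-001 missing", "cvss": 10.0},
    {"scan": "2009-02-01", "host": "ws-0103", "group": "internal-workstations", "check": "MS09-001 missing", "cvss": 10.0},
    {"scan": "2009-02-01", "host": "lab-07", "group": "lab", "check": "SSLv2 enabled", "cvss": 5.0},
    {"scan": "2009-02-01", "host": "dmz-fs01", "group": "dmz-customer-fileservers", "check": "ICMP timestamp response", "cvss": 2.1},
    {"scan": "2009-03-01", "host": "dmz-fs01", "group": "dmz-customer-fileservers", "check": "ICMP timestamp response", "cvss": 2.1},
    {"scan": "2009-03-01", "host": "ws-0103", "group": "internal-workstations", "check": "MS09-001 missing", "cvss": 10.0},
    {"scan": "2009-03-01", "host": "lab-07", "group": "lab", "check": "SSLv2 enabled", "cvss": 5.0},
    {"scan": "2009-03-01", "host": "dmz-fs01", "group": "dmz-customer-fileservers", "check": "Anonymous FTP enabled", "cvss": 7.5},
]


def business_risk(finding):
    """Scale the scanner's CVSS base score by the business weight of the asset group."""
    return round(finding["cvss"] * ASSET_GROUPS[finding["group"]]["weight"], 1)


def severity(risk):
    """Map a business risk value onto the program's remediation classes."""
    if risk >= 7.0:
        return "Urgent"
    if risk >= 4.0:
        return "High"
    if risk >= 2.0:
        return "Medium"
    return "Low"


def owner_report(findings, scan, owner, min_risk=4.0):
    """Actionable list for one administrator group: only their assets, only items
    at or above the agreed risk threshold, highest risk first."""
    rows = []
    for f in findings:
        if f["scan"] != scan or ASSET_GROUPS[f["group"]]["owner"] != owner:
            continue
        risk = business_risk(f)
        if risk >= min_risk:
            rows.append({"host": f["host"], "check": f["check"], "risk": risk, "severity": severity(risk)})
    return sorted(rows, key=lambda r: (-r["risk"], r["host"]))


def tickets(findings, scan, min_risk=4.0):
    """One ticket per (owner, vulnerability) with the affected hosts attached,
    instead of a blanket ticket per finding row, and nothing below the threshold."""
    grouped = defaultdict(list)
    for f in findings:
        if f["scan"] == scan and business_risk(f) >= min_risk:
            grouped[(ASSET_GROUPS[f["group"]]["owner"], f["check"])].append(f["host"])
    return [{"owner": o, "check": c, "hosts": sorted(h)} for (o, c), h in sorted(grouped.items())]


def trend(findings, old_scan, new_scan):
    """Compare two scans by (host, vulnerability): what was fixed, what is new, what persists."""
    def key(f):
        return (f["host"], f["check"])
    old = {key(f) for f in findings if f["scan"] == old_scan}
    new = {key(f) for f in findings if f["scan"] == new_scan}
    return {"fixed": sorted(old - new), "new": sorted(new - old), "persisting": sorted(old & new)}


if __name__ == "__main__":
    for owner in sorted({g["owner"] for g in ASSET_GROUPS.values()}):
        print(owner, owner_report(FINDINGS, "2009-02-01", owner))
    print("tickets:", tickets(FINDINGS, "2009-02-01"))
    print("trend:", trend(FINDINGS, "2009-02-01", "2009-03-01"))
```

The same missing MS09-001 update lands as Urgent (10.0) on the customer-data file server and High (4.0) on workstations, the lab's SSLv2 finding and the informational ICMP item never reach an administrator's list, three MS09-001 findings become two tickets, and the February-to-March comparison shows two items fixed, one new and three persisting: the trending the reporting slide says is usually skipped.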

15
Summary
  • A VA program can be leveraged to ease the burden
    of compliance efforts, reduce risk levels, perform
    due diligence, provide forensic data and generate
    reports that serve as technology metrics.
  • By creating a comprehensive VA program, the
    organization adds another layer to its defense in
    depth.
  • It identifies the vulnerabilities that matter
    most to the organization so that they can be
    mitigated before they are exploited.
  • A successful, comprehensive VA program positions
    the organization for a safer, more secure
    computing environment.