Getting Value out of VA Reports - PowerPoint PPT Presentation


Transcript and Presenter's Notes

Title: Getting Value out of VA Reports


1
Getting Value out of VA Reports
  • Josh Daymont
  • Vice President of Research
  • State of Nevada Security Symposium 2004

2
Agenda
  • How scanners work
  • Why are scanners sometimes inaccurate
  • Three questions to ask yourself when reviewing
    any scan result
  • The Nessus scanner
  • Developing a good remediation plan
  • Scanning networks over time

3
How scanners work
  • Scanners interrogate remote machines
  • Banner checking
  • Version interrogation
  • Direct patch level checks
  • Neutered exploitation
  • Live exploitation

4
Banner Checking
  • The simplest form of scanner check
  • Connects to a remote service and checks the
    version advertised by the remote machine's banner
  • Only applicable to certain services
  • These checks are easily fooled
  • Relatively accurate when they work

5
Version Interrogation
  • These checks attempt to determine version
    information via some method other than banners
  • Generally examines very detailed aspects of an
    application's behavior
  • Usually accurate but prone to false positives
    when applications are misidentified

6
Patch Level Checks
  • Examines patch level directly
  • Usually by logging onto the remote machine
  • Highly accurate
  • Generally unusable in larger networks due to the
    need for remote logon credentials
  • Very useful in a limited number of situations

7
Neutered Exploitation
  • One of the most common and oldest scanner check
    methods
  • Actually exercises a vulnerability in a way that
    does not incur any adverse consequence
  • Highly accurate when done correctly
  • One of the most difficult scanner check methods
    to get right

8
Live Exploitation
  • Similar to neutered exploitation except the bug
    is fully exercised
  • Generally avoided due to harmful consequences
  • Occasionally used for DoS attacks when other
    methods are unavailable

9
Why are Scanners Sometimes Inaccurate
  • Sometimes they have bad checks
  • In certain cases making a 100% accurate check is
    not possible
  • A vulnerability may be mitigated in a
    non-standard manner
  • There is an inherent tradeoff between accuracy
    and safety in scanner checks

10
Most Common False Positive Issues
  • Fails to detect workaround
  • Check fires on the existence of the service rather
    than on the vulnerability
  • Registers positive on network failure

11
Most Common False Negative Issues
  • Check requires logon credentials
  • Registers negative on network failure
  • Dependent on other vulnerability
  • Configuration issue that is checked by version only
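The following is an added example, not code from the presentation or from any scanner it mentions. It sketches the banner check of slide 4 and shows how the inaccuracy sources on slides 9 to 11 show up in code: a network failure or an unrecognised service is reported as unknown rather than as a positive or a negative, and a banner that hints at a vendor backport is sent to manual review instead of being marked vulnerable, since the version string alone cannot tell a backported fix from an unpatched build. The product name "ExampleSSH", the fixed-in version 2.3.9, the "backport" marker and all banners are constructed values.

```python
import re
import socket
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    VULNERABLE = "vulnerable"
    NOT_VULNERABLE = "not vulnerable"
    # Network failure, foreign product or a possible backport: report neither
    # positive nor negative, so the finding goes to manual review instead.
    UNKNOWN = "unknown"


def parse_version(text, width=3):
    """'2.3' -> (2, 3, 0): pad so tuples of different length compare correctly."""
    parts = [int(p) for p in text.split(".")]
    parts = parts[:width] + [0] * (width - len(parts))
    return tuple(parts)


@dataclass
class BannerCheck:
    product: str
    pattern: re.Pattern          # captures the version string from the banner
    fixed_in: tuple              # first version that carries the fix
    # Banner fragments meaning the vendor may have backported the fix without
    # bumping the version (the "fails to detect workaround" false positive).
    backport_markers: tuple = ()


def evaluate(check, banner):
    if banner is None:                      # connection failed / no data
        return Result.UNKNOWN
    match = check.pattern.search(banner)
    if match is None:                       # some other service answered
        return Result.UNKNOWN               # never fire on mere existence of a port
    version = parse_version(match.group(1), len(check.fixed_in))
    if version >= check.fixed_in:
        return Result.NOT_VULNERABLE
    if any(m in banner for m in check.backport_markers):
        return Result.UNKNOWN               # version says old, but fix may be backported
    return Result.VULNERABLE


def grab_banner(host, port, timeout=3.0):
    """Read the greeting a service sends on connect; None on any network error."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            return sock.recv(1024).decode("ascii", "replace").strip()
    except OSError:
        return None


# Hypothetical check: product "ExampleSSH", fixed in 2.3.9 (constructed values).
EXAMPLE_CHECK = BannerCheck(
    product="ExampleSSH",
    pattern=re.compile(r"ExampleSSH_(\d+(?:\.\d+)*)"),
    fixed_in=(2, 3, 9),
    backport_markers=("backport",),
)

# Constructed banners standing in for what grab_banner() would return.
SAMPLE_BANNERS = {
    "host-a": "SSH-2.0-ExampleSSH_2.3.4",            # older than the fix
    "host-b": "SSH-2.0-ExampleSSH_2.4.0",            # newer than the fix
    "host-c": "SSH-2.0-ExampleSSH_2.3.4 backport-7", # old version, backport hint
    "host-d": "220 mail.example ESMTP ready",        # different service entirely
    "host-e": None,                                  # connection failed
}


def scan(check, banners):
    return {host: evaluate(check, banner) for host, banner in banners.items()}


if __name__ == "__main__":
    for host, result in scan(EXAMPLE_CHECK, SAMPLE_BANNERS).items():
        print(f"{host}: {result.value}")
```

The three-state result is the design point: a scanner that collapses "unknown" into either "vulnerable" or "not vulnerable" produces exactly the network-failure false positives and false negatives the slides list, and the backport marker is where a site's own knowledge of non-standard mitigations gets fed back into the check.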

12
Three Questions
  • How important is this machine?
  • How important is this vulnerability?
  • What is the cost to fix it?

13
An Examination of Nessus
  • The Nessus scripting language
  • Example 1
  • Example 2
  • Example 3

14
Remediation
  • Two major types of remediation
  • Local
  • Remote
  • Always perform remote remediation except for
    certain servers

15
Remediation Plan
  • Analyze
  • Prioritize
  • Develop a schedule
  • Run scans during the remediation plan, not just
    after
  • Almost all remediation strategies should take
    between 3 and 12 months to implement

16
Prioritizing Remediation Plans
  • Perimeter and inter-network vulnerabilities first
  • Server vulnerabilities before desktop
  • Always fix remote issues before local privilege
    escalation
  • Generally better to fix well known issues before
    obscure ones

17
Remediation Scheduling
  • Perform remediation over nights and weekends
    whenever possible
  • Always notify desktop users of impending patches
  • Allow for server downtime during patches with at
    least a half hour to spare
  • Measure completion of milestones at least every
    quarter of the way through remediation

18
Remediation Plans
  • Do not change the remediation plan once finalized
  • New software rollouts should be planned around
    remediation
  • New deployments must be forward tested
  • This means test with the patch levels that
    systems will have during deployment, not the
    patch levels on the machines today

19
Scheduling Scans
  • Nighttime or daytime?
  • Both whenever possible
  • Try to avoid sampling
  • Striping scan targets can be a useful way to
    improve performance and accuracy
  • Few scanners support this feature
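Striping, as the slide uses the term, means ordering probes so that consecutive probes go to different hosts instead of hammering one machine with all of its ports before moving to the next. The example below is added here and is not code from the presentation or from any scanner; it compares the naive host-by-host order with a round-robin striped order and measures the longest burst of consecutive probes any single host receives. The target list is constructed.

```python
from itertools import zip_longest


def sequential_order(targets):
    """Naive order: every port of host 1, then every port of host 2, and so on."""
    return [(host, port) for host, ports in targets.items() for port in ports]


def striped_order(targets):
    """Stripe: round-robin across hosts, so consecutive probes land on
    different machines and each host sees its probes spread over the whole
    run instead of in one burst. Uneven port lists are handled by zip_longest."""
    per_host = [[(host, port) for port in ports] for host, ports in targets.items()]
    order = []
    for round_ in zip_longest(*per_host):           # one probe per host per round
        order.extend(pair for pair in round_ if pair is not None)
    return order


def longest_burst(order):
    """Longest run of consecutive probes aimed at the same host."""
    longest = run = 0
    prev = None
    for host, _ in order:
        run = run + 1 if host == prev else 1
        longest = max(longest, run)
        prev = host
    return longest


# Constructed target list (hosts with uneven port lists).
TARGETS = {
    "10.0.0.1": [22, 80, 443],
    "10.0.0.2": [22, 80],
    "10.0.0.3": [22, 80, 443, 8080],
}

if __name__ == "__main__":
    seq, striped = sequential_order(TARGETS), striped_order(TARGETS)
    print("sequential burst:", longest_burst(seq))
    print("striped burst:   ", longest_burst(striped))
    for probe in striped:
        print(probe)
```

Both orders contain the same probes; only the sequence differs. The accuracy side of the slide's claim follows from slides 10 and 11: a host that drops probes because it is receiving a burst produces the network-failure false positives and false negatives listed there, and spreading its probes over the run reduces that chance.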

20
Options
  • Manage it yourself
  • Outsource
  • Do nothing

21
Questions
  • Josh Daymont, VP of Research
  • Email additional questions to info_at_secureworks.com