Future of Vulnerability Management - PowerPoint PPT Presentation

1
Future of Vulnerability Management
Penetration Testers
SOX/GLBA Auditors
2
Introduction
  • Who am I?
  • Vulnerability Detection Methods
  • Vulnerability Management Techniques
  • Compliance and Vulnerabilities
  • The future: Vulnerabilities in a world of
    well-maintained computers
  • Your questions answered free

Warning: This talk is not very technical, but it
may help you keep your day job
3
Who am I?
  • Tenable Security
  • Slimy Vendor
  • Make innovative vulnerability detection and
    security event management tools
  • Develop and support the Nessus vulnerability
    scanner project
  • Work with lots of MSPs and customers
  • Vendor life
  • Pimped IDS, IPS and VA
  • Worked with lots of MSPs and customers
  • Was in your shoes
  • Ran vulnerability and IDS teams at a big bank
  • Manned a NOC at a tier-1 ISP

4
Vulnerability Detection Methods
There are other ways to detect
vulnerabilities than running a scanner.
5
Vulnerability Detection Methods
  • Human Survey
  • Network Scan
  • Network Scan with host credentials
  • Host Agents
  • Network Scan with exploits
  • Asset Based Inventories
  • Network Based Sniffing
  • Source-code audits
  • Others?

6
Vulnerability Detection Methods
Human Survey
  • What is it? A method to collect information about
    what the users and admins are doing.
  • Pros: Can find out user actions, behaviors and
    reasons for why people run software.
  • Cons: People can lie, distort, forget, hide and be
    inaccurate.

7
Vulnerability Detection Methods
The Security Grind
Windows 2000 with Service Pack 2.
Hey Joe, what kind of computer is that?
Holy cow! That is a really vulnerable version!!
8
Vulnerability Detection Methods
Network Scan
  • What is it? Use a program to discover other
    networked computers and their vulnerabilities.
  • Pros: Don't need to know about the targets before
    doing a scan.
  • Cons: Not as accurate as people think. Networks
    change fast and scanning can have negative
    impact. False positives. It can also hurt the
    network a lot!

9
Vulnerability Detection Methods
  • Why do scans hurt the network?
  • Crash hosts
  • Crash network devices
  • Firewalls
  • Routers
  • Switches
  • Take away bandwidth
  • Most devices which crash are DOSable
  • Some network devices have limited resources and
    only work for a finite number of
    source/destination IP and source/destination ports

10
(No Transcript)
11
Vulnerability Detection Methods
The Security Grind
I crashed the credit card database with a
network scanner.
The only thing I have are openings at Google's
web crawler division.
Hi there, what sort of background do you have?
12
Vulnerability Detection Methods
The Security Grind
Hey, are you guys running a scan? The PIX just
went offline.
Not right now.
Hey Joe, stop that scan right away!
13
Vulnerability Detection Methods
Network Scan with host credentials
  • What is it? When the scanner discovers a host, we
    use credentials to look at files, configuration
    and patches.
  • Pros: Extremely fast and accurate.
  • Cons: The system admin laughs at you when you ask
    for the credentials.

14
Vulnerability Detection Methods
15
Vulnerability Detection Methods
The Security Grind
So, you'd like all of our passwords so you can
easily find out what we're not doing or doing
wrong?
Hi there, I'm from security and would like access
to test the security of your systems.
How about you do something useful and help me
patch these laptops.
That's right!
16
Vulnerability Detection Methods
Host Agents
  • What is it? It's an agent that runs and reports
    on asset information or actually does
    vulnerability checks.
  • Pros: Can do deeper security checks than most
    remote scans.
  • Cons: Get in line to run yet another agent.

17
Vulnerability Detection Methods
  • What is a deeper security check?
  • With credential-based scanners, we only get less
    than 5 minutes to perform a check if the scan is
    to run efficiently
  • This is NOT ENOUGH time to search the hard drive
    for:
  • UNIX SUID root files
  • Inappropriate Windows Registry settings
  • Virus or malware scanning
  • Memory-resident checks
  • Host agents are persistent and can perform these
    checks at the pleasure of the IT admin, at
    scheduled times and sometimes when low CPU usage
    occurs
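
A worked example of the kind of check the slide says a time-boxed credentialed scan cannot afford but a persistent agent can: walking the whole filesystem for set-UID executables owned by root. This is added example code, not anything from the talk or from Nessus. It assumes a POSIX host and runs against a constructed temporary directory, with the current user standing in for root because the demo cannot chown files to uid 0.

```python
"""Agent-style SUID sweep over a filesystem tree (added example)."""
import os
import stat
import tempfile


def find_suid_files(root, owner_uid=0):
    """Return sorted paths under `root` that carry the set-UID bit and are
    owned by `owner_uid` (0 = root). lstat is used so symlinks to privileged
    binaries elsewhere are not counted twice; unreadable entries are skipped
    rather than aborting a sweep that may take a long time."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or permission denied; keep walking
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_ISUID and st.st_uid == owner_uid:
                hits.append(path)
    return sorted(hits)


def build_demo_tree():
    """Constructed sample tree: one set-UID file, one set-GID-only file and
    one plain executable. Returns (root, path_of_the_suid_file)."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    bindir = os.path.join(root, "bin")
    os.makedirs(bindir)
    suid = os.path.join(bindir, "passwd-like")
    sgid = os.path.join(bindir, "sgid-only")
    plain = os.path.join(bindir, "plain-tool")
    for path in (suid, sgid, plain):
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\nexit 0\n")
    os.chmod(suid, 0o4755)   # rwsr-xr-x: the one we want to find
    os.chmod(sgid, 0o2755)   # rwxr-sr-x: set-GID only, must not match
    os.chmod(plain, 0o755)   # ordinary executable
    return root, suid


def demo():
    """Sweep the constructed tree, treating the current user as the
    privileged owner (the demo cannot create root-owned files)."""
    root, expected = build_demo_tree()
    found = find_suid_files(root, owner_uid=os.getuid())
    return found, expected


if __name__ == "__main__":
    found, _expected = demo()
    print("set-UID files found:", found)
```

On a real host you would call `find_suid_files("/")` as root and diff the result against the previous run; a new entry is the interesting event, not the well-known binaries that are always there.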

18
Vulnerability Detection Methods
The Security Grind
Hey there, can you add this agent to all of your
hosts?
I'm already running 6 different agents on them
now!
At least this one doesn't have any known security
problems with it.
19
Vulnerability Detection Methods
Network Scan with exploits
  • What is it? Break into the machines we find.
  • Pros: Undeniable proof that you have security
    issues.
  • Cons: If you thought apologizing for crashing the
    firewall with the port scanner was fun, wait
    until you take out DNS and Oracle.

20
Vulnerability Detection Methods
  • Network Scan with exploits
  • Potentially more/less impact than a network scan
  • Have more chance of hurting fewer machines
  • Potentially more/less politically sensitive
  • Scans can be debated, even patch audits
  • If you broke in, the vulnerability is not
    theoretical
  • Example tools
  • Metasploit (open source)
  • CANVAS (commercial)
  • Core Impact (commercial)

21
Vulnerability Detection Methods
The Security Grind
We performed a penetration test and found that all
of the W2K servers are vulnerable.
Your mom's name is Mary and you haven't logged
onto one of the servers in two weeks.
That's impossible, we patched last week.
22
Metasploit Demo
METASPLOIT DEMO
23
Vulnerability Detection Methods
Asset Based Inventories
  • What is it? I think I have a bunch of routers,
    therefore I care somewhat about router
    vulnerabilities.
  • Pros: Can be really accurate if you have a good
    asset list.
  • Cons: Can be really inaccurate and misleading
    if you don't have a good asset list.

24
Vulnerability Detection Methods
  • More accurate assets
  • Get a list of hosts from the:
  • Switches
  • DHCP servers
  • (much more on this later)
  • Look at what has been bought
  • Make purchasing part of inventory
  • Use vulnerability scanning data
  • Use intrusion detection data
  • Use firewall log data
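
The slide's recipe for a more accurate asset list is to pull host evidence from several places and compare it with what purchasing and the asset database claim. Here is that reconciliation as an added example, not code from the talk or from any Tenable product. The dhcpd.leases fragment, the `show ip arp`-style switch table, the scan host list, the firewall log lines and the asset list are all constructed sample data, and the regular expressions are the minimum needed to lift IP addresses out of each.

```python
"""Merge host evidence from several sources into one asset view and flag
hosts the official asset list does not know about (added example)."""
import re
from collections import defaultdict

# Constructed: the asset list the organisation believes is complete.
ASSET_LIST = {
    "10.20.10.5": "mail01",
    "10.20.10.7": "db01",
    "10.20.10.22": "web02",
    "10.20.10.60": "legacy-aix",
}

# Constructed dhcpd.leases-style fragment (only the fields we need).
DHCP_LEASES = """
lease 10.20.10.22 { hardware ethernet 00:11:22:33:44:55; }
lease 10.20.10.41 { hardware ethernet 00:11:22:33:44:66; }
"""

# Constructed 'show ip arp'-style table from the core switch.
SWITCH_ARP = """
Internet  10.20.10.5    0   0011.2233.4401  ARPA  Vlan10
Internet  10.20.10.41   3   0011.2233.4466  ARPA  Vlan10
Internet  10.20.10.99   1   0011.2233.44aa  ARPA  Vlan10
"""

# Constructed: hosts the last vulnerability scan found alive.
SCAN_HOSTS = ["10.20.10.5", "10.20.10.7", "10.20.10.22"]

# Constructed firewall log lines in a syslog-like shape.
FIREWALL_LOG = """
Mar 03 09:12:01 fw1 ACCEPT src=10.20.10.99 dst=198.51.100.10 proto=tcp dport=443
Mar 03 09:12:05 fw1 DROP src=10.20.10.7 dst=198.51.100.20 proto=tcp dport=25
"""

IP_RE = r"(\d{1,3}(?:\.\d{1,3}){3})"


def collect_evidence():
    """Return {ip: set(source_names)} built from every source."""
    seen = defaultdict(set)
    for m in re.finditer(r"lease " + IP_RE, DHCP_LEASES):
        seen[m.group(1)].add("dhcp")
    for m in re.finditer(r"^Internet\s+" + IP_RE, SWITCH_ARP, re.M):
        seen[m.group(1)].add("switch-arp")
    for ip in SCAN_HOSTS:
        seen[ip].add("scan")
    for m in re.finditer(r"src=" + IP_RE, FIREWALL_LOG):
        seen[m.group(1)].add("firewall")
    return seen


def unmanaged_hosts(seen, asset_list):
    """Hosts observed by at least one source but absent from the asset
    list: the boxes nobody knows they own."""
    return {ip: sorted(src) for ip, src in seen.items() if ip not in asset_list}


def never_observed(seen, asset_list):
    """Asset-list entries no source has seen: stale inventory or a dead box."""
    return sorted(ip for ip in asset_list if ip not in seen)


if __name__ == "__main__":
    evidence = collect_evidence()
    for ip, sources in sorted(unmanaged_hosts(evidence, ASSET_LIST).items()):
        print(f"unmanaged {ip}: seen by {', '.join(sources)}")
    print("in asset list but never seen:", never_observed(evidence, ASSET_LIST))
```

The useful output is the two disagreement lists, not the merged table: a host that only the firewall and the switch know about was never scanned and never inventoried, and an inventory entry no source has seen is the asset list drifting from reality.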

25
Vulnerability Detection Methods
The Security Grind
Not very. Our entire data center only has AIX
servers in it.
How vulnerable is our network?
Meanwhile back at the data center
That's great.
26
Vulnerability Detection Methods
Network Based Sniffing
  • What is it? Based on network traffic alone,
    detect asset and vulnerability info.
  • Pros: 24x7, no impact, can listen to those you
    can't scan, client-side vulns, etc.
  • Cons: If it doesn't talk, you won't see it.

27
Vulnerability Detection Methods
  • Sniffing vulnerabilities?
  • Two types
  • Sniff to guess the OS, then use the OS to guess
    vulnerabilities
  • Sniff to get the application
  • Both are very useful, but one is much more
    accurate
  • Main advantages
  • NO IMPACT
  • 24x7 coverage
  • Equivalent to many host agents without the pain
    of deploying host agents
  • Can get remote info on folks you are not
    supposed to scan
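
The slide names two passive approaches, guessing the OS and then inferring vulnerabilities from it, or reading the application straight off the wire, and says one is much more accurate. This added example (not from the talk or from p0f) shows why by running both over constructed packet summaries: the TTL-based OS guess yields only a coarse family with a hop estimate, while a service banner yields the exact product and version a vulnerability lookup actually needs. The packet records, IPs and version strings are all made up.

```python
"""Passive fingerprinting from packet summaries (added example)."""
import re

# Constructed packet summaries: source IP, observed IP TTL, and any payload
# bytes the sniffer captured from that host.
PACKETS = [
    {"src": "10.20.10.22", "ttl": 63, "payload": b"SSH-2.0-OpenSSH_3.9p1\r\n"},
    {"src": "10.20.10.22", "ttl": 63, "payload": b""},
    {"src": "10.20.10.7", "ttl": 127,
     "payload": b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\n"},
    {"src": "10.20.10.41", "ttl": 250, "payload": b""},
]

# Common initial TTL values and the OS family that typically uses each.
INITIAL_TTLS = {64: "Linux/BSD-like", 128: "Windows-like", 255: "Cisco/Solaris-like"}

# Banner patterns: protocol name -> regex whose group 1 is product/version.
BANNER_RES = [
    ("ssh", re.compile(rb"^SSH-[\d.]+-(\S+)")),
    ("http", re.compile(rb"^Server:\s*(\S+)", re.M)),
]


def guess_initial_ttl(observed_ttl):
    """Each router hop decrements the TTL by one, so the sender's initial
    value is the smallest standard TTL >= the observed one."""
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return initial
    return None


def fingerprint(packets):
    """Build {ip: {"os_guess", "hops", "apps"}} from passive evidence only.
    os_guess is low confidence (TTL heuristic); apps are exact banners."""
    hosts = {}
    for pkt in packets:
        host = hosts.setdefault(pkt["src"], {"os_guess": None, "hops": None, "apps": set()})
        initial = guess_initial_ttl(pkt["ttl"])
        if initial is not None and host["os_guess"] is None:
            host["os_guess"] = INITIAL_TTLS[initial]
            host["hops"] = initial - pkt["ttl"]
        for proto, rx in BANNER_RES:
            match = rx.search(pkt["payload"])
            if match:
                host["apps"].add((proto, match.group(1).decode("ascii", "replace")))
    return hosts


def report(hosts):
    """One line per host, keeping the two confidence levels visibly apart."""
    lines = []
    for ip, info in sorted(hosts.items()):
        apps = ", ".join(f"{p}:{v}" for p, v in sorted(info["apps"])) or "none seen"
        lines.append(f"{ip}  OS guess (low confidence): {info['os_guess']} "
                     f"({info['hops']} hops)  services (exact): {apps}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(fingerprint(PACKETS))))
```

The host that never sends a banner (10.20.10.41 here) is the slide's "if it doesn't talk, you won't see it" case: the sniffer can still place it in a coarse OS family from the TTL, but nothing about what it runs.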

28
Vulnerability Detection Methods
The Security Grind
Great. Remind me to turn off the video and MP3
server when it comes.
Hey Joe, when is the next scheduled vulnerability
scan?
Next week.
29
p0f Demo
p0f passive fingerprinting demo
30
Vulnerability Detection Methods
Source-code audits
  • What is it? 3rd-party analysis of our
    applications or code for security issues.
  • Pros: Potentially easier to find security issues
    before they enter into production.
  • Cons: There are always other bugs which seem to
    not be found until after the audit.

31
Vulnerability Detection Methods
The Security Grind
Ever since we started paying the developers to
find bugs, we've found more than ever.
The software audit program is a great success!
Really? How do you measure results?
32
Vulnerability Detection Methods
Others?
  • Use the results of last week's scan to predict
    the results of tomorrow's scan
  • If my IDS or IPS detects a successful attack, I
    must be vulnerable
  • Cameras, background checks and all that physical
    stuff we didn't talk about
  • Any others?

33
Vulnerability Management Techniques
  • Scan and Report
  • Automated Patching
  • Virtual Patching
  • Risk Management
  • Peer Pressure
  • Don't Authenticate
  • Starting over with new design
  • Disconnect from the Internet
  • Others?

34
Vulnerability Management Techniques
Scan and Report
  • What is it? Produce a list of vulns and then give
    it out for fixing.
  • Bad Scenario: Joe does a scan, gets lots of
    results, gives report. Comes back next year, does
    same.
  • Good Scenario: Scans occur more often and are
    formatted in a way that can be consumed by
    network management.
  • Ideal Scenario: Joe scans and finds no
    vulnerabilities older than 30 days. Self-patching
    systems.

35
Vulnerability Detection Methods
  • This is a simple concept, why doesn't it work?
  • Networks are changing too fast
  • Don't know who owns what
  • In some cases, one group owns the OS and another
    owns the application
  • In some cases, we don't know who owns the box
  • There are barely enough resources to keep the
    network running, let alone fix it.

36
Vulnerability Management Techniques
Automated Patching
  • What is it? When the OS or application does self
    updates.
  • Who is doing it? Almost all vendors do this, but
    not everyone enables it. There is also a
    patch/configuration management industry.
  • Configuration Management: Who really controls the
    network or states how it is used?
  • Automation trumps slow processes all the time:
    Variance increases complexity and IT cost.
    We'll always have zero-days, but shouldn't have
    1000-day-olds.

37
Vulnerability Detection Methods
  • This is ANOTHER simple concept, why doesn't it
    work?
  • Live updates may be good for my laptops or my
    single-purpose servers, but not my complex
    applications such as:
  • Email
  • Database
  • DNS
  • Firewalls
  • Etc.
  • Mature organizations track change success rates,
    which means if they make the same change to 100
    servers, and it only works on 97 of them, they
    have a 97% change success rate

38
Vulnerability Management Techniques
Virtual Patching
  • What is it? It's a form of risk management: use
    a different control to mitigate a vulnerability.
  • What is it really? If it is vulnerable, don't let
    it talk.
  • Who is doing it? Firewall, IPS and authentication
    vendors.
  • Examples: IPSs claim to do this no matter what the
    vulnerability is. IPSs can virtually patch based
    on specific vulnerabilities. Scanners can block
    by talking to firewalls.

39
Vulnerability Detection Methods
  • Virtual Patching at the OS
  • If stack protection or host-based IPS is enabled,
    am I still vulnerable?
  • Virtual patching at the network
  • If I know I am vulnerable to attack XYZ, yet my
    network IPS has a rule to block exploits for
    this, am I still vulnerable?
  • If I block access to this at the firewall, am I
    still vulnerable?

Vulnerable your network is!
Yes. Virtual patching is surely the path to the
dark side.
40
Vulnerability Management Techniques
Risk Management
  • What is it? Balances response to potential risk
    by evaluating the threats.
  • What is it really? Much confusion. Most folks
    don't realize that we inflict 80% of our downtime
    and security incidents only account for 5%.
  • Huh? What is a bigger threat: a new worm, or the
    upgrade to the SQL server on which my app
    depends?
  • What about top 20 checks? If you have 1000 unique
    vulns, and you fix your top 20, you get a new top
    20. We're working on the wrong problem.

41
Vulnerability Detection Methods
The Security Grind
We worked all night to figure out why the server
went down.
Ha, we wish! One of the developers made a code
change at 5:00 and didn't tell anyone.
What was it? Bug in the OS? Hacker? Run out of
drive space?
42
Vulnerability Management Techniques
Peer Pressure
  • What is it? Uses comparative reporting to
    identify poor security performers.
  • What is it really? Joe has 5x as many vulns as
    Bill. Accounting's servers have 5x as many vulns
    as HR's.
  • It's more than that: There can be many
    stakeholders who do not subscribe to the security
    mantra and are slow or unwilling to effect
    change.
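
The "Scan and Report" slides set a target (no vulnerability older than 30 days) and the "Peer Pressure" slide wants comparative reporting between owners; both come out of the same scan data once the scanner records when each finding was first seen. This added example, not code from the talk or from Nessus, produces both reports from constructed findings. The dates, hosts, owner names and finding labels are made up; the host counts are chosen so that Bill runs twice as many servers as Joe, which is why the comparison is normalised per host rather than by raw count.

```python
"""Vulnerability age and per-owner comparison from scan findings
(added example)."""
from collections import Counter
from datetime import date

SCAN_DATE = date(2006, 3, 3)  # constructed date of the most recent scan

# Constructed findings: one row per (host, finding), with the date the
# scanner first reported it so age can be measured across scans.
FINDINGS = [
    {"host": "10.20.10.22", "owner": "Joe", "finding": "missing-patch-A", "first_seen": date(2005, 11, 1)},
    {"host": "10.20.10.22", "owner": "Joe", "finding": "weak-config-B", "first_seen": date(2006, 2, 20)},
    {"host": "10.20.10.23", "owner": "Joe", "finding": "missing-patch-A", "first_seen": date(2006, 1, 15)},
    {"host": "10.20.10.23", "owner": "Joe", "finding": "missing-patch-C", "first_seen": date(2006, 2, 28)},
    {"host": "10.20.10.23", "owner": "Joe", "finding": "old-service-D", "first_seen": date(2005, 12, 31)},
    {"host": "10.20.20.5", "owner": "Bill", "finding": "weak-config-B", "first_seen": date(2006, 2, 25)},
    {"host": "10.20.20.6", "owner": "Bill", "finding": "missing-patch-C", "first_seen": date(2006, 1, 20)},
]

# Constructed: servers each owner is responsible for (from the asset list).
HOSTS_PER_OWNER = {"Joe": 2, "Bill": 4}


def overdue(findings, scan_date, max_age_days=30):
    """Findings open longer than the target, oldest first. The slide's
    ideal scenario is this list coming back empty."""
    aged = [dict(f, age_days=(scan_date - f["first_seen"]).days) for f in findings]
    return sorted((f for f in aged if f["age_days"] > max_age_days),
                  key=lambda f: -f["age_days"])


def density_by_owner(findings, hosts_per_owner):
    """Open findings per managed host, per owner. Owners with no findings
    still appear, at 0.0, so a clean group is visible in the report."""
    counts = Counter(f["owner"] for f in findings)
    return {owner: counts[owner] / n for owner, n in hosts_per_owner.items()}


def peer_ratios(density):
    """Each owner's density relative to the best performer (1.0 = best).
    If the best group has zero findings, every non-zero group is inf."""
    best = min(density.values())
    ratios = {}
    for owner, d in density.items():
        if best:
            ratios[owner] = d / best
        else:
            ratios[owner] = 1.0 if d == 0 else float("inf")
    return ratios


if __name__ == "__main__":
    for f in overdue(FINDINGS, SCAN_DATE):
        print(f"{f['age_days']:4d} days  {f['host']}  {f['finding']}  ({f['owner']})")
    dens = density_by_owner(FINDINGS, HOSTS_PER_OWNER)
    for owner, ratio in peer_ratios(dens).items():
        print(f"{owner}: {dens[owner]:.1f} vulns/host, {ratio:.1f}x the best group")
```

Raw counts would say Joe has 2.5 times Bill's problems; per host it is 5x, the figure the slide quotes, and the age list is what goes to the owner of each box rather than a report that gets re-run next year.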

43
Vulnerability Detection Methods
The Security Grind
Bill's group has twice as many servers as you,
half the staff and no security issues. I'm moving
your data to his group.
Joe, I really need to know why your data servers
aren't passing their audits.
I don't have enough resources and need more time.
44
Vulnerability Management Techniques
Don't Authenticate
  • What is it? Based on your vulnerabilities, you
    can't go places in the network.
  • We are doing this already: Remote VPN users must
    self-report that they have updated virus
    signatures.
  • Expanding: 802.1x allows all sorts of models to
    enforce vuln detection when IP addrs are
    released, when communicating on the Intranet and
    so on
  • Products that do this: The various NAC programs,
    Perfigo, Vernier, Sygate, etc.

45
Vulnerability Management Techniques
  • Don't authenticate at VPN
  • Are your virus, spyware and patches up to date?
  • Don't authenticate on the network with DHCP or at
    the switch
  • Microsoft will ship this in 2007
  • Cisco shipping it now, but locks you into Cisco
    gear
  • How does this work?
  • Run an agent, scan a host, quarantine when NIDS
    sees something
  • Switch technology is 802.1x for enforcement
  • Sometimes can black-hole at Ethernet layer
  • Will people use it?
  • Could be the next form of inline intrusion
    prevention
  • Could be deployed, but turned on during next
    worm
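
The slide describes the mechanics (run an agent, scan the host, quarantine when NIDS sees something, enforce at the switch with 802.1x) but not the decision in the middle. This added example, not code from the talk or from any NAC product, is that admission decision: it takes a host's posture report plus a NIDS flag and returns allow or quarantine with the reasons, failing closed when something cannot be verified. The MAC addresses, dates and the 7-day signature threshold are constructed.

```python
"""Posture-based admission decision for a 'don't authenticate' policy
(added example)."""
from datetime import date

TODAY = date(2006, 3, 3)        # constructed evaluation date
MAX_SIGNATURE_AGE_DAYS = 7      # constructed policy threshold

# Constructed posture reports as an agent or a credentialed scan would
# deliver them. None means the value could not be collected.
HOSTS = [
    {"mac": "00:11:22:33:44:55", "agent": True, "av_sig_date": date(2006, 3, 2),
     "missing_critical": 0, "nids_alert": False},
    {"mac": "00:11:22:33:44:66", "agent": True, "av_sig_date": date(2006, 1, 10),
     "missing_critical": 0, "nids_alert": False},
    {"mac": "00:11:22:33:44:77", "agent": True, "av_sig_date": date(2006, 3, 1),
     "missing_critical": 3, "nids_alert": False},
    {"mac": "00:11:22:33:44:88", "agent": False, "av_sig_date": None,
     "missing_critical": None, "nids_alert": False},
    {"mac": "00:11:22:33:44:99", "agent": True, "av_sig_date": date(2006, 3, 3),
     "missing_critical": 0, "nids_alert": True},
]


def evaluate(host, today=TODAY, max_sig_age=MAX_SIGNATURE_AGE_DAYS):
    """Return (decision, reasons). Every check that fails or cannot be
    performed adds a reason; any reason means quarantine, so an unknown
    value is never treated as a pass."""
    reasons = []
    if not host["agent"]:
        reasons.append("no agent: posture cannot be verified")
    if host["av_sig_date"] is None:
        reasons.append("virus signature date unknown")
    else:
        age = (today - host["av_sig_date"]).days
        if age > max_sig_age:
            reasons.append(f"virus signatures {age} days old")
    if host["missing_critical"] is None:
        reasons.append("patch level unknown")
    elif host["missing_critical"] > 0:
        reasons.append(f"{host['missing_critical']} critical patches missing")
    if host["nids_alert"]:
        reasons.append("NIDS saw hostile traffic from this host")
    return ("quarantine" if reasons else "allow"), reasons


def decide_all(hosts, today=TODAY):
    """Map each MAC to its decision; this is what the 802.1x enforcement
    point would consume to pick the production or quarantine VLAN."""
    return {h["mac"]: evaluate(h, today) for h in hosts}


if __name__ == "__main__":
    for mac, (decision, reasons) in decide_all(HOSTS).items():
        print(f"{mac}  {decision:10}  {'; '.join(reasons) or 'posture OK'}")
```

Returning the full reason list rather than a bare verdict matters operationally: the quarantine VLAN's remediation page can tell the user exactly what to fix, which is what makes "will people use it?" come out in favour of the control.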

46
Vulnerability Management Techniques
Starting over with new design
  • What is it? Things are so bad (or the future is
    so bright) that we do a bulk upgrade with better
    security
  • Bad boy, go to your room! If you don't have the
    controls in place today, what makes you think
    this will be any different?
  • Yes, we do need new tech: Successful upgrades
    should be results-based and measured by the
    stakeholders. However, we're still guilty of
    deploying the latest tech to keep up with the
    Joneses

47
Vulnerability Management Techniques
Disconnect from the Internet
  • What is it? Things are so bad that we need to
    literally pull the plug
  • This is happening right now! Court cases forcing
    orgs to disconnect, leveraging common
    infrastructure which is dated, other stories?
  • What is this symptomatic of? Lack of vision. In
    each of these cases, there were one or more
    whistle-blowers whose call went unanswered

48
Vulnerability Management Techniques
Others?
  • Non-cooperative: Easier to change banners or
    registry settings than to patch. Refuting the
    accuracy of the vulnerability detection
    technology. Pushing out scan testing less and
    less often.
  • Cooperative: Opening up change-control to security
    for approval. Opening up change-control to
    security during incidents.

49
The Future
  • Don't worry, we'll patch it for you
  • Vulnerability management turns into detecting
    variance
  • What about zero-days and worm outbreaks?
  • What about monoculture?
  • Wait, isn't that network management?
  • So will we work for the CIO or the CSO? Or the
    CFO?

50
The Future
Don't worry, we'll patch it for you
  • Do I still need security? Absolutely.
  • What will security do? Security needs to help
    establish configurations, approve changes, select
    new technology, do incident response, etc.
  • What will security NOT do? Anything operational
    like running IPS, IDS, firewalls, VPNs, virus
    gateways, etc.
  • Even scanning and running anomaly systems? Yeah,
    many IT orgs buy vuln management tools.

51
The Future
Vulnerability management turns into detecting variance
  • Will we still scan and find vulnerabilities?
    Absolutely.
  • However: Instead of saying machine 10.20.10.22
    has an IMAP overflow on it, IT and security will
    determine how the machine was placed there
    outside of change management.
  • Detecting managed and unmanaged systems: It's
    more than scanning for specific products; your
    router, your firewall, etc. will find new hosts
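
The slide's shift from "this host has an IMAP overflow" to "why is this host running IMAP at all?" is a comparison against an approved baseline rather than a vulnerability lookup. This added example, not code from the talk, does that comparison: each host in the CMDB has a role, each role has the services and versions change management approved, and anything observed that departs from it is reported as a missing service, a version drift, an unexpected service, or a host that was never observed. The baseline, CMDB, observations and version strings are constructed; the slide's own 10.20.10.22 shows up with the unapproved IMAP daemon.

```python
"""Variance of observed hosts against a per-role approved baseline
(added example)."""

# Constructed baseline: for each role, the services that must run and the
# exact version change management approved. Nothing else should listen.
BASELINE = {
    "web": {"ssh": "OpenSSH_4.2p1", "httpd": "Apache/2.0.55"},
}

# Constructed CMDB: the role each managed host is supposed to play.
CMDB = {
    "10.20.10.22": "web",
    "10.20.10.23": "web",
    "10.20.10.24": "web",
    "10.20.10.25": "web",
}

# Constructed observations from the latest scan or passive sniffing,
# keyed by host: {service: version string}.
OBSERVED = {
    "10.20.10.22": {"ssh": "OpenSSH_4.2p1", "httpd": "Apache/2.0.55", "imap": "UW-IMAP/2004"},
    "10.20.10.23": {"ssh": "OpenSSH_4.2p1"},
    "10.20.10.24": {"ssh": "OpenSSH_4.2p1", "httpd": "Apache/2.0.54"},
}


def variances(cmdb, baseline, observed):
    """Return (host, kind, detail) tuples, one per departure from the
    host's role baseline, in host order. An empty list means every
    managed host looks exactly as change management said it should."""
    out = []
    for host, role in sorted(cmdb.items()):
        expected = baseline[role]
        actual = observed.get(host)
        if actual is None:
            out.append((host, "not-observed", "host in CMDB but absent from scan"))
            continue
        for svc, version in sorted(expected.items()):
            if svc not in actual:
                out.append((host, "missing-service", f"{svc} should be {version}"))
            elif actual[svc] != version:
                out.append((host, "version-drift",
                            f"{svc} is {actual[svc]}, baseline {version}"))
        for svc in sorted(set(actual) - set(expected)):
            out.append((host, "unexpected-service",
                        f"{svc}={actual[svc]} not in {role} baseline"))
    return out


if __name__ == "__main__":
    for host, kind, detail in variances(CMDB, BASELINE, OBSERVED):
        print(f"{host}  {kind:18}  {detail}")
```

Each of the four kinds maps to a different question for IT: who installed it, who removed it, who upgraded or downgraded it outside the change window, and whether the box is down or simply hiding from the scanner.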

52
The Future
What about zero-days and worm outbreaks?
  • Will we still have them? Absolutely.
  • Question 1: Would you rather fight a worm
    outbreak where you knew the configuration of your
    servers and they were all similar, or would you
    rather have randomness?
  • Question 2: Would you like to have more time to
    do incident response, or are you happy helping IT
    fix one fire after another?

53
The Future
What about monoculture?
  • What's the issue here? If all my stuff is
    configured the same, won't the same vulnerability
    be on all of it?
  • Question 1: Would you rather fight a worm
    outbreak where you knew the configuration of your
    servers and they were all similar, or would you
    rather have randomness?
  • Question 2: Would you like to have more time to
    do incident response, or are you happy helping IT
    fix one fire after another?

54
The Future
Wait, isn't that network management?
  • Not really. Network management does lots of other
    stuff which affects performance, availability and
    end-user experience.
  • We can't be part of ops: Fox watching the
    hen-house. Can't audit controls and really assert
    that our systems are being managed correctly.

55
The Future
So will we work for the CIO or the CSO? Or the CFO?
  • Hard to say: We should still have jobs, but need
    to get much smarter about compliance issues and
    IT management theory.
  • Why? Because the audits are using IT best
    practices as the language for the evaluation. If
    you have never heard of COBIT, ITIL or ISO, you
    may be doing exactly the right thing, but won't
    be able to articulate it.
  • When all else fails... Choose the CFO, because
    she has all the money. Working for the CFO is
    the Dilbert equivalent of working in marketing

56
Questions??
57
Contact Information
  • ps <at> tenablesecurity.com
  • http://www.tenablesecurity.com
  • http://www.nessus.org
  • Free NeWT Class C scanner!
  • White papers!

Read the Blended Security Assessments white
paper at http://www.tenablesecurity.com