Vulnerability Management - PowerPoint PPT Presentation

1
Vulnerability Management
  • Kent Landfield
  • Security Group Director
  • Citadel Security Software
  • klandfield@citadel.com

2
Imagine a Perfect World
  • Imagine an (almost) perfect world
  • Your IT systems are invulnerable to a desired
    level, based on risk analysis
  • Every morning you can review an enterprise-wide
    status: whether your vulnerability management
    policy is being enforced, and the status of any
    open vulnerabilities
  • You do not employ an army of system/security
    administrators to secure it and keep it secure

3
Real World
  • Now the real world
  • You may not know where you stand in terms of:
  • Vulnerabilities
  • Threats
  • Risks
  • Exposures
  • You are always in a reactive mode
  • Your staff of administrators is stressed by the
    scramble to keep up
  • You are hoping you are not compromised!

4
Some Numbers
  • General Internet attack trends are showing a 64%
    annual rate of growth (Symantec, 2004)
  • Average of 79 new vulnerabilities per week in
    2004 (eEye Digital Security)
  • The average company experiences 32 cyber-attacks
    per week (Checkpoint)
  • The average measurable cost of a serious security
    incident in Q1/Q2 2004 was approximately 500,000
    (UK Dept of Trade and Industry)
  • Identity-theft-related personal information is
    selling for 500-1000 per record (CFE Resource)

5
Hacking Trends
6
And They're Getting Better
  • More vulnerabilities: higher likelihood of
    attack
  • Faster attacks: less time to react

7
So It's About Patching?
  • Well, no.
  • 90 to 95% of all network attacks target
    vulnerabilities for which there was an existing
    mitigation or repair (FBI, SANS, Gartner Group,
    Carnegie-Mellon)
  • Flawed software accounts for 35% of all
    vulnerabilities (Gartner Group):
  • Buffer overruns
  • Denial of service susceptibility
  • Design flaws
  • Attacks based on flawed software:
  • Blaster
  • SQL Slammer
  • Code Red
  • So what constitutes the other 65%?

8
Configuration-based Vulnerabilities
  • Backdoors
  • MyDoom.A
  • W32.Beagle.I@mm
  • NETBUS
  • BACKORIFICE
  • SUBSEVEN
  • Unneeded Software
  • IIS on desktops
  • Non-standard web browser
  • Spyware, adware, ...
  • Missing Software
  • Personal firewall
  • VPN Client
  • Virus Scanner
  • Disabled or Mis-configured Software
  • Personal firewall
  • Unneeded Services/Ports
  • Telnet
  • FTP
  • SNMP

Gartner estimates that 65% of successful attacks
exploit configuration mistakes. ("Taxonomy of
Software Vulnerabilities", Gartner)
9
More Configuration-based Vulnerabilities
  • Unneeded Files
  • File Access Permissions
  • Read/write/execute where only read/execute is
    required
  • User Accounts
  • Guest account present
  • Missing or weak passwords or password policies
  • Ex-employees accounts not removed from all
    systems
  • User Account Permissions
  • Unneeded Processes
  • Network File Shares
  • Registry Settings (Windows)
  • Unauthorized Devices
  • User brings in personal laptop and connects to
    network
  • Text file-based configuration settings
  • sshd_config configuration allows host-based
    authentication (Unix)
  • Settings in web.config/machine.config (Windows)
  • Local Security Settings
  • All users allowed network logon right in Windows
    Local Security Policy
  • Auditing
  • Auditing turned off
  • Access control to audit logs allows tampering by
    anyone
  • Unused Protocols
  • HTTP and HTTPS are both allowed where only HTTPS
    was authorized

10
Vulnerability Management
"Enterprises that implement a vulnerability
management process will experience 90 percent
fewer successful attacks than those that make an
equal investment only in intrusion detection
systems." (Gartner)
"Security demands drive shift to vulnerability
management." (Gartner)
11
Vulnerability Management Policies
(Layered diagram: each layer is derived from the one above it)
  • Regulatory drivers: Sarbanes-Oxley,
    Gramm-Leach-Bliley, HIPAA, FISMA, SB1386, ...
  • Corporate Security Policy
  • Vulnerability Management Policy
12
Vulnerability Management Process
(Process diagram: a cycle driven by the Vulnerability
Management Policy)
  • Identify Assets -> Assess Vulns -> Remediate
    Vulns -> Monitor And Review -> Audit And
    Compliance -> back to Identify Assets
  • Inputs to assessment: Asset, Threats,
    Vulnerabilities, Exposures, Risks,
    Countermeasures
  • Outputs: Vulnerability Assessment Reports (from
    Assess Vulns), Compliance Reports (from Audit
    And Compliance)
13
Condition A: Establish Baseline
  • Identify Assets
  • Discover or import network assets
  • Assess Vulnerabilities
  • Scan network assets for vulnerabilities
  • Threats, risks, exposures
  • Establish Remediation Policies for Classes of
    Assets, based on:
  • Mission criticality/exposure
  • Operating system/applications on the device
  • Server or desktop device
  • Geographic location of the device
  • Organizational role of the device / of the person
    using the device
  • When remediation takes place; whether a reboot is
    required
  • Remediate Vulnerabilities
  • Schedule configuration-based remediations
  • Schedule patch-based remediations
  • Review And Monitor
  • Remediation Results
  • Audit And Compliance
  • Generate Reports

14
Condition B: Maintain Baseline
  • Assess Vulnerabilities
  • Review the latest vulnerabilities published by
    security groups and vendors
  • Include new vulnerabilities directly into
    remediation policies
  • Or, update vulnerability assessment tool database
    and re-scan your network
  • Or, search assets for vulnerable devices
  • Remediate Vulnerabilities
  • Remediate identified devices to bring them into
    compliance
  • Review And Monitor
  • Remediation Results
  • Audit And Compliance
  • Generate Reports
  • Re-assess vulnerabilities in network for
    independent verification

15
Condition C: Zero-Day Exploit
  • Assess Vulnerabilities
  • Review the zero-day exploit details
  • Acquire or create a new remediation for the
    vulnerability
  • Include new vulnerabilities directly into
    remediation policies
  • Or, update vulnerability assessment tool database
    and re-scan your network
  • Or, search assets for vulnerable devices
  • Remediate Vulnerabilities
  • Remediate critical devices to protect them
  • Review And Monitor
  • Remediation Results

16
Condition D: Devices Join the Network
  • Identify Assets
  • Authorized Device First Time Deployment
  • Discover new assets
  • Detect new devices joining the network
  • Automatic joining to the vulnerability management
    system
  • Authorized Device Reconnect
  • Verify compliance/remediate prior to allowing
    network connection
  • Visiting Devices
  • Block from the network
  • Assess Vulnerabilities
  • Authorized Device First Time Deployment
  • Establish a minimal remediation policy for
    connecting devices
  • Authorized Device Reconnect
  • Establish a minimal remediation policy for
    connecting devices
  • Visiting Device
  • Establish a minimal remediation policy for
    visitor devices
  • Remediate Vulnerabilities
  • Authorized Device First Time Deployment
  • Remediate prior to deployment
  • Or, install a remediated image
  • Or, quarantine and remediate upon initial
    connection
  • Authorized Device Reconnect
  • Quarantine and remediate to minimal connection
    baseline
  • Visiting Device
  • Quarantine and remediate to minimal visitor
    connection baseline
  • Review And Monitor
  • Remediation Results

17
Approaches to Vulnerability Management
  • Top Down (Policy Enforcement)
  • Bottom Up (Scan and Remediate)
  • Targeted (Zero-day Asset Identification)
  • All of the above

18
Policy Enforcement (Top-down)
  • Enforces compliance with an existing baseline,
    based on a hardening policy or a checklist
    configuration template. The same mechanism can be
    used proactively: as new vulnerabilities are
    discovered, the baseline is extended so that
    devices are patched and managed against them.
    Normally driven by the needs of the site security
    policy.
  • Good starting point: http://checklists.nist.gov
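
The checklist-driven enforcement described on this slide, applied to the text-file configuration items of slide 9 (an sshd_config that allows host-based authentication, file permissions that grant write where only read/execute is required), as an added Python example. This is not code from the presentation or from Citadel's products. The sample sshd_config, the policy table and the values sshd is assumed to use when a directive is absent are constructed for illustration.

```python
"""Baseline compliance check of an sshd_config against a hardening policy,
plus a file-permission check. Added example; all sample data is constructed."""
import re
from dataclasses import dataclass

# Constructed sshd_config showing weaknesses of the kind slide 9 lists
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample, not from any real host)
Port 22
Protocol 2
HostbasedAuthentication yes
PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
X11Forwarding no
"""

# Hardening policy: directive -> (required value, value sshd assumes when the
# directive is absent, severity). The "absent" defaults are assumptions for
# this example; they differ between OpenSSH releases, so a real checker must
# pin them to the version it audits. An absent directive is NOT compliant
# just because it is absent: the daemon default decides.
POLICY = {
    "HostbasedAuthentication": ("no", "no", "high"),
    "PermitRootLogin": ("no", "yes", "high"),
    "PermitEmptyPasswords": ("no", "no", "high"),
    "Protocol": ("2", "2,1", "medium"),
    "X11Forwarding": ("no", "no", "low"),
}

@dataclass(frozen=True)
class Finding:
    directive: str
    expected: str
    actual: str        # effective value, explicit or assumed default
    explicit: bool     # False when the daemon default applied
    severity: str

def parse_sshd_config(text):
    """Map lowercase directive -> value for the effective (uncommented) lines.
    sshd honours the first occurrence of a directive, so later duplicates are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()              # strip comments
        m = re.match(r"^(\S+)\s*=?\s*(.+?)\s*$", line)   # 'Key value' or 'Key=value'
        if m:
            settings.setdefault(m.group(1).lower(), m.group(2))
    return settings

def check_config(text, policy=POLICY):
    """Findings, highest severity first, for every directive whose effective
    value (explicit or default) does not match the policy."""
    settings = parse_sshd_config(text)
    rank = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for directive, (expected, default, severity) in policy.items():
        explicit = directive.lower() in settings
        actual = settings.get(directive.lower(), default)
        if actual.lower() != expected.lower():
            findings.append(Finding(directive, expected, actual, explicit, severity))
    return sorted(findings, key=lambda f: rank[f.severity])

def excess_permission_bits(actual_mode, allowed_mode):
    """Permission bits present on a file that the baseline does not allow,
    e.g. write where only read/execute is required. Returns 0 when compliant."""
    return (actual_mode & 0o7777) & ~allowed_mode

if __name__ == "__main__":
    for f in check_config(SAMPLE_SSHD_CONFIG):
        source = "set" if f.explicit else "default"
        print(f"[{f.severity}] {f.directive}: {f.actual} ({source}), policy requires {f.expected}")
    print(oct(excess_permission_bits(0o666, 0o644)))   # group/other write bits
```

Run against the sample, the checker reports HostbasedAuthentication and PermitRootLogin as high findings and accepts the commented-out PermitEmptyPasswords only because the assumed default is already "no". The distinction between an explicitly set value and an inherited default matters when a vendor changes a default in a new release: the policy table, not the config file, has to carry that knowledge.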

19
Scan and Remediate (Bottom-up VM)
  • This helps you establish a security baseline.
    The site scans the network to identify the
    vulnerabilities in its environment, remediates
    selected vulnerabilities, then reports on success
    against business requirements (SLA, asset
    priority, etc.). For better coverage and
    identification, multiple scanners should be
    considered, since each scanner's checks and
    detection logic differ.

20
Zero-Day Asset Identification (Targeted VM)
  • With asset information centrally stored on a
    network, you can query that information to
    determine the set of systems in your network that
    need immediate attention. Asset information
    needs to store some software state at time of
    snapshot as well as normal software and hardware
    information. This approach allows for rapid
    identification when time is short and scanning is
    not an option.

21
Vulnerability Management Policy
  • Remediate based on detected vulnerability
    identification/criticality
  • CVE Numbers, Vendor Advisories
  • Remediate based on asset configuration
  • All Windows 2000 Servers with IIS 5.0
  • Remediate based on Corporate security policy
  • Services/ports are disabled
  • Password policies are in effect
  • All Microsoft security patches are applied
  • Specific desktop applications allowed
  • When/who remediates what devices
  • When is network assessed for vulnerabilities
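
The targeted approach of slide 20 (query a central asset snapshot instead of scanning), combined with the policy rules on this slide (remediate by asset configuration such as "all Windows 2000 Servers with IIS 5.0") and the per-class remediation policies of slide 13, as an added Python example. This is not code from the presentation or from Citadel's products. The inventory, the advisory (its identifier is a placeholder, not a real vulnerability) and the remediation policy values are constructed for illustration.

```python
"""Targeted asset identification from a central inventory snapshot, then a
remediation plan chosen per asset class. Added example; all data is constructed."""
from dataclasses import dataclass, field

@dataclass
class Asset:
    hostname: str
    os: str
    role: str                      # "server" or "desktop"
    criticality: str               # "high", "medium" or "low"
    software: dict = field(default_factory=dict)   # product -> version at snapshot time
    exposure: str = "internal"     # "dmz" or "internal"

# Constructed inventory snapshot: OS plus software state at snapshot time
INVENTORY = [
    Asset("web01", "Windows 2000 Server", "server", "high", {"IIS": "5.0"}, "dmz"),
    Asset("web02", "Windows Server 2003", "server", "high", {"IIS": "6.0"}, "dmz"),
    Asset("intranet", "Windows 2000 Server", "server", "medium", {"IIS": "5.0"}),
    Asset("pc-0412", "Windows XP", "desktop", "low", {"IIS": "5.1"}),
    Asset("db01", "Windows 2000 Server", "server", "high", {"SQL Server": "2000"}),
]

# Constructed advisory. A real one is keyed by a CVE number or vendor bulletin;
# "EXAMPLE-ADV-1" is a placeholder, not a real identifier.
ADVISORY = {
    "id": "EXAMPLE-ADV-1",
    "affected": [                  # (OS name prefix, product, vulnerable versions)
        ("Windows 2000", "IIS", {"5.0"}),
        ("Windows XP", "IIS", {"5.1"}),
    ],
}

# Remediation policy per asset class: remediation window and how a required
# reboot is handled. Assumed values for the example.
REMEDIATION_POLICY = {
    ("server", "high"):   {"window": "immediate",        "reboot": "coordinate"},
    ("server", "medium"): {"window": "next maintenance", "reboot": "coordinate"},
    ("desktop", "low"):   {"window": "nightly",          "reboot": "automatic"},
}
DEFAULT_POLICY = {"window": "next maintenance", "reboot": "coordinate"}

def affected_assets(inventory, advisory):
    """Assets whose OS and installed product version match the advisory.
    No scanning takes place: this is a query over the stored snapshot."""
    hits = []
    for asset in inventory:
        for os_prefix, product, versions in advisory["affected"]:
            if asset.os.startswith(os_prefix) and asset.software.get(product) in versions:
                hits.append(asset)
                break
    return hits

def priority(asset):
    """Sort key: internet-facing (DMZ) assets first, then by criticality."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return (0 if asset.exposure == "dmz" else 1, rank[asset.criticality])

def remediation_plan(inventory, advisory):
    """Ordered remediation steps: host, advisory, window and reboot handling."""
    plan = []
    for asset in sorted(affected_assets(inventory, advisory), key=priority):
        policy = REMEDIATION_POLICY.get((asset.role, asset.criticality), DEFAULT_POLICY)
        plan.append({"host": asset.hostname, "advisory": advisory["id"], **policy})
    return plan

if __name__ == "__main__":
    for step in remediation_plan(INVENTORY, ADVISORY):
        print(step)
```

The query finds web01, intranet and pc-0412 and orders them DMZ first, then by criticality; web02 (IIS 6.0) and db01 (no IIS) are left alone. The answer is only as good as the snapshot's age, which is why slide 14 keeps an independent re-scan in the loop: a host whose software changed since the snapshot will be missed or falsely listed.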

22
New Network Devices
  • Policy for new devices joining the network
  • Approved desktops/servers
  • Traveler laptops
  • Visitor laptops
  • Scan and Block only vs Scan, Block, Remediate and
    Allow
  • Upcoming technology in end-point security
  • Cisco's Network Admission Control (NAC)
  • Microsoft's Network Access Protection (NAP)

23
Automated Tools and Lifecycle Vulnerability Management
24
Automated Tools By Category
  • Enterprise Vulnerability Management
  • Hercules AVR (Citadel)
  • Class 5 AVR (Secure Elements)
  • Vulnerability Assessment
  • Retina Network Security Scanner (eEye)
  • FoundScan Engine (Foundstone)
  • STAT Scanner (Harris)
  • Internet Scanner (ISS)
  • SiteProtector (ISS)
  • System Scanner (ISS)
  • Microsoft Baseline Security Analyzer (Microsoft)
  • IP360 Vulnerability Management System (nCircle)
  • Nessus Scanner (Nessus)
  • SecureScout SP (NexantiS)
  • QualysGuard Scanner (Qualys)
  • SAINT Scanning Engine (Saint)
  • Lightning Console (Tenable)
  • NeWT Scanner (Tenable)
  • WebInspect (SPI Dynamics )
  • Patch Management
  • System Management Server (Microsoft)
  • Windows Update Service (Microsoft)
  • PatchLink (PatchLink)
  • Big Fix (BigFix)
  • UpdateExpert (St. Bernard)
  • HFNetChk (Shavlik)
  • Policy Management
  • Active Directory Group Policy Objects
    (Microsoft)
  • Security Policy Management (NetIQ)
  • Enterprise Security Manager (Symantec)
  • Compliance Center (BindView)
  • Configuration/Asset Management
  • System Management Server (Microsoft)
  • TME (Tivoli)
  • Unicenter (CA)
  • Enterprise Configuration Manager (Configuresoft)
  • Asset Management Suite (Altiris)

25
Deployment of Automated Vulnerability Management Tools
  • Network Considerations
  • Network bandwidth and topology
  • Patch distribution and caching
  • Vulnerability and remediation update distribution
  • Network security and protocols
  • HTTP vs HTTPS, SFTP vs FTP, ...
  • Placement with respect to firewalls
  • Protocols allowed in/out, assets in DMZ, ...
  • Scalability in terms of number of assets
  • Scalability in terms of geographic distribution
  • Scalability in terms of levels of
    management/reporting

26
Additional Deployment Items
  • Agent-less
  • No enterprise-wide deployment
  • Limits on what can be scanned or remediated
  • Remote scanning and remediation require the
    target to keep remote-access paths open
    (administrative shares, RPC, SSH) and credentials
    for them to be held centrally; those paths are
    themselves exposures that must be controlled
  • Agent-based
  • Thorough scanning/remediation
  • Requires enterprise-wide deployment
  • Increased local machine resource use
  • Decreased network resource use
  • Agent Deployment
  • Manual install by user
  • Remote install
  • Install via existing deployment infrastructure
  • Install via images
  • Upon login
  • On visitor devices connecting to the network

27
Additional Deployment Considerations
  • Access Control
  • Who identifies assets
  • Who assesses vulnerabilities
  • Who defines and executes remediations
  • Who accesses which assets
  • Who monitors and reviews
  • Who audits

28
Implementation Considerations
  • Identify Assets
  • Network Discovery
  • AD Discovery
  • DHCP and DNS Imports
  • File Import (from existing sources)
  • Upon network connection (NAC/NAP)
  • Assess Vulnerabilities
  • How are vulnerability definitions updated,
    frequency
  • Map vulnerabilities to industry/vendor
    nomenclature (CVE, Microsoft MSyy-nnn bulletins)
  • Types of vulnerabilities found (configuration and
    patch)
  • When to do the assessment
  • Remediate Vulnerabilities
  • How are remediations updated, frequency
  • Configuration and patch-based remediations
  • Use of industry/vendor nomenclature (CVE,
    Microsoft MSyy-nnn bulletins)
  • Different remediation policies for different
    classes of assets
  • Different remediation schedules for different
    classes of assets
  • Manage rebooting of different classes of assets
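
Mapping findings to common nomenclature (this slide) is what makes the multi-scanner approach of slide 19 usable: two scanners can only be compared once their output is keyed by the same CVE or bulletin identifiers. The following added Python example (not code from the presentation or from any scanner vendor) normalizes identifiers from two constructed output formats and merges them per host. The scanner formats, hosts and identifier numbers are constructed and the CVE/MS numbers are deliberately out of any real range; a real deployment would parse each scanner's actual XML or CSV export instead of the regexes used here.

```python
"""Normalize scanner findings to common identifiers (CVE, MS bulletin) and
merge them per host. Added example; scanner output and identifiers are constructed."""
import re
from collections import defaultdict

# Constructed output of two hypothetical scanners with different formats.
SCANNER_A = """\
10.0.0.5|Missing patch MS04-999|refs=CVE-2004-9999,CAN-2004-9998
10.0.0.5|Telnet service enabled|refs=
10.0.0.7|Missing patch MS04-999|refs=CVE-2004-9999
"""
SCANNER_B = """\
host=10.0.0.5 id=cve-2004-9999 title="Hypothetical RPC flaw"
host=10.0.0.5 id=CVE-2004-9997 title="Hypothetical SMB flaw"
host=10.0.0.9 id=CVE-2004-9999 title="Hypothetical RPC flaw"
"""

CVE_RE = re.compile(r"\b(?:CVE|CAN)-(\d{4})-(\d{4,})\b", re.IGNORECASE)
MS_RE = re.compile(r"\bMS(\d{2})-(\d{3})\b", re.IGNORECASE)

def normalize_ids(text):
    """Canonical identifiers found in text. The older CAN- (candidate) prefix
    is folded into CVE-: the year and number do not change on acceptance."""
    ids = set()
    for year, num in CVE_RE.findall(text):
        ids.add(f"CVE-{year}-{num}")
    for yy, num in MS_RE.findall(text):
        ids.add(f"MS{yy}-{num}")
    return ids

def parse_scanner_a(text):
    """Pipe-separated 'host|title|refs=...' lines -> set of (host, identifier)."""
    findings = set()
    for line in text.splitlines():
        host, title, refs = line.split("|", 2)
        ids = normalize_ids(title + " " + refs)
        if ids:
            findings.update((host, ident) for ident in ids)
        else:
            findings.add((host, "CONFIG:" + title))   # configuration finding, no CVE
    return findings

def parse_scanner_b(text):
    """'key=value' lines -> set of (host, identifier)."""
    findings = set()
    for line in text.splitlines():
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
        for ident in normalize_ids(fields.get("id", "")):
            findings.add((fields["host"], ident))
    return findings

def merge(*named_finding_sets):
    """host -> identifier -> set of scanner names that reported it."""
    merged = defaultdict(lambda: defaultdict(set))
    for name, findings in named_finding_sets:
        for host, ident in findings:
            merged[host][ident].add(name)
    return merged

def only_seen_by_one(merged):
    """Findings reported by a single scanner: candidates for manual verification
    (either a false positive, or a coverage gap in the other scanner)."""
    return {(host, ident): tuple(sorted(names))
            for host, ids in merged.items()
            for ident, names in ids.items() if len(names) == 1}

if __name__ == "__main__":
    merged = merge(("A", parse_scanner_a(SCANNER_A)), ("B", parse_scanner_b(SCANNER_B)))
    for host in sorted(merged):
        for ident, names in sorted(merged[host].items()):
            print(host, ident, sorted(names))
```

On the sample, both scanners agree on host 10.0.0.5 having CVE-2004-9999, while seven findings are reported by only one of them, including a configuration finding (Telnet enabled) that carries no CVE at all. Those single-source findings are the list to verify by hand, and they are also the argument on slide 19 for running more than one scanner.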

29
Additional Implementation Considerations
  • Monitor and Review
  • Real-time displays
  • Status of enterprise
  • Reports for routine operations
  • Audit and Compliance
  • Reports for regulatory compliance

30
Automated Vulnerability Management is Required
  • Quantity of devices to manage
  • Quantity of vulnerabilities to remediate
  • Immediacy of exploit code
  • Propagation speed of exploits
  • Severity of the impacts
  • Polymorphic/encrypted viruses/worms evade virus
    detection tools
  • Spyware putting software onto your systems

31
Perfect World (almost) A Scenario
  • Anytime a machine joins (or re-joins) the
    corporate network, it is automatically
    quarantined, assessed, and remediated to bring it
    into compliance, prior to gaining access to
    network resources
  • Every night, critical vulnerability configuration
    compliance checks are performed on all Windows
    desktops and remediated if needed
  • Every Saturday, from 2:00 AM to 3:00 AM, newly
    approved patches are automatically applied to all
    Windows desktops
  • Every Sunday, from 2:00 AM to 3:00 AM, all Windows
    and Unix servers are checked for security policy
    compliance. Selected items are remediated; other
    items generate alerts
  • During monthly maintenance intervals, Unix and
    Windows servers are fully patched and rebooted if
    required
  • Monthly, a full, automated network assessment is
    performed to independently scan for
    vulnerabilities
  • Quarterly, remediation policies are reviewed and
    updated to incorporate new vulnerability
    remediations
  • Critical, zero-day remediations are applied where
    needed in the enterprise within an hour of
    notification and remedy availability

32
Final Words
  • Vulnerability Management is a critical part of
    your overall security program
  • Driven by goals and risks / benefits
  • Automated vulnerability management allows you to
    choose
  • Frequency of assessments
  • Frequency of remediation
  • What gets remediated
  • When things get remediated
  • versus having them chosen for you

33
Resources
  • Automated Vulnerability Remediation: The Wave of
    the Future (Eric Cole / Institute for Applied
    Network Security)
  • http://www.ianetsec.com/news/all_fc_cole1.htm
  • The Entire Enterprise on IT's Shoulders (Bill
    Brenner / SearchSecurity.com)
  • http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1045756,00.html?track=NL-102&ad=502802
  • Vulnerability Management Quiz (Shon Harris)
  • http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1043849,00.html?track=NL-20&ad=500993
  • Vulnerability Management WebCast (Shon Harris)
  • https://event.on24.com/eventRegistration/EventLobbyServlet?target=registration.jsp&align=left&regwidth=450&eventid=10251&sessionid=1&key=55482691F47B9759E5065796AA61CE7E&partnerref=Quiz&referrer=http%3A%2F%2Fsearchsecurity.techtarget.com%2Ftip%2F0%2C289483%2Csid14_gci1043849%2C00.html&sourcepage=register
  • Open Vulnerability and Assessment Language
    (OVAL) (MITRE)
  • http://oval.mitre.org/
  • Application Vulnerability Description Language
    (AVDL) (OASIS)
  • http://www.avdl.org/
  • http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=avdl
  • Introduction to Network Access Protection (NAP)
    (Microsoft)
  • http://www.microsoft.com/windowsserver2003/techinfo/overview/napoverview.mspx
  • Network Admission Control (NAC) (Cisco)
  • http://www.cisco.com/en/US/netsol/ns466/networking_solutions_sub_solution_home.html
  • Vulnerability Assessment Services (CSC)
  • http://www.csc.com/solutions/security/offerings/1073.shtml