infosec fright night: more macabre tales of vulnerability management gone awry
TRANSCRIPT
I want to share some stories from my consulting experience.
They will SHOCK and AMAZE you!
Or maybe not.
But they’re pretty funny.
Or sad. Or both.
A Security Horror Story:
Macabre Tales of Vulnerability
Management Gone Awry
Dave Shackleford
Voodoo Security
The Problem
• As a consultant, I see a lot of really bad vulnerability management practices
• Sometimes organizations are “doing it wrong”.
– OK, nobody’s perfect.
• There are lessons to be learned in these stories, though…DESPITE how painful they may be.
The Case of The…
The Story
• Mid-sized organization in the manufacturing industry
• Had set up an enterprise vulnerability scanner configured for authenticated scans
• An admin account had been added to the environment for scanning Windows systems
So…What’s the Big Deal?
• This credential was WEAK
• As in… “Password1” weak.
• Yeah.
• So...things went in an interesting direction
• And by interesting...
– ...well, we all know what that means.
Strange Things Were Seen…
…IN THE LOGS!!!!!
The Story?
• The scanning account got popped.
• You have to secure the account used for authenticated scans and lock it down TIGHT
• This one:
– Weak
– Never Expired
– And everywhere…
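Added example, not from the talk: a PowerShell check for the three problems above (weak/old password, never expires, local admin everywhere) on the account used for authenticated Windows scans. The account name svc-vulnscan and the sample host list are assumptions; the script needs the ActiveDirectory RSAT module and rights to query AD and the hosts.

```powershell
# Added example, not from the talk: audit the account used for authenticated
# Windows scans for the three failures in the story (weak/old password,
# never expires, local admin everywhere). Needs the ActiveDirectory RSAT
# module and rights to query AD and the sample hosts. Account name and
# host list are assumptions; change them to match your environment.
param(
    [string]$ScanAccount = 'svc-vulnscan',             # assumed account name
    [string[]]$SampleHosts = @('WS01', 'WS02', 'SRV01') # assumed scan targets
)
Import-Module ActiveDirectory

$u = Get-ADUser -Identity $ScanAccount -Properties PasswordNeverExpires, PasswordLastSet, MemberOf

# "Never expired": the account must not be exempt from password expiry.
if ($u.PasswordNeverExpires) {
    Write-Warning "$ScanAccount has PasswordNeverExpires set; clear it and rotate the password from a vault."
}

# "Weak": AD will not show the password itself, but its age and the
# account's group memberships are both visible and both matter.
if ($u.PasswordLastSet) {
    $ageDays = (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days
    if ($ageDays -gt 90) { Write-Warning "$ScanAccount password is $ageDays days old." }
}
$privileged = $u.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name } |
              Where-Object { $_ -in 'Domain Admins', 'Enterprise Admins', 'Administrators' }
if ($privileged) { Write-Warning "$ScanAccount is in: $($privileged -join ', ')" }

# "Everywhere": on a sample of targets, is the account in local Administrators?
# Authenticated scanning usually needs that, so the point is to know the
# scope, restrict the account to network logon only (deny interactive and
# RDP logon via GPO), and alert on any other use of it in the logs.
$pattern = '\\{0}$' -f [regex]::Escape($ScanAccount)
foreach ($h in $SampleHosts) {
    try {
        $members = Invoke-Command -ComputerName $h -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
        }
        [pscustomobject]@{
            Host                  = $h
            ScanAccountLocalAdmin = [bool]($members -match $pattern)
        }
    } catch {
        Write-Warning "Could not query ${h}: $($_.Exception.Message)"
    }
}
```

Run it from an admin workstation; every warning it prints maps to one of the three bullets in the story.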
Where the %$*& are the METRICS?
Where it all began…
• This, my friends, is a sad tale of political failure
• The organization was a midsize financial firm
• The vulnerability management program was slowly gaining traction
• Gains were won! The program marched onward!
But Then! THEY GOT A NEW CIO!!!
The team…
…WAS UNPREPARED!!!
The Aftermath
• The CIO was not impressed with the team’s lack of metrics and tracking
• She diverted her attention to other projects and initiatives
• The group didn’t lose all funding, but saw a reduction in budget
– They also did not get headcount approval
10,000 Page Report!
The Setup
• Company: Large Healthcare Organization
• 3 people doing vulnerability management
• Their program:
– Scanning
– Some threat intel
– Patch and config guidance
• They thought they were doing everything right…
There was a DISCONNECT
• The Ops teams had no direction
• They were prioritizing three things:
– Availability
– Availability
– Availability
• They didn’t have time to pick and choose what to fix…and the security team... provided a 10,000 page report!!!
The Lesson Learned
• The Ops team had analysis paralysis.
• The security team had to focus the results they provided:
– Reduce and vet false positives
– Prioritize the top 10 issues
– Work with the team to socialize and explain the fixes proposed (patches, etc.)
The Mystery of the Selective Patching
The Setup
• Large, distributed insurance company
• Many different business units
• Semi-autonomous IT teams in different areas
– Lots of acquisitions and mergers
• Central vulnerability management (scanning)
– NOT centralized patching and config mgmt
Patch Reporting
• Several local operations teams “self reported” on patch application status:
This is where I come in.
• I was hired to work with the internal audit team to assess their vulnerability management program.
• We selected sample servers across all groups.
• Some of the “self reporter” groups’ servers were included.
• These groups had high patch compliance ratings up to this point.
What We Found! The Admins Were…
LYING!!!!
The Lesson
• The admins were only reporting on RECENT patches – they were still missing many old ones!
• Are you surprised?
– Don’t answer this.
• You absolutely need to perform authenticated scans and audits to confirm patch levels!
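Added example, not from the talk: a PowerShell check that reads installed updates straight from a sample of hosts instead of trusting self-reported status. The KB numbers and host names are constructed placeholders; substitute the patches your program requires and hosts sampled across all groups.

```powershell
# Added example, not from the talk: confirm patch levels on a sample of hosts
# directly, the same way an authenticated scan does, rather than taking the
# admins' word for it. KB list and host names are constructed placeholders.
$RequiredKBs = @('KB0000001', 'KB0000002')   # placeholders, not real KB numbers
$SampleHosts = @('SRV01', 'SRV02')           # assumed sample across all groups

$results = foreach ($h in $SampleHosts) {
    try {
        # Get-HotFix reads the host's own installed-update records.
        # Caveat: it only lists updates recorded via QFE, so treat it as
        # a cross-check against the scanner, not a replacement for it.
        $installed = Get-HotFix -ComputerName $h -ErrorAction Stop |
                     Select-Object -ExpandProperty HotFixID
        $missing = @($RequiredKBs | Where-Object { $_ -notin $installed })
        [pscustomobject]@{
            Host      = $h
            Required  = $RequiredKBs.Count
            Missing   = $missing.Count
            MissingKB = ($missing -join ', ')
            Compliant = ($missing.Count -eq 0)
        }
    } catch {
        # A host you cannot query is not "compliant"; it is unknown.
        [pscustomobject]@{
            Host      = $h
            Required  = $RequiredKBs.Count
            Missing   = $null
            MissingKB = "QUERY FAILED: $($_.Exception.Message)"
            Compliant = $false
        }
    }
}
$results | Format-Table -AutoSize
# Compare the Compliant column with the team's self-reported figure; any gap
# is the "old patches never mentioned" problem from the story.
```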
What’s in your wallet?
DEFAULT CREDENTIALS
The Setup
• Company: Global multi-billion SUPERMEGACORP
• Security team: ~40 people
• The gig: Internal pen test
Day 1: Start the Pen Test
• Day 1, hour 3:
• Dave: Guys, are these network devices in scope?
• Team: Yes, everything in the subnet.
• Dave: Cool.
• Team: Cool.
• Cool.
Day 1: P0wnage Hell
• Day 1, hour 4:
• Dave: Guys, I own most of your network devices in this subnet.
• Team: Nah.
• Dave: Yeah.
• Team: Nope
• Dave: Dudes.
Username: ADMIN
Password: ADMIN!!!!
The Report. The Meeting.
• Was I the super 1337 guy for all of this?
• No.
• What got me ownership of Palo Alto, Cisco, and F5 systems?
• DEFAULT. SYSTEM. CREDENTIALS.
The Lesson?
• Testing network devices is CRITICAL as part of your vulnerability management program.
• These were the Achilles’ heel of the whole place…and you can do a lot of damage from here.
ADVANCED PERSISTENT VULNERABILITY MANAGEMENT FAILS
Fail #1: Patching
• I routinely tell my SANS classes and clients, “It’s hard to find missing patches these days”
– I’m lying, of course
• Sure, most DMZ systems aren’t missing MS08-067, but it happens.
– Even ANCIENT patches like MS03-026 (RPC DCOM)
Patch Failure? Why?
• Platform coverage
• Deployment scenarios
• Patch installation control
– Retries
– Loading on boot
– Mobile connectivity
• Rollback ability
• Validation ability
• Reporting
Fail #2: Desktop Configs
• Organizations routinely suck at this.
• Many lack real standards that are applied at the desktop level
• Everyone SAYS they follow Microsoft or CIS…but they LIE.
• Develop and maintain a standard...and SCAN and AUDIT it.
Fail #3: Communication
• Vulnerability management is a team effort.
• Without buy-in and commitment from operations teams and others:
YOU.
WILL.
FAIL.
• Make sure you have visibility and regular meetings to get this done.
The Rub
• Vulnerability management can be HARD.
• In 2016, there’s no excuse to be failing THIS badly though.
Retina Enterprise
Vulnerability Management
Alex DaCosta
Retina Vulnerability Management and PowerBroker Privileged Account Management
• PowerBroker Privileged Account Management: privilege management, Active Directory bridging, privileged password management, auditing & protection
• Retina Enterprise Vulnerability Management: BeyondSaaS cloud-based scanning, network security scanner, web security scanner
• BeyondInsight Clarity threat analytics
• BeyondInsight IT Risk Management Platform: extensive reporting, central data warehouse, asset discovery, asset profiling, asset smart groups, user management, workflow & notification, third-party integration
Product Demonstration
Poll
Thank you for attending!