Vulnerability Management Overview. André R. LANDIM and RILDO Souza. Technical Colloquium Cuenca 2019 - CEDIA


Page 1: Technical Colloquium Cuenca 2019 - CEDIA

Vulnerability Management

Overview

André R. LANDIM, RILDO Souza

Technical Colloquium Cuenca 2019

Page 2

Workshop: Vulnerability Management Overview

CAIS/RNP

• AGENDA

• About RNP/CAIS

• Intro

• Vulnerability Management Process

• Prerequisites

• Steps and Tools

• Vulnerability Management at RNP

• Conclusion

Page 3

*** INFORMATION ***

This is not a Risk Management training; the information shown here covers only the fundamental skills related to the RM process.

Page 4

“We are an advanced national network for higher education, research and innovation. In 1992, we helped bring the internet to Brazil and we continue promoting innovative use of Information and Communication Technologies, driving science and education for all.”

• 27 Points of Presence (PoPs)

• +1500 campuses and units of education, research and health institutions throughout the country

• Benefiting more than 3.5 million users.

Page 5

Page 6

• Assets

• Any object that has significant importance or value to the organization. That object can be physical or not.

• Ex.: information, systems, devices, pictures, reputation and others.

Page 7

• Information Security Risk

• It is the result of combining likelihood and impact.

• R = L x I

Page 8

• Threats

• Possible occurrence of a security incident that can result in damage to an asset

Ex.: system break, hurricanes/earthquakes, unavailability

Page 9

• Vulnerabilities

• Weakness in a device or group of devices that can be exploited

• Vulnerability classification

• https://www.first.org/cvss/specification-document

Page 10

• Exploits & Attacks

• Intention to execute non-authorized actions like:

• Destroy data;

• Leak or theft of sensitive information;

• Misuse of devices;

• An exploit, in simple words, is a tool or group of tools used by a malicious user to take advantage of a vulnerability in a system.

Page 11

• Basic “modus operandi” of an attack

• It is very close to a vulnerability assessment, but the big difference is the main objective

• An attacker runs a scan against a target network searching for devices, services and open ports;

• After this step, he tries to exploit the discovered vulnerabilities;

• If the exploit succeeds, the attacker usually starts another step, which can be “lateral movement” or “privilege escalation”, for example.

Page 12

• Well... What is Vulnerability Management?

• It is a group of coordinated activities whose main goal is to reduce, to acceptable levels, the vulnerabilities discovered during a vulnerability analysis of an environment or of devices.

Page 13

• Benefits of Vulnerability Management

• If an organization does not have risk management, vulnerability management can help in many aspects related to technical decisions.

• The VM process does not cover aspects like "reputation".

• The reputation of an organization can be impacted in case of a data leak, for example.

Page 14

• Some benefits of the VM process

• Knowledge about your environment

• The VM process enforces the need for an updated inventory of HW and SW and their owners

• Clarity

• Clear information about any asset and what is necessary to do

• Helps in decision making

• Priority

Page 15

• Some obstacles of VM

• (Un)Controlled environment

• Complexity, continuous growth, lack of standards...

• Operation cost

• Tools, expertise, time...

• Compliance

• Laws, standards, regulations...

Page 16

• What about “Risk Management”?

• According to the previous information, the VM process is very similar to the RM process, but the VM process focuses on the IT environment

• According to ISO 27001, RM is described as:

• “Coordinated activities to direct and control an organization with regard to risk”

Page 17

• Prerequisites for Vulnerability Management

• To establish a minimal effective VM process, we need some basic points. Let’s see:

• Asset Inventory and Scope definition

• Type of scans and authorization

• Mitigation process

• Status report process

Page 18

• Asset Inventory

• HW inventory

• SW inventory

• Asset contact owner

• Licensing and support information

• How often and how to update the asset inventory?

• What services or groups of services each asset or group of assets supports

• Helps the RM process

Page 19

• Scope definition

• If you are running a VA for the first time, it is recommended to reduce the scan scope.

• With a small scope, it is possible to adapt the scan to some specific aspects of the environment.

• We can reduce the types of vulnerabilities too. Instead of running a “full-scan”, we can select some vulnerabilities to scan, like:

• NTP vulnerabilities

• RDP vulnerabilities

• ...

• It is very difficult to define a scope without an asset inventory

Page 20

• About asset inventory...

• Described in ISO 27001

• Fundamental for the organization to know its assets and each service or system supported by these assets

• If the asset inventory is not up to date, we can use some tools to help us discover devices in our network

• fping

• NMAP

• OpenVAS + GSA (Greenbone Security Assistant)
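The slide lists fping and NMAP as ways to find devices when the inventory is stale, but discovery only helps if its result is compared back against the inventory: hosts that answer and have no owner, and inventory entries that no longer answer, are exactly what the VM process needs to know before defining a scan scope. The script below is an added example (not from the CAIS/RNP deck); the inventory CSV columns, the fping output and the 192.0.2.0/24 scope are constructed sample data, and the line format assumed is what fping prints with `-a -e`.

```python
import csv
import io
import ipaddress
import re

# Constructed sample inventory (the column layout is an assumption for this example).
INVENTORY_CSV = """ip,hostname,owner,services
192.0.2.10,www01,web-team@example.edu,HTTP;HTTPS
192.0.2.11,mail01,infra@example.edu,SMTP;IMAP
192.0.2.12,db01,dba@example.edu,PostgreSQL
192.0.2.20,printer-lab,lab@example.edu,IPP
"""

# Constructed output in the shape fping prints with `-a -e` (alive hosts only,
# with elapsed time), e.g. from `fping -a -e -g 192.0.2.0/24`.
FPING_OUTPUT = """192.0.2.10 is alive (0.21 ms)
192.0.2.11 is alive (0.33 ms)
192.0.2.20 is alive (1.02 ms)
192.0.2.45 is alive (0.87 ms)
192.0.2.46 is alive (0.90 ms)
"""

ALIVE_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is alive")


def load_inventory(text):
    """Parse the inventory CSV into a dict keyed by IP address."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}


def parse_fping(text):
    """Return the set of IPs that fping reported as alive."""
    alive = set()
    for line in text.splitlines():
        match = ALIVE_RE.match(line.strip())
        if match:
            alive.add(match.group("ip"))
    return alive


def reconcile(inventory, alive, scope):
    """Compare the discovery sweep with the inventory, restricted to the scanned scope.

    Returns (unknown, missing, known), each sorted by address:
      unknown - answered the sweep but has no inventory entry (no owner to notify)
      missing - in the inventory and in scope, but did not answer (off, moved, decommissioned?)
      known   - answered and is in the inventory
    """
    net = ipaddress.ip_network(scope)
    in_scope = {ip for ip in inventory if ipaddress.ip_address(ip) in net}
    by_addr = ipaddress.ip_address
    unknown = sorted(alive - in_scope, key=by_addr)
    missing = sorted(in_scope - alive, key=by_addr)
    known = sorted(alive & in_scope, key=by_addr)
    return unknown, missing, known


def owner_for(inventory, ip):
    """Contact to notify before scanning this asset, or None if nobody owns it yet."""
    entry = inventory.get(ip)
    return entry["owner"] if entry else None


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    unknown, missing, known = reconcile(inv, parse_fping(FPING_OUTPUT), "192.0.2.0/24")
    print("Not in inventory (needs an owner before it enters the scan scope):", unknown)
    print("In inventory but silent (verify status with the owner):", missing)
    for ip in known:
        print(ip, inv[ip]["hostname"], inv[ip]["owner"], inv[ip]["services"])
```

The same reconciliation works on any address list, so an nmap ping sweep (`-sn`) or an OpenVAS host list can be fed in instead of fping by swapping the parser; the point is that "unknown" hosts go to the inventory and owner-assignment step before they go into a scan scope.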

Page 21

• fping

Page 22

• NMAP

Page 23

• OpenVAS

Page 24

• Type of scans and Authorization

• We can have different scan schedules according to the type of asset or group of assets

• Authorization

• Before starting a scan, we must inform the asset owners about the scan

• Are the asset owners interested in receiving reports immediately at the end of the scans, or must the results be presented in a status report meeting?

• False Positive X “PATCH NOW!”

Page 25

• Mitigation process

• Vulnerability classification X Priority patches

• High X Medium X Low?

• https://www.first.org/cvss/specification-document

• Estimated time to apply critical patches?

• External X Internal services

• In critical scenarios, what are the primary steps?

• External X Internal services
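Page 7 gives the risk formula R = L x I and this slide asks how vulnerability classification, external versus internal exposure, and an estimated time to patch fit together. The script below is an added example (not from the CAIS/RNP deck) that turns those questions into a patch queue: the CVSS v3.1 qualitative bands are from the FIRST specification linked on the slide, while the likelihood weights, the impact cap by asset criticality, the SLA days and the findings (with placeholder VULN ids) are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Finding:
    asset: str
    vuln_id: str        # placeholder ids below, not real advisories
    cvss: float         # CVSS v3.1 base score, 0.0 to 10.0
    exposure: str       # "external" (reachable from the Internet) or "internal"
    criticality: int    # asset importance from the inventory: 1 (low) to 3 (high)
    exploit_public: bool


def cvss_severity(score):
    """Qualitative rating bands from the CVSS v3.1 specification."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def likelihood(finding):
    """L on a 1..3 scale; external exposure and a public exploit each add one (assumed weights)."""
    value = 1
    if finding.exposure == "external":
        value += 1
    if finding.exploit_public:
        value += 1
    return value


# Assumed mapping from CVSS band to impact on a 0..3 scale.
IMPACT_BY_BAND = {"None": 0, "Low": 1, "Medium": 1, "High": 2, "Critical": 3}


def impact(finding):
    """I on a 0..3 scale: the CVSS band, capped by how much the asset matters (assumed rule)."""
    band = IMPACT_BY_BAND[cvss_severity(finding.cvss)]
    return min(band, finding.criticality)


def risk(finding):
    """R = L x I, the slides' formula, giving 0..9."""
    return likelihood(finding) * impact(finding)


# Assumed remediation deadlines (days) per priority; adapt to local policy.
SLA_DAYS = {"P1": 2, "P2": 7, "P3": 30, "P4": 90}


def priority(risk_value):
    if risk_value >= 6:
        return "P1"
    if risk_value >= 4:
        return "P2"
    if risk_value >= 2:
        return "P3"
    return "P4"


def patch_queue(findings, today):
    """Score every finding and return rows sorted by risk, then likelihood, then asset."""
    rows = []
    for f in findings:
        r = risk(f)
        p = priority(r)
        rows.append({"asset": f.asset, "vuln_id": f.vuln_id, "severity": cvss_severity(f.cvss),
                     "L": likelihood(f), "I": impact(f), "R": r, "priority": p,
                     "due": (today + timedelta(days=SLA_DAYS[p])).isoformat()})
    rows.sort(key=lambda row: (-row["R"], -row["L"], row["asset"]))
    return rows


# Constructed findings with placeholder ids: two identical CVSS 9.8 issues on
# very different assets, to show why CVSS alone does not order the patch queue.
SAMPLE = [
    Finding("www01", "VULN-0001", 9.8, "external", 3, True),
    Finding("printer-lab", "VULN-0002", 9.8, "internal", 1, True),
    Finding("db01", "VULN-0003", 7.5, "internal", 3, False),
    Finding("mail01", "VULN-0004", 5.3, "external", 2, False),
]


def sample_queue(today_iso="2019-10-10"):
    return patch_queue(SAMPLE, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for row in sample_queue():
        print(row)
```

Both CVSS 9.8 findings land in different places: the Internet-facing critical web server gets P1 with a two-day deadline, while the same score on a low-value internal printer drops to P3, which is the "External X Internal services" distinction the slide asks about, made explicit and repeatable.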

Page 26

• Status report process

• What information must a report have?

• How frequently?

• Should critical vulnerabilities have a different communication process?

Page 27

• Vulnerability Analysis - RUN VA Scan... RUN!!!

• A VA scan can have different focuses, and some tools fit better depending on your goals, e.g.:

• Network scan + simple vulnerability discovery: NMAP + NSE scripts

• Vulnerability Assessment System: OpenVAS

• Web Application vulnerability scan: w3af

Page 28

• NMAP

• “Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing.”

• https://nmap.org/

Page 29

• NMAP + NSE scripts

• SMTP Relay

• DNS Recursion
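The two NSE checks named on the slide (nmap ships them as `smtp-open-relay` and `dns-recursion`) answer "vulnerable or not" in free text, so turning a scan into report material means reading nmap's XML output (`-oX`) and keeping the script's own wording as evidence, while negative results stay out of the findings list. The parser below is an added example (not from the CAIS/RNP deck); the XML is constructed to mimic `-oX` output for those two scripts against hosts in the scan scope, and the severity assigned to each check is an assumed internal rating.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample shaped like the -oX output of
#   nmap -sS -sU -p T:25,U:53 --script smtp-open-relay,dns-recursion -oX out.xml <scope>
# run against in-scope hosts whose owners were notified beforehand.
SAMPLE_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
<hostnames><hostname name="mail01.example.edu" type="PTR"/></hostnames>
<ports><port protocol="tcp" portid="25"><state state="open" reason="syn-ack"/><service name="smtp"/>
<script id="smtp-open-relay" output="Server is an open relay (16/16 tests)"/></port></ports></host>
<host><status state="up"/><address addr="192.0.2.53" addrtype="ipv4"/>
<hostnames><hostname name="ns01.example.edu" type="PTR"/></hostnames>
<ports><port protocol="udp" portid="53"><state state="open" reason="udp-response"/><service name="domain"/>
<script id="dns-recursion" output="Recursion appears to be enabled"/></port></ports></host>
<host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
<hostnames/>
<ports><port protocol="tcp" portid="25"><state state="open" reason="syn-ack"/><service name="smtp"/>
<script id="smtp-open-relay" output="Server doesn't seem to be an open relay, all tests failed"/></port></ports></host>
<host><status state="down"/><address addr="192.0.2.99" addrtype="ipv4"/></host>
</nmaprun>
"""

# The script's own wording decides whether it is a finding; anything else is
# "tested, not vulnerable" and must not reach the report as a finding.
FINDING_RULES = {
    "smtp-open-relay": lambda out: out.startswith("Server is an open relay"),
    "dns-recursion": lambda out: "Recursion appears to be enabled" in out,
}
# Assumed internal severity per check (the slides leave classification to CVSS/policy).
SEVERITY = {"smtp-open-relay": "High", "dns-recursion": "Medium"}


def parse_nse_findings(xml_text):
    """Walk nmap XML and return one dict per positive NSE result, with its evidence."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        name = host.find("hostnames/hostname")
        hostname = name.get("name") if name is not None else addr
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            for script in port.findall("script"):
                sid, output = script.get("id"), script.get("output", "")
                rule = FINDING_RULES.get(sid)
                if rule and rule(output):
                    findings.append({
                        "ip": addr, "host": hostname,
                        "port": f"{port.get('portid')}/{port.get('protocol')}",
                        "script": sid, "severity": SEVERITY[sid],
                        "evidence": output,  # the report shows this, not just "vulnerable"
                    })
    return findings


def summarize(findings):
    """Count findings per check, for the executive view."""
    return dict(Counter(f["script"] for f in findings))


def technical_lines(findings):
    """One line per finding for the technical report: where, what, and the evidence."""
    return [f"{f['severity']:<6} {f['host']} ({f['ip']}) {f['port']} {f['script']}: {f['evidence']}"
            for f in findings]


if __name__ == "__main__":
    found = parse_nse_findings(SAMPLE_XML)
    print(summarize(found))
    print("\n".join(technical_lines(found)))
```

The third host in the sample was tested and came back clean; it appears nowhere in the findings, which is the behaviour you want when the same report later goes through the false-positive validation step.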

Page 30

• Greenbone Vulnerability Management (OpenVAS)

• “Greenbone develops OpenVAS as part of their commercial vulnerability management product family "Greenbone Security Manager" (GSM). OpenVAS is one element in a larger architecture. In combination with additional Open Source modules, it forms the Greenbone Vulnerability Management solution.”

• Open Vulnerability Assessment System

• “OpenVAS is a full-featured vulnerability scanner. Its capabilities include unauthenticated testing, authenticated testing, various high level and low level Internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test.”

• Born from Nessus (fork from the old open-source version);

• More than 50k Network Vulnerability Tests (NVTs);

• Source code or virtual appliance

Page 31

• Greenbone Vulnerability Management (OpenVAS)

Page 32

• W3AF

• Web Application Attack and Audit Framework

• “w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.”

• http://w3af.org/

Page 33

• W3AF

Page 34

• Microsoft MBSA

• Microsoft Baseline Security Analyzer

• “The Microsoft Baseline Security Analyzer provides a streamlined method to identify missing security updates and common security misconfigurations.”

• https://www.microsoft.com/en-us/download/details.aspx?id=7558

• Many MS systems supported

• Integration with WUA & WSUS

• Runs local & remote

Page 35

• Microsoft MBSA

Page 36

• Mitigation process

• Countermeasures

• Patches

• “Virtual patch”

• Fix configuration

• Disable specific module

• Update system

• And... “C’est la vie”

Page 37

• Mitigation process

• What we need to consider about mitigations

• Cost of mitigation

• Renew license, buy new version of SW...

• Downtime

• Scheduled maintenance X Emergency maintenance

• Severity

• Attack surface

• Systems affected

• Exposure

• Areas involved

• Fallback plan

Page 38

• Mitigation process

• Apply mitigations in a controlled environment

• Test environment

• Used to TEST functions, configurations and updates

• Non-production environment

• Used to VALIDATE functions, configurations and updates in an environment similar to “production”

Page 39

• Status report process

• Collecting, analysing and validating results

• Before sharing the results of a scan, it is necessary to analyze the reports and, in some cases, validate the information.

• Validate = Exploit the vulnerability

• It is strongly recommended not to share automatically generated reports!!!

• The document may contain false positives that undermine the recipient's confidence in the report

Page 40

• Status report process

• There are different types of reports, in different formats and with different types of information

• Technical: contains detailed information about each vulnerability found

• Executive: consolidates information about the total number of vulnerabilities, totals per asset, severity classification, etc.

• Remediation: must have detailed information about how to fix each vulnerability found.
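The previous slide says results are analysed and validated before they are shared, and this one says the same results become three different reports. The script below is an added example (not from the CAIS/RNP deck) showing both steps on one findings list: validated false positives are dropped, unvalidated scanner results are kept but marked rather than hidden, and the executive, technical and remediation views are built from the remaining set. The findings, areas and fix texts are constructed, and the VULN ids are placeholders.

```python
from collections import Counter, defaultdict

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]

# Constructed findings after the analyst's validation pass; ids are placeholders.
# status: "validated" (confirmed), "false_positive" (tested, not real),
#         "unvalidated" (scanner result not yet checked by an analyst).
FINDINGS = [
    {"id": "VULN-0001", "asset": "www01", "area": "Web", "severity": "Critical",
     "title": "Outdated TLS library", "status": "validated",
     "fix": "Update the TLS library package to the vendor-patched version"},
    {"id": "VULN-0002", "asset": "mail01", "area": "Infra", "severity": "High",
     "title": "SMTP open relay", "status": "validated",
     "fix": "Restrict relaying to authenticated users and local networks"},
    {"id": "VULN-0003", "asset": "db01", "area": "Data", "severity": "High",
     "title": "Version string reported as vulnerable", "status": "false_positive",
     "fix": "None: the distribution backported the fix, the version string is misleading"},
    {"id": "VULN-0004", "asset": "www01", "area": "Web", "severity": "Medium",
     "title": "Directory listing enabled", "status": "unvalidated",
     "fix": "Disable directory indexing in the web server configuration"},
]


def confirmed(findings):
    """Everything that is not a known false positive, highest severity first."""
    keep = [f for f in findings if f["status"] != "false_positive"]
    return sorted(keep, key=lambda f: (SEVERITY_ORDER.index(f["severity"]), f["asset"]))


def executive_summary(findings):
    """Consolidated numbers for managers: totals, per severity, per asset, validation state."""
    kept = confirmed(findings)
    return {
        "total_confirmed": len(kept),
        "by_severity": dict(Counter(f["severity"] for f in kept)),
        "by_asset": dict(Counter(f["asset"] for f in kept)),
        "false_positives": sum(f["status"] == "false_positive" for f in findings),
        "pending_validation": sum(f["status"] == "unvalidated" for f in kept),
    }


def technical_report(findings):
    """One detailed line per finding for analysts; unvalidated items are marked, not hidden."""
    lines = []
    for f in confirmed(findings):
        line = f"{f['id']} | {f['severity']} | {f['asset']} ({f['area']}) | {f['title']}"
        if f["status"] == "unvalidated":
            line += " | PENDING VALIDATION"
        lines.append(line)
    return lines


def remediation_plan(findings):
    """Fix actions grouped by asset, so each owner receives only their own work list."""
    plan = defaultdict(list)
    for f in confirmed(findings):
        plan[f["asset"]].append({"id": f["id"], "severity": f["severity"], "fix": f["fix"]})
    return dict(plan)


if __name__ == "__main__":
    print(executive_summary(FINDINGS))
    print("\n".join(technical_report(FINDINGS)))
    for asset, actions in remediation_plan(FINDINGS).items():
        print(asset, actions)
```

The executive view still carries the false-positive and pending counts: a manager who sees "3 confirmed, 1 false positive, 1 pending" knows how much analyst work sits behind the numbers, which a raw scanner export never shows.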

Page 41

• Status report process

• Include in the report only relevant information

• What is relevant?

• Information must be aligned with the recipients

• Managers X Analysts X Auditors

Pages 42-45

• Status report process

• Collecting, analysing and validating results

Page 46

• Status report process

• Collecting, analysing and validating results

• Can you see inconsistent data in the previous information?

• Discussion...

Page 47

• Status report process

• Quality of information is fundamental

• The information needs to focus on:

• Audience

• managers, auditors, analysts...

• Bring relevant information to make decisions about next steps

• Show the current state of vulnerabilities in the defined scope

Page 48

• Status report process

• Recommended information for technical staff

• Assets & areas affected by the vulnerability

• Description of the vulnerability & severity

• Exploit information

• Evidence of compromise

• How the vulnerability was discovered

• Type of scan or tool used in this case

• Countermeasures available

• Mitigation process

Page 49

• Status report process

• Recommended information for managers

• Assets & areas affected by the vulnerability

• Description of the vulnerability & severity

• Mitigation process

• Scheduled maintenance X Emergency maintenance X Downtime

Page 50

• Status report process

• Recommended information for auditors

• Assets & areas affected by the vulnerability

• Description of the vulnerability & severity

• Exploit information

• Evidence of compromise

• Applied countermeasures

• Mitigation process

• Patched X Scheduled maintenance

Pages 51-52

• Status report process

• Common mistakes

• Confusing mitigation information

Page 53

• Status report process

• Common mistakes

• False positives

Page 54

• Environment validation

• This step is like a “re-scan” of the environment

• It is recommended that it be executed by the same analyst who did the first execution

• All previous premises apply here

Page 55

• Environment validation

• The same tools and steps must be repeated here

• Collect evidence about mitigations

• Are the vulnerabilities fixed?

• Create final report
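The re-scan is only evidence when it is compared against the first scan and against what the asset owners say they mitigated; a finding that disappeared with no recorded mitigation, or a "patched" finding that is still open, is exactly the "confusing mitigation information" the common-mistakes slides warn about. The script below is an added example (not from the CAIS/RNP deck) of that comparison; the two scan result lists and the mitigation log are constructed, and the VULN ids are placeholders.

```python
# Constructed findings, keyed by (asset, vulnerability id, port); ids are placeholders.
BASELINE = [
    {"asset": "www01", "id": "VULN-0001", "port": "443/tcp", "severity": "Critical"},
    {"asset": "mail01", "id": "VULN-0002", "port": "25/tcp", "severity": "High"},
    {"asset": "db01", "id": "VULN-0003", "port": "5432/tcp", "severity": "High"},
    {"asset": "www01", "id": "VULN-0004", "port": "80/tcp", "severity": "Medium"},
]
RESCAN = [
    {"asset": "db01", "id": "VULN-0003", "port": "5432/tcp", "severity": "High"},
    {"asset": "www01", "id": "VULN-0004", "port": "80/tcp", "severity": "Medium"},
    {"asset": "mail01", "id": "VULN-0005", "port": "587/tcp", "severity": "Medium"},
]
# What the asset owners reported as done between the two scans (constructed).
MITIGATION_LOG = {
    "VULN-0001": "package updated on 2019-10-01, service restarted",
    "VULN-0004": "directory indexing disabled in vhost config",
}


def key(finding):
    """Identity of a finding across scans: same asset, same vulnerability, same port."""
    return (finding["asset"], finding["id"], finding["port"])


def compare_scans(baseline, rescan):
    """Return (fixed, remaining, new) finding lists, each in a stable key order."""
    base = {key(f): f for f in baseline}
    again = {key(f): f for f in rescan}
    fixed = [base[k] for k in sorted(base.keys() - again.keys())]
    remaining = [base[k] for k in sorted(base.keys() & again.keys())]
    new = [again[k] for k in sorted(again.keys() - base.keys())]
    return fixed, remaining, new


def final_report(baseline, rescan, mitigation_log):
    """Cross-check the re-scan with the mitigation log: the evidence the final report needs.

    confirmed_fixed      - gone from the re-scan and a mitigation is on record
    fixed_without_record - gone, but nobody recorded why (host off? scope changed? silent fix?)
    claimed_but_open     - owner reported a mitigation, yet the re-scan still finds it
    open_unmitigated     - still present, no mitigation recorded
    new                  - appeared only in the re-scan (new service, new test, regression)
    """
    fixed, remaining, new = compare_scans(baseline, rescan)
    return {
        "confirmed_fixed": sorted(f["id"] for f in fixed if f["id"] in mitigation_log),
        "fixed_without_record": sorted(f["id"] for f in fixed if f["id"] not in mitigation_log),
        "claimed_but_open": sorted(f["id"] for f in remaining if f["id"] in mitigation_log),
        "open_unmitigated": sorted(f["id"] for f in remaining if f["id"] not in mitigation_log),
        "new": sorted(f["id"] for f in new),
    }


if __name__ == "__main__":
    for section, ids in final_report(BASELINE, RESCAN, MITIGATION_LOG).items():
        print(f"{section:<22} {ids}")
```

Only the "confirmed_fixed" list is closed in the final report; the other four sections each become a question back to the asset owner or the analyst, which is why the slide insists on the same tools, steps and analyst for the re-scan.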

Page 56

• CONCLUSION...

• All areas must be involved in the Vulnerability Management process

• Tools are just tools

• “Time is money...”

• Running different tools brings more quality to the process, but makes it more complex;

• Always stay updated...

Page 57

• CAIS/RNP - Vulnerability Management Guide

• Structured document with the basic steps to implement a vulnerability management process.

• Available at:

• https://www.cais.rnp.br/docs/guia-gest-vulns-v2.pdf

• PT-BR

Page 58

REFERENCES

ABNT NBR ISO/IEC 27002:2013 - Código de prática para segurança da informação.

FIRST. Common Vulnerability Scoring System version 3.1: Specification Document. Available at: <https://www.first.org/cvss/specification-document>. Accessed on: 10 October 2019.

Greenbone Networks GmbH. Technical Documentation for Greenbone Technologies - OpenVAS Documentation. Available at: <https://docs.greenbone.net>. Accessed on: 15 August 2019.

Greenbone Networks GmbH. Greenbone GitHub. Available at: <https://github.com/greenbone>. Accessed on: 15 August 2019.

JUNIOR, Gildásio. Processo de Gestão de Vulnerabilidades de Segurança na UFBA. Available at: <https://gtergts.nic.br/files/apresentacao/arquivo/227/07-GestaoVulnerabilidades.pdf>. Accessed on: 10 October 2019.

KANDEK, W. Vulnerability Management for Dummies. 2nd edition. John Wiley & Sons, Ltd., 2015.

KLEINERT, Peter. Enhancing OS vulnerability scanners: from a single box to hardened multinode scan clusters. FIRST, February 2018. Available at: <https://www.first.org/resources/papers/hamburg2018/20180206-TFCSIRT-Hamburg-Final.pdf>. Accessed on: 28 May 2019.

LANDIM, A. and Conceição, J. Gestão de vulnerabilidades de segurança – dia 1. Available at: <https://video.rnp.br/portal/video.action?idItem=27864>. Accessed on: 15 August 2019.

LANDIM, A. and Conceição, J. Gestão de vulnerabilidades de segurança – dia 2. Available at: <https://video.rnp.br/portal/video.action?idItem=28771>. Accessed on: 15 August 2019.

LANDIM, A. and Conceição, J. Gestão de vulnerabilidades de segurança – dia 3. Available at: <https://video.rnp.br/portal/video.action?idItem=28772>. Accessed on: 15 August 2019.

LANDIM, A. and Conceição, J. Gestão de vulnerabilidades de segurança – dia 4. Available at: <https://video.rnp.br/portal/video.action?idItem=28773>. Accessed on: 15 August 2019.

LANDIM, A. and Conceição, J. Gestão de vulnerabilidades de segurança – dia 5. Available at: <https://video.rnp.br/portal/video.action?idItem=28774>. Accessed on: 15 August 2019.

PALMAERS, Tom. Implementing a vulnerability management process. SANS Institute Reading Room, 2019. Available at: <http://goo.gl/pSdpN3>. Accessed on: 28 May 2019.

SHANKS, Wylie. Building a vulnerability management program: A project management approach. SANS Institute Reading Room, 2019. Available at: <https://www.sans.org/reading-room/whitepapers/projectmanagement/buildingvulnerability-management-program-project-management-pproach-35932>. Accessed on: 28 May 2019.

Page 59

THANK YOU!!!

André Ricardo LANDIM

[email protected]

RILDO Antonio Souza

[email protected]

https://www.rnp.br/en/services/security