icalAccountManagerSalt Lake CitySeptember 26, 2013

Key Elements of EVM2§ ITAssetInventoryandControl§ Risk- ‐basedVulnerabilityManagement&Strategy§ ScanManagementandStrategy§ VulnerabilityTrackingandClosure§ ScanExclusion/ExcepIonProcess§ SomeClosingThoughts§ SomeReferenceandResources

Some quick thoughtsLifecycle of a VulnerabilitySome key things toremember as you areplanning your lnerabilitylife CyclePatching&ConfigurationTicketing an ongoing continuous cycle3There are some thingsto check


IT Asset Inventory and ControlCMDB- ConfigurationManagement DatabaseOr IT Asset Inventory“You cannot manage that which you donot track”5

IT Asset Inventory and ControlThings to Know:Inventories are VITAL to ensure vulnerability scan coverage is completeThese inventories are difficult to maintain and are error proneServer Inventory should be tested or spot-checked for completenessInformation could include, server, I.Ps, rack location, applications, owner,data risk, etc.q Maintenance for the inventories are usually a collective effort, don’t shootthe messengerq q q q Some things to Check:ü List-to-Floor, Floor-to-List inventory check (accuracy & completeness)ü Inspect data center inventory for proper labeling on devicesü Map the environment –[Tool based] and compare with inventory list6


Scan Management & StrategyScan Intervals - There should be a controlledprocess that determines scan frequency andreporting frequency. Be observant of possiblegaps created by intervalsScan Metrics – Vulnerability scanning can beaffected by network outages, firewalls, trafficmanagement, DNS Errors etc. Scans requireadministrative access that can affect scancompleteness and accuracy. Good vulnerabilitymanagement will have a method of tracking scansuccess8

Scan Management & StrategyWhat to scan Pretty much everything. Here is the short list:ü Web Servers: Apache, Microsoft ISS; iPlanet; Lotus Domino; IpSwitch; Zeus; full support forvirtual hosting.ü SMTP/POP Servers: Sendmail; Microsoft Exchange; LotusDomino; Netscape Messaging Server;QMail.ü FTP Servers: IIS FTP Server; WuFTPd; WarFTPd.ü Firewalls: Check Point Firewall-1/VPN-1 and NG; Cisco PIX; Juniper NetScreen; Gauntlet;CyberGuard; Raptor.ü Databases: Oracle; Sybase; MS SQL; PostgreSQL; MySQL.ü eCommerce: Icat; EZShopper; Shopping Cart; PDGSoft; Hassan Consulting Shopping; Perishop.ü LDAP Servers: Netscape; IIS; Domino; Open LDAP.ü Load Balancing Servers: Cisco CSS, Alteon, F5 BIG IP; IBM Network Dispatcher; Intel Routers;Administrable.ü Switches and Hubs: Cisco; 3Com; Nortel Networks; Cabletron; Lucent; Alcatel.9ü Wireless Access Points: Cisco; 3Com; Symbol; Linksys; D-Link; Netgear; Avaya; Apple Airport;Nokia; Siemens

Scan Management & StrategyThings to Know:q Scan frequency should match the risk of loss associated with the data and systemor patch cyclesq Frequency can range from monthly/bi monthly to continuousq Vulnerabilities garner differing levels of Risk . E.g. – associated with malware, remotely executableetc.q Scan signature should be VERY current – Auto-update is recommendedq Approach needs to comply with local and national lawsSome things to check:ü Select a sample of high-risk servers and determine the last-scanned date and is itwithin the stated goals of the scan strategyü Does the scan interval meet regulatory requirements?ü Review the process for updating the scan signature and scan completeness –Manual updates should be fully justified and tested.ü Determine if any critical tests are excluded from review - Management should justifyü Determine if Scan success and results are trackedü Are hardening guidelines published and followed – How?10


Configuration & HardeningWhat is Configuration Management?The process by which management defines permissible services,settings and applications. Should FTP be allowed for servers within the DMZ?Password Length and AgePort & ServicesAccount Permissions ReviewCIS Hardening Guidelines are a good place to startA solid hardening process will save hours of vulnerability managementand reduce risk.12

Configuration & HardeningBenefits of Configuration Management Monitor a larger range of transactions, controls, and systemsthan a person could ever assess using amanual process. Provide a level of consistency that eliminates the subjectivity ofhuman review. Run metrics and reports that ultimately help you manage thequality of both your compliance program and operations overall Reduce the number of found vulnerabilities and ensure a moresecure platform13

Configuration & HardeningBest Practice #1: Remember the Big PictureBest Practice #2: Align IT Policy Compliance and Security with the BusinessBest Practice #3: IT Compliance Starts with PolicyBest Practice #4: Establish AccountabilityBest Practice #5: Conduct a Pre-Audit or Readiness AssessmentBest Practice #6: Centralize IT Policy Program ManagementBest Practice #7: Prioritize Remediation ActivitiesBest Practice #8: Regularly Monitor the Whole ComplianceProgram14


Risk Based Vulnerability StrategyThree Broad Risks to consider.Outward andCustomerFacing systems needto be prioritizedPublicNetworkThese systems should be clearly identifiableManagement should have aDefined data classification schemeThere should be a concise inventory ofsystems that host, store and processsensitive data16

Risk Based Vulnerability StrategyHow do you priorities which high severity findings to fix first?Prioritize vulnerabilities when known exploits are published by third party vendors and/or publiclyavailable sources. Good VM tools constantly correlate exploitability information from real-time feeds toprovide up to date references to exploits and related security resources.Look for malware associated vulnerabilities. Vulnerability scanners correlate malware information withvulnerabilities when malware threats for vulnerabilities are published within the Trend Micro ThreatEncyclopedia or other authoritative sourcesPrioritize the vulnerability can be detected using remote (unauthenticated) scanning.Begin with vulnerabilities that are fixable with a patch that is currently available from the vendor.In Summary: Start with-High exposure systems – Public facing- Systems that hold or use High risk data- Fix the High probably/High severity, patchable vulnerabilities17

Risk Based Vulnerability StrategyThe VM solution needs to provide the capability to scan for and fix vulnerabilitiesin a broad range of categories, including:q Back Doors and Trojan Horses (bypass authentication systems).q Brute force attacks (defies cryptography by systematically trying different keys).q CGI (exploits the Common Gateway Interface).q Databases.q DNS and Bind (exploits Domain Name Services).q E-commerce applications.q File sharing.q File Transfer Protocol.q Firewalls.18

Risk Based Vulnerability StrategyThings to Know:q Management needs to have a plan to identify and priorities thesystems that are subject to vulnerability management. It is verydifficult if not impossible to “fix all” or “All Sev 4s and 5s”q Risk differs from server to server depending on Host data, internetfacingq Vulnerabilities garner differing levels of threatq Start with the fixable vulnerabilitiesThings to Check:ü Review system risk assessment used to identify HIGH risk systems basedon Data sensitivityü Review network diagrams used to track externally facing systemsü Ensure HIGH risk systems are scanned in accordance with policyguidelinesü Review action plans associated with high severity vulnerabilities19


Vulnerability Tracking and Closure5 Stages of Greif in Vulnerability ManagementStage1. Denial2. Anger21Server Team Says Security Says “You need a new crack pipe, myservers are not vulnerable!”“I am afraid they are andhere is the proof ”Who the heck gave you permissionto scan my servers!?!”“We need to scaneverything on the network ”“It sill introduces anunacceptable risk andneeds to be fixed”3. Bargaining“This system is going away ”4. Depression“It is impossible to fix all of these!”“A single patch willeliminate many of these”5. Acceptance“Okay I guess I will patch these”“Thank you for working withus. Let us know when youare ready for a rescan”

Vulnerability Tracking and ClosureThings to Know:q There needs to be a manageable, measurableprocess to track Vulnerabilitiesq Many companies use ticketing systemsq There will ALWAYS be exceptions to a policy –q Need to ensure that exceptions are approvedand reviewed at a regular intervalq Vulnerability ageing is a commonly appliedmetricThings to Check:ü Ensure system ownership is properly documented – lines of responsibilityfor security are properly assignedü Is there a process in place to escalate overdue or unpatched systemsoutside of policy- Test by reviewing scan resultsü Does management monitor aging of vulnerabilities of a system22


Scan Exclusions & ExceptionsSome systems maybe appropriately excluded fromvulnerability scanning!!Possible Scenariosü Process networksü Air-Gaped networksü Low risk, untrustedsystems – Be VERY waryof this justificationü Smart Equipmentü System cannot tolerateda scan withoutinterruption24

Scan Exclusion/ExceptionsThings to Know:q High risk in that these are permanent blind spots for vulnerabilitiesto hideq There are some systems that should be excluded – the need forsecurity scanning does not outweigh business use.q Scan-caused crashed can be an indication of a misconfiguredsystemq Exceptions to scanning should be documented/approved andsubject to regular reviewThings to Check:ü ü ü ü 25Is there a formal, documented process to exclude a system from scanning?Are scanning exceptions reviewed at a regular interval?Select a sample of excluded hosts and trace to authorizing documentsDetermine if there are action plans in place to remediate older systems andsubject them to future vulnerability scans


Other thoughts.q Vulnerability Management is best driven at the CISOlevel – Metrics should be designed to give “C” levelmanagement something to “manage to”q q q q number of days to close vulnerabilitiesnumber of days from identification to notificationscan coverage as a %authentication %q Patch Metrics and Configuration Managementdashboards have been found to be more effective thatvoluminous reports of high severity vulnerabilitiesq Be cautious when recommending automatic ticketing fornew vulnerabilities27

SomeGoodReferences- sources/

Thank [email protected]

Scan Management & Strategy 8 Scan Intervals - There should be a controlled process that determines scan frequency and reporting frequency. Be observant of possible gaps created by intervals Scan Metrics – Vulnerability scanning can be affected by network outages, firewalls, traffic