Date posted: 31-Jul-2015
Uploaded by: security-weekly
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Program
© Copyright Defensive Intuition, LLC 2004-2015
Paul Asadoorian. Day: Product Strategist, Tenable Network Security. Nights & Weekends: Founder & CEO, Security Weekly
Agenda
• Some slides with random pictures from the Internet
• Paul talks about vulnerability management over said slides
• Folks may have questions or challenge my thoughts/ideas (please do)
• More random Internet pictures
• Paul ranting a bit more while laughing at ridiculous pictures
• These are the only bullets in this presentation…
• End with tips on how to be successful
Vulnerability Management…
You have all the right tools…
A Robot, Ninja & Pirate Get Into a Fight, Who Wins?
We have arguments like this all the time. Sometimes they center around vulnerability management…
Why Do We Need Vulnerability Management?
(figure: "You" vs. "The Internet")
Don’t Be Blind…
You can’t fix what you don’t know is broken…
Meet The Robots, Ninjas and Pirates in the Security Dept.
The Robot
Without a care in the world…
“Going to scan the network!”
The Robot
Cares even less how long the report will be…
File -> Print…Reporting!!!!
The Robot
What your network looks like after the scan…
The Robot
What the sysadmins, network admins, developers, help desk and operations are saying about you…
Robots reporting to management
“The chances of cross-site scripting being exploited are 725 to 1. It’s quite possible the buffer overflow attacks aren’t quite stable. The odds of successfully surviving an attack on the Apache web server are… [Shut up 3PO!]. They’ve encased the web server in a WAF; it should be quite well protected, unless there is a bypass. I noticed the IPS pre-processor rules are damaged; it’s impossible to block attacks.”
The Ninjas
Wrote an Nmap script to patch everything and disable TELNET.
Pirates
To find the booty…
I’m gonna scan your network. Hard.
Pirate in meeting after report has been distributed
Patch your shit! Aaaaaaaaaarrgh!!
Pirates Lack Social Skillz
Perception Of Scanning
Even a broken clock is right twice a day
“Your slave?”
“You wish! You'll do shitwork, scan, crack copyrights…”
Attackers, like robots, automate…
Attacks above are common, but less severe (typically)
Cyber Pirate Attackers
Pirates will steal bandwidth, often very loud.
Now We Understand Some Of The Dynamics
What we learned up to this point: Vulnerability Management is HARD, and attackers will not let up.
“We’ll just scan once per quarter”
“We can just use the default scan policy”
“We can just scan parts of the network”
“We don’t care about finding all the vulnerabilities. Just show me the important ones. I can’t fix everything, so don’t bother showing me everything.”
#1 What you don’t know will probably be the thing that hurts you
#2 Ask any evil bad guy or penetration tester and they will tell you “we string together seemingly low severity vulnerabilities to achieve a goal”
Example: Chris Gates from Low to Pwned (2012) https://www.youtube.com/watch?v=u68QvWXYW_Q
#3 External conditions change. Not patching a vulnerability because there is no public exploit today doesn’t mean there will not be an exploit in the future (or that someone doesn’t have one already)
#4 Internal conditions change. Not discovering vulnerabilities in XYZ software because you don’t use XYZ software is dangerous.
Someone could be installing XYZ software as we speak.
#5 Vulnerability management is a historical reference.
You may not care which USB devices were plugged into your systems today, but when malware spreads via USB devices tomorrow…
“Just send them the raw results”
“Just patch CVSS > 8.0”
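The deck's argument against a bare "CVSS > 8.0" cutoff is that exploit availability changes over time (#3) and that attackers chain low-severity findings on one host (#2). The script below, an added example and not part of Paul's deck or any Tenable product, makes that concrete: it runs a constructed set of scan findings through the lazy cutoff, then through an illustrative priority score that also weighs public-exploit status and internet exposure, and finally flags hosts where several sub-threshold findings pile up. The finding data, the score weights and the chaining threshold are all assumptions chosen for the demonstration.

```python
"""Why "just patch CVSS > 8.0" is a lazy prioritisation rule.

Added example with constructed findings; the weights and thresholds
are illustrative assumptions, not a standard scoring scheme.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss: float
    exploit_public: bool   # external condition: can change tomorrow
    internet_facing: bool  # asset exposure


# Constructed sample scan output (not real results from any scanner).
FINDINGS = [
    Finding("web01", "Apache outdated (RCE)", 9.8, True, True),
    Finding("web01", "Directory listing enabled", 5.3, False, True),
    Finding("web01", "Verbose server banner", 2.1, False, True),
    Finding("web01", "Default credentials on admin console", 6.5, True, True),
    Finding("db01", "Telnet service enabled", 7.5, True, False),
    Finding("db01", "SMB signing not required", 5.3, True, False),
    Finding("db01", "Weak SNMP community string", 4.3, True, False),
    Finding("hr-pc7", "Kernel privilege escalation", 8.1, False, False),
]


def cvss_only(findings, threshold=8.0):
    """The 'lazy' rule from the slide: keep only findings above a CVSS cutoff."""
    return [f for f in findings if f.cvss > threshold]


def priority_score(f):
    """Illustrative score: base CVSS plus boosts for a public exploit and for
    internet exposure. The boost values are assumptions for this example."""
    score = f.cvss
    if f.exploit_public:
        score += 3.0
    if f.internet_facing:
        score += 2.0
    return score


def prioritize(findings):
    """Order findings by the richer score, highest first."""
    return sorted(findings, key=priority_score, reverse=True)


def chained_hosts(findings, cutoff=8.0, min_count=3):
    """Hosts carrying several sub-cutoff findings: individually ignorable under
    the lazy rule, but together they are what #2 in the deck warns about."""
    per_host = defaultdict(list)
    for f in findings:
        if f.cvss <= cutoff:
            per_host[f.host].append(f)
    return {h: fs for h, fs in per_host.items() if len(fs) >= min_count}


if __name__ == "__main__":
    print("Lazy rule (CVSS > 8.0):")
    for f in cvss_only(FINDINGS):
        print(f"  {f.host:7} {f.cvss:4} {f.title}")
    print("\nPrioritised with exploit + exposure context:")
    for f in prioritize(FINDINGS):
        print(f"  {priority_score(f):5.1f} {f.host:7} {f.title}")
    print("\nHosts with chainable low-severity findings:")
    for host, fs in chained_hosts(FINDINGS).items():
        print(f"  {host}: {len(fs)} findings, e.g. {fs[0].title}")
```

Run as-is and compare the three listings: the lazy rule drops db01 entirely even though every one of its findings has a public exploit, while the chained view surfaces both web01 and db01 as hosts worth a closer look.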
Goals & Results Matter…
Results Matter, Don’t Be Lazy
No one reads raw results
Goal: Prevention – prevent bad things with the resources you have
Stop waiting around for the perfect solution!
Goal: Detection
Know where you are vulnerable and monitor
Goal: React – Define priorities and enable people to take action
Vulnerability management is a repeatable process.
Goal: Do it yourself.
Vulnerability scanning is not what a pen tester should do for you. Tools have matured to allow for continuous scanning.
Goal: Evaluate tools – Define the evaluation criteria
Virtualization, Cloud, Mobile, Patch Management, Agents, Web Apps.
Goal: Checks and Balances – How are my other defenses working or not?
Anti-Virus, Firewalls, Compliance/System Hardening Programs
Goal: Metrics: Don’t Give Up On Them
(chart: searches for “dating tips” vs. searches for “fleshlight”)
What does management want to see?
Goal: Don’t just find a standard or copy what may work for others
Be a LEADER and set your own standards.
Goal: Get people to understand and change their behavior
Become a remarkable IT Security Leader
Some Fun Facts
Podcasts/Blogs/Videos: http://securityweekly.com Contact Me: [email protected]
http://securityweekly.com/attend
Security Weekly & Tenable are always hiring.
You can come to our studio on Thursday nights and watch the show live.
I post all my slides to http://slideshare.net/securityweekly
Larry really does have a tattoo in “that place”.
Jack is really old.
Also, Ninja is the winner.