Page 1

Stakeholder Specific Visualization and Automated Reporting of Network Scanning Results

11th DFN-Forum Kommunikationstechnologien, Günzburg, 27 June 2018
Tanja Hanauer, Stefan Metzger

Page 2

23.07.18 Leibniz-Rechenzentrum 2

Agenda

Ø Motivation

Ø State of the Art

Ø Process Framework Vis4Sec

Ø Exemplary Process Iterations
§ Limitation and Control of Network Ports
§ Vulnerable OpenSSL Library

Ø Conclusion

Page 3

Motivation

Ø Overview

Ø Organizational Knowledge

Ø Compliance -> Implementation

Page 4

State of the Art

Ø Visualization and Data Guidelines
§ Gestalt Theory
§ Tufte's Design Criteria
§ Shneiderman's Information Seeking Mantra

Page 5

Data Quality Dimensions according to Data Management Association UK

Ø Completeness: Proportion of stored data against the potential of 100 % complete.

Ø Uniqueness: No thing will be recorded more than once based upon how that thing is identified.

Ø Timeliness: The degree to which data represent reality from the required point in time.

Ø Validity: The data conforms to the syntax (format, type, range) of its definition.

Ø Accuracy: The degree to which data correctly describes the "real world" object or event being described.

Ø Consistency: The absence of difference, when comparing two or more representations of a thing against a definition.

Page 6

State of the Art

Ø Visualization and Data Guidelines

Ø Security Best Practices
§ ISO/IEC 27001
§ Critical Security Controls

Page 7

Security Best Practices

Ø ISO/IEC 27001
§ 13.1.2 Security of network services
§ 18.2.3 Technical review to ensure compliance with information security policy

Ø Critical Security Controls
CSC 9 Limitation and control of network ports
§ 9.1 Only ports, protocols, and services with validated business needs are running on each system
§ 9.3 Automated regular port scans against all key servers and comparison of the results to a known baseline

Page 8

State of the Art

Ø Visualization and Data Guidelines

Ø Security Best Practices
§ ISO/IEC 27001
§ Critical Security Controls

Ø Existing Publications

Page 9

Existing Publications

Page 10

State of the Art

Ø Visualization and Data Guidelines

Ø Security Best Practices

§ ISO/IEC 27001

§ Critical Security Controls

Ø Existing Publications

Ø Visualization and Knowledge Processes

§ Ware, Fry, Marty, and Balakrishnan

§ Burkhard

Page 11

Process Framework Vis4Sec

Ø Initiation
§ Environment
§ Requirements
§ Stakeholders
§ Planned Actions

Ø Question Phase

Ø Data Preparation Phase
§ Data Sources
§ Ensure Data Quality

Ø Visualization Phase

Ø Interaction Phase

Ø Iterations

Page 12

Initiation

Ø Environment: Scientific Data Center LRZ

Ø Requirements
§ Know running services
§ Detect new services
§ Detect and patch potentially vulnerable services

Ø Stakeholders
§ System and security admins
§ IT management

Ø Planned Actions
§ Automation of network scans
§ Stakeholder-specific filtering and distribution of results

Page 13

Question Phase

Ø What are the reachable ports on each system?

§ Externally

§ Internally

Page 14

Data Preparation Phase – Data Source I

DR Portscan

§ Centralized regular network scans

§ Aggregated

§ Automated ∆-reporting

§ Information -> operations

Page 15

Data Preparation Phase - Ensure Data Quality I

Page 16

Data Preparation Phase - Ensure Data Quality II
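The DAMA UK dimensions listed on page 5, applied to the port-scan records that this phase has to clean before anything is diffed or visualized. This is an added example and not code from the talk or from LRZ's DR Portscan: the scan records and the CMDB extract are constructed (they deliberately contain a duplicate, an out-of-range port, an unparseable address, a stale observation and a hostname that disagrees with the CMDB), the field names and the 14-day staleness window are assumptions, and accuracy is not checked because it needs a second, host-local source (the listening sockets on the machine itself) that a network scan cannot supply.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed scan records, one per (host, port) observation, as an aggregated
# scan run might store them. Not real scan data.
SCAN_RECORDS = [
    {"ip": "192.0.2.10", "host": "www1.example.org", "proto": "tcp", "port": 443,
     "seen": "2018-07-20T02:00:00+00:00"},
    {"ip": "192.0.2.10", "host": "www1.example.org", "proto": "tcp", "port": 443,
     "seen": "2018-07-20T02:00:00+00:00"},                      # exact duplicate
    {"ip": "192.0.2.10", "host": "www1.example.org", "proto": "tcp", "port": 70000,
     "seen": "2018-07-20T02:00:00+00:00"},                      # port out of range
    {"ip": "192.0.2.20", "host": "old-name.example.org", "proto": "udp", "port": 123,
     "seen": "2018-07-20T02:00:00+00:00"},                      # name disagrees with CMDB
    {"ip": "192.0.2.30", "host": "db1.example.org", "proto": "tcp", "port": 5432,
     "seen": "2018-05-01T02:00:00+00:00"},                      # stale observation
    {"ip": "not-an-ip", "host": "x", "proto": "tcp", "port": 22,
     "seen": "2018-07-20T02:00:00+00:00"},                      # unparseable address
]

# Constructed CMDB extract: every server the scan is supposed to cover.
CMDB = {
    "192.0.2.10": "www1.example.org",
    "192.0.2.20": "nas1.example.org",
    "192.0.2.30": "db1.example.org",
    "192.0.2.40": "backup1.example.org",   # never shows up in the scan output
}

# Fixed reference time so the example is deterministic (assumption).
NOW = datetime(2018, 7, 23, tzinfo=timezone.utc)


def check_validity(records):
    """Validity: every field conforms to its definition (IP syntax, port 1..65535, known protocol)."""
    bad = []
    for r in records:
        try:
            ipaddress.ip_address(r["ip"])
            ok_ip = True
        except ValueError:
            ok_ip = False
        if not ok_ip or not 1 <= r["port"] <= 65535 or r["proto"] not in ("tcp", "udp"):
            bad.append(r)
    return bad


def check_uniqueness(records):
    """Uniqueness: the same (ip, proto, port) observation must not be stored twice."""
    seen, dups = set(), []
    for r in records:
        key = (r["ip"], r["proto"], r["port"])
        if key in seen:
            dups.append(key)
        seen.add(key)
    return dups


def check_timeliness(records, now=NOW, max_age=timedelta(days=14)):
    """Timeliness: an observation older than the scan interval no longer represents reality."""
    return [r for r in records if now - datetime.fromisoformat(r["seen"]) > max_age]


def check_completeness(records, cmdb=CMDB):
    """Completeness: every CMDB host should appear at least once in the scan output."""
    scanned = {r["ip"] for r in records}
    return sorted(ip for ip in cmdb if ip not in scanned)


def check_consistency(records, cmdb=CMDB):
    """Consistency: the scanner's hostname for an IP must match the CMDB's hostname."""
    return sorted({(r["ip"], r["host"], cmdb[r["ip"]])
                   for r in records if r["ip"] in cmdb and cmdb[r["ip"]] != r["host"]})


def quality_report(records=SCAN_RECORDS):
    """Run all checks; each entry lists the records that fail one dimension."""
    return {
        "invalid": check_validity(records),
        "duplicates": check_uniqueness(records),
        "stale": check_timeliness(records),
        "unscanned": check_completeness(records),
        "inconsistent": check_consistency(records),
    }


if __name__ == "__main__":
    for dimension, failures in quality_report().items():
        print(f"{dimension}: {failures}")
```

Records flagged here are dropped or corrected before the delta step; otherwise a duplicate or a stale row shows up later as a change that never happened, and a host missing from the scan looks like a host with no open ports.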

Page 17

Data Preparation Phase - Data Source II

Ø DR Portscan

Ø Organizational
§ CMDB
§ Inventory DB
§ LDAP
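The automated ∆-reporting of page 14 combined with the stakeholder-specific distribution planned on page 12, as an added example that is not DR Portscan's code and not from the talk: parse nmap's XML output, diff the open ports against a baseline of services with a validated business need (CSC 9.1 and 9.3 on page 7), and route each delta to the admin the organizational source names for that host. The nmap XML, the baseline and the ownership map are constructed; the team names are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed nmap -oX style output for two hosts (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" start="1531000000">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.0.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="123"><state state="open"/><service name="ntp"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Baseline of approved services, i.e. ports with a validated business need (CSC 9.1).
BASELINE = {
    ("192.0.2.10", "tcp", 22),
    ("192.0.2.10", "tcp", 443),
    ("192.0.2.10", "tcp", 8080),   # approved but not open in this run
    ("192.0.2.20", "tcp", 80),
}

# CMDB-style ownership map (constructed): responsible admin team per host.
OWNERS = {
    "192.0.2.10": "web-team",
    "192.0.2.20": "storage-team",
}


def parse_open_ports(xml_text):
    """Return the set of (ip, proto, port) that nmap reports as open."""
    root = ET.fromstring(xml_text)
    found = set()
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                found.add((ip, port.get("protocol"), int(port.get("portid"))))
    return found


def delta(observed, baseline):
    """Delta against the known baseline (CSC 9.3): unapproved open ports and
    approved ports that are no longer reachable."""
    return {
        "new": sorted(observed - baseline),
        "missing": sorted(baseline - observed),
    }


def route_by_stakeholder(report, owners, default="security-team"):
    """Split the delta per responsible team so each stakeholder only receives
    findings for hosts it owns; hosts nobody owns go to the default team."""
    per_owner = defaultdict(lambda: {"new": [], "missing": []})
    for kind in ("new", "missing"):
        for ip, proto, port in report[kind]:
            per_owner[owners.get(ip, default)][kind].append((ip, proto, port))
    return dict(per_owner)


def run_report(xml_text=SAMPLE_NMAP_XML, baseline=BASELINE, owners=OWNERS):
    """Full pipeline: scan output -> delta -> per-stakeholder report."""
    return route_by_stakeholder(delta(parse_open_ports(xml_text), baseline), owners)


if __name__ == "__main__":
    for owner, findings in run_report().items():
        print(owner)
        for ip, proto, port in findings["new"]:
            print(f"  NEW      {ip} {proto}/{port}")
        for ip, proto, port in findings["missing"]:
            print(f"  MISSING  {ip} {proto}/{port}")
```

Anything open but not in the baseline is either a service to shut down or one whose business need still has to be validated; either way it goes to the host's owner, and the baseline is only extended once that owner confirms the need. Baseline entries missing from the scan deserve a look too: a firewall change, a dead service, or a scan that did not complete all read the same from the scanner's side.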

Page 18

Visualization Phase

”Visualization gives you answers to questions you didn’t know you had.” Ben Shneiderman

Page 19

Interaction Phase

Ø Data

Ø Dashboards

Page 20

Iteration

Redefined Question:

Ø What are the externally reachable services that use a vulnerable OpenSSL library?

Page 21

Data Preparation Phase

Ø Data Sources
§ Port Scanner
§ Scan: SSL Cipher-Suites
§ Common Vulnerabilities and Exposures (CVE)
§ Installed software on each system
§ Organizational
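The join across these data sources that answers the redefined question from page 20, as an added example that is not the talk's or LRZ's code: a port is reported only if it is reachable from outside, the SSL scan confirms it actually speaks TLS, the installed-software inventory puts the host's OpenSSL in a CVE's affected range, and the distribution has not backported the fix. The hosts, ports, package versions and ownership are constructed; the one CVE used is real (CVE-2014-0160, Heartbleed, the subject of the xkcd strip the last slide adapts) with its real affected range, OpenSSL 1.0.1 up to and including 1.0.1f, while the 1.0.2-beta line is left out.

```python
import re

# Port scanner, external vantage point: open ports reachable from outside (constructed).
EXTERNAL_SCAN = [
    ("192.0.2.10", "tcp", 443),
    ("192.0.2.10", "tcp", 22),
    ("192.0.2.20", "tcp", 8443),
    ("192.0.2.30", "tcp", 443),
]
# SSL cipher-suite scan: (ip, port) pairs that completed a TLS handshake (constructed).
TLS_ENDPOINTS = {("192.0.2.10", 443), ("192.0.2.20", 8443), ("192.0.2.30", 443)}
# Installed-software inventory (constructed): upstream OpenSSL version per host.
# "backport_fixed" lists CVEs the distribution fixed without bumping the version string.
INSTALLED = {
    "192.0.2.10": {"openssl": "1.0.1e", "backport_fixed": []},
    "192.0.2.20": {"openssl": "1.0.1g", "backport_fixed": []},
    "192.0.2.30": {"openssl": "1.0.1e", "backport_fixed": ["CVE-2014-0160"]},
}
# CVE feed: Heartbleed affects OpenSSL 1.0.1 through 1.0.1f inclusive; 1.0.1g is fixed.
CVES = {
    "CVE-2014-0160": {"component": "openssl", "first": "1.0.1", "last": "1.0.1f"},
}
# Organizational source (CMDB/LDAP, constructed): owner per host.
OWNERS = {"192.0.2.10": "web-team", "192.0.2.20": "storage-team", "192.0.2.30": "db-team"}


def version_key(version):
    """Sort key for pre-1.1.0 OpenSSL versions: '1.0.1e' -> (1, 0, 1, 5), '1.0.1' -> (1, 0, 1, 0).
    The trailing letter is a patch level, so 1.0.1 < 1.0.1a < ... < 1.0.1f < 1.0.1g."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version {version!r}")
    major, minor, fix, letter = m.groups()
    patch = (ord(letter) - ord("a") + 1) if letter else 0
    return (int(major), int(minor), int(fix), patch)


def affected(version, cve):
    """True if the version lies in the CVE's inclusive affected range."""
    return version_key(cve["first"]) <= version_key(version) <= version_key(cve["last"])


def vulnerable_external_tls(scan=EXTERNAL_SCAN, tls=TLS_ENDPOINTS, installed=INSTALLED,
                            cves=CVES, owners=OWNERS):
    """Join the four technical sources and attach the owner from the organizational one,
    so the resulting list can be split per stakeholder."""
    findings = []
    for ip, proto, port in scan:
        if proto != "tcp" or (ip, port) not in tls or ip not in installed:
            continue
        inventory = installed[ip]
        for cve_id, cve in cves.items():
            component = cve["component"]
            if component not in inventory or cve_id in inventory["backport_fixed"]:
                continue
            if affected(inventory[component], cve):
                findings.append({"owner": owners.get(ip, "security-team"), "ip": ip,
                                 "port": port, "cve": cve_id, "version": inventory[component]})
    return findings


if __name__ == "__main__":
    for f in vulnerable_external_tls():
        print(f"{f['owner']}: {f['ip']}:{f['port']} openssl {f['version']} affected by {f['cve']}")
```

Two caveats a practitioner will hit with this join. Distributions such as Debian and Ubuntu backport security fixes while keeping the upstream version string, so a pure version-range match over-reports; the backport information has to come from the distribution's security tracker or from an active test of the service, which is what the `backport_fixed` field stands in for. And the inventory only knows the system library: a daemon that ships its own statically linked OpenSSL is invisible here, so a handshake-level test against the open port remains the final check.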

Page 22

Visualization + Interaction Phase

Ø Data

Ø Dashboards

Ø Reports

Page 23

Conclusion Process Iterations

Various iterations
Ø Vulnerabilities
Ø Unneeded open ports
§ Printer (9100)
§ NTP (123)
Ø Stakeholders
Ø Controls
§ Authorized devices
§ Updates and patching

Improvement
Ø Settings corrected
Ø …
Ø Awareness

Page 24

Further Iterations

Ø Updates

Ø Vulnerabilities

Ø Transferable to further
§ Vulnerabilities
§ Security controls
§ Security approaches

Page 25

Conclusion

Ø Initiates
§ Communication among stakeholders
§ Revision of security settings
§ Security and data awareness

Ø Supports
§ Implementation of compliance requirements
§ Organizational knowledge generation and transfer
§ Overview of existing systems and security state

Ø Knowledge IT management + IT operations

Page 26

Thank you for your attention

Source adapted from https://xkcd.com/1354/

