Vulnerability management - Security Forum 2018 (transcript of the slide deck)
Vulnerability management
Hagenberg, April 2014
What is Vulnerability Management?
Definition
Vulnerability:
• Security flaw
• Threat to the IT infrastructure
Patch:
• Piece of code developed to address problems
• Addresses features or security flaws
Vulnerability Management:
• Security practice to proactively prevent the exploitation of IT vulnerabilities
• The expected result is to reduce the time and money spent dealing with vulnerabilities and with the exploitation of those vulnerabilities
Köck, Krumböck / Vulnerability Management, April 2014
Vulnerability Management Process (after NIST SP 800-40 Release 2: Creating a Patch and Vulnerability Management Program)
Vulnerability Management Process
1. Create IT infrastructure inventory
2. Monitor for vulnerabilities
3. Prioritize vulnerabilities & mitigation
4. Create vulnerability database
5. Test remediations
6. Deploy vulnerability remediation
7. Inform administrators
8. Deploy patches
9. Verify successful deployment
10. Train administrators
Vulnerability Management Process
1. Create IT infrastructure inventory
• Reuse existing inventories, e.g. the Configuration Management Database (CMDB)
• Record hardware equipment, software applications, owner, system administrator and the relations between them
• Prioritise assets
• Update the inventory regularly as part of the configuration management process
• Information retrieval should be automated as much as possible
Vulnerability Management Process
2. Monitor for vulnerabilities
• Monitor a variety of sources
• Concentrate on the software mainly used in the company
• Monitor for vulnerabilities, remediations and threats
• Vendors are the authoritative source of information for patches
• Vendors often won't release information about a vulnerability until a patch is available
• Use vendor and third-party security mailing lists
Vulnerability Management Process
3. Prioritize vulnerabilities & mitigation
• Consider the impact of each threat for the organisation
  • Which systems are exposed?
  • What is the impact on these systems?
• Availability of malicious code (worms, exploits)
  • Patches are often reverse engineered quickly
• Determine the risk involved with applying the patch and other countermeasures
• Establish what degree of risk is acceptable
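The ranking the slide describes, written out as an added example that is not part of the original deck: each finding is scored from the asset's exposure and impact and from whether malicious code is available, the score is compared against an acceptable-risk threshold, and the mitigation is chosen with the risk of the countermeasure itself in mind. The assets, findings and vulnerability ids are constructed sample data (the ids are placeholders, not CVEs), and the weights and threshold are assumptions chosen for illustration, not values from NIST SP 800-40.

```python
"""Step 3, prioritizing findings: an added example (not from the slides).

Assets and findings below are constructed sample data; the vulnerability ids
are placeholders, not real CVEs. The weights and the acceptable-risk threshold
are assumptions chosen for illustration, not values from NIST SP 800-40.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    externally_exposed: bool   # "which systems are exposed?"
    impact: int                # "what is the impact on these systems?" 1 (low) .. 3 (high)


@dataclass(frozen=True)
class Finding:
    vuln_id: str               # constructed placeholder id
    asset: Asset
    exploit_public: bool       # availability of malicious code (worms, exploits)
    patch_available: bool
    patch_risk: int            # risk of applying the patch itself: 1 (low) .. 3 (high)


# Assumed weights: exposed systems and public exploit code raise the threat.
EXPOSURE_WEIGHT = {True: 3, False: 1}
EXPLOIT_WEIGHT = {True: 2, False: 1}
# Assumed threshold: "establish what degree of risk is acceptable".
ACCEPTABLE_RISK = 6


def threat_score(finding: Finding) -> int:
    """Threat to the organisation = exposure x impact x malicious-code availability."""
    return (EXPOSURE_WEIGHT[finding.asset.externally_exposed]
            * finding.asset.impact
            * EXPLOIT_WEIGHT[finding.exploit_public])


def choose_mitigation(finding: Finding) -> str:
    """Weigh the threat against the risk of the countermeasure itself."""
    if threat_score(finding) <= ACCEPTABLE_RISK:
        return "accept"            # within the acceptable degree of risk, track only
    if not finding.patch_available:
        return "workaround"        # e.g. configuration adjustment until a patch exists
    if finding.patch_risk >= 3:
        return "patch-after-extended-testing"  # applying the patch is itself risky
    return "patch"


def prioritize(findings):
    """Rank findings by threat, highest first; ties broken by vulnerability id."""
    ranked = sorted(findings, key=lambda f: (-threat_score(f), f.vuln_id))
    return [(f.vuln_id, threat_score(f), choose_mitigation(f)) for f in ranked]


# Constructed sample inventory and findings.
WEB01 = Asset("web01", externally_exposed=True, impact=3)
DB01 = Asset("db01", externally_exposed=False, impact=3)
VPN01 = Asset("vpn01", externally_exposed=True, impact=2)
WS17 = Asset("ws17", externally_exposed=False, impact=1)

SAMPLE_FINDINGS = [
    Finding("VULN-0001", WEB01, exploit_public=True, patch_available=True, patch_risk=1),
    Finding("VULN-0002", DB01, exploit_public=False, patch_available=True, patch_risk=3),
    Finding("VULN-0003", VPN01, exploit_public=True, patch_available=False, patch_risk=1),
    Finding("VULN-0004", WS17, exploit_public=True, patch_available=True, patch_risk=1),
]

if __name__ == "__main__":
    for vuln_id, score, action in prioritize(SAMPLE_FINDINGS):
        print(f"{vuln_id}  score={score:2d}  action={action}")
```

With the sample data the externally exposed web server with public exploit code ranks first and gets patched, the exposed VPN gateway without a vendor patch gets a workaround, and the internal findings fall under the acceptable-risk threshold and are only tracked. The weights are the part an organisation has to calibrate for itself; the structure (threat on one side, countermeasure risk on the other) is what the slide asks for.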
Vulnerability Management Process
4. Create vulnerability database
• Create a database of the remediations that need to be applied within the organization
  • Usually provided by enterprise patch management tools
  • Contains the patches to install and workarounds for vulnerabilities
• Save patches locally
  • Reduces internet traffic, and works when internet access is not available
  • Older patches are often difficult to obtain later
  • Saves work time
Vulnerability Management Process
5. Test remediations
• Create a testing infrastructure for the standard configurations
  • Reduces redundant testing
• Software not monitored by the vulnerability management process must be tested by the administrators
• Carefully read the patch notes from the vendor
• Precautions
  • Check the patch against the authenticity methods provided by the vendor (PGP signatures etc.)
  • Virus scan
  • Test on non-production systems
  • Check for patch dependencies
• Document problems
Vulnerability Management Process
6. Deploy vulnerability remediation
• Security patch installation: repairs the vulnerability
• Configuration adjustment: reduces the threat or blocks attack vectors
  • Modifying rights
  • Disabling services
• Software removal
  • Software might no longer be needed
  • Removing the software also prevents future vulnerabilities in it
Vulnerability Management Process
7. Inform administrators
• Often different teams are involved in the vulnerability management process
• Create mailing lists for each team
• Give them access to resources such as the vulnerability database
Vulnerability Management Process
8. Deploy patches
• Use the same process as for other configuration changes
  • Testing systems, then quality systems, then production systems
• Organize maintenance windows
• Central database for feedback (problems and solutions)
• Document the patch installation in the configuration management database
Vulnerability Management Process
9. Verify successful deployment
• Use vulnerability scanners to verify that systems are patched
  • Credentialed checks gain a lot of information
  • Not possible for all vendors
  • Not completely accurate; software without an installation routine is often a problem
• Review patch logs
  • Check whether the patch was installed successfully
  • Compare logs between equal systems
• Perform penetration tests
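The two log-based checks on this slide, checking each host against the remediation database from step 4 and comparing equal systems with each other, as an added example that is not part of the original deck. The log lines, their format, the patch ids and the required-patch table are all constructed for the example, not a real patch tool's output.

```python
"""Step 9, verifying deployment from patch logs: an added example (not from the slides).

The log lines and the required-patch table are constructed sample data; the
log format and patch ids are assumptions, not a real vendor's output.
"""
import re

# Constructed log lines as an enterprise patch tool might record them (assumed format).
PATCH_LOG = """\
2014-04-10 02:13:05 host=web01 role=web patch=PATCH-101 status=success
2014-04-10 02:13:41 host=web01 role=web patch=PATCH-102 status=success
2014-04-10 02:15:09 host=web02 role=web patch=PATCH-101 status=success
2014-04-10 02:15:50 host=web02 role=web patch=PATCH-102 status=failed reason=reboot-pending
2014-04-10 03:01:12 host=db01 role=db patch=PATCH-201 status=success
"""

# Constructed "vulnerability database" (step 4): patches required per standard configuration.
REQUIRED = {
    "web": {"PATCH-101", "PATCH-102"},
    "db": {"PATCH-201", "PATCH-202"},
}

LINE_RE = re.compile(
    r"host=(?P<host>\S+)\s+role=(?P<role>\S+)\s+patch=(?P<patch>\S+)\s+status=(?P<status>\S+)"
)


def parse_log(text):
    """Return (installed patches per host, role per host); only successful installs count."""
    installed = {}
    roles = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                                 # not a patch record, skip it
        roles[m["host"]] = m["role"]
        installed.setdefault(m["host"], set())       # register the host even if all installs failed
        if m["status"] == "success":
            installed[m["host"]].add(m["patch"])
    return installed, roles


def missing_required(installed, roles):
    """Check whether every patch from the remediation database was installed successfully."""
    return {host: sorted(REQUIRED[role] - installed[host]) for host, role in roles.items()}


def peer_differences(installed, roles):
    """Compare logs between equal systems: patches on some hosts of a role but not on all."""
    hosts_by_role = {}
    for host, role in roles.items():
        hosts_by_role.setdefault(role, []).append(host)
    diffs = {}
    for hosts in hosts_by_role.values():
        if len(hosts) < 2:
            continue                                 # nothing to compare against
        union = set().union(*(installed[h] for h in hosts))
        for h in hosts:
            gap = sorted(union - installed[h])
            if gap:
                diffs[h] = gap
    return diffs


def verify(text=PATCH_LOG):
    """Run both checks over a log and return the findings."""
    installed, roles = parse_log(text)
    return {"missing": missing_required(installed, roles),
            "peer_gaps": peer_differences(installed, roles)}


if __name__ == "__main__":
    report = verify()
    for host, gaps in report["missing"].items():
        print(f"{host}: missing {gaps or 'nothing'}")
    print("differs from peers:", report["peer_gaps"])
```

The two checks find different things: the comparison against the required set catches a patch that was never attempted anywhere (PATCH-202 on the database host), while the peer comparison catches a host that fell behind its equals (web02, where the install failed on a pending reboot). A failed line is deliberately not counted as installed, which is the point of reviewing the logs rather than trusting the deployment job's summary.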
Vulnerability Management Process
10. Train administrators
• There are many specialists within the organization: use their knowledge
• Less used configurations should be monitored by the administrators themselves
• Administrators need to know how to identify new patches and vulnerabilities
• Second line of defense
Challenges & Best Practice
Challenges
• Keep the time that systems are vulnerable as short as possible
  • Install patches immediately?
  • Limited resources? Testing?
• The quality of vendor patches has increased
  • Patch bundles (Oracle), Patch Day (Microsoft)
• Prioritising: externally exposed systems
• Testing: automation?
• Non-standard systems
Best Practices 1
• Use automated patch management tools
  • Expedite the distribution of patches to systems
  • Assess and mitigate the risks associated with deploying enterprise patch management tools (weapon of mass destruction?)
• Use standardized configurations for IT resources
  • Less testing effort
• Predefine maintenance windows for patching
• Emergency procedures
  • Define authorities
  • Gain publicity
Best Practices 2
• Consistently measure the effectiveness of the vulnerability management process
  • Define KPIs:
    • Number of identified vulnerabilities
    • Number of failed patches
    • Mean time to install patches
    • Mean time to remediate a vulnerability
• Automate tasks
  • Schedule vulnerability scans
• Consider smart purchasing
• Remove unnecessary software!
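The four KPIs from the slide computed over a small set of tracking records, as an added example that is not part of the original deck. The records and their field names are constructed, and the exact definitions (mean time to install measured from vendor release to successful install, mean time to remediate from discovery to either patch or workaround) are assumptions made for illustration; the slide itself does not fix them.

```python
"""KPIs for the vulnerability management process: an added example (not from the slides).

The records are constructed sample data; field names and the exact KPI
definitions (which dates are subtracted) are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Record:
    vuln_id: str                      # constructed placeholder id, not a CVE
    discovered: date                  # vulnerability identified (step 2)
    patch_released: Optional[date]    # None if the vendor has not released a patch
    remediated: Optional[date]        # None while the finding is still open
    remediation: Optional[str]        # "patch", "workaround" or None
    failed_installs: int              # patch runs that did not complete successfully


def process_kpis(records):
    """Return the four KPIs from the slide plus the number of still-open findings."""
    patched = [r for r in records
               if r.remediation == "patch" and r.remediated and r.patch_released]
    closed = [r for r in records if r.remediated]

    def mean_days(pairs):
        days = [(end - start).days for start, end in pairs]
        return sum(days) / len(days) if days else None   # None: nothing to average yet

    return {
        "identified": len(records),
        "failed_patches": sum(r.failed_installs for r in records),
        # assumed definition: vendor release -> successful install
        "mean_time_to_install_days": mean_days((r.patch_released, r.remediated) for r in patched),
        # assumed definition: discovery -> any remediation, patch or workaround
        "mean_time_to_remediate_days": mean_days((r.discovered, r.remediated) for r in closed),
        "open": len(records) - len(closed),
    }


# Constructed sample records for one reporting period.
SAMPLE_RECORDS = [
    Record("VULN-0001", date(2014, 3, 1), date(2014, 3, 3), date(2014, 3, 6), "patch", 0),
    Record("VULN-0002", date(2014, 3, 2), date(2014, 3, 2), date(2014, 3, 12), "patch", 1),
    Record("VULN-0003", date(2014, 3, 5), date(2014, 3, 10), None, None, 1),
    Record("VULN-0004", date(2014, 3, 8), None, date(2014, 3, 9), "workaround", 0),
]

if __name__ == "__main__":
    for name, value in process_kpis(SAMPLE_RECORDS).items():
        print(f"{name}: {value}")
```

Two details matter when these numbers are reported: a finding that is still open must not silently drop out of the remediation average (here it is counted separately as `open`), and a workaround counts towards time to remediate but not towards time to install, otherwise the install KPI rewards teams for choosing workarounds over patches.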
Information Sources
• Vulnerability databases
  • Common Vulnerabilities and Exposures (CVE)
  • The Open Source Vulnerability Database (OSVDB)
  • CERT Advisories
• Mailing lists
  • Full Disclosure
• Vendor information
  • Microsoft Security Bulletins
  • Red Hat Network
• Tool support
Tools
• Vulnerability scanners
  • Nessus
  • Qualys
  • OpenVAS
  • GFI LANguard
• System hardening
  • Microsoft Baseline Security Analyzer
  • OSSEC
• Update services
  • Windows Server Update Services
  • Red Hat Network Satellite Server / Spacewalk
• Security Incident & Event Management
  • AlienVault / OSSIM
Our own internal scanning tool
• Integration into the patch management process
• Agentless scanning
• Double checked
  • Missing patches with Nessus
  • Installed patches with the inventory tool
• Coupled with password management
• Automated reporting to operational teams
• Compliance scans
  • ISO 27000
  • ISAE 3402
  • PCI-DSS
  • ...
Contact
Herwig Köck
Security Specialist, T-Systems Austria GesmbH
Rennweg 97-99
1030 Wien
Phone: +43 (0) 57057 8617
Fax: +43 (0) 57057 958617
Mobile: +43 (0) 676 8642 8617
E-Mail: [email protected]

Martin Krumböck
Security Specialist, T-Systems Austria GesmbH
Rennweg 97-99
1030 Wien
Phone: +43 (0) 57057 8689
Fax: +43 (0) 57057 958689
Mobile: +43 (0) 676 8642 8689
E-Mail: [email protected]
THANK YOU!