Vulnerability management - Security Forum 2018 · What is Vulnerability Management? ... Use...

Vulnerability management Hagenberg, April 2014


What is Vulnerability Management?

Definition

Vulnerability

• Security flaw

• Threat to the IT infrastructure

Patch

• Piece of code developed to address problems

• Addresses features or security flaws

Security practice to proactively prevent the exploitation of IT vulnerabilities

The expected result is to reduce the time and money spent dealing with vulnerabilities and exploitation of those vulnerabilities

Köck, Krumböck / Vulnerability Management, April 2014

Vulnerability Management Process

NIST 800-40 Release 2: Creating a Patch and Vulnerability Management Program

1. Create IT infrastructure inventory

2. Monitor for vulnerabilities

3. Prioritize vulnerabilities & mitigation

4. Create vulnerability database

5. Test remediations

6. Deploy vulnerability remediation

7. Inform administrators

8. Deploy patches

9. Verify successful deployment

10. Train administrators

Step 1: Create IT infrastructure inventory

• Reuse existing inventories

• Configuration Management Database (CMDB): hardware equipment, software applications, owner, system administrator, relations

• Prioritise assets

• Update regularly as part of the configuration management process

• Information retrieval should be automated as much as possible

Step 2: Monitor vulnerabilities

• Monitor a variety of sources

• Concentrate on software mainly used in the company

• Monitor for vulnerabilities, remediations and threats

• Vendors are the authoritative source of information for patches

• Often won't release information for vulnerabilities until a patch is available

• Use vendor and third-party security mailing lists

Step 3: Prioritize vulnerabilities & mitigation

• Consider impact for organisation for each threat

• Which systems are exposed

• What is the impact on these systems

• Availability of malicious code: worms, exploits

• Patches are often reverse engineered quickly

• Determine risk involved with applying the patch and other countermeasures

• Establish what degree of risk is acceptable

Step 4: Create vulnerability database

• Create a database of remediations that need to be applied within the organization

• Usually provided by enterprise patch management tools

• Patches to install and workarounds for vulnerabilities

• Save patches locally

• Reduce internet traffic or internet is not available

• Difficult to get older patches

• Save work time

Step 5: Test remediations

• Create testing infrastructure for standard configurations

• Reduce redundant testing

• Software not monitored by the vulnerability management must be tested by administrators

• Carefully read patch notes from vendor

• Precautions

• Check patch against authenticity methods provided by the vendor (PGP etc.)

• Virus scan

• Test on non-production systems

• Check for patch dependencies

• Document problems

Step 6: Deploy vulnerability remediation

• Security patch installation

• Repairs the vulnerability

• Configuration adjustment

• Reduce the threat or block attack vectors

• Modifying rights

• Disable services

• Software removal

• Software might no longer be needed

• Removing the software also prevents future vulnerabilities

Step 7: Inform administrators

• Often different teams are involved in the vulnerability management process

• Create mailing lists for each team

• Give them access to resources

• Vulnerability database

Step 8: Deploy patches

• Use the same process as for other configuration changes

• Testing systems

• Quality systems

• Production systems

• Organize maintenance windows

• Central database for feedback

• Problems and solutions

• Document patch installation in configuration management database

Step 9: Verify successful deployment

• Use vulnerability scanners to verify that systems are patched

• Checks with credentials gain a lot of information

• Not possible for all vendors

• Not completely accurate

• Software without installation routine is often a problem

• Review patch logs

• Check if patch was installed successfully

• Compare logs between equal systems

• Perform penetration tests

Step 10: Train administrators

• Many specialists within the organization

• Use their knowledge

• Less used configurations should be monitored by the administrators themselves

• Administrators need to know how to identify new patches and vulnerabilities

• Second line of defense

Challenges & Best Practice

Challenges

• Keep time that systems are vulnerable as short as possible

• Install patches immediately?

• Limited resources?

• Testing?

• Quality of vendor patches increased

• Patch Bundle (Oracle)

• Patch Day (Microsoft)

• Prioritising

• Externally exposed systems

• Testing

• Automation?

• Non-standard systems

Best Practices 1

Use automated patch management tools

Expedite the distribution of patches to systems

Assess and mitigate the risks associated with deploying enterprise patch management tools

Weapon of mass destruction?

Use standardized configurations for IT resources

Less testing effort

Predefine maintenance windows for patching

Emergency procedures

Define authorities

Gain publicity

Best Practices 2

Consistently measure the effectiveness of the vulnerability management process

Define KPIs

Number of identified vulnerabilities

Number of failed patches

Mean time to install patches

Mean time to remediate a vulnerability

Automate tasks

Schedule vulnerability scans

Consider smart purchasing

Remove unnecessary software!
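The KPIs listed on this slide, computed from finding and patch-job records. This is an added example, not part of the original slides; the record layout, host names and IDs are constructed assumptions.

```python
from datetime import date
from statistics import mean

# Constructed sample records; field names, hosts and IDs are assumptions.
FINDINGS = [  # one row per vulnerability finding on one host
    {"host": "web01", "vuln": "VULN-A", "detected": date(2014, 4, 1), "remediated": date(2014, 4, 4)},
    {"host": "web02", "vuln": "VULN-A", "detected": date(2014, 4, 1), "remediated": date(2014, 4, 10)},
    {"host": "db01", "vuln": "VULN-B", "detected": date(2014, 4, 3), "remediated": None},  # still open
]
PATCH_JOBS = [  # one row per patch installation attempt
    {"host": "web01", "patch": "PATCH-1", "released": date(2014, 4, 2), "attempted": date(2014, 4, 4), "ok": True},
    {"host": "web02", "patch": "PATCH-1", "released": date(2014, 4, 2), "attempted": date(2014, 4, 5), "ok": False},
    {"host": "web02", "patch": "PATCH-1", "released": date(2014, 4, 2), "attempted": date(2014, 4, 10), "ok": True},
]


def mean_days(pairs):
    """Mean number of days between (start, end) date pairs, or None if empty."""
    days = [(end - start).days for start, end in pairs]
    return mean(days) if days else None


def kpis(findings, patch_jobs, as_of):
    closed = [f for f in findings if f["remediated"] is not None]
    still_open = [f for f in findings if f["remediated"] is None]
    installed = [j for j in patch_jobs if j["ok"]]
    return {
        "identified_vulnerabilities": len(findings),
        "failed_patches": sum(1 for j in patch_jobs if not j["ok"]),
        # Only successful installs count; a failed attempt delays the install.
        "mean_days_to_install": mean_days((j["released"], j["attempted"]) for j in installed),
        "mean_days_to_remediate": mean_days((f["detected"], f["remediated"]) for f in closed),
        # Open findings are excluded from the mean above, so report their age
        # separately; otherwise unpatched systems would make the KPI look better.
        "open_vulnerabilities": len(still_open),
        "mean_open_age_days": mean_days((f["detected"], as_of) for f in still_open),
    }


REPORT = kpis(FINDINGS, PATCH_JOBS, as_of=date(2014, 4, 30))
```

Reporting the age of open findings next to the mean time to remediate keeps long-unpatched systems visible in the metric.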

Information Source

• Vulnerability databases

• Common Vulnerabilities and Exposures (CVE)

• The Open Source Vulnerability Database (OSVDB)

• CERT Advisories

• Mailing Lists

• Full Disclosure

• Vendor Information

• Microsoft Security Bulletins

• RedHat Network

• Tool Support

Tools

Vulnerability scanner

Nessus

Qualys

OpenVAS

GFI LANGuard

System hardening

Microsoft Security Base Line Analyzer

OSSEC

Update Services

Windows Server Update Services

RedHat Network Satellite Server / Spacewalk

Security Incident & Event Management

AlienVault / OSSIM

Our own internal scanning tool

Integration into the patch management process

Agentless scanning

Double checked

Missing patches with Nessus

Installed patches with inventory tool

Coupled with password management

Automated reporting to operational teams

Compliance Scans

ISO 27000

ISAE 3402

PCI-DSS

...
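The "double checked" approach on this slide, and the earlier point that scanner results are not completely accurate, can be sketched as a reconciliation of two sources. This is an added example, not the authors' tool; the data layout, host names and patch IDs are constructed assumptions.

```python
# Constructed sample data; host names and patch IDs are placeholders.
REQUIRED = {"PATCH-101", "PATCH-207"}
SCANNER_MISSING = {  # host -> patches the vulnerability scanner reports as missing
    "web01": {"PATCH-101"},
    "web02": set(),
    "db01": {"PATCH-101", "PATCH-207"},
}
INVENTORY_INSTALLED = {  # host -> patches the inventory tool lists as installed
    "web01": {"PATCH-101", "PATCH-207"},
    "web02": {"PATCH-101", "PATCH-207"},
    "app01": {"PATCH-101"},
}


def classify(patch, missing, installed):
    """Combine both sources for one patch; None means the source has no data."""
    if missing is None or installed is None:
        return "unverified"          # only one source covers this host
    scanner_ok = patch not in missing
    inventory_ok = patch in installed
    if scanner_ok and inventory_ok:
        return "installed"
    if not scanner_ok and not inventory_ok:
        return "missing"
    return "conflict"                # sources disagree: review patch logs


def reconcile(required, scanner_missing, inventory_installed):
    hosts = sorted(set(scanner_missing) | set(inventory_installed))
    return {
        host: {
            patch: classify(patch, scanner_missing.get(host), inventory_installed.get(host))
            for patch in sorted(required)
        }
        for host in hosts
    }


def needs_follow_up(report):
    """Hosts where at least one required patch is not confirmed by both sources."""
    return [h for h, patches in report.items() if set(patches.values()) != {"installed"}]


REPORT = reconcile(REQUIRED, SCANNER_MISSING, INVENTORY_INSTALLED)
```

A "conflict" result is the case to hand to the operational team, since it points at either a failed installation or a scanner inaccuracy.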

Contact

Herwig Köck

Security Specialist

T-Systems Austria GesmbH

Rennweg 97-99

1030 Wien

Phone: +43 (0) 57057 8617

Fax: +43 (0) 57057 958617

Mobile: +43 (0) 676 8642 8617

E-Mail: [email protected]

Martin Krumböck

Security Specialist

T-Systems Austria GesmbH

Rennweg 97-99

1030 Wien

Phone: +43 (0) 57057 8689

Fax: +43 (0) 57057 958689

Mobile: +43 (0) 676 8642 8689

E-Mail: [email protected]


THANK YOU!