Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Program

© Copyright Defensive Intuition, LLC 2004-2015

Paul Asadoorian
Day: Product Strategist, Tenable Network Security
Nights & Weekends: Founder & CEO, Security Weekly


About Paul

Agenda

• Some slides with random pictures from the Internet

• Paul talks about vulnerability management over said slides

• Folks may have questions or challenge my thoughts/ideas (please do)

• More random Internet pictures

• Paul ranting a bit more while laughing at ridiculous pictures

• These are the only bullets in this presentation…

• End with tips on how to be successful


Vulnerability Management…


You have all the right tools…

A Robot, Ninja & Pirate Get Into a Fight, Who Wins?


We have arguments like this all the time.


Sometimes they center around vulnerability management…

Why Do We Need Vulnerability Management?


You / The Internet

Don’t Be Blind…

You can’t fix what you don’t know is broken…


Meet The Robots, Ninjas and Pirates in the Security Dept.


The Robot

Without a care in the world…


“Going to scan the network!”

The Robot

Cares even less how long the report will be…


File -> Print…Reporting!!!!

The Robot

What your network looks like after the scan…


The Robot

What the sysadmins, network admins, developers, help desk and operations are saying about you…


Robots reporting to management


“The chances of cross-site scripting being exploited are 725 to 1. It’s quite possible the buffer overflow attacks aren’t quite stable. The odds of successfully surviving an attack on the Apache web server are… [Shut up 3PO!]. They’ve encased the web server in a WAF, it should be quite well protected, unless there is a bypass. I noticed the IPS pre-processor rules are damaged, it’s impossible to block attacks.”

Moral of the story…


The Ninjas


Wrote an Nmap script to patch everything and disable TELNET.

The Report


The Network

Problems can be mysterious…


Sysadmins be like…



Ninjas be like…


Pirates

To find the booty…


I’m gonna scan your network.

Hard.

During the scan…


The Report



Pirate in meeting after report has been distributed


Patch your shit! Aaaaaaaaaarrgh!!

Pirates Lack Social Skillz

Sysadmins: Fear them…


Meet the Robots, Ninja and Pirate Attackers


Perception Of Scanning

Even a broken clock is right twice a day


“Your slave?”

“You wish! You’ll do shitwork, scan, crack copyrights…”

Attackers, like robots, automate…

Attacks above are common, but less severe (typically)


Or APT, or Cyber<something>


Ninjas


Cyber Pirate Attackers

Pirates will steal bandwidth, often very loud.


Now We Understand Some Of The Dynamics

What we learned up to this point:

Vulnerability Management is HARD, attackers will not let up.


Shortcuts Are Trouble

“We’ll just scan once per quarter”

“We can just use the default scan policy”

“We can just scan parts of the network”


“We don’t care about finding all the vulnerabilities. Just show me the important ones. I can’t fix everything, so don’t bother showing me everything.”

5 Reasons Why This Will End Badly


#1 What you don’t know will probably be the thing that hurts you


#2 Ask any evil bad guy or penetration tester and they will tell you “we string together seemingly low severity vulnerabilities to achieve a goal”


Example: Chris Gates from Low to Pwned (2012) https://www.youtube.com/watch?v=u68QvWXYW_Q

#3 External conditions change, so not patching a vulnerability because there is no public exploit today doesn’t mean there will not be an exploit in the future (or that someone has one already)


#4 Internal conditions change. Not discovering vulnerabilities in XYZ software because you don’t use XYZ software is dangerous.

Someone could be installing XYZ software as we speak.


For Example…


#5 Vulnerability management is a historical reference.

You may not care which USB devices were plugged into your systems today, but when malware spreads via USB devices tomorrow…


Malware Here?


“Just send them the raw results”


“Just patch CVSS > 8.0”

Goals & Results Matter…

Results Matter, Don’t Be Lazy

No one reads raw results


Can You Make That 8 a 7?

CVSS is subjective
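To make the point concrete, here is a small Python example (added here, not from the deck) that runs the “Just patch CVSS > 8.0” shortcut next to a ranking that also accounts for exploit availability, exposure and stacked low-severity findings on one host. The findings, hostnames and weights are constructed for the illustration and are not a scoring standard.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss: float            # base score as reported by the scanner
    exploit_public: bool   # external condition that can change after the scan (#3)
    internet_facing: bool  # where the asset sits

# Constructed sample scan results (hostnames and titles are invented).
FINDINGS = [
    Finding("web01", "Web server remote code execution", 9.8, False, True),
    Finding("web01", "Directory listing enabled", 5.3, True, True),
    Finding("web01", "Backup file exposed", 5.0, True, True),
    Finding("db02", "Default credentials", 7.5, True, False),
    Finding("lab03", "SMBv1 enabled", 4.3, True, False),
]

def cvss_threshold(findings, threshold=8.0):
    """The shortcut from the slide: look only at findings scored above a cut-off."""
    return [f for f in findings if f.cvss > threshold]

def prioritize(findings):
    """Rank findings by CVSS adjusted for exploit availability and exposure.
    The weights are assumptions for this example; the point is that the
    ranking moves with conditions the base score alone does not capture."""
    ranked = []
    for f in findings:
        score = f.cvss
        if f.exploit_public:
            score += 2.0   # a working exploit exists today
        if f.internet_facing:
            score += 1.5   # reachable by anyone, not just insiders
        ranked.append((f.host, f.title, round(min(score, 10.0), 1)))
    return sorted(ranked, key=lambda r: (-r[2], r[0], r[1]))

def chained_hosts(findings, min_exploitable=2):
    """Hosts carrying several individually 'low' but exploitable findings:
    the kind that get strung together to reach a goal (#2)."""
    per_host = defaultdict(int)
    for f in findings:
        if f.exploit_public:
            per_host[f.host] += 1
    return {h for h, n in per_host.items() if n >= min_exploitable}
```

With the sample data the threshold view keeps only the 9.8 finding and drops the default credentials on db02, while the adjusted ranking puts db02 second and flags web01 for its stack of exploitable lows.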


Vulnerability Management

Goals


Goal: Prevention – prevent bad things with the resources you have


Stop waiting around for the perfect solution!

Goal: Detection

Know where you are vulnerable and monitor

Goal: React – define priorities and enable people to take action

Vulnerability management is a repeatable process.


Goal: Do it yourself.

Vulnerability scanning is not what a pen tester should do for you. Tools have matured to allow for continuous scanning.


Goal: Evaluate tools – define the evaluation criteria

Virtualization, Cloud, Mobile, Patch Management, Agents, Web Apps.

Goal: Checks and Balances – how are my other defenses working, or not?

Anti-Virus, Firewalls, Compliance/System Hardening Programs


Goal: Metrics: Don’t Give Up On Them


Searches for “dating tips”

Searches for “fleshlight”

What does management want to see?

Goal: Threat Modeling


Goal: Don’t just find a standard or copy what may work for others

Be a LEADER and set your own standards.


Goal: Get people to understand and change their behavior

Become a remarkable IT Security Leader

Some Fun Facts

Podcasts/Blogs/Videos: http://securityweekly.com Contact Me: [email protected]


http://securityweekly.com/attend

Security Weekly & Tenable are always hiring.

You can come to our studio on Thursday nights and watch the show live.

I post all my slides to http://slideshare.net/securityweekly

Larry really does have a tattoo in “that place”.

Jack is really old.

Also, Ninja is the winner.