Tiptoe Through The Network: Practical Vulnerability Assessments in Control Systems Environments,...

Post on 08-Jun-2015


I will never forget my assignment for a vulnerability assessment against a control systems network. “Hey, can you go somewhere, run “scans” against this system, and oh by the way don’t crash it or a large portion of the USA could lose power”. Needless to say, I turned down that assignment, as they required that a traditional network-based “scan” be run. There has to be a better way to perform assessments in such environments! Fast forward 10 years later and I’ve worked with much safer techniques for assessing the security of SCADA/Control systems infrastructure. Working for Tenable Network Security has also provided me great insights into several techniques, including:

- Using credentials to log in to systems and audit for missing patches and configuration changes
- Tuning vulnerability scans to be less intrusive yet still accurate and providing useful information
- Implementing passive vulnerability scanning to discover hosts on the network and enumerate vulnerabilities, without sending a single packet to the end-user system


Tiptoe Through The Network:

Practical Vulnerability Assessments in Control Systems Environments

Paul Asadoorian

Product Evangelist

Tenable Network Security

About Me

• Currently Product Evangelist at Tenable Network Security
• Founder & CEO of Security Weekly (formerly “PaulDotCom”)
• Worked for Digital Bond in 2008/2009
• Love hacking and breaking embedded systems

Warning: Sub-Themes I am Known to Use in All My Presentations

• Ninjas (Check)
• Star Wars Reference
• ONE lolcat
• Old Joke directed at my friend Jack Daniel
• Wife/Kids related humor
• Unicorns

I can “scan” your networks without breaking “stuff”

And spoons don’t really sound like airplanes?

You Don’t Have to Feel Vulnerable

• There is typical hesitation when scanning a network and/or any systems

• Scans may “cause an undesirable condition on a remote host” (Okay, it could crash it)

• Problem is you must:
  o Identify the device
  o Enumerate vulnerabilities

Goals

• Identify assets
• Don’t break stuff
• Discover vulnerabilities
• Report them to people who can fix them

• Continuously discover vulnerabilities that remain

• Report progress to management

You Can’t Fix it if You Don’t Know it Exists

• Detect hosts:
  o Netflow Data
  o Firewall Logs
  o Arp Tables
  o Sniff Network Traffic
  o Connection tables
  o Query VMWare
  o Look at your logs

Check out Bro IDS

• Regex for your network

• Write rules to discover hosts, attacks, vulnerabilities and more

• Command line kung fu, Security Onion

Liam has the coolest title: “Brovangelist”

P0f – Passive OS and Host detection

• This tool is 14 years old… (Been around a long time)
• Big thanks to Rob over at the SANS ISC, nice articles and examples
  o http://isc.sans.org/diary/Passive+Scanning+Two+Ways+-+How-Tos+for+the+Holidays/17246
  o http://isc.sans.org/diary/Scanning+without+Scanning/17189

Not as long as Jack….

Sniffing the Network

• Passive sniffing
• Firewalls
• Virtualization
• This shouldn’t be on the network

Sniffing & Logging – New Hosts
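The host-discovery sources listed a few slides back (ARP tables, firewall logs, NetFlow) can be mined for hosts without sending a single packet; this added example, not from the deck, shows the idea end to end: it parses constructed stand-ins for those three record types, merges the addresses, and reports hosts missing from an asset inventory. All formats, addresses and names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records; the 10.10.1.0/24 addresses are made up for this example.
ARP_TABLE = """\
? (10.10.1.1) at 00:11:22:33:44:01 [ether] on eth0
? (10.10.1.20) at 00:11:22:33:44:14 [ether] on eth0
? (10.10.1.77) at 00:11:22:33:44:4d [ether] on eth0
"""
FIREWALL_LOG = """\
Jun 08 10:01:02 fw1 kernel: ACCEPT IN=eth0 SRC=10.10.1.20 DST=10.10.1.5 PROTO=TCP DPT=502
Jun 08 10:01:09 fw1 kernel: DROP IN=eth0 SRC=10.10.1.93 DST=10.10.1.1 PROTO=TCP DPT=23
"""
NETFLOW = "src,dst,dport,proto\n10.10.1.5,10.10.1.20,502,TCP\n10.10.1.77,10.10.1.5,44818,TCP\n"
KNOWN_ASSETS = {"10.10.1.1", "10.10.1.5", "10.10.1.20"}  # the inventory we believe is complete

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

def hosts_from_arp(text):
    """Every IP the ARP table has resolved is a host that spoke on the segment."""
    return set(re.findall(r"\(" + IPV4 + r"\)", text))

def hosts_from_firewall(text):
    """Both ends of each logged flow count; a DROP still proves the source exists."""
    pairs = re.findall(r"SRC=" + IPV4 + r" DST=" + IPV4, text)
    return {ip for pair in pairs for ip in pair}

def hosts_from_netflow(text):
    """Flow records: skip the header line, take the src and dst columns."""
    rows = [line.split(",") for line in text.splitlines()[1:] if line.strip()]
    return {ip for row in rows for ip in row[:2]}

def discover(arp=ARP_TABLE, fw=FIREWALL_LOG, flows=NETFLOW):
    """Merge the passive sources into {ip: set of source names that saw it}."""
    seen = defaultdict(set)
    for name, hosts in (("arp", hosts_from_arp(arp)),
                        ("firewall", hosts_from_firewall(fw)),
                        ("netflow", hosts_from_netflow(flows))):
        for ip in hosts:
            seen[ip].add(name)
    return dict(seen)

def unknown_hosts(seen, inventory=KNOWN_ASSETS):
    """Hosts the network has seen but the inventory has not."""
    return sorted(ip for ip in seen if ip not in inventory)

if __name__ == "__main__":
    seen = discover()
    for ip in unknown_hosts(seen):
        print(f"unknown host {ip} seen via {', '.join(sorted(seen[ip]))}")
```

Run periodically against fresh exports, the same comparison turns into the “new hosts” report the next slide refers to: any address that appears in a source but not in the inventory is a candidate for a credentialed or passive follow-up rather than an active probe.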

Nessus for Host Discovery

• Nessus is an active vulnerability scanner, however:

o You can use credentials to audit patches

o Configuration auditing points out flaws

o Policies are highly configurable

• http://www.tenable.com/blog/using-nessus-for-host-discovery

Ninja convention

Credentials: Checking for Patches

• Easy to create, use the wizard

• Upload the SSH keys
• Nessus automatically selects the appropriate plugins

Credentials: Checking for Patches (2)

Lots of Results, “No Problem”

Credentials: Checking Configuration

Credentials: Checking Configuration (2)

VMware Virtual Machine Info

Vulnerability Management

• You must keep up with patches on ALL of your systems

• You must identify easily exploitable vulnerabilities and patch them FAST

The Patch Management Struggle

Security Guy vs. Sysadmin: “Our systems are missing patches!”

Step 1 – Define

• Policy – What you will do and where you will do it
• Procedures – How you will do it and who you will do it with

• Get management to sign off on both of the above

Step 2 – Communication & Process

• Communicate your policy and procedures to the right people!

• Management, security, administrators and end users

Step 3 – Find Them All

• Scan your network (frequently)
• Perform authenticated vulnerability scans
  o Servers & Desktops
  o Network infrastructure
  o Virtualization platform
  o Storage systems

• Sniff your network for vulnerabilities

• Mine your logs for data

These are not the vulnerabilities you’re looking for

Application Discovery

• Get rid of applications not supported or not in use

• Reduce your attack platform
• Less stuff to patch

Eek, why TELNET?

Phone + Wifi

Here’s my number, call me after you patch your phone.

Applications

How many browsers do you need?

Scanning Embedded Systems

This is not a tablet, phone or “phablet”

2012 Wife Christmas Gift

• Has Wifi
• “Runs” Android

2013 Wife Christmas Gift

• Has Wifi
• Runs….?

“Scanning” Embedded Systems

• Many embedded devices are Wifi-only
• Some devices are transient or are only online for a short time, then go away

• Many do not react well to an active network-based scan (ICS type devices for example)

• Resources are an issue (not enough CPU/RAM)

Passive Vulnerability Scanner Trending

Conclusions

• There are many ways to continually perform host discovery, from sniffing to log monitoring

• Once you’ve identified all the hosts, have a process for vulnerability management

• There are numerous ways in which to “scan” a host, including credentialed patch audits and configuration auditing

• Embedded systems are tricky, require special attention, and passive scanning is best in this case

Sub-Themes Check list

• Ninjas
• Star Wars Reference
• ONE lolcat
• Old Joke directed at my friend Jack Daniel
• Wife/Kids related humor
• Unicorns

Tenable Resources

Blog: http://blog.tenable.com

Podcast: http://www.tenable.com/podcast

Videos: http://www.youtube.com/tenablesecurity

Discussion portal: https://discussions.nessus.org

Buy Nessus, Perimeter Service, Training & Bundles: https://store.tenable.com

Become a Tenable Partner: https://www.tenable.com/partners

Try SecurityCenter and Nessus now

For more information, or to evaluate SecurityCenter Continuous View: http://www.tenable.com/products/securitycenter-continuous-view

Evaluate Nessus free for 14 days: http://www.tenable.com/products/nessus/evaluate

Questions?


Thank you

Contact me:

Paul Asadoorian – paul@nessus.org for Tenable related items

paul@securityweekly.com for anything else…