Enterprise Vulnerability Management (slide deck transcript)
Source: opennet.client02.prostoy.ru/wp-content/uploads/2017/02/... · 2017-02-04
Enterprise Vulnerability Management
Alexander Leonov, Ekaterina Pukhareva, Alex Smirnoff
Content
1. A variety of Vulnerability Scanners
2. Experience in the use of Tenable SecurityCenter and Nessus
3. How to make vulnerability management efficient?
4. Vulnerability Scanner as a valuable asset
5. Beyond scanners
A variety of Vulnerability Scanners
A variety of Vulnerability Scanners
Some problems
• When the scan is finished, the results may already be outdated
• False positives
• Per-host licensing
Knowledge base:
• How quickly does the vendor add new vulnerability checks?
• No scanner will find all vulnerabilities in any given piece of software
• Some vulnerabilities can be found only with credentials (authenticated scan) or when the service banner is correct
• You will never know the real limitations of the product
A variety of Vulnerability Scanners
Nessus vs. OpenVAS: CVE coverage of the NASL plugin feeds (at the time of the talk)
All CVEs: 80196
Nessus CVE links: 35032
OpenVAS CVE links: 29240
OpenVAS vs. Nessus (CVEs only in OpenVAS; in both; only in Nessus): 3787; 25453; 9579
Plugins behind each region:
• OpenVAS-only CVEs: 2673 OpenVAS plugins
• Nessus-only CVEs: 6639 Nessus plugins
• CVEs covered by both: 38207 OpenVAS plugins and 50896 Nessus plugins
All NASL plugins: OpenVAS 49747, Nessus 81349 (the remainder carry no CVE links at all)
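The comparison above can be reproduced from the plugin sources alone, because both Nessus and OpenVAS NASL plugins declare the CVEs they detect with `script_cve_id(...)`. The script below is an added example, not the authors' tool: it rebuilds the CVE-to-plugin map of each feed and computes the same three Venn regions plus the plugin counts behind them. The two feeds embedded here are constructed samples with placeholder CVE ids; `load_feed_dir()` is the way to point it at a real plugins directory.

```python
"""Compare CVE coverage of two NASL plugin feeds (Nessus vs. OpenVAS).

Added example, not the authors' script. Both feeds declare detected CVEs with
script_cve_id("CVE-...", ...), so the CVE <-> plugin map can be rebuilt from
the plugin sources. The sample feeds below are constructed stand-ins with
placeholder CVE ids.
"""
import re
from collections import defaultdict
from pathlib import Path

CVE_CALL = re.compile(r"script_cve_id\s*\(([^)]*)\)", re.S)
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


def cves_in_plugin(nasl_text):
    """CVE ids declared by every script_cve_id(...) call in one plugin."""
    found = set()
    for args in CVE_CALL.findall(nasl_text):
        found.update(CVE_ID.findall(args))
    return found


def index_feed(plugins):
    """Map CVE id -> set of plugin names; plugins is {name: source text}."""
    index = defaultdict(set)
    for name, text in plugins.items():
        for cve in cves_in_plugin(text):
            index[cve].add(name)
    return index


def load_feed_dir(path):
    """Read every *.nasl file under path into the {name: text} shape."""
    return {p.name: p.read_text(errors="replace") for p in Path(path).rglob("*.nasl")}


def compare_feeds(openvas_plugins, nessus_plugins):
    """Venn counts: CVEs per region and the plugins behind each region."""
    ov, ne = index_feed(openvas_plugins), index_feed(nessus_plugins)
    only_ov, both, only_ne = set(ov) - set(ne), set(ov) & set(ne), set(ne) - set(ov)

    def plugins_for(index, cves):
        return set().union(*(index[c] for c in cves)) if cves else set()

    return {
        "plugins": (len(openvas_plugins), len(nessus_plugins)),
        "cves": (len(ov), len(ne)),
        "only_openvas": len(only_ov),
        "both": len(both),
        "only_nessus": len(only_ne),
        "openvas_plugins_for_only": len(plugins_for(ov, only_ov)),
        "nessus_plugins_for_only": len(plugins_for(ne, only_ne)),
        "openvas_plugins_for_both": len(plugins_for(ov, both)),
        "nessus_plugins_for_both": len(plugins_for(ne, both)),
        # plugins with no CVE links: the "vendor forgot to add links" case
        "no_cve_plugins": (
            sum(1 for t in openvas_plugins.values() if not cves_in_plugin(t)),
            sum(1 for t in nessus_plugins.values() if not cves_in_plugin(t)),
        ),
    }


# Constructed sample feeds; the CVE ids are placeholders, not real advisories.
OPENVAS_SAMPLE = {
    "gb_samba_multiple.nasl": 'script_cve_id("CVE-2015-0001", "CVE-2015-0002");',
    "gb_solaris_legacy.nasl": 'script_cve_id("CVE-2010-0001");',
    "gb_banner_only.nasl": 'script_name("Service banner grab");',  # no CVE links
}
NESSUS_SAMPLE = {
    "samba_4_2_7.nasl": 'script_cve_id(\n  "CVE-2015-0001",\n  "CVE-2015-0002",\n  "CVE-2015-0003"\n);',
    "vbulletin_rce.nasl": 'script_cve_id("CVE-2015-0004");',
}

if __name__ == "__main__":
    for key, value in compare_feeds(OPENVAS_SAMPLE, NESSUS_SAMPLE).items():
        print(f"{key}: {value}")
```

On the samples this reports 1 CVE only in OpenVAS, 2 in both and 2 only in Nessus; the `no_cve_plugins` count is the part of a feed this method cannot see, which is exactly the gap the "Why?" slide lists.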
Why does coverage differ? (N = Nessus, O = OpenVAS)
• Old vulnerabilities
• Vendor forgot to add links to the CVE id
• Vulnerabilities in plugins (N: WordPress VideoWhisper)
• Don't support local software (N: openMairie)
• Stopped adding new vulnerabilities (N: vBulletin, O: Solaris)
In other words
• A Vulnerability Scanner is a necessity
• Don't depend too much on them
• If the scanner does not detect some vulnerability, it's YOUR problem, not your VM vendor's
• Choose a VM solution you can control
• Have alternative sources of vulnerability data (vulners.com, vFeed)
Sometimes a free service detects better
Vulners Linux Audit GUI
https://vulners.com/#audit
• Linux OS vulnerability scan
• Immediate results
• Dramatically simple
Vulners Linux Audit GUI: supported distributions
• RedHat
• CentOS
• Fedora
• Oracle Linux
• Ubuntu
• Debian
Vulners Linux Audit API
curl -H "Accept: application/json" -H "Content-Type: application/json" -X POST \
  -d '{"os":"centos","package":["pcre-8.32-15.el7.x86_64","samba-common-4.2.3-11.el7_2.noarch","gnu-free-fonts-common-20120503-8.el7.noarch","libreport-centos-2.1.11-32.el7.centos.x86_64","libacl-2.2.51-12.el7.x86_64"],"version":"7"}' \
  https://vulners.com/api/v3/audit/audit
+ Agent Scanner
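The curl command above is what an agent on the host has to produce: the distribution, its version and the exact installed package versions. The script below is an added example, not code from the slides or from Vulners; it builds that request body from `/etc/os-release` and `rpm -qa` output and posts it to the API URL shown on the slide. The inputs embedded here are constructed samples so the build step runs offline; `post_audit()` needs network access, dpkg-based systems are not covered, and the optional `apiKey` field is an assumption for accounts that require a key (the slide's command sends none).

```python
"""Build a Vulners Linux audit request from local package data.

Added example, not code from the slides or from Vulners. It produces the
body the slide's curl command sends: {"os": ..., "version": ..., "package": [...]}.
The sample texts below are constructed; the apiKey field is an assumption.
"""
import json
import subprocess
import urllib.request

AUDIT_URL = "https://vulners.com/api/v3/audit/audit"


def parse_os_release(text):
    """Return (ID, VERSION_ID) from /etc/os-release text, e.g. ("centos", "7")."""
    fields = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip().strip('"')
    return fields.get("ID", ""), fields.get("VERSION_ID", "")


def parse_rpm_qa(text):
    """Unique name-version-release.arch strings from `rpm -qa` output.

    gpg-pubkey-* entries are rpm's imported signing keys, not software; drop them.
    """
    packages = set()
    for line in text.splitlines():
        pkg = line.strip()
        if pkg and not pkg.startswith("gpg-pubkey-"):
            packages.add(pkg)
    return sorted(packages)


def build_audit_request(os_release_text, rpm_qa_text, api_key=None):
    """Request body in the shape of the slide's curl example."""
    os_id, version = parse_os_release(os_release_text)
    body = {"os": os_id, "version": version, "package": parse_rpm_qa(rpm_qa_text)}
    if api_key:
        body["apiKey"] = api_key  # assumption: not part of the slide's example
    return body


def local_audit_request(api_key=None):
    """Same, but from the running host (rpm-based systems only)."""
    with open("/etc/os-release") as fh:
        os_release = fh.read()
    rpm_qa = subprocess.run(["rpm", "-qa"], capture_output=True, text=True, check=True).stdout
    return build_audit_request(os_release, rpm_qa, api_key)


def post_audit(body, url=AUDIT_URL, timeout=60):
    """POST the body as JSON and return the decoded reply (network required)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(),
        headers={"Accept": "application/json", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed samples: package names from the slide, plus a duplicate line and a
# gpg-pubkey entry to show the cleanup.
OS_RELEASE_SAMPLE = 'NAME="CentOS Linux"\nVERSION="7 (Core)"\nID="centos"\nVERSION_ID="7"\n'
RPM_QA_SAMPLE = """pcre-8.32-15.el7.x86_64
samba-common-4.2.3-11.el7_2.noarch
gpg-pubkey-f4a80eb5-53a7ff4b
libacl-2.2.51-12.el7.x86_64
pcre-8.32-15.el7.x86_64
"""

if __name__ == "__main__":
    print(json.dumps(build_audit_request(OS_RELEASE_SAMPLE, RPM_QA_SAMPLE), indent=1))
```

Run `local_audit_request()` on a CentOS host and feed the result to `post_audit()` to get the same answer the GUI gives; because the package list is the only input, the result is exactly as good as the package database on the host, which is the same limitation the authenticated-scan bullet above describes.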
Experience in the use of Tenable SecurityCenter and Nessus
Architecture (two diagram slides; the diagrams themselves are not in the transcript)
Experience in the use of Tenable SecurityCenter and Nessus
The vulnerability management cycle
Discovery: finding live hosts
• Scan the external and internal perimeters
Assessment: what assets are there?
• Scan specific asset classes: workstations, network servers
Analysis: what to fix first?
• What CVSS score?
• What risks?
Remediation: fix the problem
• What is the time for fixing?
• Fixing
• Accepting risks
Experience in the use of Tenable SecurityCenter and Nessus
Reporting and dashboards
Experience in the use of Tenable SecurityCenter and Nessus
Compliance checks: PCI DSS requirements and others
Nessus .audit files (built-in or highly customized plug-ins):
- Operating systems (SSH, password policy, local accounts, audit, etc.)
- Databases (privileges, login expiration check, etc.)
- Network devices (SSH, SNMP, finger service disabled, etc.)
- Etc.
Custom VM Reporting
Graphs:
• MS Critical + Exploitable
• MS Critical
• MS Other
• Windows Software
Tables:
• Legend
• Top vulnerable hosts
• Top vulnerabilities
Experience in the use of Tenable SecurityCenter and Nessus
Homemade Ticketing
Experience in the use of Tenable SecurityCenter and Nessus
Usage problems
● Updating scanners by scripts
● New plugins
● Log management and monitoring
● Harmless pentest
● False positives
● Authentication failures
Nessus Agents
Vulnerability Scanner as a valuable asset
Dangerous audit file
The scanner holds privileged credentials for every host it audits, and a .audit file can run arbitrary commands on the targets with those credentials, so whoever can edit audit files or start scans effectively controls the scanned estate.
Vulnerability Scanner as a valuable asset
Monitoring
• Domain + two-factor authentication
• Role model in SecurityCenter
• Monitoring of the use of the nessus account
Restricting Nessus permissions (sudoers)
Defaults:scanaccount !requiretty
Cmnd_Alias NESSUSAA = /bin/sh -c echo nessus_su_`echo [0-9]*[0-9]` ; *; echo nessus_su_`echo [0-9]*[0-9]`
Cmnd_Alias NESSUSXA = ! /bin/sh -c echo nessus_su_`echo [0-9]*[0-9]` ; *;*; echo nessus_su_`echo [0-9]*[0-9]`
Cmnd_Alias NESSUSXB = ! /bin/sh -c echo nessus_su_`echo [0-9]*;*[0-9]` ; *; echo nessus_su_`echo [0-9]*[0-9]`
Cmnd_Alias NESSUSXC = ! /bin/sh -c echo nessus_su_`echo [0-9]*[0-9]` ; *; echo nessus_su_`echo [0-9]*;*[0-9]`
scanaccount ALL = (root) NESSUSAA, NESSUSXA, NESSUSXB, NESSUSXC
!requiretty is needed because the scanner runs sudo over SSH without a terminal. NESSUSAA matches the shape of the command line Nessus sends through sudo: a /bin/sh -c wrapper whose command is bracketed by "echo nessus_su_<number>" markers. The three negated aliases reject command lines that carry an extra ";" between the markers or inside the marker numbers, i.e. attempts to chain a second command; the wildcard in the middle still admits any single command as root.
Caveats: not officially supported; may stop working at any time (it depends on the exact wrapper format Nessus uses); more like security through obscurity than efficient protection.
What is still wrong
(from NopSec “2016 Outlook: Vulnerability Risk Management and Remediation Trends”)
Risk management? Asset management? Threat intelligence? Detecting scanning gaps?
Do you really need an expensive state-of-the-art solution?
..and what's beyond vulnerability scanning?
There is an alternative
• For pentesters
• For splunk, big data and fancy tech
• HUBBLESTACK.IO (for the rest of us)
Simple as that
• Import all your scan data into a database
• ..then do anything you want: monitor changes, create scopes, custom reports, whatever
• Avoid VM vendor lock-in
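What "import all your scan data into a database" looks like in practice, as an added example that is not the authors' tooling: a `.nessus` (NessusClientData_v2) export is one `ReportHost` per host with one `ReportItem` per finding, which maps directly onto a single SQLite table, and once two scans sit in that table "monitor changes" is one `EXCEPT` query. The two exports below are constructed samples with placeholder plugin ids and names.

```python
"""Import .nessus exports into SQLite and report what changed between scans.

Added example, not the authors' tooling. The Nessus v2 export format is a
NessusClientData_v2 document: ReportHost elements (name = host) containing
ReportItem elements (pluginID, port, protocol, severity, pluginName attributes;
cve, cvss_base_score, exploit_available children). Samples below are constructed.
"""
import sqlite3
import xml.etree.ElementTree as ET

SCHEMA = """
CREATE TABLE IF NOT EXISTS finding (
    scan TEXT NOT NULL, host TEXT NOT NULL, plugin_id INTEGER NOT NULL,
    port INTEGER NOT NULL, protocol TEXT NOT NULL, severity INTEGER NOT NULL,
    plugin_name TEXT, cves TEXT, cvss REAL, exploit_available INTEGER,
    PRIMARY KEY (scan, host, plugin_id, port, protocol)
);"""


def parse_nessus(xml_text):
    """Yield one dict per ReportItem in a .nessus (v2) export."""
    root = ET.fromstring(xml_text)
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            cvss = item.findtext("cvss_base_score")
            yield {
                "host": host.get("name"),
                "plugin_id": int(item.get("pluginID")),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),
                "plugin_name": item.get("pluginName"),
                "cves": ",".join(c.text for c in item.findall("cve") if c.text),
                "cvss": float(cvss) if cvss else None,
                "exploit_available": 1 if item.findtext("exploit_available") == "true" else 0,
            }


def import_scan(conn, scan, xml_text):
    """Store every finding of one export under the scan label; returns the row count."""
    conn.executescript(SCHEMA)
    rows = [(scan, f["host"], f["plugin_id"], f["port"], f["protocol"], f["severity"],
             f["plugin_name"], f["cves"], f["cvss"], f["exploit_available"])
            for f in parse_nessus(xml_text)]
    conn.executemany("INSERT OR REPLACE INTO finding VALUES (?,?,?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return len(rows)


def diff_scans(conn, old, new, min_severity=1):
    """(appeared, fixed): findings of at least min_severity in one scan but not the other."""
    query = """
        SELECT host, plugin_id, port, protocol, plugin_name FROM finding
         WHERE scan = ? AND severity >= ?
        EXCEPT
        SELECT host, plugin_id, port, protocol, plugin_name FROM finding
         WHERE scan = ? AND severity >= ?
        ORDER BY host, plugin_id"""
    appeared = conn.execute(query, (new, min_severity, old, min_severity)).fetchall()
    fixed = conn.execute(query, (old, min_severity, new, min_severity)).fetchall()
    return appeared, fixed


def sample_export(hosts):
    """Constructed .nessus text from {host: [(plugin_id, port, severity, plugin_name)]}."""
    out = ['<NessusClientData_v2><Report name="sample">']
    for host, findings in hosts.items():
        out.append(f'<ReportHost name="{host}">')
        for pid, port, sev, name in findings:
            out.append(f'<ReportItem pluginID="{pid}" port="{port}" protocol="tcp" '
                       f'svc_name="www" severity="{sev}" pluginName="{name}" pluginFamily="Misc.">'
                       f'<cvss_base_score>{sev * 2.5}</cvss_base_score></ReportItem>')
        out.append("</ReportHost>")
    out.append("</Report></NessusClientData_v2>")
    return "".join(out)


# Two constructed scans: plugin 1001 moved from one host to another, 1003 is new.
SCAN_JAN = sample_export({"10.0.0.5": [(10, 0, 0, "Sample info"), (1001, 445, 4, "Sample critical"),
                                       (1002, 443, 2, "Sample medium")]})
SCAN_FEB = sample_export({"10.0.0.5": [(10, 0, 0, "Sample info"), (1002, 443, 2, "Sample medium"),
                                       (1003, 22, 3, "Sample high")],
                          "10.0.0.6": [(1001, 445, 4, "Sample critical")]})

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    import_scan(db, "2017-01", SCAN_JAN)
    import_scan(db, "2017-02", SCAN_FEB)
    print(diff_scans(db, "2017-01", "2017-02"))
```

The primary key (scan, host, plugin, port, protocol) is what makes re-imports idempotent and the diff meaningful; severity 0 (informational) plugins are kept in the table for inventory use but excluded from the change report by default. Swapping the parser for another scanner's export is the "avoid vendor lock-in" part: the table and the queries stay.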
Use case: asset management
• We do not have a critical asset inventory! Wait.. we do. It is called monitoring
• Use Zabbix data to create asset lists
• Push alerts back to Zabbix
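Both directions of the Zabbix idea above, as an added example that is not the authors' integration: `host.get` over the JSON-RPC API (with `selectInterfaces` and `selectGroups`) already describes every monitored host and which group it belongs to, so it can be turned into a per-group scan scope; the return path uses the zabbix_sender wire protocol (a "ZBXD\x01" header, an 8-byte little-endian body length and a JSON payload with request "sender data") to drop per-host finding counts into trapper items that triggers can alert on. The `host.get` result embedded here is a constructed sample in the shape the API returns, and the item key `vm.critical_findings` is an assumption.

```python
"""Scan scope from Zabbix host data, and finding counts pushed back as trapper values.

Added example, not the authors' integration. The host.get result below is a
constructed sample in the Zabbix API's shape; the item key is an assumption.
"""
import json
import socket


def host_get_request(auth_token, request_id=1):
    """JSON-RPC body for host.get returning interfaces and groups of every host."""
    return {
        "jsonrpc": "2.0", "method": "host.get", "id": request_id, "auth": auth_token,
        "params": {
            "output": ["hostid", "host", "name", "status"],
            "selectInterfaces": ["ip", "dns", "useip"],
            "selectGroups": ["name"],
        },
    }


def build_scope(hosts, only_monitored=True):
    """{host group: sorted unique IPs}; Zabbix status "0" is monitored, "1" is disabled."""
    scope = {}
    for host in hosts:
        if only_monitored and host.get("status") != "0":
            continue
        ips = {i["ip"] for i in host.get("interfaces", []) if i.get("ip") and i["ip"] != "127.0.0.1"}
        for group in host.get("groups", []):
            scope.setdefault(group["name"], set()).update(ips)
    return {name: sorted(ips) for name, ips in scope.items()}


def sender_packet(items):
    """zabbix_sender frame for [{"host": ..., "key": ..., "value": ...}, ...]."""
    body = json.dumps({"request": "sender data", "data": items}).encode()
    return b"ZBXD\x01" + len(body).to_bytes(8, "little") + body


def parse_response(frame):
    """Decode a ZBXD frame (from the server, or our own) into its JSON payload."""
    if frame[:5] != b"ZBXD\x01":
        raise ValueError("not a Zabbix protocol frame")
    length = int.from_bytes(frame[5:13], "little")
    return json.loads(frame[13:13 + length])


def push_counts(server, counts, key="vm.critical_findings", port=10051, timeout=10):
    """Send {zabbix host name: count} to the trapper port; returns the server's reply."""
    items = [{"host": h, "key": key, "value": str(v)} for h, v in counts.items()]
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(sender_packet(items))
        reply = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            reply += chunk
    return parse_response(reply)


# Constructed host.get result: two monitored hosts and one disabled host.
HOST_GET_SAMPLE = [
    {"hostid": "10105", "host": "web01", "name": "web01", "status": "0",
     "interfaces": [{"ip": "10.0.0.5", "dns": "", "useip": "1"}],
     "groups": [{"name": "Web servers"}, {"name": "DMZ"}]},
    {"hostid": "10106", "host": "db01", "name": "db01", "status": "0",
     "interfaces": [{"ip": "10.0.1.7", "dns": "", "useip": "1"},
                    {"ip": "127.0.0.1", "dns": "", "useip": "1"}],
     "groups": [{"name": "Databases"}]},
    {"hostid": "10107", "host": "old01", "name": "old01", "status": "1",
     "interfaces": [{"ip": "10.0.9.9", "dns": "", "useip": "1"}],
     "groups": [{"name": "DMZ"}]},
]

if __name__ == "__main__":
    print(json.dumps(build_scope(HOST_GET_SAMPLE), indent=1))
    print(sender_packet([{"host": "web01", "key": "vm.critical_findings", "value": "3"}]))
```

The scope keeps disabled hosts out by default because a host nobody monitors is also a host nobody will patch on a ticket; pass `only_monitored=False` to scan them anyway and treat the result as the "scanning gap" list. The trapper item must exist on the Zabbix side with the same key and a host name that matches the technical host name, not the visible one.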
Use case: advanced risk management
• Create an exploit capabilities description (CVSS sucks!)
• Add environment data (internal and external scans at least)
• Add anything you want (threat intel)
• No part is mandatory!
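An illustration of the ordering effect the slide is after, as an added example and not the authors' model: a finding record that carries exploit capability, exposure (seen from the external scan), asset value from the inventory and a threat-intel flag next to the CVSS score, where every signal beyond CVSS is optional and defaults to off. The weights are assumptions chosen to make the point visible, not a recommended formula; the sample findings are constructed.

```python
"""Rank findings by more than CVSS: exploit capability, exposure, asset value, threat intel.

Added illustrative scheme, not the authors' model. Weights are assumptions;
every signal beyond CVSS is optional ("no part is mandatory").
"""
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    plugin: str
    cvss: float                      # scanner's base score
    exploit_public: bool = False     # working exploit available (scanner flag or exploit DB)
    exploited_in_wild: bool = False  # threat intel: seen used in real attacks
    external: bool = False           # also observed from the external perimeter scan
    asset_value: int = 1             # 1 (lab) .. 3 (crown jewel), e.g. from monitoring host groups


def priority(f):
    """Environment-aware priority; CVSS is the starting point, not the verdict."""
    score = f.cvss
    if f.exploit_public:
        score += 2.0
    if f.exploited_in_wild:
        score += 3.0
    if f.external:
        score *= 1.5
    return round(score * f.asset_value, 1)


def rank(findings):
    """Findings sorted by descending priority, ties broken by CVSS then host name."""
    return sorted(findings, key=lambda f: (-priority(f), -f.cvss, f.host))


# Constructed sample: by CVSS alone the lab box would come first.
SAMPLE = [
    Finding("lab-1", "sample critical", 9.8),
    Finding("www-1", "sample high", 7.5, exploit_public=True, external=True, asset_value=2),
    Finding("db-1", "sample medium", 5.5, exploited_in_wild=True, asset_value=3),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{priority(f):5.1f}  cvss={f.cvss}  {f.host}  {f.plugin}")
```

With the sample data the CVSS 9.8 on an unexposed lab host drops to the bottom behind a CVSS 7.5 that is reachable from outside with a public exploit and a CVSS 5.5 that threat intel says is being used against a high-value database; the scanner's own exploit flag, the external scan results and the monitoring host groups are the three data sources the slides already have.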