Tiptoe Through The Network:

Practical Vulnerability Assessments in Control Systems Environments

Paul Asadoorian

Product Evangelist

Tenable Network Security

About Me

• Currently Product Evangelist at Tenable Network Security• Founder & CEO of Security Weekly (formerly “PaulDotCom”)• Worked for Digital Bond in 2008/2009• Love hacking and breaking embedded systems

Warning: Sub-Themes I am Known to Use in All My Presentations

•Ninjas (Check)•Star Wars Reference•ONE lolcat•Old Joke directed at my friend Jack Daniel•Wife/Kids related humor•Unicorns

I can “scan” your networks without breaking “stuff”

And spoons don’t really sound like airplanes?

You Don’t Have to Feel Vulnerable

•There is typical hesitation when scanning a network and/or any systems

•Scans may “cause an undesirable condition on a remote host” (Okay, it could crash it)

•Problem is you must:o Identify the deviceo Enumerate vulnerabilities

Goals

• Identify assets•Don’t break stuff•Discover vulnerabilities•Report them to people who can fix them

•Continuously discover vulnerabilities that remain

•Report progress to management

You Can’t Fix it if You Don’t Know it Exists

•Detect hosts:o Netflow Datao Firewall Logso Arp Tableso Sniff Network Traffico Connection tableso Query VMWareo Look at your logs

Check out Bro IDS

•Regex for your network

•Write rules to discover hosts, attacks, vulnerabilities and more

•Command line kung fu, Security Onion

Liam has the coolest title: “Brovangelist”

P0f – Passive OS and Host detection

•This tool is 14 years old…(Been around a long time)•Big thanks to Rob over at the SANS ISC, nice articles and exampleso http://isc.sans.org/diary/Passive+Scanning+Two+Ways+-+H

ow-Tos+for+the+Holidays/17246

o http://isc.sans.org/diary/Scanning+without+Scanning/17189 Not as long as Jack….

Sniffing the Network

•Passive sniffing•Firewalls•Virtualization•This shouldn’t be on the network

Sniffing & Logging – New Hosts

Nessus for Host Discovery

• Nessus is an active vulnerability scanner, however:

o You can use credentials to audit patches

o Configuration auditing points out flaws

o Policies are highly configurable

• http://www.tenable.com/blog/using-nessus-for-host-discovery

Ninja convention

Credentials: Checking for Patches

•Easy to create, use the wizard

•Upload the SSH keys •Nessus automatically selects the appropriate plugins

Credentials: Checking for Patches (2)

Lots of Results, “No Problem”

Credentials: Checking

Configuration

Credentials: Checking Configuration (2)

VMware Virtual Machine Info

Vulnerability Management•You must keep up with patches on ALL of your systems

•You must identify easily exploitable vulnerabilities and patch them FAST

The Patch Management Struggle

Security Guy Sysadmin

Our systems

are missing patches!

Step 1 – Define•Policy – What you will do and where you will do it•Procedures – How you will do it and who you will do it with

•Get management to sign off on both of the above

Step 2 – Communication & Process

•Communicate your policy and procedures to the right people!

•Management, security, administrators and end users

Step 3 – Find Them All

•Scan your network (frequently)•Perform authenticated vulnerability scanso Servers & Desktopso Network infrastructureo Virtualization platformo Storage systems

•Sniff your network for vulnerabilities

•Mine your logs for data

These are not the vulnerabilities you’re looking for

Application Discovery

•Get rid of applications not supported or not in use

•Reduce your attack platform•Less stuff to patch

Eek, why TELNET?

Phone + Wifi

Here’s my number, call me after you patch your phone.

Applications

How many browsers do you need?

Scanning Embedded Systems

This is not a tablet, phone or “phablet”

2012 Wife Christmas Gift

•Has Wifi• “Runs” Android

2013 Wife Christmas Gift

•Has Wifi•Runs….?

“Scanning” Embedded Systems

•Many embedded devices are Wifi-only•Some devices are transient or only are online for a short time then go away

•Many do not react well to an active network-based scan (ICS type devices for example)

•Resources are an issue (not enough CPU/RAM)

Passive Vulnerability Scanner Trending

Conclusions

•There are many ways to continually perform host discovery, from sniffing to log monitoring

•Once you’ve identified all the hosts, have a process for vulnerability management

•There are numerous ways in which to “scan” a host, including credentialed patch audits and configuration auditing

•Embedded systems are tricky, require special attention, and passive scanning is best in this case

Sub-Themes Check list

Ninjas Star Wars ReferenceONE lolcatOld Joke directed at my friend Jack DanielWife/Kids related humorUnicorns

Tenable Resources

Blog:http://blog.tenable.com

Podcast:http://www.tenable.com/podcast

Videos:http://www.youtube.com/tenablesecurity

Discussion portal:https://discussions.nessus.org

Buy Nessus, Perimeter Service, Training & Bundles:https://store.tenable.com

Become a Tenable Partner:https://www.tenable.com/partners

Try SecurityCenter and Nessus now

For more information, or to evaluate

SecurityCenter Continuous View:

http://www.tenable.com/products/securitycenter-continuous-view

Evaluate Nessus free for 14 days:http://www.tenable.com/products/nessus/evaluate

Questions?

????

Thank you

Contact me:

Paul Asadoorian – paul@nessus.org for Tenable related items

paul@securityweekly.com for anything else…