What Does Patching have to do with Compliance Management - PowerPoint PPT Presentation

Presentation Transcript
What Does Patching have to do with Compliance Management

Michael J Wiser CISSP

Vice President

Citadel Security Software Inc.

www.citadel.com/2minutebroadcast

Patching and Compliance Management

What Does Patching have to do with

Compliance Management

Typically only about 25% to 35% of a security policy can be satisfied through patching alone.

Customer “S”: 28% compliant with a patching solution deployed

Customer “S”: 95% compliant with an EVM solution deployed

The Real Issue
  • Today’s currency is bits, not gold
    • No gold bullion in the vault
      • “cloud of electrons at the right place at the right time”
    • Money is represented electronically
      • Trillions of e-$ flow through nations daily
  • BUT: Many executives do not understand or recognize the importance of their information systems and the threats that exist, and therefore do not invest in the security of these systems.
Vulnerabilities

So many ways to be attacked:

  • Physical Penetrations
  • Company Profiling – Open Source Research
  • Footprinting – Scanning – Enumeration
  • Penetration
  • Privilege escalation, then stealing or damaging corporate information
  • Trojans – remote controlling systems
  • Buffer Overflows
  • Port Redirection of Packets
  • Zone Transfers
  • SNMP Sweeps
  • Router Exploitation
  • Key Loggers – Software and Hardware devices
  • Denial of Service
  • ARP/DNS Poisoning
Some More Numbers
  • General Internet attack trends are showing a 64% annual rate of growth
    • Symantec
  • The average company experiences 32 cyber-attacks per week
    • Checkpoint
  • The average measurable cost of a serious security incident in Q1/Q2 2004 was approximately $500,000
    • UK Dept of Trade & Industry
  • Identity theft related personal information is selling for $500-$1000 per record
    • CFE Resource
  • Average of 79 new vulnerabilities per week in 2004!!
    • eEye Digital Security
And They’re Getting Better

More vulnerabilities = higher likelihood of attack

Faster attacks = less time to react

What We See
  • Rapidly increasing threats and vulnerabilities
  • Rapidly decreasing time to exploit
  • No corresponding increase in IT resources

Sources: CERT/CC, Microsoft, SANS

Issues Leading to Compromise

How do they do it?

  • Out of Date Systems
    • Systems and applications are not at the latest patch levels
  • Configuration Issues
    • What may be (somewhat) safe on a LAN is not safe on the Internet
  • Poor Password Choice
    • Remote administration or support access tends to be designed for ease of support, which also makes it easy to break into
  • Lack of Security Controls
    • Firewalls, Intrusion Detection Systems, Encryption, 2-Factor Authentication are not present
  • Application Coding Problems
    • Lack of thorough testing leaves many flaws in web-based applications, such as:
      • URL/Directory permissions
      • SQL Injections
      • URL Manipulation
      • Session Issues

Methods

How do they find these problems?

  • Scanning, Scanning and More Scanning
    • Port Scanners
    • Vulnerability Scanners
    • Web Application Scanners
  • Trial and Error
    • Attackers have effectively unlimited time and resources
  • Publish and Share
    • Attackers often find issues with sites and then publish their techniques to obscure locations (chat rooms, foreign language hacker forums, etc.)
Case Study 1: POS Environment

[Network diagram: Attacker, Internet, Retail Store, Corporate, Processor]

Case Study 1: Timeline of Events

Monday November 8th 2004

  • 2:07 PM – Attacker named Мальчик begins scanning a network block known to be used by a US based ISP for its business DSL connections.
  • 3:14 PM – Мальчик finds a system with a Windows share open with full read/write permissions.
  • 3:23 PM – Мальчик mounts share on his system and begins to search for cardholder data using automated tools.
  • 4:05 PM – The system is found to contain several thousand card numbers and corresponding track data. Last transaction was at 4:03 PM. Мальчик realizes that this must be a POS system and knows he struck gold today.
  • 4:07 PM – Мальчик begins to copy all files containing cardholder data.
Case Study 1: Timeline of Events (Cont’d)

Wednesday November 10th 2004

  • 1:11 AM – Мальчик returns to install an agent that each day will ZIP up all new transactions and HTTP POST them to http://sneety02.devotchka7.ru
  • 2:51 AM – Мальчик runs the agent to test that it works. 15,892 transactions were posted to his group’s site.
  • Future Work
    • Мальчик and his group will begin to emboss and sell “real” cards from this and future posts to his site.
    • At a street price of about $160 USD per “real” card, the first harvest from this site alone is worth about $2.5 million USD.
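The daily ZIP-and-POST agent in this timeline leaves a recognisable trace in outbound proxy logs. The following detection is an added example and is not part of the original presentation or of any Citadel product. The log line format, the POS store subnet (10.20.0.0/16) and the allow-list of legitimate payment and corporate hosts are constructed assumptions; the drop-site host is the one named in the timeline, and the log lines are constructed, not real traffic.

```python
"""Spot the daily ZIP-and-POST exfiltration agent from Case Study 1 in
outbound proxy logs. Added example; format, subnet and allow-list are assumed."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed log format: timestamp src_ip method url status bytes_sent content_type
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<nbytes>\d+) (?P<ctype>\S+)$"
)

POS_NET = ipaddress.ip_network("10.20.0.0/16")                # assumed store segment
ALLOWED_HOSTS = {"gateway.processor.example", "corp.example"}  # assumed legitimate destinations
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed"}
LARGE_POST = 500_000   # bytes; POS form posts are tiny, card dumps are not


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["nbytes"] = int(rec["nbytes"])
    rec["host"] = urlparse(rec["url"]).hostname
    return rec


def suspicious_posts(lines):
    """POSTs from the POS segment to hosts outside the allow-list, each with the
    reasons that fired. Everything here deserves a look; the ones carrying
    archives or large bodies are the ones that look like the case-study agent."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            continue
        if src not in POS_NET or rec["host"] in ALLOWED_HOSTS:
            continue
        reasons = ["POST from POS segment to non-allow-listed host"]
        if rec["ctype"] in ARCHIVE_TYPES:
            reasons.append("archive upload")
        if rec["nbytes"] >= LARGE_POST:
            reasons.append(f"large body ({rec['nbytes']} bytes)")
        findings.append({"ts": rec["ts"], "src": rec["src"],
                         "host": rec["host"], "reasons": reasons})
    return findings


def recurring_hosts(findings, min_days=2):
    """Destination hosts posted to on at least min_days distinct days: the
    scheduled agent in the timeline beacons daily, a one-off form post does not."""
    days = defaultdict(set)
    for f in findings:
        days[f["host"]].add(f["ts"][:10])   # ISO date prefix
    return {h for h, d in days.items() if len(d) >= min_days}


# Constructed sample log: one POS host fetching the agent, then uploading
# archives on two consecutive nights, plus benign and out-of-scope traffic.
SAMPLE_LOG = """\
2004-11-10T01:11:02 10.20.5.17 GET http://sneety02.devotchka7.ru/agent.exe 200 48213 application/octet-stream
2004-11-10T02:51:40 10.20.5.17 POST http://sneety02.devotchka7.ru/up.php 200 1842211 application/zip
2004-11-10T02:52:01 10.20.5.17 POST https://gateway.processor.example/auth 200 1223 application/x-www-form-urlencoded
2004-11-11T02:00:05 10.20.5.17 POST http://sneety02.devotchka7.ru/up.php 200 912440 application/zip
2004-11-11T09:14:33 10.20.5.30 POST http://www.example.org/contact 200 812 application/x-www-form-urlencoded
2004-11-11T10:00:00 192.168.1.5 POST http://sneety02.devotchka7.ru/up.php 200 5000 application/zip
"""

if __name__ == "__main__":
    found = suspicious_posts(SAMPLE_LOG.splitlines())
    for f in found:
        print(f["ts"], f["src"], "->", f["host"], "|", "; ".join(f["reasons"]))
    print("recurring drop sites:", recurring_hosts(found))
```

The last sample line is deliberately outside the POS subnet so that it is not reported: the point of scoping the rule to the store segment is that a POS host has a very short list of places it should ever POST to, which makes a simple allow-list workable there even though it would drown an analyst on a general office network.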
Case Study 2: eCommerce Sites

[Network diagram: Attacker, Customer, Internet, Web Hosting ISP, Processor]

Case Study 2: Timeline of Events

Thursday October 28th 2004

  • 11:40 AM – A hacking group by the name of L-Crew, which had been scanning a large segment of the Internet for open database servers, noticed that TCP port 3306 (the MySQL default) was open on a server and that they were able to execute queries against the database.
  • Note: This site is hosted at an Internet Hosting Provider that leverages a shopping cart driven by a backend database shared by all hosted customers.
Case Study 2: Timeline of Events

Friday October 29th 2004

  • 2:29 AM – The L-Crew has been exploring the database for about 14 hours and discovered that they can query a table containing the username and password hashes for the shopping cart administrator accounts that each merchant uses.
  • 3:45 AM – The L-Crew downloaded a dump of the user table to their local system. They noticed on the main website for the hosting provider that a merchant can set up a demo shopping cart account. They created an account through the registration process.
  • 3:52 AM – After registering they are asked to pick a password for their account. They are told that the password cannot be longer than 7 characters and must not contain numbers or symbols.
Case Study 2: Timeline of Events (Cont’d)
  • Friday October 29th 2004 (Cont’d)
    • 4:10 AM – Using the information gathered during the registration process, the L-Crew took the password hashes and began to crack them. Because they knew the “rules” applied at password creation, they could greatly narrow their cracking effort to 7-character, letters-only candidates.
    • 5:56 AM – The L-Crew had successfully cracked all 587 passwords, including the global administrator account used to set up custom fields and other environment-specific shopping cart settings.
    • 7:14 AM – The L-Crew, using the global administrator account, modified the shopping cart to HTTP POST a copy of each transaction (including CC#, Exp, CVV2/CID) from every merchant to another site they had compromised, located at http://visty45.miaku.co.jp
    • 8:23 AM – The L-Crew has gathered over 1000 transactions on their site and decides to write a script on the receiving site to batch these up each hour and e-mail them to 20 different “free mail” accounts.
Case Study 2: Timeline of Events (Cont’d)

Saturday October 30th 2004

  • 9:22 AM – John Smith purchased a book from ACME Books’ website. This site is hosted at the Internet Hosting Provider that was compromised by the L-Crew.
  • 11:46 AM – The L-Crew has gathered over 14,000 transactions (including John Smith’s) and has begun sorting and packaging them for resale.
  • At a street price of about $10 for cardholder information alone (no magnetic stripe data), they will make about $140,000 USD for a little more than 24 hours of work.
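The registration page told the attackers exactly which candidates not to bother with. The example below is added here and is not from the original presentation: it quantifies how much smaller the search space becomes under the hosting provider's stated rule (at most 7 characters, letters only) than under an ordinary 8-character policy that allows digits and symbols, then cracks a constructed unsalted MD5 hash with a search restricted to what the rule permits. The hash algorithm and the sample password are assumptions; the slide does not say how the shopping cart stored passwords.

```python
"""Why the 7-character, letters-only rule in Case Study 2 mattered.
Added example; MD5 and the sample password are assumed, not from the slides."""
import hashlib
import itertools
import string

LETTERS_ONLY = string.ascii_letters                                       # stated policy
FULL_PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # ordinary policy


def keyspace(charset_size, max_len, min_len=1):
    """Number of candidate passwords of length min_len..max_len over a charset."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def policy_reduction_factor():
    """How many times smaller the stated policy's keyspace is than that of an
    8-character policy allowing letters, digits and symbols."""
    constrained = keyspace(len(LETTERS_ONLY), 7)
    ordinary = keyspace(len(FULL_PRINTABLE), 8)
    return ordinary / constrained


def md5_hex(password):
    """Unsalted MD5, assumed here as the cart's password hash (an assumption)."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(target_hex, charset, max_len, min_len=1):
    """Brute-force an unsalted MD5 hash, trying only passwords the policy permits.
    Returns the password, or None if nothing within the limits matches."""
    for n in range(min_len, max_len + 1):
        for chars in itertools.product(charset, repeat=n):
            candidate = "".join(chars)
            if md5_hex(candidate) == target_hex:
                return candidate
    return None


# Constructed sample: a merchant admin who picked a short lowercase password,
# exactly what a "max 7 chars, letters only" rule nudges people toward.
SAMPLE_HASH = md5_hex("cart")

if __name__ == "__main__":
    print(f"keyspace reduction factor: {policy_reduction_factor():,.0f}x")
    print("recovered:", crack_md5(SAMPLE_HASH, string.ascii_lowercase, max_len=4))
```

Two things compound in the timeline: the policy shrinks the keyspace by several thousand times before the first hash is tried, and an unsalted hash lets the same candidate list be checked against all 587 hashes at once. Salting and a slow hash would have left the policy disclosure far less useful.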
Challenges: Business and Government Mandates

The Computer Security Institute (CSI) reported over $141 million in losses from security incidents among its US survey respondents in 2004.

- 2004 CSI/FBI Computer Crime and Security Survey

  • FDIC
  • CA SB 1386 (California breach notification law)
  • HIPAA
  • Sarbanes-Oxley
  • Gramm-Leach-Bliley
  • Protect Business Assets
  • Protect Business Reputation
  • Payment Card Industry Data Security Standard
  • Securities & Exchange Commission
  • Federal Trade Commission
  • Clinger-Cohen Act
  • Presidential Decision Directive 63
  • Government Information Security Reform Act (GISRA)
  • Federal Information Security Management Act (FISMA)
Facing The Challenge: Shifting From Documenting To Enforcing

Past Practices (Documentation): Documented Corporate Security Policy

  • Perimeter Security:
    • Firewalls
    • IPS
    • IDS
  • Internal Security:
    • Virus Scanning
    • Manual Remediation
    • Hand Coded Software Patches

Current Practice: Audit Corporate Security Policy

  • Assessment Scanners:
    • Unsecured Accounts
    • Unnecessary Services
    • Backdoors
    • Mis-configurations
    • Software Defects

Best Practice (Enforcement): Threat Management

  • Enforce Corporate Security Policy
  • Remediate Vulnerabilities
  • Manage Disconnected Users
  • Apply Policy Templates
  • Compliance and Validation Checking
  • Reporting


Compliance Management

  • Okay, for your Desktops and Servers what is it?
  • Is it patch management?
  • Is it configuration management?
  • Is it Vulnerability Assessment scanning?
So It‘s About Patching?
  • Well, no.
  • 90 to 95% of all network attacks target vulnerabilities for which there was an existing mitigation or repair.

FBI, SANS, Gartner, Carnegie-Mellon

  • Patching software defects accounts for less than 35% of the known network/system vulnerabilities
    • The balance are “configuration” related:
      • Weak, default or nonexistent passwords
      • Improperly configured software (OS, browser, email, ….)
      • Unnecessary services/open ports
      • Unauthorized/poor software (Peer-to-peer, Instant messaging)
Five Classes of Vulnerabilities

Vulnerability: A weakness in process, administration or technology that can be exploited to compromise IT security (Gartner)

  • Unsecured Accounts: null password, admin with no password, no password expiration . . .
  • Unnecessary Services: VNC, PCAnywhere, KaZaa, Telnet . . .
  • Backdoors: spyware (KaZaa, DownloadWare, 180 Solutions, GAIN), MyDoom.A, BACKORIFICE, SUBSEVEN . . .
  • Mis-configurations: NetBIOS shares, anonymous FTP world r/w, hosts.equiv . . .
  • Software Defects (missing patches): buffer overruns, RPC-DCOM, SQL injection . . .
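The "less than 35% is patching, the balance is configuration" claim becomes concrete once a policy is written down as checks across the five classes and run against a host. The following policy checker is an added example, not Citadel's product or the presenter's material. The host record, the required-patch list and the rule set are constructed assumptions; the bulletin numbers used as examples (MS03-026 for RPC-DCOM, MS04-011) are real Microsoft identifiers, but the host that is missing them is invented.

```python
"""A small policy check spanning the slide's five vulnerability classes, and a
tally of how much of the gap patching alone would close. Added example; the
host record, baseline and rules are constructed."""
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    accounts: dict          # username -> {"has_password": bool, "expires": bool}
    services: set           # listening services by name
    processes: set          # running process names
    shares: dict            # share name -> {"anonymous_write": bool}
    installed_patches: set


@dataclass
class Finding:
    rule_id: str
    vuln_class: str
    detail: str
    fixed_by_patching: bool


# Assumed baseline: what the policy expects on every host.
REQUIRED_PATCHES = {"MS03-026", "MS04-011"}
FORBIDDEN_SERVICES = {"telnet", "vnc", "pcanywhere", "kazaa"}
BACKDOOR_PROCESSES = {"backorifice", "subseven", "mydoom"}


def check_accounts(h):
    out = []
    for user, a in h.accounts.items():
        if not a.get("has_password", True):
            out.append(Finding("ACCT-1", "Unsecured Accounts", f"{user}: no password", False))
        elif not a.get("expires", True):
            out.append(Finding("ACCT-2", "Unsecured Accounts", f"{user}: password never expires", False))
    return out


def check_services(h):
    return [Finding("SVC-1", "Unnecessary Services", f"{s} listening", False)
            for s in sorted(h.services & FORBIDDEN_SERVICES)]


def check_backdoors(h):
    return [Finding("BD-1", "Backdoors", f"{p} running", False)
            for p in sorted(h.processes & BACKDOOR_PROCESSES)]


def check_shares(h):
    return [Finding("CFG-1", "Mis-configurations", f"share {name} allows anonymous write", False)
            for name, s in h.shares.items() if s.get("anonymous_write")]


def check_patches(h):
    return [Finding("PATCH-1", "Software Defects", f"missing {p}", True)
            for p in sorted(REQUIRED_PATCHES - h.installed_patches)]


CHECKS = (check_accounts, check_services, check_backdoors, check_shares, check_patches)


def evaluate(host):
    """All policy failures on a host, across the five classes."""
    return [f for check in CHECKS for f in check(host)]


def compliance_summary(findings):
    """Share of the failures that a patch-only program would remove."""
    total = len(findings)
    patchable = sum(1 for f in findings if f.fixed_by_patching)
    return {
        "total": total,
        "fixed_by_patching": patchable,
        "fixed_by_configuration": total - patchable,
        "patch_share": round(patchable / total, 3) if total else 1.0,
    }


# Constructed host that resembles the POS box in Case Study 1.
SAMPLE_HOST = Host(
    name="pos-store-17",
    accounts={"Administrator": {"has_password": True, "expires": False},
              "guest": {"has_password": False, "expires": False}},
    services={"smb", "telnet", "vnc"},
    processes={"pos.exe", "subseven"},
    shares={"C$": {"anonymous_write": False}, "TRANS": {"anonymous_write": True}},
    installed_patches={"MS03-039"},
)

if __name__ == "__main__":
    findings = evaluate(SAMPLE_HOST)
    for f in findings:
        print(f"{f.rule_id:8} {f.vuln_class:22} {f.detail}")
    print(compliance_summary(findings))
```

On the constructed host the two missing bulletins are only a quarter of the eight failures; the open share that let Мальчик in, the guest account without a password and the remote-control backdoor are all configuration items that no patch cycle would touch. Reporting per rule rather than per host is what lets the same data drive both the compliance percentage on the earlier slide and the remediation queue.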
Approaches to Reducing IT Security Risk

Top-down (check compliance or enforce policy)

  • Define asset baseline
  • Define security baseline
  • Enforce IT security config

Bottom-up (scan, validate, remediate)

  • Assess vulnerability state
  • Remediate detected vulnerabilities

Targeted (near-day mitigation)

  • New, critical vulnerabilities
  • Key assets

What needs to be achieved

  • IT Security Compliance: continuous IT security policy enforcement
  • Reduced IT Security Risk: proactive elimination of vulnerabilities
  • Minimized Business Disruptions: consistent enterprise remediation
  • Thorough reporting on security posture: document compliance to policy
  • Improved Utilization of Resources: automation and integration


Security In the News

The Internet Threat Regulator

The Internet Traffic Report

The Virus, Worm and Trojan Report

And the Vulnerability Report

www.citadel.com/2minutebroadcast

Michael J Wiser CISSP

Vice President

Citadel Security Software Inc.

214-520-9292
