What does patching have to do with compliance management
Presentation Transcript


What Does Patching have to do with Compliance Management

Michael J Wiser CISSP

Vice President

Citadel Security Software Inc.

www.citadel.com/2minutebroadcast


Patching and Compliance Management

What Does Patching have to do with Compliance Management?

Typically about 25% to 35% of policy can be achieved through patching.

Customer "S": 28% compliant with a patching solution deployed

Customer "S": 95% compliant with an EVM solution deployed


The Real Issue

  • Today’s currency is bits, not gold

    • No gold bullion in the vault

      • “cloud of electrons at the right place at the right time”

    • Money is represented electronically

      • Trillions of e-$ flow through nations daily

  • BUT: Many executives do not understand or recognize the importance of their information systems and the threats that exist, and therefore do not invest in the security of these systems.


Vulnerabilities

So many ways to be attacked:

  • Physical Penetrations

  • Company Profiling – Open Source Research

  • Footprinting – Scanning – Enumeration

  • Penetration

  • Escalate Privilege – Stealing/Damaging Corp. information

  • Trojans – remote controlling systems

  • Buffer Overflows

  • Port Redirection of Packets

  • Zone Transfers

  • SNMP Sweeps

  • Router Exploitation

  • Key Loggers – Software and Hardware devices

  • Denial of Service

  • ARP/DNS Poisoning


Where Attacks Come From


Some More Numbers

  • General Internet attack trends are showing a 64% annual rate of growth

    • Symantec

  • The average company experiences 32 cyber-attacks per week

    • Checkpoint

  • The average measurable cost of a serious security incident in Q1/Q2 2004 was approximately $500,000

    • UK Dept of Trade & Industry

  • Identity-theft-related personal information is selling for $500-$1000 per record

    • CFE Resource

  • Average of 79 new vulnerabilities per week in 2004!!

    • eEye Digital Security


Hacking Trends


And They’re Getting Better

More vulnerabilities = higher likelihood of attack

Faster attacks = less time to react


What We See

  • Rapidly increasing threats and vulnerabilities

  • Rapidly decreasing time to exploit

  • No corresponding increase in IT resources

Sources: CERT/CC, Microsoft, SANS


Issues Leading to Compromise

How do they do it?

  • Out of Date Systems

    • Systems and applications are not at the latest patch levels

  • Configuration Issues

    • What may be (somewhat) safe on a LAN is not safe on the Internet

  • Poor Password Choice

    • Remote administration or support access tends to be designed to make it easy to support, which also makes it easy to break into

  • Lack of Security Controls

    • Firewalls, Intrusion Detection Systems, Encryption, 2-Factor Authentication are not present

  • Application Coding Problems

    • Lack of thorough testing leaves many flaws in web based applications such as:

      • URL/Directory permissions

      • SQL Injections

      • URL Manipulation

      • Session Issues


Methods

How do they find these problems?

  • Scanning, Scanning and More Scanning

    • Port Scanners

    • Vulnerability Scanners

    • Web Application Scanners

  • Trial and Error

    • Attackers have unlimited amounts of time and resources

  • Publish and Share

    • Attackers often find issues with sites and then publish their techniques to obscure locations (chat rooms, foreign language hacker forums, etc.)


Case Study 1: POS Environment

Diagram: Processor, Retail Store, Internet, Corporate, Attacker


Case Study 1: Timeline of Events

Monday November 8th 2004

  • 2:07 PM – Attacker named Мальчик begins scanning a network block known to be used by a US based ISP for its business DSL connections.

  • 3:14 PM – Мальчик finds a system with a Windows share open with full read/write permissions.

  • 3:23 PM – Мальчик mounts share on his system and begins to search for cardholder data using automated tools.

  • 4:05 PM – The system is found to contain several thousand card numbers and corresponding track data. Last transaction was at 4:03 PM. Мальчик realizes that this must be a POS system and knows he struck gold today.

  • 4:07 PM – Мальчик begins to copy all files containing cardholder data.


Case Study 1: Timeline of Events (Cont’d)

Wednesday November 10th 2004

  • 1:11 AM – Мальчик returns to install an agent that each day will ZIP up all new transactions and HTTP post them to http://sneety02.devotchka7.ru

  • 2:51 AM – Мальчик runs the agent to test that it works. 15,892 transactions were posted to his group’s site.

  • Future Work

    • Мальчик and his group will begin to emboss and sell “real” cards from this and future posts to his site.

    • If the street price for a “real” card is about $160 USD, they made about $2.5 million USD from the first harvest from this site.


Case Study 2: eCommerce Sites

Diagram: Processor, Web Hosting ISP, Internet, Customer, Attacker


Case Study 2: Timeline of Events

Thursday October 28th 2004

  • 11:40 AM – A hacking group by the name of L-Crew had been scanning a large segment of the Internet for open database servers. They noticed that TCP port 3306 was open on a server and that they were able to execute queries against the database.

  • Note: This site is hosted at an Internet Hosting Provider that leverages a shopping cart driven by a backend database shared by all hosted customers.


Case Study 2: Timeline of Events

Friday October 29th 2004

  • 2:29 AM – The L-Crew has been exploring the database for about 14 hours and discovered that they can query a table containing the username and password hashes for the shopping cart administrator accounts that each merchant uses.

  • 3:45 AM – The L-Crew downloaded a dump of the user table to their local system. They noticed on the main website for the hosting provider that a merchant can set up a demo shopping cart account. They created an account through the registration process.

  • 3:52 AM – After registering they are asked to pick a password for their account. They are told that the password cannot be greater than 7 characters and must not contain numbers or symbols.


Case Study 2: Timeline of Events (Cont’d)

Friday October 29th 2004 (Cont’d)

  • 4:10 AM – Using the information gathered during the registration process, the L-Crew took the password hashes and began to attempt to crack them. Since they knew the “rules” that were applied to password creation, they were able to greatly narrow their cracking efforts.

  • 5:56 AM – The L-Crew had successfully cracked all 587 passwords, including the global administrator account used to set up custom fields and other environment-specific shopping cart settings.

  • 7:14 AM – The L-Crew, using the global administrator account, modified the shopping cart to HTTP post a copy of each transaction (including CC#, Exp, CVV2/CID) from every merchant to another site they had compromised, located at http://visty45.miaku.co.jp

  • 8:23 AM – The L-Crew has gathered over 1000 transactions on their site and decides to write a script on the site receiving the transactions to batch these up each hour and e-mail them to 20 different “free mail” accounts.


Case Study 2: Timeline of Events (Cont’d)

Saturday October 30th 2004

  • 9:22 AM – John Smith purchased a book from ACME Books’ website. This site is hosted at the Internet Hosting Provider that was compromised by the L-Crew.

  • 11:46 AM – The L-Crew has gathered over 14,000 transactions (including John Smith’s) and has begun sorting and packaging them for resale.

  • If the street price for just cardholder information (no magnetic stripe) is about $10, they will make about $140,000 USD for a little more than 24 hours of work.


However…


Challenges: Business and Government Mandates

The Computer Security Institute (CSI) reported over $141 billion damage from security incidents in the US in 2004.

- 2004 CSI/FBI Computer Crime and Security Survey

  • FDIC

  • CA1386

  • HIPAA

  • Sarbanes-Oxley

  • Gramm-Leach-Bliley

  • Protect Business Assets

  • Protect Business Reputation

  • Payment Card Industry Data Security Standard

  • Securities & Exchange Commission

  • Federal Trade Commission

  • Clinger-Cohen Act

  • Presidential Decision Directive 63

  • Government Information Security Reform Act (GISRA)

  • Federal Information Security Management Act (FISMA)


Facing The Challenge: Shifting From Documenting To Enforcing

(Axis: Documentation → Enforcement)

Past Practices

  • Documented Corporate Security Policy

  • Perimeter Security:

    • Firewalls

    • IPS

    • IDS

  • Internal Security:

    • Virus Scanning

    • Manual Remediation

    • Hand Coded Software Patches

Current Practice

  • Audit Corporate Security Policy

  • Assessment Scanners:

    • Unsecured Accounts

    • Unnecessary Services

    • Backdoors

    • Mis-configurations

    • Software Defects

  • Threat Management

Best Practice

  • Enforce Corporate Security Policy

  • Remediate Vulnerabilities

  • Manage Disconnected Users

  • Apply Policy Templates

  • Compliance and Validation Checking

  • Reporting


Compliance Management

  • Okay, for your Desktops and Servers what is it?

  • Is it patch management?

  • Is it configuration management?

  • Is it Vulnerability Assessment scanning?


So It’s About Patching?

  • Well, no.

  • 90 to 95% of all network attacks target vulnerabilities for which there was an existing mitigation or repair.

    FBI, SANS, Gartner, Carnegie-Mellon

  • Patching software defects accounts for less than 35% of the known network/system vulnerabilities

    • The balance are “configuration” related

      • Weak, default or nonexistent passwords

      • Improperly configured software (OS, browser, email, ….)

      • Unnecessary services/open ports

      • Unauthorized/poor software (Peer-to-peer, Instant messaging)

Five Classes of Vulnerabilities

  • Unsecured Accounts: Null password, Admin with no password, no password expiration…

  • Unnecessary Services: VNC, PCAnywhere, KaZaa, Telnet . . .

  • Backdoors: Spyware (KaZaa, DownloadWare, 180 Solutions, GAIN), MyDoom.A, BACKORIFICE, SUBSEVEN . . .

  • Mis-configurations: NetBIOS shares, Anonymous FTP world r/w, hosts.equiv . . .

  • Software Defects (Missing Patches): Buffer overruns, RPC-DCOM, SQL Injection . . .

Vulnerability: A weakness in process, administration or technology that can be exploited to compromise IT security – Gartner
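As an added illustration of the two slides above (patching covering only part of the known vulnerabilities, and the five vulnerability classes), and not code from the presentation or from Citadel: a small Python policy checker that evaluates a constructed host record against rules grouped by vulnerability class and reports how much of the compliance gap patching alone would close. The rule names, the host fields and the sample host values are assumptions.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Rule:
    name: str
    vuln_class: str                  # one of the five classes on the slide
    passes: Callable[[dict], bool]   # True when the host satisfies the rule

# Hypothetical policy template: these checks are assumptions, not any vendor's rules.
POLICY = [
    Rule("password expiration <= 90 days", "Unsecured Accounts",
         lambda h: h["password_max_age_days"] <= 90),
    Rule("no remote-control or clear-text admin services", "Unnecessary Services",
         lambda h: not ({"telnet", "vnc", "pcanywhere"} & h["services"])),
    Rule("no known backdoor processes", "Backdoors",
         lambda h: not ({"backorifice", "subseven"} & h["processes"])),
    Rule("no world-writable NetBIOS shares", "Mis-configurations",
         lambda h: not any(s["write"] and s["everyone"] for s in h["shares"])),
    Rule("no anonymous writable FTP", "Mis-configurations",
         lambda h: not (h["ftp_anonymous"] and h["ftp_anon_write"])),
    Rule("all patches applied", "Software Defects (Missing Patches)",
         lambda h: not h["missing_patches"]),
]

def evaluate(host, policy=POLICY):
    """Map each rule name to whether the host passes it."""
    return {r.name: r.passes(host) for r in policy}

def compliance_summary(host, policy=POLICY):
    """Compliance now, compliance if only the missing patches were applied,
    and the number of configuration-class failures patching would leave behind."""
    results = evaluate(host, policy)
    failed = [r for r in policy if not results[r.name]]
    patch_only = [r for r in failed if r.vuln_class.startswith("Software Defects")]
    total = len(policy)
    return {
        "compliance_pct": round(100 * (total - len(failed)) / total),
        "after_patching_only_pct": round(100 * (total - len(failed) + len(patch_only)) / total),
        "config_related_failures": len(failed) - len(patch_only),
    }

# Constructed host state: an open read/write share like case study 1, plus other gaps.
SAMPLE_HOST = {
    "password_max_age_days": 365,
    "services": {"smb", "telnet"}, "processes": {"explorer.exe", "pos.exe"},
    "shares": [{"name": "C$", "write": True, "everyone": True}],
    "ftp_anonymous": False, "ftp_anon_write": False,
    "missing_patches": ["PATCH-ID-PLACEHOLDER"],  # constructed, not a real bulletin id
}
```

For the sample host, applying every missing patch moves compliance from 33% to 50%; the other three failures are configuration-class and need remediation beyond patching.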


What We See

  • Rapidly increasing threats and vulnerabilities

  • Rapidly decreasing time to exploit

  • No corresponding increase in IT resources

Sources: CERT/CC, Microsoft, SANS


Approaches to Reducing IT Security Risk

Top-down (Check Compliance or Enforce Policy)

  • Define asset baseline

  • Define security baseline

  • Enforce IT security config

Bottom-up (Scan, Validate, Remediate)

  • Assess vulnerability state

  • Remediate detected vulnerabilities

Targeted (Near-Day Mitigation)

  • New, critical vulnerabilities

  • Key assets


What We Need to Do


What Needs to Be Achieved

  • IT Security Compliance: Continuous IT security policy enforcement

  • Reduced IT Security Risk: Proactive elimination of vulnerabilities

  • Minimized Business Disruptions: Consistent enterprise remediation

  • Thorough Reporting on Security Posture: Document compliance to policy

  • Improved Utilization of Resources: Automation and integration


Security In the News

The Internet Threat Regulator

The Internet Traffic Report

The Virus, Worm and Trojan Report

And the Vulnerability Report

www.citadel.com/2minutebroadcast

Michael J Wiser CISSP

Vice President

Citadel Security Software Inc.

214-520-9292