1 / 29

Lessons Learned in the Establishment of a Vulnerability Assessment Program

Lessons Learned in the Establishment of a Vulnerability Assessment Program. James Perry Statewide Security Team Lead University of Tennessee jperry1@utk.edu. Today’s Agenda. WHAT is a Vulnerability Assessment? WHY do a Vulnerability Assessment? Establish security baseline

brier
Download Presentation

Lessons Learned in the Establishment of a Vulnerability Assessment Program

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lessons Learned in the Establishment of a Vulnerability Assessment Program James Perry Statewide Security Team Lead University of Tennessee jperry1@utk.edu

  2. Today’s Agenda • WHAT is a Vulnerability Assessment? • WHY do a Vulnerability Assessment? • Establish security baseline • The “SORRY!” Factor • Regulatory Compliance • HOW to perform a Vulnerability Assessment? • Methodology • Open-Source and Commercial Tools • Questions! (hopefully answers)

  3. WHAT is a Vulnerability Assessment? • The process of identifying technical vulnerabilities in computers and networks as well as weaknesses in policies and practices relating to the operation of these systems.

  4. WHY do a Vulnerability Assessment Establish Security Baseline • Identify “critical” IT Infrastructure/Data • Identify potential RISKs and THREATs to confidentiality, integrity, and availability. • Identify EXPOSUREs through assessment. • Develop remediation plans to address exposures. How do you effectively create a defense-in-depth security posture without knowing what you’re protecting and how it needs to be protected?

  5. WHY do a Vulnerability Assessment The “SORRY!” Factor Hacker hits California University Computer [San Francisco | Reuters News Service, 20 October 2004] – A computer hacker accessed names and Social Security numbers of about 1.4 million Californians after breaking into a University of California, Berkeley, computer system in perhaps the worst attack of its kind ever suffered by the school, officials said yesterday. The names accessed by the hacker were being used by a UC Berkeleyresearcher.

  6. WHY do a Vulnerability Assessment The “SORRY!” Factor ATHENS, Ga. (AP) — The University of Georgia has notified 27,000 students via e-mail that a hacker may have accessed their personal information through a school computer server …. are records for every student who applied for undergraduate admission to UGA since August 2002, totaling about 31,000 people. 59,000 Social Security Numbers Stolen from the University of Texas March 6: Over 59,000 SSNs belonging to current and former students, faculty, and staff were seized by attackers who hacked into a University of Texas at Austin computer system. Presumably, the goal was identity theft.

  7. WHY do a Vulnerability Assessment The “SORRY!” Factor A former Boston College student was indicted on Thursday for allegedly installing keystroke-recording software on more than 100 campus computers and accessing databases containing personal information on other students, staff, and faculty. The records of more than 30,000 people have been stolen from George Mason University in Virginia, opening up the possibility of ID theft for staff and students. George Mason University confirmed on Monday that the personal information of more than 30,000 students, faculty and staff had been nabbed by online intruders. The attackers broke into a server that held details used on campus identity cards, the university said.

  8. WHY do a Vulnerability Assessment The “SORRY!” Factor Hacker hits California State University [Chico, California | Associated Press, March 22 2005] – Hackers gained personal information of 59,000 people affiliated with a California university -- the latest in a string of high-profile cases of identity theft. Last April, hackers broke into the computer system of the University of California, San Diego, compromising confidential information on about 380,000 students, teachers, employees, alumni and applicants.

  9. WHY do a Vulnerability Assessment The “SORRY!” Factor • MAY 14, 2005 Middle Tennessee State Universityofficials are recommending current and past university faculty and students take precautions to protect their personal information after asecurity breach into an MTSU computer serverwas recently discovered. The university announced Friday that someone gained unauthorized access to one of the university's file servers that contained limited personal information. The breach, discovered by an information officer at MTSU, is under investigation by the appropriate authorities, said Lucinda Lea, vice president of the Division of Information Technology at MTSU. Officials are not releasing what information could have been accessed or for what length of time someone had unauthorized access due to the ongoing investigation.

  10. WHY do a Vulnerability Assessment Regulatory Compliance • HIPAA • GLBA • PCI Data Security Standards • VISA CISP (Cardholder Information Security Program) • MasterCard SDP (Site Data Protection Plan) • Others coming soon….

  11. How to perform a Vulnerability Assessment? A Successful Vulnerability Assessment Program Requires Three Things! • Support from Administration • A Formal Methodology • Assessment Tools

  12. Administration Support • Approval • Scope of Assessment • Handling of Information • Cost to get started

  13. Methodology Assessment Basics • Assessments are not audits! • Assessments should be helpful! • Assessments should use a consistent and documented methodology

  14. Methodology Assessment Process • 6 Step Process • Assessment Planning • Entrance Conference • Fieldwork • Preparing the Report • Exit Conference • Report to Management

  15. Methodology Assessment Planning • Initial Research • Policies & Procedures • Applicable Laws • Best Practices • Determine assessment scope (signed document) • Determine assessment strategy • What and How • Create an assessment checklist

  16. Methodology Entrance Conference • Who should come? • Management • System Owner • System Administrator • Assessment Team • What should be covered? • Scope Document • Assessment Process • Assessment Roles • Time Frame

  17. Methodology Fieldwork • Execution of strategy using checklist • Report new issues in a timely and professional manner to system owner/administrator as defined in the scope documentCommunication is the key: • Humbly report what is found, how you found it, and why it is an issue • Be helpful, offer potential solutions to the issue • Documentation

  18. Methodology Preparing the Report • Report should include: • Executive Summary • Describe Purpose of Assessment • Describe Scope of Assessment • Findings and Recommendations (bullet points) • Conclusion • Draft report reviewed and commented by system owner/admin

  19. Methodology Exit Conference • Who should come? • Management (?) • System Owner • System Administrator • Assessment Team • Review report • What to cover • Review report • Assign tasks for remediation/mitigation • Establish schedule for future assessments

  20. Methodology Report to Management • Clear and concise presentation • Executive summary • Status of mitigation/remediation efforts • Discussion/Questions • “Attaboys” & “Kudos”

  21. Needed Assessment Tools • General purpose scanner with a well rounded and well documented database • Web server and web application scanner • Database scanners (Oracle, DB2, MySql, MS SQL) • Network dump utilities (tcpdump, ethereal) • Host based tools (CIS benchmark) • Other miscellaneous utilities (e.g. nmap, snmp utilities, individual vulnerability scanners)

  22. General Purpose Tools • Nessus – configurable and free but, be careful of your results. http://www.nessus.org/ • Typhon III – NGS Software; very fast, written in assembly language, few false positives, relatively low cost compared to well known commercial products. http://www.nextgenss.com/ • ISS Internet Scanner – high cost, slow but, provides some corroboration and has nice information. http://www.iss.net/

  23. Web Assessment Tools • Spy Dynamics Web Inspect – easily the best web server and web application scanner; huge database that is kept current – analyzes attack possibilities so that some things aren’t thrown at servers that don’t need to be (yet, this still needs some work – if no 404 then test) http://www.spidynamics.com/

  24. Database Scanners • AppSec Inc. AppDetective – can run pen tests against MS SQL, DB2, Lotus, MySql, Oracle, and Sybase. http://www.appsecinc.com/ • Next Generation Software Squirrel for Oracle and Squirrel for MS SQL; they also make a DB2 product. http://www.nextgenss.com/

  25. OtherUtilities • Nmap – used for information gathering http://www.insecure.org/nmap/ • Ethereal – used to determine if network traffic is encrypted, look for anomalies in how an application behaves on the network, and to see other systems that may be attempting connections to a given application http://www.ethereal.com/

  26. Host Based Tools and Methods • CIS Benchmarks – very well written documentation • One of the recommendations of CIS, on Unix/Linux machines, is to search for files that are setuid/setgid root • Account policies • File and directory permissions • Protection of sensitive data http://cisecurity.com/

  27. Other Utilities • Nmap – what did we do without it? • SNMP utilities that allow browsing of MIBs, retrieval of community names, etc. • Special purpose scanners (e.g. free things from EeYe and occasionally ISS • MetaSploit http://www.metasploit.com/ • Core Impact (for the rich) http://www.coresecurity.com

  28. Final Words • Never completely trust the output from scanners • Corroborate and verify all results using other scanners, logging onto the console of a given machine(s), analyzing network traffic, manually grabbing banners, attempting to login, manually trying exploits, etc. • Errors in diplomacy • In general, you’re better off writing your own summary reports even though vendor X says “Hey! Guess what! We create really cool reports and pie charts and everything!” – because often the reports are filled with jargon that most people don’t always understand and sometimes are just plain wrong

  29. Questions?

More Related