EFFECTIVE VULNERABILITY SCANNING: DEMYSTIFYING SCANNER OUTPUT DATA
Paul R. Lazarr, CISSP, CISA, CIPP, CRISC
Sr. Managing Consultant, IBM Cybersecurity and Biometrics
January 21, 2016
PERSONAL BACKGROUND
Senior Managing Consultant at IBM Global Business Services
ISACA Certifications: CISA, CISM
Other Certifications: CISSP
Vulnerability Management Practitioner: 2001-Present
Federal Information System Security Officer (ISSO/AISSO): 2011-Present
PCI Compliance and Privacy Lead
Risk Management Lead
Disaster Recovery, Business Continuity and Crisis Mgmt. Practitioner
AGENDA
1. Scanning: Where & How It Fits Into a Vulnerability Management Program
2. Review Key Definitions
3. Vulnerability Severity/Risk Assessment: Intro to CVSS
4. What Is Nessus
5. Nessus Scan Output
6. Understanding Nessus Output
7. Before You Start: Considerations
8. Refining & Assessing the Output
9. Additional Checks
10. Presenting Your Results
WHY IS VULNERABILITY MANAGEMENT IMPORTANT: COST OF A BREACH
Numerous cost models exist. However, Verizon's data is based on statistics collected from a more holistic sample.
Source: Verizon 2015 Data Breach Investigations Report (p. 30)
FOUNDATIONS OF A HOLISTIC VULNERABILITY MANAGEMENT PROGRAM
1. Monitor and Track Threat and Vulnerability Feeds/Sources
2. Assess New Threats and Vulnerabilities for Relevance
3. Develop a Repeatable/Sustainable Patch Management Process
4. On-Going Monitoring of Vulnerabilities, Misconfigurations & Defects
5. Review Scan Output, Assess Findings and Follow Up with Stakeholders
6. Track Remediation Progress
7. Pay Attention to Lingering Vulnerabilities/Risks
HOLISTIC SCANNING:
1. Hardware and Software Vulnerability Scans (e.g. Nessus, NexPose)
   Patch Management / Open Vulnerabilities (e.g. weak SSL)
   Software and Firmware Currency
   Communications and Protocol Weaknesses
2. Configuration (Hardening) Compliance Scans
   Measures Hardening Compliance (e.g. DISA STIGs, CIS Benchmarks, Agency Guidance)
   Policy Enforcement (e.g. Active Directory Group Policy)
3. Application Code Scanning
   Static Code Scans (SAST): IBM AppScan, HP Fortify, Trustwave
   Dynamic Code Scanning (DAST)
   Interactive Code Scanning (RAST)
   Mobile Code Scanning: combination of SAST & DAST
KEY DEFINITIONS:
Vulnerability: A flaw or weakness in hardware or software design or implementation that may result in the loss of Confidentiality, Integrity or Availability (CIA).
Threat: The potential for a specific vulnerability to be exercised, either intentionally or accidentally.
Control: Measures taken to prevent, detect, minimize, or eliminate risk in order to protect the Integrity, Confidentiality, and Availability of information.
Vulnerability Management: The process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.
KEY DEFINITIONS - CONTINUED:
NVD: National Vulnerability Database
CPE: Common Platform Enumeration
CVE: Common Vulnerabilities and Exposures (e.g. CVE-2016-0002)
CVSS: Common Vulnerability Scoring System
ASSESSING VULNERABILITY SEVERITY: INTRO TO THE COMMON VULNERABILITY SCORING SYSTEM (CVSS)
Defined: The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities.
Consists of three metric groups: Base, Temporal, and Environmental.
   The Base group represents the intrinsic qualities of a vulnerability.
   The Temporal group reflects the characteristics of a vulnerability that change over time.
   The Environmental group represents the characteristics of a vulnerability that are unique to a user's environment.
The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics.
Created & Managed by: FIRST.ORG - The Forum of Incident Response and Security Teams
CVSS BENEFITS:
1. Standardized Approach to Scoring Vulnerabilities
   Allows an organization to use a common algorithm for scoring vulnerabilities across all IT platforms.
   Allows for an organization-wide Remediation Policy and standardized remediation times.
2. Open Framework
   Vendor independent
3. Supports Risk Prioritization
CVSS HISTORY
Launched in 2005 (CVSS 1.0)
Updated in February 2007 (CVSS 2.0) and June 2015 (CVSS 3.0)
Source: First.Org CVSS v3.0 Specification (v1.7), Pg. 5
CVSS 3.0 MAJOR CHANGES
CVSS v3.0 creates the ability to score vulnerabilities that exist in one software component (the vulnerable component) but which impact a separate software, hardware, or networking component (the impacted component). This is captured by the new metric called Scope.
Source: First.Org CVSS v3.0 User Guide (v1.4), Pg. 5
TENABLE NESSUS / SECURITY CENTER
Two flavors: Stand-Alone Scanner or Bundled with Security Center
Scan Output - Results File Types
1. CSV or Excel File
2. XML (.nessus) File (ideal for scripting)
3. PDF Report (least useful/actionable)
4. Online via Security Center Dashboard (access restricted)
Scan Output - Content
1. Vulnerabilities (plugins < 1000000)
2. Configuration Checks (plugins >= 100000)
Plugin: A unique test (query) to determine if a vulnerability or a misconfiguration exists
Security Center Version 4: Focus of this presentation
NESSUS OUTPUT KEY FIELDS
Risk: Severity, CVSS Base & Temporal Score, STIG Rating, Exploit?
What: Plugin #, Plugin Name, Plugin Text, etc.
Where: IP, DNS Name, NetBIOS Name, etc.
When: First & Last Observed, Vuln Publication Date, Patch Publication Date, Plugin Publication Date, and Plugin Modification Date
Exploitability: Exploit?, Exploit Ease, Exploit Frameworks
CONSIDERATIONS BEFORE YOU START
1. Assets: Know Thy Inventory
   Hardware (Type, Make, Model, Names, Function)
   Software (O/S, COTS Packages installed, Misc. Other, e.g. Java, etc.)
   Environment & Network (PROD vs Non-Prod)
2. Scan Specifics
   When: Scan Run Date
   Scan Type: (Vulnerability, Configuration, Both, Other, e.g. NMAP)
   Authentication: (Credentialed versus Non-Credentialed)
LET'S REVIEW SAMPLE OUTPUT...
REFINING THE DATA
Check the Output and Refine as Appropriate
   Limit / Refine Output to Only Include Rows with Plugin IDs
   Limit Output to Include Only Current Results (i.e. Last Observed Date)
   Remove Word Wrapping
Initial High-Level Analysis
   Exploring the Power of the PIVOT Table or PowerShell Summary View
   Explore Various PIVOTs, e.g. By: Assets Only, Severity/Vulnerability, etc.
   Assess the Plausibility of the Data: Does it look/smell right?
Looking Beyond the Plugin Name: It May Not Tell the Whole Story
   The Power of the Plugin Text (review examples)
   Consolidates key data into one cell (Security Center v4 ONLY)
   Enhance Readability via Excel or copy/paste into Word or email
   Plugin Output shows what was found and where (actionable at a granular level)
ADDITIONAL CHECKS
Scan Completeness
   All Applicable Assets Scanned?
   Scans Completed Successfully?
   Use Plugin ID to Determine Authentication Success (Windows: / Unix:)
Apache & Java Embedded in Many Products
   There may be multiple versions on the same host
   Nessus typically reports only the fixed version, not the current version
Vet the Data
   Ask SMEs/admins to Validate Results: Nessus Is Not Always Correct
   Protect and Enhance Your Credibility Through Research and Vetting
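The slides on output file types, refining the data and additional checks describe a triage workflow (drop rows without a vulnerability plugin, pivot by asset and severity, read the plugin text, confirm credentialed checks ran) without showing it in code. The script below is an added example, not the presenter's or Tenable's code: it works the .nessus XML export the slides call "ideal for scripting". The element and attribute names (ReportHost, ReportItem, pluginID, severity, cve, cvss_base_score, exploit_available, plugin_output) follow the .nessus v2 format as I know it; the embedded report is constructed sample data, the plugin IDs 999901/999902 and their names are placeholders, and the MS16-001 row reuses the bulletin and CVE named later in the deck with a constructed score. Using plugin 19506 ("Nessus Scan Information") and its "Credentialed checks" line as the authentication-success marker is an assumption, since the slide leaves the Windows/Unix plugin IDs blank.

```python
# Added example: triage of a .nessus (XML) export. Not the presentation's code;
# the report below is constructed sample data, and the use of plugin 19506
# as the credentialed-scan marker is an assumption.
import xml.etree.ElementTree as ET
from collections import Counter

SCAN_INFO_PLUGIN = "19506"  # "Nessus Scan Information" (assumed marker)

SAMPLE_NESSUS = """<NessusClientData_v2>
<Report name="constructed-sample">
 <ReportHost name="10.0.0.5">
  <HostProperties><tag name="host-fqdn">web01.example.test</tag></HostProperties>
  <ReportItem port="0" protocol="tcp" severity="0" pluginID="19506"
              pluginName="Nessus Scan Information" pluginFamily="Settings">
   <plugin_output>Credentialed checks : yes</plugin_output>
  </ReportItem>
  <ReportItem port="445" protocol="tcp" severity="3" pluginID="87877"
              pluginName="MS16-001 bulletin check (constructed)" pluginFamily="Windows : Microsoft Bulletins">
   <cve>CVE-2016-0002</cve>
   <cvss_base_score>9.3</cvss_base_score>
   <exploit_available>true</exploit_available>
   <plugin_output>Fixed version reported by plugin (constructed text)</plugin_output>
  </ReportItem>
  <ReportItem port="443" protocol="tcp" severity="2" pluginID="999901"
              pluginName="Weak SSL cipher suites (constructed)" pluginFamily="General">
   <cvss_base_score>5.0</cvss_base_score>
   <exploit_available>false</exploit_available>
  </ReportItem>
 </ReportHost>
 <ReportHost name="10.0.0.6">
  <HostProperties><tag name="host-fqdn">db01.example.test</tag></HostProperties>
  <ReportItem port="0" protocol="tcp" severity="0" pluginID="19506"
              pluginName="Nessus Scan Information" pluginFamily="Settings">
   <plugin_output>Credentialed checks : no</plugin_output>
  </ReportItem>
  <ReportItem port="22" protocol="tcp" severity="2" pluginID="999902"
              pluginName="Outdated SSH banner (constructed)" pluginFamily="General">
   <cvss_base_score>4.3</cvss_base_score>
  </ReportItem>
 </ReportHost>
</Report>
</NessusClientData_v2>"""


def load_findings(xml_text):
    """Flatten every ReportItem into one row: the 'Risk / What / Where' key fields."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        fqdn = host.findtext("HostProperties/tag[@name='host-fqdn']", default="")
        for item in host.findall("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "fqdn": fqdn,
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "severity": int(item.get("severity", "0")),
                "cves": [c.text for c in item.findall("cve")],
                "cvss": float(item.findtext("cvss_base_score", default="0")),
                "exploit": item.findtext("exploit_available", default="false") == "true",
                "output": (item.findtext("plugin_output") or "").strip(),
            })
    return findings


def credentialed_hosts(findings):
    """Scan-completeness check: did credentialed checks run on each host?"""
    status = {}
    for f in findings:
        if f["plugin_id"] == SCAN_INFO_PLUGIN:
            status[f["host"]] = "Credentialed checks : yes" in f["output"]
    return status


def pivot(findings, key):
    """Count vulnerability rows (severity > 0, i.e. informational rows dropped) by one field."""
    return Counter(f[key] for f in findings if f["severity"] > 0)


def prioritized(findings):
    """Exploitable findings first, then severity, then CVSS; informational rows dropped."""
    rows = [f for f in findings if f["severity"] > 0]
    return sorted(rows, key=lambda f: (f["exploit"], f["severity"], f["cvss"]), reverse=True)


def summary(xml_text):
    """One line per finding, flagging exploitability and non-credentialed hosts."""
    findings = load_findings(xml_text)
    creds = credentialed_hosts(findings)
    lines = []
    for f in prioritized(findings):
        flag = "EXPLOIT" if f["exploit"] else "       "
        cred = "cred" if creds.get(f["host"]) else "NO-CRED"
        lines.append(f"{flag} sev={f['severity']} cvss={f['cvss']:.1f} {f['host']} ({cred}) "
                     f"{f['plugin_id']} {f['plugin_name']} {','.join(f['cves'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(summary(SAMPLE_NESSUS)))
```

A host that shows NO-CRED in the summary is the case the slide warns about: its findings are incomplete (no local patch checks ran), so a clean-looking pivot for that asset is a scan failure to report, not a result.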
PRESENTING YOUR RESULTS:
Present the Data in a Format Relevant to Your Audience (Rollup & Exec Summary)
Make the Data as Actionable as Possible
Include Positive News Where Possible (e.g. xx% are New)
AVOID SURPRISES Where Possible
Expect Pushback and Angst: It's Human
Focus on Highest Risks (Exploitable) First / Everything Can't Be Fixed at Once
Pay Attention to Older / Languishing Vulnerabilities: Understand Why They Are Still Open
Offer to Work with SMEs / Admins / Engineers to Understand the Data
Focus on a Sustainable and Repeatable Process to Ensure Timely Remediation (Target Dates)
RESOURCES AND LINKS:
2015 Verizon Data Breach Investigations Report (DBIR)
   http://www.verizonenterprise.com/dbir/2015/
First.Org Common Vulnerability Scoring System (CVSS v3.0)
   https://www.first.org/cvss
   https://www.first.org/cvss/cvss-v30-specification-v1.7.pdf
   https://www.first.org/cvss/cvss-v30-user_guide_v1.4.pdf
   https://www.first.org/cvss/cvss-v30-examples_v1.1.pdf
   https://www.first.org/cvss/calculator/3.0
Tenable (Nessus) Plugin Info
   http://www.tenable.com/plugins/
Microsoft Patch Tuesday Bulletins
   https://technet.microsoft.com/en-us/library/security/dn631938.aspx
EXAMPLE: RESEARCHING A MICROSOFT PATCH
NVD now publishes both CVSS 2.0 and 3.0 scores. The example below traces a Microsoft Patch Tuesday vulnerability through to the NVD site, along with a trace through the Nessus site to determine the Plugin ID and Text.
Example: Microsoft Patch MS16-001 - https://technet.microsoft.com/en-us/library/security/ms16-jan.aspx
   Has two (2) CVEs associated with it in the above link.
   If you click on CVE-2016-0002, it takes you to the MITRE CVE site: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-0002
   Clicking on the "learn more at NVD" link takes you to NIST's NVD detail page: https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-0002
   You will see the CVSSv3 score on the left side of the page along with the older CVSSv2 score on the right.
Nessus shows one plugin ID for this vulnerability (#87887). You can figure this out by selecting "View All Plugins" from the main Tenable plugin page: https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-0002
   From there select "Microsoft Bulletins": http://www.tenable.com/plugins/index.php?view=all&family=windows+%3a+microsoft+bulletins
   From this page, select MS16-001 and you get: http://www.tenable.com/plugins/index.php?view=single&id=87877
   Scrolling down: currently Nessus only lists the CVSSv2 score.
WRAP UP / QUESTIONS
QUESTIONS?
CONTACT INFORMATION
Paul R. Lazarr, CISSP, CISA, CIPP, CRISC
Managing Consultant, Cybersecurity and Biometrics
IBM Global Business Services - US Federal Team
Mobile: 703-628-0024
prlazarr@us.ibm.com
Lazerp13@gmail.com