
Good, thanks. That's good. I hope everyone's enjoying themselves. My name is Kellep Charles, and thank you for coming by to listen in on the security vulnerability assessment process: best practices and challenges. The agenda for today is basically to give you a little information about myself, do a little topic introduction, talk about the process and some of the best practices and challenges, and then I'll conclude and take any questions.

My name is Kellep Charles, but many people refer to me by KC, which is my initials; it's a lot easier to remember, so feel free to call me KC or Kellep Charles. I'm a government contractor; I've been a government contractor in the Washington, DC area since the early '90s, and I'm currently working on a NASA contract in Greenbelt, Maryland. I served as an adjunct professor at Capitol College, which is located in Laurel, Maryland, but now I've switched hats and am trying to pursue my doctorate, with research areas in human-computer interaction as well as honeypots, looking at different aspects of honeypots, the attractability of honeypots, especially with the anti-honeypot techniques and software that are around right now, just trying to get some basic information on that. I also operate a security blog site called SecurityOrb.com, so feel free to check that out if you're ever on the web.

Just to give a little introduction about the topic: one thing I've realized in recent times is that security assessments have become a very vital part of many government organizations, and it's due to many reasons. One of the reasons that I'm seeing is this: when I used to work at the Pentagon, we had a rollout system for our desktops, and about 98% of our systems were the same; it was a Windows XP image. Everyone from the engineers to the admins had the same type of desktop. Depending on your functionality you may have had some extra software: if you were a firewall administrator you had CiscoWorks; if you were in the publishing department you might have had some sort of Adobe Illustrator type of product. But for the most part all the systems were rolled out from one image. What I've been seeing in recent years is that that's not the case anymore. We go into an organization to do a security assessment and you have different flavors of Windows: Windows Vista, XP, Windows 7. Macs are something that we've been seeing a lot lately compared to about five or six years ago; everyone has a Mac. And Linux: a lot of system administrators want Linux, and when we talk about Linux it's Ubuntu, FreeBSD, SUSE, all different kinds of Linux. So your environment is no longer just a single operating system; it's a very diverse environment.

What we see when we conduct our security assessments is that most operating systems have at least 20 to 25 applications. You're talking about your web browsers, Firefox, Google; you're talking about Adobe products such as Adobe Reader and so forth; and even applications such as those label maker applications that you put in to do CDs or badges. Again, multiple applications. Then there's distributed computing: a lot of systems are doing work-from-home programs, telework programs with the government agencies. You have people staying at remote locations that are on VPN or accessing resources at the headquarters agency, so you have distributed computing as well as internet-facing systems. So one of the things that we realize is that the need to understand your whole security infrastructure is very important, and the security assessment process is one of the ways to get a good grip on this particular situation.

Now, we all have read, and we know, especially with the defense-in-depth model, that doing a defensive approach with firewalls and VPN is not the best way to do it; sometimes it's insufficient. One of the things that we realize is that with just a defense-only approach, sometimes you may have a misconfigured firewall, sometimes you may have a vulnerability in the firewall, so these things don't make you very secure. By adding the security assessment process you're able to get to the node level and close that particular gap between your defensive security, your perimeter security, and the node level that you have on your systems, on your network. One of the things that we see is that performing a regular security vulnerability assessment process helps bridge that gap, as I stated. It also allows the organization to take a proactive approach, as compared to waiting: if a breach happened, you would patch the system, you'd find out about the system; but performing a regular security assessment process, getting the vulnerabilities in the findings and patching them on a regular basis, makes that organization follow a more proactive security posture. One of the things that I'll be talking about a lot is compliance, dealing with NASA and NIST. The bottom line is that you want to make sure that you safeguard your systems as well as follow and meet the compliance that your organization falls under.

One of the things that we also see is that most systems are unpatched, and this is due to a couple of things. One, we've run into lazy system administrators; they just don't patch the system, they just don't do what they're supposed to do. Many times we run into overworked system administrators; they're the guys that are doing everything, the guys that when they do go to training are getting phone calls at training and walking out of the room to try to help out back at the site. And you also have misinformed system administrators, system administrators who've gotten the position because they were around, or maybe someone left, and they're in charge of the security as well as the operations of the network and the systems, and they're just not informed; they're not getting the right information or doing the right process to make sure that these systems are patched.

Another thing that we've been able to identify is that many systems that are compromised are compromised through something with a patch available for the system. A few years back, with MyDoom and some of these other high-visibility, high-media-coverage malware that came out, there were patches for these particular systems; it's just that they weren't applied. So when we do our security assessment, and when we do some of our incident response and get to the root cause, we are able to identify that there was a patch for that particular system that was compromised; it's just that it wasn't part of a vulnerability management program, or some sort of program that would make sure and check that these systems are patched.

One of the things that we identify also is that some systems cannot be patched. I'm not sure if anybody here was at DerbyCon 2012, but HD Moore was talking about when he scanned the whole network and came up with all these systems that he was able to find, and within his data were six Windows NT systems. A lot of people were kind of laughing and snickering, but I didn't find it too funny, because we have four Windows NT systems, and I was wondering whether four of the six that he found were ours. Sometimes the system cannot be patched, and it could be because of technical reasons. In our particular situation we have custom code running on the Windows NT systems, and when an assessment was done to see if we could upgrade to a higher operating system, a more secure operating system, it was stated that the code would have to be rewritten, and that would take about $2 million. The upper brass didn't find that to be something that could be implemented, so we did a workaround to secure that system. But sometimes you do have systems on a network that cannot be patched, and conducting a security vulnerability assessment process is the way that you find much of this information. And again, a proactive security posture, which is a very important thing, and compliance.

So when we talk about security assessment levels: you have your basic security assessment level. This is just an unintrusive process; let's say that you have a site that might be a business partner real soon, and you want to go in and just do an initial assessment to see what their policies are before you trade documents and share information. You have the in-depth security assessment, which covers everything from credentialed scanning, document reviews, walkthroughs, manual checks of their systems; it's definitely much more thorough. From there you have the external testing: if you have an e-commerce type site, or some site that just wants to have an external review to see how they compare in the eyes of the external world, the external vulnerability testing is the way that's conducted. And then you have the internal: this is what happens when a hacker gets inside my network. Do I have proper segmentation? If a worm or some sort of malware was to land in my system, would it spread fast, or would it be able to be contained in any type of fashion? And again, that's the internal vulnerability testing.

One of the things that we found that works very well is to have an effective security assessment program. We've seen and heard of stories where some security administrator will run a scanning tool and come to the system administrator and give them a sheet of 500 pages saying, hey, these are all the vulnerabilities that we found in your system, and that kind of relationship, that kind of process, from what we've been able to observe, usually leads to some sort of animosity between the security group and the system administrators group. So following a process that can be replicated, that both sides understand, is one of the first steps to having a good security vulnerability assessment program. Also, by using the reports in the security vulnerability assessment program, it gives you the ability to work on short-term goals as well as long-term goals. One of the things that we find that's very valuable when we do continuous scanning is the trending reports. If you're able to show that you went from 100 findings to maybe about 50 findings within a six-month period, this is the kind of stuff that, when you show management, they understand the value of what's happening within their security assessment program. It also allows the organization to better protect themselves, because they have a blueprint, they have a map of what vulnerabilities are out there; if a particular advisory comes out, they're able to understand if that patch has been fixed, or if they do have that particular patch within their systems.

So we'll just go into the vulnerability assessment process real quick. It's usually a six-phase process, and this is a process that we conduct regardless of whether it's an internal system or an external system. First you have the pre-assessment process. This is where you contact the system administrator as well as the system owner; you let them know that you would like to come out on this particular date to conduct a security assessment. So basically it's the engagement letter. Once they've given you the okay, you're able to allocate the resources: if it's traveling, if it's local, if it's a big network and you need multiple assessors, or if it's a small network. The engagement letter gives you the ability to start on phase one of the assessment process. From there, once you reach the location, you do a security assessment in-brief, where you meet with all the parties: the manager will be there, the system owner, and again, if you need access to firewalls or systems, you have the system administrator, the security administrator, the network administrators, just everyone that will be there to help you within the process. It also helps you with scheduling, because as part of the assessment you do interviews, you do walkthroughs, you do manual checks, you do security scanning, so at this particular point you work on the schedule. You have the actual field work, where you do the scanning, the field work and all the stuff that I just described. And then once you've collected all that information, the assessment team goes off on their own, and this is multiple days; this does not happen in one day. The assessment team goes off on their own and analyzes the reports and puts everything together: basically, if you've identified false positives, if they have any particular waivers, again, all of that information is collected to be put in a report for the organization. And this is just a quick example of the report: again, scanning information, documents that are reviewed, and all the scores are tallied up over here to give a final vulnerability rating score. In the security assessment out-brief, the document as well as the report is handed to the organization, and you go through an interactive discussion talking about recommendations, talking about future plans, as well as the next security briefing. And one of the things that we always do is the post-assessment security process: this is when the assessment team goes back to their location and they talk about that security assessment process, and we talk about it in technical terms, as well as traveling, as well as the kind of politics and resistance or non-resistance that we faced during that particular security assessment. This information is good because every 8 to 12 months we go back to these sites, so if someone else is going back out there, they'll be able to look at this information and know different things about travel and who the troublemakers are at that particular site.

Just some quick definitions, because as part of the security assessment, when you talk with many of the organizations, they usually kind of crisscross penetration testing, security audit and vulnerability assessment. With the vulnerability assessment, the process is to collect all the findings, all the findings that you could find in a particular network. With a penetration test, the main thing is you just want to see if you could breach the network, so you're looking for maybe one or two vulnerabilities. Whereas with the security audit, it's pretty much what we do with the interview questions, when we go through the NIST 800-53 checklist and we just go through and ask questions. So the security audit is more of just asking some questions, doing a checklist, making sure that they are compliant with that particular aspect.

Another issue that we run into is conducting credentialed scanning. We want to run a scan, we ask them for credentials to get a more in-depth scan, and we get a lot of resistance with that. One of the things that we try to explain to them is that a credentialed scan allows for more information to be collected. One of the analogies that I always use: if you were to go to a mechanic and had the mechanic look at your car, he would open up the hood, he could listen and notice that some spark plugs are misfiring; but if you allowed the mechanic to plug his computer into the car, he could tell you which cylinder, which spark plug, and much more additional information, as compared to just listening to it by ear. So that's where the benefits come in doing credentialed scans. One of the things that I did: I took a Windows 7 system, a fresh vanilla one. Like I stated, most systems have at least 25, maybe 30 applications; this one only had about four or five applications. But I did a scan. The first one was a non-credentialed scan, and as you can see, it came up with zero highs, zero mediums, one low and five informationals. I initiated the credentials and ran the same scan about a minute later, and the results were different: it came out with seven highs, eight mediums and five lows, and about 172 informationals. So again, if we did have the Adobes and different applications on the system, these numbers would be a lot higher, and that's why we usually push to conduct credentialed scans.

Just to show you some of the vulnerabilities (it's hard to read): within the highs we have some denial of service, some remote execution type vulnerabilities. With the non-credentialed scan we could not access any part of the system, but with the credentialed scans we had access to the remote registry, remote file system access, as well as administrative authentication. And what I was alluding to is that most of the time when systems are deployed, they usually follow some secure configuration template such as the CIS Benchmarks, FDCC, SCAP and so forth, but to get credentialed scans we require some of these configurations to be rolled out, and that's where some of the political battles usually occur, stating that the system is secure and you can't get into it. Well, that means that, you know, a compromise or hacker shouldn't be able to get into it. But one of the things that we usually kind of let them know is that many of the breaches that occur happen from the application layer, such as Adobe, Internet Explorer and so forth. So we kind of bring to their attention that credentials are not the only way to get access to a system.

One of the things that we conduct once we're there: we set up a vulnerability management program. If you have a system that has 200 findings by the time you leave, we don't recommend that you try to patch everything at once and at the same time. We try to go through some sort of prioritization, you know, the highs, maybe the things that could be easily patched, and you work on a particular plan to get into a good posture, and continually monitoring it is part of the management program within that particular group. And again, as I talked about earlier, compliance: for vulnerability management and scanning there's FISMA, which is the one that I'm linked very closely to, but you also have NERC, PCI and some other ones. One of the things that we always try to emphasize is that just because you're compliant doesn't mean that you're secure. Many agencies that I belonged to had a real good FISMA score when we handed it in, but a week or two later an embarrassing breach would occur, and you would always hear, well, they had an A or B with their FISMA score, how did they get hacked? And we just try to let them know that just because you're compliant doesn't mean that you're secure.

I'll go through these real quick, but some other things to consider: waivers versus plan of action. We've run into sites that have remote desktop, and that's something that's a no-no within the government, but sometimes there's some sort of mission or some sort of thing for which it's necessarily needed. So at that particular time they would issue a waiver, and that risk would fall off of our hands; if something were to happen with that remote desktop, it wouldn't fall back on the assessors as well as the system owner. A plan of action and milestones just states that, okay, we are using remote desktop right now, but in three or four months we plan to implement VPN or something and we'll get rid of the virtual desktop. So at that particular time it's more of a plan of action and milestones, which is called a POA&M. Again, these are just some other things to consider; I'll be more than happy to talk about them afterwards. I'm kind of running out of time.

I've talked about a lot of things that vulnerability scanning can do for you, but what it can't do for you: it can't find zero days and malware; it only finds the most obvious and known security threats, like antivirus when it comes to signatures. It can't patch your system; even though we've seen tools like GFI state that they can patch, I haven't met anybody that was able to get that to work. And it can't determine if something is a false positive; that part comes down to the assessor. The assessor needs to do some research to find out if it's a false positive.

Just to conclude: again, as I started off, defense in depth is the best way to do it; there's no one particular thing that you need to do to secure your organization. You need the protective side with firewalls, the detective side with IDS, even security awareness. When organizations implement a good security awareness program, we've seen a drop in many security issues that were there before. And again, taking a proactive approach with security scanning; again, that total package brings down that exposure. One of the things about doing security scanning is that you've met your due diligence, so if something were to happen and you could show trending reports and action reports and so forth, your liability is not as bad as compared to if you weren't doing scanning. And other security-related information: again, this is my Twitter information if you just want to stay in contact, feel free. I'll just take any questions at this particular time; I know I kind of rushed through it a little bit, so if anyone has any questions.

Audience: Are you and your company reliant on automated assessment tools?

Speaker: We're very reliant, right. Well, I mean, a majority of the things that we do are automated assessment tools. As part of NIST as well as the SANS controls asking for automation, and following that aspect, that's how we do many of our scanning, through automated scanning, as well as some manual stuff as well, but the automated is where our bread and butter and our focus is located.
All right, thank you everyone, thank you.
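The trending report, the prioritised patch queue (highs first, easily patched ones first among them) and the waiver versus POA&M handling described in the talk, as an added worked example in Python. This is not the speaker's code or any tool he mentions; the hosts, finding IDs and dates below are constructed.

```python
from collections import Counter
from datetime import date

# Severity order used for prioritising the patch queue (highs first).
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}

# Constructed findings from two assessments of the same fictional site, a few
# months apart. "patch_available" marks findings a vendor fix already covers;
# "disposition" is "open", "waiver" (risk formally accepted by the system owner,
# off the remediation queue) or "poam" (Plan of Action and Milestones, tracked
# against a due date). None of these are real scan results.
PREVIOUS = [
    {"id": "F-001", "host": "web01", "severity": "high", "patch_available": True, "disposition": "open"},
    {"id": "F-002", "host": "web01", "severity": "medium", "patch_available": True, "disposition": "open"},
    {"id": "F-003", "host": "nt01", "severity": "high", "patch_available": False, "disposition": "open"},
    {"id": "F-004", "host": "db01", "severity": "low", "patch_available": True, "disposition": "open"},
    {"id": "F-005", "host": "adm01", "severity": "medium", "patch_available": False, "disposition": "open"},
    {"id": "F-008", "host": "adm02", "severity": "high", "patch_available": False, "disposition": "open"},
]
LATEST = [
    {"id": "F-003", "host": "nt01", "severity": "high", "patch_available": False, "disposition": "waiver"},
    {"id": "F-005", "host": "adm01", "severity": "medium", "patch_available": False,
     "disposition": "poam", "due": date(2013, 1, 31)},
    {"id": "F-006", "host": "web01", "severity": "high", "patch_available": True, "disposition": "open"},
    {"id": "F-007", "host": "db01", "severity": "low", "patch_available": False, "disposition": "open"},
    {"id": "F-008", "host": "adm02", "severity": "high", "patch_available": False, "disposition": "open"},
]
ASSESSMENT_DATE = date(2013, 3, 1)  # constructed date of the latest visit


def severity_counts(findings):
    """Findings per severity, with every severity listed even when it is zero."""
    counts = Counter(f["severity"] for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_RANK}


def trend(previous, current):
    """Per-severity (before, after, delta) tuples for the management trending report."""
    before, after = severity_counts(previous), severity_counts(current)
    return {sev: (before[sev], after[sev], after[sev] - before[sev]) for sev in SEVERITY_RANK}


def closed_since(previous, current):
    """IDs reported last time and absent now: the remediation the re-scan verified."""
    return sorted({f["id"] for f in previous} - {f["id"] for f in current})


def triage(findings, today):
    """Split findings into a prioritised patch queue, overdue POA&Ms and waived items.

    Open findings are ordered by severity, then by whether a patch already exists,
    so the highs that are easy to fix come first. Waived findings still show up in
    every scan but are accepted risk, so they are listed rather than queued. A POA&M
    is fine until its milestone date passes.
    """
    queue = sorted(
        (f for f in findings if f["disposition"] == "open"),
        key=lambda f: (SEVERITY_RANK[f["severity"]], not f["patch_available"]),
    )
    overdue = [f for f in findings if f["disposition"] == "poam" and f["due"] < today]
    waived = [f for f in findings if f["disposition"] == "waiver"]
    return {
        "patch_queue": [f["id"] for f in queue],
        "poam_overdue": [f["id"] for f in overdue],
        "waived": [f["id"] for f in waived],
    }


if __name__ == "__main__":
    for sev, (before, after, delta) in trend(PREVIOUS, LATEST).items():
        print(f"{sev:<7} {before:>3} -> {after:>3} ({delta:+d})")
    print("closed since last visit:", closed_since(PREVIOUS, LATEST))
    print("triage:", triage(LATEST, ASSESSMENT_DATE))
```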