EFFECTIVE VULNERABILITY SCANNING
DEMYSTIFYING SCANNER OUTPUT DATA
Paul R. Lazarr, CISSP, CISA, CIPP, CRISC
Sr. Managing Consultant, IBM Cybersecurity and Biometrics
January 21, 2016
PERSONAL BACKGROUND
• Senior Managing Consultant at IBM Global Business Services
• ISACA Certifications: CISA, CISM
• Other Certifications: CISSP
• Vulnerability Management Practitioner: 2001-Present
• Federal Information System Security Officer (ISSO/AISSO): 2011-Present
• PCI Compliance and Privacy Lead
• Risk Management Lead
AGENDA
1. Scanning – Where & How It Fits Into a Vulnerability Management Program
2. Review Key Definitions
3. Vulnerability Severity/Risk Assessment – Intro to CVSS
4. What Is Nessus
5. Nessus Scan Output
6. Understanding Nessus Output
7. Before You Start Considerations
8. Refining & Assessing the Output
9. Additional Checks
WHY IS VULNERABILITY MANAGEMENT IMPORTANT?
COST OF A BREACH
Numerous Cost Models exist. However, Verizon’s data is based on statistics collected from a more holistic sample:
FOUNDATIONS OF A HOLISTIC VULNERABILITY MANAGEMENT PROGRAM
1. Monitor and Track Threat and Vulnerability Feeds/Sources
2. Assess New Threats and Vulnerabilities for Relevance
3. Develop a Repeatable/Sustainable Patch Management Process
4. On-Going Monitoring of Vulnerabilities, Misconfigurations & Defects
5. Review Scan Output, Assess Findings and Follow Up with Stakeholders
6. Track Remediation Progress
HOLISTIC SCANNING:
1. Hardware and Software Vulnerability Scans (e.g. Nessus, NexPose)
• Patch Management / Open Vulnerabilities (e.g. weak SSL)
• Software and Firmware Currency
• Communications and Protocol Weaknesses
2. Configuration (Hardening) Compliance Scans
• Measures Hardening Compliance (e.g. DISA STIGS, CIS Benchmark, Agency Guidance)
• Policy Enforcement (e.g. Active Directory Group Policy)
3. Application Code Scanning
• Static Code Scanning (SAST) – IBM AppScan, HP Fortify, Trustwave
• Dynamic Code Scanning (DAST)
• Interactive Code Scanning (RAST)
KEY DEFINITIONS:
Vulnerability: A flaw or weakness in hardware or software design or implementation that may result in the loss of Confidentiality, Integrity or Availability (CIA)
Threat: The potential for a specific vulnerability to be exercised either intentionally or accidentally
Control: Measures taken to prevent, detect, minimize, or eliminate risk to protect the Integrity, Confidentiality, and Availability of information.
Vulnerability Management: The process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.
KEY DEFINITIONS - CONTINUED:
NVD: National Vulnerability Database
CPE: Common Platform Enumeration
CVE: Common Vulnerabilities and Exposures (e.g. CVE-2016-0002)
CVSS: Common Vulnerability Scoring System
ASSESSING VULNERABILITY SEVERITY
INTRO TO THE COMMON VULNERABILITY SCORING SYSTEM (CVSS)
• Defined: The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities.
• Consists of three metric groups: Base, Temporal, and Environmental.
• The Base group represents the intrinsic qualities of a vulnerability,
• The Temporal group reflects the characteristics of a vulnerability that change over time,
• The Environmental group represents the characteristics of a vulnerability that are unique to a user's environment.
• The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics.
CVSS BENEFITS:
1. Standardized Approach to Scoring Vulnerabilities.
• Allows an organization to use a common algorithm for scoring vulnerabilities across all IT platforms.
• Allows for an organization wide Remediation Policy and standardized remediation times
2. Open Framework – Vendor Independent
3. Supports Risk Prioritization
CVSS HISTORY
Launched in 2005 (CVSS 1.0)
Updated in February 2007 (CVSS 2.0) and June 2015 (CVSS 3.0)
CVSS 3.0 MAJOR CHANGES
• CVSS v3.0 adds the ability to score vulnerabilities that exist in one software component (the vulnerable component) but which impact a separate software, hardware, or networking component (the impacted component). This is captured by the new metric called Scope.
TENABLE NESSUS / SECURITY CENTER
• Two flavors: Stand-Alone Scanner or Bundled with Security Center
• Scan Output Results – File Types
1. CSV or Excel File
2. XML (.nessus) File (ideal for scripting)
3. PDF Report (least useful/actionable)
4. Online via Security Center Dashboard (access restricted)
• Scan Output - Content
1. Vulnerabilities (Plugins < 1000000)
2. Configuration Checks (Plugins >= 1000000)
• Plugin – A unique test (query) to determine if a vulnerability or a misconfiguration exists
• Security Center Version 4 – Focus of this presentation
NESSUS OUTPUT – KEY FIELDS
• Risk: Severity, CVSS Base & Temporal Score, STIG Rating, Exploit?
• What: Plugin #, Plugin Name, Plugin Text, etc
• Where: IP, DNS Name, NetBIOS Name, etc
• When: First & Last Observed, Vuln Publication Date, Patch Publication Date, Plugin Publication Date, and Plugin Modification Date
CONSIDERATIONS… BEFORE YOU START
1. Assets – Know thy Inventory
Hardware (Type, Make, Model, Names, function)
Software (O/S, COTS Packages installed, Misc Other, e.g. Java, etc)
Environment & Network (PROD vs Non-Prod)
2. Scan Specifics
When: Scan Run Date
Scan Type: (Vulnerability, Configuration, Both, Other e.g. NMAP)
Authentication: (Credentialed versus Non-Credentialed)
REFINING THE DATA….
• Check the Output and Refine as Appropriate
Limit / Refine Output to Only Include Rows with Plugin ID #’s
Limit Output to Include Only Current Results (i.e. Last Observed Date)
Remove Word Wrapping
• Initial High-Level Analysis – Exploring the Power of the PIVOT Table or PowerShell Summary View
Explore Various PIVOTs, e.g. By: Assets Only, Severity/Vulnerability, etc
Assess the Plausibility of the Data – Does it look/smell right?
• Looking Beyond the Plugin Name – It May Not Tell the Whole Story
The Power of the Plugin Text – Review examples
Consolidates key data into one cell (Security Center v4 ONLY)
Enhance Readability via Excel or copy/paste into Word or email
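The refinement and pivot steps above, applied to the .nessus XML export that the output-format slide calls "ideal for scripting", as an added example (not from the presentation or from Tenable). The sample export is constructed: its hosts, the sample MS16-001 item (plugin 87877 from the example slide) and the two other plugin entries are illustrative data, not real scan results.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

SEVERITY = {"0": "Info", "1": "Low", "2": "Medium", "3": "High", "4": "Critical"}

# Constructed sample export: two hosts sharing one exploitable bulletin finding,
# plus an informational item and a weak-SSL detection on the first host.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="sample"><ReportHost name="10.0.0.5">
<ReportItem port="445" protocol="tcp" severity="4" pluginID="87877" pluginName="MS16-001 (sample)">
<cvss_base_score>9.3</cvss_base_score><exploit_available>true</exploit_available></ReportItem>
<ReportItem port="0" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information"/>
<ReportItem port="443" protocol="tcp" severity="2" pluginID="20007" pluginName="SSL Version 2 and 3 Protocol Detection">
<cvss_base_score>5.0</cvss_base_score></ReportItem></ReportHost><ReportHost name="10.0.0.9">
<ReportItem port="445" protocol="tcp" severity="4" pluginID="87877" pluginName="MS16-001 (sample)">
<cvss_base_score>9.3</cvss_base_score><exploit_available>true</exploit_available></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""

def parse_findings(xml_text):
    """Flatten ReportHost/ReportItem pairs into rows; rows without a plugin ID are dropped."""
    rows = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            pid = item.get("pluginID")
            if not pid:
                continue  # the "only rows with a Plugin ID" refinement step
            cvss = item.findtext("cvss_base_score")
            rows.append({
                "host": host.get("name"), "plugin_id": int(pid),
                "plugin_name": item.get("pluginName"),
                "severity": SEVERITY[item.get("severity")],
                "cvss_base": float(cvss) if cvss else None,
                "exploitable": item.findtext("exploit_available") == "true",
            })
    return rows

def pivot_host_by_severity(rows):
    """Assets-only view: finding counts per host and severity, informational items excluded."""
    table = defaultdict(Counter)
    for r in rows:
        if r["severity"] != "Info":
            table[r["host"]][r["severity"]] += 1
    return {host: dict(counts) for host, counts in table.items()}

def top_plugins(rows, exploitable_only=False):
    """Plugin view: how many hosts share each finding, most widespread first."""
    hosts = defaultdict(set)
    for r in rows:
        if r["severity"] != "Info" and (r["exploitable"] or not exploitable_only):
            hosts[(r["plugin_id"], r["plugin_name"])].add(r["host"])
    return sorted(((pid, name, len(h)) for (pid, name), h in hosts.items()), key=lambda t: -t[2])
```

Running `top_plugins(rows, exploitable_only=True)` gives the "highest risks (exploitable) first" list from the presenting-results slide; the host pivot is the assets-only view.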
ADDITIONAL CHECKS
• Scan Completeness: All Applicable Assets Scanned?
Scans Completed Successfully?
• Use Plugin ID to Determine Authentication Success
Windows: / Unix:
• Apache & Java Embedded in Many Products
There may be multiple versions on the same host
Nessus typically reports only the fixed version – not the current version
• Vet the Data
Ask SMEs/Admins to Validate Results – Nessus is Not Always Correct
Protect and Enhance Your Credibility Through Research and Vetting
PRESENTING YOUR RESULTS:
• Present the Data in a Format Relevant to Your Audience (Rollup & Exec Summary)
• Make the Data as Actionable as Possible
• Include Positive News Where Possible (e.g. xx% are New)
• AVOID SURPRISES – Where Possible
• Expect Pushback and Angst – It’s Human
• Focus on Highest Risks (Exploitable) First / Everything Can’t Be Fixed at Once
• Pay Attention to Older / Languishing Vulnerabilities. Understand Why They Remain Open.
• Offer to Work with SMEs / Admins / Engineers to Understand the Data
• Focus on Sustainable and Repeatable Process to Ensure Timely Remediation (target dates)
RESOURCES AND LINKS:
2015 Verizon Data Breach Investigations Report (DBIR)
http://www.verizonenterprise.com/DBIR/2015/
First.Org – Common Vulnerability Scoring System (CVSS v3.0)
https://www.first.org/cvss
https://www.first.org/cvss/cvss-v30-specification-v1.7.pdf
https://www.first.org/cvss/cvss-v30-user_guide_v1.4.pdf
https://www.first.org/cvss/cvss-v30-examples_v1.1.pdf
https://www.first.org/cvss/calculator/3.0
Tenable (Nessus) Plugin Info:
http://www.tenable.com/plugins/
Microsoft Patch Tuesday Bulletins
EXAMPLE – RESEARCHING A MICROSOFT PATCH
NVD now publishes both CVSS 2.0 and 3.0 scores. The example below traces a Microsoft Patch Tuesday vulnerability through to the NVD site, along with a trace through the Tenable plugin site to determine the Plugin ID and Text.
Example:
• Microsoft Patch: MS16-001 - https://technet.microsoft.com/en-us/library/security/ms16-jan.aspx
• Has two (2) CVEs associated with it in the above link. Clicking on CVE-2016-0002 takes you to the MITRE CVE site:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-0002
• Clicking on the "learn more at NVD" link takes you to NIST’s NVD detail page:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0002
• You will see the CVSSv3 score on the left side of the page along with the older CVSSv2 score on the right
• Nessus shows one plugin ID for this vulnerability (#87887). You can figure this out by selecting "View All Plugins" from the main Tenable plugin page: http://www.tenable.com/plugins/
• From there, select "Microsoft Bulletins":
http://www.tenable.com/plugins/index.php?view=all&family=Windows+%3A+Microsoft+Bulletins
• From this page, select MS16-001 and you get: http://www.tenable.com/plugins/index.php?view=single&id=87877