
Vulnerability management

Hagenberg, April 2014


What is Vulnerability Management?

Definition

Security practice to proactively prevent the exploitation of IT vulnerabilities


The expected result is to reduce the time and money spent dealing with vulnerabilities and exploitation of those vulnerabilities

Vulnerability
  Security flaw
  Threat to the IT infrastructure

Patch
  Piece of code developed to address problems
  Addresses features or security flaws

Köck, Krumböck / Vulnerability Management, April 2014


Vulnerability Management Process
NIST 800-40 Release 2: Creating a Patch and Vulnerability Management Program

1. Create IT infrastructure inventory
2. Monitor for vulnerabilities
3. Prioritize vulnerabilities & mitigation
4. Create vulnerability database
5. Test remediations
6. Deploy vulnerability remediation
7. Inform administrators
8. Deploy patches
9. Verify successful deployment
10. Train administrators


1 Create IT infrastructure inventory

Reuse existing inventories
Configuration Management Database (CMDB)
Hardware equipment
Software applications
Owner
System administrator
Relations
Prioritise assets
Update regularly as part of the configuration management process
Information retrieval should be automated as much as possible


2 Monitor vulnerabilities

Monitor a variety of sources
Concentrate on software mainly used in the company
Monitor for vulnerabilities, remediations and threats
Vendors are the authoritative source of information for patches
  Often won't release information about vulnerabilities until a patch is available
Use vendor and third-party security mailing lists


3 Prioritize vulnerabilities & mitigation

Consider the impact on the organisation for each threat
  Which systems are exposed
  What is the impact on these systems
Availability of malicious code
  Worms
  Exploits
  Patches are often reverse engineered quickly
Determine the risk involved with applying the patch and other countermeasures
Establish what degree of risk is acceptable


4 Create vulnerability database

Create a database of remediations that need to be applied within the organization
  Usually provided by enterprise patch management tools
  Patches to install and workarounds for vulnerabilities
Save patches locally
  Reduce internet traffic, or internet is not available
  Difficult to get older patches
  Save work time


5 Test Remediations

Create testing infrastructure for standard configurations
  Reduce redundant testing
Software not monitored by the vulnerability management must be tested by administrators
Carefully read patch notes from the vendor
Precautions
  Check the patch against authenticity methods provided by the vendor (PGP etc.)
  Virus scan
  Test on non-production systems
  Check for patch dependencies
  Document problems


6 Deploy vulnerability remediation

Security patch installation
  Repairs the vulnerability
Configuration adjustment
  Reduce the threat or block attack vectors
  Modifying rights
  Disable services
Software removal
  Software might no longer be needed
  Removing the software also prevents future vulnerabilities


7 Inform administrators

Often different teams are involved in the vulnerability management process
Create mailing lists for each team
Give them access to resources
  Vulnerability database


8 Deploy Patches

Use the same process as for other configuration changes
  Testing systems
  Quality systems
  Production systems
Organize maintenance windows
Central database for feedback
  Problems and solutions
Document patch installation in the configuration management database


9 Verify successful deployment

Use vulnerability scanners to verify that systems are patched
  Checks with credentials yield a lot of information
  Not possible for all vendors
  Not completely accurate
  Software without an installation routine is often a problem
Review patch logs
  Check if the patch was installed successfully
  Compare logs between equal systems
Perform penetration tests


10 Train administrators

Many specialists within the organization
  Use their knowledge
Less used configurations should be monitored by the administrators themselves
Administrators need to know how to identify new patches and vulnerabilities
Second line of defense



Challenges & Best Practice

Challenges

Keep the time that systems are vulnerable as short as possible
  Install patches immediately?
  Limited resources?
  Testing?
Quality of vendor patches increased
  Patch Bundle (Oracle)
  Patch Day (Microsoft)
Prioritising
  Externally exposed systems
Testing
  Automation?
  Non-standard systems



Best Practices 1

Use automated patch management tools
  Expedite the distribution of patches to systems
  Assess and mitigate the risks associated with deploying enterprise patch management tools
    Weapon of mass destruction?
Use standardized configurations for IT resources
  Less testing effort
Predefine maintenance windows for patching
Emergency procedures
Define authorities
Gain publicity



Best Practices 2

Consistently measure the effectiveness of the vulnerability management process
  Define KPIs
    Number of identified vulnerabilities
    Number of failed patches
    Mean time to install patches
    Mean time to remediate a vulnerability
Automate tasks
  Schedule vulnerability scans
Consider smart purchasing
Remove unnecessary software!
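
The four KPIs named on this slide, computed from patch deployment records, as an added example that is not part of the original slides. The record layout, the placeholder IDs and both "mean time" definitions (patch release to successful install; identification to last affected host fixed) are assumptions.

```python
from datetime import date
from statistics import mean

# Constructed sample records (not from the slides): one row per patch
# deployment attempt on one host. IDs and host names are placeholders.
# Fields: vuln_id, host, identified, patch_released, attempted, succeeded
ATTEMPTS = [
    ("VULN-A", "web01", date(2014, 4, 1), date(2014, 4, 3), date(2014, 4, 5), True),
    ("VULN-A", "web02", date(2014, 4, 1), date(2014, 4, 3), date(2014, 4, 5), False),
    ("VULN-A", "web02", date(2014, 4, 1), date(2014, 4, 3), date(2014, 4, 8), True),
    ("VULN-B", "db01", date(2014, 4, 2), date(2014, 4, 8), date(2014, 4, 10), True),
    ("VULN-C", "app01", date(2014, 4, 4), date(2014, 4, 6), date(2014, 4, 7), False),
]


def compute_kpis(rows):
    """Return the four KPIs from the slide for a list of attempt rows."""
    vulns = sorted({r[0] for r in rows})
    # Assumed definition: release of the patch -> successful install on a host.
    install_days = [(r[4] - r[3]).days for r in rows if r[5]]
    remediate_days, still_open = [], []
    for vuln in vulns:
        mine = [r for r in rows if r[0] == vuln]
        affected = {r[1] for r in mine}
        fixed_on = {r[1]: r[4] for r in mine if r[5]}
        if affected - set(fixed_on):
            # At least one affected host has no successful install yet,
            # so the vulnerability does not count as remediated.
            still_open.append(vuln)
            continue
        # Assumed definition: identification -> last affected host fixed.
        identified = min(r[2] for r in mine)
        remediate_days.append((max(fixed_on.values()) - identified).days)
    return {
        "identified_vulnerabilities": len(vulns),
        "failed_patches": sum(1 for r in rows if not r[5]),
        "mean_days_to_install": mean(install_days) if install_days else None,
        "mean_days_to_remediate": mean(remediate_days) if remediate_days else None,
        "still_open": still_open,
    }


if __name__ == "__main__":
    for name, value in compute_kpis(ATTEMPTS).items():
        print(f"{name}: {value}")
```

Vulnerabilities with an unpatched host are reported separately instead of being averaged in, so an open backlog cannot make the remediation time look better than it is.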



Information Source

Vulnerability databases
  Common Vulnerabilities and Exposures (CVE)
  The Open Source Vulnerability Database (OSVDB)
CERT Advisories
Mailing lists
  Full Disclosure
Vendor information
  Microsoft Security Bulletins
  RedHat Network
Tool support



Tools

Vulnerability scanner
  Nessus
  Qualys
  OpenVAS
  GFI LANGuard
System hardening
  Microsoft Baseline Security Analyzer
  OSSEC
Update services
  Windows Server Update Services
  RedHat Network Satellite Server / Spacewalk
Security Incident & Event Management
  AlienVault / OSSIM



Our own internal scanning tool

Integration into the patch management process
Agentless scanning
Double checked
  Missing patches with Nessus
  Installed patches with inventory tool
Coupled with password management
Automated reporting to operational teams
Compliance scans
  ISO 27000
  ISAE 3402
  PCI-DSS
  ...
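
A sketch of the "double checked" idea above, which also applies to step 9 (scanner results are "not completely accurate"): the scanner's list of missing patches is reconciled with the inventory tool's list of installed patches. This is an added example, not the authors' tool; the data layout, host names and patch IDs are constructed placeholders, and no real scanner or inventory API is used.

```python
# Constructed sample data; host names and patch IDs are placeholders.
REQUIRED = {  # vulnerability database: patches each host must have
    "web01": {"PATCH-001", "PATCH-002"},
    "db01": {"PATCH-001", "PATCH-003"},
    "app01": {"PATCH-002"},
}
SCANNER_MISSING = {  # scanner view: patches reported missing per scanned host
    "web01": {"PATCH-002"},
    "db01": {"PATCH-003"},
}
INVENTORY_INSTALLED = {  # inventory view: patches recorded as installed
    "web01": {"PATCH-001", "PATCH-002"},
    "db01": {"PATCH-001"},
    "app01": {"PATCH-002"},
}


def double_check(required, scanner_missing, inventory_installed):
    """Classify every required (host, patch) pair by comparing both sources."""
    report = {"verified": [], "missing": [], "conflict": [], "not_scanned": []}
    for host in sorted(required):
        if host not in scanner_missing:
            # No scan result at all: the inventory alone is not a second check.
            report["not_scanned"].append(host)
            continue
        installed = inventory_installed.get(host, set())
        for patch in sorted(required[host]):
            scan_ok = patch not in scanner_missing[host]
            inv_ok = patch in installed
            if scan_ok and inv_ok:
                report["verified"].append((host, patch))
            elif not scan_ok and not inv_ok:
                report["missing"].append((host, patch))
            else:
                # The sources disagree, e.g. a failed install still recorded
                # as installed, or a scanner check that could not see the fix.
                report["conflict"].append((host, patch))
    return report


if __name__ == "__main__":
    for status, items in double_check(
            REQUIRED, SCANNER_MISSING, INVENTORY_INSTALLED).items():
        print(status, items)
```

Conflicts and unscanned hosts are the entries worth routing to the operational teams first, since neither source can be trusted for them on its own.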



Contact

Herwig Köck
Security Specialist
T-Systems Austria GesmbH
Rennweg 97-99
1030 Wien
Phone: +43 (0) 57057 8617
Fax: +43 (0) 57057 958617
Mobile: +43 (0) 676 8642 8617
E-Mail: herwig.koeck@t-systems.at

Martin Krumböck
Security Specialist
T-Systems Austria GesmbH
Rennweg 97-99
1030 Wien
Phone: +43 (0) 57057 8689
Fax: +43 (0) 57057 958689
Mobile: +43 (0) 676 8642 8689
E-Mail: martin.krumboeck@t-systems.at



THANK YOU!
