
numbers going up. We, Pure Storage, as a start-up, or we were a start-up, were growing extremely rapidly, so we were getting more people, but that was mostly because they were all new hires, and so we do find that a fair percentage of the raw passwords that are cracked are new hires. So people end up learning this, and we're doing it because this type of password policy doesn't really work well, right? This I took off of the internet; everybody's seen this, and most of us probably agree that it doesn't really work that well. They give you these requirements, they have character type requirements, but at the end of the day that password policy says the first one is not okay but the second one is, and the reality is that both of those are just as easy to discover or guess as the other one, so there's no reason for that policy; it's not effective. I think I saw a couple of nods in the audience, so I'm not the only one that thinks this; there are a number of people on InfoSec Twitter that kind of agree with this. So I said, you know what, no, we're not going to force people to change their passwords. So how did we do this? Has anyone cracked passwords before, used tools like that? A few people. Excellent, excellent.
So my goal is to basically have you able to do this tonight, but there are a couple of things that you have to prepare. You've got to have some sort of CPU or GPU that you can use, some amount of raw horsepower, but I'm going to show you that it's not that significant. You need to collect some word lists or dictionaries or something like that, and these can be things like the stuff that Troy Hunt releases, or the latest note from Krebs, so those are previously cracked passwords that have been released to the wild, or just word lists and English dictionaries. You also have to understand your audience, or your user base, because of things like where they are in the world, the language they speak, or their culture, both the corporate culture and the local culture. So if your target is mostly in the Bay Area like mine, words like Stanford and San Francisco and Golden Gate pop up, but if they're out somewhere else then different local words are common. And you've got to have some sort of tool. These are a couple of them that I've used in the past. We landed on hashcat for no more reason than I kind of started with using it, wanted to use it, was in awe of the hashcat team doing Crack Me If You Can at DEF CON, so we use that, but John the Ripper is equally good there, and there's also a lot of cross-training there: you learn one and you can kind of understand the rules very quickly in the other. And one I used in the past, quite a while ago, was Cain and Abel; it's a Windows system, and this one was a lot of fun back in the day when all of our workstations were on the same collision domain, because it would sniff the traffic and actually pick the hashes up off the wire and just start cracking away. It's not really under development anymore, but it was pretty fun. So what
we do is we spend about seven days doing this testing process. The first thing we do is extract the NTDS.dit out of Active Directory, using a live domain controller but creating a volume shadow copy and extracting it out of that; again, that procedure is documented step by step on the GitHub to get you going. You just need admin credentials in your set, or, you know, red teaming, Mimikatz, and that works too. Then we spend a couple of days brute-forcing up to eight characters, and then a couple more days using word lists and rules, followed by some mask processing, which is like targeted brute-forcing, followed up around day seven, when we're starting to get diminishing returns and we feel like we've got enough this quarter: we start sending out the notifications telling people that they've got to change their passwords and they've got two weeks to do it. I'm going to go over each one of those a little bit. The brute force one is again super straightforward, and the reason we do it is that even though we've got a setting of, say, nine characters in our Active Directory settings, the reality is admins can override that, right, and you may have legacy server accounts that are still being used or something along those lines, but the big occurrence is someone walks up to the help desk and says, hey, I need to change my password; the help desk admin right-clicks on their name and they can type in anything, and they override the policy. We also use this, since it takes about two days for us to get through the eight-character keyspace, to prepare the next steps: we might have in the last quarter discovered a new tool, there might have been a talk at a different BSides about a novel approach, or someone had a new idea, and they want to prepare that for the word lists and the rules. So the word lists, I kind of went over this already, are basically just dictionaries, and then you can use tools like WordSmith that will generate that kind of pop culture or local culture information, which is a really cool tool to just quickly generate a tailored word list for your area. But that's not going to do it by itself, right? Imagine an English dictionary; hopefully you don't have any passwords that are just all lowercase characters. So then you've got to apply these rules, and this is what the tool does for you: the tool will take those rules and do things like substitute an O for a zero, or double up the word, or something like that. There are a lot of different rules, to toggle or to truncate or to append or to duplicate, so it's really a toolkit
that you can use when you're using hashcat to crack the passwords. Then we use the masks, basically in two ways. One, it's a tailored brute force. In my example up here, what we found is that people like to create passwords with really common patterns, right: they will use an uppercase, a bunch of lowercase, and append a couple of numbers, so that they meet that policy. So you do that, and by narrowing that keyspace to this pattern you'll notice that you can go through a lot of that keyspace very quickly, and without hitting a lot of the password combinations that are very unlikely for people to use. Another thing you can do is append or prepend a shorter mask to your common words, so you'll see that we get things like our company name in there with a bang-one-two-three. These types of methods work pretty well when you're approaching it that way. I've got some examples up here for each one of those, but it's a little bit of an eye chart; there's a more detailed explanation in the notes, so this is more of a slide for you to review, but I thought it might be fun to show you what that looks like. So I've got an example here, and at the top you see the command line. I'm using an attack mode of 3, which just means brute force; I've got user names in the hash file, so I've got to tell hashcat that, so it's not thinking that that's part of the hash; and 1000 means it's Active Directory. Putting your results in a specific file is helpful, because then it's easier to analyze later. Then you can see I'm just doing question-mark-a... If you can't see it, I am sorry.
Why doesn't... okay. I need some help; I don't know, it worked in the speaker lounge. That's here. You get that? Okay. Wow, yeah, but it's changed the resolution now. Anyway, so there at the top you can see the passwords, and what I'm doing is
now you can see it at the top. The nine question-mark-a's are just telling it to brute force any character at nine length, right, and so you'll see that in that long amount of time that we did that, I discovered two whole passwords. But by narrowing it to the pattern that I mentioned earlier, with an uppercase, a bunch of lowers and then a few numbers, you can see that already I'm getting better results, I'm getting much more results; it's got me two in the couple of minutes while we were fumbling with that, and then boom, I've got a few. So that's pretty good, right, that's better obviously, but what if we do something a little bit different? So this is that hybrid attack. In this case I'm taking a word list, the link is in the notes, of three hundred and four thousand probable passwords, so very likely passwords that have either been released in breaches or have been generated because it's a pattern that people use, and then I'm just tacking on four characters afterwards, and you'll see that I actually get a lot more passwords very quickly. And this is on a MacBook Air. I kind of ran out of time, but the nine-character brute force was going to take two hundred and nine years to go through, so you can see that this is working a little bit better. So back
to... okay. So that's how we do it, and then I'd like to show you what we've seen out of this. One thing that we've seen, and this is very evident from the test that I just ran, is that depending on the way you structure your tests, you can get diminishing returns very quickly. It's very likely that if you put them in the right order you will discover more than 50% of the passwords you're going to discover in about the first four hours or so of testing, and then the rest of the week it kind of tapers off. Now that doesn't apply to us, because we're starting with that brute force method, which is really a way to give us time to prepare the remaining tests, but that is how it ends up working: you'll get a lot of it very quickly and then it starts slowing off. And this is off of one test, not all of the two years' worth of data, but in one test you'll see that we still get a couple of those eight-character and seven-character passwords even though they violate the settings in Active Directory, so that's why we test those. And then yes, the bulk is in nine, because that's what's required, but we even get some in the 12 and 16 and 24 character range just based on those rules; we're certainly not brute-forcing 24 characters. We've also found that people tend to create the same password. Some of these are going to be the same person creating multiple service accounts, but in some cases it's things like walking the keyboard, going straight down the first two columns; it's very easy for people to do. This is data over the course of the two years, aggregated and then figured out, and what you will also notice is that people really like to use corporate culture, at least for us; we kind of bleed orange at our company, and four of the top passwords have the word
"pure" in it, which is pretty funny. So then we started looking at our data a little bit further, and this is something we've only started doing in the past year or so: we noticed that certain people were not only repeat offenders, continually creating weak passwords, but they were creating the same password, or basically the same; it won't let you create the same one, obviously. So I wrote scripts to calculate similarity between this discovery and the last discovery for people that fail two times in a row, and we started out with 180 the first time we tested. I said that's a lot of people, and then we sent them a note; we sent them a separate email and told them, hey, your password this time is X percent similar to your last one of X, and we put their last password in the email. And that gets a visceral reaction, let me tell you. People are like, oh, aren't you the security guy, how can you be putting the password in the email, that's totally insecure, don't you know anything? And I say, yes, well, you're using the same password over and over again, you have to change this; whoa, this is not your current password, it is your previous one; and thirdly, you've got less than two weeks to change it. So I feel like the risk is minimized, especially if you do what you should do and create something fairly different. To kind of demonstrate what that looks like: given two tests in one quarter, we discovered 805 passwords; the following quarter, about 490; of those, 334 people failed both times; and then in that group, 138 of the people were over that 70% or so threshold. And let's be honest, 60 or 50% is still pretty similar, but we're giving people a break here while we're training them to do this. So the last thing that I kind of want to talk about is that passwords aren't the only thing, right? I have all this stuff about passwords, we spend all this time, but it's
certainly not the only thing protecting our network, right? We've got multi-factor authentication, I hope you do too; we've got a great blue team who's looking at the data and identifying anomalies like logins from different locations and other things that indicate that an account might be compromised, or things of that nature. So we take all of those, and then we face the toughest challenge, because everything up to now was easy: now we've got to convince our auditors that this approach works, and that can be a little bit daunting. The biggest thing that I found is that they say, we want to know the policy, and when they say that they mean group policy out of Active Directory. And I say, no, no, no, no, no, that's not the policy. Our policy is super simple; it's published, it's signed by corporate leadership, and it says (it's a little bit longer than this, but more or less) your password must be strong, it must not be weak, and if it's weak you've got to change it within two weeks. So that's what we say, and then it's got a little bit about the testing process and kind of stuff, which I just went through. So we tell them that that's the policy; they say, well, we're going to screenshot the policy; I'm like, cool, I gave you the PDF of the policy, you want a screenshot of it too? Because I don't get it. This takes time, and time again, but eventually you kind of convince them. We've convinced our auditors, we've convinced our customers that this works, and we've gotten past all of that. So with that, and a little bit of a hiccup, that is the presentation I had for you. Special thanks to Russell in the audience, who was my mentor for this, and without him this would have been a jumble of misguided slides that were in no particular order. So I hope that worked for you, and I don't know if I've got time, but I'm certainly open for questions. Yeah, I've got time. I saw you first. How did you get management to sign off on this? So, two
pieces. One big piece was what I talked on; to me, it was actually easier to get management to sign off than internal, and primarily external, audit, so that is your biggest roadblock. It is very difficult to fight the kind of incumbent policy that's there; inertia is a real thing, let me tell you. But I had a big leg up in that I came to this company to start the security program, and they didn't have much in the way of incumbent policies or inertia that I had to fight. I also had an extremely great boss who was very bought into this. I report to the CIO, and he has been telling his peers about this approach, and they're like, whoa, how can we do this? They also ask the exact same question: how did you do that? So I think it's with a lot of documentation. In fact, a lot of the documentation that I posted on GitHub, at least the technical details, are things that we needed to produce to our auditors, mostly the internal audit, and once they buy in, management trusts them usually, and so that helps a lot. We also take all of our kind of evidence and we treat it like an audit ourselves; I call it the password audit process, and we commit everything that we do, all the extracted passwords, the rules that we use, the word lists sometimes, all the masks, and we commit them to an internal git repository that only the security team has access to, but we can provide that to the auditors if they really want to get into it. So far nobody's taken me up on that; they don't want to dig into that, because I start talking about hashcat and they're like, what? But that's how I did it. How do people actually deal with being told that their password is crap? Do they react against it, or do they learn from it? They react in a number of ways. I mean, of course the feedback you get
is going to be mostly negative anyway; most people don't just say, hey, this was great. But there are a number of ways. One big one, especially when we started this program, was: no you didn't, you didn't crack my password, I don't believe you. That is the biggest one, and that's the fun one, let me tell you, because what they will often... I'm sorry, we're a very open communication culture and we communicate in Slack a lot, so they will ask that in a public forum. So that's the fun one. I don't paste their password, but I give them hints about why, like, I know it, right? So with the example with the 1qaz or zxcvbn, I just say, well, what happens is it's easy for us to find passwords where people walk the keyboard, or give them a hint, and in that case the guy was like, oh, haha, I get it, changing my password. So that works; I mean, you've got to have a little bit of levity about it. So that's kind of my approach. The other thing is their second reaction, how do they phrase this, they say: do you have all the passwords in plain text? They think that we've implemented a system, because we built Active Directory or something, where we're just writing their password to a text file or something and comparing that way. So we just tell them, no, we've got real systems, and they do this, and here's the process. So those are the primary reactions that we've gotten, and then the other one is the one I went through, the visceral reaction when I send you your password in an email; that is an interesting one, but it's been showing pretty good results. You mentioned the repeat offenders. Yes, I have them all. So how do you deal with those? Do you involve management, their manager? Can you give examples of the ones that are lost causes? So we might be implementing another
thing, but there are two types of repeat offenders. There are the ones that just keep making weak passwords, but they're different, right, and I didn't address that one; primarily at the moment we're assigning them the web-based password training that nobody else has to take. So we're trying to do a security awareness program where it's minimal and you only get fed or provided the training that you need, or seem to need, so that it's not just everybody seeing the same thing. So that's one of the approaches. We probably have to think about it further now that we've got about two years' worth; we need to start taking a longer view and seeing if there's anybody that's done it every time. We had one that was fairly high up in the organization, and I don't know if we have the time to do this, we are still a kind of small company so maybe, but one of our help desk professionals sat down with him, I mean this guy's way up there, sat down with him and showed him how to create a good password, the tips and tricks that we've also published, because he doesn't have time to read it, and he hasn't been caught again. So that has worked as well, but that obviously has a lot of time associated with it. All right, big hand for Kevin, thank you.
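The keyspace arithmetic behind the three hashcat runs in the demo above (nine `?a` positions, the uppercase-lowercase-digits mask, and the word list with a four-character `?a` suffix), as an added Python example. This is not Kevin's audit tooling or anything from the GitHub he mentions; it only reproduces hashcat's built-in charset sizes and mask syntax so the size of each attack can be compared. The hash rate used for the time estimate is an assumed figure, not a measurement from the talk.

```python
"""Keyspace arithmetic for the three hashcat attack shapes in the demo:
a full ?a brute force, a tailored mask, and a hybrid word list + mask.
Added example, not the audit scripts from the talk.  The hash rate used
for the time estimate is an assumption; measure your own with
`hashcat -b -m 1000`."""
import itertools
import string

# hashcat's built-in charsets for -a 3 masks (sizes in comments).
CHARSETS = {
    "?l": string.ascii_lowercase,                      # 26
    "?u": string.ascii_uppercase,                      # 26
    "?d": string.digits,                               # 10
    "?s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",       # 33, space included
}
CHARSETS["?a"] = CHARSETS["?l"] + CHARSETS["?u"] + CHARSETS["?d"] + CHARSETS["?s"]  # 95

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def parse_mask(mask):
    """Turn a hashcat mask into one alphabet per output position.
    A literal character (e.g. 'Pure' in 'Pure?d?d?d!') is a 1-char alphabet;
    '??' is a literal question mark, as in hashcat."""
    positions = []
    i = 0
    while i < len(mask):
        token = mask[i:i + 2]
        if token in CHARSETS:
            positions.append(CHARSETS[token])
            i += 2
        elif token == "??":
            positions.append("?")
            i += 2
        else:
            positions.append(mask[i])
            i += 1
    return positions


def mask_keyspace(mask):
    """Number of candidates -a 3 must try to exhaust the mask."""
    size = 1
    for alphabet in parse_mask(mask):
        size *= len(alphabet)
    return size


def hybrid_keyspace(wordlist_size, mask):
    """-a 6 / -a 7: every word combined with every expansion of the mask."""
    return wordlist_size * mask_keyspace(mask)


def years_to_exhaust(keyspace, hashes_per_second):
    return keyspace / hashes_per_second / SECONDS_PER_YEAR


def mask_candidates(mask):
    """Enumerate the mask (lexicographic per position, not hashcat's
    Markov-ordered sequence; the set of candidates is the same)."""
    for combo in itertools.product(*parse_mask(mask)):
        yield "".join(combo)


def hybrid_candidates(words, mask):
    """-a 6: each word with each mask expansion appended."""
    suffixes = list(mask_candidates(mask))
    for word in words:
        for suffix in suffixes:
            yield word + suffix


if __name__ == "__main__":
    rate = 1e8  # assumed ~100 MH/s NTLM on a laptop; roughly the talk's 209-year figure
    for label, space in [
        ("?a x9 brute force", mask_keyspace("?a" * 9)),
        ("?u?l?l?l?l?l?d?d?d mask", mask_keyspace("?u?l?l?l?l?l?d?d?d")),
        ("304k words + ?a?a?a?a", hybrid_keyspace(304_000, "?a?a?a?a")),
    ]:
        print(f"{label:28s} {space:>22,d} candidates  "
              f"{years_to_exhaust(space, rate):>12.4f} years")
```

The three rows correspond to `hashcat -m 1000 -a 3 --username -o cracked.txt hashes.txt ?a?a?a?a?a?a?a?a?a`, the same with `?u?l?l?l?l?l?d?d?d`, and `hashcat -m 1000 -a 6 --username -o cracked.txt hashes.txt probable.txt ?a?a?a?a`; the tailored mask is about two million times smaller than the nine-character brute force, which is the whole reason the demo's second and third runs produce results in minutes.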
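The repeat-offender comparison Kevin describes (scripts that score how similar this quarter's cracked password is to last quarter's, and the follow-up email that quotes the previous password and the percentage), as an added Python example. It is not the scripts from the talk. The cracked-list format (hashcat's `--username` outfile, `user:hash:plaintext`), the similarity measure (difflib's Ratcliff/Obershelp ratio on case-folded strings) and the sample entries are all assumptions constructed for the example; the 70% threshold is the one the talk mentions.

```python
"""Repeat-offender check: compare each user's password cracked this
quarter with the one cracked last quarter and flag anyone whose new
password is too close to the old one (the talk's "X percent similar"
email).  Added example, not the scripts from the talk.  Assumptions:
cracked lists are in hashcat's --username outfile format
(user:hash:plaintext), similarity is the difflib Ratcliff/Obershelp
ratio on case-folded strings, and the flag threshold is 70%."""
from difflib import SequenceMatcher

# Constructed sample data; the hash column holds placeholders, not real NTLM.
LAST_QUARTER = """\
alice:hash-a1:Summer2018!
bob:hash-b1:Pure1234
carol:hash-c1:Stanford99
"""
THIS_QUARTER = """\
alice:hash-a2:Summer2019!
bob:hash-b2:Pure5678
dave:hash-d1:GoldenGate1
"""


def parse_cracked(text):
    """Map user -> plaintext from outfile lines.  Split at most twice from
    the left so a ':' inside the password is kept."""
    found = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, _hash, plaintext = line.split(":", 2)
        found[user] = plaintext
    return found


def similarity(old, new):
    """0.0 .. 1.0; case-folded so Summer2018! vs summer2018! scores 1.0."""
    return SequenceMatcher(None, old.casefold(), new.casefold()).ratio()


def repeat_offenders(last, current, threshold=0.70):
    """Users cracked in both rounds whose new password is at least
    `threshold` similar to the previous one.
    Returns user -> (ratio rounded to 2 places, old password, new password)."""
    hits = {}
    for user, new_pw in current.items():
        old_pw = last.get(user)
        if old_pw is None:
            continue  # cracked once: weak, but not a rehash of last quarter's
        ratio = similarity(old_pw, new_pw)
        if ratio >= threshold:
            hits[user] = (round(ratio, 2), old_pw, new_pw)
    return hits


def notification(user, ratio, old_pw):
    """The follow-up mail from the talk: the percentage and the previous,
    already-cracked password; the current one is never sent."""
    return (f"{user}: your new password is {ratio:.0%} similar to your previous "
            f"password {old_pw!r}; you have two weeks to change it.")


if __name__ == "__main__":
    last, current = parse_cracked(LAST_QUARTER), parse_cracked(THIS_QUARTER)
    for user, (ratio, old_pw, _new_pw) in sorted(repeat_offenders(last, current).items()):
        print(notification(user, ratio, old_pw))
```

With the constructed data only alice is flagged: Summer2018! to Summer2019! scores about 91%, while bob's Pure1234 to Pure5678 is 50% and falls under the threshold the talk uses (the speaker's own remark that 50% is still pretty similar is why `threshold` is a parameter).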
by Eric Bryan. Before we get started, obviously we have to give some love to all the great sponsors who helped put all this stuff on. Anybody with cell phones, make sure they are silenced, because we will be streaming live to YouTube; you don't want to be the guy on YouTube whose phone went off in the middle of the presentation. Other than that, if you have any questions, hold them till the end; if we've got time I'll bring the mic around and you can ask, so that everyone listening at home can hear you. So, Eric.
Is that better? Thanks so much. All right, so again, good evening, I'm Eric Bryan. If you saw my talk on the schedule, or saw my name on the schedule and came anyway, I appreciate that very much. So anyway, I'm here to talk to you about vulnerability management, and there's quite a bit to get into, so we'll just jump into it. I want to say a quick word of thanks to BSides for inviting me to speak, and to my mentor for mentoring me, and hopefully we've got something special for you; I hope that everybody can take something from this talk back home and use it in your organization. All right, so who am I? Eric
Bryan, security engineer at North State Technology Solutions. I have been in IT about 18 years and in security for about ten of those years. Back then I worked for a private investigator doing some digital forensics, and that's what really got me hot and heavy into the security side of things. So now I do risk management and compliance consulting and, of course, vulnerability management. So what is vulnerability management? Vulnerability management is defined as the cyclical process of identifying, classifying, remediating and/or mitigating vulnerabilities, and a vulnerability in this sense, I'm sure you all know, is a weakness in an information system, security design, implementation or procedures that can be exploited to gain unauthorized access to information or an information system. So why is vulnerability management important? Because the Center for Internet Security says so. It's not a bad reason: the CIS maintains a document called the Top 20 Critical Security Controls, and number three, formerly number four, but it's so important they moved it up to number three, is continuous vulnerability assessment and remediation, the goal of which is to continuously acquire, assess and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers. It's also important because around us we have a constant stream of threat intelligence. This comes to us from pretty much everywhere: from vendors like Microsoft and Cisco, security researchers like Bruce Schneier and Brian Krebs, and lots of other sources that we'll get to in a minute, and failing to keep pace with this just allows for easier exploitation. So, example: here you have a vulnerability that's published, and not responsibly published, so at that time the information becomes available to everybody. It's available to the bad guys to weaponize and exploit, to the vendors so that they can develop and deploy patches, and to us, the good guys, to remediate and apply those patches and other defensive measures. So this isn't so much a how-to on vulnerability management as it is about my experience implementing this at a client. This client is back in Charlotte, North Carolina, and this client has 25,000 devices, and these are workstations and
servers and point-of-sale; IoT is in there, and they're running Cisco and Windows and AIX and ESX in there, and countless applications. So when we started this program with them, they had pretty much nothing, and what they had was always reactionary. So here's our scenario: there's an existing vulnerability discovered. I mean, what do you think happens? From experience, you know what's happened in your organizations; this was ours, all the time, every time. So what would happen is everybody's hair was on fire and we had to run this thing down until we figured out what we were going to do about it, whether we were going to remediate it, if it needed to be remediated, and how to address it from there. So here's our next scenario: here's a possibly applicable vulnerability. We might have this, it might be out here, it might be something we need to look at; it's on Windows, we know we've got Windows, that's about it. So what happened? This, every single time again: everybody's all crazy, everybody's hair is on fire, we're running around trying to figure out how to address this vulnerability. And this process was ultimately effective; we eventually got patches applied, eventually got updates done, but it was incredibly inefficient and just exhausting to everybody who had to facilitate it, namely me. So from my experience, we have three primary components of vulnerability management. Number one, vulnerability
discovery: finding out the information that's out there. Secondly, we have vulnerability notification: taking the information we got from our sources and relaying it to whoever can remediate those vulnerabilities. And finally, verification: taking what they've said they've done and just verifying that it's complete. All right, so the first goal that we wanted to accomplish here was to improve our vulnerability discovery, our awareness of what was out there. So our first step here: we deployed a vulnerability scanner, which happened to be Rapid7 Nexpose, and the first thing we did was run a discovery scan. Now this client runs a /8 IP address space, so in case you're ridiculously good at math or just happen to know this, that's almost 17 million IP addresses, and this took weeks and weeks to complete, but it was minimally invasive, didn't crash anything, thank God, and it gathered basic information. Now for every asset Nexpose gave us an IP address; if it could be fingerprinted, then we would get an operating system and sometimes the hostname as well. So that would give us the basic building blocks that we needed to scan further, and to do that we would do credentialed scans. We had an administrative service account that we would plug into Nexpose, and then it would scan those devices with the service account. Now if the credentials were valid it would bring back a lot more information, and since most of what we were using was Windows, that was very valuable information for figuring out what kind of software we had out there. So the next aspect for us in improving our vulnerability discovery was a daily or weekly review, depending on the source of information, and to do this we had lots of sources. First of all, the National Vulnerability Database, the NVD, and this is a multi-format, downloadable, searchable database that lets you look and see everything that's out there this week; we could compare it against last week's and see what was new. It was especially fun the first time we looked at it and had to sort through 25 years of vulnerabilities and figure out what
we might need to address. Secondly, the United States Computer Emergency Response Team, or US-CERT, and they provide notification services; they have a weekly security bulletin for us to look at. Next up, vendor-specific alerts: so here's your Patch Tuesday and your regular updates from Cisco and VMware and Oracle and whatever other vendors you're using. So the next source: security research and aggregation sources, and these include Threatpost, CSO Online and the CyberWire. Also, we had a penetration test done as part of a compliance process, so after going through this for a little bit we learned to incorporate the findings from the penetration test as well, a very valuable source of information. And finally, social media, so like Brian Krebs, Katie Moussouris, SecurityWeek, Megan Woo is a Twitter account I guess, and their Twitter accounts are constantly updated, so if you're looking for the latest and greatest vulnerability information, Twitter is where you go. So thanks to these sources we've identified some vulnerabilities that we might need to address. So what now? The next aspect we had to consider was resource allocation: how do we prioritize these vulnerabilities in a way that's specific to our organization? So first we looked at how vulnerabilities are scored by the industry, the Common Vulnerability Scoring System, or CVSS, and this is an open framework for communicating the characteristics and severity of vulnerabilities, and CVSS uses three
primary metrics: base, the intrinsic qualities of the vulnerability; temporal, aspects that may change over time; and finally environmental, aspects specific to the organization's environment. And it uses a ten-point scale, as we can see here: low, medium, high and critical. Now these environmental factors that are built into CVSS are there to help organizations try to rate these based on what they're using, so they use these dynamic components, and here's what they look like. And so we had a problem with this, because it's just too subjective, and depending on who was reviewing what vulnerability it was just a mess, because you'd have different people coming up with different results. And, you know, look, it's a lot like this; this is what it felt like trying to figure out those critical components. Yeah, math, am I right? So we devised an alternate and simplified calculation scheme, the Adjusted Scoring System; my acronym needs some work, I've been looking at it for a while now. So the purpose behind this system is to take into account the industry scoring, the CVSS, and combine it with lots of institution-specific factors. So there were three potential factors here, with a maximum score of 10; the CVSS has a maximum score of 10; so we would add those together and we would average those to get us a new enterprise-specific score to help us prioritize. So
the first and largest factor we looked at was external accessibility: if any asset with this vulnerability was accessible from outside the organization, four points; if there were no assets that were vulnerable, they got zero. So the next factor we had was data sensitivity. In our organization we had PCI data, of course, because we're a retailer; this client also operated a pharmacy, so we had personal healthcare information to consider as well, and personally identifiable information. So those rated like this, and they are mutually exclusive, so if you had a system that had all the data types in it, then it wouldn't get six points from this aspect, it would just get the highest one. And the final factor was prevalence, and after playing around with it a little bit, for our organization this is what we came out with as the sweet spot for where we felt prevalence would make the most sense. If you're going to take this and try it elsewhere, you want to adjust these numbers based on the size of the organization. So by implementing the Adjusted Scoring System we go from this down to this; so it's much simpler, right? So let's look at a practical example. We were using Cisco ISE in our organization, and the supplicant for that is AnyConnect, so we had this on just about every single Windows device out there, so quite a few devices, and it was rated a high severity, a 7.8. So we had to look at it and figure out, okay, we know this is a problem, how do we address it? So we took into account our different factors: internal only, within PCI scope, way more than 50 devices. So we did our math down here and came out with an adjusted score of 6.9: still important, still needs to be addressed, just, you know, not right now. And this chart by the PCI DSS shows us this as well; it's the same scale we talked about a minute ago, but for low, remediation is not required, so we had a lot of those that just booted right out of the park, nothing to worry about there. For medium, it has to be addressed within 90 days, and so in the previous example it knocked down from we have to fix it in 30 days to now we have to fix it within 90 days, and that made it a little bit simpler, and we could prioritize anything above that that was more important according to our system. So we scored the vulnerabilities and we prioritized them for our organization, and then a throwback movie reference for you. So we get to the second component, vulnerability notification: taking all this information and relaying it to the person responsible for remediation. So this client had about half a dozen administrative teams to address these
vulnerabilities on a different level for example we may have a Windows server that's running Oracle so we had the windows team that patched windows and the database team that passed Oracle so we'd have to have those teams working together to remediate that and that's just one example there was several vulnerabilities that pass through every single team just just because of the nature of the vulnerability so we would limit the number of vulnerabilities to 10 per team per month we tried giving them all the vulnerabilities but some of them had hundreds they didn't take that too well yeah so to do this we would start with an expose report top-25 remediations with details very important gave us a good
jumping-off point and based on that we would create two documents the first one we give them a spreadsheet overview so they could see at a glance here's your ten here's what you need to look at and then give them all the information about our external factors the CVE etc and then we do a second one a detailed document that would have that information plus any links that they might need to to remediate this and there were quite a few it took some practice to get this going the right direction but if we didn't do this they would bug the snot out of us trying to figure out how to get us to tell them how to do their jobs which is fun of
course so we had the reports assembled and we met with the teams so we had two meetings per team per month and in these meetings we had the team of course we had the security team of course and we tried to involve their management as much as possible they needed some some encouragement let's say let's put it that way so the initial meeting the documents are presented to him and we tried this an email at first but we found that they would either ignore the email or what kind of give us half answers so it was important for us to get out in front of these teams and give them the opportunity to respond to look us in the
eye and understand that this is important it's something you need to look at and do something with it so we'd have the first meeting and then they'd come back for a second meeting and they'd have our documents that were marked up and annotated with what they had done or our doing or what they had plan to do so in these documents that we got back from them we saw there were four responses the first response not applicable don't have it not using that component no problem secondly false positive can be disregarded also throw it right out no problem next it can be remediated and here's where we come back to our timeline for a mediation within 30 days
for critic or ha within 90 days from medium that's great that's the best case scenario or finally it cannot be remediated in the predetermined time frame or at all so we had a problem on our hands so when we got the response from the team that they were unable to remediated it remediated on time or at all then we would generate a risk acceptance plan so why do we need a risk acceptance plan it's very simple because at first we would try to just Slough it off you know just kind of shrug our shoulders it's not that big a deal but we came to realize that these things have to be run by and approved by senior
management because it's not up to the security team to accept risk it's not up but the security team to accept risk I can't say that loudly or frequently enough but instead it's the job of the security team to come in to inform and advise and what constitutes senior management so we thought about doing this at different levels at first so having just is manager signed off on some of them based on severity or the VP of is or the C so based on what it was we ended up having everybody go through the VP of is I just seemed to make the most sense for us but senior management for your organization a good rule of
thumb is whoever's most likely to get fired if it goes sideways that's a pretty good rule of thumb to decide who needs to sign off on it so after we would put together so what goes into a risk acceptance plan so we would lay out our documentation so we would give a detailed description everything that management needed to know about the vulnerability to make an informed decision including the scope so how many devices were affected the platform's so what type of devices were affected are we talking about our point of sale here are we talking about our servers are we just talking about workstations it's important to get this information across and also in here you want to lay out
your worst-case you so that since they're signing off on it you won't then have a good understanding of what they're signing elephone and what the full implications of it could be so you list your worst case scenario you go through all the bad and then you can come in and list the good and here's where our vulnerabilities some of them just weren't that big a deal because we had mitigating controls around him and then so because of these mitigating controls it didn't really matter so in our mitigating control is included your ids/ips so your Cisco firepower your secure works firewalls Cisco a si pas Palo Alto your antivirus your network segmentation we had some where the
device that was vulnerable completely segmented from everything else what kind of risk is that almost zero and application whitelisting I'm telling you that's the way to go if you haven't heard of application whitelisting what are you doing at this conference if you have heard and are look you should look into it if you've looked into it and implemented it good for you ghost are you are on the road to success and including here anything that might mitigate the risk of the vulnerability so now we get to our third component remediation verification ensuring that remediation is complete because teams will tell you that it is when is really not so we discover vulnerability has been remediated and
the remediation has been reported all right so that's what we would hope for from them in this case it's up to the security team to go out and collect evidence so what constitutes evidence well if you found out about it through your vulnerability scanner it's pretty simple you just were you run the scan on the devices if it shows clean you're in good shape also configuration and patch level screenshots for vulnerabilities that were discovered house out of an expose those are a little tougher also vendor reports so your Microsoft baseline secured analyzer MBSA could independently verify this as well as we used f5 load balancers so they have their own tool where you can import your
configuration and it'll come back and tell you all the patches and configuration issues with it it's pretty handy so now that I've discussed my experiences when bolon really vulnerability management I wanted to provide some suggestions so if you want to get this started up at your organization or improve your stance on this as a company you know here are some things you can look at so the first recommendation bring in a consulting firm to perform a security audit based on those top 20 critical security controls and these security controls include number one inventory of authorized an unauthorized devices so there's your an expose discovery scan number two inventory of authorized and unauthorized software so there's your credential scans that
give you that information and number three phoner ability management which is why I'm standing up here so our second second recommendation stand up with vulnerability scan are compatible with most if not all devices in your organization a simple discovery scan the first pass they're relatively quick mentally invasive it might take a while but it's going to help you a lot just to understand the assets you have out there secondly run your credential scans that we talked about a minute ago and based on the size of your organization you'll want to break these down by IP range or geographical location and organization unit or asset type next create device hardening standards a good way to do
that do this and here we're back to the Center for Internet Security see is they have the CIS benchmarks these are super handy and they allow they provide advice for hardening a device based on this operating system and those are all included here cisco router switch firewall all the operating system and even multi-function devices even printers there's covered there I thought that was neat some vulnerability scanners you have an expose and necess or two examples I'm going to use can run a specific type of scan against a device and provide a CIS benchmark report which is very handy when you're trying to put out some documentation for your auditors I know necess has a really cool
capability where you can export your router switch config into necess and then we're doing offline scan come back and tell you everything that's wrong they're really cool especially since next bugs wouldn't do what we needed to do there no offense to expose it's our next recommendation hire professional penetration testing firm and you want them to simulate attacks on any devices that are external outside your organization in that external space anything with sensitive data if you're doing PCI compliance or HIPAA compliance they're probably going to force you to do this anyway and finally anything that's comply related so if these recommendations are a little bit too resource intensive and they can be especially if you're a small
shot look it's a software-as-a-service and these solutions are great because they require minimal infrastructure cost and it allows a person or organization to focus on using the application instead of trying to administer deploy and maintain it it's very handy so our key concept here if you missed everything else I said tune in for this one the key concept is to base an information security program around goals and strategies not a tool or a set of tools vulnerability sources we went through and the vulnerability scanner all that is really handy but no combination of those things can tell you everything you need to know about your environment it's very important you based around goals and strategies so
your approach to vulnerability management has to be comprehensive has to cover as many areas as many device types as possible next it's got to be concerted have all your teams working together towards this common goal of eradicating vulnerabilities because that's going to happen it's really not customized so here's where we get back to our adjusted scoring system so you can have it customized for your organization consistent the same for all teams all vulnerabilities and all circumstances this was important we had those vulnerabilities I talked about it's we just wanted to write off because it's no big deal you know shoulder shrug quick email from our manager we don't need to worry about this but it was
important we found out to be consistent and to hold ourselves to that standard of addressing all the vulnerabilities we came across you know top ten at a time and finally changeable so initially you'll need constant changes to your program we spent close to six months as a team working on our vulnerability management program before we presented it to the first team and we thought it was great we loved it we had celebratory lunches and dinners over it because it was so good we presented the FIR to the first team and it fell apart so just keep that in mind don't get discouraged when you have to change your program 111 two times so in conclusion vulnerability
management's can be a powerful tool for reshaping and information services department engaging in a cyclical process of identifying vulnerabilities notifying the persons responsible for addressing them and tracking the vulnerabilities to complete remediation has the potential to vastly improve an Information Systems department any questions one thing I was wondering is that you described you to get your head quite a big Network yes but I mean with a big network but a bigger pond abilities comes a lot of work right very much and I guess the I see people has had a lot of things underpaid already so so how do you manage to do to do to do that in practice because that's what I mean it
all looks good and great and paper and all that it is great in paper yeah exactly but I mean I mean yes so that's why we wanted to limit ourselves to 10 per team per month because if we came out and wanted you to fix everything and sometimes we could lump them together like if there was your Patch Tuesday and you had two patches that were within that patch Tuesday you could just tell them hey here's all your patch tuesday findings you can go patch those and by living to get to ten per team per month we could let them take small bites and small chunks and pretend that those other ones didn't exist for 30 days it
would get better it would get better teams usually after we had implemented it for about six to eight months we found that the teams only had two or three items per month it had worked its way down that far and improved their business process at the same time to where it was just easier as an organization to deal with owner abilities even outside of our top ten process
how frequently do you run vulnerability scans and do you get pushback from asset owners who say that's an out-of-date scam how do you deal with that so we run them monthly on a monthly basis and it was a rotating schedule so we didn't boner ability scan everything on the first Tuesday of every month for example and it was broken down by IP range device type you know like I talked about a minute ago and we usually would have to do a change request like get it approved by different people but if the asset owner was like we fixed it run another scan we could just do it right then and there on demand you know assuming that we had
time to to run that scan for them and that it wasn't gonna take their system offline which usually was not the case
all right thanks so much guys appreciate it rare for any of you that we're expecting to stay for the next talk due to circumstances beyond our control will be replayed tomorrow at noon in this room so this is the last talk in this room for today
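The adjusted scoring and notification workflow the talk describes, as an added Python example that is not the speaker's code: the 4/0 external-accessibility points, the mutually exclusive data-sensitivity factor, the 30/90-day windows and the ten-per-team cap come from the talk, while the data-sensitivity and prevalence point values, the way the factors blend with the CVSS base score, the Finding fields and the function names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: data-sensitivity and prevalence points are placeholders; the talk gives only 4/0 for external.
DATA_POINTS = {"PHI": 3, "PCI": 2, "PII": 1}              # mutually exclusive: highest wins
PREVALENCE_BANDS = [(10, 0), (50, 1), (float("inf"), 2)]  # (max device count, points)
MAX_POINTS = 4 + 3 + 2
SEVERITY_BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.0, "low")]
WINDOW_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": None}  # PCI DSS, per talk
TEAM_CAP = 10                                             # ten findings per team per month

@dataclass
class Finding:
    name: str
    cvss: float
    team: str
    external: bool
    data_types: tuple
    devices: int

def factor_points(f: Finding) -> int:
    pts = 4 if f.external else 0
    pts += max((DATA_POINTS[d] for d in f.data_types), default=0)
    pts += next(p for limit, p in PREVALENCE_BANDS if f.devices <= limit)
    return pts

def adjusted_score(f: Finding) -> float:
    # Hypothetical blend (assumption): factors scale the base score between 50% and 100%.
    return round(f.cvss * (0.5 + 0.5 * factor_points(f) / MAX_POINTS), 1)

def severity(score: float) -> str:
    return next(name for floor, name in SEVERITY_BANDS if score >= floor)

def due_date(score: float, found_iso: str):
    """Remediation deadline as an ISO date string, or None when none is required."""
    days = WINDOW_DAYS[severity(score)]
    if days is None:
        return None
    return (date.fromisoformat(found_iso) + timedelta(days=days)).isoformat()

def monthly_assignments(findings):
    """Top TEAM_CAP findings per team, highest adjusted score first."""
    per_team = {}
    for f in sorted(findings, key=adjusted_score, reverse=True):
        if len(per_team.setdefault(f.team, [])) < TEAM_CAP:
            per_team[f.team].append(f)
    return per_team

def next_action(response: str) -> str:
    """Map a team's written response to what the security team does next."""
    return {"not_applicable": "close", "false_positive": "close",
            "remediated": "verify_by_rescan", "cannot": "risk_acceptance_plan"}[response]

# Constructed sample modelled on the talk's AnyConnect case (internal, PCI, >50 devices).
ANYCONNECT = Finding("AnyConnect", 7.8, "windows", False, ("PCI",), 2000)
```

With these placeholder weights the AnyConnect case lands in the medium band and gets a 90-day window; the talk's own weights produced 6.9, so only the structure, not the number, is the point.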