Infosec Fright Night: MORE Macabre Tales of Vulnerability Management Gone Awry

I want to share some stories from my consulting experience. They will SHOCK and AMAZE you! Or maybe not. But they’re pretty funny. Or sad. Or both.

Transcript of Infosec Fright Night: MORE Macabre Tales of Vulnerability Management Gone Awry

Page 1: Infosec Fright Night: MORE Macabre Tales of Vulnerability Management Gone Awry

I want to share some stories from my consulting experience. They will SHOCK and AMAZE you! Or maybe not. But they’re pretty funny. Or sad. Or both.

Page 2: A Security Horror Story: Macabre Tales of Vulnerability Management Gone Awry

Dave Shackleford, Voodoo Security

Page 3: The Problem

• As a consultant, I see a lot of really bad vulnerability management practices
• Sometimes organizations are “doing it wrong”.
  – OK, nobody’s perfect.
• There are lessons to be learned in these stories, though…DESPITE how painful they may be.

Page 4: The Case of The…

Page 5: The Story

• Mid-sized organization in the manufacturing industry
• Had set up an enterprise vulnerability scanner configured for authenticated scans
• An admin account had been added to the environment for scanning Windows systems

Page 6: So…What’s the Big Deal?

• This credential was WEAK
• As in… “Password1” weak.
• Yeah.
• So...things went in an interesting direction
• And by interesting...
  – ...well, we all know what that means.

Page 7: Strange Things Were Seen…

…IN THE LOGS!!!!!

Page 8: The Story?

• The scanning account got popped.
• You have to secure the account used for authenticated scans and lock it down TIGHT
• This one:
  – Weak
  – Never Expired
  – And everywhere…
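The two halves of this story, the account that was weak, never expired and everywhere, and the strange things that showed up in the logs, can both be turned into routine checks. The script below is an added example written for this transcript, not material from the talk or from any scanner vendor. It assumes two things the deck does not state: that the scanner only ever authenticates from a known set of source addresses (here the constructed `AUTHORIZED_SCANNER_IPS`), and that logon events are available as simple records (the constructed `EVENTS` list stands in for Windows 4624/4625 events pulled from a SIEM). The account record `SCAN_ACCOUNT_RECORD` is likewise constructed to look like a directory export plus the result of a password audit.

```python
"""Audit a vulnerability-scanner service account and detect its misuse.

Added example (not from the talk). Inputs are constructed stand-ins for a
directory export and for Windows logon events collected in a SIEM.
"""
from collections import Counter

# Assumption: only this host is allowed to authenticate as the scan account.
AUTHORIZED_SCANNER_IPS = {"10.0.5.20"}
SCAN_ACCOUNT = "svc_vulnscan"
# Logon type 3 = network (what a scanner does); 2 = console, 10 = RDP.
# A scan account has no business logging on interactively.
INTERACTIVE_LOGON_TYPES = {2, 10}

# Constructed account record, in the shape a directory export might give.
SCAN_ACCOUNT_RECORD = {
    "name": "svc_vulnscan",
    "password_never_expires": True,
    "password_age_days": 900,
    "password_audit_failed": True,   # constructed: a password audit matched a banned value
    "member_of": ["Domain Admins"],
    "local_admin_hosts": 412,        # hosts where the account is a local administrator
    "total_hosts": 412,
}

# Constructed logon events: (timestamp, account, source ip, target host, logon type).
EVENTS = [
    ("2016-10-28T02:00:01", "svc_vulnscan", "10.0.5.20", "FILE01", 3),
    ("2016-10-28T02:00:03", "svc_vulnscan", "10.0.5.20", "FILE02", 3),
    ("2016-10-28T02:00:05", "svc_vulnscan", "10.0.5.20", "DC01", 3),
    ("2016-10-28T14:12:44", "svc_vulnscan", "10.0.77.9", "FILE01", 3),   # not the scanner
    ("2016-10-28T14:13:10", "svc_vulnscan", "10.0.77.9", "FILE02", 10),  # RDP with a scan account
    ("2016-10-28T14:13:30", "svc_vulnscan", "10.0.77.9", "DC01", 10),
    ("2016-10-28T14:20:00", "jsmith", "10.0.77.9", "FILE01", 10),         # unrelated user
]


def account_policy_findings(acct, max_password_age=90):
    """Flag the three properties the talk calls out: weak, never expires, everywhere."""
    findings = []
    if acct["password_audit_failed"]:
        findings.append("weak-password")
    if acct["password_never_expires"]:
        findings.append("password-never-expires")
    if acct["password_age_days"] > max_password_age:
        findings.append("password-stale")
    if "Domain Admins" in acct["member_of"]:
        findings.append("domain-admin")
    if acct["local_admin_hosts"] == acct["total_hosts"]:
        findings.append("admin-everywhere")
    return findings


def detect_scan_account_misuse(events, account=SCAN_ACCOUNT, authorized=AUTHORIZED_SCANNER_IPS):
    """Return one alert per logon by the scan account that did not come from the
    scanner or that used an interactive logon type."""
    alerts = []
    for ts, user, src, target, logon_type in events:
        if user != account:
            continue
        reasons = []
        if src not in authorized:
            reasons.append("unauthorized-source")
        if logon_type in INTERACTIVE_LOGON_TYPES:
            reasons.append("interactive-logon")
        if reasons:
            alerts.append({"time": ts, "source": src, "target": target, "reasons": reasons})
    return alerts


def alerts_by_source(alerts):
    """Count alerts per source address so a single rogue host stands out."""
    return Counter(a["source"] for a in alerts)


if __name__ == "__main__":
    print("account findings:", account_policy_findings(SCAN_ACCOUNT_RECORD))
    for a in detect_scan_account_misuse(EVENTS):
        print(a)
    print("alerts per source:", alerts_by_source(detect_scan_account_misuse(EVENTS)))
```

The account check is what you would run before the scanner goes live; the logon check is the detection you would leave running afterwards, keyed on the one fact a scan account makes easy to enforce: it should only ever authenticate from the scanner, over the network, never at a console or over RDP.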

Page 9: Where the %$*& are the METRICS?

Page 10: Where it all began…

• This, my friends, is a sad tale of political failure
• The organization was a midsize financial firm
• The vulnerability management program was slowly gaining traction
• Gains were won! The program marched onward!

Page 11: But Then! THEY GOT A NEW CIO!!!

Page 12: The team…

…WAS UNPREPARED!!!

Page 13: The Aftermath

• The CIO was not impressed with the team’s lack of metrics and tracking
• She diverted her attention to other projects and initiatives
• The group didn’t lose all funding, but saw a reduction in budget
  – They also did not get headcount approval

Page 14: 10,000 Page Report!

Page 15: The Setup

• Company: Large Healthcare Organization
• 3 people doing vulnerability management
• Their program:
  – Scanning
  – Some threat intel
  – Patch and config guidance
• They thought they were doing everything right…

Page 16:

Page 17: There was a DISCONNECT

• The Ops teams had no direction
• They were prioritizing three things:
  – Availability
  – Availability
  – Availability
• They didn’t have time to pick and choose what to fix…and the security team...

Page 18: provided a 10,000 page report!!!

Page 19: The Lesson Learned

• The Ops team had analysis paralysis.
• The security team had to focus the results they provided:
  – Reduce and vet false positives
  – Prioritize the top 10 issues
  – Work with the team to socialize and explain the proposed fixes (patches, etc.)
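The three bullets above describe a pipeline: drop the vetted false positives, score what is left, and hand operations a short list. The script below is an added example for this transcript, not the healthcare team's tooling or any scanner's feature. It assumes a scanner export with one row per (host, plugin) carrying a CVSS score, a vendor fix identifier and an exploit-availability flag, plus an asset-criticality rating from the inventory; all of that is constructed here (`FINDINGS`, `ASSET_CRITICALITY`, `VETTED_FALSE_POSITIVES`), and apart from MS08-067, which the talk itself mentions, the patch names are placeholders. The one design point worth copying is that findings are grouped by the fix, not by the finding, because a patch that closes the same hole on forty hosts is one work item for Ops, not forty report pages.

```python
"""Turn a huge scanner export into a short, prioritized fix list.

Added example (not from the talk). All inputs below are constructed.
"""
from collections import defaultdict

# Constructed: which hosts matter most (1 = low, 3 = crown jewels).
ASSET_CRITICALITY = {"web01": 3, "web02": 3, "db01": 3, "print01": 1, "kiosk07": 1, "hr-app": 2}

# Constructed: plugins the security team has already vetted as false positives.
VETTED_FALSE_POSITIVES = {"plugin-777"}

# Constructed scanner export rows. Fix identifiers other than MS08-067 are placeholders.
FINDINGS = [
    {"host": "web01", "plugin": "plugin-101", "title": "Outdated TLS library", "cvss": 9.8, "fix": "tls-lib-upgrade", "exploit_public": True},
    {"host": "web02", "plugin": "plugin-101", "title": "Outdated TLS library", "cvss": 9.8, "fix": "tls-lib-upgrade", "exploit_public": True},
    {"host": "db01", "plugin": "plugin-202", "title": "MS08-067 missing", "cvss": 10.0, "fix": "MS08-067", "exploit_public": True},
    {"host": "print01", "plugin": "plugin-303", "title": "SNMP default community", "cvss": 7.5, "fix": "snmp-config", "exploit_public": False},
    {"host": "kiosk07", "plugin": "plugin-404", "title": "Self-signed certificate", "cvss": 2.6, "fix": "cert-replace", "exploit_public": False},
    {"host": "hr-app", "plugin": "plugin-777", "title": "Bogus XSS", "cvss": 6.1, "fix": "n/a", "exploit_public": False},
    {"host": "hr-app", "plugin": "plugin-505", "title": "Missing placeholder patch", "cvss": 7.2, "fix": "patch-hr-1", "exploit_public": True},
    {"host": "web01", "plugin": "plugin-404", "title": "Self-signed certificate", "cvss": 2.6, "fix": "cert-replace", "exploit_public": False},
]


def risk_score(finding, criticality):
    """CVSS weighted by how much the host matters and doubled when an exploit is public."""
    weight = criticality.get(finding["host"], 1)
    exploit_factor = 2.0 if finding["exploit_public"] else 1.0
    return finding["cvss"] * weight * exploit_factor


def vet(findings, false_positives):
    """Drop findings the team has already confirmed are noise."""
    return [f for f in findings if f["plugin"] not in false_positives]


def prioritize(findings, criticality=ASSET_CRITICALITY,
               false_positives=VETTED_FALSE_POSITIVES, top_n=10):
    """Group the vetted findings by the fix that closes them and return the
    top_n fixes by total risk, each with the hosts it applies to."""
    by_fix = defaultdict(lambda: {"fix": None, "hosts": set(), "risk": 0.0,
                                  "max_cvss": 0.0, "titles": set()})
    for f in vet(findings, false_positives):
        group = by_fix[f["fix"]]
        group["fix"] = f["fix"]
        group["hosts"].add(f["host"])
        group["risk"] += risk_score(f, criticality)
        group["max_cvss"] = max(group["max_cvss"], f["cvss"])
        group["titles"].add(f["title"])
    ranked = sorted(by_fix.values(), key=lambda g: g["risk"], reverse=True)
    return ranked[:top_n]


if __name__ == "__main__":
    for rank, group in enumerate(prioritize(FINDINGS), start=1):
        print(f"{rank}. {group['fix']}: risk={group['risk']:.1f} "
              f"hosts={sorted(group['hosts'])} max_cvss={group['max_cvss']}")
```

Run as-is it prints five work items instead of eight findings, with the two-host TLS upgrade and the MS08-067 patch at the top; the vetted false positive never reaches Ops at all.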

Page 20: The Mystery of the Selective Patching

Page 21: The Setup

• Large, distributed insurance company
• Many different business units
• Semi-autonomous IT teams in different areas
  – Lots of acquisitions and mergers
• Central vulnerability management (scanning)
  – NOT centralized patching and config mgmt

Page 22: Patch Reporting

• Several local operations teams “self reported” on patch application status:

Page 23: This is where I come in.

• I was hired to work with the internal audit team to assess their vulnerability management program.
• We selected sample servers across all groups.
• Some of the “self reporter” groups’ servers were included.
• These groups had high patch compliance ratings up to this point.

Page 24: What We Found! The Admins Were…

LYING!!!!

Page 25: The Lesson

• The admins were only reporting on RECENT patches – they were still missing many old ones!
• Are you surprised?
  – Don’t answer this.
• You absolutely need to perform authenticated scans and audits to confirm patch levels!
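The trick in this story is a metric definition: "percent of this quarter's patches applied" can be 100% while the host is still missing patches from years ago. The script below is an added example for this transcript, not the insurer's reporting or an auditor's tool. It assumes the self-report is a per-host list of patches the local team says it applied during the window, and that an authenticated scan produces a per-host list of every missing patch with its release date; both data sets are constructed here (`SELF_REPORT`, `SCAN_MISSING`) with placeholder patch names. It computes the number the admins were showing, the number the scan supports, and a per-host reconciliation that separates claims the scan contradicts from old patches the report simply never mentioned.

```python
"""Check self-reported patch compliance against authenticated scan results.

Added example (not from the talk). All inputs below are constructed.
"""
from datetime import date

# Constructed self-report: patches each local team says it applied this quarter.
SELF_REPORT = {
    "srv-claims-01": ["P-2016-09", "P-2016-10"],
    "srv-claims-02": ["P-2016-09", "P-2016-10"],
    "srv-billing-01": ["P-2016-09", "P-2016-10"],
}

# Constructed: the patches this quarter's bulletin required.
REQUIRED_THIS_QUARTER = {"P-2016-09", "P-2016-10"}

# Constructed authenticated-scan output: host -> {missing patch: release date}.
SCAN_MISSING = {
    "srv-claims-01": {"P-2014-03": date(2014, 3, 11), "P-2012-07": date(2012, 7, 10)},
    "srv-claims-02": {},
    "srv-billing-01": {"P-2016-10": date(2016, 10, 11), "P-2015-01": date(2015, 1, 13)},
}

# Constructed audit date used for the "how old is the oldest gap" column.
AS_OF = date(2016, 10, 31)


def self_reported_compliance(report, required):
    """The number the admins were showing: share of hosts whose report covers
    every patch required this quarter. Says nothing about older patches."""
    ok = sum(1 for patches in report.values() if required <= set(patches))
    return ok / len(report)


def scan_confirmed_compliance(scan):
    """Share of hosts with no missing patches of any age, per the authenticated scan."""
    ok = sum(1 for missing in scan.values() if not missing)
    return ok / len(scan)


def reconcile(report, scan, required, as_of):
    """Per host: claims the scan contradicts, old patches the report never
    mentioned, and the age in days of the oldest missing patch."""
    rows = []
    for host in sorted(set(report) | set(scan)):
        claimed = set(report.get(host, []))
        missing = scan.get(host, {})
        contradicted = sorted(p for p in claimed if p in missing)
        unreported_old = sorted(p for p in missing if p not in required)
        oldest_days = max(((as_of - rel).days for rel in missing.values()), default=0)
        rows.append({"host": host, "contradicted": contradicted,
                     "unreported": unreported_old, "oldest_missing_days": oldest_days})
    return rows


def reconcile_sample():
    """Run the reconciliation over the constructed data, keyed by host."""
    rows = reconcile(SELF_REPORT, SCAN_MISSING, REQUIRED_THIS_QUARTER, AS_OF)
    return {row["host"]: row for row in rows}


if __name__ == "__main__":
    print(f"self-reported compliance: {self_reported_compliance(SELF_REPORT, REQUIRED_THIS_QUARTER):.0%}")
    print(f"scan-confirmed compliance: {scan_confirmed_compliance(SCAN_MISSING):.0%}")
    for host, row in reconcile_sample().items():
        print(host, row)
```

On the constructed data the self-report scores 100% and the scan scores 33%: one host is clean, one claims a patch the scan says is still missing, and one is "compliant" while missing patches that are years old.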

Page 26: What’s in your wallet?

DEFAULT CREDENTIALS

Page 27: The Setup

• Company: Global multi-billion SUPERMEGACORP
• Security team: ~40 people
• The gig: Internal pen test

Page 28: Day 1: Start the Pen Test

• Day 1, hour 3:
• Dave: Guys, are these network devices in scope?
• Team: Yes, everything in the subnet.
• Dave: Cool.
• Team: Cool.
• Cool.

Page 29: Day 1: P0wnage Hell

• Day 1, hour 4:
• Dave: Guys, I own most of your network devices in this subnet.
• Team: Nah.
• Dave: Yeah.
• Team: Nope
• Dave: Dudes.

Page 30: Username: ADMIN

Page 31: Password: ADMIN!!!!

Page 32: The Report. The Meeting.

• Was I the super 1337 guy for all of this?
• No.
• What got me ownership of Palo Alto, Cisco, and F5 systems?
• DEFAULT. SYSTEM. CREDENTIALS.

Page 33: The Lesson?

• Testing network devices is CRITICAL as part of your vulnerability management program.
• These were the Achilles Heel of the whole place…and you can do a lot of damage from here.
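The way a program ends up with forty security people and untested firewalls is usually not a decision; it is a coverage gap nobody measured. The script below is an added example for this transcript, not SUPERMEGACORP's tooling or any vendor's feature, and it shows the gap analysis a program owner can run every cycle: join the asset inventory against the scanner's scope and its per-host results, and list every network device that is out of scope, never scanned, or only ever scanned without credentials (so the device-specific checks never ran). The inventory, scope and results (`INVENTORY`, `SCAN_SCOPE`, `SCAN_RESULTS`) are constructed, as is the set of device types counted as network gear.

```python
"""Find network devices the vulnerability program never actually tested.

Added example (not from the talk). All inputs below are constructed.
"""
import ipaddress

# Constructed: subnets the scanner is configured to cover.
SCAN_SCOPE = [ipaddress.ip_network("10.10.0.0/24"), ipaddress.ip_network("10.10.1.0/24")]

# Constructed asset inventory rows.
INVENTORY = [
    {"ip": "10.10.0.1", "type": "firewall", "name": "fw-edge-01"},
    {"ip": "10.10.0.2", "type": "load-balancer", "name": "lb-core-01"},
    {"ip": "10.10.0.3", "type": "switch", "name": "sw-floor3"},
    {"ip": "10.10.1.50", "type": "server", "name": "app01"},
    {"ip": "10.20.0.1", "type": "router", "name": "rtr-branch-07"},
]

# Constructed scan results: ip -> True if the scan authenticated to the device.
SCAN_RESULTS = {"10.10.0.1": True, "10.10.0.2": False, "10.10.1.50": True}

# Constructed: inventory types treated as network devices.
NETWORK_DEVICE_TYPES = {"firewall", "load-balancer", "switch", "router"}


def coverage_gaps(inventory, scan_results, scope, device_types=NETWORK_DEVICE_TYPES):
    """Return every network device with a reason it was not properly tested."""
    gaps = []
    for asset in inventory:
        if asset["type"] not in device_types:
            continue
        addr = ipaddress.ip_address(asset["ip"])
        if not any(addr in net for net in scope):
            status = "out-of-scope"          # scanner never even targets it
        elif asset["ip"] not in scan_results:
            status = "never-scanned"         # in scope, but no result on record
        elif not scan_results[asset["ip"]]:
            status = "unauthenticated-only"  # scanned, but device checks could not run
        else:
            continue                         # properly covered
        gaps.append({"name": asset["name"], "ip": asset["ip"],
                     "type": asset["type"], "status": status})
    return gaps


def coverage_ratio(inventory, scan_results, scope, device_types=NETWORK_DEVICE_TYPES):
    """Fraction of network devices that were scanned with credentials."""
    devices = [a for a in inventory if a["type"] in device_types]
    if not devices:
        return 1.0
    gaps = coverage_gaps(inventory, scan_results, scope, device_types)
    return 1 - len(gaps) / len(devices)


if __name__ == "__main__":
    for gap in coverage_gaps(INVENTORY, SCAN_RESULTS, SCAN_SCOPE):
        print(f"{gap['name']} ({gap['type']}, {gap['ip']}): {gap['status']}")
    print(f"network device coverage: {coverage_ratio(INVENTORY, SCAN_RESULTS, SCAN_SCOPE):.0%}")
```

Three of the four constructed network devices come back as gaps for three different reasons, which is the point: "everything in the subnet" was in scope for the pen test, but it was never in scope for the program.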

Page 34: ADVANCED PERSISTENT VULNERABILITY MANAGEMENT FAILS

Page 35: Fail #1: Patching

• I routinely tell my SANS classes and clients, “It’s hard to find missing patches these days”
  – I’m lying, of course
• Sure, most DMZ systems aren’t missing MS08-067, but it happens.
  – Even ANCIENT patches like MS03-026 (RPC DCOM)

Page 36: Patch Failure? Why?

• Platform coverage
• Deployment scenarios
• Patch installation control
  – Retries
  – Loading on boot
  – Mobile connectivity
• Rollback ability
• Validation ability
• Reporting

Page 37: Fail #2: Desktop Configs

• Organizations routinely suck at this.
• Many lack real standards that are applied at the desktop level
• Everyone SAYS they follow Microsoft or CIS…but they LIE.
• Develop and maintain a standard...and SCAN and AUDIT it.
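"Develop a standard, then scan and audit it" only works if the standard exists in a form a script can check. The example below is added for this transcript and is not the talk's material or any benchmark's official content: it assumes the standard is kept as a dictionary of setting name to rule (`BASELINE`, constructed with a handful of illustrative, CIS-flavoured setting names) and that each desktop's settings arrive as a flat dictionary of the same keys (`DESKTOPS`, constructed, standing in for an export from a configuration-management or scanning tool). A missing setting counts as a failure rather than silently passing, and the fleet summary reports per-setting compliance so the team sees which control is failing everywhere rather than which machine is noisiest.

```python
"""Audit collected desktop settings against a written configuration standard.

Added example (not from the talk). Setting names and values are constructed
and illustrative; a real standard has hundreds of items.
"""

# Constructed baseline. Rule forms: ("eq", v), ("min", v), ("max", v), ("range", lo, hi).
BASELINE = {
    "MinimumPasswordLength": ("min", 14),
    "LockoutThreshold": ("range", 1, 10),   # 0 would mean "never lock out"
    "EnableFirewall": ("eq", 1),
    "EnableLUA": ("eq", 1),
    "AutorunDisabled": ("eq", 1),
    "LocalAdminAccountEnabled": ("eq", 0),
}

# Constructed collected settings per desktop.
DESKTOPS = {
    "WS-1001": {"MinimumPasswordLength": 14, "LockoutThreshold": 5, "EnableFirewall": 1,
                "EnableLUA": 1, "AutorunDisabled": 1, "LocalAdminAccountEnabled": 0},
    "WS-1002": {"MinimumPasswordLength": 8, "LockoutThreshold": 0, "EnableFirewall": 1,
                "EnableLUA": 1, "LocalAdminAccountEnabled": 0},   # AutorunDisabled missing
    "WS-1003": {"MinimumPasswordLength": 14, "LockoutThreshold": 5, "EnableFirewall": 1,
                "EnableLUA": 1, "AutorunDisabled": 1, "LocalAdminAccountEnabled": 1},
}


def check(rule, value):
    """True when value satisfies rule; a missing value (None) never does."""
    if value is None:
        return False
    kind = rule[0]
    if kind == "eq":
        return value == rule[1]
    if kind == "min":
        return value >= rule[1]
    if kind == "max":
        return value <= rule[1]
    if kind == "range":
        return rule[1] <= value <= rule[2]
    raise ValueError(f"unknown rule type {kind!r}")


def audit_host(baseline, settings):
    """List every baseline item this host fails, with expected and actual values."""
    deviations = []
    for name, rule in baseline.items():
        actual = settings.get(name)
        if not check(rule, actual):
            deviations.append({"setting": name, "expected": rule, "actual": actual})
    return deviations


def audit_fleet(baseline, desktops):
    """Return (deviations per host, compliance rate per setting across the fleet)."""
    per_host = {host: audit_host(baseline, cfg) for host, cfg in desktops.items()}
    rates = {}
    for name in baseline:
        failing = sum(1 for devs in per_host.values()
                      if any(d["setting"] == name for d in devs))
        rates[name] = 1 - failing / len(desktops)
    return per_host, rates


if __name__ == "__main__":
    per_host, rates = audit_fleet(BASELINE, DESKTOPS)
    for host, devs in per_host.items():
        print(host, "OK" if not devs else [d["setting"] for d in devs])
    for name, rate in rates.items():
        print(f"{name}: {rate:.0%} compliant")
```

The per-setting rates are the metric worth putting in front of management: "password length is 67% compliant across desktops" is a statement about the standard, while a list of deviating hostnames is just another long report.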

Page 38: Fail #3: Communication

• Vulnerability management is a team effort.
• Without buy-in and commitment from operations teams and others:

YOU. WILL. FAIL.

• Make sure you have visibility and regular meetings to get this done.

Page 39: The Rub

• Vulnerability management can be HARD.
• In 2016, there’s no excuse to be failing THIS badly though.

Page 40: Retina Enterprise Vulnerability Management

Alex DaCosta

Page 41: Retina Vulnerability Management / PowerBroker Privileged Account Management

• BeyondInsight IT Risk Management Platform, with BeyondInsight Clarity Threat Analytics
• Retina Vulnerability Management: Enterprise Vulnerability Management, BeyondSaaS Cloud-Based Scanning, Network Security Scanner, Web Security Scanner
• PowerBroker Privileged Account Management: Privilege Management, Active Directory Bridging, Privileged Password Management, Auditing & Protection
• Platform capabilities: Extensive Reporting, Central Data Warehouse, Asset Discovery, Asset Profiling, Asset Smart Groups, User Management, Workflow & Notification, Third-Party Integration

Page 42: Product Demonstration

Page 43: Poll

Page 44: Thank you for attending!