
Page 1: Lessons Learned in the Establishment of a Vulnerability Assessment Program James Perry Statewide Security Team Lead University of Tennessee jperry1@utk.edu.

Lessons Learned in the Establishment of a Vulnerability Assessment Program

James Perry
Statewide Security Team Lead
University of Tennessee
jperry1@utk.edu

Page 2

Today’s Agenda

• WHAT is a Vulnerability Assessment?
• WHY do a Vulnerability Assessment?
  • Establish security baseline
  • The “SORRY!” Factor
  • Regulatory Compliance
• HOW to perform a Vulnerability Assessment?
  • Methodology
  • Open-Source and Commercial Tools
• Questions! (hopefully answers)

Page 3

WHAT is a Vulnerability Assessment?

• The process of identifying technical vulnerabilities in computers and networks as well as weaknesses in policies and practices relating to the operation of these systems.

Page 4

WHY do a Vulnerability Assessment

Establish Security Baseline

• Identify “critical” IT infrastructure/data
• Identify potential RISKs and THREATs to confidentiality, integrity, and availability
• Identify EXPOSUREs through assessment
• Develop remediation plans to address exposures

How do you effectively create a defense-in-depth security posture without knowing what you’re protecting and how it needs to be protected?

Page 5

WHY do a Vulnerability Assessment

The “SORRY!” Factor

Hacker hits California University Computer [San Francisco | Reuters News Service, 20 October 2004] – A computer hacker accessed names and Social Security numbers of about 1.4 million Californians after breaking into a University of California, Berkeley, computer system in perhaps the worst attack of its kind ever suffered by the school, officials said yesterday. The names accessed by the hacker were being used by a UC Berkeley researcher.

Page 6

WHY do a Vulnerability Assessment

The “SORRY!” Factor

ATHENS, Ga. (AP) — The University of Georgia has notified 27,000 students via e-mail that a hacker may have accessed their personal information through a school computer server …. are records for every student who applied for undergraduate admission to UGA since August 2002, totaling about 31,000 people.

59,000 Social Security Numbers Stolen from the University of Texas [March 6] – Over 59,000 SSNs belonging to current and former students, faculty, and staff were seized by attackers who hacked into a University of Texas at Austin computer system. Presumably, the goal was identity theft.

Page 7

WHY do a Vulnerability Assessment

The “SORRY!” Factor

A former Boston College student was indicted on Thursday for allegedly installing keystroke-recording software on more than 100 campus computers and accessing databases containing personal information on other students, staff, and faculty.

The records of more than 30,000 people have been stolen from George Mason University in Virginia, opening up the possibility of ID theft for staff and students. George Mason University confirmed on Monday that the personal information of more than 30,000 students, faculty and staff had been nabbed by online intruders. The attackers broke into a server that held details used on campus identity cards, the university said.

Page 8

WHY do a Vulnerability Assessment

The “SORRY!” Factor

Hacker hits California State University [Chico, California | Associated Press, March 22 2005] – Hackers gained personal information of 59,000 people affiliated with a California university -- the latest in a string of high-profile cases of identity theft.

Last April, hackers broke into the computer system of the University of California, San Diego, compromising confidential information on about 380,000 students, teachers, employees, alumni and applicants.

Page 9

WHY do a Vulnerability Assessment

The “SORRY!” Factor

• MAY 14, 2005 – Middle Tennessee State University officials are recommending current and past university faculty and students take precautions to protect their personal information after a security breach into an MTSU computer server was recently discovered. The university announced Friday that someone gained unauthorized access to one of the university's file servers that contained limited personal information. The breach, discovered by an information officer at MTSU, is under investigation by the appropriate authorities, said Lucinda Lea, vice president of the Division of Information Technology at MTSU. Officials are not releasing what information could have been accessed or for what length of time someone had unauthorized access due to the ongoing investigation.

Page 10

WHY do a Vulnerability Assessment

Regulatory Compliance

• HIPAA
• GLBA
• PCI Data Security Standards
  • VISA CISP (Cardholder Information Security Program)
  • MasterCard SDP (Site Data Protection Plan)
• Others coming soon….

Page 11

How to perform a Vulnerability Assessment?

A Successful Vulnerability Assessment Program Requires Three Things!

• Support from Administration
• A Formal Methodology
• Assessment Tools

Page 12

Administration Support

• Approval
• Scope of Assessment
• Handling of Information
• Cost to get started

Page 13

Methodology

Assessment Basics

• Assessments are not audits!
• Assessments should be helpful!
• Assessments should use a consistent and documented methodology

Page 14

Methodology

Assessment Process

• 6 Step Process
  • Assessment Planning
  • Entrance Conference
  • Fieldwork
  • Preparing the Report
  • Exit Conference
  • Report to Management

Page 15

Methodology

Assessment Planning

• Initial Research
  • Policies & Procedures
  • Applicable Laws
  • Best Practices
• Determine assessment scope (signed document)
• Determine assessment strategy
  • What and How
• Create an assessment checklist

Page 16

Methodology

Entrance Conference

• Who should come?
  • Management
  • System Owner
  • System Administrator
  • Assessment Team
• What should be covered?
  • Scope Document
  • Assessment Process
  • Assessment Roles
  • Time Frame

Page 17

Methodology

Fieldwork

• Execution of strategy using checklist
• Report new issues in a timely and professional manner to system owner/administrator as defined in the scope document
• Communication is the key:
  • Humbly report what is found, how you found it, and why it is an issue
  • Be helpful, offer potential solutions to the issue
• Documentation

Page 18

Methodology

Preparing the Report

• Report should include:
  • Executive Summary
  • Describe Purpose of Assessment
  • Describe Scope of Assessment
  • Findings and Recommendations (bullet points)
  • Conclusion
• Draft report reviewed and commented on by system owner/admin

Page 19

Methodology

Exit Conference

• Who should come?
  • Management (?)
  • System Owner
  • System Administrator
  • Assessment Team
• What to cover
  • Review report
  • Assign tasks for remediation/mitigation
  • Establish schedule for future assessments

Page 20

Methodology

Report to Management

• Clear and concise presentation
• Executive summary
• Status of mitigation/remediation efforts
• Discussion/Questions
• “Attaboys” & “Kudos”

Page 21

Needed Assessment Tools

• General purpose scanner with a well-rounded and well-documented database
• Web server and web application scanner
• Database scanners (Oracle, DB2, MySQL, MS SQL)
• Network dump utilities (tcpdump, ethereal)
• Host-based tools (CIS benchmark)
• Other miscellaneous utilities (e.g. nmap, SNMP utilities, individual vulnerability scanners)

Page 22

General Purpose Tools

• Nessus – configurable and free, but be careful of your results. http://www.nessus.org/
• Typhon III – NGS Software; very fast, written in assembly language, few false positives, relatively low cost compared to well-known commercial products. http://www.nextgenss.com/
• ISS Internet Scanner – high cost, slow, but provides some corroboration and has nice information. http://www.iss.net/

Page 23

Web Assessment Tools

• SPI Dynamics WebInspect – easily the best web server and web application scanner; huge database that is kept current – analyzes attack possibilities so that some things aren’t thrown at servers that don’t need to be (yet, this still needs some work – if no 404 then test). http://www.spidynamics.com/

Page 24

Database Scanners

• AppSec Inc. AppDetective – can run pen tests against MS SQL, DB2, Lotus, MySQL, Oracle, and Sybase. http://www.appsecinc.com/
• Next Generation Software Squirrel for Oracle and Squirrel for MS SQL; they also make a DB2 product. http://www.nextgenss.com/

Page 25

Other Utilities

• Nmap – used for information gathering. http://www.insecure.org/nmap/
• Ethereal – used to determine if network traffic is encrypted, look for anomalies in how an application behaves on the network, and to see other systems that may be attempting connections to a given application. http://www.ethereal.com/

Page 26

Host Based Tools and Methods

• CIS Benchmarks – very well written documentation
• One of the recommendations of CIS, on Unix/Linux machines, is to search for files that are setuid/setgid root
• Account policies
• File and directory permissions
• Protection of sensitive data

http://cisecurity.com/
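The setuid/setgid search recommended above, as an added example that is not from the slides or from CIS: a small POSIX shell script that lists setuid/setgid files owned by one account under a directory tree and diffs them against the list saved at the previous assessment, so a privileged binary that appeared since stands out. The owner argument is an assumption: root on a real host (only root-owned files are setuid root), the current user when trying the script unprivileged on a scratch directory.

```shell
#!/bin/sh
# Added example, not from the slides or from CIS: find setuid/setgid files
# owned by one account under a directory tree and compare them with the list
# recorded at the previous assessment. Assumptions: POSIX find/sort/comm;
# OWNER is root on a real host, or the current user when run unprivileged
# against a scratch tree as demo() does.

# Sorted paths of regular files under ROOT owned by OWNER with the setuid or
# setgid bit set. -xdev keeps the walk on one filesystem (baselines are kept
# per volume); "-perm -4000 -o -perm -2000" is the portable way to test bits.
find_privileged() {
    root="$1"; owner="$2"
    find "$root" -xdev -type f -user "$owner" \
        \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Paths that are privileged now but absent from BASELINE, a sorted file of
# paths written by find_privileged at the last assessment.
new_since_baseline() {
    find_privileged "$1" "$2" | comm -13 "$3" -
}

# Number of new privileged files, handy for a nonzero exit in a cron job.
count_new() {
    new_since_baseline "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Demo on a constructed scratch tree (not a real system): one setuid file that
# is already in the baseline and one setgid file that appeared since.
demo() {
    tmp=$(mktemp -d); me=$(id -un)
    mkdir -p "$tmp/bin" "$tmp/sbin"
    : > "$tmp/bin/known";     chmod 4755 "$tmp/bin/known"      # setuid, baselined
    : > "$tmp/sbin/surprise"; chmod 2755 "$tmp/sbin/surprise"  # setgid, new
    : > "$tmp/bin/plain";     chmod 0755 "$tmp/bin/plain"      # no special bits
    printf '%s\n' "$tmp/bin/known" > "$tmp/baseline.txt"
    echo "new privileged files: $(count_new "$tmp" "$me" "$tmp/baseline.txt")"
    new_since_baseline "$tmp" "$me" "$tmp/baseline.txt"   # lists sbin/surprise
    rm -rf "$tmp"
}

demo
```

On a real host, run find_privileged once as root to write the baseline, review every entry by hand, and then diff against it at each later assessment.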

Page 27

Other Utilities

• Nmap – what did we do without it?
• SNMP utilities that allow browsing of MIBs, retrieval of community names, etc.
• Special purpose scanners (e.g. free things from eEye and occasionally ISS)
• Metasploit http://www.metasploit.com/
• Core Impact (for the rich) http://www.coresecurity.com

Page 28

Final Words

• Never completely trust the output from scanners
• Corroborate and verify all results using other scanners, logging onto the console of a given machine(s), analyzing network traffic, manually grabbing banners, attempting to log in, manually trying exploits, etc.
• Errors in diplomacy
• In general, you’re better off writing your own summary reports even though vendor X says “Hey! Guess what! We create really cool reports and pie charts and everything!” – because often the reports are filled with jargon that most people don’t always understand and sometimes are just plain wrong

Page 29

Questions?