No vulnerability, No cry - PvIB (transcript)
![Page 1: No vulnerability, No cry - PvIB...No vulnerability, No cry Alles van waarde is weerloos Chris van den Hooven Security Consultant Nixu PvIB 14 mei 2019](https://reader036.fdocuments.net/reader036/viewer/2022070722/5ee46417ad6a402d666d825a/html5/thumbnails/1.jpg)
No vulnerability, No cry. Everything of value is defenceless ("Alles van waarde is weerloos")
Chris van den Hooven
Security Consultant Nixu
PvIB, 14 May 2019
The polder model
Vulnerabilities in information systems
• Software bug
• Configuration error
• The user?
Exploit

```http
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
```
17/05/2019
Where did this all start? (Code Red, 2001)
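The request on the previous slide is the Code Red signature: a GET for `/default.ida` carrying a long run of padding characters followed by `%u`-encoded bytes. As an added example that is not part of the slides, the Python below looks for that shape from the defender's side, parsing combined-format web-server log lines and flagging matches. The log lines, IP addresses and the padding length are constructed for the example; the separate `.ida`/`.idq` probe rule is my own addition, based on the mitigation of the time (unmapping the Index Server ISAPI extension), not something the slides state.

```python
"""Flag Code Red-style requests (GET /default.ida?NNNN...%u...) in web-server logs."""
import re

# Combined log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Constructed request with the same shape as the slide: a long run of "N"
# padding followed by %u-encoded bytes aimed at /default.ida.
CODE_RED_PATH = (
    "/default.ida?" + "N" * 224
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    + "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3"
    + "%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)

# Constructed sample log lines (not real traffic; documentation IP ranges).
SAMPLE_LOG = "\n".join([
    f'203.0.113.7 - - [19/Jul/2001:10:12:33 +0000] "GET {CODE_RED_PATH} HTTP/1.0" 200 1325 "-" "-"',
    '198.51.100.4 - - [19/Jul/2001:10:12:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [19/Jul/2001:10:13:02 +0000] "GET /default.ida?x=1 HTTP/1.1" 404 210 "-" "curl/7.0"',
])

# 100 or more identical letters in a row: overflow padding, never a normal query string.
LONG_RUN_RE = re.compile(r"([A-Za-z])\1{99,}")


def parse_log_line(line: str):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(path: str):
    """Classify a request path.

    'code-red-signature': /default.ida with overflow padding or a %u-encoded payload.
    'ida-probe'         : any other .ida/.idq request (the extension should be unmapped,
                          so a request for it is worth a look even when it returns 404).
    None                : nothing of interest.
    """
    lower = path.lower()
    target, _, query = lower.partition("?")
    if not target.endswith((".ida", ".idq")):
        return None
    if target.endswith("/default.ida") and (LONG_RUN_RE.search(query) or "%u" in query):
        return "code-red-signature"
    return "ida-probe"


def scan_log(text: str):
    """Return (ip, time, status, reason) for every log line that matches a rule."""
    hits = []
    for line in text.splitlines():
        fields = parse_log_line(line)
        if not fields:
            continue
        reason = classify_request(fields["path"])
        if reason:
            hits.append((fields["ip"], fields["time"], fields["status"], reason))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The status code is kept in the output on purpose: a `200` on the signature line means the server actually processed the request, while a `404` on a probe means the extension was already unmapped.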
Where did this all start? (Slammer/Sapphire, 2003)
Recent publication
Theory
High-level process steps:
• Vulnerability Notification: becoming aware of disclosed vulnerabilities and performing security assessments.
• Vulnerability Identification: manual or automated scanning of technologies throughout the organization.
• Vulnerability Remediation & Mitigation: application of patches, adjustment of configurations, modification of systems, or acceptance of risk.
[Figure: Vulnerability Management process diagram. Alert sources feed the Vulnerability Management process, which hands off to Change Management for fix deployment or other mitigation action.]
Practice
Boring?
Unknowns
• What do you have in house? (IoT?)
• Which vulnerabilities have been published?
• Which of them are a problem for you?
• Are there fixes for them?
• Do you have enough capacity to deal with them?
Source: Guillaume_Lpl/Twitter
Strategy
• Scan
• Identify false positives and remove them from the list
• Identify disasters waiting to happen and fix them as quickly as possible
• Identify low-hanging fruit and fix it quickly
• Handle the rest
Tip: don't patch on Friday afternoon…
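One way to turn the strategy above into a repeatable triage, as an added example that is not the presenter's code: each scan finding is dropped as a false positive, or placed in the disaster, low-hanging-fruit or rest bucket, and the buckets are worked in that order. The findings, host names, vulnerability ids (`VULN-000x` placeholders, not CVEs) and the thresholds for "disaster" (CVSS 9.0 or higher, or internet-facing with a public exploit) and "low-hanging fruit" (a fix exists and takes at most two hours) are my assumptions. The last two functions encode the tip: the next proposed patch window is a working day and never a Friday afternoon.

```python
"""Triage scan findings: drop false positives, then disasters, low-hanging fruit, the rest."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Finding:
    host: str
    vuln_id: str            # placeholder id, not a real CVE
    cvss: float
    internet_facing: bool
    exploit_public: bool    # working exploit code is publicly known
    fix_available: bool
    fix_effort_hours: float
    false_positive: bool    # confirmed by an analyst, e.g. the scanner misread a banner


# Constructed sample findings (placeholder hosts and ids).
FINDINGS = [
    Finding("web-01", "VULN-0001", 9.8, True, True, True, 2, False),
    Finding("web-01", "VULN-0002", 5.3, True, False, True, 1, False),
    Finding("db-01", "VULN-0003", 7.5, False, False, True, 8, False),
    Finding("hr-ws-12", "VULN-0004", 8.1, False, False, True, 1, True),
    Finding("legacy-app", "VULN-0005", 9.1, False, True, False, 40, False),
    Finding("print-srv", "VULN-0006", 4.3, False, False, False, 16, False),
]


def is_disaster(f: Finding) -> bool:
    """Assumed rule: critical severity, or reachable from the internet with a public exploit."""
    return f.cvss >= 9.0 or (f.internet_facing and f.exploit_public)


def is_low_hanging_fruit(f: Finding) -> bool:
    """Assumed rule: a fix exists and takes at most two hours to roll out."""
    return f.fix_available and f.fix_effort_hours <= 2


def triage(findings):
    """Put every finding in exactly one bucket, highest CVSS first within each bucket."""
    buckets = {"false_positive": [], "disaster": [], "low_hanging_fruit": [], "rest": []}
    for f in findings:
        if f.false_positive:
            buckets["false_positive"].append(f)      # removed from the work list
        elif is_disaster(f):
            buckets["disaster"].append(f)            # fix or mitigate first, patch or not
        elif is_low_hanging_fruit(f):
            buckets["low_hanging_fruit"].append(f)
        else:
            buckets["rest"].append(f)
    for bucket in buckets.values():
        bucket.sort(key=lambda f: f.cvss, reverse=True)
    return buckets


def work_order(findings):
    """Vulnerability ids in the order they should be worked, false positives excluded."""
    b = triage(findings)
    return [f.vuln_id for f in b["disaster"] + b["low_hanging_fruit"] + b["rest"]]


def allowed_patch_start(when: datetime) -> bool:
    """Working days only, and nothing that starts on a Friday afternoon."""
    if when.weekday() >= 5:                                 # Saturday, Sunday
        return False
    return not (when.weekday() == 4 and when.hour >= 12)    # Friday from noon onward


def next_patch_window(now: datetime) -> datetime:
    """Earliest allowed window start (09:00 or 13:00) strictly after 'now'."""
    candidate = now.replace(minute=0, second=0, microsecond=0)
    while True:
        candidate += timedelta(hours=1)
        if candidate.hour in (9, 13) and allowed_patch_start(candidate):
            return candidate


def next_patch_window_iso(now_iso: str) -> str:
    """Same as next_patch_window, with ISO 8601 strings in and out."""
    return next_patch_window(datetime.fromisoformat(now_iso)).isoformat()


if __name__ == "__main__":
    print(work_order(FINDINGS))
    print(next_patch_window_iso("2019-05-17T14:00"))   # a Friday afternoon -> Monday 09:00
```

Note that `VULN-0005` lands in the disaster bucket although no fix is available: the slide says "solve", and for a disaster that can mean isolating the system or another mitigation rather than a patch.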
Steps for risk management
• What do you want to protect?
• What is its value (BIA)?
• What are the threats (and the threat actors)?
• What are the vulnerabilities (from a business perspective)?
• What is the risk?
• How much risk is the organisation willing to accept?
Report on it:
• Vulnerability scanning coverage
• Percent of systems with no known (severe) vulnerabilities
• Mean time to mitigate vulnerabilities
• Number of known vulnerabilities
• Mean cost to mitigate vulnerabilities
• Patch policy compliance
• Patch management coverage
• Mean time to patch
• Mean cost to patch
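The metrics listed above can all be computed from a CMDB export plus the scanner and patch records. The Python below does that over constructed data, as an added example that is not taken from the presentation. Assumptions made here: "severe" means CVSS 7.0 or higher, "patch policy compliance" means the patch was installed within 14 days of release, costs are per finding in euros, and the host names are placeholders.

```python
"""Vulnerability and patch management KPIs computed from (constructed) inventory data."""
from datetime import date

SEVERE_CVSS = 7.0       # assumption: 'severe' = CVSS 7.0 or higher
PATCH_SLA_DAYS = 14     # assumption: policy requires installation within 14 days of release

# Constructed inventory (placeholder host names, not real systems).
SYSTEMS = ["web-01", "web-02", "db-01", "hr-ws-12", "print-srv", "legacy-app"]
SCANNED = {"web-01", "web-02", "db-01", "hr-ws-12"}                      # reached by the scanner
PATCH_MANAGED = {"web-01", "web-02", "db-01", "hr-ws-12", "print-srv"}   # enrolled in patch management

# Constructed vulnerability records: (system, cvss, found, mitigated or None, cost in EUR).
VULNS = [
    ("web-01", 9.8, date(2019, 4, 1), date(2019, 4, 3), 400),
    ("web-01", 5.3, date(2019, 4, 1), None, 0),
    ("web-02", 7.5, date(2019, 4, 10), date(2019, 4, 20), 800),
    ("db-01", 4.0, date(2019, 4, 15), None, 0),
    ("hr-ws-12", 8.1, date(2019, 4, 20), date(2019, 4, 22), 100),
    ("legacy-app", 9.1, date(2019, 3, 1), None, 0),   # known from a vendor advisory, still open
]

# Constructed patch records: (system, released, installed, cost in EUR).
PATCHES = [
    ("web-01", date(2019, 4, 2), date(2019, 4, 3), 200),
    ("web-02", date(2019, 4, 2), date(2019, 4, 20), 300),   # outside the 14-day SLA
    ("db-01", date(2019, 4, 2), date(2019, 4, 9), 250),
    ("hr-ws-12", date(2019, 4, 2), date(2019, 4, 4), 50),
]


def _avg(values):
    """Arithmetic mean as a float; 0.0 for an empty series so a report never crashes."""
    values = list(values)
    return sum(values) / len(values) if values else 0.0


def kpis(systems=SYSTEMS, scanned=SCANNED, patch_managed=PATCH_MANAGED,
         vulns=VULNS, patches=PATCHES):
    """Return the KPIs from the slide as a dict (ratios as fractions 0..1, times in days)."""
    all_systems = set(systems)
    open_vulns = [v for v in vulns if v[3] is None]
    closed_vulns = [v for v in vulns if v[3] is not None]
    with_open_severe = {v[0] for v in open_vulns if v[1] >= SEVERE_CVSS}
    return {
        "vulnerability_scanning_coverage": len(scanned & all_systems) / len(systems),
        "pct_systems_no_known_severe": 1 - len(with_open_severe & all_systems) / len(systems),
        "mean_time_to_mitigate_days": _avg((v[3] - v[2]).days for v in closed_vulns),
        "number_of_known_vulnerabilities": len(open_vulns),
        "mean_cost_to_mitigate": _avg(v[4] for v in closed_vulns),
        "patch_policy_compliance": _avg(
            1 if (p[2] - p[1]).days <= PATCH_SLA_DAYS else 0 for p in patches),
        "patch_management_coverage": len(patch_managed & all_systems) / len(systems),
        "mean_time_to_patch_days": _avg((p[2] - p[1]).days for p in patches),
        "mean_cost_to_patch": _avg(p[3] for p in patches),
    }


if __name__ == "__main__":
    for name, value in kpis().items():
        print(f"{name:36s} {value:.2f}")
```

Two of the numbers deserve a glance together: scanning coverage is 4 of 6 systems, and the only open severe vulnerability sits on `legacy-app`, one of the two systems the scanner never reaches. That is exactly the "what do you have in house?" unknown from the earlier slide showing up in the report.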
Better strategy: avoid vulnerabilities
• Ensure a robust architecture
• Minimise the software in use (legacy)
• Minimise the hardware in use (drivers!)
• (Network) segregation of systems
• Hardening of systems
• Automate updates (workstations)
• Have a Secure Development Lifecycle
• Move to the cloud (outsource the problem)
• Awareness sessions (users as a vulnerability)