Stakeholder Specific Visualization and Automated Reporting of Network Scanning Results
11. DFN-Forum Kommunikationstechnologien, Günzburg, 27 June 2018
Tanja Hanauer, Stefan Metzger
23.07.18 Leibniz-Rechenzentrum 2
Agenda
- Motivation
- State of the Art
- Process Framework Vis4Sec
- Exemplary Process Iterations
  - Limitation and Control of Network Ports
  - Vulnerable OpenSSL Library
- Conclusion
Motivation
- Overview
- Organizational Knowledge
- Compliance -> Implementation
State of the Art
- Visualization and Data Guidelines
  - Gestalt Theory
  - Tufte's Design Criteria
  - Shneiderman's Information Seeking Mantra
Data Quality Dimensions according to Data Management Association UK
- Completeness: Proportion of stored data against the potential of 100 % complete.
- Uniqueness: No thing will be recorded more than once based upon how that thing is identified.
- Timeliness: The degree to which data represent reality from the required point in time.
- Validity: The data conforms to the syntax (format, type, range) of its definition.
- Accuracy: The degree to which data correctly describes the "real world" object or event being described.
- Consistency: The absence of difference, when comparing two or more representations of a thing against a definition.
State of the Art
- Visualization and Data Guidelines
- Security Best Practices
  - ISO/IEC 27001
  - Critical Security Controls
Security Best Practices
- ISO/IEC 27001
  - 13.1.2 Security of network services
  - 18.2.3 Technical review to ensure compliance with information security policy
- Critical Security Controls
  - CSC 9 Limitation and control of network ports
  - 9.1 Only ports, protocols, and services with validated business needs are running on each system
  - 9.3 Automated regular port scans against all key servers and comparison of the results to a known baseline
State of the Art
- Visualization and Data Guidelines
- Security Best Practices
  - ISO/IEC 27001
  - Critical Security Controls
- Existing Publications
Existing Publications
State of the Art
- Visualization and Data Guidelines
- Security Best Practices
  - ISO/IEC 27001
  - Critical Security Controls
- Existing Publications
- Visualization and Knowledge Processes
  - Ware, Fry, Marty, and Balakrishnan
  - Burkhard
Process Framework Vis4Sec
- Initiation
  - Environment
  - Requirements
  - Stakeholders
  - Planned Actions
- Question Phase
- Data Preparation Phase
  - Data Sources
  - Ensure Data Quality
- Visualization Phase
- Interaction Phase
- Iterations
Initiation
- Environment: Scientific Data Center LRZ
- Requirements
  - Know running services
  - Detect new services
  - Detect and patch potentially vulnerable services
- Stakeholders
  - System and security admins
  - IT management
- Planned Actions
  - Automation of network scans
  - Stakeholder-specific filtering and distribution of results
Question Phase
- What are the reachable ports on each system?
  - Externally
  - Internally
Data Preparation Phase – Data Source I
DR Portscan
  - Centralized regular network scans
  - Aggregated
  - Automated ∆-reporting
  - Information → operations
Data Preparation Phase - Ensure Data Quality I
Data Preparation Phase - Ensure Data Quality II
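The two "Ensure Data Quality" slides carry only figures, so the following added example (not code from the deck or from LRZ) shows what a quality gate over port-scan records looks like when each of the DAMA UK dimensions listed earlier is turned into one check. The record layout, the inventory, the host-side listener lists and the reference time are constructed assumptions; in a real pipeline the inventory comes from the CMDB/inventory DB and the listener lists from the hosts.

```python
"""Data-quality gate for port-scan records, one check per DAMA UK dimension.

Added example, not code from the Vis4Sec deck or LRZ. Record layout, inventory,
host-side listener lists and the reference time are constructed assumptions.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

NOW = datetime(2018, 6, 27, 12, 0, tzinfo=timezone.utc)   # constructed reference time
MAX_AGE = timedelta(days=7)                               # older scans count as stale

# Constructed inventory: every managed host must appear in the scan (completeness).
INVENTORY = {"10.0.0.10": "www1.example.org",
             "10.0.0.20": "hpc1.example.org",
             "10.0.0.30": "printer1.example.org"}

# Constructed host-side truth (what the host itself reports as listening),
# used to judge the accuracy of what the scanner claims.
HOST_LISTENERS = {"10.0.0.10": {("tcp", 22), ("tcp", 443)},
                  "10.0.0.20": {("tcp", 22)}}

# Constructed scan records with one deliberate defect per dimension.
SCAN_RECORDS = [
    {"ip": "10.0.0.10", "host": "www1.example.org", "proto": "tcp", "port": 443,
     "scanned_at": "2018-06-26T02:00:00+00:00"},
    {"ip": "10.0.0.10", "host": "www1.example.org", "proto": "tcp", "port": 443,
     "scanned_at": "2018-06-26T02:00:00+00:00"},            # duplicate row
    {"ip": "10.0.0.20", "host": "hpc-old.example.org", "proto": "tcp", "port": 22,
     "scanned_at": "2018-05-01T02:00:00+00:00"},            # stale; name differs from CMDB
    {"ip": "10.0.0.999", "host": "bogus", "proto": "tcp", "port": 22,
     "scanned_at": "2018-06-26T02:00:00+00:00"},            # invalid IP
    {"ip": "10.0.0.10", "host": "www1.example.org", "proto": "sctp", "port": 70000,
     "scanned_at": "2018-06-26T02:00:00+00:00"},            # invalid proto and port
    {"ip": "10.0.0.20", "host": "hpc1.example.org", "proto": "tcp", "port": 3306,
     "scanned_at": "2018-06-26T02:00:00+00:00"},            # host is not listening there
]


def check_quality(records, inventory, listeners, now=NOW, max_age=MAX_AGE):
    """Return {dimension: [finding, ...]}; an empty list means the check passed.

    Rows that fail validity are excluded from the other checks, so a malformed
    row can neither satisfy completeness nor trigger a false accuracy finding.
    """
    f = {d: [] for d in ("completeness", "uniqueness", "timeliness",
                          "validity", "accuracy", "consistency")}
    seen, scanned_ips = set(), set()
    for i, r in enumerate(records):
        bad = []
        try:
            ipaddress.ip_address(r["ip"])
        except ValueError:
            bad.append("ip")
        if r["proto"] not in ("tcp", "udp"):
            bad.append("proto")
        if not 0 <= r["port"] <= 65535:
            bad.append("port")
        try:
            ts = datetime.fromisoformat(r["scanned_at"])
        except ValueError:
            bad.append("scanned_at")
        if bad:
            f["validity"].append((i, tuple(bad)))
            continue
        scanned_ips.add(r["ip"])
        key = (r["ip"], r["proto"], r["port"], r["scanned_at"])   # identity of one observation
        if key in seen:
            f["uniqueness"].append(key)
        seen.add(key)
        if now - ts > max_age:
            f["timeliness"].append((r["ip"], r["scanned_at"]))
        if r["ip"] in inventory and inventory[r["ip"]] != r["host"]:
            f["consistency"].append((r["ip"], r["host"], inventory[r["ip"]]))
        if r["ip"] in listeners and (r["proto"], r["port"]) not in listeners[r["ip"]]:
            f["accuracy"].append((r["ip"], r["proto"], r["port"]))
    f["completeness"] = sorted(ip for ip in inventory if ip not in scanned_ips)
    return f


if __name__ == "__main__":
    for dim, findings in check_quality(SCAN_RECORDS, INVENTORY, HOST_LISTENERS).items():
        print(f"{dim:13s} {'ok' if not findings else findings}")
```

A practitioner would run this gate before any ∆-report is sent: a host that is missing from the scan (completeness) or a stale run (timeliness) otherwise shows up downstream as "all ports closed", and an accuracy finding (scanner sees a port the host is not listening on) usually means IP reuse or a NAT/load-balancer in the path rather than a real service.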
Data Preparation Phase - Data Source II
- DR Portscan
- Organizational
  - CMDB
  - Inventory DB
  - LDAP
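The deck's "Automated ∆-reporting" and "stakeholder-specific filtering and distribution" come together as follows. This is an added example, not code from the deck or from LRZ's DR Portscan; it assumes the scanner produces nmap XML output and that ownership is available as a CMDB export, both constructed inline here, and it treats the previous run as the baseline that CSC 9.3 asks results to be compared against.

```python
"""Delta (∆) report between two port-scan runs, routed per stakeholder.

Added example, not code from the Vis4Sec deck or LRZ's DR Portscan. Assumed:
nmap XML output (-oX) for both runs and a CMDB export mapping IP -> owner,
all constructed inline.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed baseline run: the known-good state of two hosts.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host><status state="up"/><address addr="10.0.0.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
 </ports></host>
 <host><status state="up"/><address addr="10.0.0.20" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
 </ports></host>
</nmaprun>"""

# Constructed current run: 10.0.0.10 grew a printer port, 10.0.0.20 did not
# answer, and an uninventoried host 10.0.0.30 appeared with NTP reachable.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host><status state="up"/><address addr="10.0.0.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
  <port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port>
 </ports></host>
 <host><status state="down" reason="no-response"/><address addr="10.0.0.20" addrtype="ipv4"/></host>
 <host><status state="up"/><address addr="10.0.0.30" addrtype="ipv4"/><ports>
  <port protocol="udp" portid="123"><state state="open"/><service name="ntp"/></port>
 </ports></host>
</nmaprun>"""

# Constructed CMDB export: IP -> responsible team. 10.0.0.30 is not inventoried.
CMDB_OWNERS = {"10.0.0.10": "web-team", "10.0.0.20": "hpc-ops"}


def parse_nmap_xml(xml_text):
    """Return ({ip: {(proto, port), ...}} for hosts that were up, {ips that were down})."""
    open_ports, down = {}, set()
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            down.add(ip)
            continue
        open_ports[ip] = {(p.get("protocol"), int(p.get("portid")))
                          for p in host.findall("ports/port")
                          if p.find("state").get("state") == "open"}
    return open_ports, down


def delta(baseline, current, current_down):
    """Per host: ports that appeared, ports that vanished, or 'unreached'.

    A host that was down or absent in the new run is reported as unreached,
    never as 'all ports closed': a scan gap is a data-quality problem, not a
    remediation, and must not silently rewrite the baseline.
    """
    report = {}
    for ip in sorted(set(baseline) | set(current) | current_down):
        if ip in current_down or ip not in current:
            report[ip] = {"unreached": True, "added": set(), "removed": set()}
            continue
        old, new = baseline.get(ip, set()), current[ip]
        report[ip] = {"unreached": False, "added": new - old, "removed": old - new}
    return report


def route(report, owners, default="security-team"):
    """Group changed hosts by CMDB owner; hosts with no owner go to the default
    queue, because a reachable asset nobody owns is itself a finding."""
    per_owner = defaultdict(dict)
    for ip, entry in report.items():
        if entry["unreached"] or entry["added"] or entry["removed"]:
            per_owner[owners.get(ip, default)][ip] = entry
    return dict(per_owner)


def format_report(owner, findings):
    """Plain-text body for one stakeholder's report."""
    lines = [f"Port scan delta for {owner}"]
    for ip, e in sorted(findings.items()):
        if e["unreached"]:
            lines.append(f"  {ip}: not reached in current run (baseline kept)")
        lines += [f"  {ip}: NEW open {pr}/{po}" for pr, po in sorted(e["added"])]
        lines += [f"  {ip}: CLOSED {pr}/{po}" for pr, po in sorted(e["removed"])]
    return "\n".join(lines)


def run(baseline_xml, current_xml, owners):
    """Parse both runs, diff them, and return {owner: {ip: findings}}."""
    base, _ = parse_nmap_xml(baseline_xml)
    cur, down = parse_nmap_xml(current_xml)
    return route(delta(base, cur, down), owners)


if __name__ == "__main__":
    for owner, findings in run(BASELINE_XML, CURRENT_XML, CMDB_OWNERS).items():
        print(format_report(owner, findings), end="\n\n")
```

Each owner sees only the hosts the CMDB assigns to them; unchanged hosts generate no mail, which keeps the report readable enough that the printer port on 10.0.0.10 and the unowned NTP responder actually get looked at. Note that nmap only lists down hosts in its XML when run verbosely, so the `ip not in current` branch is what catches them in the default output.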
Visualization Phase
"Visualization gives you answers to questions you didn't know you had." Ben Shneiderman
Interaction Phase
- Data
- Dashboards
Iteration
Redefined Question:
- What are the externally reachable services that use a vulnerable OpenSSL library?
Data Preparation Phase
- Data Sources
  - Port Scanner
  - Scan: SSL Cipher-Suites
  - Common Vulnerabilities and Exposures
  - Installed software on each system
  - Organizational
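Answering the redefined question means joining several of the data sources on this slide. The following added example (not code from the deck or from LRZ) does that join: the external port scan with a per-port TLS flag, the installed-software inventory per host, an advisory with affected version ranges, and the organizational owner for routing. All inputs, including the affected ranges and the identifier EXAMPLE-ADVISORY, are constructed for illustration and do not describe any real advisory.

```python
"""Which externally reachable TLS services run a vulnerable OpenSSL build?

Added example, not code from the Vis4Sec deck or LRZ. Scan, software inventory,
advisory ranges (EXAMPLE-ADVISORY) and owners are all constructed inputs.
"""
import re

# Constructed external scan: one row per reachable port, with a TLS flag.
EXTERNAL_SCAN = [
    {"ip": "10.0.0.10", "proto": "tcp", "port": 443, "tls": True},
    {"ip": "10.0.0.10", "proto": "tcp", "port": 22, "tls": False},
    {"ip": "10.0.0.20", "proto": "tcp", "port": 8443, "tls": True},
    {"ip": "10.0.0.40", "proto": "tcp", "port": 443, "tls": True},
]
# Constructed installed-software inventory: package -> version per host.
INSTALLED = {
    "10.0.0.10": {"openssl": "1.0.1e-2+deb7u7"},
    "10.0.0.20": {"openssl": "1.0.1h"},
    "10.0.0.40": {},                      # no software data collected for this host
}
# Constructed advisory: half-open upstream ranges [first vulnerable, first fixed).
ADVISORY = {"id": "EXAMPLE-ADVISORY", "package": "openssl",
            "affected": [("1.0.1", "1.0.1g")]}
OWNERS = {"10.0.0.10": "web-team", "10.0.0.20": "hpc-ops"}   # constructed CMDB export

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")


def openssl_key(version):
    """Sortable key for pre-3.0 OpenSSL version strings such as '1.0.1e'.

    Anything after the upstream part (a distribution revision like '-2+deb7u7')
    is ignored; that is why a match is a lead to verify, not a verdict.
    """
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparseable OpenSSL version: {version!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def is_affected(version, affected):
    """True if version falls in any [first_vulnerable, first_fixed) range."""
    k = openssl_key(version)
    return any(openssl_key(lo) <= k < openssl_key(hi) for lo, hi in affected)


def exposed_vulnerable_services(scan, installed, advisory, owners,
                                default_owner="security-team"):
    """Join scan -> installed software -> advisory and return routable findings.

    Status is 'vulnerable' when the installed version is in an affected range
    and 'unknown' when the host has no software data at all: a reachable TLS
    service whose library state nobody knows still deserves a ticket. Hosts
    with a version outside every range produce no finding.
    """
    findings = []
    for svc in scan:
        if not svc["tls"]:
            continue                               # no TLS endpoint on this port
        version = installed.get(svc["ip"], {}).get(advisory["package"])
        if version is None:
            status = "unknown"
        elif is_affected(version, advisory["affected"]):
            status = "vulnerable"
        else:
            continue
        findings.append({"ip": svc["ip"], "port": f'{svc["proto"]}/{svc["port"]}',
                         "version": version, "status": status,
                         "advisory": advisory["id"],
                         "owner": owners.get(svc["ip"], default_owner)})
    return findings


if __name__ == "__main__":
    for fnd in exposed_vulnerable_services(EXTERNAL_SCAN, INSTALLED, ADVISORY, OWNERS):
        print(fnd)
```

Two caveats a practitioner would add before mailing such findings: distributions backport fixes without changing the upstream version string (the constructed `1.0.1e-2+deb7u7` is the typical shape), so the comparison that counts is the distribution's own fixed package version using the package manager's ordering (for example `dpkg --compare-versions`), not the upstream range alone; and a service may ship its own statically linked or bundled OpenSSL, which the package inventory does not see. The "Scan: SSL Cipher-Suites" source on the slide is the cross-check for both: what the TLS endpoint actually negotiates is observed from the outside, independent of what the inventory claims is installed.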
Visualization + Interaction Phase
- Data
- Dashboards
- Reports
Conclusion Process Iterations
Various iterations
- Vulnerabilities
- Unneeded open ports
  - Printer (9100)
  - NTP (123)
- Stakeholders
- Controls
  - Authorized devices
  - Updates and patching
Improvement
- Settings corrected
- …
- Awareness
Further Iterations
- Updates
- Vulnerabilities
- Transferable to further
  - Vulnerabilities
  - Security controls
  - Security approaches
Conclusion
- Initiates
  - Communication among stakeholders
  - Revision of security settings
  - Security and data awareness
- Supports
  - Implementation of compliance requirements
  - Organizational knowledge generation and transfer
  - Overview of existing systems and security state
- Knowledge: IT management + IT operations
Thank you for your attention
Source adapted from https://xkcd.com/1354/