WEBVTT

00:00.139 --> 00:03.000
>> Vulnerability management.

00:03.000 --> 00:05.850
The learning objectives
for this lesson are to

00:05.850 --> 00:08.430
define vulnerabilities and
vulnerability management,

00:08.430 --> 00:11.520
to discuss the importance
of patch management,

00:11.520 --> 00:13.485
and to utilize
vulnerability scanners

00:13.485 --> 00:14.940
in vulnerability management.

00:14.940 --> 00:19.050
Let's get started. What
is a vulnerability?

00:19.050 --> 00:21.120
A vulnerability is any area of

00:21.120 --> 00:22.830
your enterprise
where you are not

00:22.830 --> 00:24.630
fully protected and that

00:24.630 --> 00:26.460
could be exploited
by an attacker.

00:26.460 --> 00:28.260
A lot of times people tend to

00:28.260 --> 00:30.405
think of these as
bugs in software,

00:30.405 --> 00:32.010
but this isn't the case.

00:32.010 --> 00:34.320
It could be anything in
your environment that

00:34.320 --> 00:36.960
allows an attacker the
opportunity to exploit.

00:36.960 --> 00:40.220
We'll go over some specific
examples in the next slide,

00:40.220 --> 00:42.860
but what I want you to
take away from now is

00:42.860 --> 00:46.770
that it doesn't have to
be about software only.

00:47.300 --> 00:49.459
Here are some examples.

00:49.459 --> 00:51.470
The first one we'll go
over is staff not being

00:51.470 --> 00:54.110
trained and then they
click on phishing links.

00:54.110 --> 00:57.230
We need to train our staff
because they are not

00:57.230 --> 00:58.820
keeping up with the
latest techniques

00:58.820 --> 01:00.170
that attackers are using.

01:00.170 --> 01:03.110
We can't expect them to know
or even understand those.

01:03.110 --> 01:04.970
It's our job to help teach

01:04.970 --> 01:06.800
them so that they
know these things.

01:06.800 --> 01:08.035
If we're not teaching them,

01:08.035 --> 01:10.405
then that's why they're
clicking on these links.

01:10.405 --> 01:12.500
The next is having
Ethernet ports

01:12.500 --> 01:14.315
in common areas that are live.

01:14.315 --> 01:16.100
Company moves into
a new building,

01:16.100 --> 01:17.240
buys it all up,

01:17.240 --> 01:19.160
has everything plugged
into a switch,

01:19.160 --> 01:21.050
then they have drops
in common areas or

01:21.050 --> 01:23.605
maybe offices that
are not occupied yet.

01:23.605 --> 01:25.280
They're all live, but this gives

01:25.280 --> 01:27.110
an opportunity for an
attacker to come in,

01:27.110 --> 01:28.955
plug in, and be on your network.

01:28.955 --> 01:31.805
If you're not using those
ports, we need to disable them.

01:31.805 --> 01:33.980
You'd be surprised
how many companies

01:33.980 --> 01:35.510
don't have alarm systems.

01:35.510 --> 01:37.250
After spending tens of thousands

01:37.250 --> 01:38.690
or hundreds of
thousands of dollars on

01:38.690 --> 01:40.430
IT infrastructure and not to

01:40.430 --> 01:42.500
mention the value of
the data they have,

01:42.500 --> 01:43.640
you would think
they would consider

01:43.640 --> 01:45.155
having an alarm system.

01:45.155 --> 01:47.390
Next is having servers or other

01:47.390 --> 01:50.060
critical systems that are
not access controlled.

01:50.060 --> 01:51.770
Ideally you want your server and

01:51.770 --> 01:53.210
your networking
infrastructure to

01:53.210 --> 01:54.755
be in its own locked room.

01:54.755 --> 01:57.365
However, we have
seen cases where

01:57.365 --> 01:58.850
someone had a server
that was sitting

01:58.850 --> 02:00.575
in the corner of a small office.

02:00.575 --> 02:02.465
Anyone could have access to it.

02:02.465 --> 02:04.130
If it contains important data

02:04.130 --> 02:05.435
and it needs to be protected,

02:05.435 --> 02:07.190
it needs to be separated.

02:07.190 --> 02:10.250
Next is having laptops that have

02:10.250 --> 02:12.630
VPN access to your
office or they

02:12.630 --> 02:15.385
contain sensitive data but
they're not encrypted.

02:15.385 --> 02:17.570
We'll get into this a
little bit deeper when we

02:17.570 --> 02:19.930
get into compliance
frameworks like HIPAA,

02:19.930 --> 02:21.500
but if you want to
see examples of

02:21.500 --> 02:22.730
companies that
have paid a lot of

02:22.730 --> 02:25.385
money in fines for
violations like this,

02:25.385 --> 02:27.045
go to the HIPAA wall of shame.

02:27.045 --> 02:29.250
There have been several
cases where laptops that

02:29.250 --> 02:31.430
contain patient
information were either

02:31.430 --> 02:33.410
lost or stolen and companies or

02:33.410 --> 02:36.455
practices had to pay out
large sums for that.

02:36.455 --> 02:38.880
If we're going to
have our laptops

02:38.880 --> 02:40.490
going out of the office they

02:40.490 --> 02:42.530
need to be encrypted
at all times.

02:42.530 --> 02:44.900
Finally, we have outdated

02:44.900 --> 02:46.460
software or software that's

02:46.460 --> 02:48.080
no longer supported
by the vendor.

02:48.080 --> 02:49.790
A good example of
this is Windows

02:49.790 --> 02:51.739
7 or Windows Server 2008.

02:51.739 --> 02:53.750
It's no longer
supported by Microsoft,

02:53.750 --> 02:55.160
so it's not getting
those updates for

02:55.160 --> 02:59.040
any new bugs or security
flaws that are found.

02:59.560 --> 03:02.535
Vulnerability
management activities.

03:02.535 --> 03:04.820
Here are some ways we
can go about managing

03:04.820 --> 03:07.250
our vulnerabilities
in our environment.

03:07.250 --> 03:10.370
The first common way is to
use a vulnerability scanner.

03:10.370 --> 03:12.985
We'll go over that in more
detail in the next slide.

03:12.985 --> 03:15.125
The next is patch management.

03:15.125 --> 03:16.625
We want to make sure we deploy

03:16.625 --> 03:18.170
all the patches that
are available for

03:18.170 --> 03:22.465
the devices and the operating
systems in our environment.

03:22.465 --> 03:25.850
Finally, we can perform a risk
assessment to help us find

03:25.850 --> 03:27.320
areas that maybe we weren't

03:27.320 --> 03:29.880
thinking about that
we're vulnerable in.

03:31.630 --> 03:35.270
Vulnerability scanners
are software products

03:35.270 --> 03:36.770
that will scan our network

03:36.770 --> 03:38.840
to see where we
might be vulnerable.

03:38.840 --> 03:41.210
They're going to test devices or

03:41.210 --> 03:43.535
operating systems
against known exploits,

03:43.535 --> 03:45.740
but they're also going to
look for missing patches,

03:45.740 --> 03:48.140
any misconfigurations,
or maybe if we

03:48.140 --> 03:49.190
left things in a default

03:49.190 --> 03:51.085
setting and these
need to be changed.

03:51.085 --> 03:54.500
Two examples of a
vulnerability scanner

03:54.500 --> 03:57.040
will be Nikto and Nessus.

03:57.730 --> 04:01.080
These are some
critical components

04:01.080 --> 04:02.385
of a vulnerability scanner.

04:02.385 --> 04:04.040
We need to consider
if we're going to

04:04.040 --> 04:06.110
use credentials when
we perform a scan.

04:06.110 --> 04:07.940
The reason we might
not want to use

04:07.940 --> 04:09.620
credentials is if we want to

04:09.620 --> 04:11.585
emulate an attacker
in our environment,

04:11.585 --> 04:13.040
an attacker wouldn't yet have

04:13.040 --> 04:15.260
access to a system
that they're scanning,

04:15.260 --> 04:17.750
because of that, they're
not going to be able to get

04:17.750 --> 04:20.165
the full details back from
a vulnerability scanner.

04:20.165 --> 04:23.285
However, for the purposes of
vulnerability management,

04:23.285 --> 04:25.190
we are going to want to
scan with credentials

04:25.190 --> 04:27.455
so that we get back the
full amount of information.

04:27.455 --> 04:29.060
We also need to decide
if we're going to

04:29.060 --> 04:30.515
use agent or agentless.

04:30.515 --> 04:32.150
Do we want to install
a component on

04:32.150 --> 04:34.200
each endpoint before
it's scanned?

04:34.200 --> 04:35.710
We also need to
make sure that we

04:35.710 --> 04:37.195
get a criticality ranking.

04:37.195 --> 04:39.550
This will show the
result of the scan with

04:39.550 --> 04:41.350
the highest urgency at

04:41.350 --> 04:43.835
the top so that we can make
sure those are addressed.

04:43.835 --> 04:45.880
Then finally we
want to decide if

04:45.880 --> 04:47.845
we're going to use
active versus passive.

04:47.845 --> 04:49.660
An active scan will go

04:49.660 --> 04:51.715
through each device
and scan them directly

04:51.715 --> 04:53.500
whereas a passive scan
is going to collect

04:53.500 --> 04:56.780
information in a
more indirect way.

04:57.340 --> 05:00.625
Instructor side
note. Nessus scanner

05:00.625 --> 05:02.485
is a great
vulnerability scanner.

05:02.485 --> 05:04.240
Unfortunately, it's
a little expensive,

05:04.240 --> 05:06.250
but they do offer a
free trial that will

05:06.250 --> 05:08.620
allow you to scan up
to 16 IP addresses.

05:08.620 --> 05:11.395
That's 16 total, not 16 per scan.

05:11.395 --> 05:13.975
It's highly recommended
that you download this.

05:13.975 --> 05:16.505
You can get your feet wet
with a vulnerability scanner.

05:16.505 --> 05:18.390
You can go to the
website on the slide

05:18.390 --> 05:20.420
here, get your free scanner.

05:20.420 --> 05:21.890
Maybe scan a couple
of devices on

05:21.890 --> 05:23.495
your network, see what it finds.

05:23.495 --> 05:25.820
That way you can get an
understanding of how these work

05:25.820 --> 05:26.870
and then how they would be used

05:26.870 --> 05:29.040
in a business environment.

05:30.280 --> 05:34.340
Patch management. This
is about identifying

05:34.340 --> 05:35.660
the missing patches or

05:35.660 --> 05:38.090
updates for every
device on our network.

05:38.090 --> 05:40.835
It's not limited to
just operating systems.

05:40.835 --> 05:44.570
For example, devices like
switches and firewalls and

05:44.570 --> 05:46.130
access points all have

05:46.130 --> 05:48.320
new firmware that's
released from time to time.

05:48.320 --> 05:50.960
These will patch holes
found in those devices.

05:50.960 --> 05:53.345
We want to make sure that
we deploy those too.

05:53.345 --> 05:56.060
Installing missing patches
keeps our systems fully

05:56.060 --> 05:59.550
up-to-date but also closes
those security holes.

06:00.190 --> 06:03.530
Instructor side note. This
is probably not on the test,

06:03.530 --> 06:05.105
but I wanted you
to be aware of it.

06:05.105 --> 06:06.890
Ideally before you go

06:06.890 --> 06:08.960
deploying patches on
your critical systems,

06:08.960 --> 06:10.415
you want to test them first.

06:10.415 --> 06:12.365
Maybe have a test
environment set up,

06:12.365 --> 06:13.610
even a virtual machine that you

06:13.610 --> 06:15.050
can install it on to make sure.

06:15.050 --> 06:16.400
Because we've seen
in the past where

06:16.400 --> 06:17.420
sometimes, for example,

06:17.420 --> 06:19.190
Microsoft releases an update

06:19.190 --> 06:21.710
whose side effect
is blue screens.

06:21.710 --> 06:24.515
We want to be able to test
those before deploying it.

06:24.515 --> 06:26.510
Some organizations actually use

06:26.510 --> 06:27.710
change management that would

06:27.710 --> 06:29.270
require us to test those

06:29.270 --> 06:32.070
and then document them
before deploying.

06:33.130 --> 06:35.990
Vulnerability
information sources.

06:35.990 --> 06:38.285
Where do we find out about
these vulnerabilities?

06:38.285 --> 06:41.000
The first place we would
go to are advisories.

06:41.000 --> 06:43.115
These contain specific data

06:43.115 --> 06:45.290
on the identified vulnerability.

06:45.290 --> 06:47.090
This would include how

06:47.090 --> 06:50.120
the vulnerability is
identified, what it does,

06:50.120 --> 06:52.160
sometimes a
proof-of-concept, and then

06:52.160 --> 06:55.055
maybe any mitigations if
there are any available.

06:55.055 --> 06:56.765
Next would be bulletins.

06:56.765 --> 06:57.950
These are summaries or a

06:57.950 --> 07:00.310
newsletter listing
of advisories.

07:00.310 --> 07:02.420
After that we have
Information Sharing

07:02.420 --> 07:04.295
and Analysis Centers or ISACs.

07:04.295 --> 07:07.190
An ISAC is a non-profit group
that usually specializes in

07:07.190 --> 07:10.750
a specific sector such as
finance or health care.

07:10.750 --> 07:12.590
Finally, we have news reports.

07:12.590 --> 07:14.660
You may end up hearing
about it in the news.

07:14.660 --> 07:17.120
Large cases that hinge

07:17.120 --> 07:20.820
on specific exploits are very
common in the news lately.

07:22.180 --> 07:25.365
Security Content
Automation Protocol.

07:25.365 --> 07:27.005
This is a suite of

07:27.005 --> 07:29.825
interoperable specs that
are designed to standardize

07:29.825 --> 07:32.300
the naming conventions
and the formatting

07:32.300 --> 07:35.350
used to identify and
report on software flaws.

07:35.350 --> 07:38.480
It's made up of open
standards and these enumerate

07:38.480 --> 07:39.500
the software flaws and

07:39.500 --> 07:42.510
the security-related
configuration issues.

07:45.020 --> 07:47.505
SCAP languages.

07:47.505 --> 07:49.160
The first we're
going to discuss is

07:49.160 --> 07:52.610
the Open Vulnerability and
Assessment Language or OVAL.

07:52.610 --> 07:55.700
This provides a consistent
way to collect and

07:55.700 --> 07:58.700
assess the three main aspects
of evaluated systems.

07:58.700 --> 08:00.425
These are the
system information,

08:00.425 --> 08:02.600
the machine state,
and reporting.

08:02.600 --> 08:06.480
Next we have Asset
Reporting Format or ARF.

08:06.480 --> 08:08.330
This correlates reporting

08:08.330 --> 08:10.765
formats to device information.

08:10.765 --> 08:13.830
Next is the Extensible
Configuration Checklist

08:13.830 --> 08:16.850
Description Format or XCCDF.

08:16.850 --> 08:19.820
This is written in XML and
it's designed to provide

08:19.820 --> 08:21.290
a consistent way to define

08:21.290 --> 08:22.400
the benchmarks and

08:22.400 --> 08:25.080
the checks performed
during assessments.

08:27.200 --> 08:30.360
SCAP identification schemes.

08:30.360 --> 08:33.845
First we have the Common
Platform Enumeration or CPE.

08:33.845 --> 08:36.140
These are standardized
naming formats to

08:36.140 --> 08:38.540
help us identify
systems and software.

08:38.540 --> 08:40.590
Then we have Common
Vulnerabilities

08:40.590 --> 08:42.840
and Exposures or CVEs.

08:42.840 --> 08:44.810
This is a list of known

08:44.810 --> 08:46.790
vulnerabilities and
they're formatted with

08:46.790 --> 08:48.770
CVE then the year and then

08:48.770 --> 08:51.260
the actual number that's
assigned to that.

08:51.260 --> 08:52.880
From there we have the Common

08:52.880 --> 08:55.345
Configuration
Enumeration or CCE.

08:55.345 --> 08:58.070
It's similar to CVE
but it focuses on

08:58.070 --> 08:59.570
the configuration issues that

08:59.570 --> 09:02.520
may potentially lead
to a vulnerability.

09:03.310 --> 09:06.380
This is how it all
comes together.

09:06.380 --> 09:08.480
You can see the four main areas

09:08.480 --> 09:09.785
that we're looking to address.

09:09.785 --> 09:11.345
Software vulnerability
management,

09:11.345 --> 09:12.590
configuration management,

09:12.590 --> 09:15.095
compliance management, and
then asset management.

09:15.095 --> 09:16.715
All of these circles overlap

09:16.715 --> 09:18.155
each other in different areas.

09:18.155 --> 09:20.240
However, each part plays

09:20.240 --> 09:23.495
its own role in the
overall method.

09:23.495 --> 09:25.760
For example, if we're going
to look at asset management,

09:25.760 --> 09:27.485
we know that that's
going to be CPE.

09:27.485 --> 09:29.690
This identifies
software and devices.

09:29.690 --> 09:31.600
But if we're looking at
configuration management,

09:31.600 --> 09:35.485
we want CCE; this identifies
configuration controls.

09:35.485 --> 09:37.730
This is a good overview that can

09:37.730 --> 09:40.950
help you understand how
it all works together.

09:42.020 --> 09:44.490
SCAP metrics.

09:44.490 --> 09:48.350
The Common Vulnerability
Scoring System or CVSS.

09:48.350 --> 09:49.670
This is represented by

09:49.670 --> 09:51.020
a numerical score to

09:51.020 --> 09:53.405
show how severe the
vulnerability is.

09:53.405 --> 09:56.315
One thing to keep in mind
is the vulnerability score

09:56.315 --> 09:59.195
is not necessarily the
same for every person.

09:59.195 --> 10:01.340
You may have a
different deployment of

10:01.340 --> 10:03.515
a specific software product

10:03.515 --> 10:05.680
that makes you more
or less vulnerable,

10:05.680 --> 10:07.010
but this is to give you a very

10:07.010 --> 10:08.630
good guide on how this works.

10:08.630 --> 10:11.960
You want to be able to
know that anything in

10:11.960 --> 10:14.270
the higher critical level
needs to be addressed as

10:14.270 --> 10:17.820
soon as possible and then work
your way down from there.

10:18.740 --> 10:21.560
Let's summarize. We discussed

10:21.560 --> 10:23.615
vulnerabilities and
vulnerability scanners.

10:23.615 --> 10:25.160
We also went over vulnerability

10:25.160 --> 10:27.275
management and patch management.

10:27.275 --> 10:29.525
We also discussed SCAP,

10:29.525 --> 10:30.770
the SCAP Languages,

10:30.770 --> 10:34.010
the SCAP Identification
Schemes, and SCAP Metrics.

10:34.010 --> 10:36.515
Let's do some sample questions.

10:36.515 --> 10:39.380
A blank is any weakness

10:39.380 --> 10:42.350
that could be exploited
and lead to a breach.

10:42.380 --> 10:46.065
Vulnerability. Question 2.

10:46.065 --> 10:49.100
Blank helps describe
the three main aspects

10:49.100 --> 10:51.874
to evaluate a system:
system information,

10:51.874 --> 10:54.480
machine state, and reporting.

10:54.650 --> 10:58.830
Open Vulnerability and
Assessment Language or OVAL.

10:58.830 --> 11:02.345
Question 3, which
identification scheme

11:02.345 --> 11:06.030
is responsible for
classifying configurations?

11:06.340 --> 11:10.710
Common Configuration
Enumeration or CCE.

11:10.710 --> 11:13.100
Question 4, after

11:13.100 --> 11:15.470
performing a scan with a
vulnerability scanner,

11:15.470 --> 11:16.730
the report shows that you have

11:16.730 --> 11:19.400
one vulnerability
with a score of 7.4,

11:19.400 --> 11:23.190
what severity rating would
this score represent?

11:24.560 --> 11:27.205
7.0-8.9 is high.

11:27.205 --> 11:29.090
I hope this was helpful
for you and I hope you

11:29.090 --> 11:31.980
learned something, and I'll
see you in the next one.

