
Vulnerability Management Solutions

Vulnerability Management Solutions. Harold Toomey Product Manager 13 August 2001. Agenda. Importance of Security Security Policy Security Management Web access management Vulnerability management Intrusion detection Symantec Products ESM – OS Security Web Server Security


Presentation Transcript


  1. Vulnerability Management Solutions Harold Toomey Product Manager 13 August 2001

  2. Agenda
  • Importance of Security
  • Security Policy
  • Security Management
    • Web access management
    • Vulnerability management
    • Intrusion detection
  • Symantec Products
    • ESM – OS Security
    • Web Server Security
    • Database Security
    • Symantec NetRecon – Network Security
  • Questions and Answers

  3. Market Trends (chart: A transformation of the Corporate enterprise; Company A, 20th Century Corporation; Company B, 21st Century Corporation; source: Business Week, August 28th 2000)
  • As technology has changed the way we do business, it changes the way we think about security
  • No longer about keeping people out, but letting people in….

  4. Evolution of Network Intrusions (timeline; events as labelled: Microsoft hacked; Wide-spread Denial-of-Service Attacks (Yahoo!, eBay); “Zombies” appear; SATAN is released; Morris Internet Worm. Source: CERT, Carnegie Mellon University)

  5. 2001 CSI/FBI Computer Crime and Security Survey (chart: Average Reported Losses, Mar 12, 2001; values shown: $4.42 M, $4.45 M, $454K, $322K, $275K; categories: Outside System Penetration, Sabotage and Denial of Services, Unauthorized Insider Access, Financial Fraud, Theft of Proprietary Information)

  6. Risk Remains High
  • $1.6 TRILLION - Estimated worldwide loss in 2000 due to downtime resulting from security breaches and virus attacks. (InformationWeek)
  • $266 BILLION - Estimated cost of damages caused by viruses and computer cracking in U.S. firms in 2000. (InformationWeek)
  • 42% of computers checked were still not running anti-virus software. 32% were infected. (Symantec SecurityCheck)
  • 12:1 - Ratio of the number of times on-line merchants suffer credit card fraud compared to the off-line, bricks-and-mortar counterparts. (Gartner Group)

  7. *

  8. Web Server Security Threat
  • “Web Server Security has been at the forefront of the news throughout the last month, with the archive site attrition.org announcing that it had received a list of around 9,000 Microsoft-IIS sites that had successfully been taken control of by attackers.
  • … Recently it has been receiving over 100 reports of successful attacks in a single day, more than for the entire years of 1995 & 1996.”
  • Source: http://www.netcraft.com/survey/ (Jun 2001)

  9. Web Site Defacements Source: attrition.org

  10. Policy is Key to Security (diagram: Policy; Standards; Procedures, Guidelines & Practices)
  • Mandate to implement security
  • Standard to measure security
  • Basis for all security technology and procedures

  11. Security Objectives
  • Confidentiality: Who sees the data?
  • Integrity: Has the data been tampered with?
  • Availability: Can I access the server or data when I need it?

  12. No Need to Start from Scratch
  • Rather than analyzing every risk, look at what others are doing
  • Meet standard of due care
  • Use existing standards and “Best Practices”
  • Pay attention to regulations and requirements
    • Government
    • Industry
    • Partner

  13. Standards for Operational Security
  • BS7799 security requirements established by the British Government (ISO 17799)
  • SAS 70 and SysTrust requirements established by the AICPA
  • FISCAM requirements established by GAO for federal govt.
  • COBIT requirements established by Information Systems Audit and Control Association (ISACA)
  • IETF Site Security Handbook and User Security Handbook
  • The Top Ten Internet Security Threats from SANS
  • VISA's ten requirements for 21,000 organizations that carry the VISA logo
  • Future – Minimum standards of due care from The Center for Internet Security, a new world-wide standards consortium

  14. Visa’s “Ten Commandments”
  • 1. Install and maintain a working network firewall to protect data accessible via the Internet
  • 2. Keep security patches up-to-date
  • 3. Encrypt stored data accessible from the Internet
  • 4. Encrypt data sent across networks
  • 5. Use and regularly update anti-virus software
  • 6. Restrict access to data by business "need to know"
  • 7. Assign unique IDs to each person with computer access to data
  • 8. Track access to data by unique ID
  • 9. Don't use vendor-supplied defaults for system passwords and other security parameters
  • 10. Regularly test security systems and processes
  Source: www.visabrc.com

  15. Regulations for Operational Security
  • FDIC and OCC regulations for banking industry
  • HIPAA regulations for health care industry
  • SEC regulations for brokerage industry
  • DoD regulations for military commands and contractors
  • FDA regulations for pharmaceutical companies
  • NASA requirements for all its facilities and contractors
  • 1974 Privacy Act with amendments

  16. Metrics for Security Effectiveness
  • Measuring Policy Compliance
    • Percent of organization following policy
    • Number of exemptions granted
  • Measuring Resistance and Response to Attack
    • Number of holes found by vulnerability scan
    • Percent of attacks detected during penetration test
    • Percent of detected attacks with proper response/report
    • Percent of attempted attacks that succeeded
  If you want to manage something, you have to be able to measure it.

  17. Web Access Management (network diagram; labels: Firewall, Web Server, E-mail servers, File Servers, Database Servers, Groupware Servers, Modems, Customers, Partners, Branch Office, Wireless Device, Telecommuters)

  18. Traditional Web Access Management (diagram; labels: Hacker, Web Users & Internet, Service Network (DMZ), Web Servers & Content, Firewall, Application Servers, Secure (Trusted) Network, DB, Auth. DB)

  19. Secure Web Access Management (diagram; labels: Web Users & Internet, Service Network (DMZ), Proxy Server, PKI Auth Agent, LDAP Auth Agent, NT Auth Agent, Other Auth Agents, Firewall, Central Management Server, Secure (Trusted) Network, Authentication Mechanism(s), Web Servers & Content)

  20. Authentication
  • Username/password most common
    • Can be stolen or frequently cracked
    • Use SSL or similar web technology
  • Two-factor authentication is stronger
    • Hardware token, smartcard, etc.
    • Soft token, digital certificate
    • Biometric

  21. Vulnerability Management – Policy Compliance (network diagram; labels: Firewall, Web Server, File Servers, Database Servers, Groupware Servers, Modems, Customers, Partners, Branch Office, Wireless Device, Telecommuters)

  22. Some Typical Vulnerabilities
  • Password strength
  • Out-of-date patch levels
  • Account settings
  • Network parameters
    • NT RAS, NIS, UNIX .rhosts files, ftp, telnet
  • File protections
  • Improperly changed files
  • O/S specific problems
    • Windows NT registry, NetWare NDS, UNIX suid files, etc.
  • Improper CGI and other web vulnerabilities
  • Presence of DDoS “Zombie” code
  G. Mark Hardy
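Three of the host-level checks slide 22 lists (wildcard .rhosts files, UNIX suid files, file protections) implemented as a small policy-compliance walk. This is an added example, not ESM code or anything from the presentation; the filesystem it scans is a constructed temporary tree, and the check ids and severities are this example's own.

```python
import os
import stat
import tempfile

def build_sample_host():
    """Constructed sample tree (not a real host) with a wildcard .rhosts,
    a setuid binary and a world-writable configuration file."""
    root = tempfile.mkdtemp(prefix="esm_demo_")
    home = os.path.join(root, "home", "alice")
    bin_dir = os.path.join(root, "usr", "local", "bin")
    etc = os.path.join(root, "etc")
    for d in (home, bin_dir, etc):
        os.makedirs(d)
    rhosts = os.path.join(home, ".rhosts")
    with open(rhosts, "w") as f:
        f.write("+ +\n")                      # trusts any host and any user
    os.chmod(rhosts, 0o600)
    tool = os.path.join(bin_dir, "backup")
    open(tool, "w").close()
    os.chmod(tool, 0o4755)                    # setuid bit set
    cfg = os.path.join(etc, "app.conf")
    open(cfg, "w").close()
    os.chmod(cfg, 0o666)                      # world-writable
    return root

def check_host(root):
    """Walk the tree and return (severity, check id, relative path) findings,
    the way a host-based agent reports policy violations."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            rel = os.path.relpath(path, root)
            if not stat.S_ISREG(mode):
                continue                      # skip symlinks, devices, etc.
            if name == ".rhosts":
                with open(path) as f:
                    wildcard = any(line.split()[:1] == ["+"] for line in f)
                findings.append(("high" if wildcard else "medium", "rhosts-file", rel))
            if mode & stat.S_ISUID:
                findings.append(("medium", "setuid-file", rel))
            if mode & stat.S_IWOTH:
                findings.append(("high", "world-writable-file", rel))
    return sorted(findings)

if __name__ == "__main__":
    for sev, check, rel in check_host(build_sample_host()):
        print(f"{sev:6} {check:20} {rel}")
```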

  23. Vulnerability Management – Vulnerability Scanning (network diagram; labels: Probe for Vulnerabilities, Firewall, Web Server, File Servers, Database Servers, Groupware Servers, Modems, Customers, Partners, Branch Office, Wireless Device, Telecommuters)

  24. Detect Intruders (network diagram; labels: IDS, Hacker, Firewall, Web Server, File Servers, Database Servers, Groupware Servers, Modems, Customers, Partners, Branch Office, Wireless Device, Telecommuters)

  25. Network and Host IDS Partnership (diagram; labels: Internet, Network IDS, Host IDS)
  • Phase 1: Discover & Map
    • Automated Scanning & Probing
  • Phase 2: Penetrate Perimeter
    • Denial of Service
    • Spoofing
    • Protocol exploits
    • Web appl. attack
  • Phase 3: Attack/Control Resources
    • Password attacks
    • Privilege grabbing
    • Theft
    • Audit trail tampering
    • Admin. changes
    • Vandalism
    • Trojan horses

  26. VM and IDS Matrix
                             Host-Based                   Network-Based
  Vulnerability Management   Enterprise Security Manager  Symantec NetRecon
  Intrusion Detection        Intruder Alert               NetProwler
  • Symantec provides all important components to comprehensive security

  27. Enterprise Security Manager
  • Comprehensive security “health check” of the enterprise from a central location.
  • Automatically discovers and reports vulnerabilities, including areas that do not comply with security policy.
  • Identify systems that are at risk or non-compliant.
  • Consistent, automated, repeatable, on-demand mechanism.
  • Provide baseline and measures by which to manage security.
  Enterprise Security Manager (ESM) is the worldwide leader in host-based Vulnerability Assessment with 68% market share according to IDC. Also, ESM has recently won Secure Computing Magazine’s Academy Award for Best Security Management product.
  G. Mark Hardy

  28. ESM: Manager/Agent Architecture (diagram; labels: GUI, Manager, Network, Code)

  29. ESM - Scales to Virtually any Enterprise (diagram; labels: ESM Console, ESM Managers with Agents, ESM Agents)

  30. Symantec NetRecon
  • Gain a hacker’s eye view of the network.
  • Vulnerability assessment with root cause analysis - leads you to the real problem, not the symptoms
  • Unique path analysis illustrates exact sequence of steps to uncover vulnerability
  • Progressive scanning technology uses information from part of the scan to search deeper for weaknesses.
  • Shares information like a Tiger Team
  NetRecon, in conjunction with ESM, leads the Vulnerability Assessment space with 39% market share according to IDC. Secure Computing Magazine gave NetRecon a four-star overall rating, and recognized it as “capable of discovering more potential vulnerabilities than the competition in certain situations.”
  G. Mark Hardy

  31. NetRecon w/ Progressive Scanning Technology
  • Holistic view of network
  • Searches deeper for network weaknesses
  • Correlates vulnerabilities across systems to demonstrate how related vulnerabilities can lead to attack
  • Shows how low- and medium-risk problems combine to make high-risk problems
  • Uncovers vulnerabilities that other scanners don’t find
  • Enhanced performance provided by parallel objectives
  • Runs faster by filtering out redundant risks

  32. Key Features & Benefits
  • Progressive Scanning
    • Scans entire network as a whole, not just each system in isolation to the others like other scanners
    • Uses information found on one system to penetrate the other systems
  • Path Analysis
    • Illustrates the exact sequence of steps taken to uncover a vulnerability
    • Helps the security administrator to pin-point the root cause of the vulnerabilities
  • Live Update™
    • Incorporates Symantec’s renowned Live Update technology to deliver new vulnerability checks
  • Integrated Password Cracking
    • Actually cracks encrypted passwords as it scans
  • Enterprise Support
    • Is unique in that it also scans non-IP based networks, such as NetWare’s IPX/SPX and NetBEUI protocols
    • Is tightly integrated with ESM
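The correlation idea behind slides 31 and 32 (low-risk findings on several systems combining into a high-risk path, reported as the sequence of hosts involved) as an added example; it is not NetRecon's code and the hosts, check ids and trust relationships are constructed scan results, not real data. Hosts whose .rhosts trust an already reachable host inherit a high rating with the path that explains why.

```python
from collections import deque

RANK = {"low": 1, "medium": 2, "high": 3}
# Constructed scan results (hypothetical hosts): check id -> standalone rating.
# "rhosts-trusts:X" means the host's .rhosts accepts logins from host X.
FINDINGS = {
    "web1":  {"guessable-password": "medium"},
    "app1":  {"rhosts-trusts:web1": "low"},
    "db1":   {"rhosts-trusts:app1": "low", "default-snmp-community": "low"},
    "mail1": {"rhosts-trusts:db1": "low"},
    "dns1":  {"rhosts-trusts:hr9": "low"},   # hr9 was never scanned: no path
}
# Checks that on their own give an outside party a login on the host.
FOOTHOLD = {"guessable-password", "anonymous-ftp-writable-home"}

def trust_edges(findings):
    """Map each trusted host to the hosts whose .rhosts trust it."""
    edges = {}
    for host, checks in findings.items():
        for check in checks:
            if check.startswith("rhosts-trusts:"):
                edges.setdefault(check.split(":", 1)[1], []).append(host)
    return edges

def path_analysis(findings):
    """Breadth-first walk from every foothold host along trust edges.
    Returns {host: [host, ...]}, the sequence of systems that reaches it."""
    edges = trust_edges(findings)
    starts = [h for h, c in findings.items() if FOOTHOLD & set(c)]
    paths = {s: [s] for s in starts}
    queue = deque(starts)
    while queue:
        host = queue.popleft()
        for nxt in edges.get(host, []):
            if nxt not in paths:              # shortest path wins
                paths[nxt] = paths[host] + [nxt]
                queue.append(nxt)
    return paths

def correlated_report(findings):
    """Per host: (rating, explanation). A host on a path from a foothold
    is rated high even though each of its own checks is low."""
    paths = path_analysis(findings)
    report = {}
    for host, checks in findings.items():
        standalone = max(checks.values(), key=RANK.get)
        if host in paths and len(paths[host]) > 1:
            report[host] = ("high", " -> ".join(paths[host]))
        else:
            report[host] = (standalone, host)
    return report
```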

  33. Integrated Host- & Network-Based Security Assessment
  • Security is an on-going process
  • Assessment gives you a baseline from which to build
  • Two approaches to vulnerability assessment
    • Host-based (“privileged access”)
    • Network-based (“hacker’s view”)
  • Each has its own benefits and limits
  • Comprehensive vulnerability assessment includes a combination of both approaches
  • “…a combination of network- and host-based is critical. If you’re doing just one or the other, you’re missing half the elements."
    • InformationWeek, May 29, 2000

  34. ESM Application Security (diagram; labels: Routers, Web Servers, Applications (ERP, CRM), Firewalls, Databases)
  • ESM leads the market in OS-level security, vulnerability assessment and policy compliance
  • Now it is addressing mission-critical e-business components:
  • Integrate both host-based and network-based assessment for comprehensive coverage

  35. ESM Application Security Modules Architecture (diagram; labels: Single integrated view; Application-level security: Firewalls, e-Mail Servers, Applications, Web Servers, Databases, NAV Servers, WAP Servers; Network Components: NetRecon; Operating System security: ESM, Operating Systems)

  36. Current ESM Modules (diagram; labels: ESM for AntiVirus, NetRecon, ESM for WebServers, ESM for Oracle, Operating Systems)
  • Implementation
    • Uses best of host-based and network-based technologies to provide complete assessment coverage

  37. Symantec NetRecon 3.5 Integration
  • Benefits
    • Displays NetRecon scan data in ESM Console
    • Provides a central view of both host-based and network-based assessment and vulnerability data
    • Integrates NetRecon data into ESM reports
    • ESM policies can launch NetRecon scans using ICE
    • Provides trend analysis and other ESM features
  • Each release gets more integrated with ESM
    • .NRD file (v2.0)
    • CLI / ESM Console using ICE (v3.5)
    • Vulnerability correlation (future)

  38. ESM for WebServers
  • Features
    • Network-based approach (hacker’s view)
    • Coverage of all major web servers and OSs
      • Web servers: Apache, Microsoft IIS, Netscape
      • OSs: NT, W2K, XP; Redhat Linux; Unix (Solaris, AIX, HP-UX)
    • Addresses SANS / FBI Top 10 Internet Vulnerabilities
    • Combination of ESM host OS agent + ESM for WebServers = Comprehensive coverage

  39. ESM for WebServers Policy

  40. Assessment Methodology (diagram of web server services probed; labels: Shell, Whois, Printer, FTP (20, 21), CGI / HTTP (80, 8080), Echo, POP3, DNS, Name, Login, Netstat, Gateway, SMTP, Web Server)

  41. Best Practice Configuration
  • Install an ESM Agent on each web server for host-based checks
    • Covers ~80% of vulnerabilities
    • Ensures proper policy compliance
    • OS patches module most critical
  • Install ESM for WebServers on a separate NT workstation, preferably on the same segment as the web server(s)
    • Covers ~20% of remaining vulnerabilities
  • ESM policy options
    • One web server per policy for tight data correlation
    • Multiple web servers per policy to assess a web server farm

  42. ESM for Oracle
  • Features
    • First host-based database vulnerability assessment product on the market
    • Integrates into ESM at the application level
    • Supports Oracle versions 7.3.x – 8.0.6
  • Supported host systems
    • Sun Solaris 2.4 – 2.6
    • IBM AIX 4.1 – 4.3.1 (RS6000)
    • HP-UX 10.20 – 11.x
    • Digital Unix OSF1-AXP v4.0d
      • Oracle 7.3.4 only

  43. ESM for Oracle
  • Benefits
    • Extends policy compliance and management to critical systems
    • Assesses database for known vulnerabilities
    • Integrates database security into enterprise policy management picture

  44. Securing Oracle Instances (diagram; labels: ESM Console, ESM Manager, ESM Agent, ESM for Oracle, Oracle Server (Unix), dB Inst. 1, dB Inst. 2, dB Inst. 3)
  Each Oracle instance may have different priority levels and different security vulnerabilities…

  45. ESM for Oracle Database Checks
  • Coverage of key vulnerabilities associated with Oracle RDBMS
  • Eight Oracle RDBMS assessment groups
    • Access Group
    • Accounts Group
    • Auditing Group
    • File Attributes Group
    • Passwords Group
    • Roles Group
    • Startup Group
    • Table Attributes Group
  • Each group contains multiple key vulnerability checks

  46. ESM for NAV Servers
  • Benefits
    • Best Practice policies to secure Norton Anti-Virus Corporate Edition servers
    • Shows synergy and value between Symantec and AXENT product integration
    • Free to maintenance paying ESM customers

  47. ESM for NAV Servers Architecture (diagram; labels: ESM Enterprise Console; ESM Manager; NAV CE Server - ESM Agent - ESM for NAV Servers Best Practice Policy; Client PCs - ESM Agents)

  48. Security Updates: SWAT Security Update Program
  • What:
    • Team of Security Professionals conducting research on vulnerabilities and delivering detection and countermeasure capabilities to IDvA products.
  • How:
    • Security Updates are deployed via the web and Live Update.
  • Frequency:
    • ESM Security Updates are released quarterly.
    • NetRecon Security Updates are released monthly.
    • In emergencies (DDoS, Trin00, etc.), updates are available within several hours.
  • Track Record (2000):
    • ESM Security Updates added 260 new checks.
    • NetRecon Security Updates added 350 new checks.
    • ESM for WebServers added 246 new checks.

  49. Final Thoughts
  • The SANS' Top Ten list identified CGI vulnerabilities as the #2 issue
  • Security analysts who conduct penetration studies indicate that 80% of break-ins occur because of:
    • 1) Out-of-date, unpatched systems and applications
    • 2) Easy-to-guess passwords
  • “For cyber security, 47% of consumers would like enhanced Web site security measures, safeguards for credit card information and privacy policies.” (USA Today Snapshots – Nov. 27, 2000)
  • Follow best practices to achieve due care
  • Implement process to manage policy and incidents
