Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Enterprise
Vulnerability
Management
Alexander Leonov, Ekaterina Pukhareva,
Alex Smirnoff
1. A variety of Vulnerability Scanners
2. Experience in the use of Tenable SecurityCenter and Nessus
3. How to make an eff...
A variety of Vulnerability Scanners
•When the scan is finished, the results may already be outdated
•False positives
•Per-host licensing
Knowledge base
•How q...
A variety of Vulnerability Scanners
Nessus vs. Openvas
All CVEs: 80196
Nessus CVE links: 35032
OpenVAS CVE links: 29240
Op...
A variety of Vulnerability Scanners
Nessus vs. Openvas
All CVEs: 80196
Nessus CVE links: 35032
OpenVAS CVE links: 29240
Op...
•“Old” vulnerabilities
•Vendor forgot to add links to CVE id
•Vulnerabilities in plugins (N: WordPress VideoWhisper)
•Don’...
In other words
•Vulnerability Scanner is a necessity
•Don't depend too much on them
•Scanner does not detect some vulnerab...
Sometimes a free service detects better
•Linux OS vulnerability scan
•Immediate results
•Dramatically simple
https://vulners.com/#audit
Vulners Linux Audit GUI
•RedHat
•CentOS
•Fedora
•Oracle Linux
•Ubuntu
•Debian
Vulners Linux Audit GUI
Vulners Linux Audit API
curl -H "Accept: application/json" -H "Content-Type: application/json" -X
POST -d '{"os":"centos",...
Experience in the use of Tenable SecurityCenter and Nessus
Architecture
Experience in the use of Tenable SecurityCenter and Nessus
Architecture
Experience in the use of Tenable
SecurityCenter and Nessus
Discovery
Finding a live host
Assessment
What assets?
Analysis
...
Experience in the use of Tenable SecurityCenter and Nessus
Reporting and dashboards
Nessus .audit files (built-in or highly
customized plug-ins)
- Operation systems (SSH, password policy, local
accounts, au...
Experience in the use of Tenable SecurityCenter and Nessus
Homemade Reporting
Graphs:
• MS Critical + Exploitable
• MS Cri...
Experience in the use of Tenable SecurityCenter and Nessus
Homemade Ticketing
● Scanners updating by scripts
● New plugins
● Log-management and monitoring
● Harmless pentest
● FalsePositive
● Authenti...
Nessus Agents
Vulnerability Scanner as a valuable asset
Dangerous audit file
Domain + two-factor
authentication
Role model in SecCenter
Monitoring of using nessus account
Vulnerability Scanner as a v...
Restricting Nessus
permissions
Defaults:scanaccount !requiretty
Cmnd_Alias NESSUSAA = /bin/sh -c echo nessus_su_`echo
[0-9...
What is still wrong
(from NopSec “2016 Outlook: Vulnerability Risk Management and Remediation Trends”)
Risk management?
Asset management?
Threat intelligence?
Detecting scanning gaps?
Do you really need expensive “state of th...
For pentesters
For splunk, big data and fancy tech HUBBLESTACK.IO
For the rest of us
There is an alternative
Import all you scans data to the database
..do anything you want!
Monitor changes, create scopes, custom reports, whatever...
We do not have critical asset inventory!
Wait.. we do. It is called “monitoring”
Use zabbix data to create asset lists
Pus...
Create exploit capabilities description (CVSS sucks!)
Add environment data (internal and external scans at least)
Add anyt...
Upcoming SlideShare
Loading in …5
×

of

Enterprise Vulnerability Management - ZeroNights16 Slide 1 Enterprise Vulnerability Management - ZeroNights16 Slide 2 Enterprise Vulnerability Management - ZeroNights16 Slide 3 Enterprise Vulnerability Management - ZeroNights16 Slide 4 Enterprise Vulnerability Management - ZeroNights16 Slide 5 Enterprise Vulnerability Management - ZeroNights16 Slide 6 Enterprise Vulnerability Management - ZeroNights16 Slide 7 Enterprise Vulnerability Management - ZeroNights16 Slide 8 Enterprise Vulnerability Management - ZeroNights16 Slide 9 Enterprise Vulnerability Management - ZeroNights16 Slide 10 Enterprise Vulnerability Management - ZeroNights16 Slide 11 Enterprise Vulnerability Management - ZeroNights16 Slide 12 Enterprise Vulnerability Management - ZeroNights16 Slide 13 Enterprise Vulnerability Management - ZeroNights16 Slide 14 Enterprise Vulnerability Management - ZeroNights16 Slide 15 Enterprise Vulnerability Management - ZeroNights16 Slide 16 Enterprise Vulnerability Management - ZeroNights16 Slide 17 Enterprise Vulnerability Management - ZeroNights16 Slide 18 Enterprise Vulnerability Management - ZeroNights16 Slide 19 Enterprise Vulnerability Management - ZeroNights16 Slide 20 Enterprise Vulnerability Management - ZeroNights16 Slide 21 Enterprise Vulnerability Management - ZeroNights16 Slide 22 Enterprise Vulnerability Management - ZeroNights16 Slide 23 Enterprise Vulnerability Management - ZeroNights16 Slide 24 Enterprise Vulnerability Management - ZeroNights16 Slide 25 Enterprise Vulnerability Management - ZeroNights16 Slide 26 Enterprise Vulnerability Management - ZeroNights16 Slide 27 Enterprise Vulnerability Management - ZeroNights16 Slide 28 Enterprise Vulnerability Management - ZeroNights16 Slide 29 Enterprise Vulnerability Management - ZeroNights16 Slide 30
Upcoming SlideShare
Vulnerability Intelligence and Assessment with vulners.com
Next
Download to read offline and view in fullscreen.

5 Likes

Share

Download to read offline

Enterprise Vulnerability Management - ZeroNights16

Download to read offline

Presentation by Alexander Leonov, Ekaterina Pukhareva, Alex Smirnoff
ZeroNights Security Conference, 18.11.2016, Moscow

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all

Enterprise Vulnerability Management - ZeroNights16

  1. 1. Enterprise Vulnerability Management Alexander Leonov, Ekaterina Pukhareva, Alex Smirnoff
  2. 2. 1. A variety of Vulnerability Scanners 2. Experience in the use of Tenable SecurityCenter and Nessus 3. How to make an efficient vulnerability management? 4. Vulnerability Scanner as a valuable asset 5. Beyond scanners Content
  3. 3. A variety of Vulnerability Scanners
  4. 4. •When the scan is finished, the results may already be outdated •False positives •Per-host licensing Knowledge base •How quickly vendor adds new vulnerability checks? •No scanners will find all vulnerabilities of any software •Some vulnerabilities may be found only with authorization or correct service banner •You will never know real limitations of the product A variety of Vulnerability Scanners Some problems
  5. 5. A variety of Vulnerability Scanners Nessus vs. Openvas All CVEs: 80196 Nessus CVE links: 35032 OpenVAS CVE links: 29240 OpenVAS vs. Nessus: 3787;25453;9579
  6. 6. A variety of Vulnerability Scanners Nessus vs. Openvas All CVEs: 80196 Nessus CVE links: 35032 OpenVAS CVE links: 29240 OpenVAS vs. Nessus: 3787;25453;9579 2673 OpenVAS plugins 6639 Nessus plugins 38207 OpenVAS plugins and 50896 Nessus plugins All NASL plugins: OpenVAS: 49747 Nessus: 81349
  7. 7. •“Old” vulnerabilities •Vendor forgot to add links to CVE id •Vulnerabilities in plugins (N: WordPress VideoWhisper) •Don’t support “Local” software (N: openMairie) •Stopped adding new vulnerabilities (N: vBulletin, O: Solaris) Why?
  8. 8. In other words •Vulnerability Scanner is a necessity •Don't depend too much on them •Scanner does not detect some vulnerability — it’s YOUR problem not your VM vendor •Choose VM solution you can control •Have alternative sources of Vulnerability Data (vulners.com, vFeed)
  9. 9. Sometimes a free service detects better
  10. 10. •Linux OS vulnerability scan •Immediate results •Dramatically simple https://vulners.com/#audit Vulners Linux Audit GUI
  11. 11. •RedHat •CentOS •Fedora •Oracle Linux •Ubuntu •Debian Vulners Linux Audit GUI
  12. 12. Vulners Linux Audit API curl -H "Accept: application/json" -H "Content-Type: application/json" -X POST -d '{"os":"centos","package":["pcre-8.32-15.el7.x86_64", "samba-common-4.2.3-11.el7_2.noarch", "gnu-free-fonts-common-20120503-8.el7.noarch", "libreport-centos-2.1.11-32.el7.centos.x86_64", "libacl-2.2.51-12.el7.x86_64"],"version":"7"}' https://vulners.com/api/v3/audit/audit + Agent Scanner
  13. 13. Experience in the use of Tenable SecurityCenter and Nessus Architecture
  14. 14. Experience in the use of Tenable SecurityCenter and Nessus Architecture
  15. 15. Experience in the use of Tenable SecurityCenter and Nessus Discovery Finding a live host Assessment What assets? Analysis What to fix first? Remediation Fix the problem • What time for fixing? • Risks? Scan: • External and Internal perimeters Scan for specific assets: • Workstations, Network Servers • What CVSS score? • Fixing • Accepting risks
  16. 16. Experience in the use of Tenable SecurityCenter and Nessus Reporting and dashboards
  17. 17. Nessus .audit files (built-in or highly customized plug-ins) - Operation systems (SSH, password policy, local accounts, audit, etc.) - Databases (privileges, login expiration check, etc.) - Network devices (SSH, SNMP, service finger is disable, etc.) - Etc. Experience in the use of Tenable SecurityCenter and Nessus Compliance checks Checking the PCI DSS requirements and others
  18. 18. Experience in the use of Tenable SecurityCenter and Nessus Homemade Reporting Graphs: • MS Critical + Exploitable • MS Critical • MS Other • Windows Software Tables: • Legend • Top vulnerable hosts • Top vulnerabilities
  19. 19. Experience in the use of Tenable SecurityCenter and Nessus Homemade Ticketing
  20. 20. ● Scanners updating by scripts ● New plugins ● Log-management and monitoring ● Harmless pentest ● FalsePositive ● Authentication Failure Experience in the use of Tenable SecurityCenter and Nessus Usage Problems
  21. 21. Nessus Agents
  22. 22. Vulnerability Scanner as a valuable asset Dangerous audit file
  23. 23. Domain + two-factor authentication Role model in SecCenter Monitoring of using nessus account Vulnerability Scanner as a valuable asset Monitoring
  24. 24. Restricting Nessus permissions Defaults:scanaccount !requiretty Cmnd_Alias NESSUSAA = /bin/sh -c echo nessus_su_`echo [0-9]*[0-9]` ; *; echo nessus_su_`echo [0-9]*[0-9]` Cmnd_Alias NESSUSXA = ! /bin/sh -c echo nessus_su_`echo [0-9]*[0-9]` ; *;*; echo nessus_su_`echo [0-9]*[0-9]` Cmnd_Alias NESSUSXB = ! /bin/sh -c echo nessus_su_`echo [0-9]*;*[0-9]` ; *; echo nessus_su_`echo [0-9]*[0-9]` Cmnd_Alias NESSUSXC = ! /bin/sh -c echo nessus_su_`echo [0-9]*[0-9]` ; *; echo nessus_su_`echo [0-9]*;*[0-9]` scanaccount ALL = (root) NESSUSAA, NESSUSXA, NESSUSXB, NESSUSXC Not officially supported May stop working anytime More like security through obscurity rather than efficient protection
  25. 25. What is still wrong (from NopSec “2016 Outlook: Vulnerability Risk Management and Remediation Trends”)
  26. 26. Risk management? Asset management? Threat intelligence? Detecting scanning gaps? Do you really need expensive “state of the art” solution? ..and what’s beyond vulnerability scanning?
  27. 27. For pentesters For splunk, big data and fancy tech HUBBLESTACK.IO For the rest of us There is an alternative
  28. 28. Import all you scans data to the database ..do anything you want! Monitor changes, create scopes, custom reports, whatever Avoid VM vendor lock-in Simple as that
  29. 29. We do not have critical asset inventory! Wait.. we do. It is called “monitoring” Use zabbix data to create asset lists Push back alerts to zabbix Use case: asset management
  30. 30. Create exploit capabilities description (CVSS sucks!) Add environment data (internal and external scans at least) Add anything you want (threat intel) No part is mandatory! Use case: advanced risk management
  • naderalkahtani

    Jan. 19, 2021
  • KititouchBoonsuwan

    May. 10, 2020
  • DanilaLutsiv

    Aug. 13, 2018
  • mohit027

    May. 22, 2017
  • AndreyAlyabiev

    Apr. 7, 2017

Presentation by Alexander Leonov, Ekaterina Pukhareva, Alex Smirnoff ZeroNights Security Conference, 18.11.2016, Moscow

Views

Total views

8,030

On Slideshare

0

From embeds

0

Number of embeds

4,230

Actions

Downloads

159

Shares

0

Comments

0

Likes

5

×