Tiptoe Through The Network: Practical Vulnerability Assessments in Control Systems Environments, Paul Asadoorian of Tenable Network Security

I will never forget my assignment for a vulnerability assessment against a control systems network. “Hey, can you go somewhere, run “scans” against this system, and oh by the way don’t crash it or a large portion of the USA could lose power”. Needless to say, I turned down that assignment, as they required that a traditional network-based “scan” be run. There has to be a better way to perform assessments in such environments!

Fast forward 10 years later and I’ve worked with much safer techniques for assessing the security of SCADA/Control systems infrastructure. Working for Tenable Network Security has also provided me great insights into several techniques, including:

- Using credentials to login to systems and audit for missing patches and configuration changes
- Tuning vulnerability scans to be less intrusive yet still accurate and providing useful information
- Implementing passive vulnerability scanning to discover hosts on the network and enumerate vulnerabilities, without sending a single packet to the end-user system

1. Tiptoe Through The Network: Practical Vulnerability Assessments in Control Systems Environments
Paul Asadoorian, Product Evangelist, Tenable Network Security

2. About Me
• Currently Product Evangelist at Tenable Network Security
• Founder & CEO of Security Weekly (formerly “PaulDotCom”)
• Worked for Digital Bond in 2008/2009
• Love hacking and breaking embedded systems

3. Warning: Sub-Themes I am Known to Use in All My Presentations
• Ninjas (Check)
• Star Wars Reference
• ONE lolcat
• Old Joke directed at my friend Jack Daniel
• Wife/Kids related humor
• Unicorns

4. I can “scan” your networks without breaking “stuff”
And spoons don’t really sound like airplanes?

5. You Don’t Have to Feel Vulnerable
• There is typical hesitation when scanning a network and/or any systems
• Scans may “cause an undesirable condition on a remote host” (Okay, it could crash it)
• Problem is you must:
   o Identify the device
   o Enumerate vulnerabilities

6. Goals
• Identify assets
• Don’t break stuff
• Discover vulnerabilities
• Report them to people who can fix them
• Continuously discover vulnerabilities that remain
• Report progress to management

7. You Can’t Fix it if You Don’t Know it Exists
• Detect hosts:
   o Netflow Data
   o Firewall Logs
   o Arp Tables
   o Sniff Network Traffic
   o Connection tables
   o Query VMware
   o Look at your logs

8. Check out Bro IDS
• Regex for your network
• Write rules to discover hosts, attacks, vulnerabilities and more
• Command line kung fu, Security Onion
Liam has the coolest title: “Brovangelist”

9. P0f – Passive OS and Host detection
• This tool is 14 years old… (Been around a long time)
• Big thanks to Rob over at the SANS ISC, nice articles and examples
   o http://isc.sans.org/diary/Passive+Scanning+Two+Ways++How-Tos+for+the+Holidays/17246
   o http://isc.sans.org/diary/Scanning+without+Scanning/17189
Not as long as Jack….

10. Sniffing the Network
• Passive sniffing
• Firewalls
• Virtualization
• This shouldn’t be on the network

11. Sniffing & Logging – New Hosts
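As an added example (not from the talk or from Tenable), here is a small Python script in the spirit of slides 7 and 11: it builds a host inventory purely from evidence the network already produces, constructed `arp -an` output and iptables-style firewall log lines, and flags hosts that are absent from an approved asset list, so nothing is ever sent to a fragile device. All addresses, MACs and log lines below are constructed.

```python
import re

# Constructed `arp -an` output (not from the talk). The <incomplete> row is an
# unanswered ARP request and must not be counted as a live host.
ARP_SAMPLE = """\
? (10.10.1.1) at 00:11:22:33:44:01 [ether] on eth0
? (10.10.1.20) at 00:11:22:33:44:20 [ether] on eth0
? (10.10.1.77) at <incomplete> on eth0
"""

# Constructed iptables-style firewall log lines. DPT=502 is Modbus/TCP, a
# typical ICS service; DPT=161 is SNMP.
FW_SAMPLE = """\
Jan 12 03:14:01 fw kernel: IN=eth1 OUT= SRC=10.10.1.20 DST=10.10.2.5 PROTO=TCP SPT=51000 DPT=502
Jan 12 03:15:09 fw kernel: IN=eth1 OUT= SRC=10.10.1.93 DST=10.10.2.5 PROTO=TCP SPT=51002 DPT=502
Jan 12 03:15:10 fw kernel: IN=eth1 OUT= SRC=10.10.1.93 DST=10.10.2.9 PROTO=UDP SPT=40000 DPT=161
"""

ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})")
FW_RE = re.compile(r"SRC=(?P<ip>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) .*DPT=(?P<dport>\d+)")

def hosts_from_arp(text):
    """Return {ip: mac} for resolved ARP entries; <incomplete> rows are skipped."""
    hosts = {}
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            hosts[m["ip"]] = m["mac"]
    return hosts

def hosts_from_fwlog(text):
    """Return {src_ip: set of 'PROTO/dport'} the source was seen talking to."""
    hosts = {}
    for line in text.splitlines():
        m = FW_RE.search(line)
        if m:
            hosts.setdefault(m["ip"], set()).add(f"{m['proto']}/{m['dport']}")
    return hosts

def build_inventory(arp_text, fw_text):
    """Merge both passive sources into {ip: {"mac": ..., "talks_to": ...}}."""
    inv = {}
    for ip, mac in hosts_from_arp(arp_text).items():
        inv.setdefault(ip, {"mac": None, "talks_to": set()})["mac"] = mac
    for ip, svcs in hosts_from_fwlog(fw_text).items():
        inv.setdefault(ip, {"mac": None, "talks_to": set()})["talks_to"] |= svcs
    return inv

def new_hosts(inventory, baseline):
    """IPs seen in passive evidence but missing from the approved asset list."""
    return sorted(set(inventory) - set(baseline))
```

Running `new_hosts(build_inventory(ARP_SAMPLE, FW_SAMPLE), {"10.10.1.1", "10.10.1.20"})` on the sample data reports 10.10.1.93, a host known only from the firewall log, talking Modbus and SNMP, and never appearing in the ARP table of the monitoring box.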
12. Nessus for Host Discovery
• Nessus is an active vulnerability scanner, however:
   o You can use credentials to audit patches
   o Configuration auditing points out flaws
   o Policies are highly configurable
• http://www.tenable.com/blog/using-nessus-for-host-discovery
Ninja convention

13. Credentials: Checking for Patches
• Easy to create, use the wizard
• Upload the SSH keys
• Nessus automatically selects the appropriate plugins

14. Credentials: Checking for Patches (2)

15. Lots of Results, “No Problem”

16. Credentials: Checking Configuration

17. Credentials: Checking Configuration (2)

18. VMware Virtual Machine Info

19. Vulnerability Management
• You must keep up with patches on ALL of your systems
• You must identify easily exploitable vulnerabilities and patch them FAST

20. The Patch Management Struggle
“Our systems are missing patches!” (Security Guy vs. Sysadmin)

21. Step 1 – Define
• Policy – What you will do and where you will do it
• Procedures – How you will do it and who you will do it with
• Get management to sign off on both of the above

22. Step 2 – Communication & Process
• Communicate your policy and procedures to the right people!
• Management, security, administrators and end users

23. Step 3 – Find Them All
• Scan your network (frequently)
• Perform authenticated vulnerability scans
   o Servers & Desktops
   o Network infrastructure
   o Virtualization platform
   o Storage systems
• Sniff your network for vulnerabilities
• Mine your logs for data
These are not the vulnerabilities you’re looking for

24. Application Discovery
• Get rid of applications not supported or not in use
• Reduce your attack platform
• Less stuff to patch

25. Eek, why TELNET?

26. Phone + Wifi
Here’s my number, call me after you patch your phone.

27. Applications
How many browsers do you need?

28. Scanning Embedded Systems

29. This is not a tablet, phone or “phablet”

30. 2012 Wife Christmas Gift
• Has Wifi
• “Runs” Android

31. 2013 Wife Christmas Gift
• Has Wifi
• Runs….?

32. “Scanning” Embedded Systems
• Many embedded devices are Wifi-only
• Some devices are transient or are only online for a short time, then go away
• Many do not react well to an active network-based scan (ICS type devices, for example)
• Resources are an issue (not enough CPU/RAM)

33. Passive Vulnerability Scanner Trending

34. Conclusions
• There are many ways to continually perform host discovery, from sniffing to log monitoring
• Once you’ve identified all the hosts, have a process for vulnerability management
• There are numerous ways in which to “scan” a host, including credentialed patch audits and configuration auditing
• Embedded systems are tricky, require special attention, and passive scanning is best in this case

35. Sub-Themes Check list
• Ninjas
• Star Wars Reference
• ONE lolcat
• Old Joke directed at my friend Jack Daniel
• Wife/Kids related humor
• Unicorns

36. Tenable Resources
Blog: http://blog.tenable.com
Podcast: http://www.tenable.com/podcast
Videos: http://www.youtube.com/tenablesecurity
Discussion portal: https://discussions.nessus.org
Buy Nessus, Perimeter Service, Training & Bundles: https://store.tenable.com
Become a Tenable Partner: https://www.tenable.com/partners

37. Try SecurityCenter and Nessus now
For more information, or to evaluate SecurityCenter Continuous View: http://www.tenable.com/products/securitycenter-continuous-view
Evaluate Nessus free for 14 days: http://www.tenable.com/products/nessus/evaluate

38. Questions?

39. Thank you
Contact me:
Paul Asadoorian – paul@nessus.org for Tenable related items
paul@securityweekly.com for anything else…