The ITWeb Security Summit is creeping up on us again and will be happening on the 10-11th of May. This year ITWeb went with something slightly different, and are asking for people to suggest who they'd like to see on day 2. These suggestions will then be voted on. So, if there's someone you're dying to see present or a topic you really want someone to spend some time researching, head over to their community portal and write it down.
In the movie "The American President", the statement is made that America has advanced citizenship and that "you gotta want it bad, because it will put up a fight". The same can be said for vulnerability management. It is never a completed exercise or a process where the status quo can be maintained quite easily, especially in a distributed enterprise environment. The reason: change.
SensePost recognised early on that just having an accurate vulnerability scanner isn't good enough to ensure continuous and less arduous vulnerability management. There needs to be workflow and efficiency build into such a scanner. Hence our HackRack and now lately, our BroadView managed vulnerability scanning offerings.
But, no matter how good a scanner is or how well the workflow has been designed, there is still a very large amount of manual analysis required.
In BroadView, when viewing scan results, by default the Medium, High and Critical findings are shown. Fab and groovy. But, should one just stop there? The Low and Info findings can be as interesting as the rest. For example, a client of ours that usually has a handle on things, had an informational finding about virtual directories being guessable on one of their web servers: the directories "/testing" and "/test" were identified. This "/testing" directory turned out to contain the beta version of a new e-commerce web application and even though reasonable security was in place, a blind SQL injection test showed us they were developing on live data. Just like that, an informational finding became a critical finding. If we had been focused on CVSS scores and risk impact only, this finding would have been flying under the radar.
What we saw on BroadView:
Vulnerability management is not easy. It will put up a fight; be that in the form of stubborn sysadmins not closing the holes or developers taking chances with release candidates and beta products. The vulnerability manager has to be on his/her toes and perform constant scanning and prodding. Vulnerability scanner results should never be taken at face value, and the associations between findings should be understood.
It is wise to keep in mind that vulnerability management is cyclic and repetitive. And as Dr Ruth always used to say: "Once, is not enough". You cannot scan once, find nothing, and sit back and relax. You may just miss your /testing directory.
For our BroadView customers we have added a couple of new blizzards to enhance the process to monitor results.
The Missing Microsoft Patches blizzard combines all the possible patches that could be missing and this is especially necessary where Internet facing targets are scanned. Murphy's Law usually applies where patches and Internet facing devices are concerned - that one patch that can result in pwnage, is normally the one missing.
The output from the Missing Microsoft Patches blizzard would typically consist of an IP:Value output
The jBoss Console blizzard was created after we realised it is becoming more and more prevalent for consoles to be found open during assessments and vulnerability scanning.
Having access to world class pen-testers really does give the vulnerability management team a good insight into which vulnerabilities can actually lead to system compromise.
It is always a little bemusing to hear that we only provide pentests. Since 2001, SensePost has offered a very comprehensible vulnerability management service that's evolved through multiple generations of technologies and methodologies into a service we're very proud of. The Managed Vulnerability Scanning ("MVS") service makes use of our purpose-built BroadView scanning technology to scan a number of high profile South African and European clients. More information can be found here, but the purpose of this post is to introduce it with a basic overview of its deployment.
To give you a better understanding of our coverage, below are a number of statistics from our scanning database.
Number of scans per week: 935 average per week
Number of findings stored: 3 795 963
Number of collected attribute instance: 1 274 016
Number of unique IPs listed as targets: 24723
Number of unique IPs with issues: 4931
However, the stats are not the interesting bit. BroadView goes further than simply storing open issues, it also tags interesting characteristics of the targets using 'attributes', which are pieces of information associated with a finding, but are not necessarily a result. It is possible to query these attributes and tie them back to hosts; this enables you to search across all hosts for matching attributes. The most used attributes are:
So, we have loads of data and it makes for interesting analysis.
The number of targets with potential webservers: 918
And breaking it down further:
The top 3 SSL certificate issuers used:
Next time, more about the dashboard and the blizzards.