Tips to Remediate your Vulnerability Management Program
4 likes790 views
The document outlines strategies for enhancing vulnerability management in cybersecurity, emphasizing the need for security awareness and effective identity management. Key points include the importance of privileged access management, incident response plans, and hardware-based credential protection. It advocates for a comprehensive approach employing best practices and frameworks to address modern security threats and improve organizational resilience against attacks.
Tips to Remediate your Vulnerability Management Program
- 1. Tips to Remediate Your Vulnerability Management Program Paula Januszkiewicz CQURE: CEO, Cybersecurity Expert CQURE Academy: Trainer MVP: Enterprise Security Microsoft Regional Director (not working at Microsoft ;)) www.cqureacademy.com [email protected] @CQUREAcademy @paulaCQURE CONSULTING
- 3. What does CQURE do? CQURE Consulting: Extensive IT Security Audits and Penetration Tests of all kinds Configuration Audit and Architecture Design Social Engineering Tests Advanced Troubleshooting and Debugging Data Analysis Emergency Response Services R&D & Publications CQURE Academy (education): 40 authored deep โ dive trainings Technical education offline (mainly in New York or via our partners worldwide) Technical education online (over 1 million views) Management security awareness training series
- 5. Awareness >> Behavior >> Culture must aim for a responsible security culture.
- 6. I know the traffic rulesโฆ. Awareness comes with experience I know the traffic rulesโฆ.
- 7. Does it guarantee that I am a good driver? Behavior comes with awareness
- 8. Culture comes with understanding
- 9. We have the best security solutionsโฆ
- 10. โฆbut the security landscape has changed.
- 11. Unmanaged & Mobile Clients Sensitive Workloads Cybersecurity Reference Architecture Intranet Extranet Azure Key Vault Azure Security Center โข Security Hygiene โข Threat Detection System Management + Patching - SCCM + Intune Microsoft Azure On Premises Datacenter(s) NGFW IPS DLP SSL Proxy Nearly all customer breaches Microsoftโs Incident Response team investigates involve credential theft 63% of confirmed data breaches involve weak, default, or stolen passwords (Verizon 2016 DBR) IaaS/Hoster $ Windows 10 EPP - Windows Defender Office 365 ATP โข Email Gateway โข Anti-malware EDR - Windows Defender ATPMac OS Multi-Factor Authentication MIM PAMAzure App Gateway Network Security Groups Windows Information Protection AAD PIM Azure Antimalware Disk & Storage Encryption Endpoint DLP Shielded VMs SQL Encryption & Firewall Hello for Business Azure Information Protection (AIP) โข Classification โข Labelling โข Encryption โข Rights Management โข Document Tracking โข Reporting Enterprise Servers VPN VPN Domain Controllers VMs VMs Certification Authority (PKI) Incident Response Vulnerability Management Enterprise Threat Detection Analytics Managed Security Provider OMS ATA SIEM Security Operations Center (SOC) Logs & Analytics Active Threat Detection Hunting Teams Investigation and Recovery WEF SIEM Integration IoT Identity & Access 80% + of employees admit using non-approved SaaS apps for work (Stratecast, December 2013) UEBA Windows 10 Security โข Secure Boot โข Device Guard โข Credential Guard โข Remote Credential Guard โข Windows Hello Managed Clients Legacy Windows Office 365 Security Appliances Intune MDM/MAM Conditional Access Cloud App Security Information Protection Windows Server 2016 Security Secure Boot, Nano Server, Just Enough Admin, Device Guard, Credential Guard, Remote Credential Guard, Hyper-V Containers, โฆ Software as a Service Analytics & Reporting ATA Privileged Access Workstations Internet of Things ASM Lockbox Admin Forest
- 12. According to the industryโs statistics, by 2019 the market will need 6 mln security professionals. But only 4 to 5 million of them will have the needed qualifications. *Source: Financial Times
- 13. SECURITY IN THE ENTERPRISE = ORGANIZATIONAL PROCEDURES WE FOLLOW + VULNERABILITY MANAGEMENT + INSECURE CONFIGURATION MANAGEMENT
- 14. And here come some statisticsโฆ *Based on Trustwave Global Security Report 2013/2014
- 15. Vulnerability Management โ Whatโs This?
- 16. Security Scopes DEFENDING AGAINST MODERN SECURITY THREATS SECURED DEVICES SECURED IDENTITIES INFORMATION PROTECTION THREAT RESISTANCE
- 18. What is the most successful path for the attack right now?
- 19. :) THE ANATOMY OF AN ATTACK Healthy Computer User Receives Email User Lured to Malicious Site Device Infected with Malware
- 20. HelpDesk Logs into Device Identity Stolen, Attacker Has Increased Privs :) Healthy Computer User Receives Email User Lured to Malicious Site Device Infected with Malware
- 21. User Lured to Malicious Site Device Infected with Malware HelpDesk Logs into Device Identity Stolen, Attacker Has Increased Privs ceives il
- 23. โPASS THE HASHโ ATTACKS Todayโs security challenge
- 24. User: Adm... Hash:E1977 Fredโs Laptop Fredโs User Session User: Fred Password hash: A3D7โฆ Sueโs Laptop Sueโs User Session Pass-The-Hash Technique Malware Session User: Administrator Password hash: E1977โฆ Malware User Session User: Admโฆ Hash: E1977 User: Sue Hash: C9DF User: Sue Password hash: C9DFโฆ File Server User: Sue Hash:C9DF 1 3 4 1. FRED RUNS MALWARE, HE IS A LOCAL ADMINISTRATOR 2. THERE IS A PASS THE HASH SESSION ESTABLISHED WITH ANOTHER COMPUTER 3. MALWARE INFECTS SUEโS LAPTOP AS FRED 4. MALWARE INFECTS FILE SERVER AS SUE 2
- 25. Virtual Secure Mode Virtual Secure Mode (VSM) Kernel Credential Guard Hypervisor Hardware Windows Kernel Apps VirtualTPM Hyper-Visor CodeIntegrity
- 27. Class names for keys from HKLMSYSTEMCCSControlLsa HKLMSECURITYCache HKLMSECURITYPolicySecrets HKLMSECURITYPolicySecrets
- 28. Classic Data Protection API Based on the following components: Password, data blob, entropy Is not prone to password resets! Protects from outsiders when being in offline access Effectively protects users data Stores the password history You need to be able to get access to some of your passwords from the past Conclusion: OS greatly helps us to protect secrets
- 29. Cached Logons: It used to be like thisโฆ Before the attacks facilitated by pass-the-hash, we can only rejoice the "salting" by the username. There are a number pre-computed tables for users as Administrator facilitating attacks on these hashes.
- 30. Cached Logons There is actually not much of a difference with XP / 2003! No additional salting. PBKDF2 introduced a new variable: the number of iterations SHA1 with the same salt as before (username).
- 31. Learning Points for Secured Idenities Key learning points: โ gMSA can also be used for the attack โ Service accountsโ passwords are in the registry, available online and offline โ A privileged user is someone who has administrative access to critical systems โ Privileged users have sometimes more access than we think (see: SeBackupRead privilege or SeDebugPrivilege) โ Privileged users have possibility to read SYSTEM and SECURITY hives from the registry Warning! Enabling Credential Guard blocks: x Kerberos DES encryption support x Kerberos unconstrained delegation x Extracting the Kerberos TGT x NTLMv1
- 33. Lack of SMB Signing (or alternative) Key learning points: โ Set SPNs for services to avoid NTLM: SetSPN โL <your service account for AGPM/SQL/Exch/Custom> SetSPN โA Servicename/FQDN of hostname/FQDN of domain domainserviceaccount โ Reconsider using Kerberos authentication all over https://technet.microsoft.com/en-us/library/jj865668.aspx โ Require SPN target name validation Microsoft network server: Server SPN target name validation level โ Reconsider turning on SMB Signing โ Reconsider port filtering โ Reconsider code execution prevention but do not forget that this attack leverages administrative accounts
- 34. SMB2/3 client and SMB2/3 server signing settings Setting Group Policy Setting Registry Key Required * Digitally sign communications (always) โ Enabled RequireSecuritySignature = 1 Not Required ** Digitally sign communications (always) โ Disabled RequireSecuritySignature = 0 * The default setting for signing on a Domain Controller (defined via Group Policy) is โRequiredโ. ** The default setting for signing on SMB2 Servers and SMB Clients is โNot Requiredโ. Server โ Required Server โ Not Required Client โ Required Signed Signed Client โ Not Required Signed* Not Signed** Effective behavior for SMB2/3: * Default for Domain Controller SMB traffic. ** Default for all other SMB traffic.
- 35. Allowing unusual code execution Key learning points: Common file formats containing malware are: โ .exe (Executables, GUI, CUI, and all variants like SCR, CPL etc) โ .dll (Dynamic Link Libraries) โ .vbs (Script files like JS, JSE, VBS, VBE, PS1, PS2, CHM, BAT, COM, CMD etc) โ .docm, .xlsm etc. (Office Macro files) โ .other (LNK, PDF, PIF, etc.) If SafeDllSearchMode is enabled, the search order is as follows: 1. The directory from which the application loaded 2. The system directory 3. The 16-bit system directory 4. The Windows directory 5. The current directory 6. The directories that are listed in the PATH environment variable
- 36. Old protocols or their default settings
- 37. Secured Devices
- 38. Services Store configuration in the registry Always need some identity to run the executable! Local Security Authority (LSA) Secrets Must be stored locally, especially when domain credentials are used Can be accessed when we impersonate to Local System Their accounts should be monitored If you cannot use gMSA, MSA, use subscription for svc_ accounts (naming convention) Conclusion: Think twice before using an Administrative account, use gMSA
- 39. IIS Configuration In contrast to the earlier IIS versions, IIS 10.0 is set to use two new Cryptography API: Next Generation (CNG) providers by default: IISWASOnlyCngProvider and IISCngProvider. We still have: IISWASOnlyRsaProvider, AesProvider, IISWasOnlyAesProvider and RsaProtectedConfigurationProvider, DataProtectionConfigurationProvider CNG stores shared private keys in the %ALLUSERSPROFILE%Application DataMicrosoftCryptoKeys Worker Processes (w3wp.exe) Their identity is defined in Application Pool settings Are managed by Windows Process Activation Service that knows how to read secrets Passwords for AppPool identity can be โdecryptedโ even offline They are stored in the encrypted form in applicationHost.config Conclusion: IIS relies itโs security on Machine Keys (Local System)
- 40. Secured Devices vs. Trusting solutions without knowing how to break them Key learning points: โ The best operators won't use a component until they know how it breaks โ Almost each solution has some โbackdoor weaknessโ โ Some antivirus solutions can be stopped by SDDL modification for their services โ Configuration can be monitored by Desired State Configuration (DSC) โ DSC if not configured properly will not be able to spot internal service configuration changes Example: how to I get to the password management portal?
- 42. Reason 1: Security is both a Reality and Feeling For End User Security is a feeling Success lies in influencing the โfeelingโ of security
- 43. Reason 2: Not every attack(er) is that smart Control efficiency Risk severity/ Attacker Smartness/ Attack Efficiency Technology & Processes Awareness & Competence Automatic security controls โ AV, Updates Technology + Human โ Firewall configuration, Choosing a secure Wifi Human โ Recognizing a zero day attack, Phishing mails, Not posting business information in social media The very smart attacker 1 2 3 4 People exaggerate risks that are spectacular or uncommon
- 44. Reason 3: Technologyโฆyes, but humansโฆ of course! Aircrafts have become more advanced, but does it mean that pilot training requirements have reduced? Medical technology has become more advanced, but will you choose a hospital for itโs machines or the doctors?
- 45. InformationSecurityFramework GovernanceManagement Context and Leadership Information Security Charter Culture and Awareness Information Security Organizational Structure Prevention Identity and Access Management Identity Security Data Security Hardware Asset Management Data Security & Privacy Infrastructure Security Network Security Evaluation and Direction Security Risk Management Security Strategy and Communication Security Policies Endpoint Security Malicious Code Application Security Cloud Security Vulnerability Management Cryptography Management Physical Security HR Security HR Security Change and Support Configuration and Change Management Vendor Management Compliance, Audit, and Review Security Compliance Management External Security Audit Internal Security Audit Management Review of Security Detection Security Threat Detection Log and Event Management Measurement Metrics Program Continuous Improvement Response and Recovery Security Incident Management Information Security in BCM Security eDiscovery and Forensics Backup and Recovery A best-of-breed security framework
- 46. Security framework should integrate several best practices to create a best-of-breed security framework ISO 27000 series CIS โ Critical Security Controls COBIT 5 NIST SP800- 53 SECURITY FRAMEWORK Comprehensive standard providing best practices associated with each control Provides a detailed list of security controls along with many implementation best practices intended for US federal information systems and organizations Comprised of a concise list of 20 controls and sub- controls for actionable cyber defence A process and principle structured security best practice framework Best-of-Breed Information Security Framework
- 48. The 11 key cyber security questions 1. Do we treat cyber security as a business or IT responsibility? 2. Do our security goals align with business priorities? 3. Have we identified and protected our most valuable processes and information? 4. Does our business culture support a secure cyber environment? 5. Do we have the basics right? (For example, access rights, software patching, vulnerability management and data leakage prevention.) 6. Do we focus on security compliance or security capability? 7. Are we certain our third-party partners are securing our most valuable information? 8. Do we regularly evaluate the effectiveness of our security? 9. Are we vigilant and do we monitor our systems and can we prevent breaches? 10.Do we have an organized plan for responding to a security breach? 11.Are we adequately resourced and insured?
- 50. 1: Privileged Access Management Access Monitoring / Effective Access We need to know about who and where has access to Access should be role driven
- 51. 2: Incident Response Plan Action list In case of emergency situation: allows to act reasonably and according to the plan Increases chances that evidence is gathered properly Allows to define responsibilities for recovery Discussions provide management with understanding of security Jump Bag: preserving evidence Disk data: Disk2VHD, WinDD, FTK Imager Memory dumps: DumpIT, Mdd, Mandiant tools, LiME, OSXPMem Centralization of the event logs Pre-incident steps: use Sysmon for better knowledge about processes and network
- 52. 3: Whitelisting Code execution prevention It is an absolute necessity taking into consideration the current security trends PowerShell is a new hacking tool Scripting languages are the biggest threat Ransomware can be in a form of PowerShell script Just Enough Administration: PowerShell should be blocked for users and limited for helpdesk to use the necessary commands It is necessary to know what executes on your servers Sysmon is perfect for this AppLocker / DeviceGuard in the audit mode
- 53. 4: Hardware-based Credentials Protection Virtual Secure Mode (VSM) VSM isolates sensitive Windows processes in a hardware based Hyper-V container VSM protects VSM kernel and Trustlets even if Windows Kernel is fully compromised Requires processor virtualization extensions (e.g.: VT-X, VT-D) Implements Credential Guard where derived credentials that VSM protected LSA Service gives to Windows are non-replayable VSM runs the Windows Kernel and a series of Trustlets (Processes) within it
- 54. 5: Automation Level Master PowerShell implements great automation (and hacking tool) Some solutions are managed by Powershell only (Nano, IoT) Experience shows that administrators try to avoid it โ especially these ones with great experience There are so many custom modules available: PowerForensics, AccessControl etc. You can create your own customized modules
- 55. 6: Testing Yourself When You Can
- 58. Retina Enterprise Vulnerability Management Alex DaCosta BeyondTrust
- 59. RETINA VULNERABILITY MANAGEMENT POWERBROKER PRIVILEGED ACCOUNT MANAGEMENT 59 PRIVILEGE MANAGEMENT ACTIVE DIRECTORY BRIDGING PRIVLEGED PASSWORD MANAGEMENT AUDITING & PROTECTION ENTERPRISE VULNERABILITY MANAGEMENT BEYONDSAAS CLOUD-BASED SCANNING NETWORK SECURITY SCANNER WEB SECURITY SCANNER BEYONDINSIGHT CLARITY THREAT ANALYTICS BEYONDINSIGHT IT RISK MANAGEMENT PLATFORM EXTENSIVE REPORTING CENTRAL DATA WAREHOUSE ASSET DISCOVERY ASSET PROFILING ASSET SMART GROUPS USER MANAGEMENT WORKFLOW & NOTIFICATION THIRD-PARTY INTEGRATION
- 60. Demo
- 61. Quick Poll + Q&A Time Thank you for attending!