However, this manual operations can make the process of debugging dashboards really annoying. It would be much easier to send dashboard XML content to Splunk using Splunk API. And it is actually possible. 🙂
Last Thursday, September 20th, I spoke at ISACA Moscow “Vulnerability Management” Meetup held at Polytechnic University. The only event in Moscow devoted solely to Vulnerability Management. So I just had to take part in it. 🙂
The target audience of the event – people who implement the vulnerability management process in organizations and the employees of Vulnerability Management vendors. I noticed groups of people from Altex-Soft (Altx-Soft), Positive Technologies and Vulners.
It was very interesting to see such concentration of Vulnerability and Compliance Management specialists in one place. Questions from the audience were relevant and often concerned the weaknesses of competitors. 😉 Here I will make a brief overview of the reports. You can also read here about previous year event at “ISACA Moscow Vulnerability Management Meetup 2017“.
Talking about the audience, there were fewer people than last year, but still a lot:
The event was recorded. I will add video here as soon as it’s ready.
upd. Video in Russian. My presentation starts at 1:35:56
The event was conducted entirely in Russian, including all the slides. So, maybe I will make English subtitles and voiceover, at least for my part.
In my opinion, Remediation is the most difficult part of Vulnerability Management process. If you know the assets in your organization and can assess them, you will sooner or later produce a good enough flow of critical vulnerabilities. But what the point, if the IT team will not fix them?
Kübler-Ross model and Tsunami of Vulnerability Remediation Tasks
Just think about it. The only thing that your colleagues from IT team see is an unexpected tsunami of the patching tasks. They most likely don’t understand WHY they should do it. They most likely don’t know about the concepts of Attack Surface minimization and Attack Cost maximization. From their point of view it’s just some stupid requirements from InfoSec team imposed with only one goal – to make their life miserable.
So, they may think that denial and pushing back can solve all their problems. And, frankly, this may work. There are countless ways to sabotage Vulnerability Remediation. Most main and common are the following:
I don’t understand how to patch this.
I already patched this, there should be a false positive in the scanner.
Why should we patch this? The vulnerability is not exploitable. Or it is exploitable in theory, but not exploitable in our particular infrastructure. Or this server is not critical and, even if it will be compromised, there won’t be a huge impact. So, we will not patch it.
In each individual case Vulnerability Analyst can describe and proof his point, but doing this for each vulnerability will require insane amount of time and efforts and will paralyze the work. It is basically the Italian strike or work-to-rule.
Expect can help you to automate interactive console applications. For example, expect script can go to some Linux host via SSH with password authentication, make additional authentication procedures (su, sudo) to elevate privileges and execute some commands. Like Vulnerability and Compliance management products do during the active Linux scanning, right? 🙂 For example you can get the list of installed packages and make Vulnerability Assessment without Vulnerability Scanner.
Actually, the tool is pretty old. It was presented more than 20 years ago! And perhaps now it makes more sense to use python scripts, for example paramiko with paramiko-expect. Or even use some software provisioning tool, like Ansible. But my fun was in creating (generating?) a small old-school scripts that could be sent to any remote host (with expect installed) to gather information from the accessible hosts.
I have recently worked with NetBox – an open source IP address management (IPAM) and data center infrastructure management (DCIM) solution developed by well-known cloud hosting provider DigitalOcean.
It’s not really about security, not even a CMDB. But, security team still might be interested in NetBox, because it makes possible to track the hosts in some critical subnet without active scanning, providing great visibility of assets. Here I will show a small example of NetBox API usage.
Recently I had a chance to work with OpenSCAP. It’s a set of free and open-source tools for Linux Configuration Assessment and a collection security content in SCAP (Security Content Automation Protocol) format.
In this post I will write about SCAP Workbench. It is a GUI application that can check the configuration of your local Linux host (or the remote host via ssh; note that agent installation is required), and show the settings that are not comply with some security standard, for example PCI DSS or DISA STIG.
Moreover, you can generate the script for automated remediation. You can also create your own scan profiles based on existing SCAP content.
This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.