Category Archives: Concept

What I expect from IT Asset Inventory

The main problem of vulnerability management, in my opinion, is that it is not always clear whether we know about ALL network hosts existing in our infrastructure or not. So, not the actual process of scanning and the detection of vulnerabilities, but the lack of knowledge what we should scan.

Knowing the total number of active hosts, this must be such a simple and basic thing. But for a large organization, this is not so trivial. To tell the truth, I do not know how to do IT Asset Inventory right. I’m not even sure who should be responsible this. There are so many different technological and organizational nuances. I will mention some of them below.

Who is responsible for inventorying IT assets?

But I can say with confidence that my basic requirement for IT Asset Inventory system will be the completeness of the scope, not the number of collected parameters. The very minimum is just to see that some network host existed and seemed active at some time.

Continue reading

How to correlate different events in Splunk and make dashboards

Recently I’ve spent some time dealing with Splunk. Despite the fact that I have already done various Splunk searches before, for example in “Tracking software versions using Nessus and Splunk“, the correlation of different events in Splunk seems to be a very different task. And there not so many publicly available examples of this on the Internet. So, I decided to write a small post about it myself.

Splunk dashboard

Disclaimer: I’m not a pro in Splunk. I don’t have an idea if I am doing this the right or in optimal way. 😉 I just learned some tricks, they worked for me well and I want to share it with you. 

I will show the following case:

  1. We have some active network hosts.
  2. Some software product should be installed these hosts.
  3. We will send “host X is active” and “software is installed on host X” events to the Splunk server.
  4. We want to get some diagrams in Splunk that will show us on which hosts the software is  installed and how number of such hosts is changing in time.

As you can see, the task is quite a trivial and it can be easily implemented in pure Python. But the idea is to make it in Splunk. 😉

Continue reading

Masking Vulnerability Scan reports

Continuing the series of posts about Kenna (“Analyzing Vulnerability Scan data“, “Connectors and REST API“) and similar services. Is it actually safe to send your vulnerability data to some external cloud service for analysis? Leakage of such information can potentially cause great damage to your organization, right?

Masking Vulnerability Scans

It’s once again a problem of trust to vendor. IMHO, in some cases it may make sense to hide the real hostnames and ip-addresses of the target hosts in scan reports. So, it would be clear for analysis vendor that some critical vulnerability exists somewhere, but it would not be clear where exactly.

To do this, each hostname/ip-address should be replaced to some values of similar type and should be replaced on the same value each time. So the algorithms of Kenna-like service could work with this masked reports. This mean that we need to create a replacement dictionary.

Continue reading

Vulnerability Management for Network Perimeter

Network Perimeter is like a door to your organization. It is accessible to everyone and vulnerability exploitation does not require any human interactions, unlike, for example, phishing attacks. Potential attacker can automate most of his actions searching for an easy target. It’s important not to be such of target. 😉

Vulnerability Management for Network Perimeter

What does it mean to control the network perimeter? Well, practically this process consist of two main parts:

  • Assessing network hosts that are facing Internet using some Network Scanner (Nessus, OpenVAS, Qualys, MaxPatrol. F-Secure Radar, etc.)
  • Assessing application servers, e.g. Web Servers, on these hosts using some special tools, e.g. Web Application Scanners (Acunetix, Burp Suite, Qualys WAS, Tenable.io WAS, High-Tech Bridge ImmuniWeb, etc.)

Active scanning is a good method of perimeter assessment. Dynamics of the assets is relatively low, comparing with the Office Network. Perimeter hosts usually stays active all the time, including the time when you are going to scan scanning them. 😉

Most of the dangerous vulnerabilities can be detected without authorization: problems with encryption (OpenSSL Heartbleed, Poodle, etc.). RCE and DoS of web servers and frameworks (Apache Struts and Equifax case)

The best results can be achieved with scanners deployed outside of your network. Thus, you will see your Network Perimeter the same way a potential attacker sees it. But certainly, you will be in a better position:

  • You can ask your IT administrators to add your network and WAS scanners in white list, so they will not be banned.
  • You can check and correlate scan results of remote scanner with (authenticated?) scan results produced by the scanner deployed in your organization’s network and thus filtering false positives.

What about the targets for scanning? How should you get them?

Continue reading

Harassment scandals, Sheldon Cooper, Black Mirror and blockchain

Lots of good jokes in a popular TV show The Big Bang Theory are related to Sheldon Cooper’s bureaucracy in interpersonal relationships: all these “roommate agreement”, “relationship agreement”, etc.

Harassment scandals, Sheldon Cooper, Black Mirror and blockchain

However, because of these endless harassment scandals in media, now it seems like a best practice of some kind. 😉

roommate agreement

I’m not particularly interested in who is right or wrong in any particular scandal. But the scheme itself seems corrupted.

In the current reality, when any joint action can be post factum presented as violent and committed under pressure, even after 10-20 years, and can lead to very sad consequences, any oral arrangements are rapidly depreciating.

Continue reading