Tag Archives: CVSS

Vulnerability Management at Tinkoff Fintech School

In the last three weeks, I participated in Tinkoff Fintech School – educational program for university students. Together with my colleagues, we prepared a three-month practical Information Security course: 1 lecture per week with tests and home tasks.

Each lecture is given by a member of our security team, specialized in one of the following modules: Vulnerability Management, Application Security, Infrastructure Security, Network Security, Virtualization Security, Banking Systems Security, Blue & Red-teaming, etc.

Vulnerability Management at Tinkoff Fintech School

The course is still ongoing, but my Vulnerability Management module is over. Therefore, I want to share my impressions and some statistics.

Continue reading

What is a vulnerability and what is not?

It looks like a pretty simple question. I used it to started my MIPT lecture. But actually the answer is not so obvious. There are lots of formal definitions of a vulnerability. For example in NIST Glossary there are 17 different definitions. The most popular one (used in 13 documents) is:

Vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source
NISTIR 7435 The Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal Agency Systems

But I prefer this one, it’s from the glossary as well:

Vulnerability is a bug, flaw, weakness, or exposure of an application, system, device, or service that could lead to a failure of confidentiality, integrity, or availability.

I think the best way to talk about vulnerabilities is to treat them as bugs and errors. Because people deal with such entities more often in a form of software freezes and BSODs. ­čśë

You probably heard a joke, that a bug can be presented as a feature if it is well-documented and the software developers don’t want to fix it.

Bug, feature and vulnerability

Vulnerability is also a specific bug that can lead to some security issues. Or at least it is declared.

Continue reading

What’s wrong with patch-based Vulnerability Management checks?

My last post about Guinea Pigs and Vulnerability Management products may seem unconvincing without some examples. So, let’s review one. It’s a common problem that exists among nearly all VM vendors, I will demonstrate it on Tenable Nessus.

If you perform vulnerability scans, you most likely seen these pretty huge checks in your scan results like “KB4462917: Winsdows 10 Version 1607 and Windows Server 2016 October 2018 Security Update“. This particular Nessus plugin detects 23 CVEs at once.

What's wrong with patch-centric Vulnerability Management?

And, as you can see, it has formalized “Risk Information” data in the right column. There is only one CVSS score and vector, one CPE, one exploitability flag, one criticality level. Probably because of architectural limitations of the scanner. So, two very simple questions:

  • for which CVE (of these 23) is this formalized Risk Information block?
  • for which CVE (of these 23) exploit is available?

Ok, maybe they show CVSS for the most critical (by their logic) CVE. Maybe they somehow combine this parameter from data for different CVEs. But in most cases this will be inaccurate. Risk information data for every of these 23 vulnerabilities should be presented independently.

As you can see on the screenshot, one of these vulnerabilities is RCE the other is Information Disclosure. Vulnerability Management solution tells us that there is an exploit. Is this exploit for RCE or DoS? You should agree, that it can be crucial for vulnerability prioritization. And more than this, in the example there are 7 different RCEs in Internet Explorer, MSXML parser, Windows Hyper-V, etc. All this mean different attack scenarios. How is it possible to show it Vulnerability Scanner like one entity with one CVSS and exploitability flag? What can the user get from this? How to search in all this?

Continue reading

Guinea Pig and Vulnerability Management products

IMHO, security vendors use the term “Vulnerability Management” extremely inaccurate. Like a guinea pig, which is not a pig and is not related to Guinea, the current Vulnerability Management products are not about the actual (practically exploitable) vulnerabilities and not really about the management.

Guinea Pig and Vulnerability Management

Vulnerability should mean something solid and reliable, something that can be practically used by a malicious attacker or penetration tester.

When (so-called) Vulnerability Management vendors start working with indirect information from third-party about potential vulnerabilities in the software, that were possibly exploited by someone in some unknown conditions, or simply distance from responsibility: “we just provide information from the software vendor; software vendor knows better about the vulnerabilities in his own products”, it’s all falling into to the area of fortune telling and counting angels on the head of a pin.

Hardcore process of identifying weaknesses that real-life attackers can use moves to a boring compliance. For example, as PCI DSS requires, there should be no vulnerabilities above medium level (CVSS Base score > 4). At the same time, no one cares how fair this assessment of criticality is or how real these vulnerabilities are. All the analytics build on such formal data loses its sharpness and practical value.

Continue reading

Psychological Aspects of Vulnerability Remediation

In my opinion, Remediation is the most difficult part of Vulnerability Management process. If you know the assets in your organization and can assess them, you will sooner or later produce a good enough flow of critical vulnerabilities. But what the point, if the IT team will not fix them?

K├╝bler-Ross model and Tsunami of Vulnerability Tasks

K├╝bler-Ross model and Tsunami of Vulnerability Remediation Tasks

Just think about it. The only thing that your colleagues from┬á IT team see is an unexpected┬á tsunami of the patching tasks. They most likely don’t understand WHY they should do it. They most likely don’t know about the concepts of Attack Surface minimization and Attack Cost maximization. From their point of view it’s just some stupid requirements from InfoSec team imposed with only one goal – to make their life miserable.

So, they may think that denial and pushing back can solve all their problems. And, frankly, this may work. There are countless ways to sabotage Vulnerability Remediation. Most main and common are the following:

  • I don’t understand how to patch this.
  • I already patched this, there should be a false positive in the scanner.
  • Why should we patch this? The vulnerability is not exploitable. Or it is exploitable in theory, but not exploitable in our particular infrastructure. Or this server is not critical and, even if it will be compromised, there won’t be a huge impact. So, we will not patch it.

In each individual case Vulnerability Analyst can describe and proof his point, but doing this for each vulnerability will require insane amount of time and efforts and will paralyze the work. It is basically the Italian strike or work-to-rule.

Continue reading

PHDays8: Digital Bet and thousands tons of verbal ore

It’s time to write about┬áPositive Hack Days 8: Digital Bet┬áconference, which was held May 15-16 at the┬áMoscow World Trade Center. It was the main┬áRussian Information Security event of the first half of 2018. More than 4 thousand people attended! More than 50 reports, master classes and round tables held in 7 parallel streams. And, of course, impressive CTF contest for security experts and hackers with an fully-functioning model of the city.

Hack Days 8: Digital Bet

I was very pleased that there was a separate section dedicated to Vulnerability Management. Something similar happened only at ISACA meetup last year. But here we had an event for several thousand people!

The session was held in Fast Track format: 20 minutes for the presentation and questions.┬áI was the first to speak. My report was called “Vulnerability Databases: sifting thousands tons of verbal ore”. Here is the video:

And here’s a link to the version with only Russian sound track.

Continue reading

Outpost24 Appsec Scale for Web Application Scanning

Today I would like to write about yet another Outpost24┬áproduct – cloud Web Application Scanner Appsec Scale.

Outpost24 Appsec Scale scan results

It is available in the same interface as Outpost24 Outscan, that I reviewed earlier. Select APPSEC SCALE in the start menu and you can scan web applications:

Outpost24 Appsec Scale

Continue reading