In this presentation from her webinar, renowned cybersecurity expert Paula Januszkiewicz delves into what a truly holistic vulnerability management program should look like. When all parts are correctly established and working together, organizations can dramatically dial down their risk exposure. This presentation covers:
- The key phases and activities of the vulnerability management lifecycle
- The tools you need for an effective vulnerability management program
- How to prioritize your VM needs
- How an effective VM program can help you measurably reduce risk and meet compliance objectives
You can watch the full webinar here: https://www.beyondtrust.com/resources/webinar/tips-remediate-vulnerability-management-program
Tips to Remediate your Vulnerability Management Program
1. Tips to Remediate Your Vulnerability Management Program
Paula Januszkiewicz
CQURE: CEO, Cybersecurity Expert
CQURE Academy: Trainer
MVP: Enterprise Security
Microsoft Regional Director (not working at Microsoft ;))
www.cqureacademy.com
paula@cqure.us
@CQUREAcademy
@paulaCQURE
CONSULTING
3. What does CQURE do?
CQURE Consulting:
Extensive IT Security Audits and Penetration Tests of all kinds
Configuration Audit and Architecture Design
Social Engineering Tests
Advanced Troubleshooting and Debugging
Data Analysis
Emergency Response Services
R&D & Publications
CQURE Academy (education):
40 authored deep-dive trainings
Technical education offline (mainly in New York or via our partners worldwide)
Technical education online (over 1 million views)
Management security awareness training series
11. Cybersecurity Reference Architecture (diagram; the labels below are recovered from the slide)
Zones: Unmanaged & Mobile Clients; Managed Clients; Sensitive Workloads; Intranet / Extranet; On Premises Datacenter(s) with Enterprise Servers, Domain Controllers, VMs, Certification Authority (PKI), Admin Forest, Legacy Windows and VPN; Microsoft Azure / IaaS/Hoster; Software as a Service (Office 365); Internet of Things.
Controls named on the diagram: NGFW, IPS, DLP, SSL Proxy, Security Appliances; System Management + Patching (SCCM + Intune); Intune MDM/MAM; Conditional Access; Cloud App Security; Multi-Factor Authentication; Hello for Business; MIM PAM; AAD PIM; Privileged Access Workstations; Azure App Gateway; Network Security Groups; Azure Key Vault; Azure Security Center (Security Hygiene, Threat Detection); Azure Antimalware; Disk & Storage Encryption; Shielded VMs; SQL Encryption & Firewall; Endpoint DLP; Windows Information Protection; Azure Information Protection (AIP: Classification, Labelling, Encryption, Rights Management, Document Tracking, Reporting); EPP - Windows Defender; EDR - Windows Defender ATP (Windows and Mac OS); Office 365 ATP (Email Gateway, Anti-malware); Lockbox; ASM.
Windows 10 Security: Secure Boot, Device Guard, Credential Guard, Remote Credential Guard, Windows Hello.
Windows Server 2016 Security: Secure Boot, Nano Server, Just Enough Admin, Device Guard, Credential Guard, Remote Credential Guard, Hyper-V Containers, …
Security Operations Center (SOC): Logs & Analytics, Active Threat Detection, Hunting Teams, Investigation and Recovery, WEF, SIEM Integration, Enterprise Threat Detection, Analytics & Reporting, Managed Security Provider, OMS, ATA, UEBA, SIEM, Incident Response, Vulnerability Management, Identity & Access.
Callouts on the diagram:
- Nearly all customer breaches Microsoft’s Incident Response team investigates involve credential theft
- 63% of confirmed data breaches involve weak, default, or stolen passwords (Verizon 2016 DBR)
- 80%+ of employees admit using non-approved SaaS apps for work (Stratecast, December 2013)
12. According to the industry’s statistics, by 2019 the market will need 6 million security professionals, but only 4 to 5 million of them will have the needed qualifications.
*Source: Financial Times
13. SECURITY IN THE ENTERPRISE = ORGANIZATIONAL PROCEDURES WE FOLLOW + VULNERABILITY MANAGEMENT + INSECURE CONFIGURATION MANAGEMENT
14. And here come some statistics…
*Based on Trustwave Global Security Report 2013/2014
18. What is the most successful path for the attack right now?
19.-21. THE ANATOMY OF AN ATTACK (diagram, built up over three slides)
Healthy Computer -> User Receives Email -> User Lured to Malicious Site -> Device Infected with Malware -> HelpDesk Logs into Device -> Identity Stolen, Attacker Has Increased Privs
24. Pass-The-Hash Technique (diagram)
Fred’s Laptop: Fred’s User Session (User: Fred, Password hash: A3D7…); Malware Session (User: Administrator, Password hash: E1977…)
Sue’s Laptop: Sue’s User Session (User: Sue, Password hash: C9DF…); Malware User Session (User: Adm…, Hash: E1977)
File Server: User: Sue, Hash: C9DF
1. FRED RUNS MALWARE, HE IS A LOCAL ADMINISTRATOR
2. THERE IS A PASS THE HASH SESSION ESTABLISHED WITH ANOTHER COMPUTER
3. MALWARE INFECTS SUE’S LAPTOP AS FRED
4. MALWARE INFECTS FILE SERVER AS SUE
27. Class names for keys from HKLM\SYSTEM\CCS\Control\Lsa
HKLM\SECURITY\Cache
HKLM\SECURITY\Policy\Secrets
28. Classic Data Protection API
Based on the following components: password, data blob, entropy
Is not prone to password resets!
Protects from outsiders who have offline access
Effectively protects users’ data
Stores the password history: you need to be able to get access to some of your passwords from the past
Conclusion: the OS greatly helps us to protect secrets
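The three DPAPI inputs named on the slide (the user's password, via the CurrentUser scope; the data blob; and optional entropy) can be seen through the .NET wrapper over CryptProtectData. This is an added example, not code from the deck or from CQURE; the secret and the entropy string are constructed sample values.

```powershell
# Added example (not from the original deck): protect and unprotect a blob with DPAPI
# in CurrentUser scope, with and without the right entropy. Sample values are constructed.
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param([Parameter(Mandatory)][string]$PlainText, [string]$Entropy = '')
    $blob = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    $ent  = [System.Text.Encoding]::UTF8.GetBytes($Entropy)
    # CurrentUser scope ties the master key to the user's logon password. DPAPI keeps a
    # password history so that blobs protected under an earlier password stay readable
    # after the user changes it; entropy is a second secret the caller must supply again.
    [System.Security.Cryptography.ProtectedData]::Protect($blob, $ent, 'CurrentUser')
}

function Unprotect-Secret {
    param([Parameter(Mandatory)][byte[]]$Cipher, [string]$Entropy = '')
    $ent = [System.Text.Encoding]::UTF8.GetBytes($Entropy)
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($Cipher, $ent, 'CurrentUser')
        [System.Text.Encoding]::UTF8.GetString($plain)
    } catch [System.Security.Cryptography.CryptographicException] {
        # Wrong entropy, a different user context, or a different machine without the
        # user's master keys: DPAPI refuses rather than returning garbage.
        $null
    }
}

$cipher = Protect-Secret -PlainText 'constructed sample secret' -Entropy 'app-specific-entropy'
'Right entropy : ' + (Unprotect-Secret -Cipher $cipher -Entropy 'app-specific-entropy')
'Wrong entropy : ' + (Unprotect-Secret -Cipher $cipher -Entropy 'something-else')
```

Run it in a normal user session: the first line prints the sample secret back, the second prints nothing, because the entropy is part of the key material and not stored with the blob. That is the property the slide leans on when it says the OS protects secrets from an outsider with offline access to the disk.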
29. Cached Logons: It used to be like this…
Before the attacks facilitated by pass-the-hash, we could only rejoice at the "salting" by the username.
There are a number of pre-computed tables for users such as Administrator, facilitating attacks on these hashes.
30. Cached Logons
There is actually not much of a difference from XP / 2003!
No additional salting.
PBKDF2 introduced a new variable: the number of iterations of SHA1, with the same salt as before (the username).
31. Learning Points for Secured Identities
Key learning points:
✓ gMSA can also be used for the attack
✓ Service accounts’ passwords are in the registry, available online and offline
✓ A privileged user is someone who has administrative access to critical systems
✓ Privileged users sometimes have more access than we think (see: SeBackupPrivilege or SeDebugPrivilege)
✓ Privileged users have the possibility to read the SYSTEM and SECURITY hives from the registry
Warning! Enabling Credential Guard blocks:
x Kerberos DES encryption support
x Kerberos unconstrained delegation
x Extracting the Kerberos TGT
x NTLMv1
33. Lack of SMB Signing (or alternative)
Key learning points:
✓ Set SPNs for services to avoid NTLM:
  SetSPN -L <your service account for AGPM/SQL/Exch/Custom>
  SetSPN -A <Servicename>/<FQDN of hostname>/<FQDN of domain> <domain>\<serviceaccount>
✓ Reconsider using Kerberos authentication all over: https://technet.microsoft.com/en-us/library/jj865668.aspx
✓ Require SPN target name validation (Microsoft network server: Server SPN target name validation level)
✓ Reconsider turning on SMB Signing
✓ Reconsider port filtering
✓ Reconsider code execution prevention, but do not forget that this attack leverages administrative accounts
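Setting SPNs only helps if you can see where NTLM is still being negotiated. The following is an added example (not from the deck or from CQURE) that summarises successful network logons from the local Security log that used NTLM rather than Kerberos, grouped by account and source address; the field names are those of the standard 4624 event template. It assumes the host keeps enough Security log history for the window you ask for.

```powershell
# Added example (not from the original deck): which accounts and sources still authenticate
# with NTLM? Reads 4624 (successful logon) events from the local Security log. Run elevated.
function Get-NtlmLogonSummary {
    param([int]$Hours = 24, [int]$MaxEvents = 5000)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $rows = @(foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Logon type 3 = network logon. AuthenticationPackageName 'NTLM' means Kerberos was not
        # used; a missing SPN, or a client addressing the server by IP, are the usual reasons.
        if ($d['AuthenticationPackageName'] -eq 'NTLM' -and $d['LogonType'] -eq '3') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Source      = $d['IpAddress']
                Workstation = $d['WorkstationName']
                Package     = $d['LmPackageName']   # 'NTLM V1' vs 'NTLM V2'
            }
        }
    })
    $rows | Group-Object Account, Source | Sort-Object Count -Descending |
        Select-Object Count,
                      @{ n = 'Account, Source'; e = { $_.Name } },
                      @{ n = 'Packages'; e = { ($_.Group.Package | Sort-Object -Unique) -join ', ' } }
}

Get-NtlmLogonSummary -Hours 24 | Format-Table -AutoSize
```

Accounts that appear here with a service or application name are the first candidates for the SetSPN commands above; any 'NTLM V1' entries are also the ones that will stop working once Credential Guard is enabled, since it blocks NTLMv1.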
34. SMB2/3 client and SMB2/3 server signing settings
Setting          Group Policy setting                                Registry key
Required *       Digitally sign communications (always) - Enabled    RequireSecuritySignature = 1
Not Required **  Digitally sign communications (always) - Disabled   RequireSecuritySignature = 0
* The default setting for signing on a Domain Controller (defined via Group Policy) is “Required”.
** The default setting for signing on SMB2 Servers and SMB Clients is “Not Required”.
Effective behavior for SMB2/3:
                        Server - Required    Server - Not Required
Client - Required       Signed               Signed
Client - Not Required   Signed*              Not Signed**
* Default for Domain Controller SMB traffic.
** Default for all other SMB traffic.
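The table above reduces to one rule: SMB2/3 traffic is signed unless both sides are set to "Not Required". The following added example (not from the deck or from CQURE) encodes that rule and reads the two RequireSecuritySignature values from the registry locations behind the "Digitally sign communications (always)" policy, so a host can be checked against the table. It assumes local administrator rights on a Windows host.

```powershell
# Added example (not from the original deck): effective SMB2/3 signing outcome for this host,
# from the slide's table and the LanmanServer / LanmanWorkstation registry values.
$serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

# The slide's matrix: signed unless BOTH server and client are "Not Required".
function Get-SmbSigningOutcome {
    param([Parameter(Mandatory)][bool]$ServerRequired, [Parameter(Mandatory)][bool]$ClientRequired)
    if ($ServerRequired -or $ClientRequired) { 'Signed' } else { 'Not Signed' }
}

function Get-RequireSecuritySignature {
    param([Parameter(Mandatory)][string]$Key)
    $item = Get-ItemProperty -Path $Key -Name RequireSecuritySignature -ErrorAction SilentlyContinue
    # Absent value = default, which the slide gives as "Not Required" (domain controllers get
    # "Required" through Group Policy, which writes the value explicitly).
    if ($null -eq $item) { return $false }
    return [bool]$item.RequireSecuritySignature
}

function Test-LocalSmbSigning {
    $server = Get-RequireSecuritySignature -Key $serverKey
    $client = Get-RequireSecuritySignature -Key $clientKey
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    $finding = if (-not $server -and -not $isDc) {
        'Server signing not required: sessions from default clients will be unsigned'
    } else { 'OK' }
    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        IsDomainController      = $isDc
        ServerRequired          = $server
        ClientRequired          = $client
        # This host as a server, talking to a client left at the default (Not Required).
        AsServerVsDefaultClient = Get-SmbSigningOutcome -ServerRequired $server -ClientRequired $false
        # This host as a client, talking to a non-DC server left at the default.
        AsClientVsDefaultServer = Get-SmbSigningOutcome -ServerRequired $false -ClientRequired $client
        Finding                 = $finding
    }
}

Test-LocalSmbSigning | Format-List
```

On current Windows the same two values are also exposed by Get-SmbServerConfiguration and Get-SmbClientConfiguration (property RequireSecuritySignature); the registry read is used here because it matches the column in the slide's table.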
35. Allowing unusual code execution
Key learning points:
Common file formats containing malware are:
✓ .exe (Executables, GUI, CUI, and all variants like SCR, CPL etc.)
✓ .dll (Dynamic Link Libraries)
✓ .vbs (Script files like JS, JSE, VBS, VBE, PS1, PS2, CHM, BAT, COM, CMD etc.)
✓ .docm, .xlsm etc. (Office Macro files)
✓ .other (LNK, PDF, PIF, etc.)
If SafeDllSearchMode is enabled, the search order is as follows:
1. The directory from which the application loaded
2. The system directory
3. The 16-bit system directory
4. The Windows directory
5. The current directory
6. The directories that are listed in the PATH environment variable
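The search order above decides which copy of a DLL an application actually loads, so a defender wants to know when a copy sits earlier in the order than the one in System32. The following added example (not from the deck or from CQURE) builds the list in the slide's order, reads the real SafeDllSearchMode registry value (absent means enabled, the default), and reports every location where a given DLL name is found. The application directory and DLL name passed at the bottom are hypothetical placeholders; the example ignores KnownDLLs and the SysWOW64 redirection for 32-bit processes, which both take precedence over this list.

```powershell
# Added example (not from the original deck): where would a DLL of this name be resolved from
# for an application in this directory, under the SafeDllSearchMode order on the slide?
function Get-SafeDllSearchModeEnabled {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $v = (Get-ItemProperty -Path $key -Name SafeDllSearchMode -ErrorAction SilentlyContinue).SafeDllSearchMode
    return ($null -eq $v) -or ($v -ne 0)   # missing value = enabled (default since XP SP2)
}

function Get-DllSearchOrder {
    param([Parameter(Mandatory)][string]$ApplicationDirectory)
    $windir = $env:SystemRoot
    $order = [System.Collections.Generic.List[string]]::new()
    $order.Add($ApplicationDirectory)                 # 1. directory the application loaded from
    $order.Add((Join-Path $windir 'System32'))        # 2. system directory
    $order.Add((Join-Path $windir 'System'))          # 3. 16-bit system directory
    $order.Add($windir)                               # 4. Windows directory
    $order.Add((Get-Location).Path)                   # 5. current directory
    foreach ($p in ($env:PATH -split ';')) { if ($p) { $order.Add($p) } }   # 6. PATH entries
    if (-not (Get-SafeDllSearchModeEnabled)) {
        # With SafeDllSearchMode off, the current directory moves up to second place.
        $cwd = $order[4]; $order.RemoveAt(4); $order.Insert(1, $cwd)
    }
    return $order
}

function Resolve-DllByName {
    param([Parameter(Mandatory)][string]$ApplicationDirectory, [Parameter(Mandatory)][string]$DllName)
    $hits = @(foreach ($dir in Get-DllSearchOrder -ApplicationDirectory $ApplicationDirectory) {
        $candidate = Join-Path $dir $DllName
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { $candidate }
    })
    [pscustomobject]@{
        DllName      = $DllName
        ResolvedFrom = if ($hits.Count -gt 0) { $hits[0] } else { $null }
        AllCopies    = $hits
        # More than one copy means an earlier directory shadows a later one; check who can
        # write to the earlier directory.
        Shadowed     = ($hits.Count -gt 1)
    }
}

# Hypothetical application directory and DLL name; substitute your own.
Resolve-DllByName -ApplicationDirectory 'C:\Program Files\ExampleApp' -DllName 'example.dll'
```

Running this for the DLLs an application imports, with its install directory as the first entry, gives the list that a whitelisting policy (AppLocker DLL rules, Device Guard) needs to cover; a Shadowed result in a directory writable by ordinary users is the configuration finding to fix.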
38. Services
Store their configuration in the registry
Always need some identity to run the executable!
Local Security Authority (LSA) Secrets:
Must be stored locally, especially when domain credentials are used
Can be accessed when we impersonate Local System
Their accounts should be monitored
If you cannot use gMSA or MSA, use an event subscription for svc_ accounts (naming convention)
Conclusion: Think twice before using an Administrative account; use gMSA
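To act on "their accounts should be monitored", you first need the list of services that run under an explicit user account, since those are the ones whose password sits in LSA secrets. The following added example (not from the deck or from CQURE) classifies every service on the host by the kind of identity it runs as; the svc_ prefix is the naming convention the slide suggests and is an assumption about your environment, and a trailing $ is taken to mean an MSA/gMSA.

```powershell
# Added example (not from the original deck): which services run as a real user account
# (password stored as an LSA secret) rather than a built-in, virtual or managed identity?
function Get-ServiceIdentityReport {
    $builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $acct = $_.StartName
        $kind =
            if ([string]::IsNullOrEmpty($acct) -or $builtin -contains $acct) { 'BuiltIn' }
            elseif ($acct -like 'NT SERVICE\*') { 'VirtualAccount' }
            elseif ($acct -like '*$') { 'ManagedServiceAccount' }        # MSA/gMSA: no password to steal from LSA secrets
            elseif ($acct -like '*\svc_*' -or $acct -like 'svc_*') { 'NamedServiceAccount' }   # svc_ convention (assumption)
            else { 'ExplicitUserAccount' }                                # password kept as an LSA secret
        [pscustomobject]@{
            Name    = $_.Name
            Account = $acct
            Kind    = $kind
            State   = $_.State
            Path    = $_.PathName
        }
    } | Where-Object { $_.Kind -ne 'BuiltIn' } | Sort-Object Kind, Name
}

# ExplicitUserAccount rows (and any that are also members of Administrators) deserve the first look.
Get-ServiceIdentityReport | Format-Table -AutoSize
```

The Kind column maps directly onto the slide's advice: ManagedServiceAccount is the goal, NamedServiceAccount is the fallback that at least makes the accounts easy to subscribe to in the SIEM, and ExplicitUserAccount is the population to migrate.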
39. IIS Configuration
In contrast to the earlier IIS versions, IIS 10.0 is set to use two new Cryptography API: Next Generation (CNG) providers by default: IISWASOnlyCngProvider and IISCngProvider. We still have: IISWASOnlyRsaProvider, AesProvider, IISWasOnlyAesProvider, RsaProtectedConfigurationProvider and DataProtectionConfigurationProvider.
CNG stores shared private keys in %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\Keys
Worker Processes (w3wp.exe):
Their identity is defined in the Application Pool settings
Are managed by the Windows Process Activation Service, which knows how to read secrets
Passwords for the AppPool identity can be ’decrypted’ even offline
They are stored in encrypted form in applicationHost.config
Conclusion: IIS relies for its security on Machine Keys (Local System)
40. Secured Devices vs. Trusting solutions without knowing how to break them
Key learning points:
✓ The best operators won't use a component until they know how it breaks
✓ Almost every solution has some ‘backdoor weakness’
✓ Some antivirus solutions can be stopped by SDDL modification for their services
✓ Configuration can be monitored by Desired State Configuration (DSC)
✓ DSC, if not configured properly, will not be able to spot internal service configuration changes
Example: how do I get to the password management portal?
42. Reason 1: Security is both a Reality and a Feeling
For the end user, security is a feeling
Success lies in influencing the “feeling” of security
43. Reason 2: Not every attack(er) is that smart
(diagram: control efficiency against risk severity / attacker smartness / attack efficiency, ranging from Technology & Processes to Awareness & Competence)
1. Automatic security controls - AV, Updates
2. Technology + Human - Firewall configuration, choosing a secure Wifi
3. Human - Recognizing a zero day attack, phishing mails, not posting business information in social media
4. The very smart attacker
People exaggerate risks that are spectacular or uncommon
44. Reason 3: Technology…yes, but humans… of course!
Aircraft have become more advanced, but does that mean pilot training requirements have been reduced?
Medical technology has become more advanced, but will you choose a hospital for its machines or for its doctors?
45. Information Security Framework (diagram; labels recovered from the slide, grouped under the headings shown)
Governance / Management
- Context and Leadership: Information Security Charter, Culture and Awareness, Information Security Organizational Structure
- Evaluation and Direction: Security Risk Management, Security Strategy and Communication, Security Policies
- Compliance, Audit, and Review: Security Compliance Management, External Security Audit, Internal Security Audit, Management Review of Security
- Measurement: Metrics Program, Continuous Improvement
Prevention
- Identity and Access Management, Data Security, Infrastructure Security
- Control areas: Identity Security, Hardware Asset Management, Data Security & Privacy, Network Security, Endpoint Security, Malicious Code, Application Security, Cloud Security, Vulnerability Management, Cryptography Management, Physical Security, HR Security
- Change and Support: Configuration and Change Management, Vendor Management
Detection
- Security Threat Detection, Log and Event Management
Response and Recovery
- Security Incident Management, Information Security in BCM, Security eDiscovery and Forensics, Backup and Recovery
A best-of-breed security framework
46. A security framework should integrate several best practices to create a best-of-breed security framework (diagram; descriptions matched to their sources):
- ISO 27000 series: comprehensive standard providing best practices associated with each control
- NIST SP800-53: provides a detailed list of security controls along with many implementation best practices intended for US federal information systems and organizations
- CIS - Critical Security Controls: comprised of a concise list of 20 controls and sub-controls for actionable cyber defence
- COBIT 5: a process and principle structured security best practice framework
Together: the Best-of-Breed Information Security Framework
48. The 11 key cyber security questions
1. Do we treat cyber security as a business or IT responsibility?
2. Do our security goals align with business priorities?
3. Have we identified and protected our most valuable processes and information?
4. Does our business culture support a secure cyber environment?
5. Do we have the basics right? (For example, access rights, software patching,
vulnerability management and data leakage prevention.)
6. Do we focus on security compliance or security capability?
7. Are we certain our third-party partners are securing our most valuable
information?
8. Do we regularly evaluate the effectiveness of our security?
9. Are we vigilant and do we monitor our systems and can we prevent breaches?
10. Do we have an organized plan for responding to a security breach?
11. Are we adequately resourced and insured?
50. 1: Privileged Access Management
Access Monitoring / Effective Access
We need to know who has access, and to what
Access should be role driven
51. 2: Incident Response Plan
Action list
In case of an emergency situation: allows you to act reasonably and according to the plan
Increases the chances that evidence is gathered properly
Allows you to define responsibilities for recovery
Discussions give management an understanding of security
Jump Bag: preserving evidence
Disk data: Disk2VHD, WinDD, FTK Imager
Memory dumps: DumpIt, Mdd, Mandiant tools, LiME, OSXPMem
Centralization of the event logs
Pre-incident steps: use Sysmon for better knowledge about processes and network
52. 3: Whitelisting
Code execution prevention
It is an absolute necessity considering the current security trends
PowerShell is a new hacking tool
Scripting languages are the biggest threat
Ransomware can be in the form of a PowerShell script
Just Enough Administration: PowerShell should be blocked for users and limited for the helpdesk to the necessary commands
It is necessary to know what executes on your servers
Sysmon is perfect for this
AppLocker / Device Guard in audit mode
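Audit mode is only useful if someone reads what it records. The following added example (not from the deck or from CQURE) summarises the AppLocker "EXE and DLL" log over the last few days: event 8003 means the file was allowed to run but would have been blocked had the policy been enforced, and 8004 is an actual block. The log name and event IDs are the standard AppLocker ones; the element names come from the event's UserData section.

```powershell
# Added example (not from the original deck): what would AppLocker have blocked if the
# audit-mode policy were enforced? Summarises 8003 (would block) and 8004 (blocked) events.
function Get-AppLockerAuditSummary {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $rows = @(foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $u = $xml.Event.UserData.RuleAndFileData
        $outcome = if ($e.Id -eq 8004) { 'Blocked' } else { 'WouldBlock' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Outcome = $outcome
            User    = $u.TargetUser          # SID of the account that ran the file
            Process = $u.TargetProcessId
            File    = $u.FilePath            # uses %OSDRIVE%, %PROGRAMFILES% style variables
            Hash    = $u.FileHash
            Policy  = $u.PolicyName
        }
    })
    # One line per file and outcome, most frequent first, with the users who triggered it.
    $rows | Group-Object File, Outcome | Sort-Object Count -Descending |
        Select-Object Count, Name,
                      @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } }
}

Get-AppLockerAuditSummary -Days 7 | Format-Table -AutoSize -Wrap
```

Files that show up as WouldBlock under %PROGRAMFILES% or %WINDIR% usually need a publisher or path rule before the policy is switched to enforce; files under user-writable locations such as %OSDRIVE%\Users are the ones the whitelisting policy exists to stop. The same approach works for the "MSI and Script" and "Packaged app-Execution" AppLocker logs.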
53. 4: Hardware-based Credentials Protection
Virtual Secure Mode (VSM)
VSM isolates sensitive Windows processes in a hardware-based Hyper-V container
VSM protects the VSM kernel and Trustlets even if the Windows Kernel is fully compromised
Requires processor virtualization extensions (e.g. VT-x, VT-d)
Implements Credential Guard, where the derived credentials that the VSM-protected LSA Service gives to Windows are non-replayable
VSM runs the Windows Kernel and a series of Trustlets (processes) within it
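Whether VSM is actually running, and whether Credential Guard is one of the services inside it, can be read from the Win32_DeviceGuard WMI class. The following added example (not from the deck or from CQURE) reports that state; it serves both this slide and the slide 31 warning about what Credential Guard blocks, since the same report tells you which hosts already enforce it. The numeric codes are the documented ones: VirtualizationBasedSecurityStatus 0/1/2 = not enabled / enabled but not running / running, and service code 1 = Credential Guard, 2 = HVCI.

```powershell
# Added example (not from the original deck): is virtualization-based security running on this
# host, and is Credential Guard among the services it protects?
function Convert-DeviceGuardServiceCodes {
    param([int[]]$Codes)
    $names = @{ 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)' }
    if (-not $Codes) { return }
    foreach ($c in $Codes) {
        if ($names.ContainsKey($c)) { $names[$c] } else { "service code $c" }
    }
}

function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $vbsText = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
    $configured = @(Convert-DeviceGuardServiceCodes -Codes $dg.SecurityServicesConfigured)
    $running    = @(Convert-DeviceGuardServiceCodes -Codes $dg.SecurityServicesRunning)
    [pscustomobject]@{
        ComputerName                = $env:COMPUTERNAME
        VirtualizationBasedSecurity = $vbsText[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured          = $configured -join ', '
        ServicesRunning             = $running -join ', '
        CredentialGuardRunning      = ($running -contains 'Credential Guard')
        # "Enabled but not running" usually means the firmware side (UEFI, Secure Boot, VT-x/VT-d)
        # is missing; RequiredSecurityProperties lists what the policy asked for.
        RequiredSecurityProperties  = ($dg.RequiredSecurityProperties -join ', ')
        AvailableSecurityProperties = ($dg.AvailableSecurityProperties -join ', ')
    }
}

Get-VbsStatus | Format-List
```

Before rolling CredentialGuardRunning out to a host where it is false, confirm that none of the things slide 31 lists (Kerberos DES, unconstrained delegation, TGT extraction, NTLMv1) are still in use there, because they stop working the moment the LSA secrets move into VSM.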
54. 5: Automation Level Master
PowerShell implements great automation (and is a hacking tool)
Some solutions are managed by PowerShell only (Nano, IoT)
Experience shows that administrators try to avoid it, especially those with great experience
There are so many custom modules available: PowerForensics, AccessControl etc.
You can create your own customized modules