К базе данных уязвимостей и дальше
•
1 recomendación•354 vistas
Язык докладаРусскийСпециалист по автоматизации информационной безопасности. В течение 6 лет участвовал в разработке сканеров уязвимостей и продуктов управления соответствием. Работает в крупнейшей интернет-компании России и отвечает за автоматизированный анализ защищенности огромной и разнообразной IT-инфраструктуры. Ведет блог avleonov.com, посвященный в основном вопросам vulnerability management. Александр Леонов Александр Леонов Стек Linux HTTPS/TCP/IP для защиты от HTTP-DDoS-атакТехнологии
Recomendados
Recomendados
Más contenido relacionado
Más de Positive Hack Days
Más de Positive Hack Days (20)
Último
Último (20)
К базе данных уязвимостей и дальше
- 1. To Vulnerability Database and beyond Alexander Leonov, PHDays 2017
- 2. 2 #:whoami - Security Analyst at Mail.Ru Group - Security Automation blog at avleonov.com
- 3. 3 Security Advisories … OVER 9000!
- 5. 5 Home-grown Database CVSS, CPE Vendor Bug Exploit DBs Media Advisories id remediation strategy CERTs Customer’s Side … … … Home-grown Vulnerability Database parser
- 6. Commercial Database Vulnerability Base Search System Notification Service Vulnerability Intelligence 6 API
- 7. Vulnerability Base Search System Notification Service Vulnerability Intelligence API Applicability Verification + Detection Rules & Plugins + Transports Vulnerability Scanner + Dashboards + TaskTracker Vulnerability Management + Infrastructure context Threat/Risk Management 7
- 8. Still a Vulnerability Database! Vulnerability Base 8 - Vulnerabilities your vendor knows/don’t know - Vulnerabilities your vendor can/can’t detect in various modes - How quickly your vendor adds detection plugins
- 10. Subscriptions? 10 Manual vulnerability tracking Subscriptions to all vulnerabilities Subscriptions to vulnerabilities in software we use Automated applicability verification
- 11. Subscriptions? 11 Manual vulnerability tracking Subscriptions to all vulnerabilities Subscriptions to vulnerabilities in software we use Automated applicability verification https://telegram.me/vulnersBot
- 12. 12 What will explode next? ?!
- 13. 13 Vulnerability Hype - Researchers can overestimate the importance of vulnerability for self-promotion - Hyped vulnerability: really critical or not? - What is out of scope?
- 15. 15 CVSS
- 16. 16 CVSS - Every CVSS vector was filled manually by some analyst - Appear in databases with a significant latency - For the most vulnerabilities Temporal Vector is not available - Doesn't express current relevance and criticality based on all factors
- 17. 17 CVSS High / CVSS Base Score : 5.0 Medium (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) High / CVSS Base Score : 9.4 High (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N) Heartbleed CVE-2014-0160 https://www.tenable.com/plugins/index.php?view=single&id=73412 Confidentiality Impact: Complete or Partial? Integrity Impact: None or Complete?
- 18. 18 CVSS “CVSSv3 doesn’t fix the major disparities with data confidentiality. Instead the whole flawed section is exactly the same.” https://www.pentestpartners.com/blog/cvssv3-whats-changed-or-why-even-bother/
- 20. 20 2 characteristics - "Danger" an assessment of criticality, exploitability - "Relevance" shows an attention paid to the vulnerability
- 21. 21 Vulnerability Danger - CVSS Base Score ↑ - Potential exploitability ↑ - Exploits ↑ - Malware ↑ - Patches ↓ - Detection plugins ↓ - Age ↓
- 22. 22 Vulnerability Relevance - Media coverage ↑ - Descriptions ↑ - Detection plugins ↑ - Search queries ↑ - Search results ↑ - Clicks ↑ - Age ↓
- 23. 23 Quadrants
- 29. 29 PoC Latest 3500 CVEs (max 10 days in Daily Routine <3.5)
- 30. 30 PoC CVE-2017-2478 RCE Latest 3500 CVEs (max 10 days in Daily Routine <3.5)
- 31. 31 PoC Latest 3500 CVEs (max 10 days in Daily Routine <3.5)
- 32. 32 PoC Latest 3500 CVEs (max 10 days in Daily Routine <3.5)
- 34. 34 Possibilities - Watch vulnerabilities in dynamics - Highlight most critical vulnerabilities and groups - Identify trends - Have fun :-)
- 35. 35 Problems - It’s all about CVEs One vulnerability - a lot of CVEs Vulnerabilities without CVEs - Subjective formulas for Danger and Relevance - Data sources
- 36. 36 Thanks! - Security Automation Blog avleonov.com - me@avleonov.com