![Practical Vulnerability Management: A Strategic Approach to Managing Cyber Risk](http://img.images-bn.com/static/redesign/srcs/images/grey-box.png?v11.9.4)
Practical Vulnerability Management: A Strategic Approach to Managing Cyber Risk
192![Practical Vulnerability Management: A Strategic Approach to Managing Cyber Risk](http://img.images-bn.com/static/redesign/srcs/images/grey-box.png?v11.9.4)
Practical Vulnerability Management: A Strategic Approach to Managing Cyber Risk
192Paperback
-
PICK UP IN STORECheck Availability at Nearby Stores
Available within 2 business hours
Related collections and offers
Overview
Bugs: they're everywhere. Software, firmware, hardware they all have them. Bugs even live in the cloud. And when one of these bugs is leveraged to wreak havoc or steal sensitive information, a company's prized technology assets suddenly become serious liabilities.
Fortunately, exploitable security weaknesses are entirely preventable; you just have to find them before the bad guys do. Practical Vulnerability Management will help you achieve this goal on a budget, with a proactive process for detecting bugs and squashing the threat they pose.
The book starts by introducing the practice of vulnerability management, its tools and components, and detailing the ways it improves an enterprise's overall security posture. Then it's time to get your hands dirty! As the content shifts from conceptual to practical, you're guided through creating a vulnerability-management system from the ground up, using open-source software.
Along the way, you'll learn how to:
Playing whack-a-bug won't cut it against today's advanced adversaries. Use this book to set up, maintain, and enhance an effective vulnerability management system, and ensure your organization is always a step ahead of hacks and attacks.
Product Details
ISBN-13: | 9781593279882 |
---|---|
Publisher: | No Starch Press |
Publication date: | 10/06/2020 |
Pages: | 192 |
Sales rank: | 1,042,454 |
Product dimensions: | 6.90(w) x 9.10(h) x 0.60(d) |
About the Author
Read an Excerpt
INTRODUCTION
It’s human nature to pay attention to the problems that are big and flashy, attracting lots of interest, such as advanced persistent threat (APT) groups—state-sponsored attackers. APT-linked attackers have compromised major retailers, financial institutions, and even government networks. But when we focus all of our attention on APTs and other headline-generating activity, we miss basic issues. Even though you have new firewalls protecting your system and powerful traffic-monitoring devices, if you don’t keep up with the bread and butter of your security responsibilities, you’re leaving many chinks in your system’s armor. Neglecting the basics, like keeping your systems updated, can lead to serious consequences.
Consider this example: suppose you’re an information security manager at a medium-sized e-commerce business. You’ve set up firewalls to block incoming traffic except for traffic to internet-facing services on systems in your demilitarized zone (DMZ). You’ve turned on egress filtering to block unauthorized exit traffic. An antivirus is on the endpoints, and you’ve hardened your servers. You believe your system is safe.
But an old web service is running on an outdated version of Tomcat on a Linux server in the DMZ. It’s a relic from an ill-advised foray into selling some of your company’s valuable proprietary data to selected business partners. The initiative failed, but because you made some sales, you had a contractual obligation to keep that server up for another year. At the end of the year, the project was quietly shuttered, but the server is still running. Everyone has forgotten about it. But someone on the outside notices it. An attack comes in from a compromised server in Moldova, and your unpatched Tomcat server is vulnerable to a five-year-old Java issue. Now the attacker has a foothold in your network, and all your protections couldn’t stop it. Where did you fail?
This guide demonstrates the value of strong information security fundamentals. These are the most important components of a successful information security program. Unfortunately, they’re regularly neglected in favor of sexier topics, such as traffic analysis and automated malware sandboxing. Don’t get me wrong; these are great advances in the state of the art of information security. But without a strong grasp of the fundamentals, investment in more advanced tools and techniques is futile.
Who This Book Is For
This book is for security practitioners tasked with defending their organization on a small budget and looking for ways to replicate functionality from commercially available vulnerability management tools. If you’re familiar with vulnerability management as a process, you’ll have a head start. To build your own vulnerability management system, you should be familiar with Linux and database concepts and have some experience in a programming language like Python. The scripts in this book are written in Python, but you can functionally re-create them in whichever modern scripting or programming language you prefer.
Back to Basics
You can consider a number of security topics as foundational, such as authentication management, network design, and asset management. Although these elements might not be exciting or interesting for an analyst to work on, they’re of critical importance.
Vulnerability management is one of the foundational concepts of information security. A perfectly written and configured software package doesn’t exist. Bugs are an inevitable part of software, and many bugs have security implications. Dealing with these software vulnerabilities is a perennial issue in information security; the practice of vulnerability management is required for a baseline level of security that can serve as a trusted foundation upon which to deploy more advanced and specialized tools.
Vulnerabilities affect an organization’s IT infrastructure at all levels, so vulnerability management affects all aspects of an IT security program. Endpoint security relies on workstations and servers being up-to-date with the latest software versions to minimize the attack surface. Zero-day vulnerabilities are always a concern. But removing the low-hanging fruit of known (and sometimes long-standing) vulnerabilities makes it more difficult for attackers to compromise an endpoint and gain a foothold in your environment. Network security does its best to ensure that only necessary traffic passes among internal network segments and to and from the internet. But if systems or network devices contain known vulnerabilities, even otherwise legitimate traffic might contain network-based attacks using known and trusted protocols. Identity and access management (IAM) restricts users to the specific systems and data to which they’re entitled. But if the identity systems are vulnerable, attackers can simply sidestep them.
If your environment has a baseline level of security, any countermeasures you put in place can’t be easily bypassed by exploiting known vulnerabilities. Let’s consider an analogy: after World War I, France tried to protect itself from Germany by building a long line of forts and entrenchments along its German border. It was named the Maginot Line after the French minister of war. But when World War II began, the Germans ignored the barrier by simply going around it, invading France across the Belgian border instead. All of that expensive defensive infrastructure was irrelevant. The same goes for your environment. If it doesn’t have a foundational level of security, any additional countermeasures are no more than a Maginot Line. Attackers can easily avoid them because there is an easier path elsewhere. But by establishing a vulnerability management baseline and maintaining it via an active vulnerability management program, you can trust that additional security measures will add real value to your security program.
Vulnerability Management Is Not Patch Management
Patch management, perhaps in conjunction with a full software configuration management (SCM) system, keeps track of the versions and patch levels of servers and endpoints across an enterprise. It can push patches remotely to keep systems up-to-date. But although traditional patch management and vulnerability management (as described in this guide) share many similarities, the underlying assumptions are very different.
Patch management assumes that patches are available, a patch management system can manage all the devices on the network that need patches, and there is enough time and manpower to apply all patches. But in real environments, it’s very rare for all of these conditions to hold. Devices exist that aren’t managed by the SCM: for example, network devices like routers and firewalls, test machines, abandoned servers, and devices running operating systems that aren’t compatible with SCM agents. All these components are invisible to a typical SCM deployment and could easily become out-of-date without anyone noticing. Even if automated patching is practicable for endpoints, often you must handle servers and network devices manually, because automatically patching a server might lead to downtime when the organization can least afford it. On the other hand, manually patching servers and network devices takes time that overworked IT staff often can’t spare.
Vulnerability management takes a more pragmatic approach. Instead of asking, “How can we apply all of these patches?” vulnerability management asks, “Given our limited resources, how can we best improve our security posture by addressing the most important vulnerabilities?” Vulnerability management looks at the problem through a risk management lens. We start with the full domain of vulnerabilities that exist on networked devices—managed and unmanaged—and determine which of these vulnerabilities present the highest risk to the organization’s security. Once we’ve gathered that data, we have enough information to prioritize patching and remediation activities. If after this process is complete we have the capacity to apply more updates and remediation, so much the better. But by looking at the highest-risk issues first and using our limited time and resources wisely, we can improve the system’s security posture significantly with comparatively little effort.
Main Topics Covered
This technical guide is divided into two main parts: conceptual and practical. In the first part, you’ll learn about the concepts and components of the vulnerability management process. In the second and larger part, you’ll look at a practical approach to building a free or low-cost vulnerability management system. Although you can follow the guide exactly, it’s most important for you to understand the concepts behind each script to adapt it to your own needs. Toward the end of the book, you’ll explore topics you might want to tackle once your vulnerability management system is up and running. One of those topics is purchasing a commercial tool to improve your vulnerability management program when you have the budget to do so.
Table of Contents
Acknowledgments xvii
Introduction xix
Who This Book Is For xx
Back to Basics xx
Vulnerability Management Is Not Patch Management xxi
Main Topics Covered xxii
How This Book Is Organized xxii
Outcomes xxiii
Get the Code xxiv
Important Disclaimer xxiv
Part I Vulnerability Management Basics 1
1 Basic Concepts 3
The CIA Triad and Vulnerabilities 4
What Is Vulnerability Management? 4
Collecting Data 5
Analyzing Data 7
Applying Cull-Rank to a Real-World Example 8
Making Recommendations 9
Implementing Recommendations 9
Vulnerability Management and Risk Management 10
Summary 11
2 Sources of Information 13
Asset Information 13
Vulnerability Information 14
Exploit Data 15
Advanced Data Sources 16
Summary 17
3 Vulnerability Scanners 19
What Vulnerability Scanners Do 19
How Vulnerability Scanners Work 20
How to Deploy Vulnerability Scanners 21
Ensuring the Scanner Has Access 21
Choosing Your OS and Hardware 22
Configuring Your Scanner 22
Getting Results 24
Summary 24
4 Automating Vulnerability Management 25
Understanding the Automation Process 25
Data Collection 26
Automating Scans and Updates 27
Exploiting Your System's Vulnerabilities 28
Summary 29
5 Dealing with Vulnerabilities 31
Security Measures 32
Patching 32
Mitigation 32
Systemic Measures 33
Accept the Risk 34
Defense in Depth 34
Validating Controls 34
Summary 35
6 Organizational Support and Office Politics 37
Balancing Competing Priorities 38
Gaining Support 39
Empathy 39
Involve Stakeholders Early 40
Understand Office Politics 40
Speak Their Language 40
Find a Champion 41
Argue for Risk Management 41
Summary 43
Part III Hands-On Vulnerability Management 45
7 Setting Up Your Environment 47
Setting Up the System 47
Installing the OS and Packages 48
Customize If 49
Installing the Tools 49
Setting Up OpenVAS 49
Setting Up eve-search 50
Setting Up Metasploit 52
Customize It 53
Keeping the System Updated 53
Writing a Script for Automatic Updates 53
Running the Script Automatically 55
Customize It 55
Summary 55
8 Using the Data Collection Tools 57
An Introduction to the Tools 58
Nmap 58
OpenVAS 58
Cve-search 59
Getting Started with Nmap Scanning 60
Running a Basic Scan 61
Using Nmap Flags 62
Customize It 66
Getting Started with OpenVAS 67
Running a Basic OpenVAS Scan with the Web GUI 67
Running a Basic Scan from the Command Line 72
Customize It 75
Getting Started with eve-search 75
Searching for CVE IDs 75
Finding Out More About a CVE 76
Text Searching the CVE Database 77
Customize It 78
Summary 78
9 Creating an Asset and Vulnerability Database 79
Preparing the Database 80
Understanding the Database Structure 81
Customize It 86
Getting Nmap into the Database 86
Defining the Requirements 87
Building the Script 88
Customize it 90
Getting OpenVAS into the Database 91
Defining the Requirements 91
Mapping Vulnerabilities to Hosts 92
Building the Script 93
Customize It 96
Summary 96
10 Maintaining the Database 97
Defining Database Indexes 97
Setting Indexes 98
Testing Indexes 98
Customize It 99
Keeping the Data Fresh 100
Determining the Cleanup Parameters 100
Cleaning Up Your Database with Python 101
Customize if 101
Summary 102
11 Generating Asset and Vulnerability Reports 103
Asset Reports 104
Planning Your Report 104
Getting the Data 105
Script Listing 107
Customize It 109
Vulnerability Reports 109
Planning Your Report 109
Getting the Data 110
Script listing 111
Customize It 112
Summary 113
12 Automating Scans and Reporting 115
Visualizing the Automation Process 116
Collect Data 116
Analyze Data 117
Maintain the Database 117
Planning the Script 117
Assembling the Script 117
Running Nmap and OpenVAS 119
Scheduling the Script 119
Script Listings 119
Customize It 121
Summary 122
13 Advanced Reporting 123
Detailed Asset Reporting 123
Planning the Script 124
Script Listing 125
Customize It 126
Detailed Vulnerability Reporting 131
Planning the Script 133
Script Listing 133
Customize It 136
Exploitable Vulnerability Reporting 136
Preparation 136
Modifying the Old Script 137
Customize It 138
Summary 138
14 Advanced Topics 139
Building a Simple REST API 140
An Introduction to APIs and REST 140
Designing the API Structure 141
Implementing the API 142
Getting the API Running 145
Customize It 146
Automating Vulnerability Exploitation 147
Pros and Cons 147
Automating Metasploit 148
Bringing the System into the Cloud 149
Cloud Architecture 150
Cloud and Network Ranges 150
Other Implementation Considerations 151
Summary 152
15 Conclusion 155
A Look Back 155
Designing and Building 156
Maintaining the System 156
Commercial Vulnerability Management Products 157
Commercial Scanners 157
Commercial Vulnerability Management Systems 158
An Incomplete List of Commercial Options 159
Coming Trends in Information Security 159
Clouds and Containers Revisited 159
Zero-Trust Networking 160
In Closing 161
Index 163