Asset Inventory for Network Perimeter: from Declarations to Active Scanning
In the previous post, I shared some of my thoughts about what a good #AssetInventory system should look like. Of course, for me as a Security Specialist, it would be great if IT provided such a magical system. 🙂 But such an ideal situation is rarely possible. So now let’s see how to build an #AssetInventory system using the resources of the Information Security team.
There are no special secrets. It’s necessary to get information about the assets from all available IT systems and then get the rest of the data using our own Assessment tools. I would like to start with hosts on the Network Perimeter. The Network Perimeter targets are available at any time for hacker attacks, and that’s why this part of the network is the most critical.
The Perimeter is changing constantly, and we should understand at any time which hosts are currently exposed in every office and on every external hosting platform.
We can get information about external hosts using a Vulnerability Scanner located on an external host on the Internet. I have already written about it briefly in #VulnerabilityManagement for Network Perimeter. Here I would like to focus on how we can understand which hosts should be scanned and what useful information we can get from the raw #scan results.
#Tenable #python #Nessus #MSWord #MSExcel #DNS #AtlassianConfluence #VulnerabilityManagement #PerimeterService #Concept
Read more: https://avleonov.com/2018/08/16/asset-inventory-for-network-perimeter-from-declarations-to-active-scanning/
Asset Inventory for Internal Network: problems with Active Scanning and advantages of Splunk
In the previous post, I wrote about Asset Inventory and Vulnerability Scanning on the Network Perimeter. Now it’s time to write about the Internal Network.
There is a common belief that we can use Active Network Scanning for #AssetInventory in the organization. Currently, I’m not a big fan of this approach, and I will try to explain here the disadvantages of this method and mention some alternatives.
#TrendMicro #Tenable #subnet #Splunk #Qualys #python #Nessus #McAfee #Kaspersky #firewall #FireEyeHX #FireEye #CiscoISE #Cisco #VulnerabilityManagement #SIEM #API
Read more: https://avleonov.com/2018/08/20/asset-inventory-for-internal-network-problems-with-active-scanning-and-advantages-of-splunk/
At the beginning it was probably wisely designed, but for years it was heavily affected by spontaneous development processes in various projects as well as multiple acquisitions. And now very few people in the organization really understand how it all works and who owns each piece.
CyberThursday: AssetInventory, IT-transformation in Cisco, Pentest vs. RedTeam
Two weeks ago I was speaking at a very interesting information security event – #CyberThursday. This is a #meeting of a closed Information Security practitioners group. The group is about 70 people, mainly from financial organizations, telecoms and security vendors.
These meetings have a rather unique atmosphere. Almost everyone knows each other. The event has no permanent place; it constantly moves between the offices of large Russian companies. The host, usually a CISO, can bring his IT and InfoSec colleagues. For others, only the “bring a friend” format is available. This helps keep the event focused and very informal. Participants propose and approve the topics by voting in the chat group. There is no place for marketing; all topics are practical and relevant.
#wiki #Splunk #RuslanIvanov #meeting #DNS #CyberThursday #Cisco #AtlassianConfluence #AndreyPopov #VulnerabilityManagement #Events
Read more: https://avleonov.com/2018/08/22/cyberthursday-asset-inventory-it-transformation-in-cisco-pentest-vs-redteam/
Assessing #Linux Security Configurations with #SCAP Workbench
Recently I had a chance to work with #OpenSCAP. It’s a set of free and open-source tools for #Linux Configuration Assessment and a collection of security content in #SCAP (Security Content Automation Protocol) format.
In this post I will write about #SCAPWorkbench. It is a #GUI application that can check the configuration of your local #Linux host (or a remote host via ssh; note that agent installation is required) and show the settings that do not comply with some security standard, for example #PCIDSS or #DISA #STIG.
Moreover, you can generate a script for automated #remediation. You can also create your own #scan profiles based on existing #SCAP content.
#xccdf #USGCB #STIG #SCAPWorkbench #RedHat #puppet #PCIDSS #oscap #OpenSCAP #NIST #Linux #html #CJIS #CIS #CentOS #C2S #bash #ARF #ansible #Standard #ComplianceManagement
Read more: https://avleonov.com/2018/09/01/assessing-linux-security-configurations-with-scap-workbench/
Retrieving IT Asset lists from NetBox via API
A little bit more about the IT #AssetInventory of the Internal Network that your IT team can provide. 😉
I have recently worked with #NetBox – an open source IP address management (IPAM) and data center infrastructure management (DCIM) solution developed by the well-known cloud hosting provider #DigitalOcean.
It’s not really about security, and not even a #CMDB. But the security team might still be interested in #NetBox, because it makes it possible to track the hosts in some critical #subnet without active scanning, providing great visibility of assets. Here I will show a small example of #NetBox #API usage.
#Splunk #python #NetBox #IPAM #DigitalOcean #DCIM #AssetInventory #API
Read more: https://avleonov.com/2018/09/05/retrieving-it-asset-lists-from-netbox-via-api/
Making Expect scripts for SSH Authentication and Privilege Elevation
Expect can help you to automate interactive console applications. For example, an #expect script can go to some #Linux host via #SSH with password authentication, perform additional #authentication procedures (su, sudo) to elevate privileges and execute some commands. Like Vulnerability and Compliance management products do during active #Linux scanning, right? 🙂 For example, you can get the list of installed packages and perform a Vulnerability Assessment without a Vulnerability Scanner.
Actually, the tool is pretty old. It was presented more than 20 years ago! And perhaps now it makes more sense to use #python scripts, for example #paramiko with paramiko-expect. Or even use some software provisioning tool, like Ansible. But my fun was in creating (generating?) small old-school scripts that could be sent to any remote host (with #expect installed) to gather information from the accessible hosts.
#sudo #SSH #scp #OpenSSH #expect #authentication #VulnerabilityManagement #ComplianceManagement
Read more: https://avleonov.com/2018/09/08/making-expect-scripts-for-ssh-authentication-and-privilege-elevation/
Psychological Aspects of Vulnerability Remediation
In my opinion, Remediation is the most difficult part of the #VulnerabilityManagement process. If you know the assets in your organization and can assess them, you will sooner or later produce a good enough flow of critical vulnerabilities. But what is the point, if the IT team does not fix them?
Just think about it. The only thing that your colleagues from the IT team see is an unexpected tsunami of patching tasks. They most likely don’t understand WHY they should do it. They most likely don’t know about the concepts of Attack Surface minimization and Attack Cost maximization. From their point of view it’s just some stupid requirements from the InfoSec team imposed with only one goal – to make their life miserable.
So, they may think that _denial_ and pushing back can solve all their problems. And, frankly, this may work. There are countless ways to #sabotage Vulnerability Remediation. The most common are the following:
* I don’t understand how to patch this.
* I already patched this; there must be a false positive in the #scanner.
* Why should we patch this? The #vulnerability is not exploitable. Or it is exploitable in theory, but not exploitable in our particular infrastructure. Or this server is not critical and, even if it is compromised, there won’t be a huge impact. So, we will not patch it.
In each individual case the Vulnerability Analyst can describe and prove his point, but doing this for each #vulnerability will require an insane amount of time and effort and will _paralyze_ the work. It is basically the Italian strike, or work-to-rule.
#sabotage #remediation #policy #patch #metrics #KPI #hardening #exploit #CVSS #VulnerabilityManagement #Concept
Read more: https://avleonov.com/2018/09/16/psychological-aspects-of-vulnerability-remediation/
ISACA Moscow Vulnerability Management Meetup 2018
Last Thursday, September 20th, I spoke at the #ISACA Moscow “Vulnerability Management” Meetup held at Polytechnic University. It is the only event in Moscow devoted solely to #VulnerabilityManagement, so I just had to take part in it. 🙂
The target audience of the event was people who implement the vulnerability management process in organizations and the employees of #VulnerabilityManagement vendors. I noticed groups of people from Altex-Soft (Altx-Soft), #PositiveTechnologies and Vulners.
It was very interesting to see such a concentration of Vulnerability and #ComplianceManagement specialists in one place. Questions from the audience were relevant and often concerned the weaknesses of competitors. 😉 Here I will make a brief overview of the reports. You can also read here about the previous year’s event at “ISACA Moscow #VulnerabilityManagement Meetup 2017“.
#Zabbix #vulnerscom #Splunk #SOC #SLA #SCAP #RussianPost #Qiwi #PositiveTechnologies #OVAL #NikolaiSamosvat #MoscowPolytech #KPI #ISACA #HRD #FIN #CISO #AltxSoft #AlexBodryk #VulnerabilityManagement #Events #ComplianceManagement
Read more: https://avleonov.com/2018/09/23/isaca-moscow-vulnerability-management-meetup-2018/
BTW, I can recommend the great official channel of the ISACA Moscow Chapter (in Russian):
"News on information security management in Russia and the world, exchange of best practices"
https://t.iss.one/IsacaRuSec
How to create and manage Splunk dashboards via API
In the previous post “How to correlate different events in #Splunk and make dashboards” I mentioned that #Splunk #dashboards can be presented in a simple XML form. You can generate it with some script and then copy-paste it into the #Splunk #GUI.
However, these manual operations can make the process of debugging #dashboards really annoying. It would be much easier to send the dashboard XML content to #Splunk using the #Splunk #API. And it is actually possible. 🙂
#Splunk #python #dashboards #SIEM #API
Read more: https://avleonov.com/2018/09/27/how-to-create-and-manage-splunk-dashboards-via-api/