I will never forget my assignment for a vulnerability assessment against a control systems network: “Hey, can you go somewhere, run ‘scans’ against this system, and oh by the way don’t crash it or a large portion of the USA could lose power.” Needless to say, I turned down that assignment, as they required that a traditional network-based “scan” be run. There has to be a better way to perform assessments in such environments!
Fast forward 10 years, and I’ve worked with much safer techniques for assessing the security of SCADA/control systems infrastructure. Working for Tenable Network Security has also given me great insight into several techniques, including:
- Using credentials to login to systems and audit for missing patches and configuration changes
- Tuning vulnerability scans to be less intrusive yet still accurate and providing useful information
- Implementing passive vulnerability scanning to discover hosts on the network and enumerate vulnerabilities, without sending a single packet to the end-user system
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Systems Environments, Paul Asadoorian of Tenable Network Security
1. Tiptoe Through The Network: Practical Vulnerability Assessments in Control Systems Environments
Paul Asadoorian, Product Evangelist, Tenable Network Security
2. About Me
• Currently Product Evangelist at Tenable Network Security
• Founder & CEO of Security Weekly (formerly “PaulDotCom”)
• Worked for Digital Bond in 2008/2009
• Love hacking and breaking embedded systems
3. Warning: Sub-Themes I am Known to Use in All My Presentations
• Ninjas (Check)
• Star Wars Reference
• ONE lolcat
• Old Joke directed at my friend Jack Daniel
• Wife/Kids related humor
• Unicorns
4. I can “scan” your networks without breaking “stuff”
And spoons don’t really sound like airplanes?
5. You Don’t Have to Feel Vulnerable
• There is typical hesitation when scanning a network and/or any systems
• Scans may “cause an undesirable condition on a remote host” (Okay, it could crash it)
• Problem is you must:
  o Identify the device
  o Enumerate vulnerabilities
6. Goals
• Identify assets
• Don’t break stuff
• Discover vulnerabilities
• Report them to people who can fix them
• Continuously discover vulnerabilities that remain
• Report progress to management
7. You Can’t Fix it if You Don’t Know it Exists
• Detect hosts:
  o Netflow data
  o Firewall logs
  o ARP tables
  o Sniff network traffic
  o Connection tables
  o Query VMware
  o Look at your logs
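The host-detection sources on this slide all share one property: none of them sends a packet to the end device. As an added example (not from the slides or from Tenable), the following merges constructed sample firewall log lines, an `arp -a`-style table and NetFlow-like CSV records into one inventory, and flags hosts that only one source knows about, which is the reason to correlate several sources rather than trust any single one.

```python
"""Passive host inventory built from evidence that never touches the end system."""
import csv
import io
import re
from collections import defaultdict

# Constructed sample inputs (not real data). The destination ports are
# typical ICS services (Modbus/TCP 502, EtherNet/IP 44818, SNMP 161).
FIREWALL_LOG = """\
Mar  3 10:01:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.10.5.21 DST=10.10.9.4 PROTO=TCP SPT=49152 DPT=502
Mar  3 10:01:09 fw kernel: IN=eth1 OUT=eth0 SRC=10.10.5.22 DST=10.10.9.4 PROTO=TCP SPT=49200 DPT=502
"""
ARP_TABLE = """\
plc-01 (10.10.5.21) at 00:80:f4:01:02:03 [ether] on eth1
? (10.10.5.23) at 00:1b:1b:aa:bb:cc [ether] on eth1
"""
FLOW_CSV = """\
src,dst,proto,dport
10.10.5.23,10.10.9.4,6,44818
10.10.5.24,10.10.9.9,17,161
"""

def build_inventory(firewall_log, arp_table, flow_csv):
    """Return {ip: {"sources": set, "mac": str|None, "ports": set}}."""
    inv = defaultdict(lambda: {"sources": set(), "mac": None, "ports": set()})
    for line in firewall_log.splitlines():
        m = re.search(r"SRC=(\S+) DST=(\S+) .*DPT=(\d+)", line)
        if not m:
            continue
        src, dst, dport = m.groups()
        inv[src]["sources"].add("firewall")
        inv[dst]["sources"].add("firewall")
        inv[dst]["ports"].add(int(dport))  # service the destination offers
    for line in arp_table.splitlines():
        m = re.search(r"\((\S+)\) at ([0-9a-f:]{17})", line)
        if m:  # ARP gives a MAC (vendor OUI hints at the device type)
            inv[m.group(1)]["sources"].add("arp")
            inv[m.group(1)]["mac"] = m.group(2)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        inv[row["src"]]["sources"].add("netflow")
        inv[row["dst"]]["sources"].add("netflow")
        inv[row["dst"]]["ports"].add(int(row["dport"]))
    return dict(inv)

def single_source_hosts(inv):
    """Hosts only one source saw; these are the ones a single feed would miss."""
    return sorted(ip for ip, rec in inv.items() if len(rec["sources"]) == 1)

if __name__ == "__main__":
    inventory = build_inventory(FIREWALL_LOG, ARP_TABLE, FLOW_CSV)
    for ip, rec in sorted(inventory.items()):
        print(ip, rec["mac"], sorted(rec["sources"]), sorted(rec["ports"]))
    print("seen by only one source:", single_source_hosts(inventory))
```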
8. Check out Bro IDS
• Regex for your network
• Write rules to discover hosts, attacks, vulnerabilities and more
• Command line kung fu, Security Onion
Liam has the coolest title: “Brovangelist”
9. P0f – Passive OS and Host detection
• This tool is 14 years old…(Been around a long time)
• Big thanks to Rob over at the SANS ISC, nice articles and examples
  o http://isc.sans.org/diary/Passive+Scanning+Two+Ways++How-Tos+for+the+Holidays/17246
  o http://isc.sans.org/diary/Scanning+without+Scanning/17189
Not as long as Jack….
10. Sniffing the Network
• Passive sniffing
• Firewalls
• Virtualization
• This shouldn’t be on the network
12. Nessus for Host Discovery
• Nessus is an active vulnerability scanner, however:
  o You can use credentials to audit patches
  o Configuration auditing points out flaws
  o Policies are highly configurable
• http://www.tenable.com/blog/using-nessus-for-host-discovery
Ninja convention
13. Credentials: Checking for Patches
• Easy to create, use the wizard
• Upload the SSH keys
• Nessus automatically selects the appropriate plugins
19. Vulnerability Management
• You must keep up with patches on ALL of your systems
• You must identify easily exploitable vulnerabilities and patch them FAST
20. The Patch Management Struggle
Security Guy (to Sysadmin): “Our systems are missing patches!”
21. Step 1 – Define
• Policy – What you will do and where you will do it
• Procedures – How you will do it and who you will do it with
• Get management to sign off on both of the above
22. Step 2 – Communication & Process
• Communicate your policy and procedures to the right people!
• Management, security, administrators and end users
23. Step 3 – Find Them All
• Scan your network (frequently)
• Perform authenticated vulnerability scans
  o Servers & desktops
  o Network infrastructure
  o Virtualization platform
  o Storage systems
• Sniff your network for vulnerabilities
These are not the vulnerabilities you’re looking for
• Mine your logs for data
24. Application Discovery
• Get rid of applications not supported or not in use
• Reduce your attack platform
• Less stuff to patch
32. “Scanning” Embedded Systems
• Many embedded devices are Wifi-only
• Some devices are transient or are only online for a short time, then go away
• Many do not react well to an active network-based scan (ICS-type devices, for example)
• Resources are an issue (not enough CPU/RAM)
34. Conclusions
• There are many ways to continually perform host discovery, from sniffing to log monitoring
• Once you’ve identified all the hosts, have a process for vulnerability management
• There are numerous ways in which to “scan” a host, including credentialed patch audits and configuration auditing
• Embedded systems are tricky, require special attention, and passive scanning is best in this case
35. Sub-Themes Check list
Ninjas
Star Wars Reference
ONE lolcat
Old Joke directed at my friend Jack Daniel
Wife/Kids related humor
Unicorns
37. Try SecurityCenter and Nessus now
For more information, or to evaluate SecurityCenter Continuous View:
http://www.tenable.com/products/securitycenter-continuous-view
Evaluate Nessus free for 14 days:
http://www.tenable.com/products/nessus/evaluate