RIPE79 the compelling case for national vulnerability management programs
•Transferir como PPTX, PDF•
0 gostou•24 visualizações
Companies are supposed to patch. But the process is flawed. For all sorts of good an bad reasons, vulnerabilities still exist. The solution: CVD (coordinated vulnerability disclosure) on steroids: connect the dots and use LIRs to close the gaps
Recomendados
Recomendados
Mais conteúdo relacionado
Semelhante a RIPE79 the compelling case for national vulnerability management programs
Semelhante a RIPE79 the compelling case for national vulnerability management programs (20)
Último
Último (20)
RIPE79 the compelling case for national vulnerability management programs
- 1. And why the LIR is a key factor M. Steltman - RIPE79 – 16-10-2019 The compelling case for vulnerability management
- 3. Why are we vulnerable ? “We are vulnerable, because hard- and software has vulnerabilities. The bad guys find them and use them for themselves. So we need good guys to find them too, and then fix those leaks. It’s all we have” Bruce Schneier
- 4. So, why don’t we just patch? 4
- 5. The patching process for companies explained 5 ?
- 6. Sounds easy but hard to achieve 100% 6 ?
- 7. Too much to deal with 7
- 8. 8 Digital Infrastructure, Including LIRs Companies with digital presence Financial servicesManufacturing Logistics Healthcare Retail MobilityGovernment Digital Services Plan B: Coordinated responsible disclosure / Bug bou Common approach: “Motivate” Add: Find and report
- 10. => towards: CRD on steroids 10 Crawl and scan Crawl and scan Crawl and scan Crawl and scan Crawl and scan Crawl and scan networks Add performance information Collect and aggregate Forward & Policy Members & Constituents of:
- 11. What can and should LIRs do? 11 ** Where does LIR responsibility start and stop **? -> LIR is NOT responsible, but is (as other intermediaries) a key actor in getting this going This goes way beyond ISP abuse mitigation! -LIR ( as ISP, hoster, CSP) is a key actor , the essential “middle man”: - Monitor: Which badness is visible in my networks: vulnerabilities and abuse - Receive: Subscribe to feeds, receive abuse- and vulnerability information - Triage: Who has the actual problem, which user or cusromer? - Forward: Who can and should fix this? - Policy: “motivate” users / customers to act, or act yourself
- 12. Questions for RIPE community / LIRs 12 - Do you agree that this “actual vulnerability”approach can be very effective? - Do you agree that the LIR is a key middleman in this approach? Concrete actions for such LIRs, what can you already do NOW: - Start with this mindset - Update your policies, accept code of conduct NtD and Abuse - Be reachable ! - Subscribe to offered aggregated feeds - Forward info and act , to customers / users - Using standard OSS systems such as Abuse-IO • If this initiative will start, are YOU prepared to participate ?
- 13. 13 The current approach : motivate companies to patch 100%, is insufficient The solution: Find ACTUAL leaks, aggregate, add performance info Then forward to those who can fix– or who can make someone fix In NL: All we need is already there! Just need to go on steroids Gov: (NCSC): please take the lead, connect the dots Providers / LIRS: Adopt the CoC , connect to NBIP and start making a difference In your country: replicate the model ** It is time to act, now! **
Notas do Editor
- And again: we are vulnerable. Very vulnerable. VPns vulnerabilities: as if your staff entry is open for everybody Our scientific councel has said it: this van lead to diusrutions of society. What is vital and what not. Anything can turn out to be vital if it is donw or compromised long enough It reall, is time to act. But how?
- I was on a OECD congres last year, with Nelly, inspired by bruce. He made the matter very simple. Let start with the technology. It is nog the only thing, but if that;s not safe,
- Our approach: complain about vulnerabiloiies, strong language: we must patch, whi do;t we do it ? And if you don;t, you are apparently neglicent and lazy. Shame on you? Is it thast simple?
- Let take a look at how it works. It sounds easy enough: Know your software Crawl the CVE database Go to your supplier Update and patch your systems done. We are all a lot safer!
- But is hard, and cumvbersome,e VCE has 20000 entries, Huge task to know your inventor and know when to patch. Easy to overlook one. vendos don;t always supply patches. And llots of your technologies atre with third parties, your hosters, SaaS providers. They can overloop patches too.
- To make things worse, patching breaks things. Lots of outages are caused by patching And then the minister will say “I am going to ibtervene with companies who don’t manage their availability ? There are too many patches to keep up with Patching is a manual, time consuming process Lack of resources Some applications can’t be patched End user resistance Patching breaks things
- Plan B: scan for things you see from the Internet. Act as the bad guys do. Then report to the compny who can fix this
- So here is the plan: Put RD on steroids. It is a simple formula, that many of you recognize from other problems. Scan Forward and aggregate Add: sticks and carrots Then: send to those who do not have the problemj themselves, but KNOW who hasve the problem. LIR’s, hosters, providers. They KNOW whio is reponsible, understand the technical details, can formulate the right call to action.