Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Critical Control 10: Continuous Vulnerability Assessment and Remediation

Published: 2011-10-13
Last Updated: 2011-10-14 09:37:40 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

This control, Continuous Vulnerability Assessment and Remediation is an important mechanism to detect known vulnerabilities, if possible patch them or use additional host or network controls to prevent exploitation until a patch or update is released. Preferably, the assessment tools should categorized the discovered vulnerabilities using industry recognized standards such as CVE to correlate and classify the data obtained with other network devices such as a SIM, to detect attempts or successful exploitation of the vulnerability.

There are a large number of vulnerability management tools available on the market (free and commercial) which can be used to evaluate system configuration on a continuous basis. A first step would be to run a daily discovery scan against network devices and run a full audit of the systems with credentials on a weekly basis, taking into consideration the impact on the network (i.e. when the network devices are the least busy). This would ensure that new found vulnerabilities are taken care of in a timely manner soon after they have been discovered. Whenever possible, it is important the patch be tested in an environment that mimics the production system before being pushed enterprise wide. If the patch fails the tests, other mitigating controls should be tested and put in place to prevent exploitation.

In order to put in place an effective continuous vulnerability assessment plan, the enterprise scanner should be able to compare the results against a baseline and alert the security team when significant changes are detected. This can be done via a ticketing system, with email, etc.

All system identified in CC1 should be scanned for known vulnerabilities and should alert the security team upon the discovery of new devices. To ensure CC10 is effective, the security team must conduct a periodic review that the daily and weekly assessments are working as configured and have completed successfully.

There are many more audit tools out there than those posted below, let us know what have been the most effective in your environment.

Commercial Audit Tools

Retina: http://www.eeye.com
GFI LanGuard: http://www.gfi.com
nCircle: http://www.ncircle.com
Nessus: http://www.tenable.com
Qualys: http://www.qualys.com

Freeware Audit Tools

IPScanner: http://www.radmin.com/products/ipscanner/index.php
PSI: http://secunia.com/vulnerability_scanning/personal/
Nmap: http://insecure.org
OpenVAS: http://www.openvas.org

[1] http://www.sans.org/critical-security-controls/control.php?id=10

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

 

0 comment(s)

Dennis M. Ritchie (1941 - 2011)

Published: 2011-10-13
Last Updated: 2011-10-13 20:38:47 UTC
by Kevin Shortt (Version: 1)
3 comment(s)

/*

The news that Dennis M. Ritchie, the creator of the C Programming language and well known for contributing to the creation of the UNIX Operating System, died on October 8, 2011, hit the Internet headlines today. 

Also very well known to all UNIX/C Programmers for his co-authoring of the book The C Programming Language [1].  I will not profess to know much of Dennis M. Ritchie to speak here.  I do recognize his contribution to my career and all the UNIX that flows through my blood stream.  

I have read many stories today covering the life of Dennis M. Ritchie.  The one I found most credible and interesting to read, was ironically an autobiography [2]. Take a moment of appreciation and read through it when you have a chance.  Bell-Labs also hosts a page for dmr [3]. Those pages are my recommended reading for the day.

The loss of Steve Jobs last week is recognizably an enormous loss to society and the world.  A few days later, we have lost Dennis M. Ritchie.  It is an understatement that Steve Jobs and all like him have been standing on Dennis M. Ritchie's shoulders for years. Dennis M. Ritchie was a giant and can be recognized as such.  

Simply put, this world is a better, more productive and richer place because of Dennis M. Ritchie.  We all owe a bit gratitude.

*/

#include <stdio.h>

int main () {

   printf("goodbye, dmr. RIP.\n");

}

/*

[1] http://cm.bell-labs.com/cm/cs/cbook/index.html
[2] http://cm.bell-labs.com/cm/cs/who/dmr/bigbio1st.html
[3] http://cm.bell-labs.com/who/dmr/   

-Kevin

--
Kevin Shortt
ISC Handler on Duty

*/

$ gcc dmr.c
$ ./a.out
goodbye, dmr. RIP.



Keywords: Ritchie
3 comment(s)
VMware ESXi and ESX updates to third party libraries and ESX Service Console - http://www.vmware.com/security/advisories/VMSA-2011-0012.html
ISC StormCast for Thursday, October 13th 2011 http://isc.sans.edu/podcastdetail.html?id=2062

Critical OS X Vulnerability Patched

Published: 2011-10-13
Last Updated: 2011-10-13 03:08:14 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

With today's focus on the release of iOS 5, and people worldwide refreshing the UPS shipping status page to check if the iPhone 4S left Hong Kong or Anchorage yet, a patch released for OS X Lion (10.7) came in under the radar. In addition to bringing us iCloud support and a good number of other security related patches, one issue sticks out as SUPER CRITICAL, PATCH NOW, STOP THAT iOS 5 DOWNLOAD.

The exploit can be implemented in a line of javascript, and will launch arbitrary programs on the user's system. It does not appear that the attacker can pass arguments to the software, which may make real malicious exploitation a bit hard, but I am not going to wait for an improved proof of concept to proof me wrong.

That said: It is our policy not to link to exploit code. Search twitter and other outlets for links. We may reconsider if we see the code used maliciously. At this point, I am only aware of the PoC site. Please let us know if you spot it anywhere else.

NB: My Macbook failed to boot after applying the update. Still debugging why :(

Update: In my case, the Macbook boot failed because I had Symantec's PGP software installed. I didn't use the whole disk encryption, but PGP still installed drivers that turned out to be the problem. My recovery process:

- hold command+R during boot to boot into recovery mode (if you got a recovery partition
- if you are using filevault2, launch the disk utilty to unlock the disk
- remove the following files from your system disk (which is now mounted under /Volumes )

    Library/Extensions/PGPnke.kext
    System/Library/Extensions/PGPwde.kext
   Library/Extensions/PGPdiskDriver.kext

This did it for me. The next reboot went fine. For more details see the following sites that helped me get this working:
http://prowiki.isc.upenn.edu/wiki/Removing_PGP_Desktop_on_a_Mac
https://discussions.apple.com/message/16333057#16333057
http://www.macworld.com/article/161088/2011/07/hands_on_lion_recovery_mode.html

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: exploit OS X Safari
0 comment(s)
Diary Archives