Stakeholder Specific Visualization and Automated Reporting of Network Scanning Results
11. DFN-Forum Kommunikationstechnologien, Günzburg, 27 June 2018
Tanja Hanauer, Stefan Metzger
23.07.18 Leibniz-Rechenzentrum 2
Agenda
Ø Motivation
Ø State of the Art
Ø Process Framework Vis4Sec
Ø Exemplary Process Iterations
§ Limitation and Control of Network Ports
§ Vulnerable OpenSSL Library
Ø Conclusion
Motivation
Ø Overview
Ø Organizational Knowledge
Ø Compliance -> Implementation
State of the Art
Ø Visualization and Data Guidelines
§ Gestalt Theory
§ Tufte's Design Criteria
§ Shneiderman's Information Seeking Mantra
Data Quality Dimensions according to the Data Management Association UK (DAMA UK)
Ø Completeness: Proportion of stored data against the potential of 100 % complete.
Ø Uniqueness: Nothing will be recorded more than once based upon how that thing is identified.
Ø Timeliness: The degree to which data represent reality from the required point in time.
Ø Validity: The data conforms to the syntax (format, type, range) of its definition.
Ø Accuracy: The degree to which data correctly describes the "real world" object or event being described.
Ø Consistency: The absence of difference when comparing two or more representations of a thing against a definition.
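Added example (not from the slides): a Python check that applies four of these dimensions (completeness, uniqueness, timeliness, validity) to port-scan records before they reach a dashboard; accuracy and consistency need a second source such as the CMDB and are left out here. The record layout, the expected host list and the 7-day age limit are assumptions.

```python
# Added example (not from the slides): applying four DAMA UK dimensions
# (completeness, uniqueness, timeliness, validity) to port-scan records.
# Record layout, expected host list and the 7-day age limit are assumptions.
import ipaddress
from datetime import datetime, timedelta, timezone

SCAN_TIME = datetime(2018, 7, 23, 6, 0, tzinfo=timezone.utc)
EXPECTED_HOSTS = {"10.0.0.1", "10.0.0.2", "10.0.0.3"}  # hosts the scan must cover
# Constructed sample records, one per (host, port, proto)
RECORDS = [
    {"host": "10.0.0.1", "port": 22, "proto": "tcp", "scanned": SCAN_TIME},
    {"host": "10.0.0.1", "port": 22, "proto": "tcp", "scanned": SCAN_TIME},  # duplicate
    {"host": "10.0.0.2", "port": 70000, "proto": "tcp", "scanned": SCAN_TIME},  # bad port
    {"host": "10.0.0.999", "port": 80, "proto": "tcp", "scanned": SCAN_TIME},  # bad IP
    {"host": "10.0.0.2", "port": 443, "proto": "tcp",
     "scanned": SCAN_TIME - timedelta(days=10)},  # older than allowed
]

def check_quality(records, expected_hosts, now, max_age=timedelta(days=7)):
    """Return the findings per dimension; a record failing validity is dropped
    before the other checks so garbage does not mask real duplicates or gaps."""
    findings = {"completeness": [], "uniqueness": [], "timeliness": [], "validity": []}
    valid = []
    for r in records:
        problems = []
        try:
            ipaddress.ip_address(r["host"])
        except ValueError:
            problems.append("bad host address")
        if not 0 < r["port"] <= 65535:
            problems.append("port out of range")
        if r["proto"] not in ("tcp", "udp"):
            problems.append("unknown protocol")
        if problems:
            findings["validity"].append((r["host"], r["port"], problems))
        else:
            valid.append(r)
    seen = set()
    for r in valid:
        key = (r["host"], r["port"], r["proto"])
        if key in seen:
            findings["uniqueness"].append(key)  # same thing recorded twice
        seen.add(key)
        if now - r["scanned"] > max_age:
            findings["timeliness"].append(key)  # too old to represent reality
    # Completeness: every expected host must appear in the valid records
    findings["completeness"] = sorted(expected_hosts - {r["host"] for r in valid})
    return findings
```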
State of the Art
Ø Visualization and Data Guidelines
Ø Security Best Practices
§ ISO/IEC 27001
§ Critical Security Controls
Security Best Practices
Ø ISO/IEC 27001
§ 13.1.2 Security of network services
§ 18.2.3 Technical review to ensure compliance with information security policy
Ø Critical Security Controls
§ CSC 9 Limitation and control of network ports
§ 9.1 Only ports, protocols, and services with validated business needs are running on each system
§ 9.3 Automated regular port scans against all key servers and comparison of the results to a known baseline
State of the Art
Ø Visualization and Data Guidelines
Ø Security Best Practices
§ ISO/IEC 27001
§ Critical Security Controls
Ø Existing Publications
Existing Publications
State of the Art
Ø Visualization and Data Guidelines
Ø Security Best Practices
§ ISO/IEC 27001
§ Critical Security Controls
Ø Existing Publications
Ø Visualization and Knowledge Processes
§ Ware, Fry, Marty, and Balakrishnan
§ Burkhard
Process Framework Vis4Sec
Ø Initiation
§ Environment
§ Requirements
§ Stakeholders
§ Planned Actions
Ø Question Phase
Ø Data Preparation Phase
§ Data Sources
§ Ensure Data Quality
Ø Visualization Phase
Ø Interaction Phase
Ø Iterations
Initiation
Ø Environment: Scientific Data Center LRZ
Ø Requirements
§ Know running services
§ Detect new services
§ Detect and patch potentially vulnerable services
Ø Stakeholders
§ System and security admins
§ IT management
Ø Planned Actions
§ Automation of network scans
§ Stakeholder-specific filtering and distribution of results
Question Phase
Ø What are the reachable ports on each system?
§ Externally
§ Internally
Data Preparation Phase – Data Source I
DR Portscan
§ Centralized regular network scans
§ Aggregated
§ Automated ∆-reporting
§ Information → operations
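Added example (not from the slides and not the DR Portscan code): a Python Δ-report of one scan run against a known baseline (the comparison CSC 9.3 asks for), split so that each stakeholder receives only its own systems. The scan and baseline layout and the host-to-team mapping are assumptions standing in for the organizational sources.

```python
# Added example (not from the slides): Δ-report of a scan run against a
# known baseline (CSC 9.3), split per stakeholder. Formats are assumptions.

# Constructed sample: baseline and current scan as {host: {"port/proto", ...}}
BASELINE = {
    "10.0.0.1": {"22/tcp", "443/tcp"},
    "10.0.0.2": {"22/tcp", "123/udp"},
}
SCAN = {
    "10.0.0.1": {"22/tcp", "443/tcp", "9100/tcp"},  # printer port appeared
    "10.0.0.2": {"22/tcp"},                          # ntp no longer reachable
    "10.0.0.3": {"22/tcp"},                          # host unknown to baseline
}
# Constructed organizational data (CMDB/LDAP): responsible team per host
OWNERS = {"10.0.0.1": "team-web", "10.0.0.2": "team-infra", "10.0.0.3": "team-infra"}

def delta(baseline, current):
    """Per host: ports opened or closed since the baseline, plus new hosts."""
    report = {}
    for host in sorted(set(baseline) | set(current)):
        before, now = baseline.get(host, set()), current.get(host, set())
        opened, closed = sorted(now - before), sorted(before - now)
        if opened or closed or host not in baseline:
            report[host] = {"opened": opened, "closed": closed,
                            "new_host": host not in baseline}
    return report

def per_stakeholder(report, owners):
    """Split the delta so each admin team sees only its own systems;
    hosts without an owner land in 'unassigned' for IT management."""
    out = {}
    for host, entry in report.items():
        out.setdefault(owners.get(host, "unassigned"), {})[host] = entry
    return out

def render(team_report):
    """One text line per host, e.g. '10.0.0.1: opened 9100/tcp'."""
    lines = []
    for host, e in sorted(team_report.items()):
        parts = ["new host"] if e["new_host"] else []
        if e["opened"]:
            parts.append("opened " + ", ".join(e["opened"]))
        if e["closed"]:
            parts.append("closed " + ", ".join(e["closed"]))
        lines.append(f"{host}: " + "; ".join(parts))
    return "\n".join(lines)

if __name__ == "__main__":
    for team, rep in per_stakeholder(delta(BASELINE, SCAN), OWNERS).items():
        print(f"== {team}\n{render(rep)}")
```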
Data Preparation Phase - Ensure Data Quality I
Data Preparation Phase - Ensure Data Quality II
Data Preparation Phase - Data Source II
Ø DR Portscan
Ø Organizational
§ CMDB
§ Inventory DB
§ LDAP
Visualization Phase
"Visualization gives you answers to questions you didn't know you had." Ben Shneiderman
Interaction Phase
Ø Data
Ø Dashboards
Iteration
Redefined Question:
Ø What are the externally reachable services that use a vulnerable OpenSSL library?
Data Preparation Phase
Ø Data Sources
§ Port Scanner
§ Scan: SSL Cipher-Suites
§ Common Vulnerabilities and Exposures
§ Installed software on each system
§ Organizational
Visualization + Interaction Phase
Ø Data
Ø Dashboards
Ø Reports
Conclusion Process Iterations
Various iterations
Ø Vulnerabilities
Ø Unneeded open ports
§ Printer (9100)
§ Ntp (123)
Ø Stakeholders
Ø Controls
§ Authorized devices
§ Updates and patching
Improvement
Ø Settings corrected
Ø …
Ø Awareness
Further Iterations
Ø Updates
Ø Vulnerabilities
Ø Transferable to further
§ Vulnerabilities
§ Security controls
§ Security approaches
Conclusion
Ø Initiates
§ Communication among stakeholders
§ Revision of security settings
§ Security and data awareness
Ø Supports
§ Implementation of compliance requirements
§ Organizational knowledge generation and transfer
§ Overview of existing systems and security state
Ø Knowledge IT management + IT operations
Thank you for your attention
Source adapted from https://xkcd.com/1354/