Stakeholder Specific Visualization and Automated Reporting of Network Scanning Results 11. DFN-Forum Kommunikationstechnologien, Günzburg, 27.

Transcription

1 Stakeholder Specific Visualization and Automated Reporting of Network Scanning Results 11. DFN-Forum Kommunikationstechnologien, Günzburg, 27. Juni 2018 Tanja Hanauer, Stefan Metzger 1

2 Agenda Ø Motivation Ø State of the Art Ø Process Framework Vis4Sec Ø Exemplary Process Iterations Limitation and Control of Network Ports Vulnerable OpenSSL Library Ø Conclusion Leibniz-Rechenzentrum 2

3 Motivation Ø Compliance -> Implementation Ø Organizational Knowledge Ø Overview Leibniz-Rechenzentrum 3

4 State of the Art Ø Visualization and Data Guidelines Gestalt Theory Tufte s Design Criteria Shneiderman s Information Seeking Mantra Leibniz-Rechenzentrum 4

5 Data Quality Dimensions according to Data Management Association UK Ø Completeness: Proportion of stored data against the potential of 100 % complete. Ø Uniqueness: No thing will be recorded more than once based upon how that thing is identified. Ø Timeliness: The degree to which data represent reality from the required point in time. Ø Validity: The data conforms to the syntax (format, type range) of its definition. Ø Accuracy: The degree to which data correctly describes the real world object or event being described. Ø Consistency: The absence of difference, when comparing two or more representations of a thing against a definition. 7/23/18 Leibniz-Rechenzentrum 5

6 State of the Art Ø Visualization and Data Guidelines Ø Security Best Practices ISO/IEC Critical Security Controls Leibniz-Rechenzentrum 6

7 Security Best Practices Ø ISO/IEC Security of network services Technical review to ensure compliance with information security policy Ø Critical Security Controls CSC 9 Limitation and control of network ports 9.1 Only ports, protocols, and services with validated business needs are running on each system 9.3 Automated regular port scans against all key servers and comparison of the results to a known baseline Leibniz-Rechenzentrum 7

8 State of the Art Ø Visualization and Data Guidelines Ø Security Best Practices ISO/IEC Critical Security Controls Ø Existing Publications Leibniz-Rechenzentrum 8

9 Existing Publications Leibniz-Rechenzentrum 9

10 State of the Art Ø Visualization and Data Guidelines Ø Security Best Practices ISO/IEC Critical Security Controls Ø Existing Publications Ø Visualization and Knowledge Processes Ware, Fry, Marty, and Balakrishnan Burkhard Leibniz-Rechenzentrum 10

11 Process Framework Vis4Sec Ø Initiation Environment Requirements Stakeholders Planned Actions Ø Question Phase Ø Data Preparation Phase Data Sources Ensure Data Quality Ø Visualization Phase Ø Interaction Phase Ø Iterations Leibniz-Rechenzentrum 11

12 Initiation Ø Environment: Scientific Data Center LRZ Ø Requirements Know running services Detect new services Detect and patch potentially vulnerable services Ø Stakeholders System- and security-admins IT management Ø Planned Actions Automation of network scans Stakeholder specific filtering and distribution of results Leibniz-Rechenzentrum 12

13 Question Phase? Ø What are the reachable ports on each system? Externally Internally Leibniz-Rechenzentrum 13

14 Data Preparation Phase Data Source I DR Portscan Centralized regular network scans Aggregated Automated -reporting Information à operations Leibniz-Rechenzentrum 14

15 Data Preparation Phase - Ensure Data Quality I 7/23/18 Leibniz-Rechenzentrum 15

16 Data Preparation Phase - Ensure Data Quality II 7/23/18 Leibniz-Rechenzentrum 16

17 Data Preparation Phase - Data Source II Ø DR Portscan Ø Organizational CMDB Inventory DB LDAP 7/23/18 Leibniz-Rechenzentrum 17

18 Visualization Phase Visualization gives you answers to questions you didn t know you had. Ben Shneiderman 7/23/18 Leibniz-Rechenzentrum 18

19 Interaction Phase Ø Data Ø Dashboards Leibniz-Rechenzentrum 19

20 Iteration Redefined Question: Ø What are the externally reachable services that use a vulnerable OpenSSL library? Leibniz-Rechenzentrum 20

21 Data Preparation Phase Ø Data Sources Port Scanner Organizational Scan: SSL Cipher-Suites Common Vulnerabilities and Exposures Installed software on each system Leibniz-Rechenzentrum 21

22 Visualization + Interaction Phase Ø Data Ø Dashboards Ø Reports Leibniz-Rechenzentrum 22

23 Conclusion Process Iterations Various iterations Ø Vulnerabilities Ø Ø Ø Unneeded open ports Printer (9100) Ntp (123) Stakeholders Controls Authorized devices Updates and patching Improvement Ø Ø Ø Settings corrected Awareness Leibniz-Rechenzentrum 23

24 Further Iterations Ø Transferable to further Vulnerabilities Security controls Security approaches Ø Updates Ø Vulnerabilities 7/23/18 Leibniz-Rechenzentrum 24

25 Conclusion Ø Initiates Communication among stakeholders Revision of security settings Security and data awareness Ø Supports Implementation of compliance requirements Organizational knowledge generation and transfer Overview of existing systems and security state Ø Knowledge IT management + IT operations Leibniz-Rechenzentrum 25

26 Thank you for your attention Source adapted Leibniz-Rechenzentrum 26