Stakeholder Specific Visualization and Automated Reporting of Network Scanning Results
11. DFN-Forum Kommunikationstechnologien, Günzburg, 27 June 2018
Tanja Hanauer, Stefan Metzger
Agenda
- Motivation
- State of the Art
- Process Framework Vis4Sec
- Exemplary Process Iterations
  - Limitation and Control of Network Ports
  - Vulnerable OpenSSL Library
- Conclusion
23.07.18 Leibniz-Rechenzentrum 2
Motivation
- Compliance -> Implementation
- Organizational Knowledge
- Overview
State of the Art
- Visualization and Data Guidelines
  - Gestalt Theory
  - Tufte's Design Criteria
  - Shneiderman's Information Seeking Mantra
Data Quality Dimensions according to the Data Management Association UK
- Completeness: proportion of stored data against the potential of 100 % complete.
- Uniqueness: no thing will be recorded more than once based upon how that thing is identified.
- Timeliness: the degree to which data represent reality from the required point in time.
- Validity: the data conforms to the syntax (format, type, range) of its definition.
- Accuracy: the degree to which data correctly describes the real-world object or event being described.
- Consistency: the absence of difference when comparing two or more representations of a thing against a definition.
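The six dimensions above are abstract; the following added example (not code from the Vis4Sec project or the authors) shows what checking them looks like for a port-scan result before it is visualized. The record layout, the sample scan and the CMDB view are constructed. Accuracy is deliberately not computed: by its definition it needs an independent ground truth (a second scanner or a host-side check), which a scan file alone cannot provide.

```python
"""Data-quality checks for port-scan records along the DAMA UK dimensions.
Added example, not Vis4Sec code; all sample data below is constructed."""
from collections import Counter
from datetime import datetime, timedelta, timezone

REQUIRED = ("host", "port", "proto", "state", "scanned_at")
VALID_PROTO = {"tcp", "udp"}
VALID_STATE = {"open", "closed", "filtered"}

# Constructed sample: one scan run over three hosts, seeded with defects.
SCAN = [
    {"host": "10.0.0.1", "port": 22, "proto": "tcp", "state": "open", "scanned_at": "2018-06-27T08:00:00+00:00"},
    {"host": "10.0.0.1", "port": 22, "proto": "tcp", "state": "open", "scanned_at": "2018-06-27T08:00:00+00:00"},  # duplicate
    {"host": "10.0.0.2", "port": 70000, "proto": "tcp", "state": "open", "scanned_at": "2018-06-27T08:01:00+00:00"},  # port out of range
    {"host": "10.0.0.3", "port": 9100, "proto": "tcp", "state": "open"},  # timestamp missing
    {"host": "10.0.0.3", "port": 123, "proto": "udp", "state": "open", "scanned_at": "2018-05-01T08:00:00+00:00"},  # stale
]
# Constructed CMDB extract: a second representation of the hosts, used for consistency.
CMDB = {"10.0.0.1": {"owner": "ops"}, "10.0.0.2": {"owner": "ops"}}


def check_completeness(records):
    """Completeness: share of records that carry every required field."""
    complete = sum(all(f in r for f in REQUIRED) for r in records)
    return complete / len(records) if records else 1.0


def find_duplicates(records):
    """Uniqueness: (host, port, proto) identifies a finding; report keys seen more than once."""
    counts = Counter((r.get("host"), r.get("port"), r.get("proto")) for r in records)
    return sorted(k for k, n in counts.items() if n > 1)


def find_stale(records, now, max_age):
    """Timeliness: findings older than max_age no longer represent reality at `now`."""
    stale = []
    for r in records:
        ts = r.get("scanned_at")
        if ts is None:
            continue  # a missing timestamp is a completeness defect, counted elsewhere
        if now - datetime.fromisoformat(ts) > max_age:
            stale.append((r["host"], r["port"]))
    return stale


def find_invalid(records):
    """Validity: every field that is present must match its format, type and range."""
    bad = []
    for r in records:
        port_ok = isinstance(r.get("port"), int) and 1 <= r["port"] <= 65535
        proto_ok = r.get("proto") in VALID_PROTO
        state_ok = r.get("state") in VALID_STATE
        ts_ok = True
        if "scanned_at" in r:
            try:
                datetime.fromisoformat(r["scanned_at"])
            except ValueError:
                ts_ok = False
        if not (port_ok and proto_ok and state_ok and ts_ok):
            bad.append((r.get("host"), r.get("port")))
    return bad


def find_inconsistent(records, cmdb):
    """Consistency: a host seen by the scanner should also exist in the organizational CMDB."""
    return sorted({r["host"] for r in records} - set(cmdb))


def quality_report(records, cmdb, now, max_age=timedelta(days=1)):
    """Collect the five checks that can be derived from the scan data itself."""
    return {
        "completeness": check_completeness(records),
        "duplicates": find_duplicates(records),
        "stale": find_stale(records, now, max_age),
        "invalid": find_invalid(records),
        "unknown_hosts": find_inconsistent(records, cmdb),
    }


def run_sample():
    """Run the checks on the constructed sample at a fixed reference time."""
    now = datetime(2018, 6, 27, 12, 0, tzinfo=timezone.utc)
    return quality_report(SCAN, CMDB, now)


if __name__ == "__main__":
    for dimension, result in run_sample().items():
        print(f"{dimension}: {result}")
```

Each check returns the offending keys rather than a boolean, so the same output can feed a dashboard or a per-host report; a record that fails several dimensions (the stale entry for 10.0.0.3 also belongs to a host the CMDB does not know) shows up under each of them.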
State of the Art
- Visualization and Data Guidelines
- Security Best Practices
  - ISO/IEC 27001
  - Critical Security Controls
Security Best Practices
- ISO/IEC 27001
  - 13.1.2 Security of network services
  - 18.2.3 Technical review to ensure compliance with information security policy
- Critical Security Controls
  - CSC 9 Limitation and control of network ports
    - 9.1 Only ports, protocols, and services with validated business needs are running on each system
    - 9.3 Automated regular port scans against all key servers and comparison of the results to a known baseline
State of the Art
- Visualization and Data Guidelines
- Security Best Practices
  - ISO/IEC 27001
  - Critical Security Controls
- Existing Publications
Existing Publications
State of the Art
- Visualization and Data Guidelines
- Security Best Practices
  - ISO/IEC 27001
  - Critical Security Controls
- Existing Publications
- Visualization and Knowledge Processes
  - Ware, Fry, Marty, and Balakrishnan
  - Burkhard
Process Framework Vis4Sec
- Initiation
  - Environment
  - Requirements
  - Stakeholders
  - Planned Actions
- Question Phase
- Data Preparation Phase
  - Data Sources
  - Ensure Data Quality
- Visualization Phase
- Interaction Phase
- Iterations
Initiation
- Environment: Scientific Data Center LRZ
- Requirements
  - Know running services
  - Detect new services
  - Detect and patch potentially vulnerable services
- Stakeholders
  - System and security admins
  - IT management
- Planned Actions
  - Automation of network scans
  - Stakeholder-specific filtering and distribution of results
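CSC 9.3 (regular scans compared against a known baseline) and the planned action of stakeholder-specific filtering fit together in one small pipeline. The following added example (not Vis4Sec code) compares a scan to the baseline of validated services, then splits the deviations so that each admin team only sees its own hosts while IT management receives an aggregate; the baseline, scan result and ownership map are constructed, and the team names stand in for whatever a CMDB or LDAP would return.

```python
"""Baseline comparison (CSC 9.3) with stakeholder-specific routing.
Added example, not Vis4Sec code; baseline, scan and ownership are constructed."""

# Constructed baseline: host -> services with a validated business need (CSC 9.1)
BASELINE = {
    "web01": {(80, "tcp"), (443, "tcp")},
    "db01": {(5432, "tcp")},
    "print01": {(631, "tcp")},
}
# Constructed result of today's automated scan
SCAN = {
    "web01": {(80, "tcp"), (443, "tcp"), (22, "tcp")},  # 22/tcp newly reachable
    "db01": {(5432, "tcp"), (123, "udp")},               # NTP now answering
    "print01": {(9100, "tcp")},                          # raw printing open, IPP gone
    "new01": {(3389, "tcp")},                            # host absent from the baseline
}
# Constructed ownership as a CMDB/LDAP lookup would provide it: host -> admin team
OWNERS = {"web01": "web-team", "db01": "db-team", "print01": "print-team"}


def diff_against_baseline(scan, baseline):
    """Per host: services that appeared, services that disappeared, and whether the host was known."""
    findings = {}
    for host in set(scan) | set(baseline):
        expected = baseline.get(host, set())
        observed = scan.get(host, set())
        new, gone = observed - expected, expected - observed
        if new or gone or host not in baseline:
            findings[host] = {"new": sorted(new), "gone": sorted(gone), "known_host": host in baseline}
    return findings


def route_to_stakeholders(findings, owners, fallback="security-team"):
    """Admins receive only their own hosts' details; management receives the aggregate."""
    per_admin = {}
    for host, f in findings.items():
        team = owners.get(host, fallback)  # hosts nobody owns go to the fallback team
        per_admin.setdefault(team, {})[host] = f
    summary = {
        "hosts_with_deviations": len(findings),
        "new_services": sum(len(f["new"]) for f in findings.values()),
        "unknown_hosts": sorted(h for h, f in findings.items() if not f["known_host"]),
    }
    return {"admins": per_admin, "management": summary}


def render_admin_report(team, hosts):
    """Plain-text report for one admin team; the text is what would be mailed out."""
    lines = [f"Port deviations for {team}"]
    for host, f in sorted(hosts.items()):
        if not f["known_host"]:
            lines.append(f"  {host}: not in baseline, all open ports need a business-need review")
        for port, proto in f["new"]:
            lines.append(f"  {host}: NEW {port}/{proto}, validate business need or close")
        for port, proto in f["gone"]:
            lines.append(f"  {host}: GONE {port}/{proto}, baseline service no longer answering")
    return "\n".join(lines)


def run_sample():
    """Diff the constructed scan against the baseline and route the result."""
    return route_to_stakeholders(diff_against_baseline(SCAN, BASELINE), OWNERS)


if __name__ == "__main__":
    routed = run_sample()
    for team, hosts in sorted(routed["admins"].items()):
        print(render_admin_report(team, hosts))
    print("management summary:", routed["management"])
```

Disappeared services are reported as well as new ones: a baseline entry that stops answering can mean a host was retired, but it can also mean the service moved to an unexpected port, so it is a data-quality signal for the baseline itself.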
Question Phase
- What are the reachable ports on each system?
  - Externally
  - Internally
Data Preparation Phase - Data Source I
- DR Portscan
  - Centralized regular network scans
  - Aggregated
  - Automated reporting
  - Information -> operations
Data Preparation Phase - Ensure Data Quality I
Data Preparation Phase - Ensure Data Quality II
Data Preparation Phase - Data Source II
- DR Portscan
- Organizational
  - CMDB
  - Inventory DB
  - LDAP
Visualization Phase
"Visualization gives you answers to questions you didn't know you had." (Ben Shneiderman)
Interaction Phase
- Data
- Dashboards
Iteration
Redefined Question:
- What are the externally reachable services that use a vulnerable OpenSSL library?
Data Preparation Phase
- Data Sources
  - Port Scanner
  - Organizational
  - Scan: SSL Cipher-Suites
  - Common Vulnerabilities and Exposures
  - Installed software on each system
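Answering the redefined question is a join across the four data sources listed above. The following added example (not Vis4Sec code) takes externally open ports, keeps only those the cipher-suite scan saw speaking TLS, looks up the host's OpenSSL version in the software inventory and tests it against a vulnerability entry. All data is constructed: the vulnerability id is a placeholder rather than a real CVE, its "fixed in" versions are invented, and the version comparison assumes the OpenSSL 1.0.x/1.1.0 scheme where a trailing letter is the patch level.

```python
"""Join external scan, TLS scan, inventory and vulnerability data to list
externally reachable services on a vulnerable OpenSSL.  Added example, not
Vis4Sec code; every record below is constructed and the CVE id is a placeholder."""
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def parse_openssl_version(v):
    """'1.0.2g' -> (1, 0, 2, 'g'); an absent letter sorts before 'a'."""
    m = VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {v}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


# Constructed vulnerability entry: placeholder id, invented fixed versions per branch.
VULNS = [{"id": "CVE-PLACEHOLDER-0001", "fixed_in": ["1.0.2h", "1.1.0c"]}]


def is_affected(version, vuln):
    """Affected when the version is on a branch the entry fixes and older than that fix.
    Simplification: branches the entry does not list are treated as not affected."""
    v = parse_openssl_version(version)
    for fixed in vuln["fixed_in"]:
        f = parse_openssl_version(fixed)
        if v[:3] == f[:3] and v < f:
            return True
    return False


# Constructed external port scan
EXTERNAL_SCAN = [
    {"host": "web01", "port": 443, "proto": "tcp", "state": "open"},
    {"host": "mail01", "port": 993, "proto": "tcp", "state": "open"},
    {"host": "db01", "port": 5432, "proto": "tcp", "state": "open"},
    {"host": "vpn01", "port": 443, "proto": "tcp", "state": "open"},
]
# Constructed cipher-suite scan: which (host, port) actually negotiated TLS
TLS_SCAN = {("web01", 443): True, ("mail01", 993): True, ("db01", 5432): False, ("vpn01", 443): True}
# Constructed software inventory: host -> installed OpenSSL version (vpn01 has no record)
INVENTORY = {"web01": {"openssl": "1.0.2g"}, "mail01": {"openssl": "1.0.2h"}, "db01": {"openssl": "1.0.2g"}}


def vulnerable_external_services(scan, tls_scan, inventory, vulns):
    """Return the vulnerable services and, separately, the data gaps the join uncovered."""
    vulnerable, missing_inventory = [], []
    for svc in scan:
        key = (svc["host"], svc["port"])
        if svc["state"] != "open" or not tls_scan.get(key, False):
            continue  # not externally reachable, or not a TLS service
        version = inventory.get(svc["host"], {}).get("openssl")
        if version is None:
            missing_inventory.append(key)  # surfaces a completeness gap in the inventory
            continue
        for vuln in vulns:
            if is_affected(version, vuln):
                vulnerable.append({"host": svc["host"], "port": svc["port"], "openssl": version, "vuln": vuln["id"]})
    return {"vulnerable": vulnerable, "missing_inventory": missing_inventory}


def run_sample():
    """Run the join on the constructed data."""
    return vulnerable_external_services(EXTERNAL_SCAN, TLS_SCAN, INVENTORY, VULNS)


if __name__ == "__main__":
    result = run_sample()
    for f in result["vulnerable"]:
        print(f"{f['host']}:{f['port']} runs OpenSSL {f['openssl']}, affected by {f['vuln']}")
    print("no inventory record for:", result["missing_inventory"])
```

Hosts with an open TLS port but no inventory record are listed separately instead of silently skipped: for this question a missing software record is as important a result as a confirmed finding, because it is exactly the consistency gap the data preparation phase is meant to expose.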
Visualization + Interaction Phase
- Data
- Dashboards
- Reports
Conclusion: Process Iterations
Various iterations
- Vulnerabilities
  - Unneeded open ports: Printer (9100), NTP (123)
- Stakeholders
- Controls
  - Authorized devices
  - Updates and patching
- Improvement
  - Settings corrected
  - Awareness
Further Iterations
- Transferable to further
  - Vulnerabilities
  - Security controls
  - Security approaches
- Updates
- Vulnerabilities
Conclusion
- Initiates
  - Communication among stakeholders
  - Revision of security settings
  - Security and data awareness
- Supports
  - Implementation of compliance requirements
  - Organizational knowledge generation and transfer
  - Overview of existing systems and security state
- Knowledge: IT management + IT operations
Thank you for your attention
Source adapted: https://xkcd.com/1354/