PAGE1
DEVOPS INDONESIA
Jakarta, 20 June 2019
DevOps Community in Indonesia
Leveraging Vulnerability Management Beyond DPR
(Discovery – Prioritization – Remediation)
Presented by:
Faisal Yahya
About Faisal Yahya,
CISSP, CCISO, CCSK v3&4, CSX-P, ITIL-Fv3, CySA+, CEI
CyberSecurity Nexus - Practitioner
Top ASEAN CIOs to follow on Twitter
https://www.cio.com/article/3342397/top-asean-cios-to-follow-on-twitter.html
Wrote for:
Peerlyst | APACCIOOutlook | InfoKomputer | [ .. wait for this space .. ]
CVE-2019-0174 – RAMBleed
Side Channel Attack
“The new attack methods described in this paper are not microprocessor-specific; they leverage known issues in DRAM memory. These attacks only impact DDR4 and DDR3 memory modules, and older generations DDR2 and DDR1 memory modules are not vulnerable to these attacks.” (ORACLE, 11 June 2019)
• Threat found in March 2016, and exploited from June 2019 (see http://www.thirdio.com/rowhammer.pdf).
https://www.theregister.co.uk/2019/06/11/rambleed_rowhammer_attack/
16 June 2019
Global CyberSecurity Landscape
The cyber attack surface has significantly increased through advances in automation and connected devices. Combine this with the commercialization of attack tools that were once limited to a nation state’s arsenal, and you have the ingredients for significant disruption.
The expected global cost of cybersecurity breaches across all sectors by 2021 is US$6 trillion. (ey.com)
CyberCrime: Global Statistic
Events recorded per month (source data from: https://www.hackmageddon.com)

Month   2017   2018
Jan       70     94
Feb       49    115
Mar       56     75
Apr       63     81
May       51     95
June      44     85
July      58    108
Aug       70     66
Sept      65     93
Oct       69     91
Nov       64    107
Dec       77     84
Total    736  1,094  (+49%)
AVG       61     91

Potential catastrophic events?
The 4 Biggest Data Breaches of 2018
• 1.1 billion records breached – date disclosed: Jan 3, 2018
• 340 million records breached – date disclosed: June 26, 2018
• 150 million records breached – date disclosed: May 25, 2018
• 500 million records breached – date disclosed: Nov 19, 2018
On average, it takes 120 days to discover a data breach.
Target Distribution – Global – Top Ten (2018)
Hackmageddon, 2018
2018 Vulnerability by Impact Type (Source: VulnDB, 2019)
Integrity 61% | Confidentiality 19% | Availability 15% | Unknown 5%
Indonesia - CyberSecurity Positioning (source: https://www.comparitech.com)

# | Criteria | Indonesia | Worst (60) | Best (1)
1 | The percentage of mobiles infected with malware | Position: 53/60; 25.02% of users | Bangladesh, 35.91% of users | Japan, 1.34% of users
2 | The percentage of computers infected with malware | Position: 56/60; 24.7% of users | Algeria, 32.41% | Denmark, 5.9% of users
3 | The number of financial malware attacks | Position: 54/60; 1.8% of users | Germany, 3% of users | Ukraine, 0.3% of users
4 | The percentage of telnet attacks (by originating country) | Position: 49/60; 1.51% of users | China, 27.15% | Algeria, Uzbekistan and Sri Lanka, 0.01%
5 | The percentage of attacks by cryptominers | Position: 57/60; 8.8% of users | Uzbekistan, 14.23% of users | Denmark, 0.61% of users
6 | The best-prepared countries for cyber attacks | Position: 54/60; 0.424 score | Vietnam, 0.245 score | Singapore, 0.925 score
7 | The countries with the most up-to-date legislation | Position: 36/60; 4 key categories covered | Algeria, 1 key category covered | France, China, Russia and Germany, all 7 categories covered
Top 10 Vulnerabilities in 2018 – for …. (Source: vulndb; CVSS score 9.0 – 10.0)

Vendors (n=1,525):
Google Inc. 407 | Samsung 250 | SGP Tech. 201 | Adobe Systems 158 | Microsoft 129 | WECON Tech. 110 | Zoho Corp. 92 | LG Electronics 72 | Cisco Systems 58 | XEROX Corp. 48

Products (n=1,495):
Google Pixel / Nexus 258 | Samsung Mobile (Android OS) 248 | SilentOS 201 | Acrobat Reader DC 130 | Acrobat DC 129 | Acrobat 127 | LeviStudioU 109 | Chrome OS 97 | LG Mobile Devices (Android OS) 69
Current Prioritization Methods Don’t Help
CVSS < 7: 1.3% resulted in a breach
CVSS 7+: 6.9% resulted in a breach
(Kenna, 2019)
Areas of Interest - 2018
“… The number of software apps deployed by large firms across all industries world-wide has increased 68% over the past four years, reaching an average of 129 apps per company by the end of 2018 …” (OKTA, 2019)
https://www.wsj.com/articles/employees-are-accessing-more-and-more-business-apps-study-finds-11549580017
2018 Web Vulnerabilities by Specified Type
SQL injection and Cross-Site Scripting (XSS) vulnerabilities are still counted as the biggest threat for Web Applications.
Top 5 Vulnerabilities by Attack Type
Why Manually Managing Vulnerabilities Is Not Humanly Possible

Vulnerabilities disclosed per year:
2014: 14,350
2015: 15,273
2016: 16,126
2017: 22,230
2018: 22,022

AVG days from Publish to Exploit: 19.68 days
AVG days from Publish to Event: 27.36 days
Security Challenges in DevOps
Software security is often viewed as an impediment to DevOps
• Barrier to velocity and innovation
• Causes deadlines to slip
• Time-consuming and doesn’t support hourly developments
• Needs a lot of customization
• No uniform way to provide continuous feedback
• Scaling remains a challenge
• Finally, no risk-based approach
The Three Biggest Challenges in Vulnerability Tracking
The number of vulnerabilities reported is continuously increasing
In 2010, fewer than 10,000 vulnerabilities were reported. In 2018, more than 22,000 vulnerabilities were disclosed. Two main reasons: more software being created and a growing focus on vulnerability research.
Vulnerability reporting is becoming decentralized
Too many sources reporting the same vulnerability cause many disputes.
The quality of vulnerability reports has generally fallen
Some reports are simply invalid or duplicates of already known vulnerabilities. The number of invalid CVEs is increasing.
Changes in the Threat Landscape
Carmine Rimi, 2019
2.3 billion files exposed across online file storage technologies

Technology | Files exposed | Share
smb | 1,071,090,978 | 46%
ftp | 457,493,871 | 20%
rsync | 386,791,990 | 16%
s3 | 182,142,197 | 8%
webindex | 163,568,453 | 7%
nas | 65,471,242 | 3%

https://www.digitalshadows.com/blog-and-research/2-billion-files-exposed-across-online-file-storage-technologies/
Application Security Touchpoints
Planning: Security Requirements • Threat Models • Risk Analysis
Coding: IDE Integration • Static Analysis • Pre-commit
Test: DAST / IAST • SAST • Fuzz testing
Release: Secure configuration • Packaging for Deployment
Deploy: Operational protections • Penetration testing
BizTest (Operate / Monitor): Blue teaming | Bug-bounty | Red teaming
(DevOps / ITOps)
Offence (TI) / Defence (TM)
Threat Intelligence (offence side): Threat Actors • Technology & Tech. Indicators • Method of Operations
Threat Modelling (defence side): Defenders • Processes • Technology
Information Exchanges connect the two.
Requirements for Vulnerability Management
Context – Vulnerability scanners lack the context security teams require to prioritize what to remediate first.
Visibility – IT teams lack the visibility required to understand what to fix, how to fix it, and why.
Precision – Poor reporting reduces visibility and reduces board confidence.
Measure + Prioritize + Predict: more than just Detection – Prioritization – Remediation
Hands-On
https://www.exploit-db.com/google-hacking-database
https://www.threatcrowd.org
https://apility.io
https://www.zoho.com
Threat categories (STRIDE):
Spoofing Identity
Tampering with Data
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege
Framework: Damage Potential, Reproducibility, Exploitability, Affected users, Discoverability (DREAD)
Calculation Formula:

Threat | D | R | E | A | D | Rating
Repudiation (AVG from sub total) | | | | | | 8.5
  Attacker obtains authentication credentials by phishing | 10 | 9 | 7 | 8 | 10 | 9
  SQL command injection | 8 | 8 | 8 | 9 | 7 | 8
  … more
Information Disclosure … | … more
Denial of Service …
Elevation of Privilege …

Rating = (D + R + E + A + D) / 5
Measure & Prioritize -> UNIQUE Risk Rating
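The DREAD table above as a small risk register, added here as an example (not code from the deck or its author): each threat gets Rating = (D + R + E + A + D) / 5, threats are grouped by STRIDE category to give the slide's "AVG from sub total", and the register is sorted for prioritization. It assumes, as the slide's integer ratings (9, 8 and the 8.5 average) suggest, that each threat rating is rounded to the nearest integer before the category average is taken; the third threat is a constructed, hypothetical entry.

```python
"""DREAD scoring for a STRIDE-organised threat register (added example)."""
from dataclasses import dataclass

# The five DREAD factors, each scored 0-10 (assumed scale, as on the slide).
DREAD_FIELDS = ("damage", "reproducibility", "exploitability",
                "affected_users", "discoverability")


@dataclass
class Threat:
    category: str        # STRIDE category, e.g. "Repudiation"
    description: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        # Reject out-of-range or non-integer scores early; a single bad
        # score would silently distort the category average.
        for name in DREAD_FIELDS:
            value = getattr(self, name)
            if not isinstance(value, int) or not 0 <= value <= 10:
                raise ValueError(f"{name} must be an integer 0-10, got {value!r}")

    def rating(self) -> float:
        """Slide formula: Rating = (D + R + E + A + D) / 5."""
        return sum(getattr(self, name) for name in DREAD_FIELDS) / 5

    def rounded_rating(self) -> int:
        # Sum of five integers / 5 can never end in .5, so round() is unambiguous.
        return round(self.rating())


def category_ratings(threats: list[Threat]) -> dict[str, float]:
    """Average of the rounded per-threat ratings per STRIDE category
    (the slide's 'AVG from sub total': (9 + 8) / 2 = 8.5 for Repudiation)."""
    groups: dict[str, list[int]] = {}
    for threat in threats:
        groups.setdefault(threat.category, []).append(threat.rounded_rating())
    return {cat: sum(vals) / len(vals) for cat, vals in groups.items()}


def prioritise(threats: list[Threat]) -> list[Threat]:
    """Highest rating first; ties broken by damage potential."""
    return sorted(threats, key=lambda t: (t.rating(), t.damage), reverse=True)


# Constructed register: the two threats scored on the slide plus one
# hypothetical Information Disclosure entry.
SAMPLE_THREATS = [
    Threat("Repudiation", "Attacker obtains authentication credentials by phishing",
           10, 9, 7, 8, 10),
    Threat("Repudiation", "SQL command injection", 8, 8, 8, 9, 7),
    Threat("Information Disclosure",
           "Verbose stack traces on production error pages (hypothetical)",
           5, 10, 9, 6, 9),
]

if __name__ == "__main__":
    for threat in prioritise(SAMPLE_THREATS):
        print(f"{threat.rating():4.1f}  {threat.category:<22} {threat.description}")
    for cat, avg in category_ratings(SAMPLE_THREATS).items():
        print(f"{cat}: {avg}")
```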
Predict: Improving Current Landscape
[Threat model diagram: nodes labelled TA01–TA04, C01–C03 and A01–A04, each risk annotated “CVSS XX?”]
Model sample taken from: https://michenriksen.com/blog/drawio-for-threat-modeling
Take Control of your risk posture
Countermeasure
Predict: Risk-prioritized exposure assessment • Anticipate threats/attacks • Baseline systems & security posture
Prevent: Harden systems • Isolate systems • Prevent attacks
Detect: Detect incidents • Confirm & prioritize risks • Contain incidents
Respond: Remediate • Design/model policy change • Incident retrospective analysis
Why Do We Need to Leverage Vulnerability Management?
1. Reporting: penetration-scan reports are generated faster and with more context, a 57% reduction in processing time (n=8, 2017). This is achieved by combining the countermeasure strategy for the same threat sources.
2. Remediation: this prioritization approach significantly reduces vulnerability exposure and the overall related risk.
3. Risk Metrics: reduction of the Risk Score, and of the median time to discover and remediate high-risk issues.
4. Vulnerability Focus: contextual vulnerabilities help mitigate the exposure that creates reputational and financial risk to the company.
So, what do we get?
• Eventually we close the gap between DevOps & Security teams.
• Implement prediction from intelligence within the pipeline by:
  • Matching both the DevOps and Security teams’ velocity.
  • Providing contextual intelligence on changes in the threat landscape.
  • Supporting the organization’s business demands at scale.
Take away
• The latest technology innovations are highly likely to introduce new vulnerabilities and change the threat landscape. Exploits keep coming. Be vigilant!
• Developers can also introduce vulnerabilities outside of the code itself. Vulnerability Management involves finding flaws (or bugs).
• Vulnerability Management alone is not enough; you need to have your own risk model. Be contextual, or do more by: Measure, Prioritize, and Predict.
DEVOPS INDONESIA
Stay Connected
@devopsindonesia
http://www.devopsindonesia.com
linkedin.com/in/mademulia/
IDDevOps
fy@faisalyahya.com
/FaisalYahya
@faisal_yahya
@faisaly
@faisalyahya