
Vulnerability Management Programs - HB - Final

Uploaded by

Nick Chong

TechGuide

Vulnerability Management Programs: A Handbook for Security Pros

To ensure that your vulnerability management program is effective and aligned with your broader risk-management goals, you must identify and prioritize vulnerabilities based on sound risk-management principles.

1 EDITOR’S NOTE
2 RANK THE VULNERABILITIES
3 VULNERABILITY PROGRAM TIPS
4 PEN TESTING TECHNIQUES
1 EDITOR’S NOTE

Sealing the Security Perimeter With a Vulnerability Management Program

With each new year, information security gets tougher—threats keep growing in both frequency and sophistication while corporate security budgets never seem to keep pace. So while the why of a corporate vulnerability management program is obvious; what’s less clear is the how. This handbook tackles that dilemma by providing specific techniques and tools InfoSec pros can use to improve their programs.

A company that mounts a vulnerability management program often soon finds itself with an avalanche of information on network security vulnerabilities. A crucial next step, then, is to wade in and sort out the data, to identify what vulnerabilities get priority. To aid in that prioritization process, security expert Mike Chapple proposes a three-prong approach, including the calculation of “risk scores.”

Once you’ve got your vulnerability priorities straight, you’ll need a set of best practices to keep things running smoothly. Today that means being aware that security attacks are no longer unidirectional but might assault your system via multiple channels. Diana Kelley offers keys to a dynamic vulnerability management program, which include resource-maximizing tips such as how to reduce the “noise” of false positive threat alerts.

This handbook closes with CTO Dave Shackleford’s innovative take on penetration testing, using the latest social engineering concepts. His four techniques—phishing, pretexting, media dropping and tailgating—take pen testing to new levels.

The threats to information security are not going away. But this handbook gives you the guidance you need to meet the challenge head-on and seal up your enterprise’s security perimeter.

Brenda L. Horrigan
Security Media Group
Vulnerability Management Programs: A Handbook for Security Pros
2 VULNERABILITIES

How to Rank Security Vulnerabilities in Your System

Soon after initiating a vulnerability management program, enterprises often find themselves facing an intimidating avalanche of data about network security vulnerabilities. Scan results may show hundreds or even thousands of vulnerabilities distributed across a wide variety of systems and applications.

How should security professionals tackle this mountain of risk? In this chapter, we examine a three-prong prioritization program that incorporates external criticality assessments, data sensitivity and the existing control environment to help organizations successfully rank vulnerabilities and, in turn, prioritize remediation efforts.

This three-step process assumes that you have access to information about the network security vulnerabilities that exist in your environment, the sensitivity of information processed by systems and applications, and the state of existing security controls in the environment. These may come from a variety of sources within your vulnerability management program, including Web and network vulnerability scanners, data loss prevention systems and configuration management software.

STEP 1: DETERMINE VULNERABILITY SEVERITY

The first data element you need is an assessment of the severity of each vulnerability that exists in your environment. In many cases, this severity information is provided through data feeds from the vendors that provide your vulnerability management tools.

The severity assessment should be based upon the potential damage that a successful exploit might cause. For example, a vulnerability that allows an attacker to gain administrative access to a system is much more severe than one that causes a denial of service.
Severity information may also take into account the real-world existence of exploits; a theoretical vulnerability with no known exploits is less severe than one used by a virulent piece of malware.

For the purposes of our model, we will assume that you are using a product that uses a five-point vulnerability rating system, with vulnerabilities that have the highest risk of a damaging exploit receiving a 5 rating.

STEP 2: IDENTIFY DATA SENSITIVITY

The risk a vulnerability poses is magnified by the sensitivity of the information processed on systems containing that vulnerability. For example, systems containing Social Security numbers or credit card data should generally be handled with much more care and concern than systems containing only publicly available information.

This does not mean that only systems containing sensitive information should be well-managed; a compromise of your public-facing website could cause just as much reputational damage to the organization as a disclosure of sensitive information. However, the presence of sensitive information certainly magnifies the impact of a successful attack.

Gathering information on data sensitivity can be tricky, depending on the maturity of your organization’s information-classification program. If you’re just getting started, you may wish to use a fairly simple model that divides data into three levels:

■ Highly sensitive information is either heavily regulated or would be extremely damaging to the organization if inadvertently released. This “crown jewel” of our information security programs contains data elements such as credit card numbers, protected health information and bank account details.

■ Internal information is every piece of information that does not fit the “highly sensitive” definition but should not be publicly released. This category may seem overly broad; it is also the hardest to define. If you don’t have a data classification program, lumping all this data into a single category is the most expedient way to get started. If business needs dictate, consider subdividing this category at a later date.

■ Public information is anything that your organization is willing to disclose to the general public, such as product literature, data shared on your public website and released financial statements.

When it comes time to assign data sensitivity ratings to systems, base your evaluation on the highest level of information stored or processed by a system. Systems processing highly sensitive information are assigned a data sensitivity rating of 5, while those processing internal information receive a 3 rating. All other systems are rated 1 on data sensitivity.

STEP 3: EVALUATE EXISTING CONTROLS

The final step of the process is to evaluate the existing controls that protect potentially vulnerable systems from compromise. The method you use to assign these ratings will vary depending upon the particular controls your organization requires. For example, if you have a highly secured network used for extremely sensitive systems, you might assign these systems a 5 rating on a five-point control scale. Similarly, a system with a public IP address that is accessible from the Internet hosting a Web application but not protected by a Web application firewall might be assigned a 1 or 2 rating. Choose a rating scale that accurately reflects the expected controls in your environment, and assign higher ratings to systems that have strong security controls.

PULLING IT ALL TOGETHER

Once you’ve gathered all of this information, you may use it to assess the vulnerabilities that show up on your reports. When you have it all consolidated in one place, perform this simple calculation for each vulnerability that exists on a system:

$$\text{Risk Score} = \frac{\text{Vulnerability Severity} \times \text{Data Sensitivity}}{\text{Existing Controls}}$$

If you chose five-point scales for each measure, this will result in a vulnerability rating ranging from a minimum of 0.2 (for a low severity vulnerability in a well-controlled system containing only public information) to a maximum of 25 (for a high severity vulnerability in a system lacking security controls containing highly sensitive information).

While this may seem like a lot of data to gather and math to perform, you can find ways to automate the process and feed your vulnerability prioritization efforts. For example, you might create a database that contains data sensitivity and control status information for all of your server assets. Similarly, scripts can parse vendor reports to automatically extract vulnerability severity information, pull relevant information from the database and calculate the risk score.

There are many ways to customize a vulnerability prioritization system for a particular organization. Regardless of the tweaks you make, an effective vulnerability management program based on risk-based prioritization decisions is a must for any organization looking to reduce IT security risk. Simplifying the process used to perform vulnerability risk analysis makes it much easier to begin and sustain such a program. —Mike Chapple
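
The automation described at the end of this chapter can be sketched as follows. This is an added example, not code from the handbook or its author: the host names, the inventory, the scanner CSV columns and the worst-case treatment of hosts missing from the inventory are all assumptions made for illustration.

```python
import csv
import io

# Step 2 ratings from the chapter: highly sensitive = 5, internal = 3, public = 1.
SENSITIVITY = {"highly sensitive": 5, "internal": 3, "public": 1}

# Constructed asset inventory (hypothetical hosts): classification of the most
# sensitive data on each system and its Step 3 control rating (5 = strongest).
ASSETS = {
    "pay-db-01": {"classification": "highly sensitive", "controls": 5},
    "crm-web-04": {"classification": "highly sensitive", "controls": 2},
    "hr-app-02": {"classification": "internal", "controls": 3},
    "www-03": {"classification": "public", "controls": 1},
}

# Constructed scanner export; the column names are assumptions, not a vendor format.
SCAN_CSV = """host,finding,severity
pay-db-01,Remote code execution in database listener,5
crm-web-04,SQL injection in search form,4
hr-app-02,Outdated TLS configuration,2
www-03,Denial of service in web server,3
lab-99,Default administrator password,5
"""


def risk_score(severity, sensitivity, controls):
    """Risk Score = (Vulnerability Severity x Data Sensitivity) / Existing Controls."""
    for name, value in (("severity", severity), ("sensitivity", sensitivity),
                        ("controls", controls)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be on the 1-5 scale, got {value}")
    return severity * sensitivity / controls


def rank_findings(scan_csv, assets):
    """Join scanner findings with the asset inventory and sort by risk score."""
    ranked = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        asset = assets.get(row["host"])
        if asset is None:
            # Assumption of this example: a host missing from the inventory is
            # scored as worst case (sensitivity 5, controls 1) and flagged, so
            # unknown systems rise to the top instead of being silently dropped.
            sensitivity, controls, inventoried = 5, 1, False
        else:
            sensitivity = SENSITIVITY[asset["classification"]]
            controls, inventoried = asset["controls"], True
        ranked.append({
            "host": row["host"],
            "finding": row["finding"],
            "score": risk_score(int(row["severity"]), sensitivity, controls),
            "inventoried": inventoried,
        })
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in rank_findings(SCAN_CSV, ASSETS):
        note = "" if r["inventoried"] else "  (not in inventory, worst case assumed)"
        print(f'{r["score"]:5.1f}  {r["host"]:<11} {r["finding"]}{note}')
```

In the constructed data, the severity-4 finding on the weakly controlled CRM host outranks the severity-5 finding on the well-controlled payments database, which is the effect of dividing by the control rating.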

3 VULNERABILITY TIPS

Five Tips to Improve a Threat and Vulnerability Management Program

Modern enterprise cybersecurity teams must be prepared to deal with a barrage of new and rapidly evolving threats. From script kiddies to sophisticated hackers working for criminal organizations, if an enterprise doesn’t have plans in place to deal with such threats, it will pay the price in expensive, embarrassing data breaches.

An effective threat management program is undoubtedly a vital ingredient for any enterprise security team dealing with the modern threat landscape.

However, keeping such a program running smoothly takes time and ongoing planning. Resources must be allocated to put a program in place that can deal with a multitude of attacks.

In this tip, I offer five best practices that companies can implement to increase the effectiveness of their threat and vulnerability management programs.

1. MANAGE ALERTS

If a tree falls in the woods and no one is there to hear it, does it make a sound? This old philosophical question comes to mind when thinking about threat management. Like that tree, are alerts about suspicious activity and anomalous behavior that can signal an attack in progress that an administrator doesn’t see or review really alerts? The most important thing a company can do to get a handle on threat management is to ensure that someone is there to review and respond to an alert that’s been triggered. To meet this requirement, most organizations should assign a dedicated resource, or resources, with the remit to review log and alert consoles on a daily basis.

At the daily alert review level, it’s not uncommon to see organizations assign different specialists to review different alert consoles. For example, a firewall operations expert may be in charge of reviewing firewall rule changes and alert logs, while an applications engineer may be responsible for reviewing the logs and alerts from the Web application firewalls and Web app scanners.

2. TAKE A HOLISTIC VIEW

In the realm of detection evasion, attackers are growing increasingly sophisticated, as can be seen with their use of multichannel attacks and other techniques that are designed to fly below security radars. An example of a multichannel attack is the seemingly innocuous spear SMSish (SMS phish to a smartphone), which fools the user into clicking on a link that leads to a rogue site that has been designed to look legitimate. The user may then be tricked into entering sensitive data or clicking on a link that infects the targeted machine with a bot. Once the user’s sensitive information has been collected, the attacker attempts to log in to a system and dig deeper into the corporate network for more valuable information.

Most organizations already monitor for threats and suspicious activity on most devices, including wired desktops, wireless tablets, smart devices, laptops, Web applications, databases and servers. To catch multichannel attackers, organizations should corral alerts from all of those systems into a single console where correlation rules can filter the seemingly innocuous activity that, when combined, creates a single, organized attack.

3. REDUCE FALSE POSITIVES

Excessive alerts and false positives ratchet up the “noise” ratio so high that it can be difficult (if not impossible) to sift through all the available data to find the truly malicious events. If an organization’s administrators can’t discern important alert signals through all the insignificant events, the alert system becomes useless. To reduce the number of false positives produced, an enterprise should first analyze the alert output of its threat-warning console, or consoles, and determine if the rules can be tuned to reduce the false positive noise, or filter alerts by level of confidence so that admins can see which ones are more likely to be relevant.

One way to lower those levels without losing critical alerts is to set threshold levels that match normal activity on the network. For example, a company that forces all users to change passwords on the same 90-day cycle might find that failed logins increase significantly on the day after the end of a cycle. To account for this occurrence, a rule that normally signals an alert after three failed logins could be increased to five failed logins on days following the password change. The logins could also be linked to other threat indicators, such as attempts to log in using the same ID from different IP addresses, to increase accuracy.

Keep in mind that overtuning or setting thresholds too low will result in false negatives, so test thresholds carefully before implementation.

4. INTEGRATE WITH THE SOC

As mentioned earlier, aggregating threat information into a single console gives organizations threat visibility across the whole enterprise. To gain even deeper visibility, a company can integrate that single or multiconsole view with its security operations center (SOC). At most companies, the SOC’s main purpose is to monitor security activity and respond to attacks quickly, which makes integrating the threat management program with the SOC something of a no-brainer.

To integrate threat information with the SOC, filter alert information into a SIEM system and log data into either the SIEM or whatever is being used for log centralization. Next, create rules in the SIEM, log aggregation tool or both to parse through alert information and flag legitimate attack activity for further investigation or response. To integrate effectively, make sure that engineers and administrators in the SOC have access to the standard operating procedures for incident response, so that the team knows the correct escalation paths, communication protocols and approved response activities.
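
The failed-login rule from tip 3 (three failures normally, five on the days following the password change, linked to the same ID arriving from different IP addresses) can be written as a small detection routine. This is an added example, not code from the handbook or its author; the log format, the sample lines, the two-day grace window and the choice to relax the threshold only for single-source failures are assumptions.

```python
import re
from collections import defaultdict
from datetime import date, datetime, timedelta

NORMAL_THRESHOLD = 3   # failed logins per user per day that normally raise an alert
RELAXED_THRESHOLD = 5  # threshold on days following the forced password change
GRACE_DAYS = 2         # assumption: how many days count as "following" the change

# Constructed log format (hypothetical): <UTC time> auth <FAIL|OK> user=<id> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<outcome>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample; the password cycle is assumed to end on 2024-03-31.
SAMPLE_LOG = """\
2024-03-20T09:01:10Z auth FAIL user=alice src=10.0.4.17
2024-03-20T09:01:25Z auth FAIL user=alice src=10.0.4.17
2024-03-20T09:01:41Z auth FAIL user=alice src=10.0.4.17
2024-04-01T08:00:03Z auth FAIL user=bob src=10.0.7.22
2024-04-01T08:00:19Z auth FAIL user=bob src=10.0.7.22
2024-04-01T08:00:40Z auth FAIL user=bob src=10.0.7.22
2024-04-01T08:01:02Z auth FAIL user=bob src=10.0.7.22
2024-04-01T08:01:30Z auth OK user=bob src=10.0.7.22
2024-04-01T08:10:00Z auth FAIL user=carol src=10.0.9.5
2024-04-01T08:10:09Z auth FAIL user=carol src=10.0.9.5
2024-04-01T08:10:21Z auth FAIL user=carol src=10.0.9.5
2024-04-01T08:10:35Z auth FAIL user=carol src=10.0.9.5
2024-04-01T08:10:50Z auth FAIL user=carol src=10.0.9.5
2024-04-01T11:30:00Z auth FAIL user=dave src=203.0.113.8
2024-04-01T11:30:07Z auth FAIL user=dave src=198.51.100.23
2024-04-01T11:30:15Z auth FAIL user=dave src=192.0.2.77
this line is malformed and is skipped
"""


def parse_failures(log_text):
    """Return {(day, user): [src_ip, ...]} for failed logins; skip other lines."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["outcome"] != "FAIL":
            continue
        try:
            day = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").date()
        except ValueError:
            continue  # unparseable timestamp: ignore the line
        failures[(day, m["user"])].append(m["src"])
    return failures


def evaluate(log_text, cycle_end):
    """Apply the tuned threshold and tag each alert with a confidence level."""
    alerts = []
    for (day, user), sources in sorted(parse_failures(log_text).items()):
        distinct = len(set(sources))
        in_grace = timedelta(0) < day - cycle_end <= timedelta(days=GRACE_DAYS)
        # Relax the rule only when every failure comes from one address, the
        # pattern of a user mistyping a new password. Failures for one ID from
        # several addresses keep the normal threshold even in the grace window.
        relaxed = in_grace and distinct == 1
        threshold = RELAXED_THRESHOLD if relaxed else NORMAL_THRESHOLD
        if len(sources) >= threshold:
            alerts.append({
                "day": day.isoformat(), "user": user, "failures": len(sources),
                "sources": distinct, "threshold": threshold,
                "confidence": "high" if distinct > 1 else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG, cycle_end=date(2024, 3, 31)):
        print(alert)
```

With the cycle ending on 2024-03-31, bob's four single-source failures on the following day stay below the relaxed threshold, while dave's three failures from three addresses still alert with high confidence.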

5. VALIDATE REMEDIATION ACTIVITIES

In the heated atmosphere of an incident response, organizations can easily overlook validating the remediation activities. Even during routine activities like patch management, many companies fail to close the remediation loop with validation. Did the patch get loaded properly? Did it close the intended vulnerability? Without testing, an organization can’t be certain that the remediation was successful and the threat exposure was closed.

Complete the threat management cycle with steps for validation. These can include rescanning systems to validate patches and performing application and network penetration testing to confirm that fixes or controls are blocking vulnerabilities as expected.

CONCLUSION

The modern threat landscape is complex and attacks come in from multiple channels and sources. Organizations need to have a multichannel approach to managing and responding to threat activity. Rolling up activity data into the SIEM, or other management console, and having trained professionals review the alert data will increase situational awareness and improve response time and efficacy. And when patches or controls are in place for remediation, don’t forget to validate that they are installed and working. Stopping all attack activity is impossible, but by taking steps to improve a threat and vulnerability management program, businesses can avoid an incident becoming catastrophic. —Diana Kelley

4 PEN TESTING

Social Engineering Penetration Testing: Four Effective Techniques

Social engineering has become one of the more prevalent attack methods in use today, and has been featured heavily in some high-profile breaches. The 2011 RSA breach, for example, involved a targeted spear phishing campaign and an exploit-laden Excel file. Thus, for organizations to adequately model the real threats they face, social engineering penetration testing should be a mandatory tactic in every pen testing toolkit.

Social engineering relies heavily on psychology. There are several types of incentives and motivators to which people are highly susceptible, allowing social engineers to persuade people to take an action. For example, Dr. Robert Cialdini in his classic book Influence: The Psychology of Persuasion (first published in 1984) described six key motivators:

■ Reciprocation: Feeling indebted to someone for doing something for you.

■ Social proof: Looking to others for guidance on how to act.

■ Commitment/Consistency: Developing patterns of behavior and maintaining them out of habit.

■ Liking: Wanting to “fit in” and being more easily persuaded by someone you like.

■ Authority: Acquiescing to requests or demands from perceived authority figures.

■ Scarcity: Feeling higher motivation to pursue something if it is limited or exclusive.

Pen testers can leverage these motivators when performing social engineering assessments.

There are four social engineering techniques that pen testers can use to test an organization’s security: phishing, pretexting, media dropping and tailgating.

PHISHING

Phishing involves sending an email to a user to persuade the user to perform an action. The goal of most phishing emails in a pen testing project is simply to entice the user to click something and then record that activity, or to actually install a program as part of a larger penetration testing effort. In the latter case, exploits can be tailored to client-side software known to have problems, such as browsers and dynamic content/media plug-ins and software.

The key to a successful phishing campaign is personalization. Tailoring the email to the targeted user, such as by sending it from a trusted (or perceived-to-be-trusted) source, makes it more likely the user will read the email or follow some direction in it. A good pen tester always remembers to check spelling and grammar; a well-written email, even a short one, is much more believable.

Probably the best-known tool for creating phishing attacks is the open source Social Engineering Toolkit (SET). With its menu-driven email and attack-creation system, it’s one of the simplest ways to get started with phishing. Commercial tools like PhishMe Inc.’s PhishMe and Wombat Security’s PhishGuru can also be useful.

PRETEXTING

Pretexting involves telephoning the target and trying to solicit information from him or her, usually by pretending to be someone who needs assistance. This technique can work well in a penetration testing project by targeting non-technical users who can provide useful information.

The best strategy is to start with small requests and drop names of real people in the organization who may be waiting for something. In the pretexting conversation, the pen tester explains they need the target’s help. (Most people are willing to do small tasks that aren’t perceived as suspicious requests.) Once rapport has been established, the pen tester can ask for something more substantial with more success.

Reconnaissance before the pretexting exercise, using Google and tools like Paterva’s Maltego, can provide needed background information. Phone-masking and proxying tools like SpoofCard (a subsidiary of TelTech Systems) and SpoofApp from SpoofApp.com LLC, as well as Asterisk PBX add-ons from Digium Inc., can disguise the pen tester’s phone number, even making it appear to come from the organization’s own number block.

MEDIA DROPPING

Media drops usually involve a USB flash drive left somewhere conspicuous, like a parking lot or building entrance area. The social engineer places an interesting-sounding file on the flash drive that launches some sort of client-side attack when opened.

One free tool for creating these files is Metasploit, with its built-in malicious payload generators. The “Infectious Media Generator” option in SET also uses Metasploit, but helps automate the process. SET can create a “legitimate” executable that runs automatically when Autorun is enabled on a target’s PC. Using automatic execution techniques and interesting-sounding files together can increase the chances of success.

A more sophisticated approach to performing a media drop as part of a pen testing project is to develop custom attacks and programs on a USB drive, or to purchase USB drives that are pre-built for this purpose. To increase the success of USB attacks, add both automated exploits and attack-laden files to the device (PDF, Word and Excel formats are best). Labeling the device with an interesting sticker, like “HR Data” or “Employment,” can help, too.

TAILGATING

Tailgating involves getting into a physical facility by coercing or fooling staff there, or just walking in. Usually the focus of these tests is to demonstrate that the pen tester can bypass physical security.

Pen testers should plan to procure sensitive data or install a device quickly to prove they were successful, as they may have only a short window of time before needing to leave the facility. The pen tester can take pictures of exposed documents left on printers or desks, or install a pen testing drop box device to provide Wi-Fi or 3G network access back to the environment later.

By using these four social engineering techniques, the pen tester can uncover an organization’s vulnerabilities and then recommend security controls and education techniques that will reduce the odds of an organization falling prey to malicious social engineering attacks. —Dave Shackleford

ABOUT THE AUTHORS

MIKE CHAPPLE, Ph.D., CISA, CISSP, is an IT security manager with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He previously served as site expert on network security, is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.

DIANA KELLEY is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.

DAVE SHACKLEFORD is principal consultant at Voodoo Security, senior vice president of research and CTO at IANS and a SANS analyst, instructor and course author. He previously worked as CSO for Configuresoft, CTO for the Center for Internet Security and as a security architect, analyst and manager for several Fortune 500 companies. He is co-author of a SANS Institute book on virtual security and currently serves on the board of directors at the SANS Technology Institute.

Vulnerability Management Programs: A Handbook for Security Pros is a SearchSecurity.com e-publication.

Robert Richardson | Editorial Director
Eric Parizo | Executive Editor
Kathleen Richards | Features Editor
Kara Gattine | Senior Managing Editor
Brenda L. Horrigan | Associate Managing Editor
Brandan Blevins | Associate Editor
Sharon Shea | Assistant Editor
Linda Koury | Director of Online Design
Neva Maniscalco | Graphic Designer
Doug Olender | Vice President/Group Publisher

TechTarget
275 Grove Street, Newton, MA 02466
www.techtarget.com

© 2014 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.