Vulnerability Scoring – Making sense of it all

Evert Smith – ZaCon09 – 21 November 2009
  
#index

• Ramblings
• Intro – days of yore
• CVSS – the beginning
• CVSS – the metrics
• Calculation Insight
• Vulnerability Investigation
  
#Caveat

Presentation is a result of:
  - general curiosity
  - thirst for anything historic

This is not:
  - an attempt to find fault or suggest recommendations
  
#Bio

#amygdala

• Fear overrules reason
• Amygdala vs Neocortex
• "Afraid of the dark"
  
#DaysofYore

1995
  • Windows 3.1 Workgroup / 95 / NT4.0
  • Solaris 2.3/2.4
  • Linux Kernel: 1.1, 1.2
  • Banyan Vines
  • Bugtraq just began
  
#DaysofYore

- SATAN
- COPS
- ESM Omniguard (Axent Technologies)
- Nessus
- CyberCop (Network Associates -> McAfee: circa 2000)
- NETRECON (Axent Technologies -> Symantec: circa 2000)
- ISS
- Qualys
  
#DaysofYore

• NIST – 1901
• CERT – DARPA 1988, after the Morris worm
• CVE – MITRE Corporation (DHS, NCSD) 1999
• NVD – is synchronized with, and based on, the CVE list
• CSD – NIST (2002)
#Didyouknow?

NVD contains:
  39396  CVE Vulnerabilities
  129    Checklists
  183    US-CERT Alerts
  2348   US-CERT Vuln Notes
  2517   OVAL Queries

Last updated: 11/20/09

CVE publication rate: 12 vulnerabilities / day
  
./NessusPlugin

MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Unspecified Remote Code Execution (958644)

Critical / CVSS Base Score: 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
  
#VendorScoringSystems

Microsoft Model

Low – exploitation difficult
Moderate – mitigating factors in place
Important – CIA compromised
Critical – worm type exploits
  
#Vulnerability

• Conditions == fail ++
    – DoS
    – Non-repudiation
    – Impersonation
    – Data destruction
    – Exploiting an encryption system
  
./CVSS the beginning

Existing scoring systems in 2003 were:
   – Different
   – Non-common metrics
   – Internet centric
   – No change over time
   – No space for operational environments
  
#InitialPlan

Initial plan was to create a system which was:
   – Open
   – Comprehensive
   – Interoperable
   – Flexible
   – Simple
  
#CVSSthebeginning

• Started July 2003 – completed in January 2004 – released January 2005 on the DHS website

• Objectives:
    • Understand the severity of vulnerabilities
    • Method to prioritize remediation efforts
    • Develop overall scoring method
  
#Participants

CVSS was a joint effort
  • CERT/CC
  • Cisco
  • DHS/MITRE
  • eBay
  • IBM Internet Security Systems
  • Microsoft
  • Qualys
  • Symantec
  
#CurrentCustodian

• The Forum of Incident Response and Security Teams (FIRST) sponsors and supports the Common Vulnerability Scoring System Special Interest Group (CVSS-SIG).

• The team – 36 people from Cisco, Unisys, MITRE, Lumeta, IBM, BB&T, nCircle, RedSeal, CERT/CC, NIST, Skybox, Tenable, Qualys
  
#Adopters

#WhatItsNot

Does colour really make us safe?

• CVSS is not a threat scoring system (DHS colour warning system),
• a vulnerability database or
• a real-time attack scoring system.
  
#CVSS – this is it

#Metrics

• Base Metric Group
    – Access Vector
    – Access Complexity
    – Authentication
    – Confidentiality Impact
    – Integrity Impact
    – Availability Impact

The base metric group captures the intrinsic nature of the vulnerability: properties that do not change over time or between environments (those belong to the temporal and environmental groups).
  
[NVD calculator screenshot: the metric picker on the left, the resulting score panel on the right]

Metric picker (CVSS v2 base metrics):
  Access Vector:          Local | Adjacent | Network
  Access Complexity:      High | Medium | Low
  Authentication:         Multiple | Single | None
  Confidentiality Impact: None | Partial | Complete
  Integrity Impact:       None | Partial | Complete
  Availability Impact:    None | Partial | Complete

Score panel:
  Metric                       Value
  Access Vector                (not captured)
  Access Complexity            LOW
  Authentication               NOT-REQUIRED
  Confidentiality Impact       NONE
  Integrity Impact             NONE
  Availability Impact          COMPLETE
  Impact Bias                  AVAILABILITY
  BASE SCORE                   5.0
  Exploitability               HIGH
  Remediation Level            OFFICIAL-FIX
  Report Confidence            CONFIRMED
  TEMPORAL SCORE               4.4
  Collateral Damage Potential  NONE
  Target Distribution          HIGH
  ENVIRONMENTAL SCORE          4.4

Vector shown alongside: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Note: the score panel is the CVSS v1 calculator (Impact Bias, NOT-REQUIRED and OFFICIAL-FIX are v1 names; v2 has no Impact Bias). Its 5.0 is the v1 base score for None/None/Complete with the availability bias (10 x 1.0 x 1.0 x 1.0 x 0.5); 4.4 is that score x 0.87 for an official fix; the environmental score stays at 4.4 with no collateral damage potential and full target distribution. The v2 vector next to it describes a different selection (Complete/Complete/Complete), which scores 10.0 under v2.
  
#Doh

#Sowehavenumbers?

How should the numbers drive us?

0-3  = No impact, wait for SP
4-5  = Next patch cycle
6-7  = Next 14 days
7-10 = ASAP – this week
  
#Say Nuts

#conFicker

Official Bulletin:

A remote code execution vulnerability exists in the Server service on Windows systems. The vulnerability is due to the service not properly handling specially crafted RPC requests. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
  
#conFicker

The payload:

# Payload for Windows 2003 [SP2] target
# (the first bytes are the UTF-16LE string "A\..\..\" that triggers the
#  path-canonicalization bug; the rest are return addresses and filler)
payload_2='\x41\x00\x5c\x00'
payload_2+='\x2e\x00\x2e\x00\x5c\x00\x2e\x00'
payload_2+='\x2e\x00\x5c\x00\x0a\x32\xbb\x77'
payload_2+='\x8b\xc4\x66\x05\x60\x04\x8b\x00'
payload_2+='\x50\xff\xd6\xff\xe0\x42\x84\xae'
payload_2+='\xbb\x77\xff\xff\xff\xff\x01\x00'
payload_2+='\x01\x00\x01\x00\x01\x00\x43\x43'
payload_2+='\x43\x43\x37\x48\xbb\x77\xf5\xff'
payload_2+='\xff\xff\xd1\x29\xbc\x77\xf4\x75'
payload_2+='\xbd\x77\x44\x44\x44\x44\x9e\xf5'
payload_2+='\xbb\x77\x54\x13\xbf\x77\x37\xc6'
payload_2+='\xba\x77\xf9\x75\xbd\x77\x00\x00'
  
#conFicker

Mitigation (Server Service Vulnerability)

- To protect against external attackers – implement firewall rules to block inbound RPC/SMB traffic (TCP 139 and 445) at the perimeter
- On Vista – the attack only works if the attacker is authenticated
- Disable the Server and Computer Browser services
  
#conFickerCVSS

Critical / CVSS Base Score: 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

  Code        Rating   New
  AV          N        N
  AC          L        L
  AU          N        R
  C           C        C
  I           C        C
  A           C        C
  BASE SCORE  10       6
  
./NessusPlugin – revisit

MS08-067: Critical / CVSS Base Score: 10.0

(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C) = 10
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P) = 10
(CVSS2#AV:N/AC:L/Au:R/C:C/I:C/A:C) = 6
(CVSS2#AV:N/AC:H/Au:R/C:C/I:C/A:C) = 4.8
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C) = 6

http://nvd.nist.gov/cvss.cfm?calculator

Note: Au:R is not a CVSS v2 value (v2 Authentication is M, S or N). The 6 and 4.8 results are what the CVSS v1 formula gives for Authentication Required (0.6) and Access Complexity High (0.8); under v2 the vector AV:N/AC:L/Au:N/C:C/I:C/A:C can only ever score 10.0, so a "6" against it means a different formula or a different vector was used.
  
#Ponders

Does it tally?

(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C) = 6

(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C) = 3.3

Add Impact Bias = Weight Availability

(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C) = 5
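The arithmetic behind the numbers on the calculator, "conFickerCVSS", "revisit" and "Ponders" slides, as an added example (this is not the presenter's code and not NVD's calculator source). It implements the CVSS v1 base/temporal/environmental formula (NIAC, 2005: multiplicative weights plus Impact Bias) and the CVSS v2 base formula (FIRST, 2007) side by side, using the published metric weights; the function names and table labels are the example's own. Running it shows where the deck's figures come from: 6, 4.8, 3.3 and 5 are v1 results (Authentication Required = 0.6, Access Complexity High = 0.8, availability bias = 0.5), the panel's 4.4 is the v1 temporal score for an official fix, while v2 scores AV:N/AC:L/Au:N/C:C/I:C/A:C as 10.0 and defines no Au:R at all (its nearest equivalent, Au:S, gives 9.0). Neither formula yields 10 for C:P/I:P/A:P: v2 gives 7.5, v1 gives 7.0.

```python
# Added example: CVSS v1 and v2 base-score arithmetic. Not the presenter's
# code and not NVD's calculator source; the metric weights are the published
# ones from the CVSS v1 (NIAC, 2005) and CVSS v2 (FIRST, 2007) specifications.
import math


def round1(x: float) -> float:
    """Round half up to one decimal, as the NVD calculators do. The epsilon
    absorbs binary float error (5.0 * 0.87 is stored as 4.3499999..., 4.4)."""
    return math.floor(x * 10 + 0.5 + 1e-9) / 10


# --- CVSS v2: vector strings such as AV:N/AC:L/Au:N/C:C/I:C/A:C ------------
V2_AV = {"L": 0.395, "A": 0.646, "N": 1.0}       # Local / Adjacent / Network
V2_AC = {"H": 0.35, "M": 0.61, "L": 0.71}        # High / Medium / Low
V2_AU = {"M": 0.45, "S": 0.56, "N": 0.704}       # Multiple / Single / None
V2_IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}   # None / Partial / Complete
V2_TABLES = {"AV": V2_AV, "AC": V2_AC, "Au": V2_AU,
             "C": V2_IMPACT, "I": V2_IMPACT, "A": V2_IMPACT}


def parse_v2_vector(vector: str) -> dict:
    """Parse a v2 base vector, tolerating a 'CVSS2#' prefix and stray parens.
    Rejects values the v2 spec does not define (e.g. the slides' 'Au:R')."""
    body = vector.strip().strip("()").split("#")[-1]
    metrics = dict(part.split(":", 1) for part in body.split("/"))
    if set(metrics) != set(V2_TABLES):
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    for key, table in V2_TABLES.items():
        if metrics[key] not in table:
            raise ValueError(f"{key}:{metrics[key]} is not a v2 value "
                             f"(allowed: {'/'.join(table)})")
    return metrics


def cvss2_base(vector: str) -> float:
    m = parse_v2_vector(vector)
    impact = 10.41 * (1 - (1 - V2_IMPACT[m["C"]]) * (1 - V2_IMPACT[m["I"]])
                      * (1 - V2_IMPACT[m["A"]]))
    exploitability = 20 * V2_AV[m["AV"]] * V2_AC[m["AC"]] * V2_AU[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


# --- CVSS v1: the formula behind the "Impact Bias" calculator panel --------
V1_AV = {"local": 0.7, "remote": 1.0}
V1_AC = {"high": 0.8, "low": 1.0}
V1_AU = {"required": 0.6, "not_required": 1.0}
V1_IMPACT = {"none": 0.0, "partial": 0.7, "complete": 1.0}
V1_BIAS = {"normal": (0.333, 0.333, 0.333),          # weights for (C, I, A)
           "confidentiality": (0.5, 0.25, 0.25), "integrity": (0.25, 0.5, 0.25),
           "availability": (0.25, 0.25, 0.5)}
V1_EXPLOITABILITY = {"unproven": 0.85, "proof_of_concept": 0.9,
                     "functional": 0.95, "high": 1.0}
V1_REMEDIATION = {"official_fix": 0.87, "temporary_fix": 0.90,
                  "workaround": 0.95, "unavailable": 1.0}
V1_CONFIDENCE = {"unconfirmed": 0.90, "uncorroborated": 0.95, "confirmed": 1.0}
V1_CDP = {"none": 0.0, "low": 0.1, "medium": 0.3, "high": 0.5}
V1_TD = {"none": 0.0, "low": 0.25, "medium": 0.75, "high": 1.0}


def cvss1_base(av, ac, au, c, i, a, bias="normal") -> float:
    wc, wi, wa = V1_BIAS[bias]
    impact = V1_IMPACT[c] * wc + V1_IMPACT[i] * wi + V1_IMPACT[a] * wa
    return round1(10 * V1_AV[av] * V1_AC[ac] * V1_AU[au] * impact)


def cvss1_temporal(base, exploitability="high", remediation="official_fix",
                   confidence="confirmed") -> float:
    return round1(base * V1_EXPLOITABILITY[exploitability]
                  * V1_REMEDIATION[remediation] * V1_CONFIDENCE[confidence])


def cvss1_environmental(temporal, cdp="none", td="high") -> float:
    return round1((temporal + (10 - temporal) * V1_CDP[cdp]) * V1_TD[td])


def score_table() -> dict:
    """The deck's vectors scored under both generations of the formula."""
    ccc = ("complete", "complete", "complete")
    return {
        "v2 full compromise": cvss2_base("(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)"),
        "v2 partial C/I/A": cvss2_base("AV:N/AC:L/Au:N/C:P/I:P/A:P"),
        "v2 single auth": cvss2_base("AV:N/AC:L/Au:S/C:C/I:C/A:C"),
        "v2 DoS only": cvss2_base("AV:N/AC:L/Au:N/C:N/I:N/A:C"),
        "v1 full compromise": cvss1_base("remote", "low", "not_required", *ccc),
        "v1 partial C/I/A": cvss1_base("remote", "low", "not_required",
                                       "partial", "partial", "partial"),
        "v1 auth required": cvss1_base("remote", "low", "required", *ccc),
        "v1 high AC + auth": cvss1_base("remote", "high", "required", *ccc),
        "v1 DoS only": cvss1_base("remote", "low", "not_required",
                                  "none", "none", "complete"),
        "v1 DoS, availability bias": cvss1_base(
            "remote", "low", "not_required", "none", "none", "complete",
            bias="availability"),
    }


if __name__ == "__main__":
    for label, score in score_table().items():
        print(f"{label:28} {score:4.1f}")
    temporal = cvss1_temporal(5.0)    # the panel's 5.0 with an official fix
    print("v1 temporal / environmental:", temporal, cvss1_environmental(temporal))
```

Run it directly to print the table. `parse_v2_vector` raises ValueError on `Au:R`, and that is the check worth applying to any vector a scanner, plugin feed or ticketing integration hands you: if the string does not parse under the version it claims, the number printed next to it was produced by something else and should not drive a patch deadline.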
#BUT

And when they've given you their all
Some stagger and fall, after all it's not easy,
banging your heart against some mad bugger's wall

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 

Vulnerability Management Scoring Systems

  • 1. Vulnerability Scoring: Making sense of it all. Evert Smith - ZaCon09 – 21 November 2009
  • 2. #index • Ramblings • Intro – days of yore • CVSS – the beginning • CVSS – the metrics • Calculation Insight • Vulnerability Investigation
  • 3. #Caveat Presentation is a result of: - general curiosity - thirst for anything historic. This is not: - an attempt to find fault or suggest recommendations
  • 5. #amygdala • Fear overrules reason • Amygdala vs Neocortex • “Afraid of the dark”
  • 6.
  • 7. #DaysofYore 1995 • Windows 3.1 Workgroup / 95 / NT4.0 • Solaris 2.3/2.4 • Linux Kernel: 1.1, 1.2 • Banyan Vines • BugTrac just began
  • 8. #DaysofYore - SATAN - COPS - ESM Omniguard (Axent Technologies) - Nessus - CyberCop (NA -> McAfee: circa 2000) - NETRECON (Axent Technologies -> Symantec: circa 2000) - ISS - Qualys
  • 9. #DaysofYore • NIST – 1901 • CERT – DARPA 1988 after the Morris worm • CVE – MITRE corporation (DHS, NCSD) 1999 • NVD - is synchronized with, and based on the CVE list • CSD – NIST (2002) (callout: Everything American I see)
  • 10. #Didyouknow? NVD contains: 39396 CVE Vulnerabilities; 129 Checklists; 183 US-CERT Alerts; 2348 US-CERT Vuln Notes; 2517 OVAL Queries. Last updated: 11/20/09. CVE Publication rate: 12 vulnerabilities / day
  • 11. ./NessusPlugin MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Unspecified Remote Code Execution (958644). Critical / CVSS Base Score: 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
  • 12. #VendorScoringSystems Microsoft Model: Low – exploitation difficult; Moderate – mitigating in place; Important – CIA compromised; Critical – worm type exploits
  • 13.
  • 14. #Vulnerability • Conditions == fail ++ – DoS – Non-repudiation – Impersonation – Data destruction – Exploiting an encryption system
  • 15. ./CVSS the beginning Existing scoring systems in 2003 were: – Different – Non-common metrics – Internet centric – No change over time – No space for operational environments
  • 16. #InitialPlan Initial plan was to create a system which was: – Open – Comprehensive – Interoperable – Flexible – Simple
  • 17. #CVSSthebeginning • Started July 2003 - Completed in January 2004 – released January 2005 on DHS website • Objectives: • Understand the severity of vulnerabilities • Method to prioritize remediation efforts • Develop overall scoring method
  • 18. #Participants CVSS was a joint effort • CERT/CC • Cisco • DHS/MITRE • eBay • IBM Internet Security Systems • Microsoft • Qualys • Symantec
  • 19. #CurrentCustodian • The Forum of Incident Response and Security Teams (FIRST) sponsors and supports the Common Vulnerability Scoring System-Special Interest Group (CVSS-SIG). • The team – 36 people from Cisco, Unisys, MITRE, Lumeta, IBM, BB&T, nCircle, RedSeal, CERT/CC, NIST, Skybox, Tenable, Qualys
  • 21. #WhatItsNot (image caption: Does colour really make us safe?) • CVSS is not a threat scoring system (DHS colour warning system), • a vulnerability database or • a real-time attack scoring system.
  • 22. #CVSS – this is it
  • 23. #Metrics • Base Metric Group – Access Vector – Access Complexity – Authentication – Confidentiality Impact – Integrity Impact – Availability Impact. The metric which shows the intrinsic nature of the vulnerability
  • 24. Base metric options: Access Vector (Local / Adjacent / Network); Access Complexity (High / Medium / Low); Authentication (Multiple / Single / None); Confidentiality Impact (None / Partial / Complete); Integrity Impact (None / Partial / Complete); Availability Impact (None / Partial / Complete). Calculator screenshot (vector CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C), metric / value:
        Access Complexity: LOW; Authentication: NOT-REQUIRED; Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: COMPLETE; Impact Bias: AVAILABILITY; BASE SCORE: 5.0
        Exploitability: HIGH; Remediation Level: OFFICIAL-FIX; Report Confidence: CONFIRMED; TEMPORAL SCORE: 4.4
        Collateral Damage Potential: NONE; Target Distribution: HIGH; ENVIRONMENTAL SCORE: 4.4
  • 26. #Sowehavenumbers? How should the numbers drive us? 0-3 = No impact, wait for SP; 4-5 = Next patch cycle; 6-7 = Next 14 days; 7-10 = ASAP – this week
  • 28. #conFicker Official Bulletin: A remote code execution vulnerability exists in the Server service on Windows systems. The vulnerability is due to the service not properly handling specially crafted RPC requests. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
  • 29. #conFicker The payload:
        # Payload for Windows 2003 [SP2] target
        payload_2 = '\x41\x00\x5c\x00'
        payload_2 += '\x2e\x00\x2e\x00\x5c\x00\x2e\x00'
        payload_2 += '\x2e\x00\x5c\x00\x0a\x32\xbb\x77'
        payload_2 += '\x8b\xc4\x66\x05\x60\x04\x8b\x00'
        payload_2 += '\x50\xff\xd6\xff\xe0\x42\x84\xae'
        payload_2 += '\xbb\x77\xff\xff\xff\xff\x01\x00'
        payload_2 += '\x01\x00\x01\x00\x01\x00\x43\x43'
        payload_2 += '\x43\x43\x37\x48\xbb\x77\xf5\xff'
        payload_2 += '\xff\xff\xd1\x29\xbc\x77\xf4\x75'
        payload_2 += '\xbd\x77\x44\x44\x44\x44\x9e\xf5'
        payload_2 += '\xbb\x77\x54\x13\xbf\x77\x37\xc6'
        payload_2 += '\xba\x77\xf9\x75\xbd\x77\x00\x00'
  • 30. #conFicker Mitigation (Server Service Vulnerability) - To protect against external – implement firewall rules to block RPC traffic - On Vista – the attack only works if the attacker is authenticated - Disable Server and Computer Browser service
  • 31. #conFickerCVSS Critical / CVSS Base Score: 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
        Code        Rating   New
        AV          N        N
        AC          L        L
        AU          N        R
        C           C        C
        I           C        C
        A           C        C
        BASE SCORE  10       6
  • 32. ./NessusPlugin - revisit MS08-067: Critical / CVSS Base Score: 10.0. (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C) = 10; (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P) = 10; (CVSS2#AV:N/AC:L/Au:R/C:C/I:C/A:C) = 6; (CVSS2#AV:N/AC:H/Au:R/C:C/I:C/A:C) = 4.8; (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C) = 6. http://nvd.nist.gov/cvss.cfm?calculator
  • 33. #Ponders Does it tally? (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C) = 6; (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C) = 3.3; Add ImpactBias = Weight Availability: (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C) = 5
  • 34. #BUT "And when they've given you their all, some stagger and fall; after all it's not easy, banging your heart against some mad bugger's wall."
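The metric tables on slides 23 and 24 and the rescored vectors on slides 31 to 33 are easier to reason about with a calculator you can run. The block below is an added example, not code from the deck, from FIRST or from NIST. It implements the base-score equations and constants published in the CVSS v1 and v2 specifications side by side. Two things are this example's own assumptions: the v1 vector string form (AV/AC/Au/C/I/A plus a B token for Impact Bias), and the treatment of the slides' "Au:R", which is not a v2 value, as v2 Au:S (single) for comparison. Running it shows that the 6, 4.8, 3.3 and 5 on slides 32 and 33 fall out of the v1 equations (Authentication "Required" and Impact Bias exist only in v1), while the v2 equations give other values for the same metrics; that these slides were produced with a v1 calculator is an inference from the arithmetic, not something the deck states.

```python
"""CVSS v1 and v2 base-score calculators, written as an added example for the
slides above (not code from the deck, FIRST or NIST).  Constants are the ones
published in the CVSS v1 and v2 specifications; the v1 vector string form and
the mapping of the slides' "Au:R" to v2 "Au:S" are this example's assumptions."""
from decimal import Decimal, ROUND_HALF_UP

# --- v2 (CVSS2#) base metric weights ---------------------------------------
V2 = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},    # Local / Adjacent / Network
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},     # High / Medium / Low
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},    # Multiple / Single / None
    "C":  {"N": 0.0, "P": 0.275, "C": 0.660},    # None / Partial / Complete
    "I":  {"N": 0.0, "P": 0.275, "C": 0.660},
    "A":  {"N": 0.0, "P": 0.275, "C": 0.660},
}

# --- v1 base metric weights (Impact Bias 'B' exists only in v1) -------------
V1 = {
    "AV": {"L": 0.7, "R": 1.0},                  # Local / Remote
    "AC": {"H": 0.8, "L": 1.0},                  # High / Low
    "Au": {"R": 0.6, "NR": 1.0},                 # Required / Not required
    "C":  {"N": 0.0, "P": 0.7, "C": 1.0},
    "I":  {"N": 0.0, "P": 0.7, "C": 1.0},
    "A":  {"N": 0.0, "P": 0.7, "C": 1.0},
    "B":  {"N": (0.333, 0.333, 0.333),           # Normal: equal weights
           "C": (0.5, 0.25, 0.25),               # weight Confidentiality
           "I": (0.25, 0.5, 0.25),               # weight Integrity
           "A": (0.25, 0.25, 0.5)},              # weight Availability
}


def _round1(x):
    """Round half up to one decimal, as both specifications do."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector, table):
    """Parse 'AV:N/AC:L/...' into {metric: value}.  A 'CVSS2#' prefix and the
    unbalanced parentheses seen on the slides are tolerated; any metric or value
    not in `table` raises ValueError, so 'Au:R' is rejected as a v2 vector."""
    body = vector.strip().strip("()")
    body = body.split("#", 1)[1] if "#" in body else body
    metrics = {}
    for part in body.split("/"):
        name, _, value = part.partition(":")
        if name not in table or value not in table[name]:
            raise ValueError(f"unknown metric or value: {part!r}")
        metrics[name] = value
    missing = set(table) - set(metrics)
    if missing:
        raise ValueError(f"vector is missing metrics {sorted(missing)}")
    return metrics


def cvss2_base(vector):
    """CVSS v2 base score: Impact, Exploitability, then the f(Impact) gate."""
    m = parse_vector(vector, V2)
    c, i, a = (V2[k][m[k]] for k in ("C", "I", "A"))
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = 20 * V2["AV"][m["AV"]] * V2["AC"][m["AC"]] * V2["Au"][m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def cvss1_base(vector):
    """CVSS v1 base score: 10 * AV * AC * Au * bias-weighted sum of C, I, A."""
    m = parse_vector(vector, V1)
    wc, wi, wa = V1["B"][m["B"]]
    impact = V1["C"][m["C"]] * wc + V1["I"][m["I"]] * wi + V1["A"][m["A"]] * wa
    return _round1(10 * V1["AV"][m["AV"]] * V1["AC"][m["AC"]] * V1["Au"][m["Au"]] * impact)


def is_valid_v2(vector):
    """True if the string parses as a complete CVSS v2 base vector."""
    try:
        parse_vector(vector, V2)
        return True
    except ValueError:
        return False


def ms08_067_comparison():
    """Rescore the vectors from slides 32 and 33 with both equations.
    Rows: (v2 vector, v2 score, v1 vector, v1 score, score shown on the slide).
    The slides' 'Au:R' is taken as v2 Au:S (single) here: an assumption."""
    rows = [
        ("AV:N/AC:L/Au:N/C:C/I:C/A:C", "AV:R/AC:L/Au:NR/C:C/I:C/A:C/B:N", 10),
        ("AV:N/AC:L/Au:S/C:C/I:C/A:C", "AV:R/AC:L/Au:R/C:C/I:C/A:C/B:N", 6),
        ("AV:N/AC:H/Au:S/C:C/I:C/A:C", "AV:R/AC:H/Au:R/C:C/I:C/A:C/B:N", 4.8),
        ("AV:N/AC:L/Au:N/C:N/I:N/A:C", "AV:R/AC:L/Au:NR/C:N/I:N/A:C/B:N", 3.3),
        ("AV:N/AC:L/Au:N/C:N/I:N/A:C", "AV:R/AC:L/Au:NR/C:N/I:N/A:C/B:A", 5),
    ]
    return [(v2, cvss2_base(v2), v1, cvss1_base(v1), s) for v2, v1, s in rows]


if __name__ == "__main__":
    for v2, s2, v1, s1, slide in ms08_067_comparison():
        print(f"{v2:28} v2={s2:4}   {v1:33} v1={s1:4}   slide={slide}")
```

The practical point for anyone triaging against the bands on slide 26 is that a vector string and a number are only comparable when the scoring version is known: the same metric letters give 6.0 under v1 and 9.0 under v2 for the authenticated case, which moves a finding between "next 14 days" and "this week". The parser is deliberately strict so that a token outside the spec fails loudly instead of being silently mapped.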