{"id":298,"date":"2016-11-19T05:40:05","date_gmt":"2016-11-18T22:40:05","guid":{"rendered":"http:\/\/www.seven-stones.biz\/blog\/?p=298"},"modified":"2016-11-21T06:10:20","modified_gmt":"2016-11-20T23:10:20","slug":"clouds-and-vulnerability-management","status":"publish","type":"post","link":"https:\/\/www.seven-stones.biz\/blog\/clouds-and-vulnerability-management\/","title":{"rendered":"Clouds and Vulnerability Management"},"content":{"rendered":"<p class=\"p1\">In the world of Clouds and Vulnerability Management, based on observations, it seems like a critical issue has slipped under the radar: if you&#8217;re running with PaaS and SaaS VMs, you cannot deliver anything close to a respectable level of vulnerability management with these platforms. This is because to do effective vulnerability management, the first part of that process &#8211; the vulnerability assessment &#8211; needs to be performed with administrative access (over SSH\/SMB), and with PaaS and SaaS, you do not, as a customer, have such access (this is part of your agreement with the cloud provider). The rest of this article explains this issue in more detail.<\/p>\n<p class=\"p1\"><span class=\"s1\">The main reason for the clouding (sorry) of this issue is what is still, after 20+ years, a fairly widespread lack of awareness of the ineffectiveness of unauthenticated vulnerability scanning. More and more security managers are becoming aware that credentialed scans are the only way to go. However, with a lack of <em><strong>objective<\/strong><\/em> survey data available, I can only draw on my own experiences. See &#8211; I&#8217;m one of those disgraceful contracting\/consultant types, been doing security for almost 20 years, and been intimate with a good number of large organisations, and with each year that passes I can say that more organisations are waking up to the limitations of unauthenticated scanning. 
But there are also still lots more who don&#8217;t clearly see the limitations of unauthenticated scanning.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">The original Nessus from the late 90s, now with <a href=\"http:\/\/www.tenable.com\/\">Tenable<\/a>, is a great product in terms of doing what it was intended to do. But false negatives were never a concern in the design of Nessus. <a href=\"http:\/\/www.openvas.org\/\">OpenVAS<\/a> is still open source and available, and it is also a great tool from the point of view of doing what it was intended to do. But if these tools are your sole source of vulnerability data, you are effectively running blind.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">By the way, <a href=\"http:\/\/www.tenable.com\/\">Tenable<\/a> do offer a product that covers credentialed scans for enterprises, but I have not had any hands-on experience with this tool. I do have hands-on experience with the other market leaders&#8217; products. By and large they all fall some way short, but that&#8217;s a subject for another day.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">Unauthenticated scanners all do the same thing:<\/span><\/p>\n<ul>\n<li class=\"p1\"><span class=\"s1\">port scan to find open ports<\/span><\/li>\n<li class=\"p1\"><span class=\"s1\">grab service banners &#8211; this is the equivalent of nmap -sV, and in fact, as most of these tools use nmap libraries, it is _exactly_ that<\/span><\/li>\n<li class=\"p1\"><span class=\"s1\">let&#8217;s say our tool finds Apache HTTP 14.x; it looks in its database of publicly disclosed vulnerabilities associated with that version of Apache, and spews out everything it finds. The tools generally do little in the way of actually probing with HTTP Methods, for example, and they certainly were not designed to try, for example, a buffer overflow exploit attempt. 
They report lots of &#8216;noise&#8217; in the way of false positives, but false negatives are the real concern.<\/span><\/li>\n<\/ul>\n<p class=\"p1\"><span class=\"s1\">So really the tools are doing a port scan, and then telling you you&#8217;re running old warez. Conficker is still very widespread and is the ultimate player in the &#8216;Pee&#8217; arena (the &#8216;Pee&#8217; in APT). An unauthenticated scanner doesn&#8217;t have enough visibility &#8216;under the hood&#8217; to tell you if you are going to be the next Conficker victim, or the next ransomware victim. Of the Linux vulnerabilities reported in the past few years &#8211; e.g. <a href=\"http:\/\/heartbleed.com\/\">Heartbleed<\/a>, <a href=\"http:\/\/www.seven-stones.biz\/blog\/ghost-buffer-overflow-in-glibc-library\/\">Ghost<\/a>, <a href=\"https:\/\/dirtycow.ninja\/\">DirtyCOW<\/a> &#8211; very few can be detected with an unauthenticated scanner, and none of these 3 examples can be detected with an unauthenticated scanner.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">Credentialed scanning really is the only way to go. Credential-based scanners are configured with root\/administrative access to targets and are therefore in a position to &#8216;see&#8217; everything.<\/span><\/p>\n<h2 class=\"p1\"><span class=\"s1\">The Connection With PaaS and SaaS<\/span><\/h2>\n<p class=\"p1\"><span class=\"s1\">So how does this all relate to Cloud? 
Well, there are two of the three cloud types where a lack of access to the operating system command shell becomes a problem &#8211; and from this description it&#8217;s fairly clear these are PaaS and SaaS.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">There are two common delusions that abound in this area:<\/span><\/p>\n<ul>\n<li class=\"p1\"><span class=\"s1\">[Cloud maker] handles platform configuration and therefore vulnerability for me, so that&#8217;s ok, no need to worry:<\/span>\n<ul>\n<li class=\"p1\"><span class=\"s1\">Cloud makers like AWS and Azure will deal with patches, but concerns in security are much wider and operating systems are big and complex. No patches exist for <a href=\"http:\/\/www.pctools.com\/security-news\/zero-day-vulnerability\/\">0days<\/a>, and in space, nobody can hear you scream.<\/span><\/li>\n<li class=\"p1\"><span class=\"s1\">Many vulnerabilities arise from OS configuration aspects that cannot be removed with a patch &#8211; e.g. Conficker was mentioned above: some Conficker versions (yes, it&#8217;s managed very professionally) use &#8216;at&#8217; job scheduling to remain present even after <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms08-067.aspx\">MS08-067<\/a> is patched. If for example you use Azure, Microsoft manage your PaaS and SaaS, but they don&#8217;t know if you want to use &#8216;at&#8217; or not. It&#8217;s safer for them to assume that you do want to use it, so they leave it enabled (when you sign up for PaaS or SaaS you are removed from the decision-making here). The same applies to many other local services and file system permissions that are very popular with the dark side.<\/span><\/li>\n<\/ul>\n<\/li>\n<li class=\"p1\"><span class=\"s1\">&#8216;Unauthenticated scanning gets me some of the way, it&#8217;s good enough&#8217; &#8211; how much of the way does it get you? Less than halfway? It&#8217;s more like 5% really. 
Remember, it&#8217;s little more than a port scan, and you shouldn&#8217;t need a scanner to tell you you&#8217;re running old software. Certainly for critical cloud VMs, this is a problem.<\/span><\/li>\n<\/ul>\n<p class=\"p1\"><span class=\"s1\">With PaaS and SaaS, you are handing over the management of large and complex operating systems to cloud providers, <strong><em>who are perfectly justified<\/em><\/strong>, and also in many cases <strong><em>perfectly wise<\/em><\/strong>, in leaving open large security holes in your platforms, and as part of your agreement with them, there&#8217;s not a thing you can do about it (other than switch to IaaS or on-premises).<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the world of Clouds and Vulnerability Management, based on observations, it seems like a critical issue has slipped under the radar: if you&#8217;re running with PaaS and SaaS VMs, you cannot deliver anything close to a respectable level of &hellip; <a href=\"https:\/\/www.seven-stones.biz\/blog\/clouds-and-vulnerability-management\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,50,122,1,119,11,16,120,121,117,118,22,49,31,9],"tags":[33,96,123,126,42,34,124,125,79,72],"class_list":["post-298","post","type-post","status-publish","format-standard","hentry","category-blog","category-cloud","category-conficker","category-general","category-iaas","category-information-risk-managment-strategy","category-infosec-strategy","category-nessus","category-openvas","category-paas","category-saas","category-security-software","category-virtual-machines","category-vulnerability-assessment","category-vulnerability-management","tag-autoscanning","tag-cloud","tag-conficker","tag-iaas","tag-information-security-management","tag-os-security-2","tag-paas","tag-saas","tag-vulnerability-assessment","tag-vulnerability-management"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Clouds and Vulnerability Management - Security Macromorphosis<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.seven-stones.biz\/blog\/clouds-and-vulnerability-management\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Clouds and Vulnerability Management - Security Macromorphosis\" \/>\n<meta property=\"og:description\" content=\"In the world of Clouds and Vulnerability Management, based on observations, it seems like a critical issue has slipped under the radar: if you&#8217;re running with PaaS and SaaS VMs, you cannot deliver anything close to a respectable level of &hellip; Continue reading &rarr;\" \/>\n<meta property=\"og:url\" 
content=\"https:\/\/www.seven-stones.biz\/blog\/clouds-and-vulnerability-management\/\" \/>\n<meta property=\"og:site_name\" content=\"Security Macromorphosis\" \/>\n<meta property=\"article:published_time\" content=\"2016-11-18T22:40:05+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2016-11-20T23:10:20+00:00\" \/>\n<meta name=\"author\" content=\"itibble@gmail.com\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@seven_stones\" \/>\n<meta name=\"twitter:site\" content=\"@seven_stones\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"itibble@gmail.com\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/clouds-and-vulnerability-management\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/clouds-and-vulnerability-management\\\/\"},\"author\":{\"name\":\"itibble@gmail.com\",\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/#\\\/schema\\\/person\\\/dd7adbe0152f2279b133661b823e0c28\"},\"headline\":\"Clouds and Vulnerability Management\",\"datePublished\":\"2016-11-18T22:40:05+00:00\",\"dateModified\":\"2016-11-20T23:10:20+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/clouds-and-vulnerability-management\\\/\"},\"wordCount\":983,\"commentCount\":0,\"keywords\":[\"autoscanning\",\"Cloud\",\"Conficker\",\"IaaS\",\"Information Security Management\",\"OS security\",\"PaaS\",\"SaaS\",\"Vulnerability Assessment\",\"Vulnerability Management\"],\"articleSection\":[\"Blog\",\"Cloud\",\"Conficker\",\"General\",\"IaaS\",\"Information Risk Managment Strategy\",\"Infosec 
Strategy\",\"Nessus\",\"OpenVAS\",\"PaaS\",\"SaaS\",\"Security Software\",\"Virtual Machines\",\"Vulnerability Assessment\",\"Vulnerability Management\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/clouds-and-vulnerability-management\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/clouds-and-vulnerability-management\\\/\",\"url\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/clouds-and-vulnerability-management\\\/\",\"name\":\"Clouds and Vulnerability Management - Security Macromorphosis\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/#website\"},\"datePublished\":\"2016-11-18T22:40:05+00:00\",\"dateModified\":\"2016-11-20T23:10:20+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/#\\\/schema\\\/person\\\/dd7adbe0152f2279b133661b823e0c28\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/clouds-and-vulnerability-management\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/clouds-and-vulnerability-management\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/clouds-and-vulnerability-management\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Clouds and Vulnerability Management\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/\",\"name\":\"Security Macromorphosis\",\"description\":\"Ian Tibble&#039;s Security 
Blog\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/#\\\/schema\\\/person\\\/dd7adbe0152f2279b133661b823e0c28\",\"name\":\"itibble@gmail.com\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4efc9caa4c914912bcf9dd199b33f34a0d42e56752f4f713cd8d0c5416733603?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4efc9caa4c914912bcf9dd199b33f34a0d42e56752f4f713cd8d0c5416733603?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4efc9caa4c914912bcf9dd199b33f34a0d42e56752f4f713cd8d0c5416733603?s=96&d=mm&r=g\",\"caption\":\"itibble@gmail.com\"},\"description\":\"Author of Security De-engineering, CTO at Seven Stones (Indonesia)\",\"sameAs\":[\"http:\\\/\\\/www.seven-stones.biz\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Clouds and Vulnerability Management - Security Macromorphosis","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.seven-stones.biz\/blog\/clouds-and-vulnerability-management\/","og_locale":"en_US","og_type":"article","og_title":"Clouds and Vulnerability Management - Security Macromorphosis","og_description":"In the world of Clouds and Vulnerability Management, based on observations, it seems like a critical issue has slipped under the radar: if you&#8217;re running with PaaS and SaaS VMs, you cannot deliver anything close to a respectable level of &hellip; Continue reading &rarr;","og_url":"https:\/\/www.seven-stones.biz\/blog\/clouds-and-vulnerability-management\/","og_site_name":"Security Macromorphosis","article_published_time":"2016-11-18T22:40:05+00:00","article_modified_time":"2016-11-20T23:10:20+00:00","author":"itibble@gmail.com","twitter_card":"summary_large_image","twitter_creator":"@seven_stones","twitter_site":"@seven_stones","twitter_misc":{"Written by":"itibble@gmail.com","Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.seven-stones.biz\/blog\/clouds-and-vulnerability-management\/#article","isPartOf":{"@id":"https:\/\/www.seven-stones.biz\/blog\/clouds-and-vulnerability-management\/"},"author":{"name":"itibble@gmail.com","@id":"https:\/\/www.seven-stones.biz\/blog\/#\/schema\/person\/dd7adbe0152f2279b133661b823e0c28"},"headline":"Clouds and Vulnerability Management","datePublished":"2016-11-18T22:40:05+00:00","dateModified":"2016-11-20T23:10:20+00:00","mainEntityOfPage":{"@id":"https:\/\/www.seven-stones.biz\/blog\/clouds-and-vulnerability-management\/"},"wordCount":983,"commentCount":0,"keywords":["autoscanning","Cloud","Conficker","IaaS","Information Security Management","OS security","PaaS","SaaS","Vulnerability Assessment","Vulnerability Management"],"articleSection":["Blog","Cloud","Conficker","General","IaaS","Information Risk Managment Strategy","Infosec Strategy","Nessus","OpenVAS","PaaS","SaaS","Security Software","Virtual Machines","Vulnerability Assessment","Vulnerability Management"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.seven-stones.biz\/blog\/clouds-and-vulnerability-management\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.seven-stones.biz\/blog\/clouds-and-vulnerability-management\/","url":"https:\/\/www.seven-stones.biz\/blog\/clouds-and-vulnerability-management\/","name":"Clouds and Vulnerability Management - Security 
Macromorphosis","isPartOf":{"@id":"https:\/\/www.seven-stones.biz\/blog\/#website"},"datePublished":"2016-11-18T22:40:05+00:00","dateModified":"2016-11-20T23:10:20+00:00","author":{"@id":"https:\/\/www.seven-stones.biz\/blog\/#\/schema\/person\/dd7adbe0152f2279b133661b823e0c28"},"breadcrumb":{"@id":"https:\/\/www.seven-stones.biz\/blog\/clouds-and-vulnerability-management\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.seven-stones.biz\/blog\/clouds-and-vulnerability-management\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.seven-stones.biz\/blog\/clouds-and-vulnerability-management\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.seven-stones.biz\/blog\/"},{"@type":"ListItem","position":2,"name":"Clouds and Vulnerability Management"}]},{"@type":"WebSite","@id":"https:\/\/www.seven-stones.biz\/blog\/#website","url":"https:\/\/www.seven-stones.biz\/blog\/","name":"Security Macromorphosis","description":"Ian Tibble&#039;s Security Blog","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.seven-stones.biz\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.seven-stones.biz\/blog\/#\/schema\/person\/dd7adbe0152f2279b133661b823e0c28","name":"itibble@gmail.com","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/4efc9caa4c914912bcf9dd199b33f34a0d42e56752f4f713cd8d0c5416733603?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/4efc9caa4c914912bcf9dd199b33f34a0d42e56752f4f713cd8d0c5416733603?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4efc9caa4c914912bcf9dd199b33f34a0d42e56752f4f713cd8d0c5416733603?s=96&d=mm&r=g","caption":"itibble@gmail.com"},"description":"Author of Security 
De-engineering, CTO at Seven Stones (Indonesia)","sameAs":["http:\/\/www.seven-stones.biz"]}]}},"_links":{"self":[{"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/posts\/298","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/comments?post=298"}],"version-history":[{"count":3,"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/posts\/298\/revisions"}],"predecessor-version":[{"id":301,"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/posts\/298\/revisions\/301"}],"wp:attachment":[{"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/media?parent=298"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/categories?post=298"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/tags?post=298"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}