Good afternoon. My real name is not whatever that says. We'll go with Chef for today. Thank you for coming. It's awesome to be here. Thanks also. So everyone that's affiliated with DEF CON, this is phenomenal. Thank you for the hard work you do. The goons, you guys are doing a great job. This is fantastic. If not overwhelming. And so after you get the letter that says, hey, you've been accepted and the excitement wears off, you think, oh my god, I've been accepted. I hope someone will show up and watch this thing. So thank you for you guys for coming and standing in the line and coming into the room. Uh oh. I'm going to keep going. So what I'm here to talk about today is the beyond the scan, the value proposition of vulnerability assessment. Great title, right? It's not a tools talk though. So first of all, I polled the room. How many folks are involved in vulnerability assessment or vulnerability management of some type? Great. You're the people I want to talk to. So we already know how to do the scan. I'm sorry. It's not a tools talk. Your talk's been canceled. All right. Well, see ya. Do I still get- We have a little tradition here at DEF CON. When you're a first time speaker, you must do a shot on stage. Excellent. Wait a second. I got those mixed up. That one's yours. All right. I do this all day. I know. DEF CON, our brand new speaker. DEF CON 23. Thank you very much. Good luck. Thank you. Water chaser. So a lot of us already do vulnerability assessment. We're involved in scanning types of activities. So we kind of know how that works. We're doing that already in our organizations. But I think there's a lot of the aspects of performing scanning that are not well understood. Maybe not by us, but perhaps by our organizations. 
And I think when I started working on this presentation, I was a client and several clients that I've worked with over the years that knew that they needed to do this, but they weren't necessarily all together clear on what we would do with that information once we got it. And so in working with clients and going through that narrative on what we're doing while we're performing the scans, I realized that there's an opportunity maybe to help us as performing this activity do really make more meaningful changes with our organizations. And you'll hear me say this a couple of times, kind of where the layer 8 happens, you know, as we get further away from the technical activity and we're actually trying to impact the business and make meaningful change. I'm going to talk a lot about too, as us, the human beings that are doing the scans and also trying to communicate with the business that we support. So that's what we're talking about. This is me, managing consultant at IOActive from Louisiana, like we say in Texas. I'm not from Texas, but I got there as fast as I could. Since 1995, and I started focusing on InfoSec in 2001. So I love, like all of you, I love this industry. I like the dynamic nature of the world we live in. I love being a part of the dialogue, so there's some contact information; you can find it on the CD as well. So I love talking about this. So stay in touch. All right. So it's, we're not talking about clicking scan. So how many of us, you do vulnerability assessment, you say, okay, I'm one of your tools, guys, I do vulnerability assessment. And a lot of people might think, okay, you set up the scan or you click scan. And that's it. That's all you do, right? Would you agree that it's a little more complex than that? I mean, hopefully it is. So it's regarded as one of the least sexy things in InfoSec, right? Our industry is really exciting right now and has been for a while and there's a lot of interesting things going on. 
And so vulnerability assessment tends to get lost over, I think. But it's my view that it's a key component of our information security program and one that's often overlooked. And if you overlook it and you don't give it the attention it deserves, you're doing a disservice to your organization. So as I talk through this and talk about some of the success stories I have had, hopefully this will be useful to you when you go back to, you know, your organization that you're supporting. So yeah, we're going to talk about how we can go beyond the scan and provide tangible value, not only to the security team but the entire business that we're supporting. Because at the end of the day, that's the point, right? Information assurance of whatever business we're doing this for. So whether you're a red team or blue team, we're doing kind of the heavy lifting blue collar security work, I think, is what we're talking about. So this next slide, we talk with clients I've worked with, we talk a lot about the human scanner, sorry, the human tester and the tools based scanning. And the scan data by itself is very, very useful, right? I mean, it tells you a lot about your environment and what you're doing. And the human testing is absolutely critical. Without the human testers, you're just gathering data and making a bunch of noise. But I really feel strongly that when you apply the human testers, it's all of us, to the data that we gather, that's when actionable information happens. And I think that's the sweet spot: when you apply the human to the scan data we gather, magical things start to happen. So I point that out just to reiterate the point that this isn't a tools based talk. I'm advocating for using tools in a smart way, but more importantly, you've got to have people who know what they're doing when they use these tools. Does that make sense? 
I mean, have you ever, you know, I'm sure you've experienced this too, but you've had cases where you say, oh, we need to do a scan, so we'll give it to some new guy that works in desktop and we'll give him the scanner and let him go run off and scan the network. I don't generally respond positively to that. Please don't do that. You need to have the talented humans that are doing it. So in addition to talking about, you know, having the talented human and applying that to the data, a question that comes up a lot and perhaps you've heard this question as well, what should we scan? And it's an important question because our organization might be very small or very large. I advocate for what I like to call longitudinal scans, scan everything. Because clicking scan is easy but, you know, making sense of the data is the hard part and to realize some of the benefits I'm going to get to later on in this deck when I talk about the case studies, you have to do, again, longitudinal studies over time of a large number of hosts. Preferably if it has an IP stack, you should scan it. Now there may be different times where you're targeting scans and you're scanning very specific things that you're interested in. But at some point to really understand your network environment, you need to see everything that's on there, not just the known quantities that you have. And there's some interesting stories coming up talking about that. So have your talented humans that are looking at the data and also scan all of the things. Another point I want to make, this, obviously we can't avoid talking about the tools because that's what we're using to gather this data. But I am going to try and be as vendor agnostic as possible. There's some names up here of some tools and they're all very, very good in their own way. 
When you, you know, your current engagement or future engagements, you may have a situation where you need to pick a new tool, and that's very specific to the organization and what your goals are when you're doing it. There is one tool that I'm using currently that's doing very fine. But all of them will work and you have to just, you know, make sure you're working with your organizations internally to decide which is the right one for you. So all that having been said, before we start talking about scanning, I'm going to make you sit through a history lesson. So when did all this start? When I was preparing the slide deck, I vaguely remembered when some of this started happening, but I did a little bit of research. The Security Administrator Tool for Analyzing Networks, or SATAN, was released in 1995. Now obviously they're very talented folks that created it, but they weren't interested in marketing, obviously, with a name like SATAN. I don't know that worked very well. And if anybody, was anybody around in the industry in '95 other than me, anybody here? Thank goodness, my people. So that was a big deal when that happened. It absolutely polarized the industry. I remember reading in some of the trade rags and mailing lists that about half the folks thought this is the worst idea ever. Why in the world would you create a tool to make it easy to find vulnerabilities? The other half of the people thought, thank goodness, now I as a systems administrator have a way to find these vulnerabilities easily. And it was a very difficult conversation. A lot of people got very passionate about it, and it was the same type of discussion that we had years ago where firewalls were nothing more than, you know, an expensive way to slow down your network and router ACLs will work just fine. We know that's not true, right? We should. So PC Mag in 1996 published an article, and just to give you a little context on what the state of the art was back then. 
It was at 166 megahertz processors, 2 gig hard drives. It was a long time ago, right? Things were a lot different back then. So PC Mag wrote this article, and as you can see the DOJ became very, very concerned about this tool and actually threatened to press charges against one of the authors of the tool. And I think they dropped the charges only after he lost his job. So to show you, for now today and, you know, 2015 when we do scans all the time, there's people out there that are literally scanning the Internet, 20 years ago this would get you landed in jail. You know, that's just two decades. It's amazing to think that it was such a dramatic new thing that we were doing back then. One of the other tools that came out after SATAN, Internet Scanner, which later became ISS, could scan more than 100 known vulnerabilities. Think about that for a minute. I've got 100 known vulnerabilities on the computer in my pocket right now, probably, that many of you are trying to find, by the way. The scanner I'm using now, last time I checked it, it was scanning for something like 160,000 different specific vulnerabilities across multiple platforms. So in 20 years we've gone from 100 known things that were primarily on Linux to now, you know, almost a couple hundred thousand on many, many different platforms. So you can learn more about these folks that were involved in creating SATAN. They went on to have successful careers, and interestingly a couple of folks got together and forked SATAN into the Security Administrator's Integrated Network Tool. They wisely chose SAINT. So now this story is somewhat like a Dan Brown novel. SATAN and SAINT, yeah, thank you. I wrote that joke myself. And it became a commercial product in 1998. So SATAN came out in '95, all hell broke loose, '98 now all of a sudden we've got commercial products, and obviously you remember from my earlier slide there's lots of commercial products that exist. 
So from those humble beginnings we've got now an entirely new capability that we didn't have before in InfoSec. It was very difficult to figure out what is wrong with our systems. So it progressed from simple scanning, 100 known vulnerabilities, to now we're doing vulnerability assessment. We're looking across multiple platforms across a large number of hosts, and that leads into vulnerability management. And I'm going to pause on this just for a moment to make the point that it's not just performing the scan. I distinguish vulnerability assessment from vulnerability management because vulnerability management includes the things like, okay, now that we have this information and we know this, what are we going to do about it? And that's the whole risk management thing. You mitigate it, you accept it or you transfer it, right? You got to do something now that we know this, and then now that we've decided what to do about it, how are we going to document it in an auditable way? So we did this thing, how do we know that we did this thing and that it's actually working, and then now that we've documented it, how do we know that this decision that we made today continues to be the correct decision moving on in the future? Maybe there's a vulnerability that I know about but I don't care because the threat landscape seems to be very, very tiny, but that can change. All of a sudden a new zero day comes out targeting whatever that vulnerability was, now I care all of a sudden. So vulnerability management includes all of those things, from now that I know about it, what am I going to do, now that I've done it, how do I document it and make sure that that continues to be the right decision? So already what I'm telling you is once the scan is complete there is a lot of work that goes on organizationally for us to make sure that we're actually protecting our information assets. 
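The vulnerability management loop just described (decide what to do, document it, and keep checking that the decision still holds as scans and the threat landscape change), as an added example that is not code from the talk or from any scanning product. It tracks findings across successive scan snapshots, keeps a register of mitigate/accept/transfer decisions with a review date, and flags the decisions that need revisiting; every scan row, decision, date and CVE label is constructed sample data.

```python
"""Vulnerability-management tracker over longitudinal scan snapshots.

Added example, not code from the talk or from any scanning product. Every scan
row, decision, date and CVE label below is constructed sample data.
"""
from datetime import date

# Constructed scan snapshots: (scan_date, host, finding_id, cve_label).
# A finding absent from the newest scan is treated as closed.
SCANS = [
    (date(2015, 5, 1), "10.0.0.5", "apache-outdated", "CVE-SAMPLE-1"),
    (date(2015, 5, 1), "10.0.0.5", "ssl-heartbleed", "CVE-SAMPLE-2"),
    (date(2015, 5, 1), "10.0.0.9", "java-obsolete", "CVE-SAMPLE-3"),
    (date(2015, 6, 1), "10.0.0.5", "apache-outdated", "CVE-SAMPLE-1"),
    (date(2015, 6, 1), "10.0.0.9", "java-obsolete", "CVE-SAMPLE-3"),
    (date(2015, 7, 1), "10.0.0.5", "apache-outdated", "CVE-SAMPLE-1"),
    (date(2015, 7, 1), "10.0.0.9", "java-obsolete", "CVE-SAMPLE-3"),
    (date(2015, 7, 1), "10.0.0.12", "smb-exposed", "CVE-SAMPLE-4"),
]

# Constructed decision register: (disposition, review-by date) per finding.
# disposition is one of "mitigate", "accept", "transfer".
DECISIONS = {
    ("10.0.0.5", "apache-outdated"): ("mitigate", date(2015, 6, 15)),  # promised fix date
    ("10.0.0.9", "java-obsolete"): ("accept", date(2016, 1, 1)),       # "vendor requires it"
}

# Constructed: CVE labels that became actively exploited after the decisions were made.
NEWLY_EXPLOITED = {"CVE-SAMPLE-3"}

TODAY = date(2015, 7, 15)  # constructed "now" for the report


def finding_history(scans):
    """One record per (host, finding): (first_seen, last_seen, cve_label)."""
    hist = {}
    for scan_date, host, fid, cve in sorted(scans):
        first = hist.get((host, fid), (scan_date,))[0]
        hist[(host, fid)] = (first, scan_date, cve)
    return hist


def open_findings(scans):
    """Findings present in the most recent snapshot, keyed by (host, finding)."""
    latest = max(row[0] for row in scans)
    return {(host, fid): cve for d, host, fid, cve in scans if d == latest}


def finding_age_days(scans):
    """How long each still-open finding has been observed, in days."""
    hist = finding_history(scans)
    return {key: (hist[key][1] - hist[key][0]).days for key in open_findings(scans)}


def carry_over_ratio(scans):
    """Share of findings open in the earliest snapshot that are still open in the
    newest one. A ratio stuck near 1.0 across months is the 'not getting fixed'
    signal that points at a resourcing or process problem rather than a technical one."""
    earliest = min(row[0] for row in scans)
    first = {(host, fid) for d, host, fid, _ in scans if d == earliest}
    still_open = first & set(open_findings(scans))
    return len(still_open) / len(first) if first else 0.0


def review_queue(scans, decisions, exploited, today):
    """Open findings whose documented decision is missing, overdue, or overtaken
    by events (an accepted risk whose CVE is now being exploited)."""
    queue = []
    for key, cve in sorted(open_findings(scans).items()):
        if key not in decisions:
            queue.append((key, "no documented decision"))
            continue
        disposition, review_by = decisions[key]
        if disposition == "accept" and cve in exploited:
            queue.append((key, "accepted risk now actively exploited"))
        elif disposition == "mitigate" and today > review_by:
            queue.append((key, "mitigation overdue"))
        elif today > review_by:
            queue.append((key, "review date passed"))
    return queue


if __name__ == "__main__":
    ages = finding_age_days(SCANS)
    print(f"carry-over ratio: {carry_over_ratio(SCANS):.2f}")
    for (host, fid), reason in review_queue(SCANS, DECISIONS, NEWLY_EXPLOITED, TODAY):
        print(f"{host:<10} {fid:<16} open {ages[(host, fid)]:>3} days -> {reason}")
```

Running it shows the Heartbleed-style finding dropping out once it disappears from the newest snapshot, while the accepted Java risk is pulled back into review the moment its CVE label lands on the exploited list.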
So I went through all that just to say, and this is either you already know this because you're doing it now, and so hopefully it's reinforcing this for you so when you go back to work it will help out, or if you're relatively new to this type of activity, hopefully you're starting to see that, oh man, after the scan is over you're not done at all. So a couple of decades, excuse me, that was loud. A couple of decades ago scanners came out, and yet I still feel like in our industry, particularly where we start touching the business, they're still understood. I love that cartoon. Did no one else like it? No laughs? Thank you. They're still misunderstood. So in working with clients, several clients over the last several years, I eventually started, one question that always comes up is, okay, I've got human testing that's going on, so people are doing things and trying to break into things, and I'm doing tools based scanning, so if I get this new scanner, what can I get rid of? And that was a terrifying conversation that I started to have, so I actually started talking about the scanning activity relative to the OSI model, and what this is going to show is what certain tools that we might use, how they work relative to other tools. So are we all familiar with the OSI model? Love it, hate it. There's lots of models to choose from; this just happened to be the one that worked the best. So down at the bottom we've got physical, we're talking about electrons and photons going through fiber. If we're interested in things like TCP, UDP, IP ports, maybe we use something like nmap to gather that information. If we're interested in thick client applications that are talking to a server somewhere, now we're higher up in the model in the host layers; it's giving us visibility into there. 
User facing web applications, maybe we use WebInspect, Burp, and it's again, oops, I forgot to, there you go, up in the high in the host layers, and again down on the network if we're wanting to sniff traffic, and it goes on. So you can see already, when I drop the scanner in there it's giving us a little bit wider view than some of those other tools are. So if the question ever comes up, okay, we bought this great expensive scanner, what can we get rid of? The answer is nothing, because this isn't replacing something; this is giving us additional information that's useful, and it kind of serves as an adjunct to the other information we're gathering. And of course the only thing which is capable of scanning the entire stack is the humans, us. They're actually doing the work, and whether it's manually penetration testing on an application or manually trying to break in, or if it's just looking at the results of a tools based scan that we gathered, the people are the most important thing. And I've gotten a lot of really good feedback, and I would be interested to hear from you folks if this particular OSI slide is useful, because when, again, going to layer 8, leaving the technical and starting to talk to the business, this really helps them see that we've got a lot of information we're dealing with when we talk about securing applications or systems, and there's lots of different ways we have to gather that information. So just to kind of illustrate that in a different way, so you can see our tools are very, very useful for those longitudinal scans that I talked about, doing scans over time of a large number of hosts and comparing results, so we can see, okay, what was our security posture today, and as that changes it moves on, and statistical reporting. But the people, don't ever let anyone tell you, if you decide to start using tools, which is a great idea, it's not going to replace other tools. It's also not going to replace your people. You still have to have people who know what 
that data is and what they're looking at. And you can read through the list of things that are on there; it's just a very, you know, short list of the things that we're good at that the tools are not. So they're critical but limited without the skilled security professionals. All right, this is an interesting example of that. I told the story earlier and it worked out. So we did an assessment for a client and we came back with a lot of HTTP based vulnerabilities, a lot of Apache things, and we went to the ops team and said, hey, can you update Apache please, this, it seems to be broke. And they came back and said, well, those aren't web servers, so obviously those are false positives. And we said, okay, well, yes, that server's job is not to be a web server, but I can see the banner right here; I assure you that there's a web daemon somewhere running on that thing. And as it turns out it was a web based management tool from the OEM that was sitting there helping gather data. And so even though it wasn't a web server, in that that's not what its primary job was, there still was in fact a web daemon running on that server. And it wasn't until, and apparently that had been reported previously, but it had gone unfixed because there wasn't that human analyst that was able to say, well, no, it's not a false positive, and here is why. That was a fun conversation to have. So one other thing, I'm not going to spend too much time on this one, but when you start having those conversations, when you're sharing results with operations or with business units or other people, I found a really interesting thing: that when you use words, the same word might mean something completely different depending on who you're talking to. So use interface as an example. If I say interface three times it's going to mean three different things depending on who I'm talking to, right? If you all ever had this experience as well, you know, if you're talking to, you know, if you say interface there might be, talk, you know, think REST API, right, it's an API 
that's allowing things. You talk to, you know, routing and switching guys, and they're talking about, you know, a network interface card that attaches a computer to a network. So it's important to be cognizant of who you're talking to when you're delivering these results or you're working on remediation efforts, because language, you know, can be a confusing thing, so you have to know what you're talking about. You need to know your environment as well. On a client engagement we're trying to decide how to scan a very large network that had a global presence, so we had distributed scan engines that existed in various key locations around the world, and there's a location in southeast Texas, there was one in Brazil, one in Argentina. So intuitively it seemed like, well, to scan South America we should send a scan engine down to South America, right? When we met with the networking folks, what we realized is that both Brazil and Argentina backhauled through Houston, so if I wanted to scan Argentina from Brazil it went by way of Houston first. So architecturally the smart decision to do was to scan South America from North America. So it's not enough just to say, okay, we'll put a scanner out there somewhere and click scan and go nuts. If you have a sufficiently large and complex environment you really need to know how those packets are getting to where they're headed to, so understand the architecture of your network, logically and physically. So now we know what language to use, now we know our environment, now we need to know our organization. Okay, don't panic, I'm not going to walk you through this whole slide. I know there's a lot of boxes and a lot of things going on, but what it illustrates is, working with a particular client, there's lots of ways a scanner can allow us to slice and dice data, right? Now we've all done this; we can do different types of reports, we can look at specific vulnerabilities and hosts and group them in many different ways. But to get to that actionable and meaningful data 
that we're giving to the organization, we have to make very conscious decisions on how we're going to organize the data and how it relates to the support organizations that ultimately are going to fix the problems we identify. Get a little feedback. If you happen to be the same person that's identifying the problems and then also fixing them, then that might be a slightly different story, but in a lot of ways you're reporting out information and you're working on helping validate findings and remediation efforts. But just the point of this is, you spend a lot of time understanding how the data is going to relate to the different parts of the organization that you're going to talk to, and I really think that's a critical, critical thing. All right, so now I'm going to get into the case studies, the very specific stories I have where we did some things beyond the scan that were a little unexpected, if not intuitive. So the list here, some of it's very obvious: identifies potential vulnerabilities. Well, yes, of course, that's why we're doing this in the first place, right? But there's a lot of other things that a good scanner will do for us. Numbers three and four are not really specifically named capabilities, but if you're doing it right, asset management and software management, almost by accident, so you need to capitalize on that in your organization, and don't focus solely on, well, I'm telling you what's wrong with your box, but all these other things as well. So let's get right into the case study part of it: identifies potential vulnerabilities. So what we're trying to figure out here, and if you're already doing this this might be a little obvious, but I think it's important to reiterate it, so bear with me: what are the targets, what patches are missing from those targets, but also is our environment configured properly? So it's not just about the specific host but the entire enterprise as a whole. So for example, we did a perimeter scan of an organization and found that CIFS was exposed to 
the open Internet, and we panicked. These were NetBIOS ports on Windows boxes, many of which were Windows XP. This was 2013. And what happened is we asked the question why? Why is that set up that way? That is the worst thing you could ever do, is to put those Windows boxes on the Internet in that way. And the answer we got back is that it was necessary for support. And by the way, it's never a good idea to put a Windows box exposed with NetBIOS ports on the open Internet; you're asking for trouble. But the support organization at this company didn't, they believed that that was the best way to do what they were trying to do, and so they opened up those ports. And of course there's VPNs, there's remote access, there's a million billion better ways to do this thing, but because we asked the question why, rather than just saying, hey, close those ports and have a nice day, we realized that there was a gap in the understanding of how those boxes should even be supported in the first place. There was also a related issue where those boxes needed access to a legacy application that required IP based authentication, so they needed to have unique IP addresses, and that's how this remote application would let them in. So not only were those ports exposed, but they had static NAT set up so that each of these machines had a routable IP address. And so when they set up the NAT, which by itself isn't necessarily a huge deal, but for some reason they put an inbound firewall rule that was pretty much any-any, except so everything was coming inbound to these boxes. So what was interesting about that is we identified not only some technical problems but also a business problem that was broken, because they never should have allowed that firewall rule to be put in place as it was, right? So it's not, again, just about finding a vulnerability, but we found these processes that weren't working the way they should. I got ahead of myself, my apologies. So yeah, there were multiple misunderstandings that resulted in poor 
decisions. The poor decisions were left unchecked for a very, very long time. Then you get into, oh well, Bob set that up ten years ago and he's retired, and we can call him to ask him why, and we're afraid to change it because something might stop working, so we're going to leave it alone. So we resulted, we found not only those vulnerabilities, but there was poor documentation; we couldn't figure out why this thing was set up the way it was. Again, the broken processes that allowed the firewall rule to get put in place in the first place, and a lack of understanding of what the specific requirements were. At this same organization we found that there is an obsolete version of Java that resulted in hundreds of findings. So if you do scanning, obsolete Java shouldn't be a surprise, and having it result in hundreds of specific vulnerabilities shouldn't be a surprise either. But when we went back and, again, same question, why is this set up the way it is, the team came back and said, well, business critical application that requires that version of Java. Seemed like a sketchy answer; we didn't like it. So we actually called the vendor, which apparently no one had ever done before, and we said, hey, do you really require this specific version of Java? And they said, no, we require at least that version of Java. But apparently that wasn't, it's a very subtle detail that was left out at this client site. You can no longer hide behind the idea that, well, we have to use this version because the vendor said to. If I were a cynical person, and for those of you that know me, I kind of am, really I think they were just using that as an excuse to not do the work of upgrading Java in a large enterprise. So you can help them understand the importance of what they're doing. So very similar results: there was poor documentation, failures of the oral tradition, where, well, you know, I heard somebody say that that's the one that was required, so it must be true. All of these things were benefits that the organization got long after 
the scan was over, and it happened when we started working with the business units and the support organizations to figure these things out. So it'll provide, a scanning tool will provide remediation information, things that might be obvious to a lot of us in here, but I've worked with a lot of clients who are surprised to find out that not only will it tell me what's wrong with the systems I'm scanning, but a good commercial product will also tell us how we can fix it. And I think this client that I'm thinking of perhaps had only ever seen the results of a scan in a spreadsheet that says IP address, host name, what's wrong with it, and when we provided a more detailed report that included the remediation information, it became hugely more valuable to this organization, because now they knew not only what was wrong but also what they needed to do to fix it. So make sure you capitalize. How many times did that happen to you? There's this weird problem, operations, please go fix this thing, and it's impossible for any of us to know everything, so they might not know. So make sure you take advantage of the information that's already in the tool that you're using. Another cartoon. So asset management: is anybody involved in asset management as well for your organizations here? So you know what I'm talking about here with herding cats; that's very difficult. I have a pretty good idea of what everything is on my home network, but in a big organization, if anyone tells you that, oh yeah, we know exactly what is on our wire everywhere across the organization... Here's where you have to make a decision, and I talked about it in my opening remarks: are you going to scan a specific list of hosts that you're interested in, or are you going to scan all the things and try and figure out what's out there? Now, those are two different activities that are solving two different problems, but I think we should do them both. A client I worked with scanned all of the CIDR blocks that they knew about, and we actually had a 
little bit of time left over in the engagement at the end. We decided, okay, let's scan the stuff that you think doesn't exist; let's scan it anyway. And lo and behold, we found active networks that were completely undocumented. Obviously the switches didn't turn themselves on, right, and hosts didn't come online on their own. Somebody had set up those networks, but it wasn't documented; they were forgotten about somehow. But by doing that activity we can find parts of our networks that we maybe... what was there. So in addition to scanning known hosts, also it's a good idea to scan the CIDR blocks, the big ranges of IP addresses that exist on your network, to try and figure out what's there. One client that I'm working with, when you do that and you scan these huge blocks, you end up creating a very nice inventory of what exists on your network, and if you have people that do configuration management in addition to asset management, it became very useful to share that information with them, because now there's a check and balance to validate the data that they have. So it's not even at that point a security related issue at all, as much as it is asset management, but still hugely important. You know, if you don't know what is on your network, how can you possibly secure it, right? An interesting thing happened at a previous client where we found a large number of IP cameras. So these cameras weren't on anybody's list; it was a little embedded system, it wasn't even a computer as such that anyone cared about, but they were all over this place, and many of them were configured incorrectly with default credentials. I mean, how many times have we seen default credentials be a problem? But even though IT didn't care, because they were a different organization, it was a huge win for the client, because they fixed a very big problem, that could have been a very big problem. The same client, again it wasn't a security related issue, but we found some Nintendo machines on the network. Now, it was a children's 
hospital, so it was okay. I mean, they were supposed to be there so the kids could play the games, but it illustrated the point that if IT didn't know they were there, now you have to ask the question, wait a minute, I've got gaming consoles that are on the same network as some of my production equipment. Is that really the best place to put that? So that starts driving the conversations of how is our network configured, are we doing this in an appropriate way and the best way we can. Last example for asset management was a drilling company I worked with. They had a lot of rigs in the Gulf of Mexico, and the way they couched it for us was, the platform has exactly four hosts on it and that's all you're going to find. Okay, cool. So we do the scan, go over the VSAT connection, and we scan, and most of the platforms did in fact have exactly four hosts and it was fine. But there was a couple that had way more than that, and we went back to the client, said, look, there's a dozen hot IP addresses coming off of this rig, and you obviously don't know what they are, because you told me they were supposed to be four. So they got really interested in that: what were those machines that were out there? It was obviously folks flying out to the location and bringing unauthorized devices. So asset management, I can't emphasize enough that in addition to finding what's wrong with the things that's on our network, finding out what is on our network in the first place is a huge idea. And I got permission from a gentleman I work with, and if you don't believe me, he said this on Twitter, so it must be true: running an infosec program is 90% asset management; if you're not doing it, you're screwed no matter what else you're doing. And I think that's very, very true, and I think it speaks to the importance of this activity and why we should spend a lot of time making sure we're hitting every corner of our network we get to. So similarly with software management: do you know what software is running on every single machine in 
your enterprise that you're scanning we might have a pretty good idea but a good scanner that's doing credentialed scans and by the way that's a whole other part of the discussion you know do we scan with or without credentials obviously you're going to get a lot more information if you provide credentials and if you do the good scanning tool will allow us to enumerate everything that's installed on a box and by the way once we've done those scans we can always go back and run reports and try and figure out if there's anything interesting there that we should that you would know about maybe you've standardized on internet explorer for your browser sorry if you did and maybe you don't want firefox for some reason or what about a bit torrent clients or if you found those on your network you'd be very interested in knowing about that and don't forget that having a list of that software that's running is hugely hugely important so compliance on some level we're scanning things and we're flinging packets information comes back and we make decisions about what the configuration is and we can learn more about activities we need to take to make them more secure but make sure your scanner is an issue for you is compliance an issue for anyone by the way if it's a standard like PCI or if it's a regulation like HIPAA, Sarbanes Oxley GLBA your scanner should be able to tell you what your security posture looks like relative to something else and that can be important if you do work with audit folks or again with compliance folks make sure you're taking advantage of the fact that you can gather that information and help you understand what your compliance status is that's all I'm going to say about that so strategically the information we're gathering should be very important to our organizations as well and I'm talking about ongoing operational intelligence so again I'll use the word again because I like it I'm talking about these longitudinal scans that we do over time we're 
scanning large numbers of hosts so it's not a scan at a point in time we're looking at the trends that are developing as we continue to do these scans and that can become very strategic and important in an unexpected way and that is if you look and you see that you're continuing to find vulnerabilities but they're not getting fixed maybe you have a resourcing problem and I've actually seen where managers were able to say wait a minute we're not fixing things quickly enough or efficiently enough so that can be data that you can use to help find out if you have staffing problems or even process problems with your organization so strategically it can be very, very important tactically it can be very, very important as well so if we're doing these scans often and over time if something happens like heart bleed happens well I don't necessarily have to scan perform a new scan right now if heart bleed is going to be an issue for me I've already scanned these systems so I should know what versions of SSL exist and whether or not I care about these things what platforms they're running on and those sorts of questions or if something happens and now all of a sudden bash is vulnerable we don't need to perform a new scan straight away we should already know if this is in our environment and if we need to do something so not only is it strategically very, very important but tactically it can be very, very important as well so does anybody work in either healthcare or work on environments that have industrial control systems more hands alright so this is this conversation is going on a lot in our industry now and it's going to continue because these systems in particular are not the same as the other computers that are on our networks biomedical devices and control systems SCADA things that help run plants and refineries and what not they're highly, highly specialized and they're purpose built and they're used to getting a very, very specific type of traffic so when you start 
throwing unexpected traffic at them as you're trying to scan it it's on there weird things can happen and that's both true for biomedical and ICS so if you work in a healthcare organization and there's biomed you need to be careful so my first bullet point there FDA 510K that's kind of a hot button for me because although the FDA is getting a little stronger in forcing equipment manufacturers to do it in a more secure way a lot of times you'll find that your manufacturer will hide behind the FDA regulation and by the way if you want to hear more about FDA there's a link there I blogged about it and there's some good information I think does anyone know specifically what FDA 510K is and have to deal with it now maybe not so FDA the Food and Drug Administration says that before you sell a medical device go through pre-market submission that is to say they have to examine it and make sure that it's not going to harm the patient once the FDA says yes this device is fine you can use it you can't make any changes to it that becomes a problem when I say you need to patch your X-ray machine because they tend to say well no we can't change it because pre-market submission says we can't change it so be aware of that if you're in charge of finding vulnerabilities in your organization you have to work very closely with your biomedical team the guidance that's come out from the FDA in the past years they're really strengthening the position and saying look applying a patch to an X-ray machine that happens to run a windows operating system that's fine please do that in fact not patching it causes greater risk to the patient than patching the device and potentially changing it it's the security versus supportability issue and it's not by any means unique to healthcare but it's a problem we have to deal with all the time and sometimes that can lead to poor design decisions for example we did a scan of some radiology devices and it was a large number of workstations that were in 
this hospital the vendor supported the software and they supported it with FTP so every one of these workstations had IIS installed and it was running FTP but to make it easy to support they set it up so anonymous logins were enabled and to make sure that they had access to the file system they moved the FTP root all the way up to the root of the system drive so in effect I'm not making this up I know who in the world would ever do that buy me a beer and I'll tell you later who did that but basically everybody that had access to the network had anonymous FTP access to the entire file system and the service account by the way that was used to do this had local administrative access so it's the worst thing you could possibly ever do and so normally if you scan and you see FTP that might not be a big deal but that's why it became a big deal very very quickly so similar set of stories with industrial control systems if any of you work with that now again I'm talking about the control systems that may be turn valves refineries or chemical plants and those sorts of things operational technology, OT, SCADA those things they're not the same as information technology at all shutting down a plant to do maintenance on computers is extremely expensive and their patch cycles might be measured in months or years so if you find yourself working on these types of systems you need to make sure that you work closely with the OT people to understand that once you find the vulnerability remediation efforts aren't going to be as simple as applying a patch or making a change and in fact when you do scan it it's the same with biomedical they're purpose built very very specific unusual traffic they might not deal with it very well at all so be very cautious in those environments I know I'm running out of time so I'd be glad to talk about this more later if you want but basically the story I've tried to tell you is that scanning's been around for a long time it's matured to something 
that's a lot more useful to our organizations than it was 10 years ago and don't think of the data that's in your scanner as being data that's in a bucket powerful when shared appropriately so look for opportunities to share this data within your organization and if you develop a mature vulnerability management program that includes all these processes I think you'll really impact your organization in a meaningful way thank you very much for sitting through all that and enjoy DEF CON 23 thank you
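As an added example (not code from the talk, the speaker or IOActive), the following Python pulls together the three things the talk says to do with data a scanner has already collected: reconcile hosts discovered by a CIDR sweep against the asset register, spot findings that stay open scan after scan, and answer an advisory-driven question such as Heartbleed from stored software versions instead of launching a new scan. Every host, version string, finding name and scan date below is constructed for the example; the one real detail is the OpenSSL 1.0.1 through 1.0.1f range used for the Heartbleed check.

```python
"""Getting more out of scan data than a list of plugin hits.

Added example with constructed data: none of the hosts, versions, scan
dates or finding names below come from a real scanner or from the talk.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed asset register: what asset/configuration management believes
# is on this segment.
ASSET_REGISTER: Set[str] = {
    "10.20.0.10", "10.20.0.11", "10.20.0.12", "10.20.0.13", "10.20.0.14",
}

# Constructed credentialed-scan inventory: host -> {product: version}.
SOFTWARE_INVENTORY: Dict[str, Dict[str, str]] = {
    "10.20.0.10": {"openssl": "1.0.1e", "bash": "4.2"},
    "10.20.0.11": {"openssl": "1.0.1g", "bash": "4.3"},
    "10.20.0.12": {"openssl": "0.9.8y", "bash": "3.2"},
    "10.20.0.13": {"iis-ftp": "7.5"},
    "10.20.0.50": {"openssl": "1.0.1f"},        # answered the sweep, on no list
    "10.20.0.51": {"camera-firmware": "2.1"},   # embedded device, on no list
}

# Constructed longitudinal results: scan date -> {(host, finding)}.
SCAN_HISTORY: Dict[str, Set[Tuple[str, str]]] = {
    "2015-03-01": {("10.20.0.13", "anonymous-ftp-root"),
                   ("10.20.0.10", "ssl-weak-cipher")},
    "2015-04-01": {("10.20.0.13", "anonymous-ftp-root"),
                   ("10.20.0.51", "default-credentials")},
    "2015-05-01": {("10.20.0.13", "anonymous-ftp-root"),
                   ("10.20.0.51", "default-credentials"),
                   ("10.20.0.50", "ssl-weak-cipher")},
}


def reconcile(discovered: Iterable[str], register: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Compare a CIDR sweep with the asset register.

    Returns (undocumented, unanswered): hosts the sweep found that nobody
    registered, and registered hosts that did not answer. Both sets are the
    check and balance worth handing to asset/configuration management.
    """
    found = set(discovered)
    return found - register, register - found


def open_streaks(history: Dict[str, Set[Tuple[str, str]]]) -> Dict[Tuple[str, str], int]:
    """For each finding open in the newest scan, count how many consecutive
    scans (newest first) it has been open. Dates are ISO strings, so a
    lexical sort is chronological."""
    dates = sorted(history)
    streaks: Dict[Tuple[str, str], int] = {}
    for finding in history[dates[-1]]:
        n = 0
        for date in reversed(dates):
            if finding not in history[date]:
                break
            n += 1
        streaks[finding] = n
    return streaks


def chronic_findings(history: Dict[str, Set[Tuple[str, str]]], min_scans: int) -> List[Tuple[str, str]]:
    """Findings open for at least `min_scans` consecutive scans: the trend
    data that points at resourcing or process problems rather than a new bug."""
    return sorted(f for f, n in open_streaks(history).items() if n >= min_scans)


_VERSION_RE = re.compile(r"^(\d+(?:\.\d+){0,3})([a-z]*)$")


def parse_version(text: str) -> Tuple:
    """Turn '1.0.1f' into (1, 0, 1, 0, 'f') so versions compare as tuples.

    Assumes up to four dotted numeric fields plus an optional trailing
    letter (OpenSSL style); the bare release sorts before its lettered fixes.
    """
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    return tuple(nums) + (m.group(2),)


def affected_hosts(inventory: Dict[str, Dict[str, str]], product: str,
                   low: str, high: str) -> List[str]:
    """Hosts running `product` in the inclusive version range [low, high].

    The tactical use of stored scan data: when an advisory lands, query what
    the last credentialed scan already recorded instead of rescanning."""
    lo, hi = parse_version(low), parse_version(high)
    return sorted(ip for ip, sw in inventory.items()
                  if product in sw and lo <= parse_version(sw[product]) <= hi)


if __name__ == "__main__":
    undocumented, unanswered = reconcile(SOFTWARE_INVENTORY, ASSET_REGISTER)
    print("undocumented hosts:", sorted(undocumented))
    print("registered but silent:", sorted(unanswered))
    print("open for 3+ scans:", chronic_findings(SCAN_HISTORY, 3))
    # Heartbleed (CVE-2014-0160) affected OpenSSL 1.0.1 through 1.0.1f.
    print("Heartbleed exposure:", affected_hosts(SOFTWARE_INVENTORY, "openssl", "1.0.1", "1.0.1f"))
```

The version parser is deliberately narrow: real scanners record versions in vendor-specific forms (distribution package versions, build numbers, "1.0.2-beta1"), so in practice the comparison should be driven by the scanner's own normalised version field, and anything `parse_version` rejects should be surfaced for a human rather than silently skipped.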