Steven Hartman State Information Security Officer State of Nebraska

Presentation transcript:

Vulnerability and Threat Management
Creating a Vulnerability Assessment Program at the State of Nebraska
Steven Hartman, State Information Security Officer, State of Nebraska

Agenda
- Introductions
- Vulnerabilities vs. Threats
- Components of a Vulnerability Assessment Program
- Bringing it all together
- Quiz
© November 18, 2008 Nebraska Cyber Security Center. 2008 Nebraska Digital Summit

Vulnerabilities vs. Threats
What's the difference?

Definitions
- Vulnerability: susceptible to attack (Webster). A vulnerability is a hole or a weakness in an application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of the application.
- Threat: an expression of intention to inflict evil, injury, or damage (Webster). A threat is the possibility of something bad happening (qualitative).
- Attack: an attack is when a vulnerability is exploited to realize a threat.
© April 28, 2008 Nebraska Cyber Security Center. 2008 MS-ISAC Annual Meeting

Definitions, continued
- Risk: a risk is the quantifiable likelihood of loss due to a realized threat (quantitative).
- Countermeasures: countermeasures are defensive technologies or modules that are used to detect, deter, or deny attacks.
- Four types of countermeasures: preventative, reactive, detective, administrative.

A Word about Threat Modeling
- Threats are applied to assets.
- If there are no assets, you cannot have an attack.
- If the asset has no value, you have no risk.
- Threat modeling really forces you to understand the interactions between the various components within your application.
© September 21, 2018 Nebraska Cyber Security Center.

Components of a Vulnerability Assessment Program
What are they, you ask?

Five Main Components
- Vulnerability assessments and testing
- Threat modeling
- Remediation management
- Incident response
- Security event monitoring and logging

Vulnerability Assessments and Testing
- The State of Nebraska has purchased a product called Qualys.
- Ability to perform assessments on 2,700 devices: 1,700 servers and 1,000 network devices.
- Role-based web application that allows agencies to see only their own servers and assessments.
- Ability to scan both internally and externally.
- Can perform PCI audit scans.

Threat Modeling
- Look for sources that identify vulnerabilities and threats:
  - US-CERT / MS-ISAC
  - SANS
  - Vendors
"If you know the enemy and know yourself, you need not fear the results of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." - Sun Tzu, The Art of War

Remediation Management
- Patch management: SMS, WSUS, PatchLink
- Server hardening:
  - Disable all unnecessary ports and services
  - Limit administrative privileges
  - Firewall or other network controls
- NITC 8-103 Minimum Server Configuration Standard: http://www.nitc.state.ne.us/standards/security/Minimum_Server_Configuration_Standard_20070627.pdf

Incident Response
- NITC 8-401 Incident Response and Reporting Standard
- An incident response program contains five components:
  - Preparation
  - Analysis
  - Containment
  - Eradication
  - Recovery
- NITC 8-401 Incident Response and Reporting Standard: http://www.nitc.state.ne.us/standards/8-401.html

Security Event Monitoring and Logging
- Microsoft Security Computer Operations Manager (SCOM)
- IDS/IPS
- Forti-Analyzer
- Cisco Compliance Manager
- others…

Demo
Bringing it all together?

Bringing it all together
- We know we cannot eliminate all vulnerabilities, so we proactively look at lowering our risk by reducing our "attack surface".
- By running regularly scheduled scans we can start to see trends develop internally that allow us to concentrate on areas showing weakness.
- This allows us to prioritize the work we do (higher-risk servers receive attention before low-risk servers).
- By accurately defining asset groups, we can create clear levels of responsibility and ownership.
- Compliance, Compliance, Compliance.
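The scheduled-scan workflow above (trends between scan runs, asset groups that map findings to an owning agency) as a small worked example. This is added code, not from the deck or from the State of Nebraska; the asset groups, agency names and finding identifiers are constructed sample data.

```python
"""Added example (not from the Nebraska deck): comparing two regularly
scheduled scans to see which findings are new, fixed or still open, rolled
up by asset group so each owner gets their own remediation list.
Asset groups, owners and scan findings below are constructed sample data."""
from collections import defaultdict

# Constructed asset groups with their owning agency (hypothetical names).
ASSET_GROUPS = {
    "dhhs-web": "DHHS IT",
    "dmv-db":   "DMV IT",
    "lab-test": "OCIO Lab",
}

# Constructed findings as (host, asset_group, finding_id) per scan date.
# "V-nnnn" is a placeholder scanner finding id, not a real vendor identifier.
SCANS = {
    "2008-03-01": {("web01", "dhhs-web", "V-1001"),
                   ("web02", "dhhs-web", "V-1002"),
                   ("db01",  "dmv-db",   "V-2001"),
                   ("lab01", "lab-test", "V-1001")},
    "2008-04-01": {("web01", "dhhs-web", "V-1001"),
                   ("db01",  "dmv-db",   "V-2001"),
                   ("db01",  "dmv-db",   "V-2002"),
                   ("lab01", "lab-test", "V-1001"),
                   ("lab02", "lab-test", "V-1003")},
}

def scan_delta(prev_date, curr_date):
    """Per asset group: findings fixed since the previous scan, findings that
    are new, and findings still open. Groups whose 'new' keeps outpacing
    'fixed' are the areas showing weakness that the deck talks about."""
    prev, curr = SCANS[prev_date], SCANS[curr_date]
    delta = defaultdict(lambda: {"fixed": 0, "new": 0, "open": 0})
    for _host, grp, _vid in prev - curr:
        delta[grp]["fixed"] += 1
    for _host, grp, _vid in curr - prev:
        delta[grp]["new"] += 1
    for _host, grp, _vid in curr & prev:
        delta[grp]["open"] += 1
    return dict(delta)

def owner_worklist(scan_date):
    """Open findings from one scan, grouped by the agency that owns the
    asset group, so responsibility for remediation is unambiguous."""
    work = defaultdict(list)
    for host, grp, vid in sorted(SCANS[scan_date]):
        work[ASSET_GROUPS[grp]].append(f"{host}:{vid}")
    return dict(work)

if __name__ == "__main__":
    print(scan_delta("2008-03-01", "2008-04-01"))
    print(owner_worklist("2008-04-01"))
```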

Quiz

FAIR – Factor Analysis of Information Risk
Picture in your mind a worthless old bald tire. Imagine that it's so bald you can hardly tell that it ever had any tread. How much risk is there?

FAIR – Factor Analysis of Information Risk
Next, imagine that the bald tire is tied to a rope hanging from a tree branch. How much risk is there?

FAIR – Factor Analysis of Information Risk
Now, imagine that the rope is frayed about halfway through, just below where it's tied to the tree branch. How much risk is there?

FAIR – Factor Analysis of Information Risk
Finally, imagine that the tire swing is suspended over an 80-foot cliff, with sharp rocks below. How much risk is there?

FAIR – Factor Analysis of Information Risk
What if I told you the risk in all four scenarios was the same? What is the value of the tire? Picture in your mind a worthless old bald tire. Imagine that it's so bald you can hardly tell that it ever had any tread.

FAIR – Factor Analysis of Information Risk
- Never forget that risk is directly tied to the value of an asset.
- Risk is not a thing… Risk is a derived value, similar to speed (a value derived from distance / time).
- Don't equate vulnerability with risk: vulnerability is only one component of risk.
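The "risk is a derived value" lesson from the tire quiz, worked as added example code (not from the deck or from the FAIR standard). It treats risk as threat frequency × vulnerability × asset value, a simplification assumed here rather than the full FAIR taxonomy, and goes one step past the slides by applying the same formula to three constructed servers to show why ranking by vulnerability score alone misorders the work.

```python
"""Added example (not from the Nebraska deck): risk as a derived value, worked
through the deck's bald-tire quiz. The three factors and their scales are a
simplified assumption, not the full FAIR taxonomy."""

def derived_risk(asset_value, vulnerability, threat_frequency):
    """Expected loss = how often a threat acts x chance the act succeeds
    (vulnerability) x what is lost when it does (asset value). Like speed,
    risk is not found on a host; it is computed from its factors."""
    return threat_frequency * vulnerability * asset_value

# The four quiz scenarios as (vulnerability, threat_frequency) pairs; the
# numbers are constructed to rise with each slide. The asset in every one
# is the worthless bald tire, so asset_value defaults to 0.
TIRE_SCENARIOS = {
    "bald tire on the ground":           (0.0, 0.0),
    "tire hung from a branch":           (0.1, 0.5),
    "rope frayed halfway through":       (0.6, 0.5),
    "frayed rope over an 80-foot cliff": (0.9, 0.5),
}

def quiz_risks(asset_value=0):
    """Risk of each scenario with the tire valued at asset_value."""
    return {name: derived_risk(asset_value, vuln, freq)
            for name, (vuln, freq) in TIRE_SCENARIOS.items()}

def all_equal(risks):
    """True when every scenario carries the same risk (the quiz's answer)."""
    return len(set(risks.values())) == 1

# Constructed servers: the same lesson applied to scan results. The test box
# has the worst vulnerability score; the payroll database has the most risk.
SERVERS = {
    "test01":   {"asset_value": 100,     "vulnerability": 0.9, "threat_frequency": 2.0},
    "intranet": {"asset_value": 20_000,  "vulnerability": 0.5, "threat_frequency": 1.0},
    "payroll":  {"asset_value": 500_000, "vulnerability": 0.3, "threat_frequency": 0.5},
}

def rank(servers, by="risk"):
    """Host names, highest first, ordered by one factor or by derived risk."""
    def score(item):
        s = item[1]
        if by == "risk":
            return derived_risk(s["asset_value"], s["vulnerability"], s["threat_frequency"])
        return s[by]
    return [name for name, _ in sorted(servers.items(), key=score, reverse=True)]

if __name__ == "__main__":
    print(quiz_risks(), all_equal(quiz_risks()))
    print(rank(SERVERS, "vulnerability"), rank(SERVERS, "risk"))
```

With the tire worth nothing every scenario scores zero, which is the quiz's point; give the tire a value and the four scores separate immediately.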

Q & A

Resources
- NIST SP 800-37: http://csrc.nist.gov/publications/nistpubs/800-37/SP800-37-final.pdf
- FIPS 199: http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
- FISMA: http://csrc.nist.gov/groups/SMA/fisma/index.html
- Wilson, Carl; What Is Certification and Accreditation? http://e-articles.info/e/a/title/What-Is-Certification-and-Accreditation/ (article added 03/21/2007)