Vulnerability and Configuration Management Best Practices for State and Local Governments Jonathan Trull, CISO, Qualys, Inc.


Most Breaches Exploit Known Vulnerabilities
- Attacks: more than 80% of attacks target known vulnerabilities
- Patches: 79% of vulnerabilities have a patch available on the day of disclosure

Threats vs. Vulnerabilities

Patch and Vulnerability Management
A security practice designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization: the continuous process of identifying, classifying, remediating, and mitigating vulnerabilities.

Configuration Management
The process of evaluating, coordinating, approving, disapproving, and implementing changes to systems and software.
Security perspective: the process of ensuring systems are configured to prevent successful cyber attacks, and that they stay that way.

Major Constraints on Security Teams

Attack-Defend Cycle (OODA Loop)

Laws of Vulnerabilities
- Half-Life: the time interval needed to reduce the occurrence of a vulnerability by half
- Prevalence: the turnover rate of vulnerabilities in the "Top 20" list during a year
- Persistence: the total lifespan of a vulnerability
- Exploitation: the time interval between an exploit announcement and the first attack

Half-Life: 29.5 days

Prevalence: 8 critical vulnerabilities retained a constant presence in the Top 20

Persistence: indefinite. Remediation does not reach zero; the affected population stabilizes at 5-10% of hosts.

Exploitation
- Average: < 10 days
- Critical client-side vulnerabilities: < 48 hours
  - Exploit kits offer money-back guarantees and next-day delivery
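The four laws above are metrics you can compute from your own scanner history rather than quote from a vendor report. The following is an added example, not code from the presentation or from Qualys; the QIDs, host counts, dates and Top-list contents are constructed, and the half-life is estimated by interpolating between the two scans that bracket the point where the affected-host count first halves.

```python
"""Estimate the 'Laws of Vulnerabilities' metrics from per-scan host counts.
Added example with constructed data; not code from the presentation."""
from datetime import date

# Constructed scan history (hypothetical QIDs and counts): per vulnerability,
# (scan date, number of hosts still affected at that scan).
SCAN_HISTORY = {
    "QID-1001": [(date(2016, 1, 1), 400), (date(2016, 1, 31), 180),
                 (date(2016, 3, 1), 70), (date(2016, 4, 1), 35),
                 (date(2016, 6, 1), 20), (date(2016, 9, 1), 20)],
    "QID-2002": [(date(2016, 1, 1), 120), (date(2016, 2, 1), 118),
                 (date(2016, 4, 1), 115)],
}
# Constructed exploit timeline: (exploit announced, first attack observed).
EXPLOIT_EVENTS = {"QID-1001": (date(2016, 1, 3), date(2016, 1, 5))}
# Constructed "Top" lists at the start and end of the year (shortened to 5).
TOP_START = ["QID-1001", "QID-2002", "QID-3003", "QID-4004", "QID-5005"]
TOP_END = ["QID-1001", "QID-2002", "QID-6006", "QID-7007", "QID-8008"]


def half_life_days(history):
    """Days until the affected-host count first drops to half of the initial
    count, interpolating linearly between the two bracketing scans.
    Returns None if the count never halved (the vulnerability persists)."""
    t0, n0 = history[0]
    target = n0 / 2
    prev_t, prev_n = t0, n0
    for t, n in history[1:]:
        if n <= target:
            span = (t - prev_t).days
            frac = (prev_n - target) / (prev_n - n)
            return (prev_t - t0).days + span * frac
        prev_t, prev_n = t, n
    return None


def persistence_floor(history):
    """Share of the initially affected hosts still vulnerable at the last scan
    (the residual the deck says stabilises around 5-10%)."""
    return history[-1][1] / history[0][1]


def prevalence(top_start, top_end):
    """Turnover of the Top list over the year, plus the entries that kept a
    constant presence in it."""
    retained = [q for q in top_end if q in set(top_start)]
    return {"retained": retained, "turnover": 1 - len(retained) / len(top_end)}


def exploitation_days(events):
    announced, first_attack = events
    return (first_attack - announced).days


def summarize(qid):
    """Combine the laws for one QID and flag the gap the deck warns about:
    attackers exploiting before half of the estate is remediated."""
    h = half_life_days(SCAN_HISTORY[qid])
    e = exploitation_days(EXPLOIT_EVENTS[qid]) if qid in EXPLOIT_EVENTS else None
    return {
        "half_life_days": h,
        "persistence_floor": persistence_floor(SCAN_HISTORY[qid]),
        "exploitation_days": e,
        "exposed_before_half_remediated": (h is None) or (e is not None and e < h),
    }


if __name__ == "__main__":
    for qid in SCAN_HISTORY:
        print(qid, summarize(qid))
    print("prevalence", prevalence(TOP_START, TOP_END))
```

Feeding real exports into SCAN_HISTORY turns the deck's headline numbers (29.5-day half-life, 5-10% persistence floor) into a per-vulnerability trend you can track release over release; a half-life that is longer than the exploitation window for the same QID is the concrete signal that the remediation SLA is too slow.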

Cyber Hygiene Campaign
A multi-year effort that provides key recommendations for a low-cost security program that any organization can adopt to achieve immediate and effective defenses against cyber attacks.

Pilot of scanning baselines completed
- Using Qualys, CIS provided a baseline network and application scan for 12 states at the following key agencies:
  - health
  - public safety
  - revenue
- Reports were sent to each state with the results and information to remediate; follow-up discussions were available if needed
- Re-scans were provided to verify remediation of findings
- Feedback from the pilot states has helped to improve the process
- CIS is ready to offer the same baseline scans to other governments; for further information, contact Kathleen Patentreger at

Cyber Hygiene Scans

Summary Results: Network-Based Vulnerabilities

Summary Results: Application-Based Vulnerabilities

Summary Results: Types of Vulnerabilities

MS-ISAC Guidance
The goal of your security team is to reduce risk by identifying and eliminating weaknesses in your network assets. To do this, there are a few questions you need to ask about your organization.

MS-ISAC Guidance
1. Do you maintain an asset inventory? Is it up to date?
2. Manage the flow of information: which machines have access to critical information, and how does that information get dispersed across your network?
3. Are your network assets classified? If not, assign them a position in a hierarchy, with the most critical systems at the top.
4. Have you done a risk assessment on these systems? What level of risk is your organization okay with?
5. How often do you perform vulnerability assessments on these hosts?
6. How is the remediation of these hosts being tracked? How long does it take to remediate hosts on average?
7. If a host was compromised, how would you respond?

Case Studies
- State of New York
- University of Colorado
- State of Michigan
- State of Ohio
- Colorado Statewide Internet Portal Authority

The Great Divide

[Workflow diagram; labels only] Vulnerability & Compliance Scanning; Vulnerability Information; Matched vulnerabilities and patches; SecOps Integration (if/then rules); Automated Remediation

Best Practices
- Vulnerability and configuration management should be an essential part of any security program
- Obtain executive-level support
  - Identify and obtain an executive-level champion
  - Build partnerships with other executives who need the same data
  - When selling security, keep it simple
  - Establish supporting written policies and procedures
- Communicate vertically and horizontally within your organization
  - Essential to remove fear, uncertainty, and doubt

Best Practices (continued)
- Scan everything and scan often
  - Scan anything connected to your network
  - Scan your perimeter daily, and servers and endpoints weekly
  - Be prepared for zero-days; use predictive analytics
- Use credentialed scanning
- Use metrics to drive risk reduction and program support
- Use tags to manage VM/CM processes and workflows
  - Use tags for business value, ownership, and compliance

Best Practices (continued)
- Measure the security and operations teams' performance by half-life results and by how they handle the persistence law (the residual population that never gets remediated)
  - Include the results in HR performance reviews
- Use metrics to communicate with senior management
- Integrate the VM/CM solution with patch management systems, asset inventory systems, ticketing systems, configuration management systems (Chef, Puppet), and reporting systems for best results

Best Practices (continued)
- Focus patching on the things that will hurt you most
- Select a VM/CM solution with strong APIs and integrations, and one that limits the resources spent on system administration
- Learn to speak the language of operations staff; ensure VM/CM data are reported in the most useful format
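The three "Best Practices" slides above describe one workflow: tag assets by business value, ownership and compliance scope, scan the perimeter daily and internal hosts weekly with credentials, then patch what hurts most first and hand the work to operations in their own ticketing format. The following is an added example of that workflow, not code from the presentation or from Qualys: the inventory, findings, QIDs, scan cadence and SLA values are all constructed, the priority rules are an assumption chosen to reflect the Exploitation law (weaponised bugs on exposed or high-value assets jump the queue), and a host the scanner sees but the inventory does not know is ticketed as an inventory gap before any patch work, which answers the first MS-ISAC question.

```python
"""Turn scan findings plus asset tags into a prioritised remediation queue.
Added example with hypothetical data and policy values; not the deck's code."""
from datetime import date, timedelta

# Constructed inventory: tags carry business value, ownership and compliance
# scope as the deck recommends; "exposure" selects the scan cadence.
INVENTORY = {
    "10.0.1.5":  {"tags": {"bv:high", "owner:revenue", "pci"},    "exposure": "perimeter"},
    "10.0.2.17": {"tags": {"bv:medium", "owner:health", "hipaa"}, "exposure": "internal"},
    "10.0.3.9":  {"tags": {"bv:low", "owner:it"},                 "exposure": "internal"},
}

# Constructed findings (hypothetical QIDs); "authenticated" records whether the
# finding came from a credentialed scan, which is the one to trust.
FINDINGS = [
    {"host": "10.0.1.5",  "qid": "QID-1001", "cvss": 9.8, "exploit_available": True,  "authenticated": True},
    {"host": "10.0.2.17", "qid": "QID-1001", "cvss": 9.8, "exploit_available": True,  "authenticated": True},
    {"host": "10.0.3.9",  "qid": "QID-3003", "cvss": 5.3, "exploit_available": False, "authenticated": True},
    {"host": "10.0.3.9",  "qid": "QID-2002", "cvss": 7.5, "exploit_available": False, "authenticated": False},
    {"host": "10.0.9.99", "qid": "QID-1001", "cvss": 9.8, "exploit_available": True,  "authenticated": False},
]

# Assumed policy values: the deck's cadence (perimeter daily, internal weekly)
# and an example remediation SLA per priority bucket.
SCAN_CADENCE = {"perimeter": timedelta(days=1), "internal": timedelta(days=7)}
SLA_DAYS = {"P1": 2, "P2": 7, "P3": 30, "P4": 90}
ORDER = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}


def business_value(tags):
    for tag, weight in (("bv:high", 3), ("bv:medium", 2), ("bv:low", 1)):
        if tag in tags:
            return weight
    return 1  # untagged but inventoried assets default to low value


def owner_of(tags):
    return next((t.split(":", 1)[1] for t in tags if t.startswith("owner:")), "unassigned")


def prioritise(finding, asset):
    """Rule-based priority (assumed policy): exploit availability and exposure
    outrank raw CVSS, since exploitation happens inside the patch half-life."""
    bv = business_value(asset["tags"])
    exposed = asset["exposure"] == "perimeter"
    if finding["exploit_available"] and (exposed or bv == 3):
        return "P1"
    if finding["cvss"] >= 7.0 and (finding["exploit_available"] or exposed or bv >= 2):
        return "P2"
    if finding["cvss"] >= 7.0:
        return "P3"
    return "P4"


def build_queue(findings, inventory, today):
    """One ticket per finding, owner and due date taken from tags and SLA."""
    tickets, unknown_seen = [], set()
    for f in findings:
        asset = inventory.get(f["host"])
        if asset is None:
            if f["host"] not in unknown_seen:  # one inventory ticket per host
                unknown_seen.add(f["host"])
                tickets.append({"host": f["host"], "qid": "INVENTORY-GAP", "priority": "P1",
                                "owner": "asset-mgmt", "due": today + timedelta(days=SLA_DAYS["P1"]),
                                "note": "unknown asset; register and tag before remediation"})
            continue
        p = prioritise(f, asset)
        note = "" if f["authenticated"] else "unauthenticated finding; confirm with credentialed scan"
        tickets.append({"host": f["host"], "qid": f["qid"], "priority": p,
                        "owner": owner_of(asset["tags"]),
                        "due": today + timedelta(days=SLA_DAYS[p]), "note": note})
    return sorted(tickets, key=lambda t: (ORDER[t["priority"]], t["host"]))


def overdue_scans(last_scanned, inventory, today):
    """Inventoried hosts whose last scan is older than their cadence allows."""
    return sorted(h for h, a in inventory.items()
                  if today - last_scanned.get(h, date.min) > SCAN_CADENCE[a["exposure"]])


if __name__ == "__main__":
    today = date(2017, 6, 15)  # constructed reference date
    for t in build_queue(FINDINGS, INVENTORY, today):
        print(t["priority"], t["host"], t["qid"], t["owner"], t["due"], t["note"])
    print("overdue:", overdue_scans({"10.0.1.5": date(2017, 6, 13),
                                     "10.0.2.17": date(2017, 6, 12)}, INVENTORY, today))
```

The ticket dictionaries are the hand-off point to operations: they carry the owner from the ownership tag and a due date from the SLA, which is the "language of Ops staff" the deck asks for, and the same structure is what you would push through the ticketing or configuration-management integration instead of a raw scanner report.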

Questions and Answers

@jonathantrull
Government Series Webcasts:
More Resources:
- Qualys Top 4 Security Controls
- Qualys Free Tools and Trials
- Cyber Hygiene Toolkits