Vulnerability Assessments


Best Practices for Vulnerability Assessments
Presented by: Nathan Heck, IT Security & Privacy Analyst

A Quick Vocabulary Lesson
- Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that may result in a security breach or a violation of the system's security policy.
- Threat: The potential for a threat source to exercise a specific vulnerability, either intentionally or accidentally.
- Control: A measure taken to prevent, detect, minimize, or eliminate risk in order to protect the integrity, confidentiality, and availability of information.
- Vulnerability Assessment: The process of identifying, quantifying, and prioritizing (ranking) the vulnerabilities in a system.

Vulnerability Assessment Basics
- Vulnerability assessment is a subset of vulnerability management
- Proactive vs. reactive: find and fix weaknesses before they are exploited, rather than after an incident
- Vulnerability assessment vs. penetration testing: an assessment aims for breadth (enumerate and rank weaknesses), a penetration test aims for depth (exploit them to demonstrate impact)
- Examples of IT vulnerability assessments

Why Do Vulnerability Assessments?
- System accreditation
- Risk assessment
- Network auditing
- Provide direction for security controls
- Can help justify resource expenditure
- Can provide greater insight into process and architecture
- Compliance checking
- Continuous monitoring

Vulnerabilities: Where Do They Come From?
- Flaws in software
- Faulty configuration
- Weak passwords
- Human error
- Inappropriately assigned permission levels
- System inappropriately placed in the infrastructure/environment
Vulnerabilities don't go away by themselves.

Best Practices
- Establish chain of command/authority
- Create an official purpose and procedures
- Decide on a schedule
- Build your reputation
- Build relationships

Best Practices
- Think in terms of risk
- Document everything!
- Know your environment
- Be prepared

CERT Methodology
1) Setup
2) Test Execution
3) Vulnerability Analysis
4) Reporting
5) Remediation
Repeat!

Step 1: Setup
- Begin documentation
- Secure permission
- Update tools
- Configure tools

Step 2: Test Execution
- Run the tools
- Document as you go
- Run a packet capture while running the assessment tools, so you have a record of exactly what was sent to each target when you verify findings or explain side effects to system owners

Step 3: Vulnerability Analysis
Human interpretation is required to make results meaningful. That interpretation includes:
- Assessing the risk presented by each vulnerability
- Comparing the results to security policy
- Verifying vulnerabilities
- Prioritizing vulnerabilities

Step 3: Vulnerability Analysis - Assessing risk and prioritizing vulnerabilities
- Inherently a subjective process, but the Common Vulnerability Scoring System (CVSS) makes it consistent and repeatable
- NIST provides a CVSS calculator at http://nvd.nist.gov/cvss.cfm?calculator
- The base metrics describe the vulnerability itself; the temporal and environmental metrics move the score up or down for the risk it presents in your specific environment (for example, how widely the affected software is deployed and how much you depend on the affected system's confidentiality, integrity, and availability)
- Vendors and NVD publish the base score; the environmental adjustment is yours to make, and it is what turns a generic score into a local priority

Step 3: Vulnerability Analysis - Researching vulnerabilities
- Common Vulnerabilities and Exposures (CVE) numbers: http://cve.mitre.org
- Some tools will provide the CVE number with each finding
- CVE numbers can be used to look up additional vulnerability information from trusted sources:
  - US-CERT Vulnerability Notes Database: http://www.kb.cert.org/vuls/
  - National Vulnerability Database: http://nvd.nist.gov
  - Secunia.com
  - Vendor sites

Step 3: Vulnerability Analysis - Researching vulnerabilities without a CVE number
- Google
- Security sites
- Security email list archives: http://seclists.org
- Be careful who you get information from and whom you trust; it is best to go to a known good security site (e.g. sans.org)
- CERIAS Cassandra service: https://cassandra.cerias.purdue.edu
- Verify with a trusted source, or with multiple sources if possible

Step 3: Vulnerability Analysis - Causes of errors during vulnerability analysis
- Environmental issues (e.g. a firewall, IPS, or load balancer between the scanner and the target changes what the scanner sees)
- Timing issues (e.g. the host was down during the scan, or was patched between the scan and the review)
- Privilege issues (e.g. an unauthenticated scan infers patch level from service banners instead of checking installed packages)
- Tool issues (e.g. out-of-date plugins or signatures, version-based checks that miss backported fixes)
- People/knowledge issues

Step 3: Vulnerability Analysis - Error types
- False positive: reporting a vulnerability that is not present
- False negative: failing to report a vulnerability that is present
Error prevention:
- Use several different tools and compare their results; a finding reported by only one tool needs manual verification before it goes in the report
- Examine the traffic generated by the tools
- Consult with the system owner/administrator
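An added example of the "use several different tools" check, not part of the original slides: two scanners' exports are normalized to a common (host, port, CVE) key and compared, so findings both tools report are separated from findings only one reports. The scanner exports, column names and hostnames are constructed for this example, and the CVE IDs are placeholders rather than references to real vulnerabilities. Findings without a CVE fall back to a normalized title, which, as the output shows, rarely matches across tools; those land in the verify bucket, which is the honest result.

```python
"""Cross-check findings from two scanners: corroborated vs. needs manual verification (added example)."""
import csv
import io
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed sample exports from two hypothetical scanners. The CVE IDs are placeholders,
# not references to real vulnerabilities; note the different column names and host casing.
SCANNER_A = """host,port,finding
DB01.example.edu,3306,Database server buffer overflow (cve-2099-0001)
web01.example.edu,443,Weak SSL cipher suites supported
web01.example.edu,22,SSH version disclosure
"""
SCANNER_B = """ip,hostname,svc,cve,title
10.0.0.5,db01.example.edu,3306,CVE-2099-0001,Database server remote code execution
10.0.0.7,web01.example.edu,443,,SSL server accepts weak ciphers
10.0.0.7,web01.example.edu,80,CVE-2099-0002,HTTP server denial of service
"""


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def normalize(rows, host_field, port_field, text_fields):
    """Map each row to a (host, port, CVE id) key; fall back to a normalized title when no CVE is given."""
    keys = {}
    for row in rows:
        host = row[host_field].strip().lower()
        port = int(row[port_field])
        text = " ".join(row[f] for f in text_fields if row.get(f))
        match = CVE_RE.search(text)
        if match:
            ident = match.group(0).upper()
        else:
            ident = "title:" + re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()
        keys[(host, port, ident)] = row
    return keys


def reconcile(a_keys, b_keys):
    """Findings both tools agree on are corroborated; anything seen by one tool only needs a human check."""
    a, b = set(a_keys), set(b_keys)
    return {
        "corroborated": sorted(a & b),
        "verify": sorted(a - b) + sorted(b - a),
    }


def triage():
    a = normalize(load(SCANNER_A), "host", "port", ["finding"])
    b = normalize(load(SCANNER_B), "hostname", "svc", ["cve", "title"])
    return reconcile(a, b)


if __name__ == "__main__":
    result = triage()
    for host, port, ident in result["corroborated"]:
        print("CORROBORATED  %s:%d  %s" % (host, port, ident))
    for host, port, ident in result["verify"]:
        print("VERIFY        %s:%d  %s" % (host, port, ident))
```

Only the database finding is corroborated; the two weak-cipher findings describe the same issue in different words and still end up in the verify list, which is where the packet capture from Step 2 and a conversation with the system administrator come in.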

Step 4: Reporting - Goals
- Present a meaningful summary of the vulnerabilities found
- Prioritize and explain the vulnerabilities
- Provide possible remediation suggestions

Step 4: Reporting - Anatomy of a report
- Header
- Summary
- List of vulnerabilities; for each vulnerability, at a minimum provide:
  - Unique tracking number
  - Risk level: High (immediate action), Medium (action required), Low (action recommended)
  - Brief description
- Appendices; at a minimum the following two should be included:
  - Vulnerability details
  - Assessment setup

Step 4: Reporting - Metrics
- Tracking key metrics over time allows progress to be quantified
- It is also a good idea to tie metrics to cost savings
- Examples:
  - Number of vulnerabilities found, by criticality
  - Average number of vulnerabilities found per assessment
  - Number of vulnerabilities remediated
  - Time from vulnerability discovery to remediation
  - Time per assessment
  - Total assessments done

Step 4: Reporting - Best Practices
- Standardization
- Know your audience
- Avoid fluff
- Prioritize by risk
- Track progress
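An added example tying the "anatomy of a report" and "metrics" slides together; it is not code from the original presentation. A list of verified findings, each with a tracking number and a CVSS score, is turned into the summary section (counts by risk level, remediation progress, time to remediate) followed by the findings ordered by risk. The findings and dates are constructed, and the mapping of the report's High/Medium/Low bands onto NVD's CVSS v2 severity ranges (7.0 and above, 4.0 to 6.9, below 4.0) is an assumption the slides do not state.

```python
"""Assessment report summary: risk bands from CVSS scores plus the tracking metrics (added example)."""
from datetime import date

# Constructed verified findings. "fixed" is None while a finding is still open.
FINDINGS = [
    {"id": "VA-0001", "host": "db01", "title": "Database server buffer overflow", "cvss": 9.3,
     "found": date(2010, 3, 1), "fixed": date(2010, 3, 4)},
    {"id": "VA-0002", "host": "web01", "title": "Weak SSL cipher suites", "cvss": 4.3,
     "found": date(2010, 3, 1), "fixed": date(2010, 3, 15)},
    {"id": "VA-0003", "host": "web01", "title": "SSH version disclosure", "cvss": 2.6,
     "found": date(2010, 3, 1), "fixed": None},
    {"id": "VA-0004", "host": "web01", "title": "HTTP server denial of service", "cvss": 7.8,
     "found": date(2010, 3, 2), "fixed": None},
]

# Assumption: the report's High/Medium/Low bands are mapped onto NVD's CVSS v2 severity ranges.
LEVELS = (("High", 7.0, "Immediate action"), ("Medium", 4.0, "Action required"), ("Low", 0.0, "Action recommended"))


def risk_level(cvss):
    for name, floor, _action in LEVELS:
        if cvss >= floor:
            return name
    raise ValueError("CVSS score out of range: %r" % cvss)


def metrics(findings, as_of):
    """Counts by criticality, remediation progress and mean time-to-remediate in days."""
    by_level = {name: 0 for name, _floor, _action in LEVELS}
    fix_days = []
    for f in findings:
        by_level[risk_level(f["cvss"])] += 1
        if f["fixed"] is not None:
            fix_days.append((f["fixed"] - f["found"]).days)
    open_items = [f for f in findings if f["fixed"] is None]
    return {
        "by_level": by_level,
        "remediated": len(fix_days),
        "open": len(open_items),
        "mean_days_to_remediate": (sum(fix_days) / len(fix_days)) if fix_days else None,
        "oldest_open_days": max((as_of - f["found"]).days for f in open_items) if open_items else 0,
    }


def report(findings, as_of):
    """Summary first, then findings ordered by risk, each with tracking number, level and status."""
    m = metrics(findings, as_of)
    lines = ["Vulnerability Assessment Report (as of %s)" % as_of.isoformat(), "",
             "Summary: %d findings, %d remediated, %d open" % (len(findings), m["remediated"], m["open"])]
    for name, _floor, action in LEVELS:
        lines.append("  %-6s %d  (%s)" % (name, m["by_level"][name], action))
    if m["mean_days_to_remediate"] is not None:
        lines.append("  Mean time to remediate: %.1f days" % m["mean_days_to_remediate"])
    lines.append("  Oldest open finding: %d days" % m["oldest_open_days"])
    lines.append("")
    for f in sorted(findings, key=lambda f: f["cvss"], reverse=True):
        status = "fixed %s" % f["fixed"].isoformat() if f["fixed"] else "OPEN"
        lines.append("%s  %-6s %.1f  %s  %s  [%s]" % (f["id"], risk_level(f["cvss"]), f["cvss"],
                                                     f["host"], f["title"], status))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(FINDINGS, date(2010, 3, 20)))
```

Keeping the findings as structured records with a discovery date and a remediation date is what makes the "time from discovery to remediation" metric possible at all; a report that exists only as a document cannot be trended across assessments.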

Step 5: Remediation
Vulnerability remediation is the process of fixing vulnerabilities. Pick the issues you want to fix, because you may not have enough resources to fix them all.
Remediation choices - for every vulnerability there are three options:
- Fix: eliminate the vulnerability altogether
- Accept: the cost of fixing outweighs the risk, so the residual risk is accepted and the justification documented
- Mitigate: don't outright fix it, but use additional layers of security to lessen the risk presented by the vulnerability

Step 5: Remediation - Types of remediation
- Manual remediation
  - Pros: less likely to cause system problems
  - Cons: does not scale well, time consuming
- Automatic remediation
  - Pros: scales very well
  - Cons: may cause system problems, may not actually remediate, greater potential for breaking something
Rule of thumb: manual for a unique or critical system, automatic for many similar items.

Step 5: Remediation - Remediation planning
Plan for remediating all vulnerabilities found in the system. The plan should include:
- Whether to fix, mitigate, or accept each vulnerability
- Whether to use automatic or manual remediation
- A strategy to mitigate any remaining vulnerabilities
- Justification for accepting any vulnerability

Step 5: Remediation
- Test remediation on a dev instance before implementing it on a production system
- Verification: confirm the fix actually removed the vulnerability, for example by re-running the assessment against the remediated system
- Cooperation is required for successful remediation
- Don't forget change management

Questions?