1 SANS Technology Institute - Candidate for Master of Science Degree 1 Achievements and Pitfalls of Creating and Maintaining Vulnerability Assessment Programs.

Presentation transcript:

Slide 1: SANS Technology Institute - Candidate for Master of Science Degree
Achievements and Pitfalls of Creating and Maintaining Vulnerability Assessment Programs
Tim Proffitt, March 2009
GIAC GCIH, GCPM, GLEG, GSEC, GSLC

Slide 2: How are Successful Organizations Leveraging Vulnerability Assessment?
– Identifying known vulnerabilities
– Identifying foreign systems and ad hoc networks
– Auditing NAC initiatives
– Auditing patching efforts
– Auditing software lifecycles
– Assisting with web application security assessments
– Meeting compliance requirements such as PCI
– Defining risk by providing risk assessment data

Slide 3: Understanding and Managing Risk
– Vulnerability Overload: In most enterprise networks there are simply too many vulnerabilities to fix.
– Root-Cause Analysis: Fixing vulnerabilities does not necessarily address the root cause.
– Network Inventory: Vulnerabilities do not exist in isolation.
There will always be risk to the organization, so the goal is not to eliminate risk, but rather to understand and manage risk at an acceptable level.

Slide 4: What Risk Level Is Acceptable?
Aligning the right context of assets that relate back to the business is mandatory. Otherwise, the data may not be meaningful or actionable by management. By reporting on groups of assets that are defined from a business viewpoint, the metrics suddenly take on an importance to the decision makers. Focusing on certain vulnerabilities will enable a working group to ensure that the strategy addresses the existing community's vulnerabilities of greatest concern.

Slide 5: Utilize a Known Scoring System
Teams can utilize the open Common Vulnerability Scoring System (CVSS) to address the goal of a common platform for discussing risk. CVSS has three metric groups:
– Base Metrics: qualities that are fundamental to any given vulnerability and that do not change over time or in different environments.
– Temporal Metrics: characteristics of a vulnerability that are time-dependent and change as the vulnerability ages.
– Environmental Metrics: characteristics of vulnerabilities that are tied to implementation and environment.

Slide 6: Deriving Severity Levels
– Consequence: allows ratings from low to high depending on the environment
– Probability: some vulnerabilities are more likely than others to be exploited
– Criticality: allow more vulnerabilities on less critical systems than on others
– Industry: you might be willing to remediate vulnerabilities more quickly if you manage FAA gear
– Time: vulnerabilities are a moving target

Slide 7: Real World Scenario
Risk = (Threat x Vulnerability x Impact) / Countermeasures
– VA scan reveals that an MS security bulletin patch is missing from a server in a DMZ segment.
– Research shows the bulletin addresses a Server Message Block (SMB) buffer overflow that allows attackers to take complete control of the system and execute code remotely.
– Analysis determines the server in the DMZ is an MS file server containing customer data. SMB is allowed through the firewall to this network segment.
– High probability of loss combined with high probability of consequence causes the risk to be rated Unacceptable, requiring immediate action.
– Cost-benefit analysis shows that only a patch or a firewall rule change is needed.
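The following is an added example, not code from the presentation: it turns the severity factors from the previous slide (consequence, probability, criticality, time) and the Risk = Threat x Vulnerability x Impact / Countermeasures formula into a repeatable scoring function, then runs the DMZ file-server scenario through it twice, once as found and once after the firewall rule change. All weights, thresholds and the finding data are constructed, and the patch identifier is a placeholder because the bulletin number is not on the page.

```python
# Added example, not from the presentation: derive a severity level for one
# scanner finding from the factors on the "Deriving Severity Levels" slide
# (consequence, probability, criticality, time) and the deck's
# Risk = Threat x Vulnerability x Impact / Countermeasures formula.
# Weights, thresholds and the finding data are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Finding:
    patch_id: str               # bulletin identifier (placeholder; the deck's ID is not on the page)
    cvss_base: float            # CVSS base score 0-10: the vulnerability term
    exploit_public: bool        # probability: working exploit code is public
    asset_critical: bool        # criticality/consequence: e.g. holds customer data
    reachable: bool             # threat: vulnerable service is allowed through the firewall
    days_since_disclosure: int  # time: vulnerabilities are a moving target
    countermeasures: float      # 1.0 = none; >1.0 for host IPS, segmentation, etc.


def risk_score(f: Finding) -> float:
    """Risk = Threat x Vulnerability x Impact / Countermeasures, clamped to 0-10."""
    threat = 1.0 if f.reachable else 0.2      # blocked at the firewall: residual threat only
    if f.exploit_public:
        threat = min(1.0, threat + 0.2)
    vulnerability = f.cvss_base / 10.0
    impact = 1.0 if f.asset_critical else 0.5
    # older unpatched vulnerabilities see more attack traffic; cap the growth at one year
    time_factor = 1.0 + min(f.days_since_disclosure, 365) / 365.0
    raw = 10.0 * threat * vulnerability * impact * time_factor / f.countermeasures
    return round(min(raw, 10.0), 2)


def severity(score: float) -> str:
    """Map a score to an action level; thresholds are constructed."""
    if score >= 8.0:
        return "Unacceptable - immediate action"
    if score >= 5.0:
        return "High - remediate this patch cycle"
    if score >= 2.5:
        return "Medium - schedule remediation"
    return "Low - track or accept"


# The slide's scenario: SMB buffer overflow on a DMZ file server holding customer
# data, with SMB allowed through the firewall. Patch ID is a placeholder.
DMZ_FILESERVER = Finding("MS-XX-XXX", 10.0, True, True, True, 30, 1.0)
# Same finding after the cost-benefit decision to block SMB at the firewall instead.
AFTER_FIREWALL_RULE = Finding("MS-XX-XXX", 10.0, True, True, False, 30, 1.0)
```

Calling `severity(risk_score(DMZ_FILESERVER))` yields the "Unacceptable" level from the slide, while the same finding with SMB blocked drops to a scheduled "Medium", which is the kind of before/after comparison a cost-benefit discussion needs.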

Slide 8: Top Objectives for Approval and Defining Policies
– Executive sign-off is crucial before VA efforts are started
– Understand that VA will have an impact on systems
– Define what segments are out of scope
– Define what type of hardware is off limits
– Define external scanning versus internal scanning
– Define what you do with partner networks
– Include VA provisions in legal contracts

Slide 9: Awareness Pitfalls
Successful training includes details about:
– How is risk applied?
– Impacts to log files, authentication attempts, successive connections, trace files
– Generation of alerts and/or e-mails
– Bandwidth considerations
– Frequency of scans for troubleshooting
– False positive remediation
How does VA scanning avoid impacting systems:
– Effects on firewalls (state tables) or IPS
– Does the VA scanner block traffic?

Slide 10: Know Which Information Assets Are Targets
Standard items such as workstations, laptops and servers are targets, but what about:
– Network-enabled printers: printer-specific vulnerabilities reported were up 105% in 2008
– VoIP phones: VIPER Lab has identified thousands of VoIP vulnerabilities since 2003
– Security cameras, HVAC management, AV gear, medical equipment, SCADA, etc.
It seems everything is becoming network manageable, but did the vendor consider security? How can these devices be compromised? What is the risk to the business of a compromise?

Slide 11: Optimal Returns
Successful scanning teams will consist of several components:
– Scan frequently, on a negotiated schedule
– Exclude known harmful vulnerability checks for sensitive equipment
– Utilize multiple authentication records
– Manage exceptions with system owners
– Organize assets into risk-based groups
With failed programs, teams typically will:
– Scan infrequently enough to be irrelevant
– Not utilize authentication
– Scan aggressively across entire segments
– Re-negotiate risk metrics to fit the situation
– Not break up assets into domains

Slide 12: Biggest Reporting Mistakes
– Producing reports detailing every vulnerability from "informational" to "urgent" for the entire assessment
– Providing C-level management (or auditors) a 300-page vulnerability report
– Not performing trending analysis
– Automatic "blanket" ticket generation from VA reporting
– Not producing actionable information utilizing risk metrics
– Not filtering the reports for specific system administrators
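As an added example that is not part of the presentation, the script below shows two of the corrections the slide implies: trending between consecutive scans (new, fixed and persisting findings) and filtering actionable findings per responsible administrator, with "informational" results dropped before anything reaches a report. The scan records, host addresses, check names and owner names are all constructed.

```python
# Added example, not from the presentation: turn raw scan output into trended,
# per-administrator report data instead of a single report of everything.
# Scan records, hosts, check names and owners below are constructed.
from collections import defaultdict

# Each record is one scanner finding; (host, check) identifies it across scans.
PREVIOUS_SCAN = [
    {"host": "10.0.1.5", "check": "ssl-weak-cipher", "severity": "medium", "owner": "web-team"},
    {"host": "10.0.1.5", "check": "banner-disclosure", "severity": "informational", "owner": "web-team"},
    {"host": "10.0.2.9", "check": "smb-missing-patch", "severity": "urgent", "owner": "windows-team"},
]
CURRENT_SCAN = [
    {"host": "10.0.1.5", "check": "ssl-weak-cipher", "severity": "medium", "owner": "web-team"},
    {"host": "10.0.1.5", "check": "banner-disclosure", "severity": "informational", "owner": "web-team"},
    {"host": "10.0.2.9", "check": "rdp-weak-auth", "severity": "high", "owner": "windows-team"},
    {"host": "10.0.3.2", "check": "snmp-default-community", "severity": "high", "owner": "network-team"},
]

# Only these levels are worth an administrator's time; "informational" never reaches a report.
ACTIONABLE = {"urgent", "critical", "high", "medium"}


def finding_key(f):
    return (f["host"], f["check"])


def trend(previous, current):
    """Classify actionable findings as new, fixed or persisting between two scans."""
    prev = {finding_key(f) for f in previous if f["severity"] in ACTIONABLE}
    cur = {finding_key(f) for f in current if f["severity"] in ACTIONABLE}
    return {
        "new": sorted(cur - prev),
        "fixed": sorted(prev - cur),
        "persisting": sorted(prev & cur),
    }


def per_owner(current):
    """Split the current scan's actionable findings by responsible administrator."""
    report = defaultdict(list)
    for f in current:
        if f["severity"] in ACTIONABLE:
            report[f["owner"]].append((f["host"], f["check"], f["severity"]))
    return dict(report)
```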

Slide 13: Compliance and the Life Cycle
Vulnerability assessment has a never-ending life cycle. This cycle continually scans, reports, assesses, remediates and evaluates. No single piece of the life cycle can be effective without the others.
Pitfalls:
– Have reasonable life cycle expectations been set?
– Is the VA team working with the correct set of administrators to accomplish their goals?
– Has the life cycle slowed, or become lax, as the program matured?
– The VA team is not generating reports on a regular basis.

Slide 14: Program Success
Utilize metrics to assign risk. Scoring systems from "high to low" and/or "5 to 1" provided by VA solutions do not adequately reflect the true risk to the enterprise.
Successful programs will scan more than traditional workstations and servers. Overlooking network-aware devices paints only a partial picture of your security landscape. Device attack vectors are on the rise.
Utilize vulnerability assessment data to supplement other security efforts. This data can be reused to support compliance, NAC, user provisioning, licensing, etc.

Slide 15: Summary
A VA program can be leveraged to ease the burden of compliance efforts, reduce risk levels, perform due diligence, provide forensic data and generate reports that can be used as technology metrics. By creating a comprehensive VA program, the organization adds yet another layer to its defense in depth, identifying the key vulnerabilities to the organization and performing mitigation actions before those vulnerabilities can be exploited. A successful, comprehensive VA program will position the organization for a safer, more secure computing environment.