© 2001 by Carnegie Mellon University SS5 -1 OCTAVE SM Process 5 Background on Vulnerability Evaluations Software Engineering Institute Carnegie Mellon.

Presentation transcript:

© 2001 by Carnegie Mellon University. SS5-1 OCTAVE SM Process 5: Background on Vulnerability Evaluations. Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA. Sponsored by the U.S. Department of Defense.

SS5-2 Vulnerability Evaluation Topics
- Terminology
- Vulnerability tools
- Vulnerability reports
- Strategies for conducting vulnerability evaluations

SS5-3 Terminology
- Technology vulnerability: a weakness in a system that can directly lead to unauthorized action
- Exploit: the process of using a technology vulnerability to violate security policy

SS5-4 Vulnerability Tools
Vulnerability tools identify:
- known weaknesses in technology
- misconfigurations of 'well known' administrative functions, such as
  - file permissions on certain files
  - accounts with null passwords
- what an attacker can determine about your systems and networks

SS5-5 What Vulnerability Tools Identify
(Slide graphic: the OCTAVE catalog of operational practice areas, against which the weaknesses found by vulnerability tools are positioned. The areas shown are listed below.)
- Physical Security: Physical Security Plans and Procedures; Physical Access Control; Monitoring and Auditing Physical Security
- Information Technology Security: System and Network Management; Monitoring and Auditing IT Security; Authentication and Authorization; Encryption; Vulnerability Management; System Administration Tools; Security Architecture and Design; Incident Management
- Staff Security: General Staff Practices

SS5-6 What Vulnerability Identification Tools Do Not Identify
- Misapplied or improper system administration (users, accounts, configuration settings)
- Unknown vulnerabilities in operating systems, services, applications, and infrastructure
- Incorrect adoption or implementation of organizational procedures

SS5-7 Vulnerability Evaluation Tools
- Operating system scanners
- Network infrastructure scanners
- Specialty, targeted, and hybrid scanners
- Checklists
- Scripts

SS5-8 Operating System Scanners
Operating system scanners target specific operating systems, including:
- Windows NT/2000
- Sun Solaris
- Red Hat Linux
- Apple Mac OS

SS5-9 Network Infrastructure Scanners
Network infrastructure scanners target the network infrastructure components, including:
- routers and intelligent switches
- DNS servers
- firewall systems
- intrusion detection systems

SS5-10 Specialty, Targeted, and Hybrid Scanners
Specialty, targeted, and hybrid scanners target a range of services, applications, and operating system functions, including:
- web servers (CGI, Java)
- database applications
- registry information (Windows NT/2000)
- weak password storage and authentication services

SS5-11 Checklists
Checklists provide the same functionality as automated tools, but they are manual, not automated. Checklists require a consistent review of the items being checked and must be routinely updated.

SS5-12 Scripts
Scripts provide the same functionality as automated tools, but they usually have a single function. The more items you test, the more scripts you will need. Scripts require a consistent review of the items being checked and must be routinely updated.
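As an added illustration of the single-function "script" the slide describes (this is example code, not part of the OCTAVE materials), the block below implements two of the administrative misconfiguration checks named on the Vulnerability Tools slide: accounts with null passwords and over-permissive modes on sensitive files. The passwd-format text and the files it inspects are constructed sample data, and `0o600` is an assumed required mode for the sample files.

```python
"""Single-purpose vulnerability check script (added example, constructed data)."""
import os
import stat
import tempfile

# Constructed sample in passwd/shadow format. Two accounts have an empty
# password field, meaning no password is required to log in as them.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
backup::34:34:backup:/var/backups:/bin/sh
alice:x:1000:1000:alice:/home/alice:/bin/sh
guest::1001:1001:guest:/home/guest:/bin/sh
"""


def null_password_accounts(passwd_text):
    """Return user names whose password field (second colon field) is empty."""
    found = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) > 1 and fields[1] == "":
            found.append(fields[0])
    return found


def loose_permission_files(paths, max_mode=0o600):
    """Return (path, octal mode) for files granting any bit outside max_mode,
    e.g. group/world read or write on a file that should be owner-only."""
    findings = []
    for path in paths:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & ~max_mode:
            findings.append((path, oct(mode)))
    return findings


def demo():
    """Create two constructed sample files (one 0600, one 0644) and run both checks."""
    workdir = tempfile.mkdtemp()
    good = os.path.join(workdir, "shadow")
    bad = os.path.join(workdir, "private.key")
    for path, mode in ((good, 0o600), (bad, 0o644)):
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)  # explicit chmod so umask does not affect the result
    return null_password_accounts(SAMPLE_PASSWD), loose_permission_files([good, bad])


if __name__ == "__main__":
    print(demo())  # expected: (['backup', 'guest'], [('.../private.key', '0o644')])
```

Each function tests exactly one item, which is why the slide notes that the number of scripts grows with the number of items checked.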

SS5-13 Vulnerability Tool Reports
Vulnerability reports usually provide:
- identification and ranking of the severity of technological weaknesses found
- mitigation and corrective steps to eliminate vulnerabilities
Determine what information you require, and then match your requirements to the report(s) provided by the tool(s).

SS5-14 Sample Report (slide shows a sample report image)

SS5-15 Other Report Data (slide shows a report image)

SS5-16 Scoping Vulnerability Evaluations
You need to scope a vulnerability evaluation. Two approaches are:
- examining every component of your computing infrastructure over a defined period of time (comprehensive vulnerability evaluation)
- grouping similar components into categories and examining selected components from each category (targeted vulnerability evaluation)

SS5-17 Targeted Vulnerability Evaluation Strategies
Strategies for targeted vulnerability evaluations include grouping similar components into categories. Categories can include:
- how components are used
- the primary operators of components
- classes of components

SS5-18 OCTAVE Phase 2 Strategy
Phase 2 of OCTAVE is a targeted vulnerability evaluation. Key classes of components are identified by considering how critical assets are:
- stored
- processed
- transmitted
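The scoping approach from the last three slides, worked through as an added example that is not part of the OCTAVE materials: critical assets are mapped to the components that store, process and transmit them, the classes of those components become the key classes, and a selection from each class forms the targeted scope, which is compared with the comprehensive scope. The component inventory, class names and asset mappings are constructed.

```python
"""Targeted versus comprehensive scoping of a vulnerability evaluation (added example)."""
from collections import defaultdict

# Constructed inventory: component name -> class of component.
COMPONENTS = {
    "db01": "database server", "db02": "database server",
    "web01": "web server", "web02": "web server",
    "fw01": "firewall", "rtr01": "router", "rtr02": "router",
    "ws-hr01": "staff workstation", "ws-hr02": "staff workstation",
    "ws-lab01": "lab workstation", "printer01": "printer",
}

# Constructed critical assets: where each is stored, processed and transmitted.
CRITICAL_ASSETS = {
    "customer records": {"stored": ["db01"], "processed": ["web01", "ws-hr01"],
                         "transmitted": ["fw01", "rtr01"]},
    "payroll data": {"stored": ["db02"], "processed": ["ws-hr01", "ws-hr02"],
                     "transmitted": ["rtr01"]},
}


def key_classes(assets, components):
    """Map each component class touched by a critical asset to its components,
    each counted by how many asset/handling pairs it appears in."""
    hits = defaultdict(lambda: defaultdict(int))
    for handling in assets.values():
        for comps in handling.values():
            for comp in comps:
                hits[components[comp]][comp] += 1
    return hits


def targeted_scope(assets, components, per_class=1):
    """Select the per_class most-exposed components from each key class
    (ties broken by name), which is the targeted evaluation scope."""
    scope = {}
    for cls, comps in key_classes(assets, components).items():
        ranked = sorted(comps, key=lambda c: (-comps[c], c))
        scope[cls] = ranked[:per_class]
    return scope


def comprehensive_scope(components):
    """The comprehensive alternative: every component, no selection."""
    return sorted(components)
```

Classes that no critical asset touches (here the lab workstation and printer) drop out of the targeted scope entirely, which is where the time saving over the comprehensive approach comes from.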