Presentation on theme: "Steven Hartman State Information Security Officer State of Nebraska"— Presentation transcript:

1 Vulnerability and Threat Management
Creating a Vulnerability Assessment Program at the State of Nebraska
Steven Hartman, State Information Security Officer, State of Nebraska

2 Agenda
Introductions
Vulnerabilities vs. Threats
Components of a Vulnerability Assessment Program
Bringing it all together
Quiz
© November 18, 2008 Nebraska Cyber Security Center Nebraska Digital Summit

3 Vulnerabilities vs. Threats
What’s the Difference?

4 Definitions
Vulnerability – Susceptible to attack. (Webster)
A vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application.
Threat – An expression of intention to inflict evil, injury, or damage. (Webster)
A threat is the possibility of something bad happening (qualitative).
Attack – An attack is when a vulnerability is exploited to realize a Threat.
© April 28, 2008 Nebraska Cyber Security Center MS-ISAC Annual Meeting

5 Definitions continued
Risk – A Risk is the quantifiable likelihood of loss due to a realized Threat (quantitative).
Countermeasures – Countermeasures are defensive technologies or modules that are used to detect, deter, or deny attacks.
Four types of Countermeasures:
Preventative
Reactive
Detective
Administrative

6 A Word about Threat Modeling
Threats are applied to assets.
If there are no assets, you cannot have an attack.
If the asset has no value, you have no Risk.
Threat modeling really forces you to understand the interactions between the various components within your application.
© September 21, 2018 Nebraska Cyber Security Center.

7 Components of a Vulnerability Assessment Program
What are they, you ask?

8 Five Main Components
Vulnerability Assessments and Testing
Threat Modeling
Remediation Management
Incident Response
Security Event Monitoring and Logging

9 Vulnerability Assessments and Testing
The State of Nebraska has purchased a product called Qualys.
Ability to perform assessments on 2,700 devices:
1,700 servers
1,000 network devices
Role-based web application that allows agencies to see only their own servers and assessments.
Ability to scan both internally and externally.
Can perform PCI audit scans.

10 Threat Modeling
Look for sources that identify vulnerabilities and threats:
US-CERT / MS-ISAC
SANS
Vendors
“If you know the enemy and know yourself, you need not fear the results of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” – Sun Tzu, The Art of War

11 Remediation Management
Patch Management:
SMS
WSUS
PatchLink
Server Hardening:
Disable all unnecessary ports and services
Limit administrative privileges
Firewall or other network controls
NITC Minimum Server Configuration Standard

12 Incident Response
An Incident Response Program contains five components:
Preparation
Analysis
Containment
Eradication
Recovery
NITC 8-401 Incident Response and Reporting Standard

13 Security Event Monitoring and Logging
Microsoft System Center Operations Manager (SCOM)
IDS/IPS
FortiAnalyzer
Cisco Compliance Manager
Others…

14 Demo
Bringing it all together?

15 Bringing it all together
We know we cannot eliminate all vulnerabilities, so we proactively look at lowering our Risk by reducing our ‘Attack Surface’.
By running regularly scheduled scans we can start to see trends develop internally that allow us to concentrate on areas showing weakness.
This allows us to prioritize the work we do (higher-risk servers receive attention before low-risk servers).
By accurately defining asset groups, we can create clear levels of responsibility and ownership.
Compliance, Compliance, Compliance.

16 Quiz

17 FAIR – Factor Analysis of Information Risk
Picture in your mind a worthless old bald tire. Imagine that it’s so bald you can hardly tell that it ever had any tread.
How much Risk is there?

18 FAIR – Factor Analysis of Information Risk
Next, imagine that the bald tire is tied to a rope hanging from a tree branch.
How much Risk is there?

19 FAIR – Factor Analysis of Information Risk
Now, imagine that the rope is frayed about halfway through, just below where it’s tied to the tree branch.
How much Risk is there?

20 FAIR – Factor Analysis of Information Risk
Finally, imagine that the tire swing is suspended over an 80-foot cliff – with sharp rocks below.
How much Risk is there?

21 FAIR – Factor Analysis of Information Risk
What if I told you the Risk for all four scenarios was the same?
What is the value of the tire?
Picture in your mind a worthless old bald tire. Imagine that it’s so bald you can hardly tell that it ever had any tread.

22 FAIR – Factor Analysis of Information Risk
Never forget that Risk is directly tied to the value of an asset.
Risk is not a thing… Risk is a derived value, similar to speed (a value derived from distance / time).
Don’t equate vulnerability with Risk: vulnerability is only one component of Risk.
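Added example, not part of the presentation: the FAIR-style derivation the slides describe, in Python, with constructed factor values for the four tire-swing scenarios and for three hypothetical servers (the names Scenario, derived_risk and prioritize, and every number, are assumptions made here for illustration).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One asset exposed to one threat. All values are constructed for illustration."""
    name: str
    asset_value: float             # probable loss magnitude if a loss event occurs
    threat_event_frequency: float  # expected threat events per year
    vulnerability: float           # probability (0..1) that a threat event becomes a loss event


def derived_risk(s: Scenario) -> float:
    """Risk as FAIR derives it: loss event frequency x probable loss magnitude.
    Like speed (distance / time), risk is not a thing but a value computed from its factors."""
    if not 0.0 <= s.vulnerability <= 1.0:
        raise ValueError("vulnerability must be a probability between 0 and 1")
    loss_event_frequency = s.threat_event_frequency * s.vulnerability
    return loss_event_frequency * s.asset_value


# The four tire-swing scenarios from the slides (constructed factor values).
# The tire is worthless, so asset_value stays 0 no matter how frayed the rope gets.
TIRE_SCENARIOS = [
    Scenario("bald tire on the ground", 0.0, 0.0, 0.0),
    Scenario("tire tied to a rope in a tree", 0.0, 50.0, 0.05),
    Scenario("rope frayed halfway through", 0.0, 50.0, 0.60),
    Scenario("frayed rope over an 80-foot cliff", 0.0, 50.0, 0.60),
]


def all_same_risk(scenarios) -> bool:
    """True when every scenario derives to the same risk value."""
    return len({round(derived_risk(s), 6) for s in scenarios}) == 1


def prioritize(scenarios):
    """Order remediation work by derived risk, highest first (the slide 15 rule)."""
    return sorted(scenarios, key=derived_risk, reverse=True)


# Hypothetical servers: two share the same vulnerability yet carry very different risk.
SERVERS = [
    Scenario("public web server, unpatched", 250_000.0, 120.0, 0.70),
    Scenario("internal test box, unpatched", 5_000.0, 4.0, 0.70),
    Scenario("payroll database, patched", 1_000_000.0, 20.0, 0.05),
]

if __name__ == "__main__":
    for s in TIRE_SCENARIOS + prioritize(SERVERS):
        print(f"{s.name:40s} risk = {derived_risk(s):>14,.2f}")
```

With the tire's value at zero every scenario derives the same risk, while two servers with an identical vulnerability rank far apart once asset value and threat frequency enter the calculation.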

23 Q & A

24 Resources
NIST SP 800-37
FIPS 199
FISMA
Wilson, Carl; What Is Certification and Accreditation? Article added 03/21/2007

