
Copyright Security-Assessment.com 2004 Vulnerability Management Explained By Peter Benson.


1 Vulnerability Management Explained, by Peter Benson

2 By the Numbers…
– 67% of senior tech executives admit their organization has experienced a security breach in the past 12 months. (But 41% did not report the incident to authorities.) — BusinessWeek, from a PricewaterhouseCoopers/CIO Magazine study
– 99% of security breaches target known vulnerabilities for which there are existing countermeasures. — CERT Coordination Center
– 150,000+ network security incidents occurred in 2003. The number of reported incidents has been approximately doubling annually since 2000. — CERT
– $42 billion in economic damages worldwide was inflicted last year due to digital attacks. — mi2g

3 Why Vulnerability Management?
Building a strong program based on mitigating known vulnerabilities has shifted from a security-centric process to an operational necessity for business success. The root cause of the problem is the existence of vulnerabilities in the corporate network. Vulnerability Management, the discovery of vulnerabilities and the assessment of the risk they pose to the network, is a critical part of the business landscape for long-term success.

4 Why Vulnerability Management?
Patch Management is ineffective and inefficient. The smarter approach is to invest in a vulnerability management process that lets you automatically and cost-effectively decide whether to eliminate, mitigate or tolerate each threat, based on its risk and the cost of repair.

5 What is Vulnerability Management?
Dynamic best practices (Yankee Group, 2004):
– Classify. Assign network resources to a hierarchy based on criticality
– Measure. Assess security performance in reducing exposure to key vulnerabilities
– Integrate. Vulnerability Management bolsters the effectiveness of patch management, configuration control, and early warning
– Audit. Regularly audit the effectiveness of integrated vulnerability processes

6 Laws of Vulnerabilities

7 The Law of Half Life
Lessons learned:
– You can’t patch them all at once
– Mitigate more than the remaining half of the vulnerabilities over the next month
– Improve the reduction in risk in the enterprise by shrinking the half life to less than 30 days
Best practices: Patch within 21 days for critical systems, and a rollout procedure to other assets based on their priority level

8 The Law of Prevalence
Lessons learned:
– New critical vulnerabilities occur throughout the year
– Half of the vulnerabilities still exist in the network a year later
– Vulnerability Management is a never-ending process
Best practices: Continually test assets for weaknesses; test critical assets a minimum of every 5 to 10 days. This frequency may need to increase

9 The Law of Persistence
Lessons learned:
– Scan configurations of new equipment to be sure they do not reintroduce old vulnerabilities to the network
– Be alert for vulnerabilities that may be lurking in application code
Best practices: Continually test assets to uncover reintroduced weaknesses. Scan critical assets a minimum of every 5 to 10 days. This is an ongoing process
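The Law of Persistence asks for two checks that a scan history makes mechanical: did a finding that had been remediated come back on the same asset, and did newly built equipment arrive carrying a vulnerability the organisation had already fixed elsewhere. The following script is an added example, not material from the deck or from Security-Assessment.com; the Scan shape, the host names and the scan dates are constructed for illustration. It deliberately records which assets each run actually covered, so that a finding missing from a run only counts as fixed when its asset was scanned, and it also flags assets whose last scan is older than the deck's 5 to 10 day window.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Tuple

Finding = Tuple[str, str]  # (asset, vuln_id)


@dataclass(frozen=True)
class Scan:
    day: date
    assets: FrozenSet[str]        # every asset the scanner actually covered in this run
    findings: FrozenSet[Finding]  # (asset, vuln_id) pairs the run reported


# Constructed sample scan history for illustration only (not real scan data).
SCANS = [
    Scan(date(2004, 3, 1), frozenset({"web01", "web02", "db01"}),
         frozenset({("web01", "V-001"), ("web02", "V-001"), ("db01", "V-002")})),
    # db01 was in a maintenance window and not scanned; both web hosts were patched
    Scan(date(2004, 3, 10), frozenset({"web01", "web02"}), frozenset()),
    # web01 regressed, and a newly built web04 arrived carrying the already-fixed V-001
    Scan(date(2004, 3, 20), frozenset({"web01", "web04", "db01"}),
         frozenset({("web01", "V-001"), ("web04", "V-001"), ("db01", "V-002")})),
]
TODAY = date(2004, 3, 28)  # constructed reporting date


def persistence_report(scans):
    """Walk the scans in date order and return two lists of (day, asset, vuln_id):
    findings that were remediated and later came back on the same asset, and
    findings on newly seen assets for a vulnerability already fixed elsewhere.
    A finding is only marked fixed when its asset was actually scanned and the
    finding was absent; an asset that was not scanned tells us nothing."""
    status = {}             # finding -> "open" | "fixed"
    known_assets = set()
    fixed_vuln_ids = set()  # vuln_ids remediated at least once on any asset
    reintroduced, inherited = [], []
    for scan in sorted(scans, key=lambda s: s.day):
        new_assets = scan.assets - known_assets
        for finding in sorted(scan.findings):
            asset, vuln_id = finding
            if status.get(finding) == "fixed":
                reintroduced.append((scan.day, asset, vuln_id))
            elif asset in new_assets and vuln_id in fixed_vuln_ids:
                inherited.append((scan.day, asset, vuln_id))
            status[finding] = "open"
        for finding, state in status.items():
            asset, vuln_id = finding
            if state == "open" and asset in scan.assets and finding not in scan.findings:
                status[finding] = "fixed"
                fixed_vuln_ids.add(vuln_id)
        known_assets |= scan.assets
    return reintroduced, inherited


def stale_assets(scans, today: date, max_gap_days: int = 10):
    """Assets whose most recent scan is older than the allowed gap (deck: 5 to 10 days)."""
    last_seen = {}
    for scan in scans:
        for asset in scan.assets:
            if asset not in last_seen or scan.day > last_seen[asset]:
                last_seen[asset] = scan.day
    return sorted(a for a, d in last_seen.items() if (today - d).days > max_gap_days)


if __name__ == "__main__":
    back, inherited = persistence_report(SCANS)
    for day, asset, vuln in back:
        print(f"{day}: {vuln} reintroduced on {asset}")
    for day, asset, vuln in inherited:
        print(f"{day}: new asset {asset} arrived with previously fixed {vuln}")
    print("assets overdue for a scan:", stale_assets(SCANS, TODAY))
```

Note that db01's V-002 is correctly not reported as reintroduced: it was never marked fixed, because the only run in which it was absent did not cover db01 at all. Feeding the scanner's coverage list into the comparison, rather than only its findings, is what keeps that distinction.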

10 The Law of Exploitation
Lessons learned:
– Keep an eagle eye on key vendors for early warnings of available patches for critical resources
– Make a team decision on when to patch
– Integrate with automated patch management and configuration control systems. Verify the patch has eliminated the weakness
– Be prepared to scan for vulnerabilities on an attack basis

11 Yankee Group Dynamic Best Practice Model

12 Dynamic Best Practice - Classify
– Classify network resources
– Tier the hierarchy of assets by value to the business

13 Dynamic Best Practice - Measure
– Measure your network against the half life and persistence curves
– Measure team performance by the half life results and the treatment of the persistence law
– Use gathered metrics to communicate the security problem to Senior Management
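The Law of Half Life (slide 7) and the Measure practice (slide 13) both turn on one metric: how quickly the population of known findings shrinks after discovery, and whether critical systems meet the 21-day target. The script below is an added example, not code from the deck or from Security-Assessment.com. It computes the remaining-fraction curve and the half life from a list of findings, then lists findings that missed their tier's remediation target. The Finding shape, the sample hosts and dates are constructed; the 21-day figure for tier 1 comes from the deck, while the tier 2 and tier 3 targets are assumed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Per-tier remediation targets in days. Tier 1 is the deck's "patch critical
# systems within 21 days"; the tier 2 and tier 3 values are assumptions.
SLA_DAYS = {1: 21, 2: 45, 3: 90}


@dataclass(frozen=True)
class Finding:
    asset: str
    tier: int               # 1 = most critical to the business (Classify step)
    vuln_id: str
    found: date             # first scan that reported it
    fixed: Optional[date]   # first scan that no longer reported it; None = still open


# Constructed sample findings for illustration only (not real scan data).
TODAY = date(2004, 6, 1)
FINDINGS = [
    Finding("web01", 1, "V-001", date(2004, 4, 1), date(2004, 4, 10)),
    Finding("web02", 1, "V-001", date(2004, 4, 1), date(2004, 4, 25)),
    Finding("db01", 1, "V-002", date(2004, 4, 15), None),
    Finding("file01", 2, "V-002", date(2004, 4, 15), date(2004, 5, 20)),
    Finding("print01", 3, "V-003", date(2004, 3, 1), None),
    Finding("dev01", 3, "V-001", date(2004, 4, 1), date(2004, 5, 1)),
    Finding("web03", 1, "V-003", date(2004, 5, 1), date(2004, 5, 5)),
    Finding("app01", 2, "V-004", date(2004, 5, 10), None),
]


def days_to_fix(f: Finding, today: date = TODAY) -> int:
    """Age of the finding at remediation, or its current age if still open."""
    return ((f.fixed or today) - f.found).days


def remaining_fraction(findings, day: int, today: date = TODAY) -> float:
    """Fraction of findings NOT remediated within `day` days of discovery.
    Open findings count as unremediated at every horizon (the pessimistic curve)."""
    unfixed = sum(1 for f in findings if f.fixed is None or days_to_fix(f, today) > day)
    return unfixed / len(findings)


def half_life(findings, horizon: int = 365, today: date = TODAY) -> Optional[int]:
    """Smallest number of days by which half of the findings were remediated,
    or None if that point is never reached within `horizon` days."""
    for d in range(horizon + 1):
        if remaining_fraction(findings, d, today) <= 0.5:
            return d
    return None


def sla_breaches(findings, today: date = TODAY):
    """Findings that exceeded their tier's target: fixed late, or still open past it."""
    out = []
    for f in findings:
        age = days_to_fix(f, today)
        if age > SLA_DAYS[f.tier]:
            out.append((f.asset, f.vuln_id, age, "open" if f.fixed is None else "fixed"))
    return sorted(out)


if __name__ == "__main__":
    print("half life (days):", half_life(FINDINGS))
    for d in (0, 7, 14, 21, 30):
        print(f"  remaining after {d:>2} days: {remaining_fraction(FINDINGS, d):.0%}")
    for asset, vuln, age, state in sla_breaches(FINDINGS):
        print(f"missed target: {asset} {vuln} {state} after {age} days")
```

With the constructed data the half life lands at exactly 30 days, so this network meets the deck's threshold only marginally, and the breach list separates findings that were fixed late from those still open, which is the split a management report needs. Counting open findings as unremediated at every horizon is deliberate: it keeps a backlog of recently found but unpatched items from flattering the curve.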

14 Dynamic Best Practice - Integrate
– Integrate with discovery systems such as network integrity systems
– Integrate with patch management systems to confirm completion of the task
– Integrate into management reporting portals. Take the mystery out of security.

15 Dynamic Best Practice - Audit
– Evaluate actual vulnerability management results against targeted metrics
– Regularly review vulnerability management reports with the security teams
– Measure the performance of security teams by the reduction of critical vulnerabilities

16 Vulnerability Management Business Models
(Diagram: stages Discovery, Business Prioritisation, Assessment, Analysis and Policy Compliance, Remediation, shown as Model 1 and Model 2)

17 Summary of Dynamic Best Practices

18 VM and Qualys Solutions

19 Business Reporting and Risk Management

20 Business Reporting

21 Questions?

