Presentation is loading. Please wait.

Presentation is loading. Please wait.

HP World September 2002 Scott S. Blake, CISSP Vice President, Information Security BindView Corporation Vulnerability Assessment and Action.

Published byMyra Holmes Modified over 9 years ago

Similar presentations

Presentation on theme: "HP World September 2002 Scott S. Blake, CISSP Vice President, Information Security BindView Corporation Vulnerability Assessment and Action."— Presentation transcript:

1 HP World September 2002 Scott S. Blake, CISSP Vice President, Information Security BindView Corporation Vulnerability Assessment and Action

2 Agenda Introduction Analyzing a Vulnerability Types of Assessment Programs –Basic Vulnerability Assessment –Advanced Vulnerability Assessment –Application Vulnerability Assessment Understanding the Limitations of Technology Conclusion

3 Introduction Fear, Uncertainty, and Doubt –90% report security breach, up from 42% in 1996 –74% cite the Internet as a frequent source of attack, up from 59% –Reported Losses totaled over $455 million –Fraud and theft cost the most, 55 respondents reported losses of over $286 million –34% reported breaches to law enforcement, up from 16% in 1996 –21% didn’t know if their web server had been attacked From the 2002 CSI/FBI Survey

4 Introduction The Risk Management Equation: Risk = (Threat + Vulnerability) * Value

5 Introduction Understand your Threat Model –Insider Fraud –External Thieves, Spies, etc. –Customers –Ankle-Biters Design an Appropriate Security Policy –Identify Key Assets –Identify Risks and Threats –Build and Maintain Countermeasures –Continually Re-assess

6 Introduction Vulnerability Assessment Technologies –Network-Based Mostly Non-Credentialed Inferential v. “Live Fire” Generally Does Not Play Well with Others Sometimes Finds Things Host-based cannot –Host-based Depends on Administrative Access Often Requires Code on Box Generally More Accurate than Network-based Sometimes Finds Things Network-based cannot –Issues Scalability, Reliability, Manageability

7 Analyzing a Vulnerability Notifications –Monitor Open Sources Triage Function –Affected Platforms –Impact of Exploit –Map Vulnerability to Risk –Prioritize Determine Action –Apply Patch? –Shut down service? –Reconfigure? –Emergency or Regular Procedure?

8 Analyzing a Vulnerability Consider Organizational/Functional Issues –Who found the vulnerability? –Who needs to take the action? –Have business continuity issues been considered while analyzing the priority?

9 Basic Vulnerability Assessment Goal: Stop the Ankle-Biters Network Assessment of Internet-facing systems –Find and close the Big Holes Actions: –Strip out unnecessary services –Apply the important patches –Minimize user accounts –Tighten ACLs

10 Basic Vulnerability Assessment How To: –Consider Outsourcing –Run a network scanner daily or weekly –Keep the scanner up to date –Establish baseline configuration –Alert staff when there are exceptions

11 Advanced Vulnerability Assessment Goal: Stop External Attackers and Insider Fraud Mostly Host-based Assessment Actions: –Minimize user privileges –Maintain security standards on workstations and servers –Automate vulnerability discovery

12 Advanced Vulnerability Assessment How To: –Define security policies and standards –Scan regularly (at least monthly) for exceptions –Respond swiftly to exceptions on a tiered basis –Maintain a test lab for patches, verify them quickly –Keep the scanner up to date –Consider Outsourcing the scans –Distribute the information load

13 Application Vulnerability Assessment Goal: Stop Customers and Attackers Usually a consulting engagement Actions: –Design for Security in the Beginning –Code Review –Ethical Hacking, aka Adversary Testing

14 Application Vulnerability Assessment How To: –Consider Outsourcing –Involve security staff in earliest design phases –Use peer code review within development –Use outside experts for security code review –Engage reputable firm for adversary testing

15 Understanding the Limitations of Technology Firewalls –Must have holes to function Intrusion Detection –Limited to known signatures –May be subject to attack/evasion Anti-Virus –Limited to known signatures –Must be kept constantly updated Encryption –VPN/SSL only provide transmission security, not endpoint –Data storage encryption good, but key management is the bottleneck Vulnerability Assessment –Limited to known signatures –Balance reliability v. impact on targets

16 Conclusion Understand the Threat Model Constantly Search for Vulnerabilities Combine Threat and Vulnerability to Manage Risk Use Technology, but Know the Limits

17 Q&A Questions?

Download ppt "HP World September 2002 Scott S. Blake, CISSP Vice President, Information Security BindView Corporation Vulnerability Assessment and Action."

Similar presentations

ETHICAL HACKING A LICENCE TO HACK

ETHICAL HACKING A LICENCE TO HACK
The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.
1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.

1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.
Current Security Threats WMO CBS ET-CTS Toulouse, France 26-30 May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.

Current Security Threats WMO CBS ET-CTS Toulouse, France May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.
Hackers, Crackers, and Network Intruders: Heroes, villains, or delinquents? Tim McLaren Thursday, September 28, 2000 McMaster University.

Hackers, Crackers, and Network Intruders: Heroes, villains, or delinquents? Tim McLaren Thursday, September 28, 2000 McMaster University.
E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.

E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.
1 Telstra in Confidence Managing Security for our Mobile Technology.

1 Telstra in Confidence Managing Security for our Mobile Technology.
Blended Threats and Layered Defenses Security Protection in Today’s Environment Marshall Taylor

Blended Threats and Layered Defenses Security Protection in Today’s Environment Marshall Taylor
Chapter 12 Network Security.

Chapter 12 Network Security.
Global Information Security Issues According to the E&Y Global Survey, Managers Say the Right Thing… –90% of 1400 companies surveyed in 66 countries say.

Global Information Security Issues According to the E&Y Global Survey, Managers Say the Right Thing… –90% of 1400 companies surveyed in 66 countries say.
Security Awareness: Applying Practical Security in Your World Chapter 6: Total Security.

Security Awareness: Applying Practical Security in Your World Chapter 6: Total Security.
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
By Edith Butler Fall 2008. Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.

By Edith Butler Fall Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.
Introducing Quick Heal Endpoint Security 5.3. “Quick Heal Endpoint Security 5.3 is designed to provide simple, intuitive centralized management and control.

Introducing Quick Heal Endpoint Security 5.3. “Quick Heal Endpoint Security 5.3 is designed to provide simple, intuitive centralized management and control.
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.
Network security policy: best practices

Network security policy: best practices
SiteLock Internet Security: Big Threats for Small Business.

SiteLock Internet Security: Big Threats for Small Business.
Morris Bennett Altman Director of Network Services Internet Security Officer Queens College, CUNY Are You Exposed? Network Security.

Morris Bennett Altman Director of Network Services Internet Security Officer Queens College, CUNY Are You Exposed? Network Security.
Sam Cook April 18, 2013. Overview What is penetration testing? Performing a penetration test Styles of penetration testing Tools of the trade.

Sam Cook April 18, Overview What is penetration testing? Performing a penetration test Styles of penetration testing Tools of the trade.
The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions 631-692-5175 Steve Katz, CISSP Security.

The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions Steve Katz, CISSP Security.

Similar presentations

Ads by Google