Vulnerability management

•Download as PPTX, PDF•

0 likes•461 views

CarlThorp

Presentation to Salford University MSc Information Security students

Data & Analytics

2015
VULNERABILITY KILL CHAIN
Carl Thorp
MSc FBCS CITP M.Inst.ISP VRSM CISM CGEIT CISSP CLAS CCP.RA
CCP.SA

What is Vulnerability
• Vulnerability is a measure
of the extent to which a
community, structure,
service or geographical
area is likely to be
damaged or disrupted, on
account of its nature or
location, by the impact of
a particular disaster
hazard [OECD 2015]

What is Vulnerability
• A weakness of an asset or
group of assets that can be
exploited by one or more
threats [ISO/IEC 13335-
1:2004]
• Or anything attackers find
that they can exploit

Vulnerability Management
• The identification of
vulnerabilities that can be
exploited within a system
– Vulnerability Assessment
– Penetration Testing
• The remediation / risk
management of
vulnerabilities

Types of Testing
• SAST
• DAST
– Web Layer
– Host / Infrastructure
– Database
• Manual validation
• ITS NOT A PEN TEST

• Business1
• Environmental2
• Threat3
Context

Business Context
• Business drivers and
objectives
• Understand your assets
• We want to be Secure but
we DO NOT WANT Security
– John Callas PGP, Apple,
Entrust & Silent Circle
• System 1 & System 2
thinking

Environmental Context
• Understand your assets
• Understand the operating
environment
• Deep knowledge of
compensating controls
• Tool selection

Threat Intel
• External Threats
– Indirect Intel
– Direct Intel
• Internal Threats

Get Message Right
• Less blah blah blah
• Use business context
examples
• Negative to positive
• Do not belittle people
– Israel Barrack ex-Israeli
Defence Force Red Team
Lead

Kill Chain
Projects
Asset
Mgmt.
Threat Intelligence
VMS
Onboard
Test Analysis Resolution
Decom
a
Incidents
Report

Conclusion
• Work with your organisation
not against it
• Plan ahead
• Understand your
environment
• Develop threat intelligence

Useful Links / Feeds
RSS Feeds
https://isc.sans.edu/rssfeed.xml
rhttp://feeds.feedburner.com/sucuri/blog
http://seclists.org/rss/fulldisclosure.rss
http://www.intelligentexploit.com/feed/
https://community.rapid7.com/Rapid7_ViewAll?tag=Metasploit&type=blog
Podcasts
http://securityweekly.com/podcast/psw.xml
https://isc.sans.edu/dailypodcast.xml
http://leo.am/podcasts/sn
All Round Defence / WestThor Ltd take no responsibility for the content of these sites / podcasts

What's hot

Risk Assessment and Threat Modelingsedukull

Vulnerability Assessmentprimeteacher32

Bescherm jezelf tegen ransomwareSophos Benelux

Vulnerability Management: What You Need to Know to Prioritize RiskAlienVault

Blue Ocean IT SecurityJonathan Sinclair

Risk Factory Information Security Coordination Challenges & Best PracticeRisk Crew

Effective Vulnerability ManagementVicky Ames

Planning and Deploying an Effective Vulnerability Management ProgramSasha Nunke

Application Control - Maintenance Headache or Manageable Solution?Ivanti

Incident response live demo slides finalAlienVault

Implementing Vulnerability Management Argyle Executive Forum

Saner 2.0 product sheetSecPod Technologies

Software Vulnerabilities Risk RemediationBruce Hafner

Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsAlienVault

SecPod SanerChandrashekhar B

Creating Correlation Rules in AlienVaultAlienVault

Demo how to detect ransomware with alien vault usm_ggAlienVault

What's hot (17)

Risk Assessment and Threat Modeling

Vulnerability Assessment

Bescherm jezelf tegen ransomware

Vulnerability Management: What You Need to Know to Prioritize Risk

Blue Ocean IT Security

Risk Factory Information Security Coordination Challenges & Best Practice

Effective Vulnerability Management

Planning and Deploying an Effective Vulnerability Management Program

Application Control - Maintenance Headache or Manageable Solution?

Incident response live demo slides final

Implementing Vulnerability Management

Saner 2.0 product sheet

Software Vulnerabilities Risk Remediation

Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits

SecPod Saner

Creating Correlation Rules in AlienVault

Demo how to detect ransomware with alien vault usm_gg

Viewers also liked

Cal Net Tech Talk Webinar Vulnerability Management 101-10 Essential Rules to ...Laryssa Mereszczak

Vulnerability and Risk Management in Megacities: The Case of IstanbulGlobal Risk Forum GRFDavos

Innovating mental health at Europe - Catalonia (Spain)PARC DE SALUT

Vulnerability Management In An Application Security World: AppSecDCDenim Group

Information Secuirty Vulnerability Managementtschraider

Vulnerability ManagementRisk Analysis Consultants, s.r.o.

Vulnerability and Patch Managementn|u - The Open Security Community

Patch and Vulnerability ManagementMarcelo Martins

La gouvernance au cœur de la transformation numérique - Comment COBIT 5 peut ...Antoine Vigneron

Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...Security Weekly

How to write a story. mrsgabriela

tư vấn làm phim quảng cáo 3dbroderick225

Натурал сандардың ең кіші ортақ еселігін табуға есептер шығаруBilim All

Resume_YasirGhauri_HODYasir Ghauri

AFOLABI BOLUWATIFE JOSEPHAfolabi Boluwatife

500 conectoresGrupo Educación y Empresa

Viewers also liked (16)

Cal Net Tech Talk Webinar Vulnerability Management 101-10 Essential Rules to ...

Vulnerability and Risk Management in Megacities: The Case of Istanbul

Innovating mental health at Europe - Catalonia (Spain)

Vulnerability Management In An Application Security World: AppSecDC

Information Secuirty Vulnerability Management

Vulnerability Management

Vulnerability and Patch Management

Patch and Vulnerability Management

La gouvernance au cœur de la transformation numérique - Comment COBIT 5 peut ...

Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...

How to write a story.

tư vấn làm phim quảng cáo 3d

Натурал сандардың ең кіші ортақ еселігін табуға есептер шығару

Resume_YasirGhauri_HOD

AFOLABI BOLUWATIFE JOSEPH

500 conectores

Similar to Vulnerability management

Future-proofing Supply Chain against emerging Cyber-physical ThreatsSteven SIM Kok Leong

3_orm.pptdantx32914

Module 6.pptxssuser66c4d5

Preparing for a Black Swan: Planning and Programming for Risk Mitigation in E...juliekannai

ch01.pptsamsam693199

information security presentation topicsOlajide Kuku

educational content, educational contented educational contentOlajide Kuku

Tour of duty - risk managementSeta Wicaksana

INFORMATION SECURITY STUDY GUIDE for STUDENTShenlydailymotion

IIA August Briefing_15AUG2015Robert Baldi

Stay Ahead of Threats with Advanced Security Protection - FortinetMarcoTechnologies

Cybersecurity risk management 101Srinivasan Vanamali

Information Security Risk Management and Compliance.pptxAbraraw Zerfu

IS-Risk-Management-Lecture-2.pdfAbdulrafiiMohammed

Using an Open Source Threat Model for Prioritized DefenseEnclaveSecurity

Sales-deck-pitch-Cyberpion-sales-pitch-deck- v4.pptxfavoritechildband

Health information security session 4 risk managementDr. Lasantha Ranwala

Challenges in implementating cyber securityInderjeet Singh

Wasn't expecting that! Now what?Jisc

Lessons from Texas City | Michael P. Broadribb, Baker Engineering & Risk Cons...Cairn India Limited

Similar to Vulnerability management (20)

Future-proofing Supply Chain against emerging Cyber-physical Threats

3_orm.ppt

Module 6.pptx

Preparing for a Black Swan: Planning and Programming for Risk Mitigation in E...

ch01.ppt

information security presentation topics

educational content, educational contented educational content

Tour of duty - risk management

INFORMATION SECURITY STUDY GUIDE for STUDENTS

IIA August Briefing_15AUG2015

Stay Ahead of Threats with Advanced Security Protection - Fortinet

Cybersecurity risk management 101

Information Security Risk Management and Compliance.pptx

IS-Risk-Management-Lecture-2.pdf

Using an Open Source Threat Model for Prioritized Defense

Sales-deck-pitch-Cyberpion-sales-pitch-deck- v4.pptx

Health information security session 4 risk management

Challenges in implementating cyber security

Wasn't expecting that! Now what?

Lessons from Texas City | Michael P. Broadribb, Baker Engineering & Risk Cons...

Recently uploaded

Best VIP Call Girls Noida Sector 22 Call Me: 8448380779Delhi Call girls

CebaBaby dropshipping via API with DroFX.pptxolyaivanovalion

Abortion pills in Doha Qatar (+966572737505 ! Get CytotecAbortion pills in Riyadh +966572737505 get cytotec

VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...SUHANI PANDEY

CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE9953056974 Low Rate Call Girls In Saket, Delhi NCR

Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdfRachmat Ramadhan H

Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 nightDelhi Call girls

Schema on read is obsolete. Welcome metaprogramming..pdfLars Albertsson

Discover Why Less is More in B2B Researchmichael115558

Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083

Mature dropshipping via API with DroFx.pptxolyaivanovalion

Halmar dropshipping via API with DroFxolyaivanovalion

Accredited-Transport-Cooperatives-Jan-2021-Web.pdfadriantubila

Invezz.com - Grow your wealth with trading signalsInvezz1

(NEHA) Call Girls Katra Call Now 8617697112 Katra Escorts 24x7Call Girls in Nagpur High Profile Call Girls

Data-Analysis for Chicago Crime Data 2023ymrp368

BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort ServiceDelhi Call girls

Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al BarshaAroojKhan71

100-Concepts-of-AI by Anupama Kate .pptxAnupama Kate

Week-01-2.ppt BBB human Computer interactionfulawalesam

Recently uploaded (20)

Best VIP Call Girls Noida Sector 22 Call Me: 8448380779

CebaBaby dropshipping via API with DroFX.pptx

Abortion pills in Doha Qatar (+966572737505 ! Get Cytotec

VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...

CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE

Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf

Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night

Schema on read is obsolete. Welcome metaprogramming..pdf

Discover Why Less is More in B2B Research

Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call

Mature dropshipping via API with DroFx.pptx

Halmar dropshipping via API with DroFx

Accredited-Transport-Cooperatives-Jan-2021-Web.pdf

Invezz.com - Grow your wealth with trading signals

(NEHA) Call Girls Katra Call Now 8617697112 Katra Escorts 24x7

Data-Analysis for Chicago Crime Data 2023

BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service

Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha

100-Concepts-of-AI by Anupama Kate .pptx

Week-01-2.ppt BBB human Computer interaction

Vulnerability management

1. 2015 VULNERABILITY KILL CHAIN Carl Thorp MSc FBCS CITP M.Inst.ISP VRSM CISM CGEIT CISSP CLAS CCP.RA CCP.SA

2. Welcome

3. What is Vulnerability • Vulnerability is a measure of the extent to which a community, structure, service or geographical area is likely to be damaged or disrupted, on account of its nature or location, by the impact of a particular disaster hazard [OECD 2015]

4. What is Vulnerability • A weakness of an asset or group of assets that can be exploited by one or more threats [ISO/IEC 13335- 1:2004] • Or anything attackers find that they can exploit

5. Vulnerability Management • The identification of vulnerabilities that can be exploited within a system – Vulnerability Assessment – Penetration Testing • The remediation / risk management of vulnerabilities

6. Types of Testing • SAST • DAST – Web Layer – Host / Infrastructure – Database • Manual validation • ITS NOT A PEN TEST

7. Why is it difficult?

8. • Business1 • Environmental2 • Threat3 Context

9. Getting it Right

10. Business Context • Business drivers and objectives • Understand your assets • We want to be Secure but we DO NOT WANT Security – John Callas PGP, Apple, Entrust & Silent Circle • System 1 & System 2 thinking

11. Environmental Context • Understand your assets • Understand the operating environment • Deep knowledge of compensating controls • Tool selection

12. Threat Intel • External Threats – Indirect Intel – Direct Intel • Internal Threats

13. Get Message Right • Less blah blah blah • Use business context examples • Negative to positive • Do not belittle people – Israel Barrack ex-Israeli Defence Force Red Team Lead

14. Kill Chain

15. Kill Chain Projects Asset Mgmt. Threat Intelligence VMS Onboard Test Analysis Resolution Decom a Incidents Report

16. Conclusion • Work with your organisation not against it • Plan ahead • Understand your environment • Develop threat intelligence

17. QUESTIONS?

18. APPENDIX

19. Useful Links / Feeds RSS Feeds https://isc.sans.edu/rssfeed.xml rhttp://feeds.feedburner.com/sucuri/blog http://seclists.org/rss/fulldisclosure.rss http://www.intelligentexploit.com/feed/ https://community.rapid7.com/Rapid7_ViewAll?tag=Metasploit&type=blog Podcasts http://securityweekly.com/podcast/psw.xml https://isc.sans.edu/dailypodcast.xml http://leo.am/podcasts/sn All Round Defence / WestThor Ltd take no responsibility for the content of these sites / podcasts

Vulnerability management

Recommended

Recommended

More Related Content

What's hot

What's hot (17)

Viewers also liked

Viewers also liked (16)

Similar to Vulnerability management

Similar to Vulnerability management (20)

Recently uploaded

Recently uploaded (20)

Vulnerability management