Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Program
© Copyright Defensive Intuition, LLC 2004-2015
Paul Asadoorian
Day: Product Strategist, Tenable Network Security
Nights & Weekends: Founder & CEO, Security Weekly
About Paul
Agenda
• Some slides with random pictures from the Internet
• Paul talks about vulnerability management over said slides
• Folks may have questions or challenge my thoughts/ideas (please do)
• More random Internet pictures
• Paul ranting a bit more while laughing at ridiculous pictures
• These are the only bullets in this presentation…
• End with tips on how to be successful
Vulnerability Management…
You have all the right tools…
A Robot, Ninja & Pirate Get Into a Fight, Who Wins?
We have arguments like this all the time.
Sometimes they center around vulnerability management…
Why Do We Need Vulnerability Management?
You
The Internet
Don’t Be Blind…
You can’t fix what you don’t know is broken…
Meet The Robots, Ninjas and Pirates in the Security Dept.
The Robot
Without a care in the world…
“Going to scan the network!”
The Robot
Cares even less how long the report will be…
File -> Print…
Reporting!!!!
The Robot
What your network looks like after the scan…
The Robot
What the sysadmins, network admins, developers, help desk and operations are saying about you…
Robots reporting to management
“The chances of cross-site scripting being exploited are 725 to 1. It’s quite possible the buffer overflow attacks aren’t quite stable. The odds of successfully surviving an attack on the Apache web server are… [Shut up, 3PO!] They’ve encased the web server in a WAF; it should be quite well protected, unless there is a bypass. I noticed the IPS pre-processor rules are damaged; it’s impossible to block attacks.”
Moral of the story…
The Ninjas
Wrote Nmap script to patch everything and disable TELNET.
The Report
The Network
Problems can be mysterious….
Sysadmins be like…
Ninjas be like…
Pirates
To find the booty…
I’m gonna scan your network. Hard.
During the scan…
The Report
Pirate in meeting after report has been distributed
Patch your shit!
Aaaaaaaaaarrgh!!
Pirates Lack Social Skillz
Sysadmins: Fear them…
Meet the Robots, Ninja and Pirate Attackers
Perception Of Scanning
Even a broken clock is right twice a day
“Your slave?”
“You wish! You'll do shitwork, scan, crack copyrights…”
Attackers, like robots, automate…
Attacks above are common, but less severe (typically)
Or APT, or Cyber<something>
Ninjas
Cyber Pirate Attackers
Pirates will steal bandwidth, often very loud.
Now We Understand Some Of The Dynamics
What we learned up to this point:
Vulnerability Management is HARD, attackers will not let up.
Shortcuts Are Trouble
“We’ll just scan once per quarter”
“We can just use the default scan policy”
“We can just scan parts of the network”
“We don’t care about finding all the vulnerabilities. Just show me the important ones. I can’t fix everything, so don’t bother showing me everything.”
5 Reasons Why This Will End Badly
#1 What you don’t know will probably be the thing that hurts you
#2 Ask any evil bad guy or penetration tester and they will tell you “we string together seemingly low severity vulnerabilities to achieve a goal”
Example: Chris Gates, From Low to Pwned (2012): https://www.youtube.com/watch?v=u68QvWXYW_Q
#3 External conditions change: the absence of a public exploit today doesn’t mean there will not be one in the future (or that someone doesn’t already have it), so don’t skip patching a vulnerability on that basis
#4 Internal conditions change. Not discovering vulnerabilities in XYZ software because you don’t use XYZ software is dangerous
Someone could be installing XYZ software as we speak
For Example…
#5 Vulnerability management is a historical reference.
You may not care which USB devices were plugged into your systems today, but when malware spreads via USB devices tomorrow…
Malware Here?
“Just send them the raw results”
“Just patch CVSS > 8.0”
Goals & Results Matter…
Results Matter, Don’t Be Lazy
No one reads raw results
Can You Make That 8 a 7?
CVSS is subjective
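An added illustration (not from the slides) of why the “Just patch CVSS > 8.0” shortcut and the later goal of defining priorities pull in different directions: the sample findings, the asset criticality tags and the weighting below are all constructed for this example, and the weights are an assumption, not a standard.

```python
"""Constructed example: a CVSS cut-off versus context-aware prioritisation."""
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    check: str               # scanner check name (constructed)
    cvss: float              # base score as the scanner reports it
    internet_facing: bool    # exposure, from the asset inventory
    public_exploit: bool     # external condition that changes over time (#3)
    asset_criticality: int   # 1 (lab box) .. 5 (crown jewels), set by the owner


def cvss_threshold(findings, cutoff=8.0):
    """The shortcut from the slides: anything at or below the cut-off is ignored."""
    return [f for f in findings if f.cvss > cutoff]


def risk_rank(findings):
    """Priority = CVSS adjusted by context the base score cannot know about.
    Exposure and a public exploit each raise the score; a low-value asset
    lowers it. Weights are illustrative assumptions, not a standard."""
    def score(f):
        s = f.cvss
        s *= 1.5 if f.internet_facing else 1.0
        s *= 1.5 if f.public_exploit else 1.0
        s *= f.asset_criticality / 3      # criticality 3 is neutral
        return round(s, 1)
    return sorted(((score(f), f) for f in findings), key=lambda t: -t[0])


def threshold_misses(findings, top_n=2, cutoff=8.0):
    """Hosts in the top-N of the risk ranking that the cut-off would have dropped."""
    kept = {f.host for f in cvss_threshold(findings, cutoff)}
    return [f.host for _, f in risk_rank(findings)[:top_n] if f.host not in kept]


SAMPLE = [  # constructed findings, not real scan output
    Finding("www-01", "outdated TLS library", 6.8, True, True, 5),
    Finding("dev-17", "local privilege escalation", 8.4, False, False, 1),
    Finding("db-02", "default credentials", 9.8, False, True, 5),
    Finding("kiosk-3", "information disclosure", 4.3, True, False, 2),
]

if __name__ == "__main__":
    print("cut-off keeps:", [f.host for f in cvss_threshold(SAMPLE)])
    for s, f in risk_rank(SAMPLE):
        print(f"{s:5.1f}  {f.host:8s} {f.check} (CVSS {f.cvss})")
    print("missed by cut-off:", threshold_misses(SAMPLE))
```

The CVSS 6.8 finding on the exposed, exploitable, high-value web server ranks first while the CVSS 8.4 finding on an isolated lab box ranks last, which is the point of the slide: the number alone is not the priority.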
Vulnerability Management Goals
Goal: Prevention – prevent bad things with the resources you have
Stop waiting around for the perfect solution!
Goal: Detection
Know where you are vulnerable and monitor
Goal: React – Define priorities and enable people to take action
Vulnerability management is a repeatable process.
Goal: Do it yourself.
Vulnerability scanning is not what a pen tester should do for you
Tools have matured to allow for continuous scanning.
Goal: Evaluate tools – Define the evaluation criteria
Virtualization, Cloud, Mobile, Patch Management, Agents, Web Apps.
Goal: Checks and Balances: How are my other defenses working or not?
Anti-Virus, Firewalls, Compliance/System Hardening Programs
Goal: Metrics: Don’t Give Up On Them
Searches for “dating tips”
Searches for “fleshlight”
What does management want to see?
Goal: Threat Modeling
Goal: Don’t just find a standard or copy what may work for others
Be a LEADER and set your own standards.
Goal: Get people to understand and change their behavior
Become a remarkable IT Security Leader
Some Fun Facts
Podcasts/Blogs/Videos: http://securityweekly.com
Contact Me: paul@securityweekly.com
http://securityweekly.com/attend
Security Weekly & Tenable are always hiring.
You can come to our studio on Thursday nights and watch the show live.
I post all my slides to http://slideshare.net/securityweekly
Larry really does have a tattoo in “that place”.
Jack is really old.
Also, Ninja is the winner.