This document provides an overview of threat and vulnerability management from Ryan Elmer of FRSecure. It argues that vulnerability management is a critical part of an information security program and involves identifying, classifying, remediating and mitigating vulnerabilities through a cyclical process. It defines vulnerabilities, threats, and risks, and explains how vulnerability assessments differ from vulnerability management: an assessment only identifies issues, whereas management resolves them.
Information systems in the digital age are complex and expansive, with attack vectors coming in from every angle. This makes analyzing risk challenging, but more critical than ever.
There is a need to better understand the dynamics of modern IT systems, security controls that protect them, and best practices for adherence to today’s GRC requirements.
These slides are from our webinar covering topics like:
· Threats, vulnerabilities, weaknesses – why their difference matters
· How vulnerability scanning can help (and hinder) your efforts
· Security engineering and the system development lifecycle
· High impact activities - application risk rating and threat modeling
Security testing tools are only as good as the humans who use them. Learn how to turn an automated security effort into an effective security assessment.
Information technology is a complex business, at best. While IT can provide amazing benefits, it still requires vigilance and diligence to ensure it is running correctly and that it is secure. A security framework can be an excellent tool to evaluate what you might be missing and confirm that what you are already doing is spot-on correct. This session will discuss the importance of using security frameworks and walk attendees through the NIST Cyber Security Framework to review how the framework functions, how to use a framework, and most importantly, how the use of a framework can and will benefit their organization.
Definitive Security Testing Checklist Shielding Your Applications against Cyb... (Knoldus Inc.)
The protection of applications against cyber threats is paramount. With hackers becoming increasingly sophisticated, organizations must prioritize robust security testing practices. In this informative session, we will unveil a comprehensive security testing checklist designed to fortify your applications against potential vulnerabilities and attacks.
Is Your Vulnerability Management Program Irrelevant? (Skybox Security)
In this webcast, Scott Crawford from Enterprise Management Associates and Michelle Johnson Cobb of Skybox Security will discuss how to:
Link vulnerability discovery, risk-based prioritization, and remediation activities to effectively mitigate risks before exploitation.
Build a remediation strategy that addresses ‘unpatchable’ systems
Minimize change management headaches by anticipating unintended impacts due to system and application interdependencies.
Use metrics and key performance indicators (KPIs) like remediation latency to track the effectiveness of the vulnerability management program.
Learn about threat modeling from our CTO and co-creator of the DREAD threat modeling classification, Jason Taylor. Understand more about what threat modeling is, dive into real life examples, and use techniques you can leverage at every phase of the SDLC.
For Business's Sake, Let's focus on AppSec (Lalit Kale)
Slide-Deck for session on Application Security at Limerick DotNet-Azure User Group on 15th Feb, 2018
Event URL: https://www.meetup.com/Limerick-DotNet/events/hzctdpyxdbtb/
chap-1 : Vulnerabilities in Information Systems (KashfUlHuda1)
Introduction to Cyber Security. Chapter #1. Vulnerabilities in Information Systems. What is a vulnerability?
Cyberspace: From terra incognita to terra nullius.
Cyberspace performance expectations. Measuring vulnerabilities. CVSS XCCDF OVAL
Avoiding vulnerabilities through secure coding
This talk will review a number of application assessment techniques and discuss the types of security vulnerabilities they are best suited to identify as well as how the different approaches can be used in combination to produce more thorough and insightful results. Code review will be compared to penetration testing and the capabilities of automated tools will be compared to manual techniques. In addition, the role of threat modeling and architecture analysis will be examined. The goal is to illuminate assessment techniques that go beyond commodity point-and-click approaches to web application or code scanning.
From the OWASP Northern Virginia meeting August 6, 2009.
As delusions of effective risk management for application environments continue to spread, companies continue to bleed large amounts of security spending without truly knowing if the amount is warranted, effective, or even elevating security at all. In parallel, hybrid, thought-provoking security strategies are moving beyond conceptual ideas to practical applications within ripe environments. Application Threat Modeling is one of those areas that, beyond the hype, provides practical and sensible security strategy that leverages already existing security efforts for an improved threat model of what is lurking in the shadows.
Tony UcedaVelez, Managing Director
An experienced security management professional, Tony has more than 10 years of hands-on security and technology experience and is a vocal advocate of security process engineering – a term that describes the design and development of secure processes and controls working symbiotically to create a unique business workflow. Tony currently serves as Managing Director for an Atlanta based risk advisory firm that focuses on security strategy and delivering effective means for risk mitigation and security process engineering. He has worked and consulted for the Fortune 500, as well as federal agencies in the U.S. on the topic of application security and security process engineering.
Are you new to Black Duck or open source security? Do you need a refresher? Understanding the fundamentals of open source security is critical to keeping your data and organization safe. During this session, we'll share best practices from the world's leading experts to help you establish a foundation for success.
Just Trust Everyone and We Will Be Fine, Right? (Scott Carlson)
As a CISO, you have been asked why you can't just trust your employees to do the right thing. What benefit to the business comes from technical security controls? You have likely been asked to reduce risk and action every funded project at once. In this session, we will realistically consider which projects can reduce risk most quickly, which layers of security are most important, and how things like privilege management, vulnerability control, over-communicating, and simply reducing the attack surface can bring peace of mind and actual direct improvements to your information security posture.
The more your organization knows about potential threats, the safer your critical assets will be, but are traditional solutions, such as monthly scans and haphazard patching enough? What your scanner isn’t telling you are the critical vulnerabilities that should be fixed first.
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team... (Marcin Ludwiszewski)
Cybersecurity - Rainbow Teaming - what are the colour teams in cybersecurity, how purple differs from red teaming, what is white team and other colours ?
Did you lock the door before leaving your house this morning? If you did, you threat modeled without even realizing it. Threat modeling is identifying potential threats (house robbery) and implementing measures to mitigate the risk (locking your door).
Protecting valuable assets, no matter if personal assets or business-related assets such as the software you are developing, threat modeling should become an instinctual and necessary part of your process.
Our talk highlights how nearly 50% of security flaws can be mitigated through threat modeling. We help you prevent and mitigate risks by utilizing a reliable and hard-hitting analysis technique that can be applied to individual applications or across an entire portfolio. We show you how to effectively apply these techniques at the start of the design phase and throughout every phase of the development lifecycle so you can maximize the ROI of your security efforts.
Topics covered include:
• Threat Modeling 101
• The propagating effect of poor design
• Tabletop exercise – a world with and without threat modeling
• Best practices and metrics for every stakeholder
Insider Threats: How to Spot Trouble Quickly with AlienVault USM (AlienVault)
There's always a need to stop bad stuff from coming in, but it's important to remember that those inside the firewall can pose an even bigger risk to your network security. Whether it's unsuspecting users clicking on phishing e-mails, someone running BitTorrent in your datacenter, or a truly malicious user out to sabotage the network, insider threats can really keep you up at night.
Join us for this technical demo showing how USM can help you detect:
Malware infections on end-user machines
Insiders misusing network resources
Privileged users engaging in suspicious behaviors
In the ever-evolving, fast-paced Agile development world, application security has not scaled well. Incorporating application security and testing into the current development process is difficult, leading to incomplete tooling or unorthodox stoppages due to the required manual security assessments. Development teams are working with a backlog of stories—stories that are typically focused on features and functionality instead of security. Traditionally, security was viewed as a prevention of progress, but there are ways to incorporate security activities without hindering development. There are many types of security activities you can bake into your current development lifecycles—tooling, assessments, stories, scrums, iterative reviews, repo and bug tracking integrations—every organization has a unique solution and there are positives and negatives to each of them. In this slide deck, we go through the various solutions to help build security into the development process.
Link to Youtube video: https://youtu.be/OJMqMWnxlT8
You can contact me at abhimanyu.bhogwan@gmail.com
My LinkedIn ID: https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/
Threat Modeling(system+ enterprise)
What is Threat Modeling?
Why do we need Threat Modeling?
6 Most Common Threat Modeling Misconceptions
Threat Modelling Overview
6 important components of a DevSecOps approach
DevSecOps Security Best Practices
Threat Modeling Approaches
Threat Modeling Methodologies for IT Purposes
STRIDE
Threat Modelling Detailed Flow
System Characterization
Create an Architecture Overview
Decomposing your Application
Decomposing DFD’s and Threat-Element Relationship
Identify possible attack scenarios mapped to S.T.R.I.D.E. model
Identifying Security Controls
Identify possible threats
Report to Developers and Security team
DREAD Scoring
My Opinion on implementing Threat Modeling at enterprise level
1. Why won’t these damn things just patch themselves?: The Hitchhiker’s Guide to Threat and Vulnerability Management
2. Meet Your Presenter
Ryan Elmer
• Master of Science, Security Technologies – The University of Minnesota
• Published by American Banker, Star Tribune, Bloomberg Business Week
• Former faculty member ICBA Community Bank IT Institute
• Technology Implementer (The Ohio State University, Total Networx)
• Information Security Auditor (RSM McGladrey)
FRSecure
• Founded in 2008
• HQ in Minnetonka
• Sole focus fixing a broken information security industry
• Full suite of InfoSec services
• Product Agnostic – Your IT guys will love us!
3. Meet Your Presentation
• Threat and Vulnerability Management is one of the most critical elements of an Information Security Program.
• Organizations which lack “brilliance in the basics” will have difficulties implementing an effective vulnerability management program.
• Vulnerability Assessments are often confused with Vulnerability Management. This leads to unmitigated vulnerabilities and increased risk.
• Most importantly, it means wasted money.
5. Meet Your Definitions
A vulnerability is a system susceptibility or flaw.
A threat is an attacker who can access the flaw and has the capability to exploit it.
A risk is the convergence of a vulnerability and a threat, with a defined likelihood and impact.
Vulnerability Management is the cyclical practice of identifying, classifying, remediating and mitigating vulnerabilities.
6. Vulnerability - Technical
An inherent weakness in technology tools resulting from a design flaw. Universal to everyone utilizing that tool.
• Systems and applications not patched for known security flaws
  • Hardware, OS, application, database, network equipment
• Web applications and web services
  • Known security issues, incorrect coding, unpatched known security flaws
• Browsers and plugins
  • Not up to date, not patched for known security flaws
• Application and OS configs
  • Never configured, or configuration changed since
7. Conceptual and Architectural Issues
Weaknesses resulting from the implementation, configuration and convergence of technological tools. Specific to that organization.
• Remote access (admin, terminal servers)
• Lack of segmentation (flat networks)
• Weak passwords
• Default configs (e.g. WPAD name lookups answered over LLMNR)
• Convergence issues (auto-authenticate)
10. Foundations of vulnerability management
An effective vulnerability management program relies on other mature programs. Vulnerability Management rests on three foundations: Access Control, Change Management and Asset Management.
11. Asset Management -- Realistically
Expectations
• Accurate, reviewed and reconciled inventories of hardware, software and data assets.
• Data is categorized as public, non-public and confidential, and assets are classified by the types of data which they house.
• Extra credit: data flow diagrams show connections between systems.
Reasons
• A complete list of assets ensures that everything gets scanned.
• Classified assets allow for more flexibility in accepting risk (depending on data and interconnectedness).
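The two "Reasons" above, as an added worked example (this is not code from the FRSecure deck): a constructed asset inventory is reconciled against the live hosts a scanner's discovery sweep returned, so that inventory entries the scan never reached and live hosts with no inventory record both surface before the next cycle, and scan targets are ordered by data classification. The hostnames, IPs, owners and classifications are constructed for illustration; the classification tiers are the three from the slide.

```python
"""Reconcile an asset inventory against scanner host discovery (slide 11).

Added example, not FRSecure's code. Inventory records and the set of
scanner-discovered IPs are constructed inline.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Classification tiers from the slide, ranked lowest to highest sensitivity.
CLASSIFICATION_RANK: Dict[str, int] = {"public": 0, "non-public": 1, "confidential": 2}


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    owner: str
    classification: str   # public | non-public | confidential


# Constructed inventory; in practice this comes from the reviewed, reconciled list (CMDB or spreadsheet).
INVENTORY: List[Asset] = [
    Asset("core-db01", "10.10.20.5", "it-ops", "confidential"),
    Asset("web01", "10.10.10.21", "marketing", "public"),
    Asset("fileshare", "10.10.20.9", "it-ops", "non-public"),
    Asset("hr-app", "10.10.30.4", "hr", "confidential"),
]

# Constructed host-discovery result: IPs the scanner's ping/port sweep found alive.
SCAN_DISCOVERED: Set[str] = {"10.10.20.5", "10.10.10.21", "10.10.20.9", "10.10.30.77"}


def reconcile(inventory: List[Asset], discovered: Set[str]) -> Dict[str, List[str]]:
    """Return the two gaps that matter: inventory hosts the scan never reached
    (missing coverage) and live hosts the inventory does not know about (unmanaged assets)."""
    known = {asset.ip for asset in inventory}
    return {
        "not_scanned": sorted(known - discovered),
        "unknown_hosts": sorted(discovered - known),
    }


def scan_priority(inventory: List[Asset]) -> List[str]:
    """Order scan targets by data classification, most sensitive first, so the
    confidential tier is scanned (and credentialed) before the public tier."""
    ranked = sorted(inventory, key=lambda a: (-CLASSIFICATION_RANK[a.classification], a.hostname))
    return [asset.ip for asset in ranked]


if __name__ == "__main__":
    gaps = reconcile(INVENTORY, SCAN_DISCOVERED)
    print("Inventory hosts the scan never reached:", gaps["not_scanned"])
    print("Live hosts with no inventory record:", gaps["unknown_hosts"])
    print("Scan order by classification:", scan_priority(INVENTORY))
```

Both gap lists should be empty at the end of a healthy cycle: an unscanned inventory host means a blind spot in the scan scope, and an unknown live host means the inventory, not the scanner, is what needs fixing first.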
12. Change Management -- Realistically
Expectations
• The organization tracks significant changes to technology, with tools ranging from a COTS ticketing system to a spreadsheet.
• Minimum tracking:
  • Description/nature of change
  • System
  • Testing/business unit sign-off
  • Roll-back procedures
  • Approval
Reasons
• Changes to devices can introduce new vulnerabilities and configuration issues.
• The testing and roll-back procedures make sure that you don’t wreck your environment.
13. Access Control -- Realistically
Expectations
• Access control is in place. This includes user, system and service account access.
• VLANs and ACLs are in place.
Reasons
• Appropriate security can be placed on segregated systems according to the data which resides on them.
• This is always easier to talk about than to actually implement. De-activate service accounts when they are not in use, create VLANs to the best of your ability, and pen test to verify this has been done well.
16. Vulnerability Scanning: What it do?!
Purpose: Identify, rank and report technical vulnerabilities
Goal: Determine all the vulnerabilities that we know can be exploited
Example: Checking all exterior and interior doors
Focus: Breadth over depth
Tactics: Fast and loud
Tests: Preventative controls
Cadence: Quarterly, monthly
17. Vulnerability Assessment Process
• Enumeration
  • Discover ports and services (SSH, Telnet, SNMP)
  • Interrogation of services
• Scan
• Analyze
  • Viability of vulnerability
  • CVSS
• Research
  • Impact
  • Data
  • Connections
• Make risk determinations
  • Mitigate (patch, re-config)
  • Transfer (outsource, insure)
  • Accept (document, compensate)
  • Avoid (turn it off)
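The Analyze, Research and Make-risk-determinations steps of the process above, as an added runnable example (not FRSecure's code). It reads a constructed scanner export, bands each finding by CVSS v3 qualitative severity, weights likelihood by internet exposure and impact by the data classification of the host, ranks the results, and applies a simplified treatment policy that is an assumption for this example only: turn off services with no business need (avoid), patch or reconfigure where a fix exists (mitigate), transfer High or Critical findings that have no fix, and document acceptance of the rest. The hosts, finding texts, CVSS scores and per-asset context fields are all constructed; the finding texts are illustrative, not real advisories.

```python
"""Rank scanner findings and decide a treatment (slide 17: analyze -> research -> decide).

Added example, not FRSecure's code. The CSV export, CVSS scores and per-asset
context (classification, exposure, business need, fix availability) are constructed.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List


def cvss_severity(score: float) -> str:
    """CVSS v3 qualitative severity bands as published by FIRST."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


# Assumed impact weight per data classification (the three tiers from slide 11).
IMPACT: Dict[str, int] = {"public": 1, "non-public": 2, "confidential": 3}

# Constructed scanner export. Finding texts are illustrative, not real advisories.
SCAN_EXPORT = """host,port,service,finding,cvss,classification,exposed,service_needed,fix_available
10.10.10.21,22,ssh,SSH server allows weak MAC algorithms,5.3,public,yes,yes,yes
10.10.20.5,1433,mssql,Database unpatched for known remote code execution flaw,9.8,confidential,no,yes,yes
10.10.20.9,23,telnet,Telnet service enabled (cleartext credentials),7.5,non-public,no,no,no
10.10.30.4,161,snmp,SNMP community string 'public' accepted,7.5,confidential,yes,yes,yes
10.10.10.21,80,http,Server version disclosed in HTTP banner,2.0,public,yes,yes,yes
10.10.30.4,8080,http,Legacy HR application framework is end-of-life,6.5,confidential,no,yes,no
10.10.20.9,445,smb,SMBv1 enabled on vendor appliance,8.1,non-public,no,yes,no
"""


@dataclass
class Finding:
    host: str
    port: int
    service: str
    finding: str
    cvss: float
    classification: str
    exposed: bool          # reachable from the internet
    service_needed: bool   # does the business still need this service?
    fix_available: bool    # a patch or configuration fix exists

    @property
    def severity(self) -> str:
        return cvss_severity(self.cvss)

    @property
    def risk_score(self) -> float:
        """Likelihood (CVSS, doubled when internet-exposed) times impact (data classification)."""
        likelihood = self.cvss * (2.0 if self.exposed else 1.0)
        return likelihood * IMPACT[self.classification]

    @property
    def treatment(self) -> str:
        """Simplified policy (an assumption for this example) mapping to slide 17's four options."""
        if not self.service_needed:
            return "avoid"       # turn it off; nothing to patch if nobody needs the service
        if self.fix_available:
            return "mitigate"    # patch or reconfigure
        if self.severity in ("Critical", "High"):
            return "transfer"    # outsource, insure or isolate; no fix and too risky to carry
        return "accept"          # document the decision and the compensating control


def _yes(value: str) -> bool:
    return value.strip().lower() == "yes"


def parse_export(text: str) -> List[Finding]:
    """Parse the CSV export into Finding objects."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append(Finding(
            host=row["host"], port=int(row["port"]), service=row["service"],
            finding=row["finding"], cvss=float(row["cvss"]),
            classification=row["classification"], exposed=_yes(row["exposed"]),
            service_needed=_yes(row["service_needed"]), fix_available=_yes(row["fix_available"]),
        ))
    return findings


def rank(findings: List[Finding]) -> List[Finding]:
    """Highest risk first, raw CVSS as the tie-breaker."""
    return sorted(findings, key=lambda f: (f.risk_score, f.cvss), reverse=True)


if __name__ == "__main__":
    for f in rank(parse_export(SCAN_EXPORT)):
        print(f"{f.risk_score:5.1f} {f.severity:8} {f.host}:{f.port:<5} {f.treatment:8} {f.finding}")
```

Note what the ranking does to the raw scanner order: the exposed SNMP default on a confidential host outranks the higher-CVSS but internal database flaw, and the Telnet finding drops out of the patch queue entirely because the right answer is to turn it off. The scanner's CVSS alone gives none of that context.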
18. Vulnerability Scanning – Insider Secrets
• Banks need to increase the frequency at which they scan.
• Vulnerability scans are not inherently better or worse than a penetration test; it depends on your objectives. Vendors and examiners who tell you one is always superior are wrong.
• Running a vulnerability scan is very easy. Interpreting the results is difficult the first time and gets easier as you go.
• On-going scanning with external vendors should be pretty damn cheap. In fact, you can do it for free with OpenVAS.
• Credentialed scans provide a more accurate picture of your vulnerabilities. An attacker obtaining a credential isn’t that hard, so giving the scanner one does not distort the results.
20. Penetration Testing: What it do?!
Purpose: Exploit vulnerabilities to circumvent or defeat security
Goal: Determine what can be accomplished by exploiting those vulnerabilities
Example: Entering the first available door to search
Focus: Depth over breadth
Tactics: Low and slow
Tests: Effectiveness of the vulnerability management program; detective and reactive controls
Cadence: Annually
21. Penetration Testing
• Pen tests are one of the fastest maturing areas of information security, even though we don’t fully understand the basics.
• Scope
  • Internal
  • External
• Threat emulation
  • Blue team / red team / purple team
• Knowledge
  • White box – full knowledge of systems – faster, more thorough
  • Black box – no knowledge – most accurate threat emulation
• What is an assumed breach?
  • Providing credentials
  • Downloading a payload
22. Penetration Test – Insider Secrets
• Using white box testing, dropping defenses or assuming a breach (giving credentials) saves money; they aren’t “cheating”.
• The goal is to identify vulnerabilities, not to confirm you’re safe.
• If you want your penetration test to mimic the real world, use social engineering.
• Performing the only vulnerability scan of the year during the pen test is a very bad investment. You should not pay a premium to find low hanging fruit; scanning first frees pen tester time to focus on issues the scanner cannot find.
23. Picking the right Pen Test
• The “right” pen test for your organization should align with objectives.
  • It will and should change from year to year; this might mean going “backward”.
  • Want to test a newly implemented VLAN? Provide several credentials from multiple segments.
  • Done that for a couple of years? Maybe a black box test is best.
• Scoping
  • Share results and key metrics from vulnerability scans; confirm their test isn’t looking for technical vulnerabilities.
  • Talk about the network and any recent changes (local admin, segmentation, user profiles, shares, interconnectedness).
  • Talk about objectives: what do you want to accomplish?
    • Look for architectural and conceptual issues
    • Test detective and reactive controls
    • Affirm segmentation
    • Train staff on indicators of compromise
    • Confirm confidential data is well protected
25. Vulnerability Management
• Not a project, but a program
  • No beginning or end; a revolving process
• Meeting regulatory goals
• Defined success factors (number of vulnerabilities by severity level, number of hosts with vulnerabilities, vulnerability age)
• Measurable – because we have success factors
• Repeatable – documented process
• Involved with other programs (patch management, ticketing, asset management, configuration management)
• Accountability – historical data to compare performance
• Context, context and more context
26. Vulnerability Management Best Practices
• Set the foundation: asset inventory, change management, access control
• Run your typical vulnerability assessment process
• Track your key metrics
• Make risk decisions and document the process
• Repeat to gather all low hanging fruit
• Pen test to find the issues vulnerability scanners cannot find. This will also measure the effectiveness of your vulnerability management process.
27. • Questions * ††
*there are no stupid questions
†† unless you’re a Packer fan
• Answers (kind of)
Ryan Elmer
relmer@frsecure.com
(952) 451-5081
28. • If executives do not understand a project, they will not allocate the
time, money or resources needed to make it successful.
• Attackers only need to be right one time, whereas IT needs to be right
100% of the time
Risks
29. Information security is the application of administrative, physical and
technical controls used to mitigate risks to the confidentiality, integrity and
availability of information.
Information Security
Administrative – People
Physical – Stuff
Technical – Machines
Confidentiality – Privacy
Integrity – Accuracy
Availability – Accessibility
30. • Assets with varying value
• Defined Perimeter (outside and inside)
• Things which have high likelihood of theft or high impact go inside, things which have
low probability or low impact go outside.
• Means of ingress/egress (doors, windows)
• Implemented controls
• Preventative (locks)
• Detective (alarm systems, dogs)
• Reactive (law enforcement, guns, maybe your dog, but not mine)
• Corrective
InfoSec as a House
31. Risk Management
The forecasting and evaluation of risks together with the identification of procedures
to avoid or minimize their impact
Identification –– Indicator of a major risk –– “Oh My God!”
Articulation –– Specifies the event –– “The Bar’s On Fire”
Ownership –– Party responsible –– “Somebody”
Remediation –– How it’s fixed –– “Save the Beer”
32. “I cannot secure it if I don’t know that I have it”
• Asset Management
• Determines what is going to be scanned
• Defines the priority of the asset (classification of data on it, interconnectedness)
“I cannot secure what I cannot control”
• Access Control
• A flat network with no access control means that every vulnerability needs to be fixed
• Change Management
• Tracks deliberate changes to the environment through ticketing and testing
• Used to detect unauthorized changes
Foundations of vulnerability management
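The success factors on the vulnerability management slide (count by severity, hosts with vulnerabilities, vulnerability age, historical comparison) and the asset management foundation above (priority from data classification and access control) can be worked through on a small scan export. The following is an added example, not code from the deck or from FRSecure; the host names, findings, dates and the weighting scheme are all constructed for illustration.

```python
from datetime import date
from collections import Counter

# Constructed asset inventory (hypothetical hosts): data classification and
# whether the host sits behind access control (segmented) or on a flat network.
ASSETS = {
    "db01":  {"classification": "confidential", "segmented": True},
    "web01": {"classification": "public",       "segmented": True},
    "ws17":  {"classification": "internal",     "segmented": False},
}

# Constructed scanner findings: (host, finding id, severity, first seen, last seen).
FINDINGS = [
    ("db01",  "ssl-weak-cipher",   "medium",   date(2019, 1, 10), date(2019, 4, 1)),
    ("db01",  "missing-patch-123", "critical", date(2019, 3, 20), date(2019, 4, 1)),
    ("web01", "missing-patch-123", "critical", date(2019, 3, 20), date(2019, 4, 1)),
    ("ws17",  "smb-signing-off",   "low",      date(2018, 9, 1),  date(2019, 4, 1)),
    ("ws17",  "missing-patch-123", "critical", date(2019, 3, 25), date(2019, 4, 1)),
]

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
CLASS_WEIGHT = {"confidential": 3, "internal": 2, "public": 1}   # hypothetical weights

def success_factors(findings, as_of):
    """The deck's success factors: count by severity, hosts with vulns, vuln age in days."""
    ages = [(as_of - first_seen).days for _, _, _, first_seen, _ in findings]
    return {
        "by_severity": dict(Counter(sev for _, _, sev, _, _ in findings)),
        "hosts_with_vulns": len({host for host, *_ in findings}),
        "max_age_days": max(ages),
        "avg_age_days": sum(ages) / len(ages),
    }

def prioritize(findings, assets):
    """Add context: severity x data classification; a finding on a flat (unsegmented)
    host is doubled, since without access control every vulnerability must be fixed."""
    scored = []
    for host, finding_id, sev, _, _ in findings:
        asset = assets.get(host, {"classification": "public", "segmented": False})
        score = SEVERITY_WEIGHT[sev] * CLASS_WEIGHT[asset["classification"]]
        if not asset["segmented"]:
            score *= 2
        scored.append((score, host, finding_id))
    return sorted(scored, reverse=True)

def trend(previous, current):
    """Accountability: change in the headline factors since the previous cycle."""
    return {k: current[k] - previous[k] for k in ("hosts_with_vulns", "max_age_days")}
```

Note that the critical finding on the flat workstation outranks the same finding on the confidential database host: that is the segmentation context from the slide doing its work, and a host missing from the inventory would silently fall to the lowest classification, which is exactly the "I cannot secure it if I don't know that I have it" problem.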
33. Vulnerability Scans vs. Penetration Tests
                     Vulnerability Scan                                   Penetration Test
Purpose              Identify, rank and report vulnerabilities            Exploit vulnerabilities to circumvent or defeat security
Goal                 Determine all vulnerabilities that could be exploited   Determine what can be accomplished exploiting those vulnerabilities
Real World Example   Checking all exterior and interior doors             Entering first available door to search
Focus                Breadth over Depth                                   Depth over Breadth
Tactics              Loud and Fast                                        Low and Slow
Tests                Preventative controls                                Detective and Reactive controls
34. • Different tools for different purposes
• Port scanner (Nmap)
• Network Vulnerability Scanner (Nessus)
• Web App Security Scanner (Burp Suite, Acunetix)
• Database Security Scanner
• Host-based vulnerability scanner (Lynis, Microsoft Baseline Security Analyzer)
• AIX Security Configuration Scanner
Vulnerability Scanner
Editor's Notes
I know I set that up as pretty scary, but don’t panic. This is the hitchhiker’s guide to vulnerability management.
Before I get into vulnerability management, I need to define what a vulnerability is.
Humans have a myriad of vulnerabilities. We can be tricked into doing things, we can be coerced by threat or force, and we also just generally do dumb shit. Humans are the single greatest weakness to your organization. Training and Awareness is the only thing that fixes this. I’ve left this out because it’s a completely different conversation, but it needs to be understood.
Vulnerability Assessment
Running vulnerability scanning as a project (has a beginning, middle and end)
No measurement of long-term success
Occurs once a year, maybe twice
Vulnerability Management
Building a program
Meeting regulatory goals
Defined success factors (number by severity level, number of hosts, vulnerability age)
Measurable
Repeatable
Involved with other programs (patch management, ticketing, asset management, configuration management)
Accountability – there are long term measurements of success and historical information. This should be accurate to the point where we can identify when you went on vacation for a month. ’Cause that happens, right? You all have houses on the Mexican Riviera?
The process to find, rate, and remediate isn’t just about the technical vulnerabilities found in scans; it’s about analyzing your process. You can talk with your peers, and hopefully your auditor can shed some light on it.
Context is the ability to surround a vulnerability with information which accurately describes the true reality. If you have
My point is that there is going to be a lot of sexy sounding pen tests that people are going to try to sell you. They are going to sound awesome. But you might not be ready for them.