Vulnerability Assessment

What Is Vulnerability Assessment?
• The first step of any security protection plan is an assessment of vulnerabilities
• Vulnerability assessment - Systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, and any other entity that could cause potential harm
• A variety of techniques and tools can be used in evaluating the levels of vulnerability
Elements of Vulnerability Assessment
• Asset Identification - Process of inventorying items with economic value
  - Identify what needs to be protected
  - After an inventory of the assets has been taken, it is important to determine each item's relative value
• Threat Evaluation - List potential threats from threat agents
  - What pressures are against those assets
  - Threat agents are not limited to attackers
• Threat Modeling - Goal of understanding attackers and their methods
• Vulnerability Appraisal - Determine current weaknesses as a snapshot of the organization's current security
  - How susceptible current protection is
  - Every asset should be viewed in light of each threat
• Risk Assessment - Determine the damage resulting from an attack and assess the likelihood that the vulnerability is a risk to the organization
  - What damage could result from the threats
  - Not all vulnerabilities pose the same risk
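The five elements above are easier to see as one small risk register. The following Python is an added example, not material from the slides: the asset inventory, threat list, appraisal findings and the scoring rule (likelihood times impact, weighted by asset value) are all constructed for illustration, and threat modeling (step 3) is not represented because it produces understanding rather than data. What it shows is the point of the last bullet: once each asset is viewed in light of each threat, the findings can be ranked, and they do not all carry the same risk.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Asset:
    name: str
    value: int        # relative value, 1 (low) to 5 (high)

@dataclass(frozen=True)
class Threat:
    agent: str        # threat agent: attackers, nature, insiders, ...
    description: str
    likelihood: int   # 1 (rare) to 5 (expected)

@dataclass(frozen=True)
class Vulnerability:
    asset: str        # Asset.name this weakness belongs to
    threat: str       # Threat.description it exposes the asset to
    weakness: str     # what the appraisal found
    impact: int       # 1 (negligible) to 5 (severe) damage if exploited

# Step 1, asset identification: constructed sample inventory with relative values.
ASSETS = [
    Asset("customer database", 5),
    Asset("public web server", 3),
    Asset("lobby kiosk", 1),
]

# Step 2, threat evaluation: constructed list; agents are not limited to attackers.
THREATS = [
    Threat("external attacker", "injection attack on the order form", 4),
    Threat("nature", "flood in the server room", 1),
    Threat("insider", "unauthorized data export", 2),
]

# Step 4, vulnerability appraisal: constructed snapshot, each asset viewed against each threat that applies.
VULNERABILITIES = [
    Vulnerability("customer database", "injection attack on the order form", "order form queries not parameterized", 5),
    Vulnerability("customer database", "flood in the server room", "no off-site backup", 5),
    Vulnerability("public web server", "injection attack on the order form", "runs the same order form code", 3),
    Vulnerability("lobby kiosk", "unauthorized data export", "USB ports enabled", 2),
]

def risk_score(asset: Asset, threat: Threat, vuln: Vulnerability) -> int:
    """Step 5, risk assessment: likelihood x impact, weighted by the asset's relative value (assumed scale)."""
    return threat.likelihood * vuln.impact * asset.value

def build_risk_register(assets, threats, vulns) -> List[Dict]:
    """Join the three inventories and rank the findings so the highest risk comes first."""
    by_asset = {a.name: a for a in assets}
    by_threat = {t.description: t for t in threats}
    rows = []
    for v in vulns:
        asset, threat = by_asset[v.asset], by_threat[v.threat]
        rows.append({
            "asset": asset.name,
            "threat": threat.description,
            "agent": threat.agent,
            "weakness": v.weakness,
            "score": risk_score(asset, threat, v),
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows

if __name__ == "__main__":
    for row in build_risk_register(ASSETS, THREATS, VULNERABILITIES):
        print(f'{row["score"]:4d}  {row["asset"]:20s} {row["weakness"]} ({row["agent"]})')
```

With the constructed values the register ranks the database's injection exposure (100) far above the flood (25) even though both would destroy the same asset, because the likelihoods differ; the kiosk's USB finding (4) lands last. The scale and weighting are assumptions to be replaced by whatever the organization's own risk method prescribes.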
Attack Tree Examples

Vulnerability Assessment Actions And Steps
Assessment Techniques
• Baseline Reporting - Comparison of the present state of a system to its baseline
  - Baseline - Imaginary line by which an element is measured or compared; can be seen as a standard
  - An IT baseline is a checklist against which systems can be evaluated and audited for security posture
  - Outlines the major security considerations for the system and becomes the starting point for solid security
  - Deviations include not only technical issues but also management and operational issues
• Programming Vulnerabilities - Weaknesses introduced while software is being developed
  - It is important that software vulnerabilities be minimized while the software is being developed instead of after it is released
  - Improving software to minimize vulnerabilities is difficult because of:
    - Size and complexity
    - Lack of formal specifications
    - Ever-changing attacks
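Baseline reporting is a comparison, and the comparison is simple enough to write down. The Python below is an added example rather than anything from the slides: the baseline checklist, its item names and the observed state are all constructed, and the "equals" / "at_most" comparison modes are this example's own convention. It keeps the slide's point that deviations are not only technical by tagging every baseline item with a category, and it reports an item that was never measured as a deviation instead of silently assuming compliance.

```python
from typing import Dict, List, Tuple

# Constructed baseline checklist: item -> (comparison, expected value, deviation category).
# The item names are illustrative and are not taken from any real standard.
BASELINE: Dict[str, Tuple[str, object, str]] = {
    "ssh.password_auth":            ("equals",  "no",  "technical"),
    "ssh.root_login":               ("equals",  "no",  "technical"),
    "patch.max_age_days":           ("at_most", 30,    "technical"),
    "policy.acceptable_use_signed": ("equals",  True,  "management"),
    "backup.last_test_age_days":    ("at_most", 90,    "operational"),
}

# Constructed snapshot of the present state of one system.
OBSERVED: Dict[str, object] = {
    "ssh.password_auth": "yes",
    "ssh.root_login": "no",
    "patch.max_age_days": 45,
    "backup.last_test_age_days": 60,
    "ntp.enabled": True,   # not in the baseline, so it is neither compliant nor a deviation
}

def baseline_report(baseline, observed) -> List[Dict]:
    """Compare the observed state against every baseline item and list the deviations."""
    deviations = []
    for item, (mode, expected, category) in baseline.items():
        if item not in observed:
            # An unmeasured item cannot be shown compliant; report it rather than assume.
            deviations.append({"item": item, "category": category, "expected": expected,
                               "actual": None, "reason": "not measured"})
            continue
        actual = observed[item]
        compliant = actual == expected if mode == "equals" else actual <= expected
        if not compliant:
            deviations.append({"item": item, "category": category, "expected": expected,
                               "actual": actual, "reason": "outside baseline"})
    return deviations

def summarize(deviations) -> Dict[str, int]:
    """Count deviations per category (technical, management, operational)."""
    counts: Dict[str, int] = {}
    for d in deviations:
        counts[d["category"]] = counts.get(d["category"], 0) + 1
    return counts

if __name__ == "__main__":
    report = baseline_report(BASELINE, OBSERVED)
    for d in report:
        print(f'[{d["category"]}] {d["item"]}: expected {d["expected"]!r}, '
              f'got {d["actual"]!r} ({d["reason"]})')
    print("summary:", summarize(report))
```

On the constructed snapshot the report lists three deviations: password authentication still enabled and patches older than the allowed 30 days (both technical), and the acceptable-use policy item that was never measured (management). The backup item passes because 60 days is within the 90-day limit.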
Assessment Tools
• Port scanners - Software that can be used to search a system for port vulnerabilities
• Banner grabbing tools - Software used to intentionally gather the message that a service transmits when another program connects to it
• Protocol analyzers - Hardware or software that captures packets to decode and analyze their contents
• Vulnerability scanners - Automated software that searches a system for known security weaknesses
• Honeypots and honeynets - Goal is to trick attackers into revealing their techniques
• These tools can likewise be used by attackers to uncover vulnerabilities to be exploited
Port Scanning

Protocol Analyzer Security Information

Vulnerability Scanning vs. Penetration Testing
Vulnerability Scanning
• Intrusive vulnerability scan - Attempts to actually penetrate the system in order to perform a simulated attack
• Non-intrusive vulnerability scan - Uses only available information to hypothesize the status of the vulnerability
• Credentialed vulnerability scan - Scanners that permit the username and password of an active account to be stored and used
• Non-credentialed vulnerability scan - Scanners that do not use credentials
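The core of a vulnerability scanner from the Assessment Tools slide ("searches a system for known security weaknesses") is a comparison of what is installed against a list of advisories, and the credentialed versus non-credentialed distinction above is really a question of how precise that "what is installed" input is. The Python below is an added example, not the slides' material or any real scanner's code: the advisory identifiers are placeholders, the product names and versions are invented, and the two inventories stand in for what a scanner would read from inside the host with credentials versus what a service banner reveals without them. With the exact version a finding is confirmed or ruled out; with only a banner prefix the scanner can, as the non-intrusive bullet says, only hypothesize.

```python
from typing import Dict, List, Tuple

# Constructed advisory list. The ids are placeholders, not real advisories, and the
# product names are invented for this example.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADV-PLACEHOLDER-1", "product": "examplehttpd", "fixed_in": "2.4.10"},
    {"id": "ADV-PLACEHOLDER-2", "product": "exampledb", "fixed_in": "5.7.3"},
]

# What a credentialed scan sees: exact package versions read from inside the host (constructed).
CREDENTIALED_INVENTORY = [
    {"product": "examplehttpd", "version": "2.4.7"},
    {"product": "exampledb", "version": "5.7.9"},
]

# What a non-credentialed scan sees: only the version a service banner reveals (constructed).
NON_CREDENTIALED_INVENTORY = [
    {"product": "examplehttpd", "version": "2.4"},
    {"product": "exampledb", "version": "5.7"},
]

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def assess(installed: str, fixed_in: str) -> str:
    """Classify one product/advisory pair as confirmed, possible, or not affected."""
    inst, fixed = parse_version(installed), parse_version(fixed_in)
    if len(inst) >= len(fixed):
        # Full version known: the comparison is exact.
        return "confirmed" if inst < fixed else "not affected"
    # Only a prefix is known (e.g. '2.4' from a banner): compare it against the
    # same-length prefix of the fixed version and hypothesize when they match.
    prefix = fixed[: len(inst)]
    if inst < prefix:
        return "confirmed"      # the whole release branch predates the fix
    if inst == prefix:
        return "possible"       # same branch, patch level unknown
    return "not affected"

def scan(inventory, advisories=ADVISORIES) -> List[Tuple[str, str, str]]:
    """Return (product, advisory id, status) for every advisory that is confirmed or possible."""
    findings = []
    for item in inventory:
        for adv in advisories:
            if adv["product"] != item["product"]:
                continue
            status = assess(item["version"], adv["fixed_in"])
            if status != "not affected":
                findings.append((item["product"], adv["id"], status))
    return findings

if __name__ == "__main__":
    print("credentialed:    ", scan(CREDENTIALED_INVENTORY))
    print("non-credentialed:", scan(NON_CREDENTIALED_INVENTORY))
```

The credentialed run confirms the web server finding and clears the database (5.7.9 is past the 5.7.3 fix); the non-credentialed run reports both as merely possible, because "5.7" in a banner says nothing about the patch level. That extra "possible" is the false positive a credentialed scan exists to remove, and it is why the report from a non-credentialed scan needs a follow-up check before remediation is scheduled.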
Penetration Testing
• Penetration testing - Designed to exploit system weaknesses
• Relies on the tester's skill, knowledge, and cunning
• Usually conducted by an independent contractor
• Tests are usually conducted from outside the security perimeter and may even disrupt network operations
• The end result is a penetration test report
Vulnerability Scan and Penetration Test Features
Third-Party Integration
• An increasing number of organizations use third-party vendors to create partnerships
• Third-party integration - The risk of combining systems and data with outside entities continues to grow
  - Question: How will entities combine their services without compromising their existing security defenses?
  - Question: What happens if the privacy policy of one of the partners is less restrictive than that of the other partner?
• Data considerations - Who owns the data generated through the partnership, and how is that data protected?
• Interoperability agreements
  - Service Level Agreement (SLA) - Service contract between a vendor and a client
  - Blanket Purchase Agreement (BPA) - Prearranged purchase or sale agreement between a government agency and a business
  - Memorandum of Understanding (MOU) - Describes an agreement between two or more parties
  - Interconnection Security Agreement (ISA) - Agreement intended to minimize security risks for data transmitted across a network
Mitigating and Deterring Attacks
• Create a security posture
  - Initial baseline configuration
  - Continuous security monitoring
  - Remediation
• Select appropriate controls
• Configuring controls
  - The key to mitigating and deterring attacks is proper configuration and testing of the controls
• Hardening - Eliminate as many security risks as possible
• Reporting - Providing information regarding events that occur
Checkpoint
• Vulnerability assessment
  - Methodical evaluation of the exposure of assets to risk
  - Five steps in an assessment
  - Risk describes the likelihood that a threat agent will exploit a vulnerability
• Several techniques can be used in a vulnerability assessment
  - Port scanners, protocol analyzers, and honeypots are used as assessment tools
• A vulnerability scan searches a system for known security weaknesses and reports its findings
• Penetration testing is designed to exploit any discovered system weaknesses
  - Testers may have various levels of system knowledge
• Standard techniques used to mitigate and deter attacks
  - Healthy security posture
  - Proper configuration of controls
  - Hardening and reporting