![Page 1: 1 Vulnerability Management: Mitigating Your Company’s Security Risks Matt Tolbert, CISSP Senior Manager, Ernst & Young Security & Technology Solutions.](https://reader036.fdocuments.in/reader036/viewer/2022070415/5697bff31a28abf838cbc3a2/html5/thumbnails/1.jpg)
1
Vulnerability Management: Mitigating Your Company’s
Security Risks
Matt Tolbert, CISSP
Senior Manager, Ernst & Young Security & Technology Solutions Group, New York City
AGENDA:
1. Where are today’s security risks?
2. What are today’s solutions to mitigate risk?
3. How are others managing their security vulnerabilities?
4. How do I manage my company’s vulnerabilities?
While simple is desirable…
…business processes are complex…
[Diagram: a retail book supply-chain process map linking stores (MTE), vendors, the web front end, warehouses (Jamesburg, Dayton, Memphis, Rockleigh), external retailers (Bookazine, Baker & Taylor, Ingram) and SAP modules (MM Inventory, MM Consumables, CO/PA, FI) through numbered flows of purchase orders, advance shipment notices (ASN), goods receipts and issues, inventory levels, invoices, payment authorization and order status. Legend: functionality PwC will implement, functionality PwC will augment, functionality left as is; existing BN.COM interface/system; interface/system assumed to be in place for May 1st; SAP-related interface/system for May 1st.]
…application architectures are extensive…
[Diagram: e-commerce application architecture, separated by firewalls, with the tiers Client Services (browser; HTML, DHTML, XML, Java, ActiveX; client devices from PC to phone/cell phone, fax, pager, PDA and HPC), Web Server (communication, control, query & reporting, firewall/load balancing, web "contact" services, media apps, chat, messaging, HTTP, audit, monitoring, search & index, usage statistics, streaming audio and video), Application Services and Core Services (EAI, state/session, membership/registration, personalization/localization, rules engine, configurator, credit check, fulfillment, syndication, XML/EDI translation and mapping, e-commerce storefront/catalog, content management/delivery, marketing/promotion, custom business logic), Data Services (file system, structured and unstructured data, legacy, RDBMS, ODBMS, mail store, message store, mainframe, midrange, SANs, documents, images) and Corporate Services (ERP, analysis, CRM, SCM, SFA, call center, DW/DSS, business intelligence, financials, logistics, human resources, procurement, manufacturing, order processing, KM index/retrieval).]
…and IT infrastructures are nontrivial…
[Diagram: four-tier IT infrastructure (Internet Access tier, Web Presentation tier, Web Services tier, Business Operations tier): DSU/CSU connection to ISP and Internet, firewall servers, load balancers, cache servers, Gigabit Ethernet backbone switches and Ethernet switches, web servers, application/catalog/content management servers, and ERP (financials, logistics, HR, etc.), data warehouse/data mart, EAI (messaging) and warehouse management systems; segmented into DMZ, Internet access, presentation, presentation services, web services and operations subnets, with firewall servers between tiers.]
…so the risk of exposure to security vulnerabilities
is greater than ever.
1. TODAY’S SECURITY RISKS
Where are Today’s Security Risks?
• Malevolent actions and attacks—internal and external
• Unintended consequences due to lack of internal controls
• Non-compliance with government regulations
• Competitive intelligence
• Pervasive computing
• Integration of systems and applications
1.1 Today’s Security Risks
Reported Security Incidents Growing
©2001 Carnegie Mellon University
[Chart: reported security incidents per year, 1988 through 2000; vertical axis 0 to 25,000.]
1.2 Today’s Security Risks
Where Do These Incidents Originate?
Internal & external sources of risks are nearly equivalent
1.3 Today’s Security Risks
Cited Security Vulnerabilities
1.4 Today’s Security Risks
What are the Consequences?
• Financial losses
– Direct loss of revenue
– Costs to recover and remedy
– Insurance recovery and premiums
• Public perception and brand recognition
• Customer impact
• Government regulatory compliance
– Fines
– Imprisonment
1.5 Today’s Security Risks
Financial Impact of Security Vulnerabilities
1.6 Today’s Security Risks
Attack Trends
• Automated attacks through new tools
• Increasing sophistication of attack tools
• Faster discovery of vulnerabilities
• Increasing permeability of firewalls
• Increasingly asymmetric threats
• Increasing threat from infrastructure attacks
1.7 Today’s Security Risks
Speed of Attack: Honeypot Findings
• Server discovered in under 20 minutes
• Vulnerability scans commence in under 2 hours
• Concerted intrusion attempts in under 2-3 days
• Discovery of the vulnerability after the initial intrusion in an average of 5 minutes
1.8 Today’s Security Risks
Likely Sources of Attack
1.9 Today’s Security Risks
Sophistication of Attacks Increasing
©2001 Carnegie Mellon University
[Chart: attack sophistication rising while required intruder knowledge falls, 1980 to 2002; axes: Intruder Knowledge (High to Low) and Attack Sophistication; series: Attackers, Tools. Techniques labelled on the chart: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, burglaries, hijacking sessions, network mgmt. diagnostics, GUI, automated probes/scans, www attacks, DDOS attacks, “stealth”/advanced scanning techniques, denial of service, packet spoofing, sniffers, sweepers, back doors, disabling audits.]
1.10 Today’s Security Risks
Internet the Most Common Point of Attack
1.11 Today’s Security Risks
Attack Trends: Top Attack Categories
[Pie chart: share of attacks by category]
• Protocol Violation 43%
• Unauthorized Access Attempt 22%
• Suspicious Activity 18%
• Denial of Service 10%
• Pre-attack Probe 6%
• Back Door 1%
Internet Security Systems June 2002
1.12 Today’s Security Risks
Attack Trends: Top Attack Sources
[Two pie charts of attack sources by country]
Chart 1: United States 38%, Other 35%, Italy 9%, Korea 7%, China & Hong Kong 6%, Great Britain 5%
Chart 2: United States 41%, Korea 13%, China 11%, Germany 8%, France 6%, Canada 6%, Taiwan 4%, Italy 4%, Great Britain 4%, Japan 3%
Riptech 3-4Q2001
Internet Security Systems June 2002
1.13 Today’s Security Risks
Attack Trends: Top Declared Emergencies
[Pie chart: share of declared emergencies by type]
• Internet Extortion 27%
• Internet Stalking 18%
• Hacker Intrusion 18%
• Disgruntled Former Employee 10%
• Denial of Service 9%
• Fraud 9%
• Theft of information 9%
Internet Security Systems June 2002
1.14 Today’s Security Risks
Attack Trends: Attacks by Industry
[Bar chart: attacks per company by industry, vertical axis 0 to 1000. Categories in chart order: Other, Healthcare, E-Commerce, ASP, Manufacturing, Nonprofit, Business Services, Media-Entertainment, Power & Energy, Financial Services, High Tech. Bar values in the same order: 422, 439, 477, 520, 561, 592, 600, 706, 725, 895, 961.]
Riptech 3-4Q2001
1.15 Today’s Security Risks
Attack Trends: Severe Attacks by Industry
[Bar chart: severe attacks per company by industry, vertical axis 0 to 14. Categories in chart order: ASP, E-Commerce, Nonprofit, Media/Entertainment, Other, Healthcare, Manufacturing, Business Services, High Tech, Financial Industry, Power & Energy. Bar values in the same order: 0.16, 0.33, 1.06, 1.19, 1.42, 1.45, 2.05, 2.62, 6.63, 9.23, 12.5.]
Riptech 3-4Q2001
1.16 Today’s Security Risks
Attack Trends: Attacks by Company Size
[Bar chart: attacks per company by company size, vertical axis 0 to 1000. Categories in chart order: 1-449, 500-999, 1000-4999, 5000+. Bar values in the same order: 560, 905, 901, 845.]
Riptech 3-4Q2001
1.17 Today’s Security Risks
Attack Trends: Top Destination Ports
[Pie chart: share of attacks by destination port]
• Port 80 (Web/http) 67%
• Port 161 (snmp in) 8%
• Port 21 (ftp) 6%
• Port 25 (mail/smtp) 5%
• Port 1433 (sql) 3%
• Port 69 (tftp) 3%
• Port 162 (snmp out) 3%
• Port 22 (ssh) 2%
• Port 139 (netbios-ssn) 2%
• Port 23 (telnet) 1%
Internet Security Systems June 2002
1.18 Today’s Security Risks
Regulatory Compliance
• Electronic Signatures in Global & National Commerce Act (“E-Sign”)
• FDA 21 CFR Part 11
• Gramm-Leach-Bliley (GLB) Act of 1999
• Health Insurance Portability & Accountability Act (HIPAA) of 1996
• Uniform Computer Information Transactions Act (UCITA)
• USA Patriot Act of 2001
• U.S. Safe Harbor
1.19 Today’s Security Risks
Consequences of Non-Compliance
• Significant fines
• Imprisonment
• Increased insurance premiums
• Additional legal costs
• Higher costs for reacting to compliance audits
• Direct and indirect business loss
1.20 Today’s Security Risks
2. TODAY’S SOLUTIONS FOR MITIGATING RISK
Resolving Security Risks
2.1 Today’s Solutions for Mitigating Risk
Vulnerability Alerts
• CERT: www.cert.org
• eSecurityOnline: www.eSecurityOnline.com
• SecurityFocus: www.SecurityFocus.com
2.2 Today’s Solutions for Mitigating Risk
Security Technology Enablers
• Network
– Firewalls
– Intrusion detection (IDS)
– Internal/external VPN
– Wireless encryption
• Server
– Intrusion detection (IDS)
– Secure shell
– Trusted system configuration
– Enterprise antivirus software
• Entitlement Management
– Directory services (LDAP)
– Single sign-on (SSO)
– Biometrics
• Integration
– Encrypted EDI
– Public key infrastructure (PKI)
– IPSec
2.3 Today’s Solutions for Mitigating Risk
HP Security Solutions
• Atalla Network Security Processors – for secure financial transactions (ATM, POS, EFT)
• HP-UX AAA – authentication, authorization & accounting based on the RADIUS protocol
• HP-UX Secure Shell
• HP-UX Trusted System
• HP Toptools Remote Security Management
• HP IDS/9000 – system-level intrusion detection
• Proliant-based VPN/Firewall – based on CheckPoint VPN-1 and Firewall-1 software
• HP-UX IPSec/9000
• HP-UX IP Filter – stateful firewall server
2.4 Today’s Solutions for Mitigating Risk
www.hp.com/security
HP IDS/9000 Example
2.5 Today’s Solutions for Mitigating Risk
3. HOW OTHERS MANAGE THEIR SECURITY VULNERABILITIES
Characteristics of World-Class Vulnerability Management
1. Business and security objectives are aligned
2. Security programs are enterprise-wide
3. Vulnerability management is continuous
4. Response to vulnerabilities is proactive
5. Security programs are validated
6. Security frameworks are formalized
3.1 How Others Manage their Security Vulnerabilities
[Chart: Security Readiness (Risk Intelligence) against Time, contrasting a Proactive approach with a Traditional one; labelled phases: Initial Assessment, Ongoing Monitoring, Periodic Assessment.]
3.2 How Others Manage their Security Vulnerabilities
©2001 Ernst & Young LLP
Vulnerability Management Model
3.3 How Others Manage their Security Vulnerabilities
©2001 Ernst & Young LLP
Security Technologies Used
3.4 How Others Manage their Security Vulnerabilities
4. MANAGING MY ORGANIZATION’S VULNERABILITY
Vulnerability Scorecard
1. Do I know of all the IT assets I have?
2. Am I confident my critical IT assets are secure?
3. Am I monitoring my assets to detect virus attacks, external hacks, and internal intrusions?
4. Do I have updated policies and procedures addressing IT security?
5. Do I have current disaster and business continuity planning?
6. Do I know what my Business Partners are doing?
7. Does my Internal Audit group assess and validate my risk profile?
8. Am I fully compliant with government regulations?
(Answer YES or NO for each question.)
4.1 Managing My Organization’s Vulnerability
Approach to Vulnerability Management
1. Security Governance
2. IT Asset Management
3. Vulnerability Assessment
4. Vulnerability Management
4.2 Managing My Organization’s Vulnerability
Step 1: Security Governance
4.3 Managing My Organization’s Vulnerability
©2001 Ernst & Young LLP
Step 2: IT Asset Management
• Continuous process for managing IT assets
• Automated asset discovery software
• Detailed asset management database
• Change control processes in place
• Integration with helpdesk services
• Self-service functions
4.4 Managing My Organization’s Vulnerability
Step 3: Vulnerability Assessment
• Implement a continuous assessment process
• Leverage detailed asset management database
• Business impact assessment to organization if vulnerability is realized
• Prioritization & alignment with organization goals and requirements
4.5 Managing My Organization’s Vulnerability
Step 4: Vulnerability Management
• Enterprise security strategy and standards
• Centralized management of monitoring and testing
• Proactive identification of vulnerabilities specific to your organization
– Asset management database
– eSecurityOnline-type customized notification
• Computer Emergency Response Program (CERP)
• Mitigation of risks through technology enablers
– Firewalls
– Enterprise antivirus software and mail filters
– Enterprise entitlement management
– Intrusion detection systems
4.6 Managing My Organization’s Vulnerability
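Steps 2 through 4 above describe joining a detailed asset management database with incoming vulnerability alerts, weighting each match by business impact, and sending owners a customized notification. The following Python is an added example of that joint step (not code from the presentation or from Ernst & Young); the assets, owners, product names and ALERT-nnnn ids are all constructed placeholders, and the risk formula (severity x criticality x exposure) is an assumed scoring scheme, not one the slides specify.

```python
"""Prioritise vulnerability alerts against an IT asset database (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str                # team that receives the customised notification
    criticality: int          # business impact if compromised, 1 (low) .. 5 (critical)
    internet_facing: bool     # exposure, as recorded in the asset database
    software: Dict[str, str]  # product -> installed version (constructed sample data)


@dataclass(frozen=True)
class Alert:
    alert_id: str             # placeholder id, not a real advisory number
    product: str
    fixed_in: str             # first version that is no longer affected
    severity: int             # 1 (low) .. 5 (critical), as rated by the alert source


# Constructed sample inventory: names, owners and product names are fictional.
ASSETS: List[Asset] = [
    Asset("web-01", "web-team", 4, True, {"webserver": "1.3.2", "sshdaemon": "3.1.0"}),
    Asset("erp-db-01", "finance-it", 5, False, {"dbms": "8.1.7", "sshdaemon": "3.4.0"}),
    Asset("dev-box-07", "dev-team", 1, False, {"webserver": "1.3.2"}),
]

# Constructed sample alerts, the kind a subscription feed would deliver.
ALERTS: List[Alert] = [
    Alert("ALERT-0001", "webserver", "1.3.4", 5),
    Alert("ALERT-0002", "sshdaemon", "3.4.0", 4),
    Alert("ALERT-0003", "dbms", "8.1.8", 3),
]


def version_tuple(version: str) -> Tuple[int, ...]:
    """'1.3.2' -> (1, 3, 2) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def affected(asset: Asset, alert: Alert) -> bool:
    """An asset is affected if it runs the product at a version below the fix."""
    installed = asset.software.get(alert.product)
    if installed is None:
        return False
    return version_tuple(installed) < version_tuple(alert.fixed_in)


def risk_score(asset: Asset, alert: Alert) -> int:
    """Assumed scheme: alert severity weighted by business criticality and exposure."""
    exposure = 2 if asset.internet_facing else 1
    return alert.severity * asset.criticality * exposure


def prioritise(assets: List[Asset], alerts: List[Alert]) -> List[Tuple[int, str, str]]:
    """All (score, asset, alert) matches, highest business risk first."""
    findings = [
        (risk_score(asset, alert), asset.name, alert.alert_id)
        for asset in assets
        for alert in alerts
        if affected(asset, alert)
    ]
    return sorted(findings, key=lambda f: (-f[0], f[1], f[2]))


def notifications(assets: List[Asset], alerts: List[Alert]) -> Dict[str, List[str]]:
    """Customised notification per owner: only the alerts that hit that owner's assets."""
    owner_of = {asset.name: asset.owner for asset in assets}
    out: Dict[str, List[str]] = {}
    for score, asset_name, alert_id in prioritise(assets, alerts):
        out.setdefault(owner_of[asset_name], []).append(
            f"{alert_id} on {asset_name} (score {score})"
        )
    return out


if __name__ == "__main__":
    for score, asset_name, alert_id in prioritise(ASSETS, ALERTS):
        print(f"{score:3d}  {asset_name:<12} {alert_id}")
    for owner, items in notifications(ASSETS, ALERTS).items():
        print(f"{owner}: {items}")
```

Note that erp-db-01 already runs the fixed sshdaemon version, so it receives only the dbms alert, while the same webserver alert ranks first on the internet-facing web-01 and last on the low-criticality dev box.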
SUMMARY
• Know your risks so as to make informed decisions
• Align with business goals and requirements
• Establish security governance
• Enterprise-wide consistent approach
• Implement proactive and continuous processes as well as security technologies to manage vulnerabilities
Matt Tolbert, CISSP
Ernst & Young, LLP Security & Technology Solutions Group
(212) 773-5967 [email protected]