Vulnerability Management: Let's Get It Right This Time!
Shon Harris, CEO, Logical Security
Evolving in our approaches to information security
We are currently here
Steps of vulnerability management lifecycle
What to do first is usually the hardest question for companies to answer…
Step 1: Define roles and responsibilities
All of the best practices, checklists and procedures do not add up to a pile of beans if individuals are not tasked with the necessary responsibilities.
Roles, responsibility and enforcement go a lot farther than any new expensive gadget promising you everlasting security bliss.
Step 2: Inventory
It is important to know what needs to be protected and then drill down into how to protect it.
Identify the roles of the different assets to your organization.
• This will help you understand the business impact if one or more of these assets are negatively affected.
The following outlines the necessary steps of asset management:
• Identify all assets, configurations, versions, software, and patches
• Update and maintain this information on all assets through their life cycles – from procurement to disposal
• Identify an individual who is responsible for asset management
Step 3: Develop metrics
Metrics for tracking and reporting:
• Number and type of incidents per month
• Cost of recovery from incidents in man hours
• Time it takes to resolve experienced incidents
Classifications that you could use can be mapped to maximum tolerable downtime (MTD) calculations:
• Non-essential = MTD 30 days
• Normal = MTD 7 days
• Important = MTD 72 hours
• Urgent = MTD 24 hours
• Critical = MTD Minutes to hours
Step 4: Assess and baseline
Carry out initial vulnerability assessments to recognize your current level of vulnerability and threat level.
• The types of assessments you choose to carry out depend upon the scope of vulnerabilities you are going to address.
Once you establish the metrics your company will use, you then need to determine the range of deviations your company can accept.
Step 5: Develop a CSIRT
Many companies try to prevent bad things from taking place but do not properly plan for what to do when bad things take place.
The team should be made up of technical staff, management, legal and human resources.
• http://www.csrc.nist.gov/publications/nistpubs/800-3/800-3.pdf
Step 6: Control vulnerability information flow
Do not be overwhelmed with an excessive amount of alerts that do not affect you.
• META Security Group
• TruSecure IntelliShield Early Warning System (EWS)
• SecureNet Solutions
• Computer Associates' eTrust Managed Vulnerability Service
• There are many more out there…
Step 7: Develop threat classifications
Classify vulnerabilities based on their level of threat and degree of success.
Classify assets according to their level of vulnerability, role in the company and value.
Decisions on remediation activities are based on a combination of technical and business data.
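Steps 2, 3, 6 and 7 fit together as one small pipeline: filter incoming advisories against the asset inventory so only alerts that actually affect you survive, then rank what remains by combining the technical rating (probability of exploitation and potential damage) with the asset's MTD class. The Python below is an added illustration, not material from the talk; the inventory, advisory names, version strings, probability and damage ratings, and the 1..5 business weights are all constructed for the example.

```python
from dataclasses import dataclass

# MTD classes from the slides (least to most urgent), MTD in hours; "minutes to hours" taken as 1h.
MTD_CLASSES = [("Non-essential", 720), ("Normal", 168), ("Important", 72),
               ("Urgent", 24), ("Critical", 1)]
MTD_HOURS = dict(MTD_CLASSES)
BUSINESS_WEIGHT = {name: i + 1 for i, (name, _) in enumerate(MTD_CLASSES)}  # constructed 1..5

@dataclass(frozen=True)
class Asset:            # Step 2 inventory record: what runs where, and how critical it is
    name: str
    software: str
    version: str
    mtd_class: str

@dataclass(frozen=True)
class Alert:            # incoming advisory plus analyst ratings (Step 7 inputs)
    advisory: str
    software: str
    affected_versions: frozenset[str]
    exploit_probability: float   # 0..1 likelihood of successful exploitation
    damage: int                  # 1..5 potential damage if exploited

def affected_assets(alert: Alert, inventory: list[Asset]) -> list[Asset]:
    """Step 6: an alert matters only if it hits software and versions we inventoried."""
    return [a for a in inventory
            if a.software == alert.software and a.version in alert.affected_versions]

def remediation_plan(alerts: list[Alert], inventory: list[Asset]) -> list:
    """Step 7: score = (probability x damage) x business weight of the asset's MTD
    class; the MTD itself becomes the remediation deadline in hours."""
    plan = []
    for alert in alerts:
        technical_risk = alert.exploit_probability * alert.damage
        for asset in affected_assets(alert, inventory):
            score = round(technical_risk * BUSINESS_WEIGHT[asset.mtd_class], 2)
            plan.append((asset.name, alert.advisory, score, MTD_HOURS[asset.mtd_class]))
    return sorted(plan, key=lambda row: row[2], reverse=True)

# Constructed sample data: the nginx advisory affects nothing we run and is dropped.
INVENTORY = [Asset("web-01", "openssh", "7.4", "Critical"),
             Asset("hr-db", "postgres", "12.1", "Important"),
             Asset("lab-box", "openssh", "7.4", "Non-essential")]
ALERTS = [Alert("ADV-0001 (constructed)", "openssh", frozenset({"7.4", "7.5"}), 0.8, 4),
          Alert("ADV-0002 (constructed)", "nginx", frozenset({"1.18"}), 0.9, 5),
          Alert("ADV-0003 (constructed)", "postgres", frozenset({"12.1"}), 0.3, 5)]

if __name__ == "__main__":
    for name, adv, score, deadline in remediation_plan(ALERTS, INVENTORY):
        print(f"{name:8} {adv:24} score={score:5} fix within {deadline}h")
```

The same vulnerability (ADV-0001) lands at the top of the list for the Critical web server and near the bottom for the Non-essential lab box, which is the point of Step 7: the technical data alone does not decide the order.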
Step 8: Standardized procedures
Develop standardized procedures and checklists to follow when a new vulnerability is identified.
This formalized approach reduces wasted time and operational costs.
Vulnerability action steps
Overview
We will dig a little deeper into a few of these steps…
Vulnerability identification
Goal:
• Identify weaknesses before they can be exploited
Process:
• Continually scan for new vulnerabilities
• Continually scan for rogue technology devices
• Keep up-to-date on vulnerability alerts
• Carry out compliance testing
• Carry out operational availability analysis
Technologies:
• Scanners
• Vulnerability assessment tools
• Penetration testing tools
• New vulnerability alert subscription
Threat analysis
Goal:
• Identify threat agents that can exploit identified vulnerabilities
• Measure the efficiency of current controls and countermeasures
• Minimize down time due to threat activity and other negative ramifications
Process:
• Classify new vulnerabilities based on probability of success of exploitation and potential damage
• Classify vulnerable assets by role in company and business impact of disruption
• Align threats with business impact and develop proper remediation steps
• Use results of incidents to improve preventative measures
Technologies:
• Vulnerability management automated tools
• Intrusion detection systems
• Event correlation
• Content scanning
• Antivirus
Remediation
Goal:
• Reduce business down time and business impact
• Contain and mitigate damages
• Respond effectively and efficiently to incident
Process:
• Roll out temporary fix
• Test and implement permanent fix
• Carry out proper configuration management
• Report activities to affected business units and personnel
• Document change to environment
Technologies:
• Patch management
• Configuration and software deployment tools
• Vulnerability management automated tools
Step 9: Improve preventative controls
When an intrusion is suffered, the security staff should treat it as an opportunity to reinforce the necessary security barriers.
Too many times companies just "plug the hole" without investigating the layers of controls that had to be penetrated for this threat to be successful.
Step 10: Continual monitoring
Vulnerability management is a process, not a product or a project.
Common vulnerabilities that are overlooked
Remote access servers
• Is this traffic monitored via firewalls and IDS?
Out-going ports (egress filtering)
• Are your employees carrying out hacking activities or are any of your systems infected with zombie software?
Hanging modems and rogue access points
• Have new ones popped up in your environment that you are unaware of?
Personnel security knowledge assessment
• The most commonly overlooked item that can cause the most damage.
Data validation and buffer overflows in software
• Have you properly tested for these types of attacks?
Proper configuration of security devices
• IDS, firewall and access control misconfigurations account for most of the serious vulnerabilities in many of the environments today.
More vulnerabilities
Authorization creep
• Employees and contractors gain more and more access rights without their access needs being validated.
Internal fraud
• Authorized users are the most difficult to audit and monitor because they have been granted privileged access.
Confidential data
• Are your employees sending this type of information out through e-mail or saving it to disks to take out of the environment?
PBX fraud
• Are you monitoring long distance use to ensure that phreakers are not selling access to your telephone service?
Wireless
• Check for rogue access points, the possibility of sniffing, and man-in-the-middle attacks.
A process, not a product or a project
Do not throw money and resources at the issue.
Develop a strategic and on-going process that is integrated into every day activities.
A large corporation of over 200,000 employees created an 80-person staff dedicated just to vulnerability management.
• They could not keep up and be successful because of lack of organization, vision, strategy, and process integration
• Not from a lack of money
How do we do that again?
Process:
• Capture baseline of security posture
• Develop desired baseline of security posture (acceptable risk level)
• Inventory and classify assets based on value to company
• Develop a Computer Security Incident Response Team (CSIRT)
• Control vulnerability information flow
• Develop standardized procedures and checklists to follow when a new vulnerability is identified
• Integrate activities with asset management, event and patch management processes
• Review and improve upon preventative countermeasures currently in place
• Continually monitor the environment's security baseline