Vulnerability Management: Let’s Get It Right This Time! Shon Harris, CEO, Logical Security

Page 1: Vulnerability Management: Let’s Get It Right This Time!

Shon Harris, CEO, Logical Security

Page 2: Evolving in our approaches to information security

[Slide graphic; the only label is "We are currently here".]

Page 3: Steps of the vulnerability management lifecycle

What to do first is usually the hardest question for companies to answer…

Page 4: Step 1: Define roles and responsibilities

All of the best practices, checklists and procedures do not add up to a pile of beans if individuals are not tasked with the necessary responsibilities.

Roles, responsibility and enforcement go a lot farther than any new expensive gadget promising you everlasting security bliss.

Page 5: Step 2: Inventory

It is important to know what needs to be protected and then drill down into how to protect it.

Identify the role each asset plays in your organization.

• This will help you understand the business impact if one or more of these assets are negatively affected.

The following outlines the necessary steps of asset management:

• Identify all assets, configurations, versions, software, and patches
• Update and maintain this information on all assets through their life cycles, from procurement to disposal
• Identify an individual who is responsible for asset management

Page 6: Step 3: Develop metrics

Metrics for tracking and reporting:

• Number and type of incidents per month
• Cost of recovery from incidents in man hours
• Time it takes to resolve experienced incidents

Classifications that you could use can be mapped to maximum tolerable downtime (MTD) calculations:

• Non-essential = MTD 30 days
• Normal = MTD 7 days
• Important = MTD 72 hours
• Urgent = MTD 24 hours
• Critical = MTD minutes to hours

Page 7: Step 4: Assess and baseline

Carry out initial vulnerability assessments to recognize your current level of vulnerability and threat level.

• The types of assessments you choose to carry out depend upon the scope of vulnerabilities you are going to address.

Once you establish the metrics your company will use, you then need to determine the range of deviations your company can accept.

Page 8: Step 5: Develop a CSIRT

Many companies try to prevent bad things from taking place but do not properly plan for what to do when bad things take place.

The team should be made up of technical staff, management, legal and human resources.

• http://www.csrc.nist.gov/publications/nistpubs/800-3/800-3.pdf

Page 9: Step 6: Control vulnerability information flow

Do not be overwhelmed with an excessive amount of alerts that do not affect you.

• META Security Group
• TruSecure IntelliShield Early Warning System (EWS)
• SecureNet Solutions
• Computer Associates’ eTrust Managed Vulnerability Service
• There are many more out there…

Page 10: Step 7: Develop threat classifications

Classify vulnerabilities based on their level of threat and degree of success.

Classify assets according to their level of vulnerability, role in the company and value.

Decisions on remediation activities are based on a combination of technical and business data.

Page 11: Step 8: Standardized procedures

Develop standardized procedures and checklists to follow when a new vulnerability is identified.

This formalized approach reduces wasted time and operational costs.

Page 12: Vulnerability action steps

Page 13: Vulnerability action steps

Page 14: Vulnerability action steps

Page 15: Vulnerability action steps overview

We will dig a little deeper into a few of these steps…

Page 16: Vulnerability identification

Goal:

• Identify weaknesses before they can be exploited

Process:

• Continually scan for new vulnerabilities
• Continually scan for rogue technology devices
• Keep up-to-date on vulnerability alerts
• Carry out compliance testing
• Carry out operational availability analysis

Technologies:

• Scanners
• Vulnerability assessment tools
• Penetration testing tools
• New vulnerability alert subscription

Page 17: Threat analysis

Goal:

• Identify threat agents that can exploit identified vulnerabilities
• Measure the efficiency of current controls and countermeasures
• Minimize downtime due to threat activity and other negative ramifications

Process:

• Classify new vulnerabilities based on the probability of successful exploitation and the potential damage
• Classify each vulnerable asset by its role in the company and the business impact of its disruption
• Align threats with business impact and develop proper remediation steps
• Use the results of incidents to improve preventative measures

Technologies:

• Vulnerability management automated tools
• Intrusion detection systems
• Event correlation
• Content scanning
• Antivirus
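One way to turn the classification rules of Step 7 and the threat analysis process above into a repeatable ranking, as an added example that is not from the presentation: a vulnerability's probability of successful exploitation and potential damage are combined with the asset's business value, and the asset's MTD class from Step 3 sets the remediation deadline. The asset names, finding IDs, scores and the one-hour MTD chosen for the Critical class are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Asset classifications mapped to maximum tolerable downtime (MTD) as given on
# the "Develop metrics" slide; "minutes to hours" for Critical is assumed to be 1h.
MTD = {
    "non-essential": timedelta(days=30),
    "normal": timedelta(days=7),
    "important": timedelta(hours=72),
    "urgent": timedelta(hours=24),
    "critical": timedelta(hours=1),
}

@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    exploit_probability: float  # 0..1: probability that exploitation succeeds
    damage: float               # 0..1: potential damage if it does

@dataclass(frozen=True)
class Asset:
    name: str
    classification: str    # key into MTD, taken from the asset inventory
    business_value: float  # 0..1: the asset's role and value to the company

def threat_score(vuln: Vulnerability, asset: Asset) -> float:
    """Technical data (the vulnerability) combined with business data (the asset)."""
    return round(vuln.exploit_probability * vuln.damage * asset.business_value, 3)

def prioritize(findings, found_at: datetime):
    """Rank (asset, vulnerability) pairs; each entry gets an MTD-derived deadline."""
    ranked = [{"asset": a.name, "vuln": v.vuln_id, "score": threat_score(v, a),
               "deadline": found_at + MTD[a.classification]} for a, v in findings]
    # Highest threat first; ties are broken by the earlier deadline.
    ranked.sort(key=lambda e: (-e["score"], e["deadline"]))
    return ranked

def overdue(ranked, now: datetime):
    """IDs of findings whose MTD-based remediation deadline has already passed."""
    return [e["vuln"] for e in ranked if e["deadline"] < now]

# Constructed sample data (hypothetical assets and finding IDs, not real ones).
FOUND_AT = datetime(2024, 1, 1, 9, 0)
SAMPLE_FINDINGS = [
    (Asset("intranet-wiki", "normal", 0.3), Vulnerability("V-2", 0.9, 0.8)),
    (Asset("payroll-db", "critical", 1.0), Vulnerability("V-1", 0.9, 0.8)),
    (Asset("kiosk", "non-essential", 0.1), Vulnerability("V-3", 0.5, 0.2)),
    (Asset("vpn-gateway", "urgent", 0.8), Vulnerability("V-4", 0.6, 0.9)),
]
```

Running `prioritize(SAMPLE_FINDINGS, FOUND_AT)` puts the critical payroll database first even though the wiki carries the same vulnerability, which is the point of mixing business data into the technical score.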

Page 18: Remediation

Goal:

• Reduce business downtime and business impact
• Contain and mitigate damages
• Respond effectively and efficiently to the incident

Process:

• Roll out a temporary fix
• Test and implement the permanent fix
• Carry out proper configuration management
• Report activities to affected business units and personnel
• Document the change to the environment

Technologies:

• Patch management
• Configuration and software deployment tools
• Vulnerability management automated tools

Page 19: Step 9: Improve preventative controls

When an intrusion is suffered, the security staff should treat this as an opportunity to reinforce the necessary security barriers.

Too many times companies just “plug the hole” without investigating the layers of controls that had to be penetrated for this threat to be successful.

Page 20: Step 10: Continual monitoring

Vulnerability management is a process, not a product or a project.

Page 21: Common vulnerabilities that are overlooked

Remote access servers

• Is this traffic monitored via firewalls and IDS?

Outgoing ports (egress filtering)

• Are your employees carrying out hacking activities, or are any of your systems infected with zombie software?

Hanging modems and rogue access points

• Have new ones popped up in your environment that you are unaware of?

Personnel security knowledge assessment

• The most commonly overlooked item, and the one that can cause the most damage.

Data validation and buffer overflows in software

• Have you properly tested for these types of attacks?

Proper configuration of security devices

• IDS, firewall and access control misconfigurations account for most of the serious vulnerabilities in many environments today.

Page 22: More vulnerabilities

Authorization creep

• Employees and contractors gaining more and more access rights without their access needs being validated.

Internal fraud

• Authorized users are the most difficult to audit and monitor because they have been granted privileged access.

Confidential data

• Are your employees sending this type of information out through e-mail or saving it to disks to take out of the environment?

PBX fraud

• Are you monitoring long distance use to ensure that phreakers are not selling access to your telephone service?

Wireless

• Check for rogue access points, the possibility of sniffing, and man-in-the-middle attacks.

Page 23: A process, not a product or a project

Do not throw money and resources at the issue.

Develop a strategic and on-going process that is integrated into every day activities.

A large corporation of over 200,000 employees created an 80-person staff dedicated just to vulnerability management.

• They could not keep up and be successful because of a lack of organization, vision, strategy, and process integration
• Not from a lack of money

Page 24: How do we do that again?

Process:

• Capture a baseline of the security posture
• Develop the desired baseline of the security posture (acceptable risk level)
• Inventory and classify assets based on value to the company
• Develop a Computer Security Incident Response Team (CSIRT)
• Control vulnerability information flow
• Develop standardized procedures and checklists to follow when a new vulnerability is identified
• Integrate activities with asset management, event management and patch management processes
• Review and improve upon the preventative countermeasures currently in place
• Continually monitor the environment’s security baseline