Vulnerability Management
Dimension Data – Tom Gilis, 24 November 2011
Dimension Data
2Vulnerability Management22/04/23
Dimension Data Belgium - Security Consulting – Advisory & Assurance
• Security Advisory services are Governance, Risk and Compliance oriented consultative engagements focusing on the organizational and strategic aspects of Security Management. They cover requirements such as Business Impact Analysis, Risk Assessment, Best Practices Gap Analysis and Policies and Procedures, to name only a few.
• Security Assurance services are engagements where our customers rely on our technical expertise to gauge their security posture against a defined security standard or to obtain a ‘bird’s eye view’ of where hackers may exploit weaknesses. Services range from Penetration Testing, Vulnerability Assessment and Management to Source Code Analysis, on a very broad technology spectrum.
Problem Statement - A day in the life of an IT Officer
• How do I manage the privacy of the corporate data?
• Are my endpoints a risk to my corporate network?
• Are they subject to targeted attacks?
• How do I demonstrate compliance with standards and regulations?
• How do I maintain our security standards when outsourcing?
• How can I show the value of security within my organisation?
• Can I combine the new business requirements and uphold a strong, secure network environment?
• ….
Questions
Problem Statement – Security Landscape
The threat landscape is becoming more and more sophisticated while technology environments continue to be very complex
New vulnerabilities are found every day:
• Much more research into vulnerabilities and security weaknesses
• “On average, about 3000 vulnerabilities per year get reported to CERT and only about 10% are published.” (CERT)
Source : http://www.gfi.com/blog/wp-content/uploads/2009/10/Florian-graph.JPG
Increase in attacks at the application layer:
• Every 1,000 lines of code averages 15 critical security defects (US Department of Defense)
Change in malicious attacks:
• Increased professionalism and commercialization of malicious activities
• Threats that are increasingly tailored for specific regions
• Increasing numbers of multi-staged attacks
• More targeted attacks with bigger financial loss
Compliance pressure and stringent legal requirements continue to drive security focus
Compliance explicitly calling for vulnerability management and security assessments
ISO 27001/27002, PCI DSS v2.0, SOX Section 404, GLBA, HIPAA, FISMA, NIST 800-53, NIST 800-64, CBFA Circular 2009_17 (Belgium FSI regulator)...
• Vulnerability Management
• Penetration Testing
• Source Code and Binary Code Review
• ...
• PCI DSS: Req. 12 - Regularly test security systems and processes
• ISO 27002: 12.6.1 - Control of technical vulnerabilities
• Directive 95/46/EC of the European Parliament: The Principle of Security
A Strategic Approach
Determine Risk Level
• How do you consistently calculate risk across a diverse enterprise?
  o ‘Finger in the air’
  o Who shouts the loudest?
  o Excel
  o CVSS (Common Vulnerability Scoring System)
  o ….
• Can you do this in an automated and repeatable manner?
• Is this used to help prioritize your remediation efforts?
• …
Implement appropriate protection
• How fast can your organization deploy a patch to all affected systems?
• Is it more cost effective to protect first and fix later?
• What is the most effective tool to mitigate the risk?
• Example:
Typical Savings                                   2005    2006
Number of patch cycles                              19       9
Number of people assigned to patch operations       41      19
Average hours per patch cycle                       73      68
Total FTE                                           27     5.6
Patch management savings at one of the largest security vendors in the world: vulnerability management helped them decide whether or not to patch, depending on the type of attacks, the type of vulnerabilities, whether systems are exposed to specific attacks, and the control mechanisms in place.
Reducing overall IT Security Risk
Targeted (near-day mitigation)
• New, critical vulnerabilities
• Key assets
Bottom-up (scan and remediate)
• Assess vulnerability state
• Remediate detected vulnerabilities
Top-down (policy audit and enforcement)
• Define asset baseline
• Define security baseline
• Enforce IT security configuration
We need something that ...
• provides continuous insight into the security posture of an external or internal infrastructure
• helps us stay in control and measure security maturity and progress in between extended assessments, e.g. an annual Penetration Test
• automates the fight against vulnerabilities, which is crucial for success: a manual detection and remediation workflow is too slow, too expensive and ineffective
• can be used to drive the internal Patch Management process and provides valuable information to decide on priorities
• consolidates proactive and reactive security controls!
• demonstrates compliance and control
• ……..
Vulnerability Management
What is VM?
“Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities”
“Typical tools used for identifying and classifying known vulnerabilities are vulnerability scanners”
Source: Wikipedia
1. Discover and inventory assets
2. Categorise and prioritise assets
3. Scan for vulnerabilities
4. Report, classify and rank risks
5. Remediate – apply patches, fixes and workarounds
6. Verify – Re-scan to confirm fixes and verify security
The 6 Steps of Vulnerability Management
1. Discover and inventory assets
• Establish a baseline of all assets
  o IP devices connected to the network
  o Software, applications and services
  o Individual configurations, latest software release, patches, etc.
2. Categorize and prioritize inventory
• By measurable business value
• By potential impact on business availability
• Establish interrelations between systems and services
3. Scan for vulnerabilities
• Scan assets against a comprehensive, industry-standard database of vulnerabilities; this increases scanning accuracy and minimizes false positives
• Automated scanning keeps you up to date, is accurate, and scales globally to the largest networks
• Tests the effectiveness of security policy and controls by examining network infrastructure and applications for vulnerabilities
4. Report, classify and rank risks
• Create manual or automated reports and distribute them to the respective stakeholders
• Maintain an overview for instant risk analysis
• Prove compliance with regulations
5. Remediate
• Apply patches, updates and fixes or install workarounds to mitigate the risk.
• Use a remediation workflow tool to automatically generate and assign tickets and ensure follow-up and remediation.
• Pre-test all patches, etc. in your organization's test environment before deployment
6. Verify – Re-scan to confirm fixes and verify security
• Re-scan to verify applied patches and confirm compliance
• Update the remediation workflow and the assets baseline
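The following is an added example, not code from the presentation or from Dimension Data: one pass through steps 2 to 6 above over constructed data, using the CVSS-based, repeatable risk calculation the "Determine Risk Level" slide asks for instead of a "finger in the air". Asset names, the VULN-xxx finding ids, business values and the weighting factors are hypothetical placeholders.

```python
# Added example (not from the presentation): one vulnerability-management cycle
# over constructed data. Names, VULN-xxx ids and weights are hypothetical.

# Steps 1-2: asset baseline with a measurable business value (1 low .. 3 critical)
ASSETS = {
    "web-01": {"business_value": 3, "internet_facing": True},
    "fileserver-02": {"business_value": 2, "internet_facing": False},
    "printer-03": {"business_value": 1, "internet_facing": False},
}

# Step 3: constructed scanner output as (asset, finding id, CVSS base score)
SCAN_BASELINE = [
    ("web-01", "VULN-001", 9.8),
    ("web-01", "VULN-002", 5.0),
    ("fileserver-02", "VULN-003", 7.5),
    ("printer-03", "VULN-001", 9.8),
]
# Constructed re-scan after remediation: two findings fixed, one newly found
SCAN_RESCAN = [
    ("web-01", "VULN-002", 5.0),
    ("printer-03", "VULN-001", 9.8),
    ("fileserver-02", "VULN-004", 4.3),
]

def risk_score(asset, cvss):
    """Step 4: same formula for every asset: CVSS x business value, x1.5 if exposed."""
    meta = ASSETS[asset]
    score = cvss * meta["business_value"]
    if meta["internet_facing"]:
        score *= 1.5
    return round(score, 1)

def rank_findings(findings):
    """Step 4: all findings as (risk, asset, id, cvss), highest risk first."""
    return sorted(((risk_score(a, c), a, v, c) for a, v, c in findings), reverse=True)

def remediation_tickets(findings, threshold=15.0):
    """Step 5: one ticket per asset listing findings at or above the risk threshold."""
    tickets = {}
    for score, asset, vuln, _ in rank_findings(findings):
        if score >= threshold:
            tickets.setdefault(asset, []).append(vuln)
    return tickets

def verify_rescan(baseline, rescan):
    """Step 6: diff the re-scan against the baseline -> (fixed, newly found)."""
    before = {(a, v) for a, v, _ in baseline}
    after = {(a, v) for a, v, _ in rescan}
    return sorted(before - after), sorted(after - before)
```

The "fixed" list from verify_rescan is what closes the tickets, and the "newly found" list feeds the next cycle's asset baseline update.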
Belnet Vulnerability Scanner
Advantages
• Web-based SaaS solution
• IPv6 compliant
• Secure solution with strong authentication and encryption…
• 99.997% proven accuracy
• Easy, transparent reporting using customizable templates
• Web application vulnerability scanning module
• Modules for specific compliance requirements (PCI DSS, …)
• ….
Vulnerability Management - Conclusion
Things to think about ...
• What are my compliance requirements and legal boundaries?
• Are my current security controls proactive or reactive?
• Is my Vulnerability Management tool efficient?
• Do I know what the current security state of my network is?
• Is my confidential data sufficiently protected?
• Can I properly protect my assets in this security landscape?
Hacking is easy
Thank you !!