Vulnerability Management - •Vulnerability Management –Is an essential part of any modern Security Management Program –Is required now by all Security Frameworks

  • Published on
    10-Mar-2018

  • View
    212

  • Download
    0

Embed Size (px)

Transcript

  • Vulnerability Management - William Favre Slater, III 1

    Vulnerability Management

    August 17, 2016

    A Practitioners PerspectiveWilliam Favre Slater, III

    M.S., MBA, PMP, CISSP, SSCP, CISA, ITIL, IPv6Senior IT Consultant in Cybersecurity

    Chicago, IllinoisUnited States of America

    slater@billslater.comhttp://billslater.com/interview

    mailto:slater@billslater.comhttp://billslater.com/interview

  • Agenda Introduction

    What are Vulnerabilities?

    What are Threats?

    Quick Story about David Brewer, Michael Nash, and the "Brewer Events".

    Tools

    Planning Your Scanning

    Vulnerability Management & Reporting

    Remediation Management & Reporting

    Vulnerability Aging Reporting

    Personal Insights from Experience

    Summary

    Conclusion

    Questions

    Resources

    August 17, 2016 Vulnerability Management - William Favre Slater, III 2

  • Introduction Vulnerability Management

    Is an essential part of any modern Security Management Program

    Is required now by all Security Frameworks

    Requires careful planning, rigor, and discipline

    Requires Diplomacy

    Requires Strong Management Support

    Is required to keep you out of lawsuits

    Is required to help protect your organization from deadly attacks and data breaches

    August 17, 2016 Vulnerability Management - William Favre Slater, III 3

  • Information Security is a Continuous Process

    August 17, 2016 Vulnerability Management - William Favre Slater, III 4

  • Information Security is a Continuous Process

    August 17, 2016 Vulnerability Management - William Favre Slater, III 5

  • Vulnerability Management Life Cycle

    August 17, 2016 Vulnerability Management - William Favre Slater, III 6

  • Vulnerability ManagementSecurity Management

    August 17, 2016 Vulnerability Management - William Favre Slater, III 7

  • Vulnerability ManagementSecurity Management

    August 17, 2016 Vulnerability Management - William Favre Slater, III 8

  • Computer Network Defense (CND)

    The Four Pillars

    Forensics Threat Analysis

    Vulnerability Assessment

    Network Defense

    Operations (NDO)

    August 17, 2016 Vulnerability Management - William Favre Slater, III 9

  • Security Architecture & Management

    August 17, 2016 Vulnerability Management - William Favre Slater, III 10

  • Measuring and Reporting onSecurity Architecture & Management

    August 17, 2016 Vulnerability Management - William Favre Slater, III 11

  • Is There a Capability Maturity Model for Threat and Vulnerability Management?

    August 17, 2016 Vulnerability Management - William Favre Slater, III 12

    Source: https://blog.coresecurity.com/2014/10/21/the-threat-and-vulnerability-management-maturity-model/

    https://blog.coresecurity.com/2014/10/21/the-threat-and-vulnerability-management-maturity-model/

  • WHAT ARE VULNERABILITIES?

    August 17, 2016 Vulnerability Management - William Favre Slater, III 13

  • Vulnerabilities

    Vulnerability definition

    Vulnerability examples

    14August 17, 2016 Vulnerability Management - William Favre Slater, III

    Thetis dipping Achilles

    into the River Styx

  • Vulnerabilities

    What is a vulnerability?

    A situation or condition that represents an opportunity for a threat to damage or for information to be stolen from the organization, IT Systems or network.

    Comes from the Latin word, vulnus, meaning wound

    Sometimes called, The Achilles Heel.

    15August 17, 2016 Vulnerability Management - William Favre Slater, III

    Thetis dipping Achilles

    into the River Styx

  • The Death of Achilles

    August 17, 2016 Vulnerability Management - William Favre Slater, III 16

    Achilles was mortally wounded in the

    one place he was vulnerable: his heel.

  • Some Sources of Vulnerabilities Complicated user interface

    Default passwords not changed

    Disposal of storage media without deleting data

    Equipment sensitivity to changes in voltage

    Equipment sensitivity to moisture and contaminants

    Equipment sensitivity to temperature

    Inadequate cabling security

    Inadequate capacity management

    Inadequate change management

    Inadequate classification of information

    Inadequate control of physical access

    Inadequate maintenance

    Inadequate network management

    Inadequate or irregular backup

    Inadequate password management

    Inadequate physical protection

    17August 17, 2016 Vulnerability Management - William Favre Slater, III

  • Some Sources of Vulnerabilities Inadequate protection of cryptographic keys

    Inadequate replacement of older equipment

    Inadequate security awareness

    Inadequate segregation of duties

    Inadequate segregation of operational and testing facilities

    Inadequate supervision of employees

    Inadequate supervision of vendors

    Inadequate training of employees

    Incomplete specification for software development

    Insufficient software testing

    Lack of access control policy

    Lack of clean desk and clear screen policy

    Lack of control over the input and output data

    Lack of internal documentation

    Lack of or poor implementation of internal audit

    Lack of policy for the use of cryptography

    18August 17, 2016 Vulnerability Management - William Favre Slater, III

  • Some Sources of Vulnerabilities Lack of procedure for removing access rights upon termination of employment

    Lack of protection for mobile equipment

    Lack of redundancy

    Lack of systems for identification and authentication

    Lack of validation of the processed data

    Location vulnerable to flooding

    Poor selection of test data

    Single copy

    Too much power in one person

    Uncontrolled copying of data

    Uncontrolled download from the Internet

    Uncontrolled use of information systems

    Undocumented software

    Unmotivated employees

    Unprotected public network connections

    User rights are not reviewed regularly

    19August 17, 2016 Vulnerability Management - William Favre Slater, III

  • WHAT ARE THREATS?

    August 17, 2016 Vulnerability Management - William Favre Slater, III 20

  • Threats

    Threat definition

    Some sources of threats

    More threat examples

    21August 17, 2016 Vulnerability Management - William Favre Slater, III

  • Threats

    What is a threat?

    Something that can potentially cause damage or theft to the organization, IT Systems or network.

    22August 17, 2016 Vulnerability Management - William Favre Slater, III

  • Some Sources of Threats Misguided Employees

    Mistakes by careless Employees

    External Parties

    Low awareness of security issues

    Lack of or lapse in security policy compliance

    Growth in networking and distributed computing

    Growth in complexity and effectiveness of hacking

    tools and viruses

    Natural disasters e.g. fire, flood, earthquake

    23August 17, 2016 Vulnerability Management - William Favre Slater, III

  • Typical Threats that Represent Business Risks

    August 17, 2016 Vulnerability Management - William Favre Slater, III 24

  • QUICK STORY ABOUT DAVID BREWER AND THE "BREWER EVENTS".

    August 17, 2016 Vulnerability Management - William Favre Slater, III 25

  • So Lets Simplify This StuffAnd Make it Easier, Achievable and More Manageable

    26

    Co-author of the ISO 27001 standard security framework, October 2005

    Co-author of ISO 27001 Annex A Insights, December 2010

    Director, Gamma Secure Systems Limited

    ISO/IEC 27001 and ISO 9001 Certified for the

    Provision of Information Security Consultancy

    www.gammassl.co.uk

    Note: with clients he had to start using the Word, EVENT, because he learnedExecutive Management got upsetAbout the connotation of Words like ASSETS, THREATS and VULNERABILITIES

    Vulnerability Management - William Favre Slater, III

    http://www.gammassl.co.uk/research/27001annexAinsights.pdfSource:

    http://www.gammassl.co.uk/research/27001annexAinsights.pdf

  • An Event is

    When Threat Meets Vulnerability or

    When a Threat EXPLOITS a Vulnerability

    August 17, 2016 Vulnerability Management - William Favre Slater, III 27

  • Brewer Event List

    28August 17, 2016 Vulnerability Management - William Favre Slater, III

  • Risk Management Strategies

    29ISMS Project Update Meeting - Information Asset & Information Security Discussion June 10, 2011August 17, 2016

    Vulnerability Management - William Favre Slater, III

  • Applying the Brewer Events withRisk Management Strategies

    30August 17, 2016 Vulnerability Management - William Favre Slater, III

  • TOOLS

    August 17, 2016 Vulnerability Management - William Favre Slater, III 31

  • Tools:

    Scanners

    Nexpose

    IBM VMS

    Nessus

    Netcat

    August 17, 2016 Vulnerability Management - William Favre Slater, III 32

  • Tools: Nexpose

    August 17, 2016 Vulnerability Management - William Favre Slater, III 33

    Source: Rapid7

  • Tools: Generic Vulnerability Scanning

    August 17, 2016 Vulnerability Management - William Favre Slater, III 34

    Source: Skoudis, E. (2006), Counter Hack Reloaded.

    Target Servers

    Vulnerability

    Database

    User

    Configuration

    Tool

    Scanning

    Engine

    Knowledge

    Base of

    Current Active

    Scan

    Results

    Repository

    and Report

    Generation

    Generic Vulnerability

    Scanner Architecture on

    A Scanning Server

    SwitchRouterFirewall

    Technical Notes:

    1) It is standard practice to white list the IP address of your

    scanner at the Firewall and other IDPS Devices.

    2) The scanner probes for active IP addresses and open

    ports, and associates them with what it finds with the

    Vulnerability Database.

    Data Center

  • PLANNING YOUR SCANNING

    August 17, 2016 Vulnerability Management - William Favre Slater, III 35

  • Planning Your Scanning

    Get Management Support

    Create a Project Plan

    Change Management Request and Approval

    Examples available upon request

    Publish organization-wide announcements before and after the scans complete.

    Do the Vulnerability Scan during the approved change window.

    Note: If a server or network device goes down during or shortly after your scanning, YOU WILL BE BLAMED FOR IT, so document EVERYTHING.

    August 17, 2016 Vulnerability Management - William Favre Slater, III 36

  • VULNERABILITY MANAGEMENT & REPORTING

    August 17, 2016 Vulnerability Management - William Favre Slater, III 37

  • Vulnerability Management

    Get Management Support

    Create a good Vulnerability Management Policy

    Create a good Vulnerability Management Program

    Create a good Remediation Management Program

    August 17, 2016 Vulnerability Management - William Favre Slater, III 38

  • August 17, 2016 Vulnerability Management - William Favre Slater, III 39

    Vulnerability ManagementIT

    Op

    erat

    ion

    sIT

    Sec

    uri

    tyPhase

    Scope and Identify IT Assets and Areas to be

    Scanned

    Scan and Monitor for

    Vulnerabilities

    Assess Risk & Prioritize

    VulnerabilitiesStart

    CriticalVulnerability?

    Post-Implementation Review; Audit and Validate the Work Associated with the Patching

    Change Request

    Patching Team Performs the Patching Activity using Big Fix, or

    in the case of non-supported platforms, using Best Method

    Build, Test, and Plan Release. Hand Off to Patching Team

    Review Change Request and the Designated

    Team(s) will Complete the Actual Work

    Validate Findings

    Change Management

    Perform the Patching Activity

    Release Management

    Change Management

    Create Emergency Change Request

    Incident Management

    Execute Emergency Change Request and

    Contact the Designated Team(s) to Completed the

    Actual Work

    Change Management

    YesNo

    Stop

    September 11, 2015William Slater

    Security Liaison / DPEJLL Consultant

  • August 17, 2016 Vulnerability Management - William Favre Slater, III 40

  • August 17, 2016 Vulnerability Management - William Favre Slater, III 41

  • Vulnerability Reports

    Detail reports To operations groups (Network Teams, and Server Teams)

    Summary by region, device, and severity (To operations groups (Network Teams, and Server Teams)

    Monthly Executive Summaries (to Global CTO, Global CISO, Regional CIOs, CTOs, and CISOs)

    Ad Hoc Reports for Auditors, Managers, etc.

    Strong Advice: Keep all your Data, Queries, Reports, E-mails, Meeting Requests, Meeting Minutes, etc. And have naming standards so you can easily find stuff.

    August 17, 2016 Vulnerability Management - William Favre Slater, III 42

  • Vulnerability Reports

    Summary by region, device, and severity

    (To operations groups (Network Teams, and Server Teams)

    August 17, 2016 Vulnerability Management - William Favre Slater, III 43

  • Vulnerability Reports

    Summary by region, device, and severity

    To operations groups (Network Teams, and Server Teams)

    SQL Statement (from MS Access):

    August 17, 2016 Vulnerability Management - William Favre Slater, III 44

    SELECT DISTINCT AM_Servers_Combined_2016_0520_VULN.[Vulnerability Severity Level], Count(AM_Servers_Combined_2016_0520_VULN.[Vulnerability ID]) AS [CountOfVulnerability ID]FROM AM_Servers_Combined_2016_0520_VULNGROUP BY AM_Servers_Combined_2016_0520_VULN.[Vulnerability Severity Level]ORDER BY AM_Servers_Combined_2016_0520_VULN.[Vulnerability Severity Level] DESC;

    Query name: AM_Servers_with_VULN_Summary_Counts_2016_0520

  • Vulnerability Reports

    Executive Summaries (to CIO, CTO, CISO, etc. )

    August 17, 2016 Vulnerability Management - William Favre Slater, III 45

  • Vulnerability Reports Executive Summaries (to CIO, CTO, CISO, etc. )

    August 17, 2016 Vulnerability Management - William Favre Slater, III 46

  • Vulnerability Reports Executive Summaries

    August 17, 2016 Vulnerability Management - William Favre Slater, III 47

  • Vulnerability Reports Executive Summaries

    August 17, 2016 Vulnerability Management - William Favre Slater, III 48

  • REMEDIATION MANAGEMENT & REPORTING

    August 17, 2016 Vulnerability Management - William Favre Slater, III 49

  • Remediation Management & Reporting

    Vulnerabilities are remediated by:

    Patching

    Firmware updates

    Hardening devices

    Software Upgrades

    Recommended Settings on Operating Systems and/or Applications

    Retirement of a vulnerable device

    August 17, 2016 Vulnerability Management - William Favre Slater, III 50

  • Remediation Management & Reporting

    Remediation reports show what Summaries and Details of what vulnerabilities are getting remediated and how long, on average, it is taking from time of notification to remediation.

    Used to track Security Performance: Critical = 30 days

    Severe = 60 days

    Moderate = 90 days

    Alternative to remediation: Have management review and accept the risk of not remediating. This is usually a formal process and must be requested and granted in writing.

    August 17, 2016 Vulnerability Management - William Favre Slater, III 51

  • Remediation Management & Reporting

    Detail reports

    To operations groups (Network Teams, and Server Teams)

    Summary by region, device, and severity

    (To operations groups (Network Teams, and Server Teams)

    Monthly Executive Summaries (to Global CTO, Global CISO, Regional CIOs, CTOs, and CISOs)

    Ad Hoc Reports for Auditors, Managers, etc.

    Strong Advice: Keep all your Data, Queries, Reports, E-mails, Meeting Requests, Meeting Minutes, etc. And have naming standards so you can easily find stuff.

    August 17, 2016 Vulnerability Management - William Favre Slater, III 52

  • Remediation Management Guiding Principles ( 1 of 5)

    Run Vulnerability Scans AFTER the Patch Updating Process

    Highest Risk: Confidential Data hosted

    Your Team should use and track metrics (i.e. how many vulnerabilities are getting fixed, etc.)

    You only need to go to the level of granularity where you can easily report

    Your Team needs to define what is acceptable risk

    Your Team needs to define its timelines for vulnerability scanning and remediation

    Your Team...

Recommended

View more >