Importance of Vulnerability Management
Anthony Asher
What is Vulnerability Management (VM)?
Why is VM important?
Examples of vulnerability exploits
What's the difference?
Vulnerability / Assess / Manage
• Vulnerability: a weakness of an asset or group of assets that can be exploited by one or more threats.
• Assessment: the process of identifying vulnerabilities in computers and networks as well as weaknesses in policies and practices.
• Management: “process of attempting to identify and mitigate security vulnerabilities within an IT environment on a continuous basis” – Deloitte & Touche
Vulnerability Management Lifecycle
(Cycle diagram with six phases: Discover, Prioritize Assets, Assess, Report, Remediate, Verify.)
Why is vulnerability management important?
1990s – Hackers would try a single exploit on host after host until they found a vulnerable target to break into.
(Diagram: one attacker trying the same exploit against Host #1, Host #2 and Host #3 in turn.)
Why is vulnerability management important?
2008 – Hackers target and attack carefully identified companies with an onslaught of attacks until successful.
(Diagram: a single targeted company hit by Attack #1 through Attack #6.)
Why is vulnerability management important?
Vulnerability exploits cripple companies:
• Reputation
• Financial
• Legalities
• Customer information
• Sensitive information
• Asset control (botnet)
• Legal compliance
Master Lock – The most trusted consumer padlock.
Vulnerability #1: Combination Code Deduction
EXPLOIT: Deducing the code by removing the uneven numbers the lock stops at while under tension reveals the code.
Vulnerability #2: Shackle Spacing
EXPLOIT: A shim made from a soda can opens the lock.
Purpose of Vulnerability Management:
Examine the technologies in place and identify vulnerabilities. Put a system in place to continuously compare the vulnerabilities to a policy, and systematically mitigate these vulnerabilities to lower a company's exposure to risk.
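The lifecycle slide (Discover, Prioritize Assets, Assess, Report, Remediate, Verify) and this purpose statement describe a loop rather than a one-off scan: findings are compared against a written policy, ranked, and checked again on the next scan. The script below is an added example written for this page, not code from the presentation or from Nessus, WSUS or MBSA. Everything in it is constructed for illustration: the policy deadlines, the asset names and criticalities, the finding titles, CVSS scores and dates.

```python
"""Toy vulnerability-management loop (added example, not the presentation's tooling).

Constructed scan findings are compared against a written policy, prioritized by
asset criticality and severity, and tracked across rescans so remediation can
be verified rather than assumed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Policy: remediation deadline in days, by asset criticality and severity band.
# These thresholds are constructed for the example, not taken from any standard.
POLICY = {
    "critical": {"critical": 7, "high": 14, "medium": 30, "low": 90},
    "standard": {"critical": 14, "high": 30, "medium": 60, "low": 180},
}

# Asset inventory: the "Prioritize Assets" phase assigns each host a criticality.
ASSETS = {"db-01": "critical", "web-01": "critical", "kiosk-07": "standard"}


@dataclass(frozen=True)
class Finding:
    host: str
    title: str        # constructed finding names, not real plugin or CVE ids
    cvss: float
    first_seen: date  # when the scanner first reported it; drives the SLA clock


def severity_band(cvss: float) -> str:
    """Map a CVSS base score onto the bands the policy uses (CVSS v3 ranges)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def deadline(f: Finding) -> date:
    """Remediation deadline from the policy; unknown hosts get the standard tier."""
    tier = ASSETS.get(f.host, "standard")
    return f.first_seen + timedelta(days=POLICY[tier][severity_band(f.cvss)])


def prioritize(findings, today: date):
    """Order findings by urgency: overdue first, then soonest deadline, then
    higher CVSS. Returns (finding, days_left) pairs; negative means overdue."""
    rows = [((deadline(f) - today).days, -f.cvss, f) for f in findings]
    rows.sort(key=lambda r: (r[0], r[1]))
    return [(f, days_left) for days_left, _, f in rows]


def overdue(findings, today: date):
    """The 'scanning but failing to act' list: findings past their deadline."""
    return [f for f, days_left in prioritize(findings, today) if days_left < 0]


def verify(previous, rescan):
    """Verify phase: a finding absent from the rescan is closed; one still present
    keeps its original first_seen so the SLA clock does not silently reset."""
    prev = {(f.host, f.title): f for f in previous}
    now = {(f.host, f.title): f for f in rescan}
    closed = [prev[k] for k in prev if k not in now]
    still_open = [prev.get(k, now[k]) for k in now]
    return closed, still_open


# Constructed sample data for two scan cycles.
TODAY = date(2024, 3, 1)
SCAN_1 = [
    Finding("db-01", "Outdated database service (constructed)", 9.8, date(2024, 2, 10)),
    Finding("web-01", "Weak TLS cipher suite enabled (constructed)", 5.3, date(2024, 2, 20)),
    Finding("kiosk-07", "Missing OS patch (constructed)", 9.8, date(2024, 2, 25)),
]
SCAN_2 = [  # rescan: db-01 fixed, web-01 unchanged, a new finding on kiosk-07
    Finding("web-01", "Weak TLS cipher suite enabled (constructed)", 5.3, date(2024, 3, 5)),
    Finding("kiosk-07", "Missing OS patch (constructed)", 9.8, date(2024, 3, 5)),
    Finding("kiosk-07", "Default credentials on admin page (constructed)", 8.8, date(2024, 3, 5)),
]


def report(findings, today: date):
    """Report phase: one line per finding, most urgent first."""
    return [f"{days_left:>4}d  {f.host:<9} {severity_band(f.cvss):<8} {f.title}"
            for f, days_left in prioritize(findings, today)]


if __name__ == "__main__":
    print("\n".join(report(SCAN_1, TODAY)))
    closed, still_open = verify(SCAN_1, SCAN_2)
    print("closed after rescan:", [f.title for f in closed])
    print("still open:", [(f.host, f.first_seen.isoformat()) for f in still_open])
```

The point of the `verify` step is the part most often skipped in practice: a finding that disappears from a rescan is only counted as closed because the scanner no longer sees it, and a finding that persists keeps its original date, so the overdue list reflects how long the exposure has actually existed rather than when it was last scanned.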
Examples of Negligence
Cost of not managing vulnerabilities
Estimates put the average cost of a data breach to the company at $4.8 million.
• Average cost of $182 per lost customer record
• Average of 26,300 lost records per breach
Five Mistakes of Vulnerability Management
• Scanning but failing to act.
• Treating patching as the same thing as VM.
• Treating VM as only a technical problem.
• Assessing without the whole picture.
• Being unprepared for zero-day exploits.
Is Nessus and/or Patching enough?
Tools of the Vulnerability Management Life-Cycle
(Diagram mapping the lifecycle phases – Discover, Group / Prioritize, Assess, Report, Remediate, Verify – to tools: Nessus Security Scanner on the Assess side, Microsoft patching with WSUS / MBSA on the Remediate side.)
Vulnerability Management Is Critical
• The growing number of vulnerabilities, coupled with the dynamic attack methods and exploits in today's security landscape, places enterprise businesses at great risk.
• Implementing a vulnerability management process will help identify and remediate vulnerabilities before exploits are used.
• Scanning and patching alone will not provide the system needed to comprehensively lower a company's security exposure and risk.
Questions?