Why won’t these damn things just patch themselves?: The
Hitchhiker’s Guide to Threat and Vulnerability Management
Meet Your Presenter
Ryan Elmer
• Master of Science, Security Technologies – The University of Minnesota
• Published by American Banker, Star Tribune, Bloomberg Business Week
• Former faculty member ICBA Community Bank IT Institute
• Technology Implementer (The Ohio State University, Total Networx)
• Information Security Auditor (RSM McGladrey)
FRSecure
• Founded in 2008
• HQ in Minnetonka
• Sole focus fixing a broken information security industry
• Full suite of InfoSec services
• Product Agnostic – Your IT guys will love us!
Meet Your Presentation
• Threat and Vulnerability Management is one of the most critical elements of an Information Security Program.
• Organizations which lack “brilliance in the basics” will have difficulty implementing an effective vulnerability management program.
• Vulnerability Assessments are often confused with Vulnerability Management. This can lead to unmitigated vulnerabilities and increased risk.
• Most importantly, it means wasted money.
Meet Your Definitions
A vulnerability is a system susceptibility or flaw.
A threat is an attacker who can access the flaw and has the capability to exploit it.
A risk is the convergence of a vulnerability and a threat, with a defined likelihood and impact.
Vulnerability Management is the cyclical practice of identifying, classifying, remediating and mitigating vulnerabilities.
Vulnerability - Technical
An inherent weakness in technology tools resulting from a design flaw. Universal to everyone utilizing that tool.
• Systems and Applications not patched for known security flaws
  • Hardware, OS, Application, Database, Network Equipment
• Web Applications and Web Services
  • Known security issues, incorrectly coded, unpatched known security flaws
• Browser and Plugins
  • Not up to date, not patched for known security flaws
• Application and OS Configs
  • Never configured, configuration changes
Conceptual and Architectural Issues
Weaknesses resulting from the implementation, configuration and convergence of technological tools. Specific to that organization.
• Remote Access (Admin, Terminal Servers)
• Lack of Segmentation (Flat Networks)
• Weak Passwords
• Default Configs (WPAD over LLMNR)
• Convergence issues (Auto-Authenticate)
Vulnerability - Human
We Can’t Confuse These Two: Vulnerability Management vs. Vulnerability Assessment
Foundations of vulnerability management
An effective vulnerability management program relies on other mature programs.
(Diagram: Vulnerability Management supported by Access Control, Change Management and Asset Management)
Asset Management -- Realistically
Expectations
• Accurate, Reviewed and Reconciled Inventories of Hardware, Software and Data Assets.
• Data is categorized as public, non-public and confidential, and assets are classified by the types of data which they house.
• Extra credit: Data flow diagrams show connections between systems.
Reasons
• A complete list of assets ensures that everything gets scanned.
• Classified assets allow more flexibility in accepting risk (depending on the data and interconnectedness).
Change Management -- Realistically
Expectations
• The organization tracks significant changes to technology with tools as complex as a COTS Ticketing System or a spreadsheet.
• Minimum Tracking:
  • Description/Nature of Change
  • System
  • Testing/Business Unit Sign-off
  • Roll-Back Procedures
  • Approval
Reasons
• Changes to devices can introduce new vulnerabilities and configuration issues.
• The testing and roll-back procedures make sure that you don’t wreck your environment.
Access Control -- Realistically
Expectations
• Access control is in place. This includes user, system and service account access.
• vLANs and ACLs are in place.
Reasons
• Appropriate security can be placed on segregated systems according to the data which resides on them.
• This is always easier to talk about than to actually implement. De-activate service accounts when they are not in use, and create vLANs to the best of your ability. Pen Test to verify this has been done well.
Turning Your Current Program Into Management
Vulnerability Management brings together:
• Patching
• Vulnerability Scanning
• Analysis, Decision Making, Mitigation
• Penetration Testing
Vulnerability Scanning v Pen Testing
What it do?!
Vulnerability Scanning
Purpose:  Identify, rank and report technical vulnerabilities
Goal:     Determine all the vulnerabilities that we know can be exploited
Example:  Checking all exterior and interior doors
Focus:    Breadth over Depth
Tactics:  Fast and Loud
Tests:    Preventative Controls
Cadence:  Quarterly, Monthly
Vulnerability Assessment Process
• Enumeration
  • Discover Ports and Services (SSH, Telnet, SNMP)
  • Interrogation of Services
• Scan
• Analyze
  • Viability of Vulnerability
    • CVSS
    • Research
  • Impact
    • Data
    • Connections
• Make Risk Determinations
  • Mitigate (patch, re-config)
  • Transfer (outsource, insure)
  • Accept (document, compensate)
  • Avoid (turn it off)
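The Analyze and Make Risk Determinations steps above are where most programs stall, because the scanner only supplies viability (a CVSS score) and the impact side has to come from the asset inventory. The following is an added example, not code from the presentation or from FRSecure: it takes constructed scanner findings and a constructed asset list, weights each finding's CVSS score by the data classification and interconnectedness of the host it sits on, and maps it to one of the four treatments on the slide (mitigate, transfer, accept, avoid) with a recorded rationale. Hostnames, finding titles, the classification multipliers and the decision order are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample data: hypothetical hosts, findings and classifications,
# shaped like what a scanner and an asset inventory would hand you.

@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss: float          # CVSS base score as reported by the scanner (viability)
    fix_available: bool  # a patch or configuration change exists

@dataclass(frozen=True)
class Asset:
    host: str
    data_class: str           # "public", "non-public" or "confidential"
    connections: int          # how many other systems it talks to (interconnectedness)
    in_use: bool = True       # False: nothing depends on it any more
    outsourced: bool = False  # operated by a vendor under contract

# Impact weighting by data classification; the multipliers are assumptions.
DATA_WEIGHT = {"public": 1.0, "non-public": 1.5, "confidential": 2.0}

ASSETS = [
    Asset("db01", "confidential", connections=8),
    Asset("kiosk03", "public", connections=0),
    Asset("legacy-fax", "non-public", connections=1, in_use=False),
    Asset("hosted-crm", "confidential", connections=3, outsourced=True),
]

FINDINGS = [
    Finding("db01", "Unsupported database version", 9.8, fix_available=True),
    Finding("kiosk03", "Outdated browser plugin", 6.5, fix_available=True),
    Finding("legacy-fax", "Telnet service enabled", 7.5, fix_available=False),
    Finding("hosted-crm", "TLS 1.0 enabled", 5.3, fix_available=False),
]

def cvss_severity(cvss: float) -> str:
    """Qualitative rating bands used by CVSS v3.x."""
    if cvss == 0.0:
        return "none"
    if cvss < 4.0:
        return "low"
    if cvss < 7.0:
        return "medium"
    if cvss < 9.0:
        return "high"
    return "critical"

def risk_score(f: Finding, a: Asset) -> float:
    """Viability (CVSS) weighted by impact: data class and interconnectedness."""
    interconnect = 1.0 + min(a.connections, 10) / 10.0  # 1.0 for an island, 2.0 for a hub
    return round(f.cvss * DATA_WEIGHT[a.data_class] * interconnect, 1)

def decide(f: Finding, a: Asset) -> Tuple[str, str]:
    """Map a finding to one of the four treatments: mitigate, transfer, accept, avoid."""
    if not a.in_use:
        return "avoid", "system is no longer needed: turn it off"
    if a.outsourced:
        return "transfer", "raise with the vendor under the contract"
    if f.fix_available:
        return "mitigate", "apply the patch or configuration change"
    return "accept", "no fix available: document, add a compensating control, re-check next scan"

def triage(findings: List[Finding], assets: List[Asset]) -> List[Dict[str, object]]:
    """Rank findings by risk and attach a treatment decision with its rationale."""
    by_host = {a.host: a for a in assets}
    rows = []
    for f in findings:
        a = by_host[f.host]  # an unknown host is an asset-inventory gap, so KeyError is the right outcome
        action, why = decide(f, a)
        rows.append({"host": f.host, "title": f.title, "severity": cvss_severity(f.cvss),
                     "risk": risk_score(f, a), "action": action, "rationale": why})
    rows.sort(key=lambda r: r["risk"], reverse=True)
    return rows

if __name__ == "__main__":
    for r in triage(FINDINGS, ASSETS):
        print(f'{r["risk"]:5}  {r["severity"]:8}  {r["host"]:11}  {r["action"]:8}  {r["title"]}')
```

The ordering that falls out of the sample is the point of the slide: the high-CVSS Telnet finding on the decommissioned fax box ranks below a medium TLS finding on the vendor-hosted CRM, because the CRM holds confidential data and talks to more systems. Every "accept" row carries a rationale string so the decision is documented rather than silently dropped, which is what auditors will ask for.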
Vulnerability Scanning – Insider Secrets
• Banks need to increase the frequency with which they scan.
• Vulnerability scans are not inherently better or worse than a penetration test; it depends on your objectives. Vendors and Examiners who tell you otherwise are wrong.
• Running a vulnerability scan is very easy. Interpreting the results is difficult the first time and gets easier as you go.
• On-going scanning with external vendors should be pretty damn cheap. In fact, you can do it for free with OpenVAS.
• Credentialed Scans provide a more accurate picture of your vulnerabilities. Attaining a credential isn’t that hard, so providing one does not distort the results.
Penetration Testing – Exploit It
What it do?!
Penetration Testing
Purpose:  Exploit vulnerabilities to circumvent or defeat security
Goal:     Determine what can be accomplished by exploiting those vulnerabilities
Example:  Entering the first available door to search
Focus:    Depth over Breadth
Tactics:  Low and Slow
Tests:    Effectiveness of Vulnerability Management Program; Detective and Reactive Controls
Cadence:  Annually
Penetration Testing
• Pen Tests are one of the fastest maturing areas of information security, even though we don’t fully understand the basics.
• Scope
  • Internal
  • External
• Threat Emulation
  • Blue Team/Red Team/Purple Team
• Knowledge
  • White Box - Full knowledge of Systems – Faster, More Thorough
  • Black Box – No Knowledge – Most accurate threat emulation
• What is an Assumed Breach?
  • Providing credentials
  • Downloading payload
Penetration Test – Insider Secrets
• Using white box testing, dropping defenses or assuming a breach (giving credentials) saves money; it isn’t “cheating”.
• Saves Money!
• The goal is to identify vulnerabilities, not to confirm you’re safe.
• If you want your penetration test to mimic the real world, use social engineering.
• Performing the only vulnerability scan of the year during the pen test is a very bad investment. You should not pay a premium to find low hanging fruit. Scanning beforehand frees Pen Tester time to focus on issues not found by the scanner.
Picking the right Pen Test
• The “right” pen test for your organization should align with objectives.
  • Will and should change from year to year; might mean going “backward”
  • Want to test a newly implemented vLAN? Provide several credentials from multiple segments.
  • Done that for a couple of years? Maybe a black box test is best.
• Scoping
  • Share results and key metrics from vulnerability scans; confirm their test isn’t looking for technical vulnerabilities
  • Talk about the network and any recent changes (local admin, segmentation, user profiles, shares, interconnectedness)
  • Talk about objectives: what do you want to accomplish?
    • Look for architectural and conceptual issues
    • Test detective and reactive controls
    • Affirm segmentation
    • Train staff on indicators of compromise
    • Confirm confidential data is well protected
Vulnerability Management
• Not a project, but a program
• No beginning or end, revolving process
• Meeting regulatory goals
• Defined success factors (number by severity level, number of hosts with vulnerabilities, vulnerability age)
• Measurable – Because we have success factors
• Repeatable – Documented Process
• Involved with other programs (patch management, ticketing, asset management, configuration management)
• Accountability – Historical data to compare performance
• Context, context and more context
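The three success factors named above (count by severity, hosts with vulnerabilities, vulnerability age) and the accountability bullet (historical data to compare performance) only work if each scan's results are kept and compared, not overwritten. This is an added example, not code from the presentation: it holds a constructed three-month scan history for hypothetical hosts, computes the three metrics for any scan date (age is measured from the first scan in which a host/finding pair appeared), and compares two scans to show what was remediated, what is new, and what was carried over. The 30-day threshold and the host and finding names are assumptions.

```python
from collections import Counter
from datetime import date
from typing import Dict, List, Tuple

# Constructed scan history: hypothetical hosts and finding titles, each with the
# severity label the scanner reported. Entries are (host, title, severity).
Findings = List[Tuple[str, str, str]]

SCAN_HISTORY: Dict[date, Findings] = {
    date(2024, 1, 8): [
        ("db01", "Unsupported database version", "critical"),
        ("db01", "TLS 1.0 enabled", "medium"),
        ("fs02", "SMB signing not required", "medium"),
        ("kiosk03", "Outdated browser plugin", "high"),
    ],
    date(2024, 2, 5): [
        ("db01", "TLS 1.0 enabled", "medium"),
        ("fs02", "SMB signing not required", "medium"),
        ("kiosk03", "Outdated browser plugin", "high"),
        ("web01", "Directory listing enabled", "low"),
    ],
    date(2024, 3, 4): [
        ("fs02", "SMB signing not required", "medium"),
        ("web01", "Directory listing enabled", "low"),
    ],
}

def first_seen(history: Dict[date, Findings], up_to: date) -> Dict[Tuple[str, str], date]:
    """Earliest scan (no later than up_to) in which each (host, title) pair appeared."""
    seen: Dict[Tuple[str, str], date] = {}
    for scan_date in sorted(d for d in history if d <= up_to):
        for host, title, _severity in history[scan_date]:
            seen.setdefault((host, title), scan_date)
    return seen

def metrics_for(history: Dict[date, Findings], scan_date: date) -> Dict[str, object]:
    """The slide's success factors for one scan: counts by severity, affected hosts, age."""
    findings = history[scan_date]
    seen = first_seen(history, scan_date)
    ages = [(scan_date - seen[(host, title)]).days for host, title, _ in findings]
    return {
        "by_severity": dict(Counter(sev for _, _, sev in findings)),
        "hosts_with_vulns": len({host for host, _, _ in findings}),
        "oldest_age_days": max(ages, default=0),
        "over_30_days": sum(1 for a in ages if a > 30),  # remediation SLA threshold is an assumption
    }

def compare(history: Dict[date, Findings], earlier: date, later: date) -> Dict[str, int]:
    """Accountability view: what was fixed, what appeared, and how the host count moved.

    A finding that disappears is counted as remediated; before reporting that,
    reconcile the later scan's host list against the asset inventory, because a
    host that simply was not scanned also makes its findings "disappear".
    """
    before = {(h, t) for h, t, _ in history[earlier]}
    after = {(h, t) for h, t, _ in history[later]}
    hosts_before = metrics_for(history, earlier)["hosts_with_vulns"]
    hosts_after = metrics_for(history, later)["hosts_with_vulns"]
    return {
        "remediated": len(before - after),
        "new": len(after - before),
        "carried_over": len(before & after),
        "hosts_delta": int(hosts_after) - int(hosts_before),
    }

if __name__ == "__main__":
    for d in sorted(SCAN_HISTORY):
        print(d, metrics_for(SCAN_HISTORY, d))
    print(compare(SCAN_HISTORY, date(2024, 2, 5), date(2024, 3, 4)))
```

Keying on the (host, title) pair rather than on the scanner's per-run finding id is deliberate: ids change between runs, so age would reset to zero every month and the "vulnerability age" metric would never move.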
Vulnerability Management Best Practices
• Set the foundation: Asset Inventory, Change Management, Access Control
• Run your typical vulnerability assessment process.
• Track your key metrics
• Make risk decisions and document the process
• Repeat to gather all low hanging fruit
• Pen Test to find the issues vulnerability scanners cannot find. This will also then measure
the effectiveness of your vulnerability management process.
• Questions * ††
*there are no stupid questions
†† unless you’re a Packer fan
• Answers (kind of)
Ryan Elmer
relmer@frsecure.com
(952) 451-5081
Risks
• If executives do not understand a project, they will not allocate the time, money or resources needed to make it successful.
• Attackers only need to be right one time, whereas IT needs to be right 100% of the time.
Information Security
Information security is the application of administrative, physical and technical controls used to mitigate risks to the confidentiality, integrity and availability of information.
Administrative: People
Physical: Stuff
Technical: Machines
Confidentiality: Privacy
Integrity: Accuracy
Availability: Accessibility
InfoSec as a House
• Assets with varying value
• Defined Perimeter (outside and inside)
  • Things which have high likelihood of theft or high impact go inside; things which have low probability or low impact go outside.
• Means of ingress/egress (doors, windows)
• Implemented controls
  • Preventative (locks)
  • Detective (alarm systems, dogs)
  • Reactive (law enforcement, guns, maybe your dog, but not mine)
  • Corrective
Risk Management
The forecasting and evaluation of risks together with the identification of procedures to avoid or minimize their impact.
Identification –– Indicator of a major risk –– “Oh My God!”
Articulation –– Specifies the event –– “The Bar’s On Fire”
Ownership –– Party responsible –– “Somebody”
Remediation –– How it’s fixed –– “Save the Beer”
Foundations of vulnerability management
“I cannot secure it if I don’t know that I have it”
• Asset Management
  • Determines what is going to be scanned
  • Defines the priority of the asset (classification of data on it, interconnectedness)
“I cannot secure what I cannot control”
• Access Control
  • A flat network with no access control means that every vulnerability needs to be fixed
• Change Management
  • Tracks deliberate changes to the environment through ticketing and testing
  • Used to detect unauthorized changes
Vulnerability Scans vs. Penetration Tests

                     Vulnerability Scan                              Penetration Test
Purpose              Identify, rank and report vulnerabilities       Exploit vulnerabilities to circumvent or defeat security
Goal                 Determine all vulnerabilities that could be     Determine what can be accomplished by exploiting
                     exploited                                       those vulnerabilities
Real World Example   Checking all exterior and interior doors        Entering the first available door to search
Focus                Breadth over Depth                              Depth over Breadth
Tactics              Loud and Fast                                   Low and Slow
Tests                Preventative controls                           Detective and Reactive controls
Vulnerability Scanner
• Different tools for different purposes
  • Port scanner (Nmap)
  • Network Vulnerability Scanner (Nessus)
  • Web App Security Scanner (Burp Suite, Acunetix)
  • Database Security Scanner
  • Host-based vulnerability scanner (Lynis, Microsoft Baseline Security Analyzer)
  • AIX Security Configuration Scanner
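The port scanner is the first tool in the list, and the Enumeration step earlier in the deck (discover ports and services such as SSH, Telnet, SNMP) is where it is used; the asset management slides add that a complete inventory is what guarantees everything gets scanned. This added example, which is not code from the presentation or from the Nmap project, ties those two together: it parses a constructed sample of Nmap's grepable (-oG) output, reconciles the live hosts it found against an asset inventory to surface hosts nobody knew about (and inventory entries the scan never reached), and lists open legacy services that deserve a remediation ticket. The addresses, hostnames, banners, inventory and the list of legacy services are assumptions made for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in Nmap's grepable (-oG) format: hypothetical addresses,
# hostnames and banners. The real file comes from: nmap -sV -oG scan.gnmap <targets>
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.10.5 (db01.example.internal)\tStatus: Up
Host: 10.0.10.5 (db01.example.internal)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 1433/open/tcp//ms-sql-s//Microsoft SQL Server/\tIgnored State: closed (998)
Host: 10.0.10.9 (fs02.example.internal)\tStatus: Up
Host: 10.0.10.9 (fs02.example.internal)\tPorts: 23/open/tcp//telnet//Linux telnetd/, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
Host: 10.0.10.42 ()\tStatus: Up
Host: 10.0.10.42 ()\tPorts: 161/open/udp//snmp//SNMPv1 server/\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

# The asset inventory for this segment (constructed): what we believe is there.
INVENTORY: Set[str] = {"10.0.10.5", "10.0.10.9"}

# Services the deck names as enumeration targets that should be replaced or
# restricted; which services count as "legacy" is an assumption here.
LEGACY_SERVICES = {"telnet", "snmp"}

# One -oG port entry: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

def parse_gnmap(text: str) -> Dict[str, List[dict]]:
    """Return {ip: [{port, proto, state, service, version}, ...]} from -oG output.

    A host that is up but exposes no ports still appears with an empty list,
    so it is not lost from the inventory reconciliation.
    """
    hosts: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        ip = line.split()[1]
        hosts.setdefault(ip, [])
        if "\tPorts: " not in line:
            continue
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            hosts[ip].append({"port": int(port), "proto": proto, "state": state,
                              "service": service, "version": version})
    return hosts

def unknown_hosts(scan: Dict[str, List[dict]], inventory: Set[str]) -> List[str]:
    """Live hosts the scan found that the asset inventory does not know about."""
    return sorted(set(scan) - inventory)

def unscanned_assets(scan: Dict[str, List[dict]], inventory: Set[str]) -> List[str]:
    """Inventory entries the scan never reached: a coverage gap, not a clean bill."""
    return sorted(inventory - set(scan))

def legacy_exposures(scan: Dict[str, List[dict]]) -> List[Tuple[str, int, str]]:
    """(ip, port, service) for every open legacy service worth a remediation ticket."""
    out = []
    for ip, ports in scan.items():
        for p in ports:
            if p["state"] == "open" and p["service"] in LEGACY_SERVICES:
                out.append((ip, p["port"], p["service"]))
    return out

if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    print("not in inventory:", unknown_hosts(scan, INVENTORY))
    print("not scanned:     ", unscanned_assets(scan, INVENTORY))
    print("legacy services: ", legacy_exposures(scan))
```

The unknown-host list is the output that matters most for the "I cannot secure it if I don't know that I have it" slide: a device answering on the segment that the inventory lacks is an inventory defect to fix before the next scan cycle, and an inventory entry that the scan never reached is a reason to distrust the metrics for that cycle rather than to celebrate a quiet host.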

Mais conteúdo relacionado

Semelhante a threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx

Semelhante a threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx (20)

Cybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchCybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect Match
 
Internal Controls Over Information Systems
Internal Controls Over Information Systems Internal Controls Over Information Systems
Internal Controls Over Information Systems
 
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
 
Is Your Vulnerability Management Program Irrelevant?
Is Your Vulnerability Management Program Irrelevant?Is Your Vulnerability Management Program Irrelevant?
Is Your Vulnerability Management Program Irrelevant?
 
Threat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskThreat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security Risk
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting   itweb workshopSLVA - Security monitoring and reporting   itweb workshop
SLVA - Security monitoring and reporting itweb workshop
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
chap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systemschap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systems
 
Application Assessment Techniques
Application Assessment TechniquesApplication Assessment Techniques
Application Assessment Techniques
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 
Open Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best Practices
 
Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?
 
What your scanner isn't telling you
What your scanner isn't telling youWhat your scanner isn't telling you
What your scanner isn't telling you
 
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...
2020 11-15 marcin ludwiszewski - purple, red, blue  and others - rainbow team...2020 11-15 marcin ludwiszewski - purple, red, blue  and others - rainbow team...
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...
 
USPS CISO Academy - Vulnerability Management
USPS CISO Academy - Vulnerability ManagementUSPS CISO Academy - Vulnerability Management
USPS CISO Academy - Vulnerability Management
 
Threat Modeling - Locking the Door to Vulnerabilities
Threat Modeling - Locking the Door to VulnerabilitiesThreat Modeling - Locking the Door to Vulnerabilities
Threat Modeling - Locking the Door to Vulnerabilities
 
Insider Threats: How to Spot Trouble Quickly with AlienVault USM
Insider Threats: How to Spot Trouble Quickly with AlienVault USMInsider Threats: How to Spot Trouble Quickly with AlienVault USM
Insider Threats: How to Spot Trouble Quickly with AlienVault USM
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 
It security cognic_systems
It security cognic_systemsIt security cognic_systems
It security cognic_systems
 

Mais de ImXaib

ERD introduction in databases model.pptx
ERD introduction in databases model.pptxERD introduction in databases model.pptx
ERD introduction in databases model.pptx
ImXaib
 
SDA presentation the basics of computer science .pptx
SDA presentation the basics of computer science .pptxSDA presentation the basics of computer science .pptx
SDA presentation the basics of computer science .pptx
ImXaib
 
terminal a clear presentation on the topic.pptx
terminal a clear presentation on the topic.pptxterminal a clear presentation on the topic.pptx
terminal a clear presentation on the topic.pptx
ImXaib
 
What is Machine Learning_updated documents.pptx
What is Machine Learning_updated documents.pptxWhat is Machine Learning_updated documents.pptx
What is Machine Learning_updated documents.pptx
ImXaib
 
Grid Computing and it's applications.PPTX
Grid Computing and it's applications.PPTXGrid Computing and it's applications.PPTX
Grid Computing and it's applications.PPTX
ImXaib
 
lecture2.ppt
lecture2.pptlecture2.ppt
lecture2.ppt
ImXaib
 
lec3_10.ppt
lec3_10.pptlec3_10.ppt
lec3_10.ppt
ImXaib
 
Fullandparavirtualization.ppt
Fullandparavirtualization.pptFullandparavirtualization.ppt
Fullandparavirtualization.ppt
ImXaib
 
mis9_ch08_ppt.ppt
mis9_ch08_ppt.pptmis9_ch08_ppt.ppt
mis9_ch08_ppt.ppt
ImXaib
 
rooster-ipsecindepth.ppt
rooster-ipsecindepth.pptrooster-ipsecindepth.ppt
rooster-ipsecindepth.ppt
ImXaib
 
Policy formation and enforcement.ppt
Policy formation and enforcement.pptPolicy formation and enforcement.ppt
Policy formation and enforcement.ppt
ImXaib
 
Database schema architecture.ppt
Database schema architecture.pptDatabase schema architecture.ppt
Database schema architecture.ppt
ImXaib
 
Transport layer security.ppt
Transport layer security.pptTransport layer security.ppt
Transport layer security.ppt
ImXaib
 
Trends in DM.pptx
Trends in DM.pptxTrends in DM.pptx
Trends in DM.pptx
ImXaib
 
AleksandrDoroninSlides.ppt
AleksandrDoroninSlides.pptAleksandrDoroninSlides.ppt
AleksandrDoroninSlides.ppt
ImXaib
 
dm15-visualization-data-mining.ppt
dm15-visualization-data-mining.pptdm15-visualization-data-mining.ppt
dm15-visualization-data-mining.ppt
ImXaib
 

Mais de ImXaib (20)

ERD introduction in databases model.pptx
ERD introduction in databases model.pptxERD introduction in databases model.pptx
ERD introduction in databases model.pptx
 
SDA presentation the basics of computer science .pptx
SDA presentation the basics of computer science .pptxSDA presentation the basics of computer science .pptx
SDA presentation the basics of computer science .pptx
 
terminal a clear presentation on the topic.pptx
terminal a clear presentation on the topic.pptxterminal a clear presentation on the topic.pptx
terminal a clear presentation on the topic.pptx
 
What is Machine Learning_updated documents.pptx
What is Machine Learning_updated documents.pptxWhat is Machine Learning_updated documents.pptx
What is Machine Learning_updated documents.pptx
 
Grid Computing and it's applications.PPTX
Grid Computing and it's applications.PPTXGrid Computing and it's applications.PPTX
Grid Computing and it's applications.PPTX
 
Firewall.pdf
Firewall.pdfFirewall.pdf
Firewall.pdf
 
4966709.ppt
4966709.ppt4966709.ppt
4966709.ppt
 
lecture2.ppt
lecture2.pptlecture2.ppt
lecture2.ppt
 
Tools.pptx
Tools.pptxTools.pptx
Tools.pptx
 
lec3_10.ppt
lec3_10.pptlec3_10.ppt
lec3_10.ppt
 
ch12.ppt
ch12.pptch12.ppt
ch12.ppt
 
Fullandparavirtualization.ppt
Fullandparavirtualization.pptFullandparavirtualization.ppt
Fullandparavirtualization.ppt
 
mis9_ch08_ppt.ppt
mis9_ch08_ppt.pptmis9_ch08_ppt.ppt
mis9_ch08_ppt.ppt
 
rooster-ipsecindepth.ppt
rooster-ipsecindepth.pptrooster-ipsecindepth.ppt
rooster-ipsecindepth.ppt
 
Policy formation and enforcement.ppt
Policy formation and enforcement.pptPolicy formation and enforcement.ppt
Policy formation and enforcement.ppt
 
Database schema architecture.ppt
Database schema architecture.pptDatabase schema architecture.ppt
Database schema architecture.ppt
 
Transport layer security.ppt
Transport layer security.pptTransport layer security.ppt
Transport layer security.ppt
 
Trends in DM.pptx
Trends in DM.pptxTrends in DM.pptx
Trends in DM.pptx
 
AleksandrDoroninSlides.ppt
AleksandrDoroninSlides.pptAleksandrDoroninSlides.ppt
AleksandrDoroninSlides.ppt
 
dm15-visualization-data-mining.ppt
dm15-visualization-data-mining.pptdm15-visualization-data-mining.ppt
dm15-visualization-data-mining.ppt
 

Último

Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Krashi Coaching
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
QucHHunhnh
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
SoniaTolstoy
 

Último (20)

Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writing
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 

threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx

  • 1. powered by Why won’t these damn things just patch themselves?: The Hitchhiker’s Guide to Threat and Vulnerability Management
  • 2. Meet Your Presenter Ryan Elmer • Master of Science, Security Technologies – The University of Minnesota • Published by American Banker, Star Tribune, Bloomberg Business Week • Former faculty member ICBA Community Bank IT Institute • Technology Implementer (The Ohio State University, Total Networx) • Information Security Auditor (RSM McGladrey) FRSecure • Founded in 2008 • HQ in Minnetonka • Sole focus fixing a broken information security industry • Full suite of InfoSec services • Product Agnostic – Your IT guys will love us!
  • 3. • A Threat and Vulnerability Management is one of the most critical elements of an Information Security Program. • Organizations which lack “brilliance in the basics” and will have difficulties implementing an effective vulnerability management program. • Vulnerability Assessments are often confused for Vulnerability Management. This can lead to unmitigated vulnerabilities and increased risk. • Most importantly, it means wasted money. Meet Your Presentation
  • 4.
  • 5. A vulnerability is a system susceptibility or flaw A threat is an attacker who can access the flaw and has the capability to exploit it. A risk is a convergence of a vulnerability and threat that has a defined likelihood and impact. Vulnerability Management is the cyclical practice of identifying, classifying, remediating and mitigating vulnerabilities. Meet Your Definitions
  • 6. An inherent weakness in technology tools resulting from a design flaw. Universal to everyone utilizing that tool. • System and Applications not patched for known security flaws • Hardware, OS, Application, Database, Network Equipment • Web Applications and Web Services • Known security issues, incorrectly coded, unpatched known security flaws • Browser and Plugins • Not up to date, not patched for known security flaws • Application and OS Configs • Never configured, configuration changes Vulnerability - Technical
  • 7. Weaknesses resulting from implementation, configuration and convergence of technological tools. Specific to that organization. • Remote Access (Admin, Terminal Servers) • Lack of Segmentation (Flat Networks) • Weak Passwords • Default Configs (WPAD over LLMNR) • Convergence issues (Auto-Authenticate) Conceptual and Architectural Issues
  • 10. An effective vulnerability management program relies on other mature programs. Foundations of vulnerability management Vulnerability Management Access Control Change Management Asset Management
  • 11. Expectations • Accurate, Reviewed and Reconciled Inventories of Hardware, Software and Data Assets. • Data is categorized as public, non-public and confidential and assets are classified by the types of data which they house. • Extra credit: Data flow diagrams show connections between systems Reasons • A complete list of assets ensures that everything gets scanned • Classified assets allows for more flexibility in accepting risk (depending on data and interconnectedness) Asset Management-- Realistically
  • 12. Expectations • The organization tracks significant changes to technology with tools as complex as a COTS Ticketing System or a spreadsheet. • Minimum Tracking: • Description/Nature of Change • System • Testing/Business Unit Sign-off • Roll-Back Procedures • Approval Reasons • Changes to devices can introduce new vulnerabilities and configuration issues • The testing and roll-back procedures make sure that you don’t wreck your environment. Change Management -- Realistically
  • 13. Expectations • Access control is in place. This includes user, system and service account access. • vLANs and ACLs are in place Reasons • Appropriate security can be placed on segregated systems according to the data which resides on them. • This is always easier to talk about than to actually implement. De-activate service accounts when they are not use, create vLANs to the best of your ability. Pen Test to verify this has been done well. Access Control -- Realistically
  • 14. Patching Vulnerability Scanning Analysis, Decision Making, Mitigation Penetration Testing Vulnerability Management Turning Your Current Program Into Management
  • 16. Vulnerability Scanning Purpose Identify, rank and report technical vulnerabilities Goal Determine all the vulnerabilities that we know can be exploited Example Checking all exterior and interior doors Focus Breadth over Depth Tactics Fast and Loud Tests Preventative Controls Cadence Quarterly, Monthly What it do?!
  • 17. • Enumeration • Discover Ports and Services (SSH, Telnet, SNMP) • Interrogation of Services • Scan • Analyze • Viability of Vulnerability • CVSS • Research • Impact • Data • Connections • Make Risk Determinations • Mitigate (patch, re-config) • Transfer (outsource, insure) • Accept (document, compensate) • Avoid (turn it off) Vulnerability Assessment Process
  • 18. • Banks need to increase the frequency which they scan. • Vulnerability scans are not inherently better or worse than a penetration test, it depends on your objectives. Vendors and Examiners who tell you this are wrong. • Running a vulnerability scan is very easy. Interpreting the results are difficult the first time and get easier as you go. • On-going scanning with external vendors should be pretty damn cheap. In fact, you can do it for free with OpenVAS. • Credentialed Scans provide a more accurate picture of your vulnerabilities. Attaining a credential isn’t that hard, this does not distort the results. Vulnerability Scanning – Insider Secrets
  • 20. Penetration Testing Purpose Exploit vulnerabilities to circumvent or defeat security Goal Determine what can be accomplished exploiting those vulnerabilities Example Entering first available door to search Focus Depth over Breadth Tactics Low and Slow Tests Effectiveness of Vulnerability Management Program; Detective and Reactive Controls Cadence Annually What it do?!
  • 21. • Pen Tests are one of the fastest maturing areas of information security, even though we don’t fully understand the basics. • Scope • Internal • External • Threat Emulation • Blue Team/Red Team/Purple Team • Knowledge • White Box - Full knowledge of Systems – Faster, More Thorough • Black Box – No Knowledge – Most accurate threat emulation • What is an Assumed Breach? • Providing credentials • Downloading payload Penetration Testing
  • 22. Penetration Test – Insider Secrets • Using white box testing, dropping defenses or assuming a breach (giving credentials) save money, they aren’t “cheating” • Saves Money! • Goal is to identify vulnerabilities, not confirm you’re safe. • If you want your penetration test to mimic the real world, use social engineering. • Performing the only vulnerability scan of the year during the pen test is a very bad investment. Should not pay a premium to find low hanging fruit. Frees Pen Tester time to focus on issues not found by scanner.
  • 23. Picking the right Pen Test
  • The “right” pen test for your organization should align with your objectives.
    • It will and should change from year to year, which might mean going “backward”.
    • Want to test a newly implemented VLAN? Provide several credentials from multiple segments.
    • Done that for a couple of years? Maybe a black box test is best.
  • Scoping
    • Share results and key metrics from vulnerability scans; confirm their test isn’t simply looking for technical vulnerabilities.
    • Talk about the network and any recent changes (local admin, segmentation, user profiles, shares, interconnectedness).
    • Talk about objectives: what do you want to accomplish?
      • Look for architectural and conceptual issues
      • Test detective and reactive controls
      • Affirm segmentation
      • Train staff on indicators of compromise
      • Confirm confidential data is well protected
  • 25. Vulnerability Management
  • Not a project, but a program
    • No beginning or end; a revolving process
  • Meeting regulatory goals
  • Defined success factors (number by severity level, number of hosts with vulnerabilities, vulnerability age)
  • Measurable – because we have success factors
  • Repeatable – documented process
  • Involved with other programs (patch management, ticketing, asset management, configuration management)
  • Accountability – historical data to compare performance
  • Context, context and more context
  • 26. Vulnerability Management Best Practices
  • Set the foundation: asset inventory, change management, access control
  • Run your typical vulnerability assessment process
  • Track your key metrics
  • Make risk decisions and document the process
  • Repeat to gather all the low-hanging fruit
  • Pen test to find the issues vulnerability scanners cannot find. This will also measure the effectiveness of your vulnerability management process.
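To make “track your key metrics” concrete, here is an added example (not from the presentation) that computes the success factors named on slide 25 across repeated scans: count by severity, hosts with findings, vulnerability age against a remediation target, and what was fixed or newly appeared between scans. The scan results and the per-severity age targets are constructed assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample results from three scans (not real scanner output);
# keyed by scan date, each finding is (host, title, severity).
SCANS = {
    date(2016, 1, 4): [
        ("db01", "Default database credentials", "Critical"),
        ("web01", "SSLv3 enabled", "Medium"),
        ("fs02", "Unpatched file server OS", "High"),
        ("ws17", "Outdated browser plugin", "High"),
    ],
    date(2016, 2, 1): [
        ("web01", "SSLv3 enabled", "Medium"),
        ("fs02", "Unpatched file server OS", "High"),
        ("ws17", "Outdated office suite", "High"),
    ],
    date(2016, 3, 7): [
        ("fs02", "Unpatched file server OS", "High"),
        ("ws17", "Outdated office suite", "High"),
    ],
}

# Hypothetical remediation targets in days by severity; a program sets its own.
MAX_AGE_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}

def first_seen(scans):
    """Date each (host, title) pair first appeared in any scan."""
    seen = {}
    for day in sorted(scans):
        for host, title, _sev in scans[day]:
            seen.setdefault((host, title), day)
    return seen

def metrics(scans, as_of):
    """Success factors for the scan on `as_of`, including overdue findings."""
    seen = first_seen(scans)
    current = scans[as_of]
    ages = {(h, t): (as_of - seen[(h, t)]).days for h, t, _s in current}
    overdue = [(h, t, s, ages[(h, t)]) for h, t, s in current
               if ages[(h, t)] > MAX_AGE_DAYS[s]]
    return {"by_severity": dict(Counter(s for _h, _t, s in current)),
            "hosts_with_findings": len({h for h, _t, _s in current}),
            "overdue": overdue}

def delta(scans, previous, current):
    """What changed between two scans: findings fixed and newly appeared."""
    before = {(h, t) for h, t, _s in scans[previous]}
    after = {(h, t) for h, t, _s in scans[current]}
    return {"fixed": sorted(before - after), "new": sorted(after - before)}
```

Vulnerability age is measured from the first scan in which a finding appeared, so a finding that persists across scans keeps aging until it is actually remediated.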
  • 27. Questions* ††
  * there are no stupid questions
  †† unless you’re a Packer fan
  • Answers (kind of)
  Ryan Elmer
  relmer@frsecure.com
  (952) 451-5081
  • 28. Risks
  • If executives do not understand a project, they will not allocate the time, money or resources needed to make it successful.
  • Attackers only need to be right one time, whereas IT needs to be right 100% of the time.
  • 29. Information Security
  Information security is the application of administrative, physical and technical controls used to mitigate risks to the confidentiality, integrity and availability of information.
  • Administrative – People
  • Physical – Stuff
  • Technical – Machines
  • Confidentiality – Privacy
  • Integrity – Accuracy
  • Availability – Accessibility
  • 30. InfoSec as a House
  • Assets with varying value
  • Defined perimeter (outside and inside)
    • Things which have a high likelihood of theft or high impact go inside; things which have a low probability or low impact go outside.
  • Means of ingress/egress (doors, windows)
  • Implemented controls
    • Preventative (locks)
    • Detective (alarm systems, dogs)
    • Reactive (law enforcement, guns, maybe your dog, but not mine)
    • Corrective
  • 31. Risk Management
  The forecasting and evaluation of risks together with the identification of procedures to avoid or minimize their impact.
  Identification – Indicator of a major risk – “Oh My God!”
  Articulation – Specifies the event – “The Bar’s On Fire”
  Ownership – Party responsible – “Somebody”
  Remediation – How it’s fixed – “Save the Beer”
  • 32. Foundations of vulnerability management
  “I cannot secure it if I don’t know that I have it”
  • Asset Management
    • Determines what is going to be scanned
    • Defines the priority of the asset (classification of data on it, interconnectedness)
  “I cannot secure what I cannot control”
  • Access Control
    • A flat network with no access control means that every vulnerability needs to be fixed
  • Change Management
    • Tracks deliberate changes to the environment through ticketing and testing
    • Used to detect unauthorized changes
  • 33. Vulnerability Scans vs. Penetration Tests
                      Vulnerability Scan                                   Penetration Test
  Purpose             Identify, rank and report vulnerabilities            Exploit vulnerabilities to circumvent or defeat security
  Goal                Determine all vulnerabilities that could be exploited  Determine what can be accomplished exploiting those vulnerabilities
  Real World Example  Checking all exterior and interior doors             Entering first available door to search
  Focus               Breadth over Depth                                   Depth over Breadth
  Tactics             Loud and Fast                                        Low and Slow
  Tests               Preventative controls                                Detective and Reactive controls
  • 34. Vulnerability Scanner
  • Different tools for different purposes
    • Port scanner (Nmap)
    • Network vulnerability scanner (Nessus)
    • Web app security scanner (Burp Suite, Acunetix)
    • Database security scanner
    • Host-based vulnerability scanner (Lynis, Microsoft Baseline Security Analyzer)
    • AIX security configuration scanner

Editor’s Notes

  1. I know I set that up as pretty scary, but don’t panic. This is the hitchhiker’s guide to vulnerability management
  2. Before I get into vulnerability management, I need to define what a vulnerability is.
  3. Humans have a myriad of vulnerabilities. We can be tricked into doing things, we can be coerced by threat or force, and we also just generally do dumb shit. Humans are the single greatest weakness to your organization. Training and Awareness is the only thing that fixes this. I’ve left this out because it’s a completely different conversation, but it needs to be understood.
  4. Vulnerability Assessment: running a vulnerability scan as a project (it has a beginning, middle and end); no measurement of long-term success; occurs once a year, maybe twice. Vulnerability Management: building a program; meeting regulatory goals; defined success factors (number by severity level, number of hosts, vulnerability age); measurable; repeatable; involved with other programs (patch management, ticketing, asset management, configuration management); accountability – there are long-term measurements of success and historical information. This should be accurate to the point where we can identify when you went on vacation for a month. ’Cause that happens, right? You all have houses on the Mexican Riviera? The process to find, rate, and remediate isn’t just about the technical vulnerabilities found in scans; it’s about analyzing your process. You can talk with your peers; hopefully your auditor can shed some light on it. Context is the ability to surround a vulnerability with information which accurately describes the true reality. If you have
  5. My point is that there are going to be a lot of sexy-sounding pen tests that people are going to try to sell you. They are going to sound awesome. But you might not be ready for them.