2. AGENDA
Intro to Vulnerability Management
• Learning Objectives
Live Threat Demonstration
• Penetration Testing Demonstration
Vulnerability Management Overview
• Definitions
• Lifecycle
• Vulnerabilities across USPS networks
Vulnerability Scanning
• Overview: Current and Future States
• Remediation Prioritization
Penetration Testing
• Definition & Example
• Process & Benefits
• Pen Testing Exercise
Remediation Management
• Overview & Goals
• Key Stakeholders
• Process
• Case Study
• Application Code Scanning
• Scanning Exercise
• Validation/Remediation
3. What You’ll Learn
Learning Objectives
• Types of Vulnerabilities
• Vulnerability Assessments
• Vulnerability vs. Risk
• Vulnerability Lifecycle: Discover, Prioritize, Assess, Notify, Validate, Remediate
4. Vulnerability Management
Image Source: planetminecraft.com
Castle diagram labels: First Layer of Defense: Perimeter; Second Layer of Defense; Breach occurred because fortifications around the water supply were not strong enough; Personally Identifiable Information (PII); Threat.
Defense in depth (known as the Castle Approach) is an information assurance (IA) concept in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system.
Vulnerability Management ensures the layers of defense are reviewed for strength and are updated or improved as necessary.
9. Vulnerability Management LifeCycle
Vulnerability Management is the "cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating" information system vulnerabilities
...not to be confused with...
Patch Management is a strategy for managing patches or upgrades for software applications and technologies.
Lifecycle diagram (the same six phases are repeated on each of the following slides):
• Discover vulnerabilities on all assets across the USPS enterprise
• Prioritize vulnerabilities of USPS critical assets
• Assess the impact of the vulnerabilities across USPS
• Notify system owners of the vulnerabilities and the need to remediate
• Remediate: support and track the remediation of the vulnerabilities
• Validate the vulnerabilities were correctly remediated
10. Discover Vulnerabilities
Discover Vulnerabilities on all Assets Across the USPS Enterprise
What is a Vulnerability Assessment? A vulnerability assessment is a process of defining, identifying, and classifying the security vulnerabilities in information technology systems.
Sources for Vulnerabilities:
• Common Vulnerabilities and Exposures (CVE®) is a list of common identifiers for publicly known cybersecurity vulnerabilities. (https://cve.mitre.org/)
• National Vulnerability Database (NVD) houses the U.S. government repository of standards-based vulnerability management data. (https://nvd.nist.gov/)
11. Discover Vulnerabilities
Discover Vulnerabilities on all Assets Across the USPS Enterprise
Methods of Discovering Vulnerabilities
Vulnerability Scanning is a technique used to identify weaknesses in assets and is based on the CVEs.
Compliance Scanning (or Compliance Check) focuses on the configuration settings (or security hardening) applied to a system. In short, compliance scans assess adherence to a specific compliance framework.
12. Application Code Scanning
Discover Vulnerabilities on all Assets Across the USPS Enterprise
Methods of Discovering Vulnerabilities
Application Code Review is the manual process of auditing the source code of an application to verify security controls are in place.
Application Code Scanning:
• SAST – Static Application Security Testing is an automated process of auditing source code.
• DAST – Dynamic Application Security Testing is an automated process of scanning applications to find run-time errors.
• IAST – Interactive Application Security Testing combines the features of SAST and DAST. It places an agent within the application and performs analysis in real time.
• RASP – Run-time Application Security is plugged into the application or production environment and can control the application execution.
13. Discovering Vulnerabilities
Discover Vulnerabilities on all Assets Across the USPS Enterprise
Penetration tests are simulated cyberattacks performed in a controlled environment and used to assess the Postal Service’s ability to protect against internal and external vulnerabilities.
Application Penetration Testing uses hacker-like methods to identify vulnerabilities, especially in externally facing applications. Objective: to fully exercise all aspects of the application’s capabilities to identify vulnerabilities.
Network / Infrastructure Pen Testing investigates different attack paths used to gain access to systems and resources. Objective: discover attack paths and establish a foothold in the environment to access sensitive data.
Red Team Exercises: the Red Team tests CSOC’s ability to identify, respond to, and defend against a real-world cyber attack. The Blue Team defends against the attack.
Rules of Engagement (ROE): the ROE documents penetration testing team members, system owners, test schedule, targets, testing methods, and network authorization.
14. Prioritizing Vulnerabilities
Prioritize Vulnerabilities of USPS Critical Assets
Prioritized assets by USPS criticality:
• USPS Perimeter
• USPS Critical Sites (defined by the U.S. Postal Inspection Service)
• PCI Environment (Payment Card Industry (PCI), https://www.pcisecuritystandards.org/pci_security/)
• Tier 0
Rating vulnerabilities through the Common Vulnerability Scoring System (CVSS):
• CVSS captures the principal technical characteristics of software, hardware, and firmware vulnerabilities.
• CVSS provides numerical scores indicating the severity of a vulnerability relative to other vulnerabilities.
• https://www.first.org/cvss/specification-document
CVSS 3.1 Scoring
Severity   Base Score Range
None       0.0
Low        0.1-3.9
Medium     4.0-6.9
High       7.0-8.9
Critical   9.0-10.0
15. USPS Priority Prioritization
USPS Vulnerability Priority Calculator
Scoring Rubric criteria (each with its point scale in the calculator below):
• Number of vulnerabilities discovered (Span)
• Severity rating for the findings
• Status of exploit publication
• Asset criticality within BIA
• Data sensitivity within BIA
• Exposure to external stakeholders
• Total priority score for campaign
The campaign priority calculator considers multiple factors when prioritizing remediation campaigns, as shown in the calculator below.

Span              Severity     Exploit Published       Critical Asset   Sensitive Info   Exposure         Score
>10,000       5   Critical 5   Exploit published  5    Yes 5            Yes 5            External    5    Critical  >20
5,000-10,000  4   High     4   Mix                3    Mix 3            Mix 3            Compliance  3    High      11-20
1,000-5,000   3   Medium   3   No                 1    No  1            No  1            Internal    2    Medium    6-10
100-1,000     2   Low      2                                                                               Low       <5
<100          1

Real-World Example:
Vulnerability   Span   Severity   Exploit Published   Critical Asset   Sensitive Info   Exposure   Score
WebSphere       5      3          3                   3                3                3          High 20
iTunes          5      5          5                   3                3                2          Critical 23
XML             5      4          5                   3                3                2          Critical 22
WinZip          5      5          1                   1                1                2          High 15
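The calculator above, implemented as an added example (not USPS code or the deck’s own calculator): it assigns the rubric points for each of the six criteria, sums them, maps the total to the campaign priority bands, and also maps a CVSS 3.1 base score to the severity rating the rubric expects, using the bands from the CVSS slide. Assumed: a span boundary that the slide lists in two bands (e.g. exactly 5,000 assets) goes to the higher band.

```python
# Campaign priority calculator reconstructed from the slide's scoring rubric.
# Added example, not USPS code. Assumption: a span boundary that the slide lists
# in two bands (e.g. 5,000 or 10,000 assets) is given to the higher band.

def span_points(assets: int) -> int:
    """'Span' criterion: number of affected assets in the campaign -> 1..5."""
    if assets > 10_000:
        return 5
    if assets >= 5_000:
        return 4
    if assets >= 1_000:
        return 3
    if assets >= 100:
        return 2
    return 1

def cvss_severity(base_score: float) -> str:
    """CVSS 3.1 qualitative rating, using the base score bands from the CVSS slide."""
    if base_score == 0.0:
        return "None"
    if base_score < 4.0:
        return "Low"
    if base_score < 7.0:
        return "Medium"
    if base_score < 9.0:
        return "High"
    return "Critical"

SEVERITY_POINTS = {"Critical": 5, "High": 4, "Medium": 3, "Low": 2}
# The same yes/mix/no scale is used for exploit published, critical asset and sensitive info.
YES_MIX_NO_POINTS = {"yes": 5, "mix": 3, "no": 1}
EXPOSURE_POINTS = {"external": 5, "compliance": 3, "internal": 2}

def campaign_score(assets, severity, exploit, critical_asset, sensitive, exposure) -> int:
    """Sum the six rubric criteria into the campaign's total priority score."""
    return (span_points(assets) + SEVERITY_POINTS[severity]
            + YES_MIX_NO_POINTS[exploit] + YES_MIX_NO_POINTS[critical_asset]
            + YES_MIX_NO_POINTS[sensitive] + EXPOSURE_POINTS[exposure])

def priority_band(score: int) -> str:
    """Map the total score to the slide's campaign priority bands."""
    if score > 20:
        return "Critical"
    if score >= 11:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"   # slide: <5; unreachable, since the smallest possible total is 8
```

Note that with the point values on the slide the smallest possible total is 1+2+1+1+1+2 = 8, so every campaign lands in Medium or above and the Low band is never reached.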
16. Assess Vulnerabilities
Assess the Impact of the Vulnerabilities Across USPS
• Determine how many USPS assets are impacted by the vulnerability
• Determine criticality of vulnerabilities
• Determine if vulnerabilities warrant a risk
• Verify system owner
Cyber Risk Management Process diagram (five steps): Identify, Analyze, Address, Monitor, Report
18. Notify System Owners
Notify System Owners of the Vulnerabilities and the Need to Remediate
Contact the system owners to take action on the vulnerabilities. Communicate the:
• Vulnerabilities
• Criticality
• Remediation timeline
• Recommended solutions
Binding Operational Directive (BOD) 19-02, Vulnerability Remediation Requirements for Internet-Accessible Systems, requires critical and high vulnerabilities to be remediated as follows:
• Critical – within 15 calendar days of initial detection
• High – within 30 calendar days of initial detection
19. Remediate Vulnerabilities
Support and Track the Remediation of the Vulnerabilities
System owner must:
• Remediate within the timeframe associated with the criticality of the vulnerability, or
• Accept the risk to the USPS enterprise with an authorized Risk Acceptance Letter (RAL)
20. Validate Vulnerabilities
Validate the vulnerabilities were correctly remediated
Once the vulnerabilities are remediated, the modification to the system is validated through the same mechanism by which the vulnerabilities were found:
• Vulnerability scanning
• Compliance scanning
• Application code reviews
• Application code scanning
• Penetration testing
Notice how the process starts all over again.
22. VMA Organization Chart
Vulnerability Management Organization (org chart):
Cybersecurity Risk Management
Vulnerability Management & Assessments (VMA)
Chris Nielsen, (A) Manager
Brandon Paulson, Manager
Penetration Testing (PEN): Eric Utley, Manager
Remediation Management (RMT): TBD, Manager
Automated Vulnerability Assessments (AVA): Eric Utley, (A) Manager
Risk Remediation: Mark Rinas, Manager
Program Overarching Goal: Continuously identify and analyze USPS technology asset vulnerabilities, prioritize and manage remediation efforts, and report cyber risks.
23. VMA Mission and Vision
Mission: The Vulnerability Management & Assessment (VMA) program expeditiously identifies, assesses, and reports USPS enterprise vulnerabilities. Additionally, VMA monitors and tracks the remediation of vulnerabilities to closure or risk acceptance.
Vision: Protect the USPS mission by implementing an enterprise cybersecurity assessment strategy, employing a repeatable, measurable, and automated vulnerability management and assessment process across the enterprise.
Securing USPS through Vulnerability Elimination (diagram): VMA & Risk Remediation, built on Vulnerability Scanning, Security Control Assessments, Applications Security Assessments, and Penetration Testing.
24. Internal & External Stakeholders
Key Stakeholders
Engineering: Provides services to support scanning and remediate vulnerabilities that are identified by the AVA team, including the Mail Processing Environment (MPE) in the future.
Cyber Risk Management: Manages risks identified through vulnerability scanning.
Information Technology (IT): Provides services to support scanning activities and remediate vulnerabilities that are identified by the Automated Vulnerability Assessment team (AVA).
Certification and Accreditation (C&A): Reviews the identified vulnerabilities for each of the USPS systems and monitors the remediation of the vulnerabilities to determine the risk of the system to the Postal Service.
Department of Homeland Security (DHS): Agreements are in place to conduct scanning across USPS perimeter networks.
Mail Entry & Payment Technologies (MEPT): Provides services to support scanning and remediate vulnerabilities that are identified by the AVA team.
26. AVA Overview
Automated Vulnerability Assessments (AVA) is responsible for configuring, conducting, and reporting vulnerability scans that search USPS systems, networks, and applications for potential weaknesses according to AS-805 policy.
Scanning Across the USPS Enterprise (diagram):
• Scanned environments: Blue Network, PCI Environment, MPE / MHE, Tier 0, each covering Servers, Workstations & Laptops, and Infrastructure
• Tenable Scan & Log data; User Dashboards
• Asset Management Systems: Enterprise Information Repository (EIR, future), Asset Inventory Management System (AIMS), IP Asset Management (IPAM), Advanced CMDB Reporting System (ACRS)
28. Remediation Management (RMT) Overview
The Cyber Risk Remediation and Response Management Instruction (MI) gives the CISO the authority to pursue remediation activities and prioritize the patching of information systems across the enterprise. Remediation activities are continuous and range from the time risks are identified through the period they are mitigated.
RMT is responsible for:
• Continually analyzing risks and vulnerabilities
• Prioritizing vulnerabilities and initiating remediation campaigns
• Tracking completion of required remediation activities
• Evaluating campaign effectiveness
Remediation Management Process:
Step 1: Collect & prioritize vulnerabilities
Step 2: Create remediation campaign
Step 3: Issue a request for action
Step 4: Communicate remediation campaign
Step 5: Track remediation activities
Step 6: Evaluate remediation effectiveness
The remediation management process begins with the collection and prioritization of vulnerabilities and ends with evaluation of the implemented remediation solution. Refer to the Appendix for a detailed process flow of remediation management.
29. RMT Accomplishments
Completed Campaigns
Campaign | Start Date | End Date | Vulnerabilities Eliminated | Comment
Flash | 02/2017 | 07/2017 | ~1,000,000 | Some versions were more than six years old, presenting multiple vulnerabilities within a single system.
HP Management Homepage | 04/2017 | 08/2017 | 687 | Exploitation would have allowed unauthorized access to several critical systems.
WannaCry | 05/2017 | 06/2017 | ~250,000 | Work began in late April after the Shadow Brokers release.
Shadow Brokers | 05/2017 | 07/2017 | ~165,000 | WannaCry was separated from this effort on 05/12/17 with the ransomware announcement but continued during the WannaCry remediation effort.
Petya | 06/2017 | 07/2017 | 63,000 | Most of the threat was eliminated during the WannaCry remediation effort. This campaign covered an additional vulnerability.
Struts | 07/2017 | 08/2017 | 2,400 | This campaign was a rapid remediation effort to address the Struts vulnerability.
31. Penetration Testing (PEN) Overview
The AS 805 and the Cyber Risk Penetration Testing and Remediation Management Instruction (MI) give the CISO the authority to discover vulnerabilities on USPS systems through penetration testing and to pursue remediation of the associated findings across the enterprise.
PEN is responsible for:
• Continuous vulnerability identification activities
• Reporting findings to stakeholders
• Supporting validation of vulnerability remediation
Penetration Testing Process: Step 1: Information Gathering; Step 2: Vulnerability Scanning and Analysis; Step 3: Exploitation; Step 4: Post-Exploitation; Step 5: Reporting
32. PEN: Organizational Benefits
The penetration testing process contributes to the Postal Service’s ability to reduce enterprise-wide risk exposure by:
• Enabling stakeholders and leadership to make effective risk-based decisions regarding vulnerability remediation and day-to-day operations of information systems
• Determining real-world impact to the Postal Service’s resources, reputation, and users by emulating techniques, tactics, and procedures used by our adversaries
• Actively exploiting vulnerabilities across the enterprise to better quantify risks to the organization
USPS PMG Strategic Focus Areas: Deliver World-Class Customer Experience; Equip, Empower, & Engage Employees; Innovate to Deliver Value; Invest in Our Future
33. Penetration Testing Process
Step 1: Information Gathering. Conduct a scoping study to collect information about the system undergoing testing and develop ROE to establish guidelines for the penetration assessment.
Step 2: Vulnerability Scanning & Analysis. Discover known and unknown hosts or assets, and detect potential vulnerabilities for mapping attack vectors.
Step 3: Exploitation. Attempt to exploit potential vulnerabilities and gain access to assets, escalate privileges, and move throughout the network.
Step 4: Post-Exploitation. Attempt to escalate privileges, move through the network, and compromise additional in-scope targets. Restore system configuration changes and remove testing artifacts.
Step 5: Reporting. Create a comprehensive report for the system owner that outlines the vulnerabilities discovered and their priority along with remediation recommendations.
36. Organizational Benefits
Pillars of Vulnerability Management
• Identifies cyber risks across the enterprise to facilitate business operations consistent with the Postal Service’s cybersecurity posture
• Communicates identified cyber risks and educates appropriate stakeholders to support deliberate risk-based decisions
• Increases the visibility of the risk profile of critical systems and sites, such as those in PCI, Perimeter, Tier 0 and MPE sites
• Fosters an enterprise-wide culture focused on cybersecurity by empowering individuals and teams to protect USPS technology assets
37. Course Assessment and Survey
Survey: Please fill out the survey to provide your opinion on:
• Your instructor
• The facility
• The course content
Quiz: There is a 10-question quiz:
• You must achieve a score of 70%
Complete the survey and quiz to get credit for this course.
Contains Sensitive USPS Information