Vulnerability Management
AGENDA
Intro to Vulnerability Management
• Learning Objectives
Live Threat Demonstration
• Penetration Testing Demonstration
Vulnerability Management Overview
• Definitions
• Lifecycle
• Vulnerabilities across USPS networks
Vulnerability Scanning
• Overview: Current and Future States
• Remediation Prioritization
Penetration Testing
• Definition & Example
• Process & Benefits
• Pen Testing Exercise
Remediation Management
• Overview & Goals
• Key Stakeholders
• Process
• Case Study
• Application Code Scanning
• Scanning Exercise
• Validation/Remediation
What You’ll Learn
Learning Objectives:
• Types of Vulnerabilities
• Vulnerability Assessments
• Vulnerability vs. Risk
• Vulnerability Lifecycle: Discover, Prioritize, Assess, Notify, Validate, Remediate
Vulnerability Management
[Figure: castle illustration (Image Source: planetminecraft.com) with five numbered callouts]
1. Threat
2. First Layer of Defense: Perimeter
3. Second Layer of Defense
4. Breach occurred because fortifications around the water supply were not strong enough
5. Personally Identifiable Information (PII)
Defense in depth (known as the Castle Approach) is an information assurance (IA) concept in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system.
Vulnerability Management ensures the layers of defense are reviewed for strength and are updated or improved as necessary.
Live Demonstration: Penetration Testing
How Secure is USPS? Live Threat Demonstration
Vulnerability Management Overview
Vulnerability Foundations
What is a Vulnerability? A vulnerability is a weakness in the computational logic (e.g., code)
found in software and some hardware components (e.g., firmware) that, when exploited, results
in a negative impact to confidentiality, integrity, or availability. (Copyright © 1999–2019, The MITRE Corporation.)
What is an Exposure?
An exposure is a system configuration issue or a mistake in software that allows access to
information or capabilities that can be used by a hacker as a stepping-stone into a system or
network. (Copyright © 1999–2019, The MITRE Corporation.)
What is a Cybersecurity Threat?
A threat refers to anything that has the potential to cause serious harm to a computer system.
A threat is something that may or may not happen, but has the potential to cause serious
damage. Threats can lead to attacks on computer systems, networks, and more.
How does Risk fit into the Picture?
Risk is the potential for loss, damage, or destruction of USPS assets and intellectual property — specifically PII — as a result of a threat exploiting a vulnerability.
Vulnerability Management Lifecycle
Vulnerability Management is the "cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating" information system vulnerabilities
...not to be confused with...
Patch Management, which is a strategy for managing patches or upgrades for software applications and technologies.
Lifecycle phases (Discover, Prioritize, Assess, Notify, Remediate, Validate):
• Discover vulnerabilities on all assets across the USPS enterprise
• Prioritize vulnerabilities of USPS critical assets
• Assess the impact of the vulnerabilities across USPS
• Notify system owners of the vulnerabilities and the need to remediate
• Support and track the Remediation of the vulnerabilities
• Validate the vulnerabilities were correctly remediated
Discover Vulnerabilities
Discover Vulnerabilities on all Assets Across the USPS Enterprise
Sources for Vulnerabilities:
• Common Vulnerabilities and Exposures (CVE®) is a list of common identifiers for publicly known cybersecurity vulnerabilities. (https://cve.mitre.org/)
• National Vulnerability Database (NVD) houses the U.S. government repository of standards-based vulnerability management data. (https://nvd.nist.gov/)
What is a Vulnerability Assessment? A vulnerability assessment is a process of defining, identifying, and classifying the security vulnerabilities in information technology systems.
Methods of Discovering Vulnerabilities: Scanning
Discover Vulnerabilities on all Assets Across the USPS Enterprise
• Vulnerability Scanning is a technique used to identify weaknesses in assets and is based on the CVEs.
• Compliance Scanning (or Compliance Check) focuses on the configuration settings (or security hardening) being applied to a system. In short, compliance scans assess adherence to a specific compliance framework.
Methods of Discovering Vulnerabilities: Application Code Scanning
Discover Vulnerabilities on all Assets Across the USPS Enterprise
Application Code Review is the manual process of auditing the source code of an application to verify security controls are in place.
Application Code Scanning:
• SAST – Static Application Security Testing is an automated process of auditing source code.
• DAST – Dynamic Application Security Testing is an automated process of scanning applications to find run-time errors.
• IAST – Interactive Application Security Testing combines the features of SAST and DAST. It places an agent within the application and performs analysis in real time.
• RASP – Runtime Application Self-Protection is plugged into the application or production environment and can control the application’s execution.
Methods of Discovering Vulnerabilities: Penetration Testing and Red Team Exercises
Discover Vulnerabilities on all Assets Across the USPS Enterprise
Penetration tests are simulated cyberattacks performed in a controlled environment and used to assess the Postal Service’s ability to protect against internal and external vulnerabilities.
• Application Penetration Testing uses hacker-like methods to identify vulnerabilities, especially in externally facing applications. Objective: To fully exercise all aspects of the application capabilities to identify vulnerabilities.
• Network / Infrastructure Penetration Testing investigates different attack paths used to gain access to systems and resources. Objective: Discover attack paths and establish a foothold in the environment to access sensitive data.
Rules of Engagement (ROE): The ROE documents penetration testing team members, system owners, test schedule, targets, testing methods, and network authorization.
Red Team Exercises:
• Red Team tests CSOC’s ability to identify, respond to, and defend against a real-world cyber attack.
• Blue Team defends against the attack.
Prioritizing Vulnerabilities
Prioritize Vulnerabilities of USPS Critical Assets
Prioritized assets by USPS criticality:
• USPS Perimeter
• USPS Critical Sites (defined by the U.S. Postal Inspection Service)
• PCI Environment – Payment Card Industry (PCI), https://www.pcisecuritystandards.org/pci_security/
• Tier 0
Rating vulnerabilities through the Common Vulnerability Scoring System (CVSS):
• CVSS captures the principal technical characteristics of software, hardware, and firmware vulnerabilities.
• CVSS provides numerical scores indicating the severity of a vulnerability relative to other vulnerabilities.
• https://www.first.org/cvss/specification-document
CVSS 3.1 Scoring
Severity    Base Score Range
None        0.0
Low         0.1-3.9
Medium      4.0-6.9
High        7.0-8.9
Critical    9.0-10.0
USPS Priority Prioritization
USPS Vulnerability Priority Calculator
The campaign priority calculator considers multiple factors when prioritizing remediation campaigns, as shown in the calculator below.
Scoring Rubric criteria and scale:
• Span – number of vulnerabilities discovered
• Severity – severity rating for the findings
• Exploit Published – status of exploit publication
• Critical Asset – asset criticality within BIA
• Sensitive Info – data sensitivity within BIA
• Exposure – exposure to external stakeholders
• Score – total priority score for the campaign
Span               Severity      Exploit Published      Critical Asset   Sensitive Info   Exposure        Score
>10,000       5    Critical  5   Exploit published  5   Yes  5           Yes  5           External    5   Critical  >20
5,000-10,000  4    High      4   Mix                3   Mix  3           Mix  3           Compliance  3   High      11-20
1,000-5,000   3    Medium    3   No                 1   No   1           No   1           Internal    2   Medium    6-10
100-1,000     2    Low       2                                                                            Low       <5
<100          1
Real-World Example:
Vulnerability   Span   Severity   Exploit Published   Critical Asset   Sensitive Info   Exposure   Priority   Score
WebSphere       5      3          3                   3                3                3          High       20
iTunes          5      5          5                   3                3                2          Critical   23
XML             5      4          5                   3                3                2          Critical   22
WinZip          5      5          1                   1                1                2          High       15
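The rubric and the four example rows can be checked mechanically. The Python script below is an added worked example, not USPS code and not part of the original deck: it transcribes the point values and score bands from the rubric table, scores constructed findings whose category labels and vulnerability counts are chosen to reproduce the slide's four example rows, and ranks them for campaign ordering. How shared band boundaries are scored (exactly 1,000 or 5,000 vulnerabilities, which appear in two rows of the table) is an assumption, since the table does not say which band wins.

```python
"""Campaign priority calculator, an added worked example of the scoring rubric.

Not USPS code: the point values and score bands are transcribed from the rubric
table; the four findings at the bottom are constructed so that they reproduce
the slide's real-world example rows.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Points per criterion, transcribed from the rubric table.
SEVERITY_POINTS = {"Critical": 5, "High": 4, "Medium": 3, "Low": 2}
EXPLOIT_POINTS = {"Exploit published": 5, "Mix": 3, "No": 1}
CRITICAL_ASSET_POINTS = {"Yes": 5, "Mix": 3, "No": 1}
SENSITIVE_INFO_POINTS = {"Yes": 5, "Mix": 3, "No": 1}
EXPOSURE_POINTS = {"External": 5, "Compliance": 3, "Internal": 2}


def span_points(vuln_count: int) -> int:
    """Points for the number of vulnerabilities discovered (the "Span" column).
    Assumption: the slide's bands share their end points (1,000 is in both
    "1,000-5,000" and "100-1,000"), so a shared boundary is scored in the
    higher band here; ">10,000" is read strictly, so exactly 10,000 scores 4."""
    if vuln_count < 0:
        raise ValueError("vulnerability count cannot be negative")
    if vuln_count > 10_000:
        return 5
    if vuln_count >= 5_000:
        return 4
    if vuln_count >= 1_000:
        return 3
    if vuln_count >= 100:
        return 2
    return 1


def priority_band(total: int) -> str:
    """Translate a total score into the slide's priority bands.
    The lowest total the rubric can produce is 1+2+1+1+1+2 = 8, so the
    "Low (<5)" band is never reached in practice; it is kept for completeness."""
    if total > 20:
        return "Critical"
    if total >= 11:
        return "High"
    if total >= 6:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Finding:
    """One vulnerability (or product) being considered for a remediation campaign."""
    name: str
    vuln_count: int       # number of vulnerable instances discovered
    severity: str         # key of SEVERITY_POINTS
    exploit: str          # key of EXPLOIT_POINTS
    critical_asset: str   # key of CRITICAL_ASSET_POINTS (asset criticality within BIA)
    sensitive_info: str   # key of SENSITIVE_INFO_POINTS (data sensitivity within BIA)
    exposure: str         # key of EXPOSURE_POINTS


def score_finding(f: Finding) -> Tuple[int, str]:
    """Sum the six criteria and return (total score, priority band)."""
    total = (
        span_points(f.vuln_count)
        + SEVERITY_POINTS[f.severity]
        + EXPLOIT_POINTS[f.exploit]
        + CRITICAL_ASSET_POINTS[f.critical_asset]
        + SENSITIVE_INFO_POINTS[f.sensitive_info]
        + EXPOSURE_POINTS[f.exposure]
    )
    return total, priority_band(total)


def rank_campaigns(findings: List[Finding]) -> List[Tuple[str, int, str]]:
    """Order candidate campaigns by total score, highest first (ties keep input order)."""
    scored = [(f.name, *score_finding(f)) for f in findings]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed inputs chosen to reproduce the slide's four example rows
# (WebSphere 20/High, iTunes 23/Critical, XML 22/Critical, WinZip 15/High).
EXAMPLE_FINDINGS = [
    Finding("WebSphere", 12_000, "Medium", "Mix", "Mix", "Mix", "Compliance"),
    Finding("iTunes", 12_000, "Critical", "Exploit published", "Mix", "Mix", "Internal"),
    Finding("XML", 12_000, "High", "Exploit published", "Mix", "Mix", "Internal"),
    Finding("WinZip", 12_000, "Critical", "No", "No", "No", "Internal"),
]

if __name__ == "__main__":
    for name, total, band in rank_campaigns(EXAMPLE_FINDINGS):
        print(f"{name:<10} {total:>3}  {band}")
```

Two properties of the rubric surface once it is written down: the six criteria cannot total less than 8, so the Low band is unreachable, and a total of exactly 5 falls in no band at all; the script resolves both by treating anything below 6 as Low. Ranking by total also shows why exploit publication matters so much here: it is the only criterion besides severity that swings a campaign by four points.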
Assess Vulnerabilities
Assess the Impact of the Vulnerabilities Across USPS
• Determine how many USPS assets are impacted by the vulnerability
• Determine criticality of vulnerabilities
• Determine if vulnerabilities warrant a risk
• Verify system owner
Cyber Risk Management Process: 1 Identify, 2 Analyze, 3 Address, 4 Monitor, 5 Report
Build Your Own Scan
Scanning Exercise – 60 minutes
Notify System Owners
Notify System Owners of the Vulnerabilities and the Need to Remediate
Contact the system owners to take action on the vulnerabilities. Communicate the:
• Vulnerabilities
• Criticality
• Remediation timeline
• Recommended solutions
Binding Operational Directive (BOD) 19-02: Vulnerability Remediation Requirements for Internet-Accessible Systems
Remediate critical and high vulnerabilities as follows:
• Critical – within 15 calendar days of initial detection
• High – within 30 calendar days of initial detection
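The notification step and the BOD 19-02 windows combine naturally into a small tracker. The Python script below is an added example, not USPS tooling: it maps a CVSS 3.1 base score onto the severity bands from the earlier slide, applies the 15- and 30-day windows quoted above to compute a remediation due date, and assembles the four items the slide says to communicate to a system owner, plus an overdue flag. The scan records are constructed sample data (hostnames under .example.test, made-up titles and scores), and attaching no directive deadline to Medium/Low findings or to systems that are not internet-accessible is an assumption drawn from the directive's scope as the slide states it.

```python
"""Remediation deadline tracker for system-owner notifications.

Added example, not USPS code. It applies the CVSS 3.1 severity bands and the
BOD 19-02 remediation windows quoted on the slides to constructed scan records.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


def cvss_severity(base_score: float) -> str:
    """CVSS 3.1 qualitative rating for a base score (bands from the slide)."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score}")
    if base_score == 0.0:
        return "None"
    if base_score < 4.0:
        return "Low"
    if base_score < 7.0:
        return "Medium"
    if base_score < 9.0:
        return "High"
    return "Critical"


# BOD 19-02 windows, in calendar days from initial detection. The slide gives
# deadlines only for Critical and High, so Medium/Low have no entry here.
BOD_19_02_DAYS: Dict[str, int] = {"Critical": 15, "High": 30}


def remediation_due(detected: date, severity: str, internet_accessible: bool) -> Optional[date]:
    """Due date under BOD 19-02, or None when the directive sets no deadline.
    Assumption: the directive covers internet-accessible systems only, as the
    slide states, so other systems fall back to local policy."""
    days = BOD_19_02_DAYS.get(severity)
    if days is None or not internet_accessible:
        return None
    return detected + timedelta(days=days)


@dataclass(frozen=True)
class ScanResult:
    """One finding from a vulnerability scan (constructed sample data below)."""
    host: str
    title: str
    cvss_base: float
    detected: date
    internet_accessible: bool
    recommended_fix: str


def build_notification(result: ScanResult, as_of: date) -> Dict[str, object]:
    """Assemble what the slide says to communicate to the system owner: the
    vulnerability, its criticality, the remediation timeline and the
    recommended solution, plus an overdue flag for tracking."""
    severity = cvss_severity(result.cvss_base)
    due = remediation_due(result.detected, severity, result.internet_accessible)
    return {
        "host": result.host,
        "vulnerability": result.title,
        "criticality": severity,
        "remediation_timeline": due.isoformat() if due else "no BOD 19-02 deadline; local policy applies",
        "recommended_solution": result.recommended_fix,
        "days_remaining": (due - as_of).days if due else None,
        "overdue": due is not None and as_of > due,
    }


def overdue_hosts(results: List[ScanResult], as_of: date) -> List[str]:
    """Hosts whose BOD 19-02 deadline has passed as of the given date."""
    return [r.host for r in results if build_notification(r, as_of)["overdue"]]


# Constructed sample scan records (not real USPS findings).
SAMPLE_RESULTS: List[ScanResult] = [
    ScanResult("web-01.example.test", "Unsupported web server version (constructed)", 9.8,
               date(2019, 6, 1), True, "Upgrade to a vendor-supported release"),
    ScanResult("web-02.example.test", "Weak TLS cipher configuration (constructed)", 7.5,
               date(2019, 6, 1), True, "Apply the hardened TLS baseline"),
    ScanResult("intranet-03.example.test", "Weak TLS cipher configuration (constructed)", 7.5,
               date(2019, 6, 1), False, "Apply the hardened TLS baseline"),
    ScanResult("web-04.example.test", "Verbose error pages (constructed)", 5.3,
               date(2019, 6, 1), True, "Disable detailed error output"),
]
AS_OF = date(2019, 6, 20)  # constructed "today" for the report

if __name__ == "__main__":
    for r in SAMPLE_RESULTS:
        n = build_notification(r, AS_OF)
        print(f"{n['host']:<26} {n['criticality']:<8} due {n['remediation_timeline']:<42} overdue={n['overdue']}")
```

The clock starts at initial detection, not at notification, which is why the detection date travels with the finding: a Critical finding first seen on 1 June is due on 16 June regardless of when the owner was told. The same finding on an internal-only host gets no directive deadline from this script, so a real tracker would substitute the organisation's own timeframe for that case rather than leave it open.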
Remediate Vulnerabilities
Support and Track the Remediation of the Vulnerabilities
Scanning discovers vulnerabilities.
System owner must:
• Remediate within the timeframe associated with the criticality of the vulnerability, or
• Accept the risk to the USPS enterprise with an authorized Risk Acceptance Letter (RAL)
Validate Vulnerabilities
Validate the Vulnerabilities Were Correctly Remediated
Once the vulnerabilities are remediated, the modification to the system is validated through the same mechanism by which the vulnerabilities were found:
• Vulnerability scanning
• Compliance scanning
• Application code reviews
• Application code scanning
• Penetration testing
Notice how the process starts all over again.
Vulnerability Management & Assessment (VMA)
VMA Organization Chart
Vulnerability Management Organization:
• Cybersecurity Risk Management / Vulnerability Management & Assessments (VMA): Chris Nielsen, (A) Manager; Brandon Paulson, Manager
• Penetration Testing (PEN): Eric Utley, Manager
• Remediation Management (RMT): TBD, Manager
• Automated Vulnerability Assessments (AVA): Eric Utley, (A) Manager
• Risk Remediation: Mark Rinas, Manager
Program Overarching Goal: Continuously identify and analyze USPS technology asset vulnerabilities, prioritize and manage remediation efforts, and report cyber risks.
VMA Mission and Vision
Mission: The Vulnerability Management & Assessment (VMA) program expeditiously identifies, assesses, and reports USPS enterprise vulnerabilities. Additionally, VMA monitors and tracks the remediation of vulnerabilities to closure or risk acceptance.
Vision: Protect the USPS mission by implementing an enterprise cybersecurity assessment strategy by employing a repeatable, measurable, and automated vulnerability management and assessment process across the enterprise.
Securing USPS through Vulnerability Elimination
VMA & Risk Remediation:
• Vulnerability Scanning
• Security Control Assessments
• Application Security Assessments
• Penetration Testing
Internal & External Stakeholders
Key Stakeholders
Engineering: Provides services to support scanning and remediate vulnerabilities that are identified by the AVA team, including the Mail Processing Environment (MPE) in the future.
Cyber Risk Management: Manages risks identified through vulnerability scanning.
Information Technology (IT): Provides services to support scanning activities and remediate vulnerabilities that are identified by the Automated Vulnerability Assessment (AVA) team.
Certification and Accreditation (C&A): Reviews the identified vulnerabilities for each of the USPS systems and monitors the remediation of the vulnerabilities to determine the risk of the system to the Postal Service.
Department of Homeland Security (DHS): Agreements are in place to conduct scanning across USPS perimeter networks.
Mail Entry & Payment Technologies (MEPT): Provides services to support scanning and remediate vulnerabilities that are identified by the AVA team.
Automated Vulnerability Assessments (AVA)
AVA Overview
Automated Vulnerability Assessments (AVA) is responsible for configuring, conducting, and reporting vulnerability scans that search USPS systems, networks, and applications for potential weaknesses according to AS-805 policy.
Scanning Across the USPS Enterprise
[Diagram: Scanning Across the USPS Enterprise; the labels recoverable from the slide are listed below]
Tenable Scan & Log data
Scanned environments (each covering Servers, Workstations & Laptops, and Infrastructure): Blue Network; PCI Environment; MPE / MHE; Tier 0
Asset Management Systems: Enterprise Information Repository (EIR); Asset Inventory Management System (AIMS); IP Asset Management (IPAM); Advanced CMDB Reporting System (ACRS)
User Dashboards
Future (label on one element of the diagram)
Remediation Management (RMT)
Remediation Management (RMT) Overview
The Cyber Risk Remediation and Response Management Instruction (MI) gives CISO the authority to pursue remediation activities and prioritize the patching of information systems across the enterprise. Remediation activities are continuous and range from the time risks are identified through the period they are mitigated.
RMT is responsible for:
• Continually analyzing risks and vulnerabilities
• Prioritizing vulnerabilities and initiating remediation campaigns
• Tracking completion of required remediation activities
• Evaluating campaign effectiveness
Remediation Management Process
1. Collect & prioritize vulnerabilities
2. Create remediation campaign
3. Issue a request for action
4. Communicate remediation campaign
5. Track remediation activities
6. Evaluate remediation effectiveness
The remediation management process begins with the collection and prioritization of vulnerabilities and ends with evaluation of the implemented remediation solution. Refer to the Appendix for a detailed process flow of remediation management.
RMT Accomplishments: Completed Campaigns
Campaign                Start Date   End Date   Vulnerabilities Eliminated   Comment
Flash                   02/2017      07/2017    ~1,000,000                   Some versions were more than six years old, presenting multiple vulnerabilities within a single system.
HP Management Homepage  04/2017      08/2017    687                          Exploitation would have allowed unauthorized access to several critical systems.
WannaCry                05/2017      06/2017    ~250,000                     Work began in late April after the Shadow Brokers release.
Shadow Brokers          05/2017      07/2017    ~165,000                     WannaCry was separated from this effort on 05/12/17 with the ransomware announcement but continued during the WannaCry remediation effort.
Petya                   06/2017      07/2017    63,000                       Most of the threat was eliminated during the WannaCry remediation effort. This campaign covered an additional vulnerability.
Struts                  07/2017      08/2017    2,400                        This campaign was a rapid remediation effort to address the Struts vulnerability.
Penetration Testing
Penetration Testing (PEN) Overview
The AS 805 and the Cyber Risk Penetration Testing and Remediation Management Instruction (MI) give CISO the authority to discover vulnerabilities on USPS systems through penetration testing and to pursue remediation of the associated findings across the enterprise.
PEN is responsible for:
• Continuous vulnerability identification activities
• Reporting findings to stakeholders
• Supporting validation of vulnerability remediation
Penetration Testing Process: 1 Information Gathering, 2 Vulnerability Scanning and Analysis, 3 Exploitation, 4 Post-Exploitation, 5 Reporting
PEN: Organizational Benefits
The penetration testing process contributes to the Postal Service’s ability to reduce enterprise-wide risk exposure by:
• Enabling stakeholders and leadership to make effective risk-based decisions regarding vulnerability remediation and day-to-day operations of information systems
• Determining real-world impact to the Postal Service’s resources, reputation, and users by emulating techniques, tactics, and procedures used by our adversaries
• Actively exploiting vulnerabilities across the enterprise to better quantify risks to the organization
USPS PMG Strategic Focus Areas: Deliver World-Class Customer Experience; Equip, Empower, & Engage Employees; Innovate to Deliver Value; Invest in Our Future
Penetration Testing Process
1. Information Gathering: Conduct a scoping study to collect information about the system undergoing testing and develop ROE to establish guidelines for the penetration assessment.
2. Vulnerability Scanning & Analysis: Discover known and unknown hosts or assets, and detect potential vulnerabilities for mapping attack vectors.
3. Exploitation: Attempt to exploit potential vulnerabilities and gain access to assets, escalate privileges, and move throughout the network.
4. Post-Exploitation: Attempt to escalate privileges, move through the network, and compromise additional in-scope targets.
Restore system configuration changes and remove testing artifacts.
5. Reporting: Create a comprehensive report for the system owner that outlines the vulnerabilities discovered and their priority along with remediation recommendations.
Penetration Testing
Penetration Testing Exercise – 45 minutes
Summary
Pillars of Vulnerability Management and Organizational Benefits:
• Identifies cyber risks across the enterprise to facilitate business operations consistent with the Postal Service’s cybersecurity posture
• Communicates identified cyber risks and educates appropriate stakeholders to support deliberate risk-based decisions
• Increases the visibility of the risk profile of critical systems and sites, such as those in PCI, Perimeter, Tier 0 and MPE sites
• Fosters an enterprise-wide culture focused on cybersecurity by empowering individuals and teams to protect USPS technology assets
Course Assessment and Survey
Survey: Please fill out the survey to provide your opinion on:
• Your instructor
• The facility
• The course content
Quiz: There is a 10-question quiz:
• You must achieve a score of 70%
Complete the survey and quiz to get credit for this course.
Contains Sensitive USPS Information

Deltek Accounting System StoryboardJim Piechocki
 
Cialdini Six Tools of Influence summary
Cialdini Six Tools of Influence summaryCialdini Six Tools of Influence summary
Cialdini Six Tools of Influence summaryJim Piechocki
 
Rm class-day2-influence activity
Rm class-day2-influence activityRm class-day2-influence activity
Rm class-day2-influence activityJim Piechocki
 
Honda Sales Insight Summer 2010
Honda Sales Insight Summer 2010Honda Sales Insight Summer 2010
Honda Sales Insight Summer 2010Jim Piechocki
 
Nursing Medical Mishaps Screenplay
Nursing Medical Mishaps ScreenplayNursing Medical Mishaps Screenplay
Nursing Medical Mishaps ScreenplayJim Piechocki
 
Honda Certified Used Cars Flyer
Honda Certified Used Cars FlyerHonda Certified Used Cars Flyer
Honda Certified Used Cars FlyerJim Piechocki
 
Phishing email PDF Flyer
Phishing email PDF FlyerPhishing email PDF Flyer
Phishing email PDF FlyerJim Piechocki
 
PCI OWASP Course Storyboard
PCI OWASP Course StoryboardPCI OWASP Course Storyboard
PCI OWASP Course StoryboardJim Piechocki
 
Cancer battle video game report, PEDIATRICS
Cancer battle video game report, PEDIATRICSCancer battle video game report, PEDIATRICS
Cancer battle video game report, PEDIATRICSJim Piechocki
 
VA Supply Chain 100 Student Exercise Guide
VA Supply Chain 100 Student Exercise GuideVA Supply Chain 100 Student Exercise Guide
VA Supply Chain 100 Student Exercise GuideJim Piechocki
 
Difficult Conversations Course Assessment
Difficult Conversations Course AssessmentDifficult Conversations Course Assessment
Difficult Conversations Course AssessmentJim Piechocki
 
Tough conversations assessment
Tough conversations assessmentTough conversations assessment
Tough conversations assessmentJim Piechocki
 

Mais de Jim Piechocki (20)

James Piechocki Resume General Post CS Logos.pdf
James Piechocki Resume General Post CS Logos.pdfJames Piechocki Resume General Post CS Logos.pdf
James Piechocki Resume General Post CS Logos.pdf
 
Jet Cars for SpeedTV
Jet Cars for SpeedTVJet Cars for SpeedTV
Jet Cars for SpeedTV
 
VA Contracting Exam
VA Contracting ExamVA Contracting Exam
VA Contracting Exam
 
Sample Student Activity Guide
Sample Student Activity GuideSample Student Activity Guide
Sample Student Activity Guide
 
Machine Language Learning Video Storyboard
Machine Language Learning Video StoryboardMachine Language Learning Video Storyboard
Machine Language Learning Video Storyboard
 
Machine Language Job Aid
Machine Language Job AidMachine Language Job Aid
Machine Language Job Aid
 
Job aid valve replacement
Job aid   valve replacementJob aid   valve replacement
Job aid valve replacement
 
Deltek Accounting System Storyboard
Deltek Accounting System StoryboardDeltek Accounting System Storyboard
Deltek Accounting System Storyboard
 
Cialdini Six Tools of Influence summary
Cialdini Six Tools of Influence summaryCialdini Six Tools of Influence summary
Cialdini Six Tools of Influence summary
 
Rm class-day2-influence activity
Rm class-day2-influence activityRm class-day2-influence activity
Rm class-day2-influence activity
 
User journey
User journeyUser journey
User journey
 
Honda Sales Insight Summer 2010
Honda Sales Insight Summer 2010Honda Sales Insight Summer 2010
Honda Sales Insight Summer 2010
 
Nursing Medical Mishaps Screenplay
Nursing Medical Mishaps ScreenplayNursing Medical Mishaps Screenplay
Nursing Medical Mishaps Screenplay
 
Honda Certified Used Cars Flyer
Honda Certified Used Cars FlyerHonda Certified Used Cars Flyer
Honda Certified Used Cars Flyer
 
Phishing email PDF Flyer
Phishing email PDF FlyerPhishing email PDF Flyer
Phishing email PDF Flyer
 
PCI OWASP Course Storyboard
PCI OWASP Course StoryboardPCI OWASP Course Storyboard
PCI OWASP Course Storyboard
 
Cancer battle video game report, PEDIATRICS
Cancer battle video game report, PEDIATRICSCancer battle video game report, PEDIATRICS
Cancer battle video game report, PEDIATRICS
 
VA Supply Chain 100 Student Exercise Guide
VA Supply Chain 100 Student Exercise GuideVA Supply Chain 100 Student Exercise Guide
VA Supply Chain 100 Student Exercise Guide
 
Difficult Conversations Course Assessment
Difficult Conversations Course AssessmentDifficult Conversations Course Assessment
Difficult Conversations Course Assessment
 
Tough conversations assessment
Tough conversations assessmentTough conversations assessment
Tough conversations assessment
 

Último

Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxJisc
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxJisc
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfPoh-Sun Goh
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structuredhanjurrannsibayan2
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Pooja Bhuva
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...Nguyen Thanh Tu Collection
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...ZurliaSoop
 
Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and ModificationsMJDuyan
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxDenish Jangid
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - Englishneillewis46
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Jisc
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibitjbellavia9
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentationcamerronhm
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxPooja Bhuva
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxCeline George
 
Plant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptxPlant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptxUmeshTimilsina1
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds  in the ClassroomFostering Friendships - Enhancing Social Bonds  in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomPooky Knightsmith
 
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxExploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxPooja Bhuva
 

Último (20)

Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structure
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and Modifications
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptx
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptx
 
Plant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptxPlant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptx
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds  in the ClassroomFostering Friendships - Enhancing Social Bonds  in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxExploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
 

USPS CISO Academy - Vulnerability Management

• 8. Vulnerability Foundations
What is a Vulnerability? A vulnerability is a weakness in the computational logic (e.g., code) found in software and some hardware components (e.g., firmware) that, when exploited, results in a negative impact to confidentiality, integrity, or availability. (Copyright © 1999–2019, The MITRE Corporation.)
What is an Exposure? An exposure is a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network. (Copyright © 1999–2019, The MITRE Corporation.)
What is a Cybersecurity Threat? A threat refers to anything that has the potential to cause serious harm to a computer system. A threat is something that may or may not happen, but has the potential to cause serious damage. Threats can lead to attacks on computer systems, networks, and more.
How does Risk fit into the Picture? The potential for loss, damage, or destruction of USPS assets and intellectual property — specifically PII — as a result of a threat exploiting a vulnerability.
• 9. Vulnerability Management Lifecycle
Vulnerability Management is the "cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating" information system vulnerabilities. It is not to be confused with Patch Management, which is a strategy for managing patches or upgrades for software applications and technologies.
The lifecycle has six phases:
• Discover vulnerabilities on all assets across the USPS enterprise
• Prioritize vulnerabilities of USPS critical assets
• Assess the impact of the vulnerabilities across USPS
• Notify system owners of the vulnerabilities and the need to remediate
• Support and track the Remediation of the vulnerabilities
• Validate the vulnerabilities were correctly remediated
• 10. Discover Vulnerabilities
Discover vulnerabilities on all assets across the USPS enterprise.
Sources for vulnerabilities:
• Common Vulnerabilities and Exposures (CVE®) is a list of common identifiers for publicly known cybersecurity vulnerabilities. (https://cve.mitre.org/)
• National Vulnerability Database (NVD) houses the U.S. government repository of standards-based vulnerability management data. (https://nvd.nist.gov/)
What is a Vulnerability Assessment? Vulnerability assessment is a process of defining, identifying, and classifying the security vulnerabilities in information technology systems.
• 11. Discover Vulnerabilities: Methods of Discovering Vulnerabilities
Discover vulnerabilities on all assets across the USPS enterprise.
• Vulnerability Scanning is a technique used to identify weaknesses in assets and is based on the CVEs.
• Compliance Scanning (or Compliance Check) focuses on the configuration settings (or security hardening) applied to a system. In short, compliance scans assess adherence to a specific compliance framework.
• 12. Application Code Scanning: Methods of Discovering Vulnerabilities
Discover vulnerabilities on all assets across the USPS enterprise.
Application Code Review is the manual process of auditing the source code of an application to verify that security controls are in place.
Application Code Scanning:
• SAST – Static Application Security Testing is an automated process of auditing source code.
• DAST – Dynamic Application Security Testing is an automated process of scanning a running application to find run-time errors.
• IAST – Interactive Application Security Testing combines the features of SAST and DAST. It places an agent within the application and performs analysis in real time.
• RASP – Runtime Application Self-Protection is plugged into the application or production environment and can control the application's execution.
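To make the SAST bullet concrete, here is an added example (not code from the deck, from USPS, or from any vendor tool) of what a small static-analysis rule set looks like: it parses Python source into an AST and reports three well-known risky patterns with their line numbers. The rules, the `Finding` type and the `SAMPLE_SOURCE` string are all constructed for this illustration.

```python
"""Minimal SAST-style checker: walks the AST of a Python source file and
reports a few well-known risky patterns with line numbers.

Added example, not USPS or vendor code; rules and sample source are constructed.
"""
import ast
import re
from dataclasses import dataclass

# Built-ins whose argument is evaluated as code.
CODE_EXEC_BUILTINS = {"eval", "exec"}
# Variable names that suggest a credential; a string literal assigned to one
# of these is reported as a hard-coded secret.
SECRET_NAME = re.compile(r"(password|passwd|secret|api_key|token)", re.I)


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str


def _call_name(node):
    """Return 'eval', 'subprocess.run', etc. for a Call node, or '' if not a simple name."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


class RiskyPatternVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = _call_name(node)
        if name in CODE_EXEC_BUILTINS:
            self.findings.append(Finding(node.lineno, "code-exec", f"call to {name}()"))
        # subprocess.* with shell=True hands the command line to a shell, so any
        # untrusted substring becomes shell syntax; the list form does not.
        if name.startswith("subprocess."):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append(Finding(node.lineno, "shell-true", f"{name}(..., shell=True)"))
        self.generic_visit(node)

    def visit_Assign(self, node):
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    self.findings.append(
                        Finding(node.lineno, "hardcoded-secret", f"string literal assigned to {target.id}")
                    )
        self.generic_visit(node)


def scan_source(source, filename="<string>"):
    """Parse `source` and return its findings ordered by line number."""
    tree = ast.parse(source, filename=filename)
    visitor = RiskyPatternVisitor()
    visitor.visit(tree)
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample input (not from the deck); comments mark the expected hits.
SAMPLE_SOURCE = '''\
import subprocess

DB_PASSWORD = "hunter2"            # line 3: hard-coded secret
timeout = "30"                     # line 4: a string, but not a secret name

def run(user_input):
    subprocess.run("ls " + user_input, shell=True)   # line 7: shell=True
    subprocess.run(["ls", user_input])               # line 8: list form, no shell
    return eval(user_input)                          # line 9: code execution
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{f.line}: [{f.rule}] {f.detail}")
```

A real SAST product adds data-flow tracking (is the `eval` argument actually attacker-controlled?) and hundreds of rules, but the shape is the same: parse, match patterns on the tree, report a location and a rule id that the remediation team can track to closure.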
• 13. Discovering Vulnerabilities: Penetration Testing
Discover vulnerabilities on all assets across the USPS enterprise.
Penetration tests are simulated cyberattacks performed in a controlled environment and used to assess the Postal Service's ability to protect against internal and external vulnerabilities.
Application Penetration Testing uses hacker-like methods to identify vulnerabilities, especially in externally facing applications. Objective: fully exercise all aspects of the application's capabilities to identify vulnerabilities.
Network / Infrastructure Pen Testing investigates different attack paths used to gain access to systems and resources. Objective: discover attack paths and establish a foothold in the environment to access sensitive data.
Red Team Exercises: the Red Team tests CSOC's ability to identify, respond to, and defend against a real-world cyber attack; the Blue Team defends against the attack.
Rules of Engagement (ROE): the ROE documents penetration testing team members, system owners, test schedule, targets, testing methods, and network authorization.
• 14. Prioritizing Vulnerabilities
Prioritize vulnerabilities of USPS critical assets. Assets are prioritized by USPS criticality:
• USPS Perimeter
• USPS Critical Sites (defined by the U.S. Postal Inspection Service)
• PCI Environment (Payment Card Industry (PCI), https://www.pcisecuritystandards.org/pci_security/)
• Tier 0
Vulnerabilities are rated through the Common Vulnerability Scoring System (CVSS):
• CVSS captures the principal technical characteristics of software, hardware, and firmware vulnerabilities.
• CVSS provides numerical scores indicating the severity of a vulnerability relative to other vulnerabilities.
• https://www.first.org/cvss/specification-document
CVSS 3.1 Scoring (qualitative severity by base score range):
  Severity   Base Score Range
  None       0.0
  Low        0.1-3.9
  Medium     4.0-6.9
  High       7.0-8.9
  Critical   9.0-10.0
• 15. USPS Priority Prioritization: USPS Vulnerability Priority Calculator
The campaign priority calculator considers multiple factors when prioritizing remediation campaigns, as shown in the scoring rubric below.
Scoring rubric criteria: number of vulnerabilities discovered (Span); severity rating for the findings (Severity); status of exploit publication (Exploit Published); asset criticality within the BIA (Critical Asset); data sensitivity within the BIA (Sensitive Info); exposure to external stakeholders (Exposure); total priority score for the campaign (Score).
Scoring rubric (points per criterion):
  Span (vulnerabilities):  >10,000 = 5 | 5,000-10,000 = 4 | 1,000-5,000 = 3 | 100-1,000 = 2 | <100 = 1
  Severity:                Critical = 5 | High = 4 | Medium = 3 | Low = 2
  Exploit Published:       Exploit published = 5 | Mix = 3 | No = 1
  Critical Asset:          Yes = 5 | Mix = 3 | No = 1
  Sensitive Info:          Yes = 5 | Mix = 3 | No = 1
  Exposure:                External = 5 | Compliance = 3 | Internal = 2
  Score (priority):        Critical = >20 | High = 11-20 | Medium = 6-10 | Low = <5
Real-world example:
  Vulnerability   Span  Severity  Exploit Published  Critical Asset  Sensitive Info  Exposure  Score
  WebSphere       5     3         3                  3               3               3         High 20
  iTunes          5     5         5                  3               3               2         Critical 23
  XML             5     4         5                  3               3               2         Critical 22
  WinZip          5     5         1                  1               1               2         High 15
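The slide-14 CVSS ranges and the slide-15 rubric, worked as an added Python example (this is not USPS's own calculator). `cvss_severity` applies the CVSS 3.1 base-score ranges, `span_points` applies the Span column, `priority_label` applies the Score column, and `slide_example_scores` reproduces the four real-world rows from their point values. Where the slide's ranges share an endpoint, or leave a total of exactly 5 unassigned, the choice made here is marked as an assumption in a comment; the `Campaign` values in `main` are constructed inputs, not from the deck.

```python
"""Campaign priority calculator reconstructed from the slide-15 rubric.

Added example, not USPS's own calculator. Boundary choices the slide leaves
open are marked as assumptions below.
"""
from dataclasses import dataclass


def cvss_severity(base_score):
    """Slide 14: CVSS v3.1 qualitative severity for a base score."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError("CVSS base score must be between 0.0 and 10.0")
    if base_score == 0.0:
        return "None"
    if base_score < 4.0:
        return "Low"
    if base_score < 7.0:
        return "Medium"
    if base_score < 9.0:
        return "High"
    return "Critical"


# Slide 15 rubric, one points table per criterion. The slide has no row for
# severity "None", so such campaigns are rejected rather than scored.
SEVERITY_POINTS = {"Critical": 5, "High": 4, "Medium": 3, "Low": 2}
YES_MIX_NO = {"yes": 5, "mix": 3, "no": 1}        # Exploit Published, Critical Asset, Sensitive Info
EXPOSURE_POINTS = {"external": 5, "compliance": 3, "internal": 2}


def span_points(affected_count):
    """Span column: >10,000=5, 5,000-10,000=4, 1,000-5,000=3, 100-1,000=2, <100=1.
    Assumption: a count on a shared endpoint (1,000; 5,000; 10,000) takes the lower band."""
    if affected_count > 10_000:
        return 5
    if affected_count > 5_000:
        return 4
    if affected_count > 1_000:
        return 3
    if affected_count >= 100:
        return 2
    return 1


def priority_label(total):
    """Score column: Critical >20, High 11-20, Medium 6-10, Low <5.
    Assumption: the slide does not assign a total of exactly 5; it is treated as Low."""
    if total > 20:
        return "Critical"
    if total >= 11:
        return "High"
    if total >= 6:
        return "Medium"
    return "Low"


def score_from_points(points):
    """Total the six criterion point values (the slide's example rows give these directly)."""
    if len(points) != 6:
        raise ValueError("expected six criterion point values")
    total = sum(points)
    return total, priority_label(total)


@dataclass(frozen=True)
class Campaign:
    name: str
    affected_count: int       # vulnerability instances in scope (Span)
    cvss_base: float          # worst CVSS v3.1 base score among the findings
    exploit_published: str    # "yes" | "mix" | "no"
    critical_asset: str       # "yes" | "mix" | "no"  (BIA asset criticality)
    sensitive_info: str       # "yes" | "mix" | "no"  (BIA data sensitivity)
    exposure: str             # "external" | "compliance" | "internal"


def score_campaign(c):
    """Map raw campaign attributes to rubric points, then total and label them."""
    severity = cvss_severity(c.cvss_base)
    if severity not in SEVERITY_POINTS:
        raise ValueError(f"rubric has no severity row for {severity!r}")
    points = [
        span_points(c.affected_count),
        SEVERITY_POINTS[severity],
        YES_MIX_NO[c.exploit_published],
        YES_MIX_NO[c.critical_asset],
        YES_MIX_NO[c.sensitive_info],
        EXPOSURE_POINTS[c.exposure],
    ]
    total, label = score_from_points(points)
    return total, label, points


# The four rows of the slide's "Real-World Example" table, as point values.
SLIDE_EXAMPLES = {
    "WebSphere": [5, 3, 3, 3, 3, 3],
    "iTunes":    [5, 5, 5, 3, 3, 2],
    "XML":       [5, 4, 5, 3, 3, 2],
    "WinZip":    [5, 5, 1, 1, 1, 2],
}


def slide_example_scores():
    return {name: score_from_points(pts) for name, pts in SLIDE_EXAMPLES.items()}


if __name__ == "__main__":
    for name, (total, label) in slide_example_scores().items():
        print(f"{name:10s} {label:8s} {total}")
    # Constructed inputs (not from the deck) that land on the same points as the iTunes row.
    c = Campaign("constructed-example", 12_000, 9.8, "yes", "mix", "mix", "internal")
    print(c.name, score_campaign(c))
```

Note what the rubric does and does not do: it is a ranking aid for campaigns, so a Low-severity finding on ten thousand externally exposed hosts can outrank a Critical one on a single internal box. That is intentional for campaign ordering, but the per-finding BOD 19-02 clock on slide 18 still runs from the CVSS severity, not from this score.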
• 16. Assess Vulnerabilities
Assess the impact of the vulnerabilities across USPS:
• Determine how many USPS assets are impacted by the vulnerability
• Determine the criticality of the vulnerabilities
• Determine if the vulnerabilities warrant a risk
• Verify the system owner
Cyber Risk Management Process (five steps, as shown in the slide graphic): Identify, Analyze, Monitor, Report, Address.
• 17. Build Your Own Scan – Scanning Exercise (60 minutes)
• 18. Notify System Owners
Notify system owners of the vulnerabilities and the need to remediate. Contact the system owners to take action on the vulnerabilities and communicate the:
• Vulnerabilities
• Criticality
• Remediation timeline
• Recommended solutions
Binding Operational Directive (BOD) 19-02, Vulnerability Remediation Requirements for Internet-Accessible Systems, requires critical and high vulnerabilities to be remediated as follows:
• Critical – within 15 calendar days of initial detection
• High – within 30 calendar days of initial detection
• 19. Remediate Vulnerabilities
Support and track the remediation of the vulnerabilities. The system owner must:
• Remediate within the timeframe associated with the criticality of the vulnerability, or
• Accept the risk to the USPS enterprise with an authorized Risk Acceptance Letter (RAL)
• 20. Validate Vulnerabilities
Validate that the vulnerabilities were correctly remediated. Once the vulnerabilities are remediated, the modification to the system is validated through the same mechanism by which the vulnerabilities were found:
• Vulnerability scanning
• Compliance scanning
• Application code reviews
• Application code scanning
• Penetration testing
Notice how the process starts all over again.
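Slides 18 through 20 describe a closed loop: notify with a BOD 19-02 timeline, remediate or accept the risk with a RAL, then validate by re-running the same discovery mechanism. The added Python example below (not USPS's own tooling) models that loop for one scan cycle: it computes each finding's BOD 19-02 due date from its severity and first-detection date, compares the initial scan with a rescan, and reports which findings are validated, risk-accepted, open within the SLA, or overdue. The asset names, finding identifiers (`EX-0001`, ...) and dates are constructed placeholders.

```python
"""Remediation tracking and validation loop from slides 18-20.

Added example, not USPS's own tooling. Asset names, finding identifiers and
dates below are constructed placeholders.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Slide 18: BOD 19-02 timelines, in calendar days from initial detection.
# The slide gives timelines only for Critical and High.
BOD_19_02_DAYS = {"Critical": 15, "High": 30}


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    severity: str
    first_detected: date

    @property
    def key(self):
        return (self.asset, self.vuln_id)


def due_date(finding):
    """Remediation deadline under BOD 19-02, or None when the slide sets no timeline."""
    days = BOD_19_02_DAYS.get(finding.severity)
    if days is None:
        return None
    return finding.first_detected + timedelta(days=days)


def finding_status(finding, still_present, risk_accepted, as_of):
    """Classify one finding after a rescan (slide 20: validate through the same mechanism)."""
    if not still_present:
        return "Validated"                 # rescan no longer reports it: remediation confirmed
    if risk_accepted:
        return "Risk Accepted (RAL)"       # slide 19: authorized Risk Acceptance Letter on file
    due = due_date(finding)
    if due is None:
        return "Open (no BOD 19-02 timeline)"
    if as_of > due:
        return "Overdue"
    return "Open (within SLA)"


def validate_remediation(initial_scan, rescan_keys, ral_keys, as_of):
    """Return {(asset, vuln_id): status} for every finding of the initial scan."""
    return {
        f.key: finding_status(f, f.key in rescan_keys, f.key in ral_keys, as_of)
        for f in initial_scan
    }


def status_counts(report):
    """Summary counts per status, for the notify/track reporting step."""
    return dict(Counter(report.values()))


# --- Constructed sample data (not from the deck) ------------------------------
INITIAL_SCAN = [
    Finding("web-01", "EX-0001", "Critical", date(2019, 6, 1)),
    Finding("web-02", "EX-0001", "Critical", date(2019, 6, 1)),
    Finding("db-01",  "EX-0002", "High",     date(2019, 6, 10)),
    Finding("app-03", "EX-0003", "High",     date(2019, 5, 20)),
    Finding("ws-17",  "EX-0004", "Medium",   date(2019, 6, 5)),
]
# Keys the rescan still reports; web-01 is absent, so its fix is validated.
RESCAN_STILL_PRESENT = {
    ("web-02", "EX-0001"), ("db-01", "EX-0002"),
    ("app-03", "EX-0003"), ("ws-17", "EX-0004"),
}
RISK_ACCEPTED = {("app-03", "EX-0003")}   # RAL on file for this one
AS_OF = date(2019, 6, 20)

if __name__ == "__main__":
    report = validate_remediation(INITIAL_SCAN, RESCAN_STILL_PRESENT, RISK_ACCEPTED, AS_OF)
    for (asset, vuln_id), status in report.items():
        print(f"{asset:8s} {vuln_id}  {status}")
    print(status_counts(report))
```

Two design points worth keeping in a real tracker: the clock starts at first detection, not at notification, so a late notify step eats into the system owner's 15 or 30 days; and a RAL suppresses the overdue state but not the finding itself, which is why `app-03` is still carried in the report rather than dropped.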
  • 21. Vulnerability Management & Assessment (VMA)
• 22. VMA Organization Chart
Vulnerability Management Organization (org chart): Vulnerability Management & Assessments (VMA); Cybersecurity Risk Management; Chris Nielsen, (A) Manager; Brandon Paulson, Manager; Penetration Testing (PEN), Eric Utley, Manager; Remediation Management (RMT), TBD, Manager; Automated Vulnerability Assessments (AVA), Eric Utley, (A) Manager; Risk Remediation, Mark Rinas, Manager.
Program Overarching Goal: Continuously identify and analyze USPS technology asset vulnerabilities, prioritize and manage remediation efforts, and report cyber risks.
• 23. VMA Mission and Vision
Mission: The Vulnerability Management & Assessment (VMA) program expeditiously identifies, assesses, and reports USPS enterprise vulnerabilities. Additionally, VMA monitors and tracks the remediation of vulnerabilities to closure or risk acceptance.
Vision: Protect the USPS mission by implementing an enterprise cybersecurity assessment strategy, employing a repeatable, measurable, and automated vulnerability management and assessment process across the enterprise.
Securing USPS through Vulnerability Elimination (VMA & Risk Remediation):
• Vulnerability Scanning
• Security Control Assessments
• Application Security Assessments
• Penetration Testing
• 24. Internal & External Stakeholders
Key Stakeholders:
• Engineering: Provides services to support scanning and remediate vulnerabilities that are identified by the AVA team, including the Mail Processing Environment (MPE) in the future.
• Cyber Risk Management: Manages risks identified through vulnerability scanning.
• Information Technology (IT): Provides services to support scanning activities and remediate vulnerabilities that are identified by the Automated Vulnerability Assessment (AVA) team.
• Certification and Accreditation (C&A): Reviews the identified vulnerabilities for each of the USPS systems and monitors the remediation of the vulnerabilities to determine the risk of the system to the Postal Service.
• Department of Homeland Security (DHS): Agreements are in place to conduct scanning across USPS perimeter networks.
• Mail Entry & Payment Technologies (MEPT): Provides services to support scanning and remediate vulnerabilities that are identified by the AVA team.
• 26. AVA Overview
Automated Vulnerability Assessments (AVA) is responsible for configuring, conducting, and reporting vulnerability scans that search USPS systems, networks, and applications for potential weaknesses according to AS-805 policy.
Figure: Scanning across the USPS enterprise. Labels in the figure: Tenable (scan & log data); asset management systems: Enterprise Information Repository (EIR), Asset Inventory Management System (AIMS), IP Asset Management (IPAM), Advanced CMDB Reporting System (ACRS); user dashboards; scanned environments: PCI Environment, Blue Network, Future, MPE / MHE, Tier 0, each comprising servers, workstations & laptops, and infrastructure.
• 28. Remediation Management (RMT) Overview
The Cyber Risk Remediation and Response Management Instruction (MI) gives the CISO the authority to pursue remediation activities and prioritize the patching of information systems across the enterprise. Remediation activities are continuous and range from the time risks are identified through the period they are mitigated.
RMT is responsible for:
• Continually analyzing risks and vulnerabilities
• Prioritizing vulnerabilities and initiating remediation campaigns
• Tracking completion of required remediation activities
• Evaluating campaign effectiveness
Remediation Management Process:
1. Collect & prioritize vulnerabilities
2. Create remediation campaign
3. Issue a request for action
4. Communicate remediation campaign
5. Track remediation activities
6. Evaluate remediation effectiveness
The remediation management process begins with the collection and prioritization of vulnerabilities and ends with evaluation of the implemented remediation solution. Refer to the Appendix for a detailed process flow of remediation management.
• 29. RMT Accomplishments: Completed Campaigns
  Campaign                Start    End      Vulnerabilities Eliminated  Comment
  Flash                   02/2017  07/2017  ~1,000,000                  Some versions were more than six years old, presenting multiple vulnerabilities within a single system.
  HP Management Homepage  04/2017  08/2017  687                         Exploitation would have allowed unauthorized access to several critical systems.
  WannaCry                05/2017  06/2017  ~250,000                    Work began in late April after the Shadow Brokers release.
  Shadow Brokers          05/2017  07/2017  ~165,000                    WannaCry was separated from this effort on 05/12/17 with the ransomware announcement but continued during the WannaCry remediation effort.
  Petya                   06/2017  07/2017  63,000                      Most of the threat was eliminated during the WannaCry remediation effort. This campaign covered an additional vulnerability.
  Struts                  07/2017  08/2017  2,400                       This campaign was a rapid remediation effort to address the Struts vulnerability.
• 31. Penetration Testing (PEN) Overview
AS-805 and the Cyber Risk Penetration Testing and Remediation Management Instruction (MI) give the CISO the authority to discover vulnerabilities on USPS systems through penetration testing and to pursue remediation of the associated findings across the enterprise.
PEN is responsible for:
• Continuous vulnerability identification activities
• Reporting findings to stakeholders
• Supporting validation of vulnerability remediation
Penetration Testing Process:
1. Information Gathering
2. Vulnerability Scanning and Analysis
3. Exploitation
4. Post-Exploitation
5. Reporting
• 32. PEN: Organizational Benefits
The penetration testing process contributes to the Postal Service's ability to reduce enterprise-wide risk exposure by:
• Enabling stakeholders and leadership to make effective risk-based decisions regarding vulnerability remediation and day-to-day operations of information systems
• Determining real-world impact to the Postal Service's resources, reputation, and users by emulating the techniques, tactics, and procedures used by our adversaries
• Actively exploiting vulnerabilities across the enterprise to better quantify risks to the organization
USPS PMG Strategic Focus Areas (slide graphic): Deliver World-Class Customer Experience; Equip, Empower, & Engage Employees; Innovate to Deliver Value; Invest in Our Future.
• 33. Penetration Testing Process
1. Information Gathering: Conduct a scoping study to collect information about the system undergoing testing and develop the ROE to establish guidelines for the penetration assessment.
2. Vulnerability Scanning & Analysis: Discover known and unknown hosts or assets, and detect potential vulnerabilities for mapping attack vectors.
3. Exploitation: Attempt to exploit potential vulnerabilities and gain access to assets, escalate privileges, and move throughout the network.
4. Post-Exploitation: Attempt to escalate privileges, move through the network, and compromise additional in-scope targets; then restore system configuration changes and remove testing artifacts.
5. Reporting: Create a comprehensive report for the system owner that outlines the vulnerabilities discovered and their priority, along with remediation recommendations.
• 36. Pillars of Vulnerability Management: Organizational Benefits
• Identifies cyber risks across the enterprise to facilitate business operations consistent with the Postal Service's cybersecurity posture
• Communicates identified cyber risks and educates appropriate stakeholders to support deliberate risk-based decisions
• Increases the visibility of the risk profile of critical systems and sites, such as those in PCI, Perimeter, Tier 0, and MPE sites
• Fosters an enterprise-wide culture focused on cybersecurity by empowering individuals and teams to protect USPS technology assets
USPS PMG Strategic Focus Areas (slide graphic): Deliver World-Class Customer Experience; Equip, Empower, & Engage Employees; Innovate to Deliver Value; Invest in Our Future.
• 37. Course Assessment and Survey
Survey: Please fill out the survey to provide your opinion on:
• Your instructor
• The facility
• The course content
Quiz: There is a 10-question quiz; you must achieve a score of 70%.
Complete the survey and quiz to get credit for this course.
Contains Sensitive USPS Information