
Vulnerability Management

Vulnerability Management. Dimension Data – Tom Gilis 24 November 2011. Dimension Data. Dimension Data Belgium - Security Consulting – Advisory & Assurance.





Presentation Transcript


  1. Vulnerability Management Dimension Data – Tom Gilis 24 November 2011

  2. Dimension Data
  Dimension Data Belgium - Security Consulting – Advisory & Assurance
  • Security Advisory services are Governance, Risk and Compliance oriented consultative engagements focusing on the organizational and strategic aspects of Security Management.
  • They cover requirements such as Business Impact Analysis, Risk Assessment, Best Practices Gap Analysis and Policies and Procedures, to name only a few.
  • Security Assurance services are engagements where our customers rely on our technical expertise to gauge their security posture against a defined security standard or to obtain a ‘bird’s eye view’ of where hackers may exploit weaknesses.
  • Services range from Penetration Testing, Vulnerability Assessment and Management to Source Code Analysis on a very broad technology spectrum.
  Vulnerability Management

  3. Problem Statement - A day in the life of an IT Officer
  Questions??
  • How do I manage the privacy of the corporate data?
  • Are my endpoints a risk to my corporate network?
  • Are they subject to targeted attacks?
  • How do I demonstrate compliance with standards and regulations?
  • How do I maintain our security standards when outsourcing?
  • How can I show the value of security within my organisation?
  • Can I combine the new business requirements and uphold a strong, secure network environment?
  • ….

  4. Problem Statement – Security Landscape
  The threat landscape is becoming more and more sophisticated while technology environments continue to be very complex.
  • New vulnerabilities are found every day:
  • Much more research into vulnerabilities and security weaknesses
  • “On average, about 3000 vulnerabilities per year get reported to CERT and only about 10% are published.” (CERT)
  • Source: http://www.gfi.com/blog/wp-content/uploads/2009/10/Florian-graph.JPG

  5. Problem Statement – Security Landscape
  The threat landscape is becoming more and more sophisticated while technology environments continue to be very complex.
  • Increase in attacks at the application layer:
  • Every 1,000 lines of code averages 15 critical security defects (US Department of Defense)

  6. Problem Statement – Security Landscape
  The threat landscape is becoming more and more sophisticated while technology environments continue to be very complex.
  • Change in malicious attacks:
  • Increased professionalism and commercialization of malicious activities
  • Threats that are increasingly tailored for specific regions
  • Increasing numbers of multi-staged attacks
  • More targeted attacks with bigger financial loss

  7. Problem Statement – Security Landscape
  Compliance pressure and stringent legal requirements continue to drive security focus.
  • Compliance explicitly calling for vulnerability management and security assessments:
  • ISO 27001/27002, PCI DSS v2.0, SOX Section 404, GLBA, HIPAA, FISMA, NIST 800-53, NIST 800-64, CBFA Circular 2009_17 (Belgian FSI regulator), ...
  • Vulnerability Management
  • Penetration Testing
  • Source Code and Binary Code Review
  • ...

  8. Problem Statement – Security Landscape

  9. Problem Statement – Security Landscape
  Compliance pressure and stringent legal requirements continue to drive security focus.
  • Compliance explicitly calling for vulnerability management and security assessments:
  • PCI DSS: Req. 12 - Regularly test security systems and processes
  • ISO 27002: 12.6.1 - Control of technical vulnerabilities
  • Directive 95/46/EC of the European Parliament: the Principle of Security

  10. A Strategic Approach
  Determine Risk Level
  • How do you consistently calculate risk across a diverse enterprise?
  • ‘Finger in the air’
  • Who shouts the loudest?
  • Excel
  • CVSS (Common Vulnerability Scoring System)
  • ….
  • Can you do this in an automated and repeatable manner?
  • Is this used to help prioritize your remediation efforts?
  • …

  11. A Strategic Approach
  Implement appropriate protection
  • How fast can your organization deploy a patch to all affected systems?
  • Is it more cost effective to protect first and fix later?
  • What is the most effective tool to mitigate the risk?
  • Example: patch management savings at one of the largest security vendors in the world. Vulnerability Management helped them decide whether to patch or not, depending on the type of attacks, the type of vulnerabilities, whether systems are affected by specific attacks, and the control mechanisms in place.

  12. A Strategic Approach
  Reducing overall IT Security Risk
  • Targeted (near-day mitigation)
    • New, critical vulnerabilities
    • Key assets
  • Bottom-up (scan and remediate)
    • Assess vulnerability state
    • Remediate detected vulnerabilities
  • Top-down (policy audit and enforcement)
    • Define asset baseline
    • Define security baseline
    • Enforce IT security configuration

  13. A Strategic Approach
  We need something that ...
  • provides continuous insight into the security posture of an external or internal infrastructure
  • helps us stay in control and measure security maturity and progress in between extended assessments, e.g. an annual Penetration Test
  • automates the fight against vulnerabilities, which is crucial for success. A manual detection and remediation workflow is too slow, too expensive and ineffective.
  • can be used to drive the internal Patch Management process and provides valuable information to decide on priorities
  • consolidates proactive and reactive security controls!
  • demonstrates compliance and control
  • ……..

  14. Vulnerability Management
  What is VM?
  “Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities”
  “Typical tools used for identifying and classifying known vulnerabilities are vulnerability scanners”
  • Source: Wikipedia

  15. Vulnerability Management
  The 6 Steps of Vulnerability Management
  • Discover and inventory assets
  • Categorise and prioritise assets
  • Scan for vulnerabilities
  • Report, classify and rank risks
  • Remediate – apply patches, fixes and workarounds
  • Verify – re-scan to confirm fixes and verify security

  16. Vulnerability Management
  The 6 Steps of Vulnerability Management
  • Discover and inventory assets
    • Establish a baseline of all assets
    • IP devices connected to the network
    • Software, applications and services
    • Individual configurations, latest software release, patches, etc.
  • Categorize and prioritize the inventory
    • By measurable business value
    • By potential impact on business availability
    • Establish interrelations between systems and services

  17. Vulnerability Management
  The 6 Steps of Vulnerability Management
  • Scan for vulnerabilities
    • Scan assets against a comprehensive, industry-standard database of vulnerabilities; this increases the accuracy of scanning and minimizes false positives
    • Automated scanning keeps you up to date, is accurate, and scales globally to the largest networks
    • Tests the effectiveness of security policy and controls by examining network infrastructure and applications for vulnerabilities

  18. Vulnerability Management
  The 6 Steps of Vulnerability Management
  • Report, classify and rank risks
    • Create manual or automated reports and distribute them to the respective stakeholders
    • Maintain an overview for instant risk analysis
    • Prove compliance with regulations

  19. Vulnerability Management
  The 6 Steps of Vulnerability Management
  • Remediate
    • Apply patches, updates and fixes, or install workarounds to mitigate the risk.
    • Use a remediation workflow tool to automatically generate and assign tickets and ensure follow-up and remediation.
    • Pre-test all patches, etc. in your organization's test environment before deployment.

  20. Vulnerability Management
  The 6 Steps of Vulnerability Management
  • Verify – re-scan to confirm fixes and verify security
    • Re-scan to verify applied patches and confirm compliance
    • Update the remediation workflow and the assets baseline
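Slides 15 to 20 describe the six steps as one cycle. The Python below is an added example, not the presentation's or any vendor's code, that walks the whole cycle on constructed data: an inventory with business values (steps 1 and 2), a scanner export (step 3), risk ranking that weights the scanner's CVSS score by asset value (step 4), ticket generation in priority order (step 5), and verification by diffing a second scan against the first (step 6). Asset names, IP addresses, check identifiers such as CHK-001, titles and scores are all invented; the scanner export format is a hypothetical list of records rather than any real product's output.

```python
"""The six-step vulnerability-management cycle on constructed data (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    ip: str
    name: str
    business_value: int  # 1 (low) .. 5 (critical), assigned in step 2


@dataclass(frozen=True)
class Finding:
    ip: str
    check_id: str  # hypothetical scanner check identifier
    title: str
    cvss: float    # base score as reported by the scanner


# Step 1 and 2: discover, inventory and categorise assets (constructed inventory).
INVENTORY = [
    Asset("10.0.0.10", "erp-db", 5),
    Asset("10.0.0.20", "intranet-web", 3),
    Asset("10.0.0.30", "print-server", 1),
]

# Step 3: scan for vulnerabilities (constructed scanner export, first run).
SCAN_1 = [
    Finding("10.0.0.10", "CHK-001", "Database listener accepts unauthenticated connections", 7.5),
    Finding("10.0.0.20", "CHK-002", "Outdated web framework", 6.8),
    Finding("10.0.0.30", "CHK-003", "SNMP default community string", 5.0),
    Finding("10.0.0.20", "CHK-004", "Directory listing enabled", 4.3),
]

# Constructed re-scan after remediation: CHK-001 patched, the rest still open,
# plus a new finding on a host that is not in the inventory at all.
SCAN_2 = [
    Finding("10.0.0.20", "CHK-002", "Outdated web framework", 6.8),
    Finding("10.0.0.30", "CHK-003", "SNMP default community string", 5.0),
    Finding("10.0.0.20", "CHK-004", "Directory listing enabled", 4.3),
    Finding("10.0.0.40", "CHK-005", "Unknown host with SMB signing disabled", 5.0),
]


def risk_score(finding: Finding, asset: Asset) -> float:
    """Step 4: CVSS weighted by business value, so a medium finding on the ERP
    database outranks a higher-scored one on a printer."""
    return round(finding.cvss * asset.business_value, 1)


def rank(findings, inventory):
    """Returns (ranked, unknown): ranked is [(finding, asset, score)] highest risk
    first; unknown lists findings on IPs missing from the inventory, which means
    step 1 is incomplete and the asset baseline must be updated."""
    assets = {a.ip: a for a in inventory}
    ranked, unknown = [], []
    for f in findings:
        asset = assets.get(f.ip)
        if asset is None:
            unknown.append(f)
        else:
            ranked.append((f, asset, risk_score(f, asset)))
    ranked.sort(key=lambda r: r[2], reverse=True)
    return ranked, unknown


def create_tickets(ranked):
    """Step 5: one remediation ticket per finding, numbered in priority order."""
    return [
        {"priority": i + 1, "asset": asset.name, "check": f.check_id, "risk": score, "status": "open"}
        for i, (f, asset, score) in enumerate(ranked)
    ]


def verify(before, after):
    """Step 6: compare the re-scan with the previous scan.
    Returns (fixed, still_open, new) as sets of (ip, check_id)."""
    keys = lambda fs: {(f.ip, f.check_id) for f in fs}
    b, a = keys(before), keys(after)
    return b - a, b & a, a - b


if __name__ == "__main__":
    ranked, _ = rank(SCAN_1, INVENTORY)
    for ticket in create_tickets(ranked):
        print(ticket)
    fixed, still_open, new = verify(SCAN_1, SCAN_2)
    print("fixed:", fixed, "still open:", still_open, "new:", new)
    _, unknown = rank(SCAN_2, INVENTORY)
    print("not in asset baseline:", [(f.ip, f.check_id) for f in unknown])
```

The verify step deliberately reports three sets rather than a pass/fail: findings that disappeared close their tickets, findings that persist keep them open, and findings on an unknown host feed back into step 1, which is the "update the assets baseline" point on slide 20.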

  21. Belnet Vulnerability Scanner
  Advantages
  • Web-based SaaS solution
  • IPv6 compliant
  • Secure solution with strong authentication and encryption…
  • 99.997% proven accuracy
  • Easy, transparent reporting using customizable templates
  • Web Application Vulnerability scanning module
  • Modules for specific compliance requirements (PCI DSS, …)
  • ….

  22. Vulnerability Management - Conclusion
  Things to think about ...
  • What are my compliance requirements and legal boundaries?
  • Are my current security controls proactive or reactive?
  • Is my Vulnerability Management tool efficient?
  • Do I know what the current security state of my network is?
  • Is my confidential data sufficiently protected?
  • Can I properly protect my assets in this security landscape?

  23. Vulnerability Management - Conclusion
  Hacking is easy

  24. Vulnerability Management - Conclusion
  Hacking is easy

  25. Vulnerability Management - Conclusion
  Hacking is easy

  26. Vulnerability Management - Conclusion
  Thank you!!
