vulnerability management

Importance of Vulnerability ManagementImportance of Vulnerability ManagementVulnerability ManagementVulnerability Management

Anthony Asher

What is Vulnerability Management (VM)?1

Why is VM important?2

Examples of vulnerability exploits3

What the difference?4

Vulnerability / Assess / ManageVulnerability / Assess / Manage

• Vulnerability: a weakness of an asset or group of assets that can be exploited by one or more threats.

• Assessment: process of identifyingvulnerabilities in computers and networks as well as weaknesses in policies and practicesweaknesses in policies and practices.

• Management: “process of attempting to identify• Management: process of attempting to identify and mitigate security vulnerabilities within an IT environment on a continuous basis” – Deloitte & Touche

Vulnerability Management LifecycleVulnerability Management Lifecycle

DiscoverVerify

Remediate PrioritizeAssets

Report AssessReport

Why is vulnerability management important?

1990’s – Hacker’s would try

Host #1

1990 s Hacker s would try single exploit on host after host until they found a vulnerable t t t b k i t

Exploit

target to break into.

H@ck3r

Host #3Host #2

Why is vulnerability management important?

Targeted Company

Attack #4

Attack

Targeted C

#4

Att k

#1

Company Attack #5

Attack #2

Attack #6

Attack #3

2008 – Hacker’s target and attack carefully identified companies with an onslaught of attacks until successful.

Why is vulnerability management important?

LegalSensitive

AssetControl(Botnet)

LegalComplianceCompany

Information

Vulnerability ExploitsCripple Companies:Cripple Companies:

ReputationFinancialLegalities

CustomerInformation

Legalities

Master Lock –Th t t t d dl kThe most trusted consumer padlock.

Vulnerability #1: Combination Code Deduction

EXPLOIT: Deducing the code by removing uneven number the lock stops at while under tension will reveal code.

Vulnerability #2: Shackle Spacing

EXPLOIT: Shim made from soda can open lock.

Purpose of Vulnerability Management:p y g

Examine the technologies in place and identifyExamine the technologies in place and identify vulnerabilities. Putting a system in place to continuously compare the vulnerabilities to a policy, and systematically mitigate these vulnerabilities to lower a company’smitigate these vulnerabilities to lower a company s exposure to risk.

Examples of NegligenceExamples of Negligence

Cost of not managing vulnerabilitiesCost of not managing vulnerabilities

Estimates the average data breach costs the company $4.8 million. • Average cost of $182/ lost customer record g $

• Average 26,300 lost records per breach

Five Mistakes of Vulnerability ManagementManagement

Scanning but failing to act

Patching same as VM.

Scanning but failing to act.

VM is only a technical problem.Mistakes

Assessing without whole picture.

Unprepared for Zero Day exploitsUnprepared for Zero-Day exploits.

Is Nessus and/or Patching enough?

Tools of Vulnerability

g g

yManagement Life-Cycle

Group AssessPrioritize Group AssessPrioritize

Nessus Security

NessusScan DiscoverRemediate

Scanner(Assess)

Microsoft PatchingWSUS /

Report Verify

g(Remediate)MBSA

Vulnerability Management CriticalVulnerability Management Critical

• With a growing number of vulnerabilities, coupled with the dynamic attack methods and exploits in today's security landscape places enterprise businesses at great risk. p g

• Implementing a vulnerability management process will help identify and remediatevulnerabilities before exploits are used.

• Scanning and patching alone will not provide the system to comprehensively lower a y p ycompanies security exposure and risk.

Q ti ?Questions?