vulnerability assesment

24
Vulnerability Assesment Network Security Workshop Dedi Dwianto, C|EH, OSCP Daftar ISI

Upload: dedi-dwianto

Post on 15-Jan-2015

1.268 views

Category:

Documents


5 download

DESCRIPTION

Workshop keamanan jaringan

TRANSCRIPT

Page 1: Vulnerability Assesment

Vulnerability AssesmentNetwork Security Workshop

Dedi Dwianto, C|EH, OSCPDaftar ISI

Page 2: Vulnerability Assesment

2

Contents

Technical Vulnerability Management

Vulnerability analysis tools

Page 3: Vulnerability Assesment

3

Technical Vulnerability Management

vulnerability analysis and assessment is an important element of each required activity in the NIST Risk Management Framework (RMF).

This RMF comprises six steps, into each of which vulnerability analysis and assessment is to be integrated:

Page 4: Vulnerability Assesment

4

Technical Vulnerability Management

Step 1: Categorize Information Systems.

Step 2: Select Security Controls

Step 3: Implement Security Controls.

Step 4: Assess Security Controls.

Step 5: Authorize Information Systems.

Step 6: Monitor Security Controls.

Page 5: Vulnerability Assesment

5

Technical Vulnerability Management

To reduce risks resulting from exploitation of published technical vulnerabilities.

Technical vulnerability management should be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness.

These considerations should include operating systems, and any other applications in use.

Page 6: Vulnerability Assesment

6

Technical Vulnerability Management

A current and complete inventory of assets is a prerequisite for effective technical vulnerability management.

Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems), and the person(s) within the organization responsible for the software.

Page 7: Vulnerability Assesment

7

Technical Vulnerability Management

The following guidance should be followed to establish an effective management process for technical vulnerabilities the organization should define and establish the

roles and responsibilities associated with technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment, patching, asset tracking, and any coordination responsibilities required;

Page 8: Vulnerability Assesment

8

Technical Vulnerability Management

information resources that will be used to identify relevant technical vulnerabilities and to maintain awareness about them should be identified for software and other technology

a timeline should be defined to react to notifications of potentially relevant technical vulnerabilities;

once a potential technical vulnerability has been identified, the organization should identify the associated risks and the actions to be taken; such action could involve patching of vulnerable systems and/or applying other controls;

Page 9: Vulnerability Assesment

9

Technical Vulnerability Management

depending on how urgently a technical vulnerability needs to be addressed, the action taken should be carried out according to the controls related to change management

a timeline should be defined to react to notifications of potentially relevant technical vulnerabilities;

an audit log should be kept for all procedures undertaken

systems at high risk should be addressed first.

Page 10: Vulnerability Assesment

10

The Patch and Vulnerability Group

The PVG should be a formal group that incorporates representatives from information security and operations.

These representatives should include individuals with knowledge of vulnerability and patch management, as well as system administration, intrusion detection, and firewall management.

Page 11: Vulnerability Assesment

11

The duties of the PVG

Create a System Inventory.

Monitor for Vulnerabilities, Remediations, and Threats.

Prioritize Vulnerability Remediation.

Create an Organization-Specific Remediation Database

Conduct Generic Testing of Remediations.

Deploy Vulnerability Remediations.

Distribute Vulnerability and Remediation Information to Local Administrators.

Perform Automated Deployment of Patches.

Page 12: Vulnerability Assesment

12

The duties of the PVG

Configure Automatic Update of Applications Whenever Possible and Appropriate.

Verify Vulnerability Remediation Through Network and Host Vulnerability Scanning.

Vulnerability Remediation Training.

Page 13: Vulnerability Assesment

13

Report Organization

Section1 Introduction to purpose, organization, scope, and assumptions for this Report.

Section 2 Overview of automated vulnerability assessment tools—including descriptions of the various types of automated vulnerability assessment tools currently available

Section 3 Catalogue of descriptions of current vulnerability assessment tools, categorized by type.

Section 4 Representative listing of vulnerability assessment tools

Section 5 List of resources to additional detailed information about IT and network vulnerability assessment and assessment tools.

Page 14: Vulnerability Assesment

14

Vulnerability Analysis tools

Vulnerability assessment tools generally work by attempting to automate the steps often employed to exploit vulnerabilities: they begin by performing a “footprint” analysis to determine what network services and/or software programs (including versions and patch levels) run on the target.

Vulnerability assessment tools help in that integration, by automating the detection, identification, measurement, and understanding of vulnerabilities found in ICT components at various levels of a target ICT system or infrastructure.

Page 15: Vulnerability Assesment

15

Vulnerability Analysis tools

Most vulnerability assessment tools are capable of scanning a number of network nodes, including networking and networked devices (switches, routers, firewalls, printers, etc.), as well as server, desktop, and portable computers.

The type and level of detail of a vulnerability assessment tool’s findings varies from tool to tool.

Page 16: Vulnerability Assesment

16

Tool type

Network Scanners

Host Scanners

Database Scanners

Web Application Scanners

Multilevel Scanners

Automated Penetration Test Tools

Vulnerability Scan Consolidators

Page 17: Vulnerability Assesment

17

Network Scanners

Assuria Auditor and Auditor RA

Infiltration Systems Infiltrator for Home Users

Microsoft® Attack Surface Analyzer

NileSOFT Secuguard SSE

Numara® Vulnerability Manager

SoftRun Inciter Vulnerability Manager

ThreatGuard® Secutor

Page 18: Vulnerability Assesment

18

Host Scanners

Beyond Security® Automated Vulnerability Detection System Host Scanners

Black Falcon/Net Security Suite Falcon Vulnerability Analysis

DragonSoft Vulnerability Management

eEye® Retina® Network

Fortinet® FortiScan 4.1.0

FuJian RongJi RJ-iTOP

GFI LANguard®

Page 19: Vulnerability Assesment

19

Database Scanners

Application Security AppDetectivePro

DBAPPSecurity MatriXay 3.6

Fortinet FortiDB

Imperva® Scuba

McAfee Repscan and McAfee Vulnerability Manager for Databases

NGSSecure NGS SQuirreL

Safety-Lab Shadow Database Scanner

Page 20: Vulnerability Assesment

20

Web Application Scanners

Acunetix® Web Vulnerability Scanner

Casaba Watcher 1.5.1

Cenzic® Hailstorm® Enterprise Application Risk Controller

eEye Retina Web

Grabber

Mavutina Netsparker®

HP WebInspect®

Page 21: Vulnerability Assesment

21

Multilevel Scanners

Integrigy AppSentry

Open Vulnerability Assessment System 4

SAINT® Professional and SAINT® Enterprise

Symantec® Control Compliance Suite: Vulnerability Manager

Tenable® Nessus®

Venusense Vulnerability Scanning and Management System

Page 22: Vulnerability Assesment

22

AUTOMATED PENETRATION TEST TOOLS

Arachni

CORE IMPACT® Pro

CORE INSIGHT Enterprise

Google® Skipfish

Immunity® CANVAS® Professional

Rapid7® Metasploit®

Rapid7 NeXpose

Page 23: Vulnerability Assesment

23

Monitoring Vulnerabilities

Vendor Web sites and mailing lists

Third-party Web sites

Third-party mailing lists and newsgroups

Vulnerability scanners

Vulnerability databases

Enterprise patch management tools

Other notification tools.

Page 24: Vulnerability Assesment

24

Monitoring Vulnerabilities

http://web.nvd.nist.gov/

http://secunia.com

http://www.exploit-db.com/