Vulnerability Management
VULNERABILITY KILL CHAIN
2015
Carl Thorp MSc FBCS CITP M.Inst.ISP VRSM CISM CGEIT CISSP CLAS CCP.RA CCP.SA
What is Vulnerability?
• Vulnerability is a measure of the extent to which a community, structure, service or geographical area is likely to be damaged or disrupted, on account of its nature or location, by the impact of a particular disaster hazard [OECD 2015]
• A weakness of an asset or group of assets that can be exploited by one or more threats [ISO/IEC 13335-1:2004]
• Or anything attackers find that they can exploit
Vulnerability Management
• The identification of vulnerabilities that can be exploited within a system
– Vulnerability Assessment
– Penetration Testing
• The remediation / risk management of vulnerabilities
Types of Testing
• SAST
• DAST
– Web Layer
– Host / Infrastructure
– Database
• Manual validation
• IT'S NOT A PEN TEST
Business Context
• Business drivers and objectives
• Understand your assets
• We want to be Secure but we DO NOT WANT Security
– John Callas (PGP, Apple, Entrust & Silent Circle)
• System 1 & System 2 thinking
Environmental Context
• Understand your assets
• Understand the operating environment
• Deep knowledge of compensating controls
• Tool selection
Get the Message Right
• Less blah blah blah
• Use business context examples
• Negative to positive
• Do not belittle people
– Israel Barrack, ex-Israeli Defence Force Red Team Lead
Kill Chain
(Diagram) Inputs feeding the VMS: Projects, Asset Mgmt., Threat Intelligence, Incidents
VMS stages: Onboard → Test → Analysis → Resolution → Decom
Output: Report
Conclusion
• Work with your organisation not against it
• Plan ahead
• Understand your environment
• Develop threat intelligence
Useful Links / Feeds
RSS Feeds
• https://isc.sans.edu/rssfeed.xml
• http://feeds.feedburner.com/sucuri/blog
• http://seclists.org/rss/fulldisclosure.rss
• http://www.intelligentexploit.com/feed/
• https://community.rapid7.com/Rapid7_ViewAll?tag=Metasploit&type=blog
Podcasts
• http://securityweekly.com/podcast/psw.xml
• https://isc.sans.edu/dailypodcast.xml
• http://leo.am/podcasts/sn
All Round Defence / WestThor Ltd take no responsibility for the content of these sites / podcasts.