Vulnerability Management – Dimension Data – Tom Gilis, 24 November 2011

Page 1: Vulnerability  Management

Vulnerability Management

Dimension Data – Tom Gilis, 24 November 2011

Page 2: Vulnerability  Management

Dimension Data

2 – Vulnerability Management – 22/04/23

Dimension Data Belgium - Security Consulting – Advisory & Assurance

• Security Advisory services are Governance, Risk and Compliance oriented consultative engagements focusing on the organisational and strategic aspects of security management. They cover requirements such as Business Impact Analysis, Risk Assessment, best-practice gap analysis, and policies and procedures, to name only a few.

• Security Assurance services are engagements where our customers rely on our technical expertise to gauge their security posture against a defined security standard, or to obtain a bird's-eye view of where hackers may exploit weaknesses. Services range from Penetration Testing and Vulnerability Assessment and Management to Source Code Analysis, across a very broad technology spectrum.

Page 3: Vulnerability  Management

Problem Statement - A day in the life of an IT Officer

Questions

• How do I manage the privacy of the corporate data?
• Are my endpoints a risk to my corporate network?
• Are they subject to targeted attacks?
• How do I demonstrate compliance with standards and regulations?
• How do I maintain our security standards when outsourcing?
• How can I show the value of security within my organisation?
• Can I combine the new business requirements and uphold a strong, secure network environment?
• ...

Page 4: Vulnerability  Management

Problem Statement – Security Landscape

The threat landscape is becoming more and more sophisticated while technology environments continue to be very complex.

New vulnerabilities are found every day:
• Much more research into vulnerabilities and security weaknesses
• "On average, about 3000 vulnerabilities per year get reported to CERT and only about 10% are published." (CERT)

Source: http://www.gfi.com/blog/wp-content/uploads/2009/10/Florian-graph.JPG

Page 5: Vulnerability  Management

Problem Statement – Security Landscape

Increase in attacks at the application layer:
• Every 1,000 lines of code averages 15 critical security defects (US Department of Defense)

Page 6: Vulnerability  Management

Problem Statement – Security Landscape

Change in malicious attacks:
• Increased professionalism and commercialization of malicious activities
• Threats that are increasingly tailored for specific regions
• Increasing numbers of multi-staged attacks
• More targeted attacks with bigger financial loss

Page 7: Vulnerability  Management

Problem Statement – Security Landscape

Compliance pressure and stringent legal requirements continue to drive security focus.

Compliance explicitly calls for vulnerability management and security assessments:

ISO 27001/27002, PCI DSS v2.0, SOX Section 404, GLBA, HIPAA, FISMA, NIST 800-53, NIST 800-64, CBFA Circular 2009_17 (Belgium FSI regulator), ...

• Vulnerability Management
• Penetration Testing
• Source Code and Binary Code Review
• ...

Page 8: Vulnerability  Management

Problem Statement – Security Landscape


Page 9: Vulnerability  Management

Problem Statement – Security Landscape

Examples of requirements that explicitly call for vulnerability management and security assessments:

• PCI DSS: Requirement 11 - Regularly test security systems and processes
• ISO 27002: 12.6.1 - Control of technical vulnerabilities
• Directive 95/46/EC of the European Parliament: the principle of security (Article 17, security of processing)

Page 10: Vulnerability  Management

A Strategic Approach

Determine Risk Level

• How do you consistently calculate risk across a diverse enterprise?
  o 'Finger in the air'
  o Who shouts the loudest?
  o Excel
  o CVSS (Common Vulnerability Scoring System)
  o ...
• Can you do this in an automated and repeatable manner?
• Is this used to help prioritize your remediation efforts?
• ...

Page 11: Vulnerability  Management

A Strategic Approach

Implement appropriate protection

• How fast can your organisation deploy a patch to all affected systems?
• Is it more cost effective to protect first and fix later?
• What is the most effective tool to mitigate the risk?

• Example: patch management savings at one of the largest security vendors in the world. Vulnerability management helped them decide whether or not to patch, depending on the type of attack, the type of vulnerability, whether the systems were actually exposed to the specific attack, and the control mechanisms already in place.

  Typical savings                                 2005    2006
  Number of patch cycles                            19       9
  Number of people assigned to patch operations     41      19
  Average hours per patch cycle                     73      68
  Total FTE                                         27     5.6

Page 12: Vulnerability  Management

A Strategic Approach

Reducing overall IT Security Risk

Targeted (near-day mitigation)
• New, critical vulnerabilities
• Key assets

Bottom-up (scan and remediate)
• Assess vulnerability state
• Remediate detected vulnerabilities

Top-down (policy audit and enforcement)
• Define asset baseline
• Define security baseline
• Enforce IT security configuration

Page 13: Vulnerability  Management

A Strategic Approach

We need something that ...

• provides continuous insight into the security posture of an external or internal infrastructure
• helps us stay in control and measure security maturity and progress between extended assessments, e.g. an annual Penetration Test
• automates the fight against vulnerabilities, which is crucial for success: a manual detection and remediation workflow is too slow, too expensive and ineffective
• can be used to drive the internal Patch Management process and provides valuable information for deciding on priorities
• consolidates proactive and reactive security controls
• demonstrates compliance and control
• ...

Page 14: Vulnerability  Management

Vulnerability Management

What is VM?

"Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities."

"Typical tools used for identifying and classifying known vulnerabilities are vulnerability scanners."

Source: Wikipedia

Page 15: Vulnerability  Management

Vulnerability Management

The 6 Steps of Vulnerability Management

1. Discover and inventory assets
2. Categorise and prioritise assets
3. Scan for vulnerabilities
4. Report, classify and rank risks
5. Remediate – apply patches, fixes and workarounds
6. Verify – re-scan to confirm fixes and verify security

Page 16: Vulnerability  Management

1. Discover and inventory assets
• Establish a baseline of all assets:
  o IP devices connected to the network
  o Software, applications and services
  o Individual configurations, latest software release, patches, etc.

2. Categorise and prioritise inventory
• By measurable business value
• By potential impact on business availability
• Establish interrelations between systems and services

Page 17: Vulnerability  Management

3. Scan for vulnerabilities
• Scan assets against a comprehensive, industry-standard database of vulnerabilities; this increases scanning accuracy and minimises false positives
• Automated scanning keeps you up to date, is accurate, and scales globally to the largest networks
• Tests the effectiveness of security policy and controls by examining network infrastructure and applications for vulnerabilities

Page 18: Vulnerability  Management

4. Report, classify and rank risks
• Create manual or automated reports and distribute them to the respective stakeholders
• Maintain an overview for instant risk analysis
• Prove compliance with regulations

Page 19: Vulnerability  Management

5. Remediate
• Apply patches, updates and fixes, or install workarounds to mitigate the risk
• Use a remediation workflow tool to automatically generate and assign tickets and ensure follow-up and remediation
• Pre-test all patches, etc. in your organisation's test environment before deployment

Page 20: Vulnerability  Management

6. Verify – re-scan to confirm fixes and verify security
• Re-scan to verify applied patches and confirm compliance
• Update the remediation workflow and the asset baseline
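The six steps above, run once end to end on constructed data. This is an added example and not the presentation's or any vendor's tooling: scanner output is modelled as findings that already carry a CVSS base score, and the inventory, host names, check identifiers, scores and SLA days are all invented for the example. It shows the two things the step list states but a raw scan report does not: the same finding on a lab box and on a revenue-critical server must not sit next to each other in the queue (steps 2 and 4), and a ticket is closed by the rescan, not by the patch having been rolled out (step 6). A host the scanner sees but the inventory does not know about is surfaced as a step 1 gap rather than silently scored.

```python
"""One pass through the six-step vulnerability management cycle on constructed data.

Added example. Findings are assumed to arrive from a scanner with a CVSS base
score already attached; everything else is this example's own assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str      # host name as it appears in the inventory
    check_id: str   # scanner check identifier (constructed, not a real plugin or CVE id)
    score: float    # CVSS base score as reported by the scanner


# Steps 1-2: asset baseline with business criticality, 1 = lab box ... 5 = revenue critical.
INVENTORY = {"web-1": 5, "db-1": 5, "hr-app": 4, "lab-7": 1}

# Step 3: first scan (constructed). "rogue-9" answers on the network but is not in the
# inventory, i.e. step 1 missed it.
SCAN_1 = [
    Finding("web-1", "check-0001", 7.5),
    Finding("db-1", "check-0002", 4.3),
    Finding("lab-7", "check-0001", 7.5),
    Finding("hr-app", "check-0003", 10.0),
    Finding("rogue-9", "check-0001", 7.5),
]

# Step 6 input: rescan after the patch window (constructed). check-0003 on hr-app is gone,
# check-0001 on web-1 is still there, and db-1 has picked up a new finding.
SCAN_2 = [
    Finding("web-1", "check-0001", 7.5),
    Finding("db-1", "check-0002", 4.3),
    Finding("db-1", "check-0004", 5.0),
    Finding("lab-7", "check-0001", 7.5),
    Finding("rogue-9", "check-0001", 7.5),
]

# Remediation deadline in days per severity band. Assumed values; set them from policy.
SLA_DAYS = {"High": 7, "Medium": 30, "Low": 90}


def band(score):
    """NVD's qualitative bands for CVSS v2 base scores."""
    return "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"


def rank(findings, inventory):
    """Step 4: order findings by CVSS score x asset criticality.

    Hosts that are not in the inventory are returned separately rather than
    dropped or guessed at: nobody can own a ticket for an asset nobody owns.
    """
    unknown = sorted({f.asset for f in findings if f.asset not in inventory})
    known = [f for f in findings if f.asset in inventory]
    ranked = sorted(known, key=lambda f: (-f.score * inventory[f.asset], f.asset, f.check_id))
    return ranked, unknown


def open_tickets(ranked, inventory):
    """Step 5: one ticket per (asset, check), due date driven by the severity band."""
    tickets = []
    for f in ranked:
        tickets.append({
            "asset": f.asset,
            "check_id": f.check_id,
            "risk": round(f.score * inventory[f.asset], 1),
            "band": band(f.score),
            "due_in_days": SLA_DAYS[band(f.score)],
        })
    return tickets


def verify(previous, rescan):
    """Step 6: a ticket closes only when the rescan no longer reports the finding.

    Returns the (asset, check_id) pairs that were fixed, are still open, or are new.
    """
    before = {(f.asset, f.check_id) for f in previous}
    after = {(f.asset, f.check_id) for f in rescan}
    return {
        "fixed": sorted(before - after),
        "still_open": sorted(before & after),
        "new": sorted(after - before),
    }


def update_baseline(inventory, unknown_hosts):
    """Step 6 feeding step 1: newly seen hosts enter the baseline at the highest
    criticality until an owner classifies them. Defaulting them to 'low' would push
    an unmanaged box to the bottom of the queue, which is the opposite of what you want."""
    updated = dict(inventory)
    for host in unknown_hosts:
        updated.setdefault(host, 5)
    return updated


if __name__ == "__main__":
    ranked, unknown = rank(SCAN_1, INVENTORY)
    for ticket in open_tickets(ranked, INVENTORY):
        print(ticket)
    print("not in inventory:", unknown)
    print(verify(SCAN_1, SCAN_2))
    print(update_baseline(INVENTORY, unknown))
```

On this data the ranking puts hr-app first (10.0 x 4 = 40) ahead of web-1 (7.5 x 5 = 37.5), and lab-7 last even though its finding carries the same 7.5 as web-1; after the rescan only the hr-app ticket closes, web-1 stays open, and db-1's new finding enters the next cycle.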

Page 21: Vulnerability  Management

Belnet Vulnerability Scanner

Advantages

• Web-based SaaS solution
• IPv6 compliant
• Secure solution with strong authentication and encryption... 99.997% proven accuracy
• Easy, transparent reporting using customizable templates
• Web application vulnerability scanning module
• Modules for specific compliance requirements (PCI DSS, ...)
• ...

Page 22: Vulnerability  Management

Vulnerability Management - Conclusion

Things to think about ...

• What are my compliance requirements and legal boundaries?
• Are my current security controls proactive or reactive?
• Is my Vulnerability Management tool efficient?
• Do I know what the current security state of my network is?
• Is my confidential data sufficiently protected?
• Can I properly protect my assets in this security landscape?

Page 23: Vulnerability  Management

Vulnerability Management - Conclusion


Hacking is easy


Page 26: Vulnerability  Management

Vulnerability Management - Conclusion

Thank you !!