Vulnerability Management, presented by Ahmed Elshaer, Security Operation Specialist
Post on 08-Aug-2015


Vulnerability Management

● Terminology:

– Threat: Any Potential Danger To Information Or Systems

– Vulnerability: Weakness That May Provide An Attacker Unauthorized access to resources

– Risk: likelihood of a threat taking advantage of a vulnerability to impact the Business

[Diagram: Threat exploits Vulnerability, which leads to Risk]

Vulnerability Management

● Vulnerability Can Be Found in:

– Implementation

– Configuration

– Design

● Human Is Weakest Link In The Security Chain :)

Vulnerability Management

● What is the Difference between the following ?

– Vulnerability Assessment

– Penetration Testing

– Compliance Assessment

Vulnerability Management

● Vulnerability Assessment

– Assessment of implementation of technical, operational, and management security controls

– Identify all vulnerabilities present in the system and its components

– Contributes to risk management

– Full knowledge and assistance of systems administrators

– No harm to systems

Vulnerability Management

● Penetration Testing

– Product-focused vulnerability assessment

– Role-based assessment

– Potential Goals
  ● Defend the Network
  ● Understand your weaknesses
  ● Assess the Risk

– Limited or no knowledge of systems administrators

– May harm systems and components

– Clean up may be necessary

Vulnerability Management

● Compliance Assessment

– An evaluation designed to determine the system’s compliance with a regulation

– Compliance can be determined by multiple methods
  ● Hands-on testing
  ● Interviewing key personnel

Vulnerability Management

● Any Of The Previous Processes Require

– Discipline

– Continuous Repetition

● Vulnerability Management Life Cycle

– Discovery [Identify, Classify]

– Prioritization [of Assets and Findings]

– Reporting

– Remediation or Mitigation

– Verification

Vulnerability Management

● Top 3 Vulnerability Management Products by Gartner

– Shavlik Protect

– Qualys Vulnerability Management

– Nessus Vulnerability Manager

Vulnerability Management

● Tenable Security Products

– Nessus Vulnerability Scanner

– Passive Vulnerability Scanner

– Nessus Vulnerability Manager

– Log Correlation Engine

– SecurityCenter Continuous View

Vulnerability Management

● Deployment Strategies

– Where to Deploy your Manager

– Where to Deploy your Scanners

– How many Scanners you need

– Why to Deploy Multi-scanner Architecture

Vulnerability Management

● Nessus Deployment

– Installation

– Activation and configuration

● Lab#1

Vulnerability Management

● Scanning Functionality

● Scan Creation

● Policies overview

● Policy Creation

● Lab#2

Vulnerability Management

● Compliance overview:

– There are many different types of government and financial compliance requirements.

– These compliance requirements differ depending on the business goals of the organization.

– Compliance requirements must be mapped with the business goals to ensure that risks are appropriately identified and mitigated.

Vulnerability Management

● Compliance Standards (not limited to):

– Center for Internet Security Benchmarks (CIS)

– Control Objectives for Information and related Technology (COBIT)

– Federal Information Security Management Act (FISMA)

– Health Insurance Portability and Accountability Act (HIPAA)

– ISO 27002/17799 Security Standards

– Information Technology Infrastructure Library (ITIL)

– National Institute of Standards and Technology (NIST) configuration guidelines

– National Security Agency (NSA) configuration guidelines

– Payment Card Industry Data Security Standard (PCI DSS)

– Sarbanes-Oxley (SOX)

– Site Data Protection (SDP)

– United States Government Configuration Baseline (USGCB)

Vulnerability Management

● Configuration Audits and Compliance

– What is an Audit?
  ● Verifying that systems comply with a standard

– Audit vs. Vulnerability Scan
  ● A lack of vulnerabilities does not mean the servers are configured correctly or are “compliant” with a particular standard.

● Knowing how a server is configured, how it is patched and what vulnerabilities are present can help determine measures to mitigate risk.

Vulnerability Management

● Windows compliance

– Nessus can test for any setting that can be configured as a “policy” under the Microsoft Windows framework.

– There are several hundred registry settings that can be audited and the permissions of files, directories, and objects can also be analyzed

Vulnerability Management

● Windows Compliance Examples

– Account lockout duration

– Retain security log

– Allow log on locally

– Enforce Password History

# Predefined Windows policy item in Nessus .audit syntax: the check passes
# when the host's effective policy meets the required value.
<item>
 name: "Minimum password length"
 value: 7
</item>

Vulnerability Management

● Audit Report

– Compliance results in Nessus are logged as “Pass”, “Fail”, and “Warning”.

– Unlike a vulnerability check that only reports if the vulnerability is actually present, a compliance check always reports something.

– This way, the data can be used as the basis of an audit report to show that a host passed or failed a specific test, or if it could not be properly tested.
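The following Python is an added illustration, not code from the deck or from Tenable, that ties the <item> audit format above to the Pass/Fail/Warning reporting rule: it parses constructed audit items for the Windows policies named on these slides and evaluates them against a constructed host configuration. Treating the required value as a minimum is an assumed simplification of Nessus's own comparisons.

```python
import re
from typing import Dict, Optional

# Constructed audit fragment in the predefined <item> form shown above.
AUDIT_RULES = """
<item>
 name: "Minimum password length"
 value: 7
</item>
<item>
 name: "Enforce password history"
 value: 24
</item>
<item>
 name: "Account lockout duration"
 value: 15
</item>
"""

# Constructed host policy as a credentialed scan might read it; the lockout
# setting is deliberately absent to model a value that could not be read.
SAMPLE_HOST: Dict[str, Optional[int]] = {
    "Minimum password length": 8,
    "Enforce password history": 5,
}

ITEM_RE = re.compile(r'<item>\s*name:\s*"([^"]+)"\s*value:\s*(\d+)\s*</item>', re.S)


def parse_audit(text: str) -> Dict[str, int]:
    """Return {policy name: required value} for every <item> in the fragment."""
    return {name: int(value) for name, value in ITEM_RE.findall(text)}


def check_host(rules: Dict[str, int], host: Dict[str, Optional[int]]) -> Dict[str, str]:
    """Evaluate every rule. Unlike a vulnerability check, each rule always
    yields a result: PASS, FAIL, or WARNING when the setting could not be read."""
    results = {}
    for name, required in rules.items():
        actual = host.get(name)
        if actual is None:
            results[name] = "WARNING"          # not testable, still reported
        else:
            results[name] = "PASS" if actual >= required else "FAIL"
    return results


def summarize(results: Dict[str, str]) -> Dict[str, int]:
    """Count results per status, the basis of an audit report."""
    return {s: sum(1 for r in results.values() if r == s) for s in ("PASS", "FAIL", "WARNING")}


if __name__ == "__main__":
    outcome = check_host(parse_audit(AUDIT_RULES), SAMPLE_HOST)
    for name, status in outcome.items():
        print(f"{status:8} {name}")
    print(summarize(outcome))
```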

Vulnerability Management

● Credentials for Devices to be Audited

– A privileged account is required to audit the configuration

● Lab#3

Vulnerability Management

● Advanced Analysis

– Plug-in output

– Check whether credentials are working

– OS identification and software enumeration

– etc.

● Audit Trails

● Malicious process detection

Vulnerability Management

● Different Scanning Policies

– Web application scanning

– Infrastructure scanning

– Mobile device analysis

– PCI

– Offline Auditing

Vulnerability Management

● Multi-scanner Architecture

– How many Scanners

– Where to Deploy the Scanners

– How to Control The Scanners

Vulnerability Management

● SecurityCenter Continuous View

– Overview of SecurityCenter (SC)

– Installation and configuration

– Lab#4

Vulnerability Management

● SecurityCenter Continuous View

– Environment Topology and Organization

– Scan Zone Best Practices

– Lab#5

Vulnerability Management

● SecurityCenter Continuous View

– Repositories

– Organizations - Users and Roles

– Lab#6

Vulnerability Management

● SecurityCenter Continuous View

– Scan Policies

– Active Scanning

– Lab#7

Vulnerability Management

● SecurityCenter Continuous View

– Analysis and Reporting

– Dashboards and Alerting

– Lab#8

Vulnerability Management

● References

– Tenable Security Documentation