Vulnerability Management
● Terminology:
– Threat: any potential danger to information or systems
– Vulnerability: a weakness that may provide an attacker unauthorized access to resources
– Risk: the likelihood of a threat taking advantage of a vulnerability to impact the business
Diagram: a threat exploits a vulnerability, which leads to risk.
● Vulnerability Can Be Found in:
– Implementation
– Configuration
– Design
● Humans are the weakest link in the security chain :)
● What is the difference between the following?
– Vulnerability Assessment
– Penetration Testing
– Compliance Assessment
● Vulnerability Assessment
– Assessment of implementation of technical, operational, and management security controls
– Identify all vulnerabilities present in the system and its components
– Contributes to risk management
– Full knowledge and assistance of systems administrators
– No harm to systems
● Penetration Testing
– Product-focused vulnerability assessment
– Role-based assessment
– Potential goals:
● Defend the network
● Understand your weaknesses
● Assess the risk
– Limited or no knowledge of systems administrators
– May harm systems and components
– Clean up may be necessary
● Compliance Assessment
– An evaluation designed to determine the system’s compliance with a regulation
– Compliance can be determined by multiple methods:
● Hands-on testing
● Interviewing key personnel
● Any of the previous processes requires:
– Discipline
– Continuous repetition
● Vulnerability Management Life Cycle
– Discovery [Identify, Classify]
– Prioritization [of Assets and Findings]
– Reporting
– Remediation or Mitigation
– Verification
● Top 3 Vulnerability Management Products by Gartner
– Shavlik Protect
– Qualys Vulnerability Management
– Nessus Vulnerability Manager
● Tenable Security Products
– Nessus Vulnerability Scanner
– Passive Vulnerability Scanner
– Nessus Vulnerability Manager
– Log Correlation Engine
– SecurityCenter Continuous View
● Deployment Strategies
– Where to Deploy your Manager
– Where to Deploy your Scanners
– How many Scanners you need
– Why deploy a multi-scanner architecture
● Scanning Functionality
● Scan Creation
● Policies overview
● Policy Creation
● Lab#2
● Compliance overview:
– There are many different types of government and financial compliance requirements.
– These compliance requirements differ depending on the business goals of the organization.
– Compliance requirements must be mapped with the business goals to ensure that risks are appropriately identified and mitigated.
● Compliance standards include, but are not limited to:
– Center for Internet Security Benchmarks (CIS)
– Control Objectives for Information and related Technology (COBIT)
– Federal Information Security Management Act (FISMA)
– Health Insurance Portability and Accountability Act (HIPAA)
– ISO 27002/17799 Security Standards
– Information Technology Infrastructure Library (ITIL)
– National Institute of Standards and Technology (NIST) configuration guidelines
– National Security Agency (NSA) configuration guidelines
– Payment Card Industry Data Security Standards (PCI DSS)
– Sarbanes-Oxley (SOX)
– Site Data Protection (SDP)
– United States Government Configuration Baseline (USGCB)
● Configuration Audits and Compliance
– What is an audit?
● A check that systems comply with a standard
– Audit vs. vulnerability scan
● A lack of vulnerabilities does not mean the servers are configured correctly or are “compliant” with a particular standard.
● Knowing how a server is configured, how it is patched and what vulnerabilities are present can help determine measures to mitigate risk.
● Windows compliance
– Nessus can test for any setting that can be configured as a “policy” under the Microsoft Windows framework.
– There are several hundred registry settings that can be audited, and the permissions of files, directories, and objects can also be analyzed.
● Windows Compliance Examples
– Account lockout duration
– Retain security log
– Allow log on locally
– Enforce Password History
# Nessus .audit item for a predefined Windows policy check (keywords are lowercase in the .audit syntax)
<item>
name: "Minimum password length"
value: 7
</item>
● Audit Report
– Compliance results in Nessus are logged as “Pass”, “Fail”, and “Warning”.
– Unlike a vulnerability check that only reports if the vulnerability is actually present, a compliance check always reports something.
– This way, the data can be used as the basis of an audit report to show that a host passed or failed a specific test, or if it could not be properly tested.
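As an added illustration of the Pass/Fail/Warning semantics above and of the <item> audit entry on the Windows compliance slide (example code written for this page, not Nessus or Tenable code): it parses a constructed audit fragment in that item form, evaluates it against constructed host settings, and reports a status for every item, including WARNING when a setting could not be read. The minimum-value comparison rule and the collected settings are assumptions.

```python
import re

# Constructed audit fragment in the <item> form shown on the slides. Treating each
# value as a minimum (actual >= value passes) is this example's assumption.
AUDIT_TEXT = '''
<item>
name: "Minimum password length"
value: 7
</item>
<item>
name: "Account lockout duration"
value: 15
</item>
<item>
name: "Enforce password history"
value: 24
</item>
'''
ITEM_RE = re.compile(r'<item>\s*name:\s*"([^"]+)"\s*value:\s*(\d+)\s*</item>')

def parse_items(text):
    """Return a list of (name, expected_value) from the <item> fragments."""
    return [(name, int(val)) for name, val in ITEM_RE.findall(text)]

def evaluate(items, collected):
    """Evaluate every audit item against settings read from the host.
    A vulnerability check reports only when a flaw is present; a compliance
    check always reports: PASS, FAIL, or WARNING when the setting could not
    be read (for example because the scan lacked a privileged account)."""
    results = {}
    for name, expected in items:
        actual = collected.get(name)
        if actual is None:
            results[name] = ("WARNING", None, expected)  # could not be tested
        elif actual >= expected:
            results[name] = ("PASS", actual, expected)
        else:
            results[name] = ("FAIL", actual, expected)
    return results

def summarize(results):
    """Count PASS/FAIL/WARNING for the audit report summary."""
    counts = {"PASS": 0, "FAIL": 0, "WARNING": 0}
    for status, _, _ in results.values():
        counts[status] += 1
    return counts
# Constructed settings as a credentialed scan might collect them from one host;
# "Enforce password history" is absent to simulate a setting that could not be read.
COLLECTED = {"Minimum password length": 8, "Account lockout duration": 10}
SUMMARY = summarize(evaluate(parse_items(AUDIT_TEXT), COLLECTED))  # {'PASS': 1, 'FAIL': 1, 'WARNING': 1}
```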
● Credentials for Devices to be Audited
– Must be a privileged account to audit the configuration
● Lab#3
● Advanced Analysis
– Plug-in output
– Check whether credentials are working
– OS identification and software enumeration
– etc.
● Audit Trails
● Malicious process detection
● Different Scanning Policies
– Web application scanning
– Infrastructure scanning
– Mobile device analysis
– PCI
– Offline auditing
● Multi-scanner Architecture
– How many Scanners
– Where to Deploy the Scanners
– How to Control The Scanners
● SecurityCenter Continuous View
– Overview about SC
– Installation and configuration
– Lab#4
● SecurityCenter Continuous View
– Environment Topology and Organization
– Scan Zone Best Practices
– Lab#5
● SecurityCenter Continuous View
– Repositories
– Organizations - Users and Roles
– Lab#6
● SecurityCenter Continuous View
– Analysis and Reporting
– Dashboards and Alerting
– Lab#8
● References
– Tenable Security Documentation