Reducing the Risk of Known Vulnerabilities
Jason Cathey, CISO, Bank OZK

Transcript of Reducing the Risk of Known Vulnerabilities

Page 1:

Reducing the Risk of Known Vulnerabilities

Jason Cathey

CISO

Bank OZK

Page 2:

What is a Vulnerability?

Disclaimer: Nothing in this presentation represents the opinions, policy position, or activities of my employer.

vul-ner-a-bil-i-ty (noun): The quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally.

- Google Dictionary

Vulnerability is a cyber-security term that refers to a flaw in a system that can leave it open to attack. A vulnerability may also refer to any type of weakness in a computer system itself, in a set of procedures, or in anything that leaves information security exposed to a threat. - Techopedia

Page 3:

Why Perform Assessments?


Regulatory Requirements

✓ FFIEC IT Examination Handbook IV.A.2(c): Vulnerability Assessments

✓ Payment Card Industry Data Security Standard (PCI DSS): Maintain a Vulnerability Management Program

✓ Health Insurance Portability and Accountability Act (HIPAA) 45 CFR §164.308(a)(1)(ii)(A), Risk analysis (Required): …conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information…

Page 4:

Why Perform Assessments?


Best Practice

• National Institute of Standards and Technology (NIST)

• SP 800-40 v1 (2002), v2 (2005), v3 (2013): Creating a Patch and Vulnerability Management Program (the v2 title; Revision 3 is titled Guide to Enterprise Patch Management Technologies)

• SP 800-115 (2008): Technical Guide to Information Security Testing and Assessment

• SANS/CIS Top 20 Critical Security Controls (CSC)

• CSC 4: Continuous Vulnerability Assessment and Remediation

Page 5:

Why Perform Assessments?


Real World Threats

• Documented vulnerabilities were the disclosed initial point of entry for 3 of the 5 biggest data breaches of the 21st century.

• Adult Friend Finder (#2, October 2016) - Local File Inclusion Vulnerability

• Equifax (#4, July 2017) - Website Application Vulnerability

• Heartland Payment Systems (#5, March 2008) – SQL Injection Vulnerability

The 16 biggest data breaches of the 21st century
https://www.csoonline.com/article/2130877/data-breach/the-16-biggest-data-breaches-of-the-21st-century.html

Page 6:

Vulnerability Scanners


Community Platforms

• Nmap Security Scanner

• OpenVAS

• Microsoft Baseline Security Analyzer

• Nexpose Community Edition

Commercial Platforms

• Nessus

• Nexpose

• Core Impact

Page 7:

Performing Vulnerability Scans


• Identify Asset Groups

  • Network Segmentation

  • Business Unit

  • Device Type

  • Data Sensitivity

  • Network and External Exposure

  • Mitigating Controls

• Determine Frequency

• Set Schedules

Page 8:

Analyzing Scan Results


CVSS provides 3 important benefits

• Standardized vulnerability scores

• Open framework

• Enables prioritized risk

Page 9:

Analyzing Scan Results


Determining the Risk

• Hosts – Know Your Network

  • Host Exposure

  • Data Sensitivity

  • Asset Groups

• Vulnerability – Common Vulnerability Scoring System (CVSS), Scanner Classification, Override when applicable

  • Critical

  • High

  • Medium

  • Low

  • Informational

Page 10:

Analyzing Scan Results


The initial scans will more than likely produce a very large number of findings.

The Vulnerability Assessment Program should mature the Configuration Standards and Patch Management Programs.

• Now that you know what you didn't know, who cares?

• Information Technology – Uses the results to target mitigation efforts

  • Host-Based Approach – Focus efforts on hosts with a higher volume of more critical vulnerabilities

  • Vulnerability-Based Approach – Focus efforts on more critical vulnerabilities that affect a larger number of hosts

• Information Security – Focus preventative and detective controls on assets that are more susceptible due to identified, known vulnerabilities

• Risk/Executives – What is the perceived overall risk to the Confidentiality, Integrity and Availability of the network and corporate data due to the vulnerabilities, and is it within the Risk Appetite?
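The host-based and vulnerability-based approaches on this slide, combined with the host-context factors from the previous two slides (exposure, data sensitivity, asset group, CVSS with analyst override), as an added worked example in Python. This is not code from the presentation; the hosts, check IDs, scores and the exposure/sensitivity weights are constructed for illustration, and the CVSS-to-severity bands are the CVSS v3.x qualitative rating scale.

```python
"""Prioritising scan findings by CVSS and host context (added example).

Every host, check id, score and weight below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating (FIRST's scale)."""
    if score == 0.0:
        return "Informational"   # CVSS calls this "None"; scanners usually report "Info"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Assumed host-context multipliers; an asset inventory would supply these per host.
EXPOSURE_WEIGHT = {"internet": 2.0, "dmz": 1.5, "internal": 1.0}
SENSITIVITY_WEIGHT = {"restricted": 2.0, "confidential": 1.5, "internal": 1.0, "public": 0.5}


@dataclass(frozen=True)
class Host:
    name: str
    asset_group: str
    exposure: str      # internet | dmz | internal
    sensitivity: str   # restricted | confidential | internal | public


@dataclass(frozen=True)
class Finding:
    host: Host
    check_id: str                    # scanner plugin / check identifier (constructed)
    cvss: float                      # base score reported by the scanner
    override: Optional[str] = None   # analyst re-classification, if any

    @property
    def severity(self) -> str:
        # "Override when applicable": an analyst may downgrade a finding that a
        # mitigating control neutralises, or upgrade one that is being exploited.
        return self.override or cvss_severity(self.cvss)

    @property
    def risk(self) -> float:
        # CVSS scaled by where the host sits and what data it holds.
        w = EXPOSURE_WEIGHT[self.host.exposure] * SENSITIVITY_WEIGHT[self.host.sensitivity]
        return round(self.cvss * w, 1)


def host_based(findings: List[Finding], min_severity: str = "High") -> List[Tuple[str, int, float]]:
    """Hosts ranked by number of findings at or above min_severity, then by summed risk."""
    floor = SEVERITY_RANK[min_severity]
    count = defaultdict(int)
    risk = defaultdict(float)
    for f in findings:
        if SEVERITY_RANK[f.severity] >= floor:
            count[f.host.name] += 1
            risk[f.host.name] += f.risk
    rows = [(h, count[h], round(risk[h], 1)) for h in count]
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)


def vulnerability_based(findings: List[Finding], min_severity: str = "High") -> List[Tuple[str, int, float]]:
    """Checks ranked by number of distinct hosts affected, then by the worst host risk."""
    floor = SEVERITY_RANK[min_severity]
    hosts = defaultdict(set)
    worst = defaultdict(float)
    for f in findings:
        if SEVERITY_RANK[f.severity] >= floor:
            hosts[f.check_id].add(f.host.name)
            worst[f.check_id] = max(worst[f.check_id], f.risk)
    rows = [(c, len(hosts[c]), worst[c]) for c in hosts]
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)


# Constructed sample inventory and scan output.
WEB01 = Host("web01", "public-web", "internet", "confidential")
DB01 = Host("db01", "core-banking", "internal", "restricted")
WS17 = Host("ws17", "workstations", "internal", "internal")
KIOSK02 = Host("kiosk02", "lobby-kiosks", "dmz", "public")

SAMPLE_FINDINGS = [
    Finding(WEB01, "CHK-1001", 9.8),                         # outdated web framework
    Finding(WEB01, "CHK-2002", 5.3),                         # weak TLS cipher suites
    Finding(DB01, "CHK-3003", 7.8),                          # missing OS patch rollup
    Finding(DB01, "CHK-1001", 9.8),                          # same check as on web01
    Finding(DB01, "CHK-4004", 7.5, override="Critical"),     # default SNMP community; upgraded by analyst
    Finding(WS17, "CHK-3003", 7.8),
    Finding(WS17, "CHK-5005", 0.0),                          # banner disclosure, informational
    Finding(KIOSK02, "CHK-3003", 7.8, override="Medium"),    # hardened kiosk; downgraded by analyst
]

if __name__ == "__main__":
    print("Host-based:", host_based(SAMPLE_FINDINGS))
    print("Vulnerability-based:", vulnerability_based(SAMPLE_FINDINGS))
```

The two rankings answer different questions from the same data: the host-based list tells the server team which box to rebuild first (db01, with three High-or-worse findings on a restricted-data host), while the vulnerability-based list tells the patching team which single fix removes the most exposure (CHK-1001, present on the internet-facing web server and the core database). The analyst override is what keeps the kiosk's unpatched-but-mitigated finding out of both lists.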

Page 11:

Reporting


• Technical Resources have the experience, knowledge and need to work in the details

• Provide access to dashboards, reports and scan output

Page 12:

Reporting


Executive Leadership doesn't want the details; they want something simple, clear, concise and measurable over time.

Page 13:

Reporting

Page 14:

Reporting

Page 15:

Reporting

Page 16:

Reporting

Page 17:

Reporting

Page 18:

VERI Example


Page 19:

Vulnerability Management Standard


• Topics

  • Scope of scanning

  • Who is authorized to scan

  • Scan Frequency

  • Vulnerability Severity Scale

  • Time to Remediate

  • Access to results and findings

  • Enforcement

  • Exceptions

  • Vendor Maintained Systems

• Have an approved standard to strengthen processes

• Collaborate with IT Staff and Management
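One way to turn the standard's Vulnerability Severity Scale, Time to Remediate, Enforcement and Exceptions topics into numbers, and to produce the "measurable over time" figures the reporting slides ask for, as an added example in Python that is not part of the presentation. The remediation windows, hosts, check IDs and dates are all constructed assumptions; a real program would take the windows from the approved standard and the findings from the scanner's history.

```python
"""Time-to-remediate tracking against a vulnerability management standard (added example).

Remediation windows, hosts, check ids and dates are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

# Assumed calendar-day windows per severity; the standard itself sets the real values.
TIME_TO_REMEDIATE = {"Critical": 15, "High": 30, "Medium": 90, "Low": 180}


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str
    severity: str
    first_seen: date
    fixed: Optional[date] = None             # None while the finding is still open
    exception_until: Optional[date] = None   # approved exception (e.g. vendor-maintained system)

    def due(self) -> date:
        return self.first_seen + timedelta(days=TIME_TO_REMEDIATE[self.severity])

    def status(self, as_of: date) -> str:
        if self.fixed is not None:
            return "fixed-in-sla" if self.fixed <= self.due() else "fixed-late"
        if self.exception_until is not None and as_of <= self.exception_until:
            return "excepted"
        return "overdue" if as_of > self.due() else "open"


def overdue(findings: Iterable[Finding], as_of: date) -> List[Finding]:
    """Open findings past their window, oldest due date first: the enforcement list."""
    return sorted((f for f in findings if f.status(as_of) == "overdue"),
                  key=lambda f: (f.due(), f.host))


def sla_compliance(findings: Iterable[Finding], as_of: date) -> Dict[str, int]:
    """Per severity, percentage of findings whose window has closed that were fixed in time.

    Findings not yet due are excluded (they cannot be judged yet); excepted ones too.
    """
    met: Dict[str, int] = {}
    total: Dict[str, int] = {}
    for f in findings:
        s = f.status(as_of)
        if s in ("open", "excepted"):
            continue
        total[f.severity] = total.get(f.severity, 0) + 1
        if s == "fixed-in-sla":
            met[f.severity] = met.get(f.severity, 0) + 1
    return {sev: round(100 * met.get(sev, 0) / n) for sev, n in total.items()}


def open_trend(findings: Iterable[Finding], snapshots: List[date],
               severities=("Critical", "High")) -> List[int]:
    """Count of open findings at each snapshot date: the executive trend line."""
    findings = list(findings)
    return [sum(1 for f in findings
                if f.severity in severities
                and f.first_seen <= d
                and (f.fixed is None or f.fixed > d))
            for d in snapshots]


# Constructed scan history, evaluated as of 30 June 2018.
SAMPLE_FINDINGS = [
    Finding("web01", "CHK-1001", "Critical", date(2018, 4, 2), fixed=date(2018, 4, 10)),
    Finding("db01", "CHK-1001", "Critical", date(2018, 4, 2), fixed=date(2018, 5, 3)),
    Finding("db01", "CHK-3003", "High", date(2018, 5, 1)),
    Finding("ws17", "CHK-3003", "High", date(2018, 5, 1), fixed=date(2018, 5, 20)),
    Finding("app07", "CHK-4004", "High", date(2018, 6, 15)),
    Finding("hr02", "CHK-2002", "Medium", date(2018, 3, 1), exception_until=date(2018, 9, 30)),
    Finding("kiosk02", "CHK-2002", "Medium", date(2018, 2, 1)),
    Finding("ws17", "CHK-5005", "Low", date(2018, 6, 1)),
]
AS_OF = date(2018, 6, 30)

if __name__ == "__main__":
    for f in overdue(SAMPLE_FINDINGS, AS_OF):
        print(f"OVERDUE {f.severity:8} {f.host:8} {f.check_id} due {f.due()}")
    print("SLA compliance %:", sla_compliance(SAMPLE_FINDINGS, AS_OF))
    print("Open Critical/High by month:",
          open_trend(SAMPLE_FINDINGS, [date(2018, m, 1) for m in (4, 5, 6, 7)]))
```

Two design points matter here. Compliance is judged only on findings whose window has actually closed, so a freshly discovered High does not inflate or deflate the number until its 30 days are up; and an exception is time-boxed, so a vendor-maintained system drops back into the overdue list the day its approval lapses rather than disappearing from the standard for good.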

Page 20:


Jason Cathey, CISSP | https://www.linkedin.com/in/jasoncathey/