Reducing the Risk of Known Vulnerabilities
Jason Cathey
CISO
Bank OZK
What is a Vulnerability?
Disclaimer: Nothing in this presentation represents the opinions, policy position, or activities of my employer.
vul-ner-a-bil-i-ty (noun): The quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally.
- Google Dictionary
Vulnerability is a cyber-security term that refers to a flaw in a system that can leave it open to attack. A vulnerability may also refer to any type of weakness in a computer system itself, in a set of procedures, or in anything that leaves information security exposed to a threat. - Techopedia
Why Perform Assessments?
Regulatory Requirements
✓ FFIEC IT Examination Handbook IV.A.2(c): Vulnerability Assessments
✓ Payment Card Industry Data Security Standard (PCI DSS): Maintain a Vulnerability Management Program
✓ Health Insurance Portability and Accountability Act (HIPAA) 45 CFR §164.308(a)(1)(ii)(A): …vulnerability assessment of all the IT assets….
Why Perform Assessments?
Best Practice
• National Institute of Standards and Technology (NIST)
• SP 800-40 v1 (2002), v2 (2005), v3 (2013): Creating a Patch and Vulnerability Management Program (the v2 title; Rev. 3 is titled Guide to Enterprise Patch Management Technologies)
• SP 800-115 (2008): Technical Guide to Information Security Testing and Assessment
• SANS/CIS Top 20 Critical Security Controls (CSC)
• CSC 4: Continuous Vulnerability Assessment and Remediation
Why Perform Assessments?
Real World Threats
• Documented vulnerabilities were the disclosed initial point of entry for 3 of the 5 biggest data breaches of the 21st century.
• Adult Friend Finder (#2, October 2016) - Local File Inclusion Vulnerability
• Equifax (#4, July 2017) - Website Application Vulnerability
• Heartland Payment Systems (#5, March 2008) – SQL Injection Vulnerability
The 16 biggest data breaches of the 21st century
https://www.csoonline.com/article/2130877/data-breach/the-16-biggest-data-breaches-of-the-21st-century.html
Vulnerability Scanners
Community Platforms
• Nmap Security Scanner
• OpenVAS
• Microsoft Baseline Security Analyzer
• Nexpose Community Edition
Commercial Platforms
• Nessus
• Nexpose
• Core Impact
Performing Vulnerability Scans
• Identify Asset Groups
  • Network Segmentation
  • Business Unit
  • Device Type
  • Data Sensitivity
  • Network and External Exposure
  • Mitigating Controls
• Determine Frequency
• Set Schedules
Analyzing Scan Results
CVSS provides 3 important benefits
• Standardized vulnerability scores
• Open framework
• Enables prioritized risk
Analyzing Scan Results
Determining the Risk
• Hosts – Know Your Network
• Host Exposure
• Data Sensitivity
• Asset Groups
• Vulnerability – Common Vulnerability Scoring System (CVSS), Scanner Classification, Override when applicable
• Critical
• High
• Medium
• Low
• Informational
Analyzing Scan Results
The initial scans will more than likely produce a very large number of findings
The Vulnerability Assessment Program should mature the Configuration Standards and Patch Management Programs
• Now that you know what you didn’t know, who cares?
• Information Technology – Uses the results to target mitigation efforts
• Host-Based Approach – Focus efforts on hosts with a higher volume of more critical vulnerabilities
• Vulnerability-Based Approach – Focus efforts on more critical vulnerabilities that affect a larger number of hosts
• Information Security – Focus preventative and detective controls on assets that are more susceptible due to identified, known vulnerabilities
• Risk/Executives – What is the perceived overall risk to the Confidentiality, Integrity and Availability of the network and corporate data due to the vulnerabilities, and is it within the Risk Appetite
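The two targeting approaches above, and the host-context and override inputs from the Determining the Risk slide, combined into one worked example. This is added code, not from the slides: the inventory, the scan findings, the severity band edges and the context weighting (score scaled by the mean of exposure and data sensitivity) are all constructed or assumed for illustration.

```python
"""Rank scan findings two ways: host-based and vulnerability-based.
Added example for this transcript; not code from the slides. Hosts,
findings, severity thresholds and the context weighting are constructed
or assumed, not taken from any real scan."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Severity scale from the slide; band edges follow the CVSS v3 qualitative
# scale, with a 0.0 reported as Informational rather than "None".
SEVERITIES = ["Informational", "Low", "Medium", "High", "Critical"]


def severity(score: float) -> str:
    if score <= 0.0:
        return "Informational"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass(frozen=True)
class Host:
    name: str
    group: str          # asset group: segment, business unit or device type
    exposure: float     # assumed scale: 1.0 internet-facing, 0.5 internal, 0.25 isolated
    sensitivity: float  # assumed scale: 1.0 regulated data, 0.5 internal, 0.25 public


@dataclass(frozen=True)
class Finding:
    host: str
    title: str                        # scanner check name
    cvss: float                       # base score as classified by the scanner
    override: Optional[float] = None  # analyst override when the scanner rating is wrong


def effective_score(f: Finding) -> float:
    return f.cvss if f.override is None else f.override


def contextual_risk(f: Finding, host: Host) -> float:
    """Assumed weighting: the vulnerability score scaled by host context."""
    return effective_score(f) * (host.exposure + host.sensitivity) / 2


def host_ranking(hosts, findings):
    """Host-based: hosts carrying the most weighted risk first, with a
    per-severity count so the volume of critical findings stays visible."""
    by_name = {h.name: h for h in hosts}
    totals = defaultdict(float)
    counts = defaultdict(lambda: defaultdict(int))
    for f in findings:
        totals[f.host] += contextual_risk(f, by_name[f.host])
        counts[f.host][severity(effective_score(f))] += 1
    rows = [(h.name, h.group, round(totals[h.name], 2), dict(counts[h.name]))
            for h in hosts]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


def vulnerability_ranking(hosts, findings):
    """Vulnerability-based: the most severe checks hitting the most hosts first."""
    by_name = {h.name: h for h in hosts}
    groups = defaultdict(list)
    for f in findings:
        groups[f.title].append(f)
    rows = []
    for title, fs in groups.items():
        sev = severity(max(effective_score(f) for f in fs))
        affected = len({f.host for f in fs})
        total = round(sum(contextual_risk(f, by_name[f.host]) for f in fs), 2)
        rows.append((title, sev, affected, total))
    return sorted(rows, key=lambda r: (-SEVERITIES.index(r[1]), -r[2], -r[3], r[0]))


# Constructed inventory: two public web servers, a core database, a branch kiosk.
HOSTS = [
    Host("web01", "DMZ web", exposure=1.0, sensitivity=0.25),
    Host("web02", "DMZ web", exposure=1.0, sensitivity=0.25),
    Host("db01", "Core banking", exposure=0.5, sensitivity=1.0),
    Host("kiosk01", "Branch", exposure=0.25, sensitivity=0.25),
]

# Constructed scan output. The banner finding is rated Medium by the scanner
# but overridden to 0.0 by the analyst as informational.
FINDINGS = [
    Finding("web01", "Remote code execution in web framework", 9.8),
    Finding("web02", "Remote code execution in web framework", 9.8),
    Finding("web01", "TLS 1.0 enabled", 5.3),
    Finding("web02", "TLS 1.0 enabled", 5.3),
    Finding("db01", "TLS 1.0 enabled", 5.3),
    Finding("web01", "Web server version disclosed in banner", 5.3, override=0.0),
    Finding("db01", "SMBv1 enabled", 8.1),
    Finding("kiosk01", "SMBv1 enabled", 8.1),
    Finding("db01", "Missing OS security updates", 7.8),
    Finding("kiosk01", "Missing OS security updates", 7.8),
    Finding("kiosk01", "Default web server page", 0.0),
]

if __name__ == "__main__":
    print("Host-based (fix these hosts first):")
    for row in host_ranking(HOSTS, FINDINGS):
        print("  ", row)
    print("Vulnerability-based (fix these findings fleet-wide first):")
    for row in vulnerability_ranking(HOSTS, FINDINGS):
        print("  ", row)
```

Note how the two views disagree on purpose: the host view puts the core database first because its context multiplier lifts three High/Medium findings above the web servers' single Critical, while the vulnerability view puts the web RCE first because it is the worst single check across the fleet. Which list IT works from is the decision the slide is asking for.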
Reporting
• Technical Resources have the experience, knowledge and need to work in the details
• Provide access to dashboards, reports and scan output
Executive Leadership doesn't want the details; they want something simple, clear, concise and measurable over time.
VERI Example
Vulnerability Management Standard
• Topics
  • Scope of scanning
  • Who is authorized to scan
  • Scan Frequency
  • Vulnerability Severity Scale
  • Time to Remediate
  • Access to results and findings
  • Enforcement
  • Exceptions
  • Vendor Maintained Systems
• Have an approved standard to strengthen processes
• Collaborate with IT Staff and Management
Jason Cathey, CISSP | https://www.linkedin.com/in/jasoncathey/