Vulnerability Management

Transcription

1 Quelle: fotolia Vulnerability Management The early bird catches the worm Dipl.-Ing. Lukas Memelauer, BSc calpana business consulting gmbh Blumauerstraße 43, 4020 Linz 1

2 Agenda Definitions Vulnerability Management Process What/how to prepare for a pen test? CRISAM Process Model CRISAM Vulnerability Knowledge Pack Live-Demo (Tool, Reporting) 2

3 Vulnerability Management / Vulnerability Scanning Definitions Vulnerability scanning consists of using a computer program to identify vulnerabilities in networks, computer infrastructure or applications. Vulnerability management is the process surrounding vulnerability scanning, in which vulnerabilities in IT are identified and the risks of these vulnerabilities are evaluated. This evaluation leads to correcting the vulnerabilities and removing the risk or a formal risk acceptance by the management of an organization (e.g. in case the impact of an attack would be low or the cost of correction does not outweigh possible damages to the organization). source: SANS 3

4 Vulnerability Management Process Increasing growth of cyber-crime and associated risks Important to obtain a continuous overview of vulnerabilities and the associated risks Prevent attackers from boarding networks and stealing information Regular vulnerability scanning ensures faster detection and remediation of new vulnerabilities 5 Steps Preparation Vulnerability scan Define remediating actions Implement remediating actions Rescan 4

5 What to prepare for a vulnerability scan / pen-test? Define objective / goals Limit scope Conclude form of outcome Determine Type of pen test Identify machines, systems, networks, operational requirements, involved staff Coordinate timing and duration of pen test Define emergency procedure Decide third party handling procedure Legally approve pen testers 5

6 How to prepare for a vulnerability scan / pen-test? Institute for Security and Open Methodologies (ISECOM) Common practice to prepare and perform a pen-test A methodology to test the operational security of physical locations, human interactions, and all forms communications such as wireless, wired, analog, and digital. Provide a scientific methodology for the accurate characterization of operational security 6

7 How to prepare for a vulnerability scan / pen-test? By failing to prepare, you are preparing to fail. Benjamin Franklin 7

8 CRISAM Process Model An ISO compliant approach and process model for handling the IT-GRC process Corporate Strategy, General Conditions CONTEXT ESTABLISHMENT Risk Management Policy Risk Strategy and Risk-Target Risk management policy Risk Strategy and Risk-Target SCOPE ANALYSIS Business Impact in the observed Scope Risk Strategy, Risk Models, Risk Inventory, Risk Limits RISK ASSESSMENT Risk Value, Risk Measures Risk Coverage Requirements Risk Policy Risk Strategy and Risk-Target Risk Coverage Requirements Actual Risk Value, Actual Risk Coverage Value RISK CONTROL MEASURE- PLANNING COST-BENEFIT ANALYSIS Target-deviation Action plan, measures prioritization, Cost of Risk, Action plan, Budget, resources, schedules IMPLEMENTATION Implementation projects, Project plans, test steps for action tracking (CRISAM... Corporate Risk Application Method) 8

9 has impact on -> The role of IT in the company s business IT risks impact the companies business processes. Mayor losses rather occur at business level than in IT departments The Company Enterprise Sales Human Resources Finance and Controlling Corporate Services Manufacturing Business-Processes Market of Informationtechnology and Energy Rawmaterial Market Supplier Human Law Resources Capital-Costs Business Risks 9

10 company process model integrity availablitiy confidentiality CRISAM Knowledge Packs Bundled specialist knowledge Structure: components control objectives weightings evaluation guides mappings to critera mappings to sources 10

11 CRISAM Vulnerability Knowledge Pack Content / Sources Addition to OSSTMM v3 Organizational aspects Secure Software Development (e.g. Client- Server Apps) Webserver security Organizational aspects Based on BSI study Secure Software Development Reporting based on the OWASP Secure Coding Practices Quick Reference Guide Webserver security CRISAM RV ÖNORM A7700 Pack 11

12 CRISAM Vulnerability Knowledge Pack Structure Additional components Organizational aspects Secure Software Development Modular design for further components Additional control objectives Reports Compliance report based on OSSTMM v3, OWASP and BSI studies 12

13 Live Demo - Example Scenario A This example is implemented in a CRISAM sample project The department Finance and Controlling delegates a penetration test to a third-party supplier Scope is the application and the server(s) hosting the application Also in the scope is the corporate network To improve the test results the company uses CRISAM to prepare for the test The following component are added: Pen-Test Documents (Pen-Test Organizational) Pen-Test Exchange (Pen-Test Application) Pen-Test Node101, Pen-Test Node102 (Pen-Test Server) Pen-Test Network (Pen-Test Network) 13

14 Live Demo - Example Scenario B This example is implemented in a CRISAM sample project The department Research and Development is developing a tool for internal use and is advised by management to consider security aspects The department uses CRISAM for secure software development The following aspects are relevant: input validation, output encoding, access control, memory management The following component are added: Secure Tool (Individual Development) Input Validation (SSD Input Validation) Output Encoding (SSD Output Encoding) Access Control (SSD Access Control) Memory Management (SSD Memory Management) 14

15 Live Demo - Results / Report This example is implemented in a CRISAM sample project To show where improvements should be made, a Phase 4: Compliance Analysis report for Vulnerability Management can be created. All relevant components are categorized by Penetration Test and Secure Software Development, which makes it easy to show possible improvements 15

16 Key Findings 1. Components for deeper technical analysis 2. Reporting options based on OSSTMM v3, OWASP and BSI studies for optimizing pen-test results 3. CRISAM for pen test preparation - spare yourself a rude awakening! Thank you for your attention! einfach präzise wertorientiert nachvollziehbar calpana business consulting gmbh A-4020 Linz, Blumauerstraße 43 Tel: +43 (732) Copyright