Making Vulnerability Management Operational
Slide 1: Making Vulnerability Management Operational
Track 1, 11:45am-12:30pm, Ballroom A
Robert A. Martin, The MITRE Corporation
Slide 2: Preview of Key Points
- Strategically leveraging standards-based vulnerability, policy, and remediation capabilities: Common Vulnerabilities and Exposures (CVE), Common Vulnerability Scoring System (CVSS), Open Vulnerability and Assessment Language (OVAL), XML Configuration Checklist Data Format (XCCDF)
- Developing standards-compliant test rules to drive assessment, remediation, and reporting: DISA STIGs, CIS Benchmarks, corporate rules, and software vendor vulnerability advisories
- Capabilities of standards-compliant products
- Building a compliance process that leverages automation and standards
MITRE 2006 Slide 2
Slide 3: Flaw Management
Today's flaw (in software or configuration) management processes:
- IAVAs/STIGs: a text-based vendor advisory or guidance is distributed to customers and the public.
- New flaw requirement: scanning tools, enterprise management systems, or manual processes are used to assess compliance.
- Flaw compliance report: organizations report and track flaw status manually or with a variety of tools that don't integrate.
- Implement change: remediation is performed manually, by checking tools, or by locally developed scripts.
Flow: Assess Compliance -> Compliant? -> No: Implement Change, then re-assess; Yes: Compliant System.
Slide 4: Use Standards to Provide Flexible, End-to-End Flaw Management
Automated flaw management, step by step against today's processes:
- Vendor advisories and guidance are distributed to customers and the public in a standard, machine-readable format with unique CVE names.
- Scanning tools import standardized XCCDF and OVAL definitions into their existing set of vulnerability signatures for patches, vulnerabilities, and configuration settings.
- A security-standards-enabled process assesses compliance; systems publish results in the standard, machine-readable OVAL Results format and send them to a central tracking system (the flaw compliance report).
- Remediation management tools read OVAL Results, with its machine-readable list of systems to remediate, to implement the change.
Flow: Assess Compliance -> Compliant? -> No: Implement Change; Yes: Compliant System.
Slide 5: DoD's Information Assurance Vulnerability Alerts (IAVAs) use CVE names.
Slide 6: DoD IA Implementation Instruction gives preference to products supporting CVE & OVAL
The following appears for all three Mission Assurance Categories (I, II, and III) of DoD systems, under VIVM-1 Vulnerability Management:
- "A comprehensive vulnerability management process ..."
- "... automated vulnerability assessment or state management tools ..."
- "... regular internal and external assessments are conducted ..."
- "For improved interoperability, preference is given to tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and use the Open Vulnerability Assessment Language (OVAL) to test for the presence of vulnerabilities."
Slide 7: Details: DoD Enterprise Licenses for Scanning & Remediation Tools
- SCCVI: DoD vulnerability scanning tool
- SCRI: DoD remediation tool
Slide 8: Difficult to Integrate Information on Vulnerabilities and Exposures
Information from these sources is hard to cross-reference (the slide shows only question marks between them): vulnerability scanners, priority lists, research, security advisories, vulnerability web sites & databases, software vendor patches, intrusion detection systems, and incident response & reporting.
Slide 9: The adoption of CVE Names by the Security Community is starting to address this problem
Finding and sharing vulnerability information has been difficult: The Same Problem, Different Names
Organization: Name
- CERT: cgi_example_code
- CyberSafe: Network: HTTP phf Attack
- ISS: http-cgi-phf
- AXENT: phf CGI allows remote command execution
- Bugtraq: PHF Attacks: Fun and games for the whole family
- BindView: #107 cgi-phf
- Cisco: #3200 WWW phf attack
- IBM ERS: Vulnerability in NCSA/Apache Example Code
- CERIAS: http_escshellcmd
- NAI: # WWW phf check
Which has been caused by the rule: "Whoever finds it, names it." Along with the new rule: "Whoever finds it, gets a CVE name for it."
Slide 10: The CVE List provides a path for integrating information on Vulnerabilities and Exposures
With CVE at the center, security advisories, priority lists, software vendor patches, vulnerability scanners, intrusion detection systems, research, incident response & reporting, and vulnerability web sites & databases can all refer to the same issue by the same name.
Slide 11: Where the CVE Items Come From
- New submissions per month from vulnerability databases: AXENT, BindView, Harris, Cisco, CERIAS, Hiverworld, SecurityFocus, ISS, NAI, Symantec, Nessus
- Legacy submissions (~pre-1999)
- Alerts & advisories with candidates, per month
- Zero-day public vulnerabilities and new public vulnerabilities: ISS, SecurityFocus, Neohapsis, NIPC CyberNotes
These feed the CVE Content Team; after Editorial Board review, accepted entries become items with unique CVE names (~15,630).
Slide 12: CVE Editorial Board
Slide 13: CVE Growth (Unique CVE Names). Status as of Mar 13, 2006: 15,630 unique CVE names.
Slide 14: An NVD Entry
Slide 15: Timeline of CVE Compatibility Declarations
CVE-compatible means:
- it includes CVE names in output for each item (CVE output)
- you can find items by CVE name (CVE searchable)
- it explains the CVE functionality (CVE documentation)
- item mappings are accurate
As of 20 Mar 2006: now at 244 products and services from 148 organizations.
Slide 16: Certificates of CVE Compatibility Awarded to 33 Organizations from 7 Countries for 60 Products
Alliance Qualité Logiciel; Foundstone, Inc.; Harris Corp.; Kingnet Security, Inc.; NSFOCUS Information Tech. Co., Ltd; The MITRE Corporation; Qualys; Red Hat; Sintelli Ltd.; Citadel Security Software Inc.; eEye Digital Security; Internet Security Systems, Inc.; nCircle Network Security, Inc.; PredatorWatch, Inc.; SAINT Corporation; Information Risk Management Plc; Venus Information Technology, Inc.; Symantec Corporation; CA; Dragonsoft; Trend Micro, Inc.; Venus Info Tech.; Software in the Public Interest, Inc.; Webzcan; Skybox; NX Security; ArcSight; ThreatGuard, Inc.; netvigilance, Inc.; DesktopStandard Corporation; Lockdown Networks, Inc.; Secure Elements Incorporated; Beyond Security Ltd.
Slide 17: Current State of Security for IT Systems
- Lots of problems are known.
- Guides, benchmarks, and other security recommendations are available.
- When all patches and guidance are applied, systems can resist many attacks.
What's holding back good security? Systems are not all kept up to date and compliant with best practices because:
- guidance is applied incompletely or late
- fixes and updates are applied inconsistently or improperly
- sound practices are not maintained (often due to staff turnover or operational pressures)
- guidance is distorted or mis-translated on the path from SMEs and vendors out to administrators and end users
- responsible parties have no instruments to measure compliance and keep metrics
Slide 18: Scenario 1, Community Guidance - Today
A community group writes guidance (English prose). A security tool vendor turns it into tool scripts for customer IT staff. A government agency produces revised guidance for government IT staff.
Slide 19: Scenario 1, Community Guidance - Today: What can go wrong?
- Community group: imprecise authoring
- Security tool vendor: manual translation into tool scripts
- Government agency: manual customization into revised guidance
- Customer and government IT staff: manual testing and remediation
Slide 20: General Requirements
We need a language or languages to address these areas, ranging from platform independent to platform dependent:
- Support guidance tailoring and customization
- Collect, structure, and organize guidance
- Score and track general compliance
- Define tests to check compliance
- Define system-specific tests of system state
- Characterize low-level system state
Slide 21: XCCDF: Extensible Configuration Checklist Description Format
An object model and XML specification for expressing security benchmarks, checklists and related documents, and recording checklist results. Designed for three purposes:
- driving system security checking tools
- generating human-readable documents and reports
- scoring and tracking compliance
Joint work by NSA, CIS, and MITRE, with input from CIS volunteers, NIST, industry representatives, DISA, and others. The expected/default checking technology for XCCDF is OVAL.
Slide 22: User Communities for XCCDF
- System, OS, and application vendors: a common format provides a standardized vehicle for crafting and disseminating security hardening rules and recommendations
- Security analysts: a common format allows comparison of different guidance, tailoring and extension, and a common dissemination vehicle
- Security tool vendors: a common format saves effort, allows quicker support for newly issued guidance, and may promote coordination and interoperability
- System owners and users: a common format allows integration of guidance from different sources and quicker, more uniform application of benchmarks
Slide 23: Scenario 1, Community Guidance - Future
The community group publishes guidance as XCCDF and OVAL. The security tool vendor ships the XCCDF & OVAL in a tool update to customer IT staff. The government agency produces tailored XCCDF & OVAL for government IT staff.
Slide 24: Scenario 1, Community Guidance - Future: what changes
- Community group: precision authoring
- Security tool vendor: no translation; XCCDF & OVAL ship in the tool update
- Government agency: controlled tailoring of the XCCDF & OVAL
- Customer and government IT staff: automated test & remediate
Slide 25: XCCDF Object Details: Rule
XCCDF does not specify platform-specific system rule checking logic. The Rule/check element contains information for driving a platform-specific checking engine. In the diagram, the XCCDF Benchmark feeds a Compliance Tester, which hands tailoring values and the tests to perform to a platform-specific checking engine; the engine runs against the target system and returns the test results.
Slide 26: The XCCDF and OVAL Link
OVAL is referenced through an XCCDF <Rule> element (the slide's fragment, with the misspelled href attribute corrected; the check system URI was cut off in the source):

```xml
<cdf:Rule id="unsigned-driver-installation" selected="1">
  <cdf:title>Unsigned Driver Installation Behavior</cdf:title>
  <cdf:description> </cdf:description>
  <cdf:question> </cdf:question>
  <cdf:fixtext> </cdf:fixtext>
  <cdf:fix> </cdf:fix>
  <!-- system names the checking engine that runs the referenced content -->
  <cdf:check system="[check system URI truncated in source]">
    <!-- export the tailoring Value to the OVAL variable the definition reads -->
    <cdf:check-export value-id="unsigned-driver-installation" export-name="oval:mitre.org.oval:var:1" />
    <!-- point at the OVAL definition that implements this rule's check -->
    <cdf:check-content-ref href="oval.definitions.xml" name="oval:org.mitre.oval:def:1001" />
  </cdf:check>
</cdf:Rule>
```
Slide 27: OVAL and XCCDF System Security Guidance
OVAL is how XCCDF talks to the system that the guidance is written for; put another way, OVAL is how guidance about the security of a system talks to the system that the guide is written for.
- Configuration Benchmark Document -> XCCDF
- List of Vulnerabilities (IAVAs, SANS Top 20) -> XCCDF and OVAL
- System Settings -> OVAL
Slide 28: Focus of OVAL
- How can we be sure an assessment tool is using the correct test for an issue?
- How can an organization specify security policy in a standard way that assessment and configuration management tools will understand?
- How can OS and application vendors precisely identify the types of systems that need a new patch?
- How can security researchers share their knowledge without spreading exploit code?
Slide 29: OVAL Concept - The Open Vulnerability and Assessment Language Initiative
- Community-based collaboration
- Precise definitions to test for each vulnerability, misconfiguration, policy, or patch
- Standard schema of security-relevant configuration information
- OVAL schema and definitions freely available for download, public review, and comment
- Security community suggests new definitions and schema
- OVAL board considers proposed schema modifications
- Public unveiling: December 2002
Slide 30: OVAL Board
Slide 31: What can OVAL do?
Test for a specific machine state:
- vulnerability exists
- compliant with organizational policy
- a specific patch should be installed
- locked in a secure room (not a machine-verifiable state)
If the state is machine-verifiable, then you can write it in OVAL.
Slide 32: How is OVAL structured?
Three separate XML schemas: the OVAL System Characteristics Schema, the OVAL Definition Schema, and the OVAL Results Schema. Schema structure: a core schema plus individual component schemas. It is natural for software authors to provide expertise in shaping these schemas.
Slide 33: OVAL System Characteristics
XML encoding of the details of a system: file versions, running processes, patches installed, etc. Provides a snapshot of the system: save it for auditing purposes, use it for analysis.
Slide 34: OVAL Definitions
Composed of metadata (affected family, platforms, and products; description; CVE identifier or other reference) and the set of tests (also known as the criteria). Tests can be written to describe any retrievable system information: rpm information, registry values, file permissions, metabase contents.
Slide 35: OVAL Results
XML encoding of the results of an analysis: which systems are vulnerable? which systems are non-compliant? which patches should be installed? Includes the details: why are you vulnerable? why are you non-compliant? why should a patch be installed?
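An added example, not from the slides or from any MITRE tool, that walks the chain of slides 26 and 32 to 35 end to end: an XCCDF Rule whose check-export binds a tailoring Value to an OVAL variable and whose check-content-ref names an OVAL definition; that definition's AND/OR criteria over tests; a per-host System Characteristics snapshot; and a Results record that carries the "why" alongside the verdict. All XML, ids, the urn:example namespace and the registry paths are constructed and deliberately simplified, and the evaluator is a toy, not an OVAL interpreter.

```python
"""Toy walk through the chain the slides describe: an XCCDF Rule whose check
exports a tailoring Value to an OVAL variable and points at an OVAL definition;
the definition's AND/OR criteria over tests; a per-host System Characteristics
snapshot; and a Results record that says not just pass/fail but why. All XML
is constructed and simplified (made-up ids, namespace and registry paths); it is
not real XCCDF/OVAL schema content, and this is not MITRE's OVAL interpreter."""
import xml.etree.ElementTree as ET

XCCDF = """<Benchmark>
  <Value id="driver-signing-policy"><value>2</value></Value>
  <Rule id="unsigned-driver-installation" selected="1">
    <title>Unsigned Driver Installation Behavior</title>
    <check system="urn:example:oval">
      <check-export value-id="driver-signing-policy" export-name="oval:example:var:1"/>
      <check-content-ref href="oval.definitions.xml" name="oval:example:def:1001"/>
    </check>
  </Rule>
</Benchmark>"""

# Policy value must equal the exported variable AND the key must pass at least
# one protection test. Real OVAL splits tests into object/state elements.
OVAL_DEFS = """<oval_definitions>
  <definition id="oval:example:def:1001" class="compliance">
    <criteria operator="AND">
      <criterion test_ref="oval:example:tst:1"/>
      <criteria operator="OR">
        <criterion test_ref="oval:example:tst:2"/>
        <criterion test_ref="oval:example:tst:3"/>
      </criteria>
    </criteria>
  </definition>
  <test id="oval:example:tst:1" object="HKLM\\SOFTWARE\\Example\\DriverSigning\\Policy" var_ref="oval:example:var:1"/>
  <test id="oval:example:tst:2" object="HKLM\\SOFTWARE\\Example\\DriverSigning:acl" value="admins-only"/>
  <test id="oval:example:tst:3" object="HKLM\\SOFTWARE\\Example\\DriverSigning:owner" value="SYSTEM"/>
</oval_definitions>"""

# Constructed System Characteristics snapshots, one per host, as a collector would save them.
SYSTEM_CHARACTERISTICS = {
    "host-a": """<system_characteristics>
  <item object="HKLM\\SOFTWARE\\Example\\DriverSigning\\Policy" value="2"/>
  <item object="HKLM\\SOFTWARE\\Example\\DriverSigning:acl" value="admins-only"/>
  <item object="HKLM\\SOFTWARE\\Example\\DriverSigning:owner" value="Users"/>
</system_characteristics>""",
    "host-b": """<system_characteristics>
  <item object="HKLM\\SOFTWARE\\Example\\DriverSigning\\Policy" value="0"/>
  <item object="HKLM\\SOFTWARE\\Example\\DriverSigning:acl" value="everyone"/>
</system_characteristics>""",
}

def bind_variables(benchmark):
    """check-export: map each OVAL variable name to its tailoring Value's content."""
    values = {v.get("id"): v.findtext("value") for v in benchmark.iter("Value")}
    return {e.get("export-name"): values[e.get("value-id")]
            for e in benchmark.iter("check-export")}

def eval_test(test, snapshot, variables, trace):
    """Compare one collected item with its expected state: true/false/unknown."""
    obj = test.get("object")
    expected = variables[test.get("var_ref")] if test.get("var_ref") else test.get("value")
    actual = snapshot.get(obj)
    if actual is None:
        result = "unknown"  # object was never collected on this host
    else:
        result = "true" if actual == expected else "false"
    trace.append(f"{test.get('id')}: {obj} expected={expected!r} actual={actual!r} -> {result}")
    return result

def eval_criteria(node, tests, snapshot, variables, trace):
    """Fold criterion results through AND/OR, propagating unknown."""
    if node.tag == "criterion":
        return eval_test(tests[node.get("test_ref")], snapshot, variables, trace)
    results = [eval_criteria(c, tests, snapshot, variables, trace) for c in node]
    if node.get("operator") == "AND":
        if "false" in results:
            return "false"
        return "true" if all(r == "true" for r in results) else "unknown"
    if "true" in results:  # OR
        return "true"
    return "false" if all(r == "false" for r in results) else "unknown"

def evaluate(host):
    """Run each selected Rule's referenced definition against one host's snapshot."""
    benchmark = ET.fromstring(XCCDF)
    defs = ET.fromstring(OVAL_DEFS)
    sc = ET.fromstring(SYSTEM_CHARACTERISTICS[host])
    snapshot = {i.get("object"): i.get("value") for i in sc.iter("item")}
    tests = {t.get("id"): t for t in defs.iter("test")}
    definitions = {d.get("id"): d for d in defs.iter("definition")}
    variables = bind_variables(benchmark)
    results = []
    for rule in benchmark.iter("Rule"):
        if rule.get("selected") != "1":
            continue
        ref = rule.find("check/check-content-ref")
        trace = []  # the "why" behind the verdict, one line per test
        outcome = eval_criteria(definitions[ref.get("name")].find("criteria"),
                                tests, snapshot, variables, trace)
        results.append({"host": host, "rule": rule.get("id"), "definition": ref.get("name"),
                        "result": outcome, "why": trace})
    return results
```

Calling evaluate("host-b") returns a "false" verdict whose why-list shows the policy value mismatch and marks the uncollected owner item as "unknown" rather than silently treating it as a pass, which is the detail a remediation tool needs from OVAL Results.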
Slide 36: The OVAL Process
Slide 37: OVAL Schemas & Definitions
- 1,506 definitions: Vulnerability (1,456), Compliance (50)
- XML & Pseudo Code
- Version 4.2 Schemas ( ); Version 5.0 ( ) 6th draft
- Schemas for: Core, Independent, Microsoft Windows, Sun Solaris, Red Hat Linux, Debian Linux, Cisco IOS, Apple Macintosh, HP-UX Unix
- OVAL open source tools: XML Definition Interpreters, XML Definition Writer
Slide 38: OVAL - Industry Adoption (OVAL Compatibility)
Compatible products and services:
- ArcSight: ArcSight ESM 3.0
- BigFix: Enterprise Suite
- Citadel Security Software: Hercules
- KACE Networks: KBOX IT Management Suite
- Qualys: QualysGuard Enterprise, QualysGuard Express, QualysGuard Consultant, QualysGuard MSP
- ThreatGuard: ThreatGuard Vulnerability Management System, ThreatGuard Traveler
Declarations of compatibility: Assuria Limited, DesktopStandard, eEye Digital Security, nCircle Network Security, NetClarity, Patchlink, Preventsys, Sintelli
Slide 39: OVAL Assessment Tools
Slide 40: Working with OVAL Definitions in Commercial Tools
Slide 41: OVAL Results Feeding CIM and Remediation Tools
Slide 42: For More Information
- OVAL paper: Transformational Vulnerability Management Through Standards
- CVE paper: Managing Vulnerabilities in Networked Systems
- CIS web site, CVE web site, OVAL web site
- XCCDF web site: csrc.nist.gov/checklists/xccdf.html
Slide 43: Acronyms from this Presentation
- AF: Air Force
- C3I: Communications, Command, Control and Intelligence
- CIS: Center for Internet Security
- CVE: Common Vulnerabilities and Exposures
- DHS: Department of Homeland Security
- DISA: Defense Information Systems Agency
- DoD: Department of Defense
- FBI: Federal Bureau of Investigation
- FISMA: Federal Information Security Management Act
- FSO: Field Services Organization
- GLBA: Gramm-Leach-Bliley Act
- GSA: General Services Agency
- HIPAA: Health Insurance Portability and Accountability Act
- IA: Information Assurance
- IAVA: Information Assurance Vulnerability Alert
- NIST: National Institute of Standards and Technology
- NSA: National Security Agency
- OVAL: Open Vulnerability and Assessment Language
- SANS: SysAdmin, Audit, Network, Security
- SOX: Sarbanes-Oxley
- SQL: Sequel Query Language
- USAF: United States Air Force
- WH: White House
- XCCDF: Extensible Configuration Checklist Description Format
- XML: Extensible Markup Language
Check list เตร ยมความพร อมด าน Cyber Security ให หน วยงาน 6 th October 2015 Avirut Liangsiri 1 Agenda Traditional vs. Modern Cyber Defense แตกต างหร อส งเสร มก นและก น อย างไร? Industry Standard Checklist
More informationCPNI TECHNICAL NOTE 04/2008 VULNERABILITY ASSESSMENT TOOLS
CPNI TECHNICAL NOTE 04/2008 VULNERABILITY ASSESSMENT TOOLS DECEMBER 2008 CPNI would like to acknowledge and thank NCC for their help in the preparation of this report. Disclaimer: Reference to any specific
More informationSecurity Information and Event Management
Security Information and Event Management sponsored by: ISSA Web Conference April 26, 2011 Start Time: 9 am US Pacific, Noon US Eastern, 5 pm London Welcome Conference Moderator Phillip H. Griffin ISSA
More informationOVAL Board Meeting (10/15/2012)
OVAL Board Meeting (10/15/2012) Attendees Scott Armstrong Symantec Corporation Chandrashekhar B Secpod, Inc. Carl Banzhof Rockport Systems Anthony Busciglio Cisco Systems, Inc. Blake Frantz Center for
More informationVRDA Vulnerability Response Decision Assistance
VRDA Vulnerability Response Decision Assistance Art Manion CERT/CC Yurie Ito JPCERT/CC EC2ND 2007 2007 Carnegie Mellon University VRDA Rationale and Design 2 Problems Duplication of effort Over 8,000 vulnerability
More informationSMITHSONIAN INSTITUTION
SMITHSONIAN INSTITUTION FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2012 INDEPENDENT EVALUATION REPORT TABLE OF CONTENTS PURPOSE 1 BACKGROUND 1 OBJECTIVES, SCOPE, AND METHODOLOGY 2 SUMMARY OF RESULTS
More informationManage Vulnerabilities (VULN) Capability Data Sheet
Manage Vulnerabilities (VULN) Capability Data Sheet Desired State: - Software products installed on all devices are free of known vulnerabilities 1 - The list of known vulnerabilities is up-to-date Desired
More informationFISMA Compliance: Making the Grade
FISMA Compliance: Making the Grade A Qualys Guide to Measuring Risk, Enforcing Policies, and Complying with Regulations EXECUTIVE SUMMARY For federal managers of information technology, FISMA is one of
More informationDefending the Database Techniques and best practices
ISACA Houston: Grounding Security & Compliance Where The Data Lives Mark R. Trinidad Product Manager mtrinidad@appsecinc.com March 19, 2009 Agenda Understanding the Risk Changing threat landscape The target
More informationAccess FedVTE online at: fedvte.usalearning.gov
FALL 2015 Access FedVTE online at: fedvte.usalearning.gov If you need any assistance please contact the FedVTE Help Desk her e or email the Help Desk at support@usalearning.net. To speak with a Help Desk
More informationManaging Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services
Managing Vulnerabilities for PCI Compliance White Paper Christopher S. Harper Managing Director, Agio Security Services PCI STRATEGY Settling on a PCI vulnerability management strategy is sometimes a difficult
More informationA Comprehensive Cyber Compliance Model for Tactical Systems
A Comprehensive Cyber Compliance Model for Tactical Systems Author Mark S. Edwards, CISSP/MSEE/MCSE Table of Contents July 28, 2015 Meeting Army cyber security goals with an IA advocate that supports tactical
More informationIBM Security QRadar Version 7.2.5. Vulnerability Assessment Configuration Guide IBM
IBM Security QRadar Version 7.2.5 Vulnerability Assessment Configuration Guide IBM Note Before using this information and the product that it supports, read the information in Notices on page 93. Product
More informationRED HAT ENTERPRISE LINUX 6 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW. Version 1, Release 8. 24 July 2015
RED HAT ENTERPRISE LINUX 6 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW Version 1, Release 8 24 July 2015 Developed by Red Hat, NSA, and for the DoD Trademark Information Names, products, and
More informationDoD Secure Configuration Management (SCM) Operational Use Cases
Defense Information Systems Agency A Combat Support Agency DoD Secure Configuration Management (SCM) Operational Use Cases DISA PEO-MA Computer Network Defense Enclave Security 26 September 2010 This brief
More informationHow Private Industry Protects Our Country's Secrets. James Kirk
An Inside Look Into Defense Industrial Base (DIB) Technical Security Controls: How Private Industry Protects Our Country's Secrets James Kirk Outline Background DOD Agency Responsible for Interpretation
More informationProactively Managing Servers with Dell KACE and Open Manage Essentials
Proactively Managing Servers with Dell KACE and Open Manage Essentials A Dell Technical White Paper Dell KACE Dell Open Manage Essentials THIS WHITE PAPER IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN
More informationAutomating Attack Analysis Using Audit Data. Dr. Bruce Gabrielson (BAH) CND R&T PMO 28 October 2009
Automating Attack Analysis Using Audit Data Dr. Bruce Gabrielson (BAH) CND R&T PMO 28 October 2009 2 Introduction Audit logs are cumbersome and traditionally used after the fact for forensics analysis.
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Technical and Operational Requirements for Approved Scanning Vendors (ASVs) Version 1.1 Release: September 2006 Table of Contents Introduction...1-1 Naming
More informationD. Best Practices D.2. Administration The 6 th A
Best Practices I&C School Prof. P. Janson September 2014 D. Best Practices D.2. Administration The 6 th A 1 of 26 The previous section described how to improve IT security through use of better development
More informationTotal Protection for Compliance: Unified IT Policy Auditing
Total Protection for Compliance: Unified IT Policy Auditing McAfee Total Protection for Compliance Regulations and standards are growing in number, and IT audits are increasing in complexity and cost.
More informationWhile most organizations have addressed the various
The Vulnerabilities of Developing on the Net Disaster has struck. You would think that firewalls, combined with filtering routers, password protection, encryption, and disciplined use of access controls
More informationImproving Security Vulnerability and Configuration Management through a Service Oriented Architecture Approach
Improving Security Vulnerability and Configuration Management through a Service Oriented Architecture Approach Overcoming the challenges to security vulnerability and compliance management through NIST
More informationHost-Oriented Security Test Suite (HOSTS)
1 Host-Oriented Security Test Suite (HOSTS) James A. Finegan 18th Annual Computer Security Applications Conference Enterprise Security December 12, 2002 1 2 Agenda Problem Description What is HOSTS? -
More informationSecurity Control Standard
Department of the Interior Security Control Standard Risk Assessment January 2012 Version: 1.2 Signature Approval Page Designated Official Bernard J. Mazer, Department of the Interior, Chief Information
More informationOracle Database Security Myths
Oracle Database Security Myths December 13, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy Corporation About Integrigy ERP Applications
More informationIntroduction to the HP Server Automation system security architecture
Introduction to the HP Server Automation system security architecture Technical white paper Table of contents Introduction to the HP Server Automation system security architecture... 2 Enforcing strict
More informationCDM Vulnerability Management (VUL) Capability
CDM Vulnerability Management (VUL) Capability Department of Homeland Security Office of Cybersecurity and Communications Federal Network Resilience Vulnerability Management Continuous Diagnostics and Mitigation
More informationIntroduction. Special thanks to the following individuals who were instrumental in the development of the toolkits:
Introduction In this digital age, we rely on our computers and devices for so many aspects of our lives that the need to be proactive and vigilant to protect against cyber threats has never been greater.
More informationConfiguration Audit & Control
The Leader in Configuration Audit & Control Configuration Audit & Control Brett Bartow - Account Manager Kelly Feagans, Sr. Systems Engineer ITIL, CISA March 4, 2009 Recognized leader in Configuration
More informationTowards Unifying Vulnerability Information for Attack Graph Construction
Towards Unifying Vulnerability Information for Attack Graph Construction Sebastian Roschke Feng Cheng, Robert Schuppenies, Christoph Meinel ISC2009-2009-09-08 Internet-Technologies and -Systems Prof. Dr.
More informationKey Considerations for Vulnerability Management: Audit and Compliance
Key Considerations for Vulnerability Management: Audit and Compliance October 5, 2005 2005 Altiris Inc. All rights reserved. ABOUT ALTIRIS Altiris, Inc. is a pioneer of IT lifecycle management software
More informationIntro to QualysGuard IT Compliance SaaS Services. Marek Skalicky, CISM, CRISC Regional Account Manager for Central & Adriatic Eastern Europe
Intro to QualysGuard IT Compliance SaaS Services Marek Skalicky, CISM, CRISC Regional Account Manager for Central & Adriatic Eastern Europe QualysGuard ICT Security Management Integrated Suite of ICT Security
More informationEverything You Wanted to Know about DISA STIGs but were Afraid to Ask
Everything You Wanted to Know about DISA STIGs but were Afraid to Ask An EiQ Networks White Paper 2015 EiQ Networks, Inc. All Rights Reserved. EiQ, the EiQ logo, the SOCVue logo, SecureVue, ThreatVue,
More informationBladeLogic Software-as-a- Service (SaaS) Solution. Help reduce operating cost, improve security compliance, strengthen cybersecurity posture
BladeLogic Software-as-a- Service (SaaS) Solution Help reduce operating cost, improve security compliance, strengthen cybersecurity posture February 20, 2014 Contents The Configuration Security Compliance
More informationDigi Device Cloud: Security You Can Trust
Digi Device Cloud: Security You Can Trust Abstract Historically, security has oftentimes been an afterthought or a bolt-on to any engineering product. In today s markets, however, security is taking a
More informationAssuria can help protectively monitor firewalls for PCI compliance. Assuria can also check the configurations of personal firewalls on host devices
The Payment Card Industry (PCI) Data Security Standard (DSS) provides an actionable framework for developing a robust payment card data security process. The Payment Application Data Security Standard
More information