How to Get from Scans to a Vulnerability Management Program
Gary McCully

Any views or opinions presented are solely those of the author and do not necessarily represent those of SecureState LLC.
Synopsis

Many organizations falsely equate a vulnerability scanner with a Vulnerability Management Program. A scanner is important to the overall program, but on its own it can help with only a few of the program's processes. This paper discusses the processes involved in a Vulnerability Management Program, focusing on the tasks that vulnerability scanners like Qualys and Nexpose can either directly perform or assist with.

Table of Contents

Vulnerability Checklist
Discovery
System Inventory and Business Owner Identification
Create Scan Templates Specific to Each Baseline
Scan
False Positive Removal
Prioritization
Remediation and Security Control Implementation
Re-scan
Root Cause Analysis
Monitoring
Ongoing Tracking, Trending, and Analysis
Conclusion
Vulnerability Checklist

Developing a Vulnerability Management Program is crucial for an organization to successfully manage its vulnerabilities. Oftentimes, a Vulnerability Management Program is mistaken for a vulnerability scanner, which is a false equivalence. Although a vulnerability scanner is an important part of the program, there are only a few processes that the scanner is able to perform on its own; most require human intervention. Even though a vulnerability scanner may assist in performing tasks like root cause analysis, remediation, and management of false positives, it is unable to perform such tasks without human involvement. Unfortunately, there are several additional tasks a vulnerability scanner is unable to assist with at all, including defining roles and responsibilities as well as the creation of the policies and procedures used to drive the Vulnerability Management Program. The table below lists the processes required for a solid Vulnerability Management Program while focusing on the specific tasks a vulnerability scanner can either directly perform or assist with.

Cannot / Can / Help / Task

Roles and Responsibilities - Roles and responsibilities must be created for the individuals involved in the Vulnerability Management Program.

Discovery - This is the process of determining what devices are active on the organization's network.

System Inventory and Business Owner Identification - This is the process of creating an inventory of the contents of the devices the discovery scan identified. This inventory should include both technical information (operating system, applications, services, etc.) and non-technical information (the types of data the system stores/transmits/processes, the asset owner, etc.).

Data Classification - The organization must clearly articulate what data it values most. It is also important to know what data the organization stores/processes/transmits that must meet regulatory requirements.

Asset Classification - Assets should be grouped according to asset criticality. Asset criticality should take into account the data that is stored/transmitted/processed on the server, business impact, etc.

Create High Level Policies and Procedures that Support Vulnerability Remediation Efforts - High level policies must be created at the beginning of the Vulnerability Management Program. These policies must articulate service level agreements that are based on asset criticality and vulnerability severity. Procedures should be established for testing system level changes before making changes to production servers.

Create Baselines of Classified Assets - Determine what kinds of vulnerabilities pose the greatest risk to a specific asset group. Determine acceptable vulnerability baselines for such assets.

Create Scan Templates Specific to Each Baseline - Customize scan templates to meet the needs of each asset group. Asset groups should contain assets of similar asset value.

Scan - Use a vulnerability scanner to scan devices on the network for vulnerabilities.

False Positive Removal - Remove false positives from scan data.

Prioritization - Prioritize vulnerability remediation efforts based on asset classification and vulnerability severity.

Remediation and Security Control Implementation - Remediate the vulnerabilities that the scanner identified on vulnerable devices. If a vulnerability cannot be remediated, compensating controls must be implemented to mitigate the risk that the vulnerability poses to the organization.

Rescan - Rescan devices that the scanner reported as containing vulnerabilities in order to verify that the vulnerabilities are remediated, or that compensating controls effectively address the risk that the vulnerability poses to the organization.

Root Cause Analysis - Determine the root cause of the identified vulnerabilities and eliminate it.

Create Final Policies and Procedures Regarding Network Segmentation, Patch Management, Minimum Security Baseline Implementation, and Remediation of Vulnerabilities - At this point, the Vulnerability Management Program has finished its first scan, remediated the identified vulnerabilities, and addressed the root causes of the problems. The next step is to finalize the policies and procedures related to the Vulnerability Management Program. Policies and procedures surrounding network segmentation, patch management, minimum security baseline implementation, etc. may also need to be updated and/or created depending on the results of the root cause analysis.

Monitoring - Monitor the network for new vulnerabilities by performing ongoing security assessments.

Manual Assessments to Identify Holes that Scanners Cannot Find and Verify Security Controls and an Effective Vulnerability Management Program - Vulnerability assessments are primarily tool-based assessments. The problem is that tools cannot find certain vulnerabilities (such as flaws in business logic). Manual assessments such as External Attack and Penetration Assessments, Internal Attack and Penetration Assessments, and Whitebox, Greybox, and Blackbox Web Application Assessments should be performed in order to determine the effectiveness of the security controls the organization has put in place.

Ongoing Tracking, Trending, and Analysis - A Vulnerability Management Program is not a one-time assessment. Instead, it is an ongoing process that should provide continual analysis and trending of the vulnerabilities identified on the network over long periods of time. It should be able to generate reports that clearly reflect the technical security posture of the organization over time.
This list reveals some pretty interesting items regarding a scanner's role in a Vulnerability Management Program. First, there are several tasks that a scanner cannot perform within a Vulnerability Management Program. Second, there are very few tasks a vulnerability scanner can do in and of itself. The third item that should be noted is the fact that the vulnerability scanner can assist with many tasks that are not specific to vulnerability scanning. In this paper, I will address the items related to the Vulnerability Management Program that a scanner can either perform or assist with. When I discuss specific vulnerability scanners, I will focus most of my time on Qualys QualysGuard and the Enterprise version of Nexpose. I have found that both of these vulnerability scanners fit very well into an overall Vulnerability Management Program.

Discovery

I have always loved war movies. I find that one of the most nerve-wracking scenarios is when an enemy sniper is hiding and the good guys do not know the location. The sniper takes aim and starts inflicting damage upon the good guys. The good guys cannot address the problem until the sniper's location has been identified. Once the location is identified, the good guys are able to stop the threat (normally with heavy artillery). This scenario correlates to the discovery phase of a Vulnerability Management Program. A device may exist on the network which poses a significant risk to the organization's network. However, the threat cannot be addressed until the organization is aware of the device's existence on the network. Discovery involves identifying what assets are active on the organization's network. In fact, this is one task that vulnerability scanners are great at. In order to scan a device for vulnerabilities, the scanner needs to know what devices are active on the network. The scanner will use a number of methods (TCP packets, ICMP requests, etc.) in order to identify what systems are alive on the network segment.
Once identified, the organization can perform system inventory and owner identification.

Qualys & Nexpose: These scanners allow organizations to run discovery scans. A discovery scan uses various types of packets in order to determine which devices are active on the organization's network. It should be noted that a discovery scan's purpose is not to identify vulnerabilities; its purpose is to determine what assets are active on the organization's network. Both of these vulnerability scanners will also identify which hosts are active on the organization's network as part of the normal vulnerability scanning process.

System Inventory and Business Owner Identification

System inventory involves cataloging the applications, hardware, operating system, services, data, etc. on a specific device. Most vulnerability scanners, such as Qualys, Nexpose, and Nessus, fingerprint the operating system and the externally facing services. This information is part of the scan results that can be reviewed after a vulnerability scan is completed. Although this information is helpful, it is only a subset of the technical information on a device that should be inventoried. Organizations can purchase software which specializes in tracking system inventory and can be used to pull required inventory information as needed. Additionally, technical information should be inventoried, such as applications, operating systems, services, and the type of data that the device stores. It is critical that the organization knows which devices store/transmit/process sensitive data. In addition to inventorying technical information and what data the system houses, it is important that the owner of the device is tracked. This information should be tracked for a number of reasons. First, if something were to happen to the device during a vulnerability scan (such as it stops responding), the person in charge of running the scans knows who to contact. The second reason is so that the person in charge of vulnerability scanning can contact the asset owners of devices containing vulnerabilities as indicated by the scanner.

Qualys & Nexpose: Both of these scanners can provide limited information about the devices that they scan. This includes items such as externally accessible services, operating system, etc. Neither can provide the necessary information for a full inventory of technical components, data, and asset owner.

Create Scan Templates Specific to Each Baseline

Let's suppose that you own two watches. One is a $9,000 Rolex and the other is a $10 Timex. Needless to say, you will treat these watches differently! Which watch would you wear when jogging? Which watch would be worn to an important black tie event? You would use these watches differently due to the disparity in value between the two. Similar to an individual's watches, all of an organization's assets do not have the same value. Due to the discrepancy in value, the organization should not treat all of its assets the same way. Some assets contain credit card data, others hold sensitive and/or proprietary information, some will have a high business impact on the organization (such as a mail server), some maintain applications that are business critical, and others maintain applications that are not business critical. In reality, an organization's assets have different functionality and value. Not all of the organization's assets should be treated the same. It is important to create a scan template for each asset group that meets its specific needs.

Qualys & Nexpose: Both of these vulnerability scanners allow users to create various scan templates that can be used to scan different asset groups. Organizations should customize these scan templates to meet the needs of the devices that they are scanning.

Scan

I remember the first time I watched Star Wars: Return of the Jedi.
The Rebellion had created an elaborate plan to destroy the second Death Star. The starfighters could not destroy the second Death Star until its shield generator was eliminated. Once the team on Endor eliminated the shield generator, the starfighters could blow the Death Star to pieces. This is similar to the scan portion of the Vulnerability Management Program. A solid Vulnerability Management Program has many steps that must be performed before the actual scan takes place (Roles and Responsibilities, Discovery, Data Classification, Asset Classification, etc.). Once all the preparatory work is complete, it is time to destroy the Death Star!...or run the scan. This is where the vulnerability scanner shows that it is able to do what it claims to do. Vulnerability scanners should be able to detect vulnerabilities in various operating systems, services, applications, databases, web applications, etc.

Qualys & Nexpose: Both of these scanners do a nice job of identifying vulnerabilities on an organization's network. These scanners can identify missing patches, insecurely configured software and services, etc. In addition to running non-credentialed scans against an organization's assets, both Qualys and Nexpose can run credentialed scans as well. Credentialed scans generally identify several additional flaws in devices that non-credentialed scans cannot. The reason for this is that a credentialed scan accesses the application as an authenticated user, thus gaining less restrictive access to the operating system and installed applications.
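The preparatory steps above (discovery, inventory with business owner, asset classification, one scan template per asset group) can be tied together in a small reconciliation pass that runs before any vulnerability scan is launched. The following is an added example, not code from the paper or from Qualys or Nexpose; the inventory layout, the regulated data types, the criticality rule and the template names are assumptions standing in for an organization's own policy, and all sample data is constructed.

```python
"""Reconcile a discovery scan with the asset inventory, then choose the scan
template for each asset group.

Added example; it is not code from the paper or from Qualys/Nexpose. The
inventory layout, the regulated data types, the criticality rule and the
template names are assumptions standing in for an organization's own policy.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Data types the organization has classified as regulated (assumption).
REGULATED_DATA = {"cardholder", "phi"}


@dataclass
class InventoryRecord:
    hostname: str
    os: str
    services: List[str]
    data_types: List[str]      # from data classification
    business_impact: str       # "high" | "medium" | "low"
    owner: Optional[str]       # business owner; None if nobody has claimed it


def derive_criticality(rec: InventoryRecord) -> str:
    """Asset classification: business impact, raised to high when regulated data is present."""
    if REGULATED_DATA & set(rec.data_types):
        return "high"
    return rec.business_impact


# One scan template per asset group (assumed template names).
TEMPLATE_BY_CRITICALITY = {
    "high": "full-credentialed-weekly",
    "medium": "full-credentialed-monthly",
    "low": "safe-uncredentialed-quarterly",
}

# Constructed sample inventory, keyed by IP address.
INVENTORY: Dict[str, InventoryRecord] = {
    "10.0.1.10": InventoryRecord("pay-db-01", "Windows Server", ["mssql"], ["cardholder"], "medium", "finance-it"),
    "10.0.1.11": InventoryRecord("mail-01", "Linux", ["smtp", "imap"], ["internal"], "high", "messaging"),
    "10.0.1.12": InventoryRecord("wiki-01", "Linux", ["http"], ["proprietary"], "medium", None),
    "10.0.2.50": InventoryRecord("lab-01", "Linux", ["ssh"], [], "low", "qa-lab"),
    "10.0.3.3": InventoryRecord("old-fs-01", "Windows Server", ["smb"], ["internal"], "medium", "infra"),
}

# Constructed sample: hosts a discovery scan reported as alive.
DISCOVERED = ["10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.2.50", "10.0.9.7"]


@dataclass
class Reconciliation:
    unknown: List[str] = field(default_factory=list)    # alive, not in inventory: the hidden "sniper"
    not_seen: List[str] = field(default_factory=list)   # inventoried, not alive: stale record or outage
    ownerless: List[str] = field(default_factory=list)  # alive and inventoried, but nobody to call
    template_for: Dict[str, str] = field(default_factory=dict)  # ip -> scan template


def reconcile(discovered: List[str], inventory: Dict[str, InventoryRecord]) -> Reconciliation:
    r = Reconciliation()
    alive = set(discovered)
    for ip in sorted(alive):
        rec = inventory.get(ip)
        if rec is None:
            # Unknown devices get no template: inventory and owner come first.
            r.unknown.append(ip)
            continue
        if rec.owner is None:
            r.ownerless.append(ip)
        r.template_for[ip] = TEMPLATE_BY_CRITICALITY[derive_criticality(rec)]
    r.not_seen = sorted(set(inventory) - alive)
    return r


if __name__ == "__main__":
    result = reconcile(DISCOVERED, INVENTORY)
    print("Unknown devices (inventory them before scanning):", result.unknown)
    print("Inventoried but not responding:", result.not_seen)
    print("No business owner recorded:", result.ownerless)
    for ip, template in result.template_for.items():
        print(f"{ip} -> {template}")
```

The design choice worth noting is that data classification overrides business impact: pay-db-01 is declared medium impact but stores cardholder data, so it lands in the high-criticality asset group and gets that group's template. Hosts discovered but absent from the inventory are deliberately left without a template, which mirrors the paper's ordering of inventory before scan template creation.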
False Positive Removal

Have you ever had a conversation that went something like the following?

Security Personnel: Good afternoon Mr. Smith, I am calling to inform you that device X.X.X.X is vulnerable to vulnerability H1-N1.

Technical Personnel: Isn't that a vulnerability from over 50 years ago? If I recall correctly, it had something to do with the device broadcasting its username and password every 5 seconds to each device on the network. Is this the vulnerability you are referring to?

Security Personnel: That is the exact vulnerability! As you know, this is an extreme vulnerability allowing an attacker to gain access to every device on the network at once!

Technical Personnel: This is a brand new server. I just installed the newest version of Windows last week. I also verified that it is completely updated. H1-N1 is a vulnerability on UNIX and is 50 years old! This server is not vulnerable to H1-N1!

No matter how good a vulnerability scanner is, it is going to report some false positives. These false positives can skew reporting and make it difficult to perform trending and analysis. Not to mention the fact that if the person performing the vulnerability scanning continues to send the same false positives to the same asset owners month after month, these asset owners will tend to get angry at the person performing the scanning. Both Qualys and Nexpose have effective ways to address false positives. Qualys gives the person in charge of running the scans the ability to ignore specific vulnerabilities on specific assets. That person can then run reports that list all ignored vulnerabilities at a later time. This is an important step because vulnerabilities should never be ignored indefinitely. The vulnerability scanner can run an ignored vulnerability report once every three to six months. This report should be reviewed in order to verify that labeling a vulnerability a false positive is still valid.
Nexpose allows organizations to mark vulnerabilities as false positives and choose to ignore them for a specific amount of time. When the time expires, the vulnerability will once again appear in the vulnerability scan results. This is a good feature because it makes sure that false positives are not ignored indefinitely. It forces the organization to periodically review false positives in order to revisit the business justification as to why these vulnerabilities are considered false positives.

Prioritization

Imagine running a scan against an internal network. At the end of the scan, you get a report that shows 700 vulnerabilities on 200 individual systems. Some of these vulnerabilities pose a significant risk to the device the vulnerability was identified on; others pose a substantial risk to the affected device, but are not as severe as some of the other vulnerabilities. Some devices with identified vulnerabilities are part of a test lab, which is fully segmented from the rest of the network. Further vulnerabilities were identified on servers that store critical business data, and other vulnerabilities were found on systems storing data that must comply with specific regulations. The person in charge of performing vulnerability scanning is responsible for leading remediation efforts. With all the various vulnerabilities and affected systems, it can be difficult to prioritize the remediation efforts.
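The prioritization problem just described, combined with the checklist's requirement that service level agreements be based on asset criticality and vulnerability severity, can be worked through with a small scoring routine. The following is an added example, not code from the paper or from Qualys or Nexpose; the weights, the SLA table, the treatment of segmented lab hosts and the sample findings are all constructed assumptions standing in for an organization's own policy and scan data.

```python
"""Prioritize scan findings by asset criticality and vulnerability severity,
and derive a remediation due date from the SLA policy.

Added example; not code from the paper or from Qualys/Nexpose. The weights,
the SLA table and the sample findings are assumptions standing in for an
organization's own policy and scan output.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}              # asset classification
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}  # scanner severity

# Assumed SLA policy: days allowed to remediate, by (asset criticality, severity).
SLA_DAYS = {
    ("high", "critical"): 7,    ("high", "high"): 14,   ("high", "medium"): 30,   ("high", "low"): 90,
    ("medium", "critical"): 14, ("medium", "high"): 30, ("medium", "medium"): 60, ("medium", "low"): 180,
    ("low", "critical"): 30,    ("low", "high"): 60,    ("low", "medium"): 90,    ("low", "low"): 365,
}


@dataclass(frozen=True)
class Finding:
    host: str
    criticality: str        # from asset classification
    vuln_id: str            # scanner check identifier (constructed here)
    severity: str
    found_on: date
    segmented: bool = False  # host sits on a fully segmented network, e.g. a test lab


@dataclass(frozen=True)
class Prioritized:
    finding: Finding
    score: int
    due: date


def score(f: Finding) -> int:
    s = CRITICALITY_WEIGHT[f.criticality] * SEVERITY_WEIGHT[f.severity]
    if f.segmented:
        s = max(1, s // 2)  # fewer paths reach the host: lower the rank, never drop the finding
    return s


def due_date(f: Finding) -> date:
    return f.found_on + timedelta(days=SLA_DAYS[(f.criticality, f.severity)])


def prioritize(findings: List[Finding]) -> List[Prioritized]:
    """Remediation roadmap: highest score first; earliest due date, then host name, break ties."""
    ranked = [Prioritized(f, score(f), due_date(f)) for f in findings]
    return sorted(ranked, key=lambda p: (-p.score, p.due, p.finding.host))


def overdue(ranked: List[Prioritized], as_of: date) -> List[Prioritized]:
    """Findings whose SLA has already lapsed on the given day."""
    return [p for p in ranked if p.due < as_of]


# Constructed sample: four findings from one internal scan.
SCAN_DATE = date(2024, 1, 2)
SAMPLE_FINDINGS = [
    Finding("wiki-01", "medium", "weak-tls-config", "high", SCAN_DATE),
    Finding("lab-01", "low", "default-credentials", "critical", SCAN_DATE, segmented=True),
    Finding("pay-db-01", "high", "missing-patch-A", "critical", SCAN_DATE),
    Finding("mail-01", "high", "open-relay-check", "medium", SCAN_DATE),
]
AS_OF = date(2024, 1, 15)

if __name__ == "__main__":
    for p in prioritize(SAMPLE_FINDINGS):
        print(f"{p.score:>3}  {p.finding.host:<10} {p.finding.vuln_id:<20} due {p.due}")
    print("Overdue:", [p.finding.host for p in overdue(prioritize(SAMPLE_FINDINGS), AS_OF)])
```

Two points of the design follow the paper directly: the score is the product of asset criticality and vulnerability severity, so a critical finding on a low-value lab box ranks below a medium finding on a payment server, and the due date comes from a policy table rather than from the scanner's severity alone. The segmentation adjustment only lowers a finding's rank; it never removes it, because segmentation is a compensating control whose effectiveness still has to be verified on rescan.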
Qualys allows the grouping of assets into "asset groups". Basic asset criticality information can be assigned to these asset groups. Qualys is able to run reports correlating asset criticality information with the severity of the vulnerability, serving as a basic remediation roadmap. Nexpose likewise allows assets to be placed in "asset groups", and basic asset criticality can be assigned to each asset group. The asset criticality information is correlated with vulnerability severity in order to prioritize vulnerability remediation efforts. This correlated information can help with the prioritization of remediation efforts.

Remediation and Security Control Implementation

One of the most important tasks of a vulnerability scanner is to provide clear and detailed reports. These reports should include a vulnerability description, information regarding the threat that the vulnerability poses to the device, details on how to remediate the vulnerability, vulnerability severity, etc. It is critical to know if a vulnerability scanner has the ability to articulate how it found a particular vulnerability as well as provide a detailed remediation outline. Without this information, the organization may need to spend several hours locating solutions to address the identified vulnerabilities.

Qualys & Nexpose: Both scanners provide detailed information regarding the identified vulnerabilities and what steps are required to remediate the issue.

When an organization finishes running its first vulnerability scan and sees all the vulnerabilities on its network, it may feel a little overwhelmed. Oftentimes a scan will reveal hundreds of vulnerabilities on the network that pose a significant risk. Tracking remediation efforts for each of these vulnerabilities can quickly become an overwhelming task! Many individuals attempt to track remediation efforts using spreadsheets; however, they quickly realize a spreadsheet is inadequate to track all the remediation efforts.
Larger organizations may significantly benefit from using ticketing systems to track remediation efforts. Both Qualys and Nexpose come with built-in ticketing systems that can be used to support vulnerability remediation efforts. These ticketing systems are nice because they keep all data relating to remediation efforts in one centralized location.

Re-Scan

Once the organization has finished remediating vulnerabilities and implementing compensating controls, it's time to rescan the assets. The rescan is performed to verify that the vulnerabilities have effectively been addressed. More than once, I have been in situations where I was told that a vulnerability had been remediated. Upon rescanning the affected device, I found that it was still present. I contacted the person who had assured me the vulnerability had been remediated and informed them that the vulnerability was, in fact, still present on the affected asset. A few days later, I was contacted again and told the vulnerability was remediated. Once again, I rescanned the device and found that it was still vulnerable. I proceeded to contact the person who had let me know that the vulnerability had been remediated and asked them how they had attempted to remediate it. Upon further inquiry, I realized that the person who was working on remediating the vulnerability had no clue as to what the vulnerability was or how to remediate it. The point is, just because someone informs you that a vulnerability has been remediated does not make it true. It is important to rescan the affected system to verify that the vulnerability has truly been addressed.
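The rescan verification described above, the time-limited false-positive exceptions from the False Positive Removal section, and the comparative report discussed under Root Cause Analysis all reduce to the same operation: diff two scan result sets while honouring exceptions that expire. The following is an added example, not code from the paper or from Qualys or Nexpose; the (host, check id) finding key, the exception record and every sample value, including the reuse of the paper's fictional H1-N1 check as the suppressed false positive, are constructed assumptions.

```python
"""Compare a rescan with the previous scan, honouring false-positive
exceptions that expire, and check remediation claims against the result.

Added example; not code from the paper or from Qualys/Nexpose. The finding
key (host, check id), the exception record and all sample data are
constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Set, Tuple

Key = Tuple[str, str]  # (host, scanner check id)


@dataclass(frozen=True)
class FalsePositive:
    host: str
    vuln_id: str
    justification: str  # business reason; reviewed again when the exception expires
    expires: date


@dataclass
class ScanDiff:
    remediated: List[Key]        # in the old scan, gone from the rescan
    still_present: List[Key]     # in both scans and not covered by an active exception
    new: List[Key]               # only in the rescan and not covered by an active exception
    suppressed: List[Key]        # in the rescan but covered by an active exception
    expired_exceptions: List[FalsePositive]  # must be re-justified, otherwise the finding reappears


def split_exceptions(exceptions: Iterable[FalsePositive], as_of: date) -> Tuple[Set[Key], List[FalsePositive]]:
    active: Set[Key] = set()
    expired: List[FalsePositive] = []
    for e in exceptions:
        if as_of <= e.expires:
            active.add((e.host, e.vuln_id))
        else:
            expired.append(e)
    return active, expired


def compare_scans(before: Iterable[Key], after: Iterable[Key],
                  exceptions: Iterable[FalsePositive], as_of: date) -> ScanDiff:
    b, a = set(before), set(after)
    active, expired = split_exceptions(exceptions, as_of)
    return ScanDiff(
        remediated=sorted(b - a),
        still_present=sorted((b & a) - active),
        new=sorted((a - b) - active),
        suppressed=sorted(a & active),
        expired_exceptions=expired,
    )


def unsupported_claims(claimed_fixed: Set[Key], diff: ScanDiff) -> List[Key]:
    """Remediation claims the rescan contradicts: the finding is still there."""
    return sorted(k for k in claimed_fixed if k in diff.still_present)


# Constructed sample data: previous scan, rescan, exceptions and claimed fixes.
BEFORE = [("pay-db-01", "missing-patch-A"), ("pay-db-01", "SMBv1-enabled"),
          ("wiki-01", "weak-tls-config"), ("mail-01", "H1-N1")]
AFTER = [("pay-db-01", "SMBv1-enabled"), ("wiki-01", "weak-tls-config"),
         ("mail-01", "H1-N1"), ("lab-01", "default-credentials")]
EXCEPTIONS = [
    FalsePositive("mail-01", "H1-N1", "Check targets old UNIX; host is a fully patched Windows server", date(2024, 6, 30)),
    FalsePositive("wiki-01", "weak-tls-config", "Internal-only service, accepted at last review", date(2023, 12, 31)),
]
CLAIMED_FIXED = {("pay-db-01", "missing-patch-A"), ("pay-db-01", "SMBv1-enabled")}
AS_OF = date(2024, 2, 1)


def run_example(as_of: date = AS_OF) -> Tuple[ScanDiff, List[Key]]:
    diff = compare_scans(BEFORE, AFTER, EXCEPTIONS, as_of)
    return diff, unsupported_claims(CLAIMED_FIXED, diff)


if __name__ == "__main__":
    diff, bad_claims = run_example()
    print("Remediated:", diff.remediated)
    print("Still present:", diff.still_present)
    print("New since last scan:", diff.new)
    print("Suppressed (active exception):", diff.suppressed)
    print("Exceptions to re-justify:", [(e.host, e.vuln_id) for e in diff.expired_exceptions])
    print("Claimed fixed but still detected:", bad_claims)
```

The expired exception on wiki-01 illustrates the Nexpose behaviour the paper praises: once the exception lapses the finding surfaces again in still_present and the justification has to be revisited, so nothing is ignored indefinitely. The unsupported_claims check encodes the rescan lesson: a claim that SMBv1 was remediated on pay-db-01 is contradicted by the rescan and goes back to the asset owner, while the missing patch genuinely disappeared. The same four buckets, accumulated scan over scan, are what a comparative report for trending is built from.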
Both Qualys and Nexpose have the ability to scan a specific device multiple times to verify the vulnerability has been addressed.

Root Cause Analysis

Imagine that you have a broken window in your house. Within a few days, you notice that copious amounts of flies have filled the rooms. You bug bomb every room in the house and the flies are pretty much eliminated; however, you never fixed the broken window. A few days later, the flies have started to fill the house once again. Unfortunately, this is a game that many security professionals take part in on a regular basis. The vulnerability scanner identifies a number of missing patches on the network and the organization starts applying patches to all the identified areas. When it's time to run a vulnerability scan once again, you will never guess what the scanner finds...missing patches! Vulnerabilities are normally the result of a much larger flaw in a secondary process. If the vulnerability scanner keeps identifying missing patches, then maybe it's time to review the patch management program. If the vulnerability scanner keeps identifying applications that have vulnerabilities as a result of insecure configurations (default usernames and passwords, a blank SA password, etc.), then maybe it's time to review system hardening procedures, minimum security baselines, policies and procedures regarding the application of minimum security baselines, etc. The point is, if the root of the vulnerability is not addressed, the organization will be forced to deal with the same vulnerabilities month after month. One of the main ways that vulnerability scanners can assist with root cause analysis is by providing robust reporting. Comparative reports are among the most important reports that can be used for trending and analysis. These reports compare a scan performed at one point in time with a scan performed at a second point in time.
The report highlights the differences between the two scans, enabling the organization to quickly identify how its security posture has improved and/or deteriorated over time. These reports can also quickly highlight systemic problems with the patch management program, system hardening guidelines, minimum security baselines, and the policies and procedures that enforce the application of system hardening guidelines and minimum security baselines. Both Qualys and Nexpose have the ability to report the comparison between two scans performed at separate points in time.

Monitoring

Imagine that you have a new car. Your maintenance manual states that the oil in the car needs to be changed every 5,000 miles. The first 5,000 miles are up and you bring the car into the shop to have the oil changed. You follow the maintenance manual's guidelines for changing the oil for the first couple of years. After a while, the novelty of the new car starts to wear off and you stop monitoring the number of miles until the next oil change. A year has passed and you're driving your car down the highway when the lack of oil changes finally catches up with your car. The car suddenly breaks down and when you open the hood, you are greeted by a cloud of black smoke. Congratulations! You just destroyed your car's engine! Once an organization reaches its ideal level of security, it may feel as though it has "finally arrived." Organizations must fight this temptation and continue to monitor their security posture on an ongoing basis. If the organization does not continue to monitor its security posture, it will quickly fall into a deteriorated state of security. A Vulnerability Management Program is not a one-time assessment. It is a continual process utilizing assessments such as vulnerability scanning on a regularly scheduled basis. At a very minimum, the discovery task of the Vulnerability Management Program should be performed once a month in order to discover what new devices were placed on the network. As new devices are identified, a full vulnerability scan should be performed to verify that no vulnerabilities are present on these devices. A full vulnerability scan of every device on the network should be performed once a quarter (every three months). Both Qualys and Nexpose can be used on a continual basis to scan the organization's network.

Ongoing Tracking, Trending, and Analysis

The vulnerability scanner should be able to quickly generate reports that can be used for tracking, trending, and ongoing analysis. It's important to have the ability to quickly generate reports showing the current technical vulnerabilities in the organization's network and the threats they pose. Vulnerability data obtained over multiple scans should be able to be quickly correlated and compared. It is recommended that the organization have policies which require scan data to be saved for a minimum of two years. This data should be kept in a format that the scanner can read and use in its reporting engine. Both Qualys and Nexpose are able to generate clear and detailed reports used for tracking, trending, and analysis.

Conclusion

Qualys and Nexpose are good vulnerability scanners that can be used as a solid part of a much larger Vulnerability Management Program. It is important for organizations to understand the role vulnerability scanners play in an overall Vulnerability Management Program. It is also important to know the limitations of such scanners. They are an important part of a Vulnerability Management Program; however, they are not the program itself.
More informationReview: McAfee Vulnerability Manager
Review: McAfee Vulnerability Manager S3KUR3, Inc. Communicating Complex Concepts in Simple Terms Tony Bradley, CISSP, Microsoft MVP September 2010 Threats and vulnerabilities are a way of life for IT admins.
More informationNetwork Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201
Network Detective 2015 RapidFire Tools, Inc. All rights reserved V20150201 Contents Purpose of this Guide... 3 About Network Detective... 3 Overview... 4 Creating a Site... 5 Starting a HIPAA Assessment...
More informationThe Value of Vulnerability Management*
The Value of Vulnerability Management* *ISACA/IIA Dallas Presented by: Robert Buchheit, Director Advisory Practice, Dallas Ricky Allen, Manager Advisory Practice, Houston *connectedthinking PwC Agenda
More informationContinuous Network Monitoring
Continuous Network Monitoring Eliminate periodic assessment processes that expose security and compliance programs to failure Continuous Network Monitoring Continuous network monitoring and assessment
More informationPenetration Testing and Vulnerability Scanning
Penetration Testing and Vulnerability Scanning Presented by Steve Spearman VP of HIPAA Compliance Services, Healthicity 20 years in Health Information Technology HIPAA Expert and Speaker Disclaimer: Nothing
More informationFact or Fiction: Debunking the Top 5 Misconceptions about Vulnerability Management
Fact or Debunking the Top 5 Misconceptions about Vulnerability Management Wednesday, March 26, 2008 Copyright 2008, Lumension Security www.lumension.com Fact or Debunking the Top 5 Vulnerability Management
More informationTRUSTWAVE VULNERABILITY MANAGEMENT USER GUIDE
.trust TRUSTWAVE VULNERABILITY MANAGEMENT USER GUIDE 2007 Table of Contents Introducing Trustwave Vulnerability Management 3 1 Logging In and Accessing Scans 4 1.1 Portal Navigation and Utility Functions...
More informationVulnerability Management. Information Technology Audit. For the Period July 2010 to July 2011
O L A OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA FINANCIAL AUDIT DIVISION REPORT Vulnerability Management Information Technology Audit For the Period July 2010 to July 2011 May 22, 2012 Report
More informationManagement (CSM) Capability
CDM Configuration Settings Management (CSM) Capability Department of Homeland Security National Cyber Security Division Federal Network Security Network & Infrastructure Security Table of Contents 1 PURPOSE
More informationINTRODUCTION: PENETRATION TEST A BUSINESS PERSPECTIVE:
PENETRATION TESTING A SYSTEMATIC APPROACH INTRODUCTION: The basic idea behind writing this article was to put forward a systematic approach that needs to be followed to perform a successful penetration
More informationAUTOMATING THE 20 CRITICAL SECURITY CONTROLS
AUTOMATING THE 20 CRITICAL SECURITY CONTROLS Wolfgang Kandek, CTO Qualys Session ID: Session Classification: SPO-T07 Intermediate 2012 the Year of Data Breaches 2013 continued in a similar Way Background
More informationI. Overview. II. Vulnerability Management Improves Security. III. Automating Vulnerability Workflow is Crucial
GUIDE Guide to Effective Remediation of Ne t wor k Vulnerabilities and Compliance Table of Contents I. Overview II. Vulnerability Management Improves Security 2 2 III. Automating Vulnerability Workflow
More informationCDM Vulnerability Management (VUL) Capability
CDM Vulnerability Management (VUL) Capability Department of Homeland Security Office of Cybersecurity and Communications Federal Network Resilience Vulnerability Management Continuous Diagnostics and Mitigation
More informationHow to Grow and Transform your Security Program into the Cloud
How to Grow and Transform your Security Program into the Cloud Wolfgang Kandek Qualys, Inc. Session ID: SPO-207 Session Classification: Intermediate Agenda Introduction Fundamentals of Vulnerability Management
More informationPresented by Evan Sylvester, CISSP
Presented by Evan Sylvester, CISSP Who Am I? Evan Sylvester FAST Information Security Officer MBA, Texas State University BBA in Management Information Systems at the University of Texas Certified Information
More informationSecurity Testing for Web Applications and Network Resources. (Banking).
2011 Security Testing for Web Applications and Network Resources (Banking). The Client, a UK based bank offering secure, online payment and banking services to its customers. The client wanted to assess
More informationDedicated and Distributed Vulnerability Management
Dedicated and Distributed Vulnerability Management December 2002 (Updated February 2007) Ron Gula Chief Technology Officer Table of Contents TABLE OF CONTENTS... 2 INTRODUCTION... 3 THE NEED FOR VULNERABILITY
More informationFIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities Learning Objectives Name the common categories of vulnerabilities Discuss common system
More informationWorldwide Security and Vulnerability Management 2009 2013 Forecast and 2008 Vendor Shares
EXCERPT Worldwide Security and Vulnerability Management 2009 2013 Forecast and 2008 Vendor Shares IN THIS EXCERPT Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015
More informationBUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM
BUILDING AN OFFENSIVE SECURITY PROGRAM Common Gaps in Security Programs Outsourcing highly skilled security resources can be cost prohibitive. Annual assessments don t provide the coverage necessary. Software
More informationWhy Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation www.lumeta.
Why Leaks Matter Leak Detection and Mitigation as a Critical Element of Network Assurance A publication of Lumeta Corporation www.lumeta.com Table of Contents Executive Summary Defining a Leak How Leaks
More informationVulnerability Management for the Distributed Enterprise. The Integration Challenge
Vulnerability Management for the Distributed Enterprise The Integration Challenge Vulnerability Management and Distributed Enterprises All organizations face the threat of unpatched vulnerabilities on
More informationWhite Paper The Dynamic Nature of Virtualization Security
White Paper The Dynamic Nature of Virtualization Security The need for real-time vulnerability management and risk assessment Introduction Virtualization is radically shifting how enterprises deploy, deliver,
More informationBlended Security Assessments
Blended Security Assessments Combining Active, Passive and Host Assessment Techniques October 12, 2009 (Revision 9) Renaud Deraison Director of Research Ron Gula Chief Technology Officer Table of Contents
More informationInformation Security and Continuity Management Information Sharing Portal. Category: Risk Management Initiatives
Information Security and Continuity Management Information Sharing Portal Category: Risk Management Initiatives Contact: Chip Moore, CISO State of North Carolina Office of Information Technology Services
More informationCA Vulnerability Manager r8.3
PRODUCT BRIEF: CA VULNERABILITY MANAGER CA Vulnerability Manager r8.3 CA VULNERABILITY MANAGER PROTECTS ENTERPRISE SYSTEMS AND BUSINESS OPERATIONS BY IDENTIFYING VULNERABILITIES, LINKING THEM TO CRITICAL
More informationREAL SECURITY IS DIRTY
REAL SECURITY IS DIRTY INFORMATION SECURITY AND RISK MANAGEMENT ARE PURSUITS OF BRUTAL SELF- REFLECTION. The most logical business decisions come from facing ugly truths. Before any business spends a dime
More informationApril 23, 2015 ACME Company. Security Assessment Report
April 23, 2015 ACME Company Security Assessment Report 1 Contents Contents... 1 Executive Summary... 2 Project Scope... 3 Network Vulnerabilities... 4 Open Ports... 5 Web Application Vulnerabilities...
More informationLumension Endpoint Management and Security Suite
Lumension Endpoint Management and Security Suite Patch and Remediation Module Evaluation Guide July 2012 Version 1.1 Copyright 2009, Lumension L.E.M.S.S:LPR - Table of Contents Introduction... 3 Module
More informationBest Practices for Building a Security Operations Center
OPERATIONS SECURITY Best Practices for Building a Security Operations Center Diana Kelley and Ron Moritz If one cannot effectively manage the growing volume of security events flooding the enterprise,
More informationSimply Sophisticated. Information Security and Compliance
Simply Sophisticated Information Security and Compliance Simple Sophistication Welcome to Your New Strategic Advantage As technology evolves at an accelerating rate, risk-based information security concerns
More informationCybersecurity Health Check At A Glance
This cybersecurity health check provides a quick view of compliance gaps and is not intended to replace a professional HIPAA Security Risk Analysis. Failing to have more than five security measures not
More informationAutomating Software License Management
Automating Software License Management Automating license management saves time, resources, and costs. It also consistently produces high quality data and a documentable method for mapping software licenses
More informationWHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION
WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION Table of Contents Executive Summary...3 Vulnerability Scanners Alone Are Not Enough...3 Real-Time Change Configuration Notification is the
More informationIT ASSET MANAGEMENT Securing Assets for the Financial Services Sector
IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector V.2 Final Draft May 1, 2014 financial_nccoe@nist.gov This revision incorporates comments from the public. Page Use case 1 Comments
More informationBusiness white paper. Missioncritical. defense. Creating a coordinated response to application security attacks
Business white paper Missioncritical defense Creating a coordinated response to application security attacks Table of contents 3 Your business is under persistent attack 4 Respond to those attacks seamlessly
More informationFeeling Vulnerable? Jamie S. Herman, C CISO, CISM, CISSP Balazs Bucsay, OSCE, OSCP, GIAC, GPEN
Feeling Vulnerable? Jamie S. Herman, C CISO, CISM, CISSP Balazs Bucsay, OSCE, OSCP, GIAC, GPEN Balazs Bucsay A Little About Us Hungarian Hacker 14 years of experience in IT- Security Strictly technical
More informationVULNERABILITY MANAGEMENT
Vulnerability Management (VM) software differ in the richness of reporting, and the capabilities for application and security configuration assessment. Companies must consider how a VM technology will
More informationLifecycle Vulnerability Management and Continuous Monitoring with Rapid7 Nexpose
Lifecycle Vulnerability Management and Continuous Monitoring with Rapid7 Nexpose SPONSORED BY WhatWorks is a user-to-user program in which security managers who have implemented effective Internet security
More informationA Case for Managed Security
A Case for Managed Security By Christopher Harper Managing Director, Security Superior Managed IT & Security Services 1. INTRODUCTION Most firms believe security breaches happen because of one key malfunction
More informationOperational Efficiencies of Proactive Vulnerability Management
Operational Efficiencies of Proactive Vulnerability Management Return on investment analysis Table of Contents Automation Brings Efficiencies 3 Survey Results 3 Cost Elements for 4 Cost Assumptions 4 VMA
More informationMaking Database Security an IT Security Priority
Sponsored by Oracle Making Database Security an IT Security Priority A SANS Whitepaper November 2009 Written by Tanya Baccam Security Strategy Overview Why a Database Security Strategy? Making Databases
More informationNE T GENERATION CLOUD SECURITY PLATFORM
Qualys Cloud Platform The Qualys Cloud Platform and integrated suite of solutions enable organizations to simplify the process and reduce the cost of identifying and securing their IT assets, while ensuring
More information4. Getting started: Performing an audit
4. Getting started: Performing an audit Introduction Security scans enable systems administrators to identify and assess possible risks within a network. Through GFI LANguard N.S.S. this is performed automatically,
More informationNOTICE: This publication is available at: http://www.nws.noaa.gov/directives/.
Department of Commerce National Oceanic & Atmospheric Administration National Weather Service NATIONAL WEATHER SERVICE INSTRUCTION 60-703 23 April 2013 Information Technology IT Security VULNERABILITY
More informationThreat and Vulnerability Management (TVM) Protecting IT assets through a comprehensive program. Chicago IIA/ISACA
www.pwc.com Vulnerability Management (TVM) Protecting IT assets through a comprehensive program Chicago IIA/ISACA 2 nd Annual Hacking Conference Introductions Paul Hinds Managing Director Cybersecurity
More informationSeven Strategies to Defend ICSs
INTRODUCTION Cyber intrusions into US Critical Infrastructure systems are happening with increased frequency. For many industrial control systems (ICSs), it s not a matter of if an intrusion will take
More informationEffective Software Security Management
Effective Software Security Management choosing the right drivers for applying application security Author: Dharmesh M Mehta dharmeshmm@mastek.com / dharmeshmm@owasp.org Table of Contents Abstract... 1
More informationVulnerability Scanning. By: Chandos Carrow, CISSP. 2015 COV IS Conference Richmond, VA
Vulnerability Scanning By: Chandos Carrow, CISSP 2015 COV IS Conference Richmond, VA Myself ~7 years experience with the state in information security ~2 years experience with the VCCS as an Information
More informationMay 11, 2011. (Revision 10)
Blended Security Assessments Combining Active, Passive and Host Assessment Techniques May 11, 2011 (Revision 10) Renaud Deraison Director of Research Ron Gula Chief Technology Officer Copyright 2011. Tenable
More informationIntro to QualysGuard IT Risk & Asset Management. Marek Skalicky, CISM, CRISC Regional Account Manager for Central & Adriatic Eastern Europe
Intro to QualysGuard IT Risk & Asset Management Marek Skalicky, CISM, CRISC Regional Account Manager for Central & Adriatic Eastern Europe A Unified and Continuous View of ICT Security, Risks and Compliance
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More informationWhite Paper. 7 Questions to Assess Data Security in the Enterprise
7 Questions to Assess Data Security in the Enterprise Table of Contents Executive Overview Typical Audit Questions Which Help to Maintain Security in the Enterprise 1. Who Has Which File/Folder Permissions?
More informationFrom the Lab to the Boardroom:
From the Lab to the Boardroom: How to perform a Security Risk Assessment Like a Professional Doug Landoll, CISSP, CISA General Manager, Security Services En Pointe Technologies dlandoll@enpointe.com (512)
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationIBM. Vulnerability scanning and best practices
IBM Vulnerability scanning and best practices ii Vulnerability scanning and best practices Contents Vulnerability scanning strategy and best practices.............. 1 Scan types............... 2 Scan duration
More informationAdobe Systems Incorporated
Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...
More informationNETWORK PENETRATION TESTS FOR EHR MANAGEMENT SOLUTIONS PROVIDER
A C a s e s t u d y o n h o w Z e n Q h a s h e l p e d a L e a d i n g K - 1 2 E d u c a t i o n & L e a r n i n g S o l u t i o n s P r o v i d e r i n U S g a u g e c a p a c i t y o f t h e i r f l
More informationManaging Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services
Managing Vulnerabilities for PCI Compliance White Paper Christopher S. Harper Managing Director, Agio Security Services PCI STRATEGY Settling on a PCI vulnerability management strategy is sometimes a difficult
More informationKASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global
More informationInstalling and Configuring Nessus by Nitesh Dhanjani
Unless you've been living under a rock for the past few years, it is quite evident that software vulnerabilities are being found and announced quicker than ever before. Every time a security advisory goes
More informationSoftware Vulnerability Assessment
Software Vulnerability Assessment Setup Guide Contents: About Software Vulnerability Assessment Setting Up and Running a Vulnerability Scan Manage Ongoing Vulnerability Scans Perform Regularly Scheduled
More informationETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001
001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110
More informationHow To: Choosing the Right Catalog for Software License Management
Software License Management Guide How To: Choosing the Right Catalog for Software License Management Software License Management tools all rely on a catalog to reference and validate data. In this guide
More informationWHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK
WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK DATE OF RELEASE: 27 th July 2012 Table of Contents 1. Introduction... 2 2. Need for securing Telecom Networks... 3 3. Security Assessment Techniques...
More informationWhite Paper: Consensus Audit Guidelines and Symantec RAS
Addressing the Consensus Audit Guidelines (CAG) with the Symantec Risk Automation Suite (RAS) White Paper: Consensus Audit Guidelines and Symantec RAS Addressing the Consensus Audit Guidelines (CAG) with
More informationPut into test the security of an environment and qualify its resistance to a certain level of attack.
Penetration Testing: Comprehensively Assessing Risk What is a penetration test? Penetration testing is a time-constrained and authorized attempt to breach the architecture of a system using attacker techniques.
More informationWHITE PAPER. Running. Windows Server 2003. in a Post-Support World. By Nick Cavalancia
Running Windows Server 2003 in a Post-Support World By Nick Cavalancia TABLE OF CONTENTS Introduction 1 The Challenge of Staying on Windows Server 2003 2 Building a Vulnerability Mitigation Strategy 4
More informationIBM Security QRadar Vulnerability Manager
IBM Security QRadar Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution Highlights Help prevent security breaches by discovering and highlighting high-risk
More informationCSUSB Vulnerability Management Standard CSUSB, Information Security & Emerging Technologies Office
CSUSB Vulnerability Management Standard CSUSB, Information Security & Emerging Technologies Office Last Revised: 09/17/2015 Final REVISION CONTROL Document Title: Author: File Reference: CSUSB Vulnerability
More informationPenetration Testing. Security Testing
Penetration Testing Gleneesha Johnson Advanced Topics in Software Testing Fall 2004 Security Testing Method of risk evaluation Testing security mechanisms to ensure that their functionality is properly
More informationAUDIT REPORT. Cybersecurity Controls Over a Major National Nuclear Security Administration Information System
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections AUDIT REPORT Cybersecurity Controls Over a Major National Nuclear Security Administration Information System DOE/IG-0938
More informationNorth Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing
North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing Introduction ManTech Project Manager Mark Shaw, Senior Executive Director Cyber Security Solutions Division
More information