Vulnerability Management


Vulnerability Management: The early bird catches the worm
Dipl.-Ing. Lukas Memelauer, BSc, lukas.memelauer@calpana.com
calpana business consulting gmbh, Blumauerstraße 43, 4020 Linz

Agenda
- Definitions
- Vulnerability Management Process
- What/how to prepare for a pen test?
- CRISAM Process Model
- CRISAM Vulnerability Knowledge Pack
- Live Demo (Tool, Reporting)

Definitions: Vulnerability Management / Vulnerability Scanning
Vulnerability scanning consists of using a computer program to identify vulnerabilities in networks, computer infrastructure or applications.
Vulnerability management is the process surrounding vulnerability scanning, in which vulnerabilities in IT are identified and the risks of these vulnerabilities are evaluated. This evaluation leads either to correcting the vulnerabilities and removing the risk, or to a formal risk acceptance by the management of the organization (e.g. when the impact of an attack would be low, or when the possible damage to the organization does not outweigh the cost of correction).
Source: SANS

Vulnerability Management Process
- Cyber-crime and the risks associated with it keep growing
- It is important to maintain a continuous overview of vulnerabilities and the associated risks
- Prevent attackers from breaking into networks and stealing information
- Regular vulnerability scanning ensures faster detection and remediation of new vulnerabilities
Five steps:
1. Preparation
2. Vulnerability scan
3. Define remediating actions
4. Implement remediating actions
5. Rescan
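The five-step loop and the correct-or-formally-accept rule from the definition above, as an added example that is not part of the slide deck (nor CRISAM's own code); the findings, host names, identifiers, the impact scale and the low-impact threshold are constructed assumptions:

```python
# Added example (not from the slide deck): a small model of the five-step loop
# above: scan, evaluate each finding, decide remediation or formal risk
# acceptance, implement, rescan. All findings, hosts and ids are constructed.
from collections import namedtuple

# impact: damage if exploited, 1 (low)..10; fix_cost: same scale; vuln_id: placeholder
Finding = namedtuple("Finding", "host vuln_id impact fix_cost")
# accepted_by names the manager who signed the formal risk acceptance ("" until then)
Decision = namedtuple("Decision", "action reason accepted_by")

def evaluate(f, low_impact=3):
    # Rule from the definition slide: correct unless the impact is low or the
    # possible damage does not outweigh the cost of correction.
    if f.impact <= low_impact:
        return Decision("accept", "low impact", "")
    if f.fix_cost > f.impact:
        return Decision("accept", "damage does not outweigh fix cost", "")
    return Decision("remediate", "high impact, affordable fix", "")

def sign_off(d, manager):
    # An acceptance is only formal once management has signed it.
    if d.action != "accept":
        raise ValueError("only 'accept' decisions are signed off")
    return d._replace(accepted_by=manager)

def rescan_status(scan, rescan, decisions):
    # Step 5: a finding must be gone (remediated) or still present with a
    # signed acceptance; anything else is still open or newly appeared.
    key = lambda f: (f.host, f.vuln_id)
    old, new = {key(f) for f in scan}, {key(f) for f in rescan}
    status = {}
    for k in old:
        d = decisions[k]
        if k not in new:
            status[k] = "remediated"
        elif d.action == "accept" and d.accepted_by:
            status[k] = "accepted"
        else:
            status[k] = "still open"
    for k in new - old:
        status[k] = "new"
    return status

def run_example():
    scan = [Finding("node101", "V-A", 8, 2), Finding("node101", "V-B", 2, 5),
            Finding("node102", "V-C", 6, 9)]
    decisions = {(f.host, f.vuln_id): evaluate(f) for f in scan}
    decisions[("node102", "V-C")] = sign_off(decisions[("node102", "V-C")], "CFO")
    # V-B is low impact but nobody has signed its acceptance yet.
    rescan = [Finding("node101", "V-B", 2, 5), Finding("node102", "V-C", 6, 9),
              Finding("node102", "V-D", 5, 1)]
    return rescan_status(scan, rescan, decisions)
```

The rescan marks an unsigned acceptance as still open, which is the point of the slide's "formal" risk acceptance: a low-impact finding is not closed by the evaluation alone.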

What to prepare for a vulnerability scan / pen test?
- Define objectives / goals
- Limit the scope
- Agree on the form of the outcome
- Determine the type of pen test
- Identify machines, systems, networks, operational requirements and the staff involved
- Coordinate timing and duration of the pen test
- Define an emergency procedure
- Decide the third-party handling procedure
- Legally approve the pen testers

How to prepare for a vulnerability scan / pen test?
Institute for Security and Open Methodologies (ISECOM)
- Common practice for preparing and performing a pen test
- A methodology to test the operational security of physical locations, human interactions, and all forms of communications such as wireless, wired, analog, and digital
- Provides a scientific methodology for the accurate characterization of operational security

How to prepare for a vulnerability scan / pen test?
"By failing to prepare, you are preparing to fail." (Benjamin Franklin)

CRISAM Process Model (CRISAM: Corporate Risk Application Method)
An ISO 31000-compliant approach and process model for handling the IT-GRC process. The slide shows the phases as a cycle, each with the items flowing into and out of it:
- Corporate strategy, general conditions -> CONTEXT ESTABLISHMENT -> risk management policy, risk strategy and risk target
- Risk management policy, risk strategy and risk target -> SCOPE ANALYSIS -> business impact in the observed scope; risk strategy, risk models, risk inventory, risk limits
- -> RISK ASSESSMENT -> risk value, risk measures, risk coverage requirements
- Risk policy, risk strategy and risk target, risk coverage requirements, actual risk value, actual risk coverage value -> RISK CONTROL / MEASURE PLANNING with COST-BENEFIT ANALYSIS -> target deviation; action plan, measure prioritization, cost of risk
- Action plan, budget, resources, schedules -> IMPLEMENTATION -> implementation projects, project plans, test steps for action tracking

The role of IT in the company's business
- IT risks impact the company's business processes.
- Major losses tend to occur at business level rather than in IT departments.
(Diagram: the enterprise, with Sales, Human Resources, Finance and Controlling, Corporate Services, Manufacturing and its business processes, on which IT "has impact"; around it the business risks from the information technology and energy market, the raw material market, suppliers, human resources, law and capital costs.)

CRISAM Knowledge Packs
Bundled specialist knowledge, applied to the company process model along the dimensions integrity, availability and confidentiality.
Structure:
- components
- control objectives
- weightings
- evaluation guides
- mappings to criteria
- mappings to sources

CRISAM Vulnerability Knowledge Pack: Content / Sources
An addition to OSSTMM v3 covering three areas, each with its source:
- Organizational aspects: based on a BSI study
- Secure software development (e.g. client-server apps): reporting based on the OWASP Secure Coding Practices Quick Reference Guide
- Webserver security: CRISAM RV ÖNORM A7700 pack

CRISAM Vulnerability Knowledge Pack: Structure
- Additional components: organizational aspects, secure software development
- Modular design for further components
- Additional control objectives
- Reports: compliance report based on OSSTMM v3, OWASP and BSI studies

Live Demo - Example Scenario A
This example is implemented in a CRISAM sample project.
- The department Finance and Controlling delegates a penetration test to a third-party supplier.
- The scope is the e-mail application and the server(s) hosting the application; the corporate network is also in scope.
- To improve the test results, the company uses CRISAM to prepare for the test.
The following components are added:
- Pen-Test Documents (Pen-Test Organizational)
- Pen-Test Exchange (Pen-Test Application)
- Pen-Test Node101, Pen-Test Node102 (Pen-Test Server)
- Pen-Test Network (Pen-Test Network)

Live Demo - Example Scenario B
This example is implemented in a CRISAM sample project.
- The department Research and Development is developing a tool for internal use and is advised by management to consider security aspects.
- The department uses CRISAM for secure software development.
- The relevant aspects are input validation, output encoding, access control and memory management.
The following components are added:
- Secure Tool (Individual Development)
- Input Validation (SSD Input Validation)
- Output Encoding (SSD Output Encoding)
- Access Control (SSD Access Control)
- Memory Management (SSD Memory Management)

Live Demo - Results / Report
This example is implemented in a CRISAM sample project. To show where improvements should be made, a "Phase 4: Compliance Analysis" report for Vulnerability Management can be created. All relevant components are categorized as Penetration Test or Secure Software Development, which makes it easy to show possible improvements.

Key Findings
1. Components for deeper technical analysis
2. Reporting options based on OSSTMM v3, OWASP and BSI studies for optimizing pen-test results
3. CRISAM for pen-test preparation: spare yourself a rude awakening!
Thank you for your attention!
simple, precise, value-oriented, traceable
calpana business consulting gmbh, A-4020 Linz, Blumauerstraße 43, Tel: +43 (732) 601216-0, www.calpana.com, www.crisam.net
Copyright 2013 www.calpana.com, www.crisam.net