CSUSB Vulnerability Management Guidelines CSUSB, Information Security & Emerging Technologies Office

CSUSB Vulnerability Management Guidelines CSUSB, Information Security & Emerging Technologies Office Last Revised: 09/17/2015 Final

REVISION CONTROL

Document Title: CSUSB Vulnerability Management Guidelines
Author: Javier Torner
File Reference:

Date | By | Action | Pages
09/15/2015 | J Torner/J Macdonell | Created Standard | All
9/17/2015 | L Carrizales | Guidelines approved by ISET Subcommittee on 9/16/15. Made changes to the document based on recommendations from ISET Subcommittee. | All

Review/Approval History

Date | By | Action | Pages
9/16/2015 | ISET Subcommittee | Approved Guidelines | All

Contents

1. Introduction
2. Inventory Methodologies
2.1. General (Blackbox) Scanning
2.2. Credentialed Scanning
2.3. Application-Specific Scanning
2.4. Systems Management Inventory
2.5. Questionnaires and Benchmarks
3. Scanning Tools
3.1. Development Environments
3.2. Use-case Considerations
3.3. Production Workflow
4. Vulnerability Remediation
4.1. Typical Action
4.2. False Positives
4.3. Reclassification
4.4. Mitigation
5. References

Guidelines - Vulnerability Management

1. Introduction

An essential component of risk management for information technology (IT) infrastructure is the inventory and remediation of known vulnerabilities. To reduce this risk, vulnerabilities should be inventoried and remediated in a timely manner. Inventory may be conducted using a variety of techniques: vulnerability scanning software (e.g. Nessus, Retina, Qualys), systems management software (e.g. SCCM), patch management software, code review, and physical inventory. Essentially, each technique probes systems and applications to identify and categorize known vulnerabilities. Remediation, the process of correcting or mitigating a vulnerability, may include a combination of: unattended automatic updates, group policies, scheduled maintenance, code patching, deployment of network or application firewalls, physical relocation, etc.

2. Inventory Methodologies

The CSUSB Vulnerability Management Standard requires creating an inventory of systems, applications, and their associated vulnerabilities. Additionally, vulnerability metrics need to be tracked to facilitate vulnerability reporting and risk management. Example metrics include: number of vulnerable systems, number of classified vulnerabilities (critical, high, medium, low), time to remediation, etc. Most metrics are created and tracked using vulnerability scanning software.

2.1. General (Blackbox) Scanning

General scans are appropriate for Internet-facing systems. They are meant to report back vulnerabilities found within the public-facing services. They are more aggressive than credentialed scans, as the services are repeatedly subjected to known exploits.

2.2. Credentialed Scanning

Credentialed scans are appropriate for most CSUSB network-connected systems. These scans are programmed with administrative credentials. The vulnerability scanning agent will crawl filesystems and registries to inventory software versions, policy settings, etc. They are less aggressive than general scans, as they do not include probing with exploits.

2.3. Application-Specific Scanning

Application-specific vulnerability tools are most appropriate for custom-developed applications. For example, web vulnerability scanners accommodate forms-based logins, and can coordinate with server-side modules that monitor the runtime and system logs generated during the scan.

2.4. Systems Management Inventory

A complement or possible alternative to vulnerability scanning is the use of software inventory from systems management software, which can be used to inventory and track at-risk systems by querying for out-of-date software.

2.5. Questionnaires and Benchmarks

For information assets and repositories where a network vulnerability scan is inappropriate, such as a paper repository, use tools such as the sensitive data questionnaire, or a checklist provided for regulated data such as electronic health records.

3. Scanning Tools

In addition to being used routinely for vulnerability inventory and metrics, vulnerability scanning is a form of security testing and may be used during software development. Vulnerability scanning may also be required as part of the Quality Assurance (QA) process, depending on the criticality of an application. Applications in production should be periodically scanned. Web applications specifically should be scanned according to the schedule defined in the CSUSB Web Application Standard.

3.1. Development Environments

Consider first testing the behavior of vulnerability scanning software against development environments. Vulnerability scanners take precautions to prevent unwanted side effects. However, they are known to crash sensitive devices like printers and videophones, and may also corrupt data in particularly vulnerable web applications.

3.2. Use-case Considerations

When scanning applications, consider multiple use cases: submitting a form, creating a report, changing permissions, logged in, not logged in, etc. Also consider multiple user roles: guest, trusted user, administrator, etc.

3.3. Production Workflow

Scans of production systems and applications should be scheduled to minimize impact. Also consider the availability of administrators to correct any issues that may arise as an unintended result of vulnerability scanning. System administrators and developers may perform preliminary or on-demand unofficial scans. To gain access to the scanning tool, send an email to security@csusb.edu.

4. Vulnerability Remediation

4.1. Typical Action

For system vulnerabilities, most often a corrective action is included in the vulnerability scan report (e.g. "upgrade openssl to version 1.0.1e-2+deb7u17", "see Microsoft Security Bulletin MS15-097", or "Apply Group Policy option "). The expected action is to apply a software update or modify a configuration option. Similarly, for application vulnerabilities, the vulnerability scan report most often references a best practice or an article to help a developer identify and correct the vulnerability.

4.2. False Positives

In some cases, the scanner will flag a possible issue that, upon examination, is found not to be a security issue. For example, if a web page contains a benign string of digits that just so happens to match the pattern of a credit card number, the scanner may raise an alert on that pattern, even though the digits are not actually a credit card number. This is called a false positive. Often false positives can be excluded from future reports through the report editing feature of the vulnerability scanning software.

4.3. Reclassification

In some cases, the scanner will flag a possible vulnerability that, upon examination, is found to be a correctly identified issue, but for business or other reasons the concern is not relevant in the specific situation. As an example, the scanner may find a pattern matching an email address on a web page and flag it as a risk. Upon review, the pattern is seen to actually be an email address. The scanner is correct; this is not a false positive. However, it may not be a pertinent concern: perhaps the web page is a "Contact Us" page. In situations like this, the security posture being evaluated by the scanner does not match the security posture desired by CSUSB.
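To illustrate the credit-card pattern false positive described in 4.2, here is an added example (not part of the CSUSB guidelines and not taken from any scanner product) that re-checks the hits of a hypothetical digit-pattern rule with the Luhn check digit test, which genuine card numbers satisfy. The pattern, the sample page text and the verdict labels are constructed for this example.

```python
import re

# Hypothetical scanner rule: any run of 13 to 19 digits, optionally separated
# by spaces or dashes, is reported as a possible credit card number. This rule
# is constructed for the example and is not taken from any particular scanner.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def triage_card_findings(page_text: str) -> list[dict]:
    """Re-check each pattern hit with the Luhn test and label the result.

    'review' means the digits are at least structurally a card number and a
    person must confirm; 'false_positive' means the run of digits cannot be a
    valid card number, so the finding can be excluded from future reports.
    """
    findings = []
    for m in CARD_PATTERN.finditer(page_text):
        digits = re.sub(r"[ -]", "", m.group(0))
        findings.append({
            "match": m.group(0),
            "verdict": "review" if luhn_valid(digits) else "false_positive",
        })
    return findings


# Constructed sample page text. 4111 1111 1111 1111 is the widely published
# Visa test number (Luhn-valid); 4111 1111 1111 1112 is a benign digit string
# that merely looks like a card number.
SAMPLE_PAGE = """
Order reference: 4111 1111 1111 1112
Test card used in the QA harness: 4111 1111 1111 1111
"""

if __name__ == "__main__":
    for f in triage_card_findings(SAMPLE_PAGE):
        print(f["verdict"], f["match"])
```

A hit labelled "review" is still only a candidate: whether a Luhn-valid number on a page is a real finding or, as in 4.3, a correctly detected but irrelevant one is a judgement the reviewer makes, not the script.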

4.4. Mitigation

Occasionally, a vulnerability is discovered for which no corrective action is available. As an example, historically applications have linked against a Microsoft XML library that is no longer supported by Microsoft. In such cases, mitigating controls, such as limiting firewall access or requiring a second factor for authentication, may be appropriate.

5. References

Sensitive Data Questionnaire: https://iso.csusb.edu/policies
Example checklist for regulated data: http://www.healthit.gov/providersprofessionals/security-risk-assessment-tool