SlideShare une entreprise Scribd logo

The Security Vulnerability Assessment Process & Best Practices

Télécharger en tant que PPT, PDF
Kellep Charles
Kellep Charles

Conducting regular security assessments on the organizational network and computer systems has become a vital part of protecting information-computing assets. Security assessments are a proactive and offensive posture towards information security as compared to the traditional reactive and defensive stance normally implemented with the use of Access Control-Lists (ACLs) and firewalls. Too effectively conduct a security assessment so it is beneficial to an organization, a proven methodology must be followed so the assessors and assesses are on the same page. This presentation will evaluate the benefits of credential scanning, scanning in a virtual environment, distributed scanning as well as vulnerability management.

Technologie
1  sur  32
The Security Vulnerability Assessment Process, Best Practices & Challenges 1 Kellep A. Charles, CISA, CISSP www.SecurityOrb.com
Agenda 2 About Me Topic Introduction The Process The Best Practices/Challenges Conclusion www.SecurityOrb.com
About Me 3 Kellep Charles but you can call me K.C. Government contractor in the DC area Served as an adjunct professor Doctoral Student  Research area:  Human Computer Interaction-Security HCI-Sec  Honeypot & Artificial Neural Networks Operate SecurityOrb.com www.SecurityOrb.com
Introduction 4 Security vulnerability assessments have become an imperative part of any organization’s computer and network security posture. Many organizations consist of:  Heterogeneous computing environments  Windows, Mac OS X, Linux/Unix  Multiple Applications  Distributed computing  Internet-enabled information access systems.  The need to understand the state of an organization’s overall information system is ever more important now. www.SecurityOrb.com
Introduction 5 Best practices in information security acknowledge  a defensive only approach to securing an enterprise does not suffice  at times is considered inadequate. Frequently these defensive security devices such as firewalls and intrusion detection systems (IDS)  often not configured properly  not capable of locating all the vulnerabilities and threats on the network, especially at the node level. www.SecurityOrb.com
Introduction 6 Performing regular security vulnerability assessment helps bridge that gap Allows an organization to take a proactive stance towards protecting their information computing environment. The bottom line objective is to safeguard the core intellectual and electronic assets of the organization, and to ensure compliance with appropriate regulations www.SecurityOrb.com
Why Is It So Vital? 7 Most Systems are unpatched  Lazy, overworked or misinformed system administrators Most compromises are from unpatched systems with patches or work around available Some systems cannot be patched (allow for alternate defense) Proactive and offensive posture towards security Compliance www.SecurityOrb.com
Assessment Levels 8  Basic Security Assessment - The objective for this assessment is to give the responsible party a basic understanding of the security of the business as a whole in three key areas: Administrative, Physical and Technical Safeguards. It is meant to point out possible areas of weakness with a walk through of the facility and a Q&A session. It is not an in-depth study, rather, a basic first step in protecting information.  In-depth Security Assessment - This is a comprehensive study of the security of your business. We will analyze all policies and procedures, router access lists, Firewall configurations and policies, PC and server configurations, complete Website review, complete mail server review. We will then present the client with a written report of our findings. This type of assessment will give you a thorough understanding of how your company measures up to "Industry Best Practices". www.SecurityOrb.com
Assessment Levels 9 External Vulnerability Testing - We will test your network from the outside from a "hacker's point-of-view". We will use the same tools criminals use to try and compromise your network and servers. Internal Vulnerability Testing - These are the same tools used in the External test. This type of assessment is essential in understanding how and why hackers, viruses and worms spread so quickly through an organization. www.SecurityOrb.com
Assessment Process 10  To effectively conduct a security assessment so it is beneficial to an organization  a proven methodology must be followed so the assessors and assesses are on the same page.  Using a proven security assessment methodology supplies a blueprint of events from start-to-finish that can be examined, tracked and replicated.  Reports that are constructed from the security assessments are used to provide a snap shot view of information system deficiencies for short-term analysis as well as trending data for long-term evaluation  Allowing the organization to understand their vulnerabilities so they can better protect themselves from current and future threats. www.SecurityOrb.com
Security Assessment Process 11 The process includes the following 6 phases  Pre Security Assessment Process  Security Assessment In-Brief  Security Assessment Field Work  Security Assessment Report Analysis & Preparation  Security Assessment Out-Brief  Post Security Assessment Process www.SecurityOrb.com
Security Assessment Process 12 Pre-Security Assessment Process  The pre-security assessment process entails one of the most important aspects of conducting a security assessment. Obtaining an engagement letter grants the assessment team the authority to commence with the formal processes of creating documentation to support the security assessment, permission for the onsite visit and the overall authority to conduct the security assessment. www.SecurityOrb.com
Security Assessment Process 13 Security Assessment In-Brief  Once the team has arrived at the assessment location, a security assessment in-brief is required. In the in-brief, both the security assessment team and the organizational staff members will introduce themselves and the roles they will have during the security assessment process. www.SecurityOrb.com
Security Assessment Process 14 Security Assessment Field Work (Scanning, Interview, Walk-Thru and Doc Review)  Once the in brief has been review, discussed, completed and agreed upon, the security assessment fieldwork can commence. The security assessment field-work process consist of conducting vulnerability scans, facility walkthrough, manual system checks, staff interview and various document reviews. www.SecurityOrb.com
Security Assessment Process 15 Security Assessment Report Analysis & Preparation  Towards the end of the security assessment, once all of the security assessment fieldwork has been completed, the security assessment team will review and process the information in preparation of the final report. During this phase, the security assessment team will address any false positive, document any variances and findings that will be included in the final report. www.SecurityOrb.com
Security Assessment Process 16 Security Assessment Report Analysis & Preparation www.SecurityOrb.com
Security Assessment Process 17  Security Assessment Report Analysis & Preparation www.SecurityOrb.com
Security Assessment Process 18 Security Assessment Out-Brief  The security assessment team will provide recommendations as well.  Contact information will be on the out-brief.  This process should be interactive were questions are taken through out the security assessment out-brief.  At the end of the security assessment out-brief, both parties will have to sign the pages of the out-brief and discuss what will be occurring in the post security assessment process. www.SecurityOrb.com
Security Assessment Process 19 Security Assessment Out-Brief  The security assessment team will provide recommendations as well.  Contact information will be on the out-brief.  This process should be interactive were questions are taken through out the security assessment out-brief.  At the end of the security assessment out-brief, both parties will have to sign the pages of the out-brief and discuss what will be occurring in the post security assessment process. www.SecurityOrb.com
Security Assessment Process 20 Post Security Assessment Process  The post security assessment process is where the security assessment team securely files all documentation and electronic data pertaining to the organization in which the security assessment was conducted on.  In addition, a team meeting with all members of the assessment team should be conducted to review and lessons learned to add any improvements or deficiencies to the process. www.SecurityOrb.com
Vulnerability Assessment, Penetration Test & Security Audit 21  A vulnerability assessment is a practice used to identify all potential vulnerabilities that could be exploited in an environment.  The assessment can be used to evaluate physical security, personnel (testing through social engineering and such), or system and network security.  While a vulnerability assessment's goal is to identify all vulnerabilities in an environment, a penetration test has the goal of "breaking into the network."  only needs to exploit one or two vulnerabilities to actually penetrate the environment.  Penetration testing is also referred to as ethical hacking  A security audit is basically someone going around with a criteria checklist of things that should be done or in place to ensure that the company is in compliance with its security policy, regulations and legal responsibilities. www.SecurityOrb.com
Credential Scans vs Un-credential Scans 22 Credentialed scanning allows for a much more accurate and thorough picture of the system.  Mechanic and doctor example Part of vulnerability scanning is to identify missing patches that leave a machine open to compromise.  Test of a Windows 7 system  The results speak for themselves: first scan without credentials, then with credentials – What do you think you will see? www.SecurityOrb.com
Credential Scans vs Un-credential Scans 23  Test of a Windows 7 system  The results speak for themselves: without credentials, the scan identified highs=0; meds=0; lows=1. With credentials: highs=7; meds=8; lows=5  Guess which one is more accurate. www.SecurityOrb.com
Credential Scans vs Un-credential Scans 24 www.SecurityOrb.com
Credential Scans vs. Un-credential Scans 25 www.SecurityOrb.com
System Hardening 26  Center for Internet Security (CIS) Benchmarks  provides standards and metrics that dramatically raise the level of security to ensure the integrity of the public and private Internet-based functions on which society increasingly depends.  Federal Desktop Core Configuration (FDCC)  A list of security settings recommended by the National Institute of Standards and Technology for general-purpose microcomputers that are connected directly to the network of a United States government agency.  Security Technical Implementation Guide (STIG)  DISA’s methodology for standardized secure installation and maintenance of computer software and hardware.  Security Content Automation Protocol (SCAP)  a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.  Some items may have to be changed to obtain credential scans www.SecurityOrb.com
Vulnerability Management 27  The repeated practice of identifying, classifying, remediating, and mitigating  Prioritize  Mitigate Vulnerabilities - Ultimately, the root causes of vulnerabilities must be addressed. This is often done via patching vulnerable services, changing vulnerable configurations or making application updates to remove vulnerable code.  Maintain and Monitor - Organizations' computing environments are dynamic and evolve over time, vulnerability management is an ongoing process rather than a point-in-time event. www.SecurityOrb.com
Compliance 28  Regulatory Bodies www.SecurityOrb.com
Other Things to Consider 29 Virtualization Cloud Computing Politics Reoccurring Scans Distributed Scanning Patch Management Penetration Testing www.SecurityOrb.com
What Vulnerability Scanning Can’t Do 30 Find Zero-Days and malware Eliminates the most obvious and known security threats. Can’t Patch Determine the difference between False Positive/Negative www.SecurityOrb.com
Conclusion The art of defending an organizational network takes many approaches to be done successfully. No one control can assure that the network is safe. Firewalls are great for prevention, IDS offer the ability for detection, Security Awareness briefing provides for user knowledge and Security Assessments assist with a proactive posture towards security. It also helps prove you've done "due diligence" in performing basic system patches and fixing the well- known problems in case a security breach causes financial, legal or regulatory problems.
32 Thank You… @kellepc @securityorb www.SecurityOrb.com

Recommandé

Vulnerability Assessment Presentation
Vulnerability Assessment PresentationVulnerability Assessment Presentation
Vulnerability Assessment PresentationLionel Medina
 
Vulnerability Assesment
Vulnerability AssesmentVulnerability Assesment
Vulnerability AssesmentDedi Dwianto
 
Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Mohammed Adam
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Managementasherad
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingYvonne Marambanyika
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 

Recommandé

Vulnerability Assessment Presentation
Vulnerability Assessment PresentationVulnerability Assessment Presentation
Vulnerability Assessment PresentationLionel Medina
 
Vulnerability Assesment
Vulnerability AssesmentVulnerability Assesment
Vulnerability AssesmentDedi Dwianto
 
Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Mohammed Adam
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Managementasherad
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingYvonne Marambanyika
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingRaghav Bisht
 
CISSP - Chapter 4 - Intranet and extranets
CISSP - Chapter 4 - Intranet and extranetsCISSP - Chapter 4 - Intranet and extranets
CISSP - Chapter 4 - Intranet and extranetsKarthikeyan Dhayalan
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC FrameworkRishi Kant
 
ISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How ToISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How ToJim Gilsinn
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
CISSP - Chapter 4 - Network Topology
CISSP - Chapter 4 - Network TopologyCISSP - Chapter 4 - Network Topology
CISSP - Chapter 4 - Network TopologyKarthikeyan Dhayalan
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modellingn|u - The Open Security Community
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security EngineeringMarco Morana
 
Penetration testing
Penetration testingPenetration testing
Penetration testingAmmar WK
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsSam Bowne
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskAlienVault
 
Vulnerability Assessment
Vulnerability AssessmentVulnerability Assessment
Vulnerability Assessmentprimeteacher32
 
Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Yokogawa1
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesKrist Davood - Principal - CIO
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentalsCygnet Infotech
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1Priyanka Aash
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationShritam Bhowmick
 
It Security Audit Process
It Security Audit ProcessIt Security Audit Process
It Security Audit ProcessRam Srivastava
 

Contenu connexe

Tendances

OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingRaghav Bisht
 
CISSP - Chapter 4 - Intranet and extranets
CISSP - Chapter 4 - Intranet and extranetsCISSP - Chapter 4 - Intranet and extranets
CISSP - Chapter 4 - Intranet and extranetsKarthikeyan Dhayalan
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC FrameworkRishi Kant
 
ISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How ToISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How ToJim Gilsinn
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
CISSP - Chapter 4 - Network Topology
CISSP - Chapter 4 - Network TopologyCISSP - Chapter 4 - Network Topology
CISSP - Chapter 4 - Network TopologyKarthikeyan Dhayalan
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security EngineeringMarco Morana
 
Penetration testing
Penetration testingPenetration testing
Penetration testingAmmar WK
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsSam Bowne
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskAlienVault
 
Vulnerability Assessment
Vulnerability AssessmentVulnerability Assessment
Vulnerability Assessmentprimeteacher32
 
Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Yokogawa1
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentalsCygnet Infotech
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1Priyanka Aash
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
 

Tendances (20)

OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration Testing
 
CISSP - Chapter 4 - Intranet and extranets
CISSP - Chapter 4 - Intranet and extranetsCISSP - Chapter 4 - Intranet and extranets
CISSP - Chapter 4 - Intranet and extranets
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC Framework
 
ISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How ToISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How To
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
CISSP - Chapter 4 - Network Topology
CISSP - Chapter 4 - Network TopologyCISSP - Chapter 4 - Network Topology
CISSP - Chapter 4 - Network Topology
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security Engineering
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
 
CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security Operations
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize Risk
 
Vulnerability Assessment
Vulnerability AssessmentVulnerability Assessment
Vulnerability Assessment
 
Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentals
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
 

Similaire à The Security Vulnerability Assessment Process & Best Practices

New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationShritam Bhowmick
 
It Security Audit Process
It Security Audit ProcessIt Security Audit Process
It Security Audit ProcessRam Srivastava
 
ByteCode pentest report example
ByteCode pentest report exampleByteCode pentest report example
ByteCode pentest report exampleIhor Uzhvenko
 
Phi 235 social media security users guide presentation
Phi 235 social media security users guide presentationPhi 235 social media security users guide presentation
Phi 235 social media security users guide presentationAlan Holyoke
 
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdfCisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdfNathanDjami
 
Building a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps WorldBuilding a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps WorldArun Prabhakar
 
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...Cam Fulton
 
Integrated Security for Software Development and Advanced Penetration Testing...
Integrated Security for Software Development and Advanced Penetration Testing...Integrated Security for Software Development and Advanced Penetration Testing...
Integrated Security for Software Development and Advanced Penetration Testing...Symptai Consulting Limited
 
Best Practices, Types, and Tools for Security Testing in 2023.docx
Best Practices, Types, and Tools for Security Testing in 2023.docxBest Practices, Types, and Tools for Security Testing in 2023.docx
Best Practices, Types, and Tools for Security Testing in 2023.docxAfour tech
 
Domain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and TestingDomain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and TestingMaganathin Veeraragaloo
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA Information Security
 
10 KEYS TO EFFECTIVE NETWORK SECURITY
10 KEYS TO EFFECTIVE NETWORK SECURITY10 KEYS TO EFFECTIVE NETWORK SECURITY
10 KEYS TO EFFECTIVE NETWORK SECURITYRazorpoint Security
 

Similaire à The Security Vulnerability Assessment Process & Best Practices (20)

New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise Infilteration
 
It Security Audit Process
It Security Audit ProcessIt Security Audit Process
It Security Audit Process
 
ByteCode pentest report example
ByteCode pentest report exampleByteCode pentest report example
ByteCode pentest report example
 
Phi 235 social media security users guide presentation
Phi 235 social media security users guide presentationPhi 235 social media security users guide presentation
Phi 235 social media security users guide presentation
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLC
 
Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016
 
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdfCisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
 
Backtrack manual Part1
Backtrack manual Part1Backtrack manual Part1
Backtrack manual Part1
 
Auditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterpriseAuditing-Cybersecurity in the enterprise
Auditing-Cybersecurity in the enterprise
 
Building a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps WorldBuilding a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps World
 
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...
 
ISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochureISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochure
 
PACE-IT, Security+3.7: Overview of Security Assessment Tools
PACE-IT, Security+3.7: Overview of Security Assessment ToolsPACE-IT, Security+3.7: Overview of Security Assessment Tools
PACE-IT, Security+3.7: Overview of Security Assessment Tools
 
R1
R1R1
R1
 
Integrated Security for Software Development and Advanced Penetration Testing...
Integrated Security for Software Development and Advanced Penetration Testing...Integrated Security for Software Development and Advanced Penetration Testing...
Integrated Security for Software Development and Advanced Penetration Testing...
 
Many products-no-security (1)
Many products-no-security (1)Many products-no-security (1)
Many products-no-security (1)
 
Best Practices, Types, and Tools for Security Testing in 2023.docx
Best Practices, Types, and Tools for Security Testing in 2023.docxBest Practices, Types, and Tools for Security Testing in 2023.docx
Best Practices, Types, and Tools for Security Testing in 2023.docx
 
Domain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and TestingDomain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and Testing
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshop
 
10 KEYS TO EFFECTIVE NETWORK SECURITY
10 KEYS TO EFFECTIVE NETWORK SECURITY10 KEYS TO EFFECTIVE NETWORK SECURITY
10 KEYS TO EFFECTIVE NETWORK SECURITY
 

Dernier

[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 

Dernier (20)

[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 

The Security Vulnerability Assessment Process & Best Practices

  • 1. The Security Vulnerability Assessment Process, Best Practices & Challenges 1 Kellep A. Charles, CISA, CISSP www.SecurityOrb.com
  • 2. Agenda 2 About Me Topic Introduction The Process The Best Practices/Challenges Conclusion www.SecurityOrb.com
  • 3. About Me 3 Kellep Charles but you can call me K.C. Government contractor in the DC area Served as an adjunct professor Doctoral Student  Research area:  Human Computer Interaction-Security HCI-Sec  Honeypot & Artificial Neural Networks Operate SecurityOrb.com www.SecurityOrb.com
  • 4. Introduction 4 Security vulnerability assessments have become an imperative part of any organization’s computer and network security posture. Many organizations consist of:  Heterogeneous computing environments  Windows, Mac OS X, Linux/Unix  Multiple Applications  Distributed computing  Internet-enabled information access systems.  The need to understand the state of an organization’s overall information system is ever more important now. www.SecurityOrb.com
  • 5. Introduction 5 Best practices in information security acknowledge  a defensive only approach to securing an enterprise does not suffice  at times is considered inadequate. Frequently these defensive security devices such as firewalls and intrusion detection systems (IDS)  often not configured properly  not capable of locating all the vulnerabilities and threats on the network, especially at the node level. www.SecurityOrb.com
  • 6. Introduction 6 Performing regular security vulnerability assessment helps bridge that gap Allows an organization to take a proactive stance towards protecting their information computing environment. The bottom line objective is to safeguard the core intellectual and electronic assets of the organization, and to ensure compliance with appropriate regulations www.SecurityOrb.com
  • 7. Why Is It So Vital? 7 Most Systems are unpatched  Lazy, overworked or misinformed system administrators Most compromises are from unpatched systems with patches or work around available Some systems cannot be patched (allow for alternate defense) Proactive and offensive posture towards security Compliance www.SecurityOrb.com
  • 8. Assessment Levels 8  Basic Security Assessment - The objective for this assessment is to give the responsible party a basic understanding of the security of the business as a whole in three key areas: Administrative, Physical and Technical Safeguards. It is meant to point out possible areas of weakness with a walk through of the facility and a Q&A session. It is not an in-depth study, rather, a basic first step in protecting information.  In-depth Security Assessment - This is a comprehensive study of the security of your business. We will analyze all policies and procedures, router access lists, Firewall configurations and policies, PC and server configurations, complete Website review, complete mail server review. We will then present the client with a written report of our findings. This type of assessment will give you a thorough understanding of how your company measures up to "Industry Best Practices". www.SecurityOrb.com
  • 9. Assessment Levels 9 External Vulnerability Testing - We will test your network from the outside from a "hacker's point-of-view". We will use the same tools criminals use to try and compromise your network and servers. Internal Vulnerability Testing - These are the same tools used in the External test. This type of assessment is essential in understanding how and why hackers, viruses and worms spread so quickly through an organization. www.SecurityOrb.com
  • 10. Assessment Process 10  To effectively conduct a security assessment so it is beneficial to an organization  a proven methodology must be followed so the assessors and assesses are on the same page.  Using a proven security assessment methodology supplies a blueprint of events from start-to-finish that can be examined, tracked and replicated.  Reports that are constructed from the security assessments are used to provide a snap shot view of information system deficiencies for short-term analysis as well as trending data for long-term evaluation  Allowing the organization to understand their vulnerabilities so they can better protect themselves from current and future threats. www.SecurityOrb.com
  • 11. Security Assessment Process 11 The process includes the following 6 phases  Pre Security Assessment Process  Security Assessment In-Brief  Security Assessment Field Work  Security Assessment Report Analysis & Preparation  Security Assessment Out-Brief  Post Security Assessment Process www.SecurityOrb.com
  • 12. Security Assessment Process 12 Pre-Security Assessment Process  The pre-security assessment process entails one of the most important aspects of conducting a security assessment. Obtaining an engagement letter grants the assessment team the authority to commence with the formal processes of creating documentation to support the security assessment, permission for the onsite visit and the overall authority to conduct the security assessment. www.SecurityOrb.com
  • 13. Security Assessment Process 13 Security Assessment In-Brief  Once the team has arrived at the assessment location, a security assessment in-brief is required. In the in-brief, both the security assessment team and the organizational staff members will introduce themselves and the roles they will have during the security assessment process. www.SecurityOrb.com
  • 14. Security Assessment Process 14 Security Assessment Field Work (Scanning, Interview, Walk-Thru and Doc Review)  Once the in brief has been review, discussed, completed and agreed upon, the security assessment fieldwork can commence. The security assessment field-work process consist of conducting vulnerability scans, facility walkthrough, manual system checks, staff interview and various document reviews. www.SecurityOrb.com
  • 15. Security Assessment Process 15 Security Assessment Report Analysis & Preparation  Towards the end of the security assessment, once all of the security assessment fieldwork has been completed, the security assessment team will review and process the information in preparation of the final report. During this phase, the security assessment team will address any false positive, document any variances and findings that will be included in the final report. www.SecurityOrb.com
  • 16. Security Assessment Process 16 Security Assessment Report Analysis & Preparation www.SecurityOrb.com
  • 17. Security Assessment Process 17  Security Assessment Report Analysis & Preparation www.SecurityOrb.com
  • 18. Security Assessment Process 18 Security Assessment Out-Brief  The security assessment team will provide recommendations as well.  Contact information will be on the out-brief.  This process should be interactive were questions are taken through out the security assessment out-brief.  At the end of the security assessment out-brief, both parties will have to sign the pages of the out-brief and discuss what will be occurring in the post security assessment process. www.SecurityOrb.com
  • 19. Security Assessment Process 19 Security Assessment Out-Brief  The security assessment team will provide recommendations as well.  Contact information will be on the out-brief.  This process should be interactive were questions are taken through out the security assessment out-brief.  At the end of the security assessment out-brief, both parties will have to sign the pages of the out-brief and discuss what will be occurring in the post security assessment process. www.SecurityOrb.com
  • 20. Security Assessment Process 20 Post Security Assessment Process  The post security assessment process is where the security assessment team securely files all documentation and electronic data pertaining to the organization in which the security assessment was conducted on.  In addition, a team meeting with all members of the assessment team should be conducted to review and lessons learned to add any improvements or deficiencies to the process. www.SecurityOrb.com
  • 21. Vulnerability Assessment, Penetration Test & Security Audit 21  A vulnerability assessment is a practice used to identify all potential vulnerabilities that could be exploited in an environment.  The assessment can be used to evaluate physical security, personnel (testing through social engineering and such), or system and network security.  While a vulnerability assessment's goal is to identify all vulnerabilities in an environment, a penetration test has the goal of "breaking into the network."  only needs to exploit one or two vulnerabilities to actually penetrate the environment.  Penetration testing is also referred to as ethical hacking  A security audit is basically someone going around with a criteria checklist of things that should be done or in place to ensure that the company is in compliance with its security policy, regulations and legal responsibilities. www.SecurityOrb.com
  • 22. Credential Scans vs Un-credential Scans 22 Credentialed scanning allows for a much more accurate and thorough picture of the system.  Mechanic and doctor example Part of vulnerability scanning is to identify missing patches that leave a machine open to compromise.  Test of a Windows 7 system  The results speak for themselves: first scan without credentials, then with credentials – What do you think you will see? www.SecurityOrb.com
  • 23. Credential Scans vs Un-credential Scans 23  Test of a Windows 7 system  The results speak for themselves: without credentials, the scan identified highs=0; meds=0; lows=1. With credentials: highs=7; meds=8; lows=5  Guess which one is more accurate. www.SecurityOrb.com
  • 24. Credential Scans vs Un-credential Scans 24 www.SecurityOrb.com
  • 25. Credential Scans vs. Un-credential Scans 25 www.SecurityOrb.com
  • 26. System Hardening 26  Center for Internet Security (CIS) Benchmarks  provides standards and metrics that dramatically raise the level of security to ensure the integrity of the public and private Internet-based functions on which society increasingly depends.  Federal Desktop Core Configuration (FDCC)  A list of security settings recommended by the National Institute of Standards and Technology for general-purpose microcomputers that are connected directly to the network of a United States government agency.  Security Technical Implementation Guide (STIG)  DISA’s methodology for standardized secure installation and maintenance of computer software and hardware.  Security Content Automation Protocol (SCAP)  a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.  Some items may have to be changed to obtain credential scans www.SecurityOrb.com
  • 27. Vulnerability Management 27  The repeated practice of identifying, classifying, remediating, and mitigating  Prioritize  Mitigate Vulnerabilities - Ultimately, the root causes of vulnerabilities must be addressed. This is often done via patching vulnerable services, changing vulnerable configurations or making application updates to remove vulnerable code.  Maintain and Monitor - Organizations' computing environments are dynamic and evolve over time, vulnerability management is an ongoing process rather than a point-in-time event. www.SecurityOrb.com
  • 28. Compliance 28  Regulatory Bodies www.SecurityOrb.com
  • 29. Other Things to Consider 29 Virtualization Cloud Computing Politics Reoccurring Scans Distributed Scanning Patch Management Penetration Testing www.SecurityOrb.com
  • 30. What Vulnerability Scanning Can’t Do 30 Find Zero-Days and malware Eliminates the most obvious and known security threats. Can’t Patch Determine the difference between False Positive/Negative www.SecurityOrb.com
  • 31. Conclusion The art of defending an organizational network takes many approaches to be done successfully. No one control can assure that the network is safe. Firewalls are great for prevention, IDS offer the ability for detection, Security Awareness briefing provides for user knowledge and Security Assessments assist with a proactive posture towards security. It also helps prove you've done "due diligence" in performing basic system patches and fixing the well- known problems in case a security breach causes financial, legal or regulatory problems.
  • 32. 32 Thank You… @kellepc @securityorb www.SecurityOrb.com