4. Definitions
• Vulnerability: A flaw or weakness in system security procedures, design,
implementation, or internal controls that may result in a security breach or
a violation of the system's security policy.
• Threat: The potential for a specific vulnerability to be exercised either
intentionally or accidentally
• Control: Measures taken to prevent, detect, minimize, or eliminate risk to
protect the Integrity, Confidentiality, and Availability of information.
• Vulnerability Assessment: The process of identifying, quantifying, and
prioritizing (or ranking) the vulnerabilities in a system.
13 April 2014 Mostafa Moraad - SecNet L.L C. 4
5. Concepts
• Vulnerabilities come from many things including
i. Flaws in software
ii. Faulty configuration
iii. Weak passwords
iv. Human error
• Inappropriately assigned permission levels
• System inappropriately placed in infrastructure/environment
• Vulnerability Assessment is the most important subset of
Vulnerability Management
• Attackers have a natural advantage over the defenders. they are
smart, dedicated and persistent thus No single security approach
can be sufficient to stop them
• New Vulnerabilities come out everyday and they don’t go away by
themselves
13 April 2014 Mostafa Moraad - SecNet L.L C. 5
7. Best Practice
• Proactive VS. Reactive
• Vulnerability Management is a repetitive process
• Create official purpose and procedures
• Decide on schedule
• Think in terms of risk
• Document everything
• Know your environment
• Always be prepared
13 April 2014 Mostafa Moraad - SecNet L.L C. 7
8. PCI-DSS INTRODUCTION
(Payment Card Industry Data Security Standard)
13 April 2014 Mostafa Moraad - SecNet L.L C. 8
How to Apply this in Financial organizations?
9. PCI-DSS is…
• A security standard that includes requirements for security
management (Vulnerability management), policies,
procedures, network architecture, software design and other
critical protective measures to help organizations proactively
protect customer account data.
• Primarily concerned with the Processing, Storage and
Transmission of the Primary Account Number (PAN) on the
front of every Debit and Credit Card, and its protection
• A joint effort of (VISA International, MasterCard Worldwide,
American Express, Discover Financial Services, JCB)
• Meant for Systems (H/W, S/W), Merchants, Service Providers
and any organization that Stores, Transmits or Processes
cardholder data in any kind of transaction
13 April 2014 Mostafa Moraad - SecNet L.L C. 9
11. Requirements (1)
12 Requirements divided into 6 Categories
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data.
2. Do not use vendor-supplied defaults for system passwords and
other security parameters.
Protect Cardholder Data
3. Protect stored data.
4. Encrypt transmission of cardholder data and sensitive
information across public networks.
Maintain a Vulnerability Management Program
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications
13 April 2014 Mostafa Moraad - SecNet L.L C. 11
12. Requirements (2)
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and
cardholder data.
11. Routinely test security systems and processes.
Maintain an Information Security Policy.
12. Establish high-level security principles and procedures.
13 April 2014 Mostafa Moraad - SecNet L.L C. 12
13. Validation Challenges
• Annual Assessment Questionnaire
• Security Vulnerability Scan – Quarterly
• Fully understand and document the processes and payment environment
• Tracking and monitoring of access to payments card systems and data
• Controlling logical access to systems containing payment card data
• Security event monitoring across a various environment
• Limited security capabilities (authentication, monitoring etc…) of legacy
systems
• Remediation of controls across large (legacy) distributed environments
• Encryption of payment card data
• Putting PCI language in place for third party service providers
13 April 2014 Mostafa Moraad - SecNet L.L C. 13
15. Qualys at a Glance
• Founded in 1999
Build as a Software as a Service (SaaS) implementation from inception
• Financials
$65M in Funding - Last round of funding in Dec 2004
• Subscriber Base
4,000+ active subscribers (very diversified customer base)
42% Fortune 100, 22% Fortune 1000 and 15% Global Forbes Global 2000
Americas 70% - EMEA 25% - Asia Pacific 5%
• Global Strategic Partnerships
MSSPs: Symantec, IBM, BT, SecureWorks, Savvis, Verizon Business, Tata, NTT, Telus, Orange Business Systems
Security Consulting Organizations: IBM, HP, Cisco, HCL, Wipro , Fishnet, Accuvant, Deloitte, PwC, Computacenter
13 April 2014 Mostafa Moraad - SecNet L.L C. 16
16. QualysGuard
IT Security & Compliance Suite
13 April 2014 Mostafa Moraad - SecNet L.L C. 17
• QualysGuard Vulnerability Management
- Globally Deployable, Scalable Security Risk and Vulnerability
Management
• QualysGuard Policy Compliance
- Define, Audit, and Document IT Security Compliance
• QualysGuard PCI Compliance
- Automated PCI Compliance Validation for Merchants and
Acquiring Institutions
• QualysGuard Web Application Scanning
- Automated Web Application Security Assessment and
Reporting that Scales with your Business
• QualysGuard Malware Detection (New)
- Free Malware Detection Service for Web Sites
• Qualys GO SECURE (New)
- Web Site Security Testing Service and Security Seal that
Scans for Vulnerabilities, Malware and SSL Certificate
Validation
17. Software-as-a-Service (SaaS)
13 April 2014 Mostafa Moraad - SecNet L.L C. 18
• SaaS applications can easily be deployed globally
• SaaS simplifies security
• SaaS enables a shorter time from development to delivery of
application enhancements
• SaaS allows for easier integration between point solutions and
transparent delivery for the user
• SaaS business model has security built-in
• SaaS Model allows short Sales Cycle with extremely quick PoC
Turnaround time.
18. QualysGuard Global Infrastructure
13 April 2014 Mostafa Moraad - SecNet L.L C. 19
Annual Volume of Scans: 200+ million IP audit scans (maps and scans) with 7,000 scanner appliances in over 85 countries
with 6 Sigma scanning accuracy (less than 3.4 defects per million scans)
The world's largest VM enterprise deployment: at a Forbes Global 50 with 223 scanner appliances deployed in 52
countries scanning over 750,000 IPs
19. 13 April 2014 Mostafa Moraad - SecNet L.L C. 20
IT Security + Compliance Posture
Actionable Reporting for all Stakeholders
SECURITYAUDITORS
MANAGEMENT
OPERATIONS
20. QualysGuard
Vulnerability Management
13 April 2014 Mostafa Moraad - SecNet L.L C. 21
Reduce Security Risks to the Business by
Operationalizing the Management of
Network Vulnerabilities
–Discover and prioritize all network
assets with no software to install
or maintain
–Identify security vulnerabilities
–Distribute and audit remediation
–Integrate with 3rd party and
customer applications
21. QualysGuard
Policy Compliance
13 April 2014 Mostafa Moraad - SecNet L.L C. 22
Provides a Comprehensive
Compliance Posture of the Global IT
Infrastructure – Distributes and
Audits Remediation
–Identify policy violations remotely across all
network assets
–Supports multiple regulatory initiatives
and mandates
–Controls Library mapped directly to
frameworks such as COBIT, ISO, HIPAA, Basel II,
etc.
–Detailed reporting tailored to the unique needs
of auditors, IT security and compliance users
22. QualysGuard® Policy
Compliance(Audit Results & Reports)
13 April 2014 Mostafa Moraad - SecNet L.L C. 23
• Automated Compliance Reporting
– Report Templates
– Compliance to Policy by Asset Group or by
Host
– Trend of remediation efforts
– Effectiveness of compliance programs
– Identify areas that need to be addressed
quickly
• Built-in Exception Management
– Create and manage exceptions
– Track remediation SLA
23. QualysGuard® PCI
13 April 2014 Mostafa Moraad - SecNet L.L C. 24
SaaS Platform for ASVs and QSAs to perform PCI DSS
Certification
and for Acquiring Banks to audit
their merchants
–Complete annual PCI DSS
“Self-Assessment Questionnaire”
–Pass network security scans every
90 days by an approved scanning
vendor
–Document and submit proof of
compliance to acquiring banks
–Meet requirement 6.6 by performing
automated Web Application Scanning
24. QualysGuard in the Market
13 April 2014 Mostafa Moraad - SecNet L.L C. 25
Financial Services ChemicalInsurance
Portals/Internet Retail Technology Consulting
Financial Services
26. About Tenable (Nessus)
13 April 2014 Mostafa Moraad - SecNet L.L C. 27
Growth Capital
Tenable receives $50M in growth
capital from Accel Partners to
accelerate company growth.
ACAS
Tenable receives the ACAS
award from DISA to become the
standard for active and passive
monitoring across the DOD and
Intelligence Community
Seamless Solution
Tenable is the only vendor to
deliver real-time vulnerability,
threat and compliance
management for mobile, cloud and
virtual infrastructure by combining
active scanning, patented passive
monitoring.
PCI Approved
Scanning Vendor
(PCI ASV)
Tenable becomes a PCI ASV,
allowing Nessus Perimeter Service
customers to scan their perimeter
networks and submit PCI scans for
quarterly validation.
• Founded in 2002
• Creator of Nessus®, de facto standard for
vulnerability management
– Over 15,000 customers
– Over 2 million Nessus users
• Highest Gartner rating
• Profitable with 19 consecutive quarters
of growth
4 years 552% Annual
Revenue Growth
27. Security Center
13 April 2014 Mostafa Moraad - SecNet L.L C. 28
Enterprise Level
Vulnerability Scanning and
Configuration Auditing
> Vulnerability and Patch Auditing
> Web Application auditing
> Configuration Auditing
> Botnet detection
28. SC Continuous View
13 April 2014 Mostafa Moraad - SecNet L.L C. 29
System
Analysis
> Continuous Asset
Discovery
> Server Vulnerabilities
> Client Side Vulnerabilities
> SSL Certificate Auditing
> File Share Listings
> Social Network Application
> Trust Relationships
> Mobile Device Identification
Create New Logs
That Don’t Exist
> Log administration sessions
for SSH, VNC and Windows
Remote Desktop
> Log all SSL sessions
> Log all files transferred
via HTTP, SMB, NFS,
FTP and SMTP
> Log all DNS queries and
web requests
> Convert SQL queries to
log statements
> Identify new hosts and new
ports in real-time
> Identify interactive and encrypted
network sessions
Events Sources
> System
Logs
> Firewalls
> NIDS
> File Integrity
> Mainframes
> Netflow
> Anti Virus
> Web Logs
> Logins
> Honeypots
> Email Logs
Correlations
> Threatlist connections
> Intrusion Events that target
Vulnerabilities
> Tracking all events by User ID
> Statistical increases in events
> First time seen events
> Continuous event stream
Active System
Analysis
> Asset Discovery
> Vulnerability Auditing
> Web Application Testing
> Patch Auditing
> Configuration Auditing
> Sensitive Data At Rest
> Botnet Identification
> Software Enumeration
> User Enumeration
> Anti Virus Agent Auditing
32. Benefits & ROI
• Protect customers’ personal data
• Boost customer confidence through a higher level of data security
• Lower exposure to financial losses and remediation costs
• Maintain customer trust and safeguard the reputation of the brand
• Provide a complete “health check” for any business that stores or transmit
customer information
13 April 2014 Mostafa Moraad - SecNet L.L C. 33
Challenge is to provide actionable reports to all stakeholder:Management needs to see high-level reports that show progress of remediation and state of complianceIT Admins or security teams needs to see technical reports with details information about vulnerabilities and level of riskOperations speaks in patch is wants to see reports that help them expedite and track patchingAuditors need to be able to collect compliance data and use it in compliance documentation
If you are 90% compliant what if you were 98% last week In large networks say 100k assets this means a drop of 8% of assets is 8k hosts. If this changes over a few days that’s a major concern