
Info Security - Vulnerability Assessment

Simple deck about Vulnerability Assessment and Penetration Test.
Please download it if you want to see the presentation notes as well. :-)


1. Vulnerability Assessment
   Marcelo B. Silva, Systems Engineer

2. Agenda
   • What is a Penetration Test?
   • What is a Vulnerability Assessment (VA)?
   • The difference between a Pentest & a VA
   • Vulnerability Assessment Steps
   • Risks on an internal VA
   • Vulnerability Assessment steps with a 3rd Party
   • Legal considerations and justification
   • References
3. What is a Penetration Test?
   • There are two types of penetration (pen) tests: Black Box & White Box
   • Analyzing assets for any weaknesses, weak configuration, or vulnerabilities
   • Takes the perspective of a potential attacker and leverages exploitation of known and unknown security vulnerabilities
   • Validates information security programs
   • Ensures security controls

4. What is a Penetration Test? Which components are the targets?
   • Operating Systems
   • Directory Services
   • Backend Applications
   • Server firmware and Remote Control software
   • Network devices (Routers, Switches, Firewalls)

5. What is a Penetration Test? The intruder could seek unauthorized access for:
   • Staging
   • Information Disclosure (Confidentiality)
   • Bots/Zombies (Availability)
6. What is a Vulnerability Assessment (VA)?
   “Security exercises that aid business leaders, security professionals, and hackers in identifying security liabilities within networks, applications, and systems.” (Snedaker, 2007)

7. What is a Vulnerability Assessment (VA)? The Vulnerability Assessment detects vulnerabilities via:
   • Security Technologies – VA scanner appliances and software
   • Remediation Technologies – Patch management systems (WSUS, SCCM, LanDesk, VMware Update Manager)
8. Penetration Test vs. VA
   Penetration Test:
   • Confirm the vulnerabilities
   • Scan the network
   • Identify OS, Services and TCP/UDP Ports on the hosts
   • Perform attacks and penetration
   • Work to gain non-authorized access
   Vulnerability Assessment:
   • Identify weaknesses
   • Identify and enumerate vulnerabilities
   • Report on discoveries

9. Penetration Test vs. VA
   Penetration Test, to be used when:
   • We have a limited number of assets
   • Confirmation is needed
   • We are fiscally flexible
   • Time is not of the essence
   Vulnerability Assessment, to be used when:
   • Time is a constraint
   • Cost is an issue
   • Validating
   • Trending
10. Vulnerability Assessment: The 3 steps
   1. Information Gathering and Discovery (example tool: NMAP)
   2. Enumeration (example tool: NMAP)
   3. Detection (example tool: Retina)

11. Vulnerability Assessment: The 3 steps
   1. Information Gathering and Discovery
      – Network Scanning
      – Port Scanning
      – Directory Service
      – DNS Zones and Records
12. Vulnerability Assessment: The 3 steps
   2. Enumeration
      – Hosts and OSs
      – Ports (including the well-known range: 0-1023)
      – Services and their version info
      – SNMP Communities

13. Vulnerability Assessment: The 3 steps
   3. Detection
      – Weaknesses
      – Vulnerabilities
      – Reports are generated
      – Remediation Tools
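As an added example (not part of the deck and not the author's code), here are the Enumeration and Detection steps applied to the XML output that NMAP writes with -oX: the scan result is turned into a per-host inventory (OS guess, open ports flagged by the well-known 0-1023 range, service and version), open ports are compared against an approved baseline, and a report is generated. The XML sample and the ALLOWED_SERVICES baseline are constructed for this example; no real hosts, services or vulnerabilities are implied.

```python
"""Enumeration and detection over Nmap XML output, the deck's VA steps 2 and 3.

SAMPLE_NMAP_XML is a constructed sample in Nmap's -oX format (not a real scan) and
ALLOWED_SERVICES is a constructed per-host baseline; both are assumptions of this example.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 10.0.0.0/29">
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
 <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
 <ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
  <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx" version="1.18.0"/></port>
  <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.7.33"/></port>
 </ports>
 <os><osmatch name="Linux 5.4" accuracy="96"/></os>
</host>
<host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/><hostnames/>
 <ports>
  <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
  <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
 </ports>
 <os><osmatch name="Cisco IOS 15" accuracy="90"/></os>
</host>
</nmaprun>"""

WELL_KNOWN_MAX = 1023  # the well-known port range 0-1023 named on the Enumeration slide

# Constructed baseline of approved listeners per host, as (protocol, port) pairs.
ALLOWED_SERVICES = {"10.0.0.5": {("tcp", 22), ("tcp", 443)}, "10.0.0.6": set()}


def enumerate_hosts(nmap_xml):
    """Step 2 (Enumeration): hosts that are up, their OS guess, and open ports with version info."""
    hosts = []
    for host in ET.fromstring(nmap_xml).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        hostname = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")
        entry = {
            "ip": addr.get("addr") if addr is not None else "?",
            "hostname": hostname.get("name") if hostname is not None else "",
            "os": osmatch.get("name") if osmatch is not None else "unknown",
            "ports": [],
        }
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed or filtered ports do not belong in the inventory
            svc = port.find("service")
            attr = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            entry["ports"].append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": attr("name"),
                "product": attr("product"),
                "version": attr("version"),
                "well_known": int(port.get("portid")) <= WELL_KNOWN_MAX,
            })
        hosts.append(entry)
    return hosts


def detect_weaknesses(hosts, allowed):
    """Step 3 (Detection): open ports outside the approved baseline, plus services whose
    version could not be identified, so no vulnerability match is possible yet."""
    findings = []
    for h in hosts:
        approved = allowed.get(h["ip"], set())
        for p in h["ports"]:
            where = f"{h['ip']} {p['proto']}/{p['port']} ({p['service'] or 'unknown'})"
            if (p["proto"], p["port"]) not in approved:
                findings.append(f"{where}: open port not in approved baseline")
            if not p["version"]:
                findings.append(f"{where}: service version not identified, verify manually")
    return findings


def build_report(nmap_xml, allowed):
    """The report the Detection slide mentions: the inventory first, then the findings."""
    hosts = enumerate_hosts(nmap_xml)
    lines = []
    for h in hosts:
        lines.append(f"Host {h['ip']} {h['hostname'] or '(no PTR)'} OS guess: {h['os']}")
        for p in h["ports"]:
            tag = "well-known" if p["well_known"] else "registered/dynamic"
            ver = " ".join(v for v in (p["product"], p["version"]) if v) or "version unknown"
            lines.append(f"  {p['proto']}/{p['port']} {p['service']} {ver} [{tag}]")
    findings = detect_weaknesses(hosts, allowed)
    lines.append(f"Findings: {len(findings)}")
    lines.extend("  - " + f for f in findings)
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_report(SAMPLE_NMAP_XML, ALLOWED_SERVICES))
```

Only ports whose state is open reach the inventory, so the closed 8080 on the second host is dropped, while the SNMP listener with no version string produces two findings: it is outside the baseline, and a vulnerability check against it cannot be completed until the version is established. Comparing against a baseline of approved listeners is one way to turn a raw enumeration into the "weaknesses" a Detection step reports without relying on a scanner's vulnerability database.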
14. Risks on an internal VA
   • Unavailability of the systems and applications
   • Impact on the network and systems performance
   • Reaction from the IT staff as if a real attack were taking place
15. Vulnerability Assessment Steps with a 3rd Party
   • The outsourcing company must follow the FISMA requirements, by applying the NIST standards and guidelines
   • Establish an Information Security Assessment Policy to be followed
   • Determine the objectives of each security assessment
   • The consulting firm should be accountable for any damage caused by errors during the exercise
   • Sign a formal agreement for the Vulnerability Assessment
   • Non-disclosure of information externally
   • The 3rd party should analyze findings, develop risk mitigation techniques accordingly, and report security incidents (FISMA 3544(b)(7))
   • The 3rd party should periodically test and evaluate the security controls and techniques (FISMA section 3544(a)(2)(D))
16. VA Steps with a 3rd Party: Legal considerations and justification
   • The 3rd parties are required to meet the same security requirements as federal agencies (FISMA and OMB policy)
   • As part of the contract and the service-level agreements, the consulting firm requires the use of the security controls in NIST Special Publication 800-53 and 800-53A
   • Evaluate potential legal concerns before starting an assessment (assessments that involve intrusive tests, i.e. a Pentest)
   • The Legal Department may review the assessment plan developed by the 3rd party
   • The Legal Department should address privacy concerns and perform other functions in support of assessment planning (FISMA, section 3542(a)(1)(B))
17. References
   Snedaker, S. (2007). The Best Damn IT Security Management Book Period. Syngress Publishing.
   National Institute of Standards and Technology. (2009). Recommended Security Controls for Federal Information Systems and Organizations (NIST Special Publication 800-53, 2009 Edition). Gaithersburg, MD.
   National Institute of Standards and Technology. (2010). Guide for Applying the Risk Management Framework to Federal Information Systems (NIST Special Publication 800-37, Revision 1). Gaithersburg, MD.
   National Institute of Standards and Technology. (2010a). Guide for Assessing the Security Controls in Federal Information Systems and Organizations (NIST Special Publication 800-53A). Gaithersburg, MD.
   Federal Information Security Management Act (FISMA). (2002). P.L. 107-347. Retrieved August 07, 2012, from http://csrc.nist.gov/drivers/documents/FISMA-final.pdf