Vulnerability Management Program: Design - PowerPoint PPT Presentation
1 / 15
Title:
Vulnerability Management Program: Design
Description:
More than patch management. Logical. Physical. Procedural. Information management. Dissemination ... Remediation/patching still done by sysadmins (sorry NIST) ... – PowerPoint PPT presentation
Number of Views:441
Avg rating:3.0/5.0
Title: Vulnerability Management Program: Design
1
Vulnerability Management Program Design
Expectations
Chuck Geigner CEH, ECSA CITES Security May 19,
2009 Hilton Garden Inn, Champaign
2
What is Vulnerability Management?
- Discovery and Measurement of Risk
- More than patch management
- Logical
- Physical
- Procedural
- Information management
- Dissemination
- Tracking
- Awareness
- Enable informed decisions
- Ensure compliance
3
The Problem
- Unknown risk!
- Reactive vs. proactive security
- Known risks casually accepted
- (Oh, and we're required to...)?
4
Da Plan
- Roll-out at CITES
- Offer services externally
- Refine process
- If successful, then expand slowly to other parts
- Add resource-intensive services
World domination?
5
Goals
- Identify evaluate vulnerabilities
- Calculate risk
- Disseminate vulnerability information
- (Reduce Risk)?
6
Due Diligence VMP Services
7
Threat Research
- Information-gathering on subject technology
- Policies and procedures reviewed to ensure best
practices - May not qualify as acceptable due diligence in
certain circumstances.
8
Scanning Services
- Polling, interrogating, and gathering information
- Use scanning tools, passive/active reconnaissance
techniques, and manual validation - Does not seek to exploit vulnerabilities
- May need authentication or firewall rules changes
9
Vulnerability Assessment
- More than scanning assets, but not a full pen
test - Test document
- Physical security
- Logical security
- Procedural security
- Policy adherence
- systemic security controls and weaknesses
10
Penetration Testing
- Intrusive!
- Expensive!
- Goal All your data...
- ROE
- Required in some cases
- Last to implement (see 2)?
11
Patch Management
- Detection/tracking of patch-related
vulnerabilities - gtgt Advisory only ltlt
- Remediation/patching still done by sysadmins
(sorry NIST)! - Component to be added to VMP when resources
available
12
Ownership Escalation
- Hot potato problem!
- 4 outcomes
- Remediation
- Mitigation/ Compensating controls
- Challenge
- Risk Acceptance
- Manager ownership
- Upper management sign off on critical acceptance
(CIO/Dean/Chancellor)?
13
Additional Services
- Consulting services
- Educational services
- Tracking of findings and responses
14
OK Fine...What Can I Expect?
No, not this..
- Coordination
- Communication
- Information
- Follow-up
15
Questions Discussion Flame War Goes Here
Recommended
CrystalGraphics Presentations
