Vulnerability Management Training 8

Description:

Securium Fox Technology provides cyber security services in the USA, India, Bangalore, UK, London, China, Africa and Japan, as well as ethical hacking, penetration testing and training. Securium Fox Technology also provides certification for all platforms, such as CISCO, Microsoft, EC-Council, ISC2, Red Hat and so on. You get any certification with 100% exam crack result. CISCO certifications: CCNA, CCNP, CENT and so on. EC-Council certifications: CEHv10, CHFI, LPT, ECSA and so on. ISC2 certifications: CISM, CISSP and so on. Microsoft certifications: MCSA, MCITP and so on.


Transcript and Presenter's Notes



1
ABOUT US
SECURIUM FOX offers cyber security consultancy
services with its expert and experienced team. We
provide consulting services to prevent cyber
attacks and data leaks and to ensure that our
customers are ready and safe against cyber
attacks, with more than 15 years of experience.
In addition to pentests and consulting services,
SECURIUM FOX prepares its customers and field
enthusiasts for real-life scenarios by providing
training in a lab environment prepared by its own
young, dynamic team, which constantly follows the
field. As long as hackers are part of our lives,
there is always a risk of facing a cyber attack.
Over the years, cyber security has become a
critical precaution for all organizations and
companies because of the effects and number of
attacks. SECURIUM FOX tests customers' weak
points for possible attacks and provides
consulting services to eliminate these weak
points. The SECURIUM FOX team also supports the
development of our country in this field by
supporting free events organized on a volunteer
basis by the Octosec team.
2
  • VULNERABILITY MANAGEMENT

3
Vulnerability management policy and processes
  • The first step of the vulnerability management
    process is to develop a policy and the necessary
    processes. Your policy should dictate the scope
    and frequency of scans. Processes are an
    essential piece of the program, and you might
    consider a zero-day vulnerability process in
    which you establish a team that is brought
    together to analyze each zero-day vulnerability
    when it is announced. The process would consist
    of components such as notification, assessment,
    analysis and action. You should also adopt a
    process to scan each new server for
    misconfigurations and vulnerabilities before you
    allow it into production.

4
  • Tip 1: Ensure your security team is subscribed
    to known vulnerability alerts, so that they can
    be notified immediately upon a vulnerability
    release.
  • Tip 2: If your organization utilizes the public
    cloud, ensure your policy covers it.

5
Vulnerability scanning
  • Hackers scan our external assets on a daily
    basis, free of charge; we just don't get to see
    the reports. Vulnerability scanning is one piece
    of the vulnerability management process, but an
    extremely important one. It is an automated
    process that assesses your system, network or
    application for vulnerabilities and weaknesses.
    It is essential to conduct both internal and
    external vulnerability scanning. If your
    organization hosts a web application, perform
    web application vulnerability scanning to
    discover any web application vulnerabilities such
    as SQL Injection and Cross-Site Scripting.

6
  • A good vulnerability management process will
    require you to perform both authenticated
    (credentialed) and unauthenticated
    (non-credentialed) vulnerability scans.
    Authenticated scans are more intense and will
    find vulnerabilities that you would not be able
    to discover with unauthenticated scans, such as
    missing patches and configuration issues. An
    unauthenticated scan typically discovers open
    ports, operating system versions, listening
    services, etc.

7
  • As an organization, you can compare the results
    from both scans (authenticated vs.
    unauthenticated) to determine the risk surface,
    as an unauthenticated scan presents an attacker's
    view of your network. You might consider
    authenticated scans on high-risk assets and
    unauthenticated scans on low-risk assets. Your
    vulnerability management program should dictate
    that balance, but typically organizations run
    unauthenticated external scans and authenticated
    internal scans. Scans are an ongoing activity and
    must be run at least quarterly and after major
    changes to your network. Also, you might adopt an
    approach where you scan your high-risk assets
    once a month and medium- and low-risk assets once
    per quarter.
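
The comparison and scan cadence described on slides 6 and 7, as an added example that is not part of the original presentation. The findings, asset names and inventory are constructed sample data, and the 30/90-day limits are an assumed reading of "once a month" and "once per quarter".

```python
from datetime import date, timedelta

# Constructed sample findings: (asset, finding) pairs from each scan type.
UNAUTH = {("web01", "open port 443/tcp"),
          ("web01", "service banner discloses version"),
          ("db01", "open port 5432/tcp")}
AUTH = {("web01", "open port 443/tcp"), ("web01", "missing OS patch"),
        ("web01", "weak file permissions on config"),
        ("db01", "open port 5432/tcp"), ("db01", "missing database patch")}

# Cadence from the slide: high-risk monthly, medium and low quarterly.
# The day counts are an assumption used to approximate month and quarter.
MAX_AGE_DAYS = {"high": 30, "medium": 90, "low": 90}

def compare_scans(auth, unauth):
    """Split each asset's findings into attacker-visible and credential-only."""
    report = {}
    for asset in sorted({a for a, _ in auth | unauth}):
        seen_unauth = {f for a, f in unauth if a == asset}
        seen_auth = {f for a, f in auth if a == asset}
        report[asset] = {
            "attacker_view": sorted(seen_unauth),                # what an outsider sees
            "auth_only": sorted(seen_auth - seen_unauth),        # needs credentials to find
            "unauth_only": sorted(seen_unauth - seen_auth),      # missed by the credentialed scan
        }
    return report

def overdue_assets(inventory, today):
    """Return assets whose last scan is older than their risk tier allows."""
    overdue = []
    for name, (tier, last_scan) in sorted(inventory.items()):
        if today - last_scan > timedelta(days=MAX_AGE_DAYS[tier]):
            overdue.append(name)
    return overdue

# Constructed inventory: asset -> (risk tier, date of last scan).
INVENTORY = {
    "web01": ("high", date(2024, 1, 2)),
    "db01": ("high", date(2024, 2, 20)),
    "print01": ("low", date(2023, 12, 15)),
    "wiki01": ("medium", date(2023, 11, 1)),
}

if __name__ == "__main__":
    for asset, row in compare_scans(AUTH, UNAUTH).items():
        print(asset, row)
    print("overdue:", overdue_assets(INVENTORY, date(2024, 3, 1)))
```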

8
Penetration testing
  • We all encounter situations where a vulnerability
    scan is sold as a penetration test. On a few
    occasions, I have been handed a 100-page
    penetration test listing only vulnerabilities
    identified during the vulnerability scan. A
    penetration test is designed to exploit
    weaknesses and vulnerabilities within an
    organization and requires both automated and
    manual testing.
  • Penetration testing is another important piece of
    the vulnerability management program and needs to
    be performed at least annually. Be sure to
    integrate physical testing and social engineering
    into your penetration testing. Furthermore, if
    you host a web application, you should conduct a
    web application penetration test.

9
Vulnerability assessments
  • You might ask, "What is the difference between a
    vulnerability scan and a vulnerability
    assessment?" The short answer is the scope. A
    vulnerability assessment will include
    vulnerability scanning as well as vulnerabilities
    not particular to technology, such as policies,
    processes and standards.
  • Consider an organization with a weak password
    policy that does not enforce complexity
    requirements; due to the use of weak passwords,
    this organization becomes a victim of cybercrime.
    Consider also the same organization with a
    cryptography standard that allows the usage of
    SSLv2. The vulnerability assessment is an ongoing
    process and should be conducted at least annually.

10
Tracking, metrics and reporting
  • Tracking, metrics and reporting are key for
    demonstrating the value and effectiveness of the
    vulnerability management program to executive
    management. It is important that tracking,
    metrics and reporting of vulnerabilities are
    risk-based, rather than just comparing the number
    of vulnerabilities over a certain period of
    time.
  • An effective vulnerability management program is
    much more than scanning and patching your
    systems. Multiple regulatory compliance standards
    such as PCI DSS and HIPAA require the creation
    and implementation of the program. Vulnerability
    management is a living process that is a part of
    your overall information security program
    lifecycle and requires continuous monitoring,
    improvement and assessment.
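
Why a raw count misleads and a risk-based metric does not, as an added example that is not part of the original presentation. The two quarters of findings are constructed sample data; the asset-tier weights and the remediation deadlines per CVSS score are assumptions a real program would set in its own policy.

```python
# Constructed sample data: findings still open at the end of two quarters.
# Each finding is (cvss_base_score, asset_tier, days_open).
Q1 = [(5.3, "low", 20), (4.3, "low", 35), (6.1, "medium", 15),
      (5.0, "low", 10), (7.5, "medium", 12), (3.1, "low", 50)]
Q2 = [(9.8, "high", 45), (8.8, "high", 40), (7.5, "medium", 70),
      (5.3, "low", 20)]

# Assumption for this example: how much an asset's tier amplifies a finding.
TIER_WEIGHT = {"high": 3.0, "medium": 2.0, "low": 1.0}

def sla_days(cvss):
    """Assumed remediation deadline in days for a given CVSS base score."""
    if cvss >= 9.0:
        return 30
    if cvss >= 7.0:
        return 60
    return 90

def summarize(findings):
    """Report the raw count next to two risk-based figures."""
    risk = sum(cvss * TIER_WEIGHT[tier] for cvss, tier, _ in findings)
    past_sla = sum(1 for cvss, _, age in findings if age > sla_days(cvss))
    return {"count": len(findings),
            "risk_score": round(risk, 1),
            "past_sla": past_sla}

def trend(previous, current):
    """Change in each metric from the previous period to the current one."""
    prev, cur = summarize(previous), summarize(current)
    return {key: round(cur[key] - prev[key], 1) for key in prev}

if __name__ == "__main__":
    print("Q1:", summarize(Q1))
    print("Q2:", summarize(Q2))
    print("change:", trend(Q1, Q2))
```

In this sample the number of open findings falls from one quarter to the next while the weighted risk score and the number of findings past their deadline both rise, which a count-only report would present as an improvement.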

11
You can always contact SECURIUM FOX. You can
contact us through our email addresses or by
using the contact form on the side.
  • INFO
  • 3rd Floor, Lohia Towers,
  • Nirmala Convent Rd,
  • Gurunanak Nagar, Patamata, Vijayawada,
  • Andhra Pradesh - 520010
  • 9652038194
  • 08666678997
  • info_at_securiumfoxtechnologies.com

12
  • info_at_securiumfoxtechnologies.com
  • Andhra Pradesh Office
  • 91 8666678997,91 91652038194
  • 3rd Floor, Lohia Towers,
  • Nirmala Convent Rd, Gurunanak Nagar, Patamata,
    Vijayawada,
  • info_at_securiumfoxtechnologies.com
  • UK Office
  • 44 2030263164
  • Velevate, Kemp House, 152 - 160,City Road,EC1V
    2NX
  • London
  • info_at_securiumfoxtechnologies.com
  • Tamil Nadu Office
  • 91 9566884661
  • Kailash Nagar, Nagar, Tiruchirappalli, Tamil Nadu
    620019
  • info_at_securiumfoxtechnologies.com
  • Noida Office
  • 91 (120) 4291672, 91 9319918771
  • A-25, Block A,
  • Second Floor,Sector - 3,
  • Noida, India
  • info_at_securiumfoxtechnologies.com
  • USA Office
  • 1 (315)933-3016
  • 33 West,17th Street,
  • New York,
  • NY-10011, USA
  • info_at_securiumfoxtechnologies.com
  • Dubai Office
  • 971 545391952
  • Al Ansari Exchange, Ansar Gallery - Karama
    Branch, Hamsah-A Building - 3 A St - Dubai -
    United Arab Emirates