Vulnerability management is a thankless and continuous process. We are going to discuss that process and ways to reach a goal that constantly moves: being patched and secure.
What do we mean by the M&M analogy as it applies to IT security? A hard shell around a soft centre. Overall, IT organizations are doing a reasonable job of securing servers in DMZs, with the exception of web applications. Unfortunately we see a completely different picture when we look at assets beyond the DMZ: internal assets are far behind on patching, run end-of-life operating systems, have no hardening, use weak passwords, and so on. Attackers have responded by moving away from attacking services in the DMZ to attacking client-side applications.
What is management's perception of vulnerability management? Typical responses:
- We'd like to do it but we don't have the time/staff
- We would like a solution in place but we don't have the budget
- We don't have the skills
- Management doesn't see the risk
- That will never happen to us
- That's why we have a firewall
- We have Windows Update servers
For targeted organizations, signatures will do very little to stop attacks. Also, you don't have to be a bank or a big retailer to be attacked: according to the Verizon Business data breach report, 28% of breaches were random opportunistic, 44% directed opportunistic and 28% fully targeted. The report's definitions:
- Random opportunistic: the attacker(s) identified the victim while searching randomly or widely for weaknesses (e.g. scanning large address spaces), or simply happened to visit a site and noticed a vulnerability present, and then exploited the weakness. Example: searching for websites vulnerable to SQL injection and taking any that respond.
- Directed opportunistic: the victim was specifically selected, but only because they were known to have a particular weakness the attacker(s) could exploit. Example: the same SQL injection search, but refining the results to a defined list before exploiting. These attackers are not fully targeting anyone; they cast a wide net looking for easy-to-pluck targets and then focus their attention on exploiting the vulnerability they found.
- Fully targeted: the victim was chosen first and then the attacker(s) determined a way to exploit them.
Today's environment has changed: more people need to be involved to manage vulnerabilities effectively. Enter the idea of vulnerability management, enabling more people to work together on a common goal and eliminate vulnerabilities efficiently and effectively.
Discuss vulnerability SCANNING vs. vulnerability MANAGEMENT. A scan only produces a list of findings; the value of management is in organizing, tracking, reporting, delegating, prioritizing and efficiently remediating those vulnerabilities.
It is amazing how much an executive listens when you show them their own email and the company's crown jewels, and play back recordings of their phone conversations.
Commercial solutions are affordable, even for SMBs. An entry-level package for a solution we promote is $3,000 for unlimited scanning of up to 30 internal IPs and 6 external. Having a consultant scan periodically would cost about $20 per IP. If you don't purchase a full solution, at least a quarterly scan would let you prioritize remediation efforts every three months.
Capabilities to look for in a solution:
- Rate vulnerabilities by potential impact and criticality
- Categorize risks based on the technology and the importance of the asset
- Simple tracking of remediation progress
- Ability to group assets
- Frequent updates
- Authenticated scans
- Custom reporting
The bottom line: how to find it, confirm it, fix it and prioritize it.
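As an added illustration of the scanning-versus-management distinction and of the capability list above (example code written for this page, not a product's or the presenter's own), the following Python script models the management layer that sits on top of raw scanner output: it rates each finding by CVSS weighted with the asset's business criticality and exposure, maps it to a priority tier with an SLA, groups open work by owning team, and reports remediation progress. All assets, findings, dates, weights and SLA values are constructed for the example and are not taken from any real scan.

```python
"""Minimal vulnerability management model: prioritize, delegate, track.

Added example, not part of the original slide notes. Every asset, finding,
score weight, SLA value and date below is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str            # team that remediates (the "delegating" part)
    criticality: int      # 1 = disposable lab box ... 5 = crown jewels
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    asset: Asset
    title: str            # constructed description, not a real advisory
    cvss: float           # scanner-reported base score, 0.0 - 10.0
    exploit_public: bool  # a working exploit is known to be circulating
    found: date
    fixed: Optional[date] = None


# Constructed remediation policy: days allowed to fix, per priority tier.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}


def risk_score(f: Finding) -> float:
    """CVSS alone would rank a lab VM above the HR database; weighting by
    asset criticality and exposure is what turns a scan into a priority."""
    score = f.cvss * (0.5 + 0.1 * f.asset.criticality)  # crit 1 -> 0.6x, crit 5 -> 1.0x
    if f.asset.internet_facing:
        score += 1.0  # reachable by the opportunistic scanners discussed above
    if f.exploit_public:
        score += 1.0
    return round(min(score, 10.0), 1)


def tier(f: Finding) -> str:
    s = risk_score(f)
    if s >= 9.0:
        return "P1"
    if s >= 7.0:
        return "P2"
    if s >= 4.0:
        return "P3"
    return "P4"


def due_date(f: Finding) -> date:
    return f.found + timedelta(days=SLA_DAYS[tier(f)])


def status(f: Finding, as_of: date) -> str:
    if f.fixed is not None:
        return "fixed"
    return "overdue" if as_of > due_date(f) else "open"


def remediation_plan(findings: List[Finding], as_of: date) -> Dict[str, List[Finding]]:
    """Open work grouped by owning team, highest risk first."""
    plan: Dict[str, List[Finding]] = defaultdict(list)
    for f in findings:
        if status(f, as_of) != "fixed":
            plan[f.asset.owner].append(f)
    for items in plan.values():
        items.sort(key=risk_score, reverse=True)
    return dict(plan)


def progress(findings: List[Finding], as_of: date) -> Dict[str, Dict[str, int]]:
    """Per-tier counts of open / overdue / fixed: the tracking report."""
    counts = {t: {"open": 0, "overdue": 0, "fixed": 0} for t in SLA_DAYS}
    for f in findings:
        counts[tier(f)][status(f, as_of)] += 1
    return counts


# Constructed sample inventory and scan results.
WEB01 = Asset("web01", "web-team", 5, internet_facing=True)
HR_DB = Asset("hr-db", "dba-team", 5, internet_facing=False)
LAB_VM = Asset("lab-vm", "lab", 1, internet_facing=False)
PRINTER = Asset("printer-3f", "helpdesk", 2, internet_facing=False)
AS_OF = date(2009, 6, 1)
SAMPLE_FINDINGS = [
    Finding(WEB01, "constructed: web server RCE", 9.8, True, date(2009, 4, 20)),
    Finding(HR_DB, "constructed: DB auth bypass", 7.5, False, date(2009, 5, 15)),
    Finding(LAB_VM, "constructed: kernel RCE", 9.8, True, date(2009, 3, 1), fixed=date(2009, 3, 10)),
    Finding(PRINTER, "constructed: SNMP info leak", 5.3, False, date(2009, 1, 5)),
]

if __name__ == "__main__":
    for owner, items in remediation_plan(SAMPLE_FINDINGS, AS_OF).items():
        for f in items:
            print(f"{owner:10} {tier(f)} {risk_score(f):4} due {due_date(f)} "
                  f"{status(f, AS_OF):8} {f.asset.name}: {f.title}")
    print(progress(SAMPLE_FINDINGS, AS_OF))
```

Note how the same CVSS 9.8 finding lands in P1 on the internet-facing crown-jewel server but only P3 on the lab VM, while a CVSS 7.5 issue on the HR database outranks it; that reordering is the work a management process does that a bare scan report does not.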