An Introduction to Vulnerability Management

Slide 1
An Introduction to Vulnerability Management
Garrett Lanzy, Information Security Specialist
Information Security Office
Minnesota State Colleges and Universities
[email protected]
March 28th, 2012
Presentation can be downloaded from http://home.comcast.net/~lanzyg
Slide 2
Ground Rules
• Lectures are boring
  – I don’t do lectures for a living
  – I don’t want to put you to sleep (let alone myself!)
  – I’d rather have an interactive presentation
• All questions are welcome!
  – feel free to ask during the presentation
  – long(er) answers may be deferred to the end
• Feel free to contact me anytime with any further questions/comments
• Examples are from several different scans, so they don’t all “match”
Slide 3
Professional history
• B.S. degrees in EE and CS from Michigan Tech
• 22-year career at IBM
  – 5 years hardware performance analysis
  – 3 years software change management
  – 14 years TCP/IP application development
• 2 years at Metropolitan State University
  – Network/server/storage administration (1 year)
  – Interim Director of IT Operations (1 year)
• 2 years at MnSCU system office
  – Information security/vulnerability management
Slide 4
Outline
• Introduction to Vulnerabilities
• Evaluating Vulnerabilities
• Identifying Vulnerabilities
• Fundamentals of Vulnerability Management
• Vulnerability Management at MnSCU
• nCircle IP360 Deep Dive
Slide 5
An introduction to VULNERABILITIES
Slide 6
Definition: Vulnerability
• Wikipedia: “a weakness which allows an attacker to reduce a system’s information assurance.”
• ISO 27005: “A weakness of an asset or group of assets that can be exploited by one or more threats.”
• RFC 2828: “A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy.”
Slide 7
Examples of vulnerabilities
• Software bug allows unrestricted access to network share
• Network switch installed without changing the default administrator password
• Server application’s configuration file is writable by anyone
• Web application allows database contents to be “dumped”
Slide 8
CIA Triad
CIA = Confidentiality, Integrity, Availability
How can vulnerabilities affect the CIA triad?
• Confidentiality: a vulnerability might allow access to private or protected data
• Integrity: a vulnerability might allow unauthorized modification of data
• Availability: a vulnerability might cause a system to crash
Slide 9
(ISC)²
(ISC)² = International Information Systems Security Certification Consortium
CBK = Common Body of Knowledge
(ISC)² Certifications:
• SSCP = Systems Security Certified Professional
• CAP = Certified Authorization Professional
• CSSLP = Certified Secure Software Lifecycle Professional
• CISSP = Certified Information Systems Security Professional
Slide 10
(ISC)² CBK Domains
• Access Control
• Telecommunications and Network Security
• Information Security Governance and Risk Management
• Software Development Security
• Cryptography
• Security Architecture and Design
• Operations Security
• Business Continuity and Disaster Recovery Planning
• Legal, Regulations, Investigations and Compliance
• Physical (Environmental) Security
Which domains may be affected by a vulnerability?
Slide 11
How are vulnerabilities found?
• “Something is wrong”
• Formal testing/techniques
  – Fuzzing
  – Bounds checking
• Automated tools
• Security research/ethical hackers (“White hats”)
• Unethical hackers (“Black hats”)
• “Grey hats”
Slide 12
Vulnerability Disclosure
• “Responsible disclosure” (White hat)
  – Discovered vulnerability first reported to vendor
  – Disclosed to CERT later (2 weeks)
    • CERT = Computer Emergency Response Team
  – Full disclosure to the public much later
• Quick disclosure (Grey hat)
  – Discovered vulnerability immediately (or quickly) disclosed publicly
• No disclosure (Black hat)
  – Remains a “zero-day” attack until someone else finds it
Slide 13
Vulnerability inventory databases
• CVE = Common Vulnerabilities and Exposures
  http://cve.mitre.org
• SecurityFocus/BugTraq
  http://www.securityfocus.com/
• OSVDB = Open Source Vulnerability Database
  http://www.osvdb.org/
• OWASP = Open Web Application Security Project
  https://www.owasp.org/index.php/Category:Vulnerability
  https://www.owasp.org/index.php/OWASP_Top_Ten_Project
• Vendor-specific databases (Microsoft, Apple, Adobe, RedHat, SuSE, Cisco, …)
Slide 14
Sample CVE entry
Slide 15
OWASP Top 10
OWASP Top 10 Application Security Risks:
1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards
Slide 16
Evaluating VULNERABILITIES
Slide 17
Vulnerability evaluation
• Many different ways to evaluate vulnerabilities
• Many different “scoring” systems
• CVSS = Common Vulnerability Scoring System
  – 3 values: Base, Temporal, Environmental
  – Each ranges from 0 to 10
  – Each value calculated from a formula based on criteria
  – Nobody “owns” the CVSS values, therefore numeric values should be accompanied by the scoring criteria (“vector”)
Slide 18
CVSS Scoring
• Base metric: Constant with time and users
  – What damage is possible?
• Temporal metric: Varies with time
  – What is the current state of the vulnerability?
• Environmental metric: Varies by environment
  – How could the vulnerability affect me?
Slide 19
CVSS Base Metric Example
CVE-2012-0002 example – base metric (NIST)
CVSS Base Score: 9.3
CVSS Base Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Access Vector = Network (can be exploited from anywhere)
Access Complexity = Medium (it takes some work but not a PhD)
Authentication = None (required)
Confidentiality Impact = Complete (attacker can get data at will)
Integrity Impact = Complete (attacker can change data at will)
Availability Impact = Complete (attacker can crash system)
Slide 20
CVSS Temporal Metric Example
CVE-2012-0002 example – temporal metric (nCircle, on 3/13/12)
nCircle CVSS Temporal Score: 6.9
nCircle CVSS Temporal Vector: (E:U/RL:OF/RC:C)
Exploitability = Unproven (but now at least POC, probably Functional)
Remediation Level = Official fix (Microsoft has released a patch)
Report Confidence = Confirmed (it’s really out there)
My take: Exploitability should now be “Functional”, which raises the score from 6.9 to 7.9
Slide 21
CVSS Environmental Metric Example
CVE-2012-0002 example – environmental metric (MnSCU before remediation)
MnSCU CVSS Environmental Score: 6.3
MnSCU CVSS Environmental Vector: (CDP:MH/TD:M/CR:M/IR:H/AR:M)
Collateral Damage Potential: Medium-High (significant productivity loss)
Target Distribution: Medium (26%–75% of environment at risk)
Confidentiality Requirement: Medium
Integrity Requirement: High
Availability Requirement: Low
Slide 22
Another scoring formula: nCircle
Slide 23
Identifying VULNERABILITIES
Slide 24
Tools for Finding Vulnerabilities
• Port scanners/Network enumerators
• Penetration testing tools
• Web application scanners
• Network vulnerability scanners
• Specialized scanners
  – Database, ERP, etc.
Slide 25
Port scanners/Network enumerators
• Scan networks to find systems
• Scan ports on a system for applications/services
• Scan TCP/IP stack behavior to determine OS
  – Stack fingerprinting
• Scan for other system information
  – Open shares, application banners, etc.
• Example: Nmap (Network mapper)
  http://www.nmap.org
  – open source tool
Slide 26
Penetration Testing Tools
• Allow vulnerabilities to be found
• Allow vulnerabilities to be exploited
• Many different techniques used
• Example: Metasploit
  http://www.metasploit.com
  – Open-source version: Metasploit Framework
  – Proprietary “free”: Metasploit Community Edition
  – Paid versions: Metasploit Express, Metasploit Pro
  – Proprietary versions developed by Rapid7
Slide 27
Network vulnerability scanners
• Start with network enumeration/port scanning
• Add additional function for finding specific vulnerabilities
• Agent vs. agentless:
  – Scanners need to “see inside” system to find some vulnerabilities
  – Some require software “agent” installed on systems to be scanned
  – Agentless requires ability to “log in” to systems to discover these vulnerabilities
Slide 28
Vulnerability scanners
• Nexpose
  – Commercial, developed by Rapid7
  – Free and paid versions
• Nessus
  – Originally open-source, became commercial
  – Developed by Tenable Network Security
• OpenVAS = Open Vulnerability Assessment System
  – Open source, based on Nessus
  – Supported by German Federal Office for Information Security
• SAINT
  – Commercial product
• QualysGuard
  – Commercial, SaaS (“cloud”) solution
Slide 29
IP360
• Commercial vulnerability scanning product from nCircle
• Distributed, agentless vulnerability scanner
  – Agentless: no software installed on devices scanned for vulnerabilities
  – Distributed: local campus scanning appliances (device profilers) reduce network load
  – Distributed: authorization model allows each campus to maintain own network and scan definitions
• Works with nCircle Security Intelligence Hub (SIH) product for reporting
• Limited web application scanning capability
Slide 30
IP360 Supported Credentials
• SMB-DRT: [domain/]username/password
  – Gives access to Windows systems
• SSH-DRT: username/private key or username/password
  – Gives access to Linux/OS X/Unix/ESX/network devices
• SNMP-DRT: SNMP Community String
  – Gives access to SNMP MIB data (printers, network devices, …)
• Web applications (HTTP and web forms)
DRT = Deep Reflex Testing
Slide 31
Some fundamentals of VULNERABILITY MANAGEMENT
Slide 32
What is the basis of Information Security?
• Governance: Policies, Procedures, and Processes
  – Who
    • Defines roles and responsibilities
  – What
    • Defines how data is classified
    • Defines what needs to be protected
  – Why
    • Defines how risk is assessed & managed
Slide 33
Vulnerability Management Process
Process steps:
1. Define Policy
2. Identify Assets
3. Classify Assets
4. Identify Vulnerabilities
5. Classify (prioritize) Vulnerabilities
6. Remediate/Mitigate Vulnerabilities
Applicable guidelines:
• 5.23.1.5 – Security Patch Mgmt.
• 5.23.1.6 – Vulnerability Scanning
• 5.23.1.8 – Anti-malware Installation and Management
Slide 34
Vulnerability Management Process vs. Tools
Tools (columns): Inventory Management | Vulnerability Scanner | Patching | Firewalls
X = tool supports the step (the slide image assigns each X to a column; the column positions are not preserved in this transcript)
Identify Assets                      | X X
Classify Assets                      | X
Identify Vulnerabilities             | X X
Classify/Prioritize Vulnerabilities  | X X X
Remediate/Mitigate Vulnerabilities   | X X
Slide 35
Vulnerability Mitigation/Remediation
• Patching
• Fixing configuration
• Remove program/service
  – Do we need it?
• Disable program/service
  – Can we live without it?
• Block access to program/service
  – Access controls
  – Firewalls
Slide 36
Vulnerability Management at MNSCU
Slide 37
Information Security Program
• To protect information resources against unauthorized use, disclosure, modification, damage or loss
• Policies, procedures & guidelines
• Risk analysis & assessment
• Secure development & procurement practices
• Incident response
• Enterprise Access Management (new)
Slide 38
Vulnerability Management Infrastructure
• Regularly check every network device for actual or potential security problems
  – 30,000 devices scanned at least quarterly
  – 9,000 “visible” from Internet also scanned monthly
  – Problems found are prioritized for remediation
• 30% reduction of Internet-visible vulnerabilities in past 3 months
• Cost: $3.55/device scanned/year
Slide 39
Vulnerability Management System Guideline
Slide 40
VMI Roles & Responsibilities
• MnSCU Information Security Office
  – Contract administration & payment
  – System administration & maintenance
  – Hardware configuration
  – User assistance
  – Reporting to institution CIOs/campus VMI contacts
  – “Institution IT” activities for system data centers
• Institution IT (“hamster wheel”)
  – Campus scanning definition & configuration
  – Vulnerability prioritization & remediation
Slide 41
IP360 architecture
2 types of systems:
• VnE = Vulnerability Enumerator
  – “command and control” server
  – User interface (via browser)
  – Configuration and scan data storage
• Device profiler
  – Appliance which performs scans
  – Configuration for local network
  – No data storage after scan is complete
Slide 42
VMI Architecture
Slide 43
nCircle IP360 DEEP DIVE
Slide 44
IP360 configuration objects
3 objects tied together define a “scan”:
• Scan profile
• Network profile
• Device profiler
Slide 45
IP360 Scan Profile
• Options for discovering systems
  – ICMP (ping), port scans (TCP and/or UDP)
• Types of scanning to perform
  – Stack fingerprinting?
  – Application detection?
  – Vulnerability scanning?
  – Web application scanning?
  – Configuration checks?
  – Use credentials?
• Schedules for scanning
Slide 46
IP360 Network Profile
• Address range(s) to scan
• How systems are correlated between scans
  – e.g., a system’s IP address may change between scans
  – Need to be able to track changes to same system
• Asset value: relative “importance” of a system
  – Sample criteria:
    • 1 = printers and IP Phones
    • 3 = lab workstations
    • 5 = staff workstations
    • 10 = servers
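The asset value above is what makes the “Classify (prioritize) Vulnerabilities” step of slide 33 possible: the same finding on a server and on a printer should not land at the same place in the remediation queue. The following Python is an added example, not code from the slides or from IP360. It uses the sample asset-value criteria from this slide (1/3/5/10), the 9.3 base score for CVE-2012-0002 from slide 19, and NVD’s CVSS v2 severity bands; the 1.5x weight for Internet-visible hosts (the ones slide 38 scans monthly), the host names and the other vulnerability identifiers are constructed placeholders.

```python
"""Prioritise scan findings by asset value and CVSS score.

Added example, not part of the original slides or of IP360. Asset values are the
sample criteria from slide 46; findings and the exposure weight are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Sample asset-value criteria from slide 46.
ASSET_VALUE = {"printer": 1, "ip_phone": 1, "lab_workstation": 3,
               "staff_workstation": 5, "server": 10}

INTERNET_WEIGHT = 1.5   # constructed: extra weight for hosts reachable from the Internet


def severity(cvss: float) -> str:
    """NVD's CVSS v2 severity bands."""
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Finding:
    host: str
    asset_type: str
    vuln_id: str
    cvss: float             # CVSS base score as reported by the scanner
    internet_visible: bool


def asset_value(f: Finding) -> int:
    return ASSET_VALUE[f.asset_type]


def risk(f: Finding) -> float:
    """Constructed risk figure: asset value x CVSS base score, weighted for exposure."""
    weight = INTERNET_WEIGHT if f.internet_visible else 1.0
    return round(asset_value(f) * f.cvss * weight, 2)


def rank_findings(findings: List[Finding]) -> List[Tuple[Finding, float]]:
    """Highest risk first; ties broken by host name so the order is stable."""
    return sorted(((f, risk(f)) for f in findings), key=lambda fr: (-fr[1], fr[0].host))


def risk_matrix(findings: List[Finding]) -> Dict[Tuple[int, str], int]:
    """Count findings per (asset value, severity band), the shape of a risk-matrix report."""
    matrix: Dict[Tuple[int, str], int] = defaultdict(int)
    for f in findings:
        matrix[(asset_value(f), severity(f.cvss))] += 1
    return dict(matrix)


# Constructed findings. CVE-2012-0002 with base score 9.3 is from slide 19; the
# VULN-PLACEHOLDER identifiers are placeholders, not real vulnerability ids.
SAMPLE_FINDINGS = [
    Finding("srv-01", "server", "CVE-2012-0002", 9.3, True),
    Finding("lab-17", "lab_workstation", "CVE-2012-0002", 9.3, False),
    Finding("prn-03", "printer", "VULN-PLACEHOLDER-A", 7.5, True),
    Finding("staff-22", "staff_workstation", "VULN-PLACEHOLDER-B", 4.3, False),
    Finding("srv-02", "server", "VULN-PLACEHOLDER-C", 2.6, False),
]

if __name__ == "__main__":
    for f, r in rank_findings(SAMPLE_FINDINGS):
        print(f"{r:7.2f}  {f.host:9} {f.vuln_id:20} CVSS {f.cvss:4} {severity(f.cvss)}")
    print(risk_matrix(SAMPLE_FINDINGS))
```

Note what the ranking does with the two identical CVE-2012-0002 findings: the Internet-visible server sorts first and the lab workstation well behind a low-scored finding on another server, which is the asset value doing its job. The weighting constants are the part a campus would tune to its own policy; the CVSS score and asset value themselves come from the scanner and the network profile.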
Slide 47
Scanning process
Scans are controlled by the VnE, which sends commands to the device profiler. Depending on the options chosen in the scan profile, the following operations are performed during a scan:
• Host discovery
• Port scanning
• Application discovery
• Stack fingerprinting
• Vulnerability checking
• Configuration checking
Slide 48
Anatomy of a VnE Scan
Slide 49
Host Discovery
Each IP address in the range specified by the network object is checked with the discovery options specified by the scan profile:
• ICMP (ping)
• TCP port scan on specified ports
• UDP port scan on specified ports
Up to 150 devices can be scanned simultaneously by a device profiler (to improve performance).
Slide 50
Host Discovery Example
Slide 51
Port Scanning Example
Slide 52
Application Discovery
Device profiler scan to determine what applications/versions are available:
• Port scans and application-layer network checks
• If credentials are configured:
  – Registry checks
  – File checks
Slide 53
Application Discovery Example
Slide 54
Stack Fingerprinting
The profiler sends probes with various network and transport layer (IP, ICMP, TCP, and UDP) protocol options and checks the responses to identify the operating system of the device.
• Different OSs behave differently
• “Voting” algorithm used to determine most likely OS
• Useful if not able to scan device with credentials
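How a “voting” algorithm turns a handful of probe responses into an OS guess, as an added example that is not code from the slides or from IP360. The probe names, signature values and weights below are constructed to illustrate the mechanism and are not taken from any real fingerprint database, which would hold thousands of signatures. The example also covers the failure mode the slide implies: when probes are filtered or go unanswered, the vote can tie, and the honest result is “unknown” rather than a guess.

```python
"""OS "voting" from stack-fingerprint probe results.

Added example, not part of the original slides or of IP360. Signature table and
weights are constructed for illustration only.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed signature table: probe -> observed value -> OSs known to answer that way.
SIGNATURES: Dict[str, Dict[str, List[str]]] = {
    "icmp_echo_ttl": {"64": ["Linux", "FreeBSD"], "128": ["Windows"],
                      "255": ["Cisco IOS", "Solaris"]},
    "tcp_syn_ack_window": {"5840": ["Linux"], "65535": ["FreeBSD", "Windows"],
                           "4128": ["Cisco IOS"]},
    "tcp_options_order": {"MSS,SACK,TS,NOP,WS": ["Linux"],
                          "MSS,NOP,WS,SACK,TS": ["FreeBSD"],
                          "MSS,NOP,WS,NOP,NOP,SACK": ["Windows"],
                          "MSS": ["Cisco IOS"]},
    "ip_df_bit": {"set": ["Linux", "Windows", "FreeBSD"],
                  "clear": ["Cisco IOS", "Solaris"]},
    "udp_closed_port_reply": {"icmp_unreachable": ["Linux", "FreeBSD", "Solaris", "Cisco IOS"],
                              "none": ["Windows"]},
}

# Constructed weights: a probe that separates OSs well carries a bigger vote.
WEIGHTS = {"icmp_echo_ttl": 1.0, "tcp_syn_ack_window": 2.0, "tcp_options_order": 3.0,
           "ip_df_bit": 0.5, "udp_closed_port_reply": 1.0}


def tally_votes(observed: Dict[str, str]) -> List[Tuple[str, float]]:
    """Every OS whose signature matches an observed probe result receives that probe's weight."""
    votes: Counter = Counter()
    for probe, value in observed.items():
        for os_name in SIGNATURES.get(probe, {}).get(value, []):
            votes[os_name] += WEIGHTS.get(probe, 1.0)
    return votes.most_common()


def guess_os(observed: Dict[str, str], min_confidence: float = 0.6) -> Tuple[str, float]:
    """Return (most likely OS, confidence).

    Confidence is the winner's share of the weight of the probes that actually answered,
    so filtered or unanswered probes lower it. A tie or a weak winner yields "unknown".
    """
    ranked = tally_votes(observed)
    answered = sum(WEIGHTS.get(p, 1.0) for p in observed if p in SIGNATURES)
    if not ranked or answered == 0:
        return ("unknown", 0.0)
    winner, votes = ranked[0]
    confidence = round(votes / answered, 2)
    if len(ranked) > 1 and ranked[1][1] == votes:   # tie: no single most likely OS
        return ("unknown", confidence)
    if confidence < min_confidence:
        return ("unknown", confidence)
    return (winner, confidence)


# Constructed probe results, as a device profiler might record them.
SAMPLE_LINUX = {"icmp_echo_ttl": "64", "tcp_syn_ack_window": "5840",
                "tcp_options_order": "MSS,SACK,TS,NOP,WS", "ip_df_bit": "set",
                "udp_closed_port_reply": "icmp_unreachable"}
SAMPLE_WINDOWS = {"icmp_echo_ttl": "128", "tcp_syn_ack_window": "65535",
                  "tcp_options_order": "MSS,NOP,WS,NOP,NOP,SACK", "ip_df_bit": "set",
                  "udp_closed_port_reply": "none"}
SAMPLE_FILTERED = {"icmp_echo_ttl": "64", "ip_df_bit": "set"}   # TCP/UDP probes blocked by a firewall

if __name__ == "__main__":
    for name, obs in (("linux", SAMPLE_LINUX), ("windows", SAMPLE_WINDOWS), ("filtered", SAMPLE_FILTERED)):
        print(name, tally_votes(obs), "->", guess_os(obs))
```

The filtered case is the one worth remembering when reading a scan report: TTL and DF bit alone cannot separate Linux from FreeBSD, so a profiler that only got those two answers should report low confidence, and credentialed scanning (slide 52) is the way to settle the question.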
Slide 55
Stack Fingerprinting Example
Slide 56
Stack Fingerprinting Vote Example
Slide 57
Vulnerability Checks
For each application found, checks are performed for each known/detectable vulnerability. These use the same techniques as application discovery, but go into more detail.
• May have completely different checks for the same vulnerability in different versions of an application
• May have multiple checks for the same vulnerability
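One concrete form of a vulnerability check is comparing the version that application discovery found against the affected and fixed version ranges of each known vulnerability. The following Python is an added example, not code from the slides or from IP360; the application names, version numbers and VULN-PLACEHOLDER identifiers are constructed. It shows both points from the slide: one vulnerability carrying a separate check per release branch because each branch got its own fix version, and two overlapping checks for the same vulnerability being reported only once.

```python
"""Version-range vulnerability checks over discovered applications.

Added example, not part of the original slides or of IP360. Application names,
versions and vulnerability identifiers are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.2.22' -> (2, 2, 22). Every digit run becomes a component, so '5.9p1' -> (5, 9, 1)."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(n) for n in nums)


def version_in_range(version: str, first_affected: str, fixed_in: Optional[str]) -> bool:
    """True if first_affected <= version < fixed_in (fixed_in None means no fix exists yet).

    Tuples are zero-padded to the same length so that '2.4' compares equal to '2.4.0'.
    """
    v, lo = parse_version(version), parse_version(first_affected)
    hi = parse_version(fixed_in) if fixed_in else None
    width = max(len(v), len(lo), len(hi) if hi else 0)

    def pad(t: Tuple[int, ...]) -> Tuple[int, ...]:
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) and (hi is None or pad(v) < pad(hi))


@dataclass(frozen=True)
class Check:
    app: str
    vuln_id: str
    first_affected: str
    fixed_in: Optional[str]   # None: the vendor has not shipped a fix for this branch


# Constructed check table. VULN-PLACEHOLDER-1 needs one check per release branch
# because the 2.2 and 2.4 branches were fixed in different versions; the two
# VULN-PLACEHOLDER-2 rows are overlapping checks for a single vulnerability.
CHECKS = [
    Check("ExampleHTTPd", "VULN-PLACEHOLDER-1", "2.2.0", "2.2.23"),
    Check("ExampleHTTPd", "VULN-PLACEHOLDER-1", "2.4.0", "2.4.4"),
    Check("ExampleHTTPd", "VULN-PLACEHOLDER-2", "2.4.0", None),
    Check("ExampleHTTPd", "VULN-PLACEHOLDER-2", "2.4.2", None),
    Check("ExampleSSHd", "VULN-PLACEHOLDER-3", "5.0", "5.9"),
]


def run_checks(inventory: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """inventory rows are (host, app, version) as application discovery reports them.

    Several checks can fire for one vulnerability; each (host, app, vuln) is reported once.
    """
    seen = set()
    findings: List[Dict[str, str]] = []
    for host, app, version in inventory:
        for c in CHECKS:
            if c.app != app or not version_in_range(version, c.first_affected, c.fixed_in):
                continue
            key = (host, app, c.vuln_id)
            if key in seen:
                continue
            seen.add(key)
            findings.append({"host": host, "app": app, "version": version,
                             "vuln_id": c.vuln_id, "fix": c.fixed_in or "none available"})
    return findings


# Constructed inventory, the output of application discovery on four hosts.
SAMPLE_INVENTORY = [
    ("web-01", "ExampleHTTPd", "2.2.22"),
    ("web-02", "ExampleHTTPd", "2.4.3"),
    ("web-03", "ExampleHTTPd", "2.4.4"),
    ("bastion", "ExampleSSHd", "5.9p1"),
]

if __name__ == "__main__":
    for finding in run_checks(SAMPLE_INVENTORY):
        print(finding)
```

A version comparison on its own is the cheapest check and also the one most prone to false positives: vendors that backport fixes without bumping the version string will show as vulnerable here, which is why the credentialed registry and file checks of slide 52 exist and why the slide says checks “go into more detail” than application discovery.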
Slide 58
Vulnerability Check Example
Slide 59
Configuration Checks
If selected, specific checks are made to determine and report on configuration options. The available checks are highly dependent on each OS/application and whether or not credentialed scanning is being done.
Slide 60
Configuration Check Example
Slide 61
Reporting
• Many types of reports are available
• Can “drill down” to extreme levels of detail
• Can aggregate data for management reports and trend analysis
Slide 62
Sample Scan Report – Summary (pt. 1)
Slide 63
Sample Scan Report – Summary (pt. 2)
Slide 64
Sample Scan Report – Summary (pt. 3)
Slide 65
Vulnerabilities Report
Slide 66
Specific vulnerability (pt. 1)
Slide 67
Specific vulnerability (pt. 2)
Slide 68
Risk Matrix report
Slide 69
Summary
• Vulnerability Management is an important component of any Information Security program
• Need to start with policies and procedures so we know what to protect
• Variety of tools available, both free and $
• Tools give much more information than just what vulnerabilities are found
• Remediation ties into other IS processes
Slide 70
Questions?
• Presentation can be downloaded from:
  – http://home.comcast.net/~lanzyg
• Your time!