National State Auditors Association Vulnerability Management: An Audit Primer September 20, 2018

Transcription

1 Office of the Legislative Auditor State of Minnesota National State Auditors Association Vulnerability Management: An Audit Primer September 20, 2018 Christopher Buse Deputy Legislative Auditor

2 Boot Camp Setting the Bar Assessment Strategy Agenda

3 Boot Camp

4 Vulnerabilities: The Food Hackers Eat

5 Time is of the Essence 90% Hacks perpetrated by external actors 60% Systems compromised within minutes 75% Initial compromises spread within 24 hours 50% New vulnerabilities became full exploits in less than 30 days 70 90% Malware samples are unique to an entity More Threats More Targeted More Sophisticated

6 Find and fix vulnerabilities before they get found and exploited Goal

7 Building Blocks People VM Team (Finders) IT Operations (Fixers) Policies and Processes Scan frequency and methodology Remediation timeliness Tools Network and application Scanners Threat intelligence feeds

8 There will always be a massive inventory of vulnerabilities Assess Assets The art of VM involves Understanding the inventory Prioritizing remediation Closely monitoring enterprise-wide risk metrics Generate Metrics Vulnerability Posture Remediate A Continuous Process

9 Technical Lens

10 Setting the Bar

11 Everything Must Be Assessed Desktops & laptops Servers Networking equipment Databases Applications IOT devices IAAS & PAAS environments Internal and external networks Issue: Incomplete IT Inventory Records

12 All Entities Must Be In Scope Big agencies Mid and small size entities Weak links provide an entry point for hackers Issue: Historical Underinvestment in Tools and Security Specialists

13 Assessments Must be Frequent Hackers discover new vulnerabilities daily High risk assets may require a daily or weekly scan schedule Quarterly scans are not an appropriate bar Compliance Security Issue: Check the PCI Compliance Box Mentality

14 Assessments Must Be Credentialed Uncredentialed scans only identify a fraction of the vulnerabilities Tools must have root access Issue: System Administrator Pushback on Sharing Root Credentials

15 Remediation Must Be Timely Ongoing communication between security team and system administrators Known timelines to fix issues, based on criticality Issue: Risks to System Availability

16 Results Must Be Measured Detailed metrics for system administrators Various levels of rollup metrics CISO IT and business leaders Issue: Lack of Program Maturity Average Host Score Jan Feb Mar Apr May Jun

17 Threat Intelligence is Vital Most security tools are reactive New vulnerabilities daily Vulnerability checks often lag a week or more Threat intelligence provides a means to assess the impact of zero day vulnerabilities Issue: Costly Feeds Were Never Part of the IT Budget

18 Applications Require Special Attention Security must be baked into apps by developers Training to understand common app vulnerabilities Tools to find and fix code issues Security team should provide secondary validation The Software Engineering Institute estimates that 90% of reported security incidents result from exploits against defects in the design or code of software.

19 Assessment Strategy

20 Coverage All IT All Entities Assessments Risk-based Scan Schedule Credentialed Scans Policies and Standards Remediation Risk-based Fix Timelines Ongoing Communication Metrics Detail Roll-up (Management) Program Foundation Clearly Defined?

21

22 Scan profiles defined for all networks All agencies in scope Coverage All-Inclusive?

23 Scan profiles use privileged credentials Scan profiles comply with timeliness policies and standards Special processes in place to continuously assess application code Assessments Strategies Align with Standards?

24 Agency Score Trend Health 75,000 Transportation 44,000 Prisons 118,000 Administration 25,000 Capability to measure actual vulnerability posture Improvement in overall vulnerability posture results Detailed metrics down to the IT system level Roll-up metrics to help leaders understand risk Vulnerability Inventory Effectively Managed?

25 References

26