Vulnerability Management

Transcription:

Vulnerability Management: When you just can't patch. Richard Dahl, founder and CEO

Agenda: Who am I; When Can't You Patch; Typical Vulnerability Process; Four Options; Resource Characteristics

Agenda: Control Inheritance; Vulnerability Analysis; Risk Analysis; Remediating Controls; Vulnerability Documentation

Who am I? Founder and CEO of cmplid:// Inc., a security management automation solution. Security professional with more than 23 years in security; first 5 years as a Counterintelligence Agent in the US Army. Consulting experience with many industries. Security management methodology zealot, with a passion for repeatable and consistent processes that produce high-quality security programs.

Sounds like: Counterintelligence Agent

Looks like: Counterintelligence Agent

When you just can't patch is NOT: when patching is difficult; when patching is inconvenient; when you assume you can't patch; when patching interferes with your time.

When you just can't patch

Patch When You Can: set a very high bar for not patching; document the specific criteria; consistently follow the guidance.

Criteria For Not Patching: Just Say No (the vendor comes from the Nancy Reagan School of Patch Management).

Criteria For Not Patching: the vulnerability is not relevant.

Criteria For Not Patching: the vulnerability is mitigated through alternate means AND the affected system is functioning properly AND the affected system is not normally administered.

Normal Vulnerability Response Process

got vuln?

Four Options:
1. Work with the vendor to support patching
2. Upgrade and support the production system yourself
3. Replace the vulnerable product
4. Do nothing (and hope for the best)

Resource Characterization, technical resources: hardware, software, source code, networks, media.

Resource Characterization, business resources: information, locations, personnel, organizations.

Resource Attributes: define the characteristics necessary to disposition security requirements, that is, WHEN requirements are necessary and HOW requirements will be fulfilled.

Security Objectives: a technical statement of purpose for each security control within the program; correlate to the indicating attributes.

Consequence: of failure or absence of a control; a simple statement of effect.

Vulnerability Defined: a vulnerability is essentially a condition that allows a security control to be bypassed.

Control Inheritance: common controls are security controls whose implementation results in a security capability that is inheritable by one or more organizational information systems.

Control Inheritance: security controls are deemed inheritable [...] when the systems or components receive protection from [...] controls [that] are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the systems or components. Security capabilities [...] can be inherited from many sources including, for example, [...] other information systems.

Inheritance Examples: hardware inherits protection from firewalls on the network, locked doors of cabinets/rooms, users (personnel), and managing organizations.

Inheritance Examples: software inherits protection from the hardware it is installed on, users (personnel), and managing organizations.

Vulnerability Analysis: Classification, Remediation Process, Mitigation

Classification: CVSS Base Score, Temporal Score, Environmental Score; Impact of Functionality; Risk Informed.

Scoring

Remediation: usually one of two processes, reconfigure software OR patch software; eliminates the vulnerability.

Mitigation: usually relies on control inheritance or absence of consequence; limits the effect of the vulnerability.

Risk: provides context; must tie to a business process or system function.

Risk Analysis Methods: many are defined; choose one and apply it consistently. Simpler is better, but only as simple as possible.

Vulnerability Documentation: correlate the vulnerability to the affected resources within the context of: the affected business process or system function; the affected security objectives / consequence of exploitation; mitigating controls; executive approval.
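The deck's decision rules are spread over several slides: patch when you can, the three-part criteria for not patching, mitigation through inherited controls, and the documentation record with executive approval. As an added example (not the speaker's code or cmplid://'s product), the block below encodes those rules in one place and produces the record the Vulnerability Documentation slide calls for. All resource, control, objective and vulnerability names are constructed; the "EXAMPLE-n" identifiers are placeholders, not real advisories.

```python
from dataclasses import dataclass, field
from typing import List

# Every name, resource and vulnerability below is constructed for this example.


@dataclass
class Control:
    name: str
    inherited_from: str          # network, facility, personnel, organisation, other system
    objectives: List[str]        # security objectives the control upholds


@dataclass
class Resource:
    name: str
    business_process: str        # risk must tie back to this
    controls: List[Control]      # protection inherited from other resources
    functioning_properly: bool
    normally_administered: bool  # routinely logged into or changed by administrators


@dataclass
class Vulnerability:
    ident: str
    description: str
    bypassed_objectives: List[str]   # a vulnerability lets a control be bypassed
    consequence: str                 # simple statement of effect
    patch_available: bool
    relevant: bool                   # does the vulnerable condition exist in our deployment?


@dataclass
class Disposition:
    decision: str                    # remediate | mitigate | escalate | not-relevant
    rationale: str
    mitigating_controls: List[str] = field(default_factory=list)
    requires_executive_approval: bool = False


def coverage(vuln, resource):
    """Controls covering at least one bypassed objective, and objectives no control covers."""
    covering = [c.name for c in resource.controls
                if set(c.objectives) & set(vuln.bypassed_objectives)]
    upheld = {o for c in resource.controls for o in c.objectives}
    return covering, sorted(set(vuln.bypassed_objectives) - upheld)


def disposition(vuln, resource):
    """Patch when you can; otherwise the documented not-patch criteria decide."""
    if not vuln.relevant:
        return Disposition("not-relevant", "vulnerable condition does not exist on this resource")
    if vuln.patch_available:
        return Disposition("remediate", "fix exists (patch or reconfigure): patch when you can")
    covering, uncovered = coverage(vuln, resource)
    # All three not-patch criteria must hold: mitigated through alternate means,
    # functioning properly, not normally administered.
    if not uncovered and resource.functioning_properly and not resource.normally_administered:
        return Disposition("mitigate", "no patch; every bypassed objective upheld by an inherited control",
                           covering, requires_executive_approval=True)
    reasons = []
    if uncovered:
        reasons.append("uncovered objectives: " + ", ".join(uncovered))
    if not resource.functioning_properly:
        reasons.append("resource not functioning properly")
    if resource.normally_administered:
        reasons.append("resource is normally administered")
    return Disposition("escalate", "no patch and criteria unmet (" + "; ".join(reasons) + "): "
                       "upgrade yourself, replace the product, or accept with approval",
                       covering, requires_executive_approval=True)


def document(vuln, resource, approver=None):
    """The record the Vulnerability Documentation slide asks for."""
    d = disposition(vuln, resource)
    return {
        "vulnerability": vuln.ident,
        "resource": resource.name,
        "business_process": resource.business_process,
        "affected_objectives": list(vuln.bypassed_objectives),
        "consequence": vuln.consequence,
        "decision": d.decision,
        "rationale": d.rationale,
        "mitigating_controls": d.mitigating_controls,
        "executive_approval": approver if d.requires_executive_approval else "not required",
    }


# Constructed sample: a legacy operator console that inherits protection from the network and the room.
HMI = Resource("hmi-01", "plant floor monitoring",
               [Control("perimeter firewall", "network", ["restrict-network-access"]),
                Control("locked cabinet", "facility", ["restrict-physical-access"])],
               functioning_properly=True, normally_administered=False)
NO_PATCH_NETWORK = Vulnerability("EXAMPLE-1", "flaw in an exposed network service",
                                 ["restrict-network-access"], "remote takeover of the console",
                                 patch_available=False, relevant=True)
NO_PATCH_ADMIN = Vulnerability("EXAMPLE-2", "local privilege escalation",
                               ["authenticate-administrators"], "operator gains admin on the console",
                               patch_available=False, relevant=True)
PATCHABLE = Vulnerability("EXAMPLE-3", "flaw with a vendor fix", ["restrict-network-access"],
                          "remote takeover of the console", patch_available=True, relevant=True)
```

Calling `document(NO_PATCH_NETWORK, HMI, approver="CISO")` yields a "mitigate" record that names the perimeter firewall as the inherited control and records the approver, while `NO_PATCH_ADMIN` escalates because no inherited control upholds administrator authentication. The point of returning a record rather than a yes/no is the deck's last slide: the analysis, the mitigating controls and the approval are what get kept.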

Summary: document patch criteria; know your resources; embrace control inheritance; consistently apply guidance; document the analysis; get approval.

Thank You Questions? Comments. Concerns!