![Page 1: HP World September 2002 Scott S. Blake, CISSP Vice President, Information Security BindView Corporation Vulnerability Assessment and Action](https://reader035.vdocuments.mx/reader035/viewer/2022081519/56649f4f5503460f94c70879/html5/thumbnails/1.jpg)
HP WorldSeptember 2002
Scott S. Blake, CISSPVice President, Information Security
BindView Corporation
Vulnerability Assessment and Action
![Page 2: HP World September 2002 Scott S. Blake, CISSP Vice President, Information Security BindView Corporation Vulnerability Assessment and Action](https://reader035.vdocuments.mx/reader035/viewer/2022081519/56649f4f5503460f94c70879/html5/thumbnails/2.jpg)
Agenda
• Introduction• Analyzing a Vulnerability• Types of Assessment Programs
– Basic Vulnerability Assessment– Advanced Vulnerability Assessment– Application Vulnerability Assessment
• Understanding the Limitations of Technology• Conclusion
![Page 3: HP World September 2002 Scott S. Blake, CISSP Vice President, Information Security BindView Corporation Vulnerability Assessment and Action](https://reader035.vdocuments.mx/reader035/viewer/2022081519/56649f4f5503460f94c70879/html5/thumbnails/3.jpg)
Introduction• Fear, Uncertainty, and Doubt
– 90% report security breach, up from 42% in 1996
– 74% cite the Internet as a frequent source of attack, up from 59%
– Reported Losses totaled over $455 million
– Fraud and theft cost the most, 55 respondents reported losses of over $286 million
– 34% reported breaches to law enforcement, up from 16% in 1996
– 21% didn’t know if their web server had been attacked
• From the 2002 CSI/FBI Survey
![Page 4: HP World September 2002 Scott S. Blake, CISSP Vice President, Information Security BindView Corporation Vulnerability Assessment and Action](https://reader035.vdocuments.mx/reader035/viewer/2022081519/56649f4f5503460f94c70879/html5/thumbnails/4.jpg)
Introduction
• The Risk Management Equation:
Risk = (Threat + Vulnerability) * Value
![Page 5: HP World September 2002 Scott S. Blake, CISSP Vice President, Information Security BindView Corporation Vulnerability Assessment and Action](https://reader035.vdocuments.mx/reader035/viewer/2022081519/56649f4f5503460f94c70879/html5/thumbnails/5.jpg)
Introduction• Understand your Threat Model
– Insider Fraud
– External Thieves, Spies, etc.
– Customers
– Ankle-Biters
• Design an Appropriate Security Policy– Identify Key Assets
– Identify Risks and Threats
– Build and Maintain Countermeasures
– Continually Re-assess
![Page 6: HP World September 2002 Scott S. Blake, CISSP Vice President, Information Security BindView Corporation Vulnerability Assessment and Action](https://reader035.vdocuments.mx/reader035/viewer/2022081519/56649f4f5503460f94c70879/html5/thumbnails/6.jpg)
Introduction• Vulnerability Assessment Technologies
– Network-Based• Mostly Non-Credentialed• Inferential v. “Live Fire”• Generally Does Not Play Well with Others• Sometimes Finds Things Host-based cannot
– Host-based• Depends on Administrative Access• Often Requires Code on Box• Generally More Accurate than Network-based• Sometimes Finds Things Network-based cannot
– Issues• Scalability, Reliability, Manageability
![Page 7: HP World September 2002 Scott S. Blake, CISSP Vice President, Information Security BindView Corporation Vulnerability Assessment and Action](https://reader035.vdocuments.mx/reader035/viewer/2022081519/56649f4f5503460f94c70879/html5/thumbnails/7.jpg)
Analyzing a Vulnerability
• Notifications– Monitor Open Sources
• Triage Function– Affected Platforms– Impact of Exploit– Map Vulnerability to Risk– Prioritize
• Determine Action– Apply Patch?– Shut down service?– Reconfigure?– Emergency or Regular Procedure?
![Page 8: HP World September 2002 Scott S. Blake, CISSP Vice President, Information Security BindView Corporation Vulnerability Assessment and Action](https://reader035.vdocuments.mx/reader035/viewer/2022081519/56649f4f5503460f94c70879/html5/thumbnails/8.jpg)
Analyzing a Vulnerability
• Consider Organizational/Functional Issues– Who found the vulnerability?– Who needs to take the action?– Have business continuity issues been
considered while analyzing the priority?
![Page 9: HP World September 2002 Scott S. Blake, CISSP Vice President, Information Security BindView Corporation Vulnerability Assessment and Action](https://reader035.vdocuments.mx/reader035/viewer/2022081519/56649f4f5503460f94c70879/html5/thumbnails/9.jpg)
Basic Vulnerability Assessment
• Goal: Stop the Ankle-Biters
• Network Assessment of Internet-facing systems– Find and close the Big Holes
• Actions:– Strip out unnecessary services– Apply the important patches– Minimize user accounts– Tighten ACLs
![Page 10: HP World September 2002 Scott S. Blake, CISSP Vice President, Information Security BindView Corporation Vulnerability Assessment and Action](https://reader035.vdocuments.mx/reader035/viewer/2022081519/56649f4f5503460f94c70879/html5/thumbnails/10.jpg)
Basic Vulnerability Assessment
• How To:– Consider Outsourcing– Run a network scanner daily or weekly– Keep the scanner up to date– Establish baseline configuration– Alert staff when there are exceptions
![Page 11: HP World September 2002 Scott S. Blake, CISSP Vice President, Information Security BindView Corporation Vulnerability Assessment and Action](https://reader035.vdocuments.mx/reader035/viewer/2022081519/56649f4f5503460f94c70879/html5/thumbnails/11.jpg)
Advanced Vulnerability Assessment
• Goal: Stop External Attackers and Insider Fraud
• Mostly Host-based Assessment
• Actions:– Minimize user privileges– Maintain security standards on workstations
and servers– Automate vulnerability discovery
![Page 12: HP World September 2002 Scott S. Blake, CISSP Vice President, Information Security BindView Corporation Vulnerability Assessment and Action](https://reader035.vdocuments.mx/reader035/viewer/2022081519/56649f4f5503460f94c70879/html5/thumbnails/12.jpg)
Advanced Vulnerability Assessment
• How To:– Define security policies and standards– Scan regularly (at least monthly) for exceptions– Respond swiftly to exceptions on a tiered basis– Maintain a test lab for patches, verify them quickly– Keep the scanner up to date– Consider Outsourcing the scans – Distribute the information load
![Page 13: HP World September 2002 Scott S. Blake, CISSP Vice President, Information Security BindView Corporation Vulnerability Assessment and Action](https://reader035.vdocuments.mx/reader035/viewer/2022081519/56649f4f5503460f94c70879/html5/thumbnails/13.jpg)
Application Vulnerability Assessment
• Goal: Stop Customers and Attackers
• Usually a consulting engagement
• Actions:– Design for Security in the Beginning– Code Review– Ethical Hacking, aka Adversary Testing
![Page 14: HP World September 2002 Scott S. Blake, CISSP Vice President, Information Security BindView Corporation Vulnerability Assessment and Action](https://reader035.vdocuments.mx/reader035/viewer/2022081519/56649f4f5503460f94c70879/html5/thumbnails/14.jpg)
Application Vulnerability Assessment
• How To:– Consider Outsourcing– Involve security staff in earliest design
phases– Use peer code review within development– Use outside experts for security code review– Engage reputable firm for adversary testing
![Page 15: HP World September 2002 Scott S. Blake, CISSP Vice President, Information Security BindView Corporation Vulnerability Assessment and Action](https://reader035.vdocuments.mx/reader035/viewer/2022081519/56649f4f5503460f94c70879/html5/thumbnails/15.jpg)
Understanding the Limitations of Technology
• Firewalls– Must have holes to function
• Intrusion Detection– Limited to known signatures– May be subject to attack/evasion
• Anti-Virus– Limited to known signatures– Must be kept constantly updated
• Encryption– VPN/SSL only provide transmission security, not endpoint– Data storage encryption good, but key management is the bottleneck
• Vulnerability Assessment– Limited to known signatures– Balance reliability v. impact on targets
![Page 16: HP World September 2002 Scott S. Blake, CISSP Vice President, Information Security BindView Corporation Vulnerability Assessment and Action](https://reader035.vdocuments.mx/reader035/viewer/2022081519/56649f4f5503460f94c70879/html5/thumbnails/16.jpg)
Conclusion
• Understand the Threat Model
• Constantly Search for Vulnerabilities
• Combine Threat and Vulnerability to Manage Risk
• Use Technology, but Know the Limits
![Page 17: HP World September 2002 Scott S. Blake, CISSP Vice President, Information Security BindView Corporation Vulnerability Assessment and Action](https://reader035.vdocuments.mx/reader035/viewer/2022081519/56649f4f5503460f94c70879/html5/thumbnails/17.jpg)
Q&A
Questions?