Vulnerability Management - William Favre Slater, III 1
Vulnerability Management
August 17, 2016
A Practitioner's Perspective
William Favre Slater, III
M.S., MBA, PMP, CISSP, SSCP, CISA, ITIL, IPv6
Senior IT Consultant in Cybersecurity
Chicago, Illinois, United States of America
[email protected]
http://billslater.com/interview
Agenda
• Introduction
• What are Vulnerabilities?
• What are Threats?
• Quick Story about David Brewer, Michael Nash, and the "Brewer Events".
• Tools
• Planning Your Scanning
• Vulnerability Management & Reporting
• Remediation Management & Reporting
• Vulnerability Aging Reporting
• Personal Insights from Experience
• Summary
• Conclusion
• Questions
• Resources
Introduction
• Vulnerability Management
– Is an essential part of any modern Security Management Program
– Is now required by every major security framework
– Requires careful planning, rigor, and discipline
– Requires diplomacy
– Requires strong management support
– Helps keep you out of lawsuits, because it demonstrates due care
– Is required to help protect your organization from damaging attacks and data breaches
Information Security is a Continuous Process
Vulnerability Management Life Cycle
Vulnerability Management and Security Management
Computer Network Defense (CND): The Four Pillars
• Forensics
• Threat Analysis
• Vulnerability Assessment
• Network Defense Operations (NDO)
Security Architecture & Management
Measuring and Reporting on Security Architecture & Management
Is There a Capability Maturity Model for Threat and Vulnerability Management?
Source: https://blog.coresecurity.com/2014/10/21/the-threat-and-vulnerability-management-maturity-model/
WHAT ARE VULNERABILITIES?
Vulnerabilities
• Vulnerability – definition
• Vulnerability examples
Vulnerabilities
• What is a “vulnerability”?
– A weakness or condition that gives a threat the opportunity to damage the organization, its IT systems or its network, or to steal information from them.
– Comes from the Latin word, “vulnus”, meaning “wound”
– Sometimes called, “The Achilles Heel.”
(Image: Thetis dipping Achilles into the River Styx)
The Death of Achilles
Achilles was mortally wounded in the
one place he was vulnerable: his heel.
Some Sources of Vulnerabilities
• Complicated user interface
• Default passwords not changed
• Disposal of storage media without deleting data
• Equipment sensitivity to changes in voltage
• Equipment sensitivity to moisture and contaminants
• Equipment sensitivity to temperature
• Inadequate cabling security
• Inadequate capacity management
• Inadequate change management
• Inadequate classification of information
• Inadequate control of physical access
• Inadequate maintenance
• Inadequate network management
• Inadequate or irregular backup
• Inadequate password management
• Inadequate physical protection
Some Sources of Vulnerabilities (continued)
• Inadequate protection of cryptographic keys
• Inadequate replacement of older equipment
• Inadequate security awareness
• Inadequate segregation of duties
• Inadequate segregation of operational and testing facilities
• Inadequate supervision of employees
• Inadequate supervision of vendors
• Inadequate training of employees
• Incomplete specification for software development
• Insufficient software testing
• Lack of access control policy
• Lack of clean desk and clear screen policy
• Lack of control over the input and output data
• Lack of internal documentation
• Lack of or poor implementation of internal audit
• Lack of policy for the use of cryptography
Some Sources of Vulnerabilities (continued)
• Lack of procedure for removing access rights upon termination of employment
• Lack of protection for mobile equipment
• Lack of redundancy
• Lack of systems for identification and authentication
• Lack of validation of the processed data
• Location vulnerable to flooding
• Poor selection of test data
• Single copy (data with no backup or replica)
• Too much power in one person
• Uncontrolled copying of data
• Uncontrolled download from the Internet
• Uncontrolled use of information systems
• Undocumented software
• Unmotivated employees
• Unprotected public network connections
• User rights are not reviewed regularly
WHAT ARE THREATS?
Threats
• Threat – definition
• Some sources of threats
• More threat examples
Threats
• What is a “threat”?
– Anything (an actor, event or condition) with the potential to cause damage to, or theft from, the organization, its IT systems or its network.
Some Sources of Threats
• Misguided Employees
• Mistakes by careless Employees
• External Parties
• Low awareness of security issues
• Lack of or lapse in security policy compliance
• Growth in networking and distributed computing
• Growth in complexity and effectiveness of hacking tools and viruses
• Natural disasters e.g. fire, flood, earthquake
Typical Threats that Represent Business Risks
QUICK STORY ABOUT DAVID BREWER AND THE "BREWER EVENTS".
So Let's Simplify This Stuff
And Make it Easier, Achievable and More Manageable

Co-author of the ISO 27001 standard security framework, October 2005
Co-author of ISO 27001 Annex A Insights, December 2010
Director, Gamma Secure Systems Limited
ISO/IEC 27001 and ISO 9001 Certified for the Provision of Information Security Consultancy
www.gammassl.co.uk

Note: with clients, he had to start using the word "EVENT", because he learned that Executive Management got upset about the connotation of words like ASSETS, THREATS and VULNERABILITIES.

Source: http://www.gammassl.co.uk/research/27001annexAinsights.pdf
An “Event” is
• When Threat Meets Vulnerability or
• When a Threat EXPLOITS a Vulnerability
Brewer Event List
Risk Management Strategies
(Slide originally from the ISMS Project Update Meeting - Information Asset & Information Security Discussion, June 10, 2011)
Applying the Brewer Events with Risk Management Strategies
TOOLS
Tools:
• Scanners
– Nexpose
– IBM VMS
– Nessus
– Netcat (not a vulnerability scanner itself, but a general-purpose TCP/UDP connection tool that is handy for manual port checks and banner grabbing)
Tools: Nexpose
(Screenshot of the Nexpose console. Source: Rapid7)
Tools: Generic Vulnerability Scanning
Source: Skoudis, E. (2006), Counter Hack Reloaded.

(Diagram: Generic Vulnerability Scanner Architecture on a Scanning Server. Components on the scanning server: User Configuration Tool; Scanning Engine; Vulnerability Database; Knowledge Base of the Current Active Scan; Results Repository and Report Generation. The scanning server reaches the Target Servers in the Data Center through a switch, a router and a firewall.)

Technical Notes:
1) It is standard practice to allow-list (whitelist) the IP address of your scanner at the firewall and other IDS/IPS devices, so that its probes are neither dropped nor reported as an attack.
2) The scanner probes for active IP addresses and open ports, identifies the services behind them, and matches what it finds against the Vulnerability Database.
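The two technical notes describe the first thing the scanning engine does: find live hosts and open ports, then identify the service so the result can be matched against the vulnerability database. What follows is an added example, not code from the deck and not from Nexpose, Nessus or any other product named on this page: a concurrent TCP connect scan with banner grabbing, written in Python. So that it runs offline, it stands up a constructed fake service on loopback; the banner string and the port range are assumptions made for the example.

```python
"""
Discovery front end of a vulnerability scanner: probe a host for open TCP
ports and grab service banners. Added example, not code from the deck or
from any of the scanners it names.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-in for a daemon on a target server. The banner text is
# hypothetical and does not identify any real product or version.
FAKE_BANNER = b"SSH-2.0-ExampleDaemon_1.0\r\n"


def start_fake_service(banner=FAKE_BANNER):
    """Listen on an ephemeral loopback port and send `banner` to each client.
    Returns (port, stop_event); set the event to shut the service down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    srv.settimeout(0.1)          # so the accept loop can notice `stop`
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:  # client went away first; ignore
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


def probe(host, port, timeout=0.5):
    """TCP connect probe. Returns (port, banner) when the port accepts a
    connection (banner is None if the service stays silent), else None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256).decode("ascii", "replace").strip() or None
            except OSError:      # timed out or reset: open but silent
                banner = None
            return port, banner
    except OSError:              # refused, filtered, or timed out: closed
        return None


def scan(host, ports, workers=32):
    """Probe `ports` concurrently and return {open_port: banner}.
    Run this only against hosts you are authorized to test, from a scanner
    IP that is allow-listed at the firewall and IDS/IPS; otherwise probes
    are dropped and the scan shows up as an attack."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        hits = list(pool.map(lambda p: probe(host, p), ports))
    return {port: banner for port, banner in (h for h in hits if h)}


def demo():
    """Scan a small range around the fake service on loopback.
    Returns (service_port, scan_results)."""
    port, stop = start_fake_service()
    lo, hi = max(1, port - 2), min(65535, port + 2)   # stay in valid range
    try:
        return port, scan("127.0.0.1", range(lo, hi + 1))
    finally:
        stop.set()


if __name__ == "__main__":
    svc_port, results = demo()
    for p, b in sorted(results.items()):
        print(f"{p}/tcp open  banner={b!r}")
```

The banner is what a real scanner feeds into its vulnerability database lookup; a port that is open but silent (banner None) still needs a protocol-specific probe before anything can be matched, which is why scanner output for such ports is usually less precise.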
PLANNING YOUR SCANNING
Planning Your Scanning
• Get Management Support
• Create a Project Plan
• Submit a Change Management Request and obtain approval
• Examples available upon request
• Publish organization-wide announcements before the scans start and after they complete.
• Do the Vulnerability Scan during the approved change window.
• Note: If a server or network device goes down during or shortly after your scanning, YOU WILL BE BLAMED FOR IT, so document EVERYTHING (scope, approvals, scan settings, and exact start and stop times).
VULNERABILITY MANAGEMENT & REPORTING
Vulnerability Management
• Get Management Support
• Create a good Vulnerability Management Policy
• Create a good Vulnerability Management Program
• Create a good Remediation Management Program
Vulnerability Management Process
(Swimlane diagram with IT Operations and IT Security lanes, each step labelled with its ITIL phase.)

Start
1. Scope and identify IT assets and areas to be scanned
2. Scan and monitor for vulnerabilities
3. Assess risk and prioritize vulnerabilities
4. Validate findings
5. Critical vulnerability?
– Yes: Incident Management: create an Emergency Change Request. Change Management: execute the Emergency Change Request and contact the designated team(s) to complete the actual work.
– No: Change Management: raise a Change Request; review the Change Request, and the designated team(s) complete the actual work.
6. Release Management: build, test, and plan the release; hand off to the Patching Team
7. Perform the patching activity: the Patching Team patches using BigFix or, for non-supported platforms, the best available method
8. Change Management: post-implementation review; audit and validate the work associated with the patching
Stop

Diagram: William Slater, Security Liaison / DPE, JLL Consultant, September 11, 2015
Vulnerability Reports
• Detail reports – to operations groups (Network Teams and Server Teams)
• Summary by region, device, and severity – to operations groups (Network Teams and Server Teams)
• Monthly Executive Summaries (to Global CTO, Global CISO, Regional CIOs, CTOs, and CISOs)
• Ad Hoc Reports – for Auditors, Managers, etc.
• Strong Advice: Keep all your Data, Queries, Reports, E-mails, Meeting Requests, Meeting Minutes, etc., and have naming standards so you can easily find things.
Vulnerability Reports
• Summary by region, device, and severity
– To operations groups (Network Teams and Server Teams)
– SQL Statement (from MS Access), query name AM_Servers_with_VULN_Summary_Counts_2016_0520:

SELECT DISTINCT AM_Servers_Combined_2016_0520_VULN.[Vulnerability Severity Level],
       Count(AM_Servers_Combined_2016_0520_VULN.[Vulnerability ID]) AS [CountOfVulnerability ID]
FROM AM_Servers_Combined_2016_0520_VULN
GROUP BY AM_Servers_Combined_2016_0520_VULN.[Vulnerability Severity Level]
ORDER BY AM_Servers_Combined_2016_0520_VULN.[Vulnerability Severity Level] DESC;

(The DISTINCT is redundant: GROUP BY already yields one row per severity level. The ORDER BY sorts by the severity label as text, so the order is alphabetical, not by risk.)
Vulnerability Reports
• Executive Summaries (to CIO, CTO, CISO, etc.)
REMEDIATION MANAGEMENT & REPORTING
Remediation Management & Reporting
• Vulnerabilities are remediated by:
– Patching
– Firmware updates
– Hardening devices
– Software Upgrades
– Recommended Settings on Operating Systems and/or Applications
– Retirement of a vulnerable device
Remediation Management & Reporting
• Remediation reports give summaries and details of which vulnerabilities are getting remediated and how long, on average, it takes from time of notification to remediation.
• Used to track Security Performance against remediation targets:
– Critical = 30 days
– Severe = 60 days
– Moderate = 90 days
• Alternative to remediation: have management review and accept the risk of not remediating. This is usually a formal process and must be requested and granted in writing; give each acceptance an expiry date so the exception is re-reviewed rather than forgotten.
Remediation Management & Reporting
• Detail reports
– To operations groups (Network Teams, and Server Teams)
• Summary by region, device, and severity
– To operations groups (Network Teams and Server Teams)
• Monthly Executive Summaries (to Global CTO, Global CISO, Regional CIOs, CTOs, and CISOs)
• Ad Hoc Reports – for Auditors, Managers, etc.
• Strong Advice: Keep all your Data, Queries, Reports, E-mails, Meeting Requests, Meeting Minutes, etc. And have naming standards so you can easily find stuff.
Remediation Management Guiding Principles – (1 of 5)
• Run Vulnerability Scans AFTER the patch update process, to confirm the patches actually closed the findings
• Highest Risk: systems hosting Confidential Data
• Your Team should use and track metrics (e.g. how many vulnerabilities are getting fixed, and how fast)
• You only need to go to the level of granularity at which you can easily report
• Your Team needs to define what is "acceptable risk"
• Your Team needs to define its timelines for vulnerability scanning and remediation
• Your Team needs documented vulnerability processes that are repeatable across sites and easily implemented in the other Regions
• Create a Vulnerability Program Roadmap with a Remediation Plan that extends into 2017 Q2
• Establish Roles and Responsibilities in the Vulnerability Management Program
Remediation Management Guiding Principles – (2 of 5)
• Create, use and maintain a RACI Chart
• Assign patching and ensure that competent engineers are doing the patching
• Always review the Patching Cycle Results and the VMS Scan Results together
• Find missing configurations and unpatched devices
• Poor governance and oversight constitute high risk
• You want centralized oversight with tight review loops (weekly at first, then semi-monthly)
• Hold the engineers who patch servers accountable
• Use the VMS to track the vulnerabilities against the baseline
• Bottom Line: you have visibility, so SHOW STEADY PROGRESS
• If possible, correlate attack history and patterns with the vulnerabilities found
Remediation Management Guiding Principles – ( 3 of 5)
• Group your VMS Policies by
– Vendor
– Servers
– Routers
– Switches
– ASA (Cisco ASA firewalls)
– IDS/IPS
– Wintel machines
• Add VMS Triage and Priorities because you will not be able to fix everything at once
Remediation Management Guiding Principles – ( 4 of 5)
• Your goals
– To manage risk
– To improve your Information Security Management posture
• Nothing is EASY, especially when everything is MANUAL
• Learn how to leverage the tools for reporting and to automate more of the Vulnerability Management processes
• Learn how to develop and maintain Vulnerability Management Tool policies
• You will have problems with bandwidth, meaning the capacity to manage all the efforts that lead to vulnerability remediation. It requires thoughtful planning and strategic use of resources, because both the Enterprise and the quantity of things to get done are huge
Remediation Management Guiding Principles – ( 5 of 5)
• Go for the "Low Hanging Fruit" and get as much done as possible from single consoles, e.g. using Group Policy Objects to remediate known critical vulnerabilities across many Windows hosts at once
• Create a Project for the Vulnerability Remediations, and get a tough Sponsor: someone with the authority and influence to get results.
• Have a well-designed Tactical Plan to go fix the vulnerabilities; make it easy to consume
• Make sure the Vulnerability Management Program reflects a well-designed Strategy; make it easy to consume
RACI Chart
VULNERABILITY AGING REPORTING
Vulnerability Aging Reporting
• Vulnerability Aging Reporting tracks an organization's security performance and shows how long, on average, Teams are taking to remediate their vulnerabilities, by Region, Device Type, and Severity
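As an added example (not the author's Access queries or report screenshots), the Python below computes the count-by-severity summary that the MS Access query on the reporting slide produces, together with the aging report described here: for each (region, device type, severity) group it counts open, overdue, risk-accepted and remediated findings and averages their ages against the 30/60/90-day targets from the remediation slide. The rows, vulnerability IDs, regions and the risk-acceptance register are constructed for the example. One rule goes beyond the deck: a written risk acceptance carries an expiry date, after which the finding counts as open (and overdue) again.

```python
"""
Vulnerability aging / SLA reporting over scanner export rows.
Added example, not from the original deck; rows and IDs are constructed.
"""
from collections import defaultdict
from datetime import date
from statistics import mean

# Remediation targets stated in the deck (days from notification to fix).
SLA_DAYS = {"Critical": 30, "Severe": 60, "Moderate": 90}
SEVERITY_ORDER = ["Critical", "Severe", "Moderate"]
AS_OF = date(2016, 6, 1)          # reporting date used by the demo below

# Constructed sample rows shaped like a scanner export joined with the
# remediation tracker. Vulnerability IDs are placeholders, not real findings.
FINDINGS = [
    dict(region="AMER", device="server", severity="Critical", vuln_id="V-001",
         first_seen=date(2016, 5, 1), fixed=date(2016, 5, 20)),
    dict(region="AMER", device="server", severity="Critical", vuln_id="V-002",
         first_seen=date(2016, 4, 15), fixed=None),
    dict(region="AMER", device="server", severity="Moderate", vuln_id="V-003",
         first_seen=date(2016, 4, 15), fixed=None),
    dict(region="EMEA", device="router", severity="Severe", vuln_id="V-004",
         first_seen=date(2016, 2, 1), fixed=None),
    dict(region="EMEA", device="router", severity="Severe", vuln_id="V-005",
         first_seen=date(2016, 3, 15), fixed=None),
    dict(region="APAC", device="switch", severity="Critical", vuln_id="V-006",
         first_seen=date(2016, 5, 25), fixed=date(2016, 5, 30)),
]

# Risk acceptances granted in writing: (vuln_id, device) -> expiry date.
# Constructed register; the expiry rule is this example's addition.
RISK_ACCEPTED = {("V-004", "router"): date(2016, 12, 31)}


def age_days(f, as_of):
    """Days from first detection to remediation, or to `as_of` if still open."""
    return ((f["fixed"] or as_of) - f["first_seen"]).days


def status(f, as_of):
    """One of: remediated | risk-accepted | overdue | open."""
    if f["fixed"]:
        return "remediated"
    expiry = RISK_ACCEPTED.get((f["vuln_id"], f["device"]))
    if expiry and expiry >= as_of:
        return "risk-accepted"
    return "overdue" if age_days(f, as_of) > SLA_DAYS[f["severity"]] else "open"


def severity_counts(findings, as_of):
    """Unremediated findings per severity, most severe first: what the
    Access query on the 'Summary by severity' slide reports for one scan."""
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    for f in findings:
        if status(f, as_of) != "remediated":
            counts[f["severity"]] += 1
    return counts


def aging_report(findings, as_of):
    """Per (region, device, severity): counts by status plus average ages."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["region"], f["device"], f["severity"])].append(f)
    report = {}
    for key, rows in groups.items():
        by_status = defaultdict(int)
        for f in rows:
            by_status[status(f, as_of)] += 1
        fixed_ages = [age_days(f, as_of) for f in rows if f["fixed"]]
        open_ages = [age_days(f, as_of) for f in rows if not f["fixed"]]
        report[key] = {
            **{s: by_status[s] for s in ("open", "overdue", "risk-accepted", "remediated")},
            "sla_days": SLA_DAYS[key[2]],
            "avg_days_to_remediate": mean(fixed_ages) if fixed_ages else None,
            "avg_open_age": mean(open_ages) if open_ages else None,
        }
    return report


if __name__ == "__main__":
    print(severity_counts(FINDINGS, AS_OF))
    for key, row in sorted(aging_report(FINDINGS, AS_OF).items()):
        print(key, row)
```

The clock starts at first detection, which is the conservative choice; if your policy starts it at notification to the owning team, store that date on the row instead. Risk-accepted findings are kept in the open-age average on purpose: they are still on the network, and an executive summary that hides them understates exposure.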
PERSONAL INSIGHTS FROM EXPERIENCE
Personal Insights from Experience
• A Vulnerability Management Program requires a strong project sponsor and continuous strong management support
• Be extremely organized, and set your own artifact naming standards.
• Be disciplined, reliable, accurate, and always conduct yourself with integrity.
• Stay cool, calm, and collected.
• Save everything.
Personal Insights from Experience
• If you want to quickly get up to speed on port scanning, read this paper: Angry IP – An IP Scanner Tool - A Product Analysis and User Tutorial (well documented and fun!)
• Use tools like Angry IP Scanner and Nexpose to attack your own home network, where you have the authority to scan; never scan networks you do not own or have written permission to test.
Source: http://www.billslater.com/writing/Angry_IP__Scanner_W_F_Slater_2007_0716_.pdf
Personal Insights from Experience
• Angry IP – An IP Scanner Tool - A Product Analysis and User Tutorial
Summary
• Vulnerability Management is an essential part of information security.
• It is as much of a political task as it is a technical task.
• Keep up with your tasks, your schedule, and reporting.
• The ideas in this presentation will help you get on the right track and stay there.
• You will never have a dull day.
Conclusions
• Use ideas from this presentation to create or improve your own Vulnerability Management Program
• If you aren’t identifying Vulnerabilities and methodically remediating them, you are leaving your organization exposed to many potential cybersecurity threats.
• Using a mature, organized approach, you can successfully improve your organization’s security posture with a well-organized, well-executed Vulnerability Management Program and Remediation Management Program.
• Build strong Teams that will support your efforts in Vulnerability Management and Remediation Management.
• Keep everything because Management AND Auditors will definitely ask for your artifacts and data and documentation, and when you least expect it.
Questions?
REFERENCES
References• AngryIP.org. (2016). Home of Angry IP Scanner. Retrieved from http://angryip.org/ on August 2017.
• Core Security. (2014). The Threat & Vulnerability Management Maturity Model. Retrieved from
https://blog.coresecurity.com/2014/10/21/the-threat-and-vulnerability-management-maturity-model/ on
September 15, 2015.
• Forrester Group. (2010). The Forrester Wave™: Vulnerability Management, Q2 2010. retrieved from
https://www.qualys.com/docs/wave_vulnerability_management_q2_2010.pdf on September 15, 2015.
• Foreman, P. (2009). Vulnerability Management. Auerbach Publications, Boca Raton, FL.
• Gartner Group. (2014). Vulnerability Assessment Technology and Vulnerability Management Practices.
Retrieved from https://www.gartner.com/doc/2664022/vulnerability-assessment-technology-vulnerability-
management on September 15, 2015.
• Mitre. (2016). Common Vulnerabilities and Exposures. Retrieved from https://cve.mitre.org/ on August
16, 2016.
• NIST. (2013). NIST SP 800-40r3 - Guide to Enterprise Patch Management Technologies. Retrieved from
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r3.pdf on September 13, 2015.
Vulnerability Management - William Favre Slater, III 69August 17, 2016
![Page 70: Vulnerability Management - BILLSLATER.COM](https://reader031.vdocuments.mx/reader031/viewer/2022012213/61df58990cbb2f7db6579ed4/html5/thumbnails/70.jpg)
References• Old Dominion University. (2011). Vulnerability Scanning and Management Procedure. Retrieved from
http://www.odu.edu/content/dam/odu/offices/occs/docs/procedures/vulnerability-scanning-management-
procedure.pdf on September 15, 2015.
• OWASP. (2016). OWASP Appendix_A: Testing Tools Retrieved from
https://www.owasp.org/index.php/Appendix_A:_Testing_Tools August 16, 2016.
• Pondurance. (2011). SVM Part 1 – What is Security Vulnerability Management? Retrieved from
https://www.pondurance.com/what-is-svm/ on August 16, 2016.
• Qualsys. (2013). Best Practices For Selecting A Vulnerability Management (VM) Solution.
https://www.qualys.com/forms/whitepapers/best-practices-selecting-vulnerability-management-solution/
on September 13, 2015.
• SANS. (2013). Implementing a Vulnerability Management Process. Retrieved from
https://www.sans.org/reading-room/whitepapers/threats/implementing-vulnerability-management-
process-34180 on August 16, 2016.
• SANS. (2003). Vulnerability Management: Tools, Challenges and Best Bractices. Retrieved from
https://www.sans.org/reading-room/whitepapers/threats/vulnerability-management-tools-challenges-
practices-1267 on August 16, 2016.
Vulnerability Management - William Favre Slater, III 70August 17, 2016
![Page 71: Vulnerability Management - BILLSLATER.COM](https://reader031.vdocuments.mx/reader031/viewer/2022012213/61df58990cbb2f7db6579ed4/html5/thumbnails/71.jpg)
References
• Skoudis, E. and Liston, T. (2006). Counter Hack Reloaded, second edition. Prentice Hall. Upper
Saddle River, NJ.
• Skybox. (2014). Next Generation Vulnerability Management. Retrieved from
https://www.skyboxsecurity.com/sites/default/files/Whitepaper_Next-Gen_Vulnerability_Management.pdf
on August 16, 2016.
• Skybox. (2015). The State of Vulnerability Management Policy. Retrieved from
http://blog.skyboxsecurity.com/vulnerability-threat-management/the-state-of-vulnerability-management-
policy/ on August 16, 2016.
• Slater, W. F. (2007). Angry IP – An IP Scanner Tool - A Product Analysis and User Tutorial Retrieved
from http://www.billslater.com/writing/Angry_IP__Scanner_W_F_Slater_2007_0716_.pdf on August 17,
2016.
• TechTarget. (2014). Vulnerability Management Programs: A Handbook for Security Pros. Retrieved from
http://searchsecurity.techtarget.com/ehandbook/Vulnerability-management-programs-A-handbook-for-
security-pros on September 13, 2015.
Vulnerability Management - William Favre Slater, III 71August 17, 2016
![Page 72: Vulnerability Management - BILLSLATER.COM](https://reader031.vdocuments.mx/reader031/viewer/2022012213/61df58990cbb2f7db6579ed4/html5/thumbnails/72.jpg)
SUPPLEMENTAL SLIDES
Logical Model for IT Security Management Controls – Level 1
Logical Model for IT Security Management Controls – Level 2
Planning for Information Security Implementation
Figure 2-8 Information security governance responsibilities
Source: Information Security Governance: A Call to Action
Source: Course Technology/Cengage Learning (adapted from Whitman, 2013)
Planning For Information Security Implementation (cont’d.)
• Implementation can begin
– After plan has been translated into IT and information security objectives and tactical and operational plans
• Methods of implementation
– Bottom-up
– Top-down
Source: Course Technology/Cengage Learning (adapted from Whitman, 2013)
Introduction to the Security Systems Development Life Cycle
• An SDLC is a methodology for the design and implementation of an information system
• SDLC-based projects may be initiated by events or planned
• At the end of each phase, a review occurs to determine if the project should be continued, discontinued, outsourced, or postponed
Source: Course Technology/Cengage Learning (adapted from Whitman, 2013)
Introduction to the Security Systems Development Life Cycle (cont’d.)
• SecSDLC methodology is similar to SDLC
– Identification of specific threats and the risks they represent
– Design and implementation of specific controls to counter those threats and manage risks posed to the organization
Source: Course Technology/Cengage Learning (adapted from Whitman, 2013)
Introduction to the Security Systems Development Life Cycle (cont’d.)
Figure 2-10 Phases of the SecSDLC
Source: Course Technology/Cengage Learning (adapted from Whitman, 2013)
Introduction to the Security Systems Development Life Cycle
• Analysis in the SecSDLC
– Analyze relevant legal issues that could affect the design of the security solution
– Risk management begins in this stage
• The process of identifying, assessing, and evaluating the levels of risk facing the organization, specifically the threats to the information stored and processed by the organization
• A threat is an object, person, or other entity that represents a constant danger to an asset
Source: Course Technology/Cengage Learning (adapted from Whitman, 2013)
Introduction to the Security Systems Development Life Cycle (cont’d.)
• An attack
– A deliberate act that exploits a vulnerability to achieve the compromise of a controlled system
– Accomplished by a threat agent that damages or steals an organization’s information or physical assets
• An exploit
– A technique or mechanism used to compromise a system
Source: Course Technology/Cengage Learning (adapted from Whitman, 2013)
Introduction to the Security Systems Development Life Cycle (cont’d.)
• A vulnerability
– An identified weakness of a controlled system in which necessary controls are not present or are no longer effective
Source: Course Technology/Cengage Learning (adapted from Whitman, 2013)
Introduction to the Security Systems Development Life Cycle (cont’d.)
Table 2-1 Threats to Information Security
Source: Course Technology/Cengage Learning (adapted from Whitman, 2013)
Introduction to the Security Systems Development Life Cycle (cont’d.)
• Some common attacks
– Malicious code
– Hoaxes
– Back doors
– Password crack
– Brute force
– Dictionary
– Denial-of-service (DoS) and distributed denial-of-service (DDoS)
Source: Course Technology/Cengage Learning (adapted from Whitman, 2013)
Introduction to the Security Systems Development Life Cycle (cont’d.)
• Some common attacks (cont’d.)
– Spoofing
– Man-in-the-middle
– Spam
– Mail bombing
– Sniffer
– Social engineering
– Buffer overflow
– Timing
Source: Course Technology/Cengage Learning (adapted from Whitman, 2013)
Introduction to the Security Systems Development Life Cycle (cont’d.)
• Investigation in the SecSDLC
– Phase begins with directive from management specifying the process, outcomes, and goals of the project and its budget
– Frequently begins with the affirmation or creation of security policies
– Teams assembled to analyze problems, define scope, specify goals and identify constraints
Source: Course Technology/Cengage Learning (adapted from Whitman, 2013)
Introduction to the Security Systems Development Life Cycle (cont’d.)
• Investigation in the SecSDLC (cont’d.)
– Feasibility analysis
• Determines whether the organization has the resources and commitment to conduct a successful security analysis and design
• Analysis in the SecSDLC
– Prepare analysis of existing security policies and programs, along with known threats and current controls
Source: Course Technology/Cengage Learning (adapted from Whitman, 2013)
Introduction to the Security Systems Development Life Cycle (cont’d.)
• Prioritize the risk posed by each category of threat
• Identify and assess the value of your information assets
– Assign a comparative risk rating or score to each specific information asset
Source: Course Technology/Cengage Learning (adapted from Whitman, 2013)
U.S. Department of Veterans Affairs Computer Network Defense Workflows
Computer Network Defense (CND)
Four Pillars
– Forensics
– Threat Analysis
– Vulnerability Assessment
– Network Defense Operations (NDO)
– NSSS Team
– Enterprise Technical Security Officers
Challenges
• The new Customer Support Center – Network Security Support Services (Tier 3) Cooperative Workflow must be approved.
HIPS/NIPS Monitoring Process - for the VA Computer Network Defense - Network Security Operations Center - Network Security Support Services Team
[Figure: swim-lane workflow diagram of the HIPS/NIPS Monitoring Process. Lanes: CSC (Tier 1/Tier 2); NDO (Tier 3 – NSSS); TMS; ISO. Steps: Start; Analyze Data Criteria; Query HIPS/NIPS, Export to Excel; Add 2 Columns: 1. Ticket #, 2. Status; Update Excel.v2, De-Dup against Remedy Tickets; Analyze Excel.v2; Update Excel.v3 with 2 sheets: 1. Create Ticket(s), 2. False Positives; Create Remedy Ticket(s); Update False Positive Repository; Remediation Procedure; Manage Ticket(s); Additional Remediation / Request Close; Prepare Ticket for Close; QA Tickets: Verify the Remediation (outcomes Fail 1, Fail 2, Success); Fix Ticket(s) Information; Escalate Procedure; Comply with Reporting Requirements; Provide Tier 3 Support; Close Ticket(s); Stop.]
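The triage part of that workflow as an added example, not code from the slides or from the VA: it takes a constructed HIPS/NIPS export, adds the Ticket # and Status columns, de-duplicates repeated host/signature pairs and alerts already covered by an open Remedy ticket, consults a false positive repository, and emits the Create Ticket(s) and False Positives sheets. The qa_outcome function encodes an assumed reading of the Fail 1 / Fail 2 / Success branches; all hosts, signatures, ticket ids and function names are constructed.

```python
"""Added example (not from the slides or the VA): a small model of the
HIPS/NIPS triage steps.  Hosts, signatures, ticket ids and function
names are all constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Alert:
    """One exported HIPS/NIPS row (the 'Query HIPS/NIPS, Export to Excel' step)."""
    host: str
    signature: str
    seen_at: str  # constructed ISO-8601 timestamp


@dataclass
class TriageRow:
    """One row of Excel.v2: the exported alert plus the two added columns."""
    host: str
    signature: str
    ticket: str    # 'Ticket #' column: existing Remedy ticket id, or '' if none yet
    status: str    # 'Status' column: NEW, EXISTING or FALSE POSITIVE
    hits: int = 1  # raw alerts collapsed into this row by de-duplication


def triage(alerts: List[Alert],
           open_tickets: Dict[Tuple[str, str], str],
           fp_repository: Dict[str, Set[str]]) -> Dict[str, List[TriageRow]]:
    """De-duplicate the export against open Remedy tickets and the false
    positive repository, then split it into the Excel.v3 sheets.

    open_tickets maps (host, signature) -> Remedy ticket id.
    fp_repository maps host -> signatures known to be false positives on that
    host; the key '*' holds signatures treated as false positives everywhere.
    """
    rows: Dict[Tuple[str, str], TriageRow] = {}
    for a in alerts:
        key = (a.host, a.signature)
        if key in rows:                      # same host + signature already in the sheet
            rows[key].hits += 1
            continue
        fp_sigs = fp_repository.get(a.host, set()) | fp_repository.get("*", set())
        if a.signature in fp_sigs:
            row = TriageRow(a.host, a.signature, "", "FALSE POSITIVE")
        elif key in open_tickets:            # De-Dup against Remedy: already ticketed
            row = TriageRow(a.host, a.signature, open_tickets[key], "EXISTING")
        else:
            row = TriageRow(a.host, a.signature, "", "NEW")
        rows[key] = row
    return {
        "create_tickets": [r for r in rows.values() if r.status == "NEW"],
        "false_positives": [r for r in rows.values() if r.status == "FALSE POSITIVE"],
        "already_ticketed": [r for r in rows.values() if r.status == "EXISTING"],
    }


def qa_outcome(remediation_verified: bool, prior_failures: int) -> str:
    """'QA Tickets: Verify the Remediation'.  Assumed reading of the diagram:
    Success closes the ticket, Fail 1 sends it back to fix the ticket
    information, Fail 2 invokes the escalation procedure."""
    if remediation_verified:
        return "CLOSE TICKET"
    return "FIX TICKET INFORMATION" if prior_failures == 0 else "ESCALATE"


# Constructed sample export and reference data.
SAMPLE_ALERTS = [
    Alert("10.0.0.5", "HIPS-Sig-A", "2016-08-01T10:00:00"),
    Alert("10.0.0.5", "HIPS-Sig-A", "2016-08-01T10:05:00"),  # duplicate of the row above
    Alert("10.0.0.7", "NIPS-Sig-B", "2016-08-01T10:07:00"),  # already has a Remedy ticket
    Alert("10.0.0.9", "HIPS-Sig-C", "2016-08-01T10:09:00"),  # known false positive on this host
    Alert("10.0.0.9", "HIPS-Sig-D", "2016-08-01T10:11:00"),
]
SAMPLE_OPEN_TICKETS = {("10.0.0.7", "NIPS-Sig-B"): "INC000042"}
SAMPLE_FP_REPOSITORY = {"10.0.0.9": {"HIPS-Sig-C"}}

if __name__ == "__main__":
    for sheet, rows in triage(SAMPLE_ALERTS, SAMPLE_OPEN_TICKETS, SAMPLE_FP_REPOSITORY).items():
        print(sheet)
        for r in rows:
            print(f"  {r.host:<10} {r.signature:<11} ticket={r.ticket or '-':<10} hits={r.hits}")
```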
Network Security Operations Center (NSOC) Mission Statement
The Critical Infrastructure Protection Service, through the VA Network and Security Operations Center (NSOC), defends, manages, and monitors the network operating status and cyber security posture of the Department by providing the day to day management, operation and configuration of the enterprise network infrastructure, internet gateways, the delivery of enterprise security systems and services, the monitoring and reporting of security incidents, the conduct of threat and vulnerability analysis, the validation of adequate security controls within the enterprise and the full range of functions across the spectrum of activities relating to incident management, incident response and enterprise network management.
Computer Network Defense (CND)
The Four Pillars
– Forensics
– Threat Analysis
– Vulnerability Assessment
– Network Defense Operations (NDO)
VA-NSOC
US-CERT Incident Notification Ticket Processing
CND Network Defense Operations
– Provide reports as requested by TMS
– Open tickets for the field on IP addresses provided by TMS
CND Threat Management
– Review Remedy Ticket
– Assign tasks for reports and remediation as appropriate
– Notify US-CERT of Progress
CSC
– Receive US-CERT Notification
– Open / Update Remedy Ticket
CSC
• Review notification to determine if this is a new notification or an update to an existing notification
– If New: A new ticket will be opened
– If Update: Existing ticket will be updated
• Assign the ticket to Computer Network Defense: Threat Management
• Input the US-CERT Incident Number field on the CSC Incident Management tab
• Ticket Priority set to HIGH
CND Threat Management
• TMS will review ticket
– TMS will request reports as needed from NDO
– TMS will notify US-CERT of VA ticket number
• TMS will analyze the log events and correlate to other sensor logs as necessary
• TMS will keep US-CERT updated on progress
• TMS will send a list of internal IP addresses to NDO for ticket creation and remediation activity
• TMS will maintain parent ticket through remediation of all child tickets managed by NDO
• TMS will close the parent ticket after successful closure of all child tickets by NDO
CND Network Defense Operations
• NDO will run reports as requested to support the TMS analysis
• NDO will open tickets for field operations remediation activities
– Tickets will be linked to the original ticket as child tickets allowing TMS to track progress of activity
• NDO will follow up and track all field tickets through remediation as per normal NDO SOP
• NDO will manage all child tickets to the field and close them as appropriate.
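The parent/child ticket rules from the CSC, TMS and NDO slides above, modelled in Python as an added example that is not code from the slides or from the VA: CSC opens a new ticket or updates the existing one for a known US-CERT incident number, assigns it to Threat Management at priority HIGH; NDO opens one linked child ticket per internal IP; the parent can be closed only once every child is closed. Class names, the INC ticket id format, and the sample incident number and IP addresses are constructed.

```python
"""Added example (not from the slides or the VA): the US-CERT notification
ticket rules as a small model.  Class names, the INC ticket id format and
all sample values are constructed."""
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, List, Optional, Tuple

THREAT_MANAGEMENT = "Computer Network Defense: Threat Management"
NETWORK_DEFENSE_OPS = "Computer Network Defense: Network Defense Operations"


@dataclass
class Ticket:
    ticket_id: str
    us_cert_incident: str   # 'US-CERT Incident Number' field on the CSC Incident Management tab
    assignee: str
    priority: str
    status: str = "OPEN"
    notes: List[str] = field(default_factory=list)
    children: List["Ticket"] = field(default_factory=list)  # NDO field tickets linked to this parent
    parent_id: Optional[str] = None
    internal_ip: Optional[str] = None


class RemedyModel:
    """Just enough of a ticket system to express the CSC, TMS and NDO rules."""

    def __init__(self) -> None:
        self.tickets: Dict[str, Ticket] = {}
        self._by_incident: Dict[str, str] = {}   # US-CERT incident number -> parent ticket id
        self._ids = count(1)

    def _next_id(self) -> str:
        return f"INC{next(self._ids):06d}"       # constructed id format

    def receive_us_cert_notification(self, incident_no: str, text: str) -> Ticket:
        """CSC: a new notification opens a ticket assigned to Threat Management
        at priority HIGH; an update to a known incident updates the existing ticket."""
        existing_id = self._by_incident.get(incident_no)
        if existing_id is not None:
            t = self.tickets[existing_id]
            t.notes.append(text)
            return t
        t = Ticket(self._next_id(), incident_no, THREAT_MANAGEMENT, "HIGH", notes=[text])
        self.tickets[t.ticket_id] = t
        self._by_incident[incident_no] = t.ticket_id
        return t

    def open_child_tickets(self, parent_id: str, internal_ips: List[str]) -> List[Ticket]:
        """NDO: one field ticket per internal IP received from TMS, linked to the parent."""
        parent = self.tickets[parent_id]
        opened = []
        for ip in internal_ips:
            child = Ticket(self._next_id(), parent.us_cert_incident, NETWORK_DEFENSE_OPS,
                           parent.priority, parent_id=parent_id, internal_ip=ip)
            self.tickets[child.ticket_id] = child
            parent.children.append(child)
            opened.append(child)
        return opened

    def close_child_ticket(self, child_id: str) -> None:
        """NDO closes field (child) tickets; parents are closed by TMS only."""
        child = self.tickets[child_id]
        if child.parent_id is None:
            raise ValueError(f"{child_id} is a parent ticket, not a field ticket")
        child.status = "CLOSED"

    def close_parent_ticket(self, parent_id: str) -> Tuple[bool, List[str]]:
        """TMS: the parent closes only after every child is closed; otherwise
        report the child ids that still block closure."""
        parent = self.tickets[parent_id]
        still_open = [c.ticket_id for c in parent.children if c.status != "CLOSED"]
        if still_open:
            return False, still_open
        parent.status = "CLOSED"
        return True, []


def run_sample() -> Tuple[Ticket, List[Ticket], Tuple[bool, List[str]], Tuple[bool, List[str]]]:
    """Walk one constructed notification through the whole flow."""
    remedy = RemedyModel()
    parent = remedy.receive_us_cert_notification("USCERT-EXAMPLE-1", "initial notification")
    remedy.receive_us_cert_notification("USCERT-EXAMPLE-1", "update: two affected hosts")
    kids = remedy.open_child_tickets(parent.ticket_id, ["10.0.0.5", "10.0.0.6"])  # constructed IPs
    early = remedy.close_parent_ticket(parent.ticket_id)   # blocked: NDO still has children open
    for k in kids:
        remedy.close_child_ticket(k.ticket_id)
    final = remedy.close_parent_ticket(parent.ticket_id)   # succeeds once all children are closed
    return parent, kids, early, final


if __name__ == "__main__":
    p, kids, early, final = run_sample()
    print(p.ticket_id, p.priority, p.assignee, f"{len(p.notes)} notes", early, final, p.status)
```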
Computer Network Defense
NDO Flows
[Figure: VA incident handling workflow (swim-lane diagram). Lanes: Computer Services Center (CSC) Help Desk / Service Desk; Network Defense Operations (NDO); CFS; TMS; TSO; ISO; VA AS; Monitoring System.
Phases: Monitoring; Prevention and Preparation; Detection; Analysis, Categorization, Prioritization (Impact to the VA Enterprise); Monitoring and Analysis - Ownership, Tracking, and Monitoring (NDO?); Investigation and Diagnosis; Response; Investigation and Response - Ownership, Tracking, and Monitoring (TSO is Critical/High and NDO is Low and Medium); Resolution and Recovery; Resolution and Closure - Ownership, Tracking, and Monitoring (TSO is Critical/High and NDO is Low and Medium); Closure and Follow-up; Reporting Support.
Incident categories: Category 0: Exercise / Network Defense Testing; Category 1: Unauthorized Access; Category 2: Denial of Service; Category 3: Malicious Code; Category 4: Improper Usage; Category 5: Scans/Probes/Attempted Access; Category 6: Investigation; PII/PHI: Data Breach. Risk determination: Critical / High / Medium / Low (L,M,H,C). Decision points: Reportable Event or Incident? (Yes/No); Incident Type; Issue Resolved? (Yes/No).
Reporting tier (initial report to US-CERT via TMS): Cat 0, 1, 2, 4, 5 and PII/PHI Data Breach within ? Hr(s); Cat 3 and Cat 6 within ? Mn. Response inputs: Incident Category 0-6/PII/PHI; Risk Determination (L,M,H,C); Reporting Requirements and Vehicles.
Steps: Start; Service Request with Employee Approval; Collect and Preserve Data; Remedy Ticket (Reports All); Remedy Ticket Update; Escalate the Incident to TMS As Necessary; Prioritize, Implement and Maintain the Risk Reducing Controls; Validate the Effectiveness of the Controls via a Risk Assessment; Conduct a Post Mortem Analysis and Review Meeting; Prepare Situation Reports for Sr. Management; Review and Revise Security Plans and Procedures; Take a New Inventory of the Organization’s Assets; Participate in Investigation and Prosecution; Develop Metrics Based Reports; Perform Continual Monitoring and Measuring; Support Incident Response; Threat Portfolio; Remedy Ticket Closure; Close the Incident; End.]
Controls
• Control – definition
• Information system controls
• More on Information systems, controls and security
• More examples of controls
Controls
• What is a “control”?
– A control is something that provides some level of protection for an asset in order to prevent negative consequences of a threat.
More on Information Systems and Security
• Passwords – safeguard them
• Use Virtual Private Network (VPN) for secure remote access
• Use Secure software for secure data transfers
• Use encrypted systems to avoid data compromise
• Encrypt portable storage media when possible
• Don’t store protected or restricted data on your local computer disk storage
NEVER STORE PERSONAL OR PROTECTED DATA ON LOCAL MACHINES
Examples of Information Security Controls
Source: http://www.johnsaunders.com/papers/riskcip/RiskConference.htm
OTHER SPEAKER INFORMATION
William F. Slater, III
❖ Current Positions – Project Manager / Sr. IT Consultant, President & CEO of Slater Technologies, Inc., and Adjunct Professor at the Illinois Institute of Technology - Working on projects related to
▪ Lead Information Security Engineer at a Chicago-based FinTech Company
▪ Subject Matter Expert in Risk Management and Security
▪ Security reviews and auditing
▪ ISO 27001 Project Implementations
▪ Global Cybersecurity Manager at a $4.5 Billion company
▪ Software Development and Migration
▪ Created an eBook with articles about Security, Risk Management, Cyberwarfare, Project Management and Data Center Operations
▪ Providing subject matter expert services to Data Center product vendors and other local businesses.
▪ Also Developing and presenting technical training materials for undergraduate and graduate students at the Illinois Institute of Technology in the areas of Data Center Operations, Data Center Architecture, Cyber Security Management, and Information Technology hardware and software.
Contact Information &
Other Information
William Favre Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, IP v6
Project Manager / Program Manager
Career Page: http://billslater.com/career
LinkedIn: https://www.linkedin.com/profile/in/billslater
Twitter: @billslater
SKYPE: billslater (by pre-arrangement reservation)
773 - 235 - 3080 - Home Office
312 - 758 - 0307 - Mobile
312 - 275 - 5757 - FAX
1337 N. Ashland Ave. No. 2
Chicago, IL 60622
United States of America
Then & Now
• A career Information Technology (IT) professional since July 1977, starting as a young computer systems staff officer in the United States Air Force supporting the command control information systems that provided real-time war plan asset information to the Strategic Air Command Battle Staff ( http://billslater.com/myusaf )
• Currently a Sr. IT Consultant / Sr. IT Project Manager / Sr. Program Manager in Cybersecurity, Compliance, Auditing, and Data Centers
• Since October 2012, 18 published articles and one ebook (http://billslater.com/ebook1)
July 1977
January 2013
1977 - First Job Out of College
2LT William F. Slater, III
United States Air Force
Computer Systems Staff Officer
July 1977
Strategic Air Command Headquarters
Offutt Air Force Base, NE
Circa late 1970s – UNCLASSIFIED Configuration
The Microsoft Chicago Data Center – Microsoft’s Flagship Cloud Data Center
Microsoft Chicago Data Center in Northlake, IL. Actual street view photo from Google Maps
Microsoft Chicago Data Center in Northlake, IL. Actual architect’s drawing from 2007 - 2008
William F. Slater, III was the first Data Center Manager of this Facility in 2008
US-294 Northbound. Two miles south of O'Hare International Airport
The Microsoft Chicago Data Center – Microsoft’s Flagship Cloud Data Center
Size: 705,000 square feet
Power: 120 MW (enough to power 87,000 homes)
Critical Load for IT Equipment: 60 MW
No. of Physical Servers: > 330,000 Servers
601 Northwest Hwy, Northlake, IL
CH1
CH2
Microsoft Chicago Data Center Operations Team, Summer 2008
William F. Slater, III was the first Data Center Manager of this Facility in 2008