VULNERABILITY MANAGEMENT
Prepared By: Thavaselvi Munusamy
RISKS RELATED TO BUSINESS PROCESSES
People related risks
• Staff
Technology related risks
• Acquisition, Maintenance,
Operational risk
• Fraud
Protection of Intellectual Property
• Fraud
RISK MANAGEMENT
• Proper and effective management of risk is essential to protecting the assets of the organisation. Risk management is a never-ending process. IT risk and controls should be monitored continuously to ensure that they are adequate and effective.
RISK MANAGEMENT FRAMEWORK
IT - RISK MANAGEMENT PROGRAM
Asset Identification
• Identify resources or assets that are vulnerable to threats.
Threat Assessment
• Determine threats and vulnerabilities associated with the asset.
Impact Evaluation
• Describe what will happen should a vulnerability be exploited.
Risk Calculation
• Form an overall view of risk, based on the probability of occurrence and the magnitude of impact.
Risk Response
• Evaluate existing controls and implement new controls designed to bring residual risk into alignment with enterprise risk appetite.
Objective: A cost-effective balance between significant threats and the application of controls to those threats.
To establish a repeatable IT risk management process, a series of steps must be completed. Those shown here align with COBIT 5, APO12 Manage risk.
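The five steps above worked through in code, as an added example that is not part of the slide deck: each register entry carries the asset, threat, impact description, a likelihood and impact score, and the controls applied to it, and the output is prioritised by residual risk against an appetite threshold. The 1-5 ordinal scales, the control reductions, the RISK_APPETITE value and the sample register are assumptions constructed for the example.

```python
# Added example (not from the slides): a small risk register that walks the
# five steps of the IT risk management program on constructed sample data.
# Likelihood and impact use an assumed 1-5 ordinal scale.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # scale points the control removes from likelihood
    impact_reduction: int = 0      # scale points the control removes from impact


@dataclass
class Risk:
    asset: str           # step 1: asset identification
    threat: str          # step 2: threat / vulnerability associated with the asset
    impact_desc: str     # step 3: what happens should the vulnerability be exploited
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe)
    controls: List[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        # step 4: probability of occurrence x magnitude of impact, before controls
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        # step 5: what remains once existing and proposed controls are applied;
        # a score never drops below 1 on either axis
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp


RISK_APPETITE = 6  # assumption: residual score above this is outside appetite


def risk_response(r: Risk) -> str:
    """Accept a risk inside appetite; otherwise it needs further treatment."""
    return "accept" if r.residual_score() <= RISK_APPETITE else "treat"


def prioritised(register: List[Risk]) -> List[Tuple[str, str, int, int, str]]:
    """Rows of (asset, threat, inherent, residual, response), highest residual first."""
    rows = [(r.asset, r.threat, r.inherent_score(), r.residual_score(), risk_response(r))
            for r in register]
    # ties on residual risk are broken by inherent risk, so weakly-controlled
    # high-inherent items surface first
    return sorted(rows, key=lambda row: (-row[3], -row[2]))


# Constructed sample register (values are illustrative, not from the deck)
SAMPLE_REGISTER = [
    Risk("customer database", "unpatched DBMS", "data breach, regulatory fines", 4, 5,
         [Control("monthly patch cycle", likelihood_reduction=2)]),
    Risk("public web server", "open management port", "server takeover", 3, 4,
         [Control("firewall rule", likelihood_reduction=2),
          Control("MFA on admin accounts", likelihood_reduction=1)]),
    Risk("office wiring closet", "exposed cabling", "accidental outage", 2, 2),
]

if __name__ == "__main__":
    for row in prioritised(SAMPLE_REGISTER):
        print(row)
```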
RISK ASSESSMENT
• A risk assessment assists in identifying risk and threats to an IT environment and IS system, and it helps in the evaluation of controls.
• Risk assessments should identify, quantify and prioritize risk against criteria for risk acceptance and objectives relevant to the organization.
• It supports risk-based audit decision making by considering variables such as:
  • Technical complexity
  • Level of control procedures in place
  • Level of financial loss
VULNERABILITY ASSESSMENTS
Vulnerability assessment is a systematic review of security weaknesses in an information system. It evaluates whether the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation.
Examples of vulnerabilities
• Insecure physical access
• Application vulnerabilities
• Unpatched systems
• Exposed cabling
• Unprotected sensitive data
• Open ports or services
Host Analysis
Review Host Analysis results
Reporting
VULNERABILITY IDENTIFICATION
Network
• Protocols
• Ports
Host
• System Configurations
• Monitoring
• Runtime Services and Components
• Platform Services and Components
Application
• Presentation Logic
• Business Logic
• Data Access Logic
Operating System
• Services
• Accounts
• Registry
• Files and Directories
Weaknesses, gaps, missing or ineffective controls: network vulnerabilities, buildings, staff inexperience, culture, applications, inefficient processes.
SECURING WEB APPLICATIONS: WHAT TO CONSIDER?
Input Validation
• Ensure that the input the Web application receives is valid and safe. Input validation refers to how an application filters, scrubs, or rejects input before additional processing.
Authentication
• Ensure proper authentication mechanisms are in place based on policies. Authentication is the process that an entity uses to identify another entity, typically through credentials such as a username and password.
Authorization
• Ensure proper restriction mechanisms are in place based on policies. These cover what a user can do and proper segmentation. Authorization is the process that an application uses to control access to resources and operations.
Configuration Management
• Look into the following areas:
  • Who does the Web application run as?
  • Which databases does it connect to?
  • How is the Web application administered?
  • How are these settings secured?
• Configuration management refers to how an application handles these operational issues.
Sensitive Data
• Sensitive data is information that must be protected either in memory, over the wire, or in persistent stores. Validate whether the developed application has a process for handling sensitive data.
Session Management
• A session refers to a series of related interactions between a user and the developed application. Session management refers to how the Web application handles and protects these interactions.
• Validate the session management mechanisms in place for the developed application.
Cryptography
• Cover the security aspects of how the Web application is:
  • Protecting secret information (confidentiality)
  • Tamper-proofing the data or libraries (integrity)
  • Providing cryptographic keys
Parameter Manipulation
• Validate the form fields, query string arguments, and cookie values that are frequently used as parameters for an application. Parameter manipulation refers to both how the Web application safeguards these values against tampering and how it processes input parameters.
Exception Management
• Verify exception management. What does the Web application do:
  • How much does it reveal about the failure condition?
  • Does it return friendly error information to end users?
  • Does it pass valuable exception information back to the caller?
  • Does the Web application fail gracefully?
Auditing and Logging
• Ensure that auditing and logging are built into the system. Who did what and when? Auditing and logging refer to how the Web application records security-related events.
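An added example, not from the deck, of four of the checklist items above applied in a single request handler: input validation on a quantity parameter, parameter manipulation defended by signing a server-issued cookie value, exception management that keeps failure detail out of the user-facing response, and an audit log recording who did what. The handler shape, COOKIE_KEY, the pricing table and the sample requests are assumptions constructed here.

```python
# Added example (not from the slides): one checkout handler showing input
# validation, tamper-evident parameters, exception management and audit logging.
import hashlib
import hmac
import logging
import re
from dataclasses import dataclass
from typing import Optional

COOKIE_KEY = b"example-only-key"   # assumption: a real deployment loads this from secure config
AUDIT = logging.getLogger("audit")  # assumption: the audit sink is configured elsewhere


# Parameter manipulation: a value the server hands to the client (the discount
# tier) is signed with an HMAC, so a modified cookie is rejected rather than trusted.
def sign_value(value: str) -> str:
    mac = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_value(signed: str) -> Optional[str]:
    value, _, mac = signed.rpartition(".")
    expected = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison; an absent or altered tag yields None
    return value if mac and hmac.compare_digest(mac, expected) else None


# Input validation: accept only what the business logic can actually process.
QTY_RE = re.compile(r"[1-9][0-9]{0,2}")  # 1..999, no sign, no whitespace, no decimals


def validate_quantity(raw: str) -> int:
    if not QTY_RE.fullmatch(raw):
        raise ValueError("quantity must be a whole number between 1 and 999")
    return int(raw)


@dataclass
class Response:
    status: int
    body: str


class PricingError(Exception):
    """Internal failure whose details must not reach the end user."""


def compute_total(qty: int, tier: str) -> int:
    prices = {"standard": 100, "gold": 80}  # constructed pricing table
    if tier not in prices:
        raise PricingError(f"unknown tier {tier!r} in pricing table")  # internal detail
    return qty * prices[tier]


def handle_checkout(user: str, params: dict, cookies: dict) -> Response:
    """Validate input, check the signed tier cookie, price the order, log the outcome."""
    try:
        qty = validate_quantity(params.get("qty", ""))
    except ValueError as err:
        return Response(400, str(err))  # friendly message, reveals nothing internal
    tier = verify_value(cookies.get("tier", ""))
    if tier is None:
        AUDIT.warning("tier cookie rejected user=%s", user)  # who did what, and when
        return Response(403, "session data invalid, please sign in again")
    try:
        total = compute_total(qty, tier)
    except PricingError:
        AUDIT.exception("checkout failed user=%s qty=%s", user, qty)  # full detail to the log
        return Response(500, "checkout could not be completed")       # fail gracefully
    AUDIT.info("checkout ok user=%s qty=%s tier=%s total=%s", user, qty, tier, total)
    return Response(200, f"total={total}")
```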
VULNERABILITY MANAGEMENT SOLUTIONS
• Qualys
• Rapid7
• Tenable
• F-Secure
• Syxsense
• Tripwire
• GFI
• BreachLock
• Greenbone
• Saltstack
• Positive Technologies
• Beyond Security
• Balbix
• Intruder
• Digital Defense
• Outpost24
PENETRATION TESTING
Seek out potential points of failure
• Compare against known problems
• Try to ‘break in’
• Simulate the approach of an attacker
• Test effectiveness of controls and response procedures
PENETRATION TESTS
Results of Penetration Tests
Report provided to management:
• Identify test procedures
• Identify any areas of concern
• Provide recommendations for improvement
• Prioritize risk according to severity
PENETRATION TESTS
Try to exploit a perceived vulnerability, often based on the results of a vulnerability assessment.
Tests may include:
• Applications
• Networks
• Physical
• People
• Incident management processes
OCTAVE
Operationally Critical Threat and Vulnerability Evaluation
Explores the risk relationship between IT and operational processes.
Evaluates:
• Organisation
• Technology
• Strategy and plan development
A threat is the potential for a negative security event to occur. A threat agent is the entity (i.e., natural event, accidental, or human) that can cause the threat to occur. A threat action is the realization of the threat. Vulnerabilities are weaknesses that enable the threat agent to actualize the threat.
Attacks on critical infrastructure systems continue to evolve and multiply:
• Increased number of data integrity attacks
• Multiple Advanced Persistent Threat (APT) actors on the system
• Compromised infrastructure
• Increased use of social engineering
• Growing attack surface with the Internet of Things (IoT)
• “Zero day” vulnerabilities.
• Sophistication of attack tools, requiring little knowledge or skill on the part of the attacker.
• System complexity.
• Smaller devices associated with growth of the “Internet of Things.”
• Lack of vulnerability/patch management processes.
Devices do something they are not supposed to do
• Example: fridges / webcams used as part of a DDoS attack (cf. Mirai botnet)
Devices do exactly what they are intended to do, but in a devious way
• Example: nuclear power plant enrichment centrifuges rapidly speeding up and then suddenly slowing down, potentially damaging them (Stuxnet)
Exposure is the degree to which an organization is exposed to the threat, taking into consideration the likelihood and impact of the threat being realized.
• Understanding who the threat actors (or attackers) are and the methods of attack is critical to effective cyber defense. A threat actor is an individual or group that acts, or has the power to act, to exploit a vulnerability or conduct other damaging activities. Their behaviour is categorized, using a military term, as Tactics, Techniques, and Procedures (TTPs).
• Tactics refer to the art or skill in achieving a goal. Techniques are the methods that are employed, which are often unique to the attacker (e.g., specific “signatures” that might identify the writer of malware). The procedures are the actions that are taken during an attack (port scans, for instance).
• Threat actors may be internal, external, or partners with their target. Each of these actors has different motivations and potential targets.
• Attack vectors are the methods, or paths, that the attacker (threat actor) will use to attack. An attack vector is the path they will use to take advantage of a vulnerability.
• E.g., attackers will often use social engineering techniques, such as phishing, to attack a network.
Nation State Actors
Nation state actors are cyber soldiers and agents with large budgets and sophisticated tools. They can perform intelligence gathering on military objectives, or they may monitor (and if necessary) attack or interfere with an adversary country’s network. Sometimes they will place a trusted insider into an organization to steal classified, sensitive or proprietary information.
ATTACKERS MAY UTILIZE EACH OTHER'S RESOURCES
Hackers
• Unauthorized users who break into computer systems in order to steal, change or destroy information
Insider Threat
• People within the organization who have inside information and disrupt the organization's security, accidentally or out of revenge
Hostile Countries
• Attack enemy countries' computers
Terrorist
• Attacks systems for a cause or ideology
What The Attacks Have in Common
• Most are facilitated through phishing and malware in emailed attachments.
• Some are facilitated through breaches of security policy; users loaded untrusted devices (USB thumb drives) or surfed unsafe websites.
• People are the “weak link”!
ENSURE THAT CRITICAL INFRASTRUCTURES ARE PROTECTED TO A LEVEL COMMENSURATE WITH THE RISKS FACED
ADDRESS THE RISKS TO THE CRITICAL NATIONAL INFORMATION INFRASTRUCTURES
• Countermeasures to evict and recover
• Detection in real time
• Detection mechanism for embedded adversaries
• Detection mechanism for known threats
• Known threat actors
• Triage detected unauthorized activities
• Detection mechanism for unauthorized activity
• Establish visibility across assets
• Know all your assets
STAYING AHEAD OF THE ATTACKS
Elevate cybersecurity on the regional policy agenda
• Steer the implementation of the National Cybersecurity Framework
• Elevate cybersecurity to the top of the agenda in economic dialogue
Fortify the ecosystem
• Implement an active defense mindset in the corporate sector
• Instill a culture around sharing threat intelligence
• Extend cyber resilience across the supply chain
Build the next wave of cybersecurity capability
• Develop the next generation of security professionals
• Strengthen the local cybersecurity industry through deeper cooperation and collaboration with global players
• Drive R&D around emerging threat vectors (AI, etc.)
Secure sustained regional commitment for cybersecurity
• Pursue a commitment to address the regional cybersecurity spending gap
• Define and track impact-oriented cybersecurity metrics through a cyber-hygiene dashboard

Editor's Notes

  1. All these aspects are crucial for cyber security
  2. All these aspects are crucial for cyber security
  3. APO – Align , Plan & Organize Align, Plan, and Organize (APO) APO 1 — Define the management framework for IT. APO 2 — Manage strategy. APO 3 — Manage enterprise architecture. APO 4 — Manage innovation. APO 5 — Manage portfolio. APO 6 — Manage budget and cost. APO 7 — Manage human resources APO 8 — Manage relationships. APO 9 — Manage service agreements. APO 10 — Manage suppliers. APO 11 — Manage quality. APO 12 — Manage risk. APO 13 — Manage security. Five Processes Evaluate, Direct and Monitor (EDM); Align, Plan and Organize (APO); Build, Acquire and Implement (BAI); Deliver, Service and Support (DSS); and Monitor, Evaluate and Assess (MEA). ISACA's IT Assurance Framework (ITAF) and the Business Model for Information Security (BMIS)
  4. All these aspects are crucial for cyber security
  5. All these aspects are crucial for cyber security
  6. All these aspects are crucial for cyber security
  7. All these aspects are crucial for cyber security
  8. All these aspects are crucial for cyber security
  9. All these aspects are crucial for cyber security
  10. and causes widespread panic and uncertainty. – driven by political motives -
  11. and causes widespread panic and uncertainty. – driven by political motives -
  12. and causes widespread panic and uncertainty. – driven by political motives -
  13. and causes widespread panic and uncertainty. – driven by political motives -
  14. and causes widespread panic and uncertainty. – driven by political motives -
  15. and causes widespread panic and uncertainty. – driven by political motives -
  16. and causes widespread panic and uncertainty. – driven by political motives -
  17. Political – state sponsored Hacktivist – Proof a point Cybercriminals are constantly finding new ways to exploit vulnerabilities in systems and networks. Most of these cyber attacks and threats have the intention of stealing sensitive information and/or money. With organizations facing an ever-growing number of cyber threats, it is critical that they have robust security solutions in place to counter these threats.