Vulnerability Management

Academic year: 2021


(1)

Dipl.-Ing. Lukas Memelauer, BSc

[email protected]

Vulnerability Management

The early bird catches the worm

(2)

® calpana business consulting gmbh einfach | präzise | wertorientiert | nachvollziehbar 2

Agenda

• Definitions

• Vulnerability Management Process

• What/how to prepare for a pen test?

• CRISAM® Process Model

• CRISAM® Vulnerability Knowledge Pack

• Live-Demo (Tool, Reporting)

(3)

Definitions

Vulnerability Management / Vulnerability Scanning

“Vulnerability scanning consists of using a computer program to identify vulnerabilities in networks, computer infrastructure or applications. Vulnerability management is the process surrounding vulnerability scanning, in which vulnerabilities in IT are identified and the risks of these vulnerabilities are evaluated. This evaluation leads to correcting the vulnerabilities and removing the risk or a formal risk acceptance by the management of an organization (e.g. in case the impact of an attack would be low or the cost of correction does not outweigh possible damages to the organization).”

source: SANS

(4)

• Increasing growth of cyber-crime and associated risks

• Important to obtain a continuous overview of vulnerabilities and the associated risks

• Prevent attackers from boarding networks and stealing information

• Regular vulnerability scanning ensures faster detection and remediation of new vulnerabilities

• 5 Steps

– Preparation

– Vulnerability scan

– Define remediating actions

– Implement remediating actions

– Rescan
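The cycle behind the SANS definition and the five steps above, written out as code so the two decision points are explicit: after the scan, each finding is either corrected or formally accepted by a named manager (low impact or correction costlier than the damage), and the rescan is compared against the baseline to verify what was actually fixed. This is an added example, not CRISAM or calpana code; hosts, check names, the 1..5 impact scale and the cost figures are constructed.

```python
# Added example (not CRISAM/calpana code): the cycle from the slides as code,
# scan -> evaluate risk -> remediate or formally accept -> rescan. Data is constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Finding:
    host: str   # identity is (host, check) so baseline and rescan can be compared
    check: str  # constructed check name, not a real scanner plugin id

@dataclass
class Decision:
    finding: Finding
    action: str                     # "remediate" or "accept"
    approver: Optional[str] = None  # formal acceptance needs a named manager

def evaluate(finding: Finding, impact: int, fix_cost: int,
             expected_damage: int, approver: Optional[str] = None) -> Decision:
    """Risk evaluation (SANS definition): correct the vulnerability unless
    management formally accepts the risk, which is allowed only when the impact
    is low (<= 2 on a constructed 1..5 scale) or the cost of correction exceeds
    the expected damage. Without a recorded approver the finding stays open."""
    acceptable = impact <= 2 or fix_cost > expected_damage
    if acceptable and approver:
        return Decision(finding, "accept", approver)
    return Decision(finding, "remediate")

def rescan_delta(baseline: set, rescan: set) -> dict:
    """Step 5 (rescan): verify which findings were actually remediated."""
    return {
        "fixed": baseline - rescan,       # absent after remediation
        "persisting": baseline & rescan,  # fix failed, pending, or risk accepted
        "new": rescan - baseline,         # appeared since the baseline scan
    }

# Constructed sample data: baseline scan and the rescan after remediation.
BASELINE = {Finding("mail01", "tls-weak-cipher"), Finding("mail01", "outdated-webmail"),
            Finding("fw01", "snmp-default-community")}
RESCAN = {Finding("mail01", "tls-weak-cipher"), Finding("mail02", "outdated-webmail")}

def run_cycle():
    """Steps 3 and 5: decide remediating actions, then verify them with the rescan."""
    decisions = [
        evaluate(Finding("mail01", "outdated-webmail"), 5, 2, 50),
        evaluate(Finding("mail01", "tls-weak-cipher"), 2, 8, 3, approver="CISO"),
        # approver named, but the risk does not qualify for acceptance -> remediate
        evaluate(Finding("fw01", "snmp-default-community"), 4, 1, 40, approver="CISO"),
    ]
    return decisions, rescan_delta(BASELINE, RESCAN)
```

The "persisting" set is where accepted risks are expected to reappear; anything in it without a recorded acceptance is a failed or missing remediation.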

(5)

• Define objective / goals

• Limit scope

• Conclude form of outcome

• Determine type of pen test

• Identify machines, systems, networks, operational requirements, involved staff

• Coordinate timing and duration of pen test

• Define emergency procedure

• Decide third party handling procedure

• Legally approve pen testers

(6)

Institute for Security and Open Methodologies (ISECOM)

Common practice to prepare and perform a pen-test

– “A methodology to test the operational security of physical locations, human interactions, and all forms of communications such as wireless, wired, analog, and digital.”

Provide a scientific methodology for the accurate characterization of operational security

(7)

“By failing to prepare, you are preparing to fail.”

Benjamin Franklin

(8)

CRISAM® Process Model

An ISO 31000-compliant approach and process model for handling the IT-GRC process

[Process diagram: phases CONTEXT ESTABLISHMENT, SCOPE ANALYSIS, RISK ASSESSMENT, COST-BENEFIT ANALYSIS, RISK CONTROL MEASURE PLANNING, IMPLEMENTATION. Labelled inputs and outputs: Corporate Strategy, General Conditions; Risk Management Policy; Risk Strategy and Risk-Target; Risk Models, Risk Inventory, Risk Limits; Risk Coverage Requirements; Business Impact in the observed Scope; Risk Value, Risk Measures; Actual Risk Value, Actual Risk Coverage Value; Target-deviation; Cost of Risk; Action plan, measures prioritization; Budget, resources, schedules; Implementation projects, Project plans, test steps for action tracking]

(9)

The role of IT in the company's business

IT risks impact the company's business processes. Major losses occur at the business level rather than in IT departments.

[Diagram: business environment (Capital-Costs, Market, Supplier, Raw material and Energy, Law, Information-technology, Market of Human Resources) surrounding The Company with its Business Risks and Enterprise Business-Processes; Information-technology has impact on the business functions Sales, Human Resources, Finance and Controlling, Corporate Services, Manufacturing]

(10)

CRISAM® Knowledge Packs

• Bundled specialist knowledge

• Structure:

– components

– control objectives

– weightings

– evaluation guides

– mappings to criteria

– mappings to sources

[Diagram: knowledge pack dimensions integrity, availability, confidentiality; company process model]

(11)

CRISAM® Vulnerability Knowledge Pack

Content / Sources

Addition to OSSTMM v3

– Organizational aspects

– Secure Software Development (e.g. Client-Server Apps)

– Webserver security

Organizational aspects

Based on BSI study

Secure Software Development

Reporting based on the OWASP Secure Coding Practices Quick Reference Guide

Webserver security

(12)

CRISAM® Vulnerability Knowledge Pack

Structure

Additional components

– Organizational aspects

– Secure Software Development

Modular design for further components

Additional control objectives

Reports

– Compliance report based on OSSTMM v3, OWASP and BSI studies

(13)

Live Demo - Example Scenario A

• The department “Finance and Controlling” delegates a penetration test to a third-party supplier

• Scope is the Email application and the server(s) hosting the application

• Also in the scope is the corporate network

• To improve the test results the company uses CRISAM® to prepare for the test

• The following components are added:

– Pen-Test Documents (Pen-Test Organizational)

– Pen-Test Exchange (Pen-Test Application)

– Pen-Test Node101, Pen-Test Node102 (Pen-Test Server)

– Pen-Test Network (Pen-Test Network)

(14)

Live Demo - Example Scenario B

• The department “Research and Development” is developing a tool for internal use and is advised by management to consider security aspects

• The department uses CRISAM® for secure software development

• The following aspects are relevant: input validation, output encoding, access control, memory management

• The following components are added:

– Secure Tool (Individual Development)

– Input Validation (SSD Input Validation)

– Output Encoding (SSD Output Encoding)

– Access Control (SSD Access Control)

– Memory Management (SSD Memory Management)

(15)

Live Demo - Results / Report

• To show where improvements should be made, a “Phase 4: Compliance Analysis” report for Vulnerability Management can be created.

• All relevant components are categorized by “Penetration Test” and “Secure Software Development”, which makes it easy to show possible improvements

(16)

Key Findings

1. Components for deeper technical analysis

2. Reporting options based on OSSTMM v3, OWASP and BSI studies for optimizing pen-test results

3. CRISAM® for pen test preparation - spare yourself a rude awakening!

calpana business consulting gmbh A-4020 Linz, Blumauerstraße 43 Tel: +43 (732) 601216-0

www.calpana.com, www.crisam.net

Copyright © 2013
