Quick Wins in Vulnerability Management


Upload: mahina

Post on 18-Jan-2016


HO20110473 © 2012 Fluor. All rights reserved.

Quick Wins in Vulnerability Management

Classification: Confidential

Owner: Michael Holcomb

Approver: Phil Cirulli

Prepared: April 14th, 2014


Agenda

The Need for Vulnerability Management

Clarifications on Vulnerability Management

SANS’ Top 20 Critical Controls

Master the Basics

Perform a Self Audit

Continuous Scanning & Remediation

Leverage Vulnerability Data in Incident Response

Metrics That Count

Secure Your ISP


About Michael Holcomb

25+ years in Information Technology

15+ years dedicated to Information Security

Sr. Information Security Manager at Fluor

President of Upstate SC ISSA Chapter

CISSP, GCIH, GCIA, etc.


The Need for Vulnerability Management

The quicker we stop an attacker, the less it costs the business

An attacker today will gain access to your resources and they are on your network now

Proper vulnerability management reduces the attack vectors an attacker can exploit for spreading control through the environment

Gives intrusion detection capabilities time to detect the intruder and respond to eject them from the network


Clarifications on Vulnerability Management

Vulnerability assessments and vulnerability management are two different things

Vulnerability assessments and penetration testing are two different things

Soft skills are more important than technical skills in vulnerability management

Successful vulnerability management is required to help secure an environment; successful vulnerability scans help ensure compliance


SANS’ Top 20 Critical Controls

1. Inventory of Authorized and Unauthorized Devices

2. Inventory of Authorized and Unauthorized Software

3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

4. Continuous Vulnerability Assessment and Remediation

5. Malware Defenses

6. Application Software Security

7. Wireless Access Control

8. Data Recovery Capability

9. Security Skills Assessment and Appropriate Training to Fill Gaps

10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

11. Limitation and Control of Network Ports, Protocols, and Services

12. Controlled Use of Administrative Privileges

13. Boundary Defense

14. Maintenance, Monitoring, and Analysis of Audit Logs

15. Controlled Access Based on the Need to Know

16. Account Monitoring and Control

17. Data Protection

18. Incident Response and Management

19. Secure Network Engineering

20. Penetration Tests and Red Team Exercises

#4: Continuous Vulnerability Assessment and Remediation


Master the Basics


Perform a Self Audit

If you have no Vulnerability Management Program in place today, perform a self audit to discover what vulnerabilities you do have.

Before engaging an outside party to conduct a vulnerability assessment or penetration testing exercise, remediate as many issues as possible.


Continuous Scanning & Remediation

Determine scanning schedule and “window threshold” based on your organization’s requirements

– If a new vulnerability is introduced into your environment, how long would it take you to discover and understand the vulnerability?

Compliance requirements, rather than the quest for security, often drive scanning schedules

SIEM solutions are now integrating vulnerability scanning management capabilities with host detection capabilities


Leverage Vulnerability Data in Incident Response

Correlate most current vulnerability data to focus intrusion detection response efforts

– Identify alerts that can be closed due to inapplicability

– Escalate alerts for response based on actual risk for an attack against a specific existing vulnerability
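One way to apply this correlation, as an added example that is not part of the original slides: each intrusion detection alert is checked against the latest scan results for the targeted host. The host addresses, the `VULN-A`/`VULN-B` identifiers, the 14-day freshness limit and the CVSS 7.0 priority cut-off are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data. Identifiers are placeholders, not real CVE numbers.
LAST_SCAN = {"10.0.0.5": date(2014, 4, 12),   # host -> date of latest scan
             "10.0.0.9": date(2014, 4, 12),
             "10.0.0.7": date(2014, 2, 1)}
OPEN_FINDINGS = {"10.0.0.5": {"VULN-A": 9.3},  # host -> {vuln id: CVSS score}
                 "10.0.0.9": {"VULN-B": 4.0},
                 "10.0.0.7": {}}
# Constructed IDS alerts; "targets" is the vulnerability the signature detects.
ALERTS = [
    {"id": 1, "dst": "10.0.0.5", "targets": "VULN-A"},
    {"id": 2, "dst": "10.0.0.9", "targets": "VULN-A"},
    {"id": 3, "dst": "10.0.0.7", "targets": "VULN-A"},
    {"id": 4, "dst": "10.0.0.20", "targets": "VULN-A"},
    {"id": 5, "dst": "10.0.0.9", "targets": "VULN-B"},
]
MAX_SCAN_AGE = timedelta(days=14)  # assumed limit for "most current" data


def triage(alert, today):
    """Return (action, reason) for one alert using the latest scan data."""
    host, vuln = alert["dst"], alert["targets"]
    scanned = LAST_SCAN.get(host)
    # Never close on missing or stale data: the host may have changed since.
    if scanned is None or today - scanned > MAX_SCAN_AGE:
        return ("investigate", "no current scan data for host")
    cvss = OPEN_FINDINGS.get(host, {}).get(vuln)
    if cvss is None:
        # Fresh scan shows the targeted vulnerability is absent: inapplicable.
        return ("close", "host not vulnerable per latest scan")
    priority = "P1" if cvss >= 7.0 else "P2"
    return ("escalate", f"{priority}: {vuln} open on host (CVSS {cvss})")


def triage_all(alerts, today):
    """Map alert id -> triage decision."""
    return {a["id"]: triage(a, today) for a in alerts}


if __name__ == "__main__":
    for alert_id, decision in triage_all(ALERTS, date(2014, 4, 14)).items():
        print(alert_id, *decision)
```

Alerts for hosts that were never scanned, or whose last scan is older than the limit, stay open for investigation instead of being closed as inapplicable.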


Metrics That Count

Metrics can be used to communicate to technical and non-technical parties the risks associated with existing vulnerabilities within the environment

Such metrics should measure items which can be controlled by the organization

– Number of vulnerabilities by risk

• Critical, High, Medium/Severe, Low

– Average risk (CVSS) score

– Remediation time

– False remediation
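The four metrics listed above, computed from a small set of findings, as an added example that is not part of the original slides. The records are constructed, the CVSS cut-offs for the risk levels are assumed, and "false remediation" is taken here to mean a finding that was marked remediated but detected again by a later scan.

```python
from collections import Counter
from datetime import date
from statistics import mean

# Constructed findings, one record per vulnerability instance.
# "closed" is the date it was marked remediated (None = still open);
# "seen_after_close" is True when a later scan detected it again.
FINDINGS = [
    {"cvss": 9.8, "found": date(2014, 3, 1), "closed": date(2014, 3, 8),
     "seen_after_close": False},
    {"cvss": 7.5, "found": date(2014, 3, 1), "closed": date(2014, 3, 31),
     "seen_after_close": True},
    {"cvss": 5.0, "found": date(2014, 3, 10), "closed": None,
     "seen_after_close": False},
    {"cvss": 2.1, "found": date(2014, 3, 10), "closed": date(2014, 3, 20),
     "seen_after_close": False},
    {"cvss": 9.0, "found": date(2014, 4, 1), "closed": None,
     "seen_after_close": False},
]


def band(cvss):
    """Map a CVSS score to the slide's risk levels (assumed cut-offs)."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium/Severe"
    return "Low"


def metrics(findings):
    closed = [f for f in findings if f["closed"]]
    false_rem = [f for f in closed if f["seen_after_close"]]
    verified = [f for f in closed if not f["seen_after_close"]]
    # A false remediation is still an exposure, so it counts as open.
    still_open = [f for f in findings
                  if not f["closed"] or f["seen_after_close"]]
    return {
        "open_by_risk": dict(Counter(band(f["cvss"]) for f in still_open)),
        "avg_cvss_open": (round(mean(f["cvss"] for f in still_open), 2)
                          if still_open else 0.0),
        "avg_days_to_remediate": (
            mean((f["closed"] - f["found"]).days for f in verified)
            if verified else None),
        "false_remediation_rate": (len(false_rem) / len(closed)
                                   if closed else 0.0),
    }


if __name__ == "__main__":
    for name, value in metrics(FINDINGS).items():
        print(name, value)
```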


Metrics That Count (cont.)

Sample metrics can be simple, but meaningful

Examples below* demonstrate that, while limited progress is being made in remediating the “backlog” of vulnerabilities, processes for addressing new vulnerabilities and patch releases are highly successful

*Not based on actual Fluor data


Thank You!

If you have any questions, please don’t hesitate to contact me

– Email: [email protected]

– Phone: 864.281.5958