Creating a Vulnerability Management Program
TRANSCRIPT
3/11/2012
1
“When out of ammo, Reload”
Creating a Vulnerability Management Program
Ahmed Husain, Managing Director
Company overview
◦ Security Assessments
◦ Compliance and Audits
◦ IT Projects Management
◦ Cloud Security Services
◦ Telecom Consultancy
Agenda
Vulnerability Management Lifecycle
Risk Assessment Policies & Procedures
PT vs. VA (penetration testing vs. vulnerability assessment)
Names in the Market
1. Discover
• Automated process for accurate discovery of all hosts on the network
• Delivers a centralized repository of the asset inventory
Mapping report sample
2. Asset Prioritisation
• Manage networks by categorising assets into groups or business units
• Assign a business value to asset groups based on the criticality of the assets to your business operation
3. Assessment & Analysis
• Accurately identify security vulnerabilities via a sufficient knowledgebase of vulnerability checks (over 7,000 unique checks)
• Inference-based scan engine to improve accuracy and scanning efficiency
• Proactively identify known issues before they can be exploited. Perform a deep analysis and thorough OS, application and security configuration vulnerability assessments.
A penetration test (PT) is an Internet security audit performed by experienced security professionals. A key feature of the service, and one which cannot be covered by relying solely on automated testing, is application testing.
Typical Issues Discovered in an Application Test
• Cross-site scripting
• SQL injection
• Server misconfigurations
• Form/hidden field manipulation
• Command injection
• Cookie poisoning
• Well-known platform vulnerabilities
• Insecure use of cryptography
• Back doors and debug options
• Errors triggering sensitive information leaks
• Broken ACLs/weak passwords
• Weak session management
• Buffer overflows
4. Report
• Template-based reporting to enable technical and executive level analysis
• Enable trend analysis of overall security and compliance posture
Types of Reports: Executive, Technical, Patch, Differential
Reports sample
5. Remediation Workflow
• Prioritise and remediate vulnerabilities according to business risk
• Deploy patches to an entire network
6. Verification
• Verify the elimination of threats through follow-up audits
• Establish appropriate security policies, processes and standards that support regulatory and organisational compliance
Simplify the process of maintaining a secure environment by continuously monitoring, detecting and remediating policy-driven environments across all major platforms and applications.
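The lifecycle above stays at bullet level, so here is an added worked example (not code from the presentation or its author) that strings steps 2, 4, 5 and 6 together on constructed data: asset groups carry a business value, each scanner finding is turned into a business risk that orders the remediation queue, two scans are compared into a differential report, and closed tickets are verified against a follow-up audit. Steps 1 and 3 (discovery and the scan itself) are taken as input here in the form of the `Finding` records. The hosts, group names, check identifiers, severities and the severity-weight times business-value scoring formula are all assumptions made for illustration.

```python
"""Minimal vulnerability management workflow on constructed sample data.
Added example; the scoring formula and all inventory values are assumptions."""
from dataclasses import dataclass

# Step 2: asset groups with an assumed business value (1 = low, 5 = critical).
# Constructed sample inventory.
ASSET_GROUPS = {
    "payment-db":   {"value": 5, "hosts": {"10.0.1.10", "10.0.1.11"}},
    "web-frontend": {"value": 4, "hosts": {"10.0.2.20"}},
    "dev-lab":      {"value": 1, "hosts": {"10.0.9.5"}},
}

# Assumed severity weights for the scanner's rating.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}


@dataclass(frozen=True)
class Finding:
    """One result line from a scan (steps 1 and 3 supply these)."""
    host: str
    check_id: str   # constructed identifier of the vulnerability check
    severity: str   # critical / high / medium / low
    title: str


def group_of(host):
    """Look up which asset group a host belongs to (None if not inventoried)."""
    for name, grp in ASSET_GROUPS.items():
        if host in grp["hosts"]:
            return name
    return None


def business_risk(finding):
    """Assumed scoring: severity weight times business value of the asset group.
    Hosts missing from the inventory get value 1 so they still enter the queue."""
    grp = group_of(finding.host)
    value = ASSET_GROUPS[grp]["value"] if grp else 1
    return SEVERITY_WEIGHT[finding.severity] * value


def remediation_queue(findings):
    """Step 5: order findings by business risk, highest first; ties are
    broken by host and check id so the queue is stable between runs."""
    return sorted(findings, key=lambda f: (-business_risk(f), f.host, f.check_id))


def differential_report(previous, current):
    """Step 4 (differential report): what is new since the last scan, what
    has disappeared, and what is still open. Each list is sorted for reporting."""
    prev, cur = set(previous), set(current)
    key = lambda f: (f.host, f.check_id)
    return {
        "new": sorted(cur - prev, key=key),
        "fixed": sorted(prev - cur, key=key),
        "still_open": sorted(prev & cur, key=key),
    }


def verify_remediated(closed_tickets, followup_scan):
    """Step 6: a closed ticket (host, check_id) counts as verified only when the
    follow-up audit no longer reports that check on that host.
    Returns (verified, reopened)."""
    still_open = {(f.host, f.check_id) for f in followup_scan}
    verified = [t for t in closed_tickets if t not in still_open]
    reopened = [t for t in closed_tickets if t in still_open]
    return verified, reopened


# Constructed sample scans: the findings reported on two successive runs.
SCAN_1 = [
    Finding("10.0.1.10", "CHK-0001", "high", "Outdated database service"),
    Finding("10.0.2.20", "CHK-0002", "critical", "SQL injection in login form"),
    Finding("10.0.9.5",  "CHK-0003", "critical", "Unpatched OS kernel"),
    Finding("10.0.2.20", "CHK-0004", "low", "Server banner disclosure"),
]
SCAN_2 = [
    Finding("10.0.1.10", "CHK-0001", "high", "Outdated database service"),
    Finding("10.0.9.5",  "CHK-0003", "critical", "Unpatched OS kernel"),
    Finding("10.0.1.11", "CHK-0005", "medium", "Weak TLS configuration"),
]

if __name__ == "__main__":
    for f in remediation_queue(SCAN_1):
        print(f"risk={business_risk(f):3d} {f.host:<10} {f.check_id} {f.title}")
    diff = differential_report(SCAN_1, SCAN_2)
    for section, items in diff.items():
        print(section, [(f.host, f.check_id) for f in items])
    closed = [("10.0.2.20", "CHK-0002"), ("10.0.9.5", "CHK-0003")]
    print("verified / reopened:", verify_remediated(closed, SCAN_2))
```

The point the queue makes is the one the asset prioritisation slide is after: the critical finding on the dev-lab host ranks below the high finding on the payment database because the business value of the group, not the raw scanner severity, decides the order. The verification step also shows why follow-up audits matter: a ticket closed for the dev-lab kernel is reopened because the second scan still reports it.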
Risk Assessment Policies & Procedures
Risk Assessment
• Number of external tests per year
• Number of internal tests per year
• Web application tests
• Vendor alternate practices
Risk Treatment
• Patch management and upgrades
• Deployment of technologies and solutions to fix the gap
• Implement controls