A Comprehensive Approach to IT Vulnerability Management (David Frier), slide deck, 23 pages
PATCH YOUR SH!
(Or, as it appears on the program: "A Comprehensive Approach to IT Vulnerability Management", in case you were wondering if you came to the wrong room)
David C. Frier, RIMS-CRMP, CISM, etc.
Rochester Security Summit 2024

overview
- This is an Introduction to Vulnerability Management
- Spiced with some tips from my sliver of experience with VM
- VM is a continuous, proactive process

about this guy
- David C. Frier, RIMS-CRMP, CISM, CISSP, CRISC, CCSK
- vCISO and Senior Cybersecurity Program Manager at Sedara... but I speak only for myself, not for Sedara!
- 0x2d years into IT, 0x13 years into Infosec
- Avid player of poker. Orioles and Cubs fan. Enthusiastic-if-slow rider of a Trek.
- None of the "usual" social media aside from LinkedIn, but I can be sighted in the Fediverse (#checkin)
- about.me or wheretofind.me geekosaurus

steps in vulnerability management
- Asset Inventory
- Network Scoping
- Internal and External Scanning
- Classifying Results
- Prioritizing Vulnerabilities
- Remediation Assignment
- Measuring & Reporting

asset inventory (1/2)
- Identify all hardware and software
- Document asset types and locations
- Asset discovery tools: CMDB; Nmap, etc.; discovery scans

asset inventory (2/2)
- Criticality ranking (business impact)
- Regular updates for accuracy
- Ensuring full scope for scanning

network scoping (1/2)
- Define internal/external network boundaries
- Identify critical systems for scanning
- Include servers, endpoints, network devices
- Segment your network however it makes sense for your org: staff/team scope, or locations, or functions

network scoping (2/2)
- Avoid unnecessary scans (non-critical assets)
- About end-user computers
- Consider network segments, subnets, firewalls
- Make sure your scanner can access everything
- Key decisions: what to scan and when

internal scanning
- Focus on vulnerabilities within the internal network
- Detect misconfigurations, outdated software, missing patches
- Regular scans (weekly/monthly)

external scanning
- Assess external-facing assets (e.g., web servers)
- Look for rogue connections
- Verify firewall effectiveness and correct rule-set

scanning tools
- Examples: Nessus/Tenable, Qualys, OpenVAS
- Must be able to emit well-formed, fully-detailed CSVs of scan results
- Automation for continuous scanning
- Set schedules for regular scans and changes

classifying scan results (1/3)
- Categorize by risk level (high, medium, low)
- Use CVSS (Common Vulnerability Scoring System)
- Enrich with EPSS, KEV (more about this in a sec)
- Factors: exploitability, impact, asset criticality
- Good idea: database of results over time

classifying scan results (2/3)
- Enriching scan results helps with prioritization
- EPSS (see: https://www.first.org/epss/), Exploit Probability Scoring System
  - Gives a measure of how likely each CVE is to get an exploit developed against it
  - Changes over time
  - Has an easy-to-use API
- KEV (see: https://www.cisa.gov/known-exploited-vulnerabilities-catalog), Known Exploited Vulnerability
  - Answers: Has this been used in a reported attack? Was it ransomware?
  - List is small-ish
- With these elements, you can build a risk score formula to suit: A*CVSS + B*EPSS + C if KEV is "Yes" + D if KEV is "Ransomware"

classifying scan results (3/3)
- Vulnerability types: bugs, misconfigurations, patches
- Define risk impact (business vs. operational)
- Streamline classification for faster remediation
- Quick way to do this: Excel pivot table!

prioritizing vulnerabilities (1/2)
- Rank vulnerabilities based on urgency, opportunity
- Use enrichment results if you have them
- Build and use your own risk-score formula
- Focus on severity and critical asset impact
- Use risk scores and asset importance

prioritizing vulnerabilities (2/2)
- Factors: threat landscape, active exploits
- Compliance requirements, e.g., PCI, HIPAA
- More generally, business requirements
- Production schedules
- Automate prioritization if possible

assigning remediation tasks
- Delegating tasks to teams (IT, security)
- If scan jobs align to team responsibilities, this is a natural split
- Use your ticketing systems (e.g., JIRA, ServiceNow)
- Accountability for each vulnerability
- Set deadlines based on priority
- Use SLAs where possible
- Communication of criticality of vulnerabilities to stakeholders
- Automate workflows for patching and updates

measuring results
- Metrics: vulnerabilities found vs. remediated
- Time to remediation (MTTR)
- Percentage of high-risk vulnerabilities closed within SLAs
- Track aggregate risk scores and %age reduction

reporting results
- Tailor reports for different audiences (IT vs. execs)
- Trends: reduction in vulnerabilities and aggregate risk over time
- But make sure to point out, new vulns pop up almost continuously
- Visualize data (charts, graphs) for clarity
- But don't obfuscate with them

continuous improvement
- Vulnerability management is an ongoing process
- Adjust processes based on: new threats, new technology, new techniques, changing business requirements
- Regular re-assessment and improvement

conclusion
- Remember key steps in the vulnerability management cycle: Asset Inventory, Network Scoping, Internal and External Scanning, Classifying Results, Prioritizing Vulnerabilities, Remediation Assignment, Measuring & Reporting
- Importance of prioritization using risk
- Automation where possible
- Continuing Improvement

Q&A
- Yes, these slides will be available after the conference, on the RSS website
- I can be reached at $FIRST.$LAST(at)rocinfosec(dot)com
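The deck's enrichment formula (classifying scan results 2/3) and its measuring-results metrics, worked through together in an added example that is not part of the slides. The weights A..D, the priority thresholds, the SLA days, and the four findings with placeholder CVE IDs are all constructed assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Weights A..D from the deck's formula; these values are an assumption for the example.
A, B, C, D = 1.0, 10.0, 5.0, 5.0
# Remediation SLA per priority band (days); assumed, not from the deck.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass
class Finding:
    cve: str           # constructed placeholder IDs below, not real CVEs
    asset: str
    cvss: float        # CVSS base score from the scanner CSV
    epss: float        # EPSS probability (0..1) from the FIRST API
    kev: bool          # present in the CISA KEV catalog?
    ransomware: bool   # KEV's known-ransomware-use flag
    found: date
    fixed: date | None = None

def risk_score(f: Finding) -> float:
    """A*CVSS + B*EPSS + C if KEV is 'Yes' + D if KEV is 'Ransomware'."""
    score = A * f.cvss + B * f.epss
    if f.kev:
        score += C
        if f.ransomware:
            score += D
    return score

def priority(f: Finding) -> str:
    """Map the score to an SLA band; the thresholds are assumed."""
    s = risk_score(f)
    return "critical" if s >= 20 else "high" if s >= 12 else "medium" if s >= 6 else "low"

def ranked(findings: list[Finding]) -> list[str]:
    """CVE IDs in remediation order, highest risk first."""
    return [f.cve for f in sorted(findings, key=risk_score, reverse=True)]

def metrics(findings: list[Finding]) -> dict:
    """Found vs. remediated, MTTR in days, and % of high/critical closed within SLA."""
    fixed = [f for f in findings if f.fixed]
    urgent = [f for f in findings if priority(f) in ("critical", "high")]
    in_sla = [f for f in urgent if f.fixed and (f.fixed - f.found).days <= SLA_DAYS[priority(f)]]
    return {
        "found": len(findings),
        "remediated": len(fixed),
        "mttr_days": sum((f.fixed - f.found).days for f in fixed) / len(fixed) if fixed else 0.0,
        "pct_urgent_in_sla": 100.0 * len(in_sla) / len(urgent) if urgent else 100.0,
    }

# Constructed sample: four enriched scanner rows (a CVSS 9.1 with no KEV/EPSS signal ranks below a KEV 7.5).
SAMPLE = [
    Finding("CVE-0000-0001", "web-01", 9.8, 0.95, True, True, date(2024, 9, 1), date(2024, 9, 5)),
    Finding("CVE-0000-0002", "db-01", 9.1, 0.02, False, False, date(2024, 9, 10)),
    Finding("CVE-0000-0003", "vpn-01", 7.5, 0.60, True, False, date(2024, 9, 1), date(2024, 10, 15)),
    Finding("CVE-0000-0004", "print-01", 5.3, 0.01, False, False, date(2024, 9, 10), date(2024, 9, 20)),
]
```

Running `ranked(SAMPLE)` and `metrics(SAMPLE)` shows the KEV-listed CVSS 7.5 outranking the un-exploited CVSS 9.1, and that only half of the urgent findings closed within their SLA.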