A Comprehensive Approach to IT Vulnerability Management (David Frier).pdf


PATCH YOUR SH! (Or, as it appears on the program: A Comprehensive Approach to IT Vulnerability Management) (In case you were wondering if you came to the wrong room)
David C. Frier, RIMS-CRMP, CISM, etc.
Rochester Security Summit 2024

overview
- This is an introduction to Vulnerability Management (VM)
- Spiced with some tips from my sliver of experience with VM
- VM is a continuous, proactive process

about this guy
- David C. Frier, RIMS-CRMP, CISM, CISSP, CRISC, CCSK
- vCISO and Senior Cybersecurity Program Manager at Sedara... but I speak only for myself, not for Sedara!
- 0x2d years into IT, 0x13 years into Infosec
- Avid player of poker. Orioles and Cubs fan. Enthusiastic-if-slow rider of a Trek.
- None of the "usual" social media aside from LinkedIn, but I can be sighted in the Fediverse (#checkin)
- about.me or wheretofind.me: geekosaurus

steps in vulnerability management
- Asset Inventory
- Network Scoping
- Internal and External Scanning
- Classifying Results
- Prioritizing Vulnerabilities
- Remediation Assignment
- Measuring & Reporting

asset inventory (1/2)
- Identify all hardware and software
- Document asset types and locations
- Asset discovery tools: CMDB; Nmap, etc.; discovery scans

asset inventory (2/2)
- Criticality ranking (business impact)
- Regular updates for accuracy
- Ensuring full scope for scanning

network scoping (1/2)
- Define internal/external network boundaries
- Identify critical systems for scanning
- Include servers, endpoints, network devices
- Segment your network however it makes sense for your org: staff/team scope, or locations, or functions

network scoping (2/2)
- Avoid unnecessary scans (non-critical assets)
- Decide whether and how to cover end-user computers
- Consider network segments, subnets, firewalls
- Make sure your scanner can access everything
- Key decisions: what to scan and when

internal scanning
- Focus on vulnerabilities within the internal network
- Detect misconfigurations, outdated software, missing patches
- Regular scans (weekly/monthly)

external scanning
- Assess external-facing assets (e.g., web servers)
- Look for rogue connections
- Verify firewall effectiveness and correct rule-set

scanning tools
- Examples: Nessus/Tenable, Qualys, OpenVAS
- Must be able to emit well-formed, fully-detailed CSVs of scan results
- Automation for continuous scanning
- Set schedules for regular scans and changes

classifying scan results (1/3)
- Categorize by risk level (high, medium, low)
- Use CVSS (Common Vulnerability Scoring System)
- Enrich with EPSS, KEV (more about this in a sec)
- Factors: exploitability, impact, asset criticality
- Good idea: database of results over time

classifying scan results (2/3)
- Enriching scan results helps with prioritization
- EPSS (see: https://www.first.org/epss/), Exploit Prediction Scoring System
  - Gives a probability (0 to 1) that each CVE will be exploited in the wild in the next 30 days
  - Changes over time
  - Has an easy-to-use API
- KEV (see: https://www.cisa.gov/known-exploited-vulnerabilities-catalog), Known Exploited Vulnerabilities
  - Answers: Has this been used in a reported attack? Was it ransomware?
  - List is small-ish
- With these elements, you can build a risk score formula to suit: A*CVSS + B*EPSS + C if KEV is "Yes" + D if KEV is "Ransomware"

classifying scan results (3/3)
- Vulnerability types: bugs, misconfigurations, patches
- Define risk impact (business vs. operational)
- Streamline classification for faster remediation
- Quick way to do this: Excel pivot table!

prioritizing vulnerabilities (1/2)
- Rank vulnerabilities based on urgency, opportunity
- Use enrichment results if you have them
- Build and use your own risk-score formula
- Focus on severity and critical asset impact
- Use risk scores and asset importance

prioritizing vulnerabilities (2/2)
- Factors: threat landscape, active exploits
- Compliance requirements, e.g., PCI, HIPAA
- More generally, business requirements: production schedules
- Automate prioritization if possible

assigning remediation tasks
- Delegating tasks to teams (IT, security): if scan jobs align to team responsibilities, this is a natural split
- Use your ticketing systems (e.g., JIRA, ServiceNow)
- Accountability for each vulnerability
- Set deadlines based on priority; use SLAs where possible
- Communication of criticality of vulnerabilities to stakeholders
- Automate workflows for patching and updates

measuring results
- Metrics: vulnerabilities found vs. remediated
- Time to remediation (MTTR)
- Percentage of high-risk vulnerabilities closed within SLAs
- Track aggregate risk scores and percentage reduction

reporting results
- Tailor reports for different audiences (IT vs. execs)
- Trends: reduction in vulnerabilities and aggregate risk over time
- But make sure to point out that new vulns pop up almost continuously
- Visualize data (charts, graphs) for clarity, but don't obfuscate with them

continuous improvement
- Vulnerability management is an ongoing process
- Adjust processes based on: new threats, new technology, new techniques, changing business requirements
- Regular re-assessment and improvement

conclusion
- Remember the key steps in the vulnerability management cycle: Asset Inventory; Network Scoping; Internal and External Scanning; Classifying Results; Prioritizing Vulnerabilities; Remediation Assignment; Measuring & Reporting
- Importance of prioritization using risk
- Automation where possible
- Continuing improvement

Q&A
- Yes, these slides will be available after the conference, on the RSS (Rochester Security Summit) website
- I can be reached at $FIRST.$LAST(at)rocinfosec(dot)com
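The scoring formula from the "classifying scan results (2/3)" slide (A*CVSS + B*EPSS + C if KEV + D if KEV ransomware), together with the pivot-table view from (3/3) and the asset-importance weighting from "prioritizing vulnerabilities", worked through as an added example. This is editor-written code, not code from the deck, the speaker or Sedara. The scanner CSV columns, the CVE IDs, the EPSS and KEV records and the weights A..D are constructed placeholders; multiplying by asset criticality is an extension of the slide's formula, not part of it. The FIRST EPSS endpoint URL is real but is only built, never fetched, so the script runs offline.

```python
"""Added example: rank scanner findings with the deck's risk formula
A*CVSS + B*EPSS + C if in KEV + D if KEV reports ransomware use.
All sample data is constructed; column names and weights are assumptions."""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed scanner export. Real Nessus/Qualys/OpenVAS CSVs use their own
# column names; map them onto these. The CVE IDs are fictional placeholders.
SCAN_CSV = """host,cve,cvss,name,asset_criticality
web01,CVE-2099-0001,9.8,Remote code execution in web stack,3
web01,CVE-2099-0002,5.3,Information disclosure,3
db01,CVE-2099-0003,7.5,Authentication bypass,5
wks17,CVE-2099-0001,9.8,Remote code execution in web stack,1
wks17,CVE-2099-0004,4.3,Weak TLS cipher offered,1
"""

# Constructed EPSS enrichment, shaped like a record returned by
# https://api.first.org/data/v1/epss?cve=...  (probabilities as strings).
EPSS_FEED = {
    "CVE-2099-0001": {"epss": "0.91", "percentile": "0.99"},
    "CVE-2099-0002": {"epss": "0.02", "percentile": "0.55"},
    "CVE-2099-0003": {"epss": "0.37", "percentile": "0.96"},
    # CVE-2099-0004 deliberately absent: not every CVE has an EPSS score yet.
}

# Constructed KEV entries, shaped like the CISA catalog JSON, whose
# "knownRansomwareCampaignUse" field is "Known" or "Unknown".
KEV_CATALOG = {
    "CVE-2099-0001": {"knownRansomwareCampaignUse": "Known"},
    "CVE-2099-0003": {"knownRansomwareCampaignUse": "Unknown"},
}

# Illustrative weights: B scales EPSS (0..1) onto the CVSS 0..10 range,
# C and D are flat bumps for KEV membership and reported ransomware use.
WEIGHTS = {"A": 1.0, "B": 10.0, "C": 5.0, "D": 5.0}


@dataclass
class Finding:
    host: str
    cve: str
    cvss: float
    name: str
    asset_criticality: int  # 1 (low) .. 5 (crown jewel), from the asset inventory


def parse_scan_csv(text):
    """Read the scanner export; treat a blank CVSS cell as 0 rather than crash."""
    return [Finding(r["host"], r["cve"].strip(), float(r["cvss"] or 0),
                    r["name"], int(r["asset_criticality"]))
            for r in csv.DictReader(io.StringIO(text))]


def risk_score(cvss, epss, in_kev, ransomware, w=WEIGHTS):
    """The deck's formula: A*CVSS + B*EPSS + C if KEV + D if KEV ransomware."""
    score = w["A"] * cvss + w["B"] * epss
    if in_kev:
        score += w["C"]
        if ransomware:
            score += w["D"]
    return round(score, 2)


def enrich(f, epss_feed=EPSS_FEED, kev=KEV_CATALOG):
    """Look up EPSS and KEV facts for one finding. No EPSS record -> 0.0 (assumption)."""
    epss = float(epss_feed.get(f.cve, {}).get("epss", 0.0))
    entry = kev.get(f.cve)
    in_kev = entry is not None
    ransomware = in_kev and entry.get("knownRansomwareCampaignUse") == "Known"
    return epss, in_kev, ransomware


def prioritize(findings, epss_feed=EPSS_FEED, kev=KEV_CATALOG, w=WEIGHTS):
    """Score each finding, then weight by asset criticality so the same CVE
    ranks higher on a crown-jewel host than on a workstation (our extension
    of the slide's formula). Returns rows sorted most urgent first."""
    out = []
    for f in findings:
        epss, in_kev, ransomware = enrich(f, epss_feed, kev)
        base = risk_score(f.cvss, epss, in_kev, ransomware, w)
        out.append({"host": f.host, "cve": f.cve, "cvss": f.cvss, "epss": epss,
                    "kev": in_kev, "ransomware": ransomware, "risk": base,
                    "priority": round(base * f.asset_criticality, 2)})
    return sorted(out, key=lambda r: (-r["priority"], -r["risk"], r["host"]))


def pivot_by_host(ranked):
    """The 'Excel pivot table' view: finding count and summed risk per host."""
    pivot = defaultdict(lambda: {"findings": 0, "aggregate_risk": 0.0})
    for r in ranked:
        pivot[r["host"]]["findings"] += 1
        pivot[r["host"]]["aggregate_risk"] = round(pivot[r["host"]]["aggregate_risk"] + r["risk"], 2)
    return dict(pivot)


def epss_query_url(cves):
    """Real FIRST endpoint (comma-separated CVE list); built here, not fetched."""
    return "https://api.first.org/data/v1/epss?cve=" + ",".join(sorted(set(cves)))


if __name__ == "__main__":
    findings = parse_scan_csv(SCAN_CSV)
    ranked = prioritize(findings)
    for r in ranked:
        print(f"{r['priority']:7.2f}  {r['host']:6} {r['cve']}  cvss={r['cvss']} "
              f"epss={r['epss']:.2f} kev={r['kev']} ransomware={r['ransomware']}")
    print(pivot_by_host(ranked))
    print(epss_query_url(f.cve for f in findings))
```

Run as a script it prints the ranked list: the KEV-listed ransomware CVE on the criticality-3 web server lands on top, the KEV-listed bypass on the criticality-5 database second, and the very same RCE on a workstation drops to third because asset importance multiplies the base score. Keep the per-row `risk` column alongside `priority` in whatever you store over time; the un-weighted number is what the aggregate-risk trend should track.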
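The metrics on the "measuring results" slide (found vs. remediated, MTTR, percentage of high-risk findings closed within SLA, aggregate risk and its percentage reduction), computed from the "database of results over time" the deck recommends, as an added example that is not the speaker's code. The records, the SLA targets per severity and the snapshot dates are all constructed; the choice to exclude open-but-not-yet-overdue findings from the SLA denominator is an editorial assumption. The trend function also reports how many findings were new since the previous snapshot, which is the caveat the "reporting results" slide asks for.

```python
"""Added example: vulnerability-management metrics from a results database
kept across scans. Records, SLA targets and dates are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Record:
    host: str
    cve: str
    risk: float             # un-weighted score from your risk formula
    severity: str           # "high" | "medium" | "low"
    first_seen: date        # date a scan first reported it
    closed: Optional[date]  # date a rescan no longer reported it; None if open


def d(s):
    """Parse an ISO date string; None stays None."""
    return date.fromisoformat(s) if s else None


# Constructed results database (fictional CVE IDs), one row per (host, CVE)
# tracked from first detection to closure.
RESULTS_DB = [
    Record("web01", "CVE-2099-0001", 28.9, "high",   d("2024-09-02"), d("2024-09-09")),
    Record("db01",  "CVE-2099-0003", 16.2, "high",   d("2024-09-02"), d("2024-09-30")),
    Record("wks17", "CVE-2099-0001", 28.9, "high",   d("2024-09-02"), None),
    Record("web01", "CVE-2099-0002",  5.5, "medium", d("2024-09-02"), d("2024-09-20")),
    Record("wks17", "CVE-2099-0004",  4.3, "low",    d("2024-09-02"), None),
    Record("app02", "CVE-2099-0005", 21.0, "high",   d("2024-10-01"), d("2024-10-10")),
    Record("app02", "CVE-2099-0006",  6.1, "medium", d("2024-10-01"), None),
]

SLA_DAYS = {"high": 14, "medium": 30, "low": 90}   # assumed remediation targets
AS_OF = date(2024, 10, 15)


def is_open(r, as_of):
    return r.first_seen <= as_of and (r.closed is None or r.closed > as_of)


def found_vs_remediated(records, as_of=AS_OF):
    found = [r for r in records if r.first_seen <= as_of]
    remediated = [r for r in found if r.closed is not None and r.closed <= as_of]
    return {"found": len(found), "remediated": len(remediated),
            "open": len(found) - len(remediated)}


def mttr_days(records, as_of=AS_OF):
    """Mean time to remediate, in days, over findings closed by as_of."""
    durations = [(r.closed - r.first_seen).days for r in records
                 if r.closed is not None and r.closed <= as_of]
    return round(sum(durations) / len(durations), 1) if durations else None


def sla_compliance(records, severity="high", sla=SLA_DAYS, as_of=AS_OF):
    """Percentage of <severity> findings closed within their SLA.
    Denominator: findings whose outcome is decided by as_of, i.e. closed ones
    plus open ones already past their deadline. Open findings still inside
    their SLA window are excluded rather than counted as failures."""
    met = due = 0
    for r in records:
        if r.severity != severity or r.first_seen > as_of:
            continue
        deadline = r.first_seen + timedelta(days=sla[severity])
        if r.closed is not None and r.closed <= as_of:
            due += 1
            met += r.closed <= deadline
        elif as_of > deadline:          # still open and overdue: a breach
            due += 1
    return {"met": met, "due": due, "pct": round(100.0 * met / due, 1) if due else None}


def open_risk(records, as_of):
    """Aggregate risk still open on a given date."""
    return round(sum(r.risk for r in records if is_open(r, as_of)), 2)


def trend(records, snapshots):
    """Open risk per snapshot with % reduction against the first snapshot,
    plus the number of findings first seen since the previous snapshot:
    the reduction figure alone hides that new vulns keep arriving."""
    rows, baseline, prev = [], None, None
    for day in snapshots:
        risk = open_risk(records, day)
        baseline = risk if baseline is None else baseline
        new = sum(1 for r in records
                  if (prev is None or r.first_seen > prev) and r.first_seen <= day)
        rows.append({"date": day.isoformat(), "open_risk": risk, "new_found": new,
                     "pct_reduction": round(100.0 * (baseline - risk) / baseline, 1)
                     if baseline else 0.0})
        prev = day
    return rows


if __name__ == "__main__":
    print(found_vs_remediated(RESULTS_DB))
    print("MTTR days:", mttr_days(RESULTS_DB))
    print("high-risk SLA:", sla_compliance(RESULTS_DB))
    for row in trend(RESULTS_DB, [d("2024-09-02"), d("2024-10-01"), d("2024-10-15")]):
        print(row)
```

The same open-risk curve presented to executives as "53% reduction since September" reads very differently once the `new_found` column shows two new findings arrived in October; report both numbers together, as the slide advises.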
