Vulnerability Management

Time: 8 hours 20 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
>> Vulnerability management. The learning objectives for this lesson are to define vulnerabilities and vulnerability management, to discuss the importance of patch management, and to utilize vulnerability scanners in vulnerability management.

Let's get started. What is a vulnerability? A vulnerability is any area of your enterprise where you are not fully protected and that could be exploited by an attacker. A lot of times people tend to think of these as bugs in software, but this isn't the case. It could be anything in your environment that allows an attacker the opportunity to exploit. We'll go over some specific examples in the next slide, but what I want you to take away for now is that it doesn't have to be about software only.
Here are some examples. The first one we'll go over is staff not being trained, and then they click on phishing links. We need to train our staff because they are not keeping up with the latest techniques that attackers are using. We can't expect them to know or even understand those. It's our job to help teach them so that they know these things. If we're not teaching them, then that's why they're clicking on these links.

The next is having Ethernet ports in common areas that are live. A company moves into a new building, buys it all up, has everything plugged into a switch, then they have drops in common areas or maybe offices that are not occupied yet. They're all live, but this gives an opportunity for an attacker to come in, plug in, and be on your network. If you're not using those ports, we need to disable them.

You'd be surprised how many companies don't have alarm systems. After spending tens of thousands or hundreds of thousands of dollars on IT infrastructure, not to mention the value of the data they have, you would think they would consider having an alarm system.
Next is having servers or other critical systems that are not access controlled. Ideally you want your server and your networking infrastructure to be in its own locked room. However, we have seen cases where someone had a server that was sitting in the corner of a small office. Anyone could have access to it. If it contains important data and it needs to be protected, it needs to be separated.

Next is having laptops that have VPN access to your office or contain sensitive data but are not encrypted. We'll get into this a little bit deeper when we get into compliance frameworks like HIPAA, but if you want to see examples of companies that have paid a lot of money in fines for violations like this, go to the HIPAA wall of shame. There have been several cases where laptops that contain patient information were either lost or stolen, and companies or practices had to pay out large sums for that. If we're going to have our laptops going out of the office, they need to be encrypted at all times.

Finally, we have outdated software or software that's no longer supported by the vendor. A good example of this is Windows 7 or Windows Server 2008. It's no longer supported by Microsoft, so it's not getting those updates for any new bugs or security flaws that are found.
Vulnerability management activities. Here are some ways we can go about managing our vulnerabilities in our environment. The first common way is to use a vulnerability scanner. We'll go over that in more detail in the next slide. The next is patch management. We want to make sure we deploy all the patches that are available for the devices and the operating systems in our environment. Finally, we can perform a risk assessment to help us find areas that maybe we weren't thinking about that we're vulnerable in.
Vulnerability scanners are software products that will scan our network to see where we might be vulnerable. They're going to test devices or operating systems against known exploits, but they're also going to look for missing patches, any misconfigurations, or maybe if we left things in a default setting and these need to be changed. Two examples of a vulnerability scanner would be Nikto and Nessus.

These are some critical components of a vulnerability scanner. We need to consider if we're going to use credentials when we perform a scan. The reason we might not want to use credentials is if we want to emulate an attacker in our environment: an attacker wouldn't yet have access to a system that they're scanning, and because of that, they're not going to be able to get the full details back from a vulnerability scanner. However, for the purposes of vulnerability management, we are going to want to scan with credentials so that we get back the full amount of information.

We also need to decide if we're going to use agent or agentless. Do we want to install a component on each endpoint before it's scanned? We also need to make sure that we get a criticality ranking. This will show the results of the scan with the highest urgency at the top so that we can make sure those are addressed. Then finally we want to decide if we're going to use active versus passive. An active scan will go through each device and scan them directly, whereas a passive scan is going to collect information in a more indirect way.
Instructor side note. Nessus scanner is a great vulnerability scanner. Unfortunately, it's a little expensive, but they do offer a free trial that will allow you to scan up to 16 IP addresses. That's 16 total, not 16 per scan. It's highly recommended that you download this. You can get your feet wet with a vulnerability scanner. You can go to the website on the slide here, get your free scanner. Maybe scan a couple of devices on your network, see what it finds. That way you can get an understanding of how these work and then how they would be used in a business environment.
Patch management. This is about identifying the missing patches or updates for every device on our network. It's not limited to just operating systems. For example, devices like switches and firewalls and access points all have new firmware that's released from time to time. These will patch holes found in those devices. We want to make sure that we deploy those too. Installing missing patches keeps our systems fully up-to-date but also closes those security holes.

Instructor side note. This is probably not on the test, but I wanted you to be aware of it. Ideally, before you go deploying patches on your critical systems, you want to test them first. Maybe have a test environment set up, even a virtual machine that you can install it on to make sure. Because we've seen in the past where sometimes, for example, Microsoft releases an update whose side effect is blue screens. We want to be able to test those before deploying it. Some organizations actually use change management that would require us to test those and then document them before deploying.
Vulnerability information sources. Where do we find out about these vulnerabilities? The first place we would go to are advisories. These contain specific data on the identified vulnerability. This would include how the vulnerability is identified, what it does, sometimes a proof-of-concept, and then maybe any mitigations if there are any available. Next would be bulletins. These are summaries or a newsletter listing of advisories. After that we have information sharing and analysis centers, or ISACs. These are non-profit groups that usually specialize in a specific sector such as finance or health care. Finally we have news reports. You may end up hearing about it in the news. Large cases that hinge on specific exploits are very common in the news lately.
Security Content Automation Protocol. This is a suite of interoperable specs that are designed to standardize the naming conventions and the formatting used to identify and report on software flaws. It's made up of open standards, and these enumerate the software flaws and the security-related configuration issues.

SCAP languages. The first we're going to discuss is the Open Vulnerability and Assessment Language, or OVAL. This provides a consistent way to collect and assess the three main aspects of evaluated systems. These are the system information, the machine state, and reporting. Next we have Asset Reporting Format, or ARF. This correlates reporting formats to device information. Next is the Extensible Configuration Checklist Description Format, or XCCDF. This is written in XML and it's designed to provide a consistent way to define the benchmarks and the checks performed during assessments.
SCAP identification schemes. First we have the Common Platform Enumeration, or CPE. These are standardized naming formats to help us identify systems and software. Then we have Common Vulnerabilities and Exposures, or CVEs. This is a list of known vulnerabilities, and they're formatted with CVE, then the year, and then the actual number that's assigned to that. From there we have the Common Configuration Enumeration, or CCE. It's similar to CVE, but it focuses on the configuration issues that may potentially lead to a vulnerability.

This is how it all comes together. You can see the four main areas that we're looking to address: software vulnerability management, configuration management, compliance management, and then asset management. All of these circles overlap each other in different areas. However, each part plays its own role in the overall method. For example, if we're going to look at asset management, we know that that's going to be CPE. This identifies software and devices. But if we're looking at configuration management, we want CCE; this identifies configuration controls. This is a good overview that can help you understand how it all works together.
SCAP metrics. The Common Vulnerability Scoring System, or CVSS, is represented by a numerical score to show how severe the vulnerability is. One thing to keep in mind is the vulnerability score is not necessarily the same for every person. You may have a different deployment of a specific software product that makes you more or less vulnerable, but this is to give you a very good guide on how this works. You want to be able to know that anything in the higher critical level needs to be addressed as soon as possible and then work your way down from there.
Let's summarize. We discussed vulnerabilities and vulnerability scanners. We also went over vulnerability management and patch management. We also discussed SCAP, the SCAP languages, the SCAP identification schemes, and SCAP metrics.

Let's do some sample questions. Question 1: A ____ is any weakness that could be exploited and lead to a breach? Vulnerability. Question 2: ____ helps describe the three main aspects to evaluate a system: system information, machine state, and reporting. Open Vulnerability and Assessment Language, or OVAL. Question 3: Which identification scheme is responsible for classifying configurations? Common Configuration Enumeration, or CCE. Question 4: After performing a scan with a vulnerability scanner, the report shows that you have one vulnerability with a score of 7.4. What severity rating would this score represent? 7.0-8.9 is high.

I hope this was helpful for you and I hope you learned something, and I'll see you in the next one.