VULNERABILITY ASSESSMENT FOR THE POLICE DEPARTMENT’S NETWORK.


1 VULNERABILITY ASSESSMENT FOR THE POLICE DEPARTMENT’S NETWORK

2 Pen-Testing vs. Vulnerability Assessment The two terms are related, but penetration testing places more emphasis on gaining as much access as possible, while vulnerability assessment places the emphasis on identifying areas that are vulnerable to a computer attack.

3 An automated vulnerability scanner will often identify possible vulnerabilities based on service banners or other network responses that are not in fact what they seem. A vulnerability assessor will stop just before compromising a system, whereas a penetration tester will go as far as they can within the scope of the contract.

4 A penetration test is like any other test in the sense that it is a sampling of all possible systems and configurations. Unless the contractor is hired to test only a single system, they will be unable to identify and penetrate all possible systems using all possible vulnerabilities. As such, any penetration test is a sampling of the environment. Furthermore, most testers will go after the easiest targets first.

5 STEPS INVOLVED IN VULNERABILITY ASSESSMENT 1. Identify and understand your business processes. 2. Pinpoint the applications and data that underlie business processes. 3. Find hidden data sources.

6 4. Determine what hardware underlies applications and data. 5. Map the network infrastructure that connects the hardware. 6. Identify which controls are already in place.

7 7. Run vulnerability scans. 8. Apply business and technology context to scanner results.

8 RISKS INVOLVED IN CONDUCTING AN INTERNAL VULNERABILITY ASSESSMENT 1. Vulnerability assessments can provide an overwhelming, incoherent amount of data. 2. They typically contain numerous false positives, especially for areas such as patch management and secure application development.

9 3. Due to lack of impact analysis, they have inadequate risk rankings, often based on tool suggestions. 4. They are unable to chain together vulnerabilities to determine overall impact to the business. 5. They fail to identify logical attack vectors such as password reuse and application logic flaws. 6. Recommendations for remediation are often generic and based on tool output.
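Step 8 of the assessment (applying business and technology context to scanner results) and risk items 1 to 3 (data overload, false positives, tool-driven rankings) can be illustrated with a small re-ranking script. This is an added example, not material from the presentation; the scanner findings, asset register, host names and weighting factors are all constructed for illustration.

```python
# Added example: re-rank constructed vulnerability-scanner findings by business
# context instead of trusting the scanner's own severity. Hosts, findings and
# the asset register below are hypothetical sample data.

# Constructed scanner output. "confirmed" records whether manual verification
# backed the scanner's claim (banner-only matches are frequent false positives).
SCAN_FINDINGS = [
    {"host": "cad-db01", "issue": "unsupported DB version", "severity": 3, "confirmed": True},
    {"host": "cad-db01", "issue": "unsupported DB version", "severity": 3, "confirmed": True},
    {"host": "kiosk07", "issue": "SSH version match (banner only)", "severity": 5, "confirmed": False},
    {"host": "evid-web", "issue": "default credentials", "severity": 4, "confirmed": True},
]

# Hypothetical asset register produced by steps 1 to 4: which business process
# each host supports, how critical that process is (1-5) and its exposure.
ASSETS = {
    "cad-db01": {"process": "computer-aided dispatch", "criticality": 5, "internet_facing": False},
    "kiosk07": {"process": "lobby information kiosk", "criticality": 1, "internet_facing": False},
    "evid-web": {"process": "evidence portal", "criticality": 4, "internet_facing": True},
}

def dedupe(findings):
    """Collapse repeated (host, issue) pairs; scanners often report the same
    finding several times, which inflates the data volume (risk item 1)."""
    seen, unique = set(), []
    for f in findings:
        key = (f["host"], f["issue"])
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique

def contextual_score(finding, assets):
    """Weight scanner severity by business criticality and exposure, and
    discount unconfirmed findings (risk items 2 and 3). Unknown hosts get a
    neutral criticality of 3 so they are not silently dropped."""
    asset = assets.get(finding["host"], {"criticality": 3, "internet_facing": False})
    score = finding["severity"] * asset["criticality"]
    if asset["internet_facing"]:
        score *= 1.5          # reachable by more attackers
    if not finding["confirmed"]:
        score *= 0.25         # likely false positive until verified
    return score

def rank(findings, assets):
    """Return unique findings ordered by contextual score, highest first."""
    return sorted(dedupe(findings), key=lambda f: contextual_score(f, assets), reverse=True)

if __name__ == "__main__":
    for f in rank(SCAN_FINDINGS, ASSETS):
        print(f"{contextual_score(f, ASSETS):6.2f}  {f['host']:9}  {f['issue']}")
```

Note how the scanner's "severity 5" banner match on the kiosk drops to the bottom once context is applied, while the confirmed default credentials on the internet-facing evidence portal rise to the top.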

10 VULNERABILITY ASSESSMENT WITH A THIRD PARTY The outsourcing company must follow the FISMA requirements by applying the NIST standards and guidelines. Establish an Information Security Assessment Policy to be followed. Determine the objectives of each security assessment.

11 The consulting firm should be accountable for any damage caused by errors during the exercise. Sign a formal agreement for the vulnerability assessment. Require non-disclosure of information externally.

12 The third party should analyze findings, develop risk mitigation techniques accordingly, and report security incidents (FISMA section 3544(b)(7)). The third party should periodically test and evaluate the security controls and techniques (FISMA section 3544(a)(2)(D)).

13 LEGAL CONSIDERATIONS Third parties are required to meet the same security requirements as federal agencies (FISMA and OMB policy). As part of the contract and the service-level agreements, the consulting firm is required to use the security controls in NIST Special Publication 800-53 and 800-53A.

14 Evaluate potential legal concerns before starting an assessment, especially for assessments that involve intrusive tests such as penetration testing. The Legal Department may review the assessment plan developed by the third party. The Legal Department should address privacy concerns and perform other functions in support of assessment planning (FISMA, section 3542(a)(1)(B)).

15 REFERENCES Snedaker, S. (2007). The Best Damn IT Security Management Book Period. Syngress Publishing. National Institute of Standards and Technology. (2009). Recommended Security Controls for Federal Information Systems and Organizations (NIST Special Publication 800-53, 2009 Edition). Gaithersburg, MD. National Institute of Standards and Technology. (2010). Guide for Applying the Risk Management Framework to Federal Information Systems (NIST Special Publication 800-37, Revision 1). Gaithersburg, MD. National Institute of Standards and Technology. (2010a). Guide for Assessing the Security Controls in Federal Information Systems and Organizations (NIST Special Publication 800-53A). Gaithersburg, MD.

