IT Security – Scanning / Vulnerability Assessment
David Geick, State of Connecticut IT Security
Slide 1: IT Security – Scanning / Vulnerability Assessment
David Geick, State of Connecticut IT Security

Slide 2: IT Security & Risk Management
- “Hence that general is skillful in attack whose opponent does not know what to defend; and he is skillful in defense whose opponent does not know what to attack.” – Sun Tzu
- “What to defend” is both technical and operational
- Risk Management requires, at a minimum, awareness of risk

Slide 3: Why Scan?
- Identify known vulnerabilities in networked devices
- Provide an inventory of networked assets – identify “rogue” devices
- Check for compliance with enterprise standard configurations
- Determine the exposed attack surface

Slide 4: Why Scan? (part II)
- Verizon Data Breach Report 2015: 99.9% of exploited vulnerabilities in 2014 were disclosed and given a CVE number more than a year prior.

Slide 5: Verizon Data Breach Report 2015
- Public sector #1 in security incidents & breaches
- 79,790 security incidents evaluated
- 2,122 data breaches
- 70 contributors, including incident response forensics firms, government agencies, Computer Security Information Response Teams (CIRTs), security vendors, and others.

Slide 6: Council on Cybersecurity “Critical Security Controls”
- CSC 4: Continuous Vulnerability Assessment and Remediation
- Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers
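As an added illustration of the inventory and vulnerability-age checks behind slides 3, 4 and 6 (example code written for this page, not part of the presentation): reconcile a scanner export against an asset inventory to surface rogue devices, and measure how much of the exposure comes from CVEs disclosed more than a year before the scan. The inventory, scan rows, CVE identifiers and dates are all constructed placeholders.

```python
"""Added example: reconcile a vulnerability scan against an asset inventory.
All hosts, findings, CVE ids (placeholders, not real advisories) and dates
below are constructed for illustration."""
from datetime import date, timedelta

# Constructed asset inventory: host -> expected role (hypothetical data).
INVENTORY = {"10.0.0.5": "web", "10.0.0.6": "db", "10.0.0.7": "file"}

# Constructed scanner export rows: (host, finding, CVE id, CVE publish date).
# Findings without a CVE carry None for both CVE fields.
SCAN = [
    ("10.0.0.5", "OpenSSL outdated", "CVE-XXXX-0001", date(2013, 4, 1)),
    ("10.0.0.6", "SMB signing disabled", None, None),
    ("10.0.0.9", "Telnet service", "CVE-XXXX-0002", date(2014, 12, 20)),
    ("10.0.0.5", "TLS weak cipher", "CVE-XXXX-0003", date(2015, 3, 2)),
]
SCAN_DATE = date(2015, 6, 1)  # constructed scan date

def rogue_hosts(scan, inventory):
    """Hosts the scanner saw that are absent from the inventory (slide 3)."""
    return sorted({host for host, *_ in scan if host not in inventory})

def aged_findings(scan, scan_date, max_age_days=365):
    """Findings whose CVE was disclosed more than max_age_days before the scan.
    Slide 4's Verizon figure is about exactly this population."""
    cutoff = scan_date - timedelta(days=max_age_days)
    return [(h, f, c) for h, f, c, pub in scan if pub is not None and pub < cutoff]

def aged_ratio(scan, scan_date):
    """Share of CVE-backed findings that are older than a year at scan time."""
    with_cve = [row for row in scan if row[2] is not None]
    if not with_cve:
        return 0.0
    return len(aged_findings(scan, scan_date)) / len(with_cve)

def report(scan, inventory, scan_date):
    """Summary a scanning program can track over time (CSC 4, slide 6)."""
    return {
        "rogue": rogue_hosts(scan, inventory),
        "aged": aged_findings(scan, scan_date),
        "aged_ratio": aged_ratio(scan, scan_date),
    }

if __name__ == "__main__":
    print(report(SCAN, INVENTORY, SCAN_DATE))
```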

Slide 7: Integrated Systems (figure)
From: “Critical Security Controls for Effective Cyber Defense”, Council on CyberSecurity

Slide 8: Automation
- Incorporate automated remediation / patching with scanning
- Requires configuration baselines and asset inventory
- Provides consistent application of enterprise standard configurations and postures
- Allow for technical contingencies on critical business systems

Slide 9: Compliance Scanning
- Allows scanners to analyze networked assets for compliance with standards such as
  - HIPAA
  - PCI
  - DISA STIGs
- Tenable Nessus – 450 advertised compliance templates

Slide 10: What Else Are You Doing?
- Scanning and patching are critical parts of effective Risk Management
- Monitoring, awareness training, other controls are required
  - 23% of recipients open phishing messages (Verizon 2015)
  - 11% click on attachment (Verizon 2015)
- Lifecycle planning for systems
  - Windows Server 2000 – support ended Jan 2010
  - Windows Server 2003 – support ended Jul 2015

Slide 11: Yogi-isms for Cyber Security
- “If you don't know where you are going, you'll end up someplace else.”
- “You can observe a lot just by watching.” – Yogi Berra
