IT Security – Scanning / Vulnerability Assessment David Geick State of Connecticut IT Security.
Slide 2: IT Security & Risk Management
- “Hence that general is skillful in attack whose opponent does not know what to defend; and he is skillful in defense whose opponent does not know what to attack.” – Sun Tzu
- “What to defend” is both technical and operational.
- Risk management requires, at a minimum, awareness of risk.

Slide 3: Why Scan?
- Identify known vulnerabilities in networked devices.
- Provide an inventory of networked assets – identify “rogue” devices.
- Check for compliance with enterprise standard configurations.
- Determine the exposed attack surface.

Slide 4: Why Scan? (part II)
- Verizon Data Breach Report: % of exploited vulnerabilities in 2014 were disclosed and given a CVE number more than a year prior.
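The two "Why Scan?" slides make a measurable claim: scanning exists to find unknown assets and to surface vulnerabilities whose fixes have been public for a long time. The following added example (written for this transcript, not code from the deck or from the State of Connecticut) shows the triage a defender runs over scan output: it diffs scanned addresses against the asset inventory to flag rogue devices, computes how long each finding's vulnerability has been publicly disclosed, and orders remediation so that findings older than a year go first. The inventory, scan date and findings are constructed, and the `CVE-YYYY-000N` identifiers are placeholders, not real advisories.

```python
"""Triage of constructed vulnerability-scan output (added example, not from the deck)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str          # placeholder identifier, not a real CVE
    published: date   # public disclosure date of the vulnerability
    cvss: float       # base score reported by the scanner


# Date the scan ran (constructed).
SCAN_DATE = date(2015, 6, 1)

# Authoritative asset inventory (constructed). A scanned address missing here is "rogue".
INVENTORY = {"10.0.1.10": "web01", "10.0.1.11": "db01", "10.0.1.12": "app01"}

# Constructed scanner findings; CVE-YYYY-000N are placeholders, not real advisories.
FINDINGS = [
    Finding("10.0.1.10", "CVE-YYYY-0001", date(2013, 3, 1), 9.8),
    Finding("10.0.1.10", "CVE-YYYY-0002", date(2015, 4, 20), 5.3),
    Finding("10.0.1.11", "CVE-YYYY-0003", date(2012, 11, 5), 7.5),
    Finding("10.0.1.99", "CVE-YYYY-0004", date(2014, 1, 15), 8.1),
]


def rogue_hosts(findings=FINDINGS, inventory=INVENTORY):
    """Addresses the scanner saw that the asset inventory does not know about."""
    return sorted({f.host for f in findings} - set(inventory))


def finding_age_days(finding, scan_date=SCAN_DATE):
    """Days between public disclosure and the scan: how long a fix has been available."""
    return (scan_date - finding.published).days


def stale_findings(findings=FINDINGS, scan_date=SCAN_DATE, max_age_days=365):
    """Findings disclosed more than max_age_days before the scan (the 'over a year old' band)."""
    return [f for f in findings if finding_age_days(f, scan_date) > max_age_days]


def stale_share(findings=FINDINGS, scan_date=SCAN_DATE):
    """Fraction of findings that are stale; 0.0 when there are no findings."""
    return len(stale_findings(findings, scan_date)) / len(findings) if findings else 0.0


def triage(findings=FINDINGS, inventory=INVENTORY, scan_date=SCAN_DATE):
    """Remediation order: stale findings first, then by CVSS descending.
    Each row: (host, cve, age_days, cvss, host_in_inventory)."""
    rows = [(f.host, f.cve, finding_age_days(f, scan_date), f.cvss, f.host in inventory)
            for f in findings]
    # False sorts before True, so rows with age > 365 come first; then higher CVSS first.
    rows.sort(key=lambda r: (r[2] <= 365, -r[3]))
    return rows


if __name__ == "__main__":
    print("rogue devices:", rogue_hosts())
    print("share of findings older than a year: %.0f%%" % (100 * stale_share()))
    for row in triage():
        print(row)
```

On this constructed data three of four findings are more than a year old and one scanned address (`10.0.1.99`) is absent from the inventory; the rogue host's finding still gets ranked, because an unknown device with a known vulnerability is exactly what the inventory check is meant to surface.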

Slide 5: Verizon Data Breach Report
- Public sector #1 in security incidents & breaches.
- 79,790 security incidents evaluated.
- 2,122 data breaches.
- 70 contributors, including incident response forensics firms, government agencies, Computer Security Information Response Teams (CIRTs), security vendors, and others.

Slide 6: Council on Cybersecurity “Critical Security Controls”
- CSC 4: Continuous Vulnerability Assessment and Remediation
- Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

Slide 7: Integrated Systems
- Figure from “Critical Security Controls for Effective Cyber Defense”, Council on CyberSecurity (diagram not reproduced in the transcript).

Slide 8: Automation
- Incorporate automated remediation / patching with scanning.
- Requires configuration baselines and asset inventory.
- Provides consistent application of enterprise standard configurations and postures.
- Allow for technical contingencies on critical business systems.

Slide 9: Compliance Scanning
- Allows scanners to analyze networked assets for compliance with standards such as:
  - HIPAA
  - PCI
  - DISA STIGs
- Tenable Nessus – 450 advertised compliance templates.

Slide 10: What Else Are You Doing?
- Scanning and patching are critical parts of effective risk management.
- Monitoring, awareness training, and other controls are required:
  - 23% of recipients open phishing messages (Verizon 2015).
  - 11% click on the attachment (Verizon 2015).
- Lifecycle planning for systems:
  - Windows Server 2000 – support ended Jan 2010.
  - Windows Server 2003 – support ended Jul 2015.
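The Automation, Compliance Scanning and lifecycle-planning slides describe one workflow: compare what an authenticated scan reports for each host against an enterprise baseline, note which hosts run an operating system past vendor support, and let automation apply the baseline everywhere except on critical systems that hold an approved exception. The added example below (written for this transcript; it is not code from the deck, from Tenable, or from any compliance template) implements that workflow over constructed host data. The baseline setting names are hypothetical, the hosts are constructed, and the end-of-support dates are the months stated on the slide, using the first of the month because the slide gives no day.

```python
"""Baseline compliance and lifecycle checks over constructed host data (added example)."""
from datetime import date

# Enterprise standard configuration (constructed; the setting names are hypothetical).
# Boolean settings must match exactly; integer settings are minimums.
BASELINE = {
    "smb1_enabled": False,
    "rdp_nla_required": True,
    "min_password_length": 14,
    "audit_logon_events": True,
}

# End-of-support months from the slide. Only month and year are given there,
# so the first of that month is used as the cut-off.
END_OF_SUPPORT = {
    "Windows Server 2000": date(2010, 1, 1),
    "Windows Server 2003": date(2015, 7, 1),
}

# Assessment date (constructed).
AS_OF = date(2015, 10, 1)

# Constructed inventory: what a scanner would report per host after authenticated checks.
# app01 is missing two settings, modelling a check the scanner could not complete.
HOSTS = [
    {"name": "web01", "os": "Windows Server 2012",
     "config": {"smb1_enabled": False, "rdp_nla_required": True,
                "min_password_length": 14, "audit_logon_events": True}},
    {"name": "db01", "os": "Windows Server 2003",
     "config": {"smb1_enabled": True, "rdp_nla_required": False,
                "min_password_length": 8, "audit_logon_events": True}},
    {"name": "app01", "os": "Windows Server 2008",
     "config": {"smb1_enabled": False, "min_password_length": 12}},
]


def baseline_deviations(config, baseline=BASELINE):
    """Return (setting, expected, actual) for every setting that misses the baseline.
    A setting the scanner could not read (absent key) counts as a deviation."""
    out = []
    for setting, expected in baseline.items():
        actual = config.get(setting)
        # bool is checked before the numeric branch because bool is a subclass of int.
        if isinstance(expected, bool) or actual is None:
            ok = actual == expected
        else:
            ok = actual >= expected
        if not ok:
            out.append((setting, expected, actual))
    return out


def unsupported_os(os_name, as_of=AS_OF, eos=END_OF_SUPPORT):
    """True when vendor support for os_name has ended by as_of.
    Products absent from the table are treated as supported, so keep the table complete."""
    cutoff = eos.get(os_name)
    return cutoff is not None and as_of >= cutoff


def assess(hosts=HOSTS, as_of=AS_OF):
    """Per-host picture: baseline gaps plus lifecycle status."""
    report = {}
    for h in hosts:
        devs = baseline_deviations(h["config"])
        eol = unsupported_os(h["os"], as_of)
        report[h["name"]] = {"deviations": devs, "unsupported_os": eol,
                             "compliant": not devs and not eol}
    return report


def remediation_plan(report, exceptions=frozenset()):
    """Map each non-compliant host to an action. Hosts with an approved exception
    (critical business systems that need a manual change window) go to review instead
    of automated remediation; an unsupported OS cannot be patched into compliance."""
    plan = {}
    for host, r in report.items():
        if r["compliant"]:
            continue
        if host in exceptions:
            plan[host] = "manual-review"
        elif r["unsupported_os"]:
            plan[host] = "replace-or-isolate"
        else:
            plan[host] = "auto-apply-baseline"
    return plan


if __name__ == "__main__":
    rep = assess()
    for host, r in rep.items():
        print(host, r)
    print(remediation_plan(rep, exceptions={"db01"}))
```

Treating an unreadable setting as a deviation rather than a pass is deliberate: a check the scanner could not complete says nothing about the host's posture, and silently passing it would hide exactly the gaps a compliance scan is run to find.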

Slide 11: Yogi-isms for Cyber Security
- “If you don't know where you are going, you'll end up someplace else.”
- “You can observe a lot just by watching.” – Yogi Berra