
VULNERABILITY MANAGEMENT

Darryle Justin M. Caparas


WHOAMI

• Bachelor of Science in Information Technology Degree Holder
• Holder of several information security related certifications
• More than 5 years of experience in Information Security
• Information System Analyst of CERT-PH under the Digital Forensic Section
• Highly experienced in the conduct of vulnerability assessment and penetration testing
• Cybersecurity Advocate in the PHCYBERUNITS


TOPICS TO BE COVERED

▪ Basic Computer Networking
▪ Vulnerability, Threat, and Risk
▪ Vulnerability Management
▪ Inventory of Asset
▪ Identify Asset Vulnerability
▪ Analyze Detected Vulnerabilities
▪ Fix Detected Vulnerability
▪ Cyber Kill Chain


Network Communication

What do you need to receive information?
• An interface to the information system
• An address in the information system
Network Interface Card / Device

• A NIC connects the device (computer) to a network.
• All NICs require a unique hardware address number called a media access control (MAC) address, e.g. 00-16-74-3F-C2-56
• The MAC address allows multiple network devices to remain unique on networks.
Media Access Control (MAC) Address

• Example MAC address: 00-21-BC-4F-A5-CE

• Consists of six pairs of hexadecimal digits (48 bits)

• Hexadecimal values: 0-9, A-F

• First three hex pairs = vendor; next three hex pairs = ID for the card

• Vendor = 00-21-BC; Unique ID for card 4F-A5-CE

• Designed to be a unique number – duplicates rare

• Configured to the card by the vendor / manufacturer


View the MAC Address via Windows

• Start a command prompt (Start…Run…CMD).

• Type: ipconfig /all (don’t forget the space)

• Look for the Physical Address (the MAC address).
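As an added example that is not part of the original slides, the Python below reads the `Physical Address` lines from `ipconfig /all` output (a constructed sample, not a real capture) and splits each MAC into the vendor prefix and card ID described above. It also checks the two flag bits of the first octet, because a locally administered address (as used by randomized Wi-Fi MACs) carries no meaningful vendor prefix.

```python
import re

# Constructed sample of `ipconfig /all` output (not a real capture).
SAMPLE_IPCONFIG = """
Ethernet adapter Ethernet:
   Description . . . . . . . . . . . : Example Ethernet Controller
   Physical Address. . . . . . . . . : 00-21-BC-4F-A5-CE
Wireless LAN adapter Wi-Fi:
   Physical Address. . . . . . . . . : 12-34-56-78-9A-BC
"""

# Six hex pairs separated by '-' (Windows style) or ':' (Unix style).
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$")


def is_valid_mac(mac):
    """True if the string is a well-formed 48-bit MAC address."""
    return bool(MAC_RE.match(mac))


def parse_mac(mac):
    """Split a MAC into vendor OUI (first three pairs) and card ID
    (last three pairs), normalised to the Windows display form.

    The first octet carries two flag bits: bit 0 is I/G (set for
    multicast) and bit 1 is U/L (set for locally administered
    addresses, for which an OUI vendor lookup is meaningless)."""
    if not is_valid_mac(mac):
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    octets = [int(p, 16) for p in re.split("[-:]", mac)]
    first = octets[0]
    return {
        "address": "-".join("%02X" % o for o in octets),
        "vendor_oui": "-".join("%02X" % o for o in octets[:3]),
        "device_id": "-".join("%02X" % o for o in octets[3:]),
        "multicast": bool(first & 0x01),
        "locally_administered": bool(first & 0x02),
    }


def physical_addresses(ipconfig_output):
    """Parse every 'Physical Address' line in ipconfig /all output."""
    found = []
    for line in ipconfig_output.splitlines():
        if line.strip().startswith("Physical Address"):
            found.append(parse_mac(line.split(":", 1)[1].strip()))
    return found


if __name__ == "__main__":
    for entry in physical_addresses(SAMPLE_IPCONFIG):
        print(entry)
```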


Routers

• Devices that connect networks
• Connects the local area network (LAN) to the Internet or to other internal or external networks
• Has at least two ports – one on the LAN side and one on the other network side (often called the wide area network [WAN])

[Diagram: Router A and Router B, each with a switch and hosts behind it, connected through the INTERNET]
Routing on the Internet

[Diagram: packet with Originating Address 144.217.166.26 and Destination Address 112.53.112.38]

Network Address Translation (NAT)

[Diagram: packet with Destination Address 112.53.112.38, delivered to "Your Computer" (192.168.1.20) behind the NAT router]

Network Address Translation (NAT)

[Figure: Sample Network Address Translation Table]
Common Ports

• FTP (21)
• SSH (22)
• Telnet (23)
• SMTP (25)
• DNS (53)
• HTTP (80)
• HTTPS (443)
• SMB (445)


What is Vulnerability?

• Weakness of a system

• Inherent in complex systems; they will always be present

• Results from poor coding practice

• Gateway for threats to manifest

• Could be known or unknown (0-day)


What is Threat?

• Potential danger to an asset
• Danger can be thought of as anything that would negatively affect the confidentiality, integrity, or availability of your systems or services
THREE ELEMENTS OF RISK: THREATS, IMPACT, PROBABILITY

• Man-made Threats
  – Internal
  – External
EXTERNAL VS. INTERNAL THREATS

• The fundamental difference between an external and internal threat is the identity of the attacker
• INSIDERS vs INVADERS
• External threats, or invaders, act from outside the company and must overcome your exterior defenses
• Internal threats, or insiders, work within the company and can thus bypass exterior defenses
THREE ELEMENTS OF RISK: THREATS, IMPACT, PROBABILITY

• Technical Threats
  – Hardware Failure
  – Software Failure
  – Network Failure

THREE ELEMENTS OF RISK: THREATS, IMPACT, PROBABILITY

• Impact – Measure of Damage
  5. Major
  4. Serious
  3. Moderate
  2. Minor
  1. Negligible

THREE ELEMENTS OF RISK: THREATS, IMPACT, PROBABILITY

• Probability – Likelihood
  5. Probable
  4. Likely
  3. Possible
  2. Unlikely
  1. Very unlikely
Vulnerability Management

Security practice specifically designed to proactively mitigate or prevent the exploitation of IT vulnerabilities which exist in a system or organization.
PROCEDURES IN HANDLING VULNERABILITY

1. Inventory of Both Hardware and Software
2. Identify Asset Vulnerability
3. Analyze Detected Vulnerabilities
4. Fix Detected Vulnerability
5. Repeat All Steps Regularly


IT Asset Management
Procedures in Handling Vulnerability

• Create a full IT inventory to gain visibility into all the IT assets that exist in
the organizational IT landscape – network, data center, remote sites, user
workstations, etc.
• Not all IT assets are created equal. Determine what constitutes a critical
asset. It may be a specific type of hardware. It may be certain software
titles.
• In terms of software audits, a key thing to keep in mind is to know what
you are entitled to have deployed. More often than not, organizations fall
short in their software audits for failing to do so.

DICT Cybersecurity | CERT-PH


Identify Asset Vulnerability
Procedures in Handling Vulnerability

• Monitor the regular release of Common Vulnerabilities and Exposures (CVE) entries
• Conduct vulnerability scanning on your assets
• Vulnerability Scanning
  • Scanning of services running on each host and server
  • Enumeration of services
  • Checking for system misconfiguration
Analyze Detected Vulnerabilities
Procedures in Handling Vulnerability

• Identify Impact of Vulnerability
• How long will it take to fix
• Common Vulnerability Scoring System



Common Vulnerability Scoring System
Analyze Detected Vulnerabilities

• Attack Vector
  • Network, Adjacent, Local, Physical
• Attack Complexity
  • Low, High
• Privileges Required
  • None, Low, High
• User Interaction
  • None, Required



Common Vulnerability Scoring System
Analyze Detected Vulnerabilities

• Scope
• Unchanged, Changed
• Confidentiality
• None, Low, High
• Availability
• None, Low, High
• Integrity
• None, Low, High



Fix Detected Vulnerability
Procedures in Handling Vulnerability

• Fix based on prioritization
• Fix based on severity
• Fix based on capacity
• Application of a temporary configuration to fix



Repeat All Steps Regularly
Procedures in Handling Vulnerability

• Monthly
• Quarterly
• Semestral
• Annual
Cyber Kill-Chain

• A commonly used model in cyber-security.
• Describes the main stages of a cyber attack.
• Created by Lockheed Martin.


Cyber Kill-Chain
• Information gathering or acquiring
intelligence.

– Example:
➢ IP Address
➢ Domains
➢ Open ports
➢ Plugins and services
Cyber Kill-Chain
• Preparing the malware and hacking tools for the attack

– Example:
➢ Known malware
➢ Customized malware
➢ 0-day
Cyber Kill-Chain
• Delivering the first stage of the malware to one of the victim’s endpoints / servers

– Example:
➢ File attachment on email
➢ External devices
➢ Malicious website
Cyber Kill-Chain
• The action of making use of and benefiting from vulnerabilities.

– Example:
➢ Exploiting legacy systems.
➢ Exploiting old versions of software.
Cyber Kill-Chain

• Other stages of the malware are deployed on the endpoint
• Installation of a backdoor
• The malware prepares itself to be ready to take orders
Cyber Kill-Chain
• The malware communicates with its Command & Control server
• The communication is stealthy, as it is blended into the organization’s network traffic.
Cyber Kill-Chain

• Intruder takes action to achieve their goals, such as data exfiltration, data destruction, or encryption for ransom
Thank you!

EMAIL: cert-ph@dict.gov.ph
PHONE: 632-2-8-920-0101 loc. 2378
MAILING ADDRESS: 49 Don A. Roces Ave., Brgy. Paligsahan, Diliman, Quezon City
