Vulnerability Management: Your Company Name
01. Introduction
› Overview
› Need for Vulnerability Management
› Vulnerability Management Model
› Vulnerability Management Levels
Overview
› Vulnerabilities may exist on network devices, servers, PCs, mobile devices, applications, or any other elements connected to the network.
› A typical organization’s network has many vulnerabilities per device or system. Therefore, even a small organization may have tens of thousands of vulnerabilities.
› Vulnerability Management is the term used for the process of finding, analyzing, and remediating vulnerabilities before they can be exploited by malware or a human attacker.
› Implementing a vulnerability management program is a best practice recommendation and part of multiple compliance requirements, including the PCI DSS.
› Vulnerability management is a standard process in most security organizations and part of the CISO’s defined responsibilities to understand and lower overall risk and improve security by reducing the attack surface.
› Continuous monitoring mandates require that the vulnerability management process be executed as often as major changes in the threat landscape and the IT environment are made.
Vulnerability Management Model (maturity stages, from least to most mature; each stage lists its scanning approach and its Measurement)
Blissful Ignorance
› No Vulnerability Scanning Solution in Place: Manual Vulnerability Assessments. Measurement: Little Measurability, No Metrics.
› Vulnerability Assessment: Ad-Hoc Vulnerability Scanning. Measurement: Emerging Metrics.
Awareness & Early Maturity
› Driven by Regulatory Framework: Scheduled Vulnerability Scanning. Measurement: Basic Metrics.
› Attacker & Threat Focused: Scan Data Prioritized Through Analytics. Measurement: Busy Metrics & Trends.
Business Risk & Context
› Risk Focused: Multiple threat vectors scanned & prioritized. Measurement: Threat Driven Metrics & Trends.
› Threat & risk aligned with business goals: All threat vectors scanned & prioritized. Measurement: Metrics integrated to enterprise risk management.
Vulnerability Management Levels (scale from VULNERABLE TO A BREACH at the bottom to OPTIMAL SECURITY at the top)
› Level 03, Proactive Execution: Organizations operating at this level of vulnerability management have learned hard lessons from the previous level where they struggled in making progress in remediating the very large set of findings identified by vulnerability scanning.
› Level 01, Primitive Operations: Organizations operating at this level of vulnerability management have at least set a goal which has motivated the evolution into this level.
› Level 00, Importance Acknowledged: Organizations operating at this level of vulnerability management have no risk policy or threshold set & have limited commitment to the process from upper level management.
In this activity, the organization is primarily focused on documenting all possible candidates for assessment.
› Resource constraints will impact the assessment and monitoring that the organization will be able to accomplish, which will be determined in later steps.
› Stakeholders should be solicited for their input concerning their critical services and areas of concern.
The operational environment defines the types of exposure experienced by assets being monitored. The environment should be defined by those exposures to the threats of greatest concern.
› Detail both cyber and non-cyber vulnerabilities.
• Can the asset be affected by physical or cyber threats?
• Will those threats affect the asset’s function or role in cyber resilience?
› Obtain stakeholder input concerning vulnerabilities in the operational environment of their services and assets.
• Are all stakeholder assets and services represented?
• Define the criticality of stakeholder assets and services.
› Stakeholders include the people identified as having a role in authorization & also senior managers & executives of the units where the assets reside.
› They must understand and agree to the need for remediation and the associated time frames for the corrective actions. These actions may cause disruptions to the normal business operation of their unit.
› Effects on operations must be understood, and stakeholders must be given the opportunity to address their concerns.
Determine a Budget
Define how vulnerabilities should be documented
Ideally, all discovered vulnerabilities should be placed into a central repository. This will facilitate the tracking of remediation efforts and provide information of historical relevance. Additionally, the information may be used as part of measuring effectiveness.
Train Practitioners
This training focuses on educating the personnel responsible for vulnerability management on the organization’s methods and tools. This could include
› How to use the approved tools
› Procedures for vulnerability management, including how they are tracked, time frames for remediation, and others
› Roles and Responsibilities
Identify Candidate Tools
› Research what tools or services can be used to meet the needs of each methodology.
Test Tools
› Evaluate each of the candidate tools or services to determine if they are appropriate for the environment. A key fact to determine is whether the tool fulfills all needs, or another tool is needed to fill the gaps.
Publish Authorized Tool List
› The finalized list of tools should be published so that anyone within the organization can ascertain what tools they are allowed to use.
Define the Exception Process
› Changing situations may necessitate the use of a new tool to meet a critical need such as validating a new vulnerability or assisting in incident response. The organization should define a process to authorize the use of a new tool for a period of time.
Conduct Periodic Reviews
› Review the tools periodically to determine if they are still meeting the needs of the organization. Likewise, review new tools and services, which may provide a better solution than an existing tool.
Source Information
Identify Sources of Vulnerability Information
With the list of unique assets to be monitored in hand, the organization must identify the sources of vulnerability information for each asset. The table identifies some potential sources, and an internet search for vulnerability information about a particular item may reveal others.
› Vendors: Vendors, & technology vendors in particular, often provide advisories along with patches for security vulnerabilities.
› Mailing Lists: Lists such as Bugtraq & Full Disclosure provide vulnerability information about a wide range of products, though, as a result, the email volume is quite heavy.
› Department of Homeland Security (DHS): US-CERT & ICS-CERT provide security advisories for IT assets. DHS also provides onsite facility inspections through their regional PSA (Protective Security Advisor) program.
› Information Sharing & Analysis Centers (ISACs): There are various ISACs that focus on particular sectors & provide their members various services such as advisories & threat warnings tailored per sector.
› User Groups: User groups for a particular product can also provide information about threats & vulnerabilities in that product. User groups typically communicate through a mailing list & may not always contain security relevant information. However, it is likely that someone may be monitoring the list for support reasons, see a security advisory, & bring it to the vulnerability management team’s attention.
Monitoring Roles
These personnel are responsible for monitoring the various sources of vulnerability information and taking the appropriate action. Monitoring roles should be assigned to those who
› Analyze the relevance of vulnerabilities to the organization
› Log the vulnerability information into the vulnerability repository
› Alert the Remediation Team
Remediation Roles
Personnel from different parts of the organization may have responsibilities such as
› Analyze the impact of patches on the organization
› Develop in-house workarounds to the vulnerability if none are available
› Gain authorization to make the changes, possibly through change management (see the configuration and change management resource guide, volume 3 of this series)
› Invoke the risk management process if the vulnerability needs to remain open past defined thresholds
Authorization Roles
Personnel in this role are responsible for understanding their environments and must review the corrective actions to determine if there may be any adverse effects. They are part of the change management process and act accordingly.
Provide Training
The organization must ensure the personnel executing the process are fully trained on the process itself as well as the planned tasks. Personnel should possess the skills to appropriately execute the tasks defined.
Log the Vulnerability into the Repository
› To ensure that the vulnerability is tracked to closure, it should be logged into a repository. Some fields that the organization may want to record in the repository are
• Discovery Date and Time
• Affected Assets
• Priority
• Categorization
Assure Access Control of the Repository
› Remember that this information is highly sensitive: it is basically a road map of the organization’s exposures. Treat this information appropriately. Limit access to the repository to those who have a need to know this information: primarily the vulnerability management team and its management but possibly personnel from the risk management team as well.
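As an added example (not part of the original deck), a minimal Python sketch of such a repository: the fields listed above, a need-to-know read gate, and a check for open findings that have passed their remediation time frame and therefore need the risk management process from the roles section. The role names and the time frames per priority are assumptions, and the sample findings are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Remediation time frames per priority: assumed values for this example; the
# page only says the organization must define its own thresholds.
REMEDIATION_TIME_FRAME = {"critical": timedelta(days=7), "high": timedelta(days=30),
                          "medium": timedelta(days=90), "low": timedelta(days=180)}
# Need to know: vulnerability management team, its management, risk management
# team. Role names are assumptions.
READ_ROLES = {"vuln-mgmt", "vuln-mgmt-management", "risk-mgmt"}

@dataclass
class VulnRecord:
    vuln_id: str
    discovered: datetime    # Discovery Date and Time
    affected_assets: list   # Affected Assets
    priority: str           # Priority (a key of REMEDIATION_TIME_FRAME)
    category: str           # Categorization
    status: str = "open"    # open | remediated | risk-accepted

class VulnRepository:
    def __init__(self):
        self._records = {}

    def log(self, rec):
        # Record the finding so it is tracked to closure; reject unknown priorities.
        if rec.priority not in REMEDIATION_TIME_FRAME:
            raise ValueError(f"unknown priority: {rec.priority}")
        self._records[rec.vuln_id] = rec

    def can_read(self, role):
        return role in READ_ROLES

    def overdue(self, role, now):
        """Open records past their remediation time frame: the ones to raise
        with the risk management process. Reading is limited by role."""
        if not self.can_read(role):
            raise PermissionError(f"role {role!r} has no need to know")
        return [r for r in self._records.values() if r.status == "open"
                and now - r.discovered > REMEDIATION_TIME_FRAME[r.priority]]

def build_example():
    """Constructed sample findings, not real data."""
    repo = VulnRepository()
    repo.log(VulnRecord("VM-0001", datetime(2024, 3, 1, 9, 0), ["web-01"], "critical", "missing patch"))
    repo.log(VulnRecord("VM-0002", datetime(2024, 3, 20, 14, 0), ["db-02"], "high", "weak configuration"))
    repo.log(VulnRecord("VM-0003", datetime(2023, 12, 1, 8, 0), ["hr-app"], "medium", "missing patch", "remediated"))
    repo.log(VulnRecord("VM-0004", datetime(2024, 1, 1, 8, 0), ["kiosk-07"], "low", "physical exposure"))
    return repo

def overdue_ids(repo, role, now_iso):
    # Sorted IDs of overdue open findings as of an ISO-8601 timestamp.
    return sorted(r.vuln_id for r in repo.overdue(role, datetime.fromisoformat(now_iso)))
```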
Determine Responsibility
› The vulnerability management team may discover the vulnerabilities but is generally not responsible for their mitigation or resolution.
› Appropriate disposition of the vulnerabilities requires coordination with the stakeholders for prioritization and planning.
Prioritize
› When prioritizing vulnerabilities, the vulnerability team must coordinate with the risk management team. In some organizations, the vulnerability and risk management teams may be composed of the same personnel.
It is important to understand whether or not the risk of the vulnerability has been either lessened or removed. Depending on how the vulnerability was discovered, the organization may be able to repeat the discovery method to validate the disposition of the vulnerability.
Improvement is the act of rectifying the deficiencies found during the analysis of the process.
› An appropriately defined process achieves the desired goals efficiently and effectively. The organization will have defined its desired effectiveness during the planning process.
› How much the organization invests in this part of the process depends on how much information it needs to improve.
› In a more mature process, the changes are subtle and require a more mature improvement process to make the appropriate measurements and relate them to the more subtle improvements.