[00:00:00] Vulnerability management. A vulnerability assessment seeks to identify issues in a network, application, database, or other IT systems prior to it being inadvertently or purposely used to compromise a system. Vulnerability assessments are a formalized process that define, identify, and classify the security holes in an enterprise network architecture. It's also used to forecast the effectiveness of proposed countermeasures as part of your overall risk analysis process. Now once these countermeasures are put in place, a follow-up vulnerability assessment can help you to determine how effective your countermeasures truly are in protecting that network from attack. The management and oversight of this process is known as vulnerability management. Vulnerability management is the practice of finding and mitigating the vulnerabilities in your computers and your networks. This is a very cyclical process.
[00:00:49] Sometimes you'll hear this referred to as scan, patch, scan, because you need to scan the network for vulnerabilities to identify them, then you're going to prioritize all these vulnerabilities, you're going to fix them and patch them, and then you're going to scan again, and you're going to keep doing this until hopefully one day you have no vulnerabilities left. Good luck with that. It's never going to happen, but that's the idea. Now when you develop this process within your organization, you have to figure out what the goal of your vulnerability assessment is going to be, because this is going to help you design a specific type of vulnerability assessment that you're going to utilize and help you scope the overall assessment. There are three main questions that you need to think about before you're going to design a vulnerability assessment. First, what is the value of the information that could be discovered through the system compromise? Second, what is the specific threat that your system is facing? And third, what mitigation strategies could be deployed to address the issues that are found?
[00:01:40] Let's consider the first question. What is the value of information that could be discovered through a compromise of the system? This is going to help me decide how much resources and what kind of resources I'm going to allocate to identifying and fixing possible issues. Let me give you a couple of examples. If you're Coca-Cola and you have a certain file server in your network that contains your proprietary formula for the best soft drink ever made, you'd want to dedicate a lot of resources to protecting that server. Now if you had another server that had all of your public affairs, things like your commercials for the past 10 years, you might not care about protecting that nearly as much, because those are already out in the public domain. Next let's consider the question of the specific threats that are applicable to your system. Each type of computer is vulnerable to different attacks. A Linux web server running Apache has different vulnerabilities on it than a Microsoft Windows-based web server running Internet Information Services.
[00:02:32] Both of these servers have very different vulnerabilities than a Cisco router or switch. As you can see here, the differences in their operating system, configurations, and operational use case is going to make them prone to different vulnerabilities, and different threats are going to attack them. Now the final question is what mitigation strategies or security controls could we deploy to address the issues that we find? Well, let's look at another example. If you decide to perform a vulnerability scan of every client on the network and you found the same vulnerability on every single client, what mitigation strategy could you use to fix it? If it was me, I'd probably want to make sure that my patch server is working correctly, and I'd want to make sure that I'm pushing out a patch to every client from this centralized patch server to make sure that everyone gets the updated security fix. Now what if there's no patch available yet? Well, then we have to look at the exploit that the vulnerability is going after.
[00:03:22] Let's say that this vulnerability was being exploited because somebody is going over port 445. What's that port again? That's right. It's the SMB service for file sharing. Well, you could then mitigate this by blocking that port at your network boundary's firewall as a compensating control. It's still going to have a vulnerability for people inside, but you're going to stop the attackers from the outside of getting in. That's the idea here as you start figuring out how you're going to solve your vulnerabilities. Now the point is you're going to have many different choices for mitigation, but your strategy is going to help you determine how you're going to solve these problems, because you only have different things. If I'm more worried about inside threat, stopping it at the network firewall isn't going to help, but if I'm worried about outside threats, it would. So by answering these three questions, you're going to be able to better scope your vulnerability assessments to be more targeted and better address the issues you identify during your vulnerability assessments.
[00:04:12] So how is a vulnerability assessment even conducted? Well, most commonly, a vulnerability management program will be used inside of an organization, and they'll choose what software you're going to use. Generally, the software will be centrally managed and perform these vulnerability assessments and scans. Common choices for scanning include things like Nessus, QualysGuard, and AlienVault software. Luckily though, you don't have to be familiar with any of these tools in detail for the Security+ exam. Now when you use these programs, analysts are able to scan the network based on the scope, and they can determine the priority they're going to use when they find issues, such as missing patches and misconfigurations. These are then reported up through the organizational process to your system administrators, who will then patch and reconfigure them. Once these are corrected by the system admins, you then want to go back and re-scan the network to determine if the issue was really resolved. Did that security patch really patch the vulnerability you thought it was going to?
[00:05:05] It's important to note that vulnerability assessments are just a snapshot in time. For example, if I scan today and a new vulnerability is discovered tomorrow, then I'm not protected against it; I never looked for it. So if your organization is doing a monthly scan and a patch cycle that way, your network may have an issue that you're not even aware of for up to an entire month until the next scan. And if the issue is identified and the system administrator installed the patch improperly, it could take you another month before it's discovered in the next periodic scan. So determining how frequently you want to do these scans is really important to your security. Now to summarize the vulnerability management process in just five steps, here are the basic concepts you need to know. Step one, define the desired state of security. Your organization should determine exactly how safe it wants to be, and that determines how much money, time, and resources are going to be dedicated to the vulnerability management program.
[00:05:57] After all, you're not going to be able to stop every threat, and you can't protect yourself from everything equally. Step two, create a baseline. You need to understand what normal is and what the current state of your systems is. Back in step one, we're going to determine where we want to be, what our goal is. Here in step two, we need to determine where we currently are in terms of security. This brings us to step three, prioritize the vulnerabilities. You might run your first scan of the network and find 150 different issues. If you're the only security analyst, which one should you fix first? Well, this is why it's important to prioritize your strategy. I recommend fixing servers first over workstations, and more critical issues like a remote code execution over a more trivial vulnerability like an ability to conduct a null session connection. This is because servers hold lots of critical information, and critical vulnerabilities should always be addressed before lower risk items. Step four, you want to mitigate vulnerabilities.
[00:06:53] This is where you're actually going to install all those different controls, install those patches, do your configuration changes to make your systems more secure. In step three, we prioritize; in step four, we actually put those things into place. And that brings us to step five, monitor the network and systems and conduct future scans. You now have a bunch of issues, and you hopefully fixed or mitigated all of those issues, and now we want to watch and ensure nothing bad happens. Or maybe some of those things are going to take months to fix because you need more money to buy a new server or a new operating system. If that's the case, you need to monitor those servers until you get them patched and fixed. Your job is not done with just scanning. You need to scan and follow through, and then start scanning again. Remember, scan, patch, scan, over and over and over again. Our work is never done, because new vulnerabilities are discovered every single day.
[00:07:43] The good news about that is it means you're going to have great job security, because we always are going to have a job for people doing vulnerability assessment. (electronic music)