Download D1S1_TSV404_Course_Intro_2011_v1

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
Document related concepts

Cyber-security regulation wikipedia , lookup

Mobile security wikipedia , lookup

Cross-site scripting wikipedia , lookup

Computer security wikipedia , lookup

Information security wikipedia , lookup

IT risk management wikipedia , lookup

Transcript 
Findings
Vulnerability Assessment Course
All materials are licensed under a Creative
Commons “Share Alike” license.
■ http://creativecommons.org/licenses/by-sa/3.0/
2
Agenda
■ Developing the perfect finding
■ Describing the Finding
■ Describing the Impact of the Vulnerability
■ Providing Actionable Recommendations
■ Characterizing the Finding
3
The Perfect Finding
■ Several different formats
■ All typically provide three essential elements
– Description
– Impact
– Recommendation
■ Optional characterizations
– Risk Level
– Ease of Fix
– Level of Effort
■ Other Information
4
Description
■ The observation
■ Describe the vulnerability, mis-configuration, or compliance
issue that was observed
■ How was the observation made?
– Analysis of script output
– Results of automated scanning
– Manipulation of parameters
■ Affected systems
■ Provide enough information that the finding can be
duplicated or retested
5
Impact
■ Provide enough information to define the risk to the system
or its components if the vulnerability is exploited
■ Address important information security concerns
– Confidentiality
– Integrity
– Availability
■ Dependency on other conditions
■ Transitive risk
■ Describe the negative affect if the finding is left uncorrected
6
Recommendation
■ Provide detailed actionable remediation
■ Eradication versus Mitigation
■ Provide alternatives if they are available
■ Only the System Approving Authority can accept risk
7
Characterizations
Characterizations provide a means for prioritization,
grouping, and management
■ Risk Level (or Severity Code)
■ Ease of Fix
■ Estimated Work Effort
■ Other useful descriptors and tags
8
Risk Level – Federal Civil Agencies
The Risk Level is, in actuality, an assessment of the priority
with which each Business Risk shall be viewed
The Risk Level takes into account many factors including
information at risk, ease of exploitation, exposure level of the
vulnerability, and other situational factors
■ High
■ Moderate
■ Low
9
High Risk Level
■ Exploitation of the technical or procedural vulnerability will
cause substantial harm
■ Significant political, financial, and/or legal damage is likely
to result
■ The threat exposure is high, thereby increasing the
likelihood of occurrence
■ Security controls are not effectively implemented to reduce
the severity of impact if the vulnerability was exploited
■ Vulnerabilities that allow an attacker immediate access into
a machine, allow privileged access, or bypass a firewall
■ Vulnerabilities that provide information that has a high
potential of giving access to an intruder
10
Moderate Risk Level
■ Exploitation of the technical or procedural vulnerability will
significantly impact the confidentiality, integrity, and/or
availability of the system, application, or data
■ Exploitation of the vulnerability may cause moderate
financial loss or public embarrassment
■ The threat exposure is moderate-to-high, thereby increasing
the likelihood of occurrence
■ Security controls are in place to contain the severity of
impact if the vulnerability were exploited, such that further
political, financial, or legal damage will not occur
■ Vulnerabilities that provide information that potentially
could lead to compromise
■ The vulnerability is such that it would otherwise be
considered High Risk, but the threat exposure is so limited
that the likelihood of occurrence is minimal
11
Low Risk Level
■ Exploitation of the technical or procedural vulnerability will
cause minimal impact to operations
■ The Confidentiality, Integrity and Availability (CIA) of
sensitive information are not at risk of compromise
■ Exploitation of the vulnerability may cause slight financial
loss or public embarrassment
■ The threat exposure is moderate-to-low
■ Security controls are in place to contain the severity of
impact if the vulnerability were exploited, such that further
political, financial, or legal damage will not occur
■ Vulnerabilities, when resolved, will prevent the possibility of
degraded security
■ The vulnerability is such that it would otherwise be
considered Moderate Risk, but the threat exposure is so
limited that the likelihood of occurrence is minimal
12
Ease of Fix
The Ease of Fix value is an assessment of how difficult or
easy it will be to complete reasonable and appropriate
corrective actions required to close or reduce the impact of
the vulnerability
■ Easy
■ Moderately Difficult
■ Very Difficult
■ No Known Fix
13
Estimated Work Effort
The Estimated Work Effort value is an assessment of the
extent of resources required to complete reasonable and
appropriate corrective actions
■ Minimal
■ Moderate
■ Substantial
■ Unknown
14
Other Information
■ Security Reference
■ Source of the finding
■ Numbering scheme
■ Status
15
Questions
16
Related documents
Assessing vulnerability to climate change in South East Europe
Assessing vulnerability to climate change in South East Europe
This Article argues that intellectual property law stifles critical
This Article argues that intellectual property law stifles critical
GHG Inventory review - E-Learning Module
GHG Inventory review - E-Learning Module
Climate Change and Health A Framework for Discussion
Climate Change and Health A Framework for Discussion
Acronyms abbreviations
Acronyms abbreviations
Document 8513629
Document 8513629
Findings and Recommendations
Findings and Recommendations
us-16-Price-Building-a-Product-Security-Incident
us-16-Price-Building-a-Product-Security-Incident
South Africa
South Africa
Cybersecurity of Medical Devices
Cybersecurity of Medical Devices