وبلاگ بلیان

Asset Attack Vectors : Building Effective Vulnerability Management Strategies to Protect Organizations

جلد کتاب Asset Attack Vectors : Building Effective Vulnerability Management Strategies to Protect Organizations

معرفی کتاب «Asset Attack Vectors : Building Effective Vulnerability Management Strategies to Protect Organizations» نوشتهٔ Morey J. Haber, Brad Hibbert، منتشرشده توسط نشر Apress در سال 2018. این کتاب در فرمت pdf، زبان انگلیسی ارائه شده است.

Building effective defenses for your assets is a dark art. Mark my words; it is so much more than any regulation, standard, or policy. After 20 years in the information technology and security industry, it is easy to say implement a vulnerability management program. It is easy to say patch your operating systems and applications. Compliancy standards from PCI, HIPAA, ASD, and others all say do it. They tell you how you should measure risk and when you must comply with getting systems patched. In reality, it is difficult as hell to do. No one technology works, and no one vendor has a solution to cover the enterprise and all of the platforms and applications installed. It’s a difficult task when you consider you need to build an effective strategy to protect assets, applications, and data. Vulnerability management is more than just running a scan, too. It is a fundamental concept in building your strategy and the regulations tell you, you must do it, but not how you can actually get it done. What problems, pitfalls, and political pushback you may encounter stymies most teams. Yes, there are team members that will actually resist doing the right thing from vulnerability assessment scanning to deploying patches. We have seen it many times, all over the world. It is a cyber security issue and it is not naivety either. It is a simple fear of what you might discover, what it will take to fix it, what will break if you do, and the resistance to change. All human traits. Protecting your assets is fundamental security hygiene. In a modern enterprise, everything connected to the network from router, to printer, and camera is a target. This is above and beyond traditional servers, desktops, and applications. If it communicates on a LAN, WAN, or even PAN, it can be targeted. If it’s wired or wireless, a threat actor does not care xxii either; it can be leveraged. Knowing if it’s brand new versus end of life and no longer receiving patches helps evaluate the risk surface, but not even knowing what’s on your network makes it near impossible to prioritize and take effective action. This is completely outside of modern threats that are still your responsibility in the cloud and on mobile devices including BYOD. While I have painted a picture of doom and gloom, the reality is that you are still responsible for protecting these resources. Being on the front page of the newspaper is not an option. The regulations, contracts, and security best practices clearly highlight the need to do it. This book is dedicated to this dark art. How do you actually create an asset protection strategy through vulnerability management (and a lesser degree patch management) and accomplish these goals? We will explore years of experience, mistakes, threat analysis, risk measurement, and the regulations themselves to build an effective vulnerability management program that actually works. In addition, we will cover guidance on how to create a vulnerability management policy that has real-world service- level agreements that a business can actually implement. The primary goal is to rise above the threats and make something actually work, and work well, that team members can live with. Vulnerability management needs to be more than a check box for compliance. It should be a foundation block for cyber security within your organization. Together, we can figure out how to get there and how to improve even what you are doing today. After all, without self-improvement in cyber security, we will be doomed to another breach. Threat actors will always target the lowest hanging fruit. An unpatched resource is an easy target. Our goal is to make it as difficult as possible for an intruder to hack into our environment. If somebody has to be on the front page of the newspaper due to a breach, we would rather it be someone else’s name and business, not ours. —Morey J. Haber Table of Contents 5 About the Authors 15 About the Technical Reviewer 17 Acknowledgments 18 Preface 19 Introduction 21 Chapter 1: The Attack Chain 36 Chapter 2: The Vulnerability Landscape 39 Vulnerabilities 39 Configurations 43 Exploits 44 False Positives 45 False Negatives 46 Malware 47 Social Engineering 48 Phishing 53 Curiosity Killed the Cat 53 Nothing Bad Will Happen 54 Did You Know They Removed Gullible from the Dictionary? 55 It Can’t Happen to Me 56 How to Determine if Your Email Is a Phishing Attack 56 Ransomware 58 Insider Threats 60 External Threats 65 Vulnerability Disclosure 67 Chapter 3: Threat Intelligence 72 Chapter 4: Credential Asset Risks 78 Chapter 5: Vulnerability Assessment 82 Active Vulnerability Scanning 83 Passive Scanners 83 Intrusive Vulnerability Scanning 84 Nonintrusive Scanning 85 Vulnerability Scanning Limitations and Shortcomings 87 Chapter 6: Configuration Assessment 89 Regulations 90 Frameworks 90 Benchmarks 91 Configuration Assessment Tools 91 SCAP 97 Chapter 7: Risk Measurement 100 CVE 104 CVSS 104 STIG 106 OVAL 108 IAVA 109 Chapter 8: Vulnerability States 110 Vulnerability Risk Based on State 111 The Three Vulnerability States 113 Active Vulnerabilities 115 Dormant Vulnerabilities 115 Carrier Vulnerabilities 116 State Prioritization 117 Chapter 9: Vulnerability Authorities 119 Chapter 10: Penetration Testing 123 Chapter 11: Remediation 129 Microsoft 129 Apple 131 Cisco 133 Google 134 Oracle 135 Red Hat 136 Adobe 137 Open Source 137 Everyone Else 139 Chapter 12: The Vulnerability Management Program 141 Design 142 Develop 143 Deploy 143 Operate 144 Maturity 144 Maturity Categories 146 Descriptions 148 Chapter 13: Vulnerability Management Design 149 Crawl, Walk, Run, Sprint 151 Implement for Today, But Plan for Tomorrow 152 It’s All About Business Value 152 Chapter 14: Vulnerability Management Development 154 Vulnerability Management Scope 155 Operating Systems 156 Client Applications 157 Web Applications 158 Network Devices 160 Databases 161 Flat File Databases 161 Hypervisors 164 IaaS and PaaS 164 Mobile Devices 166 IoT 168 Industrial Control Systems (ICS) and SCADA 169 DevOps 170 Docker and Containers 171 Code Review 172 Tool Selection 173 The Vulnerability Management Process 175 Assessment 175 Measure 176 Remediation 177 Rinse and Repeat {Cycle} 177 End of Life 177 Common Vulnerability Lifecycle Mistakes 178 Mistake 1: Disjointed Vulnerability Management 178 Solution 179 Mistake 2: Relying on Remote Assessment Alone 180 Solution 180 Mistake 3: Unprotected Zero-Day Vulnerabilities 181 Solution 181 Mistake 4: Decentralized Visibility 182 Solution 182 Mistake 5: Compliance at the Expense of Security 183 Solution 183 Common Challenges 183 Aging Infrastructure 184 Depth and Breadth of the Program 185 Building the Plan 186 Step 1: What to Assess? 186 Step 2: Assessment Configuration 187 Step 3: Assessment Frequency 187 Step 4: Establish Ownership 188 Step 5: Data and Risk Prioritization 188 Step 6: Reporting 189 Step 7: Remediation Management 190 Step 8: Verification and Measurements 191 Step 9: Third-Party Integration 191 Chapter 15: Vulnerability Management Deployment 193 Approach 1: Critical and High-Risk Vulnerabilities Only 194 Approach 2: Statistical Sampling 195 Approach 3: Targeted Scanning Based on Business Function 197 Team Communications 199 Network Scanners 203 Firewalls 203 IPS/IDS 205 Packet Shaping 206 QoS 207 Tarpits 207 Honeypots 208 Authentication 209 Null Session 210 Credentials 211 Privileged Integration 213 Agents 215 Third-Party Integration 217 Patch Management 218 Virtual Patching 220 Threat Detection 221 Continuous Monitoring 222 Performance 224 Threads 226 Time to Complete 228 Bandwidth 230 Ports 230 Scan Windows 231 Scan Pooling 232 Target Randomization 232 Fault Tolerance 232 Scanner Locking 234 Chapter 16: Vulnerability Management Operations 235 Discovery 237 Analysis 237 Reporting 238 Remediation 238 Measurement 239 Chapter 17: Vulnerability Management Architecture 241 Chapter 18: Sample Vulnerability Plan 245 Vulnerability Management Solution and Remediation Service Levels 245 Vulnerability Scan Targets 247 Vulnerability Scan Frequency/Schedule 247 Vulnerability Reporting 248 Remediation Management 250 Exceptions Management 252 Exclude from Assessments 255 Chapter 19: Regulatory Compliance 256 Chapter 20: Risk Management Frameworks 267 Chapter 21: Making It All Work 274 Know What’s On Your Network 275 Automate Credentialed Scans 277 Spot What’s Lurking in the Shadows 279 See Your Data in High Definition 280 Find Which Threats Are Soft Targets 282 Mind Your Vulnerability Gaps 283 Unify Vulnerability and Privilege Intelligence 284 Threat Analytics 285 Streamline Your Patch Process 286 Share and Collaborate 287 Chapter 22: Tales from the Trenches 291 A Lost Enterprise Client 291 Just a Win 294 Just Too Much to Manage 296 Obsolete 297 Complex Is Best 299 Forfeit the Game 300 Listening Skills 302 Contractors 304 The Rogue Device 305 The Big Fish 306 Rootkits Anyone? 307 Not the Only One 309 My Favorite Story 310 How Many Class B Networks? 311 The Blog from Hell 313 Nice Portal, Baby 314 Online Banking 315 Lies 317 Speaking of Comparisons 318 Getting Your Facts Straight 320 Conformal Coating 321 Dependencies 322 Odds and Ends 324 Chapter 23: Final Recommendations 328 Chapter 24: Conclusion 331 Appendix A: Sample Request for Proposal (RFP) 333 Invitation 333 Overview 334 RFP Response Process 336 RFP Response Format 337 RFP Response Contents 337 Missing Answers 338 Terms and Conditions 338 Supplementary 339 Unconditional Requirements 340 Functional Requirements 340 Technical Requirements 341 Supplementary Requirements 341 Vendor Technology and Experience 342 Company History 342 Financial Information 343 Customer Installations and References 344 Solution Functionality 344 Assessments 344 False Positive Mitigation 349 Risk Prioritization 350 Reporting 351 Third-Party Integrations 352 Data History 353 Configuration Management 354 Role-Based Access 354 Training and Professional Services 356 Technical Considerations 356 Product Licensing and Component Model 357 Required Hardware and Operating Systems 358 Data Integration 360 Network Impact 360 Reliability, Implementation, and Scalability 361 Security 362 Implementation Considerations 363 System Maintenance and Modification 364 User Support 365 Hardware Costs 366 Software License(s) 366 Support and Maintenance Costs 367 Training Costs 367 Professional Service Costs 367 Appendix B: Request for Proposal Spreadsheet 368 Index 379 Build an effective vulnerability management strategy to protect your organization's assets, applications, and data. Today's network environments are dynamic, requiring multiple defenses to mitigate vulnerabilities and stop data breaches. In the modern enterprise, everything connected to the network is a target. Attack surfaces are rapidly expanding to include not only traditional servers and desktops, but also routers, printers, cameras, and other IOT devices. It doesn't matter whether an organization uses LAN, WAN, wireless, or even a modern PAN—savvy criminals have more potential entry points than ever before. To stay ahead of these threats, IT and security leaders must be aware of exposures and understand their potential impact. Asset Attack Vectors will help you build a vulnerability management program designed to work in the modern threat environment. Drawing on years of combined experience, the authors detail the latest techniques for threat analysis, risk measurement, and regulatory reporting. They also outline practical service level agreements (SLAs) for vulnerability management and patch management. Vulnerability management needs to be more than a compliance check box; it should be the foundation of your organization's cybersecurity strategy. Read Asset Attack Vectors to get ahead of threats and protect your organization with an effective asset protection strategy. What You'll Learn Create comprehensive assessment and risk identification policies and procedures Implement a complete vulnerability management workflow in nine easy steps Understand the implications of active, dormant, and carrier vulnerability states Develop, deploy, and maintain custom and commercial vulnerability management programs Discover the best strategies for vulnerability remediation, mitigation, and removal Automate credentialed scans that leverage least-privilege access principles Read real-world case studies that share successful strategies and reveal potential pitfalls Who This Book Is For New and intermediate security management professionals, auditors, and information technology staff looking to build an effective vulnerability management program and defend against asset based cyberattacks
دانلود کتاب Asset Attack Vectors : Building Effective Vulnerability Management Strategies to Protect Organizations