I. Analysis and Planning A. Vulnerability Assessment
Requirements
In the interest of its faculty, students, guests and the data it holds, the University of Maryland University College (UMUC) has expressed a need to secure all assets within the institution.
Herein we identify the needs of UMUC as they apply to vulnerabilities within its environment. Detailed below are the proposed methods for the university to fulfill the requirement of performing a vulnerability assessment, followed by a justification of the need.
Proposed Solution
After reviewing the latest vulnerability assessment and management software, Tenable Nessus with SecurityCenter Continuous View is the proposed solution for UMUC at this
This is an iterative process that continues until every vulnerability has been remediated, mitigated, or formally accepted as a risk.
The scan results assign each finding a criticality level based on the type of vulnerability detected. The criticality of the vulnerabilities found on each server [4, Fig. A-1] is easily identified by a color scale, red being the most critical and blue the least [4, Fig. A-2].
Figure A-1 (criticality of vulnerabilities per server). Figure A-2 (criticality color scale).
Justification
Tenable Nessus has been rated by its users as a leader in preventive defense, and it is a low-cost solution with free online training. Although the suite requires scan profiles to be configured before use, it provides the functions needed to support software and system configuration vulnerability assessments and scales easily to accommodate future growth. Plugins are updated regularly, and new plugins are added to cover new Common Vulnerabilities and Exposures (CVEs) as they are published. SecurityCenter Continuous View simplifies the administrator's role by integrating with other tools, such as Mobile Device Management (MDM), and by providing end-to-end vulnerability detection and mitigation across platforms [3].
B. Security Policy
TestOut LabSim, section 4 (Policies, Procedures, and Awareness).
Requirements
An effective security policy consists of many policies, each addressing a specific area of the business. These policies are designed to
* Compare the results of the ZenMap GUI “Intense Scan” with a Nessus® vulnerability assessment scan
Nessus is a widely used vulnerability scanner produced by Tenable and is used by both home and corporate users. In essence, it looks for known security flaws in software and configurations, and it is regarded as a benchmark for accuracy and scanning speed in vulnerability assessment. Nessus tests for the security problems an attacker could use to get into a system. Tenable's research staff continually writes detection programs, called plugins, for newly discovered vulnerabilities. Plugins use a set of generic remediation actions and algorithms to test for vulnerabilities. (Tenable) Plugins are written in Tenable's own Nessus Attack Scripting Language (NASL). (TechTarget Network) NASL lets security professionals describe individual checks simply, and Nessus administrators use it to write custom checks from vulnerability descriptions. (TechTarget Network) Nessus helps ensure compliance and reduce an organization's attack surface. (Tenable) Nessus constantly
The network diagram of Global Finance, Inc. (GFI) depicts the layout of the company's mission-critical systems. The company has two servers (email and the Oracle database) that are used more than any of its other systems. GFI depends heavily on a stable network because of the financial systems running on it; any outage would negatively affect its operations and financial position. As for any other business, customer satisfaction and the security of GFI's network are crucial. In order to ensure its network and data are secure,
Because the system/application domain contains the business's mission-critical systems, applications and data, securing this domain is essential. Failure to do so can result in a large loss of information and can ultimately halt production. Securing it protects the confidentiality and integrity of the data. Implementing monitoring software tools will analyze any potential vulnerability that may exist on the
Companies should develop a control that requires routine vulnerability assessments of their customer-facing web sites, network infrastructure, and associated systems (such as database systems). Vulnerability assessment helps identify potential weaknesses in systems and also gives the organization's IT department feedback on its current operational policy and security posture. The cost of performing a routine vulnerability assessment is considerably less than that of an actual data breach.
The HTML5 interface also lets pen-testers review new scans, create new policies, and view scans from any device that can reach the scanner. The tool can report vulnerabilities for any IP address range, network, or host on the network. Its configuration and compliance auditing supports the Security Content Automation Protocol (SCAP), a NIST specification used to enable automated vulnerability management (National Institute of Standards and Technology, 2016). Nessus can also check that systems are configured in compliance with security baselines for Windows, Linux, Mac OS and applications. Another feature is integration with patch management, which allows patch information to be retrieved and included in the patch management report. Nessus goes one step further and checks that patches have been properly installed, and it audits mobile device weaknesses, gathering data and reporting potential threats for the devices connected to the network, whether iOS, Android, or Windows operating
As applied to an IT environment, a vulnerability assessment identifies existing vulnerabilities, giving the environment owner awareness of what needs to be fixed (Who needs a Vulnerability Assessment, 2017). The assessment must be viewed for what it is: a point-in-time snapshot that does not reveal every vulnerability. Multiple assessments must be conducted over time to ensure that as many avenues of weakness as possible are explored, identified, and marked for improvement. As new systems are added, programs are changed, or other changes are made to the system, new vulnerabilities may be introduced.
Windows hardening defense starts with the basics. Log in with the least privilege needed. Always use a firewall and anti-virus. Monitor channels for security advisories and alerts. Know your system(s). Patch early and patch often; unpatched systems are the lowest of low-hanging fruit. Have a documented patch policy and stick with it. Review patches as they are released and determine criticality based on the exploit, the threat footprint for your system(s), and whether a proof of concept or fully weaponized exploit is in the wild. When possible, test patches before rolling them out to production servers. Most clients should have automatic updates enabled for the OS and any application listening
* Identify risks, threats, and vulnerabilities in the 7 domains of a typical IT infrastructure
A vulnerability assessment is a risk testing process that finds, quantifies and ranks as many potential vulnerabilities as it can within a given timeframe. Depending on the organization's scope, there are many ways to conduct a vulnerability assessment, and it may involve both automated and manual techniques.
9. When assessing the risk impact a threat or vulnerability has on your application and infrastructure, why must you align this assessment with both a server and an application software vulnerability assessment and remediation plan? Because they may coincide with each other, which
When it comes to protecting any structure or organization and mitigating its risk, risk analysis and vulnerability assessments must be conducted so as to know what is to be protected, the threats (man-made or natural disaster), and the ranking of each threat's potential as well as its probability. For critical infrastructure, risk analysis and vulnerability assessment have guidelines in Homeland Security Presidential Directive 7 (HSPD-7).
The Main Purpose of Security Management and Security Measures must be Commensurate with the Threat
Nessus is typically installed on a server and administered through a web-based interface. It uses plugins to determine whether a vulnerability is present on a specified machine.
Application of context to scan results – to determine which infrastructure vulnerabilities should be targeted first and most aggressively.
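The criticality levels described earlier (each finding rated by severity, with the loop repeated until every finding is remediated, mitigated or accepted), the patch-prioritization rule that weighs whether a public exploit exists, and the point immediately above about applying context to scan results can be demonstrated together. The following Python is an added example, not code from the original page or from Tenable. It parses a .nessus v2 export (the XML format Nessus produces, in which each ReportItem carries a 0-4 severity attribute and, when known, an exploit_available element), counts findings per severity, ranks them using an assumed per-asset criticality weight plus an assumed bonus for exploit availability, and diffs two scans to show which findings were remediated and which are new. The two XML documents, the host addresses, the 9000xx plugin IDs and names, and the weights are all constructed for illustration and correspond to no real Tenable plugin.

```python
"""Triage a Nessus (.nessus v2) export: count findings per severity, rank them
with asset context, and diff two scans to track the scan/remediate/rescan loop.

Added example, not from the original page or from Tenable. The XML below is a
constructed sample in the .nessus v2 layout; plugin IDs and names are
placeholders, not real Tenable plugins.
"""
import xml.etree.ElementTree as ET

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Assumed asset-context weights (not Nessus data): how much each host matters
# to the business. Hosts not listed default to 1.
ASSET_CRITICALITY = {"10.10.1.10": 3, "10.10.2.20": 1}
EXPLOIT_BONUS = 2  # assumed bump when the scanner flags a public exploit

# Constructed sample scans: between them, plugin 900002 is fixed on 10.10.1.10
# and plugin 900004 newly appears on 10.10.2.20 (plus an Info-only 900005).
PREVIOUS_SCAN = """<NessusClientData_v2><Report name="previous">
<ReportHost name="10.10.1.10">
<ReportItem port="445" protocol="tcp" svc_name="cifs" pluginID="900001" pluginName="Placeholder: SMB signing not required" severity="2"/>
<ReportItem port="443" protocol="tcp" svc_name="www" pluginID="900002" pluginName="Placeholder: end-of-life web server" severity="4"><exploit_available>true</exploit_available></ReportItem>
</ReportHost>
<ReportHost name="10.10.2.20">
<ReportItem port="22" protocol="tcp" svc_name="ssh" pluginID="900003" pluginName="Placeholder: weak SSH ciphers" severity="1"/>
</ReportHost>
</Report></NessusClientData_v2>"""

CURRENT_SCAN = """<NessusClientData_v2><Report name="current">
<ReportHost name="10.10.1.10">
<ReportItem port="445" protocol="tcp" svc_name="cifs" pluginID="900001" pluginName="Placeholder: SMB signing not required" severity="2"/>
<ReportItem port="0" protocol="tcp" svc_name="general" pluginID="900005" pluginName="Placeholder: service banner" severity="0"/>
</ReportHost>
<ReportHost name="10.10.2.20">
<ReportItem port="22" protocol="tcp" svc_name="ssh" pluginID="900003" pluginName="Placeholder: weak SSH ciphers" severity="1"/>
<ReportItem port="8080" protocol="tcp" svc_name="www" pluginID="900004" pluginName="Placeholder: unpatched service with public exploit" severity="3"><exploit_available>true</exploit_available></ReportItem>
</ReportHost>
</Report></NessusClientData_v2>"""


def parse_nessus(xml_text):
    """Return one dict per ReportItem found in a .nessus v2 document."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            exploit = item.findtext("exploit_available", default="false")
            findings.append({
                "host": host.get("name"),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "port": item.get("port"),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity", "0")),
                "exploit_available": exploit.strip().lower() == "true",
            })
    return findings


def summarize_by_severity(findings):
    """Count findings per Nessus severity name (the color-scale buckets)."""
    counts = {name: 0 for name in SEVERITY_NAMES.values()}
    for f in findings:
        counts[SEVERITY_NAMES[f["severity"]]] += 1
    return counts


def score(finding, criticality=ASSET_CRITICALITY):
    """Scanner severity weighted by asset criticality, plus exploit bonus."""
    base = finding["severity"] * criticality.get(finding["host"], 1)
    return base + (EXPLOIT_BONUS if finding["exploit_available"] else 0)


def prioritize(findings, criticality=ASSET_CRITICALITY):
    """Actionable findings (severity > 0) ordered by context-weighted score."""
    actionable = [f for f in findings if f["severity"] > 0]
    return sorted(actionable, key=lambda f: (-score(f, criticality), f["host"], f["plugin_id"]))


def finding_key(f):
    """Identity of a finding across scans: same host, plugin, port, protocol."""
    return (f["host"], f["plugin_id"], f["port"], f["protocol"])


def diff_scans(previous, current):
    """Split findings into remediated (gone), new (appeared) and still open."""
    prev_keys = {finding_key(f) for f in previous}
    cur_keys = {finding_key(f) for f in current}
    return {"remediated": prev_keys - cur_keys,
            "new": cur_keys - prev_keys,
            "open": prev_keys & cur_keys}


if __name__ == "__main__":
    prev, cur = parse_nessus(PREVIOUS_SCAN), parse_nessus(CURRENT_SCAN)
    print(summarize_by_severity(cur))
    for f in prioritize(cur):
        print(score(f), SEVERITY_NAMES[f["severity"]], f["host"], f["name"])
    print(diff_scans(prev, cur))
```

Run against the sample, the ranking puts the Medium finding on the mission-critical host ahead of the High finding on the low-value host, which is exactly the effect of applying context rather than reading the color scale alone; the diff output is what closes the loop, showing the finding removed by the last remediation round and the one that appeared since, so it can be remediated, mitigated or accepted in turn.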