Vulnerability and Configuration Management Best Practices for State and Local Governments, Jonathan Trull, CISO, Qualys, Inc.

Page 1: Vulnerability and Configuration Management Best Practices for State and Local Governments Jonathan Trull, CISO, Qualys, Inc

Vulnerability and Configuration Management Best Practices for State and Local Governments
Jonathan Trull, CISO, Qualys, Inc.

Page 2: Most Breaches Exploit Known Vulnerabilities

• Attacks: more than 80% of attacks target known vulnerabilities
• Patches: 79% of vulnerabilities have a patch available on the day of disclosure

Page 3: Threats vs. Vulnerabilities

Page 4: Patch and Vulnerability Management

A security practice designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization: the continuous process of identifying, classifying, remediating, and mitigating vulnerabilities.

Page 5: Configuration Management

The process of evaluating, coordinating, approving, disapproving, and implementing changes to systems and software.

Security perspective: the process of ensuring systems are configured to prevent successful cyber attacks, and stay that way.

Page 6: Major Constraints on Security Teams

Page 7: Attack-Defend Cycle (OODA Loop)

Page 8: Laws of Vulnerabilities

• Half-Life – time interval for reducing the occurrence of a vulnerability by half
• Prevalence – turnover rate of vulnerabilities in the “Top 20” list during a year
• Persistence – total lifespan of vulnerabilities
• Exploitation – time interval between an exploit announcement and the first attack

Page 9: Half-Life

• 29.5 days

Page 10: Prevalence

• 8 critical vulnerabilities retained a constant presence in the Top 20

Page 11: Persistence

• Indefinite
• Stabilizes at 5-10%

Page 12: Exploitation

• Average: < 10 days
• Critical client vulnerabilities: < 48 hours
– Exploit kits offer money-back guarantees / next-day delivery
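Working through the half-life and persistence laws as an added example (this is not code from the deck or from Qualys): given a series of scan results for one finding, the script below estimates the finding's half-life two ways and detects the persistence plateau, which is the measurement page 26 asks security and ops teams to be judged on. The scan history is constructed to decay toward a floor of about 5% of the originally vulnerable hosts; reading "stabilizes at 5-10%" as that share, the list-of-(date, count) input format, and the fit thresholds are assumptions of this example.

```python
"""Added example (not from the slides): compute the half-life and
persistence of one finding from a series of scan results.

Half-life   = days until the number of vulnerable hosts halves.
Persistence = the share of hosts on which the finding never goes away.
All data below is constructed for illustration.
"""
import math
from datetime import date
from statistics import median

# Constructed weekly scan history for a single finding:
# (scan date, number of hosts still vulnerable).  About 5% of the hosts
# never get fixed, which is the persistence plateau the deck describes.
SCAN_HISTORY = [
    (date(2015, 1, 5), 400), (date(2015, 1, 12), 248),
    (date(2015, 1, 19), 157), (date(2015, 1, 26), 102),
    (date(2015, 2, 2), 69),   (date(2015, 2, 9), 50),
    (date(2015, 2, 16), 38),  (date(2015, 2, 23), 31),
    (date(2015, 3, 2), 26),   (date(2015, 3, 9), 24),
    (date(2015, 3, 16), 22),  (date(2015, 3, 23), 21),
    (date(2015, 3, 30), 21),  (date(2015, 4, 6), 21),
    (date(2015, 4, 13), 21),  (date(2015, 4, 20), 20),
]


def _days(history):
    """Scan dates as days since the first scan, paired with the counts."""
    start = history[0][0]
    return [((d - start).days, n) for d, n in history]


def observed_half_life(history):
    """Days until the vulnerable-host count first drops to half of the
    initial count, interpolating linearly between two adjacent scans.
    Returns None if the count never halved within the history."""
    points = _days(history)
    target = points[0][1] / 2
    for (t0, n0), (t1, n1) in zip(points, points[1:]):
        if n1 <= target < n0:
            return t0 + (t1 - t0) * (n0 - target) / (n0 - n1)
    return None


def persistence_floor(history, stable_scans=3, tolerance=0.10):
    """Persistence: the fraction of the original population still
    vulnerable once the count has stabilised.  The count is considered
    stable when the last `stable_scans` results are all within
    `tolerance` of their median.  Returns (floor_count, fraction), or
    None if the tail is still falling."""
    tail = [n for _, n in history[-stable_scans:]]
    mid = median(tail)
    if any(abs(n - mid) > tolerance * mid for n in tail):
        return None
    return mid, mid / history[0][1]


def fitted_half_life(history, floor, min_excess=5):
    """Half-life from a least-squares fit of ln(count - floor) against
    time, i.e. exponential decay of the fixable population towards the
    persistence floor.  Scans whose excess over the floor is below
    `min_excess` hosts are ignored because rounding noise dominates them."""
    xs, ys = [], []
    for t, n in _days(history):
        excess = n - floor
        if excess >= min_excess:
            xs.append(t)
            ys.append(math.log(excess))
    if len(xs) < 2:
        return None
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    decay_rate = -sxy / sxx          # per day; positive for falling counts
    return math.log(2) / decay_rate


def report(history):
    """Summarise one finding's half-life and persistence."""
    out = {"observed_half_life_days": observed_half_life(history)}
    floor = persistence_floor(history)
    if floor is not None:
        floor_count, fraction = floor
        out["persistence_fraction"] = fraction
        out["fitted_half_life_days"] = fitted_half_life(history, floor_count)
    return out


if __name__ == "__main__":
    for key, value in report(SCAN_HISTORY).items():
        print(f"{key}: {value:.2f}")
```

The two half-life estimates disagree on purpose: the observed value (about 10.7 days here) is what a dashboard shows, while the fitted value (about 9 days) describes only the hosts that will ever be fixed and is the one to compare against a target such as the 29.5-day figure on page 9. A team that patches quickly but leaves a 5% tail forever looks good on the first number and bad on persistence, which is why the deck asks for both.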

Page 13: Cyber Hygiene Campaign

Multi-year effort that provides key recommendations for a low-cost security program that any organization can adopt to achieve immediate and effective defenses against cyber security attacks.

Page 14:

• Pilot of scanning baselines completed
• Using Qualys, CIS provided a baseline network and app scan for 12 states, at the following key agencies:
  o health
  o public safety
  o revenue
• Reports were sent to each state with the results and information to remediate; follow-up discussions were available if needed
• Re-scans provided to remediate findings
• Feedback from the pilot states has helped to improve the process
• CIS is ready to offer the same baseline scans to other governments; for further information, contact Kathleen Patentreger at [email protected]

Page 15: Cyber Hygiene Scans

Page 16: Summary Results: Network-Based Vulnerabilities

Page 17: Summary Results: Application-Based Vulnerabilities

Page 18: Summary Results: Types of Vulnerabilities

Page 19: MS-ISAC Guidance

The goal of your security team is to reduce risk by identifying and eliminating weaknesses in your network assets. To do this, there are a few questions you need to ask about your organization.

Page 20: MS-ISAC Guidance

1. Do you maintain an asset inventory? Is it up to date?
2. Manage the flow of information: which machines have access to critical information, and how does that information get dispersed across your network?
3. Are your network assets classified? If not, assign them a position in a hierarchy, with the most critical systems at the top.
4. Have you done a risk assessment on these systems? What level of risk is your organization okay with?
5. How often do you perform vulnerability assessments on these hosts?
6. How is the remediation of these hosts being tracked? How long does it take to remediate hosts on average?
7. If a host was compromised, how would you respond?

Page 21: Case Studies

• State of New York
• University of Colorado
• State of Michigan
• State of Ohio
• Colorado Statewide Internet Portal Authority

Page 22: The Great Divide

Page 23: SecOps Integration

Diagram panels:
• Vulnerability & compliance scanning
• Vulnerability information
• Matched vulnerabilities and patches
• Automated remediation
• SecOps integration: If <trigger> then <action>

Page 24: Best Practices

• Vulnerability and configuration management should be an essential part of any security program
• Obtain executive-level support
– Identify and obtain an executive-level champion
– Build partnerships with other execs who need the same data
– When selling security, keep it simple
– Establish supporting written policies and procedures
• Communicate vertically and horizontally within your organization
– Essential to remove fear, uncertainty, and doubt

Page 25: Best Practices Continued

• Scan everything and scan often
– Scan anything connected to your network
– Scan your perimeter daily and servers and endpoints weekly
– Be prepared for zero days / use predictive analytics
• Use credentialed scanning
• Use metrics to drive risk reduction and program support
• Use tags to manage VM/CM processes / workflows
– Use tags for business value, ownership, and compliance

Page 26: Best Practices Continued

• Measure the security and ops teams’ performance by the half-life results and treatment of the persistence law
– Include results in HR performance reviews
• Use metrics to communicate with senior management
• Integrate the VM/CM solution with patch management systems, asset inventory systems, ticketing systems, configuration systems (Chef / Puppet), and reporting systems for best results

Page 27: Best Practices Continued

• Focus patching on those things that will hurt you most
• Select a VM/CM solution with strong APIs and integration, and that limits resources spent on system administration
• Learn to speak the language of Ops staff / ensure VM/CM data are reported in the most useful format
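The "If <trigger> then <action>" integration on page 23 and the tagging and prioritization advice on pages 25 and 27, worked as one added example (this is not code from the deck, from Qualys, or from any product): findings carry asset tags for business value, ownership and compliance scope, a score ranks what would hurt most, and ordered rules route each finding to a ticketing, patch-management or configuration-management system. The findings, tag names, weights, SLAs and downstream system names are all constructed for illustration; the 48-hour SLA for exploited, internet-facing findings mirrors the exploitation window on page 12.

```python
"""Added example (not from the slides): "if <trigger> then <action>" rules
that route vulnerability findings to downstream systems, ranked by what
will hurt most.  Findings, tags, weights and system names are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Finding:
    host: str
    cve: str
    severity: int              # scanner severity, 1 (low) to 5 (urgent)
    exploit_available: bool    # public exploit or exploit-kit module known
    patch_available: bool      # vendor patch matched to this finding
    tags: dict = field(default_factory=dict)   # asset tags from inventory


# Constructed findings and asset tags (not real scan output).  Tags carry
# business value, ownership and compliance scope, as the deck recommends.
FINDINGS = [
    Finding("web01", "CVE-2015-0001", 5, True, True,
            {"business_value": "high", "owner": "portal-team",
             "internet_facing": True, "compliance": "PCI"}),
    Finding("hr-db01", "CVE-2015-0002", 4, False, True,
            {"business_value": "high", "owner": "hr-apps",
             "compliance": "HIPAA"}),
    Finding("kiosk17", "CVE-2015-0003", 3, True, True,
            {"business_value": "low", "owner": "desktop-ops",
             "patch_window": "nightly"}),
    Finding("legacy-app02", "CVE-2015-0004", 4, True, False,
            {"business_value": "medium", "owner": "revenue-apps"}),
    Finding("print01", "CVE-2015-0005", 2, False, True,
            {"business_value": "low", "owner": "desktop-ops"}),
]

VALUE_WEIGHT = {"high": 3, "medium": 2, "low": 1}


def risk_score(f):
    """What will hurt most: exploitability and the asset's business value
    count for more than the scanner's raw severity.  The weights are an
    assumption for this example, not a published scoring scheme."""
    score = f.severity * VALUE_WEIGHT[f.tags.get("business_value", "low")]
    if f.exploit_available:
        score *= 2
    if f.tags.get("internet_facing"):
        score += 5
    if f.tags.get("compliance"):
        score += 2
    return score


# Ordered (name, trigger, action) rules; the first matching trigger wins.
# Each action names the downstream system and what it should do.  The
# system names are placeholders for whatever the program integrates with.
RULES = [
    ("exploited-and-exposed",
     lambda f: f.exploit_available and f.tags.get("internet_facing"),
     lambda f: {"system": "ticketing", "priority": "P1", "sla_hours": 48,
                "assignee": f.tags["owner"]}),
    ("auto-patch-low-value",
     lambda f: f.patch_available and "patch_window" in f.tags
               and f.tags.get("business_value") == "low",
     lambda f: {"system": "patch_management", "job": "deploy",
                "window": f.tags["patch_window"], "host": f.host}),
    ("no-patch-mitigate",
     lambda f: not f.patch_available,
     lambda f: {"system": "config_management", "job": "apply-mitigation",
                "host": f.host, "assignee": f.tags["owner"]}),
    ("default-ticket",
     lambda f: True,
     lambda f: {"system": "ticketing",
                "priority": "P2" if f.severity >= 4 else "P3",
                "sla_hours": 168 if f.severity >= 4 else 720,
                "assignee": f.tags["owner"]}),
]


def route(f):
    """Return (rule name, action) for the first rule whose trigger matches."""
    for name, trigger, action in RULES:
        if trigger(f):
            return name, action(f)
    raise RuntimeError("no rule matched")   # unreachable: default-ticket always fires


def remediation_plan(findings):
    """Findings ordered by risk, each with the action the rules chose."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.host, f.cve, risk_score(f)) + route(f) for f in ranked]


if __name__ == "__main__":
    for host, cve, score, rule, action in remediation_plan(FINDINGS):
        print(f"{score:3d} {host:13s} {cve}  [{rule}] -> {action}")
```

Two design points matter more than the particular weights. Rule order is the policy: a finding with no patch is handed to configuration management for a mitigation instead of sitting in a ticket queue, and a low-value asset whose owner has opted in via a patch_window tag is patched automatically without anyone reading a ticket. And every action carries the owner from the asset tag, which is what lets the metrics on page 26 be reported per team rather than per host.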

Page 28: Questions and Answers

Page 29:

[email protected] @jonathantrull

Government Series Webcasts: https://lps.qualys.com/gov-webcast-series-1-2015.html

More Resources:
Qualys Top 4 Security Controls: https://www.qualys.com/forms/top-4-security-controls/
Qualys Free Tools and Trials: https://www.qualys.com/free-tools-trials/
Cyber Hygiene Toolkits: https://www.cisecurity.org/about/CHToolkits.cfm