Effective Vulnerability Management

Managing Risk in the Vulnerable Digital Ecosystem
1st edition

by: Chris Hughes, Nikki Robinson

22.99 €

Publisher: Wiley
Format: EPUB
Published: 22 March 2024
ISBN/EAN: 9781394221219
Language: English
Number of pages: 288

DRM-protected eBook: to read it you need, for example, Adobe Digital Editions and an Adobe ID.

Description

Infuse efficiency into risk mitigation practices by optimizing resource use with the latest best practices in vulnerability management

Organizations spend tremendous time and resources addressing vulnerabilities in their technology, software, and organizations. But is that time, and are those resources, well spent? Often the answer is no, because we rely on outdated practices and inefficient, scattershot approaches. Effective Vulnerability Management takes a fresh look at a core component of cybersecurity, revealing the practices, processes, and tools that enable today's organizations to mitigate risk efficiently and expediently in the era of cloud, DevSecOps, and Zero Trust.

Every organization now relies on third-party software and services, ever-changing cloud technologies, and business practices that introduce tremendous potential for risk and require constant vigilance. It is more crucial than ever for organizations to minimize the risk these dependencies pose to the rest of the business. This book describes the assessment, planning, monitoring, and resource allocation tasks each company must undertake for successful vulnerability management, and it enables readers to do away with unnecessary steps, streamlining the process of securing organizational data and operations. It also covers key emerging domains such as software supply chain security and human factors in cybersecurity.

- Learn the important differences between asset management, patch management, and vulnerability management, and how they need to function cohesively
- Build a real-time understanding of risk through secure configuration and continuous monitoring
- Implement best practices such as vulnerability scoring and prioritization, and design interactions that reduce the risks arising from human psychology and behavior
- Discover newer attack patterns such as vulnerability chaining, and find out how to secure your assets against them

Effective Vulnerability Management is a new and essential volume for executives, risk program leaders, engineers, systems administrators, and anyone involved in managing systems and software in our modern, digitally driven society.
Table of Contents

Foreword xvii
Introduction xix

1 Asset Management 1
  Physical and Mobile Asset Management 3
  Consumer IoT Assets 4
  Software Assets 5
  Cloud Asset Management 6
  Multicloud Environments 7
  Hybrid Cloud Environments 7
  Third-Party Software and Open Source Software (OSS) 9
  Third-Party Software (and Risk) 10
  Accounting for Open Source Software 11
  On-Premises and Cloud Asset Inventories 11
  On-Premises Data Centers 12
  Tooling 13
  Asset Management Tools 13
  Vulnerability Scanning Tools 14
  Cloud Inventory Management Tools 15
  Ephemeral Assets 16
  Sources of Truth 17
  Asset Management Risk 18
  Log4j 18
  Missing and Unaccounted-for Assets 19
  Unknown Unknowns 20
  Patch Management 21
  Recommendations for Asset Management 22
  Asset Manager Responsibilities 22
  Asset Discovery 23
  Getting the Right Tooling 24
  Digital Transformation 25
  Establishing and Decommissioning Standard Operating Procedures 26
  Summary 27

2 Patch Management 29
  Foundations of Patch Management 29
  Manual Patch Management 30
  Risks of Manual Patching 31
  Manual Patching Tooling 32
  Automated Patch Management 34
  Benefits of Automated vs Manual Patching 35
  Combination of Manual and Automated Patching 36
  Risks of Automated Patching 37
  Patch Management for Development Environments 38
  Open Source Patching 38
  Not All Software Is Equal 39
  Managing OSS Patches Internally 39
  Responsibilities of Infrastructure vs Operations Teams 40
  Who Owns Patch Management? 41
  Separation of Duties 42
  Tools and Reporting 43
  Patching Outdated Systems 43
  End-of-Life Software 44
  Unpatched Open Source Software 45
  Residual Risk 46
  Common Attacks for Unpatched Systems 47
  Prioritizing Patching Activities 48
  Risk Management and Patching 49
  Building a Patch Management Program 50
  People 50
  Process 51
  Technology 51
  Summary 52

3 Secure Configuration 53
  Regulations, Frameworks, and Laws 53
  NSA and CISA Top Ten Cybersecurity Misconfigurations 54
  Default Configurations of Software and Applications 55
  Improper Separation of User/Administrator Privilege 57
  Insufficient Internal Network Monitoring 57
  Lack of Network Segmentation 58
  Poor Patch Management 58
  Bypass of System Access Controls 60
  Weak or Misconfigured Multifactor Authentication Methods 60
  Lack of Phishing-Resistant MFA 61
  Insufficient Access Control Lists on Network Shares and Services 61
  Poor Credential Hygiene 61
  Unrestricted Code Execution 62
  Mitigations 62
  Default Configurations of Software Applications 63
  Improper Separation of User/Administration Privilege 64
  Insufficient Network Monitoring 64
  Poor Patch Management 64
  Wrapping up the CIS Misconfigurations Guidance 65
  CIS Benchmarks 65
  DISA Security Technical Implementation Guides 66
  Summary 68

4 Continuous Vulnerability Management 69
  CIS Control 7—Continuous Vulnerability Management 70
  Establish and Maintain a Vulnerability Management Process 70
  Establish and Maintain a Remediation Process 71
  Perform Automated Operating System Patch Management 71
  Perform Automated Application Patch Management 72
  Perform Automated Vulnerability Scans of Internal Enterprise Assets 73
  Perform Automated Vulnerability Scans of Externally Exposed Enterprise Assets 73
  Remediate Detected Vulnerabilities 74
  Continuous Monitoring Practices 74
  Summary 77

5 Vulnerability Scoring and Software Identification 79
  Common Vulnerability Scoring System 79
  CVSS 4.0 at a Glance 80
  Base Metrics 84
  Exploitability Metrics 84
  Threat Metrics 86
  Environmental Metrics 88
  Supplemental Metrics 89
  Qualitative Severity Rating Scale 91
  Vector String 92
  Exploit Prediction Scoring System 92
  EPSS 3.0—Prioritizing Through Prediction 92
  EPSS 3.0 94
  Moving Forward 95
  Stakeholder-Specific Vulnerability Categorization 97
  CISA SSVC Guide 99
  Decision Tree Example 106
  Software Identification Formats 107
  Common Platform Enumeration 108
  Package URL 110
  Software Identification Tags 110
  Common Weaknesses and Enumerations 112
  Summary 114

6 Vulnerability and Exploit Database Management 115
  National Vulnerability Database (NVD) 115
  Sonatype Open Source Software Index 118
  Open Source Vulnerabilities 119
  GitHub Advisory Database 120
  Exploit Databases 121
  Exploit-DB 122
  Metasploit 122
  GitHub 122
  Summary 123

7 Vulnerability Chaining 125
  Vulnerability Chaining Attacks 125
  Exploit Chains 127
  Daisy Chains 128
  Vendor-Released Chains 129
  Microsoft Active Directory 129
  VMware vRealize Products 130
  iPhone Exploit Chain 130
  Vulnerability Chaining and Scoring 131
  Common Vulnerability Scoring System 132
  EPSS 132
  Gaps in the Industry 133
  Vulnerability Chaining Blindness 134
  Terminology 135
  Usage in Vulnerability Management Programs 136
  The Human Aspect of Vulnerability Chaining 138
  Phishing 138
  Business Email Compromise 139
  Social Engineering 140
  Integration into VMPs 141
  Leadership Principles 142
  Security Practitioner Integration 142
  IT and Development Usage 143
  Summary 144

8 Vulnerability Threat Intelligence 145
  Why Is Threat Intel Important to VMPs? 145
  Where to Start 146
  Technical Threat Intelligence 146
  Tactical Threat Intelligence 147
  Strategic Threat Intelligence 148
  Operational Threat Intelligence 149
  Threat Hunting 150
  Integrating Threat Intel into VMPs 151
  People 151
  Process 152
  Technology 153
  Summary 154

9 Cloud, DevSecOps, and Software Supply Chain Security 155
  Cloud Service Models and Shared Responsibility 156
  Hybrid and Multicloud Environments 158
  Containers 159
  Kubernetes 165
  Serverless 169
  DevSecOps 170
  Open Source Software 174
  Software-as-a-Service 182
  Systemic Risks 183
  Summary 186

10 The Human Element in Vulnerability Management 187
  Human Factors Engineering 189
  Human Factors Security Engineering 191
  Context Switching 191
  Vulnerability Dashboards 193
  Vulnerability Reports 194
  Cognition and Metacognition 196
  Vulnerability Cognition 197
  The Art of Decision-Making 197
  Decision Fatigue 198
  Alert Fatigue 199
  Volume of Vulnerabilities Released 199
  Required Patches and Configurations 200
  Vulnerability Management Fatigue 201
  Mental Workload 202
  Integration of Human Factors into a VMP 202
  Start Small 203
  Consider a Consultant 204
  Summary 205

11 Secure-by-Design 207
  Secure-by-Design/Default 208
  Secure-by-Design 209
  Secure-by-Default 210
  Software Product Security Principles 211
  Principle 1: Take Ownership of Customer Security Outcomes 211
  Principle 2: Embrace Radical Transparency and Accountability 214
  Principle 3: Lead from the Top 216
  Secure-by-Design Tactics 217
  Secure-by-Default Tactics 218
  Hardening vs Loosening Guides 218
  Recommendations for Customers 219
  Threat Modeling 220
  Secure Software Development 222
  SSDF Details 223
  Prepare the Organization (PO) 223
  Protect Software (PS) 225
  Produce Well-Secured Software (PW) 226
  Respond to Vulnerabilities (RV) 227
  Security Chaos Engineering and Resilience 229
  Summary 231

12 Vulnerability Management Maturity Model 233
  Step 1: Asset Management 234
  Step 2: Secure Configuration 236
  Step 3: Continuous Monitoring 238
  Step 4: Automated Vulnerability Management 240
  Step 5: Integrating Human Factors 242
  Step 6: Vulnerability Threat Intelligence 244
  Summary 245

Acknowledgments 247
About the Authors 249
About the Technical Editor 251
Index 253
About the Authors

CHRIS HUGHES, M.S., MBA, currently serves as Co-Founder and President at Aquia and has 20 years of IT/cybersecurity experience in the public and private sectors. He is also an adjunct professor for M.S. Cybersecurity programs. Chris co-hosts the Resilient Cyber Podcast and serves as a Cyber Innovation Fellow at CISA.

NIKKI ROBINSON, DSc, PhD, is a Security Architect and Professor of Practice at Capitol Technology University. She holds a DSc in Cybersecurity and a PhD in Human Factors.
SUPPORT ORGANIZATIONAL SUCCESS BY MINIMIZING IT RISK IN THE CLOUD ERA

Modern businesses employ dozens of third-party, cloud-based tools to get work done. Technology managers need to be well versed in the holistic practice of knowing their systems, their interconnections, and the resulting risk exposure. Armed with that knowledge, it becomes possible to plan and prioritize limited budgets to mobilize a cost-effective vulnerability management program. From two leading minds in cybersecurity, Effective Vulnerability Management explores the multifaceted approach that today's organizations must take to effectively mitigate risk introduced by complex software ecosystems.

With this book, readers will learn why it isn't enough to simply "apply a patch" to fix known software flaws. True vulnerability management requires consistently monitoring systems and vulnerability databases. It also requires addressing the human element, identifying and addressing psychological factors that interact with software ecosystems to create emergent vulnerabilities. Authors Chris Hughes and Nikki Robinson provide a comprehensive discussion of these issues and their solutions.

It is essential to dedicate time and resources to preventing attacks and exploitation, yet it can be challenging to justify these expenditures, and indeed many outdated and disengaged vulnerability management practices offer inadequate protection. Effective Vulnerability Management shows the way toward more efficient, more effective strategies that respond to today's unique threats.
