51 result(s) for "Manzuik, Steve"
Network Security Assessment: From Vulnerability to Patch
This book will take readers from the discovery of vulnerabilities and the creation of the corresponding exploits, through a complete security assessment, all the way through deploying patches against these vulnerabilities to protect their networks. It is unique in that it details both the management and technical skills and tools required to develop an effective vulnerability management system. Business case studies and real-world vulnerabilities are used throughout the book. It starts by introducing the reader to the concepts of a vulnerability management system. Readers will be provided detailed timelines of exploit development, vendors' time to patch, and corporate patch installations. Next, the differences between security assessments and penetration tests will be clearly explained along with best practices for conducting both. Next, several case studies from different industries will illustrate the effectiveness of varying vulnerability assessment methodologies. The next several chapters will define the steps of a vulnerability assessment, including: defining objectives, identifying and classifying assets, defining rules of engagement, scanning hosts, and identifying operating systems and applications. The next several chapters provide detailed instructions and examples for differentiating vulnerabilities from configuration problems and validating vulnerabilities through penetration testing. The last section of the book provides best practices for vulnerability management and remediation.
* Unique coverage detailing both the management and technical skills and tools required to develop an effective vulnerability management system
* Vulnerability management is rated the #2 most pressing concern for security professionals in a poll conducted by Information Security Magazine
* Covers in detail the vulnerability management lifecycle from discovery through patch.
Network Security Assessment
This book will take readers from the discovery of vulnerabilities and the creation of the corresponding exploits, through a complete security assessment, all the way through deploying patches against these vulnerabilities to protect their networks.
Chapter 9 - Vulnerability and Configuration Management
This chapter focuses on the process of remediating vulnerabilities. Dealing effectively with vulnerabilities in today's networks includes not only managing the vulnerability process itself, but also integrating the previous approach toward vulnerability assessment (leveraging scanners to discover vulnerabilities) into the correlative frameworks and processes of patch management, configuration management, and change control. Patching a system is as much an art as it is a science. Patches can be software or hardware related, and the results of one patch can often affect the operation of both the primary and secondary functions of another patch. One of the most crucial components of a vulnerability management framework lies in the establishment of a patch management program. Patches can be deployed in several ways, such as Push technology, Pull technology, and Sneakernet. The principles behind configuration management are very similar to those of patch management. All patch installations and configuration changes should comply with the existing change control procedures.
Chapter 8 - Vulnerability Management Tools
Numerous tools are available that assist in vulnerability management. However, determining which tool(s) to leverage is not easy, because no one product can address all of the aspects of vulnerability management. Therefore, when deciding which vulnerability management tool(s) to use, it is important that you understand each tool's capabilities and how the available tools work with each other. This chapter discusses the evaluation of vulnerability management tools along with several popular commercial tools (eEye Digital Security, Symantec (BindView), Attachmate (NetIQ), StillSecure, and McAfee) and open source tools (Information Resource Manager, Nmap, and Nessus). The perfect vulnerability management tool possesses capabilities for asset management, vulnerability assessment, configuration management, patch management, remediation, reporting, and monitoring, all working well together, and it would integrate well with third-party technologies. Ideally, the tool's asset management, vulnerability management, and patch management capabilities would work particularly well together. The chapter concludes with a discussion of some of the pros and cons of leveraging an outsourcer to manage parts of a vulnerability management program.
Chapter 10 - Regulatory Compliance
Vulnerability assessments (VAs) and penetration tests (pen tests) have long been major components of information security programs. This chapter discusses the impact that regulations have had on vulnerability assessment and pen testing, as well as several ways of drafting an information security program to meet an ever-changing business environment. In an effort to address the liabilities associated with credit card theft, credit card companies, beginning with Visa in 2001 with its Cardholder Information Security Program (CISP), began enacting data protection standards governing the processing, transmission, and storage of credit card data. By standardizing the transmission of billing and claims data, the potential for theft and abuse of patient health information (PHI) increased. To lessen this threat, Congress introduced the Health Insurance Portability and Accountability Act (HIPAA) and included safeguards to protect the confidentiality and security of patient data. The Sarbanes-Oxley Act (SOX) has fundamentally changed the business, regulatory, and information technology environments. SOX strengthens internal checks and balances, corporate accountability, and ultimately, corporate financial reporting. Payment Card Industry (PCI), HIPAA, and SOX reflect the first wave of compliance statutes that organizations are subject to. The next wave may include state, and possibly federal, notification and disclosure statutes governing an organization's responsibility to publicly disclose security breaches to its constituents. Drafting an information security program that is modular, flexible, and focused on risk mitigation and common-sense security will go a long way toward tackling the ever-evolving compliance landscape.