Catalogue Search | MBRL
51 result(s) for "Steve Manzuik"
Network Security Assessment: From Vulnerability to Patch
2006,2007
This book will take readers from the discovery of vulnerabilities and the creation of the corresponding exploits, through a complete security assessment, all the way through deploying patches against these vulnerabilities to protect their networks. It is unique in that it details both the management and technical skills and tools required to develop an effective vulnerability management system. Business case studies and real-world vulnerabilities are used throughout the book. It starts by introducing the reader to the concepts of a vulnerability management system. Readers will be provided detailed timelines of exploit development, vendors' time to patch, and corporate patch installations. Next, the differences between security assessments and penetration tests will be clearly explained, along with best practices for conducting both. Several case studies from different industries will then illustrate the effectiveness of varying vulnerability assessment methodologies. The next several chapters define the steps of a vulnerability assessment, including: defining objectives, identifying and classifying assets, defining rules of engagement, scanning hosts, and identifying operating systems and applications. The chapters that follow provide detailed instructions and examples for differentiating vulnerabilities from configuration problems and for validating vulnerabilities through penetration testing. The last section of the book provides best practices for vulnerability management and remediation.
* Unique coverage detailing both the management and technical skills and tools required to develop an effective vulnerability management system
* Vulnerability management is rated the #2 most pressing concern for security professionals in a poll conducted by Information Security Magazine
* Covers in detail the vulnerability management lifecycle from discovery through patch
Network Security Assessment
2006
This book will take readers from the discovery of vulnerabilities and the creation of the corresponding exploits, through a complete security assessment, all the way through deploying patches against these vulnerabilities to protect their networks.
Chapter 6 - Going Further
2006
Vulnerability assessment (VA) represents a key element of an organization's information security program. A VA highlights an organization's security liabilities and helps asset owners, security managers, and business leaders determine information security risk. VAs only report vulnerabilities, though. They do not substantiate that vulnerabilities actually exist; penetration tests do that. This chapter assimilates the information on tools, methodologies, and concepts that go into VA and continues with penetration testing. Penetration testing is the process of evaluating the security posture of a computer system, network, or application (assets). The process involves analyzing assets for any weaknesses, configuration flaws, or vulnerabilities. The analysis is carried out from the perspective of a potential attacker and leverages exploitation of known and possibly unknown security vulnerabilities. There are two types of penetration tests: black box and white box tests. Black box testing assumes no prior knowledge of the environment to be tested, and the testers must first determine the location and extent of the assets before commencing their analysis. At the other end of the spectrum, white box testing provides the testers with complete knowledge of the environment to be tested, often including network diagrams, source code, and Internet Protocol (IP) addressing information.
Book Chapter
Foreword
by Gold, Andrew; Manzuik, Steve; Pfeil, Ken
in COMPUTER COMMUNICATIONS & NETWORKING, Data encryption
2006
Book Chapter
Vulnerability Management
by Gold, Andrew; Manzuik, Steve; Pfeil, Ken
in COMPUTER COMMUNICATIONS & NETWORKING, Data encryption
2006
Book Chapter
Chapter 10 - Regulatory Compliance
2006
Vulnerability assessments (VAs) and penetration tests (pen tests) have long been major components of information security programs. This chapter discusses the impact that regulations have had on vulnerability assessment and pen testing, as well as several ways of drafting an information security program to meet an ever-changing business environment. In an effort to address the liabilities associated with credit card theft, credit card companies, beginning with Visa in 2001 with its Cardholder Information Security Program (CISP), began enacting data protection standards governing the processing, transmission, and storage of credit card data. By standardizing the transmission of billing and claims data, the potential for theft and abuse of patient health information (PHI) increased. To lessen this threat, Congress introduced the Health Insurance Portability and Accountability Act (HIPAA) and included safeguards to protect the confidentiality and security of patient data. The Sarbanes-Oxley Act (SOX) has fundamentally changed the business, regulatory, and information technology environments. SOX strengthens internal checks and balances, corporate accountability, and ultimately, corporate financial reporting. Payment Card Industry (PCI), HIPAA, and SOX reflect the first wave of compliance statutes that organizations are subject to. The next wave may include state, and possibly federal, notification and disclosure statutes governing the organization's responsibility to publicly disclose security breaches to its constituents. Drafting an information security program that is modular, flexible, and focused on risk mitigation and common-sense security will go a long way toward tackling the ever-evolving compliance landscape.
Book Chapter