WEBVTT

00:00.850 --> 00:06.370
A vulnerability assessment is a critical part of any IT infrastructure.

00:06.520 --> 00:12.760
It's not something that we do willy-nilly. You don't just go grab a copy of Nessus and run a security scan

00:12.760 --> 00:14.290
and look for stuff.

00:14.290 --> 00:16.920
Normally this is going to be handled by management.

00:16.990 --> 00:22.900
Management is going to authorize your department to perform vulnerability scans.

00:22.930 --> 00:26.740
Now, these can be done on an annual basis, on a quarterly basis, monthly.

00:26.740 --> 00:30.120
In some organizations it's literally done perpetually.

00:30.130 --> 00:32.210
They never ever turn it off.

00:32.230 --> 00:36.280
So the most important thing that's going to happen with a vulnerability assessment is you're going to

00:36.280 --> 00:37.500
get authorization.

00:37.510 --> 00:43.150
I know in some organizations it's literally required for a manager to provide a signed piece of paper

00:43.150 --> 00:45.290
before they get started with any of this stuff.

00:46.550 --> 00:53.210
Now, once you get that process going, you certainly are going to be using your tools, but you have a couple

00:53.210 --> 00:54.330
of options here.

00:54.350 --> 01:00.950
One of the big options is credentialed versus non-credentialed. A credentialed vulnerability assessment

01:00.980 --> 01:06.530
basically means you've got usernames and passwords for the stuff that's part of your assessment.

01:06.560 --> 01:12.260
So it really gives you more of an insider's view of what's going to be taking place. Non-credentialed, you

01:12.260 --> 01:16.640
don't have usernames and passwords, so you're more seeing it as an outsider.

01:16.640 --> 01:21.980
So both of these assessments are very, very powerful because you definitely see your infrastructure in

01:21.980 --> 01:23.870
two very different ways.

01:23.870 --> 01:29.900
Along with that, you can do an intrusive or a non-intrusive. Almost all vulnerability assessments that

01:29.900 --> 01:32.170
I run into are non-intrusive.

01:32.210 --> 01:37.670
Basically, we're looking at the vulnerabilities: you're scanning the system, you're gathering information,

01:38.000 --> 01:42.650
but you're not actually doing anything with that. You're not actually going,

01:42.660 --> 01:47.750
"Ah, here's a vulnerability in a SQL database, let's corrupt the database," because, as you can imagine,

01:47.750 --> 01:49.280
that might cause trouble.

01:49.280 --> 01:55.640
So generally, when we're talking about vulnerability assessments, we're talking about a non-intrusive

01:55.670 --> 01:56.860
type of event.

01:57.050 --> 01:58.880
So as you're going through there.

01:58.880 --> 02:03.000
Keep in mind what your jobs are. Number one, you're there to identify vulnerabilities.

02:03.080 --> 02:09.170
And as we saw in other episodes, there are nice tools out there that give you a good listing of what

02:09.170 --> 02:11.060
those vulnerabilities are.

02:11.150 --> 02:15.360
Also, along with that, you might want to consider the idea of misconfiguration.

02:15.410 --> 02:22.310
A lot of times a misconfiguration will present a vulnerability in and of itself. Simply, well, for example,

02:22.520 --> 02:27.920
using a default username and password would be a great misconfiguration example; using default IP addresses,

02:27.920 --> 02:29.090
that type of thing.

02:29.770 --> 02:33.970
The challenge you've got to watch out for in your vulnerability assessment more than anything else is

02:33.970 --> 02:41.070
what are known as false positives. A false positive is simply when a vulnerability assessment goes, "Here's

02:41.070 --> 02:41.780
a problem."

02:41.850 --> 02:44.210
And the reality is, it isn't a problem.

02:44.430 --> 02:48.510
It is part and parcel of any good vulnerability assessment tool.

02:48.570 --> 02:53.610
But the more false positives you have that you have to deal with, the less time you have to deal with

02:53.760 --> 02:55.470
real vulnerabilities.

02:55.530 --> 03:00.930
And it's kind of a balancing act between turning your sensors up to the point where you get too many

03:00.930 --> 03:03.120
false positives versus turning them down,

03:03.120 --> 03:04.560
where you miss real problems.

03:04.560 --> 03:11.400
Just be aware of the term false positive. The other interesting thing that takes place during a vulnerability

03:11.400 --> 03:17.250
assessment really has nothing to do with the vulnerabilities. What we're talking about is compliance.

03:17.580 --> 03:24.420
We have all kinds of laws and organizations out there that different people have to deal with when it

03:24.420 --> 03:25.830
comes to compliance.

03:25.830 --> 03:29.360
Probably one of the biggest examples is PCI DSS.

03:29.400 --> 03:37.770
These are the folks who monitor credit card usage, and if you want to be a part of a credit card organization,

03:37.950 --> 03:42.990
if you want to use credit cards, or if you want to sell machinery that uses credit cards, you have to

03:42.990 --> 03:45.450
go through their compliance rules.

03:45.510 --> 03:52.310
Now, it's actually not that big of a deal because a lot of tools, in fact this is where Nessus in particular,

03:52.340 --> 03:53.500
do a great job.

03:53.540 --> 04:00.530
You can take that same vulnerability scanner and you can plug in what's called a PCI DSS compliance

04:00.530 --> 04:01.140
package.

04:01.250 --> 04:05.560
So it's not looking at the National Vulnerability Database anymore.

04:05.570 --> 04:12.620
Instead, what it's looking at is a rule set for PCI DSS compliance, and it can be a very, very powerful

04:12.620 --> 04:13.360
tool.

04:13.370 --> 04:15.770
So when you're going to do a vulnerability assessment.

04:15.830 --> 04:21.470
Just keep in mind that you've got a few basic tools and, for crying out loud, get authorized before you

04:21.470 --> 04:22.540
start anything.
