{"id":223,"date":"2014-09-03T02:24:35","date_gmt":"2014-09-02T19:24:35","guid":{"rendered":"http:\/\/www.seven-stones.biz\/blog\/?p=223"},"modified":"2014-09-03T02:24:35","modified_gmt":"2014-09-02T19:24:35","slug":"windows-vulnerability-management-a-cheat-sheet","status":"publish","type":"post","link":"https:\/\/www.seven-stones.biz\/blog\/windows-vulnerability-management-a-cheat-sheet\/","title":{"rendered":"Windows Vulnerability Management: A Cheat Sheet"},"content":{"rendered":"

So its been a long time since my last post. In fact it is almost an entire calendar year. But if we ask our delusional\/non-cynical (delete\u00a0as appropriate)\u00a0colleagues, we discover that we should try to look to the positive. The last post was on 10th September 2013. So do not focus on the fact that its nearly 1 year since my last post, focus on the 1 week between this post and the 1 year mark. That is quite something! Remember people: positivity is key. 51 weeks instead of 52. All is good.<\/p>\n

And to make up for the proportional short-fall of pearls of wisdom, I am hereby making freely available<\/strong> <\/em>a spreadsheet I developed: its a compendium of information with regard to Windows 2008 Server vulnerabilities.\u00a0In vulnerability management, the tool (McAfee VM 7.5 in this case, but it could be any tool) produces long lists of vulnerability. Some of these can be false positives. Others will be bona fide. Then, where there is vulnerability, there is risk, and the level of that risk to the business needs to be deduced.<\/p>\n

The response of the organisation to the above-mentioned list of vulnerability is usually an IT response – a collaboration between security and operations, or at least it should be. Security typically is not in a position to deduce the risk and \/ or the remedial actions by themselves. This is where the spreadsheet comes in. All of the information is in one document and the information that is needed to deduce factors such as impact, ease of exploit, risk, false positive, etc…its all there.<\/p>\n

Operating system security checklists are\u00a0as thin on\u00a0the ground (and in their content) as they are critical in the prevention (and also\u00a0detection) world.\u00a0Work in this\u00a0area is seen as boring and unsexy. It doesn’t involve anything that could get\u00a0you a place as a speaker at a Black Hat conference. There is nothing in this realm that involves some\u00a0fanciful breach technique.<\/p>\n

Overall, forget perimeter firewalls and anti-virus – operating system security is now the front line in the battle against unauthorised access<\/em><\/strong>.<\/p>\n

The CIS Benchmarks<\/a>\u00a0are quoted by many as a source of operating system configuration security check items and fair play to the folks at CIS for producing these documents.<\/p>\n

The columns are as such:<\/p>\n