Attackers are winning the battle. The frequency, number, and severity of compromises continue to grow. The enterprise IT environment has become easy to attack as the number of devices, applications, users, and data assets continues to increase. A dominating trend that compounds this issue is the mass migration of valuable assets into cloud-based services, which often puts the enterprise at an unknown or much greater level of risk.
Many enterprises are completely unaware of the growing menace they face, while others have recognized the need to improve the practices and procedures they use to perform risk and vulnerability management. Across the board, enterprises are in a more difficult position than ever when it comes to understanding the risks and vulnerabilities of using cloud services. Giving control of your valuable assets to a third party, losing visibility of those assets, and being unable to test and verify the security and vulnerability status of those assets - as well as facing a host of other cloud-specific vulnerabilities, AKA "the treacherous twelve" threats - puts enterprises in a weakened position.
Our MGT516 course is designed to present students with an effective and comprehensive methodology commonly used to manage the risks and vulnerabilities inherent in an enterprise. Additional emphasis on vulnerability management for those using or planning on using cloud services is provided. Practical step-by-step procedures flow from one phase of the vulnerability management lifecycle to the next. We'll walk through each phase of that lifecycle so that students will be able to accurately recognize and manage the vulnerabilities all along the way.
The course is based on the Prepare, Identify, Assess, Communicate, and Treat (PIACT) Model.
The course first walks students through this model from the perspective of managing vulnerabilities within the enterprise IT environment, ensuring a strong understanding of each phase. We then focus squarely on the risks and vulnerabilities specific to the use of cloud services, beginning by introducing those services and then turning to justifying the business need to use them, vetting the prospective cloud service provider(s), conducting risk/vulnerability assessments, managing cloud use, preparing for the migration of assets into the cloud, implementing the migration process, maintaining assets securely and monitoring them within the cloud, and detecting violations, incidents, and breaches and responding to those loss events.
The course also walks through issues and considerations for cyber liability and data breach insurance, as well as special issues that should be considered within the cloud services agreement.
The primary objective of the course is to help enterprises improve their vision and understanding of the vulnerabilities present in their IT environments, and to develop a straightforward approach to manage those vulnerabilities, avoiding or minimizing unnecessary loss events.
A capstone lab performed on the last day of the course features a business scenario based on an enterprise and its cloud-based environment. The lab requires students to employ their newly developed skills in order to perform prudent vulnerability management of the assets. The case study is then reviewed in class.
Course Syllabus
MGT516.1: Introduction to Enterprise Vulnerability Management: Prepare and Identify Phases
Overview
Day 1 provides an introduction to the elements of risk, the relationships between those elements that produce risk, and those elements that provide indicators of the severity of each risk used to prioritize risk response. After this introduction, we walk through the Prepare, Identify, Assess, Communicate, Treat (PIACT) Model in the enterprise by examining the first two phases.
The Prepare phase describes how an enterprise establishes its framework of governance and its security program. It is within this security program that risk management and vulnerability management practices and procedures are born.
The Identify phase describes the various types of vulnerabilities an enterprise should anticipate, and the tools and techniques used to identify which vulnerabilities exist and where.
CPE/CMU Credits: 6
Topics
Course Introduction
Vulnerability Management Process - Prepare
Vulnerability Management Process - Identify
MGT516.2: Enterprise Vulnerability Management: Assess, Communicate, and Treat Phases
Overview
Day 2 picks up with the Assess, Communicate, and Treat phases of the PIACT Model in the enterprise. The Assess phase shows students how to recognize the severity of the various risks identified in order to prioritize the risks and establish the proper level of response to them. With an understanding of the potential loss expected from a given risk situation, appropriately cost-justified controls can be identified as the basis for the risk report and proposed countermeasures provided to senior management in the Communicate phase for approval. To improve the success of the proposals to management, students are shown how to present the information in terms that management will understand by avoiding technical jargon and speaking in terms of costs, benefits, and return on investment (ROI). The desired outcome of this phase is the approval of multiple security controls that will reduce the vulnerabilities and overall risk levels of the enterprise. With these approvals from management, the Treat phase is initiated, during which the approved controls are acquired and properly implemented.
CPE/CMU Credits: 6
Topics
Vulnerability Management Process - Assess
Vulnerability Management Process - Communicate
Vulnerability Management Process - Treat
MGT516.3: Introduction to Cloud Vulnerability Management: Cloud Services, Prepare, and Identify Phases
Overview
Day 3 begins with an introduction to cloud services, describing the cloud deployment and service models, the various roles of entities in cloud services, statistics of current cloud use, and cloud services based on virtualization technology.
Day 3 then runs through a quick review of the Prepare, Identify, Assess, Communicate, Treat (PIACT) Model for cloud services, followed by cloud-specific elements of vulnerability management for the Prepare and Identify phases. The Prepare phase includes justifying the business need to migrate into the cloud, and choosing an appropriate cloud service provider (CSP). The Identify phase provides the students with a list of new and common cloud-specific vulnerabilities many enterprises have yet to recognize or deal with effectively, as well as techniques used to reveal these new cloud-specific vulnerabilities.
CPE/CMU Credits: 6
Topics
Introduction to Cloud Services
Prepare for Cloud-specific Vulnerability Management
Identify - Cloud-specific Vulnerabilities
MGT516.4: Managing Cloud Vulnerabilities: Assess, Communicate, and Treat Phases
Overview
Day 4 picks up with the Assess, Communicate, and Treat phases of the PIACT Model for cloud services. The Assess phase revisits the procedures used to determine the severity level of the individual cloud-specific vulnerabilities, in part by assessing the security posture of the cloud service provider (CSP) through a review of its policies, industry-recognized certifications, and industry-based best practices and recommendations. Next, the Assess phase reviews the cost-justification procedures used to determine appropriate controls to mitigate or eliminate the vulnerabilities. Two controls that should be considered when planning to migrate assets into the cloud are singled out for review: cyber liability and data breach insurance, and a customized cloud services agreement. The Communicate phase once again pulls the appropriate material into a report to management using the language of business managers - little or no technical jargon, and cost/benefit/ROI statements. The Treat phase includes implementation of the approved cloud-specific vulnerability management controls, along with verification of the performance and effectiveness of these new controls. The Treat phase also includes the careful migration of assets into the cloud and the ongoing maintenance, monitoring, and verification of the performance and effectiveness of controls going forward. Day 4 wraps up with a summary review of the course.
CPE/CMU Credits: 6
Topics
Assess - Cloud-specific Vulnerabilities and Cost-justified Controls
Communicate Findings with Management
Treat - Cloud-specific Vulnerabilities and Approved Controls
Summary
MGT516.5: Managing Vulnerabilities: Capstone Lab Exercise
Overview
Day 5 begins with a review of an enterprise and cloud-based scenario that triggers a case study exercise for the students. Students will work in teams and be required to work through the PIACT Model of performing vulnerability management. The instructor will roam the classroom to provide guidance as needed to keep the teams moving towards acceptable conclusions on the vulnerability management process for the case study. A review of findings and conclusions will follow, allowing each team to present and critique the solutions of the other teams. The instructor will also present a version of an acceptable vulnerability management solution as the course wrap-up.
CPE/CMU Credits: 6