PENETRATION TESTING GUIDE
www.tbgsecurity.com

Table of Contents

What is a penetration test?
What is the difference between Ethical Hacking and other types of hackers and testing I've heard about?
How does a penetration test differ from an automated vulnerability scan?
What are the goals of a penetration test?
Why should we have a penetration test performed?
What should we expect from the penetration testing process?
Is testing disruptive to our environment? Will our systems go down?
How often should we do a penetration test?
How is the scope defined for a penetration test?
What qualifications should the penetration testing team possess?
What documentation should I expect to receive when the testing is complete?
How do we prepare for a penetration test?
We have our website hosted with a third party. Should we test it?
Should we fix all of the vulnerabilities that are reported?
What are typical costs for a penetration test?
How much time is needed to perform a typical penetration test?
Can we do our own penetration testing?
My customer wants to see the results of our penetration test. Should I share the results with outside parties?
What are the different kinds of penetration tests?

What is a penetration test?

A penetration test is a study of the effect of a vulnerability, or a chain of vulnerabilities, against a target or targets. The targets can be systems, networks, applications or people, or any combination of these. During a penetration test we assume the identity of an attacker, attempt to gain unauthorized access and, through a series of attacks, expand our influence over the target of evaluation. A penetration test measures the effectiveness of security controls while remaining flexible enough to adapt as obstacles present themselves.

What is the difference between Ethical Hacking and other types of hackers and testing I've heard about?

The terms Ethical Hacking and Penetration Testing are synonymous. Each refers to a sanctioned assessment of security controls through an active attempt to subvert those controls. Ethical hackers are skilled in the same disciplines as criminal hackers, and leveraging that skill set gives you a hacker's-eye view of your environment. What distinguishes the two is authorization: an ethical hacker works under a written agreement that defines the targets and the rules of engagement.

How does a penetration test differ from an automated vulnerability scan?

The main difference is that penetration tests are adaptive, contextual and multidimensional in approach, whereas vulnerability scans are far less context-aware and non-adaptive. What vulnerability scans lack in context they make up for in comprehensiveness: a scanner checks every host in scope against a large catalogue of known flaws. Scan data made available to a penetration tester provides valuable intelligence that can be turned into more sophisticated attacks than a scan alone could ever reveal. Both are necessary for a truly mature approach.

What are the goals of a penetration test?

The goals of a penetration test are not set in stone but are determined case by case. The penetration tester will meet with the client before the onset of an engagement to gauge the client's goals. At the most rudimentary level the goal is to gain access to some network, system or application in a manner that is covert and that demonstrates a genuine risk to the confidentiality or integrity of sensitive data. If no specific goals are set, we will typically attempt to get in and escalate our influence to that of a Domain Admin (assuming the environment is a Microsoft Active Directory environment).

Why should we have a penetration test performed?

The information security threat landscape is ever evolving, and simple passive methods of protection cannot possibly keep up with new and existing threats. A vulnerability scan is very good at finding known flaws, and anti-virus / anti-malware detection is likewise good at finding known threats, but modern threat actors are very good at exploiting what is not known. Despite an organization's best efforts to implement security controls, those controls are only as good as the sum of their parts, and it is just as easy to misconfigure any one of those parts as it is to configure it properly. The penetration test, in a sense, is looking for that proverbial needle in the haystack. We seek to find the one or two issues within the larger interconnected web of controls and see where each successful exploitation leads. A successful security program is a combination of controls.

Those misconfigurations are out there, and what a professional penetration test will tell you is how well the entire security program, with all of its controls, is positioned to detect and contain these threats when they appear.

What should we expect from the penetration testing process?

A penetration test is deliberately not a choreographed process: the penetration testers do not coordinate each action with the target's staff in advance. Most tasks are subversive and covert in nature, and they stay that way so that the test reflects how a real attacker would behave. If the target is an internal network, a staged system (a dropbox) is typically deployed. This can be done covertly as part of a physical penetration test, or the customer can place the system on the network before the test begins. Testing will commence, and once all testing activities are completed, reports will be generated and delivered to the customer. There will typically be a debriefing and a chance for customer comments. Any changes to the draft reports will be made and the final reports delivered. Sometimes penetration testers will be asked to validate corrective actions, and sometimes a customer might commission a full retest after a mitigation plan has been executed.

Is testing disruptive to our environment? Will our systems go down?

Because penetration testing is largely a manual process, the penetration tester has full control of what is done within the target of evaluation. It is generally not useful to a penetration tester to introduce a denial of service condition, since one of the primary goals of a penetration test is to be covert. The penetration test alone is extremely unlikely to cause any service disruption unless the client decides to include denial of service as part of the testing parameters, which is extremely rare. Fragile or legacy systems should still be identified during scoping so that the tester can handle them with care.

How often should we do a penetration test?

Network and application penetration tests are typically performed at least once a year. Certain information security standards call for testing more often: after major changes within the network, after application upgrades, or when infrastructure or architecture changes significantly (see PCI DSS requirement 11.3). Additionally, many of our customers require that any newly acquired software be tested before it is put into production. This includes cloud-based SaaS and PaaS applications. This is a very important point, since much of our sensitive data is moving into the cloud. That move might shift some responsibility to the provider, but it does not automatically remove the threats to the asset, and it might even introduce new ones.

How is the scope defined for a penetration test?

Scope is mutually agreed upon between the client and the penetration tester and can vary significantly in size, from a single system to one network or a number of networks. The scope will be contingent on the goals the client has set for the penetration test.

What qualifications should the penetration testing team possess?

Penetration testing teams should span multiple disciplines, but most commonly a strong networking and programming background is necessary to achieve the desired results. Much of what separates a good penetration test from a mediocre one is mindset. A penetration tester has a unique perspective when presented with a set of facts: most people see what is meant to be seen, while the penetration tester sees what is there but hidden. Since these soft skills are hard to quantify, it is necessary to interview the penetration tester to gain a feel for the breadth of his or her experience. Check their resume and their references before you buy.

What documentation should I expect to receive when the testing is complete?

At a minimum the penetration tester should deliver an executive summary of findings, which includes an overview of what was accomplished and what major issues, if any, were uncovered. This should be followed by a detailed report that describes each issue uncovered, gives a risk rating for each issue with the context explaining how that rating was chosen, and clearly outlines the recommended corrective action. A full walkthrough of the penetration exercise should be included where relevant. Additional reports are often delivered to support the findings in the summary reports; for instance, it is common to run vulnerability scans during a penetration test, and those scan reports might be delivered under separate cover. Each finding should carry enough detail (affected host or URL, the request or steps used, and evidence) that your own staff can reproduce it and later confirm the fix.

How do we prepare for a penetration test?

How much or how little you prepare for a penetration test will again depend on the goals and scope defined for the specific test. We typically recommend that you use the penetration test to validate your incident preparedness, so the less you prepare the better. That said, some tests certainly call for more preparation. For instance, if the target is a web application, accounts will need to be provisioned, and it probably makes sense to provide a demonstration of the application's functionality.

We have our website hosted with a third party. Should we test it?

Unequivocally yes! The fact that the web site is hosted by a third party means that there are potential threats outside of your control. What if an attacker could access the web server's management interface? Without question you should test your hosted applications. Coordinate with the hosting provider first: most require advance notice or written authorization before their infrastructure is tested, and the test must stay within the systems you are entitled to have tested.

Should we fix all of the vulnerabilities that are reported?

All vulnerabilities should be addressed. Every identified issue carries a degree of risk. We attempt to apply as much relevant context as possible to each finding, and high-risk issues should certainly be addressed expeditiously. Sometimes there are a large number of findings, particularly when automated vulnerability scans are run as part of the penetration test. Once you receive all of your reports, a mitigation plan should be put in place, and each reported vulnerability should be addressed as part of that plan. For any vulnerability there are only five possible ways to address the issue: (1) apply a vendor patch, (2) reconfigure a piece of software, (3) turn the affected service or server off, (4) apply a mitigating control (such as a firewall) to reduce the risk, or (5) simply choose to accept the risk (which in some cases might be a perfectly reasonable option, provided the acceptance is documented and signed off by the owner of the risk).

What are typical costs for a penetration test?

The cost of penetration testing varies greatly. A number of factors determine pricing, including but not limited to the scope of the project, the size of the environment, the quantity of systems and the frequency of testing. It is critical to have a detailed scoping meeting to produce a very clear understanding of the needs and to develop a statement of work before engaging any penetration test. Ideally a penetration test should be performed on a fixed-fee basis to eliminate unexpected costs or unplanned expenditures. The quoted fee should include all labor and required testing tools. Statements of work that only provide estimates of the work effort should not be entertained.

How much time is needed to perform a typical penetration test?

Adequate time should be reserved in advance of testing for planning activities. Additional time should be allocated after testing for report development and subsequent review meetings, including remediation discussions. The entire effort varies greatly based on the size and complexity of the penetration test: the larger or more complex the environment, the more effort is required. The duration of the test itself, however, is very controllable, and it should be compressed to ensure a good, representative view of the environment at a given point in time. Generally speaking, two to four weeks is a good estimate for the duration of the entire engagement from planning through delivery.

Can we do our own penetration testing?

Typically no, but it is not inconceivable. Many large organizations such as major banks and government agencies do their own internal penetration testing (often called Red Team testing or Red Team / Blue Team testing), but these organizations typically have information security budgets in excess of $1,000,000, and even they will often augment their staff with third-party tests to gain a fresh perspective from time to time. The decision to insource or outsource the penetration test function typically comes down to whether you have qualified individuals on staff to perform the test. Professional penetration testers carry the burden of remaining current with modern attack techniques, which typically requires penetration testing to be a full-time job, so to successfully conduct insourced penetration tests it is usually best to have dedicated staff whose only job is offensive security.

My customer wants to see the results of our penetration test. Should I share the results with outside parties?

The penetration test can be a very powerful marketing tool. It shows your sense of due diligence and can often help ease concerns your customers might have about cyber security. There is heightened public awareness of cyber threats; hardly a day goes by without a high-profile news story involving some sort of cyber crime. Whether to disclose the results of a penetration test is ultimately a business decision, but if you do decide to provide a copy of the findings, the penetration testing firm should provide an executive summary that is high-level enough to be presented to interested third parties without disclosing any sensitive information. The detailed report, with hosts, credentials and working attack paths, should stay internal, at least until the findings have been fixed and retested.

What are the different kinds of penetration tests?

There are several different flavors of penetration test, and each addresses different threats.

External Network Penetration Test

External network penetration tests focus on the exposed network perimeter. This is typically the best-defended part of the environment, as it is exposed to everyone on the Internet, and a weakness here could expose the internal network to attack. Perimeter networks must be fully protected at all times, as they are under constant pressure from adversaries. The goal of the external network penetration test is typically to gain a foothold inside the DMZ or corporate network, or to find some method of exfiltrating data via the services exposed to the Internet.

Internal Network Penetration Test

The internal penetration test focuses on simulating the risk a rogue system would pose to the enterprise. The simulation typically employs a dropbox (an unsanctioned computer with a large toolset on it), and it also models the exposure to a sophisticated piece of malware or an advanced persistent threat that has gained a foothold inside. The goal of the internal penetration test is to find weaknesses at the network or host level that will allow the penetration tester to establish command and control and ultimately gain full administrative rights over the networks and the systems on them.

Application Penetration Test

Application penetration tests look at the controls of an application (typically a web application) that houses sensitive information. When testing an application the penetration tester will assess how authentication and authorization are handled, and how the application maintains session management and tenant segregation. Logic flaws will be identified and tested along with common web-based attack vectors such as injection flaws and buffer overruns. Finally, a review of the web server itself will typically be included, with specific emphasis on attacks against any content management software that might be exposed. Testing web applications typically requires two or more sets of credentials (for example, accounts in different roles or in different tenants) and careful coordination with the application custodians before, and sometimes during, the test.
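To make the authorization and tenant-segregation checks above concrete, here is an added example in Python of the kind of check a tester runs once two sets of credentials are in hand: every record visible to one account is requested again with the other account's session, and any success is a finding. This is illustrative code written for this guide, not TBG Security's tooling or any product. The application is a constructed in-memory stand-in for a real web application, with a deliberately vulnerable lookup beside a fixed one, so that the harness runs offline; the names ToyApp and tenant_isolation_findings, the session tokens and the tenant data are all assumptions made for the illustration.

```python
"""Horizontal-authorization (tenant segregation) check.

Constructed example: a toy in-memory application stands in for the real
web application so that the harness runs offline. In a real engagement
get_record would issue an authenticated HTTP request instead.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample data: two tenants, each with records it owns.
TENANT_RECORDS: Dict[str, Dict[str, str]] = {
    "acme": {"inv-1001": "ACME invoice", "inv-1002": "ACME invoice"},
    "globex": {"inv-2001": "Globex invoice"},
}

# Constructed session tokens, as the tester would hold them after logging
# in with each provisioned set of credentials (one per tenant).
SESSIONS: Dict[str, str] = {"tok-acme": "acme", "tok-globex": "globex"}


@dataclass
class ToyApp:
    """Minimal stand-in for a multi-tenant web application."""
    enforce_owner: bool  # False = vulnerable lookup, True = fixed lookup
    records: Dict[str, Dict[str, str]] = field(default_factory=lambda: TENANT_RECORDS)
    sessions: Dict[str, str] = field(default_factory=lambda: dict(SESSIONS))

    def list_records(self, token: str) -> List[str]:
        """Record IDs the authenticated tenant legitimately owns."""
        tenant = self.sessions[token]
        return sorted(self.records[tenant])

    def get_record(self, token: str, record_id: str) -> Tuple[int, Optional[str]]:
        """Return (status, body) the way an HTTP handler would.

        Vulnerable version: looks the record up by ID alone, so any
        authenticated user can read any tenant's record (an IDOR).
        Fixed version: scopes the lookup to the caller's own tenant.
        """
        tenant = self.sessions.get(token)
        if tenant is None:
            return 401, None
        if self.enforce_owner:
            scope = self.records[tenant]
        else:
            scope = {rid: body for t in self.records.values() for rid, body in t.items()}
        if record_id not in scope:
            return 404, None
        return 200, scope[record_id]


def tenant_isolation_findings(app: ToyApp, tokens: List[str]) -> List[Tuple[str, str, str]]:
    """Cross-tenant access check.

    For every ordered pair of sessions (victim, attacker), enumerate the
    victim's records through its own session, then request each one with
    the attacker's session. A 200 for a record the attacker does not own
    is a finding, recorded as (attacker_tenant, victim_tenant, record_id).
    """
    findings: List[Tuple[str, str, str]] = []
    for victim in tokens:
        owned = app.list_records(victim)
        for attacker in tokens:
            if attacker == victim:
                continue
            for rid in owned:
                status, _ = app.get_record(attacker, rid)
                if status == 200:
                    findings.append((app.sessions[attacker], app.sessions[victim], rid))
    return findings


if __name__ == "__main__":
    tokens = list(SESSIONS)
    for label, app in (("vulnerable", ToyApp(enforce_owner=False)),
                       ("fixed", ToyApp(enforce_owner=True))):
        hits = tenant_isolation_findings(app, tokens)
        print(f"{label}: {len(hits)} cross-tenant read(s)")
        for attacker, victim, rid in hits:
            print(f"  {attacker} read {victim}'s {rid}")
```

Against the vulnerable lookup the harness reports three cross-tenant reads (two ACME invoices read with the Globex session, one Globex invoice read with the ACME session); against the fixed lookup it reports none. The same loop structure carries over to a real target by replacing get_record with an authenticated HTTP request and list_records with whatever listing endpoint the application exposes, which is why the engagement needs at least one working account per tenant or role.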

Physical Penetration Test

During a physical penetration test the penetration tester will attempt to gain unauthorized access to an office space, with the goal of testing physical controls such as doors, windows, security personnel and physical network connections. The ultimate goal of the physical test is to install some device that can then be accessed externally and used to initiate network and system attacks against the internal network; basically, the goal is to place the dropbox that can then be used to conduct the internal network penetration test.

Social Engineering Test

A social engineering test is an attempt to attack the weakest link in the information security program: the user. During a social engineering test several methods could be deployed either to gain the trust of a user or simply to trick them into doing something they should never do. The social engineering test is really a test of the corporate security awareness initiative. Some vectors of attack include phishing emails, spear-phishing emails, spoofing, phone calls and USB drops. The goal of a social engineering campaign is typically to trick one or more users into relinquishing their credentials or to get them to click and install malware. NOTE: malware is typically not installed; instead, click-through rates are monitored.

OUR TEAM OF ETHICAL HACKERS WILL SHOW YOU WHERE YOUR VULNERABILITIES ARE, WHETHER IT'S AT THE NETWORK OR APPLICATION LAYER. OUR TEAM HAS YEARS OF EXPERIENCE SUCCESSFULLY HACKING THE MOST COMPLEX SYSTEMS AND NETWORKS.


More information

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business 6 Six Essential Elements of Web Application Security Cost Effective Strategies for Defending Your Business An Introduction to Defending Your Business Against Today s Most Common Cyber Attacks When web

More information

Top 20 Critical Security Controls

Top 20 Critical Security Controls Top 20 Critical Security Controls July 2015 Contents Compliance Guide 01 02 03 04 Introduction 1 How Rapid7 Can Help 2 Rapid7 Solutions for the Critical Controls 3 About Rapid7 11 01 INTRODUCTION The Need

More information

Vulnerability management lifecycle: defining vulnerability management

Vulnerability management lifecycle: defining vulnerability management Framework for building a vulnerability management lifecycle program http://searchsecurity.techtarget.com/magazinecontent/framework-for-building-avulnerability-management-lifecycle-program August 2011 By

More information

PCI Compliance Updates

PCI Compliance Updates PCI Compliance Updates E-Commerce / Cloud Security Adam Goslin, Chief Operations Officer AGoslin@HighBitSecurity.com Direct: 248.388.4328 PCI Guidance Google: PCI e-commerce guidance https://www.pcisecuritystandards.org/pdfs/pci_dss_v2_ecommerce_guidelines.pdf

More information

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers. Employee Security Awareness Survey Trenton Bond trent.bond@gmail.com Admin - Version 1.3 Security Awareness One of the most significant security risks that organizations and corporations face today is

More information

Cybersecurity and internal audit. August 15, 2014

Cybersecurity and internal audit. August 15, 2014 Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices

More information

Cyber R &D Research Roundtable

Cyber R &D Research Roundtable Cyber R &D Research Roundtable 2 May 2013 N A T I O N A L S E C U R I T Y E N E R G Y & E N V I R O N M E N T H E A L T H C Y B E R S E C U R I T Y Changing Environment Rapidly Evolving Threat Changes

More information

IoT & INFOSEC: A REPORT FROM THE TRENCHES - AGC IT Conference- July 2015 MIKE.ZUSMAN@CARVESYSTEMS.COM

IoT & INFOSEC: A REPORT FROM THE TRENCHES - AGC IT Conference- July 2015 MIKE.ZUSMAN@CARVESYSTEMS.COM IoT & INFOSEC: A REPORT FROM THE TRENCHES - AGC IT Conference- July 2015 SECURITY IS A PROCESS, NOT A STATE CARVE SYSTEMS LLC MIKE.ZUSMAN@CARVESYSTEMS.COM Carve s Roots (tl;dr)

More information

September 20, 2013 Senior IT Examiner Gene Lilienthal

September 20, 2013 Senior IT Examiner Gene Lilienthal Cyber Crime September 20, 2013 Senior IT Examiner Gene Lilienthal The following presentation are views and opinions of the speaker and does not necessarily reflect the views of the Federal Reserve Bank

More information

2012 North Dakota Information Technology Security Audit Vulnerability Assessment and Penetration Testing Summary Report

2012 North Dakota Information Technology Security Audit Vulnerability Assessment and Penetration Testing Summary Report 2012 North Dakota Information Technology Security Audit Vulnerability Assessment and Penetration Testing Summary Report 28 September 2012 Submitted to: Donald Lafleur IS Audit Manager ND State Auditor

More information

IT Security Testing Services

IT Security Testing Services Context Information Security T +44 (0)207 537 7515 W www.contextis.com E gcloud@contextis.co.uk IT Security Testing Services Context Information Security Contents 1 Introduction to Context Information

More information

Protecting Applications on Microsoft Azure against an Evolving Threat Landscape

Protecting Applications on Microsoft Azure against an Evolving Threat Landscape Protecting Applications on Microsoft Azure against an Evolving Threat Landscape So, your organization has chosen to move to Office 365. Good choice. But how do you implement it? Find out in this white

More information

900 Walt Whitman Road, Suite 304 Melville, NY 11747 Office: 631-230-5100

900 Walt Whitman Road, Suite 304 Melville, NY 11747 Office: 631-230-5100 W E P R O V I D E Cyber Safe Solutions was designed and built from the ground up to help organizations across multiple verticals to defend against modern day attacks. Unlike other security vendors that

More information

BUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM

BUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM Common Gaps in Security Programs Outsourcing highly skilled security resources can be cost prohibitive. Annual assessments don t provide the coverage necessary. Software

More information

SECURITY FIRST: AN ESSENTIAL GUIDE TO PENETRATION TESTING

SECURITY FIRST: AN ESSENTIAL GUIDE TO PENETRATION TESTING WHITE PAPER SMART THINKING. DELIVERED. SECURITY FIRST: AN ESSENTIAL GUIDE TO PENETRATION TESTING WWW.SERVERCHOICE.COM INTRODUCTION Penetration testing, or pen tests, can be a confusing subject for many

More information

Fighting Advanced Threats

Fighting Advanced Threats Fighting Advanced Threats With FortiOS 5 Introduction In recent years, cybercriminals have repeatedly demonstrated the ability to circumvent network security and cause significant damages to enterprises.

More information

Principles of Information Security, Fourth Edition. Chapter 12 Information Security Maintenance

Principles of Information Security, Fourth Edition. Chapter 12 Information Security Maintenance Principles of Information Security, Fourth Edition Chapter 12 Information Security Maintenance Learning Objectives Upon completion of this material, you should be able to: Discuss the need for ongoing

More information

Enterprise Computing Solutions

Enterprise Computing Solutions Business Intelligence Data Center Cloud Mobility Enterprise Computing Solutions Security Solutions arrow.com Security Solutions Secure the integrity of your systems and data today with the one company

More information

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance Produced on behalf of New Net Technologies by STEVE BROADHEAD BROADBAND TESTING 2010 broadband testing and new net technologies

More information

Perspectives on Cybersecurity in Healthcare June 2015

Perspectives on Cybersecurity in Healthcare June 2015 SPONSORED BY Perspectives on Cybersecurity in Healthcare June 2015 Workgroup for Electronic Data Interchange 1984 Isaac Newton Square, Suite 304, Reston, VA. 20190 T: 202-618-8792/F: 202-684-7794 Copyright

More information

Information Security and Continuity Management Information Sharing Portal. Category: Risk Management Initiatives

Information Security and Continuity Management Information Sharing Portal. Category: Risk Management Initiatives Information Security and Continuity Management Information Sharing Portal Category: Risk Management Initiatives Contact: Chip Moore, CISO State of North Carolina Office of Information Technology Services

More information

Top Five Ways to Protect Your Network. A MainNerve Whitepaper

Top Five Ways to Protect Your Network. A MainNerve Whitepaper A MainNerve Whitepaper Overview The data security challenges within the business world have never been as challenging as they are today. Not only must organizations providers comply with stringent State

More information

Who Controls Your Information in the Cloud?

Who Controls Your Information in the Cloud? Who Controls Your Information in the Cloud? threat protection compliance archiving & governance secure communication Contents Who Controls Your Information in the Cloud?...3 How Common Are Information

More information

Enterprise Cybersecurity: Building an Effective Defense

Enterprise Cybersecurity: Building an Effective Defense Enterprise Cybersecurity: Building an Effective Defense Chris Williams Oct 29, 2015 14 Leidos 0224 1135 About the Presenter Chris Williams is an Enterprise Cybersecurity Architect at Leidos, Inc. He has

More information

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation www.lumeta.

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation www.lumeta. Why Leaks Matter Leak Detection and Mitigation as a Critical Element of Network Assurance A publication of Lumeta Corporation www.lumeta.com Table of Contents Executive Summary Defining a Leak How Leaks

More information

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001 001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110

More information

Cyber Security. A professional qualification awarded in association with University of Manchester Business School

Cyber Security. A professional qualification awarded in association with University of Manchester Business School ICA Advanced Certificate in Cyber Security A professional qualification awarded in association with University of Manchester Business School An Introduction to the ICA Advanced Certificate In Cyber Security

More information

Incident Response 101: You ve been hacked, now what?

Incident Response 101: You ve been hacked, now what? Incident Response 101: You ve been hacked, now what? Gary Perkins, MBA, CISSP Chief Information Security Officer (CISO) Information Security Branch Government of British Columbia Agenda: threat landscape

More information

Guideline on Vulnerability and Patch Management

Guideline on Vulnerability and Patch Management CMSGu2014-03 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Vulnerability and Patch Management National Computer Board

More information

By John Pirc. THREAT DETECTION HAS moved beyond signature-based firewalls EDITOR S DESK SECURITY 7 AWARD WINNERS ENHANCED THREAT DETECTION

By John Pirc. THREAT DETECTION HAS moved beyond signature-based firewalls EDITOR S DESK SECURITY 7 AWARD WINNERS ENHANCED THREAT DETECTION THE NEXT (FRONT) TIER IN SECURITY When conventional security falls short, breach detection systems and other tier 2 technologies can bolster your network s defenses. By John Pirc THREAT HAS moved beyond

More information

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND Introduction > New security threats are emerging all the time, from new forms of malware and web application exploits that target

More information

Integrated Threat & Security Management.

Integrated Threat & Security Management. Integrated Threat & Security Management. SOLUTION OVERVIEW Vulnerability Assessment for Web Applications Fully Automated Web Crawling and Reporting Minimal Website Training or Learning Required Most Accurate

More information

Cloud Assurance: Ensuring Security and Compliance for your IT Environment

Cloud Assurance: Ensuring Security and Compliance for your IT Environment Cloud Assurance: Ensuring Security and Compliance for your IT Environment A large global enterprise has to deal with all sorts of potential threats: advanced persistent threats (APTs), phishing, malware

More information

Internal audit of cybersecurity. Presentation to the Atlanta IIA Chapter January 2015

Internal audit of cybersecurity. Presentation to the Atlanta IIA Chapter January 2015 Internal audit of cybersecurity Presentation to the Atlanta IIA Chapter January 2015 Agenda Executive summary Why is this topic important? Cyber attacks: increasing complexity arket insights: What are

More information

Secure Web Applications. The front line defense

Secure Web Applications. The front line defense Secure Web Applications The front line defense Agenda Web Application Security Threat Overview Exploiting Web Applications Common Attacks & Preventative techniques Developing Secure Web Applications -Security

More information

8 ELEMENTS OF COMPLETE VULNERABILITY MANAGEMENT.

8 ELEMENTS OF COMPLETE VULNERABILITY MANAGEMENT. 8 ELEMENTS OF COMPLETE VULNERABILITY MANAGEMENT. INTRODUCTION It used to be so simple. The threat was hackers. Their method was burrowing into your network through open ports on your firewall or exploiting

More information

Passing PCI Compliance How to Address the Application Security Mandates

Passing PCI Compliance How to Address the Application Security Mandates Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These

More information

WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION

WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION Table of Contents Executive Summary...3 Vulnerability Scanners Alone Are Not Enough...3 Real-Time Change Configuration Notification is the

More information

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Seven Things To Consider When Evaluating Privileged Account Security Solutions Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?

More information

IT Risk Management: Guide to Software Risk Assessments and Audits

IT Risk Management: Guide to Software Risk Assessments and Audits IT Risk Management: Guide to Software Risk Assessments and Audits Contents Overview... 3 Executive Summary... 3 Software: Today s Biggest Security Risk... 4 How Software Risk Enters the Enterprise... 5

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

Cyber/IT Risk: Threat Intelligence Countering Advanced Adversaries Jeff Lunglhofer, Principal, Booz Allen. 14th Annual Risk Management Convention

Cyber/IT Risk: Threat Intelligence Countering Advanced Adversaries Jeff Lunglhofer, Principal, Booz Allen. 14th Annual Risk Management Convention Cyber/IT Risk: Threat Intelligence Countering Advanced Adversaries Jeff Lunglhofer, Principal, Booz Allen 14th Annual Risk Management Convention New York, New York March 13, 2013 Today s Presentation 1)

More information

Technical Testing. Application, Network and Red Team Testing DATA SHEET. Test your security defenses. Expert Testing, Analysis and Assessments

Technical Testing. Application, Network and Red Team Testing DATA SHEET. Test your security defenses. Expert Testing, Analysis and Assessments DATA SHEET Technical Testing Application, Network and Red Team Testing The Dell SecureWorks Technical Testing services deliver the independent expertise, experience and perspective you need to enhance

More information

Penetration Testing in Romania

Penetration Testing in Romania Penetration Testing in Romania Adrian Furtunǎ, Ph.D. 11 October 2011 Romanian IT&C Security Forum Agenda About penetration testing Examples Q & A 2 What is penetration testing? Method for evaluating the

More information

PCI DSS Overview and Solutions. Anwar McEntee Anwar_McEntee@rapid7.com

PCI DSS Overview and Solutions. Anwar McEntee Anwar_McEntee@rapid7.com PCI DSS Overview and Solutions Anwar McEntee Anwar_McEntee@rapid7.com Agenda Threat environment and risk PCI DSS overview Who we are Solutions and where we can help Market presence High Profile Hacks in

More information

Managing IT Security with Penetration Testing

Managing IT Security with Penetration Testing Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to

More information

Cyber Defense Operation Center (CDOC) Ensuring that Experts are allways watching

Cyber Defense Operation Center (CDOC) Ensuring that Experts are allways watching (CDOC) Ensuring that Experts are allways watching Data Sheet Introduction CyberHat CDOC is an intelligent security operation center; which combines cutting edge technologies and innovative processes ensuring

More information

N4SECURE SERVICES TECHNICAL DESCRIPTION PUBLIC NODE4 LIMITED 25/04/2016

N4SECURE SERVICES TECHNICAL DESCRIPTION PUBLIC NODE4 LIMITED 25/04/2016 N4SECURE SERVICES TECHNICAL DESCRIPTION PUBLIC NODE4 LIMITED 25/04/2016 INTRODUCTION N4Secure is a Threat Intelligence managed service. By monitoring network traffic, server traffic, scanning for internal

More information

Penetration Testing of control systems, is it a good idea?

Penetration Testing of control systems, is it a good idea? SANS Amsterdam, Netherlands September 8, 2008 Penetration Testing of control systems, is it a good idea? Managing Consultant Roelof.Klein@capgemini.com http://www.linkedin.com/in/roelofklein Definition

More information

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits A Clear View of Challenges, Solutions and Business Benefits Introduction Cloud environments are widely adopted because of the powerful, flexible infrastructure and efficient use of resources they provide

More information

Agenda. 1. Do You Need to Be Concerned? 2. What organizations can do to better protect. 3. What you can do personally to better protect. 4.

Agenda. 1. Do You Need to Be Concerned? 2. What organizations can do to better protect. 3. What you can do personally to better protect. 4. Agenda 1. Do You Need to Be Concerned? 2. What organizations can do to better protect 3. What you can do personally to better protect 4. Questions 1 Do You Need to Be Concerned? Video Data from September

More information

Metasploit The Elixir of Network Security

Metasploit The Elixir of Network Security Metasploit The Elixir of Network Security Harish Chowdhary Software Quality Engineer, Aricent Technologies Shubham Mittal Penetration Testing Engineer, Iviz Security And Your Situation Would Be Main Goal

More information

CORE IMPACT AND THE CONSENSUS AUDIT GUIDELINES (CAG)

CORE IMPACT AND THE CONSENSUS AUDIT GUIDELINES (CAG) CORE IMPACT AND THE CONSENSUS AUDIT GUIDELINES (CAG) Extending automated penetration testing to develop an intelligent and cost-efficient security strategy for enterprise-scale information systems CAG

More information

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle A Strategic Approach to Web Application Security The importance of a secure software development lifecycle Rachna Goel Technical Lead Enterprise Technology Web application security is clearly the new frontier

More information