Vulnerability Management
|
|
- Sheila Gilmore
- 8 years ago
- Views:
Transcription
1 Quelle: fotolia Vulnerability Management The early bird catches the worm Dipl.-Ing. Lukas Memelauer, BSc calpana business consulting gmbh Blumauerstraße 43, 4020 Linz 1
2 Agenda Definitions Vulnerability Management Process What/how to prepare for a pen test? CRISAM Process Model CRISAM Vulnerability Knowledge Pack Live-Demo (Tool, Reporting) 2
3 Vulnerability Management / Vulnerability Scanning Definitions Vulnerability scanning consists of using a computer program to identify vulnerabilities in networks, computer infrastructure or applications. Vulnerability management is the process surrounding vulnerability scanning, in which vulnerabilities in IT are identified and the risks of these vulnerabilities are evaluated. This evaluation leads to correcting the vulnerabilities and removing the risk or a formal risk acceptance by the management of an organization (e.g. in case the impact of an attack would be low or the cost of correction does not outweigh possible damages to the organization). source: SANS 3
4 Vulnerability Management Process Increasing growth of cyber-crime and associated risks Important to obtain a continuous overview of vulnerabilities and the associated risks Prevent attackers from boarding networks and stealing information Regular vulnerability scanning ensures faster detection and remediation of new vulnerabilities 5 Steps Preparation Vulnerability scan Define remediating actions Implement remediating actions Rescan 4
5 What to prepare for a vulnerability scan / pen-test? Define objective / goals Limit scope Conclude form of outcome Determine Type of pen test Identify machines, systems, networks, operational requirements, involved staff Coordinate timing and duration of pen test Define emergency procedure Decide third party handling procedure Legally approve pen testers 5
6 How to prepare for a vulnerability scan / pen-test? Institute for Security and Open Methodologies (ISECOM) Common practice to prepare and perform a pen-test A methodology to test the operational security of physical locations, human interactions, and all forms communications such as wireless, wired, analog, and digital. Provide a scientific methodology for the accurate characterization of operational security 6
7 How to prepare for a vulnerability scan / pen-test? By failing to prepare, you are preparing to fail. Benjamin Franklin 7
8 CRISAM Process Model An ISO compliant approach and process model for handling the IT-GRC process Corporate Strategy, General Conditions CONTEXT ESTABLISHMENT Risk Management Policy Risk Strategy and Risk-Target Risk management policy Risk Strategy and Risk-Target SCOPE ANALYSIS Business Impact in the observed Scope Risk Strategy, Risk Models, Risk Inventory, Risk Limits RISK ASSESSMENT Risk Value, Risk Measures Risk Coverage Requirements Risk Policy Risk Strategy and Risk-Target Risk Coverage Requirements Actual Risk Value, Actual Risk Coverage Value RISK CONTROL MEASURE- PLANNING COST-BENEFIT ANALYSIS Target-deviation Action plan, measures prioritization, Cost of Risk, Action plan, Budget, resources, schedules IMPLEMENTATION Implementation projects, Project plans, test steps for action tracking (CRISAM... Corporate Risk Application Method) 8
9 has impact on -> The role of IT in the company s business IT risks impact the companies business processes. Mayor losses rather occur at business level than in IT departments The Company Enterprise Sales Human Resources Finance and Controlling Corporate Services Manufacturing Business-Processes Market of Informationtechnology and Energy Rawmaterial Market Supplier Human Law Resources Capital-Costs Business Risks 9
10 company process model integrity availablitiy confidentiality CRISAM Knowledge Packs Bundled specialist knowledge Structure: components control objectives weightings evaluation guides mappings to critera mappings to sources 10
11 CRISAM Vulnerability Knowledge Pack Content / Sources Addition to OSSTMM v3 Organizational aspects Secure Software Development (e.g. Client- Server Apps) Webserver security Organizational aspects Based on BSI study Secure Software Development Reporting based on the OWASP Secure Coding Practices Quick Reference Guide Webserver security CRISAM RV ÖNORM A7700 Pack 11
12 CRISAM Vulnerability Knowledge Pack Structure Additional components Organizational aspects Secure Software Development Modular design for further components Additional control objectives Reports Compliance report based on OSSTMM v3, OWASP and BSI studies 12
13 Live Demo - Example Scenario A This example is implemented in a CRISAM sample project The department Finance and Controlling delegates a penetration test to a third-party supplier Scope is the application and the server(s) hosting the application Also in the scope is the corporate network To improve the test results the company uses CRISAM to prepare for the test The following component are added: Pen-Test Documents (Pen-Test Organizational) Pen-Test Exchange (Pen-Test Application) Pen-Test Node101, Pen-Test Node102 (Pen-Test Server) Pen-Test Network (Pen-Test Network) 13
14 Live Demo - Example Scenario B This example is implemented in a CRISAM sample project The department Research and Development is developing a tool for internal use and is advised by management to consider security aspects The department uses CRISAM for secure software development The following aspects are relevant: input validation, output encoding, access control, memory management The following component are added: Secure Tool (Individual Development) Input Validation (SSD Input Validation) Output Encoding (SSD Output Encoding) Access Control (SSD Access Control) Memory Management (SSD Memory Management) 14
15 Live Demo - Results / Report This example is implemented in a CRISAM sample project To show where improvements should be made, a Phase 4: Compliance Analysis report for Vulnerability Management can be created. All relevant components are categorized by Penetration Test and Secure Software Development, which makes it easy to show possible improvements 15
16 Key Findings 1. Components for deeper technical analysis 2. Reporting options based on OSSTMM v3, OWASP and BSI studies for optimizing pen-test results 3. CRISAM for pen test preparation - spare yourself a rude awakening! Thank you for your attention! einfach präzise wertorientiert nachvollziehbar calpana business consulting gmbh A-4020 Linz, Blumauerstraße 43 Tel: +43 (732) Copyright
Checklist for Vulnerability Assessment
Checklist for Vulnerability Assessment Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on
More informationSecurity Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014
Security Testing Vulnerability Assessment vs Penetration Testing Gabriel Mihai Tanase, Director KPMG Romania 29 October 2014 Agenda What is? Vulnerability Assessment Penetration Testing Acting as Conclusion
More informationLegal Notice Knowledge Consulting Group All rights reserved 2013
Application Remediation Test Executive Summary Report 10/22/2013 1 Legal Notice Knowledge Consulting Group All rights reserved 2013 This document contains confidential and proprietary information. It is
More informationCRYPTOGEDDON: HEALTH CARE COMPROMISE. Todd Dow, CISA, PMP Founder, cryptogeddon.com @toddhdow, toddhdow@gmail.com
CRYPTOGEDDON: HEALTH CARE COMPROMISE Todd Dow, CISA, PMP Founder, cryptogeddon.com @toddhdow, toddhdow@gmail.com WHAT IS CRYPTOGEDDON? An online scavenger hunt using hacker tools Use infosec tools to solve
More informationNovell. ZENworks Patch Management Design, Deployment and Best Practices. Allen McCurdy Sr. Technical Specialist amccurdy@novell.
Novell ZENworks Patch Management Design, Deployment and Best Practices Steve Broadwell Sr. Solutions Architect sbroadwell@novell.com Allen McCurdy Sr. Technical Specialist amccurdy@novell.com Agenda General
More informationPenetration Testing in Romania
Penetration Testing in Romania Adrian Furtunǎ, Ph.D. 11 October 2011 Romanian IT&C Security Forum Agenda About penetration testing Examples Q & A 2 What is penetration testing? Method for evaluating the
More informationNetwork Test Labs Inc Security Assessment Service Description Complementary Service Offering for New Clients
Network Test Labs Inc Security Assessment Service Description Complementary Service Offering for New Clients Network Test Labs Inc. Head Office 170 422 Richards Street, Vancouver BC, V6B 2Z4 E-mail: info@networktestlabs.com
More informationWEB Penetration Testing
FTA Annual Conference WEB Penetration Testing and Vulnerability Analysis June 10, 2008 Timothy R. Blevins, KDOR Chief Information Officer 1 WEB Penetration Testing What is WEB Penetration Testing? When
More informationThreat landscape how are you getting attacked and what can you do better protect yourself and your e-commerce platform
Threat landscape how are you getting attacked and what can you do better protect yourself and your e-commerce platform Sebastian Zabala Senior Systems Engineer 2013 Trustwave Holdings, Inc. 1 THREAT MANAGEMENT
More informationPenetration Testing - a way for improving our cyber security
OWASP EU Tour Bucharest 2013 The OWASP Foundation http://www.owasp.org Penetration Testing - a way for improving our cyber security Adrian Furtunǎ, PhD, OSCP, CEH adif2k8@gmail.com Copyright The OWASP
More informationThe purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.
This sample report is published with prior consent of our client in view of the fact that the current release of this web application is three major releases ahead in its life cycle. Issues pointed out
More informationIntroduction to Penetration Testing Graham Weston
Introduction to Penetration Testing Graham Weston March 2014 Agenda Introduction and background Why do penetration testing? Aims and objectives Approaches Types of penetration test What can be penetration
More informationWeb Maniac Hacking Trust. Aditya K Sood [adi_ks [at] secniche.org] SecNiche Security
Web Maniac Hacking Trust Aditya K Sood [adi_ks [at] secniche.org] SecNiche Security Disclaimer Web Maniac - Hacking Trust Pentesting web applications in a hacker s way. Attack surface varies from application
More informationBUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM
BUILDING AN OFFENSIVE SECURITY PROGRAM Common Gaps in Security Programs Outsourcing highly skilled security resources can be cost prohibitive. Annual assessments don t provide the coverage necessary. Software
More informationPKF Avant Edge. Penetration Testing. Stevie Heong CISSP, CISA, CISM, CGEIT, CCNP
PKF Avant Edge Penetration Testing Stevie Heong CISSP, CISA, CISM, CGEIT, CCNP What is Penetration Testing (PenTest)? A way to identify vulnerabilities that exists in a system/network that has existing
More informationDemystifying Penetration Testing for the Enterprise. Presented by Pravesh Gaonjur
Demystifying Penetration Testing for the Enterprise Presented by Pravesh Gaonjur Pravesh Gaonjur Founder and Executive Director of TYLERS Information Security Consultant Certified Ethical Hacker (CEHv8Beta)
More informationNEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015
NEXPOSE ENTERPRISE METASPLOIT PRO Effective Vulnerability Management and validation March 2015 KEY SECURITY CHALLENGES Common Challenges Organizations Experience Key Security Challenges Visibility gaps
More informationPentests more than just using the proper tools
Pentests more than just using the proper tools Agenda 1. Information Security @ TÜV Rheinland 2. Penetration testing Introduction Evaluation scheme Security Analyses of web applications Internal Security
More informationPentests more than just using the proper tools
Pentests more than just using the proper tools Agenda 1. Information Security @ TÜV Rheinland 2. Security testing 3. Penetration testing Introduction Evaluation scheme Security Analyses of web applications
More informationThe Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant
THE MARKET LEADER IN IT, SECURITY AND COMPLIANCE SERVICES FOR COMMUNITY FINANCIAL INSTITUTIONS The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant Agenda
More informationITEC441- IS Security. Chapter 15 Performing a Penetration Test
1 ITEC441- IS Security Chapter 15 Performing a Penetration Test The PenTest A penetration test (pentest) simulates methods that intruders use to gain unauthorized access to an organization s network and
More informationBest Practices - Remediation of Application Vulnerabilities
DROISYS APPLICATION SECURITY REMEDIATION Best Practices - Remediation of Application Vulnerabilities by Sanjiv Goyal CEO, Droisys February 2012 Proprietary Notice All rights reserved. Copyright 2012 Droisys
More informationYour company protected against cybercrime
Your company protected against cybercrime SMEs are easy prey for cyber criminals Which entrepreneur doesn t sometimes become aware of the trouble a burglary in his company would cause? Solid locks on doors
More informationNew Zealand Company Six full time technical staff Offices in Auckland and Wellington
INCREASING THE VALUE OF PENETRATION TESTING ABOUT YOUR PRESENTER Brett Moore Insomnia Security New Zealand Company Six full time technical staff Offices in Auckland and Wellington Penetration Testing Web
More informationPenetration Testing and Its Methodologies
Penetration Testing and Its Methodologies By Bhashit Pandya Web Security Researcher Penetration Testing and Methodologies is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
More informationManaged Services For Business FAQ Blue Saffron IT Resource Management
Managed service Vendor evaluation is a process that should not be taken lightly. We thought it useful to publish a number of topics that Blue Saffron regularly discuss during customer engagements. 1. What
More informationKnow your enemy. Class Objectives Threat Model Express. and know yourself and you can fight a hundred battles without disaster.
Know your enemy and know yourself and you can fight a hundred battles without disaster. Sun Tzu Class Objectives Threat Model Express Create quick, informal threat models 2012 Security Compass inc. 2 1
More informationGreat Now We Have to Secure an Internet of Things. John Pescatore SANS Director, Emerging Security Trends @John_Pescatore
Great Now We Have to Secure an Internet of Things John Pescatore SANS Director, Emerging Security Trends @John_Pescatore 1 What the Heck is That?? 2 Different Views of the Internet of Things 3 Different
More informationApplication Security in the Software Development Lifecycle
Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO
More informationResearch Topic: Christian Proschinger (Speaker) Severin Winkler
Research Topic: Collaborative Penetration Testing David Huemer David Huemer Christian Proschinger (Speaker) Severin Winkler Introduction Raiffeisen Informatik Definition Collaborative Penetration Testing
More informationHow To Test For Security On A Network Without Being Hacked
A Simple Guide to Successful Penetration Testing Table of Contents Penetration Testing, Simplified. Scanning is Not Testing. Test Well. Test Often. Pen Test to Avoid a Mess. Six-phase Methodology. A Few
More informationCompliance Services CONSULTING. Gap Analysis. Internal Audit
Compliance Services Gap Analysis The gap analysis is a fast track assessment to establish understanding on an organization s current capabilities. The purpose of this step is to evaluate the current capabilities
More informationHands-On Ethical Hacking and Network Defense - Second Edition Chapter 1. After reading this chapter and completing the exercises, you will be able to:
Objectives After reading this chapter and completing the exercises, you will be able to: Describe the role of an ethical hacker Describe what you can do legally as an ethical hacker Describe what you can
More informationProtecting against cyber threats and security breaches
Protecting against cyber threats and security breaches IBM APT Survival Kit Alberto Benavente Martínez abenaventem@es.ibm.com IBM Security Services Jun 11, 2015 (Madrid, Spain) 12015 IBM Corporation So
More informationReducing Application Vulnerabilities by Security Engineering
Reducing Application Vulnerabilities by Security Engineering - Subash Newton Manager Projects (Non Functional Testing, PT CoE Group) 2008, Cognizant Technology Solutions. All Rights Reserved. The information
More informationProfessional Penetration Testing Techniques and Vulnerability Assessment ...
Course Introduction Today Hackers are everywhere, if your corporate system connects to internet that means your system might be facing with hacker. This five days course Professional Vulnerability Assessment
More informationManaging Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services
Managing Vulnerabilities for PCI Compliance White Paper Christopher S. Harper Managing Director, Agio Security Services PCI STRATEGY Settling on a PCI vulnerability management strategy is sometimes a difficult
More informationPCI Data Security Standard 3.0
SECURELY ENABLING BUSINESS PCI Data Security Standard 3.0 Training Strategies That Work Presented by Doug Hall May 20, 2014 AGENDA PCI DSS 3.0 Training Strategies That Work PCI DSS 3.0 Overview PCI Training
More informationPCI DSS v3.0 Vulnerability & Penetration Testing
6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
More informationGetting software security Right
Getting software security Right Haiyun Xu, Theodoor Scholte April 24 2015 Table of contents 2 I 23 1. Who is SIG? 2. SIG software maintainability model 3. Getting software security Right: security by design
More informationRedhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity.
Planning Guide for Penetration Testing John Pelley, CISSP, ISSAP, MBCI Long seen as a Payment Card Industry (PCI) best practice, penetration testing has become a requirement for PCI 3.1 effective July
More informationApplication Security Testing How to find software vulnerabilities before you ship or procure code
Application Security Testing How to find software vulnerabilities before you ship or procure code Anita D Amico, Ph.D. Hassan Radwan 1 Overview Why Care About Application Security? Quality vs Security
More informationApplication Security 101. A primer on Application Security best practices
Application Security 101 A primer on Application Security best practices Table of Contents Introduction...1 Defining Application Security...1 Managing Risk...2 Weighing AppSec Technology Options...3 Penetration
More informationInformation Technology Security Review April 16, 2012
Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing
More informationBAE Systems PCI Essentail. PCI Requirements Coverage Summary Table
BAE Systems PCI Essentail PCI Requirements Coverage Summary Table Introduction BAE Systems PCI Essential solution can help your company significantly reduce the costs and complexity of meeting PCI compliance
More informationPenetration Testing Services. Demonstrate Real-World Risk
Penetration Testing Services Demonstrate Real-World Risk Penetration Testing Services The best way to know how intruders will actually approach your network is to simulate a real-world attack under controlled
More informationTechnical Testing. Application, Network and Red Team Testing DATA SHEET. Test your security defenses. Expert Testing, Analysis and Assessments
DATA SHEET Technical Testing Application, Network and Red Team Testing The Dell SecureWorks Technical Testing services deliver the independent expertise, experience and perspective you need to enhance
More informationDigital Pathways. Penetration Testing
Penetration Testing inftouch@digitalpathwyas.co.uk Penetration testing, vulnerability tests, assurance projects, ethical hacking it all means broadly the same thing; testing a corporate network to determine
More informationData Security on Every Network Layer. Internet Security Days 2015, Phantasialand Brühl ADVA Optical Networking SE
Data Security on Every Network Layer Internet Security Days 2015, Phantasialand Brühl ADVA Optical Networking SE Agenda Impact of Cyber Crime and Data Theft Financial Service Sector Production Industry
More informationThe need for Security Testing An Introduction to the OSSTMM 3.0
The need for Security Testing An Introduction to the OSSTMM 3.0 Charles W. Fullerton OPST,CISSP,CSS1,CCNP,CCDA,CNA,A+ Founder, CEO Charles W. Fullerton Institute of Analysis www.cia-sec.com The need for
More informationWeb Application security testing: who tests the test?
Web Application security testing: who tests the test? Ainārs Galvāns Application Penetration Tester www.exigenservices.lv About myself Functional testing Leading test group Reporting to client Performance
More informationGuide to Penetration Testing
What to consider when testing your network HALKYN CONSULTING 06 May 11 T Wake CEH CISSP CISM CEH CISSP CISM Introduction Security breaches are frequently in the news. Rarely does a week go by without a
More informationIntroduction Jim Rowland, Senior System Architect and Project Manager Daly
Introduction Jim Rowland, Senior System Architect and Project Manager Daly Stepping Up to Enterprise Vulnerability Management Keren Cummins, Director, Federal and MidAtlantic Markets ncircle Presentation
More informationFeeling Vulnerable? Jamie S. Herman, C CISO, CISM, CISSP Balazs Bucsay, OSCE, OSCP, GIAC, GPEN
Feeling Vulnerable? Jamie S. Herman, C CISO, CISM, CISSP Balazs Bucsay, OSCE, OSCP, GIAC, GPEN Balazs Bucsay A Little About Us Hungarian Hacker 14 years of experience in IT- Security Strictly technical
More informationInformation Security Management. Dipl.-Ing. (FH) Frank Wagner
Information Security Management Dipl.-Ing. (FH) Frank Wagner Agenda Importance of Information Security (IT-Security vs. Information Security) Information Security Policy Information Security Organization
More informationYour customers protected against cybercrime. New commercial opportunities for you
Your customers protected against cybercrime New commercial opportunities for you The vulnerability management solution for SMEs Through ThreadScan ThreadStone offers SMEs optimal security control of systems
More informationVulnerability Scanning & Management
Vulnerability Scanning & Management (An approach to managing the risk level of a vulnerability) Ziad Khalil 1, Mohamed Elammari 2 1 Higher Academy, 2 Rogue Wave Software Ottawa, Canada Abstract Vulnerability
More informationISO 9001 Quality Management System Lead Auditor Training (IRCA)
ISO 9001 Quality Management System Lead Auditor Training (IRCA) Course Description BSI s Quality Management Systems (QMS) Auditor/Lead Auditor Training Course (ISO 9001) course teaches the principles and
More informationThe Protection Mission a constant endeavor
a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring
More informationCyber Security Assessment of Enterprise-Wide Architectures
Cyber Security Assessment of Enterprise-Wide Architectures Mathias Ekstedt, Associate Prof. Industrial Information and Control Systems KTH Royal Institute of Technology Agenda Problem framing Management/design
More informationState of Software Security Report
VOLUME 2 State of Software Security Report The Intractable Problem of Insecure Software Executive Summary September 22, 2010 Software Security Simplified Executive Summary The following are some of the
More informationOWASP Omaha. The Open Web Application Security Project Omaha Chapter
OWASP Omaha The Open Web Application Security Project Omaha Chapter What is OWASP? The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused
More informationSupplier Security Assessment Questionnaire
HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.
More informationGENERATING VALUE WITH CONTINUOUS SECURITY TESTING
GENERATING VALUE WITH CONTINUOUS SECURITY TESTING AND MEASUREMENT A Spire Research Report Sponsored by Core Security Technologies 2010-2011 Spire Security, LLC. All rights reserved. The Value of Continuous
More informationTECHNICAL VULNERABILITY & PATCH MANAGEMENT
INFORMATION SECURITY POLICY TECHNICAL VULNERABILITY & PATCH MANAGEMENT ISO 27002 12.6.1 Author: Owner: Organisation: Document No: Chris Stone Ruskwig TruePersona Ltd SP-12.6.1 Version No: 1.1 Date: 1 st
More informationIBM Innovate 2011. AppScan: Introducin g Security, a first. Bobby Walters Consultant, ATSC bwalters@atsc.com Application Security & Compliance
IBM Innovate 2011 Bobby Walters Consultant, ATSC bwalters@atsc.com Application Security & Compliance AppScan: Introducin g Security, a first June 5 9 Orlando, Florida Agenda Defining Application Security
More informationLooking at the SANS 20 Critical Security Controls
Looking at the SANS 20 Critical Security Controls Mapping the SANS 20 to NIST 800-53 to ISO 27002 by Brad C. Johnson The SANS 20 Overview SANS has created the 20 Critical Security Controls as a way of
More informationInformation Security Office
Information Security Office SAMPLE Risk Assessment and Compliance Report Restricted Information (RI). Submitted to: SAMPLE CISO CIO CTO Submitted: SAMPLE DATE Prepared by: SAMPLE Appendices attached: Appendix
More informationWeak Spots in Enterprise Mobility Management Dennis Schröder
Weak Spots in Enterprise Mobility Management Dennis Schröder Personal details TÜV Informationstechnik GmbH TÜV NORD GROUP Dennis Schröder, M. Sc. IT Security Business Security & Privacy Product Manager
More informationThe Penetration Testing Execution Standard (PTES) Dave Kennedy (ReL1K) http://www.secmaniac.com Twitter: Dave_ReL1K
Changing Social-Engineering an Industry The Penetration Testing Execution Standard (PTES) Dave Kennedy (ReL1K) http://www.secmaniac.com Twitter: Dave_ReL1K Before we start Open discussion Shouldn t be
More informationHow To Manage A System Vulnerability Management Program
System Vulnerability Management Definitions White Paper October 12, 2005 2005 Altiris Inc. All rights reserved. ABOUT ALTIRIS Altiris, Inc. is a pioneer of IT lifecycle management software that allows
More informationExternal Scanning and Penetration Testing in PCI DSS 3.0. Gary Glover, Sr. Director of Security Assessments
External Scanning and Penetration Testing in PCI DSS 3.0 Gary Glover, Sr. Director of Security Assessments About SecurityMetrics Helping organizations comply with mandates, avoid security breaches, and
More informationThe Top Web Application Attacks: Are you vulnerable?
QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding
More informationAcceptance Criteria for Penetration Tests According to PCI DSS
Acceptance Criteria for Penetration Tests According to PCI DSS Requirement 11.3 of the PCI DSS (Version 1.2.1, July 2009) defines the regular performance of penetration tests for all systems in scope as
More informationAUTOMATED PENETRATION TESTING PRODUCTS
AUTOMATED PENETRATION TESTING PRODUCTS Justification and Return on Investment (ROI) EXECUTIVE SUMMARY This paper will help you justify the need for automated penetration testing software and demonstrate
More informationIf you know the enemy and know yourself, you need not fear the result of a hundred battles.
Rui Pereira,B.Sc.(Hons),CIPS ISP/ITCP,CISSP,CISA,CWNA/CWSP,CPTE/CPTC Principal Consultant, WaveFront Consulting Group ruiper@wavefrontcg.com 1 (604) 961-0701 If you know the enemy and know yourself, you
More informationPatch and Vulnerability Management Program
Patch and Vulnerability Management Program What is it? A security practice designed to proactively prevent the exploitation of IT vulnerabilities within an organization To reduce the time and money spent
More informationSecurity solutions White paper. Acquire a global view of your organization s security state: the importance of security assessments.
Security solutions White paper Acquire a global view of your organization s security state: the importance of security assessments. April 2007 2 Contents 2 Overview 3 Why conduct security assessments?
More informationAn Overview of Information Security Frameworks. Presented to TIF September 25, 2013
An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information
More informationPenetration Testing. I.T. Security Specialists. Penetration Testing 1
Penetration I.T. Security Specialists ing 1 about us At Caretower, we help businesses to identify vulnerabilities within their security systems and provide an action plan to help prevent security breaches
More informationStories From the Front Lines: Deploying an Enterprise Code Scanning Program
Stories From the Front Lines: Deploying an Enterprise Code Scanning Program Adam Bixby Manager Gotham Digital Science 10/28/2010 YOUR LOGO HERE Introduction Adam Bixby, CISSP, MS o Manager at Gotham Digital
More informationCyber Security for Competitve Advantage: How SaaS Providers are Transforming their Business
Cyber Security for Competitve Advantage: How SaaS Providers are Transforming their Business The move from internal premises-based apps to the cloud is transforming the way organizations work and how they
More informationHow to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP
How to start a software security initiative within your organization: a maturity based and metrics driven approach Marco Morana OWASP Lead/ TISO Citigroup OWASP Application Security For E-Government Copyright
More informationPerforming Effective Risk Assessments Dos and Don ts
Performing Effective Risk Assessments Dos and Don ts % Gary Braglia Security Specialist GreyCastle Security TCTC March 18, 2013 Introduction Who am I? Why Risk Management? Because you have to Because
More informationOverview of the Penetration Test Implementation and Service. Peter Kanters
Penetration Test Service @ ABN AMRO Overview of the Penetration Test Implementation and Service. Peter Kanters ABN AMRO / ISO April 2010 Contents 1. Introduction. 2. The history of Penetration Testing
More informationPenetration Testing: Lessons from the Field
Penetration Testing: Lessons from the Field CORE SECURITY TECHNOLOGIES SCS SERVICES May 2009 1 Agenda: About me: Alberto Soliño Director of Security Consulting Services at Core Security One of first five
More informationCONTROLLING DATA IN THE CLOUD: OUTSOURCING COMPUTATION WITHOUT OUTSOURCING CONTROL
CONTROLLING DATA IN THE CLOUD: OUTSOURCING COMPUTATION WITHOUT OUTSOURCING CONTROL Paper By: Chow, R; Golle, P; Jakobsson, M; Shai, E; Staddon, J From PARC & Masuoka, R And Mollina From Fujitsu Laboratories
More informationNEW PENETRATION TESTING REQUIREMENTS, EXPLAINED
White Paper NEW PENETRATION TESTING REQUIREMENTS, EXPLAINED The most important clarifications made in the PCI Council s penetration testing informational supplement 2015 SecurityMetrics 1 NEW PENETRATION
More informationSAST, DAST and Vulnerability Assessments, 1+1+1 = 4
SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 Gordon MacKay Digital Defense, Inc. Chris Wysopal Veracode Session ID: Session Classification: ASEC-W25 Intermediate AGENDA Risk Management Challenges
More informationThe reports in this appendix will give you a good idea of what security testers do and how they
DOCUMENTATION FORMS FOR PENETRATION TESTS The reports in this appendix will give you a good idea of what security testers do and how they should present findings to managers and IT personnel. The sample
More informationEC-Council. Program Brochure. EC-Council. Page 1
Program Brochure Page 1 Certified Ethical Hacker Version 7 Revolutionary Product releases the most advanced ethical hacking program in the world. This much anticipated version was designed by hackers and
More informationSecurity and Vulnerability Testing How critical it is?
Security and Vulnerability Testing How critical it is? It begins and ends with your willingness and drive to change the way you perform testing today Security and Vulnerability Testing - Challenges and
More informationBuilding Assurance Into Software Development Life- Cycle (SDLC)
Application Software Assurance Center of Excellence (ASACoE) Building Assurance Into Software Development Life- Cycle (SDLC) James Woody Woodworth Operations Chief, ASACoE & Sean Barnum, Principal Consultant
More informationCourse Outline. Create and configure virtual hard disks. Create and configure virtual machines. Install and import virtual machines.
Server Virtualization with Windows Server Hyper-V and System Centre Duration 5 days Course Code SSM20409 Format Instructor Led Overview This five day course will provide you with the knowledge and skills
More informationProcuring Penetration Testing Services
Procuring Penetration Testing Services Introduction Organisations like yours have the evolving task of securing complex IT environments whilst delivering their business and brand objectives. The threat
More informationVulnerability and Threat Management and Prevention
A1 Vulnerability and Threat Management and Prevention Weston Hecker Security Expert With KLJ Systems Network Analyst/Penetration Tester/President Of Computer Security Association Of North Dakota Slide
More information(Instructor-led; 3 Days)
Information Security Manager: Architecture, Planning, and Governance (Instructor-led; 3 Days) Module I. Information Security Governance A. Introduction to Information Security Governance B. Overview of
More informationPCI DSS Overview and Solutions. Anwar McEntee Anwar_McEntee@rapid7.com
PCI DSS Overview and Solutions Anwar McEntee Anwar_McEntee@rapid7.com Agenda Threat environment and risk PCI DSS overview Who we are Solutions and where we can help Market presence High Profile Hacks in
More informationTop PCI 3.0 Challenges for Chain Merchants. March 11, 2015
Top PCI 3.0 Challenges for Chain Merchants March 11, 2015 Webinar Program Wednesday, March 11, 2015 Presentations 3PM 3:45PM Eastern Questions & Answers 3:45PM 4:00PM Eastern Agenda Cybercrime PCI DSS
More information