The Penetration Testing Execution Standard (PTES) Dave Kennedy (ReL1K) Twitter: Dave_ReL1K
|
|
- Shannon Parks
- 8 years ago
- Views:
Transcription
1 Changing Social-Engineering an Industry The Penetration Testing Execution Standard (PTES) Dave Kennedy (ReL1K) Twitter: Dave_ReL1K
2 Before we start Open discussion Shouldn t be me driving this presentation Community collaboration Community driven
3 History PTES started officially at ShmooCon 2010 however it was an idea we ve all had for years. Penetration Testing is a fundamental principle in security. Something that is required to mature and advance a security program. Something that s tangible.
4 The Goal Fix Security. Define penetration testing.
5 Not all is wrong Security is actually going better than expected for such a young industry. We have people dedicated to security, this room is filled with people passionate about security. As an immature industry, we have our share of problems.
6 Penetration Testing Who has had a penetration test? Everyones hands should have been raised by now But who here has really had a penetration test?
7 Lets share our thoughts on a pentest Let s go around the room and share thoughts on what is a penetration test. Not a trick question, everyone is right on this.
8 A pentest to me The ability to identify exposures within the organization that represents a true breach simulation and the ability to hinder the companies ability to generate revenue. The baseline analysis of how well the overall security program is functioning and to test the effectiveness of controls. Only true testament to what exposures exist and how to prioritize via risk management on what to remediate.
9 That s just me Others may view it as a way to become compliant with regulations and standards. Others may view it as a way to tactically fix all vulnerabilities found. Others may view it as a way to test controls. Other may view it as a vulnerability scan with validation.
10 But that s just it Going around the room, we may have heard some similar ideas of what a pentest is, but were they all the same? Are they the same in the industry?
11 Welcome to PTES PTES was designed to take industry leaders, people in the field, people just starting off. Listen, learn, and come up with something that identifies what a penetration test is. What is was designed to be, what it should have always been.
12 I m selling this to you.. I am selling this to you. You are the only way PTES will be successful. Through adoption. Think about an industry that s united in its views on how to tackle security issues, fix them. Instead of..
13 GRC
14 APT
15 DLP
16 CIA
17 MSB
18 MSB
19 ISO
20 Things that don t work.
21 They can work The concepts are strong and noble. But they lack the fundamental principles of why we re here. This is my personal opinion and mine only, but we have made an over-convoluted process of all of these terms.. Just for $$
22 Let s go around and discuss how we are doing in security and what s worked and what hasn t.
23 PTES Basics Penetration tests are the only tangible aspects in identifying and prioritizing true risks to the company. Foundational building block to a security program. Each company is different, and thus each penetration test must be different.
24 Methodologies
25 PTES-G Basics Technical guidelines on how to conduct a penetration test. This is more of the living document of the standard. Always needs work and always needs help. Contribute to what you re an expert in.
26 The Standard Draft form and undergoing a lot of work and additions. Sections have been completed. Industry is adding a ton of more things to make it solid. Already being discussed to be integrated into multiple regulatory requirements.
27 What this means A clear standard of what a penetration test is and the language that should be used. Ways for you as an organization or company to sell or procure pentesting services. To truly get to the root cause of a security program versus skimming the surface.
28 What this means (cont) Raises the bar for penetration testers and the dime a dozen ones out there. Hopefully throws out the cheapest bidder (big hope). Establishes criteria and expectations we have to abide by. Changes an industry to where we focus on fixing problems veruss convoluted terms.
29 Lets walk through the standard Phased approach Repeatable Methodical Still keeps true to the hacker mentality
30 Levels of Effort Not every company (99 percent aren t) is ready for a crazy pentest. Varying levels (something we re building into PTES) based on maturity model. Different levels of attackers, right now, noone needs an 0day.
31 Pre-Engagement Interaction This is probably one of the most important elements. Focus on understanding the purpose of the penetration test. What the struggles are of the company and what they need. Ability to gauge the penetration testers and outline what efforts will be performed.
32 Intelligence Gathering Learn about the company. Understand the company. How does it tick? Gather as much information as possible.
33 Threat Modeling Learning our best way to attack the organization.. Is it SE? Web app? Physical? Hugs? Finding the most successful, most impactful, and best route into the company.
34 Vulnerability Analysis After the threat modeling phase, identifying the best vulnerable way to penetrate the infrastructure or company. Identify what exposures exist through manual attack vectors and exploit the best method that will be most impactful to the company. Learn the overall company and attempt to circumvent controls without actually penetrating at this point.
35 Exploitation Precision hit. Targeted. Well thought out. Aimed at impacting the most damage.
36 Post-Exploitation This is where it really counts. Impact the company s ability to generate revenue (see a theme?!) Learn, understand, be careful spend time.
37 Reporting Take everything you ve learned and build something tangible. Don t focus on GRC, BIA, CIA, BCP..focus on the companies overall security program and ways on improving. Get to the root cause, focus less on tactical findings.
38 Think differently I urge you to think differently, to think outside of what you re taught. Throw away the vendor and consulting lingo, bring in common sense. We re trying it and doing it This will, can, and has worked.
39 Adoption It s you. Don t hire someone if they don t adopt PTES. Learn PTES and what you should be asking. Consulting companies: Offer this as an offering. Do something!
40
Social-Engineering. Hacking a mature security program. Strategic Penetration Testing
Social-Engineering Hacking a mature security program Strategic Penetration Testing Dave Kennedy (ReL1K) http://www.secmaniac.com twitter: Dave_ReL1K A Mature Security Program. Companies have invested a
More informationCORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT
CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT How advancements in automated security testing software empower organizations to continuously measure information
More informationHow To Use Powerhell For Security Research
PowerShell David Kennedy (ReL1K) Josh Kelley (Winfang) http://www.secmaniac.com Twitter: dave_rel1k winfang98 About Josh Security Analyst with a Fortune 1000 --- Works with Dave Heavy experience in penetration
More informationThe Social-Engineer Toolkit (SET)
The Social-Engineer Toolkit (SET) Putting the cool back into SE David Kennedy (ReL1K) http://www.secmaniac.com Twitter: Dave_ReL1K Social-Engineering in the 21 st Century Social-Engineering attacks are
More informationHow To Choose the Right Vendor Information you need to select the IT Security Testing vendor that is right for you.
Information you need to select the IT Security Testing vendor that is right for you. Netragard, Inc Main: 617-934- 0269 Email: sales@netragard.com Website: http://www.netragard.com Blog: http://pentest.netragard.com
More informationAre You Ready for PCI 3.1?
Are You Ready for PCI 3.1? Are You Ready for PCI 3.1? If your hotel is not PCI compliant, it should be. Every time a customer hands over their credit card, they trust your hotel to keep their information
More informationHacking your perimeter. Social-Engineering. Not everyone needs to use zero. David Kennedy (ReL1K) http://www.secmaniac.com Twitter: Dave_ReL1K
Hacking your perimeter. Social-Engineering Not everyone needs to use zero days David Kennedy (ReL1K) http://www.secmaniac.com Twitter: Dave_ReL1K About the speaker Wrote the Social-Engineer Toolkit (SET),
More informationNEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015
NEXPOSE ENTERPRISE METASPLOIT PRO Effective Vulnerability Management and validation March 2015 KEY SECURITY CHALLENGES Common Challenges Organizations Experience Key Security Challenges Visibility gaps
More informationMAXIMIZING THE VALUE OF YOUR NETWORK PENETRATION TESTS. Jay Ferron. CEHi, CISSP, CHFIi, C)PTEi, CRISC, CVEi, MCITP, MCSE, MCT, MVP, NSA-IAM
MAXIMIZING THE VALUE OF YOUR NETWORK PENETRATION TESTS Jay Ferron CEHi, CISSP, CHFIi, C)PTEi, CRISC, CVEi, MCITP, MCSE, MCT, MVP, NSA-IAM jferron@interactivesecuritytraining.com blog.mir.net 203-675-8900
More informationSECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING. Presented by: Dave Kennedy Eric Smith
SECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING Presented by: Dave Kennedy Eric Smith AGENDA Penetration Testing by the masses Review of current state by most service providers Deficiencies in
More informationTHE TOP 4 CONTROLS. www.tripwire.com/20criticalcontrols
THE TOP 4 CONTROLS www.tripwire.com/20criticalcontrols THE TOP 20 CRITICAL SECURITY CONTROLS ARE RATED IN SEVERITY BY THE NSA FROM VERY HIGH DOWN TO LOW. IN THIS MINI-GUIDE, WE RE GOING TO LOOK AT THE
More informationBest Practices for Threat & Vulnerability Management. Don t let vulnerabilities monopolize your organization.
Best Practices for Threat & Vulnerability Management Don t let vulnerabilities monopolize your organization. Table of Contents 1. Are You in the Lead? 2. A Winning Vulnerability Management Program 3. Vulnerability
More informationPASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013
2013 PASTA Abstract Process for Attack S imulation & Threat Assessment Abstract VerSprite, LLC Copyright 2013 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
More informationWhy You Need to Test All Your Cloud, Mobile and Web Applications
Why You Need to Test All Your Cloud, Introduction In a recent survey of security executives, more than 70 percent of respondents acknowledged that they are performing vulnerability tests on fewer than
More informationWeb Application security testing: who tests the test?
Web Application security testing: who tests the test? Ainārs Galvāns Application Penetration Tester www.exigenservices.lv About myself Functional testing Leading test group Reporting to client Performance
More informationSocial-Engineering. Adaptive Pentesting. Kevin Mitnick (@kevinmitnick) Dave Kennedy (@Dave_ReL1K) http://mitnicksecurity.com. http://www.secmaniac.
Social-Engineering Adaptive Pentesting Kevin Mitnick (@kevinmitnick) http://mitnicksecurity.com Dave Kennedy (@Dave_ReL1K) http://www.secmaniac.com About Kevin Check out the new book Ghost in the wires
More informationPenetration Testing Services. Demonstrate Real-World Risk
Penetration Testing Services Demonstrate Real-World Risk Penetration Testing Services The best way to know how intruders will actually approach your network is to simulate a real-world attack under controlled
More informationHow To Test For Security On A Network Without Being Hacked
A Simple Guide to Successful Penetration Testing Table of Contents Penetration Testing, Simplified. Scanning is Not Testing. Test Well. Test Often. Pen Test to Avoid a Mess. Six-phase Methodology. A Few
More informationGuide to Penetration Testing
What to consider when testing your network HALKYN CONSULTING 06 May 11 T Wake CEH CISSP CISM CEH CISSP CISM Introduction Security breaches are frequently in the news. Rarely does a week go by without a
More informationRedhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity.
Planning Guide for Penetration Testing John Pelley, CISSP, ISSAP, MBCI Long seen as a Payment Card Industry (PCI) best practice, penetration testing has become a requirement for PCI 3.1 effective July
More informationIs security awareness a waste of time?
Is security awareness a waste of time? New York State Cyber Security Conference June 5, 2013 Scott Gréaux Vice President Product Management and Services, PhishMe, Inc. They are exploiting human vulnerabilities
More informationEliminating Infrastructure Weaknesses with Vulnerability Management
A Guidance Consulting White Paper P.O. Box 3322 Suwanee, GA 30024 678-528-2681 http://www.guidance-consulting.com Eliminating Infrastructure Weaknesses with Vulnerability Management By Guidance Consulting,
More informationPENETRATION TESTING GUIDE. www.tbgsecurity.com 1
PENETRATION TESTING GUIDE www.tbgsecurity.com 1 Table of Contents What is a... 3 What is the difference between Ethical Hacking and other types of hackers and testing I ve heard about?... 3 How does a
More informationVulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War
Vulnerability Risk Management 2.0 Best Practices for Managing Risk in the New Digital War In 2015, 17 new security vulnerabilities are identified every day. One nearly every 90 minutes. This consistent
More informationAn approach to Web Application Penetration Testing. By: Whiskah
An approach to Web Application Penetration Testing By: Whiskah #whiskah Security enthusiast NOT a CI$$P, CIS*, GIAC, MCS*, CCN* NOT Lulzsec or Anonymous :) Don t be confused Vulnerability assessment identify,
More informationPowerShell. It s time to own. David Kennedy (ReL1K) Josh Kelley (Winfang) http://www.secmaniac.com Twitter: dave_rel1k
PowerShell It s time to own. David Kennedy (ReL1K) Josh Kelley (Winfang) http://www.secmaniac.com Twitter: dave_rel1k About Josh Security Analyst with a Fortune 1000 --- Works with Dave Heavy experience
More informationIntelligent Vulnerability Management The Art of Prioritizing Remediation. Phone Conference
Intelligent Vulnerability Management The Art of Prioritizing Remediation An IANS Interactive Phone Conference SUMMARY OF FINDINGS F e b r u a ry 2010 Context Joel Scambray shared IANS point of view on
More information2011 Forrester Research, Inc. Reproduction Prohibited
1 2011 Forrester Research, Inc. Reproduction Prohibited Information Security Metrics Present Information that Matters to the Business Ed Ferrara, Principal Research Analyst July 12, 2011 2 2009 2011 Forrester
More informationTesting Solutions to Tackle Application Security Checkpoint Technologies SQGNE. Jimmie Parson Checkpoint Technologies
Testing Solutions to Tackle Application Security Checkpoint Technologies SQGNE Jimmie Parson Checkpoint Technologies Welcome, Introductions Agenda Checkpoint Technologies Quick Corporate Overview Why do
More informationREPORT. 2015 State of Vulnerability Risk Management
REPORT 2015 State of Vulnerability Risk Management Table of Contents Introduction: A Very Vulnerable Landscape... 3 Security Vulnerabilities by Industry... 4 Remediation Trends: A Cross-Industry Perspective...
More informationCyber Security Management
Cyber Security Management Focusing on managing your IT Security effectively. By Anthony Goodeill With the news cycles regularly announcing a recurrently theme of targets of hacker attacks and companies
More informationHobbled Penetration Testing: The Disconnect Between Testing and Real Attacks
Hobbled Penetration Testing: The Disconnect Between Testing and Real Attacks Jason Wood Principal Security Consultant Secure Ideas Background Info Principal Security Consultant at Secure Ideas Penetration
More informationCybersecurity The role of Internal Audit
Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government
More information2010 State of Virtualization Security Survey
2010 State of Virtualization Security Survey Current opinions, experiences and trends on the strategies and solutions for securing virtual environments 8815 Centre Park Drive Published: April, 2010 Columbia
More informationCybersecurity: A View from the Boardroom
An Executive Brief from Cisco Cybersecurity: A View from the Boardroom In the modern economy, every company runs on IT. That makes security the business of every person in the organization, from the chief
More informationPut into test the security of an environment and qualify its resistance to a certain level of attack.
Penetration Testing: Comprehensively Assessing Risk What is a penetration test? Penetration testing is a time-constrained and authorized attempt to breach the architecture of a system using attacker techniques.
More informationBUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM
BUILDING AN OFFENSIVE SECURITY PROGRAM Common Gaps in Security Programs Outsourcing highly skilled security resources can be cost prohibitive. Annual assessments don t provide the coverage necessary. Software
More informationSeven Practical Steps to Delivering More Secure Software. January 2011
Seven Practical Steps to Delivering More Secure Software January 2011 Table of Contents Actions You Can Take Today 3 Delivering More Secure Code: The Seven Steps 4 Step 1: Quick Evaluation and Plan 5 Step
More informationPenetration Testing and Its Methodologies
Penetration Testing and Its Methodologies By Bhashit Pandya Web Security Researcher Penetration Testing and Methodologies is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
More informationIT audit updates. Current hot topics and key considerations. IT risk assessment leading practices
IT audit updates Current hot topics and key considerations Contents IT risk assessment leading practices IT risks to consider in your audit plan IT SOX considerations and risks COSO 2013 and IT considerations
More informationThreat Intelligence Pty Ltd info@threatintelligence.com 1300 809 437. Specialist Security Training Catalogue
Threat Intelligence Pty Ltd info@threatintelligence.com 1300 809 437 Specialist Security Training Catalogue Did you know that the faster you detect a security breach, the lesser the impact to the organisation?
More informationAppalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2
Report No. 13-35 September 27, 2013 Appalachian Regional Commission Table of Contents Results of Evaluation... 1 Areas for Improvement... 2 Area for Improvement 1: The agency should implement ongoing scanning
More informationTechnical Testing. Application, Network and Red Team Testing DATA SHEET. Test your security defenses. Expert Testing, Analysis and Assessments
DATA SHEET Technical Testing Application, Network and Red Team Testing The Dell SecureWorks Technical Testing services deliver the independent expertise, experience and perspective you need to enhance
More informationRISK IDENTIFY SECURITY RISKS SERVICE CORE
BE FREE BE FREE OF RISK IDENTIFY SECURITY RISKS SERVICE CORE TALK TO OUR EXPERTS 1.877.222.8615 www.bestit.com Copyright 2013 BestIT.com Inc. IDENTIFY SECURITY RISKS Internal Governance Vulnerability Assessment
More informationENTERPRISE INFORMATION SECURITY
ANNUAL PLANNING TO OPTIMIZE ENTERPRISE INFORMATION SECURITY 60 Commerce Street, Suite 1100 Montgomery, AL 36104 USA www.icsinc.com T: 877.ICS.INC9 / 334.270.2892 F: 334.270.2896 info@icsinc.com A vital
More informationFighting Off an Advanced Persistent Threat & Defending Infrastructure and Data. Dave Shackleford February, 2012
Fighting Off an Advanced Persistent Threat & Defending Infrastructure and Data Dave Shackleford February, 2012 Agenda Attacks We ve Seen Advanced Threats what s that mean? A Simple Example What can we
More informationContinuous Penetration Testing
Continuous Penetration Testing SyCom Technologies 1.0 Continuous Penetration Testing Imagine a service that continuously monitors and reports on any new threats that emerge real time and provides a tactical
More informationWhat is Penetration Testing?
White Paper What is Penetration Testing? An Introduction for IT Managers What Is Penetration Testing? Penetration testing is the process of identifying security gaps in your IT infrastructure by mimicking
More informationA Penetration Testing Maturity and Scoring Model
A Penetration Testing Maturity and Scoring Model SESSION ID: TECH-W02 Dave Shackleford Founder & Principal Consultant Voodoo Security @daveshackleford Introduction Most organizations conduct some variety
More informationCautela Labs Cloud Agile. Secured.
Cautela Labs Cloud Agile. Secured. Vulnerability Management Scanning and Assessment Service Vulnerability Management Services New network, application and database vulnerabilities emerge every day. Because
More informationPart Banker. Part Geek. All Security & Compliance.
Part Banker. Part Geek. All Security & Compliance. Your IT Security Assessment......begins with Vulnerability Scanning to identify and classify security weaknesses in your IT network. We look for weaknesses
More informationProcuring Penetration Testing Services
Procuring Penetration Testing Services Introduction Organisations like yours have the evolving task of securing complex IT environments whilst delivering their business and brand objectives. The threat
More informationContinuous Network Monitoring
Continuous Network Monitoring Eliminate periodic assessment processes that expose security and compliance programs to failure Continuous Network Monitoring Continuous network monitoring and assessment
More informationAvoiding the Top 5 Vulnerability Management Mistakes
WHITE PAPER Avoiding the Top 5 Vulnerability Management Mistakes The New Rules of Vulnerability Management Table of Contents Introduction 3 We ve entered an unprecedented era 3 Mistake 1: Disjointed Vulnerability
More information5 TIPS FOR MAXIMIZING THE VALUE OF YOUR SECURITY ASSESSMENT
5 5 TIPS FOR MAXIMIZING THE VALUE OF YOUR SECURITY ASSESSMENT 1 Anatomy of a Security Assessment With data breaches making regular headlines, it s easy to understand why information security is critical.
More informationThe Influence of Software Vulnerabilities on Business Risks 1
The Influence of Software Vulnerabilities on Business Risks 1 Four sources of risk relevant for evaluating the influence of software vulnerabilities on business risks Authors Hilbrand Kramer, MSc (Royal
More informationHow to Justify Your Security Assessment Budget
2BWhite Paper How to Justify Your Security Assessment Budget Building a Business Case For Penetration Testing WHITE PAPER Introduction Penetration testing has been established as a standard security practice
More informationInformation Security Organizations trends are becoming increasingly reliant upon information technology in
DATASHEET PENETRATION TESTING SERVICE Sales Inquiries: sales@spentera.com Visit us: http://www.spentera.com Protect Your Business. Get Your Service Quotations Today! Copyright 2011. PT. Spentera. All Rights
More informationSECURITY FIRST: AN ESSENTIAL GUIDE TO PENETRATION TESTING
WHITE PAPER SMART THINKING. DELIVERED. SECURITY FIRST: AN ESSENTIAL GUIDE TO PENETRATION TESTING WWW.SERVERCHOICE.COM INTRODUCTION Penetration testing, or pen tests, can be a confusing subject for many
More informationESKISP6055.01 Manage security testing
Overview This standard covers the competencies concerning with managing security testing activities. Including managing resources activities and deliverables. This includes planning, conducting and reporting
More informationETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001
001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110
More informationThreat Intelligence: The More You Know the Less Damage They Can Do. Charles Kolodgy Research VP, Security Products
Threat Intelligence: The More You Know the Less Damage They Can Do Charles Kolodgy Research VP, Security Products IDC Visit us at IDC.com and follow us on Twitter: @IDC 2 Agenda Evolving Threat Environment
More informationPayment Card Industry (PCI) Penetration Testing Standard
Payment Card Industry (PCI) Penetration Testing Standard Issued Date: 14 May 2015 Effective Date: 14 May 2015 Purpose This standard outlines penetration-testing requirements for the university's Payment
More informationTHE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT
THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT 2 EXECUTIVE SUMMARY The growth of enterprise-developed applications has made it easier for businesses to use technology to work more efficiently and productively.
More informationHow Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER
WHITE PAPER CHALLENGES Protecting company systems and data from costly hacker intrusions Finding tools and training to affordably and effectively enhance IT security Building More Secure Companies (and
More informationToday s Rundown 1. What is Red Teaming? 2. So it s just an awesome pen test? 3. Nuts & Bolts of Red Teaming 4. Why should we care? 5.
2 3 About Your Trainer Dakota State University faculty member Bank pen testers in a former life Instructor at Secure Banking Solution s Institute (www.protectmybank.com) I m lucky; I don t have a real
More informationIBM QRadar Security Intelligence April 2013
IBM QRadar Security Intelligence April 2013 1 2012 IBM Corporation Today s Challenges 2 Organizations Need an Intelligent View into Their Security Posture 3 What is Security Intelligence? Security Intelligence
More informationImplement Effective Penetration Testing
Implement Effective Penetration Testing Ed Verdurmen Visa - Moderator Navid Jam FireEye Rob Chahin & Kevin Dunn NCC Group Ryan Wakeham & Scott Sutherland netspi August 25, 2015 Notice of Disclaimer The
More informationDigital Infrastructure - A Model For Success
Organizer: BRIDGING BARRIERS: LEGAL AND TECHNICAL OF CYBERCRIME CASES Session 6 : Securing Your Fortress Best practices, standards, techniques and technologies secure your organization from cyber criminals.
More informationIncident Response. Six Best Practices for Managing Cyber Breaches. www.encase.com
Incident Response Six Best Practices for Managing Cyber Breaches www.encase.com What We ll Cover Your Challenges in Incident Response Six Best Practices for Managing a Cyber Breach In Depth: Best Practices
More informationIt s no wonder that a lot of us have a bad taste in our mouth when it comes to penetration testing.
1 As an IT auditor and management consultant, I sometimes have the opportunity to see the penetration test reports which various service providers have given to my clients. What the client often hands
More informationSecurity Services. 30 years of experience in IT business
Security Services 30 years of experience in IT business Table of Contents 1 Security Audit services!...!3 1.1 Audit of processes!...!3 1.1.1 Information security audit...3 1.1.2 Internal audit support...3
More informationKey Cyber Risks at the ERP Level
Key Cyber Risks at the ERP Level Process & Industrial Products (P&IP) Sector December, 2014 Today s presenters Bhavin Barot, Sr. Manager Deloitte & Touche LLP Goran Ristovski, Manager Deloitte & Touche
More informationHow to manage IT Risks and IT Compliance as a Service
How to manage IT Risks and IT Compliance as a Service in complex IS environment The Road Ahead in the Cloud Marek Skalický, CISM, CRISC Regional Account Manager for CAEE For SECURE 2012 Warsaw Agenda IT/Security
More informationDigital Pathways. Penetration Testing
Penetration Testing inftouch@digitalpathwyas.co.uk Penetration testing, vulnerability tests, assurance projects, ethical hacking it all means broadly the same thing; testing a corporate network to determine
More informationThe reports in this appendix will give you a good idea of what security testers do and how they
DOCUMENTATION FORMS FOR PENETRATION TESTS The reports in this appendix will give you a good idea of what security testers do and how they should present findings to managers and IT personnel. The sample
More informationMANAGING CYBER RISK IN THE SUPPLY CHAIN
MANAGING CYBER RISK IN THE SUPPLY CHAIN How.trust simplifies the validation of trusted supply partners Author: Gunter Ollmann, CTO INTRODUCTION In today s highly competitive business world the speed at
More informationAn ICS Whitepaper Choosing the Right Security Assessment
Security Assessment Navigating the various types of Security Assessments and selecting an IT security service provider can be a daunting task; however, it does not have to be. Understanding the available
More informationBREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT
BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT Rashmi Knowles RSA, The Security Division of EMC Session ID: Session Classification: SPO-W07 Intermediate APT1 maintained access to
More informationFive reasons SecureData should manage your web application security
Five reasons SecureData should manage your web application security Introduction: The business critical web From online sales to customer self-service portals, web applications are now crucial to doing
More informationFree Guide: THE FACILITY MANAGER S DISASTER RECOVERY & RESPONSE ROADMAP
Free Guide: THE FACILITY MANAGER S DISASTER RECOVERY & RESPONSE ROADMAP In 2005, as the world surveyed the damage caused by Hurricane Katrina, an oft-overlooked area of impact was the various educational
More information11th AMC Conference on Securely Connecting Communities for Improved Health
11th AMC Conference on Securely Connecting Communities for Improved Health Information Security Testing How Do AMCs Ensure Your Networks are Secure June 22, 2015 Ray Hillen, Dennis Schmidt, Adam Bennett
More informationGovernance, Risk, and Compliance (GRC) White Paper
Governance, Risk, and Compliance (GRC) White Paper Table of Contents: Purpose page 2 Introduction _ page 3 What is GRC _ page 3 GRC Concepts _ page 4 Integrated Approach and Methodology page 4 Diagram:
More informationPanel: SwA Practices - Getting to Effectiveness in Implementation
Panel: SwA Practices - Getting to Effectiveness in Implementation (EMC s Evolution of Product Security Assurance) Dan Reddy, CISSP, CSSLP EMC Product Security Office Software Assurance Forum Gaithersburg,
More informationEXPOSING THE SECURITY WEAKNESSES WE TEND TO OVERLOOK
EXPOSING THE SECURITY WEAKNESSES WE TEND TO OVERLOOK As security analysts we often get asked the question: What threats and vulnerabilities do you expect we will see in the future? This is a very interesting
More informationLeveraging Network and Vulnerability metrics Using RedSeal
SOLUTION BRIEF Transforming IT Security Management Via Outcome-Oriented Metrics Leveraging Network and Vulnerability metrics Using RedSeal november 2011 WHITE PAPER RedSeal Networks, Inc. 3965 Freedom
More informationState of South Carolina Policy Guidance and Training
State of South Carolina Policy Guidance and Training Policy Workshop Small Agency Threat and Vulnerability Management Policy May 2014 Agenda Questions & Follow-Up Policy Workshop Overview & Timeline Policy
More informationPCI Compliance for Healthcare
PCI Compliance for Healthcare Best practices for securing payment card data In just five years, criminal attacks on healthcare organizations are up by a stunning 125%. 1 Why are these data breaches happening?
More informationREAL SECURITY IS DIRTY
REAL SECURITY IS DIRTY INFORMATION SECURITY AND RISK MANAGEMENT ARE PURSUITS OF BRUTAL SELF- REFLECTION. The most logical business decisions come from facing ugly truths. Before any business spends a dime
More informationIntroduction to network penetration testing
Introduction to network penetration testing 25.04.2013, WrUT BAITSE guest lecture Bernhards Blumbergs, CERT.LV Outline Current IT security trends IT Security principles The need for IT security testing
More informationPenetration Testing. I.T. Security Specialists. Penetration Testing 1
Penetration I.T. Security Specialists ing 1 about us At Caretower, we help businesses to identify vulnerabilities within their security systems and provide an action plan to help prevent security breaches
More informationNERC CIP VERSION 5 COMPLIANCE
BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements that are the basis for maintaining
More informationAchieving Information Security
Achieving Information Security Beyond penetration testing and frameworks ISACA Athens Conference 25 November, 2014. All good information security presentations start with a Bruce Schneier quote - Not Bruce
More informationIMPROVING VULNERABILITY MANAGEMENT EFFECTIVENESS WITH APPLICATION SECURITY MONITORING
IMPROVING VULNERABILITY MANAGEMENT EFFECTIVENESS WITH APPLICATION SECURITY How runtime application security monitoring helps enterprises make smarter decisions on remediation 2 ABSTRACT Enterprises today
More informationEnterprise Computing Solutions
Business Intelligence Data Center Cloud Mobility Enterprise Computing Solutions Security Solutions arrow.com Security Solutions Secure the integrity of your systems and data today with the one company
More informationTHE BLIND SPOT IN THREAT INTELLIGENCE THE BLIND SPOT IN THREAT INTELLIGENCE
THE BLIND SPOT IN THREAT INTELLIGENCE THE BLIND SPOT IN THREAT INTELLIGENCE How application threat intelligence can make existing enterprise security infrastructures smarter THE BLIND SPOT IN THREAT INTELLIGENCE
More informationTesting Your Security A Security Testing How To From Someone Who s Likely Broken Into An Organization Just Like Yours
Testing Your Security A Security Testing How To From Someone Who s Likely Broken Into An Organization Just Like Yours Tom Liston Senior Security Consultant InGuardians, Inc. Director InGuardians Labs tom@inguardians.com
More informationSecurity Awareness Campaigns Deliver Major, Ongoing ROI
Security Awareness Campaigns Deliver Major, Ongoing ROI CONTENTS 01 01 02 04 05 06 Introduction The Challenge Immediate Value Evaluating effectiveness Ongoing value Conclusion INTRODUCTION By this point,
More informationPresented by:!!dave Kennedy (RELIK)"!!!!!Ryan Macfarlane "
Presented by:!!dave Kennedy (RELIK)"!!!!!Ryan Macfarlane " Head Tail Hit Driven economy and retail market The limits of inventory The emergence of "everything" Key factors: Declining cost of inventory
More informationCompliance, Security and Risk Management Relationship Advice. Andrew Hicks, Director Coalfire
Compliance, Security and Risk Management Relationship Advice Andrew Hicks, Director Coalfire Housekeeping You may submit questions throughout the webinar using the question area in the control panel on
More information