Physical Security Assessments. Tom Eston Spylogic.net

Size: px
Start display at page:

Download "Physical Security Assessments. Tom Eston Spylogic.net"

Transcription

1 Physical Security Assessments Tom Eston Spylogic.net

2 Topics Convergence of Physical and Logical Assessment Methodologies Planning the Assessment Team Structure Reconnaissance Penetration Phase Walk Through Phase Lessons Learned

3 Penetration Test Definition Simulate the activities of a potential intruder Attempt to gain access without being detected Gain a realistic understanding of a site s security posture

4 Why conduct a physical security assessment? Assess the physical security of a location Test physical security procedures and user awareness Information assets can now be more valuable then physical ones (USB drives, customer info) Risks are changing (active shooters, disgruntled employees) Don t t forget! Objectives of Physical Security: Human Safety Confidentiality Integrity Availability Not limited by the size of an organization!

5 Convergence of Methodologies Network assessment methodology is identical (NIST ): Planning Objective and Scope Discovery Remote and On-site reconnaissance Attack Penetration test and walk through Reporting Final report and lessons learned OSSTMM ( OSSTMM (Open Source Security Testing Methodology Manual)

6 The Security Map Visual display of the security presence Six sections of the OSSTMM Sections overlap and contain elements of all other sections Proper testing of any one section must include the elements of all other sections, direct or indirect * Security Map Pete Herzog, ISECOM

7 Planning the Assessment Critical Tasks What are we trying to protect at the locations(s)? List the critical assets (these can be your objectives if applicable) Rank them (high, medium, low) What are the threats to the locations(s)? Weather, Fire, High Crime Rate, Employee turnover

8 Planning the Assessment Who will conduct the assessment? Third party involvement Team members What is the scope? Process and controls Security awareness- Is the team challenged for ID? Removal of confidential customer information Steal laptop, proprietary information Social engineering included? Target selection Regional location, size of facility, dates (schedule well in advance)

9 Planning the assessment Escalation contact list continued Include in the authorization to test letter Walk through contact (very important) Facility person, security guard, department head They should not know when you are on-site! Do not forgot! The Authorization to Test Letter (aka: Get out of jail free card- literally!)

10 Authorization to Test Letter Example

11 Assessment Team Structure - Identify a team leader! Team Leader Handles all coordination Sets up meetings Central point of contact for feedback and problems Compile and document results Put together the final report Should be your most senior member to start out To avoid burn out rotate the team leader position!

12 Assessment Team Structure - Team Members Maximum of three internal team members Dependent on scope Assist with all phases if required Document results and observations (photos..good for keeping a log) Communicate issues or problems to the team lead (cell phone required!) Decide on third-party involvement Comfort factor Anonymity of the testing team $$$

13 Remote Reconnaissance Gather as much information as possible off-site! Floor plans from company documents Google Maps satellite views Google searches for news and information about the target location(s) Better yet use Maltego! Number of employees at the locations(s) and listings Job functions, departments at the site (phone numbers) Security guards? Armed? Access Control - Card Readers? Photo ID s? Call or the city building department for blueprints seriously!

14 Maltego for Reconnaissance Can be used to determine the relationships and real world links between: People Groups of people (social networks) Companies Organizations Web sites Internet infrastructure such as: Domains DNS names Netblocks IP addresses Phrases Affiliations Documents and files

15 On-site Reconnaissance 1/2 or 1 day is recommended for on-site recon At a remote location or region? Coordinate with the pen test team the night before to discuss the recon plan Two team members maximum Ensure you have authorization to test letters in hand! Things to observe: Building location, parking, traffic patterns Employee entrance procedures (smokers area?) Look for cameras and access control systems After hours procedures? Are things different at night?

16 Penetration Test Phase After on-site recon, determine the plan! Create multiple scenarios based on your objectives Some examples: Tailgate (easiest) Look like you belong (goes great with tailgating) Printer repair man I m late for a meeting! Chat with the smokers I I forgot my badge I m m here to see <INSERT NAME OF EXECUTIVE> Use a business card (faked) as ID Create a fake ID

17 Penetration Test Phase Continued Take photos if you can Use conference rooms to your advantage Be prepared to be compromised If you feel someone wants to challenge you quickly turn around and walk the other way! If you are asked for ID..fake it for a minute. If you think it s over, pull out the authorization letter. Be ready to make a phone call if needed Do not endanger yourself or others! (Beware of big dogs!)

18 Walk Through Phase Conducted after the penetration test Time frame depends on objectives and location One team member should be coordinating the walk through with the designated contact during the pen test Ensure you will have someone available No chance of pen test compromise Be prepared to escalate to management

19 Walk Through Phase Continued Conducted by at least two team members with the facility contact What are we looking for? Perimeter controls Confidentiality control of hard-copy data Internal access controls Cameras/Alarms Personnel practices (security awareness) Emergency procedures (evacuation) Fire extinguishers (expired?) OSSTMM is a good place to start for creating a physical security checklist No one standard, dependent on your organization

20 Walk Through Phase Continued Full Metal Jacket 1987 Warner Bros. Pictures Ask questions! Do you have any security concerns? Take notes and pictures Ask for permission prior to taking pictures Tell them about the penetration test Prepare for hostility! Put an awareness spin to it. Your not getting in trouble

21 Reporting and Lessons Learned Team Leader compiles notes and results from team members Prepare the final report ASAP Setup meetings shortly after the assessment with management of the facilities Don t t wait too long! You will loose the effectiveness of the assessment. Keep them in the loop Lessons learned with the assessment team! Setup a meeting include third-party if used What went well? What didn t?

22 Standards and Books OSSTMM Open-Source Security Testing Methodology Manual Version 2.2 isecom.org/osstmm/ org/osstmm/ NIST (Chapter 15 Physical Security) NIST (Guideline on Network Security Testing) Physical Security for IT Michael Erbschloe The Design and Evaluation of Physical Protection Systems Vulnerability Assessment of Physical Protection Systems Mary Lynn Garcia

23 Questions?

Targeted attacks: Tools and techniques

Targeted attacks: Tools and techniques Targeted attacks: Tools and techniques Performing «red-team» penetration tests Lessons learned Presented on 17/03/2014 For JSSI OSSIR 2014 By Renaud Feil Agenda Objective: Present tools techniques that

More information

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

ITEC441- IS Security. Chapter 15 Performing a Penetration Test 1 ITEC441- IS Security Chapter 15 Performing a Penetration Test The PenTest A penetration test (pentest) simulates methods that intruders use to gain unauthorized access to an organization s network and

More information

Introduction to Penetration Testing Graham Weston

Introduction to Penetration Testing Graham Weston Introduction to Penetration Testing Graham Weston March 2014 Agenda Introduction and background Why do penetration testing? Aims and objectives Approaches Types of penetration test What can be penetration

More information

Penetration Testing Report Client: Business Solutions June 15 th 2015

Penetration Testing Report Client: Business Solutions June 15 th 2015 Penetration Testing Report Client: Business Solutions June 15 th 2015 Acumen Innovations 80 S.W 8 th St Suite 2000 Miami, FL 33130 United States of America Tel: 1-888-995-7803 Email: info@acumen-innovations.com

More information

Facility XXXX Site Security Survey Date: 10/9-10/10/02. (A) Perimeter Security Feature Yes No Comments

Facility XXXX Site Security Survey Date: 10/9-10/10/02. (A) Perimeter Security Feature Yes No Comments Facility XXXX Site Security Survey Date: 10/9-10/10/02 (A) Perimeter Security DELAY/DETER Site Boundary None of the critical facilities have protective Fence (Height and Construction) fences. Outriggers

More information

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION Prepared for the NRC Fuel Cycle Cyber Security Threat Conference Presented by: Jon Chugg, Ken Rohde Organization(s): INL Date: May 30, 2013 Disclaimer

More information

EXIN Information Security Foundation based on ISO/IEC 27002. Sample Exam

EXIN Information Security Foundation based on ISO/IEC 27002. Sample Exam EXIN Information Security Foundation based on ISO/IEC 27002 Sample Exam Edition June 2016 Copyright 2016 EXIN All rights reserved. No part of this publication may be published, reproduced, copied or stored

More information

Information Security Services

Information Security Services Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual

More information

Read this guide and you ll discover:

Read this guide and you ll discover: BUSINESS ADVISOR REPORT Provided as an educational service by: Rick Reynolds, General Manager Read this guide and you ll discover: What remote, offsite, or managed backups are, and why EVERY business should

More information

Jumpstarting Your Security Awareness Program

Jumpstarting Your Security Awareness Program Jumpstarting Your Security Awareness Program Michael Holcomb Director, Information Security HO20110473 1 Jumpstarting Your Security Awareness Program Classification: Confidential Owner: Michael Holcomb

More information

What is Penetration Testing?

What is Penetration Testing? White Paper What is Penetration Testing? An Introduction for IT Managers What Is Penetration Testing? Penetration testing is the process of identifying security gaps in your IT infrastructure by mimicking

More information

NAS103: Essentials of Network

NAS103: Essentials of Network NAS103: Essentials of Network Penetration Testing Course Introduction Duration:1Day 3Sessions Objectives Introduce you to definitions involved in Penetration Testing Prepare you for a Network based Penetration

More information

Physical Security to mitigate Social Engineering Risks

Physical Security to mitigate Social Engineering Risks 2013 Cl iftonlar Physical Security to mitigate Social Engineering Risks cliftonlarsonallen.com Agenda Background and statistics of physical security Address social engineering risks associated with deficiencies

More information

Course Title: Penetration Testing: Network & Perimeter Testing

Course Title: Penetration Testing: Network & Perimeter Testing Course Title: Penetration Testing: Network & Perimeter Testing Page 1 of 7 Course Description: The Security Analyst Series from EC-Council Press is comprised of five books covering a broad base of topics

More information

Remote Access Securing Your Employees Out of the Office

Remote Access Securing Your Employees Out of the Office Remote Access Securing Your Employees Out of the Office HSTE-NB0011-RV 1.0 Hypersecu Information Systems, Inc. #200-6191 Westminster Hwy Richmond BC V7C 4V4 Canada 1 (855) 497-3700 www.hypersecu.com Introduction

More information

HomeNet. Gateway User Guide

HomeNet. Gateway User Guide HomeNet Gateway User Guide Gateway User Guide Table of Contents HomeNet Gateway User Guide Gateway User Guide Table of Contents... 2 Introduction... 3 What is the HomeNet Gateway (Gateway)?... 3 How do

More information

Alternative Device Integration For Enhanced Security

Alternative Device Integration For Enhanced Security Alternative Device Integration For Enhanced Security Increase security and reduce risk by using existing technology in a non-traditional fashion White Paper Author John Carney, Senior Manager, Cisco Government

More information

Little-Known Facts and Insider Secrets Every Business Owner Should Know About Backing Up Their Data and Choosing a Remote Backup Service

Little-Known Facts and Insider Secrets Every Business Owner Should Know About Backing Up Their Data and Choosing a Remote Backup Service Little-Known Facts and Insider Secrets Every Business Owner Should Know About Backing Up Their Data and Choosing a Remote Backup Service If your data is important to your business and you cannot afford

More information

TONAQUINT DATA CENTER, INC. CLOUD SECURITY POLICY & PROCEDURES. Tonaquint Data Center, Inc Cloud Security Policy & Procedures 1

TONAQUINT DATA CENTER, INC. CLOUD SECURITY POLICY & PROCEDURES. Tonaquint Data Center, Inc Cloud Security Policy & Procedures 1 TONAQUINT DATA CENTER, INC. CLOUD SECURITY POLICY & PROCEDURES Tonaquint Data Center, Inc Cloud Security Policy & Procedures 1 Table of Contents 1. Operational Security 2. Physical Security 3. Network

More information

Corporate Security Research and Assurance Services

Corporate Security Research and Assurance Services Corporate Security Research and Assurance Services We Keep Your Business In Business Obrela Security Industries mission is to provide Enterprise Information Security Intelligence and Risk Management Services

More information

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014 Security Testing Vulnerability Assessment vs Penetration Testing Gabriel Mihai Tanase, Director KPMG Romania 29 October 2014 Agenda What is? Vulnerability Assessment Penetration Testing Acting as Conclusion

More information

The Importance of Cybersecurity Monitoring for Utilities

The Importance of Cybersecurity Monitoring for Utilities The Importance of Cybersecurity Monitoring for Utilities www.n-dimension.com Cybersecurity threats against energy companies, including utilities, have been increasing at an alarming rate. A comprehensive

More information

GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT

GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute of Standards and Technology A comprehensive approach

More information

ITAR Compliance Best Practices Guide

ITAR Compliance Best Practices Guide ITAR Compliance Best Practices Guide 1 Table of Contents Executive Summary & Overview 3 Data Security Best Practices 4 About Aurora 10 2 Executive Summary & Overview: International Traffic in Arms Regulations

More information

on? Bill An d e r son, CIS S P In for m a t ion S e cu r ity S p e cia list In t e r h a ck Cor p or a tion http://web.interhack.

on? Bill An d e r son, CIS S P In for m a t ion S e cu r ity S p e cia list In t e r h a ck Cor p or a tion http://web.interhack. Securit y: Built -in or Bolt - on? Bill An d e r son, CIS S P In for m a t ion S e cu r ity S p e cia list In t e r h a ck Cor p or a tion h t tp ://w e b.in t e r h a ck.com / W hat do w e do? Information

More information

Cyber Security for SCADA/ICS Networks

Cyber Security for SCADA/ICS Networks Cyber Security for SCADA/ICS Networks GANESH NARAYANAN HEAD-CONSULTING CYBER SECURITY SERVICES www.thalesgroup.com Increasing Cyber Attacks on SCADA / ICS Systems 2 What is SCADA Supervisory Control And

More information

Five keys to a more secure data environment

Five keys to a more secure data environment Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational

More information

Practical Steps To Securing Process Control Networks

Practical Steps To Securing Process Control Networks Practical Steps To Securing Process Control Networks Villanova University Seminar Rich Mahler Director, Commercial Cyber Solutions Lockheed Martin Lockheed Martin Corporation 2014. All Rights Reserved.

More information

High Level Cyber Security Assessment 2/1/2012. Assessor: J. Doe

High Level Cyber Security Assessment 2/1/2012. Assessor: J. Doe 2/1/2012 Assessor: J. Doe Disclaimer This report is provided as is for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information

More information

University of Northern Colorado. Data Security Policy for Research Projects

University of Northern Colorado. Data Security Policy for Research Projects University of Northern Colorado Data Security Policy for Research Projects Contents 1.0 Overview... 1 2.0 Purpose... 1 3.0 Scope... 1 4.0 Definitions, Roles, and Requirements... 1 5.0 Sources of Data...

More information

Managing IT Security with Penetration Testing

Managing IT Security with Penetration Testing Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to

More information

Image credits: Front cover: U.S. Army photo by Sgt. Brandon Little, Task Force XII PAO, MND-B Inside back cover: U.S Army photo by Staff Sgt.

Image credits: Front cover: U.S. Army photo by Sgt. Brandon Little, Task Force XII PAO, MND-B Inside back cover: U.S Army photo by Staff Sgt. Image credits: Front cover: U.S. Army photo by Sgt. Brandon Little, Task Force XII PAO, MND-B Inside back cover: U.S Army photo by Staff Sgt. Mike Pryor, 2nd BCT, 82nd Abn. Div. Public Affairs Operations

More information

Legal Notice Knowledge Consulting Group All rights reserved 2013

Legal Notice Knowledge Consulting Group All rights reserved 2013 Application Remediation Test Executive Summary Report 10/22/2013 1 Legal Notice Knowledge Consulting Group All rights reserved 2013 This document contains confidential and proprietary information. It is

More information

Identity Theft Prevention Committee Updates and Discussions: 3/15. Team,

Identity Theft Prevention Committee Updates and Discussions: 3/15. Team, Identity Theft Prevention Committee Updates and Discussions: 3/15 Team, We will be meeting on Monday, March 19 th to move forward with the Identity Theft Prevention Program. Please bring the packet that

More information

NCS490 Penetration Testing. Ronny L. Bull, MS Lecturer Computer Science Department. Spring 2014

NCS490 Penetration Testing. Ronny L. Bull, MS Lecturer Computer Science Department. Spring 2014 NCS490 Penetration Testing Ronny L. Bull, MS Lecturer Computer Science Department Spring 2014 Outline General Overview Target Selection OSINT Covert Gathering Foot-printing Identifying Protection Mechanisms

More information

Incident Response. Six Best Practices for Managing Cyber Breaches. www.encase.com

Incident Response. Six Best Practices for Managing Cyber Breaches. www.encase.com Incident Response Six Best Practices for Managing Cyber Breaches www.encase.com What We ll Cover Your Challenges in Incident Response Six Best Practices for Managing a Cyber Breach In Depth: Best Practices

More information

Emergency Planning Guideline

Emergency Planning Guideline www.hh.net.nz Essential Emergency and Security Systems Supporting and Complimenting the Home s Fire Evacuation Scheme POLICY: To optimise emergency readiness REFERENCE: NZS 8143: 2002 NB: Management is

More information

Network Security Forensics

Network Security Forensics Network Security Forensics As hacking and security threats grow in complexity and organizations face stringent requirements to document access to private data on the network, organizations require a new

More information

From the Lab to the Boardroom:

From the Lab to the Boardroom: From the Lab to the Boardroom: How to perform a Security Risk Assessment Like a Professional Doug Landoll, CISSP, CISA General Manager, Security Services En Pointe Technologies dlandoll@enpointe.com (512)

More information

11 Common Disaster Planning Mistakes

11 Common Disaster Planning Mistakes 11 Common Disaster Planning Mistakes The world is full of risk. Floods, fires, hurricanes, thefts, IT system failures and blackouts are just a few of the incredibly damaging disasters that can and do strike

More information

Does Your Local Business Need More Leads? Free Training Reveals How! By Nicole Munoz www.startrankingnow.com www.nicolemunoz.com

Does Your Local Business Need More Leads? Free Training Reveals How! By Nicole Munoz www.startrankingnow.com www.nicolemunoz.com Does Your Local Business Need More Leads? Free Training Reveals How! By Nicole Munoz www.startrankingnow.com www.nicolemunoz.com Does Your Website Make You Feel Like This? Over 600,000 daily searches for

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED The FBI Cyber Program Bauer Advising Symposium October 11, 2012 Today s Agenda What is the threat? Who are the adversaries? How are they attacking you? What can the FBI do to help? What can you do to stop

More information

Hackers are here. Where are you?

Hackers are here. Where are you? 1 2 What is EC-Council Certified Security Analyst Licensed Penetration Tester Program You are an ethical hacker. Your last name is Pwned. You dream about enumeration and you can scan networks in your sleep.

More information

Managing Network-related Risk for SMEs

Managing Network-related Risk for SMEs Managing Network-related Risk for SMEs SANS Information Security Webcast 20 Mar 2012 Geneva, Switzerland version 1b Jim Herbeck Managing Partner, Nouvel Strategies JHerbeck@NouvelStrategies.com Member

More information

CREDIT CARD SECURITY POLICY PCI DSS 2.0

CREDIT CARD SECURITY POLICY PCI DSS 2.0 Responsible University Official: University Compliance Officer Responsible Office: Business Office Reviewed Date: 10/29/2012 CREDIT CARD SECURITY POLICY PCI DSS 2.0 Introduction and Scope Introduction

More information

SECURITY VULNERABILITY CHECKLIST FOR ACADEMIC AND SMALL CHEMICAL LABORATORY FACILITIES

SECURITY VULNERABILITY CHECKLIST FOR ACADEMIC AND SMALL CHEMICAL LABORATORY FACILITIES SECURITY VULNERABILITY CHECKLIST FOR ACADEMIC AND SMALL CHEMICAL LABORATORY FACILITIES by the American Chemical Society, Committee on Chemical Safety, Safe Practices Subcommittee Introduction Terrorism

More information

Social Engineering: Hunt for the digital crown jewels using a door handle

Social Engineering: Hunt for the digital crown jewels using a door handle Social Engineering: Hunt for the digital crown jewels using a door handle TJ Dimkov Deloitte Netherlands 31 st of January 2012 A new member Defending my PhD thesis at University of Twente in February.

More information

SECURITY. Risk & Compliance Services

SECURITY. Risk & Compliance Services SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

The 9 Ugliest Mistakes Made with Data Backup and How to Avoid Them

The 9 Ugliest Mistakes Made with Data Backup and How to Avoid Them The 9 Ugliest Mistakes Made with Data Backup and How to Avoid Them If your data is important to your business and you cannot afford to have your operations halted for days even weeks due to data loss or

More information

Penetration Testing Services. Demonstrate Real-World Risk

Penetration Testing Services. Demonstrate Real-World Risk Penetration Testing Services Demonstrate Real-World Risk Penetration Testing Services The best way to know how intruders will actually approach your network is to simulate a real-world attack under controlled

More information

CYBERSECURITY: Is Your Business Ready?

CYBERSECURITY: Is Your Business Ready? CYBERSECURITY: Is Your Business Ready? Cybersecurity: Is your business ready? Cyber risk is just like any other corporate risk and it must be managed from the top. An organization will spend time monitoring

More information

Security and Data Center Overview

Security and Data Center Overview Security and Data Center Overview September, 2012 For more information, please contact: Matt McKinney mattm@canadianwebhosting.com 888-821-7888 x 7201 Canadian Web Hosting (www.canadianwebhosting.com)

More information

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit. The hidden risks of mobile applications This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit. To learn more about TraceSecurity visit www.tracesecurity.com

More information

Penetration Testing as an Auditing Tool

Penetration Testing as an Auditing Tool Penetration Testing as an Auditing Tool March 1, 2011 ISACA Austin Chapter Luncheon Jeremy Powell, Consultant, atsec information security About the Speaker Security consultant Evaluates the security features

More information

Policy for Protecting Customer Data

Policy for Protecting Customer Data Policy for Protecting Customer Data Store Name Store Owner/Manager Protecting our customer and employee information is very important to our store image and on-going business. We believe all of our employees

More information

INTRODUCTION TO PENETRATION TESTING

INTRODUCTION TO PENETRATION TESTING 82-02-67 DATA SECURITY MANAGEMENT INTRODUCTION TO PENETRATION TESTING Stephen Fried INSIDE What is Penetration Testing? Terminology; Why Test? Types of Penetration Testing; What Allows Penetration Testing

More information

WESTERVILLE DIVISION OF POLICE Security Survey Checklist: Business

WESTERVILLE DIVISION OF POLICE Security Survey Checklist: Business Business Name: Owner Name: Business Address: Officer: Survey No.: WESTERVILLE DIVISION OF POLICE Security Survey Checklist: Business "Being There When Needed" DOORS 1. Is the exterior doors solid core

More information

Penetration Testing - a way for improving our cyber security

Penetration Testing - a way for improving our cyber security OWASP EU Tour Bucharest 2013 The OWASP Foundation http://www.owasp.org Penetration Testing - a way for improving our cyber security Adrian Furtunǎ, PhD, OSCP, CEH adif2k8@gmail.com Copyright The OWASP

More information

Hacking Book 1: Attack Phases. Chapter 1: Introduction to Ethical Hacking

Hacking Book 1: Attack Phases. Chapter 1: Introduction to Ethical Hacking Hacking Book 1: Attack Phases Chapter 1: Introduction to Ethical Hacking Objectives Understand the importance of information security in today s world Understand the elements of security Identify the phases

More information

Cyber Security Management

Cyber Security Management Cyber Security Management Focusing on managing your IT Security effectively. By Anthony Goodeill With the news cycles regularly announcing a recurrently theme of targets of hacker attacks and companies

More information

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Rule 4-004L Payment Card Industry (PCI) Physical Security (proposed) 01.1 Purpose The purpose

More information

Government Worker Privacy Survey. Improper Exposure of Official Use, Sensitive, and Classified Materials

Government Worker Privacy Survey. Improper Exposure of Official Use, Sensitive, and Classified Materials Government Worker Privacy Survey Improper Exposure of Official Use, Sensitive, and Classified Materials 1 Introduction Data privacy is a growing concern for the US government as employees conduct business

More information

Small businesses: What you need to know about cyber security

Small businesses: What you need to know about cyber security Small businesses: What you need to know about cyber security Contents Why you need to know about cyber security... 3 Understanding the risks to your business... 4 How you can manage the risks... 5 Planning

More information

New Zealand Company Six full time technical staff Offices in Auckland and Wellington

New Zealand Company Six full time technical staff Offices in Auckland and Wellington INCREASING THE VALUE OF PENETRATION TESTING ABOUT YOUR PRESENTER Brett Moore Insomnia Security New Zealand Company Six full time technical staff Offices in Auckland and Wellington Penetration Testing Web

More information

UCS Level 2 Report Issued to

UCS Level 2 Report Issued to UCS Level 2 Report Issued to MSPAlliance Unified Certification Standard (UCS) Report Copyright 2014 www.mspalliance.com/ucs info@mspalliance.com Welcome to the UCS report which stands for Unified Certification

More information

Fighting Off an Advanced Persistent Threat & Defending Infrastructure and Data. Dave Shackleford February, 2012

Fighting Off an Advanced Persistent Threat & Defending Infrastructure and Data. Dave Shackleford February, 2012 Fighting Off an Advanced Persistent Threat & Defending Infrastructure and Data Dave Shackleford February, 2012 Agenda Attacks We ve Seen Advanced Threats what s that mean? A Simple Example What can we

More information

Why Your SIEM Isn t Adding Value And Why It May Not Be The Tool s Fault. Best Practices Whitepaper June 18, 2014

Why Your SIEM Isn t Adding Value And Why It May Not Be The Tool s Fault. Best Practices Whitepaper June 18, 2014 Why Your SIEM Isn t Adding Value And Why It May Not Be The Tool s Fault Best Practices Whitepaper June 18, 2014 2 Table of Contents LIVING UP TO THE SALES PITCH... 3 THE INITIAL PURCHASE AND SELECTION

More information

Harvard University Payment Card Industry (PCI) Compliance Business Process Documentation

Harvard University Payment Card Industry (PCI) Compliance Business Process Documentation Harvard University Payment Card Industry (PCI) Compliance Business Process Documentation Business Process: Documented By: PCI Data Security Breach Stephanie Breen Creation Date: 1/19/06 Updated 11/5/13

More information

REAL SECURITY IS DIRTY

REAL SECURITY IS DIRTY REAL SECURITY IS DIRTY INFORMATION SECURITY AND RISK MANAGEMENT ARE PURSUITS OF BRUTAL SELF- REFLECTION. The most logical business decisions come from facing ugly truths. Before any business spends a dime

More information

Security within a development lifecycle. Enhancing product security through development process improvement

Security within a development lifecycle. Enhancing product security through development process improvement Security within a development lifecycle Enhancing product security through development process improvement Who I am Working within a QA environment, with a focus on security for 10 years Primarily web

More information

Zoom Guide Book. The Office of Academic Technology http://academictech.ottawa.edu/ LEADER GUIDE

Zoom Guide Book. The Office of Academic Technology http://academictech.ottawa.edu/ LEADER GUIDE The Office of Academic Technology http://academictech.ottawa.edu/ Zoom Guide Book LEADER GUIDE Documentation and screenshots are based on Zoom version 2.5.XXXX About Zoom: Zoom is a cloud-based conferencing

More information

Security Management. Keeping the IT Security Administrator Busy

Security Management. Keeping the IT Security Administrator Busy Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching

More information

Taking Information Security Risk Management Beyond Smoke & Mirrors

Taking Information Security Risk Management Beyond Smoke & Mirrors Taking Information Security Risk Management Beyond Smoke & Mirrors Evan Wheeler Omgeo Session ID: GRC-107 Insert presenter logo here on slide master. See hidden slide 4 for directions Session Classification:

More information

Cyber Watch. Written by Peter Buxbaum

Cyber Watch. Written by Peter Buxbaum Cyber Watch Written by Peter Buxbaum Security is a challenge for every agency, said Stanley Tyliszczak, vice president for technology integration at General Dynamics Information Technology. There needs

More information

INTRODUCTION: PENETRATION TEST A BUSINESS PERSPECTIVE:

INTRODUCTION: PENETRATION TEST A BUSINESS PERSPECTIVE: PENETRATION TESTING A SYSTEMATIC APPROACH INTRODUCTION: The basic idea behind writing this article was to put forward a systematic approach that needs to be followed to perform a successful penetration

More information

Commissioners Deanna Tanner Okun, Chairman Irving A. Williamson, Vice Chairman Charlotte R. Lane Daniel R. Pearson Shara L. Aranoff Dean A.

Commissioners Deanna Tanner Okun, Chairman Irving A. Williamson, Vice Chairman Charlotte R. Lane Daniel R. Pearson Shara L. Aranoff Dean A. The U.S. International Trade Commission is an independent, nonpartisan, quasi-judicial federal agency that provides trade expertise to both the legislative and executive branches of government, determines

More information

SITECATALYST SECURITY

SITECATALYST SECURITY SITECATALYST SECURITY Ensuring the Security of Client Data June 6, 2008 Version 2.0 CHAPTER 1 1 Omniture Security The availability, integrity and confidentiality of client data is of paramount importance

More information

Penetration Testing. Presented by: Elham Hojati Advisor: Dr. Akbar Namin July 2014

Penetration Testing. Presented by: Elham Hojati Advisor: Dr. Akbar Namin July 2014 Penetration Testing Presented by: Elham Hojati Advisor: Dr. Akbar Namin July 2014 Part one: the concept of penetration testing 2 What is a penetration test?(informal) Port scanning Vulnerability Scanning

More information

13 Ways Through A Firewall What you don t know will hurt you

13 Ways Through A Firewall What you don t know will hurt you Scientech 2013 Symposium: Managing Fleet Assets and Performance 13 Ways Through A Firewall What you don t know will hurt you Andrew Ginter VP Industrial Security Waterfall Security Solutions andrew. ginter

More information

CCTV on IP Network. How Cisco IT Deploys Closed- Circuit TV Cameras over the Secure IP Network. A Cisco on Cisco Case Study: Inside Cisco IT

CCTV on IP Network. How Cisco IT Deploys Closed- Circuit TV Cameras over the Secure IP Network. A Cisco on Cisco Case Study: Inside Cisco IT CCTV on IP Network How Cisco IT Deploys Closed- Circuit TV Cameras over the Secure IP Network A Cisco on Cisco Case Study: Inside Cisco IT 1 Overview Challenge Security transitioned from analog closed-circuit

More information

Security Issues with Integrated Smart Buildings

Security Issues with Integrated Smart Buildings Security Issues with Integrated Smart Buildings Jim Sinopoli, Managing Principal Smart Buildings, LLC The building automation industry is now at a point where we have legitimate and reasonable concern

More information

Course Title Penetration Testing: Procedures & Methodologies

Course Title Penetration Testing: Procedures & Methodologies Course Title Penetration Testing: Procedures & Methodologies Page 1 of 9 Course Description: The Security Analyst Series from EC-Council Press is comprised of five books covering a broad base of topics

More information

SECURITY SURVEY AND RISK ASSESSMENT. any trends or patterns in the incidents occurring at the school; the efficiency of the chosen security measures.

SECURITY SURVEY AND RISK ASSESSMENT. any trends or patterns in the incidents occurring at the school; the efficiency of the chosen security measures. SECURITY SURVEY AND RISK ASSESSMENT A security survey gives a rounded picture of the risks that your school faces and the security measures in existence. Without this information it is difficult to assess:-

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies Cyber Security in Taiwan's Government Institutions: From APT To Investigation Policies Ching-Yu, Hung Investigation Bureau, Ministry of Justice, Taiwan, R.O.C. Abstract In this article, we introduce some

More information

Basic Computer Security Part 3

Basic Computer Security Part 3 Basic Computer Security Part 3 Presenter David Schaefer, MBA OCC Manager of Desktop Support Adjunct Security Instructor: Walsh College, Oakland Community College, Lawrence Technology University Welcome

More information

IT Checklist. for Small Business INFORMATION TECHNOLOGY & MANAGEMENT INTRODUCTION CHECKLIST

IT Checklist. for Small Business INFORMATION TECHNOLOGY & MANAGEMENT INTRODUCTION CHECKLIST INFORMATION TECHNOLOGY & MANAGEMENT IT Checklist INTRODUCTION A small business is unlikely to have a dedicated IT Department or Help Desk. But all the tasks that a large organization requires of its IT

More information

Data Security Initiatives. The Layered Approach. Melissa Perisce Regional Director, Global Services, South Asia April 25, 2010

Data Security Initiatives. The Layered Approach. Melissa Perisce Regional Director, Global Services, South Asia April 25, 2010 Data Security Initiatives The Layered Approach Melissa Perisce Regional Director, Global Services, South Asia April 25, 2010 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Intel Case Study Asia North

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

BlackRidge Technology Transport Access Control: Overview

BlackRidge Technology Transport Access Control: Overview 2011 BlackRidge Technology Transport Access Control: Overview 1 Introduction Enterprises and government agencies are under repeated cyber attack. Attacks range in scope from distributed denial of service

More information

Network Test Labs Inc Security Assessment Service Description Complementary Service Offering for New Clients

Network Test Labs Inc Security Assessment Service Description Complementary Service Offering for New Clients Network Test Labs Inc Security Assessment Service Description Complementary Service Offering for New Clients Network Test Labs Inc. Head Office 170 422 Richards Street, Vancouver BC, V6B 2Z4 E-mail: info@networktestlabs.com

More information

In the same spirit, our QuickBooks 2008 Software Installation Guide has been completely revised as well.

In the same spirit, our QuickBooks 2008 Software Installation Guide has been completely revised as well. QuickBooks 2008 Software Installation Guide Welcome 3/25/09; Ver. IMD-2.1 This guide is designed to support users installing QuickBooks: Pro or Premier 2008 financial accounting software, especially in

More information

Defensible Strategy To. Cyber Incident Response

Defensible Strategy To. Cyber Incident Response Cyber Incident Response Defensible Strategy To Cyber Incident Response Cyber Incident Response Plans Every company should develop a written plan (cyber incident response plan) that identifies cyber attack

More information

Security-as-a-Service (Sec-aaS) Framework. Service Introduction

Security-as-a-Service (Sec-aaS) Framework. Service Introduction Security-as-a-Service (Sec-aaS) Framework Service Introduction Need of Information Security Program In current high-tech environment, we are getting more dependent on information systems. This dependency

More information

Wireless Network Security

Wireless Network Security Wireless Network Security Bhavik Doshi Privacy and Security Winter 2008-09 Instructor: Prof. Warren R. Carithers Due on: February 5, 2009 Table of Contents Sr. No. Topic Page No. 1. Introduction 3 2. An

More information

13 Ways Through A Firewall

13 Ways Through A Firewall Industrial Control Systems Joint Working Group 2012 Fall Meeting 13 Ways Through A Firewall Andrew Ginter Director of Industrial Security Waterfall Security Solutions Proprietary Information -- Copyright

More information

Vulnerability Assessment and Penetration Testing. CC Faculty ALTTC, Ghaziabad

Vulnerability Assessment and Penetration Testing. CC Faculty ALTTC, Ghaziabad Vulnerability Assessment and Penetration Testing CC Faculty ALTTC, Ghaziabad Need Vulnerabilities Vulnerabilities are transpiring in different platforms and applications regularly. Information Security

More information