IBM Security Services

Transcription

1 IBM Security Services - Penetration Testing - July 15, IBM Corporation

2 THE EVOLVING THREAT LANDSCAPE 2

3 Success in today s dynamic, data driven global marketplace requires effective enterprise IT security management 3

4 M O T I V A T I O N IBM Security Services Motivations and sophistication are rapidly evolving National Security, Economic Espionage Nation-state actors, APTs Stuxnet, Aurora, APT-1 Notoriety, Activism, Defamation Hacktivists Lulzsec, Anonymous Monetary Gain Organized crime Zeus, ZeroAccess, Blackhole Exploit Pack Nuisance, Curiosity Insiders, Spammers, Script-kiddies Nigerian 419 Scams, Code Red S O P H I S T I C A T I O N 4

5 Security Incidents are rising: Data from the IBM 2014 Cyber Security Index Security events Annual 91,765,453 Monthly 7,647,121 Weekly 1,764,121 Security attacks Annual 16,857 Monthly 1,405 Weekly 324 Security incidents Annual 109 Monthly 9 Weekly 2 Events: up 12% year on year to 91m Observable occurrences in a system or network Security Intelligence Correlation and analytics tools Attacks: Increased efficiencies achieved More efficiency in security processing to help clients focus on identified malicious events Security Intelligence Human security analysts Incidents: up 22% year on year Attacks deemed worthy of deeper investigation Source: IBM Security Services 2014 Cyber Security Intelligence Index 5

6 At the same time, according to Ponemon Institute, the cost of a data breach to global organizations is on the rise up 9% up 15% $145 Average cost per record compromised $3.5 million Average total cost per data breach 15% increase year-to-year in rate of customer churn NEW DATA from the 2014 Ponemon Institute Cost of Data Breach Study: United States, sponsored by IBM 6

7 According to 2014 Ponemon Institute the average cost of a data breach per record varies from country to country In Italy the cost of data breach increased from 95 in 2013 to 102 in 2014 for one compromised record In Italy the total organizational cost of data breach increased from 1.73 million to 1.93 million. Source 2014 Ponemon Institute Cost of Data Breach Study: Italy 7 IBM Confidential

8 What happens in Italy? - Data from latest Clusit Report - Hacktivism: Hacktivism is the act of hacking a website or computer network in an effort to convey a social or political message. The person who carries out the act of hacktivism is known as a hacktivist. 8 IBM Confidential

9 IT Security is a board-room discussion CEO CFO/COO CIO CHRO CMO Loss of market share and reputation Legal exposure Audit failure Fines and criminal charges Financial loss Loss of data confidentiality, integrity and/or availability Violation of employee privacy Loss of customer trust Loss of brand reputation Increasingly, companies are appointing CROs and CISOs with a direct line to the Audit Committee 9 Source: Discussions with more than 13,000 C-suite executives as part of the IBM C-suite Study Series

10 IBM provides unmatched global coverage and security awareness 10

11 IBM has a commitment to security research, development, monitoring & analysis 4,300 strategic outsourcing security delivery resources 1,200 professional services security consultants 650 field security specialists 400 security operations analysts 10 security research centers 10 security operations centers (SOCs) 14 security development labs IBM X-Force Expertise 150M intrusion attempts monitored daily 46,000 documented vulnerabilities 40M unique phishing/spam attacks Millions of unique malware samples Billions of analyzed web pages security patents Managed Services Excellence Tens of thousands of devices under management Thousands of MSS clients worldwide Billions of events managed per day Countries monitored in all geographies Industry-leading research and reports 11

12 IBM is widely recognized as a leader in this market Security Consulting Managed Security IBM has the largest client base of the participants... Clients praised the flexibility, knowledge, and responsiveness while also noting the company s excellent documentation. Organizations looking for a high-quality vendor that can do it all and manage it afterwards should consider IBM. Sources: Forrester Research Inc. Forrester Wave TM : Information Security Consulting Services, Q Forester Wave: Managed Security Services providers Q1,

13 Penetration Test Overview 13

14 IBM Secuity Services Portfolio Overview Built to address the Security Essentials, within context of the integrated Security Framework IBM Security Services Portfolio = Channel Enabled Strategy, Risk & Compliance Security Maturity Benchmarking Security Strategy & Roadmap Development Security Risk Assessment & Program Design Industrial Controls (NIST, SCADA) PCI Advisory Cybersecurity Assessment & Response Threat Intelligence Advisory X-Force Threat Analysis Penetration Testing Incident Preparation Emergency Response Security Operations Security Intelligence Operations Center Design & Build Out Services People Data Applications Infrastructure Identity Assessment & Strategy Crown Jewels Discovery & Protection SDLC Program Development Security Optimization User Provisioning/Access Mgmt Database Security Dynamic and Static Testing Design, Deployment & Migration Total Authentication Solution Managed/Cloud Identity Encryption and Data Loss Prevention Embedded Device Testing Mobile Application Testing Staff Augmentation Firewall / Unified Threat Management Intrusion Detection & Prevention Cloud and Managed Services Web Protection & Managed DDoS Hosted & Web Vulnerability Mgmt Powered by IBM s Next Generation Threat Monitoring and Analytics Platform Managed SIEM & Log Management 14

15 Questo servizio effettua prove che mostrano le tecniche di attacco e identificano i sistemi vulnerabili Descrizione dei servizi: I servizi di penetration test dimostrano, per mezzo di scenari reali, il modo in cui gli attaccanti possono impattare significativamente sul business. Durante delle prove controllate, i consulenti degli IBM Professional Security Services (PSS) tentano di penetrare remotamente i dispositivi di rete e di fornire l evidenza che i sistemi e i dati critici possono essere compromessi. Si documentano le scoperture di sicurezza insieme alle soluzioni raccomandate per eliminarle o contenerle. Al di là di un semplice assessment di vulnerabilità (scan), un penetration test può mostrare l impatto reale delle vulnerabilità piuttosto che indicare delle debolezze teoriche. Soddisfare i requisiti normativi Requisiti dei clienti Validare l efficacia dei controlli di sicurezza implementati Aiutare a definire le priorità degli investimenti di sicurezza 15

16 I clienti comprendono meglio l impatto di un attacco sul proprio business e possono decidere di conseguenza le azioni a rimedio I benefici del penetration test possono includere: La dimostrazione di come degli attaccanti possano impattare in modo significativo sul business del Cliente La validazione dell efficacia della attuali contromisure di sicurezza del Cliente Estendere e approfondire la prospettiva sulle tecniche e le motivazioni degli hacker Incoraggiare il supporto del top management alla strategia e alle risorse di sicurezza Identificare la azioni raccomandate per ridurre efficacemente il rischio Facilitare la gestione della conformità alle normative industriali e statali 16

17 Penetration Test Activities Project Initiation The purpose of this activity is to finalize the project team members, develop a common understanding of the project objectives, roles and responsibilities, and assess your readiness to implement the Services by confirming that the appropriate information is documented. Network Discovery and Assessment The purpose of this activity is to identify active hosts and services within the target network range(s) and assess the security posture of those systems. Network Attack and Exploitation The purpose of this activity is to attempt to exploit identified vulnerabilities and demonstrate the impact of those vulnerabilities in terms of successful attack scenarios for the target network range(s), IP addresses, and in-scope active Devices specified in the Schedule. Web Application Testing (Add-on) The purpose of this activity is to attempt to identify and exploit web application vulnerabilities and demonstrate the impact of those vulnerabilities in terms of successful attack scenarios against in-scope websites. Internal Network Exploitation (Add-on) The purpose of this activity is to utilize discovered successful attacks to initiate mutually agreed upon breach scenarios for the target network range(s). Network Vulnerability Assessment (Add-on) The purpose of this activity is to identify active host systems and associated services within the targeted network range, assess such systems for known vulnerabilities, and evaluate the identified vulnerabilities. Onsite Internal Penetration Test (Add-on) The purpose of this activity is to attempt to investigate weaknesses in the internal network by mimicking malicious behaviors that could be exhibited by a trusted user with access to the network. 17

18 Penetration Test Scope and Methodology Scope Identify active services, their nature and the published services Identify the current vulnerabilities Analyze Web security exposures Leverage the identified vulnerabilities to access the Client s systems and provide actual risks entity and evidence Document the possible countermeasures and exposures resolutions Phases* Discovery: get an overview of the tested systems and their usage Vulnerabilities assessment: perform network, host and port mapping, run vulnerability scanners to identify any existing network, operating system or service vulnerabilities, manual vulnerability mapping, application testing. Penetration (or exploiting): exploit vulnerabilities found Keep access: ensure constant access to exploited systems Cover tracks: hide presence on exploited systems Final reports: Executive summary, Main Observations, Vulnerabilities technical details, Recommendations 18 * Based on the scope of the engagement, the methodology can utilise all steps, a particular steps or a phase based approach

19 Penetration Test - Typical Exploit Sequence 1) Exploit 2) Crack local passwords 3) Exploit 4) Next: - crack passwords of domain users - Attack other domains Vulnerable Server Domain Controller DOMAIN COMPROMISED Domain Systems 19

20 Penetration Testing Summary Solution Overview IBM Penetration testing services perform safe and controlled exercises that demonstrate covert and hostile attack techniques designed to identity vulnerable systems. It validates existing security controls and quantifies real-world risks, providing clients with a detailed security roadmap that prioritizes the weaknesses in the network environment. Customer Pain Points Address and maintain security needs satisfying regulatory compliance Lack of skill and resources to build an efficient and effective security program Needs to protect business critical data Maintain network and application availability during hostile activities typical of malicious attackers Helps to prevent network compromise and downtime by identifying vulnerabilities, validating current safeguards and outlining steps for remediation Raises executive awareness of corporate liability to emphasize the importance of IT security efforts Validates effectiveness of the security measures currently in place Quantifies system and business critical data risk Provides recommendations to resolve identified security vulnerabilities to prevent network downtime. Helps to protect integrity of online assets Supports efforts and investiments to reach and maintain compliancy with security regulations and industry standards 20 Key Features Provides a detailed analysis of your network security, including demonstrated attacks and their effects on your online operations Delivers a quality service designed to be safely conducted by expert security professionals, through manual penetration techniques and automated scanning Conducts real-life simulations of covert and hostile activities typical of malicious attackers attempts to compromise perimeter devices and security controls Final reports show, for priorities, identified risks and set out the elements for immediate action to resolve identified vulnerabilities

21 GRAZIE 21