How Your Current IT Security System Might Be Leaving You Exposed


WHITE PAPER

Building More Secure Companies (and Careers) with Penetration Testing Expertise

CHALLENGES
Protecting company systems and data from costly hacker intrusions
Finding tools and training to affordably and effectively enhance IT security

TAKEAWAYS
Why penetration testing is an extremely efficient way to improve your IT security
How hackers are damaging companies and what it could be costing you
What to look for in a penetration testing course

What's in this paper?

Introduction
The Threat
Countermeasures
The Value of Penetration Testing
Pen Testing vs. Hacking
In-house vs. Outsourced Penetration Testing
Becoming a Pen Tester
What to Look for in a Course
New and Old Methodologies
Summary

Introduction: The Need for Security

Security in cyberspace is a necessary fact of life. It's big news when a hacker attacks a notable target (TJX, Google, or a major bank or credit card company), but in the same way that a major bank robbery makes the news and a mugging doesn't, there are constant low-level attacks against smaller organizations that are very harmful. Many low-level attacks go unreported, and a fair number of them go completely unnoticed. That doesn't mean they are any less damaging; in fact, the attack you don't know about will do more damage, over the long term, than the one you do know about. Advanced Persistent Threats, a widely used term to describe these kinds of attacks, are attacks of varying degrees of sophistication that go unnoticed over a long time period. The cost of these breaches tends to be higher than initial estimates. This is due to greater cleanup and remediation costs, and possibly the loss of confidential, proprietary information that occurs over the extended period of time that the hacker has access to the victim's network. Estimates are that every record breached costs a company $40, a number that rises steeply when the records include credit card or social security numbers. And a single successful hacker attack might get thousands, or tens of thousands, of those records, potentially costing the company significant money, eroding customer trust and damaging brand equity. Your organization spends a considerable amount to defend against these threats, but the only proven way to gauge your effectiveness is to test or audit the security with a procedure known as penetration testing. This whitepaper discusses the benefits of penetration testing and how developing a skill set in this critical and often-overlooked discipline will add value to your organization and enhance the effectiveness of your IT security spend. The best way to acquire that skill set (the types of courses available, and what to look for in a good one) will also be covered.

The Threat

Hackers attack in a number of ways for a number of reasons. Probably the most visible, and often the most harmless, hacker is simply in it for the notoriety, by defacing a web page, for example. However, such incidents are becoming fewer and farther between.

Considerably more dangerous to your organization are thieves, who won't break a system if they can help it, but will quietly steal credit card records, identity data, and proprietary information. They can be hired by a competitor or be motivated by their own economic interest. To break into systems, hackers employ a wide and constantly evolving range of approaches. Vulnerabilities are discovered every day, and most intrusion detection systems (IDS) or vulnerability scanners can keep up with that pace. However, techniques also evolve and attack trends change year over year. Your organization needs to protect itself against:

Service detection and vulnerability scans: The attacker rapidly checks computers on your corporate network for known weaknesses and vulnerabilities that can be exploited to gain unauthorized access.

Client-side attacks: These are attacks on your employees' workstations. Attacks like these are the rising trend of 2012, exploiting both human and software vulnerabilities.

Attacks on your website: It is estimated that 70% of attacks begin with hacking attempts on the corporate website and its subdomains. SQL injection and similar vulnerabilities are still an easy way to retrieve data from corporate databases.

Worms and viruses: Self-propagating programs that often create back-door access to servers and workstations within a network.

Countermeasures

Against these threats, your company employs a number of solutions. Some of these include:

Anti-virus and anti-malware software, whose purpose is to detect (and remove) worms, viruses and trojan horses.

Access control, which limits user privileges so that if a hacker gains access to a part of the system, their access is limited to only that part.

Firewalls, which restrict the traffic that can pass through them, based on rule and permission sets.

Encryption, to protect against packet-sniffing for passwords.

Intrusion detection systems, which scan a network for users that shouldn't be there, or who are behaving suspiciously.

Although necessary, these systems are complex and expensive; according to Forrester Research, North American companies spent $31 billion on security in 2010. Hacking tools and techniques are constantly evolving, so security measures need to keep pace.

The Value of Penetration Testing

Data protection doesn't operate itself. System maintenance is necessary to apply patches and updates as new vulnerabilities are discovered. Incident response happens when an intruder does get in: locking out an intruder who is currently in the system, or dealing with the aftermath. A system looks different from the outside than it does from the inside. Considered much more thorough than a security audit, penetration testing examines the system from the viewpoint of a potential attacker. Essentially, penetration testing lets you know of weaknesses in advance, allowing you to find and fix them before a hacker discovers and exploits them. This ranges (depending on the level of testing desired) from the most obvious and common approaches (for example, passwords that have been left at the default, which are very easy to change) to more difficult passwords attacked through complex methods. Moreover, penetration testing is the most efficient way to understand the real risk to which your data is exposed. There's no way to accurately gauge this risk without mimicking an attacker with sophisticated skills. While a vulnerability scanner only scratches the surface, penetration testing is a methodical process of verifying the actual exploitability of all weaknesses. The exploitation of each vulnerability will give the penetration tester access to networks and computers to which a vulnerability scanner would never have access. In short, penetration testing ensures that you're getting value from your security spend. It allows you to deny hackers the low- and medium-hanging fruit that can severely compromise your security, and prepares you to mitigate and avoid even the most advanced attacks.

Pen Testing vs. Hacking

In years past, penetration testers were called ethical hackers. And on the surface, penetration testing does look a lot like hacking. However, the disciplines are distinct, much as a locksmith is distinct from a lock-picking criminal. Penetration testers employ many of the same tools that a hacker does, but unlike hackers, penetration testers work under strict rules of engagement: they go into specific areas only, and have limits on their actions. The purpose is to discover weaknesses, not to break into the system for its own sake. Hackers operate with a view to getting into the system at all costs; a pen tester's role is to probe for correctible weaknesses in the system and improve its overall security. A penetration tester is a professional who can also suggest and advise on the most appropriate and cost-effective countermeasures for each discovered vulnerability. A penetration testing report is the confidential document delivered to the corporation, showing executives as well as IT departments what needs to be done to solve the discovered security issues.

In-house vs. Outsourced Penetration Testing

There is an ongoing debate about whether a company should hire an external company or use internal staff to perform penetration testing. Both approaches have their pros and cons. An external company whose core business is penetration testing is surely specialized and can deliver a much better result if you don't have trained staff. However, many privacy and data access issues arise from this approach. A security audit that simulates a hacking attack is likely to come across sensitive data. It could be customer records, credit card numbers or competitive information, but it's going to be data that hackers would seek. Just because the outside penetration tester is under contract doesn't mean you want them to have access to the information, any more than you'd want a trusted, but not cleared, internal employee to have that information. There are also political reasons: a security audit is going to bypass the protected elements of your security and discover those that aren't. Most security systems contain a hole or two, but it's going to be less embarrassing to have those revealed by an insider.

Finally, there's the element of cost. An externally run security audit will cost you anywhere from thousands to tens of thousands of dollars, even for very small engagements. And audits will need to be performed regularly, as new capabilities (and thus potential security weaknesses) and upgrades are added to your network. In the long run, if you want to perform periodic penetration tests, the costs of external penetration testing can be difficult to justify. Having an in-house employee or a team of employees run the penetration testing will save the company a lot of money over the long run. Being an in-house employee who can run penetration testing will add meaningful value to your organization, as well as to your own value within the company. Additionally, building in-house competencies can be cost-effective if properly done.

Becoming a Pen Tester

So how do you acquire the skills needed to become a penetration tester for your organization? Like any skill set, there are a number of ways:

Books have been written on the subject.
You can take courses at your local college.
You can find an existing mentor and learn as an apprentice.
You can take a specialized course in the subject.

For a busy professional with other responsibilities, finding a mentor may be difficult, and a college class isn't likely to be specific or action-oriented enough. Books are updated every two or three years, and are therefore often obsolete and missing any practical training. Your best approach is to go through a specialized course and earn a penetration testing certification.

What to Look for in a Course

Penetration testing is a hands-on skill set; you can't learn all of it, or even most of it, from a book. A competent pen tester uses a number of tools, techniques and skills in the course of his work. A good penetration testing course will give you the subject matter, but it will also allow you to apply that knowledge, turning academic understanding into hands-on expertise. Active exercises and sandboxed environments are important: you want to be able to test your skills with real tools, in a realistic virtual environment, before applying them in practice. But that expertise is only one element. You also need to gain a broader understanding of how hackers think; information security is about protecting assets from threats, and that's hard to do when you don't comprehend the threat in the first place. Also, computer security is a rapidly moving field. You'll need to stay ahead of the latest threats and defensive measures; a good penetration testing course will keep you engaged and updated even after completion, allowing its value to you and your organization to carry on well into the future. Finally, you want a comprehensive course. The actual penetration testing is an information-gathering exercise, and information is only actionable when it's reported usefully. Your course should teach you how to accurately and constructively report your findings: "I got in through a loose port" is much more relevant and actionable when you can advise on how to tighten that port. A good penetration testing course provides a full end-to-end grounding in all aspects of a security audit.

New and Old Methodologies

A course that teaches only the latest approaches is good, but it's not sufficient. Hackers don't just use the latest approaches; they consistently breach networks and inflict damage through techniques that date back a decade or more. One of the most popular methods of the infamous hacker group Anonymous, for example, is called a SQL injection. That's been known since 1998, but modern networks are still falling victim to it. Don't make the mistake of learning to defend your systems against the equivalent of artillery and nuclear weapons while ignoring older and more primitive weapons. There are hackers out there still using the equivalent of catapults, and those people can cause as much damage to your system as someone using a more modern approach. An effective penetration testing course also needs to be comprehensive. You want to take a course that trains you to secure your organization against any threat, whether it's brand new or a decade and a half old. Your course should cover everything from SQL injection to the latest Wi-Fi cracking technologies.

Summary

It's a dangerous world out there, and IT security is critical. Your organization spends a lot of money and time on IT security, and for good reason. But that spend may deliver value or it may not. You don't want to find out that your network is insecure only once you've been hacked. Regular security audits and penetration testing are a necessary part of your defensive IT strategy, and it behooves you, for a number of reasons, to handle them in-house. Learning penetration testing can be done via coursework, and will enhance your value to the organization. But you need to choose the right course; you want one that gives you hands-on experience and a thorough understanding of where threats originate. You also want one that delivers a solid grounding in all the ways an attacker might breach your security, from the newest to the oldest but still harmful techniques.

About elearnsecurity

Based in Pisa, Italy, elearnsecurity is a leading provider of IT security and penetration testing courses for IT professionals. elearnsecurity advances the career of the IT security professional by providing affordable top-level instruction. We use engaging elearning and the most effective mix of theory, practice and methodology in IT security, all with real-world lessons that students can immediately apply to build relevant skills and keep their companies' data and systems safe. For more information, visit http://www.elearnsecurity.com.

2012 elearnsecurity S.R.L, Via Carnelutti 11, 56124 Pisa, Italy