PREPARED BY: Ms Irene Joseph Facilitator




REPORT ON CYBERSECURITY: CORPORATE INFORMATION, DATA LEAKAGE AND PENETRATION TESTING FORUM HELD ON 29TH NOVEMBER, 2012 AT TANZANIA GLOBAL LEARNING AGENCY

PREPARED BY: Ms Irene Joseph, Facilitator

CONTENTS

PREAMBLE
INTRODUCTION
MAIN BODY
ADVANTAGES OF PENETRATION TESTING
PENETRATION TESTING STRATEGIES
TESTING TYPES
METHODOLOGIES OF PENETRATION TESTING
PENETRATION TESTING COVERAGE
TOOLS TO PERFORM PENETRATION TESTING
PENETRATION TESTING
DISCUSSIONS
CONCLUSION
RECOMMENDATION
WAY FORWARD
REFERENCES

PREAMBLE

Many thanks to the Tanzania Country Level Knowledge Network (CLKNET) for organizing the Cyber-Security session focusing on Corporate Information, Data Leakage and Penetration Testing, and for inviting Mr. Adil Ilyas, who has vast knowledge of issues concerning Cyber-Security. Mr. Adil Ilyas, of Technology Expedition Ltd and a Cyber-Crime Consultant, shared his knowledge on the security of corporate companies' information and on how organizations can prevent threats at an early stage. The session was attended by participants representing different sectors: Government, Private Sector, Entrepreneurs and Students. It was also observed that the session was male dominated. The session lasted for 3 hours, from 1400 to 1700hrs.

INTRODUCTION

The Government of Tanzania has greatly embraced the advantages brought by Information and Communication Technology (ICT), in the sense that it has made efforts to create a suitable environment for the deployment and use of ICT in the realization of its socio-economic goals. Since the introduction of the National ICT Policy (2003), the Government has implemented various projects such as the National ICT Backbone (NICTBB), which provides reliable connectivity throughout the country and to neighbouring countries and makes Tanzania a hub of infrastructure. This project has demonstrated the vision of the NICTP (2003), which stated that Tanzania should become a hub of ICT infrastructure and ICT solutions that enhance sustainable socio-economic development and accelerated poverty reduction, both nationally and globally.

The Government has also established the E-Government Agency, which will work hand in hand with the ICT Units established in each Ministry to ensure the effective use of ICT in the respective Ministries. Currently almost every Ministry has a website, Accounting and Human Resource systems and an Internet connection, which facilitate the use of ICT for communication and for the storage of information. This indicates that the Government is in the process of going digital in its operations. Other Government institutions, such as the Tanzania Revenue Authority, have implemented the Driving License System, which stores the information of all citizens holding a driving license; likewise, the Immigration offices hold the information of all citizens holding passports. The National Identification Agency is currently developing digital identification cards for citizens. Moreover, the banks conduct all their activities digitally. It has been observed that the use of ICT has increased greatly in all spheres of the economy.

Governments, the private sector, NGOs, SMEs and others are currently implementing systems in their organizations so as to increase and ensure efficiency in their work and eventually provide reliable service delivery to individuals. But the issue of security has not been examined in detail, which can lead to loss of money in mobile/bank payments and leakage of data from corporate organizations, and might lead to disaster if not handled well. The Government has recognised the serious issue of security in the face of cyber-crime and has decided to review the current National ICT Policy (2003) so as to ensure that the issue of security is captured well, to secure e-commerce and the security of information from the corporate to the individual level, and to create awareness among individuals of the importance of security, which will eventually lead to the secure use of ICTs.

MAIN BODY

The presentation focused on the leakage of information from corporate organizations such as banks, Governments, NGOs and other large firms through data theft by intruders, and on how to perform penetration testing. Since most organizations currently store, process, retrieve and prepare reports digitally, all the information relating to the organization is available in digital form; if it is not safely stored, intruders can gain access and cause great loss to the organization's information. Data leakage can be defined as an unauthorized transmission of information from within the organization to an external destination or unauthorized recipients, which can lead to harm.

ADVANTAGES OF PENETRATION TESTING

Penetration testing is a structured approach and series of activities undertaken to identify and exploit security vulnerabilities so as to ensure safety by establishing the effectiveness or ineffectiveness of the security measures that exist. Penetration testing has various advantages to an organization in regard to the security of its information:
- Helps safeguard the organization against failure by preventing financial loss; proving due diligence and compliance to regulators, customers and shareholders; preserving corporate image; and rationalizing information security investment.
- Evaluates the effectiveness of the existing security products and provides supporting arguments for future investments or upgrades of security technologies.
- Provides proof of an issue and a solid case for an investment proposal to senior management.
- Helps shape information security strategy through quick and accurate identification of vulnerabilities, proactive elimination of identified risks and implementation of corrective measures.
- Provides detailed information on actual exploitable security threats.

PENETRATION TESTING STRATEGIES

If the organization decides to perform penetration testing, there are three methods that can be applied:
1. Black Box: In this method the tester has no knowledge or information about the organization he/she is about to test. The tester has to figure out everything from scratch.
2. White Box: The tester is given all the necessary information about the client's organization, which assists him/her in performing the testing task.
3. Grey Box: The tester is given limited information and has to figure out the rest in order to perform the task.

TESTING TYPES

The tester performing the penetration testing has to consider 3 areas in order to identify the exploits and vulnerabilities in the scope of network, applications and social engineering:
- The physical structure of the system
- The logical structure of the system
- The response workflow of the system

METHODOLOGIES OF PENETRATION TESTING

In penetration testing there are two well-known testing methodologies that can be applied:
1. ISSAF: this penetration testing methodology covers major information technology platforms and most high-level IT-related operational processes, and is intended to be applicable to major industry sectors.

2. OSSTMM: the Open Source Security Testing Methodology is divided into five channels which collectively test information and data controls; personnel security awareness levels; fraud and social engineering control levels; computer and telecommunication networks, wireless devices and mobile processes; and physical locations such as buildings, perimeters and military bases.

PENETRATION TESTING COVERAGE

The tester can choose either of the methodologies depending on the task, but in both methodologies the following phases have to be covered:
- Test preparation phase
- Test phase
  - Information gathering
  - Vulnerability analysis
  - Vulnerability exploits
- Test analysis phase / reporting

TOOLS TO PERFORM PENETRATION TESTING

There are many tools available for performing penetration testing, either open source or proprietary. Examples of the tools are as follows:
- Core Impact: commercial
- Skybox Security: commercial
- CANVAS: commercial
- Nessus: commercial
- OpenVAS: a fork of Nessus, still free and very powerful
- Immunity CANVAS: some versions are free, some are commercial
- Security Forest: old but free
- Metasploit Framework: free
- BackTrack5: free, with a huge collection of tools within
- Nmap: free and powerful

PENETRATION TESTING

The presentation was followed by a practical penetration test of a website built on the Joomla platform. BackTrack5 was used for the testing, and it was discovered that, out of 600, the website had 5 vulnerabilities which hackers could exploit.

DISCUSSIONS

After the presentation and the test, a Questions and Answers session followed, in which the participants had the opportunity to put questions to the presenter. During the discussion it was concluded that:
1. Most of the threats in organizations occur through software or applications.
2. It is safer to do penetration testing offline, and to go online only when there is an urgent need.
3. Not all faults found during penetration testing can be fixed by the pen-tester; at some point the vendor or developer of the system/application has to be asked to resolve the threat.
4. It was also suggested that, in an organization, employees should access computers and the internet through domain accounts.
5. It was also observed that most proprietary software is more secure.
6. The participants discussed what could be done to ensure the safety of the Government's websites, since most of them are built on the Joomla platform.
7. Is it possible to carry out penetration testing as regularly as financial auditing is done? Is there a need for regulation that enforces penetration testing to ensure the safety of information in corporate organizations?
8. It was also discussed that penetration testing has to be conducted by a person/firm outside the organization that needs the testing.
9. A forum should be held to discuss the EPOCA Law, in order to understand the legal provisions the Government has set in terms of the usage of ICT.

CONCLUSION

During the session it was concluded that pentesting is a professional task that assists the organization in identifying exploits and finding ways to secure against them, so as to ensure the safety of the organization's information. Hence, it is essential for organizations to perform such tests often, bearing in mind that it is not an alternative to other security measures but a way to address threats at an early stage. The organization needs to hire an external organization to perform the penetration testing.

RECOMMENDATION

Penetration testing should be treated as part of the necessary procedures to be undertaken by corporate organisations, so that the organization protects itself from attackers sooner by identifying security exploits and vulnerabilities earlier. This will ensure that the organization is aware of any existing loopholes and takes measures against them. If penetration testing is done regularly, measures can be taken promptly to prevent security threats.

WAY FORWARD

To conduct technical/practical forums in which security experts demonstrate different security measures using different tools, so as to provide more practical learning to students, clients and security officers of different organizations.

REFERENCES

1. Ilyas, A. (2012) Presentation on Corporate Information Security
2. National Information and Communication Technology Policy (2003)