Paul Vlissidis Group Technical Director NCC Group plc paulv@nccgroup.com


Managing IT Fraud Using Ethical Hacking

Agenda
- Introductions
- Context for Ethical Hacking
- Effective use of ethical hacking in fraud scenarios
- Ensuring the ethical dimension

About NCC Group
- 400m business, publicly listed on the LSE
- 20 offices across the UK, Europe, North America & Australia
- Over 15,000 customers worldwide
- Information assurance services
- Started security testing in 1997; now the largest single penetration/cybersecurity testing team in the world (by a considerable margin)
- Making the internet a safer place to be

Penetration Test Definition
An authorised, adversary-based assessment for defensive purposes.
- Authorised: someone with legal control of the facility, system or entity to be tested has agreed to the process.
- Adversary-based: the activity is centred around what one or more adversaries would do if they were attacking the target. This means taking into account the adversaries' knowledge, skills, commitment, resources and culture.
- Assessment: one is making an expert, methodical and consistent judgement of security.
- Defensive purposes: we do what we do to help the good guys make decisions about business, about security, about computer systems, about control systems.

Why do we use ethical hacking?
- A regular risk-based assessment of cyber security
- To support assessment of compliance
- Pre/post go-live for a new system/application
- As an independent check on external service providers/vendors
- To support audit requirements
- As part of an incident response
- To exercise incident detection and escalation processes

Categories of Penetration Test
- External network: as viewed from the Internet
- Internal network: as viewed by an internal user
- Web application: web application issues account for many successful attacks
- Database security
- Wireless network security
- Desktop: the new front line
- Email/social media: phishing
- Laptop/mobile
- Mobile applications
- Malware
- Procedural (social engineering)
- Red Team: a holistic, black-box, covert test of security posture

A test can be much more than just an audit
- Audits find issues, but mostly the ones they expect to find
- Penetration tests offer a holistic test of complete security posture
- Simulate creative thinking by a motivated and capable threat actor
- A fair test that the security really works
- Allows exercise of multiple mechanisms :-
  - Intrusion detection
  - Host-based security
  - Security event logging
  - Password strength
  - Incident response
  - Security awareness
  - Security processes
  - Patching processes
  - Coding standards adherence
- True risk often emerges from a combination of lesser vulnerabilities.

What can't it do?
- You can't test everything; it is way too expensive
- Sampling and scope are essential to get best value
- It's a snapshot, not a continuous process
- Security is a moving target
- You can't infringe people's rights or break the laws of the land
- It doesn't offer certainty that you are secure, it just reduces uncertainty

Ethical hacking techniques applied to fraud scenarios
Penetration tests often find :-
- Default accounts left active (often with default passwords)
- Shared passwords being used in departments
- Database security issues
- Evidence of data exfiltration through log analysis
- Account privilege abuses
- Malware deployment
Penetration test reports often (always) contain information that informs auditors, but often go unread.
By showing how it can be done, ethical hacking can reveal how fraud was/is being done.
Ethical hackers determine what is possible and then construct fraud scenarios to demonstrate proof of concept.
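Two of the findings listed above, default accounts left active and shared passwords within a department, can be surfaced by an auditor from an account export before any tester arrives. The Python below is an added example, not code from the slides or from NCC Group; the default-account list, the department data and the password hashes are all constructed for illustration.

```python
"""Added example: two auditor-side checks over a constructed account export.
Flags (1) enabled accounts whose names are on a default/vendor list and
(2) groups of enabled accounts in one department that share a password,
which shows up as identical password hashes when hashes are unsalted."""
import hashlib
from collections import defaultdict

# Constructed list of well-known default/vendor account names (placeholders).
DEFAULT_ACCOUNTS = {"admin", "guest", "sa", "support", "test"}


def h(password):
    # Unsalted SHA-256 purely so the constructed sample has comparable hashes;
    # a real directory export would already contain the stored hashes.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed account export: (username, department, enabled, password_hash).
ACCOUNTS = [
    ("admin",  "IT",       True,  h("admin")),
    ("guest",  "IT",       False, h("guest")),
    ("jsmith", "Finance",  True,  h("Winter2014!")),
    ("ajones", "Finance",  True,  h("Winter2014!")),
    ("bpatel", "Finance",  True,  h("Winter2014!")),
    ("ckhan",  "HR",       True,  h("s3cret-unique")),
    ("sa",     "Database", True,  h("P@ssw0rd")),
]


def active_default_accounts(accounts):
    """Return enabled accounts whose name is on the default-account list."""
    return sorted(u for u, _, enabled, _ in accounts
                  if enabled and u in DEFAULT_ACCOUNTS)


def shared_password_groups(accounts, min_size=2):
    """Map department -> users whose enabled accounts share a password hash.
    Identical hashes within a department are the 'shared password' finding."""
    groups = defaultdict(list)
    for user, dept, enabled, pw_hash in accounts:
        if enabled:
            groups[(dept, pw_hash)].append(user)
    return {dept: sorted(users)
            for (dept, _), users in groups.items() if len(users) >= min_size}


if __name__ == "__main__":
    print("Active default accounts:", active_default_accounts(ACCOUNTS))
    print("Shared passwords by department:", shared_password_groups(ACCOUNTS))
```

Running it against a real export needs only the tuple layout and the default-account list adapting; disabled accounts are ignored on purpose, since only live accounts represent a fraud opportunity.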

Penetration testing during incident response
- Often used to reverse engineer the fraud/attack and answer the question "how was it done?"
- Can be used alongside other incident response services: forensics, log analysis
- Can be deployed quickly and inform/direct the investigation.

The ethical dimension
- Formal rules of engagement
- Scope definition
- System/network/data ownership
- Legal/regulatory issues
- Data allowed to be taken offsite (e.g. password hashes, configs)
- Destruction requirements for test data
- Escalation path(s): if fraud is discovered, what is the process to engage first responders?
- Tester credentials and clearances: CREST membership

Appropriate Accreditations
- ISO 9001:2008: NCC Group's services are accredited to ISO 9001:2000 and have held ISO 9001 status since 1994.
- ISO 27001:2005: NCC Group's Information Consultancy & Testing Solutions division is certified to ISO 27001:2005 (formerly BS7799 part 2). (LRQ 0963077)
- CESG CHECK: we are accredited under the Government's CESG Check scheme for network penetration and testing services. We have been classed as a Green service provider continuously since 2001, this being the highest attainable standard.
- PCI Approved Scan Vendor / PCI Qualified Security Assessor: NCC Group is a Qualified Security Assessor and an Approved Scan Vendor regulated by the PCI Standards Council.
- CREST (Council of Registered Ethical Security Testers): NCC Group is an active member of CREST, the standards-based organisation for penetration test suppliers aimed at ensuring the very highest standards of leading-edge security testing.

Who is CREST?
- Council of Registered Ethical Security Testers
- Formed as a Company Limited by Guarantee
- Initial members were all from the CHECK community
- Currently 38 member companies
- Additional support from CESG, CPNI

CREST Assurance
- Carry out stringent background checks on their staff
- Provide their staff with a structured framework covering awareness, education, research and career development
- Deploy rigorous testing methodologies and processes
- Produce clear, insightful reports for both technical and management audiences
- Protect client information in a professional manner
- Meet any legal, regulatory or business constraints on their testing
- Have signed company and individual codes of conduct
- Adhere to a signed memorandum of agreement on good practice
- Deal with complaints in a diligent fashion, with agreement that any conflict can be handled by an independent professional body.

Summary
- Penetration testing / ethical hacking is a powerful audit tool
- It addresses categories of risk not covered elsewhere
- It provides concrete evidence that your security investment is effective against many fraud scenarios
- It can assist in detecting fraud opportunities
- It can be used in a fraud incident response
But...
- It cannot find everything
- It must be used properly as part of a mix of controls
- It needs proper specification, planning and execution to be effective
- Someone has to read the reports to realise the benefits

UK Offices: Manchester (Head Office), Cheltenham, Edinburgh, Leatherhead, London, Thame
European Offices: Amsterdam (Netherlands), Munich (Germany), Zurich (Switzerland)
North American Offices: San Francisco, Atlanta, New York, Seattle
Australian Offices: Sydney