Implement Effective Penetration Testing



Similar documents
Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

Securing The Data. Payment System Forum Bank Negara Malaysia. 27 th November Murugesh Krishnan Head of Risk, South & Southeast Asia

Data Security Basics for Small Merchants

Webinar - Skimming and Fraud Protection for Petroleum Merchants. November 14 th 2013

MITIGATING LARGE MERCHANT DATA BREACHES

2015 Visa Payment Security Symposium Webinar

Visa PIN Security Program Webinar May Alan Low PIN Risk Representative AP and CEMEA. Visa Public

Effectively Managing Data Breaches

Third Party Risk Management Basics. Webinar. 26 February 2015

Payment Card Data and Protected Health Information Security Practices

Self Help Guides. Create a New User in a Domain

Identifying and Mitigating Threats to E-commerce Payment Processing

Quest vworkspace Virtual Desktop Extensions for Linux

Product comparison. GFI LanGuard 2014 vs. Microsoft Windows InTune (October 2013 Release)

Streamlining Web and Security

Service Level Agreement (SLA) for Customer by. Cybersmart ISP. (Cloud Hosting Agreement)

Are You Ready For PCI v 3.0. Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014

Dell One Identity Cloud Access Manager How to Configure vworkspace Integration

Managing for the Long Term: Keys to Securing, Troubleshooting and Monitoring a Private Cloud

PowerBroker for Windows

New PCI Standards Enhance Security of Cardholder Data

Self Help Guides. Setup Exchange with Outlook

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

formerly Help Desk Authority Quest Free Network Tools User Manual

BlackBerry Enterprise Server. BlackBerry Administration Service Roles and Permissions Version: 5.0 Service Pack: 4.

Using Self Certified SSL Certificates. Paul Fisher. Quest Software. Systems Consultant. Desktop Virtualisation Group

Project Title slide Project: PCI. Are You At Risk?

43% Figure 1: Targeted Attack Campaign Diagram

HP Security Assessment Services

NCD ThinPATH Load Balancing Startup Guide

Application Note: GateManager Internet requirement and port settings

Dell One Identity Cloud Access Manager How To Deploy Cloud Access Manager in a Virtual Private Cloud

PCI PA-DSS Requirements. For hardware vendors

TERMS AND CONDITIONS

A PCI Journey with Wichita State University

PCI DSS and the A10 Solution

ENTERPRISE EPP COMPARATIVE REPORT

Product comparison. GFI LanGuard 2014 vs. Microsoft Windows Server Update Services 3.0 SP2

Tips and Best Practices for Managing a Private Cloud

Go beyond basic up/down monitoring

Redhawk Network Security, LLC Layton Ave., Suite One, Bend, OR

Payment Card Industry Data Security Standards

Three Critical Success Factors for PCI Assessment. Seth Peter NetSPI April 21, 2010

CA SiteMinder SSO Agents for ERP Systems

4.0. Offline Folder Wizard. User Guide

Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime

Privilege Gone Wild: The State of Privileged Account Management in 2015

Dell Unified Communications Command Suite - Diagnostics 8.0. Data Recorder User Guide

SURVEY REPORT SPON. Identifying Critical Gaps in Database Security. Published April An Osterman Research Survey Report.

How To Manage A Privileged Account Management

BlackBerry External Infrastructure Penetration Testing Service

BES10 Self-Service. Version: User Guide

Corbin Del Carlo Director, National Leader PCI Services. October 5, 2015

Your Reference Guide to EMV Integration: Understanding the Liability Shift

BlackBerry Business Cloud Services. Version: Release Notes

TERMS and CONDITIONS OF USE - NextSTEPS TM

Symantec ESM Agent For IBM iseries AS/400

RSA Two Factor Authentication

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

PCI Security Standards Council, LLC Payment Card Industry Vendor Release Agreement

ALL WEATHER, INC. SOFTWARE END USER LICENSE AGREEMENT

Integrating F5 BIG-IP load balancer administration with HP ProLiant Essentials Rapid Deployment Pack

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

Copy Tool For Dynamics CRM 2013

An Introduction to Cyber Liability Insurance. Catherine Berry Senior Underwriter

GFI Product Comparison. GFI LanGuard 2011 vs Retina Network Security Scanner

Service Description: Dell Backup and Recovery Cloud Storage

MAGNAVIEW SOFTWARE SUPPORT & MAINTENANCE. TERMS & CONDITIONS September 3, 2015 version

Termulator II. for Windows. User s Guide. Termulator support is only available via tlsupport@givenhansco.com

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1

GFI Product Comparison. GFI LanGuard 2011 vs Microsoft Baseline Security Analyzer 2.2

ICS Presents: The October 1st 2015 Credit Card Liability Shift: This Impacts Everyone!

About Recovery Manager for Active

BlackBerry Enterprise Server Express. Version: 5.0 Service Pack: 4. Update Guide

Best Practices for Secure Mobile Access

Spotlight Management Pack for SCOM

Defender Delegated Administration. User Guide

Privilege Gone Wild: The State of Privileged Account Management in 2015

PCI Security Scan Procedures. Version 1.0 December 2004

Transcription:

Implement Effective Penetration Testing Ed Verdurmen Visa - Moderator Navid Jam FireEye Rob Chahin & Kevin Dunn NCC Group Ryan Wakeham & Scott Sutherland netspi August 25, 2015

Notice of Disclaimer The information, recommendations or best practices contained herein are provided "AS IS" and intended for informational purposes only and should not be relied upon for operational, marketing, legal, technical, tax, financial or other advice. When implementing any new strategy or practice, you should consult with your legal counsel to determine what laws and regulations may apply to your specific circumstances. The actual costs, savings and benefits of any recommendations, programs or best practices may vary based upon your specific business needs and program requirements. By their nature, recommendations are not guarantees of future performance or results and are subject to risks, uncertainties and assumptions that are difficult to predict or quantify. Assumptions were made by us in light of our experience and our perceptions of historical trends, current conditions and expected future developments and other factors that we believe are appropriate under the circumstance. Recommendations are subject to risks and uncertainties, which may cause actual and future results and trends to differ materially from the assumptions or recommendations. Visa is not responsible for your use of the information contained herein (including errors, omissions, inaccuracy or non-timeliness of any kind) or any assumptions or conclusions you might draw from its use. Visa makes no warranty, express or implied, and explicitly disclaims the warranties of merchantability and fitness for a particular purpose, any warranty of noninfringement of any third party's intellectual property rights, any warranty that the information will meet the requirements of a client, or any warranty that the information is updated and will be error free. To the extent permitted by applicable law, Visa shall not be liable to a client or any third party for any damages under any theory of law, including, without limitation, any special, consequential, incidental or punitive damages, nor any damages for loss of business profits, business interruption, loss of business information, or other monetary loss, even if advised of the possibility of such damages. 2

What s Changed in 2015? The PCI SSC Issued Pentest Guidance Q: How has the PCI guidance improved assessments? A: Alternate guidance is exhaustive (read: expensive), the previous PCI requirement set a low bar 3

What s Changed in the Past Five Years? Penetration testing has emerged as a mature market niche in the U.S, Western Europe, and parts of Asia Q: How do you find a top tier pentester? A: Good pentesters remain hard to identify. Examine the company s hiring process. It must include testing, and the company must be able to describe their approach to testing tools. 4

Q: How do I prepare for a pentest? A: People don t do this everyday, so: Start with an overview of the company, Ensure your QSA helps prepare your pentester, Set high-level goals, and Collaborate, Collaborate, Collaborate 5

Have a Threat Model Ready It needn t be detailed nor technical, cybercrime and POS malware may be sufficient Q: How do I prioritize my first technical pentest or first investment in a more expensive pentesting firm? A: Merchant breaches tend to exploit the POS and remote access, Fortune 500 breaches tend to exploit website vulnerabilities, and most breaches involve compromised privileged accounts. Start with these areas, share diagrams and access information, and suggest systems to use and examine Single linux\ AIX Console RDP Single Active Directory Domain 6

Large Companies Are Strict and Complex Q: How do I scope a test that provides system access to the tester without creating undue risk? A: REPEAT POINT: Use your QSA to help negotiate and provide appropriate detail to your pentester 7

Q: This sounds basic, do companies really struggle with performing detailed PCI penetration tests? A: Yes. Although Fortune 500 companies tend to have more experience, many firms set low standards for pentests 8

Q: Our company is deploying encryption, tokenization, and upgrading hardware between 2015 and 2017. How can a pentester help? A: A good pentester can help identify implementation errors. Implementation errors can render most technologies ineffective. 9

Q & A 10

Thank you

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information