Goals. Understanding security testing



Transcription:

Getting The Most Value From Your Next Network Penetration Test
Jerald Dawkins, Ph.D.
True Digital Security
P.O. Box 35623, Tulsa, OK 74153
p. 866.430.2595  f. 877.720.4030
truedigitalsecurity.com

Goals
- Understanding security testing
  - Penetration test
  - Vulnerability scanning and analysis
- How to better scope and analyze the scope of a penetration test
- How to interpret the results of a penetration test

Many forms
- Vulnerability Scanning
- Vulnerability Assessment
- Red Teaming
- Penetration testing
- Threat models
- Black box, grey box, white box
- Scope, rules of engagement
- What does it all mean!?

Vulnerability Scanning (most common)
- Identifies known vulnerabilities
  - OS Patch Management
  - Application Patch Management
  - System Misconfiguration
- Ultimately a clean report assumes risk and makes assumptions

Problems with Vulnerability Scanning
- Limited control testing
  - Patch management and known configuration issues
- Surface evaluation only ("Yes, the building has windows")
  - Web applications and custom applications
- Mismanaged by IT and audit
  - Typically doesn't address fundamental issues
  - Scanning is the requirement, not remediation
  - Not aligned with business value (laptop versus server)
- Internal versus external viewpoints
- Credentialed versus unauthenticated

Penetration Testing
- Use this to verify:
  - That configuration standards are adequate
  - Assumptions made by the organization are correct
- To test the effectiveness of the internal control structure and procedures
  - From the questions: are procedures being completed? Are the procedures adequate?
- Gaps in compliance
- Test a broader range of internal control procedures

Rise of Attacks
- Applications (2003)
- Platform (2000)
- Host (1995)
- Networking Infrastructure (1990), TCP/IP

Penetration Testing Primer
- Black box, grey box, white box
- Noisy versus stealthy
  - Disable security features (like IPS)
- Simulation versus real attacks
- Credentialed versus unauthenticated
- Specialized penetration testing
  - Oracle, SCADA, etc.
  - Custom applications or deployments
- Restricting penetration testing

Test what you can control
- From a real penetration test:
  - JTAGs are sometimes not blown
  - Keys embedded in firmware
  - C12.21 authentication not implemented
  - SNMP, DHCP, dynamic ARP, embedded NTP vulnerabilities
- Vendor Management is critical
  - Focus on what you can control and validate those controls
  - Assume a compromised cellular network; encrypt communication
  - Leverage vendors' documentation and implementation guides
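The "keys embedded in firmware" finding above is one a vendor-management programme can check for itself before a device image is deployed, rather than waiting for a tester to report it. The following is an added example, not code from the slides or from True Digital Security: it scans a firmware blob for PEM private-key blocks and for long printable runs with high Shannon entropy (hard-coded tokens tend to look like that), while skipping low-entropy padding. The firmware image, the version string and the "key" material are constructed inline for the demonstration; the key body is shuffled alphabet text, not real key material, and the thresholds are assumptions to be tuned per product.

```python
"""Added example: acceptance check for embedded key material in a firmware image.
Everything below (image layout, strings, thresholds) is constructed for illustration."""
import math
import random
import re
import string

# Matches a PEM private-key block; the backreference requires BEGIN/END labels to agree.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)
# Printable runs of base64-alphabet characters long enough to be a key or token.
STRING_RE = re.compile(rb"[A-Za-z0-9+/=]{32,}")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for repeated bytes, up to 6.0 for uniform base64 text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((data.count(b) / n) * math.log2(data.count(b) / n) for b in set(data))


def find_embedded_secrets(blob: bytes, entropy_threshold: float = 4.5):
    """Return a list of (kind, offset, detail) findings for PEM blocks and
    high-entropy strings outside those blocks."""
    findings = []
    pem_spans = []
    for m in PEM_RE.finditer(blob):
        pem_spans.append((m.start(), m.end()))
        findings.append(("pem_private_key", m.start(), m.group(1).decode()))
    for m in STRING_RE.finditer(blob):
        # Strings inside an already-reported PEM block would be duplicate findings.
        if any(start <= m.start() < end for start, end in pem_spans):
            continue
        ent = shannon_entropy(m.group(0))
        if ent >= entropy_threshold:
            findings.append(("high_entropy_string", m.start(), round(ent, 2)))
    return findings


def build_sample_firmware() -> bytes:
    """Constructed image: ELF-like header, version string, a fake PEM block,
    a hard-coded token, and low-entropy padding that must NOT be flagged."""
    rng = random.Random(1234)  # fixed seed so the image is reproducible
    alphabet = list(string.ascii_letters + string.digits + "+/")

    def filler() -> str:  # 64 distinct characters in shuffled order (entropy exactly 6.0)
        rng.shuffle(alphabet)
        return "".join(alphabet)

    pem = ("-----BEGIN RSA PRIVATE KEY-----\n" + filler() + "\n" + filler() + "\n"
           "-----END RSA PRIVATE KEY-----\n")
    token = filler()
    return (b"\x7fELF" + b"\x00" * 64
            + b"fw-version=2.4.1\x00"
            + pem.encode()
            + b"\x00" * 32
            + b"api-token:" + token.encode() + b"\x00"
            + b"A" * 40          # low-entropy padding: matches STRING_RE but is ignored
            + b"\xff" * 64)


if __name__ == "__main__":
    for kind, offset, detail in find_embedded_secrets(build_sample_firmware()):
        print(f"{kind:22} at offset {offset:6d}: {detail}")
```

Run the module to see the two findings (the PEM block and the token); the 40-byte run of "A" characters is deliberately left unreported. For a real image, feed the bytes of the extracted filesystem or the raw flash dump to `find_embedded_secrets` and review each hit with the vendor's implementation guide at hand.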

RFP Preparation
- Number of machines, operating systems, architecture
- Target of the penetration test
  - Credit card information, certain data set, internal access
  - Specific system or custom application
- Rules of engagement
  - Social engineering, actual exploit, communication plan
- Leverage the penetration testing team to build the plan
  - Time equals money
  - Black box attack should be a white box attack
  - Stealthy versus noisy
  - IT versus Audit

Report: What You Need To Know
- Test the entire process, not just response
  - Can your team identify the initial scan?
  - Can your team track the attack?
    - System logs
    - System configuration changes
    - User administration
    - Service up time
- Adequacy of your Incident Response Plan
- Map engagement to your security controls to evaluate effectiveness
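The two report questions above ("Can your team identify the initial scan?" and "Can your team track the attack?") are answerable from your own logs, and a dry run before the engagement tells you whether the log sources even exist. The following added example (not from the slides or from True Digital Security) does that over constructed log lines: a simple port-scan heuristic over firewall records, then a timeline that ties the scanning source's later login to the user-administration and configuration-change events the slide lists. Log format, hostnames, addresses and the eight-port threshold are assumptions chosen for the demonstration.

```python
"""Added example: can our logs surface the initial scan and the follow-on activity?
All log lines, hosts and addresses below are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall and host log lines in a simplified syslog-like layout.
SAMPLE_LOGS = """\
2015-08-27T09:00:01 fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=21 proto=tcp
2015-08-27T09:00:01 fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp
2015-08-27T09:00:02 fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=23 proto=tcp
2015-08-27T09:00:02 fw1 ALLOW src=203.0.113.7 dst=192.0.2.10 dport=80 proto=tcp
2015-08-27T09:00:03 fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=135 proto=tcp
2015-08-27T09:00:03 fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=139 proto=tcp
2015-08-27T09:00:04 fw1 ALLOW src=203.0.113.7 dst=192.0.2.10 dport=443 proto=tcp
2015-08-27T09:00:04 fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=445 proto=tcp
2015-08-27T09:00:05 fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=1433 proto=tcp
2015-08-27T09:00:05 fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=3389 proto=tcp
2015-08-27T09:00:30 fw1 ALLOW src=198.51.100.20 dst=192.0.2.10 dport=443 proto=tcp
2015-08-27T09:12:40 web01 sshd: Accepted password for admin from 203.0.113.7
2015-08-27T09:14:02 web01 useradd: new user: name=svc_backup, UID=1005
2015-08-27T09:15:10 web01 fim: /etc/sudoers changed (hash mismatch)
"""

FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)")
HOST_RE = re.compile(r"^(\S+) (\S+) (sshd|useradd|fim): (.*)$")
# Host log facilities mapped to the evidence categories named on the slide.
CATEGORY = {"useradd": "user administration", "fim": "configuration change"}


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def detect_scans(log_text: str, min_ports: int = 8, window: timedelta = timedelta(minutes=1)):
    """Flag (src, dst) pairs where one source touches at least `min_ports` distinct
    destination ports on one host within `window`. Allowed and denied connections
    both count: a scan is visible in the pattern, not only in the denies.
    Returns {(src, dst): (first_seen, sorted_ports)}."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, _fw, _action, src, dst, dport = m.groups()
            seen[(src, dst)].append((parse_ts(ts), int(dport)))
    scans = {}
    for key, events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):           # sliding window from each event
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                scans[key] = (t0, sorted(ports))
                break
    return scans


def track_attack(log_text: str, src: str):
    """Timeline of host events attributable to `src`: its accepted logins, then
    user-administration and configuration-change events on the hosts it reached.
    Returns a list of (timestamp, host, category, message)."""
    events = []
    for line in log_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            ts, host, facility, msg = m.groups()
            events.append((parse_ts(ts), host, facility, msg))
    events.sort()
    reached_hosts, timeline = set(), []
    for ts, host, facility, msg in events:
        if facility == "sshd" and "Accepted" in msg and src in msg:
            reached_hosts.add(host)
            timeline.append((ts, host, "login", msg))
        elif host in reached_hosts and facility in CATEGORY:
            timeline.append((ts, host, CATEGORY[facility], msg))
    return timeline


if __name__ == "__main__":
    for (src, dst), (first, ports) in detect_scans(SAMPLE_LOGS).items():
        print(f"scan from {src} against {dst} starting {first}: {len(ports)} ports")
        for ts, host, category, msg in track_attack(SAMPLE_LOGS, src):
            print(f"  {ts} {host:6} {category:22} {msg}")
```

If a real engagement's scan never shows up in `detect_scans` output, the finding for the report is about the firewall logging policy, not the tester; likewise an empty `track_attack` timeline usually means host logs are not centralised, which is exactly the log-management control the slide asks you to evaluate.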

Penetration Test Example (diagram; only the control labels from each panel survive extraction)
- Panel 1: Intrusion Detection System, Incident Response, Firewall Configuration, Change Management
- Panel 2: Intrusion Detection System, Anti-Virus Software, File Integrity Monitoring, Log Management
- Panel 3: Log Management, Intrusion Detection System, Anti-Virus Software
- Panel 4: Log Management, Anti-Virus Software, File Integrity Monitoring, Log Management, User Access Control
- Panel 5: Intrusion Detection System, Incident Response, Firewall Configuration, Change Management

Advice to IT Auditors
- Focus on the scope of the test (Vulnerability or Pen)
  - Are you scanning the correct systems?
  - Are vulnerabilities being properly managed?
  - What is the focus of the Pen Test, and what controls are actually being tested?
- Focus on what you can control
  - SCADA Protocols (Research versus Practical)
  - Vendor Systems Application (Vendor Management)
- Map engagement to your security controls to evaluate effectiveness
- Don't try to be a Cisco/Windows/IIS/Application expert!

Jerald Dawkins, Ph.D.
jdawkins@trueds.com
True Digital Security
http://www.trueds.com
918-770-7700