Penetration testing & Ethical Hacking. Security Week 2014

Agenda
- Penetration Testing
- Vulnerability Scanning
- Social engineering
- Security Services offered by Endava

Who I am
Catanoi Maxim, Information Security Consultant at Endava
Certifications:
- EC-Council, Certified Ethical Hacker
- EC-Council, Certified Security Analyst
- EC-Council, Licensed Penetration Tester
- SANS/GIAC Penetration Tester
- PCI-DSS, PCI Professional (Payment Card Industry)
Over 10 years of experience in IT Security

What is Penetration Testing?
A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source.

Why Penetration Testing?
- Find holes now, before somebody else does
- To make a point to decision makers about the need for action or resources
- Real-world proof of need for action
- Report problems to management
- Evaluate efficiency of security protection
- Security training for network staff
- Discover gaps in compliance
- Testing new technology
- Adopt best practice by conforming to legal regulations

Penetration Testing types
- Network services test
- Client-side security test
- Application security test
- Password attack
- Wireless & Remote Access security test
- Social engineering test
- Physical security test

Penetration Testing area
- Data: strong passwords, ACLs, backup and restore strategy
- Application: application hardening
- Host: OS hardening, authentication, security update management, antivirus updates, auditing
- Internal network: network segments, NIDS
- Perimeter: firewalls, border routers, VPNs with quarantine procedures
- Physical security: guards, locks, tracking devices
- Policies, procedures, and awareness: security policies, procedures, and education

Penetration Testing profile
- Black Box
- White Box
- External
- Internal
- Grey Box
- Destructive
- Non-destructive
- Announced
- Unannounced

Penetration Testing methodology
Proprietary methodologies:
- IBM ISS
- Foundstone
- EC-Council LPT
Open source and public methodologies:
- OSSTMM
- CISSP
- CISA
- CHECK
- OWASP

Penetration Testing flow
1. Scope/Goal Definition
2. Information Gathering
3. Vulnerability Detection/Scanning
4. Information Analysis and Planning
5. Attack & Penetration/Privilege Escalation
6. Result Analysis & Reporting
7. Clean-up
REPEAT

LPT Penetration Testing roadmap

LPT Penetration Testing roadmap (cont.)

Who should perform a Penetration Test?
- This is a highly manual process
- Art of finding an open door
- A qualified expert from outside holding recognized certifications like CEH, ECSA, CISSP, CISA, CHECK
- Networking: TCP/IP concepts, cabling techniques
- Routers, firewalls, IDS
- Ethical hacking techniques: exploits, hacking tools, etc.
- Databases: Oracle, MSSQL, MySQL
- Operating systems: Windows, Linux, Mainframe, Mac
- Wireless protocols: Wi-Fi, Bluetooth
- Web servers, mail servers, access devices
- Programming languages
- Other

What makes a good Penetration Test
- Establishing the parameters for the penetration test, such as objectives and limitations
- Hiring skilled and experienced professionals to perform the test
- Choosing a suitable set of tests that balances cost and benefits
- Following a methodology with proper planning and documentation
- Documenting the results carefully and making them comprehensible for the client
- Stating the potential risks and findings clearly in the final report

Vulnerability Scanning: standalone service
- An established process for identifying vulnerabilities on internal and external systems
- Reduce the likelihood of a vulnerability being exploited and potential compromise of a system component
- Internal vulnerability scans should be performed at least quarterly

How often?
- On a regular basis, at least annually
- Internal penetration test
- External penetration test
- Vulnerability scanning at least quarterly
- New network infrastructure or applications are added
- Significant upgrades or modifications are applied to infrastructure or applications
- New office locations are established
- Security patches are applied
- End user policies are modified

Social Engineering
The art of manipulating people so they give up confidential information.

E-mail Spoofing

Bank domain | SPF record
comertbank.md | v=spf1 mx -all
socbank.md | v=spf1 ip4:83.218.209.32 a mx
victoriabank.md | v=spf1 ip4:195.22.231.16/28
maib.md | v=spf1 mx -all
moldindconbank.com | ?
bem.md | v=spf1 mx ~all
ecb.md | ?
unibank.md | v=spf1 a mx ip4:217.26.160.15/32 ~all
fincombank.com | ?
energbank.com | v=spf1 mx ip4:217.12.112.18 ~all
procreditbank.md | v=spf1 mx mx:mail.procredit.md -all
bcr.md | v=spf1 mx ip4:91.220.94.0/24 -all
eximbank.com | v=spf1 ip4:212.56.207.34 ~all
mobiasbanca.md | v=spf1 ip4:194.247.52.237 a mx -all
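
The records in the table differ mainly in how they end: "-all", "~all", or no "all" term at all. The following added example (not part of the original slides) reads that ending and shows what it means for a domain owner auditing their own record. The domains and addresses are constructed placeholders, None stands for a domain that publishes no SPF record, and the low/medium/high scale is an assumption of this example.

```python
# Added example (not from the slides): what each SPF record says about
# mail from servers the record does not list.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_all_policy(record):
    """Result for senders that match no mechanism in an SPF TXT record.

    record is None when the domain publishes no SPF record.
    """
    if not record:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # not an SPF version 1 record
    has_redirect = False
    for term in terms[1:]:
        t = term.lower()
        if t.startswith("redirect="):
            has_redirect = True             # policy is defined by another domain
            continue
        qualifier, mech = (t[0], t[1:]) if t[0] in QUALIFIERS else ("+", t)
        if mech == "all":
            return QUALIFIERS[qualifier]    # "all" wins; redirect is ignored
    # RFC 7208: with no "all" and no redirect the result is neutral ("?all")
    return "redirect" if has_redirect else "neutral"

def spoofing_exposure(record):
    """Rating scale is this example's assumption, not a standard."""
    policy = spf_all_policy(record)
    if policy == "fail":
        return "low"        # receivers are asked to reject unlisted senders
    if policy == "softfail":
        return "medium"     # unlisted senders are only marked as suspicious
    if policy == "redirect":
        return "unknown"    # need to fetch and evaluate the redirect target
    return "high"           # none, neutral or pass: no restriction published

# Constructed sample data: placeholder domains, documentation IP ranges.
SAMPLES = {
    "bank-a.example": "v=spf1 mx -all",
    "bank-b.example": "v=spf1 ip4:192.0.2.32 a mx",
    "bank-c.example": "v=spf1 mx ip4:198.51.100.18 ~all",
    "bank-d.example": None,
}

def audit(records):
    return {d: (spf_all_policy(r), spoofing_exposure(r)) for d, r in records.items()}

if __name__ == "__main__":
    for domain, (policy, risk) in audit(SAMPLES).items():
        print(f"{domain:16} all={policy:9} exposure={risk}")
```

SPF evaluates only the envelope sender, so a "-all" record still needs DKIM and a DMARC policy before receivers can reject mail that forges the visible From address.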

SMS Spoofing
SMS spoofing is a relatively new technology which uses the short message service (SMS), available on most mobile phones and personal digital assistants, to set who the message appears to come from by replacing the originating mobile number (Sender ID) with alphanumeric text.
Spoofing has both legitimate uses (setting the company name from which the message is being sent, setting your own mobile number, or a product name) and illegitimate uses (such as impersonating another person, company, product).

Call Spoofing
Caller ID spoofing is the practice of causing the telephone network to indicate to the receiver of a call that the originator of the call is a station other than the true originating station.

Security Services Offered by Endava
- Regular External and Internal Vulnerability Scans
- Regular Penetration Tests
- PCI-DSS Assessment
- Implementing ISO 27001 and/or ISO 9001 Standards
- Security Trainings
- Security Consultation
- Security Audits
- Custom Security Solution
- Intrusion Monitoring Solution
- 24/7 Incident Response Team

Questions

The end
Maxim Catanoi, IT Security Consultant
maxim.catanoi@endava.com
Tel +373 797 02900
Skype en_mcatanoi
Thank you