Objectives Who I Am The Company I Interned With The Projects I Worked On Project Details How The Experience Relates To My Education Conclusions Drawn.

Objectives
– Who I Am
– The Company I Interned With
– The Projects I Worked On
– Project Details
– How The Experience Relates To My Education
– Conclusions Drawn

PNC Financial Service Group, Pittsburgh, Pa (Downtown)
– May 12, 2008 – Jan 9, 2009
– Corporate Information Security (Security Operations)
– Previously Interned In 2007 & 2008 In Their MIS Department

Projects
Many Very Interesting Projects
– Anti-Virus
– Penetration Testing
– Employee Monitoring
– Cyber Crime Prevention
– Technology Risk Evaluations
– IBM RDZ Pilot

Penetration Testing
Penetration Test – A test method where the security of a computer program or network is subjected to deliberate simulated attack.
A common form of White Hat hacking
– White Hat
– Grey Hat
– Black Hat
Related to vulnerability scanning or assessments, but not the same thing.

Penetration Testing
During my internship I categorized my penetration testing work in two ways:
– Manual (Traditional) Penetration Testing
– Automated Penetration Testing

Penetration Testing
There are many different types of penetration testing:
– Black Box
– Grey Box
– White Box
– Authenticated
– Partially Authenticated
– Non-Authenticated
– + Many More

Penetration Testing
Who does the penetration tests?
– Internal Employees
– 2nd or 3rd Party Vendors
– Business Partners
– Outsiders?
It is important to ensure the proper clearance before testing.
When a vendor is involved you should have a Mutual Disclosure Agreement (MDA) in place before discussing any details.
It is also important to thoroughly define the Rules of Engagement.

Penetration Testing
You may need corporate or governmental clearance.
Make sure your specific test is permitted, documented, and approved by the right people.

Penetration Testing
What level are you testing?
– Network level
– OS level
– Application level
You may be vulnerable at any level of the seven layer OSI model:
– Physical, Data Link, Network, Transport, Session, Presentation, Application

Penetration Testing
Since you can be vulnerable at any level, it is important to test all levels to mitigate risk and maintain a positive security posture.
The criticality of the system should determine the depth of the testing.

Penetration Testing
There is a general work flow that typically surrounds penetration testing:
– Planning
– Approval
– Execution
– Reporting
– Review
– Remediation
– Retest
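The approval and rules-of-engagement gate the slides above describe (clearance, an MDA when a vendor is involved, a defined scope and time window, and the Planning-to-Retest workflow) as an added example; this is not code from the original presentation or PNC's process, and the Engagement class, its fields, the CIDR range and the dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

STAGES = ["Planning", "Approval", "Execution", "Reporting",  # the workflow
          "Review", "Remediation", "Retest"]                 # stages, in order

@dataclass
class Engagement:
    name: str
    scope: list        # approved target ranges (CIDR strings)
    window: tuple      # (start, end) datetimes when testing is permitted
    vendor: bool = False   # a 2nd/3rd party is doing the work
    mda_signed: bool = False
    approver: str = ""     # empty string means nobody has signed off
    stage: str = "Planning"

    def approve(self, approver):
        """Approval gate: a vendor engagement needs the MDA in place first."""
        if self.vendor and not self.mda_signed:
            raise PermissionError("sign the MDA before discussing details")
        self.approver, self.stage = approver, "Approval"

    def advance(self):
        """Move to the next stage; nothing moves past Planning unapproved."""
        if not self.approver:
            raise PermissionError("engagement has not been approved")
        self.stage = STAGES[STAGES.index(self.stage) + 1]

    def may_test(self, target, when):
        """True only in Execution/Retest, inside the window and in scope."""
        if self.stage not in ("Execution", "Retest"):
            return False
        start, end = self.window
        if not start <= when <= end:
            return False
        addr = ip_address(target)
        return any(addr in ip_network(cidr) for cidr in self.scope)

def demo():
    """Constructed scenario; returns the gate decisions for checking."""
    e = Engagement("web tier test", ["10.20.0.0/24"],
                   (datetime(2008, 9, 1, 18), datetime(2008, 9, 1, 23)),
                   vendor=True, mda_signed=True)
    e.approve("CISO")
    e.advance()                                              # now Execution
    in_scope = e.may_test("10.20.0.15", datetime(2008, 9, 1, 19))
    out_scope = e.may_test("10.21.0.15", datetime(2008, 9, 1, 19))
    off_hours = e.may_test("10.20.0.15", datetime(2008, 9, 2, 9))
    return in_scope, out_scope, off_hours, e.stage
```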

Technology Risk Evaluations
A business in PNC wants to take on a vendor as a business partner.
This opens up our systems to risks.
The goal is to ensure that the risk we take on is acceptable.

Technology Risk Evaluations
The level of security we require usually depends on the sensitivity of the data being passed between us and the vendor.
Sensitive Data
– Personally Identifiable Information (PII)
– Medical Data
– Financial Information
– User names
– Passwords

Technology Risk Evaluations
We consider the risk from every angle. Examples:
– Authentication Mechanism
– Data Encryption
– Protocols Used (SSL)
– Host Side Security
– Client Side Security
– Physical Security
– Disaster Recovery (DR) Plan

Technology Risk Evaluations
How is an organization's level of security determined?
– Discussions with their security personnel, administrators, technicians, business analysts (BAs)
– Statement on Auditing Standards No. 70 (SAS 70) Type I & II
– Vulnerability Scans
– Penetration Tests

Technology Risk Evaluations
Which organization changes when the security level is not satisfactory?
– Usually the smaller organization will make the change.
– When two organizations are close in size they each have to bend a little.
– The idea is not to make unreasonable demands but to work with the organization to find a solution that makes sense for both.
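A small vendor risk-evaluation rubric in the spirit of the Technology Risk Evaluations slides above: the sensitivity of the data exchanged sets the required tier, and each "angle" (authentication, encryption, protocol, host, client, physical, DR) is checked against it, producing the gap list that would be negotiated with the vendor. This is an added example, not PNC's actual criteria; the tier numbers, control level meanings and sample findings are constructed.

```python
# Sensitivity tier implied by each kind of data that will cross the boundary
# (constructed tiers; the data types are the ones named on the slide).
DATA_TIER = {"public": 0, "user names": 1, "financial information": 2,
             "pii": 3, "medical data": 3, "passwords": 3}

# Minimum control level required at each tier, indexed by tier (0..3).
# The controls are the "angles" on the slide; the level meanings are constructed.
REQUIRED = {
    "authentication":     [0, 1, 2, 3],  # 1 password, 2 + lockout/policy, 3 MFA
    "transport":          [0, 2, 2, 3],  # 1 plaintext, 2 SSL/TLS, 3 current TLS only
    "encryption_at_rest": [0, 0, 1, 2],  # 1 sensitive fields, 2 everything
    "host_security":      [0, 1, 2, 2],  # 1 patched, 2 hardened and monitored
    "client_security":    [0, 1, 1, 2],
    "physical_security":  [0, 1, 2, 2],
    "dr_plan":            [0, 0, 1, 2],  # 1 documented, 2 tested
}

def required_tier(data_types):
    """Highest tier among the data types exchanged with the vendor."""
    return max(DATA_TIER[d.lower()] for d in data_types)

def evaluate(data_types, findings):
    """Compare assessed control levels (from interviews, SAS 70 reports,
    vulnerability scans or a pen test) with what the tier requires.
    Returns (tier, acceptable, gaps); a control never assessed counts as 0.
    Each gap is (control, level_found, level_required)."""
    tier = required_tier(data_types)
    gaps = [(c, findings.get(c, 0), lv[tier])
            for c, lv in REQUIRED.items() if findings.get(c, 0) < lv[tier]]
    return tier, not gaps, gaps

# Constructed vendor assessment: strong everywhere except the transport protocol.
SAMPLE_FINDINGS = {"authentication": 3, "transport": 2, "encryption_at_rest": 2,
                   "host_security": 2, "client_security": 2,
                   "physical_security": 2, "dr_plan": 2}

if __name__ == "__main__":
    print(evaluate(["Financial Information", "PII"], SAMPLE_FINDINGS))
    # (3, False, [('transport', 2, 3)])
```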

Classes That Were Helpful
– Crim 101 – Crime & Justice Systems
– Crim 102 – Survey of Criminology
– Crim 323 – Cybersecurity & the Law
– Cosc 316 – Host Computer Security
– Cosc 300 – Assembly Language Programming
– Cosc 319 – Software Engineering Concepts
– Math 219 – Discrete Math
– Math 216 – Probability & Stats for Natural Science and Mathematics Majors
– Cosc 220 – Applied Computer Programming (COBOL)

Classes I Wish I Had Taken
– Cosc 352 – LAN Design & Installation
– Cosc 356 – Network Security
– Cosc 427 – Intro to Cryptography
– Crim 403 – Dilemmas in Crime & Criminal Justice
– Crim 401 – Contemporary Issues in Criminology
– Engl 322 – Technical Writing I

Conclusions
– I learned what is involved in corporate information security.
– I learned I would enjoy a career in the information assurance/information security field.
– I learned a lot about project management.
– I learned new areas I need to learn more about and improve in to prepare myself for this field.

Questions?