Penetration Testing in Financial Institutions

Slides:



Advertisements
Similar presentations
Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Advertisements

1 SANS Technology Institute - Candidate for Master of Science Degree 1 Automating Crosswalk between SP 800, 20 Critical Controls, and Australian Government.
Software Quality Assurance Plan
I NDULGENC E There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company.
Penetration Testing Anand Sudula, CISA,CISSP SSA Global Technologies, India Anand Sudula, CISA,CISSP SSA Global Technologies, India.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
Security Controls – What Works
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
Kevin R Perry August 12, Part 1: High Level Changes & Clarifications.
The Information Systems Audit Process
Affiliated Information Security Collaborative An Affiliated Enterprise Approach to Information Security Deans and Vice Presidents Meeting April 17, 2014.
PCI's Changing Environment – “What You Need to Know & Why You Need To Know It.” Stephen Scott – PCI QSA, CISA, CISSP
Chapter 7 Database Auditing Models
The Business of Penetration Testing
Penetration Testing Edmund Whitehead Rayce West. Introduction - Definition of Penetration Testing - Who needs Penetration Testing? - Penetration Testing.
Website Hardening HUIT IT Security | Sep
BackTrack Penetration Testing Workshop Michael Holcomb, CISSP Upstate ISSA Chapter.
Terminal Services in Windows Server ® 2008 Infrastructure Planning and Design.
NUAGA May 22,  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.
Ed Hudson, Systemwide Director, Information Security Gina Curry, Director, Student Financial Services Center & University Bursar, CSU Sacramento.
Information Systems Security Computer System Life Cycle Security.
Update from Business Week Number of Net Fraud Complaints – 2002 – 48,252 – 2004 – 207,449.
 Computer security policy ◦ Defines the goals and elements of an organization's computer systems  Definition can be ◦ Highly formal ◦ Informal  Security.
2012 CWAG Annual Meeting State Agency Data Breaches Loss prevention, response and remediation strategies.
CMGT400 Intro to Information Assurance and Security (University of Phoenix) Lecture, Week 5 Tom Olzak, MBA, CISSP.
7-Oct-15 System Auditing. AUDITING Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic.
Basic of Project and Project Management Presentation.
The Office of Information Technology Campus Network Upgrade A three year plan facilitating increased reliability, functionality and speed for the UTSA.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 7 Database Auditing Models.
Managing Data Against Insider Threats Dr. John D. Johnson, CISSP.
Penetration Test
OCTAVE-S on TradeSolution Inc.. Introduction Phase 1: Critical Assets and threats Phase 2: Critical IT Components Phase 3: Changes Required in current.
Cloud Computing Security Keep Your Head and Other Data Secure in the Cloud Lynne Pizzini, CISSP, CISM, CIPP Information Systems Security Officer Information.
1 Chapter Nine Conducting the IT Audit Lecture Outline Audit Standards IT Audit Life Cycle Four Main Types of IT Audits Using COBIT to Perform an Audit.
Introduction: Information security services. We adhere to the strictest and most respected standards in the industry, including: -The National Institute.
Scott Charney Cybercrime and Risk Management PwC.
Risk (Vulnerability) Assessment & Penetration Test Approach 1VA PT Approach Confidential.
Module 12: Responding to Security Incidents. Overview Introduction to Auditing and Incident Response Designing an Audit Policy Designing an Incident Response.
APolicy EASy Security Project Analysis and Recommendations for TJX Companies, Inc.
Albany Bank Corporation Security Incident Management Program.
Cyber Security – Client View Peter Gibbons | Head of Cyber Security, Group Business Services Suppliers’ Summer Conference 15/07/2015.
1 Presented by: Val Pennell, Test Tool Manager Date: March 9, 2004 Software Testing Tools – Load Testing.
Vulnerability Analysis Dr. X. Computer system Design Implementation Maintenance Operation.
Department of Computer Science Introduction to Information Security Chapter 7 Activity Security Assessment Semester 1.
MARTA’s Road to PCI Compliance
Defining your requirements for a successful security (and compliance
Performing Risk Analysis and Testing: Outsource or In-house
Topic 5 Penetration Testing 滲透測試
OWASP ASVS for NFTaaS in Financial Services
BruinTech Vendor Meet & Greet December 3, 2015
Office 365 Security Assessment Workshop
Payment card industry data security standards
INDULGENCE There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company.
Security Testing Methods
Introduction to the Federal Defense Acquisition Regulation
Making a Holiday Special For All The Right Reasons
Unauthorized Access Risk Mitigation Techniques
Description of Revision
I have many checklists: how do I get started with cyber security?
MARTA’s Road to PCI Compliance
National Cyber Security
Getting benefits of OWASP ASVS at initial phases
IS4680 Security Auditing for Compliance
Incident response and intrusion detection
Overview UA has formed is forming a Security Operations Center (SOC) with Students supporting Tier 1 Activities. The SOC provides benefits to the University.
Cyber Security in a Risk Management Framework
{Project Name} Organizational Chart, Roles and Responsibilities
Chapter 21 Successfully Implementing The Information System
Anatomy of a Common Cyber Attack
Presentation transcript:

Penetration Testing in Financial Institutions 27 November, 2016 Penetration Testing in Financial Institutions COINS Ph.D. student seminar 2016 Oleksandr kazymyrov, technical test analyst

How the SWIFT Hack Went Down and How to Benefit from the Lessons Learned Agenda of the webinar : The sophisticated techniques used during the SWIFT hack, affecting the network, operating system, application and database layer. Key strategies and technologies to put in place for attack prevention and proper response. How Carbon Black can help you to implement the right level of protection and monitoring for different classes of systems. Source: https://www.carbonblack.com/webinars/swift-attack/

Agenda Chapter I – Brief Introduction Chapter II – What Is Penetration Testing? Chapter III – Pentest in Financial Institutions Chapter IV – Security Incidents Chapter V – Summary

Brief Introduction Chapter I

Education Additional Job Who am I? Certificates Candidate of Engineering Sciences in Information Security KHNURE, Ukraine Ph.D. in Cryptology University of Bergen, Norway Additional Certificates Certified Ethical Hacker Certified Encryption Specialist Standards DSTU 7624:2014 DSTU 7564:2014 Job Technical Test Analyst at EVRY Penetration Tester in Financial Services at EVRY

EVRY 26% 39yrs – Nordic Champion Women Age Universum #4 100+ employees EVRY – Nordic Champion 50 towns and cities with capacity to deliver 11 regional offices with specialist competencies 10.000 employees Women Age Universum 26% 39yrs #4

EVRY GROUP - Geographic distribution Nordics Rest of the World (Global Delivery)

Performance Reliability Security NFT Department Front-end Load Endurance Stress Spike Reliability Failover Interruption Recoverability Load balancing Security Application layer Network layer Wireless PCI DSS

What Is Penetration Testing? Chapter II

Base Definitions Threat Vulnerability Exploit

Vulnerability Scanning vs Penetration Testing Corvin Castle in Transylvania Source: https://en.wikipedia.org/wiki/File:Hunyad_Castle_TB1.jpg

Types of Penetration Tests Technical Social Engineering Physical

Pre-Engagement Engagement Post-Engagement High-Level Overview Scoping Information Gathering Vulnerability Analysis Attack Modeling Exploitation Evidence Retention Cleaning up Reporting Remediation Mitigation Retesting Scoping Rules of Engagement Success Criteria Sign Off Pre-Engagement Engagement Post-Engagement

Timeline of a Penetration Test Finish Start Post-exploitation Service and operating system identification Internal External Information gathering Pivoting Exploitation Vulnerability scanning

Workflow of a Penetration Test Information Gathering Vulnerability Analysis Attack Modelling Attack Execution Reporting Retesting

Why conduct a penetration test? Prevent data breach Test security controls Ensure system security Get a base line Compliance

Pentest in Financial Institutions CHAPTER III

PCI DSS

PCI DSS: What? When? Requirement 11.3.1 “Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).” Requirement 11.3.1 “Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).” Requirement 11.3.2

Penetration testing Guidance: How? Penetration Testing Components Understanding of the different components that make up a penetration test and how this differs from a vulnerability scan including scope, application and network layer testing, segmentation checks, and social engineering Qualifications of a Penetration Tester Determining the qualifications of a penetration tester, whether internal or external, through their past experience and certifications. Penetration Testing Methodologies Detailed information related to the three primary parts of a penetration test: pre-engagement, engagement, and post-engagement. Penetration Testing Reporting Guidelines Guidance for developing a comprehensive penetration test report that includes the necessary information to document the test as well as a checklist that can be used by the organization or the assessor to verify whether the necessary content is included.

PCI DSS Penetration Testing External AL NL Internal Segmentation Checks

Cardholder Data Environment (CDE) Source: https://www.securitymetrics.com/static/resources/orange/new-penetration-testing-requirements-explained.pdf

Scope for PCI DSS Pentest External Internal Segmentation Source: https://www.securitymetrics.com/static/resources/orange/new-penetration-testing-requirements-explained.pdf

Security Incidents CHAPTER IV

2016 Data Breach Investigations Report Source: http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf

Delta of Number of Vulnerabilities Opened Each Week and Number Closed Source: http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf

Time to Compromise and Exfiltration Source: http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf

Discovery Timeline Within Insider and Privilege Misuse Over Time Source: http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf

Frequency of Incident Classification Patterns Over Time Across Confirmed Data Breaches Source: http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf

Frequency of Incident Classification Patterns Over Time Across Security Incidents Source: http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf

Top 10 Threat Action Varieties Within Miscellaneous Errors, Excluding Public Source: http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf

Summary Threat Actions Within Everything Else Breaches Source: http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf

Presentation Title