Module 3 (Ground Rules and Rules of Engagement)

Slides:



Advertisements
Similar presentations
Ethics Ethics are the rules of personal behavior and conduct established by a social group for those existing within the established framework of the social.
Advertisements

Hacking Techniques & Intrusion Detection Ali Al-Shemery arabnix [at] gmail.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
Introduction Social Implications & EthicsSocial Implications & Ethics Since the introduction of the Internet, many policies have been introduced as a way.
Module #2: What Sensitive Data is and how to handle it Module 2 is approximately 3min and 30 sec.
Prepared By, Mahadir Ahmad. StopBadware makes the Web safer through the prevention, mitigation, and remediation of badware websites. partners include.
HIPAA PRIVACY AND SECURITY AWARENESS.
The Significance and Evolution of End User Privacy Julie Earp College of Management North Carolina State University WISE 2010 Sponsored by TRUST June 21-24,
Georgia Department of Human Services Division of Aging Services (DAS): Data Breach Presenter:Harold Johnson Acting General Counsel Presentation to: Board.
Data Security: Steps to Improved Information Security September 22, 2015 Presented by: Alex Henderson General Counsel and Chief Administrative Officer.
HIPAA THE PRIVACY RULE. 2 HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti- depressant medications.
Supervision SICOR Securities, Inc.. Why? NASD 3110 requires the firm to “…establish and maintain a system to supervise the activities of each registered.
Prevent Data Breaches and PII from Walking Out the Door Jim Farrell, Senior Vice President Products Archive Systems 9/18/2015.
Academic Year 2014 Spring Academic Year 2014 Spring.
Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Corporate Governance and Information Security (InfoSec)
Computer Security By Duncan Hall.
Data protection—training materials [Name and details of speaker]
KS4 Lesson 2 :The media and sexualisation. Aim To explore the influence of the media, pornography and sexualisation of the high street on young people.
Hacking Techniques & Intrusion Detection
© 2012 by Robert W. Lucas Chapter 3: Verbal Communication Skills.
APTLD MEETING Manila 23 – 24 February ccTLD Role in Its Community RFC 1591 Introduction  Foresaw a few TLDs (edu, com, net, org, gov, etc.) and.
Taking on Tomorrow's Challenges Today Taking on Tomorrow's Challenges Today Almost every organisation has been attacked …. But most don’t know about it!
Defining your requirements for a successful security (and compliance
Law Firm Data Security: What In-house Counsel Need to Know
HIPAA Privacy and Security
Securing Information Systems
BUILD SECURE PRODUCTS AND SERVICES
PCard Sensitive and Protected Information Procedures
DATA SECURITY FOR MEDICAL RESEARCH
When a collector calls:
Internet Business Associate v2.0
Cybersecurity - What’s Next? June 2017
Advertising - Promotion and Special Events
Information Security.
Data Protection Act and Other Laws
Ethics CSE 591 – Security and Vulnerability Analysis Spring 2017
Overview 1. Phishing Scams
Requests to Restrict Use or Disclosure
BCOM 7 7 Delivering Bad-News Messages LEHMAN/ DUFRENE
Applying Communication Skills
Cyber Attacks on Businesses 43% of cyber attacks target small business Only 14% of small business rate their ability to mitigate cyber risk highly.
Year 10 ICT ECDL/ICDL IT Security.
12: :00     Welcome   13: :55     Terumo and Flexso will share insights on the successful implementation of SuccessFactors Compensation module.
How to Protect your Identity Online PIYUSH HARSH
Internet Protocol Mr. Paulk.
COMPUTER PRIVACY.
Unit 1.6 Systems security Lesson 3
Creating a new Central Data Exchange (CDX) Account (to access NetDMR)
An Individual’s Right to Access and Obtain Their Health Information Under HIPAA.
Threat Landscape for Data Security
Big Data Considerations
All data occupies physical space, even if we don't think of it as such.
The new data protection rules
Unit 1.6 Systems security Lesson 2
Security Essentials for Small Businesses
Firewalls and Security
Ethics CSE 545 – Software Security Spring 2018 Adam Doupé
PRE PARE for High Returns on Industrial Surveys
Information Security Training
Incident response and intrusion detection
18734: Foundations of Privacy
What is Phishing? Pronounced “Fishing”
Spear Phishing Awareness
Dark Web Domain Status Report
COMPLETE BUSINESS TEXTING SOLUTION
Handling information 14 Standard.
A Model For Network Security
Comodo Dome Data Protection
Cybersecurity Simplified: Phishing
Anatomy of a Common Cyber Attack
Presentation transcript:

Module 3 (Ground Rules and Rules of Engagement) At the end of this module, you should have a good idea of how to lay out the ground rules for a penetration test and what issues must be addressed by your rules of engagement. Module 3

Verifying IP Address Ranges It is absolutely critical that when carrying out a penetration test, you test the correct machines. Companies may try to give you a single domain name and ask you to hack in just like the bad guys do. (Kevin Johnson: “Does that mean I get to sell all the information I find, just like the bad guys do?”) Third Parties abound. You need their permission as well: Cloud services ISP Web Hosting Managed Security Services Providers (MSSPs) Know what countries these machines are in and know their laws. Module 3

Social Engineering Pretexts Companies may be sensitive about what ways of fooling their employees are appropriate. Explain current popular phishing exploits. Some pretexts may use sensitive content (e.g. sexual performance enhancement, pornographic services, etc.) that companies do not want to impose on their employees. Make sure that any pretexts to be used in phishing are approved. In particular, get specific approval of every phishing message to be sent. Module 3

Communication and Contact Information Identify how and how often information will be conveyed concerning the state of the penetration test. Provide contact information about everyone involved in the penetration test including emergency contact information. Name Title Emergency contact information (24/7) Secure bulk data transfer method (sftp or encrypted email) Agree to an incident reporting process Share encryption keys. (Not an option.) Module 3

Rules of Engagement Timeline for the test. Locations (if on-site) Method of disclosure of sensitive information. Data may be protected by HIPAA. Avoid copying personal health information (PHI) and other personally identifiable information (PII). Evidence handling (use encryption) Regular status meetings Time of day to test Dealing with shunning Permission to test (including scope and possible negative outcomes of testing such as system instability, crashes, etc.) Legal considerations (wiretapping laws, etc.) Module 3

Testing the Customers Detection Capabilities Ability to detect and respond to information gathering Ability to detect and respond to foot printing Ability to detect and respond to scanning and vulnerability analysis Ability to detect and respond to infiltration (attacks) Ability to detect and respond to data aggregation Ability to detect and respond to data ex-filtration Module 3

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.