Validating Your Information Security Program (ISP 3 of 3)

Presentation transcript:

Validating Your Information Security Program (ISP 3 of 3): Plan - Do - Check - Act

You’ve Planned Risk Reduction… You’ve Implemented Controls… Now what?

If You Don’t Validate (Check) Your Controls, How Can You Be Confident That They Are Working to Reduce Risk?

So we need to validate BUT HOW?

Proven ISP Validation Methods
Less-Technical: IT Audit
Moderately-Technical: Vulnerability Assessment / Automated Scanning
Highly Technical: Penetration Testing; Web & Mobile App Assessment

Method 1: IT Security Audit
Broad/General Audits:
- Information Security Program (Policies, Procedures & Standards)
- Regulatory/Compliance (PCI, HIPAA, FFIEC, FISMA/FedRAMP/NIST)
- Best Practice (CIS Top 20, ISO 27000, NIST)
Specific/Targeted Audits:
- Firewall & Network Switch/Router Configuration & Policy
- Authentication, Authorization & Accounting (AAA)
- Remote Access
- Passwords
- Active Directory & Operating Systems (Windows, Linux)
Control types covered: Technical, Administrative/Operational, Physical

Method 2: Automated Scanning
Vulnerability Assessment: Validates patch management and identifies well-known vulnerabilities, EOL software, default configurations, and default passwords. Tools: Tenable Nessus, Rapid7 NeXpose, Qualys.
Configuration Assessment: Compares operating system configurations against industry best practices. Tools: Tenable Nessus, RedSeal, Titania Nipper.
Application Assessment and Code Review: Checks web applications for common and well-known flaws (OWASP Top 10). Tools: HP WebInspect, Burp Suite Pro, IBM AppScan.

Method 3: Penetration Testing
Network – External: Conducted from the Internet; simulates a skilled and determined intruder intent on compromising your systems and data.
Network – Internal: Starts from a network connection on your internal network.
Social Engineering: The most common and most successful attack path for intruders. The focus is not on tricking people, but on the flaws and vulnerabilities an attacker takes advantage of post-compromise. Delivered by email (phishing), telephone (pretext calls), or onsite (physical).
Web & Mobile Applications (including APIs): Automated tools are great, but only in the hands of an experienced penetration tester. The attack surface of most applications is 100x greater than that of most other network services.

Modern & Advanced Methods
Adversary Simulation:
- Based on a pre-defined or customized playbook
- Command and control, persistence, discovery and credential access
- Privilege escalation and lateral movement
- Collection and exfiltration
- Defense evasion
- Typically performed onsite in cooperation with our client's team
- Methodical, repeating process: Attack > Validate Control > Improve Control > Validate Control > Next Attack
- Tactics, techniques and procedures based on MITRE ATT&CK for Enterprise
Continuous Penetration Testing:
- Most methods of validation are "point in time" and are conducted on 1-2 year cycles
- Continuous penetration testing shrinks the gap and provides regular validation throughout the entire year
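The Attack > Validate Control > Improve Control > Validate Control loop from the adversary-simulation slide, as an added Python example that is not from the slides or from SynerComm: each playbook step is paired with the telemetry line it would leave behind, detection rules are regexes over that telemetry, and a gap found on the first validation pass is closed by adding a rule and re-validating. The telemetry lines, rule names and host names are constructed; the ATT&CK technique IDs are the real ones for the tactics the slide names.

```python
import re

# Constructed playbook: (ATT&CK tactic, technique ID, telemetry line the step produces).
# Telemetry is hypothetical defender-side log text, not real tool output.
PLAYBOOK = [
    ("Discovery", "T1087", "ws01 4688 New Process: net.exe user /domain"),
    ("Credential Access", "T1003", "ws01 Sysmon 10 ProcessAccess target=lsass.exe source=unknown.exe"),
    ("Persistence", "T1053", "ws01 4698 Scheduled task created: \\Updater"),
    ("Lateral Movement", "T1021", "srv01 4624 Logon Type 3 from ws01"),
    ("Exfiltration", "T1041", "proxy ALLOW ws01 -> 203.0.113.5:443 bytes_out=52428800"),
]

# Constructed detection rules: name -> regex over telemetry. Scheduled-task
# persistence is deliberately uncovered so the loop has a gap to close.
RULES = {
    "domain_account_enum": r"net\.exe\s+(user|group)\s+/domain",
    "lsass_access": r"ProcessAccess target=lsass\.exe",
    "network_logon_from_workstation": r"4624 Logon Type 3 from ws\d+",
    "large_egress": r"bytes_out=\d{8,}",   # >= 10,000,000 bytes in one session
}


def detected(telemetry, rules):
    """Return the names of all rules that fire on one telemetry line."""
    return [name for name, pattern in rules.items() if re.search(pattern, telemetry)]


def validate(playbook, rules):
    """Attack > Validate Control: map each technique ID to the rules that caught it."""
    return {tid: detected(line, rules) for _, tid, line in playbook}


def gaps(playbook, rules):
    """Techniques no rule fired on; these are the input to the Improve Control step."""
    return [tid for tid, hits in validate(playbook, rules).items() if not hits]


def improve_and_revalidate(playbook, rules, new_rules):
    """Improve Control > Validate Control: merge in new rules, return remaining gaps."""
    merged = {**rules, **new_rules}
    return gaps(playbook, merged), merged


if __name__ == "__main__":
    print("gaps after first pass:", gaps(PLAYBOOK, RULES))
    remaining, _ = improve_and_revalidate(
        PLAYBOOK, RULES, {"scheduled_task_created": r"4698 Scheduled task created"})
    print("gaps after improving controls:", remaining)
```

In a real engagement the telemetry would be pulled from the SIEM after each playbook step rather than embedded, but the bookkeeping is the same: every step either has a named control that fired or is a documented gap.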

Why independence matters

Experience Matters
It's more than a 2nd set of eyes, but it is that too!
SynerComm's consultants work with dozens of clients annually and come from diverse backgrounds.
Proven and repeatable processes.
One person can't know it all, but a team of experts helps.

Thank You for Attending! Questions?