Comp 8130 Presentation Security Testing Group Members: U4266680 Hui Chen U4242754 Ming Chen U4266538 Xiaobin Wang.

Slides:

Advertisements

Similar presentations

ETHICAL HACKING A LICENCE TO HACK

Advertisements

Assessments, Audits, and Penetration Tests, Oh My Ira Winkler, CISSP

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,

Chapter 1.  Security Problem  Virus and Worms  Intruders  Types of Attack  Avenues of Attack 2 Prepared by Mohammed Saher Hasan.

CSCE 522 Building Secure Software. CSCE Farkas2 Reading This lecture – McGraw: Ch. 3 – G. McGraw, Software Security,

System Security Scanning and Discovery Chapter 14.

Penetration Testing Anand Sudula, CISA,CISSP SSA Global Technologies, India Anand Sudula, CISA,CISSP SSA Global Technologies, India.

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

Hands-On Ethical Hacking and Network Defense

CSCI 530L Vulnerability Assessment. Process of identifying vulnerabilities that exist in a computer system Has many similarities to risk assessment Four.

Lesson 14-Desktop Protection. Overview Protect against malicious code. Use the Internet. Protect against physical tampering.

Network Security Testing Techniques Presented By:- Sachin Vador.

Handling Security Incidents

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.

January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS © Abdou Illia.

By: Ashwin Vignesh Madhu

Vulnerability Assessment & Penetration Testing By: Michael Lassiter Jr.

SELECTING AND IMPLEMENTING VULNERABILITY SCANNER FOR FUN AND PROFIT by Tim Jett and Mike Townes.

Introduction to Systems Analysis and Design

Vulnerability Assessment Course Terms, Methodology, Preparation, Obstacles, and Pitfalls.

Penetration Testing Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802

Security+ Guide to Network Security Fundamentals, Fourth Edition

Penetration Testing Edmund Whitehead Rayce West. Introduction - Definition of Penetration Testing - Who needs Penetration Testing? - Penetration Testing.

Sam Cook April 18, Overview What is penetration testing? Performing a penetration test Styles of penetration testing Tools of the trade.

 Jonathan Trull, Deputy State Auditor, Colorado Office of the State Auditor  Travis Schack, Colorado’s Information Security Officer  Chris Ingram,

Network Vulnerability Assessment Methodology Lesson 6.

CSCE 548 Secure Software Development Risk-Based Security Testing.

Information Systems Security Computer System Life Cycle Security.

CS 325: Software Engineering April 14, 2015 Software Security Security Requirements Software Security in the Life Cycle.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 4 Finding Network Vulnerabilities By Whitman, Mattord, & Austin© 2008 Course Technology.

Security Awareness: Applying Practical Security in Your World Chapter 1: Introduction to Security.

Slide 1 Using Models Introduced in ISA-d Standard: Security of Industrial Automation and Control Systems (IACS) Rahul Bhojani ISA SP99 WG4 Meeting.

Thomas Levy. Agenda 1.Aims: Reducing Cyber Risk 2.Information Risk Management 3.Secure Configuration 4.Network Security 5.Managing User Access 6.Education.

IIA_Tampa_ Beth Breier, City of Tallahassee1 IT Auditing in the Small Audit Shop Beth Breier, CPA, CISA City of Tallahassee

© 2001 by Carnegie Mellon University SS5 -1 OCTAVE SM Process 5 Background on Vulnerability Evaluations Software Engineering Institute Carnegie Mellon.

ISE Confidential - not for distribution THE EVOLVING THREAT LANDSCAPE: ADVANCING ENTERPRISE SECURITY 11 December 2013.

Chapter 1 Ethical Hacking Overview. Objectives After reading this chapter and completing the exercises, you will be able to: Describe the role of an ethical.

Lesson 7-Managing Risk. Overview Defining risk. Identifying the risk to an organization. Measuring risk.

1 Chapter Nine Conducting the IT Audit Lecture Outline Audit Standards IT Audit Life Cycle Four Main Types of IT Audits Using COBIT to Perform an Audit.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.

.  Define risk and risk management  Describe the components of risk management  List and describe vulnerability scanning tools  Define penetration.

What Can Go Wrong During a Pen-test? Effectively Engaging and Managing a Pen-test.

Introduction: Information security services. We adhere to the strictest and most respected standards in the industry, including: -The National Institute.

Module 5 – Vulnerability Identification  Phase II  Controls Assessment  Scheduling ○ Information Gathering ○ Network Mapping ○ Vulnerability Identification.

South Wales Cyber Security Cluster A networking group with a purpose Membership Open to anyone with an interest in Cyber Security.

Module 12: Responding to Security Incidents. Overview Introduction to Auditing and Incident Response Designing an Audit Policy Designing an Incident Response.

Ethical Hacking License to hack. OVERVIEW Ethical Hacking ? Why do ethical hackers hack? Ethical Hacking - Process Reporting Keeping It Legal.

Computer Security Fundamentals by Chuck Easttom Chapter 11 Network Scanning and Vulnerability Scanning.

Risk Identification and Risk Assessment

Web Security Introduction to Ethical Hacking, Ethics, and Legality.

Safe’n’Sec IT security solutions for enterprises of any size.

Albany Bank Corporation Security Incident Management Program.

Your Cyber Security: The scope of your risk is broad and growing To understand the nature of the risk landscape look at the presentations here today-begin.

Dr. Mark Gaynor, Dr. Feliciano Yu, Bryan Duepner.

Exploitation Development and Implementation PRESENTER: BRADLEY GREEN.

Chapter 8 – Administering Security  Security Planning  Risk Analysis  Security Policies  Physical Security.

Tuesday March 15, 2016 Session 19-D Technology Forum David Finkelstein, CIO RiverSpring Health.

Department of Computer Science Introduction to Information Security Chapter 7 Activity Security Assessment Semester 1.

CSCE 548 Secure Software Development Penetration Testing.

Dr. Gerry Firmansyah CID Business Continuity and Disaster Recovery Planning for IT (W-XIV)

Defining your requirements for a successful security (and compliance

Seminar On Ethical Hacking Submitted To: Submitted By:

CSCE 548 Secure Software Development Risk-Based Security Testing

Security Standard: “reasonable security”

Secure Software Confidentiality Integrity Data Security Authentication

CSCE 548 Secure Software Development Test 1 Review

Unauthorized Access Risk Mitigation Techniques

DATA COLLECTION, MANAGEMENT AND ANALYSIS

Ethical Hacking ‘Ethical hacking’ is the branch of computer science that involves cybersecurity and preventing cyberattacks. Ethical hackers are not malicious.

Chapter # 3 COMPUTER AND INTERNET CRIME

Presentation transcript:

Comp 8130 Presentation Security Testing Group Members: U Hui Chen U Ming Chen U Xiaobin Wang

System security is critical  Affect performance of the system. (availability, reliability)  Disclose confidential information  Financial loss.  Blemish your business reputation. Security loop-hole is bad, it can: So, we had better to detect potential security problem beforehand.

Security Testing  (The) Process to determine that an IS (Information System) protects data and maintains functionality as intended. Common Methodologies: 1.Penetration Test 2.Vulnerability Test

Penetration Test A method of evaluating the security of a computer system or network by simulating an attack by a malicious user, known as a hacker. Vulnerability Test Is the systematic examination of systems in order to determine the adequacy of security measures, identify security deficiencies and provide data from which to predict the effectiveness of proposed security measures.

Penetration Test I  It is active  It is from attacker’s angle  It aims to 1. Categorize potential security problem 2. Determine feasibility of an attack 3.Determine impact of a potential attack

 Port Scanning and Service probing Port Scanning is a technology to discover open ports which can further be used to discover services they can break into.  Example, Shock-wave virus which attack 80% computer in the world get access to system using ports 135,444, 69 and then use the bug of windows RPC service to influence system. Penetration Test II Black & White & Gray box test

Penetration Test III  Overt and Covert  Two teams can be involved Blue team: Performing a penetration test with the knowledge and consent of organization’s IT staff. Red team: Performing a penetration test without the knowledge of organization’s IT staff but with all permission of the upper management.  This type of test is useful for not only network security, but also the IT staff’s response to perceived security incidents and their knowledge and implementation of organization’s security policy.

Vulnerability Test I  It is more from a defender’s angle when compared to penetration test  It can be applied in more general area (Ie.Nuclear power plant)  It intends to: Identify, quantify and prioritize the vulnerability in a system. Provide decision-makers with information as to where and when interventions should be made. Provide early warning of potential dangerous.  It can used as reference when we are doing project security assessment

Vulnerability Test II Procedure: Defining Scope In-house or Out-house test Perform the vulnerability test Full-Scale VS Targeted Testing Use in-house resource VS Hire outside consultants Reporting and Delivering Result More in next page

 More as to performing vulnerability testing Vulnerability Test III Gather information Use commercial tool to search for vulnerability Network architecture, topology Hardware and software ISS Internet Scanner Cybercop Scanner Vulnerability missed by available tool Extra test to find missed and new vulnerabilities

Legitimacy Consideration  How to handle sensitive data?  Test or real attack?(IE.extent)  How to clean up test artifacts?

Security test and Risk management  Both penetration test and vulnerability test drive risk management process  Reporting and documenting procedure are critical.

Summary Similarity:  Both penetration test and vulnerability test intend to identify the potential security problems in the system.  Both of them are important to risk management process Differences:  Attacker VS Defender  Specilization VS Generalization