What Can Go Wrong During a Pen-test? Effectively Engaging and Managing a Pen-test.

Managing Risk
• Some facts we can all agree on:
  – All businesses can expect some “loss”, also known as “the cost of doing business”
  – Some businesses are not tolerant of loss in certain areas
• Wise businesses choose which losses are acceptable!

My Life as a Fortune Teller!
• Reality:
  – This system has a vulnerability
  – There are tools available on the Internet to exploit this vulnerability
  – Conclusion: you are not safe
• Perception:
  – This system may be vulnerable, based on the software version number being displayed
  – No known exploits
  – Conclusion: I’m safe

What is being tested?
• Are you trying to prove a negative?
  – “I tried to compromise your systems and was able to do so.” Conclusion drawn: your systems are not secure.
  – “I tried to compromise your systems and was unable to do so.” Conclusion drawn: your systems are secure.
• Only the first conclusion follows from the evidence; the second shows only that this tester, with these tools and this much time, did not get in.

Risks in Penetration Testing
• Your systems could crash
• You could lose business data
• You could miss a real penetration
• Someone could follow your incident response procedures (and call law enforcement)
• You could remain unaware of real vulnerabilities in your environment

Questions to ask a Pen-test team
• Do they hire former hackers?
• How do they store engagement data?
• How do they dispose of engagement data?
• Do they perform background checks?
• How do they collect exploits?
• How do they train their staff?
• Do they test exploits in a lab?

Steps to Managing a Pen Test
• Clearly define objectives
• Schedule frequent status updates
• Supervise closely
• Request raw data
• Inform internal security monitoring group*
• Review results with team (before end of test)
* This will leak information in a zero-knowledge effort, but it is worth it!
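Two of the points above, the risk that “you could miss a real penetration” while testers are active and the step “inform internal security monitoring group”, come together in deconfliction: the monitoring team needs to tell agreed test traffic from everything else without simply muting alerts for the duration. The following is an added example, not code from the presentation or its authors; the rules-of-engagement fields, the alert line format and the sample alerts are all constructed for illustration. It labels each alert as expected test activity, tester activity outside the agreed window or scope (which goes back to the engagement manager), or traffic from an undeclared source that must be investigated as real.

```python
"""Deconflicting pen-test traffic from real attacks using the rules of engagement.

Added example, not code from the original presentation. The RoE fields, the
alert line format and the sample alerts below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class RulesOfEngagement:
    tester_sources: tuple      # addresses/CIDRs the testers committed to use
    in_scope_targets: tuple    # CIDRs the client authorised for testing
    start: datetime            # agreed test window, UTC
    end: datetime

    def from_tester(self, src: str) -> bool:
        return any(ip_address(src) in ip_network(n) for n in self.tester_sources)

    def target_in_scope(self, dst: str) -> bool:
        return any(ip_address(dst) in ip_network(n) for n in self.in_scope_targets)

    def in_window(self, ts: datetime) -> bool:
        return self.start <= ts <= self.end


# Constructed alert format: "<iso-utc> ALERT src=<ip> dst=<ip> sig=<name>"
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) ALERT src=(?P<src>\S+) dst=(?P<dst>\S+) sig=(?P<sig>\S+)$"
)


def parse_alert(line: str) -> dict:
    """Parse one alert line into a dict; the timestamp becomes an aware UTC datetime."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable alert: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def classify(ev: dict, roe: RulesOfEngagement) -> str:
    """Label an alert for the monitoring team.

    Traffic that is not from a declared tester address is never suppressed: it is
    treated as a possible real attack. Tester traffic is only 'expected' when it
    falls inside both the time window and the authorised target scope; anything
    else from a tester address is escalated to the engagement manager.
    """
    if not roe.from_tester(ev["src"]):
        return "investigate"
    if not roe.in_window(ev["ts"]):
        return "tester-outside-window"
    if not roe.target_in_scope(ev["dst"]):
        return "tester-out-of-scope"
    return "expected-pentest"


def triage(lines, roe: RulesOfEngagement) -> dict:
    """Group alert lines by label; each value is a list of (src, dst, sig) tuples."""
    buckets = {}
    for line in lines:
        ev = parse_alert(line)
        buckets.setdefault(classify(ev, roe), []).append((ev["src"], ev["dst"], ev["sig"]))
    return buckets


# Constructed engagement: testers come from 203.0.113.0/29, may test 10.10.0.0/16,
# on 2024-03-12 between 09:00 and 17:00 UTC.
ROE = RulesOfEngagement(
    tester_sources=("203.0.113.0/29",),
    in_scope_targets=("10.10.0.0/16",),
    start=datetime(2024, 3, 12, 9, 0, tzinfo=timezone.utc),
    end=datetime(2024, 3, 12, 17, 0, tzinfo=timezone.utc),
)

# Constructed alerts: three from tester addresses, one from an undeclared source.
SAMPLE_ALERTS = [
    "2024-03-12T10:15:00Z ALERT src=203.0.113.5 dst=10.10.4.20 sig=nmap-syn-scan",
    "2024-03-12T10:16:30Z ALERT src=203.0.113.5 dst=10.20.0.9 sig=smb-bruteforce",
    "2024-03-12T21:02:11Z ALERT src=203.0.113.6 dst=10.10.4.20 sig=web-sqli-attempt",
    "2024-03-12T10:17:05Z ALERT src=198.51.100.77 dst=10.10.4.20 sig=smb-bruteforce",
]

if __name__ == "__main__":
    for label, events in sorted(triage(SAMPLE_ALERTS, ROE).items()):
        print(label)
        for src, dst, sig in events:
            print(f"  {src} -> {dst}  {sig}")
```

The ordering of the checks is the point: the undeclared-source test comes first so that a real attacker is never hidden behind the engagement, and the fourth sample alert (same signature, same target, different source) is still routed to investigation. In a zero-knowledge effort the rules of engagement are held by the engagement manager rather than the monitoring team, and this deconfliction is done there.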

What We Do: Build, Secure and Manage Your Network Infrastructure
Practice areas: Network and Systems Management; Security; Next Generation Networking; Business Consulting; Project Management
• Network Infrastructure
• Wireless
• Convergence
• .NET
• Storage and Content Networking
• Risk Assessment
• Defense Planning
• Architecture and Infrastructure
• IT Operations Services
• IT Optimization Services
• Business Services Management

Unmatched Depth and Breadth of Resources
• Collaboration Network
• Methodology
• Solutions Library
• Training & Mentoring
• Technical Resource Library
• Business Value Justification

Security Solutions: Risk Assessment
• Penetration Testing: directly tests network security, using the latest tools and techniques to emulate Internet-, intranet- or extranet-based attacks
• Risk Analysis: identifies and determines the value of the various information assets and the likelihood of loss based on their exposure to threats
• Security Assessment: compares measured security against accepted industry practices and established rules, guidelines or industry regulations

Security Solutions: Defense Planning
• Policies & Procedures: develop a complete, custom corporate security policy that aligns with your IT and business goals
• Security Operations: design an operational model for realizing security policy and technology across the organization
• Incident Management: design an effective incident preparedness process and management framework
• Awareness Training: train your employees on sound security practices and policies, and ensure your defined security policy is thoroughly communicated

Security Solutions: Security Architecture & Infrastructure
• Authentication & Access: determine access requirements to design and implement a unified authentication and authorization design
• Security Architecture: assess existing infrastructure to identify and mitigate gaps or weaknesses in the security architecture
• Technical Infrastructure: integrate security technologies such as VPNs, PKI, IDS, firewalls, virus protection, content filtering and AAA solutions