Defining your requirements for a successful security (and compliance

Presentation on theme: "Defining your requirements for a successful security (and compliance"— Presentation transcript:

1 Defining Security: Vulnerability Testing, Penetration Testing, and Network Assessments
Defining your requirements for a successful security (and compliance!) program Mike D’Arezzo, CISSP, CISA Director of Security Services

2 Agenda
- What is a Vulnerability Test?
- What is a Penetration Test?
- What is a Network Assessment?
- What happens during each of the above?
- Best Practices

3 What is Vulnerability Testing?
Also known as “vulnerability scanning”, a vulnerability test identifies vulnerabilities or potential issues in your organization’s environment, specifically operating systems, software applications, and hardware configurations. Vulnerability testing comes in multiple forms:
- Network Vulnerability Scanning – internal or external
- Web Application Vulnerability Scanning – testing for vulnerabilities in your public and internal websites

4 What happens during a Vulnerability Test?
- Assets detected or manually configured
- Scanning of available ports (e.g. http/https)
- Scanning of the operating system and available applications
- Scanning of the version(s) detected
- Output recorded to determine the existence of vulnerabilities
You should validate discovered vulnerabilities!
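The last two steps, recording what the scanner detected and then validating it, are where scan output tends to be misread. The following is an added example (not code from the slides) that triages a constructed, simplified scan result against a constructed version table: every match is recorded as an unvalidated finding, and services whose version the scanner could not read are reported separately instead of silently passing. The asset addresses, service versions, the VULNERABLE_BELOW table and its advisory names are all placeholders.

```python
"""Triage of vulnerability-scan output against a version table.

Added example, not code from the original slides. SCAN_RESULTS is a
constructed, simplified scan result in the shape scanners report
(per asset: open port, detected service, detected version). The
VULNERABLE_BELOW table and its advisory names are placeholders, not
real advisory data.
"""
from dataclasses import dataclass

# Constructed scan output: asset -> [(port, service, detected version)].
SCAN_RESULTS = {
    "10.0.0.5": [(22, "ssh", "7.4"), (80, "http", "2.4.29"), (443, "https", "2.4.29")],
    "10.0.0.9": [(80, "http", "2.4.41"), (3306, "mysql", "5.7.20")],
    "10.0.0.12": [(22, "ssh", "8.2"), (8080, "http", "")],  # version not detected
}

# Constructed table: service -> (fixed-in version, placeholder advisory id).
# Versions strictly below the threshold become candidate findings.
VULNERABLE_BELOW = {
    "ssh": ("7.8", "EXAMPLE-ADVISORY-SSH-1"),
    "http": ("2.4.30", "EXAMPLE-ADVISORY-HTTP-1"),
    "mysql": ("5.7.25", "EXAMPLE-ADVISORY-MYSQL-1"),
}

# Scanners label TLS-wrapped services separately; fold them onto the base service.
SERVICE_ALIASES = {"https": "http"}


def version_tuple(version):
    """'2.4.29' -> (2, 4, 29); only the leading digits of each piece count,
    so a vendor suffix such as '8.2p1' compares as (8, 2)."""
    parts = []
    for piece in version.split("."):
        num = ""
        for ch in piece:
            if not ch.isdigit():
                break
            num += ch
        if num:
            parts.append(int(num))
    return tuple(parts)


@dataclass
class Finding:
    asset: str
    port: int
    service: str
    version: str
    advisory: str
    validated: bool = False  # a scanner match is a lead until someone confirms it


def triage(scan_results=SCAN_RESULTS, table=VULNERABLE_BELOW):
    """Return (candidate findings, services whose version could not be read).

    The second list is what a scanner quietly skips: no version means
    no match, not 'not vulnerable', so it goes to manual validation too.
    """
    findings, unknown_version = [], []
    for asset, ports in scan_results.items():
        for port, service, version in ports:
            service = SERVICE_ALIASES.get(service, service)
            rule = table.get(service)
            if rule is None:
                continue  # nothing in the table for this service
            if not version:
                unknown_version.append((asset, port, service))
                continue
            threshold, advisory = rule
            if version_tuple(version) < version_tuple(threshold):
                findings.append(Finding(asset, port, service, version, advisory))
    return findings, unknown_version


def validation_queue(findings):
    """Assets still needing a manual check, with their candidate advisories."""
    queue = {}
    for f in findings:
        if not f.validated:
            queue.setdefault(f.asset, []).append(f.advisory)
    return queue


if __name__ == "__main__":
    found, unknown = triage()
    for f in found:
        print(f"{f.asset}:{f.port} {f.service} {f.version} -> {f.advisory} (unvalidated)")
    for asset, port, service in unknown:
        print(f"{asset}:{port} {service}: version not detected, check manually")
```

Version-only matching is exactly why the slide says to validate: a backported fix leaves the reported version below the threshold, and a missing banner leaves a genuinely old service unmatched, so both lists feed the validation step rather than the final report.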

5 Vulnerability Scanning Tools
Commercial Products (sample)
- Rapid7 Nexpose
- Tenable Nessus
- Qualys QualysGuard
Open Source Products (sample)
- OpenVAS – installed in Kali Linux v2
- Burp Suite – web application; a Pro version exists
- Arachni – web application

6 What is Penetration Testing?
Also known as a “pen test”, a penetration test identifies vulnerabilities or potential issues in your organization’s environment. Penetration testing comes in multiple forms:
- Network Penetration – internal or external
- Web Application – testing for vulnerabilities in your public website
- Embedded Device – discovery of vulnerabilities in devices you produce or want to use in your environment
- Software Application – “black box” or “gray box” testing

7 What happens during a Pen Test?
Different sources have different opinions, but most agree on the following phases:
- Agreement on the scope of the test
- Intelligence gathering, including network maps and in-scope human targets if applicable
- “Footprinting”, the identification of assets/targets in scope
- Vulnerability detection on in-scope targets
- Exploitation of vulnerabilities
- Reporting on vulnerabilities
- Closeout, the removal of tools and environment changes/files
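The first and last phases above, scope agreement and closeout, are the ones a client can enforce mechanically. The following is an added example (not code from the slides) of the two bookkeeping checks an engagement lead would keep: a scope filter that classifies hosts found during footprinting as in-scope, explicitly excluded, or out-of-scope, so only authorised hosts proceed to vulnerability detection, and a closeout log that tracks every file or tool placed on a system until it has been removed. The address ranges and host list are constructed.

```python
"""Rules-of-engagement scope filter and closeout log for a penetration test.

Added example, not code from the original slides. The in-scope ranges,
exclusions and the hosts "discovered" during footprinting are all
constructed for illustration (documentation address ranges).
"""
import ipaddress

# Constructed scope agreement: what the client authorised.
IN_SCOPE = ["192.0.2.0/24", "198.51.100.10/32"]
# Hosts inside an in-scope range that must still not be touched
# (for example a production system the client carved out).
EXCLUDED = ["192.0.2.250"]
# Constructed footprinting output: hosts identified from DNS and routing data.
DISCOVERED = ["192.0.2.15", "192.0.2.250", "198.51.100.10", "203.0.113.7"]


def _networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def classify(hosts, in_scope=IN_SCOPE, excluded=EXCLUDED):
    """Return {host: 'in-scope' | 'excluded' | 'out-of-scope'}.

    Exclusions win over in-scope ranges, so a carve-out inside an
    authorised /24 is honoured.
    """
    allowed, denied = _networks(in_scope), _networks(excluded)
    result = {}
    for host in hosts:
        ip = ipaddress.ip_address(host)
        if any(ip in net for net in denied):
            result[host] = "excluded"
        elif any(ip in net for net in allowed):
            result[host] = "in-scope"
        else:
            result[host] = "out-of-scope"
    return result


def targets(hosts, **kwargs):
    """Only explicitly authorised hosts proceed to vulnerability detection."""
    return sorted(h for h, c in classify(hosts, **kwargs).items() if c == "in-scope")


class CloseoutLog:
    """Every artefact placed during the test is recorded when it is created
    and ticked off when removed; anything left is a blocker for sign-off."""

    def __init__(self):
        self._items = {}  # (host, path) -> removed?

    def placed(self, host, path):
        self._items[(host, path)] = False

    def removed(self, host, path):
        if (host, path) not in self._items:
            raise KeyError(f"{host}:{path} was never recorded as placed")
        self._items[(host, path)] = True

    def outstanding(self):
        return sorted(k for k, done in self._items.items() if not done)


if __name__ == "__main__":
    for host, status in classify(DISCOVERED).items():
        print(f"{host:16} {status}")
    print("proceed with:", targets(DISCOVERED))
    log = CloseoutLog()
    log.placed("192.0.2.15", "/tmp/example-tool")   # constructed artefact path
    log.placed("192.0.2.15", "/tmp/example-notes.txt")
    log.removed("192.0.2.15", "/tmp/example-tool")
    print("still to clean up:", log.outstanding())
```

Using `strict=False` lets a scope entry written as a host address with a mask still parse; the classification itself is deliberately conservative, with excluded checked before in-scope so a mistaken overlap in the agreement errs toward not testing a host.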

8 Network Penetration Test
Black Penetration Testing
- Not to be confused with “Black Hat Hacking”
- No prior knowledge
- Identifies any gap encountered
- Typically covers only 1-3 gaps but goes to full depth of attack
- Tests response from any defenses in place
- Tests Incident Response Plan
Goal: Identify if an attack could be successful from the outside
Pros: Simulates an actual threat from an external user
Cons: Does not cover all potential vulnerabilities and is potentially disruptive

9 Network Penetration Test
Gray Penetration Testing
- User-level knowledge of the network
- Involves vulnerability scanning externally and internally
- Requires a phishing campaign to understand the potential impact of user credentials
- Tests response from any defenses in place
- Tests Incident Response Plan
Goal: Identify if an attack could be successful from the outside
Pros: Simulates an actual threat from inside or from a phishing campaign
Cons: Does not go into depth of attack (but also not as disruptive as Black)

10 Network Penetration Test
White Penetration Testing
- Administrator-level knowledge of the network
- Involves vulnerability scanning externally and internally
- Identifies all (99%) of network weaknesses
Goal: Identify vulnerabilities in the network
Pros: Identifies vulnerabilities to prioritize and remediate
Cons: Does not simulate a threat

11 Website Penetration Test
Black Penetration Testing
- No prior knowledge of the site
- Identifies any gap encountered
- Typically covers only 1-3 gaps but goes to full depth of attack
- Tests response from any defenses in place
- Tests Incident Response Plan
Goal: Identify if an attack could be successful from the outside without credentials
Pros: Simulates an actual threat from an external user
Cons: Does not cover all potential vulnerabilities and is potentially disruptive

12 Website Penetration Test
Gray Penetration Testing
- User-level account / self-registered account
- Tests ability to elevate privileges
- Tests response from any defenses in place
- Tests Incident Response Plan
Goal: Identify if information (PII, IP, network knowledge) can be discovered/exfiltrated or if damage/defacement can occur
Pros: Simulates an actual threat from a user level
Cons: Does not go into depth of attack but can be disruptive

13 Website Penetration Test
White Penetration Testing
- Administrator-level access to the site as well as knowledge of the code
- Involves code review
- Identifies coding and security issues
Goal: Identify vulnerabilities in the web site
Pros: Identifies vulnerabilities to prioritize and remediate
Cons: Does not simulate a threat (also not disruptive)

14 What is a Network Assessment?
A network assessment is a review of your organization’s current infrastructure to determine the following:
- Overall network protection, internal and external
- Age of currently deployed technology
- Availability of firmware upgrades
- Interoperability with existing AND potential new systems
- Support for systems and their determined End of Life

15 What happens in a Network Assessment?
A certified network engineer should review and analyze the existing and potentially planned infrastructure. There are several models available to use as a framework:
- Cisco Network Security Policy: Best Practices White Paper (availability/13601-secpol.html)
- SANS

16 What happens in a Network Assessment?
Review of the following:
- Firewalls
- Network segmentation
- Group policies
- Passwords
- RBAC
- Capacity review
  - VM hosts
  - Storage
  - Network throughput – laterally and externally
- Network defenses
- Endpoint defenses
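Three of the items the assessment determines (slide 14: age of deployed technology, availability of firmware upgrades, and end of life) reduce to date and version arithmetic over the device inventory gathered in the review above. The following is an added example (not code from the slides) that runs those checks over a constructed inventory and orders the devices by how many issues they carry. The device names, firmware versions and end-of-life dates are constructed, and the two thresholds are assumptions an assessor would agree with the client.

```python
"""Network-assessment inventory checks: age of deployed technology,
firmware currency, and end-of-life status.

Added example, not code from the original slides. The inventory, vendor
firmware versions and end-of-life dates are constructed; the two
thresholds are assumptions to be agreed with the client.
"""
from datetime import date

AGE_WARN_YEARS = 5     # assumption: flag equipment deployed longer than this
EOL_WARN_DAYS = 365    # assumption: flag end of life falling within a year

# Constructed inventory. latest_fw is what the vendor currently ships;
# eol None means no end-of-life date has been announced.
INVENTORY = [
    {"name": "fw-edge-1", "role": "firewall", "deployed": date(2014, 3, 1),
     "firmware": "9.1", "latest_fw": "9.4", "eol": date(2019, 12, 31)},
    {"name": "sw-core-1", "role": "switch", "deployed": date(2020, 6, 15),
     "firmware": "16.9", "latest_fw": "16.9", "eol": None},
    {"name": "vm-host-2", "role": "hypervisor", "deployed": date(2018, 1, 10),
     "firmware": "2.3", "latest_fw": "2.7", "eol": date(2026, 6, 30)},
]


def assess(inventory=INVENTORY, today=None):
    """Return {device name: [issue strings]}; an empty list means nothing flagged."""
    today = today or date.today()
    report = {}
    for dev in inventory:
        issues = []
        age_years = (today - dev["deployed"]).days / 365.25
        if age_years >= AGE_WARN_YEARS:
            issues.append(f"deployed {age_years:.1f} years ago")
        if dev["latest_fw"] and dev["latest_fw"] != dev["firmware"]:
            issues.append(f"firmware upgrade available: {dev['firmware']} -> {dev['latest_fw']}")
        eol = dev["eol"]
        if eol is not None:
            if eol <= today:
                issues.append(f"past end of life ({eol.isoformat()})")
            elif (eol - today).days <= EOL_WARN_DAYS:
                issues.append(f"end of life in {(eol - today).days} days")
        report[dev["name"]] = issues
    return report


def priority(report):
    """Devices with the most issues first; ties broken by name so the order is stable."""
    return sorted(report, key=lambda name: (-len(report[name]), name))


if __name__ == "__main__":
    report = assess(today=date(2025, 10, 1))  # fixed date so the output is reproducible
    for name in priority(report):
        print(name, "-", "; ".join(report[name]) or "no issues")
```

A device that is past end of life with an unapplied firmware update is the combination to surface first: there will be no further fixes for it, which is why `priority` puts the devices with the most stacked issues at the top of the remediation list.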

17 Summary
- There is a fundamental difference between vulnerability scanning and penetration testing
- Understand the regulatory requirement to pick the right “test”
- Verify with your penetration test resource which type of test you need: White, Gray, or Black
- Define your requirements outside of what you have/want to do
- Scope is king!

18 Q & A

19 Schedule
- Security Through Intel, or “Learning from other people’s mistakes” – Thursday 9am – 10am – Mike D’Arezzo
- Building an Incident Response Plan – Thursday 4:15 PM – 5:15 PM – Don Murdoch
- Penetration Testing for the everyday security analyst – Friday 9am – 10am – Mike D’Arezzo
- Portable NFAT Tools, Techniques, and System Build – 11:30 – 12:30 – Don Murdoch

20 SLAIT Security Offerings
Governance / Prevention / Response
- Risk Assessment
- Policy and Procedure
- PCI Prep
- HIPAA Gap Analysis
- Audit Preparation Assistance
- Security Organization Review
- Security Checkup
- Managed Firewall and Endpoint
- Secure Infrastructure Design & Review
- vISO Program
- Awareness Training
- Assessment
- Vulnerability Scanning
- Penetration Testing
- Phishing Exercises
- ThreatRecon Pre-breach Preparation
- ThreatManage Breach Response
- Cyber Forensics
- Technology Partners
