Published by Peregrine Sherman. Modified over 6 years ago
1
Vulnerability Assessments and Penetration Testing
Provide a brief introduction about rising security threats and the related benefits of penetration and vulnerability testing.
2
Topics for discussion will be:
Introduction: This presentation illustrates the main points of performing vulnerability assessments and penetration testing. Topics for discussion will be:
Differences between a vulnerability assessment and penetration testing
Vulnerability assessment steps
Internal vulnerability risk assessment
Third-party assessment steps

Discuss in detail:
1) Provide a general summary on vulnerability and penetration testing.
2) Explain how the steps taken in a vulnerability assessment are a methodical approach to provide data about the security baseline.
3) General explanation about the targeted systems while conducting an internal risk assessment.
4) Discuss the steps taken by third-party teams that would conduct such an assessment.
3
Vulnerability Assessment and Penetration Testing Differences:
Vulnerability Assessment: A security process performed to identify all vulnerabilities present on a network. Scanning can be performed with a variety of tools. During the testing procedure, vulnerability data is collected for each scanned device. Once all vulnerabilities are identified, the data is compiled into a prioritized list for review and remediation. Other characteristics of a vulnerability assessment are listed below:
Provides vulnerability information such as type, threat value and possibly remediation resources
Costs less than penetration testing due to the effort of work involved; penetration testing requires different testing resources and/or third-party personnel
Takes less time to perform than penetration testing due to the testing process
Tests patching and remediation efforts to ensure vulnerabilities are eliminated and that new ones haven't appeared due to patching or changes

Discuss in detail:
1) All resource information is required to provide an accurate security baseline.
2) Costs less due to time, training, resources required and possibly vendor assistance.
3) Takes less time due to the planning and other research that is performed before attack simulation takes place.
4) Re-testing the vulnerability assessment targets can verify whether remediation or changes corrected the problem and/or possibly created new vulnerabilities.
4
Vulnerability Assessment and Penetration Testing Differences:
Penetration Testing: A method of evaluating the security baseline of a network by simulating a network attack. When a penetration test (also known as a pen-test) is performed, all resources, internal and external, are subject to testing with the goal of gaining access. Other characteristics of penetration testing are listed below:
Requires information gathering about network resources (whois, DNS, web research, social engineering, etc.)
Detects which resources are vulnerable to attack and attempts to gain access
Verifies that a system is truly vulnerable, based on the information provided during a vulnerability assessment
If significant time is available, penetration testing can be used to expose weaknesses; it takes more time to conduct than a vulnerability assessment
Better conducted by a third party to provide an accurate view of security posture

Discuss in detail:
1) Gathering any information by external means such as whois, DNS, IP address searches, web search, social engineering, etc.
2) Detects what resources can be compromised to gain access
3) Validates information from the vulnerability assessment
4) If time is not an issue, pen testing provides a real simulation of resource attacks
5) Pen tests are better conducted by third-party personnel to give an accurate view of security posture, since internal personnel may be inexperienced or have bias.
5
Vulnerability Assessment Steps:
A vulnerability assessment follows this sequence of steps:
1) Create a clearly written scope of work and obtain all permissions to perform the work in scope
  Scope must contain the work plan along with the date and time window of occurrence
  All written approvals must be signed by someone of authority for the customer
2) Create a plan that includes target systems
  Target list will include all servers, network devices, other resources and IP subnets
3) Ensure the scanning tool is ready to perform the task
  Tool must have the latest signatures to ensure accurate scanning
  Test against a device to ensure the tools are working properly to prevent any rescanning

Discuss in detail:
Why scope is required along with formal authorization. Also mention that the scope will require the date and time of work to ensure no organization is inadvertently impacted.
Explain that a target list is needed to ensure the correct resources are tested.
Discuss that the latest vulnerability signatures are needed since older ones may be outdated or corrected by previous patches.
Internal review is required to prevent any false information from entering the report; a system may need to be rescanned if results are not getting an accurate response.
Complete the final report for management to review, and recheck it for accuracy to ensure the correct amount of time is spent on remediation efforts.
6
Vulnerability Assessment Steps (Continued):
4) Team review of findings
  Weed out any false positives and other false data
5) Compile a report for management with vulnerabilities listed per resource, threat value and any remediation assistance.
6) Start the remediation process to close vulnerabilities

Discuss in detail:
1) Testing provides a great deal of data, and some may have to be sorted or removed due to false positives or incorrect testing responses.
2) Data must be compiled and formatted into a readable form to provide for management review.
3) Start the remediation process; if it is performed by a vendor, it must be determined whether it is part of the work scope.
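The team review, per-resource report and re-testing described on the slides above can be sketched as follows. This is an added example, not part of the original presentation; the hosts, vulnerability ids and 1-10 threat values are constructed placeholders, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed findings: (host, vulnerability id, threat value 1-10).
# Host addresses and ids are placeholders, not real scanner output.
BASELINE = [
    ("10.20.0.10", "VULN-A", 9),
    ("10.20.0.10", "VULN-B", 4),
    ("10.20.0.11", "VULN-C", 7),
    ("10.20.0.12", "VULN-D", 5),
]
RESCAN = [
    ("10.20.0.10", "VULN-B", 4),
    ("10.20.0.11", "VULN-E", 8),  # appeared after patching
    ("10.20.0.12", "VULN-D", 5),
]
# Findings the team review marked as false positives.
FALSE_POSITIVES = {("10.20.0.12", "VULN-D")}

def _index(findings, false_positives):
    """Map (host, vuln) -> threat value, dropping reviewed false positives."""
    return {(h, v): t for h, v, t in findings if (h, v) not in false_positives}

def compare_scans(baseline, rescan, false_positives=frozenset()):
    """Classify findings as remediated, persisting or new after a re-test."""
    before = _index(baseline, false_positives)
    after = _index(rescan, false_positives)
    return {
        "remediated": sorted(before.keys() - after.keys()),
        "persisting": sorted(before.keys() & after.keys()),
        "new": sorted(after.keys() - before.keys()),
    }

def report_by_resource(findings, false_positives=frozenset()):
    """Group open findings per host, highest threat value first."""
    grouped = defaultdict(list)
    for (host, vuln), threat in _index(findings, false_positives).items():
        grouped[host].append((vuln, threat))
    for items in grouped.values():
        items.sort(key=lambda item: (-item[1], item[0]))
    # Hosts whose worst open finding is most severe come first.
    return sorted(grouped.items(), key=lambda kv: (-kv[1][0][1], kv[0]))
```

The "new" bucket is the one that catches vulnerabilities introduced by patching or changes, which a report built from a single scan cannot show.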
7
Internal Vulnerability Assessment Risk:
When performing an internal vulnerability assessment there are certain risks that must be noted, such as:
Network outages- If the person conducting a test is inexperienced and performs it incorrectly, or possibly through no fault of the tester, a network outage may result from the target resource being overwhelmed. Sometimes an outage can happen by mere coincidence and you’re at the wrong place at the wrong time. It’s best to be prepared.
Possible interruptions to other networks- While performing scans, service interruptions may inadvertently be caused to business partners or other third-party systems that connect to the organization’s network.

Discuss in detail:
1) If tests are not carefully performed, outages may be caused; systems can be overloaded, stop responding or simply shut down.
2) Inadvertent interruptions to other systems if not performed cautiously.
8
Third-Party Vulnerability Assessment Steps:
Legal Issues and Ramifications: When performing security testing it is crucial to have all legal considerations handled before any work takes place. Also ensure that the scope of work, along with a clear list of targeted devices, is created and that all non-disclosure documents are signed by both parties. Any unclear information or misunderstanding can put the tester in jeopardy of criminal charges for violating laws such as:
Cyber Security Enhancement Act of 2002
18 USC Fraud and Related Activity in Connection with Computers
Last but not least, make sure all “external” network connections such as vendors and other third parties are clearly identified. Possible damage to networks that you are not contracted to test may cause criminal or liability issues.

Discuss in detail:
1) Stress the importance of having all legal considerations handled before performing any work.
2) Also inform the audience that the CSE Act of 2002 carries a life sentence if convicted.
3) Discuss how scanning other connected networks by accident may cause legal problems.
9
Third-Party Vulnerability Assessment Steps (Continued):
There are multiple steps taken by third-party personnel to conduct a vulnerability assessment. The sequence of steps is listed below:
1) Complete all legal documents (NDA, permission to perform assessment, scope of work, etc.)
2) Compile a list of critical contacts such as:
  On-call personnel
  Management
  Senior management representative (work sponsor)
3) Compile a list of target systems to ensure everything is covered and results are accurate.

Discuss in detail:
1) All legal documents need to be completed before moving forward to ensure all actions are permitted and fully understood.
2) Explain why a list of critical contacts such as on-call personnel, management and senior management (work sponsor) is needed to have on hand during testing.
10
Third-Party Vulnerability Assessment Steps (Continued):
Perform scanning at the scheduled time and date, while monitoring systems and making customer contact in the event something doesn’t go as planned or causes an outage.
Verify with the customer that all systems are fully operational and functional after the scan so that business operations are not impacted.
Review results to ensure accuracy and remove any false positives or incorrect data.
Compile reports for the customer with related information such as description, threat value and remediation recommendations.
Review scan findings with the customer to ensure the vulnerabilities are clearly communicated.

Discuss in detail:
Scanning must be performed at the exact date and time window detailed in the scope of work to ensure any unanticipated impact doesn’t affect the business or customers.
Once scanning is complete, ensure all systems are fully operational to prevent any business impact upon the start of business in the morning.
Review all results to ensure the data is accurate; any false positives will need to be removed and any other false data investigated.
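The scope-of-work, target-list and scheduled-window requirements from the preceding slides can be enforced as a gate that runs before any scan starts. This is an added example, not part of the original presentation; the subnets, dates, approver and function names are constructed assumptions.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed scope of work: every value is an illustrative placeholder.
SCOPE = {
    "in_scope": ["10.20.0.0/24", "10.20.1.0/25"],
    # Vendor / business-partner ranges that must never be scanned.
    "third_party": ["10.20.0.128/28"],
    "window_start": datetime(2024, 3, 9, 22, 0, tzinfo=timezone.utc),
    "window_end": datetime(2024, 3, 10, 4, 0, tzinfo=timezone.utc),
    "approved_by": "J. Doe (work sponsor)",
}

def check_targets(targets, scope):
    """Split targets into (allowed list, {rejected target: reason})."""
    allowed_nets = [ip_network(n) for n in scope["in_scope"]]
    excluded_nets = [ip_network(n) for n in scope["third_party"]]
    allowed, rejected = [], {}
    for raw in targets:
        try:
            addr = ip_address(raw.strip())
        except ValueError:
            rejected[raw] = "not a valid IP address"
            continue
        # Third-party exclusions win even inside an in-scope subnet.
        if any(addr in n for n in excluded_nets):
            rejected[raw] = "third-party network"
        elif not any(addr in n for n in allowed_nets):
            rejected[raw] = "outside scope of work"
        else:
            allowed.append(str(addr))
    return allowed, rejected

def may_scan(now, targets, scope):
    """Return (ok, reasons); ok only if approval, window and all targets pass."""
    reasons = []
    if not scope.get("approved_by"):
        reasons.append("no signed approval on file")
    if not scope["window_start"] <= now < scope["window_end"]:
        reasons.append("outside approved time window")
    _, rejected = check_targets(targets, scope)
    reasons += [f"{t}: {why}" for t, why in sorted(rejected.items())]
    return (not reasons, reasons)
```

Refusing the whole run when a single target fails, rather than silently dropping it, forces the target list to be corrected against the signed scope before scanning begins.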
11
Reason for Testing to be Outsourced:
In many organizations the question of whether to perform certain security services in-house or to outsource them is raised daily. Below are some of the reasons to perform outsourced testing:
Cost- The cost of employing a small security team will be more than the benefit it provides to the organization. Since vulnerability scanning and penetration testing are performed periodically, local personnel could be trained to handle the daily security monitoring. The expense of training current personnel would be minimal as compared to hiring fully trained personnel.

Discuss in detail:
1) High cost involved in employing and training security staff to stay current on trends and vulnerabilities
12
Reason for Testing to be Outsourced (Continued):
Experience- Outsourcers who perform this service daily obtain great experience in conducting the tests. They have the knowledge and experience to recognize false positives or other incorrect data, which will produce a more accurate security baseline and provide the proper data to remediate the security problems.
Non-biased- Outsourcers have a stake in providing the most accurate information and will not cover any underlying problems. They will provide an unbiased opinion based on knowledge and experience. Internal personnel may overlook items that are security issues within their responsibilities or simply not be focused due to other job responsibilities.

Discuss in detail:
Experienced testers provide great value to our testing needs and required level of accuracy.
Outsourcers will not have bias against any systems within their responsibility or be able to suggest a better solution.
13
Reason for Testing to be Outsourced (Continued):
Cost of tools and other required items- The expense of purchasing and maintaining some testing tools and other required items can be quite costly for a small organization. Outsourcing relies on the vendors to have these tools to perform the task requested.
Remediation assistance- Vendors would be able to assist with remediation efforts while the onsite staff is conducting daily business activities.
Regulatory requirements- Under certain regulatory requirements, high-risk items may need to be subjected to independent testing and auditing. If the organization falls under a regulatory requirement, outsourcing would be necessary.

Discuss in detail:
1) Some of the software testing tools are expensive to obtain and maintain and require training to operate.
2) Outsourcers would be able to augment the work force and assist with remediation so as not to interrupt daily business operations.
3) In dealing with any regulatory requirements, independent testing produces credible results.
14
Closing: In today’s world, security risks are constantly evolving and preventative measures are required to lower the organization’s risk. The practice of performing periodic vulnerability and penetration testing will greatly assist in recognizing security issues before they are exploited by an attacker. Even if an attack occurs, the team would be better prepared to handle the situation through previous testing and remediation efforts.

Discuss in detail:
1) Discuss how periodic testing will lower threats by faster recognition and remediation.
15
Presentation Created By:
Phillip Neil Borne
Provide contact information in case someone requires more information about the topic discussed in the presentation.