Published by Julianna Strickland. Modified over 6 years ago.
1
Unauthorized Access Risk Mitigation Techniques
IS3230 Access Security Unit 10 Unauthorized Access Risk Mitigation Techniques
2
Unit 10: Class Agenda 11/119/15
Chapter 14 Learning Objectives
Lesson presentation and discussions.
The final exam is the next class. Next class will be on 11/25/15.
Lab activities will be performed in class. Assignments will be given in class.
Break times: a 10-minute break every hour.
Note: All assignments and labs are due today.
3
Learning Objective and Key Concepts
Mitigate risk from unauthorized access to IT systems through proper testing and reporting.
Key Concepts:
System penetration testing and reporting
System vulnerability assessment scanning and reporting
Network and operating system (OS) discovery scan
Scope for a penetration test plan
4
Purpose of Testing Access Control
Testing reveals weaknesses in the system.
Weaknesses found can be dealt with before they are exploited.
There is no one correct way to test access control.
Testing methodology at different stages: software design, hardware development, penetration testing.
5
Access Control Testing
Access control consists of hardware components, software components, usernames and passwords, and networks.
Boundary conditions must also be tested.
6
SDLC and Software Testing
Testing should be built into the SDLC.
Software testing reveals errors and defects and ensures quality.
Code should be well written to ensure system reliability.
7
Software Development Life Cycle (SDLC)
Planning
Requirement analysis
Software design
Construction or coding (development)
Testing and integration
Release and training
Support and updating
Different methodologies exist: Waterfall, iterative, Agile, Scrum, etc.
8
Software Testing
Software testing can be automated or manual.
Black box testing or white box testing
Code review
Unit testing - development stage
Boundary (bounds) testing
Integration testing - ensures different components work together
Load or stress testing - tests robustness
System testing
Acceptance testing
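The slides above say that access control consists of usernames, passwords and privilege checks, and that boundary conditions must be tested. The following added example (not part of the original deck) shows what that looks like in practice: a small, hypothetical access controller with a lockout threshold and a numeric clearance level, plus a test routine that probes exactly the edges where access-control bugs hide: one failure below the lockout threshold, at the threshold, clearance exactly equal to the requirement, one level short, and malformed or case-variant usernames. All names, the threshold value and the accounts are assumptions made for this illustration.

```python
"""Boundary testing of a hypothetical access-control component (added example)."""
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3  # hypothetical lockout threshold used for this illustration


@dataclass
class Account:
    username: str
    password: str
    clearance: int          # hypothetical numeric privilege level (higher = more access)
    failed_attempts: int = 0
    locked: bool = False


class AccessController:
    """Minimal username/password authentication plus clearance-level authorization."""

    def __init__(self, accounts):
        # Exact-match lookup: "BOB" and "bob" are different principals.
        self._accounts = {a.username: a for a in accounts}

    def authenticate(self, username, password):
        acct = self._accounts.get(username)
        if acct is None or acct.locked:
            return False
        if password != acct.password:
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True          # lock on the Nth failure, not the (N+1)th
            return False
        acct.failed_attempts = 0            # a success resets the counter
        return True

    def authorize(self, username, required_clearance):
        acct = self._accounts.get(username)
        return (acct is not None and not acct.locked
                and acct.clearance >= required_clearance)


def run_boundary_tests():
    """Exercise the edges of the access-control rules; returns name -> passed."""
    results = {}

    # Lockout boundary: N-1 failures must leave the account usable, N must lock it.
    ac = AccessController([Account("alice", "s3cret", clearance=2)])
    for _ in range(MAX_FAILED_ATTEMPTS - 1):
        ac.authenticate("alice", "wrong")
    results["still_open_at_n_minus_1"] = ac.authenticate("alice", "s3cret")
    for _ in range(MAX_FAILED_ATTEMPTS):
        ac.authenticate("alice", "wrong")
    results["locked_at_n"] = not ac.authenticate("alice", "s3cret")

    # Clearance boundary: equal must pass, one level short must fail.
    ac2 = AccessController([Account("bob", "pw", clearance=2)])
    results["equal_clearance_allowed"] = ac2.authorize("bob", 2)
    results["one_above_denied"] = not ac2.authorize("bob", 3)

    # Input boundaries: empty, case-variant and unknown principals are all denied.
    results["empty_user_denied"] = not ac2.authenticate("", "")
    results["case_variant_denied"] = not ac2.authenticate("BOB", "pw")
    results["unknown_user_denied"] = not ac2.authorize("carol", 0)
    return results


if __name__ == "__main__":
    for name, passed in run_boundary_tests().items():
        print(f"{name:28s} {'PASS' if passed else 'FAIL'}")
```

The point of the routine is the choice of inputs, not the controller: an off-by-one in the lockout comparison (`>` instead of `>=`) or in the clearance check (`>` instead of `>=`) passes every "typical" test and is caught only at the boundary values.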
9
Security Development Life Cycle
Initiation
Acquisition and development
Implementation and testing
Operation and maintenance
Security testing requires management and the security team to collaborate to make it a success.
10
Information Security Activities
The primary activities of the security team are: monitoring systems, incident handling, and testing.
Discussion: What is performed in each of these activities?
11
Developing a Test Plan
Impact of testing on operations
Known vulnerabilities
Breach planning
Gap analysis - analysis of security concerns across the entire infrastructure, to identify the difference between the desired state and the current state of the IT infrastructure. Gap analysis should cover the seven IT infrastructure domains.
12
Security Testing
Intrusive testing - the test can disrupt or interrupt operations in the organization: penetration testing.
Non-intrusive testing - operations can continue without interruption: vulnerability assessment.
13
Vulnerability Scanners 1
9/16/2018
Attempts to identify vulnerabilities in the hosts scanned
Helps identify out-of-date software versions, applicable patches, or system upgrades
Validates compliance with or deviations from the organization's security policy
Vulnerability scanners take the concept of a port scanner to the next level. Like a port scanner, a vulnerability scanner identifies hosts and open ports, but it also provides information on the associated vulnerabilities (as opposed to relying on human interpretation of the results). Most vulnerability scanners also attempt to provide information on mitigating discovered vulnerabilities. Vulnerability scanners provide system and network administrators with proactive tools that can be used to identify vulnerabilities before an adversary can find them. A vulnerability scanner is a relatively fast and easy way to quantify an organization's exposure to surface vulnerabilities.
(c) ITT Educational Services, Inc.
14
Vulnerability Assessment Scanner 2
Vulnerability assessment is the first step in hardening a network.
Tools: network scanners, port scanners, web application scanners
Discussion: Students name a vulnerability scanner they are familiar with and explain how it works.
15
Benefits of Vulnerability Scanning
Identifies:
Active hosts on the network
Active and vulnerable services (ports) on hosts
Applications (via banner grabbing)
Operating systems
Vulnerabilities associated with discovered operating systems and applications
16
Benefits of Vulnerability Scanning (Continued)
Misconfigured settings
Testing compliance with host application usage or security policies
Establishing a foundation for penetration testing
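Slides 13 to 16 describe a network-based scanner as a port scanner that also grabs banners and maps what it finds to known vulnerabilities. The following added example (not from the deck or any real scanner) shows the core of that mapping step on constructed data: a few service banners as a banner-grabbing stage might return them, a small hypothetical rule table keyed on product and version range, and the logic that turns one into findings. The banners, IP addresses and rule identifiers (EX-0001 etc.) are constructed placeholders, not real hosts or advisories.

```python
"""From grabbed banners to scanner findings (added example, constructed data)."""
import re

# Constructed sample input: (host, port) -> banner text, as a network scanner's
# banner-grabbing stage might return it. Not captured from any real host.
SCAN_RESULTS = {
    ("10.0.0.5", 22): "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8",
    ("10.0.0.5", 80): "Server: Apache/2.4.29 (Ubuntu)",
    ("10.0.0.9", 21): "220 (vsFTPd 3.0.3)",
    ("10.0.0.9", 80): "Server: nginx",            # version deliberately hidden
}

# Hypothetical rule table: (product, vulnerable range [lo, hi), finding id, text).
# Placeholder entries for illustration only; they do not reference real advisories.
RULES = [
    ("openssh", (7, 0, 0), (7, 4, 0),  "EX-0001", "OpenSSH 7.0-7.3: example finding"),
    ("apache",  (2, 4, 0), (2, 4, 30), "EX-0002", "Apache httpd 2.4.0-2.4.29: example finding"),
    ("vsftpd",  (3, 0, 3), (3, 0, 4),  "EX-0003", "vsFTPd 3.0.3: example finding"),
]

# Banner fingerprints. Each pattern yields up to three numeric version groups;
# for OpenSSH the "pN" patch level is treated as the third component.
BANNER_PATTERNS = [
    ("openssh", re.compile(r"OpenSSH[_/](\d+)\.(\d+)(?:p(\d+))?", re.I)),
    ("apache",  re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)", re.I)),
    ("vsftpd",  re.compile(r"vsFTPd (\d+)\.(\d+)\.(\d+)", re.I)),
    ("nginx",   re.compile(r"nginx(?:/(\d+)\.(\d+)\.(\d+))?", re.I)),
]


def parse_banner(banner):
    """Return (product, version_tuple); version is None if the banner hides it."""
    for product, pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if not m:
            continue
        groups = m.groups()
        if groups[0] is None:
            return product, None
        return product, tuple(int(g) if g is not None else 0 for g in groups)
    return None, None


def match_rules(product, version):
    """Compare a parsed version against the rule table's half-open ranges."""
    if product is None:
        return []
    if version is None:
        # Unauthenticated scanning cannot go further here; a host-based or
        # credentialed check is needed (see the network- vs host-based slide).
        return [("INFO", f"{product}: version not disclosed; needs host-based check")]
    return [(fid, text) for rule_product, lo, hi, fid, text in RULES
            if rule_product == product and lo <= version < hi]


def scan_report(results):
    """Build the per-service findings table a scanner would present."""
    report = {}
    for (host, port), banner in results.items():
        product, version = parse_banner(banner)
        report[(host, port)] = {"product": product, "version": version,
                                "findings": match_rules(product, version)}
    return report


if __name__ == "__main__":
    for (host, port), entry in scan_report(SCAN_RESULTS).items():
        print(f"{host}:{port:<5} {entry['product']} {entry['version']} -> {entry['findings']}")
```

Two caveats this makes visible. First, the nginx service produces only an informational entry: a network-based scanner can only reason about what the banner discloses. Second, the OpenSSH banner carries a distribution suffix ("Ubuntu-4ubuntu2.8"); distributions routinely backport security fixes without changing the upstream version string, so a banner-only match of this kind is a candidate finding to verify, not a confirmed vulnerability.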
17
Penetration Testing
Preferably called a security assessment.
The process of actively evaluating your information security measures.
18
Penetration Testing Is an Intrusive Testing Method
Uses the same methods attackers use.
Can take down systems; management should be aware of this possibility.
Most of the time performed by a third party.
The team must sign an agreement document before performing a penetration test.
19
Penetration Testing Is Designed to Exploit System Weaknesses
Relies on the tester's skill, knowledge and cunning.
Usually conducted by an independent contractor.
Tests are usually conducted from outside the security perimeter.
May even disrupt network operations.
End result: a penetration test report.
20
Penetration Testing: Black, White and Gray Box Tests
Black box test: the tester has no prior knowledge of the network infrastructure.
White box test: the tester has in-depth knowledge of the network and systems being tested.
Gray box test: some limited information has been provided to the tester.
21
Penetration Testing—Formal Permissions
Why are formal permissions required to conduct penetration testing? Let's discuss.
Since penetration testing is designed to simulate an attack and uses tools and techniques that may be restricted by law, federal regulations, and organizational policies, it is imperative to get formal permission before starting a penetration test.
22
Rules of Engagement
Specific Internet Protocol (IP) addresses or ranges to be tested
Any restricted hosts, systems, and subnets not to be tested
A list of acceptable testing techniques, such as social engineering and denial of service (DoS), and tools, such as password crackers and network sniffers
Formal permissions are often called the rules of engagement.
23
Rules of Engagement (Continued)
Times when testing is to be conducted (for example, during business hours, after business hours)
Identification of a finite period for testing
IP addresses of the machines from which penetration testing will be conducted
The source IP addresses help administrators differentiate the legitimate penetration testing attacks from actual malicious attacks.
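The two Rules of Engagement slides list what the signed permission must pin down: in-scope ranges, excluded hosts, allowed techniques, testing hours, a finite period, and the tester's source addresses. The following added example (not from the deck) encodes a constructed set of rules of engagement and a pre-flight check a tester can run before launching any tool, refusing the action unless every condition holds. The addresses (RFC 5737 documentation ranges), dates, technique names and the `ROE` structure itself are assumptions for this illustration, not a standard format.

```python
"""Pre-flight rules-of-engagement check (added example, constructed RoE)."""
from datetime import datetime, time
import ipaddress

# Constructed rules of engagement for a hypothetical engagement.
ROE = {
    "in_scope": ["192.0.2.0/24", "198.51.100.10"],
    "excluded": ["192.0.2.1", "192.0.2.250/31"],      # e.g. gateway and a production pair
    "allowed_techniques": {"port_scan", "vuln_scan", "password_crack"},  # no DoS, no social engineering
    "test_window": (time(18, 0), time(6, 0)),         # after-hours window, wraps midnight
    "start": datetime(2015, 11, 18),                  # finite period for testing
    "end": datetime(2015, 11, 25),
    "tester_sources": ["203.0.113.7"],                # addresses the client will whitelist/recognise
}


def _networks(entries):
    """Accept bare addresses or CIDR blocks; a bare address becomes a /32 (or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def host_in_scope(roe, host):
    """Exclusions win over inclusions: an excluded host inside an in-scope range is off-limits."""
    addr = ipaddress.ip_address(host)
    if any(addr in net for net in _networks(roe["excluded"])):
        return False
    return any(addr in net for net in _networks(roe["in_scope"]))


def in_test_window(roe, when):
    """True if `when` lies in the agreed period and in the daily testing hours."""
    if not (roe["start"] <= when <= roe["end"]):
        return False
    start_t, end_t = roe["test_window"]
    t = when.time()
    if start_t <= end_t:
        return start_t <= t <= end_t
    return t >= start_t or t <= end_t        # window such as 18:00-06:00 wraps midnight


def authorize_action(roe, source_ip, target, technique, when):
    """Return (allowed, reason); fail closed on the first unmet RoE condition."""
    if source_ip not in roe["tester_sources"]:
        return False, f"source {source_ip} is not a declared tester address"
    if technique not in roe["allowed_techniques"]:
        return False, f"technique {technique!r} is not permitted by the RoE"
    if not host_in_scope(roe, target):
        return False, f"target {target} is out of scope or explicitly excluded"
    if not in_test_window(roe, when):
        return False, f"{when.isoformat()} is outside the agreed testing window"
    return True, "ok"


if __name__ == "__main__":
    checks = [
        ("203.0.113.7", "192.0.2.15",  "port_scan", datetime(2015, 11, 19, 23, 0)),
        ("203.0.113.7", "192.0.2.250", "port_scan", datetime(2015, 11, 19, 23, 0)),
        ("203.0.113.7", "192.0.2.15",  "dos",       datetime(2015, 11, 19, 23, 0)),
        ("203.0.113.7", "192.0.2.15",  "port_scan", datetime(2015, 11, 19, 12, 0)),
    ]
    for args in checks:
        print(args[1:], "->", authorize_action(ROE, *args))
```

Running this gate in front of the scanner is what turns the signed document into something enforceable: the tester's own tooling refuses a DoS attempt, a scan of an excluded host, or a scan during business hours, and the declared source address is exactly what lets the client's administrators tell the sanctioned activity from a real attack.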
25
Final Test Report
The major deliverable of penetration testing is a report. The report includes:
A detailed description of the test activities
Details of the vulnerabilities found
The test team's final analysis, prioritization of risk and recommendations to harden security
26
Common Vulnerability Scanners
Network-based scanners
Host-based scanners
Network-based scanners are used primarily for mapping an organization's network and identifying open ports and related vulnerabilities. In most cases, these scanners are not limited by the operating system of targeted systems. The scanners can be installed on a single system on the network and can quickly locate and test numerous hosts. Host-based scanners have to be installed on each host to be tested and are used primarily to identify specific host operating system and application misconfigurations and vulnerabilities. As host-based scanners are able to detect vulnerabilities at a higher degree of detail than network-based scanners, they usually require not only host (local) access but also a "root" or administrative account.
27
Roles Involved in Penetration Testing
Network administrator
Chief information officer (CIO)
Security officer
Management
User
Network administrators or individuals contracted to perform the network scanning, as part of a larger series of tests, should conduct the tests described in this section. The approval for the tests may need to come from as high as the CIO, depending on the extent of the testing. It would be customary for the testing organization to alert other security officers, management, and users that network mapping is taking place. Since a number of these tests mimic some of the signs of an attack, the appropriate managers must be notified to avoid confusion and unnecessary expense. It may be wise to alert local law enforcement officials if, for example, the security policy includes notifying law enforcement.
28
Why Conduct a Penetration Test or Vulnerability Scan?
Let's discuss. From a business perspective, penetration testing helps safeguard your organization against failure through:
Preventing financial loss through fraud (hackers, extortionists and disgruntled employees) or through lost revenue due to unreliable business systems and processes
Proving due diligence and compliance to your industry regulators, customers and shareholders. Non-compliance can result in your organization losing business, receiving heavy fines, gathering bad public relations, or ultimately failing. At a personal level it can also mean the loss of your job, prosecution, and sometimes even imprisonment.
Protecting your brand by avoiding loss of consumer confidence and business reputation
29
Summary
Penetration testing: concepts, processes, roles involved, importance
Vulnerability scanning: concepts, processes, roles involved, importance
30
Unit 10 Lab Activities
Complete all your lab activities in class.
31
Unit 10 Assignments
Complete the Chapter 14 review questions and submit them in the next class.
Complete all your assignments and read for your exams.
Complete your class project and submit it in the next class.