Presentation is loading. Please wait.

Presentation is loading. Please wait.

Vulnerability Testing Approach Prepared By: Phil Cheese Nov 2008.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Vulnerability Testing Approach Prepared By: Phil Cheese Nov 2008."— Presentation transcript:

1 Vulnerability Testing Approach Prepared By: Phil Cheese Nov 2008

2 2 Outline Structure of Technology UK Security Team Why we test What we test When we test How we test Demo of a unix platform test Hot topics Questions and Answers

3 3 UK Technology Security teams Security Consultants Security Monitoring Mail, Logs, IDS, Firewall Review New Systems Vulnerability Test Team Vulnerability Testing Security OperationsUK Tech. Security MgrGroup CISO

4 4 Definition Penetration testing v Vulnerability testing ? Wikepedia “Security testing techniques scour for vulnerabilities or security holes in applications. These vulnerabilities leave applications open to exploitation. Ideally, security testing is implemented throughout the entire software development life cycle (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner. Unfortunately, testing is often conducted as anafterthought at the end of the development cycle.”exploitationsoftware development life cycle Why ? – test against standards, identify misconfigurations, old vunerable versions of software, test drive Ethics & Legality

5 5 Why testing Preventing financial loss through fraud (hackers, extortionists and disgruntled employees) or through lost revenue due to unreliable business systems and processes. Proving due diligence and compliance to your industry regulators, customers and shareholders. Non-compliance can result in your organisation losing business, receiving heavy fines, gathering bad PR or ultimately failing. Protecting your brand by avoiding loss of consumer confidence and business reputation. vulnerability testing helps shape information security strategy through identifying vulnerabilities and quantifying their impact and likelihood so that they can be managed proactively; budget can be allocated and corrective measures implemented.

6 6 Defining the scope Full-Scale vs. Targeted Testing Platform, Network, Database, Applications Remote vs. Local Testing In-house v outsourcing

7 7 Defense in depth Operating System Database Application Network

8 8 Tester Sun Solaris Application Server HP-UX Oracle DB Redhat Apache Web server Network elements e.g SGSN’s, HLR’s Windows File server www.vodafone.co.uk Nmap Nessus

9 9 Nmap

10 10 Nessus

11 11 Tester Sun Solaris Application Server HP-UX Oracle DB Redhat Apache Web server Network elements e.g SGSN’s, HLR’s Windows File server www.vodafone.co.uk Assuria Agents

12 12 Assuria Auditor Console

13 13 Tester Sun Solaris Application Server HP-UX Oracle DB Redhat Apache Web server Network elements e.g SGSN’s, HLR’s Windows File server www.vodafone.co.uk NGS Squirrel

14 14 NGS Squirrel

15 15 Tester Sun Solaris Application Server HP-UX Oracle DB Redhat Apache Web server Network elements e.g SGSN’s, HLR’s Windows File server www.vodafone.co.uk Appscan, Superwalk

16 16 Appscan

17 17 Backtrack

18 18 Tester Sun Solaris Application Server HP-UX Oracle DB Redhat Apache Web server Network elements e.g SGSN’s, HLR’s Windows File server www.vodafone.co.uk Assuria CLI Remote test (Data Centre)

19 19 Remote platform vulnerability assessment using Assuria Auditor & workbench via the command line “It is better to voyage hopefully than to drive to Oldham” FTP and install scripts Run scans Copy off raw results files Generate csv files Import results into workbench Review scan results Producing reports Agreeing remedial actions and re-testing

20 20 Log onto remote server

21 21 FTP onto a remote server

22 22 unzip tarball file

23 23

24 24 Areas checked by ‘Initial’ policies

25 25 Run scans

26 26 FTP results back to desktop

27 27 Generate CSV files

28 28 Import into Workbench

29 29 Reconcile results

30 30 Filter results

31 31 Vulnerability testing - hot topics PCI-DSS – keeping Security vendor industry going! https://www.pcisecuritystandards.org/ Appliances and automation – keep your auditors happy http://www.qualys.com/products/qg_suite/ http://www.ncircle.com/index.php?s=products Virtualisation and middleware vulnerabilities – don’t forget’em…. http://labs.mwrinfosecurity.com/ Exploitation tools – Metasploit framework, Canvas, Core Impact. BEEF http://www.metasploit.com/ http://www.immunitysec.com/ http://www.coresecurity.com/ http://www.bindshell.net/tools/beef

32 32 Conclusions In depth, holistic approach to security testing Testing needs to take place during the development lifecycle Can be complex and time consuming Outsource specialist testing to third party vendors Commercial tools easy to maintain and use but can be expensive “A fool with a tool is still a fool” Results from tools need analysis and put into a ‘business risk’ context

33 33 Any Questions ?

Download ppt "Vulnerability Testing Approach Prepared By: Phil Cheese Nov 2008."

Similar presentations

Chapter 14 Fraud Risk Assessment.

Chapter 14 Fraud Risk Assessment.
OVERVIEW TEAM5 SOFTWARE The TEAM5 software manages personnel and test data for personal ESD grounding devices. Test and personnel data may be viewed/reported.

OVERVIEW TEAM5 SOFTWARE The TEAM5 software manages personnel and test data for personal ESD grounding devices. Test and personnel data may be viewed/reported.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
Penetration Testing Anand Sudula, CISA,CISSP SSA Global Technologies, India Anand Sudula, CISA,CISSP SSA Global Technologies, India.

Penetration Testing Anand Sudula, CISA,CISSP SSA Global Technologies, India Anand Sudula, CISA,CISSP SSA Global Technologies, India.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
The State of Security Management By Jim Reavis January 2003.

The State of Security Management By Jim Reavis January 2003.
Network Security Testing Techniques Presented By:- Sachin Vador.

Network Security Testing Techniques Presented By:- Sachin Vador.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 6 Enumeration.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 6 Enumeration.
Patching MIT SUS Services IS&T Network Infrastructure Services Team.

Patching MIT SUS Services IS&T Network Infrastructure Services Team.
Comp 8130 Presentation Security Testing Group Members: U4266680 Hui Chen U4242754 Ming Chen U4266538 Xiaobin Wang.

Comp 8130 Presentation Security Testing Group Members: U Hui Chen U Ming Chen U Xiaobin Wang.
PCM2U Presentation by Paul A Cook IT SERVICES. PCM2U Our History  Our team has been providing complete development and networking solutions for over.

PCM2U Presentation by Paul A Cook IT SERVICES. PCM2U Our History  Our team has been providing complete development and networking solutions for over.
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Security Strategies in Linux Platforms and.

© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Strategies in Linux Platforms and.
Penetration Testing Edmund Whitehead Rayce West. Introduction - Definition of Penetration Testing - Who needs Penetration Testing? - Penetration Testing.

Penetration Testing Edmund Whitehead Rayce West. Introduction - Definition of Penetration Testing - Who needs Penetration Testing? - Penetration Testing.
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
Cloud Computing How secure is it? Author: Marziyeh Arabnejad Revised/Edited: James Childress April 2014 Tandy School of Computer Science.

Cloud Computing How secure is it? Author: Marziyeh Arabnejad Revised/Edited: James Childress April 2014 Tandy School of Computer Science.
A Comprehensive Solution Team Mag 5 Valerie B., Derek C., Jimmy C., Julia M., Mark Z.

A Comprehensive Solution Team Mag 5 Valerie B., Derek C., Jimmy C., Julia M., Mark Z.
E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.

E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.

Similar presentations

Ads by Google