Inverting Risk Management for Ethical Hacking. SecureWorld Expo 09

Size: px
Start display at page:

Download "Inverting Risk Management for Ethical Hacking. SecureWorld Expo 09"

Transcription

1 Inverting Risk Management for Ethical Hacking SecureWorld Expo 09

2 Agenda Speaker Introductions Learning Objectives Framework of Risk Management & Analysis (FoRMA) Duality of Risk Demonstration of Information Warfare Scenario Wrap-Up Q&A 2

3 Introductions Speaker Kris Kahn, CISSP, CISA, CGEIT, OPSA Senior Staff, Electronic Security Governance Seagate Technology LLC Co-Speaker Brian Shura, PCI-QSA Director of Penetration Testing AppSec Consulting 3

4 Audience Attendees should be involved with penetration testing or managing risks, such as... IT Security Staff Risk Managers Company Officers Ethical Hackers Recommended knowledge... Familiar with Security Best Practices Understand Risk Management Concepts Experience with Penetration Testing 4

5 Learning Objectives Understand the advantage of validating your security measures through ethical hacking Recognize the benefits of applying Risk Management and Risk Exploitation methods Understand your control options to mitigate risks Balance your enterprise security using FoRMA 5

6 FoRMA Overview

7 Benefits of FoRMA Big Picture Holistic relationship of related security models. Technology Independent Universal Risk Management concepts. Business Focused Minimize risk, instead of maximizing security. 7

8 Overview A Framework for integrating industry standard models, such as CIA*, STRIDE* and others Addresses Risk and Control elements: Risk Threat Vulnerability Control Technology Process *: See references at the end of the presentation material 8

9 Goal of FoRMA: Risk Mitigation I.e. Control risks within acceptable limits to support business objectives Establish Your Boundaries Define relevant policies, standards and best-practices Protect assets and resources in accordance with policy Detect policy violations Assure policy compliance 9

10 Building your foundation Start from the ground level and work your way up! Construct a strong security foundation to build your security policies, standards and best-practices. Use industry established security methodologies and codes of best practice to guide your standards and practices. A security foundation supports all layers (including physical, network, application, etc), and addresses each security implementation phase (Awareness, Protection, Detection, and Assurance). 10

11 Building your foundation Methodology Model Subject Threat Management Security Architecture Security Management Asset/Resource Management STRIDE* APAIN* RIVET* CIA* Threat Technology Process Vulnerability Use Methodology with Sub-Model to evaluate Subject *: See references at the end of the presentation material 11

12 Building your foundation This is a layered model based on the ISO Protocol model* which identifies five (of the original seven) layers where critical assets and resources can be identified. Physical Network System Application Data 12

13 Risk Mitigation Life Cycle Identify, Analyze, Control, Maintain, repeat. This process life cycle will guide you through the framework to the appropriate security resolution. Identify Source Threat Discovery Target Asset Valuation Result Business Survey Analyze Threat Assessment Vulnerability Assessment Assessed Risk Control Threat Mitigation Vulnerability Reduction Controlled Risk Maintain Threat Management Asset Management Managed Risk 13

14 Risk Mitigation Life Cycle: Identify Risks can be received through many input channels, if due to a security incident, the threat source needs to be identified to help guide the remediation. Inactive threats from untrusted sources should also be discovered. Valuating the business importance of the asset will drive the prioritization of the remedation. Identify Threat Discovery Asset Valuation Business Survey Analyze Control Maintain 14

15 Risk Mitigation Cycle: Analyze To determine the risk, you must understand the threat of attack and the vulnerability of the asset or resource. We measure and analyze these items in detail to determine the corresponding risk. Identify Analyze Threat Assessment Vulnerability Assessment Assessed Risk Control Maintain 15

16 Risk Mitigation Life Cycle: Control Once you have assessed the risk, you can apply controlmechanisms in the form of technology to mitigate the threat or reduce the vulnerability. Identify Analyze Control Threat Mitigation Vulnerability Reduction Controlled Risk Maintain 16

17 Risk Mitigation Life Cycle: Maintain Once a system is live, you apply counter-measures in the form of processes in the event of an attack (Incident Response) or to assure the integrity of the technology (Security Assessments). Implement change control and regular audit processes to verify when an aspect of the formula has changed. Identify Analyze Control Maintain Threat Management Asset/Resource Management Managed Risk 17

18 FoRMA Model Overview Awareness Risk Threat Process Technology Vulnerability Protection Control Assurance Detection 18

19 Implementation: Phases 1 2 Awareness Protection Assurance 4 Detection 3 19

20 Risk Mitigation Phases & Life Cycle Awareness Protection IACM IACM IACM IACM Assurance Detection 20

21 Duality of Risk

22 Risk Prevention vs Risk Exploitation Using opposing Objectives, the model can be used strategically to take advantage of vulnerabilities instead of preventing damage. Discover Identify Reconnaissance Evaluate Risks Analyze Evaluate Risks Mitigate Risks Control Exploit Risks Balance Risk/Control Maintain Risk/Control Divergence 22

23 Risk Analysis Strategies The Blue Team s strategy is create a balance by mitigating the risk by applying the appropriate amount of control. The remaining risk is acknowledged, regularly checked and managed. Risk = Control (+/- acceptable residual control/risk) The Red Team s strategy is to subvert the control and leverage the risk, keeping the scales tipped in their favor. Risk > Control Both teams need to analyze the risks and the controls to be able to execute their strategies. 23

24 FoRMA Model for Ethical Hacking Red Team Strategy Awareness Deception Threats Process Technology Vulnerabilities Protection Intrusion Blue Team Strategy Assurance Corruption Kris Kahn, Detection Evasion 24

25 Risk Exploitation Phases & Life Cycle Deception Intrusion IACM IACM IACM IACM Corruption Evasion 25

26 Information Warfare Scenario: Red Team/Blue Team Demonstration

27 Objectives Business Become profitable by offering banking services on-line Validate security controls through third-party Pen Test Blue Team - Operations Support the business by identifying and reducing risk Red Team - Ethical Hackers Exploit weaknesses to gain access to customer data, administrative functions, and financial transactions 27

28 Penetration and Defense Life-Cycles Blue Team 1. Awareness 2. Protection 3. Detection 4. Assurance Red Team 1. Deception 2. Intrusion 3. Evasion 4. Corruption Background: The business selected a Windows system running an IIS web server as their online customer interface to their WebService-based banking system and their back-end database system (MS SQL Server). 28

29 Target Free Penetration Testing platform Hacme Bank simulates a "real-world" web services-enabled online banking application, which was built with a number of known and common vulnerabilities. 09/16/2009 Kris Kahn,

30 Red Team: Phase 1 Deception Intrusion I: Target Web Server Corruption IACM Evasion A: Manual JavaScript vulnerability test on Webbased forum C: Cross-Site Scripting (XSS) code to steal admin cookie and reuse M: Elevate privileges of own account to admin status 30

31 Analyze Risk Level: High Enter into forum to test: Result: Conclusion: Vulnerability exists to allow XSS attack that may lead to Elevation of Privileges (Admin access) 09/16/2009 Kris Kahn,

32 Control & Maintain XSS code to steal and reuse cookie to gain access: Risk Level: High Maintain: Set attacker account privilege to Admin type 09/16/2009 Kris Kahn,

33 Blue Team: Phase 1 I: Focus on accounts and authorized access Awareness Protection A: Validate user accounts and appropriate privileges Assurance Detection C: Repair access/accounts as necessary M: Improve coding practices IACM 33

34 Analyze Risk Level: High Validate Accounts through Database Conclusion: Admin privileges inappropriate for user account, may be due to error, root cause analysis in progress Remove unauthorized admin privileges for user account 09/16/2009 Kris Kahn,

35 Control & Maintain Find XSS attack in forum and cleanup: Risk Level: Low Maintain: Patch to prevent special characters entered in forum using input validation, improve coding practices to anticipate this vulnerability 09/16/2009 Kris Kahn,

36 Red Team: Phase 2 Deception Intrusion I: Target data flow A: Test for SQL injection vulnerabilities Corruption Evasion C: Exploit SQL injection flaws to bypass authentication and access admin account IACM M: Gather sensitive information from back-end database 36

37 Analyze Risk Level: Medium Perform manual test to use single quote (') to verify if a field is vulnerable to SQL Injection Conclusion: SQL injection is possible and may lead to Elevation of Privileges (Admin access) 09/16/2009 Kris Kahn,

38 Control Risk Level: High Use SQL injection attack on password field 09/16/2009 Kris Kahn,

39 Control Risk Level: High Successfully bypassed the authentication logic 09/16/2009 Kris Kahn,

40 Maintain Risk Level: High Leverage admin function to gather additional data 09/16/2009 Kris Kahn,

41 Blue Team: Phase 2 I: Focus on database server SQL activity Awareness Protection A: Assess potential unauthorized access to backend database through application Assurance Detection C: Install web application firewall for SQL injection protection M: Update application code to use parameterized queries to prevent SQL injection IACM 41

42 Analyze Risk Level: High Unauthorized SQL activity discovered Conclusion: Unauthorized access to database through application exposed user records with passwords 09/16/2009 Kris Kahn,

43 Control & Maintain Risk Level: Low Install WebKnight to mitigate risk of SQL injection attacks Maintain: Update application code to use parameterized queries to prevent SQL injection Encrypt passwords in database 09/16/2009 Kris Kahn,

44 Red Team: Phase 3 Deception Intrusion I: Target hidden directories and files Corruption Evasion A: Evade detection from using attack signatures and scan for application backdoors IACM C: Access the test admin functionality without authenticating M: Create ghost account for system owner 44

45 Analyze Use SensePost Wikto to identify backdoors Risk Level: Medium Conclusion: Back-door may lead to admin functionality 09/16/2009 Kris Kahn,

46 Control & Maintain Exploit discovered development access to admin functionality Risk Level: High Maintain: Create ghost account similar to owner s name 09/16/2009 Kris Kahn,

47 Blue Team: Phase 3 I: Focus on web activity Awareness Protection A: Review logs for problems or malicious activity C: Cleanup production environment and disable ghost account Assurance Detection M: Prevent external access to all admin functionality and only access admin functions locally IACM 47

48 Analyze Web Server log files, increased file size and activity Risk Level: High Conclusion: Web server scanning discovered a back-door exposing admin functionality (again) 09/16/2009 Kris Kahn,

49 Control & Maintain Remove development back-door and ghost account Maintain: Prevent unauthorized access to admin tools use WebKnight to filter on the URL Risk Level: Low 09/16/2009 Kris Kahn,

50 Maintain Risk Level: Low...and retain local admin functionality 09/16/2009 Kris Kahn,

51 Red Team: Phase 4 Deception Intrusion I: Identify other opportunities to access back-end data by reviewing details of previous error messages Corruption Evasion A: Test access to XML forms C: Use WebService to transfer funds IACM M: Re-enable attacker account 51

52 Analyze Risk Level: Low Identify other non-application opportunities to access the data (captured previously) 09/16/2009 Kris Kahn,

53 Analyze Test available methods Risk Level: Medium Conclusion: Lookup by userid method is not restricted 09/16/2009 Kris Kahn,

54 Control Use the soapui tool to generate a request Risk Level: Medium 09/16/2009 Kris Kahn,

55 Control Risk Level: Medium Acquire account number using the GetUserAccounts method 09/16/2009 Kris Kahn,

56 Control Risk Level: Medium Determine system owner s account balance 09/16/2009 Kris Kahn,

57 Control & Maintain Risk Level: High Transfer funds Maintain: Use WebService to re-enable attacker account 09/16/2009 Kris Kahn,

58 Blue Team: Phase 4 I: Focus on transaction activity Awareness Protection A: Identify significant banking activity and look for errors C: Correct unauthorized account transfers, remove offending account Assurance Detection M: Implement authorization between the web application and the WebService IACM 58

59 Analyze Risk Level: High Identify significant banking activity and account balance discrepancy Conclusion: Internal WebService exposed externally is allowing unauthorized and unauthenticated access 09/16/2009 Kris Kahn,

60 Control & Maintain Risk Level: Low Audit of all account activity and reverse unauthorized transactions. Implement manual approval control for large on-line transfers. Restrict the WebService to internal IP addresses only. Maintain: Implement authentication between the calling application (HackMe Bank) and the web service. 09/16/2009 Kris Kahn,

61 Wrap-Up 61

62 Wrap-Up Design security controls with attacker perspective in mind (and visa-versa). Be proactive in the implementation of phased controls. Validate your controls through Ethical Hacking to ensure effectiveness. Balance your enterprise security using a risk-based framework (FoRMA) that is focused on supporting business objectives. 62

63 Questions? Feedback & Comments are welcome Contact information:

64 Tools (downloadable, non-commercial) Foundstone HacmeBank Paros hacmebank.htm SensePost Wikto SoapUI SQL Express Profiler WebKnight 09/16/2009 Kris Kahn,

65 References (*) Control Objectives for IT and Related Technology (COBIT) trademarked by the IT Governance Institute (ITGI) Open System Interconnection (OSI) reference model was developed by the International Organization for Standardization (ISO) in 1984, and it is now considered the primary architectural model for intercomputer communications. STRIDE Threat Model, conceived, built upon, and evangelized at Microsoft by Loren Hohnfelder, Praerit Garg, Jason Garms, and Michael Howard. Explained further in Writing Secure Code, 2nd Ed (ISBN ), pages CIA Security Model, author unknown, taught as part of the Common Body of Knowledge for CISSP curriculum. APAIN Acronym for Security Architecture, developed by Curtis Coleman in RIVET Acronym for Security Management, developed by Kris Kahn Failure Mode and Effects Analysis (FMEA) evolved as a process tool used by the United States military as early as 1949 and is currently part of the SixSigma curriculum. Capability Maturity Model (CMM) is a trademark of Carnegie Mellon University. 65

CSWAE Certified Secure Web Application Engineer

CSWAE Certified Secure Web Application Engineer CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized

More information

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED 01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED Contents 1. Introduction 3 2. Security Testing Methodologies 3 2.1 Internet Footprint Assessment 4 2.2 Infrastructure Assessments

More information

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE s3security.com Security Professional Services S3 offers security services through its Security Professional Services (SPS) group, the security-consulting

More information

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK Hacker Academy Ltd COURSES CATALOGUE Hacker Academy Ltd. LONDON UK TABLE OF CONTENTS Basic Level Courses... 3 1. Information Security Awareness for End Users... 3 2. Information Security Awareness for

More information

Certified Secure Web Application Engineer

Certified Secure Web Application Engineer Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),

More information

Defense in Depth Security in the Enterprise

Defense in Depth Security in the Enterprise Defense in Depth Security in the Enterprise Mike Mulville SAIC Cyber Chief Technology Officer MulvilleM@saic.com Agenda The enterprise challenge - threat; vectors; and risk Traditional data protection

More information

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin Internet of Things Internet of Everything Presented By: Louis McNeil Tom Costin Agenda Session Topics What is the IoT (Internet of Things) Key characteristics & components of the IoT Top 10 IoT Risks OWASP

More information

Vulnerability Management Policy

Vulnerability Management Policy Vulnerability Management Policy Document Type: Policy (PLCY) Endorsed By: Information Technology Policy Committee Date: 4/29/2011 Promulgated By: Chancellor Herzog Date: 6/16/2011 I. Introduction IT resources

More information

Automating the Top 20 CIS Critical Security Controls

Automating the Top 20 CIS Critical Security Controls 20 Automating the Top 20 CIS Critical Security Controls SUMMARY It s not easy being today s CISO or CIO. With the advent of cloud computing, Shadow IT, and mobility, the risk surface area for enterprises

More information

epldt Web Builder Security March 2017

epldt Web Builder Security March 2017 epldt Web Builder Security March 2017 TABLE OF CONTENTS Overview... 4 Application Security... 5 Security Elements... 5 User & Role Management... 5 User / Reseller Hierarchy Management... 5 User Authentication

More information

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Technology Risk Management in Banking Industry Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Change in Threat Landscape 2 Problem & Threats faced by Banking Industry

More information

Ingram Micro Cyber Security Portfolio

Ingram Micro Cyber Security Portfolio Ingram Micro Cyber Security Portfolio Ingram Micro Inc. 1 Ingram Micro Cyber Security Portfolio Services Trainings Vendors Technical Assessment General Training Consultancy Service Certification Training

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

Building Security Into Applications

Building Security Into Applications Building Security Into Applications Cincinnati Chapter Meetings Marco Morana Chapter Lead Blue Ash, July 30 th 2008 Copyright 2008 The Foundation Permission is granted to copy, distribute and/or modify

More information

Continuously Discover and Eliminate Security Risk in Production Apps

Continuously Discover and Eliminate Security Risk in Production Apps White Paper Security Continuously Discover and Eliminate Security Risk in Production Apps Table of Contents page Continuously Discover and Eliminate Security Risk in Production Apps... 1 Continuous Application

More information

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE EXECUTIVE SUMMARY ALIGNING CYBERSECURITY WITH RISK The agility and cost efficiencies

More information

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards PCI DSS What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards Definition: A multifaceted security standard that includes requirements for security management, policies, procedures,

More information

GOING WHERE NO WAFS HAVE GONE BEFORE

GOING WHERE NO WAFS HAVE GONE BEFORE GOING WHERE NO WAFS HAVE GONE BEFORE Andy Prow Aura Information Security Sam Pickles Senior Systems Engineer, F5 Networks NZ Agenda: WTF is a WAF? View from the Trenches Example Attacks and Mitigation

More information

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED AUTOMATED CODE ANALYSIS WEB APPLICATION VULNERABILITIES IN 2017 CONTENTS Introduction...3 Testing methods and classification...3 1. Executive summary...4 2. How PT AI works...4 2.1. Verifying vulnerabilities...5

More information

Effective Strategies for Managing Cybersecurity Risks

Effective Strategies for Managing Cybersecurity Risks October 6, 2015 Effective Strategies for Managing Cybersecurity Risks Larry Hessney, CISA, PCI QSA, CIA 1 Everybody s Doing It! 2 Top 10 Cybersecurity Risks Storing, Processing or Transmitting Sensitive

More information

Protect Your Organization from Cyber Attacks

Protect Your Organization from Cyber Attacks Protect Your Organization from Cyber Attacks Leverage the advanced skills of our consultants to uncover vulnerabilities our competitors overlook. READY FOR MORE THAN A VA SCAN? Cyber Attacks by the Numbers

More information

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations May 14, 2018 1:30PM to 2:30PM CST In Plain English: Cybersecurity and IT Exam Expectations Options to Join Webinar and audio Click on the link: https://www.webcaster4.com/webcast/page/584/24606 Choose

More information

90% of data breaches are caused by software vulnerabilities.

90% of data breaches are caused by software vulnerabilities. 90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) www.ce.ucf.edu/ssd Offered in partnership with

More information

Security Testing. - a requirement for a secure business. ISACA DAY in SOFIA. Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE

Security Testing. - a requirement for a secure business. ISACA DAY in SOFIA. Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE Cyber Security Services Security Testing - a requirement for a secure business ISACA DAY in SOFIA Agenda No Agenda Some minimum theory More real

More information

Integrigy Consulting Overview

Integrigy Consulting Overview Integrigy Consulting Overview Database and Application Security Assessment, Compliance, and Design Services March 2016 mission critical applications mission critical security About Integrigy ERP Applications

More information

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1 Addressing the Evolving Cybersecurity Tom Tollerton, CISSP, CISA, PCI QSA Manager Cybersecurity Advisory Services DHG presenter Tom Tollerton, Manager DHG IT Advisory 704.367.7061 tom.tollerton@dhgllp.com

More information

Development*Process*for*Secure* So2ware

Development*Process*for*Secure* So2ware Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development

More information

CyberSecurity. Penetration Testing. Penetration Testing. Contact one of our specialists for more information CYBERSECURITY SERVICE DATASHEET

CyberSecurity. Penetration Testing. Penetration Testing. Contact one of our specialists for more information CYBERSECURITY SERVICE DATASHEET DATASHEET Gavin, Technical Director Ensures Penetration Testing Quality CyberSecurity Penetration Testing CHESS CYBERSECURITY CREST-ACCREDITED PEN TESTS PROVIDE A COMPREHENSIVE REVIEW OF YOUR ORGANISATION

More information

Trustwave Managed Security Testing

Trustwave Managed Security Testing Trustwave Managed Security Testing SOLUTION OVERVIEW Trustwave Managed Security Testing (MST) gives you visibility and insight into vulnerabilities and security weaknesses that need to be addressed to

More information

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

The SANS Institute Top 20 Critical Security Controls. Compliance Guide The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise

More information

To Audit Your IAM Program

To Audit Your IAM Program Top Five Reasons To Audit Your IAM Program Best-in-class organizations are auditing their IAM programs - are you? focal-point.com Introduction Stolen credentials are the bread and butter of today s hacker.

More information

Choosing the Right Security Assessment

Choosing the Right Security Assessment A Red Team Whitepaper Choosing the Right Security Navigating the various types of Security s and selecting an IT security service provider can be a daunting task; however, it does not have to be. Understanding

More information

C1: Define Security Requirements

C1: Define Security Requirements OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security

More information

Security Aspects Control Rationale Best Practices Self-Assessment (Click all that applicable) 1. Security Policy and Security Management

Security Aspects Control Rationale Best Practices Self-Assessment (Click all that applicable) 1. Security Policy and Security Management Seven Habits of Cyber Security for SMEs Security Aspects Control Rationale Best Practices Self-Assessment (Click all that applicable) 1. Security Policy and Security Management Security Policy is an important

More information

NIST Cybersecurity Framework Protect / Maintenance and Protective Technology

NIST Cybersecurity Framework Protect / Maintenance and Protective Technology NIST Cybersecurity Framework Protect / Maintenance and Protective Technology Presenter Charles Ritchie CISSP, CISA, CISM, GSEC, GCED, GSNA, +6 Information Security Officer IT experience spanning two centuries

More information

RiskSense Attack Surface Validation for Web Applications

RiskSense Attack Surface Validation for Web Applications RiskSense Attack Surface Validation for Web Applications 2018 RiskSense, Inc. Keeping Pace with Digital Business No Excuses for Not Finding Risk Exposure We needed a faster way of getting a risk assessment

More information

CS 356 Operating System Security. Fall 2013

CS 356 Operating System Security. Fall 2013 CS 356 Operating System Security Fall 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter 5 Database

More information

Certified Information Security Manager (CISM) Course Overview

Certified Information Security Manager (CISM) Course Overview Certified Information Security Manager (CISM) Course Overview This course teaches students about information security governance, information risk management, information security program development,

More information

Building Resilience in a Digital Enterprise

Building Resilience in a Digital Enterprise Building Resilience in a Digital Enterprise Top five steps to help reduce the risk of advanced targeted attacks To be successful in business today, an enterprise must operate securely in the cyberdomain.

More information

Will you be PCI DSS Compliant by September 2010?

Will you be PCI DSS Compliant by September 2010? Will you be PCI DSS Compliant by September 2010? Michael D Sa, Visa Canada Presentation to OWASP Toronto Chapter Toronto, ON 19 August 2009 Security Environment As PCI DSS compliance rates rise, new compromise

More information

Carbon Black PCI Compliance Mapping Checklist

Carbon Black PCI Compliance Mapping Checklist Carbon Black PCI Compliance Mapping Checklist The following table identifies selected PCI 3.0 requirements, the test definition per the PCI validation plan and how Carbon Black Enterprise Protection and

More information

Case Study: The Evolution of EMC s Product Security Office. Dan Reddy, CISSP, CSSLP EMC Product Security Office

Case Study: The Evolution of EMC s Product Security Office. Dan Reddy, CISSP, CSSLP EMC Product Security Office Case Study: The Evolution of EMC s Product Security Office Dan Reddy, CISSP, CSSLP EMC Product Security Office 1 The Evolution of EMC Product Security 2000-2004 2005-2009 2010-Beyond External Drivers Hackers

More information

Penetration Testing and Team Overview

Penetration Testing and Team Overview ATO Trusted Access Penetration Testing and Team Overview PRESENTED BY Name: Len Kleinman Director ATO Trusted Access Australian Taxation Office 18 May 2011 What is Vulnerability Management? The on-going

More information

Penetration testing.

Penetration testing. Penetration testing Penetration testing is a globally recognized security measure that can help provide assurances that a company s critical business infrastructure is protected from internal or external

More information

Cybersecurity Panel: Cutting through Cybersecurity Hype with Practical Tips to Protect your Bank

Cybersecurity Panel: Cutting through Cybersecurity Hype with Practical Tips to Protect your Bank Cybersecurity Panel: Cutting through Cybersecurity Hype with Practical Tips to Protect your Bank NJ Bankers Association Annual Convention May 19, 2017 Presented by: Jeremy Burris, Principal, S.R. Snodgrass,

More information

Under the hood testing - Code Reviews - - Harshvardhan Parmar

Under the hood testing - Code Reviews - - Harshvardhan Parmar Under the hood testing - Code Reviews - - Harshvardhan Parmar In the news September 2011 A leading bank s Database hacked (SQLi) June 2011 Sony hack exposes consumer passwords (SQLi) April 2011 Sony sites

More information

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation Defense-in-Depth Against Malicious Software Speaker name Title Group Microsoft Corporation Agenda Understanding the Characteristics of Malicious Software Malware Defense-in-Depth Malware Defense for Client

More information

Today s Security Threats: Emerging Issues Keeping CFOs Up at Night Understanding & Protecting Against Information Security Breaches

Today s Security Threats: Emerging Issues Keeping CFOs Up at Night Understanding & Protecting Against Information Security Breaches Today s Security Threats: Emerging Issues Keeping CFOs Up at Night Understanding & Protecting Against Information Security Breaches Chris Bucolo, PCIP, MBA Today s Speaker Chris Bucolo Sr. Manager, Sikich

More information

Vulnerability Assessments and Penetration Testing

Vulnerability Assessments and Penetration Testing CYBERSECURITY Vulnerability Assessments and Penetration Testing A guide to understanding vulnerability assessments and penetration tests. OVERVIEW When organizations begin developing a strategy to analyze

More information

From Russia With Love

From Russia With Love #ARDAWorld From Russia With Love Is your technology vulnerable to data theft? Do you know your own security protocols? Learn about auditing cyber-security processes and discover how to stay compliant and

More information

PROTECTING INFORMATION ASSETS NETWORK SECURITY

PROTECTING INFORMATION ASSETS NETWORK SECURITY PROTECTING INFORMATION ASSETS NETWORK SECURITY PAUL SMITH 20 years of IT experience (desktop, servers, networks, firewalls.) 17 years of engineering in enterprise scaled networks 10+ years in Network Security

More information

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013 Protect Your Application with Secure Coding Practices Barrie Dempster & Jason Foy JAM306 February 6, 2013 BlackBerry Security Team Approximately 120 people work within the BlackBerry Security Team Security

More information

Think Like an Attacker

Think Like an Attacker Think Like an Attacker Using Attack Intelligence to Ensure the Security of Critical Business Assets Current State of Information Security Focused on detection and response Desire to reduce detection to

More information

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite: Secure Java Web Application Development Lifecycle - SDL (TT8325-J) Day(s): 5 Course Code: GK1107 Overview Secure Java Web Application Development Lifecycle (SDL) is a lab-intensive, hands-on Java / JEE

More information

Nebraska CERT Conference

Nebraska CERT Conference Nebraska CERT Conference Security Methodology / Incident Response Patrick Hanrion Security Center of Excellence Sr. Security Consultant Agenda Security Methodology Security Enabled Business Framework methodology

More information

The University of Queensland

The University of Queensland UQ Cyber Security Strategy 2017-2020 NAME: UQ Cyber Security Strategy DATE: 21/07/2017 RELEASE:0.2 Final AUTHOR: OWNER: CLIENT: Marc Blum Chief Information Officer Strategic Information Technology Council

More information

Threat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved

Threat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved Threat Modeling for System Builders and System Breakers!! Dan Cornell! @danielcornell Dan Cornell Dan Cornell, founder and CTO of Denim Group Software developer by background (Java,.NET, etc) OWASP San

More information

Engineering Your Software For Attack

Engineering Your Software For Attack Engineering Your Software For Attack Robert A. Martin Senior Principal Engineer Cyber Security Center Center for National Security The MITRE Corporation 2013 The MITRE Corporation. All rights reserved.

More information

K12 Cybersecurity Roadmap

K12 Cybersecurity Roadmap K12 Cybersecurity Roadmap Introduction Jason Brown, CISSP Chief Information Security Officer Merit Network, Inc jbrown@merit.edu @jasonbrown17 https://linkedin.com/in/jasonbrown17 2 Agenda 3 Why Use the

More information

Infosec Europe 2009 Business Strategy Theatre. Giving Executives the Security Management Information that they Really Need

Infosec Europe 2009 Business Strategy Theatre. Giving Executives the Security Management Information that they Really Need Infosec Europe 2009 Business Strategy Theatre Giving Executives the Security Management Information that they Really Need Simon Marvell Managing Director simon.marvell@acuityrm.com Agenda 1. What financial

More information

OWASP Top 10 The Ten Most Critical Web Application Security Risks

OWASP Top 10 The Ten Most Critical Web Application Security Risks OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain

More information

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati OWASP TOP 10 2017 Release Andy Willingham June 12, 2018 OWASP Cincinnati Agenda A quick history lesson The Top 10(s) Web Mobile Privacy Protective Controls Why have a Top 10? Software runs the world (infrastructure,

More information

Product Security Program

Product Security Program Product Security Program An overview of Carbon Black s Product Security Program and Practices Copyright 2016 Carbon Black, Inc. All rights reserved. Carbon Black is a registered trademark of Carbon Black,

More information

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved. FTA 2017 SEATTLE Cybersecurity and the State Tax Threat Environment 1 Agenda Cybersecurity Trends By the Numbers Attack Trends Defensive Trends State and Local Intelligence What Can You Do? 2 2016: Who

More information

Software Security Initiatives for Information Security Officers Marco Morana OWASP Cincinnati Chapter OWASP ISSA Cincinnati Chapter Meeting

Software Security Initiatives for Information Security Officers Marco Morana OWASP Cincinnati Chapter OWASP ISSA Cincinnati Chapter Meeting Software Security Initiatives for Information Security Officers Marco Morana OWASP Cincinnati Chapter OWASP ISSA Cincinnati Chapter Meeting July 14 th 2010 Copyright 2010 - The OWASP Foundation Permission

More information

hidden vulnerabilities

hidden vulnerabilities hidden vulnerabilities industrial networks in 30 minutes Cyber Security introduction Frank Kemeling Certified Ethical Hacker [CEH] EC-Council Certified Security Analyst [ESCA] Licensed Penetration Tester

More information

the SWIFT Customer Security

the SWIFT Customer Security TECH BRIEF Mapping BeyondTrust Solutions to the SWIFT Customer Security Controls Framework Privileged Access Management and Vulnerability Management Table of ContentsTable of Contents... 2 Purpose of This

More information

Cyber Protections: First Step, Risk Assessment

Cyber Protections: First Step, Risk Assessment Cyber Protections: First Step, Risk Assessment Presentation to: Presented to: Mark LaVigne, Deputy Director NYSAC November 21, 2017 500 Avery Lane Rome, NY 13441 315.338.5818 www.nystec.com In this presentation

More information

Cyber Risks in the Boardroom Conference

Cyber Risks in the Boardroom Conference Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks

More information

An ICS Whitepaper Choosing the Right Security Assessment

An ICS Whitepaper Choosing the Right Security Assessment Security Assessment Navigating the various types of Security Assessments and selecting an IT security service provider can be a daunting task; however, it does not have to be. Understanding the available

More information

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s Session I of III JD Nir, Security Analyst Why is this important? ISE Proprietary Agenda About ISE Web Applications

More information

Express Monitoring 2019

Express Monitoring 2019 Express Monitoring 2019 WHY CHOOSE PT EXPRESS MONITORING PT Express Monitoring provides a quick evaluation of the current signaling network protection level. This service helps to discover critical vulnerabilities

More information

Comprehensive Database Security

Comprehensive Database Security Comprehensive Database Security Safeguard against internal and external threats In today s enterprises, databases house some of the most highly sensitive, tightly regulated data the very data that is sought

More information

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing

More information

Web Application Penetration Testing

Web Application Penetration Testing Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate

More information

Aguascalientes Local Chapter. Kickoff

Aguascalientes Local Chapter. Kickoff Aguascalientes Local Chapter Kickoff juan.gama@owasp.org About Us Chapter Leader Juan Gama Application Security Engineer @ Aspect Security 9+ years in Appsec, Testing, Development Maintainer of OWASP Benchmark

More information

VULNERABILITY ASSESSMENT: SYSTEM AND NETWORK PENETRATION TESTING. Presented by: John O. Adeika Student ID:

VULNERABILITY ASSESSMENT: SYSTEM AND NETWORK PENETRATION TESTING. Presented by: John O. Adeika Student ID: VULNERABILITY ASSESSMENT: SYSTEM AND NETWORK PENETRATION TESTING. Presented by: John O. Adeika Student ID: 000205600 What is Penetration A penetration test, is a method of evaluating the security of a

More information

Advanced Security Tester Course Outline

Advanced Security Tester Course Outline Advanced Security Tester Course Outline General Description This course provides test engineers with advanced skills in security test analysis, design, and execution. In a hands-on, interactive fashion,

More information

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE 1 WHAT IS YOUR SITUATION? Excel spreadsheets Manually intensive Too many competing priorities Lack of effective reporting Too many consultants Not

More information

CCISO Blueprint v1. EC-Council

CCISO Blueprint v1. EC-Council CCISO Blueprint v1 EC-Council Categories Topics Covered Weightage 1. Governance (Policy, Legal, & Compliance) & Risk Management 1.1 Define, implement, manage and maintain an information security governance

More information

Security In A Box. Modular Security Services Offering - BFSI. A new concept to Security Services Delivery.

Security In A Box. Modular Security Services Offering - BFSI. A new concept to Security Services Delivery. Modular Security Services Offering - BFSI Security In A Box A new concept to Security Services Delivery. 2017 Skillmine Technology Consulting Pvt. Ltd. The information in this document is the property

More information

What every IT professional needs to know about penetration tests

What every IT professional needs to know about penetration tests What every IT professional needs to know about penetration tests 24 th April, 2014 Geraint Williams IT Governance Ltd www.itgovernance.co.uk Overview So what do IT Professionals need to know about penetration

More information

Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring

Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring Learning Objective Explain the importance of security audits, testing, and monitoring to effective security policy.

More information

SECURITY TRAINING SECURITY TRAINING

SECURITY TRAINING SECURITY TRAINING SECURITY TRAINING SECURITY TRAINING Addressing software security effectively means applying a framework of focused activities throughout the software lifecycle in addition to implementing sundry security

More information

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition Chapter 3 Investigating Web Attacks Objectives After completing this chapter, you should be able to: Recognize the indications

More information

Curso: Ethical Hacking and Countermeasures

Curso: Ethical Hacking and Countermeasures Curso: Ethical Hacking and Countermeasures Module 1: Introduction to Ethical Hacking Who is a Hacker? Essential Terminologies Effects of Hacking Effects of Hacking on Business Elements of Information Security

More information

Attackers Process. Compromise the Root of the Domain Network: Active Directory

Attackers Process. Compromise the Root of the Domain Network: Active Directory Attackers Process Compromise the Root of the Domain Network: Active Directory BACKDOORS STEAL CREDENTIALS MOVE LATERALLY MAINTAIN PRESENCE PREVENTION SOLUTIONS INITIAL RECON INITIAL COMPROMISE ESTABLISH

More information

Cyber Security Program

Cyber Security Program Cyber Security Program Cyber Security Program Goals and Objectives Goals Provide comprehensive Security Education and Awareness to the University community Build trust with the University community by

More information

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations FFIEC Cyber Security Assessment Tool Overview and Key Considerations Overview of FFIEC Cybersecurity Assessment Tool Agenda Overview of assessment tool Review inherent risk profile categories Review domain

More information

A (sample) computerized system for publishing the daily currency exchange rates

A (sample) computerized system for publishing the daily currency exchange rates A (sample) computerized system for publishing the daily currency exchange rates The Treasury Department has constructed a computerized system that publishes the daily exchange rates of the local currency

More information

IMEC Cybersecurity for Manufacturers Penetration Testing and Top 10

IMEC Cybersecurity for Manufacturers Penetration Testing and Top 10 IMEC Cybersecurity for Manufacturers Penetration Testing and Top 10 Christian Espinosa, Alpine Security www.alpinesecurity.com 1 Objectives Learn about penetration testing Learn what to consider when selecting

More information

Cybersecurity The Evolving Landscape

Cybersecurity The Evolving Landscape Cybersecurity The Evolving Landscape 1 Presenter Zach Shelton, CISA Principal DHG IT Advisory Zach.Shelton@DHG.com Raleigh, NC 14+ years of experience in IT Consulting 11+ years of experience with DHG

More information

Security Audit What Why

Security Audit What Why What A systematic, measurable technical assessment of how the organization's security policy is employed at a specific site Physical configuration, environment, software, information handling processes,

More information

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002 ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION

More information

NCUA IT Exam Focus. By Tom Schauer, Principal CliftonLarsonAllen

NCUA IT Exam Focus. By Tom Schauer, Principal CliftonLarsonAllen NCUA IT Exam Focus By Tom Schauer, Principal CliftonLarsonAllen My Background and Experience Computer Science Degree - Puget Sound Information Security Professional for 30 years Consultant: Ernst & Young,

More information

Copyright

Copyright 1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?

More information

SDR Guide to Complete the SDR

SDR Guide to Complete the SDR I. General Information You must list the Yale Servers & if Virtual their host Business Associate Agreement (BAA ) in place. Required for the new HIPAA rules Contract questions are critical if using 3 Lock

More information

New Jersey Association of School Business Officials Information Security K-12. June 5, 2014

New Jersey Association of School Business Officials Information Security K-12. June 5, 2014 New Jersey Association of School Business Officials Information Security K-12 June 5, 2014 Agenda Introduction K 12 Technology Trends Case Study (A Cautionary Tale) What Constitutes a Data Breach Data

More information

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security Sneak Peak at CIS Critical Security Controls V 7 Release Date: March 2018 2017 Presented by Kelli Tarala Principal Consultant Enclave Security 2 Standards and Frameworks 3 Information Assurance Frameworks

More information

Certified Ethical Hacker V9

Certified Ethical Hacker V9 Certified Ethical Hacker V9 Certificate: Certified Ethical Hacker Duration: 5 Days Course Delivery: Blended Course Description: Accreditor: EC Council Language: English This is the world s most advanced

More information