Inverting Risk Management for Ethical Hacking. SecureWorld Expo 09
2 Agenda
Speaker Introductions
Learning Objectives
Framework of Risk Management & Analysis (FoRMA)
Duality of Risk
Demonstration of Information Warfare Scenario
Wrap-Up
Q&A
3 Introductions
Speaker: Kris Kahn, CISSP, CISA, CGEIT, OPSA; Senior Staff, Electronic Security Governance, Seagate Technology LLC
Co-Speaker: Brian Shura, PCI-QSA; Director of Penetration Testing, AppSec Consulting
4 Audience
Attendees should be involved with penetration testing or managing risks, such as: IT Security Staff, Risk Managers, Company Officers, Ethical Hackers.
Recommended knowledge: familiar with Security Best Practices; understand Risk Management Concepts; experience with Penetration Testing.
5 Learning Objectives
Understand the advantage of validating your security measures through ethical hacking.
Recognize the benefits of applying Risk Management and Risk Exploitation methods.
Understand your control options to mitigate risks.
Balance your enterprise security using FoRMA.
6 FoRMA Overview
7 Benefits of FoRMA
Big Picture: holistic relationship of related security models.
Technology Independent: universal Risk Management concepts.
Business Focused: minimize risk, instead of maximizing security.
8 Overview
A framework for integrating industry standard models, such as CIA*, STRIDE* and others.
Addresses Risk and Control elements. Risk: Threat, Vulnerability. Control: Technology, Process.
*: See references at the end of the presentation material.
9 Goal of FoRMA: Risk Mitigation
I.e. control risks within acceptable limits to support business objectives.
Establish your boundaries: define relevant policies, standards and best-practices.
Protect assets and resources in accordance with policy.
Detect policy violations.
Assure policy compliance.
10 Building your foundation
Start from the ground level and work your way up! Construct a strong security foundation on which to build your security policies, standards and best-practices. Use industry established security methodologies and codes of best practice to guide your standards and practices. A security foundation supports all layers (including physical, network, application, etc.), and addresses each security implementation phase (Awareness, Protection, Detection, and Assurance).
11 Building your foundation
Use a Methodology with a Sub-Model to evaluate a Subject:
Methodology                  Model    Subject
Threat Management            STRIDE*  Threat
Security Architecture        APAIN*   Technology
Security Management          RIVET*   Process
Asset/Resource Management    CIA*     Vulnerability
*: See references at the end of the presentation material.
12 Building your foundation
This is a layered model based on the ISO protocol model*, which identifies five (of the original seven) layers where critical assets and resources can be identified: Physical, Network, System, Application, Data.
13 Risk Mitigation Life Cycle
Identify, Analyze, Control, Maintain, repeat. This process life cycle will guide you through the framework to the appropriate security resolution.
Phase      Source               Target                     Result
Identify   Threat Discovery     Asset Valuation            Business Survey
Analyze    Threat Assessment    Vulnerability Assessment   Assessed Risk
Control    Threat Mitigation    Vulnerability Reduction    Controlled Risk
Maintain   Threat Management    Asset Management           Managed Risk
14 Risk Mitigation Life Cycle: Identify
Risks can be received through many input channels; if a risk is due to a security incident, the threat source needs to be identified to help guide the remediation. Inactive threats from untrusted sources should also be discovered. Valuating the business importance of the asset will drive the prioritization of the remediation.
[Cycle diagram: Identify (Threat Discovery, Asset Valuation, Business Survey), Analyze, Control, Maintain]
15 Risk Mitigation Cycle: Analyze
To determine the risk, you must understand the threat of attack and the vulnerability of the asset or resource. We measure and analyze these items in detail to determine the corresponding risk.
[Cycle diagram: Identify, Analyze (Threat Assessment, Vulnerability Assessment, Assessed Risk), Control, Maintain]
16 Risk Mitigation Life Cycle: Control
Once you have assessed the risk, you can apply control mechanisms in the form of technology to mitigate the threat or reduce the vulnerability.
[Cycle diagram: Identify, Analyze, Control (Threat Mitigation, Vulnerability Reduction, Controlled Risk), Maintain]
17 Risk Mitigation Life Cycle: Maintain
Once a system is live, you apply counter-measures in the form of processes in the event of an attack (Incident Response) or to assure the integrity of the technology (Security Assessments). Implement change control and regular audit processes to verify when an aspect of the formula has changed.
[Cycle diagram: Identify, Analyze, Control, Maintain (Threat Management, Asset/Resource Management, Managed Risk)]
18 FoRMA Model Overview
[Diagram: Risk (Threat, Vulnerability) and Control (Process, Technology), set against the four phases Awareness, Protection, Detection, Assurance]
19 Implementation: Phases
[Diagram: 1 Awareness, 2 Protection, 3 Detection, 4 Assurance]
20 Risk Mitigation Phases & Life Cycle
[Diagram: the Identify/Analyze/Control/Maintain (IACM) cycle applied within each phase: Awareness, Protection, Detection, Assurance]
21 Duality of Risk
22 Risk Prevention vs Risk Exploitation
Using opposing objectives, the model can be used strategically to take advantage of vulnerabilities instead of preventing damage.
Risk Prevention          Life Cycle   Risk Exploitation
Discover                 Identify     Reconnaissance
Evaluate Risks           Analyze      Evaluate Risks
Mitigate Risks           Control      Exploit Risks
Balance Risk/Control     Maintain     Risk/Control Divergence
23 Risk Analysis Strategies
The Blue Team's strategy is to create a balance by mitigating the risk by applying the appropriate amount of control. The remaining risk is acknowledged, regularly checked and managed.
Risk = Control (+/- acceptable residual control/risk)
The Red Team's strategy is to subvert the control and leverage the risk, keeping the scales tipped in their favor.
Risk > Control
Both teams need to analyze the risks and the controls to be able to execute their strategies.
24 FoRMA Model for Ethical Hacking
[Diagram: Red Team Strategy (Deception, Intrusion, Evasion, Corruption) acting on Threats and Vulnerabilities, opposite the Blue Team Strategy (Awareness, Protection, Detection, Assurance) acting through Process and Technology]
25 Risk Exploitation Phases & Life Cycle
[Diagram: the IACM cycle applied within each Red Team phase: Deception, Intrusion, Evasion, Corruption]
26 Information Warfare Scenario: Red Team/Blue Team Demonstration
27 Objectives
Business: become profitable by offering banking services on-line; validate security controls through a third-party Pen Test.
Blue Team (Operations): support the business by identifying and reducing risk.
Red Team (Ethical Hackers): exploit weaknesses to gain access to customer data, administrative functions, and financial transactions.
28 Penetration and Defense Life-Cycles
Blue Team: 1. Awareness 2. Protection 3. Detection 4. Assurance
Red Team: 1. Deception 2. Intrusion 3. Evasion 4. Corruption
Background: The business selected a Windows system running an IIS web server as their online customer interface to their WebService-based banking system and their back-end database system (MS SQL Server).
29 Target
Free penetration testing platform: Hacme Bank simulates a "real-world" web services-enabled online banking application, which was built with a number of known and common vulnerabilities.
09/16/2009 Kris Kahn
30 Red Team: Phase 1 (Deception)
I: Target web server
A: Manual JavaScript vulnerability test on web-based forum
C: Cross-Site Scripting (XSS) code to steal the admin cookie and reuse it
M: Elevate privileges of own account to admin status
31 Analyze
Risk Level: High
Enter into forum to test. Result: [screenshot]. Conclusion: Vulnerability exists to allow an XSS attack that may lead to Elevation of Privileges (Admin access).
32 Control & Maintain
Risk Level: High
Control: XSS code to steal and reuse cookie to gain access [screenshot].
Maintain: Set attacker account privilege to Admin type.
33 Blue Team: Phase 1 (Awareness)
I: Focus on accounts and authorized access
A: Validate user accounts and appropriate privileges
C: Repair access/accounts as necessary
M: Improve coding practices
34 Analyze
Risk Level: High
Validate accounts through the database [screenshot]. Conclusion: Admin privileges are inappropriate for a user account; may be due to error, root cause analysis in progress. Remove unauthorized admin privileges for the user account.
35 Control & Maintain
Find the XSS attack in the forum and clean it up [screenshot].
Risk Level: Low
Maintain: Patch to prevent special characters being entered in the forum using input validation; improve coding practices to anticipate this vulnerability.
36 Red Team: Phase 2 (Intrusion)
I: Target data flow
A: Test for SQL injection vulnerabilities
C: Exploit SQL injection flaws to bypass authentication and access the admin account
M: Gather sensitive information from the back-end database
37 Analyze
Risk Level: Medium
Perform a manual test using a single quote (') to verify whether a field is vulnerable to SQL Injection [screenshot]. Conclusion: SQL injection is possible and may lead to Elevation of Privileges (Admin access).
38 Control
Risk Level: High
Use SQL injection attack on the password field [screenshot].
39 Control
Risk Level: High
Successfully bypassed the authentication logic [screenshot].
40 Maintain
Risk Level: High
Leverage admin function to gather additional data [screenshot].
41 Blue Team: Phase 2 (Protection)
I: Focus on database server SQL activity
A: Assess potential unauthorized access to the back-end database through the application
C: Install web application firewall for SQL injection protection
M: Update application code to use parameterized queries to prevent SQL injection
42 Analyze
Risk Level: High
Unauthorized SQL activity discovered [screenshot]. Conclusion: Unauthorized access to the database through the application exposed user records with passwords.
43 Control & Maintain
Risk Level: Low
Install WebKnight to mitigate the risk of SQL injection attacks.
Maintain: Update application code to use parameterized queries to prevent SQL injection; encrypt passwords in the database.
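The two Maintain items above, shown side by side as an added example (this is not code from the presentation or from Hacme Bank): a login query that splices the password into the SQL text next to the parameterized version, with the single-quote check from the Red Team's Analyze slide run against both. The table, account names and passwords are constructed placeholders, and a salted PBKDF2 hash stands in for the slide's "encrypt passwords" item.

```python
"""Added example (not from the presentation or Hacme Bank): the bank login
query before and after the Blue Team's Phase 2 remediation."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts; the names and passwords are placeholders.
ACCOUNTS = [("owner", "owner-pass-1", 1), ("customer", "customer-pass-1", 0)]


def build_legacy_db() -> sqlite3.Connection:
    """BEFORE: plaintext passwords, the state the Blue Team found exposed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id TEXT PRIMARY KEY, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ACCOUNTS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, user_id: str, password: str):
    """BEFORE: untrusted input is spliced into the SQL text, so a quote in the
    password field changes the statement instead of being compared as data."""
    sql = ("SELECT user_id, is_admin FROM users WHERE user_id = '" + user_id
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256, used here as the concrete form of the slide's
    # "encrypt passwords in database" item: a leaked row no longer reveals the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def build_hardened_db() -> sqlite3.Connection:
    """AFTER: salted hashes instead of plaintext; every statement is parameterized."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, is_admin INTEGER)")
    for user_id, password, is_admin in ACCOUNTS:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                     (user_id, salt, hash_password(password, salt), is_admin))
    return conn


def login_hardened(conn: sqlite3.Connection, user_id: str, password: str):
    """AFTER: the driver binds user_id as a value, and the password is checked
    in code with a constant-time comparison rather than inside the SQL."""
    row = conn.execute(
        "SELECT salt, pw_hash, is_admin FROM users WHERE user_id = ?", (user_id,)).fetchone()
    if row is None:
        return None
    salt, stored, is_admin = row
    if not hmac.compare_digest(stored, hash_password(password, salt)):
        return None
    return (user_id, is_admin)


def probe_single_quote(login, conn: sqlite3.Connection) -> str:
    """The single-quote check from the Red Team's Phase 2 Analyze slide, seen
    from the defender's side: 'sql_error' means the database choked on a broken
    statement (the tell-tale sign that slide relies on), 'rejected' means the
    quote was simply treated as a wrong password."""
    try:
        result = login(conn, "owner", "'")
    except sqlite3.OperationalError:
        return "sql_error"
    return "granted" if result else "rejected"


if __name__ == "__main__":
    legacy, hardened = build_legacy_db(), build_hardened_db()
    print("legacy  :", probe_single_quote(login_vulnerable, legacy))   # sql_error
    print("hardened:", probe_single_quote(login_hardened, hardened))   # rejected
```

The same probe that produces a database error against the legacy query is just a failed login against the parameterized one, which is the difference the slide's Medium-to-Low risk change describes.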
44 Red Team: Phase 3 (Evasion)
I: Target hidden directories and files
A: Evade signature-based detection and scan for application backdoors
C: Access the test admin functionality without authenticating
M: Create ghost account for system owner
45 Analyze
Risk Level: Medium
Use SensePost Wikto to identify backdoors [screenshot]. Conclusion: Back-door may lead to admin functionality.
46 Control & Maintain
Risk Level: High
Exploit discovered development access to admin functionality [screenshot].
Maintain: Create ghost account similar to the owner's name.
47 Blue Team: Phase 3 (Detection)
I: Focus on web activity
A: Review logs for problems or malicious activity
C: Clean up production environment and disable ghost account
M: Prevent external access to all admin functionality and only access admin functions locally
48 Analyze
Risk Level: High
Web server log files: increased file size and activity [screenshot]. Conclusion: Web server scanning discovered a back-door exposing admin functionality (again).
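The log review this slide describes, as an added example (not from the presentation): a small detection pass over a constructed IIS W3C extended log that flags the 404 burst a directory scan leaves behind, successful admin-path hits from outside the management network, and the single-quote probe from Phase 2. The management network range, admin path prefixes and 404 threshold are assumed policy values, and the addresses and paths in the sample are placeholders, not Hacme Bank's.

```python
"""Added example (not from the presentation): a small detection pass over IIS
W3C extended log lines, the kind of review the Blue Team's Phase 3 describes."""
import ipaddress
from collections import Counter
from urllib.parse import unquote

# Constructed sample log in IIS W3C extended format. Server and client addresses
# come from RFC 1918 / RFC 5737 ranges and the paths are placeholders, not Hacme Bank's.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-09-16 10:00:01 10.0.0.5 GET /bank/Login.aspx - 80 - 203.0.113.7 Mozilla/4.0 200 0 0
2009-09-16 10:00:02 10.0.0.5 POST /bank/Login.aspx - 80 - 203.0.113.7 Mozilla/4.0 302 0 0
2009-09-16 10:01:10 10.0.0.5 GET /bank/Login.aspx username=owner%27 80 - 203.0.113.9 Mozilla/4.0 500 0 0
2009-09-16 10:05:00 10.0.0.5 GET /backup/ - 80 - 203.0.113.9 Scanner/1.0 404 0 2
2009-09-16 10:05:00 10.0.0.5 GET /old/ - 80 - 203.0.113.9 Scanner/1.0 404 0 2
2009-09-16 10:05:01 10.0.0.5 GET /dev/ - 80 - 203.0.113.9 Scanner/1.0 404 0 2
2009-09-16 10:05:01 10.0.0.5 GET /bank/test.aspx - 80 - 203.0.113.9 Scanner/1.0 404 0 2
2009-09-16 10:05:02 10.0.0.5 GET /bank/debug/ - 80 - 203.0.113.9 Scanner/1.0 404 0 2
2009-09-16 10:05:03 10.0.0.5 GET /bank/admin/ - 80 - 203.0.113.9 Scanner/1.0 200 0 0
2009-09-16 10:06:00 10.0.0.5 GET /bank/admin/ - 80 - 10.0.0.20 Mozilla/4.0 200 0 0
2009-09-16 10:07:00 10.0.0.5 GET /bank/missing.gif - 80 - 203.0.113.7 Mozilla/4.0 404 0 2
"""

# Assumed policy values: the management network that may reach admin pages, the
# admin/dev path prefixes, and how many 404s from one client count as scanning.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ADMIN_PREFIXES = ("/bank/admin/", "/bank/test/")
SCAN_404_THRESHOLD = 5


def parse_iis_log(text):
    """Return one dict per request line, keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip malformed lines rather than guess at columns
        records.append(dict(zip(fields, values)))
    return records


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_scanners(records, threshold=SCAN_404_THRESHOLD):
    """Clients with a burst of 404s: the 'increased file size and activity' the
    Blue Team noticed is what a directory/backdoor scan looks like in the log."""
    misses = Counter(r["c-ip"] for r in records if r["sc-status"] == "404")
    return {ip: n for ip, n in misses.items() if n >= threshold}


def find_external_admin_access(records):
    """Successful hits on admin/dev paths from outside the management network,
    i.e. the policy 'admin functions are only accessed locally' being violated."""
    return [(r["c-ip"], r["cs-uri-stem"]) for r in records
            if r["cs-uri-stem"].startswith(ADMIN_PREFIXES)
            and r["sc-status"].startswith("2") and not is_internal(r["c-ip"])]


def find_quote_probes(records):
    """Requests whose query string carries a single quote (IIS logs it URL-encoded),
    the Phase 2 probe; a 500 alongside it suggests the input reached the query."""
    return [(r["c-ip"], r["cs-uri-stem"], r["sc-status"]) for r in records
            if "'" in unquote(r["cs-uri-query"])]


def review(text):
    """One report dict a Blue Team analyst can act on."""
    records = parse_iis_log(text)
    return {"scanners": find_scanners(records),
            "external_admin": find_external_admin_access(records),
            "quote_probes": find_quote_probes(records)}


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```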
49 Control & Maintain
Remove development back-door and ghost account [screenshot].
Maintain: Prevent unauthorized access to admin tools; use WebKnight to filter on the URL.
Risk Level: Low
50 Maintain
Risk Level: Low
...and retain local admin functionality [screenshot].
51 Red Team: Phase 4 (Corruption)
I: Identify other opportunities to access back-end data by reviewing details of previous error messages
A: Test access to XML forms
C: Use WebService to transfer funds
M: Re-enable attacker account
52 Analyze
Risk Level: Low
Identify other, non-application opportunities to access the data (captured previously) [screenshot].
53 Analyze
Risk Level: Medium
Test available methods [screenshot]. Conclusion: The lookup-by-userid method is not restricted.
54 Control
Risk Level: Medium
Use the SoapUI tool to generate a request [screenshot].
55 Control
Risk Level: Medium
Acquire account number using the GetUserAccounts method [screenshot].
56 Control
Risk Level: Medium
Determine system owner's account balance [screenshot].
57 Control & Maintain
Risk Level: High
Transfer funds [screenshot].
Maintain: Use WebService to re-enable attacker account.
58 Blue Team: Phase 4 (Assurance)
I: Focus on transaction activity
A: Identify significant banking activity and look for errors
C: Correct unauthorized account transfers, remove offending account
M: Implement authorization between the web application and the WebService
59 Analyze
Risk Level: High
Identify significant banking activity and account balance discrepancy [screenshot]. Conclusion: An internal WebService exposed externally is allowing unauthorized and unauthenticated access.
60 Control & Maintain
Risk Level: Low
Audit all account activity and reverse unauthorized transactions. Implement manual approval control for large on-line transfers. Restrict the WebService to internal IP addresses only.
Maintain: Implement authentication between the calling application (Hacme Bank) and the web service.
61 Wrap-Up
62 Wrap-Up
Design security controls with the attacker's perspective in mind (and vice versa).
Be proactive in the implementation of phased controls.
Validate your controls through Ethical Hacking to ensure effectiveness.
Balance your enterprise security using a risk-based framework (FoRMA) that is focused on supporting business objectives.
63 Questions?
Feedback & Comments are welcome. Contact information:
64 Tools (downloadable, non-commercial)
Foundstone HacmeBank
Paros
SensePost Wikto
SoapUI
SQL Express Profiler
WebKnight
65 References (*)
Control Objectives for IT and Related Technology (COBIT), trademarked by the IT Governance Institute (ITGI).
Open System Interconnection (OSI) reference model, developed by the International Organization for Standardization (ISO) in 1984, and now considered the primary architectural model for intercomputer communications.
STRIDE Threat Model, conceived, built upon, and evangelized at Microsoft by Loren Kohnfelder, Praerit Garg, Jason Garms, and Michael Howard. Explained further in Writing Secure Code, 2nd Ed. (ISBN ), pages .
CIA Security Model, author unknown, taught as part of the Common Body of Knowledge for the CISSP curriculum.
APAIN, acronym for Security Architecture, developed by Curtis Coleman.
RIVET, acronym for Security Management, developed by Kris Kahn.
Failure Mode and Effects Analysis (FMEA) evolved as a process tool used by the United States military as early as 1949 and is currently part of the Six Sigma curriculum.
Capability Maturity Model (CMM) is a trademark of Carnegie Mellon University.
More informationthe SWIFT Customer Security
TECH BRIEF Mapping BeyondTrust Solutions to the SWIFT Customer Security Controls Framework Privileged Access Management and Vulnerability Management Table of ContentsTable of Contents... 2 Purpose of This
More informationCyber Protections: First Step, Risk Assessment
Cyber Protections: First Step, Risk Assessment Presentation to: Presented to: Mark LaVigne, Deputy Director NYSAC November 21, 2017 500 Avery Lane Rome, NY 13441 315.338.5818 www.nystec.com In this presentation
More informationCyber Risks in the Boardroom Conference
Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks
More informationAn ICS Whitepaper Choosing the Right Security Assessment
Security Assessment Navigating the various types of Security Assessments and selecting an IT security service provider can be a daunting task; however, it does not have to be. Understanding the available
More informationW e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s
W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s Session I of III JD Nir, Security Analyst Why is this important? ISE Proprietary Agenda About ISE Web Applications
More informationExpress Monitoring 2019
Express Monitoring 2019 WHY CHOOSE PT EXPRESS MONITORING PT Express Monitoring provides a quick evaluation of the current signaling network protection level. This service helps to discover critical vulnerabilities
More informationComprehensive Database Security
Comprehensive Database Security Safeguard against internal and external threats In today s enterprises, databases house some of the most highly sensitive, tightly regulated data the very data that is sought
More informationProvide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any
OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing
More informationWeb Application Penetration Testing
Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate
More informationAguascalientes Local Chapter. Kickoff
Aguascalientes Local Chapter Kickoff juan.gama@owasp.org About Us Chapter Leader Juan Gama Application Security Engineer @ Aspect Security 9+ years in Appsec, Testing, Development Maintainer of OWASP Benchmark
More informationVULNERABILITY ASSESSMENT: SYSTEM AND NETWORK PENETRATION TESTING. Presented by: John O. Adeika Student ID:
VULNERABILITY ASSESSMENT: SYSTEM AND NETWORK PENETRATION TESTING. Presented by: John O. Adeika Student ID: 000205600 What is Penetration A penetration test, is a method of evaluating the security of a
More informationAdvanced Security Tester Course Outline
Advanced Security Tester Course Outline General Description This course provides test engineers with advanced skills in security test analysis, design, and execution. In a hands-on, interactive fashion,
More informationBUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE
BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE 1 WHAT IS YOUR SITUATION? Excel spreadsheets Manually intensive Too many competing priorities Lack of effective reporting Too many consultants Not
More informationCCISO Blueprint v1. EC-Council
CCISO Blueprint v1 EC-Council Categories Topics Covered Weightage 1. Governance (Policy, Legal, & Compliance) & Risk Management 1.1 Define, implement, manage and maintain an information security governance
More informationSecurity In A Box. Modular Security Services Offering - BFSI. A new concept to Security Services Delivery.
Modular Security Services Offering - BFSI Security In A Box A new concept to Security Services Delivery. 2017 Skillmine Technology Consulting Pvt. Ltd. The information in this document is the property
More informationWhat every IT professional needs to know about penetration tests
What every IT professional needs to know about penetration tests 24 th April, 2014 Geraint Williams IT Governance Ltd www.itgovernance.co.uk Overview So what do IT Professionals need to know about penetration
More informationFundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring
Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring Learning Objective Explain the importance of security audits, testing, and monitoring to effective security policy.
More informationSECURITY TRAINING SECURITY TRAINING
SECURITY TRAINING SECURITY TRAINING Addressing software security effectively means applying a framework of focused activities throughout the software lifecycle in addition to implementing sundry security
More informationComputer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks
Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition Chapter 3 Investigating Web Attacks Objectives After completing this chapter, you should be able to: Recognize the indications
More informationCurso: Ethical Hacking and Countermeasures
Curso: Ethical Hacking and Countermeasures Module 1: Introduction to Ethical Hacking Who is a Hacker? Essential Terminologies Effects of Hacking Effects of Hacking on Business Elements of Information Security
More informationAttackers Process. Compromise the Root of the Domain Network: Active Directory
Attackers Process Compromise the Root of the Domain Network: Active Directory BACKDOORS STEAL CREDENTIALS MOVE LATERALLY MAINTAIN PRESENCE PREVENTION SOLUTIONS INITIAL RECON INITIAL COMPROMISE ESTABLISH
More informationCyber Security Program
Cyber Security Program Cyber Security Program Goals and Objectives Goals Provide comprehensive Security Education and Awareness to the University community Build trust with the University community by
More informationFFIEC Cyber Security Assessment Tool. Overview and Key Considerations
FFIEC Cyber Security Assessment Tool Overview and Key Considerations Overview of FFIEC Cybersecurity Assessment Tool Agenda Overview of assessment tool Review inherent risk profile categories Review domain
More informationA (sample) computerized system for publishing the daily currency exchange rates
A (sample) computerized system for publishing the daily currency exchange rates The Treasury Department has constructed a computerized system that publishes the daily exchange rates of the local currency
More informationIMEC Cybersecurity for Manufacturers Penetration Testing and Top 10
IMEC Cybersecurity for Manufacturers Penetration Testing and Top 10 Christian Espinosa, Alpine Security www.alpinesecurity.com 1 Objectives Learn about penetration testing Learn what to consider when selecting
More informationCybersecurity The Evolving Landscape
Cybersecurity The Evolving Landscape 1 Presenter Zach Shelton, CISA Principal DHG IT Advisory Zach.Shelton@DHG.com Raleigh, NC 14+ years of experience in IT Consulting 11+ years of experience with DHG
More informationSecurity Audit What Why
What A systematic, measurable technical assessment of how the organization's security policy is employed at a specific site Physical configuration, environment, software, information handling processes,
More informationISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002
ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION
More informationNCUA IT Exam Focus. By Tom Schauer, Principal CliftonLarsonAllen
NCUA IT Exam Focus By Tom Schauer, Principal CliftonLarsonAllen My Background and Experience Computer Science Degree - Puget Sound Information Security Professional for 30 years Consultant: Ernst & Young,
More informationCopyright
1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?
More informationSDR Guide to Complete the SDR
I. General Information You must list the Yale Servers & if Virtual their host Business Associate Agreement (BAA ) in place. Required for the new HIPAA rules Contract questions are critical if using 3 Lock
More informationNew Jersey Association of School Business Officials Information Security K-12. June 5, 2014
New Jersey Association of School Business Officials Information Security K-12 June 5, 2014 Agenda Introduction K 12 Technology Trends Case Study (A Cautionary Tale) What Constitutes a Data Breach Data
More informationSneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security
Sneak Peak at CIS Critical Security Controls V 7 Release Date: March 2018 2017 Presented by Kelli Tarala Principal Consultant Enclave Security 2 Standards and Frameworks 3 Information Assurance Frameworks
More informationCertified Ethical Hacker V9
Certified Ethical Hacker V9 Certificate: Certified Ethical Hacker Duration: 5 Days Course Delivery: Blended Course Description: Accreditor: EC Council Language: English This is the world s most advanced
More information