CYBERSECURITY PENETRATION TESTING - INTRODUCTION
|
|
- Gervase Murphy
- 5 years ago
- Views:
Transcription
1 CYBERSECURITY PENETRATION TESTING - INTRODUCTION
2 Introduction Pen-testing 101 University Focus Our Environment Openness and learning Sharing and collaboration Leads to Security Weaknesses
3 What is Penetration Testing?
4 What Is Penetration Testing?
5 Why do Penetration Testing?
6 Attacker Profiles
7 Script Kiddies (Minor)
8 Hacker Group (Minor)
9 Criminal Organization (Major)
10 Patriot Hacking (Major)
11 Nation State Cyber Terrorism (Major)
12 Hacktivist(Moderate)
13 Hacktivist / Criminals? (Moderate)
14 Black Hat Professional (Moderate)
15 Vulnerability Assessment / Penetration Testing
16 Vulnerability Testing / Assessment
17 Vulnerability Testing / Assessment
18 Penetration Testing
19 Vulnerability Assessment NOT = Penetration Testing
20 Types of Penetration Tests
21 Types of Penetration Tests
22 Whitelisting
23 Penetration Testing
24 Reconnaissance
25 Reconnaisance What is available out there about you. csoe Intended / developed for Humor In part two. Less benign samples
26 Scanning
27 Gaining Access
28 Maintaining Access
29 Clearing Tracks
30 CYBERSECURITY PENETRATION TESTING EXPERIENCE CONFIDENTIAL
31 Agenda RFP Phase 1 (Assessment) Results Phase 2 (Penetration) Results Where do we go from here?
32 RFP Phase Penetration Testing at UVic Approach Phases Lessons
33 Penetration Testing at UVic Why Internal Audit? Client: Audit Committee Scope: University Wide/Multi-Jurisdiction
34 Approach RFP for Specialists Defined Attacker Profile (Moderate) Double Blind / Black Box / Remote Contracted Specialists Phase 1 - Vulnerability Assessment (inc. Social Engineering) Phase 2 - Penetration Testing
35 Phases Phase 1: Using a double-blind / black box approach, the proponent will employ all possible non-disruptive and non-destructive means of identifying vulnerabilities in the UVic environment that would allow penetration past UVic s defences (information security and cultural) and allow an attacker to gain access to the core financial systems and/or personal (employee, student, or member of the public) information. Interlude Phase 2: Within a defined scope, the proponent will perform an ethical (white hat) hack to perform a minimal disruption and non-destructive penetration with the objective of gaining evidence of access to core financial systems and/or employee, student or member of the public personal information
36 Select an Attacker Profile Establishes scope and context for RFP Defines how communications regarding the project will be handled Allows nature and extent of vulnerability scans and tests to be defined Establishes scope and context for assessing and reporting results
37 Be Very Specific in Your RFP Due to potential legal concerns with inadvertently scanning non-uvic information resources a number of proponents declined to submit responses or failed to meet selection criteria in this respect
38 Set Clear Rules of Engagement Vulnerability scanning can break systems or cause unexpected problems Rules of Engagement: What can be touched and what cannot Inside or outside Business Hours Who to contact when things go wrong
39 Involve Information Security Trusted IT Staff Member Part of the Audit Team A team member who Knows what we are likely to break Knows who we might need to inform Is supportive of the testing Is able to stick handle Can tell us if we broke something
40 Phase 1 (Assessment) Social Engineering Whitelisted Vulnerability Scanning Perimeter Defense Testing Lessons, Lessons, and More Lessons
41 Phishing
42 Common Phishing Example
43 Social Engineering
44 Social Engineering
45 Social Engineering Results 4 hours 838 phishing s sent 99 viewed, 49 responded nn sets of valid credentials obtained 1 unreported download of a Trojan Horse *** nn% compromise rate Statistically, not a great Detected/reported within minutes Shut down within a few hours
46 Trust Your Penetration Tester Do a thorough background check Select a trusted vendor Because they may gain access
47 Whitelisted Vulnerability Scanning Not feasible to scan every IP on network 3,000+ IP s targeted Assets of high value Assets of low awareness/visibility Representative Sample Whitelisted attacker Avoided assets where disruption would have a high negative impact
48 Vulnerability Scanning Results 3,260 Systems, 1000 top attack vectors 323 (10%) had vulnerabilities. Risk = Vulnerability (likelihood) Consultant report Consequences (impact) our analysis False Positives
49 Do or Don t: Whitelisting? Attackers wouldn t be whitelisted Moderate attackers would attack from behind the perimeter defence Or use Stealth to circumvent detection And actually don t do vulnerability scans
50 Perimeter Defense Testing Four series of Tests, no Whitelisting Payload Detection Needle in a Haystack Everything Plus the Kitchen Sink Lost in the Crowd Proved that the firewall doing its job Which is great against minor attackers
51 Do or Don t: Stealth Scanning? A stealth (detection avoidance) approach to vulnerability assessment carries significant cost implications and an undesirable engagement duration and is not how an attacker in our moderate range tends to attack the organization
52 Do or Don t: Stealth Scanning? There were benefits to whitelisted scanning (patch management validation) but it didn t prove much. Stealth scanning passes perimeter defences And interestingly finds new things
53 Other Test Elements Detection and Reporting of Security Incidents Effectiveness and Efficiency of Responding to a cyberattack Weaknesses in distributed (self managed) systems
54 Distinguish Between Scanning and Assessment Scanning is well. Scanning; seeing if ports respond Assessment is testing to see if a potential vulnerability is responsive We upset people with our terminology!
55 Involve General Counsel Because sometimes well intentioned internal staff take matters into their own hands in somewhat unexpected ways Even when policy and procedures would lead us to believe they would act in a different way
56 Be Prepared for Minor Disruption Unexpected disruptions occur during vulnerability assessments As staff react to these as security incidents, communication is needed to calm down the situation Such communications should be drafted in advance
57 Be Prepared for Mea Culpa In a partly distributed, multi-jurisdictional IT environment It s important to accept ownership for the impact of the engagement And get all fingers pointing squarely at us
58 Assess Organizational Responses It s not just about the technical vulnerabilities It s an opportunity to see how the organization reacts to unexpected events And potentially identify some areas for improvement
59 Look at Response Mechanisms Originally we just wanted to see if we were vulnerable but assessing organizational reaction and response was actually more interesting - Social Engineering - Incident Response and Internal Communication - Incident Attribution
60 Inform Staff of Perimeter Testing For additional testing of perimeter defences Tell people when testing will start and when testing will end Just in case a real attack happens at the same time
61 Involve System/Business Owners in Risk Evaluation Technical vulnerability does not = business risk you need to assess the real business impact risk. Fixing vulnerabilities will be an organizational / unit exercise
62 Share What You Learn Keep track of learnings for any future engagements and Share internally Share externally
63 Safeguard Findings Even When Reporting When discussing vulnerabilities in a multijurisdictional environment principle of least privilege applies It takes a swack of effort to only tell people about their systems perhaps we could have outsourced this a bit better
64 Keep Vulnerability Reporting Relevant Do not waste (anyone s) time and effort on low risk vulnerabilities and especially on informational items After going to the extent of testing rather than scanning, potential false positives were not helpful they were just annoying Exclude items with no appreciable risk factor or no solution.
65 Recognize You Can t Win Even when you tell people what s going on they may not believe you and auditors are scary people no matter what we do to try and generally people don t know we exist or what we do anyway
66 Put a Non-technical Wrapper Around the Technical Details Vulnerability scans are not the sorts of things most people can read or want to read vulnerabilities need context the why do I care factor And we wanted Board clarity but also educational awareness
67 Perform Follow-up Testing A Vulnerability Test in not a one-time event Ensure remediation is effective Look for new vulnerabilities The Auditors Mantra: Trust, but Validate
68 Phase 2 (Penetration) Social Engineering Check (Phase 1) Vulnerability Mitigation Validation Privilege Escalation SpearPhishing More Lessons
69 Engagement Differences Technical Components Vulnerability Mitigation Validation Privilege Escalation People Components Social Engineering Check SpearPhishing
70 Social Engineering Check From our original compromised accounts, some were still active in the UVic Domain Did they change their passwords like we requested? Surprise Some Didn t
71 Vulnerability Mitigation Validation Retested 26 of the highest risk hosts from Phase 1 Undertook stealth scanning and found even more issues than when whitelisted Tried to exploit vulnerabilities Nothing to Report
72 Privilege Escalation
73 Privilege Escalation Created an isolated target desktop Activated the compromise Attacker tried to compromise desktop standard protection Nothing to Report
74 SpearPhishing
75 SpearPhishing
76 Reconnaisance 9iC9I After Questions. A bit more far fetched?
77 SpearPhishing Exercise The Target (image deleted)
78 SpearPhishing Exercise
79 SpearPhishing Exercise
80 SpearPhishing Exercise
81 SpearPhishing Exercise The Target (sorry, image still deleted)
82 SpearPhishing Results Targets were Institution Leaders nn hours 90 SpearPhishing s sent nn responded nn submitted credentials nn submitted valid credentials 1 person not on our list gave credentials nn% compromise rate
83 Sacred Cows Displeasure with Internal Audit Perfect example of real SpearPhishing Phishing Not = SpearPhishing Are some organizational elements untouchable?
84 The Weakest Link
85 The Weakest Link
86 Low Cost Technical Solution
87 Multi-Factor Authentication (MFA)
88 Where Do We Go From Here? Our IT department is trying to setup proactive phishing training and awareness processes We may roll out MFA to key users Internal Audit future involvement in Penetration Testing
89 As Promised The Sequel id=annotation_202513&feature=iv&src_vid= F7pYHN9iC9I&v=Rn4Rupla11M
90 Questions 8 Minutes for Questions
IMEC Cybersecurity for Manufacturers Penetration Testing and Top 10
IMEC Cybersecurity for Manufacturers Penetration Testing and Top 10 Christian Espinosa, Alpine Security www.alpinesecurity.com 1 Objectives Learn about penetration testing Learn what to consider when selecting
More informationCyber Security. Building and assuring defence in depth
Cyber Security Building and assuring defence in depth The Cyber Challenge Understanding the challenge We live in an inter-connected world that brings a wealth of information to our finger tips at the speed
More informationCYBER SECURITY AND MITIGATING RISKS
CYBER SECURITY AND MITIGATING RISKS 01 WHO Tom Stewart Associate Director Technology Consulting Chicago Technical Security Leader Protiviti Slides PRESENTATION AGENDA 3 START HACKING DEFINITION BRIEF HISTORY
More informationFundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring
Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring Learning Objective Explain the importance of security audits, testing, and monitoring to effective security policy.
More informationIntroduction to Ethical Hacking. Chapter 1
Introduction to Ethical Hacking Chapter 1 Definition of a Penetration Tester Sometimes called ethical hackers though label is less preferred Pen testers are: People who assess security of a target Specially
More information10 Cybersecurity Questions for Bank CEOs and the Board of Directors
4 th Annual UBA Bank Executive Winter Conference February, 2015 10 Cybersecurity Questions for Bank CEOs and the Board of Directors Dr. Kevin Streff Founder, Secure Banking Solutions 1 Board of Directors
More informationDepartment of Management Services REQUEST FOR INFORMATION
RESPONSE TO Department of Management Services REQUEST FOR INFORMATION Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services September 3, 2015 250 South President
More informationCITADEL INFORMATION GROUP, INC.
CITADEL INFORMATION GROUP, INC. The Role of the Information Security Assessment in a SAS 99 Audit Stan Stahl, Ph.D. President Citadel Information Group, Inc. The auditor has a responsibility to plan and
More informationPenetration Testing and Team Overview
ATO Trusted Access Penetration Testing and Team Overview PRESENTED BY Name: Len Kleinman Director ATO Trusted Access Australian Taxation Office 18 May 2011 What is Vulnerability Management? The on-going
More informationICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)
ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update) June 2017 INSERT YEAR HERE Contact Information: Jeremy Dalpiaz AVP, Cyber and Data Security Policy Jeremy.Dalpiaz@icba.org ICBA Summary
More informationInformation Security Controls Policy
Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January
More informationPenetration Testing! The Nitty Gritty. Jeremy Conway Partner/CTO
Penetration Testing! The Nitty Gritty Jeremy Conway Partner/CTO Before I Start What qualifies me to speak about this? It s all important and relevant! Brief History The Past! US Active Army DoD Contractor
More informationCyberSecurity. Penetration Testing. Penetration Testing. Contact one of our specialists for more information CYBERSECURITY SERVICE DATASHEET
DATASHEET Gavin, Technical Director Ensures Penetration Testing Quality CyberSecurity Penetration Testing CHESS CYBERSECURITY CREST-ACCREDITED PEN TESTS PROVIDE A COMPREHENSIVE REVIEW OF YOUR ORGANISATION
More informationTechnology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited
Technology Risk Management in Banking Industry Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Change in Threat Landscape 2 Problem & Threats faced by Banking Industry
More informationCyber security reviews and the benefits MM-CS-CSR-01
Cyber security reviews and the benefits INDEX Introduction Demystifying the subject Why do it? Things to get straight first The Cons of a penetration test Testing Testing from all angles Test types 5 Steps
More informationCSIRT in general CSIRT Service Categories Reactive Services Proactive services Security Quality Management Services CSIRT. Brmlab, hackerspace Prague
Brmlab, hackerspace Prague Lightning talks, November 2016 in general in general WTF is an? in general WTF is an? Computer Security in general WTF is an? Computer Security Incident Response in general WTF
More informationCybersecurity Today Avoid Becoming a News Headline
Cybersecurity Today 2017 Avoid Becoming a News Headline Topics Making News Notable Incidents Current State of Affairs Common Points of Failure Three Quick Wins How to Prepare for and Respond to Cybersecurity
More informationTake Risks in Life, Not with Your Security
Take Risks in Life, Not with Your Security Redefining Cybersecurity Why We re Here agio.com Agenda The Problem(s): Threat Landscape Current Threat Landscape People are the Problem Protect Yourself Solutions
More informationhidden vulnerabilities
hidden vulnerabilities industrial networks in 30 minutes Cyber Security introduction Frank Kemeling Certified Ethical Hacker [CEH] EC-Council Certified Security Analyst [ESCA] Licensed Penetration Tester
More informationMay 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations
May 14, 2018 1:30PM to 2:30PM CST In Plain English: Cybersecurity and IT Exam Expectations Options to Join Webinar and audio Click on the link: https://www.webcaster4.com/webcast/page/584/24606 Choose
More informationSecurity. Protect your business from security threats with Pearl Technology. The Connection That Matters Most
Security Protect your business from security threats with Pearl Technology The Connection That Matters Most Committed to Your Future When it comes to your business, security can mean many things. But to
More informationCyber Risk in the Marine Transportation System
Cyber Risk in the Marine Transportation System Cubic Global Defense MAR'01 1 Cubic.com/Global-Defense/National-Security 1 Cubic Global Defense Global Security Team Capabilities Program Management Integration
More informationManaging an Active Incident Response Case. Paul Underwood, COO
Managing an Active Incident Response Case Paul Underwood, COO 2 About Us Paul Underwood - COO Emagined Security is a leading professional services firm for Information Security, Privacy & Compliance solutions.
More informationChoosing the Right Security Assessment
A Red Team Whitepaper Choosing the Right Security Navigating the various types of Security s and selecting an IT security service provider can be a daunting task; however, it does not have to be. Understanding
More informationCybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016
Cybersecurity: Considerations for Internal Audit Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016 Agenda Key Risks Incorporating Internal Audit Resources Questions 2 San Francisco
More informationCyber Security Program
Cyber Security Program Cyber Security Program Goals and Objectives Goals Provide comprehensive Security Education and Awareness to the University community Build trust with the University community by
More informationCyber Liability Preventive Services & Tools Specific & Pre-Emptive Considerations BEFORE the Inevitable Cyber Event.
1 Cyber Liability Preventive Services & Tools Specific & Pre-Emptive Considerations BEFORE the Inevitable Cyber Event January 18, 2018 2 Today s Panel: Adam Cottini, Moderator Managing Director, Cyber
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.7)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided
More informationVulnerability Assessments and Penetration Testing
CYBERSECURITY Vulnerability Assessments and Penetration Testing A guide to understanding vulnerability assessments and penetration tests. OVERVIEW When organizations begin developing a strategy to analyze
More informationMitigating Risk with Ongoing Cybersecurity Risk Assessment. Scott Moser CISO Caesars Entertainment
Mitigating Risk with Ongoing Cybersecurity Risk Assessment Scott Moser CISO Caesars Entertainment CSO50 Presentation Caesars Entertainment Cybersecurity Risk Management Scott Moser Chief Information Security
More informationCybersecurity Risk Mitigation: Protect Your Member Data. Introduction
Cybersecurity Risk Mitigation: Protect Your Member Data Presented by Matt Mitchell, CISSP Knowledge Consulting Group Introduction Matt Mitchell- Director Risk Assurance 17 years information security experience
More informationDHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1
Addressing the Evolving Cybersecurity Tom Tollerton, CISSP, CISA, PCI QSA Manager Cybersecurity Advisory Services DHG presenter Tom Tollerton, Manager DHG IT Advisory 704.367.7061 tom.tollerton@dhgllp.com
More informationNORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers
Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.
More informationSTUDENT LEARNING OUTCOMES Beacom College of Computer and Cyber Sciences
STUDENT LEARNING OUTCOMES Beacom College of Computer and Cyber Sciences Undergraduate Programs - Bachelor B.S. Computer Game Design Upon completion of the B.S. degree in Computer Game Design, students
More informationSession 5311 Critical Testing Programs for Security Operations
Session 5311 Critical Testing Programs for Security Operations Introduction Neil Lakomiak UL Rodney Thayer Smithee Spelvin Agnew & Plinge, Inc. Coleman Wolf Environmental Systems Design, Inc. Testing Programs
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationKaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services. #truecybersecurity
Kaspersky Enterprise Cybersecurity Kaspersky Security Assessment Services www.kaspersky.com #truecybersecurity Security Assessment Services Security Assessment Services from Kaspersky Lab. the services
More informationHow Breaches Really Happen
How Breaches Really Happen www.10dsecurity.com About Dedicated Information Security Firm Clients Nationwide, primarily in financial industry Services Penetration Testing Social Engineering Vulnerability
More informationQuickBooks Online Security White Paper July 2017
QuickBooks Online Security White Paper July 2017 Page 1 of 6 Introduction At Intuit QuickBooks Online (QBO), we consider the security of your information as well as your customers and employees data a
More informationAn ICS Whitepaper Choosing the Right Security Assessment
Security Assessment Navigating the various types of Security Assessments and selecting an IT security service provider can be a daunting task; however, it does not have to be. Understanding the available
More informationTiger Scheme QST/CTM Standard
Tiger Scheme QST/CTM Standard Title Tiger Scheme Qualified Security Tester Team Member Standard Version 1.2 Status Public Release Date 21 st June 2011 Author Professor Andrew Blyth (Tiger Technical Panel)
More informationCybersecurity Panel: Cutting through Cybersecurity Hype with Practical Tips to Protect your Bank
Cybersecurity Panel: Cutting through Cybersecurity Hype with Practical Tips to Protect your Bank NJ Bankers Association Annual Convention May 19, 2017 Presented by: Jeremy Burris, Principal, S.R. Snodgrass,
More informationThe Eight Rules of Security
The Eight Rules of Security The components of every security decision. Understanding and applying these rules builds a foundation for creating strong and formal practices through which we can make intelligent
More informationTransforming Security from Defense in Depth to Comprehensive Security Assurance
Transforming Security from Defense in Depth to Comprehensive Security Assurance February 28, 2016 Revision #3 Table of Contents Introduction... 3 The problem: defense in depth is not working... 3 The new
More informationINFORMATION SECURITY-SECURITY INCIDENT RESPONSE
Information Technology Services Administrative Regulation ITS-AR-1506 INFORMATION SECURITY-SECURITY INCIDENT RESPONSE 1.0 Purpose and Scope The purpose of the Security Response Administrative Regulation
More informationPresented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0
Cyber Security and Inside Threats: Turning Policies into Practices Presented by Ingrid Fredeen and Pamela Passman Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0 Presented By Ingrid Fredeen, J.D.
More informationCCISO Blueprint v1. EC-Council
CCISO Blueprint v1 EC-Council Categories Topics Covered Weightage 1. Governance (Policy, Legal, & Compliance) & Risk Management 1.1 Define, implement, manage and maintain an information security governance
More informationHeavy Vehicle Cyber Security Bulletin
Heavy Vehicle Cyber Security Update National Motor Freight Traffic Association, Inc. 1001 North Fairfax Street, Suite 600 Alexandria, VA 22314 (703) 838-1810 Heavy Vehicle Cyber Security Bulletin Bulletin
More informationChapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS
Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS The Saskatchewan Power Corporation (SaskPower) is the principal supplier of power in Saskatchewan with its mission to deliver power
More informationThe Cyber War on Small Business
The Cyber War on Small Business Dillon Behr Executive Lines Broker Risk Placement Services, Inc. Meet Our Speaker Dillon Behr Executive Lines Broker Risk Placement Services, Inc. Previously worked as Cyber
More informationEducation Network Security
Education Network Security RECOMMENDATIONS CHECKLIST Learn INSTITUTE Education Network Security Recommendations Checklist This checklist is designed to assist in a quick review of your K-12 district or
More information"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary
Course Summary Description In this course, you will perform evaluations of organizational policies, procedures, and processes to ensure that an organization's information systems align with overall business
More informationEliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat
WHITE PAPER Eliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat Executive Summary Unfortunately, it s a foregone conclusion that no organisation is 100 percent safe
More informationAn Operational Cyber Security Perspective on Emerging Challenges. Michael Misumi CIO Johns Hopkins University Applied Physics Lab (JHU/APL)
An Operational Cyber Security Perspective on Emerging Challenges Michael Misumi CIO Johns Hopkins University Applied Physics Lab (JHU/APL) Johns Hopkins University Applied Physics Lab (JHU/APL) University
More informationChecklist: Credit Union Information Security and Privacy Policies
Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC
More informationANATOMY OF AN ATTACK!
ANATOMY OF AN ATTACK! Are Your Crown Jewels Safe? Dom Kapac, Security Evangelist WHAT DO WE MEAN BY CROWN JEWELS? Crown jewels for most organizations are critical infrastructure and data Data is a valuable
More informationOA Cyber Security Plan FY 2018 (Abridged)
OA Cyber Security Plan FY 2018 (Abridged) 1 Table of Contents Vision... 3 Goals, Strategies, and Tactics... 5 Goal #1: Create a Culture that Fosters the Adoption of Cyber Security Best Practices... 5 1.1
More informationMission: Continuity BUILDING RESILIENCE AGAINST UNPLANNED SERVICE INTERRUPTIONS
Mission: Continuity BUILDING RESILIENCE AGAINST UNPLANNED SERVICE INTERRUPTIONS Stephanie Poe, DNP, RN-BC CNIO, The Johns Hopkins Hospital and Health System Discussion Topics The Age of Acceleration Cyber
More information2017 Annual Meeting of Members and Board of Directors Meeting
2017 Annual Meeting of Members and Board of Directors Meeting Dan Domagala; "Cybersecurity: An 8-Point Checklist for Protecting Your Assets" Join this interactive discussion about cybersecurity trends,
More informationIs Your z/os System Secure?
Ray Overby Key Resources, Inc. Info@kr-inc.com (312) KRI-0007 A complete z/os audit will: Evaluate your z/os system Identify vulnerabilities Generate exploits if necessary Require installation remediation
More informationUnderstanding IT Audit and Risk Management
Understanding IT Audit and Risk Management Presentation overview Understanding different types of Assessments Risk Assessments IT Audits Security Assessments Key Areas of Focus Steps to Mitigation We need
More informationMIS Class 2. The Threat Environment
MIS 5214 Class 2 The Threat Environment Agenda In the News Models Risk Hackers Vulnerabilities Information System Categorization Risk Assessment Exercise Conceptual Modeling and Information Systems In
More information10 FOCUS AREAS FOR BREACH PREVENTION
10 FOCUS AREAS FOR BREACH PREVENTION Keith Turpin Chief Information Security Officer Universal Weather and Aviation Why It Matters Loss of Personally Identifiable Information (PII) Loss of Intellectual
More informationEnterprise Cybersecurity Best Practices Part Number MAN Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationCybersecurity The Evolving Landscape
Cybersecurity The Evolving Landscape 1 Presenter Zach Shelton, CISA Principal DHG IT Advisory Zach.Shelton@DHG.com Raleigh, NC 14+ years of experience in IT Consulting 11+ years of experience with DHG
More informationMIS5206-Section Protecting Information Assets-Exam 1
Your Name Date 1. Which of the following contains general approaches that also provide the necessary flexibility in the event of unforeseen circumstances? a. Policies b. Standards c. Procedures d. Guidelines
More informationfalanx Cyber Falanx Cyber Awareness Training: Educating your staff
falanx Cyber Falanx Cyber Awareness Training: Educating your staff Contents What is Cyber Security Awareness Training? 3 Why choose Falanx for your awareness training? 4 Types of training 5 Testimonials
More informationGovernance Ideas Exchange
www.pwc.com.au Anatomy of a Hack Governance Ideas Exchange Robert Di Pietro October 2018 Cyber Security Anatomy of a Hack Cyber Security Introduction Who are the bad guys? Profiling the victim Insights
More informationAdvanced Security Tester Course Outline
Advanced Security Tester Course Outline General Description This course provides test engineers with advanced skills in security test analysis, design, and execution. In a hands-on, interactive fashion,
More informationHow to Improve Your. Cyber Health. Cybersecurity Ten Best Practices For a Healthy Network
How to Improve Your Cyber Health Cybersecurity Ten Best Practices For a Healthy Network Introduction With the frequency of cyber attacks making headline news, no wonder cybersecurity is top of mind. Cybersecurity
More informationIntegrated Access Management Solutions. Access Televentures
Integrated Access Management Solutions Access Televentures Table of Contents OVERCOMING THE AUTHENTICATION CHALLENGE... 2 1 EXECUTIVE SUMMARY... 2 2 Challenges to Providing Users Secure Access... 2 2.1
More informationProtect Your Organization from Cyber Attacks
Protect Your Organization from Cyber Attacks Leverage the advanced skills of our consultants to uncover vulnerabilities our competitors overlook. READY FOR MORE THAN A VA SCAN? Cyber Attacks by the Numbers
More informationSOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)
SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP) Adaptive Cybersecurity at the Speed of Your Business Attackers Evolve. Risk is in Constant Fluctuation. Security is a Never-ending Cycle.
More informationSage Data Security Services Directory
Sage Data Security Services Directory PROTECTING INFORMATION ASSETS ENSURING REGULATORY COMPLIANCE FIGHTING CYBERCRIME Discover the Sage Difference Protecting your business from cyber attacks is a full-time
More informationObjectives of the Security Policy Project for the University of Cyprus
Objectives of the Security Policy Project for the University of Cyprus 1. Introduction 1.1. Objective The University of Cyprus intends to upgrade its Internet/Intranet security architecture. The University
More informationMatt Walker s All in One Course for the CEH Exam. Course Outline. Matt Walker s All in One Course for the CEH Exam.
Course Outline Matt Walker s All in One Course for the CEH Exam 03 May 2018 Contents 1. Course Objective 2. Pre-Assessment 3. Exercises, Quizzes, Flashcards & Glossary Number of Questions 4. Expert Instructor-Led
More informationUnderstanding the Changing Cybersecurity Problem
Understanding the Changing Cybersecurity Problem Keith Price BBus, MSc, CGEIT, CISM, CISSP Founder & Principal Consultant 1 About About me - Specialise in information security strategy, architecture, and
More informationSecurity Awareness Training Courses
Security Awareness Training Courses Trusted Advisor for All Your Information Security Needs ZERODAYLAB Security Awareness Training Courses 75% of large organisations were subject to a staff-related security
More informationCyber Criminal Methods & Prevention Techniques. By
Cyber Criminal Methods & Prevention Techniques By Larry.Boettger@Berbee.com Meeting Agenda Trends Attacker Motives and Methods Areas of Concern Typical Assessment Findings ISO-17799 & NIST Typical Remediation
More informationto Enhance Your Cyber Security Needs
Our Service to Enhance Your Cyber Security Needs Since the business critical systems by its nature are ON all of the time and the increasingly connected world makes you open your organization to everything
More informationExternal Supplier Control Obligations. Cyber Security
External Supplier Control Obligations Cyber Security Control Title Control Description Why this is important 1. Cyber Security Governance The Supplier must have cyber risk governance processes in place
More informationCybersecurity, safety and resilience - Airline perspective
Arab Civil Aviation Commission - ACAC/ICAO MID GNSS Workshop Cybersecurity, safety and resilience - Airline perspective Rabat, November, 2017 Presented by Adlen LOUKIL, Ph.D CEO, Resys-consultants Advisory,
More informationn Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test
Chapter Objectives n Explain penetration testing concepts n Explain vulnerability scanning concepts Chapter #4: Threats, Attacks, and Vulnerabilities Vulnerability Scanning and Penetration Testing 2 Penetration
More informationCyber security tips and self-assessment for business
Cyber security tips and self-assessment for business Last year one in five New Zealand SMEs experienced a cyber-attack, so it s essential to be prepared. Our friends at Deloitte have put together this
More informationNew York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief
Publication Date: March 10, 2017 Requirements for Financial Services Companies (23NYCRR 500) Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker s advanced
More informationBring Your Own Device (BYOD)
Bring Your Own Device (BYOD) An information security and ediscovery analysis A Whitepaper Call: +44 345 222 1711 / +353 1 210 1711 Email: cyber@bsigroup.com Visit: bsigroup.com Executive summary Organizations
More informationRequest for Proposal (RFP)
Request for Proposal (RFP) BOK PENETRATION TESTING Date of Issue Closing Date Place Enquiries Table of Contents 1. Project Introduction... 3 1.1 About The Bank of Khyber... 3 1.2 Critical Success Factors...
More informationCybersecurity and Hospitals: A Board Perspective
Cybersecurity and Hospitals: A Board Perspective Cybersecurity is an important issue for both the public and private sector. At a time when so many of our activities depend on information systems and technology,
More informationEC-Council Certified Incident Handler v2. Prepare to Handle and Respond to Security Incidents EC-COUNCIL CERTIFIED INCIDENT HANDLER 1
EC-Council Certified Incident Handler v2 Prepare to Handle and Respond to Security Incidents EC-COUNCIL CERTIFIED INCIDENT HANDLER 1 THE CRITICAL NATURE OF INCIDENT HANDLING READINESS An organized and
More informationBreaches and Remediation
Breaches and Remediation Ramona Oliver US Department of Labor Personally Identifiable Information Personally Identifiable Information (PII): Any information about an individual maintained by an agency,
More informationThe GenCyber Program. By Chris Ralph
The GenCyber Program By Chris Ralph The Mission of GenCyber Provide a cybersecurity camp experience for students and teachers at the K-12 level. The primary goal of the program is to increase interest
More informationForging a Stronger Approach for the Cybersecurity Challenge. Session 34, February 12, 2019 Tom Stafford, VP & CIO, Halifax Health
Forging a Stronger Approach for the Cybersecurity Challenge Session 34, February 12, 2019 Tom Stafford, VP & CIO, Halifax Health 1 Speaker Introduction Tom Stafford, Vice President & CIO Education: Bachelors
More informationCyber Security Congress 2017
Cyber Security Congress 2017 A rich agenda covering both technical and management matters with targeted presentations and hands on workshops. Day 1 Conference Morning Session 8.30 9.00 Registration & Coffee
More informationIT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18
Pierce County Classification Description IT SECURITY OFFICER Department: Information Technology Job Class #: 634900 Pay Range: Professional 18 FLSA: Exempt Represented: No Classification descriptions are
More informationTackling Cybersecurity with Data Analytics. Identifying and combatting cyber fraud
Tackling Cybersecurity with Data Analytics Identifying and combatting cyber fraud San Antonio IIA iheartaudit Conference February 24, 2017 What We ll Cover + Current threat landscape + Common security
More informationSecurity Stream for Computer Science
Security Stream for Computer Science Compulsory COMP3441 Security Engineering or COMP6442 Extended Security Engineering Electives and three electives drawn from the elective list (below) COMP4442 -- Advanced
More informationUnit 3 Cyber security
2016 Suite Cambridge TECHNICALS LEVEL 3 IT Unit 3 Cyber security Y/507/5001 Guided learning hours: 60 Version 3 - revised September 2016 ocr.org.uk/it LEVEL 3 UNIT 3: Cyber security Y/507/5001 Guided learning
More informationComputer Security Policy
Administration and Policy: Computer usage policy B 0.2/3 All systems Computer and Rules for users of the ECMWF computer systems May 1995 Table of Contents 1. The requirement for computer security... 1
More informationAUDIT REPORT. Network Assessment Audit Audit Opinion: Needs Improvement. Date: December 15, Report Number: 2014-IT-03
AUDIT REPORT Network Assessment Audit Audit Opinion: Needs Improvement Date: December 15, 2014 Report Number: 2014-IT-03 Table of Contents: Page Executive Summary Background 1 Audit Objectives and Scope
More information90% of data breaches are caused by software vulnerabilities.
90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) www.ce.ucf.edu/ssd Offered in partnership with
More information