What every IT professional needs to know about penetration tests


24th April 2014
Geraint Williams, IT Governance Ltd
www.itgovernance.co.uk

Overview
So what do IT professionals need to know about penetration tests?
- What is a penetration test?
- Why do systems need testing?
- What do the tests cover?
- What don't the tests cover?
- Who can conduct the tests?
- Why should I test?
- When should I test?
- Arranging a test

What is a penetration test?
A penetration test, or pen test, is an attack on a computer system with the intention of finding security weaknesses, potentially gaining access to it, its functionality and data.
Source: http://en.wikipedia.org/wiki/penetration_test

Difference between a penetration test and a hack
- A penetration tester has permission to test the system(s). A malicious hacker is committing an illegal act.
- A penetration tester is limited in the time available to attack the system(s). A malicious hacker has all the time in the world to attempt a hack.
- A penetration tester has to stay within legal and ethical limits. A malicious hacker has no legal or ethical restraints other than self-imposed ones.
- Penetration testing is a snapshot in time, conducted at intervals. An attack can occur at any time, and vulnerabilities can be discovered at any time.

Gaining access
Gaining access to a system from outside the network, ordered from easiest to hardest:
- by exploiting vulnerabilities in the user layer (easiest)
- by exploiting vulnerabilities in the application layer
- by exploiting vulnerabilities in the network layer (hardest)

Attack surface
- User attack surface
- Application attack surface
- Network attack surface

Internal or external view
- Internal: simulates a malicious insider, or the actions of a hacker who has already gained access.
- External: simulates an external threat, the actions of a hacker trying to gain access.

What needs to be tested
Layers: network layer, application layer, user layer.
Systems:
- Publicly accessible systems
- High-risk systems
- High-value systems
- Internal systems
- Segmentation

What do the tests cover?
Known vulnerabilities and exploits.

Different test types
Three levels of test are compared: Vulnerability Scan, ITG Penetration Test L1 and ITG Penetration Test L2.
- Alternative names: Automated Scan (Vulnerability Scan); Vulnerability Assessment (L1); Full Penetration Testing (L2)
- Scope of assessment: agreed with the client, for all three
The remaining criteria on which the three are compared:
- Pre-assessment client scoping and consultation
- Can be conducted internally and externally
- Identification of potential vulnerabilities
- Identification of configuration vulnerabilities
- Identification of potential security loopholes
- Immediate notification of critical issues
- Automated scanning
- Manual scanning
- Manual testing
- Manual grading of vulnerabilities
- Exploitation of potential vulnerabilities to establish the impact of an attack

What the tests don't cover
- Not absolute security: a penetration tester is unlikely to find all the security issues.
- New vulnerabilities are being discovered all the time.
- Constraints on the pen tester (scope, time, legal and ethical limits) limit success.

Lifecycle of a vulnerability: Heartbleed
- Vulnerability introduced into the application/system
- about 2 years later: discovery by ethical researchers
- about 2 weeks later: public announcement
- Remediation activities, public exploits and attacks
Vulnerability scanners and exploit tools follow the public announcement, and that is the point at which the vulnerability becomes visible to testers.

Who conducts the tests?
- Internal testers: tiger teams, red teams.
- External testers: ethical hackers, security researchers.

Accreditation
A number of schemes exist within the UK: CHECK, CREST, Tiger Scheme.

Qualifications
A number of qualifications exist within the UK: CHECK, CREST, Tiger Scheme, EC-Council, SANS, and a BSc or MSc.

Why should I test?
- Regulatory compliance
- Demonstrating due diligence
- Providing risk-based assurance that controls are being implemented effectively

Why should you conduct a regular penetration test?
New vulnerabilities are identified and exploited by hackers every week (http://www.net-security.org/secworld.php?id=14595). In many cases, you won't even know that your defences have been successfully breached until it's too late.

Are you doing business with the government?
Penetration testing is a requirement of the UK central government Baseline Security Plans. Invitation to Tender documents issued by HM Government departments also reference penetration tests.

ISO 27001 and penetration testing
- As part of the risk assessment process: uncovering vulnerabilities in any internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats.
- As part of the risk treatment plan: ensuring that the controls implemented actually work as designed.
- As part of the ongoing corrective action/preventive action (CAPA) and continual improvement processes: ensuring that controls continue to work as required and that new and emerging threats and vulnerabilities are identified and dealt with.

When should I test?
- All the time: impractical.
- At a risk-based frequency interval.
- After deployment of new infrastructure or applications, and after changes to existing infrastructure and applications.

Arranging a test
- Selecting a supplier
- Scoping the engagement
- Understanding the report
- Remediation activities

What credentials should I look for in a penetration tester?
- Can you provide evidence of a solid reputation, history and ethics (e.g. a full trading history, good feedback from both clients and suppliers, a reliable financial record, and a strong history of performance)?
- Do you take part in specialised industry events (such as those run by CREST or OWASP chapters)?
- Are you able to demonstrate exploits or vulnerabilities you have found in other similar environments?
- Can you provide independent feedback on the quality of work performed and the conduct of the staff involved?
- Do you adhere to a formal code of conduct overseen by an independent industry body?

Scoping the penetration test: questions your provider should ask
- What are the business drivers behind needing or wanting a penetration test?
- What outputs do you require from the testing? Assurance or governance?
- What threats are you trying to protect against? Internal or external?
- Which systems need to be tested? Critical, high profile, or everything?
- Are you testing infrastructure and applications, or administrators and monitoring systems?

Third-party permissions: are any required? Systems hosted or managed by a third party cannot be tested without that party's permission.

Reporting: what is included and what can I expect to receive?
- A detailed technical report on the vulnerabilities of the system.
- An explanation of the vulnerabilities in a way that is easily understood by senior management.
- The outcome of the test reported in business risk terms.
- Short-term (tactical) recommendations.
- Root causes identified, with long-term (strategic) recommendations.
- A security improvement action plan.
- Assistance to the organisation in implementing the security improvements.

Report findings
Findings identified during the penetration test should be recorded in an agreed format, describing each finding in both:
- technical terms that can be acted upon, and
- non-technical business context, so that the justification for the corrective actions is understood.
Reports should describe the vulnerabilities found, including:
- a test narrative describing the process the tester used to achieve particular results;
- test evidence: results of automated testing tools and screenshots of successful exploits;
- the associated technical risks, and how to address them.

Summary
- Penetration testing provides a means of testing information security controls.
- It gives assurance about the effectiveness of controls.
- It requires careful scoping.
- You need permission from ALL parties.

Technical services
- IT Health Checks
- Web application security testing
- Network testing
- Wireless network testing
- PCI DSS Approved Scanning Vendor (ASV) services
- Annual / quarterly scanning contracts

Technical and consultancy services
- Penetration Testing Service: http://www.itgovernance.co.uk/shop/p-793-itg-penetration-testing-standard-package.aspx
- PCI QSA Services: http://www.itgovernance.co.uk/pci-qsa-services.aspx
- PCI DSS ASV Scanning Service: http://www.itgovernance.co.uk/pci-scanning.aspx
- PCI HackerGuardian Standard/Enterprise Scanning Service: http://www.itgovernance.co.uk/shop/p-1007-pci-asv-hackerguardian-scanning-service.aspx
- PCI DSS consultancy services, aligned to either Version 2 or Version 3 of the PCI DSS: scoping, gap analysis, remediation support, and consultancy by the hour (IT Governance LiveOnline): http://www.itgovernance.co.uk/pci-consultancy.aspx

Where to find us
- Website: www.itgovernance.co.uk
- E-mail: servicecentre@itgovernance.co.uk
- Telephone: 0845 070 1750
- Twitter: twitter.com/#!/itgovernance
- Blog: blog.itgovernance.co.uk/
- LinkedIn: www.linkedin.com/company/it-governance
- Facebook: www.facebook.com/itgovernanceltd

Any questions? Contact details
- Blog: http://blog.itgovernance.co.uk/author/geraint-williams/
- LinkedIn: uk.linkedin.com/in/geraintpwilliams
- Twitter: twitter.com/#!/geraintw