CASE STUDY. How 16 Penetration Tests Missed A Vulnerability Which Could've Cost One Company Over $103 Million In PCI Fines


In a recent enhanced red team/advanced penetration test, our team of testers uncovered a major vulnerability in a client's network. This vulnerability gave them access to data which had been there since 2012. If our team had been a group of hackers, this breach would have cost the company over $103 million in PCI fines alone.

The interesting fact about this study is that the company had been getting penetration testing quarterly since 2012 by various notable companies. We uncovered the information in the 4th quarter of 2016. That is a total of 16 penetration tests by 7 different vendors that missed the vulnerability.

16 penetration tests. 7 different vendors. All missed the vulnerability.

How 16 Penetration Tests Missed A Vulnerability Which Could've Cost One Company Over $103 Million In PCI Fines withum.com

How Did 16 Pen Tests Miss This Vulnerability?

Because of the way they are being tested. Each penetration test prior to ours had relied heavily on automated tools to identify vulnerabilities. The pen testing teams would run automated scans and then perform manual tests of the results. The problem with that is that automated tools only look for publicly known vulnerabilities in systems, leaving vulnerabilities in custom applications or undiscovered zero-day vulnerabilities unidentified.

Most cyber risks are hidden:
- 10%: documented and easily-detected vulnerabilities
- 295: average time it takes an organization to identify a cyber attack
- 90%: organization-specific vulnerabilities detected only through advanced penetration testing

Similar to an iceberg, most vulnerabilities are hidden from automated and compliance-driven vulnerability scanning and penetration testing. Taking an enhanced red teaming approach to advanced penetration testing finds risks below the surface by manually emulating the aggressive actions of a hacker. The Withum Cyber approach involves human cyber operations experience, tools, tactics, and procedures at each stage of the test. It has been determined, by comparing test results for organizations that have employed multiple testing methodologies, that applying deep hands-on technical experience towards finding organization-specific vulnerabilities is a truly comprehensive way of identifying and analyzing a network's level of security.

What Is Enhanced Teaming?

An enhanced blue team approach to advanced penetration testing emulates the activities that advanced persistent threat actors (such as nation-state threats or organized crime) would carry out against your organization. Beyond a scan for vulnerabilities, this advanced level of testing takes advantage of the training, experience, and adaptability of our penetration testing specialists in finding, exploiting, and leveraging vulnerabilities to gain access and determine the impact of that access on the organization.

Comparison of testing levels. Each row lists, in order: Vulnerability Assessment / Traditional Penetration Testing / Enhanced Blue Teaming and Advanced Penetration Testing.

Scoping: Limited / Limited to scan results / Comprehensive

Skill level required: Tutorial needed / Training required / Advanced degree

Objective: Broad scanning for information gathering / Utilize broad scanning to manually test a network for compliance-driven needs / Uncover as many vulnerabilities as possible using the resources leveraged by real attackers

Techniques: Fully automated, using software which identifies publicly known vulnerabilities / Driven by automation, with penetration testers manually testing the findings uncovered by automated scanning / Human driven, with a team of hackers focused on your network identifying vulnerabilities unique to your network

Threat emulation: None / Partial / Advanced persistent threat emulation

Reporting: Computer-generated report with unverified information and no determination of business impact / Computer-generated report which is verified by a penetration tester, reducing the amount of false positives / Narrative report with actionable remediation steps and verified intelligence determining the business impact of all findings

It is important to understand the difference in the complexity and depth of testing levels, and why Withum Cyber uses an enhanced red team approach to penetration testing.

Key Learnings

1. There is a vast difference in definitions of penetration testing. Make sure you understand the difference in the level of testing you are receiving.

2. As cybercrime continues to grow and become an increasing threat, you must start to conduct more comprehensive testing in order to truly remain secure and build your cyber resilience.

3. Becoming a "want to know" organization and proactively looking for threats and vulnerabilities is imperative.

4. An enhanced blue teaming approach to penetration testing is the only way to uncover organization-specific vulnerabilities.