Penetration Testing and Team Overview

Similar documents
Transportation Security Risk Assessment

CyberSecurity. Penetration Testing. Penetration Testing. Contact one of our specialists for more information CYBERSECURITY SERVICE DATASHEET

CYBERSECURITY PENETRATION TESTING - INTRODUCTION

Trustwave Managed Security Testing

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Threat and Vulnerability Assessment Tool

CYBER SECURITY AND MITIGATING RISKS

What every IT professional needs to know about penetration tests

Vulnerability Assessments and Penetration Testing

Infosec Europe 2009 Business Strategy Theatre. Giving Executives the Security Management Information that they Really Need

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Machine-Based Penetration Testing

locuz.com SOC Services

Express Monitoring 2019

Choosing the Right Security Assessment

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Introduction to Ethical Hacking. Chapter 1

Session 5311 Critical Testing Programs for Security Operations

How to Underpin Security Transformation With Complete Visibility of Your Attack Surface

Product Security Program

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring

Cyber Security. Building and assuring defence in depth

A Passage to Penetration Testing!

Penetration Testing. Strengthening your security by identifying potential cyber risks

Avanade s Approach to Client Data Protection

VULNERABILITY ASSESSMENT: SYSTEM AND NETWORK PENETRATION TESTING. Presented by: John O. Adeika Student ID:

Information Technology Branch Organization of Cyber Security Technical Standard

SIEMLESS THREAT DETECTION FOR AWS

Data Security Standard 9 IT protection The bigger picture and how the standard fits in

An ICS Whitepaper Choosing the Right Security Assessment

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI

Digital Health Cyber Security Centre

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Certified Information Security Manager (CISM) Course Overview

Application Security Approach

Machine-Based Penetration Testing

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

MIS5206-Section Protecting Information Assets-Exam 1

Incident Response. Tony Drewitt Head of Consultancy IT Governance Ltd

Tiger Scheme QST/CTM Standard

AUDIT REPORT. Network Assessment Audit Audit Opinion: Needs Improvement. Date: December 15, Report Number: 2014-IT-03

CyBot Suite. Machine-based Penetration Testing

Principles of ICT Systems and Data Security

SDLC Maturity Models

Penetration Testing! The Nitty Gritty. Jeremy Conway Partner/CTO

Global Security Consulting Services, compliancy and risk asessment services

CCISO Blueprint v1. EC-Council

Unit Compliance to the HIPAA Security Rule

Position Description IT Auditor

Engineering Your Software For Attack

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Security and Architecture SUZANNE GRAHAM

CYBER SECURITY TAILORED FOR BUSINESS SUCCESS

What is Penetration Testing?

CSIRT in general CSIRT Service Categories Reactive Services Proactive services Security Quality Management Services CSIRT. Brmlab, hackerspace Prague

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

THE AUTOMATED TEST FRAMEWORK

Process Definition: Security Services

hidden vulnerabilities

Rethinking Information Security Risk Management CRM002

Business Continuity Management

Business Risk Management

IoT & SCADA Cyber Security Services

Network Security Assessment

Establishing a Framework for Effective Testing and Validation of Critical Infrastructure Cyber-Security

Microsoft SDL 한국마이크로소프트보안프로그램매니저김홍석부장. Security Development Lifecycle and Building Secure Applications

Guide to Network Defense and Countermeasures Second Edition. Chapter 2 Security Policy Design: Risk Analysis

Inverting Risk Management for Ethical Hacking. SecureWorld Expo 09

Vulnerability Management Policy

Testers vs Writers: Pen tests Quality in Assurance Projects. 10 November Defcamp7

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

MetricStream GRC Summit 2013: Case Study

Information Security Controls Policy

FINMA Circular 2008/21 (Excerpt) IT risk management concept Deal with cyber risk Handling of electronic client data

Penetration testing.

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

Computer Security: Principles and Practice

ICS Penetration Testing

Developing an integrated approach to the analysis of MOD cyber-related risks

RiskSense Attack Surface Validation for Web Applications

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 9 Performing Vulnerability Assessments

Patient Information Security

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

n Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

INFORMATION SECURITY AND RISK POLICY

Education Network Security

NHS Gloucestershire Clinical Commissioning Group. Business Continuity Strategy

ACTIVE SHOOTER RESPONSE CAPABILITY STATEMENT. Dynamiq - Active Shooter Response

How to Conduct a Business Impact Analysis and Risk Assessment

Information Security Data Classification Procedure

The McGill University Health Centre (MUHC)

Technology Risk Management and Information Security A Practical Workshop

Risk Assessment. The Heart of Information Security

Medical Device Vulnerability Management

Internal Controls Evaluation (ICE) Processing

Report. An Evaluation of a Test driven Security Risk Analysis Method Based on an Industrial Case Study

Transcription:

ATO Trusted Access Penetration Testing and Team Overview PRESENTED BY Name: Len Kleinman Director ATO Trusted Access Australian Taxation Office 18 May 2011 What is Vulnerability Management? The on-going approach to the collection and analyses of information regarding vulnerabilities, exploits and possible inappropriate communications in identifying the level of IT risk the ATO may be facing at any one instant in time. Penetration Testing 2

VMR Roles and Responsibilities Security Testing - Penetration Testing & Security Assessments Incident Response Threat Intelligence Innovation Provision of Advice Technology compliance..and then some! Vulnerability Centric Evidence based Penetration Testing 3 Overview 24pt option with website in footer.

What is a Penetration Tester? An Out-of-the-box thinker One who bends computers to their will What s with the hats? Black = Cracker, script kiddie White = Ethical Hacker / Corporate Hacker Grey = Full disclosure and Hactivist What is a Penetration Test? A program of systematic testing that identifies weaknesses inherent in IT systems. System owners and Security administrators use the results of the testing to improve the security posture of the application/system and therefore improve the overall ATO IT environment.

How is a Penetration Test performed? VMR Penetration Test Team coordinates along with the project manager Penetration Test reviewed by relevant stakeholders Once a Penetration test is finalised, it is approved by the Director VMR, The AC Trusted Access and the system owner VMR conducts de-briefing sessions with the System Owners Flows into the compliance aspect Any residual risk is accepted by the System Owner Does not end there! VMR s penetration testing is normally conducted in four phases: Test Phase Planning and Information Gathering. Reconnaissance Setting up and setting expectations Phase Probing Phase Vulnerability Identification Attack Phase Exploitation of identified vulnerabilities through penetration Optional - social engineering Optional - physical penetration Reporting Phase Detailed reporting on the activities, results and recommendations as a result of testing

Structure of a Pen Test : Incorporating DREAD model Consequence Insignificant Minor Moderate High Very High Consequence Description No injuries, low financial loss First aid treatment, on-site release immediately contained, medium financial loss Medical treatment required, on-site release contained with outside assistance, high financial loss Extensive injuries, loss of production capability, off-site release with no detrimental effects, major financial loss Death, toxic release off-site with detrimental effect, huge financial loss CONSEQUENCE Likelihood Likelihood Description Almost certain Is expected to occur in most circumstances Likely Will probably occur in most circumstances LIKELIHOOD Possible Might occur at some time Unlikely Rare Could occur at some time May occur only in exceptional circumstances Structure of a Pen Test : LEVEL OF RISK: Likelihood Consequences Insignificant Minor Moderate High Very High Almost certain H H E E E Likely M H H E E Possible L M H E E Unlikely L L M H E Rare L L M H H E: extreme risk; immediate action required H: high risk; senior management attention needed M: moderate risk; management responsibility must be specified L: low risk; manage by routine procedures

What is it good for? Tests exposure of known security threats and vulnerabilities to both internal and external attack Provides a snapshot in time of what security looks like. Sets a benchmark. Assesses monitoring and escalation procedures Provide advice, solutions and recommendations to enhance the ATO s security yposture at both the enterprise and/or process level. Results enable VMR to provide early identification to project areas on common known vulnerabilities. What are the benefits? (for the Client) Improved information security knowledge and understanding around the real threats and vulnerabilities in ATO applications and processes. Proactive identification of potential risk and provision of assistance in mitigating these risk immediately. Assist in the decision making process i.e. Go Live! Is not an assurance/compliance/audit / activity it It can be part of and/or assurance derived from an interpretation of the results.

Summary and Take Aways Start small and expand slowly Apps or Network etc Development and document your process market it clearly Get proper approval! Recruit effectively - capable and qualified staff Training is essential Supporting Infrastructure cost and maintenance Embrace convergence and integration It is a feature for you but a BENEFIT for the Client. Thank you COMMONWEALTH OF AUSTRALIA 2011 This presentation was current in 9/05/2011

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback