What Can Go Wrong During a Pen-test?
Effectively Engaging and Managing a Pen-test
Managing Risk
Some Facts We Can All Agree on:
— All businesses can expect some “loss” also known as “the cost of doing business”
— Some businesses are not tolerant of loss in certain areas
Wise businesses choose which losses are acceptable!
My Life as a Fortune Teller!
Reality:
— This system has a vulnerability
— There are tools available on the Internet to exploit this vulnerability
Conclusion
— You are not safe
Perception
— This system may be vulnerable, based on the software version number being displayed
— No known exploits
Conclusion
— I’m safe
What is being tested?
Are we trying to prove a negative?
“I tried to compromise your systems and was able to do so.”
— Your systems are not secure
“I tried to compromise your systems and was unable to do so.”
— Your systems are secure
Risks in Penetration Testing
Your systems could crash
You could lose business data
You could miss a real penetration
Someone could follow your incident response procedures (and call law enforcement)
You could remain unaware about real vulnerabilities in your environment
Questions to ask a Pen-test team
Do they hire former hackers?
How do they store engagement data?
How do they dispose of engagement data?
Do they perform background checks?
How do they collect exploits?
How do they train their staff?
Do they test exploits in a lab?
Steps to Managing a Pen Test
Clearly define objectives
Schedule frequent status updates
Supervise closely
Request raw data
Inform internal security monitoring group*
Review results with team (before end of test)
* will leak info in a zero-knowledge effort, but worth it!
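As an added illustration (not from the slides) of what the internal security monitoring group can do with the scope it is told about: label alerts that match the agreed window, source and target as authorized test activity instead of suppressing them, so a real penetration during the test, or a tester straying out of scope, still follows the normal incident response path. The Engagement class, the triage function, the addresses and the timestamps are all constructed for this example.

```python
"""Scope-aware alert triage for a pen-test window (constructed example)."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Engagement:
    """What the pen-test team and the business agreed on (hypothetical)."""
    start: datetime
    end: datetime
    sources: tuple  # networks the testers said they would test from
    targets: tuple  # networks in scope as targets

    def covers(self, when, src, dst):
        """True only when time, source and destination all match the agreement."""
        s, d = ip_address(src), ip_address(dst)
        return (self.start <= when <= self.end
                and any(s in ip_network(n) for n in self.sources)
                and any(d in ip_network(n) for n in self.targets))


def triage(alert, engagement):
    """Disposition for one alert. Matching alerts are labelled, never dropped:
    they are reconciled against the team's raw data at the status updates.
    Anything else keeps the normal incident response path."""
    when = datetime.fromisoformat(alert["ts"])
    if engagement.covers(when, alert["src"], alert["dst"]):
        return "authorized-test: log, do not escalate; confirm with pen-test team"
    return "real: follow incident response procedure"


# Constructed scope and alerts; addresses are documentation ranges, not real hosts.
SCOPE = Engagement(start=datetime(2024, 3, 4, 9, 0), end=datetime(2024, 3, 8, 18, 0),
                   sources=("203.0.113.0/24",), targets=("192.0.2.0/24",))
ALERTS = [
    {"ts": "2024-03-05T10:15:00", "src": "203.0.113.7", "dst": "192.0.2.10", "sig": "port scan"},
    {"ts": "2024-03-05T10:16:00", "src": "198.51.100.9", "dst": "192.0.2.10", "sig": "port scan"},  # unknown source
    {"ts": "2024-03-09T02:00:00", "src": "203.0.113.7", "dst": "192.0.2.10", "sig": "web shell"},  # after the window
    {"ts": "2024-03-05T11:00:00", "src": "203.0.113.7", "dst": "10.0.0.5", "sig": "brute force"},  # out-of-scope target
]


def triage_all(alerts=ALERTS, engagement=SCOPE):
    """Return (signature, disposition) pairs for every alert."""
    return [(a["sig"], triage(a, engagement)) for a in alerts]


if __name__ == "__main__":
    for sig, verdict in triage_all():
        print(f"{sig:12} -> {verdict}")
```

Only the first alert is labelled as test activity; the other three (unknown source, outside the window, out-of-scope target) are escalated as real.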
What We Do
• Build, Secure and Manage Your Network Infrastructure
[Diagram: service areas Network and Systems Management, Security, Next Generation Networking, Business Consulting, Project Management; offerings listed: Network Infrastructure, Wireless, Convergence, .NET, Storage and Content Networking, Risk Assessment, Defense Planning, Architecture and Infrastructure, IT Operations Services, IT Optimization Services, Business Services Management]
Unmatched Depth and Breadth of Resources
[Diagram: Collaboration Network, Methodology, Solutions Library, Training & Mentoring, Technical Resource Library, Business Value Justification]
Security Solutions: Risk Assessment
Penetration Testing: Directly tests network security utilizing the latest tools and techniques to emulate Internet, intranet or extranet-based attacks
Risk Analysis: Identifies and determines the value of various information assets and the likelihood of loss based on the exposure to threats
Security Assessment: Compares measured security against accepted industry practices and established rules, guidelines, or industry regulations
Security Solutions: Defense Planning
Policies & Procedures: Develop a complete, custom corporate security policy that aligns with your IT and business goals
Security Operations: Design an operational model for realizing security policy and technology across the organization
Incident Management: Design an effective incident preparedness process and management framework
Awareness Training: Train your employees on sound security practices and policies, and ensure your defined security policy is thoroughly communicated
Security Solutions: Security Architecture & Infrastructure
Authentication & Access: Determine access requirements to design and implement a unified authentication and authorization design
Security Architecture: Assess existing infrastructure to identify and mitigate gaps or weaknesses in security architecture
Technical Infrastructure: Integrate security technologies, such as VPNs, PKI, IDS, firewalls, virus protection, content filtering, and AAA solutions