PAGE © 2014 Core Security
Closing the Loop on Vulnerability Management
Vulnerabilities
• Vulnerabilities represent potential damage
• Difficult to use in convincing arguments
• Provide the opportunity to accept risk without pain
Penetration Testing
• The ability to exploit a vulnerability removes ambiguity
• Successful exploits demonstrate tangible consequences to the business
• Almost all penetration tests expose unauthorized access to data
The Key to Successful Risk Management
• The ability to demonstrate tangible consequences of risk acceptance
• Effective penetration testing makes accepting risk uncomfortable
• The combination of identified vulnerabilities and demonstrated exploitation provide a persuasive argument against risk acceptance
Phased Approach
• Resistance to penetration testing can be overcome over time
• Start in the lab
• Move to non-essential systems
• Build trust to test critical production systems
Penetration Testing Should Not be Optional
• Vulnerability assessment without penetration testing only reveals part of the problem
• Don’t force yourself to make a convincing argument for security without one of the most persuasive tools