Transcript
Page 1: Closing the Loop on Vulnerability Management - Core Security

© 2014 Core Security

Closing the Loop on Vulnerability Management


Vulnerabilities

• Vulnerabilities represent potential damage
• Difficult to use in convincing arguments
• Provide the opportunity to accept risk without pain


Penetration Testing

• The ability to exploit a vulnerability removes ambiguity
• Successful exploits demonstrate tangible consequences to the business
• Almost all penetration tests expose unauthorized access to data


The Key to Successful Risk Management

• The ability to demonstrate tangible consequences of risk acceptance

• Effective penetration testing makes accepting risk uncomfortable

• The combination of identified vulnerabilities and demonstrated exploitation provide a persuasive argument against risk acceptance


Phased Approach

• Resistance to penetration testing can be overcome over time
• Start in the lab
• Move to non-essential systems
• Build trust to test critical production systems


Penetration Testing Should Not be Optional

• Vulnerability assessment without penetration testing only reveals part of the problem

• Don’t force yourself to make a convincing argument for security without one of the most persuasive tools