SlideShare a Scribd company logo

IT Best Practices IT Security Assessments 2010

Download as PPTX, PDF
Donald E. Hester
Donald E. Hester

IT Best Practices: IT Security Assessments with proper IT governance practices

Technology
1 of 51
Donald Hester October 21, 2010 For audio call Toll Free 1-888-886-3951 and use PIN/code 158313 IT Best Practices: IT Security Assessments
• Maximize your CCC Confer window. • Phone audio will be in presenter-only mode. • Ask questions and make comments using the chat window. Housekeeping
Adjusting Audio 1) If you’re listening on your computer, adjust your volume using the speaker slider. 2) If you’re listening over the phone, click on phone headset. Do not listen on both computer and phone.
Saving Files & Open/close Captions 1. Save chat window with floppy disc icon 2. Open/close captioning window with CC icon
Emoticons and Polling 1) Raise hand and Emoticons 2) Polling options
Donald Hester IT Best Practices: IT Security Assessments
Donald E. Hester CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+ Director, Maze & Associates University of San Francisco / San Diego City College / Los Positas College www.LearnSecurity.org http://www.linkedin.com/in/donaldehester http://www.facebook.com/group.php?gid=245570977486 Email: DonaldH@MazeAssociates.com
Situation  Organizations are becoming increasingly dependent on technology and the Internet  The loss of technology or the Internet would bring operations to a halt  The need for security increases as our dependence on technology increases  Management wants to have assurance that technology has the attention it deserves8
Questions  Does our current security posture address what we are trying to protect?  Do we know what we need to protect?  Where can we improve?  Where do we start?  Are we compliant with laws, rules, contracts and organizational policies?  What are your risks? 9
Reason  Provide Assurance  Demonstrate due diligence  Make risk based decisions 10
Terms  Assessment  Audit  Review  ST&E = Security Test & Evaluation  Testing  Evaluation 11
Assessment Lifecycle Planning Information Gathering Business Process Assessment Technology Assessment Risk Analysis & Reporting 12
Common Types of Assessments  Vulnerability Assessment  Penetration Test  Application Assessment  Code Review  Standard Audit/Review  Compliance Assessment/Audit  Configuration Audit  Wireless Assessment  Physical/Environmental Assessment  Policy Assessment 13
Determine your Scope  What will be the scope of the assessment? • Network (Pen Test, Vul Scan, wireless) • Application (Code or Vul scan) • Process (business or automated)  How critical is the system you are assessing? • High, medium – use independent assessor • Low – self assessment 14
Identify and Select Automated Tools  Computer Assisted Audit Techniques or Computer Aided Audit Tools (CAATS)  Computer Assisted Audit Tools and Techniques (CAATTs) • SQL queries • Scanners • Excel programs • Live CDs • Checklists 15
Checklists  AuditNet • www.auditnet.org  ISACA & IIA • Member Resources  DoD Checklists • iase.disa.mil/stigs/checklist/  NIST Special Publications • csrc.nist.gov/publications/PubsSPs.html 16
Live CD Distributions for Security Testing  BackTrack  Knoppix Security Tool Distribution  F.I.R.E.  Helix 17
Review Techniques  Documentation Review  Log Review  Ruleset Review  System Configuration Review  Network Sniffing  File Integrity Checking 18
Target Identification and Analysis Techniques  Network Discovery  Network Port and Service Identification • OS fingerprinting  Vulnerability Scanning  Wireless Scanning • Passive Wireless Scanning • Active Wireless Scanning • Wireless Device Location Tracking (Site Survey) • Bluetooth Scanning • Infrared Scanning 19
Target Vulnerability Validation Techniques  Password Cracking • Transmission / Storage  Penetration Testing • Automated / Manual  Social Engineering • Phishing 20
Checklists / MSAT  Microsoft Security Assessment Tool (MSAT) 21
GRC Tools Governance RiskCompliance 22 Dashboards Metrics Checklists Reporting Trend Analysis Remediation
Test Types  Black Box Testing • Assessor starts with no knowledge  White Box Testing • Assessor starts with knowledge of the system, i.e. the code  Grey Box Testing • Assessor has some knowledge, not completely blind 23
Verification Testing Input • Data Entry Data Collection • Database Storage Output • Reports 24 Verification Match
Application testing  Code Review • Automated/Manual  Vulnerability scanning  Configuration review  Verification testing  Authentication  Information leakage  Input/output Manipulation 25
Database Auditing  Native Audit (Provided by DB)  SIEM & Log Management  Database Activity Monitoring  Database Audit Platforms • Remote journaling & analytics  Compliance testing  Performance 26
Intrusion Detection/Prevention  Configuration  Verification testing  Log and Alert review 27
28
EMR Testing  Electromagnetic Radiation  Emissions Security (EMSEC)  Van Eck phreaking  Tempest  Tempest surveillance prevention  Faraday Cage 29
Green Computing  Assessment on the use of resources  Power Management  Virtualization Assessment 30
Business Continuity  Plan Testing, Training, and Exercises (TT&E)  Tabletop Exercises • Checklist Assessment • Walk Through  Functional Exercises • Remote Recovery • Full Interruption Test 31
Vulnerability Scanning  Vulnerability: Weakness in an information system, or in system security procedures, internal controls, or implementation, that could be exploited or triggered by a threat source.  Vulnerability Scanning: A technique used to identify hosts/host attributes and associated vulnerabilities. (Technical) 32
MBSA  Microsoft Baseline Security Analyzer 2.2 33
Vulnerability Reports 34 Sample from Qualys
External and Internal 35 Where is the best place to scan from? External scan found 2 critical vulnerabilities Internal scan found 15 critical vulnerabilities
Vulnerability Scanners 36 Source: http://www.gartner.com/technology/media-products/reprints/rapid7/173772.html
Red, White and Blue Teams 37 Penetration Testers Incident Responders Mimic real-world attacks Unannounced Observers and Referees
Red and Blue Teams 38 Penetration Testers Incident Responders Mimic real-world attacks Announced
Penetration Test Phases 39
Penetration Assessment Reports 40 Sample from CoreImpact
Vulnerability Information  Open Source Vulnerability DB • http://osvdb.org/  National Vulnerability Database • http://nvd.nist.gov/  Common Vulnerabilities and Exposures • http://cve.mitre.org/  Exploit Database • http://www.exploit-db.com/ 41
Physical Assessments  Posture Review  Access Control Testing  Perimeter review  Monitoring review  Alarm Response review  Location review (Business Continuity)  Environmental review (AC / UPS) 42
KSAs Knowledge SkillAbility 43
Assessor Competence  Priority Certifications • Certified Information Systems Auditor (CISA)* • GIAC Systems and Network Auditor (GSNA)  Secondary Certifications • Vendor Neutral: CISSP, Security+, GIAC, CISM, etc… • Vendor Specific: Microsoft, Cisco, etc… 44 *GAO 65% of audit staff to be CISA
Legal Considerations  At the discretion of the organization  Legal Review • Reviewing the assessment plan • Providing indemnity or limitation of liability clauses (Insurance) • Particularly for tests that are intrusive • Nondisclosure agreements • Privacy concerns 45
Post-Testing Activities  Mitigation Recommendations • Technical, Managerial or Operational  Reporting • Draft and Final Reports  Remediation / Mitigation • Not enough to finds problems need to have a process to fix them 46
Organizations that can help  Information Systems Audit and Control Association (ISACA)  American Institute of Certified Public Accountants (AICPA)  Institute of Internal Auditors (IIA)  SANS  National State Auditors Association (NSAA)  U.S. Government Accountability Office (GAO) 47
Resources  Gartner Report on Vulnerability Assessment Tools  Twenty Critical Controls for Effective Cyber Defense 48
Donald E. Hester CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+ Director, Maze & Associates University of San Francisco / San Diego City College / Los Positas College www.LearnSecurity.org http://www.linkedin.com/in/donaldehester http://www.facebook.com/group.php?gid=245570977486 Email: DonaldH@MazeAssociates.com
Evaluation Survey Link Help us improve our seminars by filing out a short online evaluation survey at: http://www.surveymonkey.com/s/IT-SecurityAssessments
Thanks for attending For upcoming events and links to recently archived seminars, check the @ONE Web site at: http://onefortraining.org/ IT Best Practices: IT Security Assessments

Recommended

shaabani-Final-NC
shaabani-Final-NCshaabani-Final-NC
shaabani-Final-NCMahdi Shabani
 
Enterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsEnterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsDamon Small
 
Solving the CIO’s Cybersecurity Dilemma
Solving the CIO’s Cybersecurity DilemmaSolving the CIO’s Cybersecurity Dilemma
Solving the CIO’s Cybersecurity DilemmaJohn Gilligan
 
CISSP - Software Development Security
CISSP - Software Development SecurityCISSP - Software Development Security
CISSP - Software Development SecurityKarthikeyan Dhayalan
 
Effective Vulnerability Management
Effective Vulnerability ManagementEffective Vulnerability Management
Effective Vulnerability ManagementVicky Ames
 
AMI Security 101 - Smart Grid Security East 2011
AMI Security 101 - Smart Grid Security East 2011AMI Security 101 - Smart Grid Security East 2011
AMI Security 101 - Smart Grid Security East 2011dma1965
 
Reduce Third Party Developer Risks
Reduce Third Party Developer RisksReduce Third Party Developer Risks
Reduce Third Party Developer RisksKevo Meehan
 
The security sdlc
The security sdlcThe security sdlc
The security sdlcMohamed Siraj
 

Recommended

shaabani-Final-NC
shaabani-Final-NCshaabani-Final-NC
shaabani-Final-NCMahdi Shabani
 
Enterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsEnterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsDamon Small
 
Solving the CIO’s Cybersecurity Dilemma
Solving the CIO’s Cybersecurity DilemmaSolving the CIO’s Cybersecurity Dilemma
Solving the CIO’s Cybersecurity DilemmaJohn Gilligan
 
CISSP - Software Development Security
CISSP - Software Development SecurityCISSP - Software Development Security
CISSP - Software Development SecurityKarthikeyan Dhayalan
 
Effective Vulnerability Management
Effective Vulnerability ManagementEffective Vulnerability Management
Effective Vulnerability ManagementVicky Ames
 
AMI Security 101 - Smart Grid Security East 2011
AMI Security 101 - Smart Grid Security East 2011AMI Security 101 - Smart Grid Security East 2011
AMI Security 101 - Smart Grid Security East 2011dma1965
 
Reduce Third Party Developer Risks
Reduce Third Party Developer RisksReduce Third Party Developer Risks
Reduce Third Party Developer RisksKevo Meehan
 
The security sdlc
The security sdlcThe security sdlc
The security sdlcMohamed Siraj
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability ManagementMarcelo Martins
 
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"WrikeTechClub
 
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentationIntroduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentationObika Gellineau
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1Lisa Niles
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4Lisa Niles
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle1&1
 
Operations_Security - Richard Mosher
Operations_Security - Richard MosherOperations_Security - Richard Mosher
Operations_Security - Richard Mosheramiable_indian
 
Prioritized Approach Twenty Critical Controls 2008
Prioritized Approach Twenty Critical Controls 2008Prioritized Approach Twenty Critical Controls 2008
Prioritized Approach Twenty Critical Controls 2008Donald E. Hester
 
Information Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementInformation Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementEnclaveSecurity
 
Safety and security in distributed systems
Safety and security in distributed systemsSafety and security in distributed systems
Safety and security in distributed systemsEinar Landre
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLCBDPA Charlotte - Information Technology Thought Leaders
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3Lisa Niles
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2Lisa Niles
 
Domain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and TestingDomain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and TestingMaganathin Veeraragaloo
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5Lisa Niles
 
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...GoQA
 
SANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls SurveySANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls SurveyEdgar Alejandro Villegas
 
CISSP week 26
CISSP week 26CISSP week 26
CISSP week 26jemtallon
 
Skill Set Needed to work successfully in a SOC
Skill Set Needed to work successfully in a SOCSkill Set Needed to work successfully in a SOC
Skill Set Needed to work successfully in a SOCFuad Khan
 
CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsSam Bowne
 
Module 6.pptx
Module 6.pptxModule 6.pptx
Module 6.pptxssuser66c4d5
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA Information Security
 

More Related Content

What's hot

Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability ManagementMarcelo Martins
 
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"WrikeTechClub
 
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentationIntroduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentationObika Gellineau
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1Lisa Niles
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4Lisa Niles
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle1&1
 
Operations_Security - Richard Mosher
Operations_Security - Richard MosherOperations_Security - Richard Mosher
Operations_Security - Richard Mosheramiable_indian
 
Prioritized Approach Twenty Critical Controls 2008
Prioritized Approach Twenty Critical Controls 2008Prioritized Approach Twenty Critical Controls 2008
Prioritized Approach Twenty Critical Controls 2008Donald E. Hester
 
Information Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementInformation Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementEnclaveSecurity
 
Safety and security in distributed systems
Safety and security in distributed systemsSafety and security in distributed systems
Safety and security in distributed systemsEinar Landre
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3Lisa Niles
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2Lisa Niles
 
Domain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and TestingDomain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and TestingMaganathin Veeraragaloo
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5Lisa Niles
 
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...GoQA
 
SANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls SurveySANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls SurveyEdgar Alejandro Villegas
 
CISSP week 26
CISSP week 26CISSP week 26
CISSP week 26jemtallon
 
Skill Set Needed to work successfully in a SOC
Skill Set Needed to work successfully in a SOCSkill Set Needed to work successfully in a SOC
Skill Set Needed to work successfully in a SOCFuad Khan
 
CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsSam Bowne
 

What's hot (20)

Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability Management
 
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"
 
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentationIntroduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle
 
Operations_Security - Richard Mosher
Operations_Security - Richard MosherOperations_Security - Richard Mosher
Operations_Security - Richard Mosher
 
Prioritized Approach Twenty Critical Controls 2008
Prioritized Approach Twenty Critical Controls 2008Prioritized Approach Twenty Critical Controls 2008
Prioritized Approach Twenty Critical Controls 2008
 
Information Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementInformation Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to Measurement
 
Safety and security in distributed systems
Safety and security in distributed systemsSafety and security in distributed systems
Safety and security in distributed systems
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLC
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #2
 
Domain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and TestingDomain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and Testing
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
 
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
 
SANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls SurveySANS 2013 Critical Security Controls Survey
SANS 2013 Critical Security Controls Survey
 
CISSP week 26
CISSP week 26CISSP week 26
CISSP week 26
 
Skill Set Needed to work successfully in a SOC
Skill Set Needed to work successfully in a SOCSkill Set Needed to work successfully in a SOC
Skill Set Needed to work successfully in a SOC
 
CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security Operations
 

Similar to IT Best Practices IT Security Assessments 2010

SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA Information Security
 
Assessing System Risk the Smart Way
Assessing System Risk the Smart WayAssessing System Risk the Smart Way
Assessing System Risk the Smart WaySecurity Innovation
 
Internal Controls Over Information Systems
Internal Controls Over Information Systems Internal Controls Over Information Systems
Internal Controls Over Information Systems Jeffrey Paulette
 
Greenbone vulnerability assessment - Networkshop44
Greenbone vulnerability assessment - Networkshop44Greenbone vulnerability assessment - Networkshop44
Greenbone vulnerability assessment - Networkshop44Jisc
 
Enterprise IT Security| CIO Innovation and Leadership
Enterprise IT Security| CIO Innovation and LeadershipEnterprise IT Security| CIO Innovation and Leadership
Enterprise IT Security| CIO Innovation and LeadershipRedZone Technologies
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayChris Gates
 
Introducing Assure Security Risk Assessment
Introducing Assure Security Risk AssessmentIntroducing Assure Security Risk Assessment
Introducing Assure Security Risk AssessmentPrecisely
 
Cybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchCybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchMcKonly & Asbury, LLP
 
Scalar Security Roadshow April 2015
Scalar Security Roadshow April 2015Scalar Security Roadshow April 2015
Scalar Security Roadshow April 2015Scalar Decisions
 
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptxthreat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptxImXaib
 
Open Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesBlack Duck by Synopsys
 
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptxColorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptxAkramAlqadasi1
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubKaushal Trivedi
 
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...Knoldus Inc.
 
5 Steps to an Effective Vulnerability Management Program
5 Steps to an Effective Vulnerability Management Program5 Steps to an Effective Vulnerability Management Program
5 Steps to an Effective Vulnerability Management ProgramTripwire
 
Third Party Security Testing for Advanced Metering Infrastructure Program
Third Party Security Testing for Advanced Metering Infrastructure ProgramThird Party Security Testing for Advanced Metering Infrastructure Program
Third Party Security Testing for Advanced Metering Infrastructure ProgramEnergySec
 

Similar to IT Best Practices IT Security Assessments 2010 (20)

Module 6.pptx
Module 6.pptxModule 6.pptx
Module 6.pptx
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshop
 
Risk Assessment Methodologies
Risk Assessment MethodologiesRisk Assessment Methodologies
Risk Assessment Methodologies
 
Assessing System Risk the Smart Way
Assessing System Risk the Smart WayAssessing System Risk the Smart Way
Assessing System Risk the Smart Way
 
Internal Controls Over Information Systems
Internal Controls Over Information Systems Internal Controls Over Information Systems
Internal Controls Over Information Systems
 
Greenbone vulnerability assessment - Networkshop44
Greenbone vulnerability assessment - Networkshop44Greenbone vulnerability assessment - Networkshop44
Greenbone vulnerability assessment - Networkshop44
 
Enterprise IT Security| CIO Innovation and Leadership
Enterprise IT Security| CIO Innovation and LeadershipEnterprise IT Security| CIO Innovation and Leadership
Enterprise IT Security| CIO Innovation and Leadership
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions Today
 
Introducing Assure Security Risk Assessment
Introducing Assure Security Risk AssessmentIntroducing Assure Security Risk Assessment
Introducing Assure Security Risk Assessment
 
Cybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchCybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect Match
 
Scalar Security Roadshow April 2015
Scalar Security Roadshow April 2015Scalar Security Roadshow April 2015
Scalar Security Roadshow April 2015
 
Vapt life cycle
Vapt life cycleVapt life cycle
Vapt life cycle
 
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptxthreat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
 
Open Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best Practices
 
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptxColorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit Club
 
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
 
5 Steps to an Effective Vulnerability Management Program
5 Steps to an Effective Vulnerability Management Program5 Steps to an Effective Vulnerability Management Program
5 Steps to an Effective Vulnerability Management Program
 
Third Party Security Testing for Advanced Metering Infrastructure Program
Third Party Security Testing for Advanced Metering Infrastructure ProgramThird Party Security Testing for Advanced Metering Infrastructure Program
Third Party Security Testing for Advanced Metering Infrastructure Program
 
Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30
 

More from Donald E. Hester

Cybersecurity for Local Gov for SAMFOG
Cybersecurity for Local Gov for SAMFOGCybersecurity for Local Gov for SAMFOG
Cybersecurity for Local Gov for SAMFOGDonald E. Hester
 
2017 IT Control Environment for Local Gov
2017 IT Control Environment for Local Gov2017 IT Control Environment for Local Gov
2017 IT Control Environment for Local GovDonald E. Hester
 
What you Need To Know About Ransomware
What you Need To Know About RansomwareWhat you Need To Know About Ransomware
What you Need To Know About RansomwareDonald E. Hester
 
CNT 54 Administering Windows Client
CNT 54 Administering Windows ClientCNT 54 Administering Windows Client
CNT 54 Administering Windows ClientDonald E. Hester
 
2016 Maze Live Fraud Environment
2016 Maze Live Fraud Environment2016 Maze Live Fraud Environment
2016 Maze Live Fraud EnvironmentDonald E. Hester
 
2016 Maze Live Changes in Grant Management and How to Prepare for the Single ...
2016 Maze Live Changes in Grant Management and How to Prepare for the Single ...2016 Maze Live Changes in Grant Management and How to Prepare for the Single ...
2016 Maze Live Changes in Grant Management and How to Prepare for the Single ...Donald E. Hester
 
2016 Maze Live Cyber-security for Local Governments
2016 Maze Live Cyber-security for Local Governments2016 Maze Live Cyber-security for Local Governments
2016 Maze Live Cyber-security for Local GovernmentsDonald E. Hester
 
GASB 68 and 71 Planning for the Second Year
GASB 68 and 71 Planning for the Second YearGASB 68 and 71 Planning for the Second Year
GASB 68 and 71 Planning for the Second YearDonald E. Hester
 
Implementing GASB 72: Fair Value Measurement and Application
Implementing GASB 72: Fair Value Measurement and ApplicationImplementing GASB 72: Fair Value Measurement and Application
Implementing GASB 72: Fair Value Measurement and ApplicationDonald E. Hester
 
2016 Maze Live 1 GASB update
2016 Maze Live 1 GASB update2016 Maze Live 1 GASB update
2016 Maze Live 1 GASB updateDonald E. Hester
 
Cyber Security for Local Gov SAMFOG
Cyber Security for Local Gov SAMFOGCyber Security for Local Gov SAMFOG
Cyber Security for Local Gov SAMFOGDonald E. Hester
 
Annual Maze Live Event 2016 – GASB Updates & Best Practices
Annual Maze Live Event 2016 – GASB Updates & Best Practices Annual Maze Live Event 2016 – GASB Updates & Best Practices
Annual Maze Live Event 2016 – GASB Updates & Best Practices Donald E. Hester
 
Payment Card Cashiering for Local Governments 2016
Payment Card Cashiering for Local Governments 2016Payment Card Cashiering for Local Governments 2016
Payment Card Cashiering for Local Governments 2016Donald E. Hester
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize Donald E. Hester
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 15: Incident ...
Understanding the Risk Management Framework & (ISC)2 CAP Module 15: Incident ...Understanding the Risk Management Framework & (ISC)2 CAP Module 15: Incident ...
Understanding the Risk Management Framework & (ISC)2 CAP Module 15: Incident ...Donald E. Hester
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 14: Security ...
Understanding the Risk Management Framework & (ISC)2 CAP Module 14: Security ...Understanding the Risk Management Framework & (ISC)2 CAP Module 14: Security ...
Understanding the Risk Management Framework & (ISC)2 CAP Module 14: Security ...Donald E. Hester
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 13: Contingen...
Understanding the Risk Management Framework & (ISC)2 CAP Module 13: Contingen...Understanding the Risk Management Framework & (ISC)2 CAP Module 13: Contingen...
Understanding the Risk Management Framework & (ISC)2 CAP Module 13: Contingen...Donald E. Hester
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 11: Monitor
Understanding the Risk Management Framework & (ISC)2 CAP Module 11: MonitorUnderstanding the Risk Management Framework & (ISC)2 CAP Module 11: Monitor
Understanding the Risk Management Framework & (ISC)2 CAP Module 11: MonitorDonald E. Hester
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 12: Cloud Com...
Understanding the Risk Management Framework & (ISC)2 CAP Module 12: Cloud Com...Understanding the Risk Management Framework & (ISC)2 CAP Module 12: Cloud Com...
Understanding the Risk Management Framework & (ISC)2 CAP Module 12: Cloud Com...Donald E. Hester
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement ...
Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement ...Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement ...
Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement ...Donald E. Hester
 

More from Donald E. Hester (20)

Cybersecurity for Local Gov for SAMFOG
Cybersecurity for Local Gov for SAMFOGCybersecurity for Local Gov for SAMFOG
Cybersecurity for Local Gov for SAMFOG
 
2017 IT Control Environment for Local Gov
2017 IT Control Environment for Local Gov2017 IT Control Environment for Local Gov
2017 IT Control Environment for Local Gov
 
What you Need To Know About Ransomware
What you Need To Know About RansomwareWhat you Need To Know About Ransomware
What you Need To Know About Ransomware
 
CNT 54 Administering Windows Client
CNT 54 Administering Windows ClientCNT 54 Administering Windows Client
CNT 54 Administering Windows Client
 
2016 Maze Live Fraud Environment
2016 Maze Live Fraud Environment2016 Maze Live Fraud Environment
2016 Maze Live Fraud Environment
 
2016 Maze Live Changes in Grant Management and How to Prepare for the Single ...
2016 Maze Live Changes in Grant Management and How to Prepare for the Single ...2016 Maze Live Changes in Grant Management and How to Prepare for the Single ...
2016 Maze Live Changes in Grant Management and How to Prepare for the Single ...
 
2016 Maze Live Cyber-security for Local Governments
2016 Maze Live Cyber-security for Local Governments2016 Maze Live Cyber-security for Local Governments
2016 Maze Live Cyber-security for Local Governments
 
GASB 68 and 71 Planning for the Second Year
GASB 68 and 71 Planning for the Second YearGASB 68 and 71 Planning for the Second Year
GASB 68 and 71 Planning for the Second Year
 
Implementing GASB 72: Fair Value Measurement and Application
Implementing GASB 72: Fair Value Measurement and ApplicationImplementing GASB 72: Fair Value Measurement and Application
Implementing GASB 72: Fair Value Measurement and Application
 
2016 Maze Live 1 GASB update
2016 Maze Live 1 GASB update2016 Maze Live 1 GASB update
2016 Maze Live 1 GASB update
 
Cyber Security for Local Gov SAMFOG
Cyber Security for Local Gov SAMFOGCyber Security for Local Gov SAMFOG
Cyber Security for Local Gov SAMFOG
 
Annual Maze Live Event 2016 – GASB Updates & Best Practices
Annual Maze Live Event 2016 – GASB Updates & Best Practices Annual Maze Live Event 2016 – GASB Updates & Best Practices
Annual Maze Live Event 2016 – GASB Updates & Best Practices
 
Payment Card Cashiering for Local Governments 2016
Payment Card Cashiering for Local Governments 2016Payment Card Cashiering for Local Governments 2016
Payment Card Cashiering for Local Governments 2016
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 15: Incident ...
Understanding the Risk Management Framework & (ISC)2 CAP Module 15: Incident ...Understanding the Risk Management Framework & (ISC)2 CAP Module 15: Incident ...
Understanding the Risk Management Framework & (ISC)2 CAP Module 15: Incident ...
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 14: Security ...
Understanding the Risk Management Framework & (ISC)2 CAP Module 14: Security ...Understanding the Risk Management Framework & (ISC)2 CAP Module 14: Security ...
Understanding the Risk Management Framework & (ISC)2 CAP Module 14: Security ...
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 13: Contingen...
Understanding the Risk Management Framework & (ISC)2 CAP Module 13: Contingen...Understanding the Risk Management Framework & (ISC)2 CAP Module 13: Contingen...
Understanding the Risk Management Framework & (ISC)2 CAP Module 13: Contingen...
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 11: Monitor
Understanding the Risk Management Framework & (ISC)2 CAP Module 11: MonitorUnderstanding the Risk Management Framework & (ISC)2 CAP Module 11: Monitor
Understanding the Risk Management Framework & (ISC)2 CAP Module 11: Monitor
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 12: Cloud Com...
Understanding the Risk Management Framework & (ISC)2 CAP Module 12: Cloud Com...Understanding the Risk Management Framework & (ISC)2 CAP Module 12: Cloud Com...
Understanding the Risk Management Framework & (ISC)2 CAP Module 12: Cloud Com...
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement ...
Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement ...Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement ...
Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement ...
 

Recently uploaded

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 

Recently uploaded (20)

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

IT Best Practices IT Security Assessments 2010

  • 1. Donald Hester October 21, 2010 For audio call Toll Free 1-888-886-3951 and use PIN/code 158313 IT Best Practices: IT Security Assessments
  • 2. • Maximize your CCC Confer window. • Phone audio will be in presenter-only mode. • Ask questions and make comments using the chat window. Housekeeping
  • 3. Adjusting Audio 1) If you’re listening on your computer, adjust your volume using the speaker slider. 2) If you’re listening over the phone, click on phone headset. Do not listen on both computer and phone.
  • 4. Saving Files & Open/close Captions 1. Save chat window with floppy disc icon 2. Open/close captioning window with CC icon
  • 5. Emoticons and Polling 1) Raise hand and Emoticons 2) Polling options
  • 6. Donald Hester IT Best Practices: IT Security Assessments
  • 7. Donald E. Hester CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+ Director, Maze & Associates University of San Francisco / San Diego City College / Los Positas College www.LearnSecurity.org http://www.linkedin.com/in/donaldehester http://www.facebook.com/group.php?gid=245570977486 Email: DonaldH@MazeAssociates.com
  • 8. Situation  Organizations are becoming increasingly dependent on technology and the Internet  The loss of technology or the Internet would bring operations to a halt  The need for security increases as our dependence on technology increases  Management wants to have assurance that technology has the attention it deserves8
  • 9. Questions  Does our current security posture address what we are trying to protect?  Do we know what we need to protect?  Where can we improve?  Where do we start?  Are we compliant with laws, rules, contracts and organizational policies?  What are your risks? 9
  • 10. Reason  Provide Assurance  Demonstrate due diligence  Make risk based decisions 10
  • 11. Terms  Assessment  Audit  Review  ST&E = Security Test & Evaluation  Testing  Evaluation 11
  • 13. Common Types of Assessments  Vulnerability Assessment  Penetration Test  Application Assessment  Code Review  Standard Audit/Review  Compliance Assessment/Audit  Configuration Audit  Wireless Assessment  Physical/Environmental Assessment  Policy Assessment 13
  • 14. Determine your Scope  What will be the scope of the assessment? • Network (Pen Test, Vul Scan, wireless) • Application (Code or Vul scan) • Process (business or automated)  How critical is the system you are assessing? • High, medium – use independent assessor • Low – self assessment 14
  • 15. Identify and Select Automated Tools  Computer Assisted Audit Techniques or Computer Aided Audit Tools (CAATS)  Computer Assisted Audit Tools and Techniques (CAATTs) • SQL queries • Scanners • Excel programs • Live CDs • Checklists 15
  • 16. Checklists  AuditNet • www.auditnet.org  ISACA & IIA • Member Resources  DoD Checklists • iase.disa.mil/stigs/checklist/  NIST Special Publications • csrc.nist.gov/publications/PubsSPs.html 16
  • 17. Live CD Distributions for Security Testing  BackTrack  Knoppix Security Tool Distribution  F.I.R.E.  Helix 17
  • 18. Review Techniques  Documentation Review  Log Review  Ruleset Review  System Configuration Review  Network Sniffing  File Integrity Checking 18
  • 19. Target Identification and Analysis Techniques  Network Discovery  Network Port and Service Identification • OS fingerprinting  Vulnerability Scanning  Wireless Scanning • Passive Wireless Scanning • Active Wireless Scanning • Wireless Device Location Tracking (Site Survey) • Bluetooth Scanning • Infrared Scanning 19
  • 20. Target Vulnerability Validation Techniques  Password Cracking • Transmission / Storage  Penetration Testing • Automated / Manual  Social Engineering • Phishing 20
  • 21. Checklists / MSAT  Microsoft Security Assessment Tool (MSAT) 21
  • 23. Test Types  Black Box Testing • Assessor starts with no knowledge  White Box Testing • Assessor starts with knowledge of the system, i.e. the code  Grey Box Testing • Assessor has some knowledge, not completely blind 23
  • 24. Verification Testing Input • Data Entry Data Collection • Database Storage Output • Reports 24 Verification Match
  • 25. Application testing  Code Review • Automated/Manual  Vulnerability scanning  Configuration review  Verification testing  Authentication  Information leakage  Input/output Manipulation 25
  • 26. Database Auditing  Native Audit (Provided by DB)  SIEM & Log Management  Database Activity Monitoring  Database Audit Platforms • Remote journaling & analytics  Compliance testing  Performance 26
  • 27. Intrusion Detection/Prevention  Configuration  Verification testing  Log and Alert review 27
  • 28. 28
  • 29. EMR Testing  Electromagnetic Radiation  Emissions Security (EMSEC)  Van Eck phreaking  Tempest  Tempest surveillance prevention  Faraday Cage 29
  • 30. Green Computing  Assessment on the use of resources  Power Management  Virtualization Assessment 30
  • 31. Business Continuity  Plan Testing, Training, and Exercises (TT&E)  Tabletop Exercises • Checklist Assessment • Walk Through  Functional Exercises • Remote Recovery • Full Interruption Test 31
  • 32. Vulnerability Scanning  Vulnerability: Weakness in an information system, or in system security procedures, internal controls, or implementation, that could be exploited or triggered by a threat source.  Vulnerability Scanning: A technique used to identify hosts/host attributes and associated vulnerabilities. (Technical) 32
  • 33. MBSA  Microsoft Baseline Security Analyzer 2.2 33
  • 35. External and Internal 35 Where is the best place to scan from? External scan found 2 critical vulnerabilities Internal scan found 15 critical vulnerabilities
  • 37. Red, White and Blue Teams 37 Penetration Testers Incident Responders Mimic real-world attacks Unannounced Observers and Referees
  • 38. Red and Blue Teams 38 Penetration Testers Incident Responders Mimic real-world attacks Announced
  • 41. Vulnerability Information  Open Source Vulnerability DB • http://osvdb.org/  National Vulnerability Database • http://nvd.nist.gov/  Common Vulnerabilities and Exposures • http://cve.mitre.org/  Exploit Database • http://www.exploit-db.com/ 41
  • 42. Physical Assessments  Posture Review  Access Control Testing  Perimeter review  Monitoring review  Alarm Response review  Location review (Business Continuity)  Environmental review (AC / UPS) 42
  • 44. Assessor Competence  Priority Certifications • Certified Information Systems Auditor (CISA)* • GIAC Systems and Network Auditor (GSNA)  Secondary Certifications • Vendor Neutral: CISSP, Security+, GIAC, CISM, etc… • Vendor Specific: Microsoft, Cisco, etc… 44 *GAO 65% of audit staff to be CISA
  • 45. Legal Considerations  At the discretion of the organization  Legal Review • Reviewing the assessment plan • Providing indemnity or limitation of liability clauses (Insurance) • Particularly for tests that are intrusive • Nondisclosure agreements • Privacy concerns 45
  • 46. Post-Testing Activities  Mitigation Recommendations • Technical, Managerial or Operational  Reporting • Draft and Final Reports  Remediation / Mitigation • Not enough to finds problems need to have a process to fix them 46
  • 47. Organizations that can help  Information Systems Audit and Control Association (ISACA)  American Institute of Certified Public Accountants (AICPA)  Institute of Internal Auditors (IIA)  SANS  National State Auditors Association (NSAA)  U.S. Government Accountability Office (GAO) 47
  • 48. Resources  Gartner Report on Vulnerability Assessment Tools  Twenty Critical Controls for Effective Cyber Defense 48
  • 49. Donald E. Hester CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+ Director, Maze & Associates University of San Francisco / San Diego City College / Los Positas College www.LearnSecurity.org http://www.linkedin.com/in/donaldehester http://www.facebook.com/group.php?gid=245570977486 Email: DonaldH@MazeAssociates.com
  • 50. Evaluation Survey Link Help us improve our seminars by filing out a short online evaluation survey at: http://www.surveymonkey.com/s/IT-SecurityAssessments
  • 51. Thanks for attending For upcoming events and links to recently archived seminars, check the @ONE Web site at: http://onefortraining.org/ IT Best Practices: IT Security Assessments