For more info on pen testing: securitymetrics.com/sm/pub/penetrationtesting
For more info on vulnerability scanning: securitymetrics.com/sm/pub/vulnerabilityscanning
Even the most experienced administrators may fail to implement the latest secure practices at your business. The easiest and most accurate way to discover whether your business is secure enough to withstand a hack is to test it through the eyes of a hacker. An ethical hacker is simply a computer bodyguard who manually examines a business environment for weaknesses via a penetration test and determines which weaknesses he can exploit. Discover how penetration testers search for vulnerabilities using the latest hacking techniques, and learn how to batten down your organizational hatches with penetration testing and vulnerability scanning.
Presentation Description: What is expected of a vendor's network security? How do you ensure your company is meeting essential security requirements? With payments security expert Gary Glover, attendees will explore the benefits, limitations, processes, and business relevancy of vulnerability scanning and penetration testing.
How do you figure out if you're safe? What is expected?
• If data is compromised, ignorance will not be an effective excuse
• Even if you might not deal with critical data yourself, it is essential to check all environments
• VA and penetration testing are the most thorough
Cost: the average pen test is $5-10k, while a vulnerability scan is only a couple hundred bucks. Another benefit: if you have a ton of networks set up exactly the same, you can just sample a few instead of paying to test them all (a VA scan is required to test them all).
Manual testing is the main difference between VA scanning and pen testing.
• Ruling out false positives: an automated scan is only as good as its code; a pen tester can manually prove that a finding is a false positive.
• Thoroughness: automated tools struggle here; a real person can completely review the target scope.
• Exploitation: if an analyst finds an issue, they can determine the inherent risk of that issue at that time.
• Most automated scans can't authenticate. They work from an external perspective and are not usually given login credentials to authenticate and look into internal applications.
Talk about how these two work together! They need both!
• Network security testing is required for Payment Card Industry Data Security Standard compliance
• Database exploitation: pen testers are able to obtain full credit card data, full customer contact info, trade secrets, and social security numbers within a matter of days
• In 90% of cases where SQL injection is present, SecurityMetrics penetration testers can get inside the database
About Us
> Assisted >1 million merchants
> Largest PCI support staff worldwide
> Certified as ASV, PFI, QSA, PA QSA
> Member of PCI Security Standards Council task forces and special interest groups
> Performs on-site auditing, forensic investigations, penetration testing, vulnerability scanning, security consulting, PCI compliance
> Offers network security devices, data discovery software
Testing Network Security
• 93% of large organisations and 76% of small businesses experienced a security breach in 2011 (Information Security Breaches Survey, 2012)
• Compromise costs
 – Financial penalties
 – Average organisational cost $5.5 million (Ponemon Institute, 2012)
 – Significant loss of reputation/brand trust
• Various ways to test network security
 – Vulnerability scan (most thorough)
 – Penetration test
 – Anti-virus/malware software
 – Appliances (Intrusion Prevention Systems)
 – Spyware
Vulnerability Scan (VA scan)
An automated, high-level test
• Should be conducted by a company with accreditation (i.e., PCI SSC Approved Scanning Vendor)
• Identifies network weaknesses and ranks how critical they are
• Gives a beginning look at what possibly could be exploited
• Good VA scan searches for over 50,000 vulnerabilities
Process
• Automatic network scans on a quarterly basis
• Report of weaknesses, false positives
• Weaknesses patched on a prioritised basis
Benefits
• Quick high-level look at possible vulnerabilities
• Very affordable
• Automatic
• Takes a matter of minutes
Limitations
• Sometimes the test falsely classifies an object as a vulnerability (false positive)
• Manually check each vulnerability before testing again
• Internal
Penetration Test
An exhaustive, live examination
• Live attempt to exploit vulnerabilities
• Analyst takes on "hacker" role
• Try to fake passwords, manipulate code, fool web servers into giving sensitive information
Process
• Run automatic vulnerability scan
• Follow up on reported vulnerabilities
• Prove the vulnerability can be exploited
• Internal and external testing
 – External: perspective of a hacker over the Internet
 – Internal: perspective of someone within the network
• Report findings and recommendations per target
Benefits
• More accurate, thorough than VA scan
• Manual: a live analyst reviews the logic of the application and determines how to leverage access
• Rules out false positives
Limitations
• Time (1 day to 3 weeks)
• Cost
Conclusion
• Computer intrusion was responsible for 83% of the total reported exposed records in 2011 and 1/3 of total breaches. – Data Breach Intelligence Report, 2012
"History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It's always better to assume the worst... Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did." – Bruce Schneier: cryptographer, security expert