1.
Network Security
Vulnerability Scanning & Penetration Testing

2.
About Us
> Assisted >1 million merchants
> Largest PCI support staff worldwide
> Certified as ASV, PFI, QSA, PA QSA
> Member of PCI Security Standard Council
task forces and special interest groups
> Performs on-site auditing, forensic
investigations, penetration testing,
vulnerability scanning, security consulting,
PCI compliance
> Offers network security devices, data
discovery software

3.
Testing Network Security
• 93 % of large organisations and 76% of small
businesses experienced a security breach in 2011
(Information Security Breaches Survey, 2012)
• Compromise costs
• Financial penalties
• Average organisational cost $5.5 million
(Ponemon Institute, 2012)
• Significant loss of reputation/brand trust
• Various ways to test network security
– Vulnerability scan (most thorough)
– Penetration test
– Anti-virus/malware software
– Appliances (Intrusion Prevention Systems)
– Spyware

4.
Vulnerability Scan (VA scan)
An automated, high-level test
Process
• Should be conducted by a company with accreditation
• Identifies network weaknesses (i.e., PCI SSC Approved Scanning Vendor)
and ranks how critical they are • Automatic network scans on a quarterly basis
• Gives a beginning look at what • Report of weaknesses, false positives
possibly could be exploited • Weaknesses patched on a prioritised basis
• Good VA scan searches for over 50,000 vulnerabilities
Benefits
• Quick high-level look at possible vulnerabilities
• Very affordable
• Automatic
• Takes a matter of minutes
Limitations
• Sometimes test falsely classifies object as a
vulnerability (false positive)
Internal • Manually check each vulnerability before testing again

5.
Penetration Test
An exhaustive, live examination
Process
• Live attempt to exploit • Run automatic vulnerability scan
vulnerabilities • Follow up on reported vulnerabilities
• Analyst takes on “hacker” role • Prove the vulnerability can be exploited
• Try to fake passwords, manipulate • Internal and external testing
code, fool web servers into giving •External- perspective of an hacker over Internet
sensitive information •Internal- perspective of someone within network
• Report findings and recommendations per target
Benefits
• More accurate, thorough than VA scan
• Manual: Live analyst reviews the logic of the
application and determines how to leverage access
• Rules out false positives
Limitations
• Time (1 day to 3 weeks)
• Cost

6.
Comparison
Vulnerability Scan Penetration Test
• Automated • Manual (main difference)
• Minutes • Days
• Scheduled • Annually (after significant change)
• Passive • Aggressive
• Report false positives • Rules out false positives
• Programmed • Intuitive
• Identical scans • Accurate/thorough
• N/A • Exploitation
Both tests work together to encourage optimal network security

7.
Conclusion
• Computer intrusion was responsible for 83% of the total
reported exposed records in 2011 and 1/3 total
breaches.
– Data Breach Intelligence Report, 2012
“History has taught us: never underestimate
the amount of money, time, and effort
someone will expend to thwart a security
system. It's always better to assume the
worst…Give yourself a margin for error. Give
yourself more security than you need today.
When the unexpected happens, you'll be
glad you did.”
-Bruce Schneier: cryptographer, security expert