1.
Network SecurityVulnerability Scanning & Penetration Testing

2.
About Us> Assisted >1 million merchants> Largest PCI support staff worldwide> Certified as ASV, PFI, QSA, PA QSA> Member of PCI Security Standard Counciltask forces and special interest groups> Performs on-site auditing, forensicinvestigations, penetration testing,vulnerability scanning, security consulting,PCI compliance> Offers network security devices, datadiscovery software

3.
Testing Network Security• 93 % of large organisations and 76% of small businesses experienced a security breach in 2011 (Information Security Breaches Survey, 2012)• Compromise costs • Financial penalties • Average organisational cost $5.5 million (Ponemon Institute, 2012) • Significant loss of reputation/brand trust• Various ways to test network security – Vulnerability scan (most thorough) – Penetration test – Anti-virus/malware software – Appliances (Intrusion Prevention Systems) – Spyware

4.
Vulnerability Scan (VA scan)An automated, high-level test Process • Should be conducted by a company with accreditation• Identifies network weaknesses (i.e., PCI SSC Approved Scanning Vendor) and ranks how critical they are • Automatic network scans on a quarterly basis• Gives a beginning look at what • Report of weaknesses, false positives possibly could be exploited • Weaknesses patched on a prioritised basis • Good VA scan searches for over 50,000 vulnerabilities Benefits • Quick high-level look at possible vulnerabilities • Very affordable • Automatic • Takes a matter of minutes Limitations • Sometimes test falsely classifies object as a vulnerability (false positive) Internal • Manually check each vulnerability before testing again

5.
Penetration Test An exhaustive, live examination Process• Live attempt to exploit • Run automatic vulnerability scan vulnerabilities • Follow up on reported vulnerabilities• Analyst takes on “hacker” role • Prove the vulnerability can be exploited• Try to fake passwords, manipulate • Internal and external testing code, fool web servers into giving •External- perspective of an hacker over Internet sensitive information •Internal- perspective of someone within network • Report findings and recommendations per target Benefits • More accurate, thorough than VA scan • Manual: Live analyst reviews the logic of the application and determines how to leverage access • Rules out false positives Limitations • Time (1 day to 3 weeks) • Cost

6.
ComparisonVulnerability Scan Penetration Test• Automated • Manual (main difference)• Minutes • Days• Scheduled • Annually (after significant change)• Passive • Aggressive• Report false positives • Rules out false positives• Programmed • Intuitive• Identical scans • Accurate/thorough• N/A • ExploitationBoth tests work together to encourage optimal network security

7.
Conclusion• Computer intrusion was responsible for 83% of the total reported exposed records in 2011 and 1/3 total breaches. – Data Breach Intelligence Report, 2012 “History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. Its always better to assume the worst…Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, youll be glad you did.” -Bruce Schneier: cryptographer, security expert