SlideShare a Scribd company logo

Penetration testing as an internal audit activity

Transcendent Group
Transcendent Group

Penetration testing as an internal audit activity, at the ECIIA conference in Stockholm, October 6th 2016. Speaker: Carsten Maartmann-Moe

Business
1 of 23
Download to read offline
Penetration testing as an internal audit activity ECIIA conference, Stockholm, October 6th 2016
Who am I? • I’m a hacker • I’ve hacked applications, networks, trains, lottery machines, routers, laptops, ATM:s, wireless networks, cell phones, embedded systems, production plants, stock exchanges and more… • …all with permission, which makes me a penetration tester • a fair share of the penetration tests I’ve performed were as a part of internal audits. ©TranscendentGroup2016
What is penetration testing? A point-in-time assessment of quality of the implemented security controls within the scope of testing. ©TranscendentGroup2016
The burning question ©TranscendentGroup2016 Are we secure?
Unfortunately, the questions answered by a penetration test are: ©TranscendentGroup2016 How vulnerable is application X? Is detection and response effective? Are our employees aware and alert? Where are we most vulnerable? Are our preventive controls effective? Are our user’s passwords strong? quite no no your entire intranet no no
An analogy: Your house ©TranscendentGroup2016 door sensor front door key alarm sensors CCTV camera
The burning question, modified ©TranscendentGroup2016 Are we secure enough?
What to ask instead ©TranscendentGroup2016 Are we robust, capable, and continuously improving? • prevention • detection • response• organized • funded • right competencies • right tools and data • aligned to the business • goal-oriented • measuring and adapting to both needs and risks
Internal audit’s role as per TLD ©TranscendentGroup2016 The third line of defence – internal audit – is responsible for ensuring that the first and second lines are functioning as designed.
What to consider ©TranscendentGroup2016
What to consider Planning • audit objective • sourcing • engage IT/service provider Execution • help the pentesters translate technical risk to business risk Reporting • do root cause analysis ©TranscendentGroup2016
Planning and scoping • First: Ask yourself if a pentest is really a good idea? • Second: What is the question to be answered by the test? • Engage and alert your IT security function and service provider. • Make sure the consultants understand the high-level concepts of your business. ©TranscendentGroup2016 Planning Execution Reporting
Tips on sourcing • You’ll get what you pay for. • Choose a preferred vendor, and stick with it. • Hire people, not brand: look for experience. • Certifications to look for: CEH, GIAC certs (GWAPT, GPEN, etcetera). ©TranscendentGroup2016 Planning Execution Reporting
Execution • Don’t force your pentesters to go through detailed checklists of what to do/not to do unless absolutely necessary. • Help the pentesters escalate issues. • Set aside time for root cause analysis with the part of the business that has been audited. ©TranscendentGroup2016 Planning Execution Reporting
Reporting What to expect: • too technical, unstructured reports • doom and gloom • no business risks • mistaking exploitable technical vulnerabilities for critical business risks How to manage: • keep your eye on the audit objective • make the pentesters rate the difficulty of getting in • challenge, challenge, challenge • understand that it is difficult for an external party to gauge your business risk • uon’t skip root cause analysis ©TranscendentGroup2016 Planning Execution Reporting
A word on reporting ©TranscendentGroup2016
Root causes ©TranscendentGroup2016
Example from a pentest: passwords 485 142 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Percentage of passwords cracked Cracked Not cracked ©TranscendentGroup2016 • We were able to crack 77 % of all passwords within 24 hours with a standard issue laptop. • 84 % of the passwords followed the format «string + number + special character». Examples: Summer2016! (pentest performed at summer), Beograd02! (variant of the first password given by the help desk to new users).
5 whys Q: Why are our user’s passwords easy to crack? A: Because they are short and easy to guess. Q: Why are they short and easy to guess? A: Users don’t know what constitutes a strong password, and create short and easy to guess ones because they are also easy to remember. Q: So why do they have trouble remembering their passwords? A: Each user have 5+ different passwords they need to remember to perform their job. We also force them to change their password every 90. days. Q: Why do we force them to change their password? A: … I really don’t know, good practice I guess? Not sure if it creates stronger passwords, though… Q: Why not? A: Well, everybody just creates systems to avoid forgetting the new password. If your first password was “Beograd01!”, your second will be “Beograd02!” and so on. There’s not much security in that. ©TranscendentGroup2016
5 why’s Q: Why did this SQL injection vulnerability occur? A: Because it’s a legacy back-end application that has been exposed to the Internet. Q: Why was it exposed to the Internet? B: To drive and support business initiative X, which requires customer interaction with the system. Q: So why weren’t the project behind business initiative X aware of the vulnerabilities? A: Well, we [the dev team] suspected that the application had substandard security, but there was no one on the team that had the knowledge or time to have an in-depth look. Q: Why? A: Because there’s not allocated any resources to security in our project. Q: Why are there no resources? A: I guess it’s just not budgeted for, or that the business just thinks of it as something the developers and sysadmins should fix as a part of the job. But no one has been given training, and if you look at the project plans, there’s not an hour dedicated to security. ©TranscendentGroup2016
Summary ©TranscendentGroup2016
Internal audit penetration testing can cause significant security improvement • Penetration testing does not answer the «Are we secure?» question, but provides symptoms of internal control failure. • Pentesting can provide concrete and measurable risk reduction and spark significant improvement initiatives. • Engage with your IT function/service provider/preferred consultants to evaluate the best way to leverage these types of services for your business. ©TranscendentGroup2016
www.transcendentgroup.com

Recommended

Tentang ma'rifatullah 3
Tentang ma'rifatullah 3Tentang ma'rifatullah 3
Tentang ma'rifatullah 3Fitri Indra Wardhono
 
The Dark Side of Certificate Transparency
The Dark Side of Certificate TransparencyThe Dark Side of Certificate Transparency
The Dark Side of Certificate TransparencyAan
 
Prezentacja szkolna
Prezentacja szkolnaPrezentacja szkolna
Prezentacja szkolnaJedyneczka
 
Application security
Application securityApplication security
Application securityHagar Alaa el-din
 
Phishing
PhishingPhishing
Phishingguicelacatalina
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical HackingRaghav Bisht
 
Hacking
HackingHacking
HackingSharique Masood
 
Cyber Security
Cyber SecurityCyber Security
Cyber SecurityNcell
 

Recommended

Tentang ma'rifatullah 3
Tentang ma'rifatullah 3Tentang ma'rifatullah 3
Tentang ma'rifatullah 3Fitri Indra Wardhono
 
The Dark Side of Certificate Transparency
The Dark Side of Certificate TransparencyThe Dark Side of Certificate Transparency
The Dark Side of Certificate TransparencyAan
 
Prezentacja szkolna
Prezentacja szkolnaPrezentacja szkolna
Prezentacja szkolnaJedyneczka
 
Application security
Application securityApplication security
Application securityHagar Alaa el-din
 
Phishing
PhishingPhishing
Phishingguicelacatalina
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical HackingRaghav Bisht
 
Hacking
HackingHacking
HackingSharique Masood
 
Cyber Security
Cyber SecurityCyber Security
Cyber SecurityNcell
 
Cyber crime and security
Cyber crime and securityCyber crime and security
Cyber crime and securitySharath Raj
 
Insider threat
Insider threatInsider threat
Insider threatARCON TECHSOLUTIONS
 
Anti phishing
Anti phishingAnti phishing
Anti phishingShethwala Ridhvesh
 
Pengalaman batin, khouf, mahabbah, fana, ma;rifat
Pengalaman batin, khouf, mahabbah, fana, ma;rifatPengalaman batin, khouf, mahabbah, fana, ma;rifat
Pengalaman batin, khouf, mahabbah, fana, ma;rifatYuliana Aminulloh
 
Cse ethical hacking ppt
Cse ethical hacking pptCse ethical hacking ppt
Cse ethical hacking pptshreya_omar
 
HACKING
HACKINGHACKING
HACKINGD's Surti
 
Ransomware and tips to prevent ransomware attacks
Ransomware and tips to prevent ransomware attacksRansomware and tips to prevent ransomware attacks
Ransomware and tips to prevent ransomware attacksdinCloud Inc.
 
Design and Implementation of a Secure File Sharing Transfer
Design and Implementation of a Secure File Sharing TransferDesign and Implementation of a Secure File Sharing Transfer
Design and Implementation of a Secure File Sharing TransferDebabrata Halder
 
Ethical hacking introduction to ethical hacking
Ethical hacking introduction to ethical hackingEthical hacking introduction to ethical hacking
Ethical hacking introduction to ethical hackingmissstevenson01
 
Web Proxy Server
Web Proxy ServerWeb Proxy Server
Web Proxy ServerMohit Dhankher
 
Understanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationUnderstanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationPECB
 
NETWORK SECURITY
NETWORK SECURITYNETWORK SECURITY
NETWORK SECURITYafaque jaya
 
Cyber Crime - What is Cyber Crime
Cyber Crime - What is Cyber CrimeCyber Crime - What is Cyber Crime
Cyber Crime - What is Cyber CrimeAdeel Rasheed
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test ProfessionalsTechWell
 
Dark wed
Dark wedDark wed
Dark wedAraVind Pillai
 
Phishing, Smishing and vishing_ How these cyber attacks work and how to preve...
Phishing, Smishing and vishing_ How these cyber attacks work and how to preve...Phishing, Smishing and vishing_ How these cyber attacks work and how to preve...
Phishing, Smishing and vishing_ How these cyber attacks work and how to preve...Okan YILDIZ
 
Cyber safety 101
Cyber safety 101Cyber safety 101
Cyber safety 101Manjula Sridhar
 
Bezpieczeństwo w Internecie
Bezpieczeństwo w InternecieBezpieczeństwo w Internecie
Bezpieczeństwo w Interneciesp2zabki
 
Measuring the IQ of your Threat Intelligence Feeds (#tiqtest)
Measuring the IQ of your Threat Intelligence Feeds (#tiqtest)Measuring the IQ of your Threat Intelligence Feeds (#tiqtest)
Measuring the IQ of your Threat Intelligence Feeds (#tiqtest)Alex Pinto
 
Security testing vikesh kumar
Security testing vikesh kumarSecurity testing vikesh kumar
Security testing vikesh kumarVikesh Kumar
 
Frukostseminarium om finansiell brottslighet
Frukostseminarium om finansiell brottslighetFrukostseminarium om finansiell brottslighet
Frukostseminarium om finansiell brottslighetTranscendent Group
 
Har ditt företag implementerat en process för att identifiera och hantera int...
Har ditt företag implementerat en process för att identifiera och hantera int...Har ditt företag implementerat en process för att identifiera och hantera int...
Har ditt företag implementerat en process för att identifiera och hantera int...Transcendent Group
 

More Related Content

What's hot

Cyber crime and security
Cyber crime and securityCyber crime and security
Cyber crime and securitySharath Raj
 
Pengalaman batin, khouf, mahabbah, fana, ma;rifat
Pengalaman batin, khouf, mahabbah, fana, ma;rifatPengalaman batin, khouf, mahabbah, fana, ma;rifat
Pengalaman batin, khouf, mahabbah, fana, ma;rifatYuliana Aminulloh
 
Cse ethical hacking ppt
Cse ethical hacking pptCse ethical hacking ppt
Cse ethical hacking pptshreya_omar
 
Ransomware and tips to prevent ransomware attacks
Ransomware and tips to prevent ransomware attacksRansomware and tips to prevent ransomware attacks
Ransomware and tips to prevent ransomware attacksdinCloud Inc.
 
Design and Implementation of a Secure File Sharing Transfer
Design and Implementation of a Secure File Sharing TransferDesign and Implementation of a Secure File Sharing Transfer
Design and Implementation of a Secure File Sharing TransferDebabrata Halder
 
Ethical hacking introduction to ethical hacking
Ethical hacking introduction to ethical hackingEthical hacking introduction to ethical hacking
Ethical hacking introduction to ethical hackingmissstevenson01
 
Understanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationUnderstanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationPECB
 
NETWORK SECURITY
NETWORK SECURITYNETWORK SECURITY
NETWORK SECURITYafaque jaya
 
Cyber Crime - What is Cyber Crime
Cyber Crime - What is Cyber CrimeCyber Crime - What is Cyber Crime
Cyber Crime - What is Cyber CrimeAdeel Rasheed
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test ProfessionalsTechWell
 
Phishing, Smishing and vishing_ How these cyber attacks work and how to preve...
Phishing, Smishing and vishing_ How these cyber attacks work and how to preve...Phishing, Smishing and vishing_ How these cyber attacks work and how to preve...
Phishing, Smishing and vishing_ How these cyber attacks work and how to preve...Okan YILDIZ
 
Bezpieczeństwo w Internecie
Bezpieczeństwo w InternecieBezpieczeństwo w Internecie
Bezpieczeństwo w Interneciesp2zabki
 
Measuring the IQ of your Threat Intelligence Feeds (#tiqtest)
Measuring the IQ of your Threat Intelligence Feeds (#tiqtest)Measuring the IQ of your Threat Intelligence Feeds (#tiqtest)
Measuring the IQ of your Threat Intelligence Feeds (#tiqtest)Alex Pinto
 
Security testing vikesh kumar
Security testing vikesh kumarSecurity testing vikesh kumar
Security testing vikesh kumarVikesh Kumar
 

What's hot (20)

Cyber crime and security
Cyber crime and securityCyber crime and security
Cyber crime and security
 
Insider threat
Insider threatInsider threat
Insider threat
 
Anti phishing
Anti phishingAnti phishing
Anti phishing
 
Pengalaman batin, khouf, mahabbah, fana, ma;rifat
Pengalaman batin, khouf, mahabbah, fana, ma;rifatPengalaman batin, khouf, mahabbah, fana, ma;rifat
Pengalaman batin, khouf, mahabbah, fana, ma;rifat
 
Cse ethical hacking ppt
Cse ethical hacking pptCse ethical hacking ppt
Cse ethical hacking ppt
 
HACKING
HACKINGHACKING
HACKING
 
Ransomware and tips to prevent ransomware attacks
Ransomware and tips to prevent ransomware attacksRansomware and tips to prevent ransomware attacks
Ransomware and tips to prevent ransomware attacks
 
Design and Implementation of a Secure File Sharing Transfer
Design and Implementation of a Secure File Sharing TransferDesign and Implementation of a Secure File Sharing Transfer
Design and Implementation of a Secure File Sharing Transfer
 
Ethical hacking introduction to ethical hacking
Ethical hacking introduction to ethical hackingEthical hacking introduction to ethical hacking
Ethical hacking introduction to ethical hacking
 
Web Proxy Server
Web Proxy ServerWeb Proxy Server
Web Proxy Server
 
Understanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationUnderstanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for Organization
 
NETWORK SECURITY
NETWORK SECURITYNETWORK SECURITY
NETWORK SECURITY
 
Cyber Crime - What is Cyber Crime
Cyber Crime - What is Cyber CrimeCyber Crime - What is Cyber Crime
Cyber Crime - What is Cyber Crime
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test Professionals
 
Dark wed
Dark wedDark wed
Dark wed
 
Phishing, Smishing and vishing_ How these cyber attacks work and how to preve...
Phishing, Smishing and vishing_ How these cyber attacks work and how to preve...Phishing, Smishing and vishing_ How these cyber attacks work and how to preve...
Phishing, Smishing and vishing_ How these cyber attacks work and how to preve...
 
Cyber safety 101
Cyber safety 101Cyber safety 101
Cyber safety 101
 
Bezpieczeństwo w Internecie
Bezpieczeństwo w InternecieBezpieczeństwo w Internecie
Bezpieczeństwo w Internecie
 
Measuring the IQ of your Threat Intelligence Feeds (#tiqtest)
Measuring the IQ of your Threat Intelligence Feeds (#tiqtest)Measuring the IQ of your Threat Intelligence Feeds (#tiqtest)
Measuring the IQ of your Threat Intelligence Feeds (#tiqtest)
 
Security testing vikesh kumar
Security testing vikesh kumarSecurity testing vikesh kumar
Security testing vikesh kumar
 

Viewers also liked

Frukostseminarium om finansiell brottslighet
Frukostseminarium om finansiell brottslighetFrukostseminarium om finansiell brottslighet
Frukostseminarium om finansiell brottslighetTranscendent Group
 
Har ditt företag implementerat en process för att identifiera och hantera int...
Har ditt företag implementerat en process för att identifiera och hantera int...Har ditt företag implementerat en process för att identifiera och hantera int...
Har ditt företag implementerat en process för att identifiera och hantera int...Transcendent Group
 
Är kris en förutsättning för compliance.pptx
Är kris en förutsättning för compliance.pptxÄr kris en förutsättning för compliance.pptx
Är kris en förutsättning för compliance.pptxTranscendent Group
 
Måling og visualisering av informasjonssikkerhet
Måling og visualisering av informasjonssikkerhetMåling og visualisering av informasjonssikkerhet
Måling og visualisering av informasjonssikkerhetTranscendent Group
 
Erfarenhet från granskning av tredje parter utifrån fffs 20145
Erfarenhet från granskning av tredje parter utifrån fffs 20145Erfarenhet från granskning av tredje parter utifrån fffs 20145
Erfarenhet från granskning av tredje parter utifrån fffs 20145Transcendent Group
 
Ta kontroll över personuppgiftshanteringen på ett effektivt sätt
Ta kontroll över personuppgiftshanteringen på ett effektivt sättTa kontroll över personuppgiftshanteringen på ett effektivt sätt
Ta kontroll över personuppgiftshanteringen på ett effektivt sättTranscendent Group
 
Vad innebär den nya penningtvättslagen
Vad innebär den nya penningtvättslagenVad innebär den nya penningtvättslagen
Vad innebär den nya penningtvättslagenTranscendent Group
 
Frukostseminarium om assurance map och audit universe 2014-06-17
Frukostseminarium om assurance map och audit universe 2014-06-17Frukostseminarium om assurance map och audit universe 2014-06-17
Frukostseminarium om assurance map och audit universe 2014-06-17Transcendent Group
 
Sensommarmingel på temat finansiell brottslighet
Sensommarmingel på temat finansiell brottslighetSensommarmingel på temat finansiell brottslighet
Sensommarmingel på temat finansiell brottslighetTranscendent Group
 
Strängare krav på personuppgiftsbehandling senaste nytt om vår nya eu lag
Strängare krav på personuppgiftsbehandling senaste nytt om vår nya eu lagSträngare krav på personuppgiftsbehandling senaste nytt om vår nya eu lag
Strängare krav på personuppgiftsbehandling senaste nytt om vår nya eu lagTranscendent Group
 
Grc succéfaktorer; hur får man ut mer värde av grc än enbart regelefterlevnad
Grc succéfaktorer; hur får man ut mer värde av grc än enbart regelefterlevnadGrc succéfaktorer; hur får man ut mer värde av grc än enbart regelefterlevnad
Grc succéfaktorer; hur får man ut mer värde av grc än enbart regelefterlevnadTranscendent Group
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration TestingScott Sutherland
 
Internal Control Assessment: Lessons Learned and the Pain Felt - 2014 Recap
Internal Control Assessment: Lessons Learned and the Pain Felt - 2014 RecapInternal Control Assessment: Lessons Learned and the Pain Felt - 2014 Recap
Internal Control Assessment: Lessons Learned and the Pain Felt - 2014 RecapHein & Associates
 
Delivering Meaningful Audit Reports Local Govt - Scott Webb Nov 2013
Delivering Meaningful Audit Reports Local Govt - Scott Webb Nov 2013Delivering Meaningful Audit Reports Local Govt - Scott Webb Nov 2013
Delivering Meaningful Audit Reports Local Govt - Scott Webb Nov 2013Scott Webb CPA CIA PMIIA CRMA
 
Bcu msc cg week 8 audit 290712
Bcu msc cg week 8 audit 290712Bcu msc cg week 8 audit 290712
Bcu msc cg week 8 audit 290712Stephen Ong
 
Penetration testing the cloud - vlad gostom
Penetration testing the cloud - vlad gostomPenetration testing the cloud - vlad gostom
Penetration testing the cloud - vlad gostomHardway Hou
 
Evaluation of process level control deficiencies 5 20-2016
Evaluation of process level control deficiencies 5 20-2016Evaluation of process level control deficiencies 5 20-2016
Evaluation of process level control deficiencies 5 20-2016leschaney
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 

Viewers also liked (20)

Frukostseminarium om finansiell brottslighet
Frukostseminarium om finansiell brottslighetFrukostseminarium om finansiell brottslighet
Frukostseminarium om finansiell brottslighet
 
Har ditt företag implementerat en process för att identifiera och hantera int...
Har ditt företag implementerat en process för att identifiera och hantera int...Har ditt företag implementerat en process för att identifiera och hantera int...
Har ditt företag implementerat en process för att identifiera och hantera int...
 
Är kris en förutsättning för compliance.pptx
Är kris en förutsättning för compliance.pptxÄr kris en förutsättning för compliance.pptx
Är kris en förutsättning för compliance.pptx
 
Måling og visualisering av informasjonssikkerhet
Måling og visualisering av informasjonssikkerhetMåling og visualisering av informasjonssikkerhet
Måling og visualisering av informasjonssikkerhet
 
Erfarenhet från granskning av tredje parter utifrån fffs 20145
Erfarenhet från granskning av tredje parter utifrån fffs 20145Erfarenhet från granskning av tredje parter utifrån fffs 20145
Erfarenhet från granskning av tredje parter utifrån fffs 20145
 
Ta kontroll över personuppgiftshanteringen på ett effektivt sätt
Ta kontroll över personuppgiftshanteringen på ett effektivt sättTa kontroll över personuppgiftshanteringen på ett effektivt sätt
Ta kontroll över personuppgiftshanteringen på ett effektivt sätt
 
Vad innebär den nya penningtvättslagen
Vad innebär den nya penningtvättslagenVad innebär den nya penningtvättslagen
Vad innebär den nya penningtvättslagen
 
Frukostseminarium om assurance map och audit universe 2014-06-17
Frukostseminarium om assurance map och audit universe 2014-06-17Frukostseminarium om assurance map och audit universe 2014-06-17
Frukostseminarium om assurance map och audit universe 2014-06-17
 
Sensommarmingel på temat finansiell brottslighet
Sensommarmingel på temat finansiell brottslighetSensommarmingel på temat finansiell brottslighet
Sensommarmingel på temat finansiell brottslighet
 
Strängare krav på personuppgiftsbehandling senaste nytt om vår nya eu lag
Strängare krav på personuppgiftsbehandling senaste nytt om vår nya eu lagSträngare krav på personuppgiftsbehandling senaste nytt om vår nya eu lag
Strängare krav på personuppgiftsbehandling senaste nytt om vår nya eu lag
 
Grc succéfaktorer; hur får man ut mer värde av grc än enbart regelefterlevnad
Grc succéfaktorer; hur får man ut mer värde av grc än enbart regelefterlevnadGrc succéfaktorer; hur får man ut mer värde av grc än enbart regelefterlevnad
Grc succéfaktorer; hur får man ut mer värde av grc än enbart regelefterlevnad
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration Testing
 
Internal Control Assessment: Lessons Learned and the Pain Felt - 2014 Recap
Internal Control Assessment: Lessons Learned and the Pain Felt - 2014 RecapInternal Control Assessment: Lessons Learned and the Pain Felt - 2014 Recap
Internal Control Assessment: Lessons Learned and the Pain Felt - 2014 Recap
 
Delivering Meaningful Audit Reports Local Govt - Scott Webb Nov 2013
Delivering Meaningful Audit Reports Local Govt - Scott Webb Nov 2013Delivering Meaningful Audit Reports Local Govt - Scott Webb Nov 2013
Delivering Meaningful Audit Reports Local Govt - Scott Webb Nov 2013
 
Bcu msc cg week 8 audit 290712
Bcu msc cg week 8 audit 290712Bcu msc cg week 8 audit 290712
Bcu msc cg week 8 audit 290712
 
Penetration testing the cloud - vlad gostom
Penetration testing the cloud - vlad gostomPenetration testing the cloud - vlad gostom
Penetration testing the cloud - vlad gostom
 
iOS Application Penetration Testing
iOS Application Penetration TestingiOS Application Penetration Testing
iOS Application Penetration Testing
 
Evaluation of process level control deficiencies 5 20-2016
Evaluation of process level control deficiencies 5 20-2016Evaluation of process level control deficiencies 5 20-2016
Evaluation of process level control deficiencies 5 20-2016
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Charter School Audit Guide 2015
Charter School Audit Guide 2015Charter School Audit Guide 2015
Charter School Audit Guide 2015
 

Similar to Penetration testing as an internal audit activity

The End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzThe End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzSeniorStoryteller
 
The Seven Deadly Sins of Incident Response
The Seven Deadly Sins of Incident ResponseThe Seven Deadly Sins of Incident Response
The Seven Deadly Sins of Incident ResponseLancope, Inc.
 
Security Teams & Tech In A Cloud World
Security Teams & Tech In A Cloud WorldSecurity Teams & Tech In A Cloud World
Security Teams & Tech In A Cloud WorldMark Nunnikhoven
 
LoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated CybersecurityLoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated CybersecurityRohit Kapoor
 
Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherWendy Knox Everette
 
Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Stefan Streichsbier
 
LoginCat - Mini Presentation
LoginCat - Mini PresentationLoginCat - Mini Presentation
LoginCat - Mini PresentationRohit Kapoor
 
Login cat tekmonks - v5 (mini)
Login cat tekmonks - v5 (mini)Login cat tekmonks - v5 (mini)
Login cat tekmonks - v5 (mini)Rohit Kapoor
 
LoginCat from TekMonks
LoginCat from TekMonksLoginCat from TekMonks
LoginCat from TekMonksRohit Kapoor
 
SPI Dynamics web application security 101
SPI Dynamics web application security 101 SPI Dynamics web application security 101
SPI Dynamics web application security 101 Wade Malone
 
Security Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC PerspectiveSecurity Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC PerspectivePositive Hack Days
 
Login cat tekmonks - v4
Login cat tekmonks - v4Login cat tekmonks - v4
Login cat tekmonks - v4TEKMONKS
 
Login cat tekmonks - v4
Login cat tekmonks - v4Login cat tekmonks - v4
Login cat tekmonks - v4Rohit Kapoor
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...lior mazor
 
QAing the security way!
QAing the security way!QAing the security way!
QAing the security way!Amit Gundiyal
 
vodQA(Pune) 2018 - QAing the security way
vodQA(Pune) 2018 - QAing the security wayvodQA(Pune) 2018 - QAing the security way
vodQA(Pune) 2018 - QAing the security wayvodQA
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofAdrian Sanabria
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Programcentralohioissa
 

Similar to Penetration testing as an internal audit activity (20)

CPX 2016 Moti Sagey Security Vendor Landscape
CPX 2016 Moti Sagey Security Vendor LandscapeCPX 2016 Moti Sagey Security Vendor Landscape
CPX 2016 Moti Sagey Security Vendor Landscape
 
PNSQC 2021 January 28 Culture Jam
PNSQC 2021 January 28 Culture JamPNSQC 2021 January 28 Culture Jam
PNSQC 2021 January 28 Culture Jam
 
The End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzThe End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon Lietz
 
The Seven Deadly Sins of Incident Response
The Seven Deadly Sins of Incident ResponseThe Seven Deadly Sins of Incident Response
The Seven Deadly Sins of Incident Response
 
Security Teams & Tech In A Cloud World
Security Teams & Tech In A Cloud WorldSecurity Teams & Tech In A Cloud World
Security Teams & Tech In A Cloud World
 
LoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated CybersecurityLoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated Cybersecurity
 
Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work together
 
Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016
 
LoginCat - Mini Presentation
LoginCat - Mini PresentationLoginCat - Mini Presentation
LoginCat - Mini Presentation
 
Login cat tekmonks - v5 (mini)
Login cat tekmonks - v5 (mini)Login cat tekmonks - v5 (mini)
Login cat tekmonks - v5 (mini)
 
LoginCat from TekMonks
LoginCat from TekMonksLoginCat from TekMonks
LoginCat from TekMonks
 
SPI Dynamics web application security 101
SPI Dynamics web application security 101 SPI Dynamics web application security 101
SPI Dynamics web application security 101
 
Security Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC PerspectiveSecurity Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC Perspective
 
Login cat tekmonks - v4
Login cat tekmonks - v4Login cat tekmonks - v4
Login cat tekmonks - v4
 
Login cat tekmonks - v4
Login cat tekmonks - v4Login cat tekmonks - v4
Login cat tekmonks - v4
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
 
QAing the security way!
QAing the security way!QAing the security way!
QAing the security way!
 
vodQA(Pune) 2018 - QAing the security way
vodQA(Pune) 2018 - QAing the security wayvodQA(Pune) 2018 - QAing the security way
vodQA(Pune) 2018 - QAing the security way
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard of
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Program
 

More from Transcendent Group

Next generation access controls
Next generation access controlsNext generation access controls
Next generation access controlsTranscendent Group
 
Star strategy en inspirerande metod för mål och verksamhetsstyrning
Star strategy en inspirerande metod för mål och verksamhetsstyrningStar strategy en inspirerande metod för mål och verksamhetsstyrning
Star strategy en inspirerande metod för mål och verksamhetsstyrningTranscendent Group
 
Varför kostnadskontroll och riskhantering av programvara blir allt viktigare
Varför kostnadskontroll och riskhantering av programvara blir allt viktigareVarför kostnadskontroll och riskhantering av programvara blir allt viktigare
Varför kostnadskontroll och riskhantering av programvara blir allt viktigareTranscendent Group
 
Hur etablerar man en effektiv kris och kontinuitetshantering
Hur etablerar man en effektiv kris och kontinuitetshanteringHur etablerar man en effektiv kris och kontinuitetshantering
Hur etablerar man en effektiv kris och kontinuitetshanteringTranscendent Group
 
Den anpassningsbare överlever; den ökade regleringens effekter på svenska banker
Den anpassningsbare överlever; den ökade regleringens effekter på svenska bankerDen anpassningsbare överlever; den ökade regleringens effekter på svenska banker
Den anpassningsbare överlever; den ökade regleringens effekter på svenska bankerTranscendent Group
 
Vem är personen bakom masken hur man hanterar interna bedrägerier
Vem är personen bakom masken hur man hanterar interna bedrägerierVem är personen bakom masken hur man hanterar interna bedrägerier
Vem är personen bakom masken hur man hanterar interna bedrägerierTranscendent Group
 
Styrelseledamotens roll och ansvar
Styrelseledamotens roll och ansvarStyrelseledamotens roll och ansvar
Styrelseledamotens roll och ansvarTranscendent Group
 
Solvency ii and return on equity; optimizing capital and manage the risk
Solvency ii and return on equity; optimizing capital and manage the riskSolvency ii and return on equity; optimizing capital and manage the risk
Solvency ii and return on equity; optimizing capital and manage the riskTranscendent Group
 
Kravställning för grc systemstöd
Kravställning för grc systemstödKravställning för grc systemstöd
Kravställning för grc systemstödTranscendent Group
 
Fem dataanalyser varje internrevisor bör ha med i sin revisionsplan
Fem dataanalyser varje internrevisor bör ha med i sin revisionsplanFem dataanalyser varje internrevisor bör ha med i sin revisionsplan
Fem dataanalyser varje internrevisor bör ha med i sin revisionsplanTranscendent Group
 
Cybersecurity inom bilindustrin
Cybersecurity inom bilindustrinCybersecurity inom bilindustrin
Cybersecurity inom bilindustrinTranscendent Group
 
Personlig integritet – möjliggörare eller hinder för verksamheten?
Personlig integritet – möjliggörare eller hinder för verksamheten?Personlig integritet – möjliggörare eller hinder för verksamheten?
Personlig integritet – möjliggörare eller hinder för verksamheten?Transcendent Group
 
Frukostseminarium om informationssäkerhet
Frukostseminarium om informationssäkerhetFrukostseminarium om informationssäkerhet
Frukostseminarium om informationssäkerhetTranscendent Group
 
Förberedelser inför GRC-systemimplementering
Förberedelser inför GRC-systemimplementeringFörberedelser inför GRC-systemimplementering
Förberedelser inför GRC-systemimplementeringTranscendent Group
 
Mobila enheter och informationssäkerhetsrisker för nybörjaren
Mobila enheter och informationssäkerhetsrisker för nybörjarenMobila enheter och informationssäkerhetsrisker för nybörjaren
Mobila enheter och informationssäkerhetsrisker för nybörjarenTranscendent Group
 
Effectively managing operational risk
Effectively managing operational riskEffectively managing operational risk
Effectively managing operational riskTranscendent Group
 
Åtgärder mot penningtvätt och kommande förändringar
Åtgärder mot penningtvätt och kommande förändringarÅtgärder mot penningtvätt och kommande förändringar
Åtgärder mot penningtvätt och kommande förändringarTranscendent Group
 
Utvecklandet av en strategisk plan för din internrevisionsaktivitet
Utvecklandet av en strategisk plan för din internrevisionsaktivitetUtvecklandet av en strategisk plan för din internrevisionsaktivitet
Utvecklandet av en strategisk plan för din internrevisionsaktivitetTranscendent Group
 

More from Transcendent Group (20)

Next generation access controls
Next generation access controlsNext generation access controls
Next generation access controls
 
Star strategy en inspirerande metod för mål och verksamhetsstyrning
Star strategy en inspirerande metod för mål och verksamhetsstyrningStar strategy en inspirerande metod för mål och verksamhetsstyrning
Star strategy en inspirerande metod för mål och verksamhetsstyrning
 
Varför kostnadskontroll och riskhantering av programvara blir allt viktigare
Varför kostnadskontroll och riskhantering av programvara blir allt viktigareVarför kostnadskontroll och riskhantering av programvara blir allt viktigare
Varför kostnadskontroll och riskhantering av programvara blir allt viktigare
 
Hur etablerar man en effektiv kris och kontinuitetshantering
Hur etablerar man en effektiv kris och kontinuitetshanteringHur etablerar man en effektiv kris och kontinuitetshantering
Hur etablerar man en effektiv kris och kontinuitetshantering
 
Den anpassningsbare överlever; den ökade regleringens effekter på svenska banker
Den anpassningsbare överlever; den ökade regleringens effekter på svenska bankerDen anpassningsbare överlever; den ökade regleringens effekter på svenska banker
Den anpassningsbare överlever; den ökade regleringens effekter på svenska banker
 
Vem är personen bakom masken hur man hanterar interna bedrägerier
Vem är personen bakom masken hur man hanterar interna bedrägerierVem är personen bakom masken hur man hanterar interna bedrägerier
Vem är personen bakom masken hur man hanterar interna bedrägerier
 
Styrelseledamotens roll och ansvar
Styrelseledamotens roll och ansvarStyrelseledamotens roll och ansvar
Styrelseledamotens roll och ansvar
 
Solvency ii and return on equity; optimizing capital and manage the risk
Solvency ii and return on equity; optimizing capital and manage the riskSolvency ii and return on equity; optimizing capital and manage the risk
Solvency ii and return on equity; optimizing capital and manage the risk
 
Kravställning för grc systemstöd
Kravställning för grc systemstödKravställning för grc systemstöd
Kravställning för grc systemstöd
 
How we got domain admin
How we got domain adminHow we got domain admin
How we got domain admin
 
Fem dataanalyser varje internrevisor bör ha med i sin revisionsplan
Fem dataanalyser varje internrevisor bör ha med i sin revisionsplanFem dataanalyser varje internrevisor bör ha med i sin revisionsplan
Fem dataanalyser varje internrevisor bör ha med i sin revisionsplan
 
Finansiering av terrorism
Finansiering av terrorismFinansiering av terrorism
Finansiering av terrorism
 
Cybersecurity inom bilindustrin
Cybersecurity inom bilindustrinCybersecurity inom bilindustrin
Cybersecurity inom bilindustrin
 
Personlig integritet – möjliggörare eller hinder för verksamheten?
Personlig integritet – möjliggörare eller hinder för verksamheten?Personlig integritet – möjliggörare eller hinder för verksamheten?
Personlig integritet – möjliggörare eller hinder för verksamheten?
 
Frukostseminarium om informationssäkerhet
Frukostseminarium om informationssäkerhetFrukostseminarium om informationssäkerhet
Frukostseminarium om informationssäkerhet
 
Förberedelser inför GRC-systemimplementering
Förberedelser inför GRC-systemimplementeringFörberedelser inför GRC-systemimplementering
Förberedelser inför GRC-systemimplementering
 
Mobila enheter och informationssäkerhetsrisker för nybörjaren
Mobila enheter och informationssäkerhetsrisker för nybörjarenMobila enheter och informationssäkerhetsrisker för nybörjaren
Mobila enheter och informationssäkerhetsrisker för nybörjaren
 
Effectively managing operational risk
Effectively managing operational riskEffectively managing operational risk
Effectively managing operational risk
 
Åtgärder mot penningtvätt och kommande förändringar
Åtgärder mot penningtvätt och kommande förändringarÅtgärder mot penningtvätt och kommande förändringar
Åtgärder mot penningtvätt och kommande förändringar
 
Utvecklandet av en strategisk plan för din internrevisionsaktivitet
Utvecklandet av en strategisk plan för din internrevisionsaktivitetUtvecklandet av en strategisk plan för din internrevisionsaktivitet
Utvecklandet av en strategisk plan för din internrevisionsaktivitet
 

Recently uploaded

(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCRsoniya singh
 
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607dollysharma2066
 
India Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample ReportIndia Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample ReportMintel Group
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menzaictsugar
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfJos Voskuil
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africaictsugar
 
Vip Female Escorts Noida 9711199171 Greater Noida Escorts Service
Vip Female Escorts Noida 9711199171 Greater Noida Escorts ServiceVip Female Escorts Noida 9711199171 Greater Noida Escorts Service
Vip Female Escorts Noida 9711199171 Greater Noida Escorts Serviceankitnayak356677
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...lizamodels9
 
RE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman LeechRE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman LeechNewman George Leech
 
Tech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth MarketingTech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth MarketingShawn Pang
 
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCRashishs7044
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCRashishs7044
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesKeppelCorporation
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMintel Group
 
Pitch Deck Teardown: NOQX's $200k Pre-seed deck
Pitch Deck Teardown: NOQX's $200k Pre-seed deckPitch Deck Teardown: NOQX's $200k Pre-seed deck
Pitch Deck Teardown: NOQX's $200k Pre-seed deckHajeJanKamps
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Kirill Klimov
 
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort ServiceCall US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Servicecallgirls2057
 
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfpollardmorgan
 
8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCRashishs7044
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessSeta Wicaksana
 

Recently uploaded (20)

(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
 
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
 
India Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample ReportIndia Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample Report
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdf
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africa
 
Vip Female Escorts Noida 9711199171 Greater Noida Escorts Service
Vip Female Escorts Noida 9711199171 Greater Noida Escorts ServiceVip Female Escorts Noida 9711199171 Greater Noida Escorts Service
Vip Female Escorts Noida 9711199171 Greater Noida Escorts Service
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
 
RE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman LeechRE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman Leech
 
Tech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth MarketingTech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth Marketing
 
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation Slides
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 Edition
 
Pitch Deck Teardown: NOQX's $200k Pre-seed deck
Pitch Deck Teardown: NOQX's $200k Pre-seed deckPitch Deck Teardown: NOQX's $200k Pre-seed deck
Pitch Deck Teardown: NOQX's $200k Pre-seed deck
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024
 
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort ServiceCall US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
 
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
 
8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful Business
 

Penetration testing as an internal audit activity

  • 1. Penetration testing as an internal audit activity ECIIA conference, Stockholm, October 6th 2016
  • 2. Who am I? • I’m a hacker • I’ve hacked applications, networks, trains, lottery machines, routers, laptops, ATM:s, wireless networks, cell phones, embedded systems, production plants, stock exchanges and more… • …all with permission, which makes me a penetration tester • a fair share of the penetration tests I’ve performed were as a part of internal audits. ©TranscendentGroup2016
  • 3. What is penetration testing? A point-in-time assessment of quality of the implemented security controls within the scope of testing. ©TranscendentGroup2016
  • 5. Unfortunately, the questions answered by a penetration test are: ©TranscendentGroup2016 How vulnerable is application X? Is detection and response effective? Are our employees aware and alert? Where are we most vulnerable? Are our preventive controls effective? Are our user’s passwords strong? quite no no your entire intranet no no
  • 6. An analogy: Your house ©TranscendentGroup2016 door sensor front door key alarm sensors CCTV camera
  • 7. The burning question, modified ©TranscendentGroup2016 Are we secure enough?
  • 8. What to ask instead ©TranscendentGroup2016 Are we robust, capable, and continuously improving? • prevention • detection • response• organized • funded • right competencies • right tools and data • aligned to the business • goal-oriented • measuring and adapting to both needs and risks
  • 9. Internal audit’s role as per TLD ©TranscendentGroup2016 The third line of defence – internal audit – is responsible for ensuring that the first and second lines are functioning as designed.
  • 11. What to consider Planning • audit objective • sourcing • engage IT/service provider Execution • help the pentesters translate technical risk to business risk Reporting • do root cause analysis ©TranscendentGroup2016
  • 12. Planning and scoping • First: Ask yourself if a pentest is really a good idea? • Second: What is the question to be answered by the test? • Engage and alert your IT security function and service provider. • Make sure the consultants understand the high-level concepts of your business. ©TranscendentGroup2016 Planning Execution Reporting
  • 13. Tips on sourcing • You’ll get what you pay for. • Choose a preferred vendor, and stick with it. • Hire people, not brand: look for experience. • Certifications to look for: CEH, GIAC certs (GWAPT, GPEN, etcetera). ©TranscendentGroup2016 Planning Execution Reporting
  • 14. Execution • Don’t force your pentesters to go through detailed checklists of what to do/not to do unless absolutely necessary. • Help the pentesters escalate issues. • Set aside time for root cause analysis with the part of the business that has been audited. ©TranscendentGroup2016 Planning Execution Reporting
  • 15. Reporting What to expect: • too technical, unstructured reports • doom and gloom • no business risks • mistaking exploitable technical vulnerabilities for critical business risks How to manage: • keep your eye on the audit objective • make the pentesters rate the difficulty of getting in • challenge, challenge, challenge • understand that it is difficult for an external party to gauge your business risk • uon’t skip root cause analysis ©TranscendentGroup2016 Planning Execution Reporting
  • 16. A word on reporting ©TranscendentGroup2016
  • 18. Example from a pentest: passwords 485 142 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Percentage of passwords cracked Cracked Not cracked ©TranscendentGroup2016 • We were able to crack 77 % of all passwords within 24 hours with a standard issue laptop. • 84 % of the passwords followed the format «string + number + special character». Examples: Summer2016! (pentest performed at summer), Beograd02! (variant of the first password given by the help desk to new users).
  • 19. 5 whys Q: Why are our user’s passwords easy to crack? A: Because they are short and easy to guess. Q: Why are they short and easy to guess? A: Users don’t know what constitutes a strong password, and create short and easy to guess ones because they are also easy to remember. Q: So why do they have trouble remembering their passwords? A: Each user have 5+ different passwords they need to remember to perform their job. We also force them to change their password every 90. days. Q: Why do we force them to change their password? A: … I really don’t know, good practice I guess? Not sure if it creates stronger passwords, though… Q: Why not? A: Well, everybody just creates systems to avoid forgetting the new password. If your first password was “Beograd01!”, your second will be “Beograd02!” and so on. There’s not much security in that. ©TranscendentGroup2016
  • 20. 5 why’s Q: Why did this SQL injection vulnerability occur? A: Because it’s a legacy back-end application that has been exposed to the Internet. Q: Why was it exposed to the Internet? B: To drive and support business initiative X, which requires customer interaction with the system. Q: So why weren’t the project behind business initiative X aware of the vulnerabilities? A: Well, we [the dev team] suspected that the application had substandard security, but there was no one on the team that had the knowledge or time to have an in-depth look. Q: Why? A: Because there’s not allocated any resources to security in our project. Q: Why are there no resources? A: I guess it’s just not budgeted for, or that the business just thinks of it as something the developers and sysadmins should fix as a part of the job. But no one has been given training, and if you look at the project plans, there’s not an hour dedicated to security. ©TranscendentGroup2016
  • 22. Internal audit penetration testing can cause significant security improvement • Penetration testing does not answer the «Are we secure?» question, but provides symptoms of internal control failure. • Pentesting can provide concrete and measurable risk reduction and spark significant improvement initiatives. • Engage with your IT function/service provider/preferred consultants to evaluate the best way to leverage these types of services for your business. ©TranscendentGroup2016