SlideShare a Scribd company logo
http://www.enterprisegrc.com
Security Assessment – Concept Review with
a hint of CISSP Exam Prep
Contribution to ISACA-SV January 2016
Robin Basham, M.IT, M.Ed, CISA, CRISC, CGEIT, CISSP (pending)
Which items are elements of “security”?
Resilience
 What are our critical assets?
 Who is responsible for them?
 Is everyone involved in cyber-resilience? Do they have the
knowledge and autonomy to make good decisions?
 Are we prepared for when there is a successful attack?
 Will there be a tried and tested process to follow or will cyber
attack throw our organization into complete chaos?
Types of Security Assessment
 Technical Security Testing
 Security Process Assessment
 Security Audit
Technical
 Looking for security weaknesses
 Vulnerability Assessment
 Network Penetration Testing
 Web Application Penetration Testing
 Source Code Analysis
Vulnerability Assessment
 Scanning systems looking for a set of vulnerabilities
(a list)
 Looks for common and known vulnerabilities
 Uses a scanning tool
 Performed in house and by third party
Let’s look at common and recommended scanning tools.
Source is OWASPVulnerability Scanning Tools - OWASP
OWASP Listed Vulnerability Scanning Tools
Name Owner Licence Platforms
Acunetix WVS Acunetix Commercial / Free (Limited Capability) Windows
AppScan IBM Commercial Windows
AVDS Beyond Security Commercial / Free (Limited Capability) N/A
BugBlast Buguroo Offensive Security Commercial SaaS or On-Premises
Burp Suite PortSwiger Commercial / Free (Limited Capability) Most platforms supported
Contrast Contrast Security Commercial / Free (Limited Capability) SaaS or On-Premises
GamaScan GamaSec Commercial Windows
Grabber Romain Gaucher Open Source Python 2.4, BeautifulSoup and PyXML
Grendel-Scan David Byrne Open Source Windows, Linux and Macintosh
GoLismero GoLismero Team GPLv2.0 Windows, Linux and Macintosh
Hailstorm Cenzic Commercial Windows
IKare ITrust Commercial N/A
IndusGuard Web Indusface Commercial SaaS
N-Stealth N-Stalker Commercial Windows
Netsparker MavitunaSecurity Commercial Windows
Nexpose Rapid7 Commercial / Free (Limited Capability) Windows/Linux
Nikto CIRT Open Source Unix/Linux
OWASP Listed Vulnerability Scanning Tools
Name Owner Licence Platforms
AppSpider Rapid7 Commercial Windows
ParosPro MileSCAN Commercial Windows
Proxy.app Websecurify Commercial Macintosh
QualysGuard Qualys Commercial N/A
Retina BeyondTrust Commercial Windows
Securus Orvant, Inc Commercial N/A
Sentinel WhiteHat Security Commercial N/A
Vega Subgraph Open Source Windows, Linux and Macintosh
Wapiti Informática Gesfor Open Source Windows, Unix/Linux and Macintosh
WebApp360 TripWire Commercial Windows
WebInspect HP Commercial Windows
SOATest Parasoft Commercial Windows / Linux / Solaris
Trustkeeper Scanner Trustwave SpiderLabs Commercial SaaS
WebReaver Websecurify Commercial Macintosh
WebScanService German Web Security Commercial N/A
Websecurify Suite Websecurify Commercial / Free (Limited Capability) Windows, Linux, Macintosh
Wikto Sensepost Open Source Windows
w3af w3af.org GPLv2.0 Linux and Mac
Xenotix XSS Exploit Framework OWASP Open Source Windows
Zed Attack Proxy OWASP Open Source Windows, Unix/Linux and Macintosh
What to do with a list of known vulnerabilities
 Scanners provide a score of 1 to 5 (relative to what?)
 CVSS Common Vulnerability Scoring System is method used to classify
 OCTAVE Operational Critical Threat, Asset, and Vulnerability Evaluation
 OCTAVE defines three phases, is criticized as complex and not providing
detailed quantitative analysis of security exposure.
Phase 1: Build
Asset-Based
Threat Profiles
Phase 2: Identify
Infrastructure
Vulnerabilities
Phase 3: Develop
Security Strategy
and Plans
Penetration Tests
 Red Team Exercises or Ethical Hacking – (Yes, I’m compelled to talk about blue
team, but not yet.)
 We know we have flaws - pen test seeks to exploit them
 Simulates attacker (does not cause harm)
 Output: Identification of susceptible assets (sites)
 In short: As good as the people who perform them and as valuable as the
reduced risk on the items that get remediated
A red team is an independent group that challenges an organization to improve its
effectiveness. The United States intelligence community (military and civilian) has red
teams that explore alternative futures and write articles as if they were foreign world
leaders.
Red team - Wikipedia, the free encyclopedia
Penetration Testing – Operations Evaluation
 War Dialing (looking for modems – especially plugged into older
enterprise hardware)
 Sniffing – Wireshark -Configuring a monitor port on a managed
switch - network tap
 Eavesdropping
 Radiation monitoring
 Dumpster diving
 Social Engineering
http://www.lawtechnologytoday.org/2015/03/information-security-threat-
social-engineering-and-the-human-element/
You typically insert a network tap inline between two nodes in a
network, such as between your firewall and your first switch. $$$ Not
typically in audit budget
Security Process Review
 Looking for weaknesses and vulnerabilities
Security Assessment Report
Deficient Security Posture
Technology
People
Process
Security Process
 Process is more than policy, although we start with
policy
 What are two great frameworks for establishing
necessary procedure and work product to show that
the processes are effective?
 Cobit5 and NIST Cybersecurity Framework
 http://www.nist.gov/cyberframework/upload/cybersec
urity-framework-021214.pdf
 National Institute of Standards and Technology, U.S.
Department of Commerce (Not copyrightable in the
United States.)
You Need to U Read
 International Organization for Standardization, Risk management – Principles and
guidelines, ISO 31000:2009, 2009. http://www.iso.org/iso/home/standards/iso31000.htm
 International Organization for Standardization/International Electrotechnical Commission,
Information technology – Security techniques – Information security risk management,
ISO/IEC 27005:2011, 2011. http://www.iso.org/iso/catalogue_detail?csnumber=56742
 Joint Task Force Transformation Initiative, Managing Information Security Risk:
Organization, Mission, and Information System View, NIST Special Publication 800-39,
March 2011. http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
 U.S. Department of Energy, Electricity Subsector Cybersecurity Risk Management Process,
DOE/OE-0003, May 2012.
http://energy.gov/sites/prod/files/Cybersecurity%20Risk%20Management%20Process%20
Guideline%20%20Final%20-%20May%202012.pdf
U Need to Use: NIST Framework for
Improving Critical Infrastructure
Cybersecurity; Annex A
Cobit 5: Process Area Assessment
 APO12: Manage Risk, “Continually identify, assess and
reduce IT-related risk within levels of tolerance set by
enterprise executive management.”
 APO13: Manage Security, “Define, operate and
monitor a system for information security
management.”
 DSS05: Manage Security Services, “Protect enterprise
information to maintain the level of information
security risk acceptable to the enterprise in
accordance with the security policy. Establish and
maintain information security roles and access
privileges and perform security monitoring.”
Assessment v. Audit
 Security assessment is comprehensive review of
systems and applications performed by trained
security professionals (CISSP/ CCIE/ CCNA/
CISM)
 Security assessments normally include use of
testing tools and goes beyond automated
scanning
 Involves thoughtful review of the threat
environment, current and future risk, and value
definition of the targeted environments
 The output of assessment is a report addressed
to management with recommendations in both
technical and non technical language
Auditing Security Assessment & Verification
 Compliance checks
 Internal and external
 Frequency of review
 Standard of due care
 Internal Audit typically performs assessment
for internal audience
 External Audits are performed for external
investors and as part of third party due
diligence requirements
 Third Party review is emphasized to avoid
“conflict of interest”
What are the “Related Metrics” from Manage Risk APO12
 Continually identify, assess
and reduce IT-related risk
within levels of tolerance
set by enterprise executive
management.
 Integrate the management
of IT-related enterprise risk
with overall ERM, and
balance the costs and
benefits of managing IT-
related enterprise risk.
 Related Metrics
 Degree of visibility and
recognition in the current
environment
 Number of loss events with
key characteristics captured
in repositories
 Percent of audits, events and
trends captured in
repositories
 Percent of key business
processes included in the risk
profile
 Completeness of attributes
and values in the risk profile
 Percent of risk management
proposals rejected due to
lack of consideration of other
related risk
 Number of significant
incidents not identified and
included in the risk
management portfolio
 Percent of IT risk action plans
executed as designed
 Number of measures not
reducing residual risk
*Align, Plan and Organize
What are the “Related Metrics” from Manage Security APO13
 Define, operate and
monitor a system for
information security
management.
 Keep the impact and
occurrence of
information security
incidents within the
enterprise’s risk appetite
levels.
 Related Metrics
 Number of key security
roles clearly defined
 Number of security
related incidents
 Level of stakeholder
satisfaction with the
security plan throughout
the enterprise
 Number of security
solutions deviating from
the plan
 Number of security
solutions deviating from
the enterprise
architecture
 Number of services with
confirmed alignment to
the security plan
 Number of security
incidents caused by non-
adherence to the
security plan Number of
solutions developed
with confirmed
alignment to the security
plan
*Align, Plan and Organize
What are the “Related Metrics” from Manage Security Services DSS05
 Protect enterprise
information to maintain
the level of information
security risk acceptable to
the enterprise in
accordance with the
security policy. Establish
and maintain information
security roles and access
privileges and perform
security monitoring.
 Minimize the business
impact of operational
information security
vulnerabilities and
incidents.
 Related Metrics
 Number of vulnerabilities
discovered
 Number of firewall
breaches
 Percent of individuals
receiving awareness
training relating to use of
endpoint devices
 Number of incidents
involving endpoint devices
 Number of unauthorized
devices detected on the
network or in the end-
user environment
 Average time between
change and update of
accounts
 Number of accounts (vs.
number of authorized
users/staff)
 Percent of periodic tests
of environmental security
devices
 Average rating for physical
security assessments
 Number of physical
security-related incidents
 Number of incidents
relating to unauthorized
access to information
* Deliver, Service and Support
Technical Security Testing
 Technical testing is looking for security flaws, specifically
impacts to confidentiality, integrity or availability, ways to
steal, alter or destroy information
 Vulnerability Assessments are looking for weakness
 Penetration testing adds human factor
 Code review includes errors that make it susceptible, e.g. to
buffer overflow, SQL insertion, etc.
 Phishing is to see what users do when presented with typical
malicious email scenarios
 Password assessments evaluate password settings and
practices, (sometimes as a part of scanning)
 Goal: assess risk by discovering flaws that persist in
systems and applications
Threat Vectors – Attack surface
 Methods attackers use to touch or exploit vulnerabilities
 A systems attack surface represents all of the ways in
which an attacker could attempt to introduce data to
exploit a vulnerability
 If you look at a list of vulnerabilities, you get too much
information, so we have to start by analyzing our network, our
data, evaluating our assets and their attack surface, then their
vulnerabilities to known threats
 One way to reduce risk is to minimize the attack vectors
 Once we know those vectors, we remediate prioritized threats
by reducing the likelihood of exploiting vulnerabilities
Shift in attack vectors:
Server Side v. Client Side Attacks
 Attacks against a listening service are called “Server-side
attacks”
 TCP server side attacks are initiated by an attacker (client)
 Client-side attacks work in reverse, where victim initiates
the traffic, usually by clicking on a link or email.
 We have to understand the environment from the
perspective of an adversary.
 We use threat modelling and ask “Who is the adversary
and what does the adversary want to accomplish?”
STRIDE – Microsoft Privacy Standard
(MPSD) in response to FIPS
 Spoofing v. Authentication
 Tampering v. Integrity
 Repudiation v. Non-Repudiation
 Information Disclosure v. Confidentiality
 Denial of Service v. Availability
 Elevation of Privilege v. Authorization
How they get us drives how we protect
against them
 External or internal actor is able to
perform host discovery
 Live systems can be discovered via
ARP, ICMP, TCP, UDP traffic, IPv6
neighbor discovery, Sniffing packets
and reviewing contents
Any person with administrative
privilege to network and systems can
perform these functions
Many general users can perform
some of these functions
Perform
reconnaissance
Network
enumeration
Port
scanning
Determine
version of OS
and services
Determine
vulnerable
service versions
Exploit
vulnerabilities
Port Scanners
 Open ports on systems is an attack
surface
 Port scanners evaluates all TCP / UDP
ports (scans twice) to determine which
are open (there are 65535 ports)
 Nmap is a well-known open source port
scanner
 Question:
 Who should be allowed to run a port
scanner?
 What should happen when we detect a
port scan is in progress?
 How long should we take to respond to
that information?
Its just a port – how much damage could be done?
 Hacker scans to find vulnerabilities
to target – ports, services, versions
 Hacker injects a virus, Trojan
 Infected machines further scan and
infect (worm) – spreading from
internal network (bypassing DMZ)
 Hacker issues commands to infected
hosts, able to send spam, effect
DDoS (denial of service)
 Intrusion Prevention Systems (IPS),
IDS, NIDS, NIPS… architecture could
have prevented all this
https://www.cityu.edu.hk/csc/netcomp/dec2006-5p.htm
Attackers shouldn’t know our weaknesses
before we do – We should do something
about our weaknesses
 Vulnerability assessment determines weakness across our actual
attack surface or threat vectors
 Tools to run (OWASP) Nessus, Nexpose, OpenVas, Retina
 Once vulnerable systems are identified, procedures to perform
limited exploits can involve use of:
 The MetaSploit Framework (metasploit)
 Core Impact (coresecurity)
 Immunity Canvas (immunitysec.com)
 For Linux, Backtrack and Kali
What do you call a person who uses attack
tools without permission?
 inmate
 Penetration testing is a
process of HIRING or
assigning a whitehat to
penetrate an application,
system or network
Business Process,
Scope
Reconnaissance
Port scanning,
VA
Exploitation
Post Exploitation
Source Code Review – White Box (v.
Blackbox) Testing
 Cheaper and Safer to whitebox b/c the effort to “Fuzz” code from
blackbox has high probability of impacting systems, is expensive and
time consuming
 Code review discovers security vulnerabilities by inspecting the source
code of a target application.
 Certain C Functions are commonly associated to buffer overflow
“-get(), strcpy(),strcat()”
 Compilers usually include security checks, but they need to be run by
policy and results need to be understood.
 Compiled code review should be “blackbox”
Fuzzing is Blackbox – sends unexpected inputs
 Automated cramming, exploits poorly
constructed interface constraints
 Web Application Testing
 HTTP Interception Proxy
 Code Analysis
 Beyond the proxy, Dynamic web application
scanners code attempt to automate assess the
security of customer web apps
Audit Velocity increases Maturity
 Approach: Find a flaw, fix
a flaw
 Approach: Find a lot of
flaws and keep a list
 Approach: align
vulnerability metrics into
a continual service
improvement model
Root Cause Analysis
 What is the root cause for any failure
 Example: “metrics indicate 80% of malicious code infections are
attributed to vulnerable versions of Java”
 What were the steps to create the finding?
 What are the expectations as a result of this finding?
 What is the measure of Security Program health?
Security Audit – Raising the right Bar
 Cloud Security Alliance Control Matrix – Cloud
Operational Security
 Controls Domain and Controls Matrix (98 Controls with
Mappings)
Value – architecture, portability and interoperability; physical,
network, compute, storage, applications, and data, differentiates
service provider versus tenants
 United States NIST Publication 200, NIST SP 800-54
rev4 – (mentioned earlier)
 PCI-DSS – The Payment Card Industry Data Standard
 Associated to credit card processing – however should be
true in general – 12 tenants
Federal Information Processing Standards (FIPS) Publications
 FIPS 202 SHA-3 Standard: Permutation-
Based Hash and Extendable-Output
Functions
 FIPS 201-2 Personal Identity Verification
(PIV) of Federal Employees and Contractors
 FIPS 200 Minimum Security Requirements
for Federal Information and Information
Systems
 FIPS 199 Standards for Security
Categorization of Federal Information and
Information Systems
 FIPS 198-1 The Keyed-Hash Message
Authentication Code (HMAC)
 FIPS 197Advanced Encryption Standard
(AES)
 FIPS 186-4 Digital Signature Standard (DSS)
 FIPS 180-4 Secure Hash Standard (SHS)
 FIPS 140-2 Security Requirements for
Cryptographic Modules
Standards issued by NIST after approval by the Secretary of Commerce
pursuant to the Federal Information Security Management Act (FISMA).
http://csrc.nist.gov/publications/PubsFIPS.html
Questions?
 Reach out on LinkedIn and we can continue the dialogue.
 Good luck in your studies. Hope this was helpful.

More Related Content

What's hot

Cis controls v8_guide (1)
Cis controls v8_guide (1)Cis controls v8_guide (1)
Cis controls v8_guide (1)
MHumaamAl
 
The Chicago School of Cybersecurity: A Pragmatic Look at the NIST Cybersecuri...
The Chicago School of Cybersecurity: A Pragmatic Look at the NIST Cybersecuri...The Chicago School of Cybersecurity: A Pragmatic Look at the NIST Cybersecuri...
The Chicago School of Cybersecurity: A Pragmatic Look at the NIST Cybersecuri...
Cohesive Networks
 
How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots   ulf mattsson - aug 2016How can i find my security blind spots   ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016
Ulf Mattsson
 
Cybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDCybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoD
Pranav Shah
 
Cybersecurity Framework - What are Pundits Saying?
Cybersecurity Framework - What are Pundits Saying?Cybersecurity Framework - What are Pundits Saying?
Cybersecurity Framework - What are Pundits Saying?
Jim Meyer
 
Qradar Business Case
Qradar Business CaseQradar Business Case
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)
PECB
 
Achieving Visible Security at Scale with the NIST Cybersecurity Framework
Achieving Visible Security at Scale with the NIST Cybersecurity FrameworkAchieving Visible Security at Scale with the NIST Cybersecurity Framework
Achieving Visible Security at Scale with the NIST Cybersecurity Framework
Kevin Fealey
 
Security operations center 5 security controls
 Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
AlienVault
 
GDPR
GDPRGDPR
Ca world 2007 SOC integration
Ca world 2007 SOC integrationCa world 2007 SOC integration
Ca world 2007 SOC integration
Michael Nickle
 
Next generation security analytics
Next generation security analyticsNext generation security analytics
Next generation security analytics
Christian Have
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to Success
Sirius
 
Strategy considerations for building a security operations center
Strategy considerations for building a security operations centerStrategy considerations for building a security operations center
Strategy considerations for building a security operations center
CMR WORLD TECH
 
Protecting Vital Data With NIST Framework - Patrick Kerpan's Secure260 presen...
Protecting Vital Data With NIST Framework - Patrick Kerpan's Secure260 presen...Protecting Vital Data With NIST Framework - Patrick Kerpan's Secure260 presen...
Protecting Vital Data With NIST Framework - Patrick Kerpan's Secure260 presen...
Cohesive Networks
 
Happiest Minds NIST CSF compliance Brochure
Happiest Minds NIST  CSF compliance BrochureHappiest Minds NIST  CSF compliance Brochure
Happiest Minds NIST CSF compliance Brochure
Suresh Kanniappan
 
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...
Cam Fulton
 
Aligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWS
Amazon Web Services
 
NIST IT Standards for Local Governments 2010
NIST IT Standards for Local Governments 2010NIST IT Standards for Local Governments 2010
NIST IT Standards for Local Governments 2010
Donald E. Hester
 
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin   enterprise gr-cv3Virtualization and cloud impact overview auditor spin   enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
EnterpriseGRC Solutions, Inc.
 

What's hot (20)

Cis controls v8_guide (1)
Cis controls v8_guide (1)Cis controls v8_guide (1)
Cis controls v8_guide (1)
 
The Chicago School of Cybersecurity: A Pragmatic Look at the NIST Cybersecuri...
The Chicago School of Cybersecurity: A Pragmatic Look at the NIST Cybersecuri...The Chicago School of Cybersecurity: A Pragmatic Look at the NIST Cybersecuri...
The Chicago School of Cybersecurity: A Pragmatic Look at the NIST Cybersecuri...
 
How can i find my security blind spots ulf mattsson - aug 2016
How can i find my security blind spots   ulf mattsson - aug 2016How can i find my security blind spots   ulf mattsson - aug 2016
How can i find my security blind spots ulf mattsson - aug 2016
 
Cybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDCybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoD
 
Cybersecurity Framework - What are Pundits Saying?
Cybersecurity Framework - What are Pundits Saying?Cybersecurity Framework - What are Pundits Saying?
Cybersecurity Framework - What are Pundits Saying?
 
Qradar Business Case
Qradar Business CaseQradar Business Case
Qradar Business Case
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)
 
Achieving Visible Security at Scale with the NIST Cybersecurity Framework
Achieving Visible Security at Scale with the NIST Cybersecurity FrameworkAchieving Visible Security at Scale with the NIST Cybersecurity Framework
Achieving Visible Security at Scale with the NIST Cybersecurity Framework
 
Security operations center 5 security controls
 Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
 
GDPR
GDPRGDPR
GDPR
 
Ca world 2007 SOC integration
Ca world 2007 SOC integrationCa world 2007 SOC integration
Ca world 2007 SOC integration
 
Next generation security analytics
Next generation security analyticsNext generation security analytics
Next generation security analytics
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to Success
 
Strategy considerations for building a security operations center
Strategy considerations for building a security operations centerStrategy considerations for building a security operations center
Strategy considerations for building a security operations center
 
Protecting Vital Data With NIST Framework - Patrick Kerpan's Secure260 presen...
Protecting Vital Data With NIST Framework - Patrick Kerpan's Secure260 presen...Protecting Vital Data With NIST Framework - Patrick Kerpan's Secure260 presen...
Protecting Vital Data With NIST Framework - Patrick Kerpan's Secure260 presen...
 
Happiest Minds NIST CSF compliance Brochure
Happiest Minds NIST  CSF compliance BrochureHappiest Minds NIST  CSF compliance Brochure
Happiest Minds NIST CSF compliance Brochure
 
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...
 
Aligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWS
 
NIST IT Standards for Local Governments 2010
NIST IT Standards for Local Governments 2010NIST IT Standards for Local Governments 2010
NIST IT Standards for Local Governments 2010
 
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin   enterprise gr-cv3Virtualization and cloud impact overview auditor spin   enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
 

Viewers also liked

Networking and communications security – network architecture design
Networking and communications security – network architecture designNetworking and communications security – network architecture design
Networking and communications security – network architecture design
EnterpriseGRC Solutions, Inc.
 
Cryptographic lifecycle security training
Cryptographic lifecycle security trainingCryptographic lifecycle security training
Cryptographic lifecycle security training
EnterpriseGRC Solutions, Inc.
 
CobiT Foundation Free Training
CobiT Foundation Free TrainingCobiT Foundation Free Training
CobiT Foundation Free Training
EnterpriseGRC Solutions, Inc.
 
COBIT®5 - Foundation
COBIT®5 - FoundationCOBIT®5 - Foundation
Governance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 FrameworkGovernance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 Framework
Goutama Bachtiar
 
COBIT 5 IT Governance Model: an Introduction
COBIT 5 IT Governance Model: an IntroductionCOBIT 5 IT Governance Model: an Introduction
COBIT 5 IT Governance Model: an Introduction
aqel aqel
 

Viewers also liked (6)

Networking and communications security – network architecture design
Networking and communications security – network architecture designNetworking and communications security – network architecture design
Networking and communications security – network architecture design
 
Cryptographic lifecycle security training
Cryptographic lifecycle security trainingCryptographic lifecycle security training
Cryptographic lifecycle security training
 
CobiT Foundation Free Training
CobiT Foundation Free TrainingCobiT Foundation Free Training
CobiT Foundation Free Training
 
COBIT®5 - Foundation
COBIT®5 - FoundationCOBIT®5 - Foundation
COBIT®5 - Foundation
 
Governance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 FrameworkGovernance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 Framework
 
COBIT 5 IT Governance Model: an Introduction
COBIT 5 IT Governance Model: an IntroductionCOBIT 5 IT Governance Model: an Introduction
COBIT 5 IT Governance Model: an Introduction
 

Similar to Security assessment with a hint of CISSP Prep

Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016
EnterpriseGRC Solutions, Inc.
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
Dr. Anish Cheriyan (PhD)
 
Core.co.enterprise.deck.06.16.10
Core.co.enterprise.deck.06.16.10Core.co.enterprise.deck.06.16.10
Core.co.enterprise.deck.06.16.10
Core Security Technologies
 
So You Want a Job in Cybersecurity
So You Want a Job in CybersecuritySo You Want a Job in Cybersecurity
So You Want a Job in Cybersecurity
Teri Radichel
 
cybersecurity-careers.pdf
cybersecurity-careers.pdfcybersecurity-careers.pdf
cybersecurity-careers.pdf
RakeshKumar442494
 
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptxCompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
Infosectrain3
 
Security Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA EnvironmentsSecurity Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA Environments
amiable_indian
 
Threat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detectionThreat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detection
Priyanka Aash
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: Reloaded
Sounil Yu
 
六合彩香港-六合彩
六合彩香港-六合彩六合彩香港-六合彩
六合彩香港-六合彩
baoyin
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applications
Ben Rothke
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Jeff Williams
 
Asset Discovery in India – Redhunt Labs
Asset Discovery in India – Redhunt LabsAsset Discovery in India – Redhunt Labs
Asset Discovery in India – Redhunt Labs
RedhuntLabs2
 
RAMNSS_2016_service_porfolio
RAMNSS_2016_service_porfolioRAMNSS_2016_service_porfolio
RAMNSS_2016_service_porfolio
Rhys A. Mossom
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Alan Kan
 
Allianz Global CISO october-2015-draft
Allianz Global CISO  october-2015-draftAllianz Global CISO  october-2015-draft
Allianz Global CISO october-2015-draft
Eoin Keary
 
Splunk for Security Breakout Session
Splunk for Security Breakout SessionSplunk for Security Breakout Session
Splunk for Security Breakout Session
Splunk
 
Best of Both Worlds: Correlating Static and Dynamic Analysis Results
Best of Both Worlds: Correlating Static and Dynamic Analysis ResultsBest of Both Worlds: Correlating Static and Dynamic Analysis Results
Best of Both Worlds: Correlating Static and Dynamic Analysis Results
Jeremiah Grossman
 
Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12
Laura Arrigo
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & Recommendations
Ulf Mattsson
 

Similar to Security assessment with a hint of CISSP Prep (20)

Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
 
Core.co.enterprise.deck.06.16.10
Core.co.enterprise.deck.06.16.10Core.co.enterprise.deck.06.16.10
Core.co.enterprise.deck.06.16.10
 
So You Want a Job in Cybersecurity
So You Want a Job in CybersecuritySo You Want a Job in Cybersecurity
So You Want a Job in Cybersecurity
 
cybersecurity-careers.pdf
cybersecurity-careers.pdfcybersecurity-careers.pdf
cybersecurity-careers.pdf
 
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptxCompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
 
Security Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA EnvironmentsSecurity Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA Environments
 
Threat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detectionThreat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detection
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: Reloaded
 
六合彩香港-六合彩
六合彩香港-六合彩六合彩香港-六合彩
六合彩香港-六合彩
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applications
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
 
Asset Discovery in India – Redhunt Labs
Asset Discovery in India – Redhunt LabsAsset Discovery in India – Redhunt Labs
Asset Discovery in India – Redhunt Labs
 
RAMNSS_2016_service_porfolio
RAMNSS_2016_service_porfolioRAMNSS_2016_service_porfolio
RAMNSS_2016_service_porfolio
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
 
Allianz Global CISO october-2015-draft
Allianz Global CISO  october-2015-draftAllianz Global CISO  october-2015-draft
Allianz Global CISO october-2015-draft
 
Splunk for Security Breakout Session
Splunk for Security Breakout SessionSplunk for Security Breakout Session
Splunk for Security Breakout Session
 
Best of Both Worlds: Correlating Static and Dynamic Analysis Results
Best of Both Worlds: Correlating Static and Dynamic Analysis ResultsBest of Both Worlds: Correlating Static and Dynamic Analysis Results
Best of Both Worlds: Correlating Static and Dynamic Analysis Results
 
Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & Recommendations
 

More from EnterpriseGRC Solutions, Inc.

Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleWalk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
EnterpriseGRC Solutions, Inc.
 
ISACA SV 2013 Winter Conference Brochure
ISACA SV 2013 Winter Conference BrochureISACA SV 2013 Winter Conference Brochure
ISACA SV 2013 Winter Conference Brochure
EnterpriseGRC Solutions, Inc.
 
2012 Summer Conference Brochure
2012 Summer Conference Brochure2012 Summer Conference Brochure
2012 Summer Conference Brochure
EnterpriseGRC Solutions, Inc.
 
2011 Summer Conference Brochure
2011 Summer Conference Brochure2011 Summer Conference Brochure
2011 Summer Conference Brochure
EnterpriseGRC Solutions, Inc.
 
The Perils of Mount Must Read
The Perils of Mount Must ReadThe Perils of Mount Must Read
The Perils of Mount Must Read
EnterpriseGRC Solutions, Inc.
 
Procedures and Controls Documentation Guidelines
Procedures and Controls Documentation GuidelinesProcedures and Controls Documentation Guidelines
Procedures and Controls Documentation Guidelines
EnterpriseGRC Solutions, Inc.
 
Erm talking points
Erm talking pointsErm talking points
Erm talking points
EnterpriseGRC Solutions, Inc.
 
Enterprise governance risk_compliance_fcm slides
Enterprise governance risk_compliance_fcm slidesEnterprise governance risk_compliance_fcm slides
Enterprise governance risk_compliance_fcm slides
EnterpriseGRC Solutions, Inc.
 
CISSP Study Exercises, Just some good will to help my peers with their studies
CISSP Study Exercises, Just some good will to help my peers with their studiesCISSP Study Exercises, Just some good will to help my peers with their studies
CISSP Study Exercises, Just some good will to help my peers with their studies
EnterpriseGRC Solutions, Inc.
 
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin   Enterprise Gr Cv4Virtualization And Cloud Impact Overview Auditor Spin   Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
EnterpriseGRC Solutions, Inc.
 
Green Tech
Green TechGreen Tech

More from EnterpriseGRC Solutions, Inc. (11)

Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleWalk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
 
ISACA SV 2013 Winter Conference Brochure
ISACA SV 2013 Winter Conference BrochureISACA SV 2013 Winter Conference Brochure
ISACA SV 2013 Winter Conference Brochure
 
2012 Summer Conference Brochure
2012 Summer Conference Brochure2012 Summer Conference Brochure
2012 Summer Conference Brochure
 
2011 Summer Conference Brochure
2011 Summer Conference Brochure2011 Summer Conference Brochure
2011 Summer Conference Brochure
 
The Perils of Mount Must Read
The Perils of Mount Must ReadThe Perils of Mount Must Read
The Perils of Mount Must Read
 
Procedures and Controls Documentation Guidelines
Procedures and Controls Documentation GuidelinesProcedures and Controls Documentation Guidelines
Procedures and Controls Documentation Guidelines
 
Erm talking points
Erm talking pointsErm talking points
Erm talking points
 
Enterprise governance risk_compliance_fcm slides
Enterprise governance risk_compliance_fcm slidesEnterprise governance risk_compliance_fcm slides
Enterprise governance risk_compliance_fcm slides
 
CISSP Study Exercises, Just some good will to help my peers with their studies
CISSP Study Exercises, Just some good will to help my peers with their studiesCISSP Study Exercises, Just some good will to help my peers with their studies
CISSP Study Exercises, Just some good will to help my peers with their studies
 
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin   Enterprise Gr Cv4Virtualization And Cloud Impact Overview Auditor Spin   Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
 
Green Tech
Green TechGreen Tech
Green Tech
 

Recently uploaded

June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
CAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on BlockchainCAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on Blockchain
Claudio Di Ciccio
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 

Recently uploaded (20)

June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
CAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on BlockchainCAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on Blockchain
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 

Security assessment with a hint of CISSP Prep

  • 1. http://www.enterprisegrc.com Security Assessment – Concept Review with a hint of CISSP Exam Prep Contribution to ISACA-SV January 2016 Robin Basham, M.IT, M.Ed, CISA, CRISC, CGEIT, CISSP (pending)
  • 2. Which items are elements of “security”?
  • 3. Resilience  What are our critical assets?  Who is responsible for them?  Is everyone involved in cyber-resilience? Do they have the knowledge and autonomy to make good decisions?  Are we prepared for when there is a successful attack?  Will there be a tried and tested process to follow or will cyber attack throw our organization into complete chaos?
  • 4. Types of Security Assessment  Technical Security Testing  Security Process Assessment  Security Audit
  • 5. Technical  Looking for security weaknesses  Vulnerability Assessment  Network Penetration Testing  Web Application Penetration Testing  Source Code Analysis
  • 6. Vulnerability Assessment  Scanning systems looking for a set of vulnerabilities (a list)  Looks for common and known vulnerabilities  Uses a scanning tool  Performed in house and by third party Let’s look at common and recommended scanning tools. Source is OWASPVulnerability Scanning Tools - OWASP
  • 7. OWASP Listed Vulnerability Scanning Tools Name Owner Licence Platforms Acunetix WVS Acunetix Commercial / Free (Limited Capability) Windows AppScan IBM Commercial Windows AVDS Beyond Security Commercial / Free (Limited Capability) N/A BugBlast Buguroo Offensive Security Commercial SaaS or On-Premises Burp Suite PortSwiger Commercial / Free (Limited Capability) Most platforms supported Contrast Contrast Security Commercial / Free (Limited Capability) SaaS or On-Premises GamaScan GamaSec Commercial Windows Grabber Romain Gaucher Open Source Python 2.4, BeautifulSoup and PyXML Grendel-Scan David Byrne Open Source Windows, Linux and Macintosh GoLismero GoLismero Team GPLv2.0 Windows, Linux and Macintosh Hailstorm Cenzic Commercial Windows IKare ITrust Commercial N/A IndusGuard Web Indusface Commercial SaaS N-Stealth N-Stalker Commercial Windows Netsparker MavitunaSecurity Commercial Windows Nexpose Rapid7 Commercial / Free (Limited Capability) Windows/Linux Nikto CIRT Open Source Unix/Linux
  • 8. OWASP Listed Vulnerability Scanning Tools Name Owner Licence Platforms AppSpider Rapid7 Commercial Windows ParosPro MileSCAN Commercial Windows Proxy.app Websecurify Commercial Macintosh QualysGuard Qualys Commercial N/A Retina BeyondTrust Commercial Windows Securus Orvant, Inc Commercial N/A Sentinel WhiteHat Security Commercial N/A Vega Subgraph Open Source Windows, Linux and Macintosh Wapiti Informática Gesfor Open Source Windows, Unix/Linux and Macintosh WebApp360 TripWire Commercial Windows WebInspect HP Commercial Windows SOATest Parasoft Commercial Windows / Linux / Solaris Trustkeeper Scanner Trustwave SpiderLabs Commercial SaaS WebReaver Websecurify Commercial Macintosh WebScanService German Web Security Commercial N/A Websecurify Suite Websecurify Commercial / Free (Limited Capability) Windows, Linux, Macintosh Wikto Sensepost Open Source Windows w3af w3af.org GPLv2.0 Linux and Mac Xenotix XSS Exploit Framework OWASP Open Source Windows Zed Attack Proxy OWASP Open Source Windows, Unix/Linux and Macintosh
  • 9. What to do with a list of known vulnerabilities  Scanners provide a score of 1 to 5 (relative to what?)  CVSS Common Vulnerability Scoring System is method used to classify  OCTAVE Operational Critical Threat, Asset, and Vulnerability Evaluation  OCTAVE defines three phases, is criticized as complex and not providing detailed quantitative analysis of security exposure. Phase 1: Build Asset-Based Threat Profiles Phase 2: Identify Infrastructure Vulnerabilities Phase 3: Develop Security Strategy and Plans
  • 10. Penetration Tests  Red Team Exercises or Ethical Hacking – (Yes, I’m compelled to talk about blue team, but not yet.)  We know we have flaws - pen test seeks to exploit them  Simulates attacker (does not cause harm)  Output: Identification of susceptible assets (sites)  In short: As good as the people who perform them and as valuable as the reduced risk on the items that get remediated A red team is an independent group that challenges an organization to improve its effectiveness. The United States intelligence community (military and civilian) has red teams that explore alternative futures and write articles as if they were foreign world leaders. Red team - Wikipedia, the free encyclopedia
  • 11. Penetration Testing – Operations Evaluation  War Dialing (looking for modems – especially plugged into older enterprise hardware)  Sniffing – Wireshark -Configuring a monitor port on a managed switch - network tap  Eavesdropping  Radiation monitoring  Dumpster diving  Social Engineering http://www.lawtechnologytoday.org/2015/03/information-security-threat- social-engineering-and-the-human-element/ You typically insert a network tap inline between two nodes in a network, such as between your firewall and your first switch. $$$ Not typically in audit budget
  • 12. Security Process Review  Looking for weaknesses and vulnerabilities Security Assessment Report Deficient Security Posture Technology People Process
  • 13. Security Process  Process is more than policy, although we start with policy  What are two great frameworks for establishing necessary procedure and work product to show that the processes are effective?  Cobit5 and NIST Cybersecurity Framework  http://www.nist.gov/cyberframework/upload/cybersec urity-framework-021214.pdf  National Institute of Standards and Technology, U.S. Department of Commerce (Not copyrightable in the United States.)
  • 14. You Need to U Read  International Organization for Standardization, Risk management – Principles and guidelines, ISO 31000:2009, 2009. http://www.iso.org/iso/home/standards/iso31000.htm  International Organization for Standardization/International Electrotechnical Commission, Information technology – Security techniques – Information security risk management, ISO/IEC 27005:2011, 2011. http://www.iso.org/iso/catalogue_detail?csnumber=56742  Joint Task Force Transformation Initiative, Managing Information Security Risk: Organization, Mission, and Information System View, NIST Special Publication 800-39, March 2011. http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf  U.S. Department of Energy, Electricity Subsector Cybersecurity Risk Management Process, DOE/OE-0003, May 2012. http://energy.gov/sites/prod/files/Cybersecurity%20Risk%20Management%20Process%20 Guideline%20%20Final%20-%20May%202012.pdf
  • 15. U Need to Use: NIST Framework for Improving Critical Infrastructure Cybersecurity; Annex A
  • 16. Cobit 5: Process Area Assessment  APO12: Manage Risk, “Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.”  APO13: Manage Security, “Define, operate and monitor a system for information security management.”  DSS05: Manage Security Services, “Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges and perform security monitoring.”
  • 17. Assessment v. Audit  Security assessment is comprehensive review of systems and applications performed by trained security professionals (CISSP/ CCIE/ CCNA/ CISM)  Security assessments normally include use of testing tools and goes beyond automated scanning  Involves thoughtful review of the threat environment, current and future risk, and value definition of the targeted environments  The output of assessment is a report addressed to management with recommendations in both technical and non technical language
  • 18. Auditing Security Assessment & Verification  Compliance checks  Internal and external  Frequency of review  Standard of due care  Internal Audit typically performs assessment for internal audience  External Audits are performed for external investors and as part of third party due diligence requirements  Third Party review is emphasized to avoid “conflict of interest”
  • 19. What are the “Related Metrics” from Manage Risk APO12  Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.  Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT- related enterprise risk.  Related Metrics  Degree of visibility and recognition in the current environment  Number of loss events with key characteristics captured in repositories  Percent of audits, events and trends captured in repositories  Percent of key business processes included in the risk profile  Completeness of attributes and values in the risk profile  Percent of risk management proposals rejected due to lack of consideration of other related risk  Number of significant incidents not identified and included in the risk management portfolio  Percent of IT risk action plans executed as designed  Number of measures not reducing residual risk *Align, Plan and Organize
  • 20. What are the “Related Metrics” from Manage Security APO13  Define, operate and monitor a system for information security management.  Keep the impact and occurrence of information security incidents within the enterprise’s risk appetite levels.  Related Metrics  Number of key security roles clearly defined  Number of security related incidents  Level of stakeholder satisfaction with the security plan throughout the enterprise  Number of security solutions deviating from the plan  Number of security solutions deviating from the enterprise architecture  Number of services with confirmed alignment to the security plan  Number of security incidents caused by non- adherence to the security plan Number of solutions developed with confirmed alignment to the security plan *Align, Plan and Organize
  • 21. What are the “Related Metrics” from Manage Security Services DSS05  Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges and perform security monitoring.  Minimize the business impact of operational information security vulnerabilities and incidents.  Related Metrics  Number of vulnerabilities discovered  Number of firewall breaches  Percent of individuals receiving awareness training relating to use of endpoint devices  Number of incidents involving endpoint devices  Number of unauthorized devices detected on the network or in the end- user environment  Average time between change and update of accounts  Number of accounts (vs. number of authorized users/staff)  Percent of periodic tests of environmental security devices  Average rating for physical security assessments  Number of physical security-related incidents  Number of incidents relating to unauthorized access to information * Deliver, Service and Support
  • 22. Technical Security Testing  Technical testing is looking for security flaws, specifically impacts to confidentiality, integrity or availability, ways to steal, alter or destroy information  Vulnerability Assessments are looking for weakness  Penetration testing adds human factor  Code review includes errors that make it susceptible, e.g. to buffer overflow, SQL insertion, etc.  Phishing is to see what users do when presented with typical malicious email scenarios  Password assessments evaluate password settings and practices, (sometimes as a part of scanning)  Goal: assess risk by discovering flaws that persist in systems and applications
  • 23. Threat Vectors – Attack surface  Methods attackers use to touch or exploit vulnerabilities  A systems attack surface represents all of the ways in which an attacker could attempt to introduce data to exploit a vulnerability  If you look at a list of vulnerabilities, you get too much information, so we have to start by analyzing our network, our data, evaluating our assets and their attack surface, then their vulnerabilities to known threats  One way to reduce risk is to minimize the attack vectors  Once we know those vectors, we remediate prioritized threats by reducing the likelihood of exploiting vulnerabilities
  • 24. Shift in attack vectors: Server Side v. Client Side Attacks  Attacks against a listening service are called “Server-side attacks”  TCP server side attacks are initiated by an attacker (client)  Client-side attacks work in reverse, where victim initiates the traffic, usually by clicking on a link or email.  We have to understand the environment from the perspective of an adversary.  We use threat modelling and ask “Who is the adversary and what does the adversary want to accomplish?”
  • 25. STRIDE – Microsoft Privacy Standard (MPSD) in response to FIPS  Spoofing v. Authentication  Tampering v. Integrity  Repudiation v. Non-Repudiation  Information Disclosure v. Confidentiality  Denial of Service v. Availability  Elevation of Privilege v. Authorization
  • 26. How they get us drives how we protect against them  External or internal actor is able to perform host discovery  Live systems can be discovered via ARP, ICMP, TCP, UDP traffic, IPv6 neighbor discovery, Sniffing packets and reviewing contents Any person with administrative privilege to network and systems can perform these functions Many general users can perform some of these functions Perform reconnaissance Network enumeration Port scanning Determine version of OS and services Determine vulnerable service versions Exploit vulnerabilities
  • 27. Port Scanners  Open ports on systems is an attack surface  Port scanners evaluates all TCP / UDP ports (scans twice) to determine which are open (there are 65535 ports)  Nmap is a well-known open source port scanner  Question:  Who should be allowed to run a port scanner?  What should happen when we detect a port scan is in progress?  How long should we take to respond to that information?
  • 28. Its just a port – how much damage could be done?  Hacker scans to find vulnerabilities to target – ports, services, versions  Hacker injects a virus, Trojan  Infected machines further scan and infect (worm) – spreading from internal network (bypassing DMZ)  Hacker issues commands to infected hosts, able to send spam, effect DDoS (denial of service)  Intrusion Prevention Systems (IPS), IDS, NIDS, NIPS… architecture could have prevented all this https://www.cityu.edu.hk/csc/netcomp/dec2006-5p.htm
  • 29. Attackers shouldn’t know our weaknesses before we do – We should do something about our weaknesses  Vulnerability assessment determines weakness across our actual attack surface or threat vectors  Tools to run (OWASP) Nessus, Nexpose, OpenVas, Retina  Once vulnerable systems are identified, procedures to perform limited exploits can involve use of:  The MetaSploit Framework (metasploit)  Core Impact (coresecurity)  Immunity Canvas (immunitysec.com)  For Linux, Backtrack and Kali
  • 30. What do you call a person who uses attack tools without permission?  inmate  Penetration testing is a process of HIRING or assigning a whitehat to penetrate an application, system or network Business Process, Scope Reconnaissance Port scanning, VA Exploitation Post Exploitation
  • 31. Source Code Review – White Box (v. Blackbox) Testing  Cheaper and Safer to whitebox b/c the effort to “Fuzz” code from blackbox has high probability of impacting systems, is expensive and time consuming  Code review discovers security vulnerabilities by inspecting the source code of a target application.  Certain C Functions are commonly associated to buffer overflow “-get(), strcpy(),strcat()”  Compilers usually include security checks, but they need to be run by policy and results need to be understood.  Compiled code review should be “blackbox”
  • 32. Fuzzing is Blackbox – sends unexpected inputs  Automated cramming, exploits poorly constructed interface constraints  Web Application Testing  HTTP Interception Proxy  Code Analysis  Beyond the proxy, Dynamic web application scanners code attempt to automate assess the security of customer web apps
  • 33. Audit Velocity increases Maturity  Approach: Find a flaw, fix a flaw  Approach: Find a lot of flaws and keep a list  Approach: align vulnerability metrics into a continual service improvement model
  • 34. Root Cause Analysis  What is the root cause for any failure  Example: “metrics indicate 80% of malicious code infections are attributed to vulnerable versions of Java”  What were the steps to create the finding?  What are the expectations as a result of this finding?  What is the measure of Security Program health?
  • 35. Security Audit – Raising the right Bar  Cloud Security Alliance Control Matrix – Cloud Operational Security  Controls Domain and Controls Matrix (98 Controls with Mappings) Value – architecture, portability and interoperability; physical, network, compute, storage, applications, and data, differentiates service provider versus tenants  United States NIST Publication 200, NIST SP 800-54 rev4 – (mentioned earlier)  PCI-DSS – The Payment Card Industry Data Standard  Associated to credit card processing – however should be true in general – 12 tenants
  • 36. Federal Information Processing Standards (FIPS) Publications  FIPS 202 SHA-3 Standard: Permutation- Based Hash and Extendable-Output Functions  FIPS 201-2 Personal Identity Verification (PIV) of Federal Employees and Contractors  FIPS 200 Minimum Security Requirements for Federal Information and Information Systems  FIPS 199 Standards for Security Categorization of Federal Information and Information Systems  FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC)  FIPS 197Advanced Encryption Standard (AES)  FIPS 186-4 Digital Signature Standard (DSS)  FIPS 180-4 Secure Hash Standard (SHS)  FIPS 140-2 Security Requirements for Cryptographic Modules Standards issued by NIST after approval by the Secretary of Commerce pursuant to the Federal Information Security Management Act (FISMA). http://csrc.nist.gov/publications/PubsFIPS.html
  • 37. Questions?  Reach out on LinkedIn and we can continue the dialogue.  Good luck in your studies. Hope this was helpful.

Editor's Notes

  1. How is this possible? What missing?
  2. Let’s put on our Auditor hats. What can we use from Cobit 5 to assess the maturity of the security program in the context of the business and organization. Process, Purpose, Metrics
  3. Let’s put on our Auditor hats. What can we use from Cobit 5 to assess the maturity of the security program in the context of the business and organization.
  4. Let’s put on our Auditor hats. What can we use from Cobit 5 to assess the maturity of the security program in the context of the business and organization.
  5. STRIDE Spoofing v. Authentication Tampering v. Integrity Repudiation v. Non-Repudiation Information Disclosure v. Confidentiality Denial of Service v. Availability Elevation of Privilege v. Authorization