This document summarizes Daniel Miessler's blog post describing different types of security assessments. It discusses vulnerability assessments, penetration tests, red team assessments, audits, white/grey/black box assessments, risk assessments, threat assessments, threat modeling, and bug bounties. For each type, it provides a definition, what they are commonly confused with, and what they are best used for. The key messages are that vulnerability assessments aim to find all issues while penetration tests validate security, and organizations should perform assessments before tests to identify and fix issues.
Cyber security, need, security problem and types of cyber security (Vansh Bathla)
Cyber security is necessary to protect online information from threats. As more people use the internet, cyber security risks increase. There are several types of threats like viruses, hackers, malware, Trojan horses, and password cracking. Cyber security helps secure data and systems from these threats. It involves protecting applications, information, networks, websites, and endpoints from unauthorized access and cyber attacks. Maintaining strong passwords and using security software are important for cyber security.
The document provides an overview of threat landscapes, common threat actors, and tools used in cyber attacks against corporations. It discusses how threat landscapes change over time due to new vulnerabilities, software/hardware, and global events. Common threat actors described include white hat, gray hat, and black hat hackers. A variety of penetration testing and hacking tools are outlined that threat actors use, such as password crackers, wireless hacking tools, network scanners, packet sniffers, and vulnerability exploitation tools. Different types of attacks like eavesdropping, data modification, and IP spoofing are also summarized.
This document provides an overview of topics, technologies, programming languages, tools, certifications, and job roles commonly required in the field of cybersecurity. It lists fundamentals areas like computer science, networking, and cryptography. It also outlines essential security domains including web security, ethical hacking, incident response, policies, and human factors. Finally, it provides steps to get started in cybersecurity, including choosing a specialization, developing skills, and staying up to date in the field.
This document provides an agenda for mobile app security testing. It discusses topics like mobile OS versions, the mobile app SDLC, testing techniques, vulnerabilities, and security tools. Testing approaches include black box testing, code review, penetration testing and security assessments. Real devices are preferred over emulators due to limitations like missing features and network behavior issues. Common vulnerabilities discussed are cross-site scripting, SQL injection, and client-side injection. Popular security tools mentioned are ZAP, IBM AppScan, HP Fortify, and VeraCode. A three-tiered approach of testing the client, network and server layers is recommended for building secure mobile apps.
An introduction-to-factor-analysis-of-information-risk-fair (680Kabogo)
This document introduces the Factor Analysis of Information Risk (FAIR) framework, which provides definitions, components, and a process for quantitatively analyzing information risk. It aims to standardize terminology and establish a common lexicon for discussing risk that can be understood by both information security professionals and executives. The framework breaks down risk into measurable factors like threat event frequency, vulnerability, probable loss magnitude, and others. It then provides a multi-step process for applying these factors to scenarios to derive a measurable risk score. The goal is to improve communication around risk and bring more credibility, consistency, and efficiency to how organizations assess and manage their information risk exposure.
This document discusses breaking and penetration testing Ruby on Rails applications. It covers fingerprinting the Rails framework, testing the attack surface through routes, session security issues, authentication vulnerabilities, authorization testing, CSRF protection bypass, model attribute assignment and SQL injection issues, view rendering exploits, and insecure defaults. Recommended tools for analysis include Brakeman, grep searches, and the Ruby Mechanize and Nokogiri libraries. The document provides references for further Rails security best practices.
Cybersecurity for Small Business - Incident Response.pptx (Art Ocain)
Art Ocain discusses approaches to ransomware incident response for small businesses. From the NIST 800-61 or SANS incident response framework, Art walks small business owners through the stages of response and recovery.
Just as the title says, we go over the humble origins, touch on the notable variants of yesteryear and the big hitters of today, and discuss the future of ransomware. It is no longer just for Windows: Linux, Mac and mobile platforms are all ripe for extortion.
This humorous and entertaining talk teaches everyone, from Mom and Pops to large enterprise organizations what's really happening and how to protect themselves.
In this presentation, you will see what is Ethical Hacking, the purpose of Ethical Hacking, who is an Ethical Hacker, and the various Ethical Hacking certifications. With the rise in the number of cybercrimes, it is necessary for companies to hire Ethical Hackers to protect their networks and data. Here you will have a look at the five different Ethical Hacking certifications, namely Certified Ethical Hacker (CEH), Global Information Assurance Certification Penetration Tester (GPEN), Offensive Security Certified Professional (OSCP), CompTIA Pentest+ and Licensed Penetration Tester(LPT). We will talk about each of these certifications individually and have a look at their description, requirements to take up the certification, the exam fees, the exam duration, and finally, the average annual salary of a candidate with these certifications.
The following topics are covered in this Ethical Hacking certifications presentation:
1. What is Ethical Hacking?
2. Purpose of Ethical Hacking
3. Who is an Ethical Hacker?
4. Ethical Hacking certifications
5. CEH (Certified Ethical Hacker)
6. Global Information Assurance Certification Penetration Tester (GPEN)
7. Offensive Security Certified Professional (OSCP)
8. CompTIA PenTest+
9. Licensed Penetration Tester (LPT)
This Certified Ethical Hacker Version 10 (formerly CEHv9) course will train you on the advanced step-by-step methodologies that hackers actually use, such as writing virus code and reverse engineering, so you can better protect corporate infrastructure from data breaches. This ethical hacking course will help you master advanced network packet analysis and advanced system penetration testing techniques to build your network security skill set and beat hackers at their own game.
Why is the CEH certification so desirable?
The EC-Council Certified Ethical Hacker course verifies your advanced security skill-sets to thrive in the worldwide information security domain. Many IT departments have made CEH certification a compulsory qualification for security-related posts, making it a go-to certification for security professionals. CEH-certified professionals typically earn 44 percent higher salaries than their non-certified peers. The ethical hacking certification course opens up numerous career advancement opportunities, preparing you for a role as a computer network defence (CND) analyst, CND infrastructure support, CND incident responder, CND auditor, forensic analyst, intrusion analyst, security manager, and other related high-profile roles.
Learn more at https://www.simplilearn.com/cyber-security/ceh-certification
Cyber threat intelligence aims to help companies understand and address cybersecurity threats. It involves collecting and analyzing information on current and potential cyber attacks from sources like malware analysis and human intelligence. There are three main types of threat intelligence: strategic intelligence for executives, tactical intelligence for IT professionals, and operational intelligence from active attacks. Uncovering threats through cyber threat intelligence can help identify security issues like malware infections and prevent costly data breaches and ransomware attacks. The intelligence gathering process typically involves four phases: planning, data collection, threat analysis, and responding to threats.
This document discusses Check Point's perspective on the importance of the best security. It begins by outlining some of the major threats in 2021 like ransomware, APT groups, and software vulnerabilities. It then defines what "best security" means to Check Point, including blocking threats in real-time, prevention over detection, being everywhere across networks and clouds, being smart with AI, and being trusted. The document provides examples of how Check Point provides real-time prevention and highlights technology and testing that shows it is more effective than competitors. It emphasizes the importance of security vendors securing their own code and shows data that Check Point has fewer vulnerabilities and faster response times. The conclusion discusses how the best companies choose Check Point.
This document provides an overview of governance of security operations centers. It discusses the impact of disruptive technologies on organizations and the need for security operations centers to manage security risks. It covers designing an effective SOC including defining threats, processes, technology and acquiring a SOC. Operating a SOC includes defining expectations, baselining normal activity, using threat intelligence and handling incidents. Qualities of analysts and measuring SOC success are also discussed. Sustainable SOC governance principles like investing in people and emphasizing teamwork are presented.
The document provides an overview of the Open Web Application Security Project (OWASP). It discusses what OWASP is, the free resources it provides like publications, tools, and local chapters. It outlines some of OWASP's major publications like the OWASP Top 10 and Testing Guide. It also demonstrates the WebScarab and WebGoat tools. Finally, it describes the goals and offerings of the OWASP Cincinnati local chapter.
A seminar presentation on the infamous WannaCry attack. The presentation covers various terms related to WannaCry, how the attack is carried out, who is responsible, and how to avoid being affected.
The document discusses the Common Vulnerability Scoring System (CVSS). It provides a history of CVSS and describes the development of CVSS version 2. It outlines the base, temporal, and environmental metrics used in CVSS scoring. It notes some caveats in CVSS scoring, including subjective interpretations by vendors and a lack of representation from some groups. It also discusses politics around CVSS scoring and challenges in initial adoption.
The document provides an introduction and agenda for a 3-day security operations center fundamentals course. Day 1 will cover famous attacks and how to confront them, as well as an introduction to security operations centers. Day 2 will discuss the key features, modules, processes, and people involved in SOCs. Day 3 will focus on the technology used in SOCs, including network monitoring, investigation, and correlation tools. The instructor is introduced and the document provides an overview of common attacks such as eavesdropping, data modification, spoofing, password attacks, denial of service, man-in-the-middle, and application layer attacks.
FireEye provides cybersecurity products and services including threat intelligence, security consulting, incident response, and security technologies. The document outlines FireEye's offerings including threat intelligence subscriptions, security products like network security and email security, security services like incident response and expertise on demand, and consulting services from Mandiant. FireEye differentiates itself through its threat intelligence capabilities which leverage insights from responding to breaches and its security technologies.
This presentation helps you understand the biggest cyber-extortion attack in the history of the internet. It covers the what, how and why of the WannaCry ransomware.
This document discusses ransomware, including its impact, evolution, and prevention. It defines ransomware as malicious software that blocks access to a computer system until a ransom is paid. There are two main types: locker ransomware which locks the system, and crypto ransomware which encrypts files. The document then discusses how ransomware enters systems, how it executes once inside, examples of ransomware strains, and defensive measures like backups and training users.
The document is a presentation on threat hunting with Splunk. It discusses threat hunting basics, data sources for threat hunting, knowing your endpoint, and using the cyber kill chain framework. It outlines an agenda that includes a hands-on walkthrough of an attack scenario using Splunk's core capabilities. It also discusses advanced threat hunting techniques and tools, enterprise security walkthroughs, and applying machine learning and data science to security.
Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping (MITRE ATT&CK)
From ATT&CKcon 4.0
By Pranusha Somareddy, Lark Health
"By aligning security controls with specific adversary techniques and tactics, organizations can gain a comprehensive understanding of their defensive capabilities. This mapping exercise serves as a vital step in identifying potential gaps and weaknesses within the security architecture. The evaluation of security maturity using the MITRE ATT&CK framework provides valuable insights into the effectiveness of existing controls, shedding light on areas that require improvement or further attention.
In this presentation, we will delve into practical strategies and real-world examples that showcase how organizations can successfully leverage the MITRE ATT&CK framework to enhance their security maturity. We will also explore key topics such as:
(i) Customizing security training and awareness programs based on roles and responsibilities
(ii) Conducting thorough assessments of incident response capabilities through the framework
(iii) Integrating threat intelligence derived from ATT&CK to continuously improve the security posture"
Security misconfiguration is a major risk due to its prevalence and impact. It occurs when default passwords, debugging settings, or excessive privileges are left unchanged, potentially allowing hackers access. Proper configuration through secure coding practices, access controls, patching, and audits can help safeguard systems and data.
PowerUp - Automating Windows Privilege Escalation (Will Schroeder)
This slide deck was given as a fire talk at @BSidesBoston '14, and covers the genesis and implementation of PowerUp, a PowerShell tool for Windows privilege escalation.
Penetration testing is an essential security practice that assesses vulnerabilities in systems, networks, and web applications before attackers can exploit them. It involves gathering target information, identifying entry points, attempting to break in either virtually or for real, and reporting findings. Penetration testing should be done regularly to identify issues that vulnerability assessments and security tools may miss, as hackers develop new techniques daily. It is important for organizations of any size to conduct penetration testing to protect their business continuity, save money, and comply with regulations like GDPR.
Increasing Value Of Security Assessment Services (Chris Nickerson)
Session Description:
Compliance and Best Practices tell us to do a Penetration Test, but there is no real definition. We are asked to do Vulnerability Scanning, but are the scores relevant? What about this huge audit we went through? All those tests and all those boxes checked.... is our company more secure?
As a tester and defender I am SICK of seeing people pay for testing and have no idea what the tester did, how they did it, or what value it provides. Unless we follow a methodology that is repeatable, understand the business and its assets, and work on both the Red Team AND Blue Team.....we are defending our networks with the same stacks of cash the attackers are trying to steal.
This session will talk about practical testing and defense, getting the most out of your testing dollar, and < surprise face> how to track the growth of your InfoSec program from its management systems all the way out to the magical question "how are we REALLY?"
Just as the title says, we go over the humble origins, touch on the notable variants of yesteryear, the big hitters of today, and discuss the future of ransomware. It's no longer just for windows anymore. Linux, Mac and Mobile platforms are all ripe for extortion.
This humorous and entertaining talk teaches everyone, from Mom and Pops to large enterprise organizations what's really happening and how to protect themselves.
In this presentation, you will see what is Ethical Hacking, the purpose of Ethical Hacking, who is an Ethical Hacker, and the various Ethical Hacking certifications. With the rise in the number of cybercrimes, it is necessary for companies to hire Ethical Hackers to protect their networks and data. Here you will have a look at the five different Ethical Hacking certifications, namely Certified Ethical Hacker (CEH), Global Information Assurance Certification Penetration Tester (GPEN), Offensive Security Certified Professional (OSCP), CompTIA Pentest+ and Licensed Penetration Tester(LPT). We will talk about each of these certifications individually and have a look at their description, requirements to take up the certification, the exam fees, the exam duration, and finally, the average annual salary of a candidate with these certifications.
Below topics are explained in this Ethical Hacking certifications presentation:
1. What is Ethical Hacking?
2. Purpose of Ethical Hacking
3. Who is an Ethical Hacker?
4. Ethical Hacking certifications
5. CEH (Certified Ethical Hacker)
6. Global information assurance certification penetration tester (GPEN)
7. Offensive security certified professional (OSCP)
8. CompTia PenTest+
9. Licensed penetration tester (LPT)
This Certified Ethical Hacker-Version 10 (earlier CEHv9) course will train you on the advanced step-by-step methodologies that hackers actually use, such as writing virus codes and reverse engineering, so you can better protect corporate infrastructure from data breaches. This ethical hacking course will help you master advanced network packet analysis and advanced system penetration testing techniques to build your network security skill-set and beat hackers at their own game.
Why is the CEH certification so desirable?
The EC-Council Certified Ethical Hacker course verifies your advanced security skill-sets to thrive in the worldwide information security domain. Many IT departments have made CEH certification a compulsory qualification for security-related posts, making it a go-to certification for security professionals. CEH-certified professionals typically earn 44 percent higher salaries than their non-certified peers. The ethical hacking certification course opens up numerous career advancement opportunities, preparing you for a role as a computer network defence (CND) analyst, CND infrastructure support, CND incident responder, CND auditor, forensic analyst, intrusion analyst, security manager, and other related high-profile roles.
Learn more at https://www.simplilearn.com/cyber-security/ceh-certification
Cyber threat intelligence aims to help companies understand and address cybersecurity threats. It involves collecting and analyzing information on current and potential cyber attacks from sources like malware analysis and human intelligence. There are three main types of threat intelligence: strategic intelligence for executives, tactical intelligence for IT professionals, and operational intelligence from active attacks. Uncovering threats through cyber threat intelligence can help identify security issues like malware infections and prevent costly data breaches and ransomware attacks. The intelligence gathering process typically involves four phases: planning, data collection, threat analysis, and responding to threats.
This document discusses Check Point's perspective on the importance of the best security. It begins by outlining some of the major threats in 2021 like ransomware, APT groups, and software vulnerabilities. It then defines what "best security" means to Check Point, including blocking threats in real-time, prevention over detection, being everywhere across networks and clouds, being smart with AI, and being trusted. The document provides examples of how Check Point provides real-time prevention and highlights technology and testing that shows it is more effective than competitors. It emphasizes the importance of security vendors securing their own code and shows data that Check Point has fewer vulnerabilities and faster response times. The conclusion discusses how the best companies choose Check Point.
This document provides an overview of governance of security operations centers. It discusses the impact of disruptive technologies on organizations and the need for security operations centers to manage security risks. It covers designing an effective SOC including defining threats, processes, technology and acquiring a SOC. Operating a SOC includes defining expectations, baselining normal activity, using threat intelligence and handling incidents. Qualities of analysts and measuring SOC success are also discussed. Sustainable SOC governance principles like investing in people and emphasizing teamwork are presented.
The document provides an overview of the Open Web Application Security Project (OWASP). It discusses what OWASP is, the free resources it provides like publications, tools, and local chapters. It outlines some of OWASP's major publications like the OWASP Top 10 and Testing Guide. It also demonstrates the WebScarab and WebGoat tools. Finally, it describes the goals and offerings of the OWASP Cincinnati local chapter.
A seminar presentation on the infamous wannacry attack.The presentation cover various terms related to wannacry ,how the attack is carried out, who are responsible and how to prevent getting affected.
The document discusses the Common Vulnerability Scoring System (CVSS). It provides a history of CVSS and describes the development of CVSS version 2. It outlines the base, temporal, and environmental metrics used in CVSS scoring. It notes some caveats in CVSS scoring, including subjective interpretations by vendors and a lack of representation from some groups. It also discusses politics around CVSS scoring and challenges in initial adoption.
The document provides an introduction and agenda for a 3-day security operations center fundamentals course. Day 1 will cover famous attacks and how to confront them, as well as an introduction to security operations centers. Day 2 will discuss the key features, modules, processes, and people involved in SOCs. Day 3 will focus on the technology used in SOCs, including network monitoring, investigation, and correlation tools. The instructor is introduced and the document provides an overview of common attacks such as eavesdropping, data modification, spoofing, password attacks, denial of service, man-in-the-middle, and application layer attacks.
FireEye provides cybersecurity products and services including threat intelligence, security consulting, incident response, and security technologies. The document outlines FireEye's offerings including threat intelligence subscriptions, security products like network security and email security, security services like incident response and expertise on demand, and consulting services from Mandiant. FireEye differentiates itself through its threat intelligence capabilities which leverage insights from responding to breaches and its security technologies.
This presentation lets you understand about the biggest cyber-attack extortion in the history of the internet. It contains all details of what, how and whys of WannaCry Ransomware.
This document discusses ransomware, including its impact, evolution, and prevention. It defines ransomware as malicious software that blocks access to a computer system until a ransom is paid. There are two main types: locker ransomware which locks the system, and crypto ransomware which encrypts files. The document then discusses how ransomware enters systems, how it executes once inside, examples of ransomware strains, and defensive measures like backups and training users.
The document is a presentation on threat hunting with Splunk. It discusses threat hunting basics, data sources for threat hunting, knowing your endpoint, and using the cyber kill chain framework. It outlines an agenda that includes a hands-on walkthrough of an attack scenario using Splunk's core capabilities. It also discusses advanced threat hunting techniques and tools, enterprise security walkthroughs, and applying machine learning and data science to security.
Evaluating and Enhancing Security Maturity through MITRE ATT&CK MappingMITRE ATT&CK
From ATT&CKcon 4.0
By Pranusha Somareddy, Lark Health
"By aligning security controls with specific adversary techniques and tactics, organizations can gain a comprehensive understanding of their defensive capabilities. This mapping exercise serves as a vital step in identifying potential gaps and weaknesses within the security architecture. The evaluation of security maturity using the MITRE ATT&CK framework provides valuable insights into the effectiveness of existing controls, shedding light on areas that require improvement or further attention.
In this presentation, we will delve into practical strategies and real-world examples that showcase how organizations can successfully leverage the MITRE ATT&CK framework to enhance their security maturity. We will also explore key topics such as:
(i)Customizing security training and awareness programs based on roles and responsibilities
(ii)Conducting thorough assessments of incident response capabilities through the framework
(iii)Integrating threat intelligence derived from ATT&CK to continuously improve the security posture"
Security misconfiguration is a major risk due to its prevalence and impact. It occurs when default passwords, debugging settings, or excessive privileges are left unchanged, potentially allowing hackers access. Proper configuration through secure coding practices, access controls, patching, and audits can help safeguard systems and data.
PowerUp - Automating Windows Privilege EscalationWill Schroeder
This slidedeck was given as a firetalk at @BSidesBoston '14, and covers the genesis and implementation of PowerUp, a Powershell tool for Windows privilege escalation.
Penetration testing is an essential security practice that assesses vulnerabilities in systems, networks, and web applications before attackers can exploit them. It involves gathering target information, identifying entry points, attempting to break in either virtually or for real, and reporting findings. Penetration testing should be done regularly to identify issues that vulnerability assessments and security tools may miss, as hackers develop new techniques daily. It is important for organizations of any size to conduct penetration testing to protect their business continuity, save money, and comply with regulations like GDPR.
Increasing Value Of Security Assessment Services (Chris Nickerson)
Session Description:
Compliance and Best Practices tell us to do a Penetration Test, but there is no real definition. We are asked to do Vulnerability Scanning, but are the scores relevant? What about this huge audit we went through? All those tests and all those boxes checked.... is our company more secure?
As a tester and defender I am SICK of seeing people pay for testing and have no idea what the tester did, how they did it, or what value it provides. Unless we follow a methodology that is repeatable, understand the business and its assets, and work on both the Red Team AND Blue Team.....we are defending our networks with the same stacks of cash the attackers are trying to steal.
This session will talk about practical testing and defense, getting the most out of your testing dollar, and <surprise face> how to track the growth of your InfoSec program from its management systems all the way out to the magical question "how are we REALLY?"
Common and dangerous myths about security vulnerability assessments from experienced vulnerability assessors of physical security and nuclear safeguards devices, systems, and programs.
EuroSTAR Software Testing Conference 2012 presentation on Curing Our Binary Disease by Rekard Edgren.
See more at: http://conference.eurostarsoftwaretesting.com/past-presentations/
Red Team Operations: Attack and Think Like a Criminal (Infosec)
Are you red team, blue team — or both? Get an inside look at the offensive and defensive sides of information security in our on-demand webinar series.
Senior security researcher and InfoSec Instructor Jeremy Martin digs into the mindset of an attacker during this on-demand webinar, Red Team Operations: Attack and Think Like a Criminal. The webinar will cover:
- The job duties of a Red Team professional
- Frameworks and strategies for conducting Red Team assessments
- How to get started and progress your offensive security career
- And answer any live questions you have!
Watch the full webinar: https://www2.infosecinstitute.com/l/12882/2018-11-29/b9gw5q
Don’t miss the second part of the series, Cyber Threat Hunting: Identify and Hunt Down Intruders: https://www2.infosecinstitute.com/l/12882/2018-11-29/b9gwfd
This document provides guidance on how to effectively communicate security issues to management. It discusses how to plan presentations by developing a clear topic and message (the pyramid principle). It also stresses the importance of thorough research and analysis to support conclusions and recommendations. Finally, it describes how to tailor the presentation by understanding the roles and perspectives of different management audiences. The overall goal is to engage management and help them appreciate security challenges by focusing the presentation on their needs.
Risksense: 7 Experts on Threat and Vulnerability Management (Mighty Guides, Inc.)
Juan Morales advises prioritizing vulnerability remediation by first identifying the critical assets that are most important to keeping the business running operationally and financially. It is important to understand where these key assets are located and have conversations with business stakeholders to obtain insight on the criticality of the assets. Quantifying risk to stakeholders in terms of potential system downtime and financial impact, such as revenue loss, can help communicate risk more effectively than simply stating the cost to fix a vulnerability. Visuals like charts and dashboards with trend lines are also effective for stakeholders to understand risk.
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C... (CODE BLUE)
As the security industry has grown we've seen every aspect of our world become more complicated and more overwhelming. We're consistently promised solutions and technology to make our lives easier, to stop the attacker, to catch them quicker, to automate the pain away, but the reality falls flat. Frankly, it's underwhelming. Understanding where your program stands today, where you should spend time and resources, and how best to reduce risk to your organization are key aspects of any program. Join us to discuss and discover what some of the largest organizations in the world are doing to try to make sense of it all, and how they got there.
Penetration Testing for Cybersecurity Professionals211 Check
Penetration Testing for Cybersecurity Professionals is a joint presentation by Charles Chol and Chuol Buok, who are both Cyber Security Analysts in South Sudan.
Threat hunting involves proactively searching for unknown threats that have penetrated an organization's networks without raising alarms. It helps strengthen security by rooting out attackers and identifying weaknesses. While similar to incident response and penetration testing, threat hunting does not require an existing security alert or known vulnerabilities. Building an effective threat hunting program requires assembling a team with diverse skills like network security expertise, data analytics abilities, and curiosity to explore unusual patterns. Regularly scheduled threat hunting exercises can improve incident response skills and shrink the overall attack surface.
The document summarizes a panel discussion on security and hacking held by the Tech Talent Meetup. The panel of security experts from various companies discussed why security is important, greatest risks and threats, how companies can protect data, career opportunities in security, and tips for personal online security. Some key points included prioritizing security of important data, investing in staff training, focusing on detection over prevention, and using tools like password managers and two-factor authentication.
Testing in modern times a story about quality and value - agile testing dev ... (Huib Schoots)
In agile and especially DevOps approaches the motto is: automated everything! Companies like Facebook claim they do not have testers at all. Microsoft only has SDET (software development engineers in Test), other companies are T-shaping developers to do the testing. New kid on the block is AI and machine learning, that will definitely replace testing I hear people claim. What is really happening globally? Do we no longer need testers? Can we actually automate everything? How can we make valuable software for our clients?
In this presentation I will address questions like:
* Do we need testing? And if so: why is testing important?
* What is the business case of testing?
* Can developers also test? And if so: do we still need testers?
* How can we create quality software?
The 360 degree feedback report provides assessments of Paul's safety leadership practices from his perspective, two line managers, and three peers. It identifies his top strengths as speaking up with care, looking out for others, demonstrating commitment, actively caring, and showing worth of care. His top areas for improvement are maintaining best practice policies and procedures, acknowledging outdated policies, sharing improvements, looking for gaps, and talking above line controls. The report includes a spidergraph comparing his current and desired performance, an analysis of his transformational level, and a personal development plan.
An exploration of the cyber security market factors that lend to pervasive issues with hyperbole and feelings of broken trust across the various participants. Much is left off the slide & was covered in narrative at a recent OWASP LA meetup, original done for B-Sides LV.
React Faster and Better: New Approaches for Advanced Incident Response (SilvioPappalardo)
It’s impossible to prevent everything (we see examples of this in the press every week), so you must be prepared to respond. The sad fact is that you will be breached. Maybe not today or tomorrow, but it will happen. So response is more important than any specific control. But it’s horrifying how unsophisticated most organizations are about response.
This is compounded by the reality of an evolving attack space, which means even if you do incident response well today, it won’t be good enough for tomorrow.
The document discusses accepting audits as a service and provides tips for dealing with auditors. It notes that audits evaluate people, organizations, systems and processes. The scope of an audit drives the results and controls must be evaluated to manage risk. Communication is key when dealing with auditors and clarifying the scope can help reduce face time. Ultimately, audits can help show risks and improvements when controls are properly addressed.
Let’s see if you have a picture in your head of auditors. Do you see them, sitting there in the darkness, with a maniacal look on their faces? They pore over your documentation and configuration files just hoping to find the red meat. If there is anything juicy they will find it and feed off it at your expense. Is this the image you have of auditors? Perhaps you were burned during an audit, or just didn’t have a very good experience at the auditor’s hands. With a bit of explanation, your next audit doesn’t have to be so stressful and adversarial. Maybe, just maybe, you can walk away with some value to help improve what you do that you hadn’t thought of before.
Starting from the beginning, we will walk through why IT auditors exist and what role they play in the organization’s risk management process. Since we all can relate to risk, maybe we can find the common ground and start to derive value from what auditors provide. Given the right amount of attention and care, organizations can ultimately benefit from IT and Audit working together. Plus you will sleep better at night knowing the bogeyman is just a myth.
Speaker Bio
Jeff Kirsch is an IT auditor by day and ghostnomad, an infosec geek alter ego, every chance he can get. Always trying to learn new things drives him to find better ways to help others learn about technology. His passion for technology also drives him to help those in technology understand auditors and the audit process.
Congratulations! You're The New Security Person! (or, I've Made a Huge Mistake) (Sean Jackson)
Basically, Enterprise Security 101. Covering frameworks, and how to try and wrap your arms around running the whole Information Security program from the beginning.
The document lists the top 20 public bug bounty programs on the HackerOne platform based on total bounties paid out. Verizon Media ranked #1 having paid out over $4 million total in bounties. Other top programs included Uber, PayPal, Shopify, Twitter, Intel, Airbnb, Ubiquiti Networks, Valve, GitLab, GitHub, Slack, Starbucks, Mail.ru, Grab, Coinbase, Snapchat, HackerOne, DropBox, and VK. The document provides details on total bounties paid, response times, number of hackers thanked, largest bounty amounts, and number of reports resolved for each program.
118 Hacker-Powered Facts From The 2018 Hacker-Powered Security Report (HackerOne)
Another year, another Hacker-Powered Security Report! We pulled out 100 of the report’s top facts—and then added 18 more, since it’s 2018. See below for a better understanding of how hacker-powered security is disrupting (in a good way) how organizations approach security. More security teams are adding VDPs, more are supplementing their skills and bandwidth with hackers, and more are augmenting their standard pen tests with hacker challenges.
In 2018, the HackerOne community and those using our platform have combined to crush every metric that we track. Organizations awarded more than $11 million in bounties. Hackers submitted more than 78,000 reports. Bounties were awarded to hackers in over 100 countries.
Unfortunately, the only metric that hasn’t changed much is the percentage of Forbes Global 2000 companies without vulnerability disclosure policies.
Read on for all of the facts!
Federal Trade Commission's Start With Security Guide (HackerOne)
Sound security is no accident. Here's what the FTC learned from more than 50 law enforcement actions related to data security, distilled down into their wonderful guide https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf.
The Federal Trade Commission’s (FTC) job is to protect consumers. The agency’s Bureau of Consumer Protection works to investigate issues related to many areas, including data security. When they discover unfair, deceptive, or fraudulent business practices, they work with law enforcement to follow up.
To help businesses better protect their customers’ sensitive data, they published Start With Security: A Guide for Business to surface their lessons learned from settling more than 50 law enforcement actions. The FTC found that most of the cases involved “basic, fundamental security missteps.”
What follows are suggestions from the FTC so, hopefully, you can avoid those same basic, fundamental missteps. We’ve also included the FTC’s real examples of infractions and some helpful resources.
Everything you Need to Know about The Data Protection Officer Role (HackerOne)
Data privacy and security expert, Debra Farber, presents on the emerging role of the Data Protection Officer (DPO). When the EU's General Data Protection Regulation (GDPR) becomes enforceable on May 25, 2018, companies around the world who process the personal data of EU residents will be required by law to appoint an independent DPO who has specific responsibilities and data protection knowledge.
The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the... (HackerOne)
We are in the age of the hacker. Never before has there been more opportunities to learn, more tools, more welcoming companies and more money up for grabs. At the end of last year, we tapped into our community of ethical hackers to better understand how they like to work, what’s most important to them and what needs to change. The 2018 Hacker Report is the largest survey ever conducted of the ethical hacking community with 1,698 respondents.
The Open Web Application Security Project, is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
One of those projects, The OWASP Top Ten, provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.
The OWASP team recently released the 2017 revised and updated version of the ten most critical web application security risks and so we’ve created these flash cards for you, your friends, and your colleagues (especially product and engineering :) to test your knowledge and learn more about these important issues.
Company-wide security awareness is a powerful way to improve the overall security of your organization. So adorn your waiting rooms, cubicles, and snack rooms with these flash cards for easy learning and remembrance.
- What companies have paid the most in bug bounties to date
- Highest paid bounties and average bounty amount across top programs
- How long it takes to respond, pay, and resolve reported vulnerabilities
- Top hackers and the average number of hackers that have reported bugs across each program
GDPR Guide: The ICO's 12 Recommended Steps To Take Now (HackerOne)
Recommendations from The United Kingdom's Information Commissioner's Office (ICO) to Prepare for May 2018.
The European General Data Protection Regulation, better known as GDPR, will take effect on May 25, 2018. When it does, every business, organization, or government agency that collects information on European Union (EU) citizens (in other words, just about everyone) will be forced to radically change how it manages customer data and security. If you don’t, the cost of noncompliance is significant: fines can reach up to €20M ($23.5M) or 4 percent of annual sales, whichever is higher.
Why Executives Underinvest In Cybersecurity (HackerOne)
Learn how to get around the misguided thinking that leads to executive underinvestment in cyber security, and secure the resources you need. You'll learn how to:
- Work around CEO and CFO human biases
- Motivate decision makers to invest more in cyber infrastructure
- Replace your CEO’s mental model with new success metrics
- Compare your company’s performance with similar firms to overcome executive overconfidence
Watch the full video recording!
Bug Bounties and The Path to Secure Software by 451 Research (HackerOne)
Scott Crawford, Research Director of Information Security at 451 Research, shares:
- Why having a Vulnerability Disclosure Policy is now “table stakes”
- The what, how and why of Vulnerability Disclosure Policy documentation
- Tangible benefits and tradeoffs of incorporating bug bounties into software development
- How bug bounties make for a more secure software development lifecycle
Who is a hacker? What is a bug bounty program? How do you get started with bug bounties? How much should I pay hackers who find bugs in my website and apps?
All these questions and more are answered in our bug bounty basics booklet. Learn more about the market-leading bug bounty platform and how it is the ideal choice for continuous security testing at https://www.hackerone.com/product/bounty
An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disc... (HackerOne)
The private sector and federal government are increasingly considering the use of vulnerability disclosure programs and bug bounties to improve cybersecurity of connected products, websites and services.
These programs can improve security, but they present legal and practical challenges that companies should consider. In this joint webinar with Wiley Rein, legal cybersecurity experts Megan Brown and Matthew Gardner cover the following:
- An overview of vulnerability disclosure controversies and the current push for vulnerability disclosure programs, including recommendations from the FTC, NIST, NTIA, and federal programs like Hack the Pentagon;
- An analysis of the legal framework for vulnerability disclosure programs, including the rights companies may give up;
- A look at the dangers associated with a poorly implemented program, like failing to dedicate proper resources to it;
- Pragmatic considerations of working with hackers, including how to establish respect and proper boundaries; and
- Real-world examples of successful bug bounty programs.
See the full recording here: https://www.youtube.com/watch?v=-xb87hEt_Ws
How GitLab and HackerOne help organizations innovate faster without compromis... (HackerOne)
In this webinar, GitLab’s Product Manager, Victor Wu, dives into how GitLab helps you ship secure code, the tools they use, and a few industry best practices they follow to protect data and secrets. Then, GitLab Security Lead, Brian Neel, will explain how they leverage their community using HackerOne to spot and prioritize security issues quickly.
HackerOne Presents in China - COO Ning Wang (HackerOne)
On a recent trip to China, HackerOne COO and CFO Ning Wang gave a presentation at Hack for Security Conference. Thanks to the hosts and awesome welcome from the community!
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu... (HackerOne)
1. The document discusses how to write effective bug bounty reports by understanding what security teams look for in reports. It emphasizes providing detailed reproduction steps, analyzing exploitability and potential impact, and considering the perspective of the security team.
2. Common elements of an effective report include clear reproduction steps, analysis of how an attack could actually work in the real world, and understanding what types of vulnerabilities are important to the specific organization based on their industry and needs.
3. The presentation provides examples of good and bad reports, outlines typical service level agreements, and emphasizes asking questions to understand the priorities and scope of individual security programs.
Meet the hackers powering the world's best bug bounty programs (HackerOne)
Not even the strongest or most skilled organizations have the headcount and capacity to avert system vulnerabilities on their own.
There is strength in numbers.
Hackers are that army - and at HackerOne, there are 80,000+ white hat hackers who want to make your software more secure.
Hackers ARE: problem-solvers, curious, technically skilled, diverse in background and education.
Hackers are NOT: criminals using their skills for a malicious purpose.
This presentation dives into who these hackers are and what motivates them. We look at some successful hacker profiles and see what separates the best from the rest.
HijackLoader Evolution: Interactive Process Hollowing (Donato Onofri)
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum... (APNIC)
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
Securing BGP: Operational Strategies and Best Practices for Network Defenders... (APNIC)
Md. Zobair Khan, Network Analyst and Technical Trainer at APNIC, presented 'Securing BGP: Operational Strategies and Best Practices for Network Defenders' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
Understanding Information Security Assessment Types
1. Reprint of IOActive’s Daniel Miessler’s blog post describing the major types of security assessment, along with what differentiates them.
UNDERSTANDING INFORMATION SECURITY ASSESSMENT TYPES
2. “There are many different types of security assessments… ...and they’re not always easy to keep separately in our minds (especially for sales types).”
Daniel Miessler is a well-known information security professional based in San Francisco. For more than 20 years, he’s been writing about his infosec projects and other interests, as he puts it, “as a means of organizing everything I have learned and want to learn.”
With organization and education in mind, Daniel wrote a helpful post describing the major types of security assessments and how they’re unique, and we asked if we could re-share it. If you’re one of the “sales types” Daniel mentions above, or just looking to educate yourself on infosec topics, then click ahead.
3. VULNERABILITY ASSESSMENT
What is it?
A vulnerability assessment is a technical assessment designed to yield as many vulnerabilities as possible in an environment, along with severity and remediation priority information.
What’s it commonly confused with?
The vulnerability assessment is most often confused (and/or conflated) with the Penetration Test. This is primarily because sales people think the latter sounds cooler, bless their hearts.
4. VULNERABILITY ASSESSMENT
What’s it best at?
The vulnerability assessment is best used when security maturity is low to medium, when you need a prioritized list of everything that’s wrong, where the goal is to fix as many things as possible as efficiently as possible.
5. PENETRATION TEST
What is it?
A Penetration Test is a technical assessment designed to achieve a specific goal, e.g., to steal customer data, to gain domain administrator, or to modify sensitive salary information.
What’s it commonly confused with?
The Penetration Test is most often confused (and/or conflated) with the vulnerability assessment. See ‘Sales People’ for more information. Another way to think about this is to imagine vulnerability assessments as looking for security problems when you know/assume they exist, and penetration testing as validating a configuration when you believe it to be secure.
6. PENETRATION TEST
What’s it best at?
Because a Penetration Test is designed to achieve one or more specific goals, it should not be commissioned by low or medium security organizations in most cases. Performing a Penetration Test against a low or medium security shop will simply yield recommendation all-time-greats like “Implement patching across the organization.”, “Disable inactive users.”, and—one of my favorites—“Understand where your sensitive data is.” Do not waste money on a Penetration Test unless you’ve already undergone one or seventeen vulnerability assessments and then remediated everything that was found. Penetration Tests are for testing security that is assumed to be strong, not documenting the contents of a soup sandwich.
7. PENETRATION TESTING: HACKERONE CAN HELP
Now for a quick break from Daniel’s awesome content to show you this HackerOne commercial...
Crowdsourced penetration testing has been proven to find more critical vulnerabilities, at a lower cost than traditional penetration tests.
TRY A HACKERONE CHALLENGE TODAY AND SEE FOR YOURSELF
Or read the guide on hacker-powered pen tests for more information
8. RED TEAM ASSESSMENT
What is it?
A Red Team “assessment” is something of a misnomer in the corporate context, since corporate Red Team services should ideally be continuous rather than point-in-time. So it should ideally be more of a service than an assessment. But regardless of that distinction, the central purpose of a corporate Red Team is to improve the quality of the corporate information security defenses, which, if one exists, would be the company’s Blue Team. In fact, that’s what a lowercase “red team” is: an independent group that challenges an organization to improve its effectiveness. In the case of corporate Red Teams, the org they’re improving is the Blue Team.
Red Team services should, in my opinion, always have the following five elements: Organizational Independence, Defensive Coordination, Continuous Operation, Adversary Emulation, and Efficacy Measurement.
9. RED TEAM ASSESSMENT
What’s it commonly confused with?
Red Team services are most commonly confused with Penetration Testing. Sales and marketing groups are using the terms nearly interchangeably, as are many internal security groups. People confusing the two are basically seeing “Red Teaming” as a sexier, more elite type of Penetration Test. They are not the same. A Penetration Test is a defined, scoped, and point-in-time assessment that has specific goals for success or failure. A corporate Red Team (whether internal or external) is a continuous service that emulates real-world attackers for the purpose of improving the Blue Team. They may share TTPs at times, but they have very different purposes.
10. RED TEAM ASSESSMENT
What’s it best at?
Red Team services are best used when an organization has covered the basics of strong vulnerability management and has at least some capability to detect and respond to malicious or suspicious behavior in the environment. If an organization is still struggling with basic asset management, patching, egress traffic control, and other fundamentals, it’s usually best that they get those solved before hiring or building a “Red Team”. Red Teams are for testing mature security postures in a real-world way, not for enumerating issues in low-maturity environments. If you don’t have a Blue Team, you probably don’t need a Red Team.
11. AUDIT
What is it?
An audit can be technical and/or documentation-based, and focuses on how an existing configuration compares to a desired standard. This is an important point. It doesn’t prove or validate security; it validates conformance with a given perspective on what security means. These two things should not be confused.
What’s it commonly confused with?
Audits are often confused with pretty much any other type of security assessment where the goal is to find vulnerabilities and fix them. That could be part of an audit, if there’s an item in the standard that says you shouldn’t have vulnerabilities, but the key attribute is mapping current state against an arbitrary standard.
12. AUDIT
What’s it best at?
Organizations use audits to demonstrate compliance. Importantly, compliance should not be used to demonstrate security. Secure organizations are significantly more likely to be compliant (if checked), but compliant organizations should lay no claims to being secure just because they are in accordance with standard X or Y.
13. BEYOND THE AUDIT: HACKERONE CAN HELP
Now for a quick break from Daniel’s awesome content to show you this HackerOne commercial...
Compliance does not equal security, but it is a necessary box to check.
SEE HOW HACKERONE RESPONSE, THE ISO 29147 COMPLIANT SOLUTION, CAN HELP
Or read our guide on the 5 Critical Components of a VDP for more information
14. WHITE/GREY/BLACK ASSESSMENT
What is it?
The white/grey/black assessment parlance is used to indicate how much internal information a tester will get to know or use during a given technical assessment. The levels map light to internal transparency, so a white-box assessment is where the tester has full access to all internal information available, such as network diagrams, source code, etc. A grey-box assessment is the next level of opacity down from white, meaning that the tester has some information but not all. The amount varies. A black-box assessment—as you’re hopefully guessing—is an assessment where the tester has zero internal knowledge about the environment, i.e. it’s performed from the attacker perspective.
15. WHITE/GREY/BLACK ASSESSMENT
What’s it commonly confused with?
The largest source of confusion around white/grey/black-box nomenclature is not realizing that they aren’t really an assessment type but rather an aspect of one. They’re most commonly paired with vulnerability assessments where you’re trying to find the most issues possible, and that provides significant incentive to open the curtains a bit. Remember that the goal of a vulnerability assessment is to find as many issues as possible, so hiding internal information from a tester that keeps them from finding issues doesn’t hurt them—it hurts you. Don’t confuse wanting to know what attackers can see/do with wanting to know what problems you have. These are two separate things and need to be approached separately. If you want to know what an attacker can do, fix all your issues until you’re confident you’re as secure as possible, and then get a Penetration Test.
16. WHITE/GREY/BLACK ASSESSMENT
What’s it best at?
White-box assessments are best used with vulnerability assessments because you want to find as many issues as possible, regardless of how the tester came to discover them. Grey-box assessments are often used when people are confused about the difference between a Penetration Test and a vulnerability assessment. They want to give some information, but not all. Let’s be clear: if you’re trying to find all of your issues, you shouldn’t withhold information from the tester. If you’re doing a Penetration Test, however, you shouldn’t give the tester anything, which is a black-box assessment. Keep these clear in your mind and you’ll be ok.
17. RISK ASSESSMENT
What is it?
Risk Assessments, like threat models, are extremely broad in both how they’re understood and how they’re carried out. At the highest level, a risk assessment should involve determining what the current level of acceptable risk is, measuring the current risk level, and then determining what can be done to bring these two in line where there are mismatches. Risk Assessments commonly involve the rating of risks in two dimensions, probability and impact, and both quantitative and qualitative models are used. In many ways, risk assessments and threat modeling are similar exercises, as the goal of each is to determine a course of action that will bring risk to an acceptable level.
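A worked version of the two-dimension rating just described, added here as an example; it is not code from Miessler’s post or from HackerOne. Each risk is scored on probability and impact in a qualitative model (1-5 ordinal scales) and in a quantitative model (expected annual loss, computed as events per year times loss per event, which is an assumed model the post does not specify), and the current level is compared with an acceptable level to find the mismatches that need treatment. The assets, ratings, frequencies, losses and thresholds are constructed for illustration.

```python
"""Added example: a minimal risk-assessment calculation.

Not code from Miessler's post or from HackerOne; the assets, ratings,
frequencies, losses and thresholds below are constructed for illustration.
The quantitative model (events per year x loss per event) is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    probability: int          # qualitative likelihood: 1 (rare) .. 5 (almost certain)
    impact: int               # qualitative impact: 1 (negligible) .. 5 (severe)
    events_per_year: float    # quantitative: expected occurrences per year
    loss_per_event: float     # quantitative: estimated loss per occurrence

    def __post_init__(self) -> None:
        # Reject ratings outside the scale so a typo cannot silently skew the ranking.
        for name in ("probability", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")
        if self.events_per_year < 0 or self.loss_per_event < 0:
            raise ValueError("frequency and loss must be non-negative")


def qualitative_score(risk: Risk) -> int:
    """Probability x impact on the ordinal scales; ranges from 1 to 25."""
    return risk.probability * risk.impact


def expected_annual_loss(risk: Risk) -> float:
    """Quantitative rating: how much loss the risk is expected to cause per year."""
    return risk.events_per_year * risk.loss_per_event


def assess(risks, acceptable_score: int, acceptable_annual_loss: float) -> list:
    """Measure each risk in both models and flag where it exceeds the acceptable level.

    Returns one record per risk, highest qualitative score first, so the list
    doubles as a remediation priority order.
    """
    findings = []
    for risk in risks:
        score = qualitative_score(risk)
        eal = expected_annual_loss(risk)
        over_qual = score > acceptable_score
        over_quant = eal > acceptable_annual_loss
        findings.append({
            "asset": risk.asset,
            "threat": risk.threat,
            "qualitative_score": score,
            "expected_annual_loss": eal,
            "exceeds_qualitative": over_qual,
            "exceeds_quantitative": over_quant,
            # A mismatch in either model means the risk must be treated
            # (reduced, transferred, avoided) or the acceptable level revisited.
            "needs_treatment": over_qual or over_quant,
            # How far the expected annual loss must fall to be acceptable;
            # a useful upper bound on what a control is worth spending.
            "loss_reduction_needed": max(0.0, eal - acceptable_annual_loss),
        })
    findings.sort(key=lambda f: (-f["qualitative_score"], -f["expected_annual_loss"]))
    return findings


# Constructed sample register (illustrative values, not measured data).
SAMPLE_RISKS = [
    Risk("Customer database", "SQL injection via the web application", 4, 5, 0.5, 400_000.0),
    Risk("Office laptops", "Lost or stolen unencrypted device", 3, 3, 2.0, 15_000.0),
    Risk("Public marketing site", "Defacement", 2, 2, 0.25, 4_000.0),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_RISKS, acceptable_score=12, acceptable_annual_loss=50_000.0):
        flag = "TREAT" if f["needs_treatment"] else "accept"
        print(f"{flag:6} {f['asset']:<22} score={f['qualitative_score']:>2} "
              f"EAL={f['expected_annual_loss']:>10,.0f} reduce_by={f['loss_reduction_needed']:,.0f}")
```

Running the sample register against an acceptable score of 12 and an acceptable annual loss of 50,000 flags only the customer database risk, and shows that its expected annual loss must drop by 150,000 before it is in line with the acceptable level; the other two risks are within tolerance in both models.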
18. RISK ASSESSMENT
What’s it commonly confused with?
Risk Assessments are commonly confused with threat assessments, as both are pursuing similar goals. The primary differentiator is in where assessments start and where they place their focus. Threat Models focus on attack scenarios and then move into the agents, the vulns, the controls, and the potential impacts. Risk Assessments often start from the asset side, rating the value of the asset and then mapping onto it the potential threats, probabilities of loss, the impact of loss, etc.
What’s it best at?
Risk Assessments should arguably be considered an umbrella term for determining what you have of value, how it can be attacked, what you would lose if those attacks were successful, and what should be done to address the issues. It’s important that when someone says they’re going to do a risk assessment you delve deeper into exactly what is meant by that, i.e. what approach or methodology will be used, what the artifacts will be, etc.
19. THREAT ASSESSMENT
What is it?
A threat assessment is a type of security review that’s somewhat different from the others mentioned. In general it pertains more to physical attacks than technology, but the lines are blurring. The primary focus of a threat assessment is to determine whether a threat (think bomb threat or violence threat) that was made, or that was detected some other way, is credible. The driver for the assessment is to determine how many resources—if any—should be spent on addressing the issue in question.
20. THREAT ASSESSMENT
What’s it commonly confused with?
The term “threat” is used in numerous ways within security, which leads to significant confusion. In this case the term is used as in “a threat was made” or “determining whether the threat was real”, as opposed to the “threat-agent” usage. The origin comes from the Secret Service investigating school violence, where the challenge was determining which of the thousands of threats they received they should respond to with extremely limited resources. This is in stark contrast to what many think of when they hear threat assessment, which is investigating potential threat-agents, such as hackers, governments, etc.
What’s it best at?
A threat assessment is best used in situations where someone has made a claim around performing an attack in the future, or such a potential is uncovered somehow. The goal in that case would be to learn whether the situation is worth spending resources on addressing.
21. THREAT MODELING
What is it?
Threat Modeling is not a well-understood type of security assessment to most organizations, and part of the problem is that it means many different things to many different people. At the most basic level, threat modeling is the process of capturing, documenting, and (often) visualizing how threat-agents, vulnerabilities, attacks, countermeasures, and impacts to the business are related for a given environment. As the name suggests, the focus often starts with the threat agent and a given attack scenario, but the subsequent workflow then captures what vulnerabilities may be taken advantage of, what exploits may be used, what countermeasures may exist to stop/diminish such an attack, and what business impact may result.
22. THREAT MODELING
What’s it commonly confused with?
Threat Modeling is confusing in general. Much of the confusion comes from debates around definitions and semantics, as threat modeling often includes discussions around threats, threat-agents, vulnerabilities, exploits, controls, risks, and impacts. Each of these is loaded on its own, and when you start trying to have a conversation with all of them at the same time religious wars often result. The other issue is that people lose track of the goal because there are so many elements in play. Are we trying to identify vulnerabilities? Are we trying to profile threat-agents? Are we documenting potential business impacts? Etc. The best way to summarize is to say that Threat Modeling brings a dose of potential reality to a security posture. It shows you, through attack scenarios, where gaps exist that could lead to real-world consequences.
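The relations slide 21 lists (threat-agents, attack scenarios, the vulnerabilities they exploit, the countermeasures that address them, and the business impact), captured as a small data structure with a gap finder that produces the “where gaps exist” view slide 22 describes. This is an added example, not code from Miessler’s post or from HackerOne; the environment, vulnerability catalogue, controls, scenarios and severities are all constructed, and the distinction between a planned-but-unimplemented control and a vulnerability with no control defined at all is a design choice of this example.

```python
"""Added example: a minimal threat model as a data structure plus a gap finder.

Not code from Miessler's post or from HackerOne. Agents, vulnerabilities,
controls, scenarios and severities are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Countermeasure:
    name: str
    mitigates: frozenset      # vulnerability ids this control addresses
    implemented: bool         # False = planned or proposed, not yet in place


@dataclass(frozen=True)
class AttackScenario:
    sid: str
    agent: str                # threat-agent pursuing the scenario
    description: str
    exploits: tuple           # vulnerability ids the scenario relies on
    impact: str               # business impact if the scenario succeeds
    severity: int             # 1 (minor) .. 5 (existential)


# Constructed vulnerability catalogue for the sample environment.
VULNERABILITIES = {
    "V1": "Password-only authentication on the admin portal",
    "V2": "Unpatched file-upload library on the web server",
    "V3": "No egress filtering from the server network",
    "V4": "No rate limiting on the login endpoint",
}

CONTROLS = [
    Countermeasure("MFA on admin portal", frozenset({"V1"}), implemented=True),
    Countermeasure("Patch management SLA", frozenset({"V2"}), implemented=False),
    Countermeasure("Egress proxy with allow-list", frozenset({"V3"}), implemented=True),
]

SCENARIOS = [
    AttackScenario("S1", "Opportunistic criminal",
                   "Automated password guessing against the admin portal",
                   ("V1", "V4"), "Customer data exposure", 5),
    AttackScenario("S2", "Financially motivated group",
                   "Compromise the web server via the upload library, then exfiltrate data",
                   ("V2", "V3"), "Customer data exposure and extortion", 5),
    AttackScenario("S3", "Disgruntled insider",
                   "Copy customer records to personal cloud storage",
                   ("V3",), "Regulatory fines", 3),
]


def unmitigated_vulns(scenario: AttackScenario, controls) -> list:
    """Vulnerabilities the scenario exploits that no *implemented* control addresses."""
    covered = {v for c in controls if c.implemented for v in c.mitigates}
    return [v for v in scenario.exploits if v not in covered]


def find_gaps(scenarios, controls) -> list:
    """Scenarios the current posture cannot stop, most severe first.

    Each gap separates vulnerabilities that have a planned-but-unimplemented
    control from those with no countermeasure defined at all, since the two
    call for different actions (finish the rollout vs. design a control).
    """
    defined = {v for c in controls for v in c.mitigates}
    gaps = []
    for s in scenarios:
        open_vulns = unmitigated_vulns(s, controls)
        if not open_vulns:
            continue   # every exploited vulnerability has an implemented control
        planned = sorted({c.name for c in controls
                          if not c.implemented and c.mitigates & set(open_vulns)})
        gaps.append({
            "scenario": s.sid,
            "agent": s.agent,
            "impact": s.impact,
            "severity": s.severity,
            "open_vulnerabilities": open_vulns,
            "planned_controls": planned,
            "uncovered_vulnerabilities": [v for v in open_vulns if v not in defined],
        })
    gaps.sort(key=lambda g: (-g["severity"], g["scenario"]))
    return gaps


def render(scenarios, controls) -> str:
    """Plain-text view of the model: one entry per scenario, open items marked."""
    lines = []
    for s in scenarios:
        open_vulns = unmitigated_vulns(s, controls)
        status = "GAP: " + ", ".join(open_vulns) if open_vulns else "handled"
        lines.append(f"{s.sid} [{s.agent}] {s.description}\n"
                     f"    exploits {', '.join(s.exploits)} -> {s.impact} "
                     f"(severity {s.severity}); {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SCENARIOS, CONTROLS))
    for g in find_gaps(SCENARIOS, CONTROLS):
        print(g)
```

On the sample model the gap finder reports two scenarios the posture does not handle: S1, because nothing at all addresses the missing rate limiting even though MFA covers the password weakness, and S2, because the control that would close the upload-library vulnerability is defined but not yet implemented. S3 is handled by the egress proxy. That split between “no control designed” and “control not rolled out” is the kind of visibility the text says makes threat models sobering for non-security people.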
23. THREAT MODELING
What’s it best at?
Organizations should be using threat modeling early and often, and threat models should definitely be part of the development process. They are a way of ensuring that known potential attack scenarios can actually be handled by a given security posture. They can also be extraordinarily illuminating from a pure documentation and visibility standpoint. Seeing your potential threat-actors, how they’re likely to attack your app or system, using what vulns and what exploits, and what it’ll likely do to your organization is often a sobering experience. They’re especially useful for showing non-security-people how compliance and security products do not a security program make.
24. BUG BOUNTY
What is it?
A Bug Bounty is a type of technical security assessment that leverages crowdsourcing to find vulnerabilities in a system. The central concept is simple: security testers, regardless of quality, have their own set of strengths, weaknesses, experiences, biases, and preferences, and these combine to yield different findings for the same system when tested by different people. In other words, you can give 100 experienced security testers the exact same testing methodology and they’re likely to find widely different vulnerabilities. The bug bounty concept is to embrace this difference instead of fighting it by harnessing multiple testers on a single assessment.
25. BUG BOUNTY
What’s it commonly confused with?
Bug bounties are a relatively new approach to doing technical security testing, and there is some confusion around whether they should be done instead of another security test or in addition. The best answer, I’d argue, is that a bug bounty should be considered a vulnerability assessment in its goal of finding as many issues to remediate as possible, but be considered a Penetration Test in that you should do classical vulnerability assessments first. The reason for this is that bug bounties, because they use many people, excel in finding uncommon and eccentric issues, and the exercise is somewhat wasted on identifying the common problems that can be uncovered using automation and single-tester assessments.
26. BUG BOUNTY
What’s it best at?
Bug bounties are best used when you have already performed one or more standard vulnerability assessments (which should have included both automated and manual testing) and then you’ve remediated everything that was found. Consider them an optional step between classical vulnerability assessments and a Penetration Test, which, as noted above, does not seek to find all issues but rather to confirm that the security posture is where it needs to be by pursuing specific goals.
27. Want to find critical vulnerabilities? You need continuous testing by the best hackers
BUG BOUNTY PROGRAMS: HACKERONE CAN HELP
HackerOne can help you start a bug bounty program today.
Now for a quick break from Daniel’s awesome content to show you this HackerOne commercial... Or read our Bug Bounty Field Manual guide on how to plan, launch, and operate a bug bounty program for more information.
28. Most Frequently Confused
ASSESS THEN TEST!
Miessler says: If you aren’t confident in your security posture and know already that it’s not solid, you should be doing Vulnerability Assessments—not Penetration Testing. Penetration testing is for testing your posture once you have it where you want it.
BOUNTIES SURFACE BUGS NOT FOUND WITH OTHER METHODS!
Miessler says: The best way to think about Bug Bounties is as an enhancement to the discovery phase of a Vulnerability Assessment. Vulnerability Assessments have two pieces: Discovery (finding as many issues as possible), and Prioritization (ranking what should be fixed first). Bug Bounties are great at the first part, and not good at the second. As such, they are best used when you have done multiple Vulnerability Assessments already and have already found the easy stuff. Bug Bounties excel at finding issues not found using other methods.
29. Most Frequently Confused
RED TEAMS ARE CONTINUOUS!
Miessler says: Because marketing and sales drive the infosec industry, people are constantly conflating Red Teaming and Penetration Testing. Because Red Teams are meant to emulate the adversary they generally only work if they are both continuous and run over long periods—ideally permanently. So if you have some company offering to do a 2-week “Red Team” engagement, this is probably better described as a Penetration Test. So the key distinctions are the emulation of real-world attackers, including their tenacity, the permanent duration of the attack, the TTP sophistication, etc. Assessments that lack those elements are Penetration Tests, not Red Team engagements.
30. Expand & Reinforce Your Security Efforts
Receive vulnerability reports on a secure platform, perform discreet tests using ethical hackers, and run bug bounties at any scale.
HACKERONE CAN HELP! LEARN HOW
31. Did You Like This Presentation? You Can Get More InfoSec Insights by following Daniel Miessler
Daniel Miessler is an information security professional and writer based in the San Francisco Bay Area. Learn more about Daniel and read his 2,500 essays, posts, and other content on his website, danielmiessler.com. And, subscribe to his weekly podcast and newsletter, Unsupervised Learning, to get Daniel’s curated look at the most interesting stories covering security, technology, and humans.