SlideShare a Scribd company logo

Understanding Information Security Assessment Types

HackerOne
HackerOne

This document summarizes Daniel Miessler's blog post describing different types of security assessments. It discusses vulnerability assessments, penetration tests, red team assessments, audits, white/grey/black box assessments, risk assessments, threat assessments, threat modeling, and bug bounties. For each type, it provides a definition, what they are commonly confused with, and what they are best used for. The key messages are that vulnerability assessments aim to find all issues while penetration tests validate security, and organizations should perform assessments before tests to identify and fix issues.

Internet
1 of 32
Download to read offline
Reprint of IOActive’s Daniel Miessler’s blog post describing the major types of security assessment, along with what differentiates them. UNDERSTANDING INFORMATION SECURITY ASSESSMENT TYPES
“There are many different types of security assessments… ...and they’re not always easy to keep separately in our minds (especially for sales types).” Daniel Miessler is a well-known information security professional based in San Francisco. For more than 20 years, he’s been writing about his infosec projects and other interests, as he puts it, “as a means of organizing everything I have learned and want to learn.” With organization and education in mind, Daniel wrote a helpful post describing the major types of security assessments and how they’re unique and we asked if we could re-share it. If you’re one of the “sales types” Daniel mentions above, or just looking to educate yourself on infosec topics, then click ahead.
VULNERABILITY ASSESSMENT What is it? A vulnerability assessment is a technical assessment designed to yield as many vulnerabilities as possible in an environment, along with severity and remediation priority information. What’s it commonly confused with? The vulnerability assessment is most often confused (and/or conflated) with the Penetration Test. This is primarily because sales people think the latter sounds cooler, bless their hearts.
VULNERABILITY ASSESSMENT What’s it best at? The vulnerability assessment is best used when security maturity is low to medium, when you need a prioritized list of everything that’s wrong, where the goal is to fix as many things as possible as efficiently as possible.
What is it? A Penetration Test is a technical assessment designed to achieve a specific goal, e.g., to steal customer data, to gain domain administrator, or to modify sensitive salary information. What’s it commonly confused with? The Penetration Test is most often confused (and/or conflated) with the vulnerability assessment. See ‘Sales People’ for more information. Another way to think about this is to imagine vulnerability assessments as looking for security problems when you know/assume they exist, and penetration testing as validating a configuration when you believe it to be secure. PENETRATION TEST
PENETRATION TEST What’s it best at? Because a Penetration Test is designed to achieve one or more specific goals, they should not be commissioned by low or medium security organizations in most cases. Performing a Penetration Test against a low or medium security shop will simply yield recommendation all-time-greats like, “Implement patching across the organization.”, “Disable inactive users.”, and—one of my favorites—”Understand where your sensitive data is.” Do not waste money on a Penetration Test unless you’ve already undergone one or seventeen vulnerability assessments and then remediated everything that was found. Penetration Tests are for testing security that is assumed to be strong, not documenting the contents of a soup sandwich.
PENETRATION TESTING: HACKERONE CAN HELP TRY A HACKERONE CHALLENGE TODAY AND SEE FOR YOURSELF Crowdsourced penetration testing has been proven to find more critical vulnerabilities, at a lower cost than traditional penetration tests. Now for a quick break from Daniel’s awesome content to show you this HackerOne commercial... Or read the guide on hacker-powered pen tests for more information
RED TEAM ASSESSMENT What is it? A Red Team “assessment” is something of a misnomer in the corporate context since corporate Red Team services should ideally be continuous rather than point-in-time. So it should ideally be more of a service than an assessment. But regardless of that distinction, the central purpose of a corporate Red Team is to improve the quality of the corporate information security defenses, which, if one exists, would be the company’s Blue Team. In fact, that’s what a lowercase “red team” is: an independent group that challenges an organization to improve its effectiveness. In the case of corporate Red Teams, the org they’re improving is the Blue Team. Red Team services should, in my opinion, always have the following five elements: Organizational Independence, Defensive Coordination, Continuous Operation, Adversary Emulation, and Efficacy Measurement.
RED TEAM ASSESSMENT What’s it commonly confused with? Red Team services are most commonly confused with Penetration Testing. Sales and marketing groups are using the terms nearly interchangeably, as are many internal security groups. People confusing the two are basically seeing “Red Teaming” as a sexier, more elite type of Penetration Test. They are not the same. A Penetration Test is a defined, scoped, and point-in-time assessment that has specific goals for success or failure. A corporate Red Team (whether internal or external) is a continuous service that emulates real-world attackers for the purpose of improving the Blue Team. They may share TTPs at times, but they have very different purposes.
RED TEAM ASSESSMENT What it’s best at? Red Team services are best used when an organization has covered the basics of strong vulnerability management and has at least some capability to detect and respond to malicious or suspicious behavior in the environment. If an organization is still struggling with basic asset management, patching, egress traffic control, and other fundamentals, it’s usually best that they get those solved before hiring or building a “Red Team”. Red Teams are for testing mature security postures in a real-world way, not for enumerating issues in low-maturity environments. If you don’t have a Blue Team, you probably don’t need a Red Team.
AUDIT What is it? An audit can be technical and/or documentation-based, and focuses on how an existing configuration compares to a desired standard. This is an important point. It doesn’t prove or validate security; it validates conformance with a given perspective on what security means. These two things should not be confused. What’s it commonly confused with? Audits are often confused with pretty much any other type of security assessment where the goal is to find vulnerabilities and fix them. That could be part of an audit, if there’s an item in the standard that says you shouldn’t have vulnerabilities, but the key attribute is mapping current state against an arbitrary standard.
AUDIT What’s it best at? Organizations use audits to demonstrate compliance. Importantly, compliance should not be used to demonstrate security. Secure organizations are significantly more likely to be compliant (if checked), but compliant organizations should lay no claims to being secure just because they are in accordance with standard X or Y.
BEYOND THE AUDIT: HACKERONE CAN HELP SEE HOW HACKERONE RESPONSE, THE ISO 29147 COMPLIANT SOLUTION, CAN HELP Now for a quick break from Daniel’s awesome content to show you this HackerOne commercial... Compliance does not equal security but it is a necessary box to check. Or read our guide on the 5 Critical Components of a VDP for more information
WHITE/GREY/BLACK ASSESSMENT What is it? The white/grey/black assessment parlance is used to indicate how much internal information a tester will get to know or use during a given technical assessment. The levels map light to internal transparency, so a white-box assessment is where the tester has full access to all internal information available, such as network diagrams, source code, etc. A grey-box assessment is the next level of opacity down from white, meaning that the tester has some information but not all. The amount varies. A black-box assessment—as you’re hopefully guessing—is an assessment where the tester has zero internal knowledge about the environment, i.e. it’s performed from the attacker perspective.
WHITE/GREY/BLACK ASSESSMENT What’s it commonly confused with? The largest source of confusion around white/grey/black-box nomenclature is not realizing that they aren’t really an assessment type but rather an aspect of one. They’re most commonly paired with vulnerability assessments where you’re trying to find the most issues possible, and that provides significant incentive to open the curtains a bit. Remember that the goal of a vulnerability assessment is to find as many issues as possible, so hiding internal information from a tester that keeps them from finding issues doesn’t hurt them—it hurts you. Don’t confuse wanting to know what attackers can see/do with wanting to know what problems you have. These are two separate things and need to be approached separately. If you want to know what an attacker can do, fix all your issues until you’re confident you’re as secure as possible, and then get a Penetration Test.
WHITE/GREY/BLACK ASSESSMENT What’s it best at? White-box assessments are best used with vulnerability assessments because you want to find as many issues as possible, regardless of how the tester came to discover them. Grey-box assessments are often used when people are confused about the difference between a Penetration Test and a vulnerability assessment. They want to give some information, but not all. Let’s be clear: if you’re trying to find all of your issues, you shouldn’t withhold information from the tester. If you’re doing a Penetration Test, however, you shouldn’t give the tester anything, which is a black-box assessment. Keep these clear in your mind and you’ll be ok.
RISK ASSESSMENT What is it? Risk Assessments, like threat models, are extremely broad in both how they’re understood and how they’re carried out. At the highest level, a risk assessment should involve determining what the current level of acceptable risk is, measuring the current risk level, and then determining what can be done to bring these two in line where there are mismatches. Risk Assessments commonly involve the rating of risks in two dimensions: probability, and impact, and both quantitative and qualitative models are used. In many ways, risk assessments and threat modeling are similar exercises, as the goal of each is to determine a course of action that will bring risk to an acceptable level.
RISK ASSESSMENT What’s it commonly confused with? Risk Assessments are commonly confused with threat assessments, as both are pursuing similar goals. The primary differentiator is in where assessments start and where they place their focus. Threat Models focus on attack scenarios and then move into the agents, the vulns, the controls, and the potential impacts. Risk Assessments often start from the asset side, rating the value of the asset and the map onto it the potential threats, probabilities of loss, the impact of loss, etc. What’s it best at? Risk Assessments should arguably be considered an umbrella term for determining what you have of value, how it can be attacked, what you would lose if those attacks were successful, and what should be done to address the issues. It’s important that when someone says they’re going to do a risk assessment that you delve deeper into exactly what is meant by that, i.e. what approach or methodology will be used, what the artifacts will be, etc.
THREAT ASSESSMENT What is it? A threat assessment is a type of security review that’s somewhat different than the others mentioned. In general it pertains more to physical attacks than technology, but the lines are blurring. The primary focus of a threat assessment is to determine whether a threat (think bomb threat or violence threat) that was made, or that was detected some other way, is credible. The driver for the assessment is to determine how many resources—if any—should be spent on addressing the issue in question.
THREAT ASSESSMENT What’s it commonly confused with? The term “threat” is used numerous ways within security, which leads to significant confusion. In this case the term is used as in, “a threat was made”, or “determining whether the threat was real”, as opposed to the “threat-agent” usage. The origin comes from the Secret Service investigating school violence, and the challenge was determining which of the thousands of threats they received they should respond to with extremely limited resources. This is in stark contrast to what many think of when they hear threat assessment, which is investigating potential threat-agents, such as hackers, governments, etc. What’s it best at? A threat assessment is best used in situations where someone has made a claim around performing an attack in the future, or such a potential is uncovered somehow. The goal in that case would be to learn whether the situation is worth spending resources on addressing.
THREAT MODELING What is it? Threat Modeling is not a well-understood type of security assessment to most organizations, and part of the problem is that it means many different things to many different people. At the most basic level, threat modeling is the process of capturing, documenting, and (often) visualizing how threat-agents, vulnerabilities, attacks, countermeasures, and impacts to the business are related for a given environment. As the name suggests, the focus often starts with the threat agent and a given attack scenario, but the subsequent workflow then captures what vulnerabilities may be taken advantage of, what exploits may be used, what countermeasures may exist to stop/diminish such an attack, and what business impact may result.
THREAT MODELING What’s it commonly confused with? Threat Modeling is confusing in general. Much of the confusion comes from debates around definitions and semantics, as threat modeling often includes discussions around threats, threat-agents, vulnerabilities, exploits, controls, risks, and impacts. Each of these is loaded on its own, and when you start trying to have a conversation with all of them at the same time religious wars often result. The other issue is that people lose track of the goal because there are so many elements in play. Are we trying to identify vulnerabilities? Are we trying to profile threat-agents? Are we documenting potential business impacts? Etc. The best way to summarize is to say that Threat Modeling brings a dose of potential reality to a security posture. It shows you, through attack scenarios, where gaps exist that could lead to real-world consequences.
THREAT MODELING What’s it best at? Organizations should be using threat modeling early and often, and they should definitely be part of the development process. They are a way of ensuring that known potential attack scenarios can actually be handled by a given security posture. They can also be extraordinarily illuminating from a pure documentation and visibility standpoint. Seeing your potential threat-actors, how they’re likely to attack your app or system, using what vulns and what exploits, and what it’ll likely do to your organization is often a sobering experience. They’re especially useful for showing non-security-people how compliance and security products do not a security program make.
BUG BOUNTY What is it? A Bug Bounty is a type of technical security assessment that leverages crowdsourcing to find vulnerabilities in a system. The central concept is simple: security testers, regardless of quality, have their own set of strengths, weaknesses, experiences, biases, and preferences, and these combine to yield different findings for the same system when tested by different people. In other words, you can give 100 experienced security testers the exact same testing methodology and they’re likely to find widely different vulnerabilities. The bug bounty concept is to embrace this difference instead of fighting it by harnessing multiple testers on a single assessment.
BUG BOUNTY What’s it commonly confused with? Bug bounties are a relatively new approach to doing technical security testing, and there is some confusion around whether they should be done instead of another security test or in addition. The best answer, I’d argue, is that a bug bounty should be considered a vulnerability assessment in its goal of finding as many issues to remediate as possible, but be considered a Penetration Test in that you should do classical vulnerability assessments first. The reason for this is that bug bounties, because they use many people, excel in finding uncommon and eccentric issues, and the exercise is somewhat wasted on identifying the common problems that can be uncovered using automation and single-tester assessments.
BUG BOUNTY What’s it best at? Bug bounties are best used when you have already performed one or more standard vulnerability assessments (which should have included both automated and manual testing) and then you’ve remediated everything that was found. Consider them an optional step between classical vulnerability assessments and a Penetration Test, which, as noted above, does not seek to find all issues but rather to confirm that the security posture is where it needs to be by pursuing specific goals.
Want to find critical vulnerabilities? You need continuous testing by the best hackers BUG BOUNTY PROGRAMS: HACKERONE CAN HELP HACKERONE CAN HELP YOU START A BUG BOUNTY PROGRAM TODAY Now for a quick break from Daniel’s awesome content to show you this HackerOne commercial... Or read our Bug Bounty Field Manual guide on how to plan, launch, and operate a bug bounty program for more information
Most Frequently Confused ASSESS THEN TEST! Miessler says: If you aren’t confident in your security posture and know already that it’s not solid, you should be doing Vulnerability Assessments—not Penetration Testing. Penetration testing is for testing your posture once you have it where you want it. BOUNTIES SURFACE BUGS NOT FOUND WITH OTHER METHODS! Miessler says: The best way to think about Bug Bounties is an enhancement to the discovery phase of a Vulnerability Assessment. Vulnerability Assessments have two pieces: Discovery (finding as many issues as possible), and Prioritization (ranking what should be fixed first). Bug Bounties are great at the first part, and not good at the second. As such, they are best used when you have done multiple Vulnerability Assessments already and have already found the easy stuff. Bug Bounties excel at finding issues not found using other methods.
Most Frequently Confused RED TEAMS ARE CONTINUOUS! Miessler says: Because marketing and sales drive the infosec industry, people are constantly conflating Red Teaming and Penetration Testing. Because Red Teams are meant to emulate the adversary they generally only work if they are both continuous and run over long periods—ideally permanently. So if you have some company offering to do a 2-week “Red Team” engagement, this is probably better described as a Penetration Test. So the key distinctions are the emulation of real-world attackers, including their tenacity, the permanent duration of the attack, the TTP sophistication, etc. Assessments that lack those elements are Penetration Tests, not Red Team engagements.
Expand & Reinforce Your Security Efforts Receive vulnerability reports on a secure platform, perform discreet tests using ethical hackers, and run bug bounties at any scale. HACKERONE CAN HELP! LEARN HOW
Did You Like This Presentation? You Can Get More InfoSec Insights by following Daniel Miessler Daniel Miessler is an information security professional and writer based in the San Francisco Bay Area. Learn more about Daniel and read his 2,500 essays, posts, and other content on his website, danielmiessler.com. And, subscribe to his weekly podcast and newsletter, Unsupervised Learning, to get Daniel’s curated look at the most interesting stories covering security, technology, and humans.
MAKE THE INTERNET SAFER. WWW.HACKERONE.COM / SALES@HACKERONE.COM / +1 (415) 891-0777

Recommended

cyber security,need,security problem and types of cyber security
cyber security,need,security problem and types of cyber securitycyber security,need,security problem and types of cyber security
cyber security,need,security problem and types of cyber security
Vansh Bathla
 
Corporate threat vector and landscape
Corporate threat vector and landscapeCorporate threat vector and landscape
Corporate threat vector and landscape
yohansurya2
 
CYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEETCYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEET
TravarsaPrivateLimit
 
Mobile App Security Testing -2
Mobile App Security Testing -2Mobile App Security Testing -2
Mobile App Security Testing -2
Krisshhna Daasaarii
 
An introduction-to-factor-analysis-of-information-risk-fair680
An introduction-to-factor-analysis-of-information-risk-fair680An introduction-to-factor-analysis-of-information-risk-fair680
An introduction-to-factor-analysis-of-information-risk-fair680
Kabogo
 
Owasp top 10 inceleme
Owasp top 10 incelemeOwasp top 10 inceleme
Owasp top 10 inceleme
Cyber-Warrior.org
 
Ruby on Rails Penetration Testing
Ruby on Rails Penetration TestingRuby on Rails Penetration Testing
Ruby on Rails Penetration Testing
3S Labs
 
Cybersecurity for Small Business - Incident Response.pptx
Cybersecurity for Small Business - Incident Response.pptxCybersecurity for Small Business - Incident Response.pptx
Cybersecurity for Small Business - Incident Response.pptx
Art Ocain
 

Recommended

cyber security,need,security problem and types of cyber security
cyber security,need,security problem and types of cyber securitycyber security,need,security problem and types of cyber security
cyber security,need,security problem and types of cyber security
Vansh Bathla
 
Corporate threat vector and landscape
Corporate threat vector and landscapeCorporate threat vector and landscape
Corporate threat vector and landscape
yohansurya2
 
CYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEETCYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEET
TravarsaPrivateLimit
 
Mobile App Security Testing -2
Mobile App Security Testing -2Mobile App Security Testing -2
Mobile App Security Testing -2
Krisshhna Daasaarii
 
An introduction-to-factor-analysis-of-information-risk-fair680
An introduction-to-factor-analysis-of-information-risk-fair680An introduction-to-factor-analysis-of-information-risk-fair680
An introduction-to-factor-analysis-of-information-risk-fair680
Kabogo
 
Owasp top 10 inceleme
Owasp top 10 incelemeOwasp top 10 inceleme
Owasp top 10 inceleme
Cyber-Warrior.org
 
Ruby on Rails Penetration Testing
Ruby on Rails Penetration TestingRuby on Rails Penetration Testing
Ruby on Rails Penetration Testing
3S Labs
 
Cybersecurity for Small Business - Incident Response.pptx
Cybersecurity for Small Business - Incident Response.pptxCybersecurity for Small Business - Incident Response.pptx
Cybersecurity for Small Business - Incident Response.pptx
Art Ocain
 
Ransomware: History, Analysis, & Mitigation - PDF
Ransomware: History, Analysis, & Mitigation - PDFRansomware: History, Analysis, & Mitigation - PDF
Ransomware: History, Analysis, & Mitigation - PDF
Andy Thompson
 
Ethical Hacking Certifications | Certified Ethical Hacker | Ethical Hacking |...
Ethical Hacking Certifications | Certified Ethical Hacker | Ethical Hacking |...Ethical Hacking Certifications | Certified Ethical Hacker | Ethical Hacking |...
Ethical Hacking Certifications | Certified Ethical Hacker | Ethical Hacking |...
Simplilearn
 
Cyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxCyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptx
AbimbolaFisher1
 
Mind the gap_cpx2022_moti_sagey_final
Mind the gap_cpx2022_moti_sagey_finalMind the gap_cpx2022_moti_sagey_final
Mind the gap_cpx2022_moti_sagey_final
Moti Sagey מוטי שגיא
 
Governance of security operation centers
Governance of security operation centersGovernance of security operation centers
Governance of security operation centers
Brencil Kaimba
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
Marco Morana
 
Wannacry
WannacryWannacry
Wannacry
AravindVV
 
CVSS
CVSSCVSS
CVSS
Christian Heinrich
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
Amir Hossein Zargaran
 
FireEye Portfolio
FireEye PortfolioFireEye Portfolio
FireEye Portfolio
Prime Infoserv
 
WannaCry Ransomware
WannaCry Ransomware WannaCry Ransomware
WannaCry Ransomware
Zoho Corporation
 
Open vSwitchソースコードの全体像
Open vSwitchソースコードの全体像 Open vSwitchソースコードの全体像
Open vSwitchソースコードの全体像 Sho Shimizu
 
Introduction to Tenable
Introduction to TenableIntroduction to Tenable
Introduction to Tenable
Bharat Jindal
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
PECB
 
Ransomware - Impact, Evolution, Prevention
Ransomware - Impact, Evolution, PreventionRansomware - Impact, Evolution, Prevention
Ransomware - Impact, Evolution, Prevention
Mohammad Yahya
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
Splunk
 
Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
Evaluating and Enhancing Security Maturity through MITRE ATT&CK MappingEvaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
MITRE ATT&CK
 
Penetrasyon Testlerinde Açık Kod Yazılımların Kullanımı
Penetrasyon Testlerinde Açık Kod Yazılımların KullanımıPenetrasyon Testlerinde Açık Kod Yazılımların Kullanımı
Penetrasyon Testlerinde Açık Kod Yazılımların KullanımıBGA Cyber Security
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfiguration
Micho Hayek
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
Will Schroeder
 
Penetration Testing Guide
Penetration Testing GuidePenetration Testing Guide
Penetration Testing Guide
Badawy Abd El-Aziz
 
Increasing Value Of Security Assessment Services
Increasing Value Of Security Assessment ServicesIncreasing Value Of Security Assessment Services
Increasing Value Of Security Assessment Services
Chris Nickerson
 

More Related Content

What's hot

Ransomware: History, Analysis, & Mitigation - PDF
Ransomware: History, Analysis, & Mitigation - PDFRansomware: History, Analysis, & Mitigation - PDF
Ransomware: History, Analysis, & Mitigation - PDF
Andy Thompson
 
Ethical Hacking Certifications | Certified Ethical Hacker | Ethical Hacking |...
Ethical Hacking Certifications | Certified Ethical Hacker | Ethical Hacking |...Ethical Hacking Certifications | Certified Ethical Hacker | Ethical Hacking |...
Ethical Hacking Certifications | Certified Ethical Hacker | Ethical Hacking |...
Simplilearn
 
Cyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxCyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptx
AbimbolaFisher1
 
Mind the gap_cpx2022_moti_sagey_final
Mind the gap_cpx2022_moti_sagey_finalMind the gap_cpx2022_moti_sagey_final
Mind the gap_cpx2022_moti_sagey_final
Moti Sagey מוטי שגיא
 
Governance of security operation centers
Governance of security operation centersGovernance of security operation centers
Governance of security operation centers
Brencil Kaimba
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
Marco Morana
 
Wannacry
WannacryWannacry
Wannacry
AravindVV
 
CVSS
CVSSCVSS
CVSS
Christian Heinrich
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
Amir Hossein Zargaran
 
FireEye Portfolio
FireEye PortfolioFireEye Portfolio
FireEye Portfolio
Prime Infoserv
 
WannaCry Ransomware
WannaCry Ransomware WannaCry Ransomware
WannaCry Ransomware
Zoho Corporation
 
Open vSwitchソースコードの全体像
Open vSwitchソースコードの全体像 Open vSwitchソースコードの全体像
Open vSwitchソースコードの全体像 Sho Shimizu
 
Introduction to Tenable
Introduction to TenableIntroduction to Tenable
Introduction to Tenable
Bharat Jindal
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
PECB
 
Ransomware - Impact, Evolution, Prevention
Ransomware - Impact, Evolution, PreventionRansomware - Impact, Evolution, Prevention
Ransomware - Impact, Evolution, Prevention
Mohammad Yahya
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
Splunk
 
Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
Evaluating and Enhancing Security Maturity through MITRE ATT&CK MappingEvaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
MITRE ATT&CK
 
Penetrasyon Testlerinde Açık Kod Yazılımların Kullanımı
Penetrasyon Testlerinde Açık Kod Yazılımların KullanımıPenetrasyon Testlerinde Açık Kod Yazılımların Kullanımı
Penetrasyon Testlerinde Açık Kod Yazılımların KullanımıBGA Cyber Security
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfiguration
Micho Hayek
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
Will Schroeder
 

What's hot (20)

Ransomware: History, Analysis, & Mitigation - PDF
Ransomware: History, Analysis, & Mitigation - PDFRansomware: History, Analysis, & Mitigation - PDF
Ransomware: History, Analysis, & Mitigation - PDF
 
Ethical Hacking Certifications | Certified Ethical Hacker | Ethical Hacking |...
Ethical Hacking Certifications | Certified Ethical Hacker | Ethical Hacking |...Ethical Hacking Certifications | Certified Ethical Hacker | Ethical Hacking |...
Ethical Hacking Certifications | Certified Ethical Hacker | Ethical Hacking |...
 
Cyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxCyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptx
 
Mind the gap_cpx2022_moti_sagey_final
Mind the gap_cpx2022_moti_sagey_finalMind the gap_cpx2022_moti_sagey_final
Mind the gap_cpx2022_moti_sagey_final
 
Governance of security operation centers
Governance of security operation centersGovernance of security operation centers
Governance of security operation centers
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
 
Wannacry
WannacryWannacry
Wannacry
 
CVSS
CVSSCVSS
CVSS
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
 
FireEye Portfolio
FireEye PortfolioFireEye Portfolio
FireEye Portfolio
 
WannaCry Ransomware
WannaCry Ransomware WannaCry Ransomware
WannaCry Ransomware
 
Open vSwitchソースコードの全体像
Open vSwitchソースコードの全体像 Open vSwitchソースコードの全体像
Open vSwitchソースコードの全体像
 
Introduction to Tenable
Introduction to TenableIntroduction to Tenable
Introduction to Tenable
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
 
Ransomware - Impact, Evolution, Prevention
Ransomware - Impact, Evolution, PreventionRansomware - Impact, Evolution, Prevention
Ransomware - Impact, Evolution, Prevention
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
Evaluating and Enhancing Security Maturity through MITRE ATT&CK MappingEvaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
 
Penetrasyon Testlerinde Açık Kod Yazılımların Kullanımı
Penetrasyon Testlerinde Açık Kod Yazılımların KullanımıPenetrasyon Testlerinde Açık Kod Yazılımların Kullanımı
Penetrasyon Testlerinde Açık Kod Yazılımların Kullanımı
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfiguration
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
 

Similar to Understanding Information Security Assessment Types

Penetration Testing Guide
Penetration Testing GuidePenetration Testing Guide
Penetration Testing Guide
Badawy Abd El-Aziz
 
Increasing Value Of Security Assessment Services
Increasing Value Of Security Assessment ServicesIncreasing Value Of Security Assessment Services
Increasing Value Of Security Assessment Services
Chris Nickerson
 
Vulnerability Assessment Myths
Vulnerability Assessment MythsVulnerability Assessment Myths
Vulnerability Assessment Myths
Roger Johnston
 
Rekard Edgren - Curing Our Binary Disease - EuroSTAR 2012
Rekard Edgren - Curing Our Binary Disease - EuroSTAR 2012Rekard Edgren - Curing Our Binary Disease - EuroSTAR 2012
Rekard Edgren - Curing Our Binary Disease - EuroSTAR 2012
TEST Huddle
 
Red Team Operations: Attack and Think Like a Criminal
Red Team Operations: Attack and Think Like a CriminalRed Team Operations: Attack and Think Like a Criminal
Red Team Operations: Attack and Think Like a Criminal
Infosec
 
Selling security-management 393
Selling security-management 393Selling security-management 393
Selling security-management 393
Alberto Marroquin
 
Risksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability ManagementRisksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability Management
Mighty Guides, Inc.
 
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
CODE BLUE
 
Penetration Testing for Cybersecurity Professionals
Penetration Testing for Cybersecurity ProfessionalsPenetration Testing for Cybersecurity Professionals
Penetration Testing for Cybersecurity Professionals
211 Check
 
cybersecurity-series-2019-threat-hunting.pdf
cybersecurity-series-2019-threat-hunting.pdfcybersecurity-series-2019-threat-hunting.pdf
cybersecurity-series-2019-threat-hunting.pdf
CecilSu
 
Tech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event RecapTech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event Recap
Dominic Vogel
 
Testing in modern times a story about quality and value - agile testing dev ...
Testing in modern times a story about quality and value - agile testing dev ...Testing in modern times a story about quality and value - agile testing dev ...
Testing in modern times a story about quality and value - agile testing dev ...
Huib Schoots
 
ISA 360 sample report_Standard
ISA 360 sample report_StandardISA 360 sample report_Standard
ISA 360 sample report_Standard
EllieShaw6
 
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodVulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Falgun Rathod
 
Security Snake Oil Cycle 2019
Security Snake Oil Cycle 2019Security Snake Oil Cycle 2019
Security Snake Oil Cycle 2019
Dave Cole
 
React Faster and Better: New Approaches for Advanced Incident Response
React Faster and Better: New Approaches for Advanced Incident ResponseReact Faster and Better: New Approaches for Advanced Incident Response
React Faster and Better: New Approaches for Advanced Incident Response
SilvioPappalardo
 
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
Varun Mithran
 
Whose Afraid Of The Big Bad Wolf
Whose Afraid Of The Big Bad WolfWhose Afraid Of The Big Bad Wolf
Whose Afraid Of The Big Bad Wolf
ghost nomad
 
Whose afraid of the big bad wolf
Whose afraid of the big bad wolfWhose afraid of the big bad wolf
Whose afraid of the big bad wolf
Northeast Ohio Information Security Forum
 
Congratulations! You're The New Security Person! (or, I've Made a Huge Mistake)
Congratulations! You're The New Security Person! (or, I've Made a Huge Mistake)Congratulations! You're The New Security Person! (or, I've Made a Huge Mistake)
Congratulations! You're The New Security Person! (or, I've Made a Huge Mistake)
Sean Jackson
 

Similar to Understanding Information Security Assessment Types (20)

Penetration Testing Guide
Penetration Testing GuidePenetration Testing Guide
Penetration Testing Guide
 
Increasing Value Of Security Assessment Services
Increasing Value Of Security Assessment ServicesIncreasing Value Of Security Assessment Services
Increasing Value Of Security Assessment Services
 
Vulnerability Assessment Myths
Vulnerability Assessment MythsVulnerability Assessment Myths
Vulnerability Assessment Myths
 
Rekard Edgren - Curing Our Binary Disease - EuroSTAR 2012
Rekard Edgren - Curing Our Binary Disease - EuroSTAR 2012Rekard Edgren - Curing Our Binary Disease - EuroSTAR 2012
Rekard Edgren - Curing Our Binary Disease - EuroSTAR 2012
 
Red Team Operations: Attack and Think Like a Criminal
Red Team Operations: Attack and Think Like a CriminalRed Team Operations: Attack and Think Like a Criminal
Red Team Operations: Attack and Think Like a Criminal
 
Selling security-management 393
Selling security-management 393Selling security-management 393
Selling security-management 393
 
Risksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability ManagementRisksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability Management
 
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
 
Penetration Testing for Cybersecurity Professionals
Penetration Testing for Cybersecurity ProfessionalsPenetration Testing for Cybersecurity Professionals
Penetration Testing for Cybersecurity Professionals
 
cybersecurity-series-2019-threat-hunting.pdf
cybersecurity-series-2019-threat-hunting.pdfcybersecurity-series-2019-threat-hunting.pdf
cybersecurity-series-2019-threat-hunting.pdf
 
Tech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event RecapTech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event Recap
 
Testing in modern times a story about quality and value - agile testing dev ...
Testing in modern times a story about quality and value - agile testing dev ...Testing in modern times a story about quality and value - agile testing dev ...
Testing in modern times a story about quality and value - agile testing dev ...
 
ISA 360 sample report_Standard
ISA 360 sample report_StandardISA 360 sample report_Standard
ISA 360 sample report_Standard
 
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodVulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
 
Security Snake Oil Cycle 2019
Security Snake Oil Cycle 2019Security Snake Oil Cycle 2019
Security Snake Oil Cycle 2019
 
React Faster and Better: New Approaches for Advanced Incident Response
React Faster and Better: New Approaches for Advanced Incident ResponseReact Faster and Better: New Approaches for Advanced Incident Response
React Faster and Better: New Approaches for Advanced Incident Response
 
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
 
Whose Afraid Of The Big Bad Wolf
Whose Afraid Of The Big Bad WolfWhose Afraid Of The Big Bad Wolf
Whose Afraid Of The Big Bad Wolf
 
Whose afraid of the big bad wolf
Whose afraid of the big bad wolfWhose afraid of the big bad wolf
Whose afraid of the big bad wolf
 
Congratulations! You're The New Security Person! (or, I've Made a Huge Mistake)
Congratulations! You're The New Security Person! (or, I've Made a Huge Mistake)Congratulations! You're The New Security Person! (or, I've Made a Huge Mistake)
Congratulations! You're The New Security Person! (or, I've Made a Huge Mistake)
 

More from HackerOne

Top 20 Public Bug Bounty Programs
Top 20 Public Bug Bounty ProgramsTop 20 Public Bug Bounty Programs
Top 20 Public Bug Bounty Programs
HackerOne
 
118 Hacker-Powered Facts From The 2018 Hacker-Powered Security Report
118 Hacker-Powered Facts From The 2018 Hacker-Powered Security Report118 Hacker-Powered Facts From The 2018 Hacker-Powered Security Report
118 Hacker-Powered Facts From The 2018 Hacker-Powered Security Report
HackerOne
 
Federal Trade Commission's Start With Security Guide
Federal Trade Commission's Start With Security GuideFederal Trade Commission's Start With Security Guide
Federal Trade Commission's Start With Security Guide
HackerOne
 
Everything you Need to Know about The Data Protection Officer Role
Everything you Need to Know about The Data Protection Officer Role Everything you Need to Know about The Data Protection Officer Role
Everything you Need to Know about The Data Protection Officer Role
HackerOne
 
The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...
The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...
The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...
HackerOne
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
HackerOne
 
9 Top Bug Bounty Programs
9 Top Bug Bounty Programs9 Top Bug Bounty Programs
9 Top Bug Bounty Programs
HackerOne
 
Voices of Vulnerability Disclosure Policy
Voices of Vulnerability Disclosure PolicyVoices of Vulnerability Disclosure Policy
Voices of Vulnerability Disclosure Policy
HackerOne
 
GDPR Guide: The ICO's 12 Recommended Steps To Take Now
GDPR Guide: The ICO's 12 Recommended Steps To Take NowGDPR Guide: The ICO's 12 Recommended Steps To Take Now
GDPR Guide: The ICO's 12 Recommended Steps To Take Now
HackerOne
 
Why Executives Underinvest In Cybersecurity
Why Executives Underinvest In CybersecurityWhy Executives Underinvest In Cybersecurity
Why Executives Underinvest In Cybersecurity
HackerOne
 
Bug Bounties and The Path to Secure Software by 451 Research
Bug Bounties and The Path to Secure Software by 451 ResearchBug Bounties and The Path to Secure Software by 451 Research
Bug Bounties and The Path to Secure Software by 451 Research
HackerOne
 
Bug Bounty Basics
Bug Bounty BasicsBug Bounty Basics
Bug Bounty Basics
HackerOne
 
An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disc...
An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disc...An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disc...
An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disc...
HackerOne
 
How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...
HackerOne
 
HackerOne Presents in China - COO Ning Wang
HackerOne Presents in China - COO Ning WangHackerOne Presents in China - COO Ning Wang
HackerOne Presents in China - COO Ning Wang
HackerOne
 
Tapping Hackers for Continuous Security: That's Hacker-Powered Security
Tapping Hackers for Continuous Security: That's Hacker-Powered SecurityTapping Hackers for Continuous Security: That's Hacker-Powered Security
Tapping Hackers for Continuous Security: That's Hacker-Powered Security
HackerOne
 
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
HackerOne
 
Meet the hackers powering the world's best bug bounty programs
Meet the hackers powering the world's best bug bounty programsMeet the hackers powering the world's best bug bounty programs
Meet the hackers powering the world's best bug bounty programs
HackerOne
 

More from HackerOne (18)

Top 20 Public Bug Bounty Programs
Top 20 Public Bug Bounty ProgramsTop 20 Public Bug Bounty Programs
Top 20 Public Bug Bounty Programs
 
118 Hacker-Powered Facts From The 2018 Hacker-Powered Security Report
118 Hacker-Powered Facts From The 2018 Hacker-Powered Security Report118 Hacker-Powered Facts From The 2018 Hacker-Powered Security Report
118 Hacker-Powered Facts From The 2018 Hacker-Powered Security Report
 
Federal Trade Commission's Start With Security Guide
Federal Trade Commission's Start With Security GuideFederal Trade Commission's Start With Security Guide
Federal Trade Commission's Start With Security Guide
 
Everything you Need to Know about The Data Protection Officer Role
Everything you Need to Know about The Data Protection Officer Role Everything you Need to Know about The Data Protection Officer Role
Everything you Need to Know about The Data Protection Officer Role
 
The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...
The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...
The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the...
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
 
9 Top Bug Bounty Programs
9 Top Bug Bounty Programs9 Top Bug Bounty Programs
9 Top Bug Bounty Programs
 
Voices of Vulnerability Disclosure Policy
Voices of Vulnerability Disclosure PolicyVoices of Vulnerability Disclosure Policy
Voices of Vulnerability Disclosure Policy
 
GDPR Guide: The ICO's 12 Recommended Steps To Take Now
GDPR Guide: The ICO's 12 Recommended Steps To Take NowGDPR Guide: The ICO's 12 Recommended Steps To Take Now
GDPR Guide: The ICO's 12 Recommended Steps To Take Now
 
Why Executives Underinvest In Cybersecurity
Why Executives Underinvest In CybersecurityWhy Executives Underinvest In Cybersecurity
Why Executives Underinvest In Cybersecurity
 
Bug Bounties and The Path to Secure Software by 451 Research
Bug Bounties and The Path to Secure Software by 451 ResearchBug Bounties and The Path to Secure Software by 451 Research
Bug Bounties and The Path to Secure Software by 451 Research
 
Bug Bounty Basics
Bug Bounty BasicsBug Bounty Basics
Bug Bounty Basics
 
An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disc...
An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disc...An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disc...
An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disc...
 
How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...
 
HackerOne Presents in China - COO Ning Wang
HackerOne Presents in China - COO Ning WangHackerOne Presents in China - COO Ning Wang
HackerOne Presents in China - COO Ning Wang
 
Tapping Hackers for Continuous Security: That's Hacker-Powered Security
Tapping Hackers for Continuous Security: That's Hacker-Powered SecurityTapping Hackers for Continuous Security: That's Hacker-Powered Security
Tapping Hackers for Continuous Security: That's Hacker-Powered Security
 
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
 
Meet the hackers powering the world's best bug bounty programs
Meet the hackers powering the world's best bug bounty programsMeet the hackers powering the world's best bug bounty programs
Meet the hackers powering the world's best bug bounty programs
 

Recently uploaded

KubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial IntelligentKubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial Intelligent
Emre Gündoğdu
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
thezot
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
dtagbe
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
GNAMBIKARAO
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
APNIC
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
Infosec train
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
APNIC
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 

Recently uploaded (12)

KubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial IntelligentKubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial Intelligent
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 

Understanding Information Security Assessment Types

  • 1. Reprint of IOActive’s Daniel Miessler’s blog post describing the major types of security assessment, along with what differentiates them. UNDERSTANDING INFORMATION SECURITY ASSESSMENT TYPES
  • 2. “There are many different types of security assessments… ...and they’re not always easy to keep separately in our minds (especially for sales types).” Daniel Miessler is a well-known information security professional based in San Francisco. For more than 20 years, he’s been writing about his infosec projects and other interests, as he puts it, “as a means of organizing everything I have learned and want to learn.” With organization and education in mind, Daniel wrote a helpful post describing the major types of security assessments and how they’re unique and we asked if we could re-share it. If you’re one of the “sales types” Daniel mentions above, or just looking to educate yourself on infosec topics, then click ahead.
  • 3. VULNERABILITY ASSESSMENT What is it? A vulnerability assessment is a technical assessment designed to yield as many vulnerabilities as possible in an environment, along with severity and remediation priority information. What’s it commonly confused with? The vulnerability assessment is most often confused (and/or conflated) with the Penetration Test. This is primarily because sales people think the latter sounds cooler, bless their hearts.
  • 4. VULNERABILITY ASSESSMENT What’s it best at? The vulnerability assessment is best used when security maturity is low to medium, when you need a prioritized list of everything that’s wrong, where the goal is to fix as many things as possible as efficiently as possible.
  • 5. What is it? A Penetration Test is a technical assessment designed to achieve a specific goal, e.g., to steal customer data, to gain domain administrator, or to modify sensitive salary information. What’s it commonly confused with? The Penetration Test is most often confused (and/or conflated) with the vulnerability assessment. See ‘Sales People’ for more information. Another way to think about this is to imagine vulnerability assessments as looking for security problems when you know/assume they exist, and penetration testing as validating a configuration when you believe it to be secure. PENETRATION TEST
  • 6. PENETRATION TEST What’s it best at? Because a Penetration Test is designed to achieve one or more specific goals, they should not be commissioned by low or medium security organizations in most cases. Performing a Penetration Test against a low or medium security shop will simply yield recommendation all-time-greats like, “Implement patching across the organization.”, “Disable inactive users.”, and—one of my favorites—”Understand where your sensitive data is.” Do not waste money on a Penetration Test unless you’ve already undergone one or seventeen vulnerability assessments and then remediated everything that was found. Penetration Tests are for testing security that is assumed to be strong, not documenting the contents of a soup sandwich.
  • 7. PENETRATION TESTING: HACKERONE CAN HELP TRY A HACKERONE CHALLENGE TODAY AND SEE FOR YOURSELF Crowdsourced penetration testing has been proven to find more critical vulnerabilities, at a lower cost than traditional penetration tests. Now for a quick break from Daniel’s awesome content to show you this HackerOne commercial... Or read the guide on hacker-powered pen tests for more information
  • 8. RED TEAM ASSESSMENT What is it? A Red Team “assessment” is something of a misnomer in the corporate context since corporate Red Team services should ideally be continuous rather than point-in-time. So it should ideally be more of a service than an assessment. But regardless of that distinction, the central purpose of a corporate Red Team is to improve the quality of the corporate information security defenses, which, if one exists, would be the company’s Blue Team. In fact, that’s what a lowercase “red team” is: an independent group that challenges an organization to improve its effectiveness. In the case of corporate Red Teams, the org they’re improving is the Blue Team. Red Team services should, in my opinion, always have the following five elements: Organizational Independence, Defensive Coordination, Continuous Operation, Adversary Emulation, and Efficacy Measurement.
  • 9. RED TEAM ASSESSMENT What’s it commonly confused with? Red Team services are most commonly confused with Penetration Testing. Sales and marketing groups are using the terms nearly interchangeably, as are many internal security groups. People confusing the two are basically seeing “Red Teaming” as a sexier, more elite type of Penetration Test. They are not the same. A Penetration Test is a defined, scoped, and point-in-time assessment that has specific goals for success or failure. A corporate Red Team (whether internal or external) is a continuous service that emulates real-world attackers for the purpose of improving the Blue Team. They may share TTPs at times, but they have very different purposes.
  • 10. RED TEAM ASSESSMENT What it’s best at? Red Team services are best used when an organization has covered the basics of strong vulnerability management and has at least some capability to detect and respond to malicious or suspicious behavior in the environment. If an organization is still struggling with basic asset management, patching, egress traffic control, and other fundamentals, it’s usually best that they get those solved before hiring or building a “Red Team”. Red Teams are for testing mature security postures in a real-world way, not for enumerating issues in low-maturity environments. If you don’t have a Blue Team, you probably don’t need a Red Team.
  • 11. AUDIT What is it? An audit can be technical and/or documentation-based, and focuses on how an existing configuration compares to a desired standard. This is an important point. It doesn’t prove or validate security; it validates conformance with a given perspective on what security means. These two things should not be confused. What’s it commonly confused with? Audits are often confused with pretty much any other type of security assessment where the goal is to find vulnerabilities and fix them. That could be part of an audit, if there’s an item in the standard that says you shouldn’t have vulnerabilities, but the key attribute is mapping current state against an arbitrary standard.
  • 12. AUDIT What’s it best at? Organizations use audits to demonstrate compliance. Importantly, compliance should not be used to demonstrate security. Secure organizations are significantly more likely to be compliant (if checked), but compliant organizations should lay no claims to being secure just because they are in accordance with standard X or Y.
  • 13. BEYOND THE AUDIT: HACKERONE CAN HELP SEE HOW HACKERONE RESPONSE, THE ISO 29147 COMPLIANT SOLUTION, CAN HELP Now for a quick break from Daniel’s awesome content to show you this HackerOne commercial... Compliance does not equal security but it is a necessary box to check. Or read our guide on the 5 Critical Components of a VDP for more information
  • 14. WHITE/GREY/BLACK ASSESSMENT What is it? The white/grey/black assessment parlance is used to indicate how much internal information a tester will get to know or use during a given technical assessment. The levels map light to internal transparency, so a white-box assessment is where the tester has full access to all internal information available, such as network diagrams, source code, etc. A grey-box assessment is the next level of opacity down from white, meaning that the tester has some information but not all. The amount varies. A black-box assessment—as you’re hopefully guessing—is an assessment where the tester has zero internal knowledge about the environment, i.e. it’s performed from the attacker perspective.
  • 15. WHITE/GREY/BLACK ASSESSMENT What’s it commonly confused with? The largest source of confusion around white/grey/black-box nomenclature is not realizing that they aren’t really an assessment type but rather an aspect of one. They’re most commonly paired with vulnerability assessments where you’re trying to find the most issues possible, and that provides significant incentive to open the curtains a bit. Remember that the goal of a vulnerability assessment is to find as many issues as possible, so hiding internal information from a tester that keeps them from finding issues doesn’t hurt them—it hurts you. Don’t confuse wanting to know what attackers can see/do with wanting to know what problems you have. These are two separate things and need to be approached separately. If you want to know what an attacker can do, fix all your issues until you’re confident you’re as secure as possible, and then get a Penetration Test.
  • 16. WHITE/GREY/BLACK ASSESSMENT What’s it best at? White-box assessments are best used with vulnerability assessments because you want to find as many issues as possible, regardless of how the tester came to discover them. Grey-box assessments are often used when people are confused about the difference between a Penetration Test and a vulnerability assessment. They want to give some information, but not all. Let’s be clear: if you’re trying to find all of your issues, you shouldn’t withhold information from the tester. If you’re doing a Penetration Test, however, you shouldn’t give the tester anything, which is a black-box assessment. Keep these clear in your mind and you’ll be ok.
  • 17. RISK ASSESSMENT What is it? Risk Assessments, like threat models, are extremely broad in both how they’re understood and how they’re carried out. At the highest level, a risk assessment should involve determining what the current level of acceptable risk is, measuring the current risk level, and then determining what can be done to bring these two in line where there are mismatches. Risk Assessments commonly involve the rating of risks in two dimensions: probability, and impact, and both quantitative and qualitative models are used. In many ways, risk assessments and threat modeling are similar exercises, as the goal of each is to determine a course of action that will bring risk to an acceptable level.
  • 18. RISK ASSESSMENT What’s it commonly confused with? Risk Assessments are commonly confused with threat assessments, as both are pursuing similar goals. The primary differentiator is in where assessments start and where they place their focus. Threat Models focus on attack scenarios and then move into the agents, the vulns, the controls, and the potential impacts. Risk Assessments often start from the asset side, rating the value of the asset and the map onto it the potential threats, probabilities of loss, the impact of loss, etc. What’s it best at? Risk Assessments should arguably be considered an umbrella term for determining what you have of value, how it can be attacked, what you would lose if those attacks were successful, and what should be done to address the issues. It’s important that when someone says they’re going to do a risk assessment that you delve deeper into exactly what is meant by that, i.e. what approach or methodology will be used, what the artifacts will be, etc.
  • 19. THREAT ASSESSMENT What is it? A threat assessment is a type of security review that’s somewhat different than the others mentioned. In general it pertains more to physical attacks than technology, but the lines are blurring. The primary focus of a threat assessment is to determine whether a threat (think bomb threat or violence threat) that was made, or that was detected some other way, is credible. The driver for the assessment is to determine how many resources—if any—should be spent on addressing the issue in question.
  • 20. THREAT ASSESSMENT What’s it commonly confused with? The term “threat” is used numerous ways within security, which leads to significant confusion. In this case the term is used as in, “a threat was made”, or “determining whether the threat was real”, as opposed to the “threat-agent” usage. The origin comes from the Secret Service investigating school violence, and the challenge was determining which of the thousands of threats they received they should respond to with extremely limited resources. This is in stark contrast to what many think of when they hear threat assessment, which is investigating potential threat-agents, such as hackers, governments, etc. What’s it best at? A threat assessment is best used in situations where someone has made a claim around performing an attack in the future, or such a potential is uncovered somehow. The goal in that case would be to learn whether the situation is worth spending resources on addressing.
  • 21. THREAT MODELING What is it? Threat Modeling is not a well-understood type of security assessment to most organizations, and part of the problem is that it means many different things to many different people. At the most basic level, threat modeling is the process of capturing, documenting, and (often) visualizing how threat-agents, vulnerabilities, attacks, countermeasures, and impacts to the business are related for a given environment. As the name suggests, the focus often starts with the threat agent and a given attack scenario, but the subsequent workflow then captures what vulnerabilities may be taken advantage of, what exploits may be used, what countermeasures may exist to stop/diminish such an attack, and what business impact may result.
  • 22. THREAT MODELING What’s it commonly confused with? Threat Modeling is confusing in general. Much of the confusion comes from debates around definitions and semantics, as threat modeling often includes discussions around threats, threat-agents, vulnerabilities, exploits, controls, risks, and impacts. Each of these is loaded on its own, and when you start trying to have a conversation with all of them at the same time religious wars often result. The other issue is that people lose track of the goal because there are so many elements in play. Are we trying to identify vulnerabilities? Are we trying to profile threat-agents? Are we documenting potential business impacts? Etc. The best way to summarize is to say that Threat Modeling brings a dose of potential reality to a security posture. It shows you, through attack scenarios, where gaps exist that could lead to real-world consequences.
  • 23. THREAT MODELING What’s it best at? Organizations should be using threat modeling early and often, and they should definitely be part of the development process. They are a way of ensuring that known potential attack scenarios can actually be handled by a given security posture. They can also be extraordinarily illuminating from a pure documentation and visibility standpoint. Seeing your potential threat-actors, how they’re likely to attack your app or system, using what vulns and what exploits, and what it’ll likely do to your organization is often a sobering experience. They’re especially useful for showing non-security-people how compliance and security products do not a security program make.
  • 24. BUG BOUNTY What is it? A Bug Bounty is a type of technical security assessment that leverages crowdsourcing to find vulnerabilities in a system. The central concept is simple: security testers, regardless of quality, have their own set of strengths, weaknesses, experiences, biases, and preferences, and these combine to yield different findings for the same system when tested by different people. In other words, you can give 100 experienced security testers the exact same testing methodology and they’re likely to find widely different vulnerabilities. The bug bounty concept is to embrace this difference instead of fighting it by harnessing multiple testers on a single assessment.
  • 25. BUG BOUNTY What’s it commonly confused with? Bug bounties are a relatively new approach to doing technical security testing, and there is some confusion around whether they should be done instead of another security test or in addition. The best answer, I’d argue, is that a bug bounty should be considered a vulnerability assessment in its goal of finding as many issues to remediate as possible, but be considered a Penetration Test in that you should do classical vulnerability assessments first. The reason for this is that bug bounties, because they use many people, excel in finding uncommon and eccentric issues, and the exercise is somewhat wasted on identifying the common problems that can be uncovered using automation and single-tester assessments.
  • 26. BUG BOUNTY What’s it best at? Bug bounties are best used when you have already performed one or more standard vulnerability assessments (which should have included both automated and manual testing) and then you’ve remediated everything that was found. Consider them an optional step between classical vulnerability assessments and a Penetration Test, which, as noted above, does not seek to find all issues but rather to confirm that the security posture is where it needs to be by pursuing specific goals.
  • 27. Want to find critical vulnerabilities? You need continuous testing by the best hackers BUG BOUNTY PROGRAMS: HACKERONE CAN HELP HACKERONE CAN HELP YOU START A BUG BOUNTY PROGRAM TODAY Now for a quick break from Daniel’s awesome content to show you this HackerOne commercial... Or read our Bug Bounty Field Manual guide on how to plan, launch, and operate a bug bounty program for more information
  • 28. Most Frequently Confused ASSESS THEN TEST! Miessler says: If you aren’t confident in your security posture and know already that it’s not solid, you should be doing Vulnerability Assessments—not Penetration Testing. Penetration testing is for testing your posture once you have it where you want it. BOUNTIES SURFACE BUGS NOT FOUND WITH OTHER METHODS! Miessler says: The best way to think about Bug Bounties is an enhancement to the discovery phase of a Vulnerability Assessment. Vulnerability Assessments have two pieces: Discovery (finding as many issues as possible), and Prioritization (ranking what should be fixed first). Bug Bounties are great at the first part, and not good at the second. As such, they are best used when you have done multiple Vulnerability Assessments already and have already found the easy stuff. Bug Bounties excel at finding issues not found using other methods.
  • 29. Most Frequently Confused RED TEAMS ARE CONTINUOUS! Miessler says: Because marketing and sales drive the infosec industry, people are constantly conflating Red Teaming and Penetration Testing. Because Red Teams are meant to emulate the adversary they generally only work if they are both continuous and run over long periods—ideally permanently. So if you have some company offering to do a 2-week “Red Team” engagement, this is probably better described as a Penetration Test. So the key distinctions are the emulation of real-world attackers, including their tenacity, the permanent duration of the attack, the TTP sophistication, etc. Assessments that lack those elements are Penetration Tests, not Red Team engagements.
  • 30. Expand & Reinforce Your Security Efforts Receive vulnerability reports on a secure platform, perform discreet tests using ethical hackers, and run bug bounties at any scale. HACKERONE CAN HELP! LEARN HOW
  • 31. Did You Like This Presentation? You Can Get More InfoSec Insights by following Daniel Miessler Daniel Miessler is an information security professional and writer based in the San Francisco Bay Area. Learn more about Daniel and read his 2,500 essays, posts, and other content on his website, danielmiessler.com. And, subscribe to his weekly podcast and newsletter, Unsupervised Learning, to get Daniel’s curated look at the most interesting stories covering security, technology, and humans.
  • 32. MAKE THE INTERNET SAFER. WWW.HACKERONE.COM / SALES@HACKERONE.COM / +1 (415) 891-0777