www.intexit.co.uk
Understanding Penetration Testing & its benefits for organization
Christie Oso
Security Consultant | Trainer
Managing Principal Information Security Consultant | Trainer at Intex IT, responsible for Risk Management, Vulnerability Assessment and Penetration Testing. Among her many certifications she is a PECB Certified Lead Pen Tester, CISSP, CISM, CEH, ISO 27001 Lead Auditor and ISO 27005 Risk Manager.
Contact Information
00441634 566 555
admin@intexit.co.uk
www.intexit.co.uk
https://uk.linkedin.com/in/christieo1
Twitter: @Christiexto
Agenda
• Part 1: Overview of Penetration Testing
• Part 2: Purpose of Penetration Testing and Benefits
• Part 3: What are the Rules of Engagement?
  • White, Black and Grey Box Testing
• Part 4: Penetration Testing Phases
Part 1
• What is Penetration Testing
• Purpose of Penetration Testing
What is Penetration Testing?
• Penetration Testing is an exercise to identify vulnerabilities which could be present in an Information System, Network, Application or the organization's overall Information Security Posture.
• Tests are authorized and carried out by skilled professionals using techniques that real-world attackers may use.
• Testing demonstrates the weaknesses, how they can be exploited and, importantly, provides guidance on how to reduce the associated risk.
• Testing can also identify the organization's ability to respond to an incident.
Purpose of Penetration Testing
• There are many reasons why an organization may wish to commission a penetration test; these include:
• To identify risks or confirm risk scenarios
• To gain assurance on security prior to deploying or procuring a new system/service
• To provide assurance to customers and/or business partners about the security of a system/service
• To demonstrate due diligence and due care regarding security risk
• To comply with legal, regulatory and contractual requirements, e.g. PCI DSS requirement 11.3, whose testing environment is the entire cardholder data environment (CDE)
Part 2
• Types of penetration test
• The role of a Penetration Tester
So what is a Vulnerability assessment?
• A vulnerability assessment scans a network for known security weaknesses.
• Vulnerability scanning tools search network segments for IP-enabled devices and enumerate systems, operating systems, and applications.
• Vulnerability scanners can test systems and network devices for exposure to common attacks.
• Vulnerability scanners can identify common security configuration mistakes.
Types of penetration test
• Network Security testing
• Social Engineering testing
• Wireless Security testing
• Web Application testing
Skill Level of Penetration Tester
• Should have basic knowledge of ethical and permissible issues
• Should have primary-level knowledge of session hijacking
• Should know about hacking wireless networks
• Should be proficient in sniffing
• Should know how to handle viruses and worms
• Should have basic knowledge of cryptography
• Should have basic knowledge of accounts administration
• Should know how to perform system hacking
• Knowledge of network and computer technology
– Ability to communicate with management and IT personnel, understanding of the laws, ability to use the necessary tools
Part 3
• Penetration Testing Benefits
• What are the Rules of Engagement?
• White, Black and Grey Box Testing
Penetration Testing Benefits
Advantages:
1. Improvement of security
2. Good governance
3. Conformity
4. Cost management
5. Customer and partner assurance
Rules of Engagement
• Penetration testing involves using techniques used by attackers, so some basic rules of engagement must be followed to stay legal and meet expectations:
• Ensure the scope is clear, detailing exactly what tests will/will not be carried out and the times and dates of such tests
• Never carry out tests outside of this scope under any circumstances
• Always have formal written permission from the correct authority before conducting any form of testing
• Always report any major finding to the client immediately and await the response; a report should never contain surprises!
• Ensure you or your company has adequate insurance coverage
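The scope rules above can be turned into a mechanical gate that every test action passes through before it runs. This is an added example (not code from the slides or from Intex IT); the networks, excluded host, test types and testing window are all constructed values for illustration.

```python
"""Scope gate for an authorised penetration test (added example).

Encodes the rules-of-engagement items: agreed target ranges, hosts that are
explicitly excluded, the test types the client signed off on, and the agreed
testing window. Anything outside those is refused with the rule that blocked
it, so the refusal itself can go into the engagement log.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress


@dataclass
class RulesOfEngagement:
    in_scope_networks: list = field(default_factory=list)   # ip_network objects
    excluded_hosts: set = field(default_factory=set)        # ip_address objects
    permitted_tests: set = field(default_factory=set)       # agreed test types
    windows: list = field(default_factory=list)             # (start, end) in UTC

    def check(self, target: str, test_type: str, when: datetime):
        """Return (allowed, reason). Each refusal names the rule that blocked it."""
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            # Hostnames are not accepted: scope is agreed on addresses, so resolve
            # first and check the resolved address against the agreed ranges.
            return False, f"'{target}' is not an IP address; resolve it and re-check"
        if not any(addr in net for net in self.in_scope_networks):
            return False, f"{target} is not in any agreed scope range"
        if addr in self.excluded_hosts:
            return False, f"{target} is explicitly excluded from testing"
        if test_type not in self.permitted_tests:
            return False, f"test type '{test_type}' was not authorised"
        if not any(start <= when <= end for start, end in self.windows):
            return False, f"{when.isoformat()} is outside the agreed testing window"
        return True, "in scope"


# Constructed engagement: two documentation ranges (RFC 5737), one fragile host
# excluded, no denial-of-service testing, one out-of-hours window.
ROE = RulesOfEngagement(
    in_scope_networks=[ipaddress.ip_network("192.0.2.0/24"),
                       ipaddress.ip_network("198.51.100.0/25")],
    excluded_hosts={ipaddress.ip_address("192.0.2.10")},
    permitted_tests={"network", "web_application", "wireless"},
    windows=[(datetime(2024, 3, 2, 22, 0, tzinfo=timezone.utc),
              datetime(2024, 3, 3, 6, 0, tzinfo=timezone.utc))],
)

# A time inside the constructed window, used by the demo cases below.
DEMO_TIME = datetime(2024, 3, 2, 23, 30, tzinfo=timezone.utc)


def gate(target: str, test_type: str, when: datetime, roe: RulesOfEngagement = ROE) -> bool:
    """Decide and record one test action; the caller only proceeds on True."""
    allowed, reason = roe.check(target, test_type, when)
    print(f"{'ALLOW ' if allowed else 'REFUSE'} {test_type:<18} {target:<14} {reason}")
    return allowed


def run_demo(roe: RulesOfEngagement = ROE) -> list:
    """Five constructed cases: one in scope, four blocked by different rules."""
    return [
        gate("192.0.2.20", "web_application", DEMO_TIME, roe),          # in scope
        gate("192.0.2.10", "network", DEMO_TIME, roe),                  # excluded host
        gate("192.0.2.20", "denial_of_service", DEMO_TIME, roe),        # test not agreed
        gate("203.0.113.5", "network", DEMO_TIME, roe),                 # outside ranges
        gate("192.0.2.20", "network",                                   # outside window
             datetime(2024, 3, 3, 9, 0, tzinfo=timezone.utc), roe),
    ]


if __name__ == "__main__":
    run_demo()
```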
White, Black and Grey Box Testing
• White Box Testing is a test whereby a penetration tester is given full details of the system to be tested, including designs and credentials.
• The primary purpose of a white box test is to allow the tester to conduct a thorough, detailed and in-depth security test of all elements of the system.
• Black Box Testing is the opposite, whereby the tester is simply given an amount of time to compromise organizational systems with no prior information.
• The primary purpose of a black box test is to identify what individuals without any prior association to the organization could achieve. This will require the tester to perform reconnaissance and gather information.
• Grey Box Testing is a combination of the two.
Penetration Testing Phases
Performing Reconnaissance
• Performing Reconnaissance is focused on gathering information about the target in a passive way.
• This may involve reviewing the web for information about key technologies, key staff (who could be targets for social engineering), and technical details such as IP address ranges.
• The information gathered in this stage will be useful going forward, as it will inform the kind of tests and techniques that could be used.
Scanning and Enumeration
• Once you have information from the reconnaissance activities, the next step is to build on that information with a view to finding potential vulnerabilities.
• Scanning and Enumeration is the stage where we attempt to validate some of our initial information and find specific facts: what systems are actually running, can we map the network, and can we identify potential vulnerabilities which can be tested for exploitation in the next phase?
• Numerous tools and techniques can be used in this phase, and some will be explored later in this course.
Gaining Access
• Gaining Access is the phase whereby the potential vulnerabilities identified in the previous phase are put to the test.
• In this phase we attempt to gain access to the system(s) in scope by exploiting the vulnerabilities.
• Note: For Denial of Service vulnerabilities (those affecting availability) it is usual practice to report such vulnerabilities but not attempt to exploit them, especially on live production systems.
Elevate Privileges
• We are in!! … Now what's next?
Elevate Privileges
• Once access is gained, the next step is to identify if privileges can be elevated, i.e. once logged in as a standard user, is it now possible to gain administrator access?
Maintain Access
• In a real-world hacking attack this is a key step. How long can an attacker go without being detected?
• Depending on the scope of the test, avoiding detection (whether that be avoiding triggering alerts on an IDS or avoiding being detected inside a building) may be a fundamental part of the test.
Placing Backdoors
• Backdoors are used to allow an attacker to continue gaining access to the system in the future. A backdoor is a mechanism that allows access whilst avoiding the normal authentication approach.
• In a penetration test it is important to agree the scope and identify whether the placement of backdoors is part of the test. Placing such backdoors essentially creates a gap in the security posture of the organization and may not be an acceptable risk!
Hiding Evidence
Removing all traces
Covering Tracks
• Once the backdoors are placed and the attack is complete, the attacker wishes to reduce the likelihood of the attack ever being uncovered.
• Covering tracks includes techniques to remove log entries, hide files and remove all trace of such attacks.
• Such a step in a penetration test may be used to identify whether an organization's protective monitoring is truly working, and is indeed very useful in an unannounced test.
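From the defender's side, the check that shows whether protective monitoring catches log-entry removal is to ship logs to a collector the tested host cannot alter and then compare the two copies. This is an added example, not from the slides: it uses the serial number that Linux audit records carry in `msg=audit(<epoch>:<serial>)`, and the host log, the collector copy and the serials are all constructed.

```python
"""Detect removed audit-log entries by comparing host and collector copies
(added example). Linux audit records carry a monotonically increasing serial
in msg=audit(<epoch>:<serial>); serials present on the collector but absent
on the host mean entries were removed locally, which is exactly the
"remove log entries" step protective monitoring should catch.
"""
import re

AUDIT_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")


def parse_serials(lines):
    """Map serial -> (timestamp, raw line) for every parseable audit record."""
    records = {}
    for line in lines:
        m = AUDIT_RE.search(line)
        if m:
            records[int(m["serial"])] = (float(m["ts"]), line)
    return records


def find_gaps(serials):
    """Return (first_missing, last_missing) ranges between consecutive serials."""
    gaps = []
    ordered = sorted(serials)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur - prev > 1:
            gaps.append((prev + 1, cur - 1))
    return gaps


def compare_logs(host_lines, collector_lines):
    """Compare the host's own audit log with the copy the collector received."""
    host = parse_serials(host_lines)
    collector = parse_serials(collector_lines)
    # Serials the collector has but the host no longer does: local removal.
    missing_on_host = sorted(set(collector) - set(host))
    # Serials the host has but the collector never got: forwarding failure,
    # or the collector itself was tampered with. Either way, follow up.
    missing_on_collector = sorted(set(host) - set(collector))
    # Timestamps running backwards in serial order suggest edited records.
    stamps = [host[s][0] for s in sorted(host)]
    time_regressions = sum(1 for a, b in zip(stamps, stamps[1:]) if b < a)
    return {
        "host_gaps": find_gaps(host),
        "missing_on_host": missing_on_host,
        "missing_on_collector": missing_on_collector,
        "time_regressions": time_regressions,
        "tampering_suspected": bool(missing_on_host) or time_regressions > 0,
    }


# Constructed collector copy: one SSH session, serials 100-106 complete.
COLLECTOR_LOG = [
    'type=USER_LOGIN msg=audit(1709420401.101:100): pid=2211 uid=0 auid=1001 ses=7 msg=\'op=login acct="alice" exe="/usr/sbin/sshd" res=success\'',
    'type=USER_START msg=audit(1709420401.105:101): pid=2211 uid=0 auid=1001 ses=7 msg=\'op=PAM:session_open acct="alice" res=success\'',
    'type=USER_CMD msg=audit(1709420455.300:102): pid=2340 uid=1001 auid=1001 ses=7 msg=\'cwd="/home/alice" cmd="id" exe="/usr/bin/sudo" res=success\'',
    'type=USER_AUTH msg=audit(1709420456.010:103): pid=2340 uid=1001 auid=1001 ses=7 msg=\'op=PAM:authentication acct="alice" res=success\'',
    'type=CRED_DISP msg=audit(1709420512.200:104): pid=2211 uid=0 auid=1001 ses=7 msg=\'op=PAM:setcred acct="alice" res=success\'',
    'type=USER_END msg=audit(1709420512.205:105): pid=2211 uid=0 auid=1001 ses=7 msg=\'op=PAM:session_close acct="alice" res=success\'',
    'type=USER_LOGOUT msg=audit(1709420512.210:106): pid=2211 uid=0 auid=1001 ses=7 msg=\'op=logout acct="alice" res=success\'',
]

# Constructed host copy: the same log with the sudo activity (102, 103) removed.
HOST_LOG = [line for line in COLLECTOR_LOG if ":102)" not in line and ":103)" not in line]


if __name__ == "__main__":
    result = compare_logs(HOST_LOG, COLLECTOR_LOG)
    for key, value in result.items():
        print(f"{key:<22} {value}")
```

The host-side gap alone is only a hint (rotation or a crash can also leave one); the collector comparison is what makes it evidence.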
Penetration Testing Checklist
These are the typical items to be in place before the testing:
• A formally documented and approved scope
• A signed contract with legal elements and NDA
• Adequate and complete insurance coverage
• Ensure reporting channels are agreed along with reporting times
• Is access to the building arranged, user credentials established?
• Is IT Support in place and available when testing commences?
• A process for following up on penetration test findings
• An agreement on how findings will be rated and ranked
• Agreement on the process and timeframes for follow-up testing
Conclusion
• What's next?
• Certification?
• PECB Certified Lead Penetration Tester
THANK YOU

PECB
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
PECB
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA
PECB
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?
PECB
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptx
PECB
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
PECB
 

More from PECB (20)

ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of CybersecurityDORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
 
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI GovernanceSecuring the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
Securing the Future: ISO/IEC 27001, ISO/IEC 42001, and AI Governance
 
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
ISO/IEC 27032, ISO/IEC 27002, and CMMC Frameworks - Achieving Cybersecurity M...
 
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
ISO/IEC 27001 and ISO/IEC 27035: Building a Resilient Cybersecurity Strategy ...
 
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
 
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
Aligning ISO/IEC 27032:2023 and ISO/IEC 27701: Strengthening Cybersecurity Re...
 
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital TransformationISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
ISO/IEC 27001 and ISO/IEC 27032:2023 - Safeguarding Your Digital Transformation
 
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulationsManaging ISO 31000 Framework in AI Systems - The EU ACT and other regulations
Managing ISO 31000 Framework in AI Systems - The EU ACT and other regulations
 
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
Impact of Generative AI in Cybersecurity - How can ISO/IEC 27032 help?
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
 
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
How Can ISO/IEC 27001 Help Organizations Align With the EU Cybersecurity Regu...
 
Student Information Session University KTMC
Student Information Session University KTMC Student Information Session University KTMC
Student Information Session University KTMC
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
 
Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA Student Information Session University CREST ADVISORY AFRICA
Student Information Session University CREST ADVISORY AFRICA
 
IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?IT Governance and Information Security – How do they map?
IT Governance and Information Security – How do they map?
 
Information Session University Egybyte.pptx
Information Session University Egybyte.pptxInformation Session University Egybyte.pptx
Information Session University Egybyte.pptx
 
Student Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptxStudent Information Session University Digital Encode.pptx
Student Information Session University Digital Encode.pptx
 

Recently uploaded

ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdfANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
Priyankaranawat4
 
Pride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School DistrictPride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School District
David Douglas School District
 
PCOS corelations and management through Ayurveda.
PCOS corelations and management through Ayurveda.PCOS corelations and management through Ayurveda.
PCOS corelations and management through Ayurveda.
Dr. Shivangi Singh Parihar
 
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Dr. Vinod Kumar Kanvaria
 
A Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdfA Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdf
Jean Carlos Nunes Paixão
 
Natural birth techniques - Mrs.Akanksha Trivedi Rama University
Natural birth techniques - Mrs.Akanksha Trivedi Rama UniversityNatural birth techniques - Mrs.Akanksha Trivedi Rama University
Natural birth techniques - Mrs.Akanksha Trivedi Rama University
Akanksha trivedi rama nursing college kanpur.
 
Main Java[All of the Base Concepts}.docx
Main Java[All of the Base Concepts}.docxMain Java[All of the Base Concepts}.docx
Main Java[All of the Base Concepts}.docx
adhitya5119
 
Assessment and Planning in Educational technology.pptx
Assessment and Planning in Educational technology.pptxAssessment and Planning in Educational technology.pptx
Assessment and Planning in Educational technology.pptx
Kavitha Krishnan
 
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
Nguyen Thanh Tu Collection
 
Executive Directors Chat Leveraging AI for Diversity, Equity, and Inclusion
Executive Directors Chat  Leveraging AI for Diversity, Equity, and InclusionExecutive Directors Chat  Leveraging AI for Diversity, Equity, and Inclusion
Executive Directors Chat Leveraging AI for Diversity, Equity, and Inclusion
TechSoup
 
DRUGS AND ITS classification slide share
DRUGS AND ITS classification slide shareDRUGS AND ITS classification slide share
DRUGS AND ITS classification slide share
taiba qazi
 
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
IreneSebastianRueco1
 
The basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptxThe basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptx
heathfieldcps1
 
PIMS Job Advertisement 2024.pdf Islamabad
PIMS Job Advertisement 2024.pdf IslamabadPIMS Job Advertisement 2024.pdf Islamabad
PIMS Job Advertisement 2024.pdf Islamabad
AyyanKhan40
 
How to Add Chatter in the odoo 17 ERP Module
How to Add Chatter in the odoo 17 ERP ModuleHow to Add Chatter in the odoo 17 ERP Module
How to Add Chatter in the odoo 17 ERP Module
Celine George
 
How to Build a Module in Odoo 17 Using the Scaffold Method
How to Build a Module in Odoo 17 Using the Scaffold MethodHow to Build a Module in Odoo 17 Using the Scaffold Method
How to Build a Module in Odoo 17 Using the Scaffold Method
Celine George
 
South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)
Academy of Science of South Africa
 
Digital Artifact 1 - 10VCD Environments Unit
Digital Artifact 1 - 10VCD Environments UnitDigital Artifact 1 - 10VCD Environments Unit
Digital Artifact 1 - 10VCD Environments Unit
chanes7
 
The History of Stoke Newington Street Names
The History of Stoke Newington Street NamesThe History of Stoke Newington Street Names
The History of Stoke Newington Street Names
History of Stoke Newington
 
Lapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdfLapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdf
Jean Carlos Nunes Paixão
 

Recently uploaded (20)

ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdfANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
 
Pride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School DistrictPride Month Slides 2024 David Douglas School District
Pride Month Slides 2024 David Douglas School District
 
PCOS corelations and management through Ayurveda.
PCOS corelations and management through Ayurveda.PCOS corelations and management through Ayurveda.
PCOS corelations and management through Ayurveda.
 
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...
 
A Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdfA Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdf
 
Natural birth techniques - Mrs.Akanksha Trivedi Rama University
Natural birth techniques - Mrs.Akanksha Trivedi Rama UniversityNatural birth techniques - Mrs.Akanksha Trivedi Rama University
Natural birth techniques - Mrs.Akanksha Trivedi Rama University
 
Main Java[All of the Base Concepts}.docx
Main Java[All of the Base Concepts}.docxMain Java[All of the Base Concepts}.docx
Main Java[All of the Base Concepts}.docx
 
Assessment and Planning in Educational technology.pptx
Assessment and Planning in Educational technology.pptxAssessment and Planning in Educational technology.pptx
Assessment and Planning in Educational technology.pptx
 
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
 
Executive Directors Chat Leveraging AI for Diversity, Equity, and Inclusion
Executive Directors Chat  Leveraging AI for Diversity, Equity, and InclusionExecutive Directors Chat  Leveraging AI for Diversity, Equity, and Inclusion
Executive Directors Chat Leveraging AI for Diversity, Equity, and Inclusion
 
DRUGS AND ITS classification slide share
DRUGS AND ITS classification slide shareDRUGS AND ITS classification slide share
DRUGS AND ITS classification slide share
 
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
 
The basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptxThe basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptx
 
PIMS Job Advertisement 2024.pdf Islamabad
PIMS Job Advertisement 2024.pdf IslamabadPIMS Job Advertisement 2024.pdf Islamabad
PIMS Job Advertisement 2024.pdf Islamabad
 
How to Add Chatter in the odoo 17 ERP Module
How to Add Chatter in the odoo 17 ERP ModuleHow to Add Chatter in the odoo 17 ERP Module
How to Add Chatter in the odoo 17 ERP Module
 
How to Build a Module in Odoo 17 Using the Scaffold Method
How to Build a Module in Odoo 17 Using the Scaffold MethodHow to Build a Module in Odoo 17 Using the Scaffold Method
How to Build a Module in Odoo 17 Using the Scaffold Method
 
South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)
 
Digital Artifact 1 - 10VCD Environments Unit
Digital Artifact 1 - 10VCD Environments UnitDigital Artifact 1 - 10VCD Environments Unit
Digital Artifact 1 - 10VCD Environments Unit
 
The History of Stoke Newington Street Names
The History of Stoke Newington Street NamesThe History of Stoke Newington Street Names
The History of Stoke Newington Street Names
 
Lapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdfLapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdf
 

Understanding Penetration Testing & its Benefits for Organization

Christie Oso
Security Consultant | Trainer
Managing Principal Information Security Consultant | Trainer at Intex IT, responsible for Risk Management, Vulnerability Assessment and Penetration Testing. Among many she is PECB Certified Lead Pen Tester, CISSP, CISM, CEH, ISO 27001 Lead Auditor, ISO 27005 Risk Manager
Contact Information
00441634 566 555
admin@intexit.co.uk
www.intexit.co.uk
https://uk.linkedin.com/in/christieo1
Twitter@Christiexto

Agenda
• Part 1: Overview of Penetration Testing
• Part 2: Purpose of Penetration Testing and Benefits
• Part 3: What are the Rules of Engagement?
• White, Black and Grey Box Testing
• Part 4: Penetration Testing Phases

Part 1
• What is Penetration Testing
• Purpose of Penetration Testing

What is Penetration Testing?
• Penetration Testing is an exercise to identify vulnerabilities which could be present in an Information System, Network, Application or the organization's overall Information Security Posture
• Tests are authorized and carried out by skilled professionals using techniques that real world attackers may use
• Testing demonstrates the weaknesses, how they can be exploited and, importantly, provides guidance on how to reduce the associated risk
• Testing can also identify the organization's ability to respond to an incident

Purpose of Penetration Testing
• There are many reasons why an organization may wish to commission a penetration test; these include:
• To identify risks or confirm risk scenarios
• To gain assurance on security prior to deploying or procuring a new system/service
• To provide assurance to customers and/or business partners about the security of a system/service
• To demonstrate due diligence and due care regarding security risk
• To comply with legal, regulatory and contractual requirements, e.g. PCI DSS requirement 11.3, whose test environment is the entire cardholder data environment (CDE)

Part 2
• Types of penetration test
• The role of a Penetration Tester

So what is a Vulnerability assessment?
• A vulnerability assessment scans a network for known security weaknesses.
• Vulnerability scanning tools search network segments for IP-enabled devices and enumerate systems, operating systems, and applications.
• Vulnerability scanners can test systems and network devices for exposure to common attacks.
• Vulnerability scanners can identify common security configuration mistakes.

Types of penetration test
• Network Security testing
• Social Engineering testing
• Wireless Security testing
• Web Application testing

Skill Level of Penetration Tester
• Should have basic knowledge of ethical and permissible issues
• Should have primary level knowledge of session hijacking
• Should know about hacking wireless networks
• Should be good at sniffing
• Should know how to handle viruses and worms
• Should have basic knowledge of cryptography
• Should have basic knowledge of account administration
• Should know how to perform system hacking
• Knowledge of network and computer technology; ability to communicate with management and IT personnel; understanding of the laws; ability to use the necessary tools

Part 3
• Penetration Testing Benefits
• What are the Rules of Engagement?
• White, Black and Grey Box Testing

Penetration Testing Benefits
ADVANTAGES
1. Improvement of security
2. Good governance
3. Conformity
4. Cost management
5. Customer and partner assurance

Rules of Engagement
• Penetration testing involves using techniques used by attackers, and some basic rules of engagement must be followed to stay legal and meet expectations:
• Ensure the scope is clear, detailing exactly what tests will/will not be carried out and the times and dates of such tests
• Never carry out tests outside of this scope under any circumstances
• Always have formal written permission from the correct authority before conducting any form of testing
• Always report immediately to the client any major finding and await the response; a report should never contain surprises!
• Ensure you or your company has adequate insurance coverage
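The scope rules above can be enforced mechanically before every test action. The following is an added example, not code from the slides or from Intex IT: an engagement gate that refuses a target, a test type or a time that the signed scope does not cover. The `EngagementScope` class, the `authorise` function and the sample scope (RFC 5737 documentation addresses, a reserved `.test` hostname, invented dates) are all hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class EngagementScope:
    """The formally agreed scope: which targets, which test types, which times."""
    networks: Tuple[ipaddress.IPv4Network, ...]    # address ranges in scope
    hostnames: FrozenSet[str]                        # named hosts in scope
    exclusions: Tuple[ipaddress.IPv4Network, ...]  # explicitly out of bounds
    windows: Tuple[Tuple[datetime, datetime], ...]   # agreed UTC testing windows
    allowed_tests: FrozenSet[str]                    # test types the client authorised


def target_in_scope(scope: EngagementScope, target: str) -> bool:
    """True only if target is an in-scope host or address and not excluded."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:                        # not an IP literal: treat as a hostname
        return target.lower() in scope.hostnames
    if any(addr in net for net in scope.exclusions):
        return False                          # an exclusion always wins
    return any(addr in net for net in scope.networks)


def time_in_window(scope: EngagementScope, when: datetime) -> bool:
    """True if the moment falls inside one of the agreed testing windows."""
    if when.tzinfo is None:
        raise ValueError("use a timezone-aware datetime; windows are in UTC")
    when = when.astimezone(timezone.utc)
    return any(start <= when <= end for start, end in scope.windows)


def authorise(scope: EngagementScope, test_type: str,
              target: str, when: datetime) -> Tuple[bool, str]:
    """Gate one test action; every refusal names the rule that blocked it."""
    if test_type not in scope.allowed_tests:
        return False, f"{test_type!r} is not an authorised test type"
    if not target_in_scope(scope, target):
        return False, f"{target!r} is outside the agreed scope or explicitly excluded"
    if not time_in_window(scope, when):
        return False, f"{when.isoformat()} is outside the agreed testing windows"
    return True, "within scope, inside the agreed window, authorised test type"


# Constructed sample scope for a hypothetical engagement: RFC 5737 documentation
# addresses and a reserved .test hostname, so nothing here is a real target.
SAMPLE_SCOPE = EngagementScope(
    networks=(ipaddress.ip_network("192.0.2.0/24"),),
    hostnames=frozenset({"www.example.test"}),
    exclusions=(ipaddress.ip_network("192.0.2.250/32"),),   # e.g. the live payment host
    windows=((datetime(2024, 6, 10, 22, 0, tzinfo=timezone.utc),
              datetime(2024, 6, 11, 6, 0, tzinfo=timezone.utc)),),
    allowed_tests=frozenset({"network", "web_application"}),
)
SAMPLE_DURING = datetime(2024, 6, 11, 1, 30, tzinfo=timezone.utc)   # inside the window
SAMPLE_AFTER = datetime(2024, 6, 11, 9, 0, tzinfo=timezone.utc)     # after it closed

if __name__ == "__main__":
    for test, target, when in [("network", "192.0.2.10", SAMPLE_DURING),
                               ("network", "192.0.2.250", SAMPLE_DURING),
                               ("social_engineering", "192.0.2.10", SAMPLE_DURING),
                               ("web_application", "www.example.test", SAMPLE_AFTER)]:
        print(test, target, authorise(SAMPLE_SCOPE, test, target, when))
```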
White, Black and Grey Box Testing
• White Box Testing is a test whereby a penetration tester is given full details of the system to be tested, including designs and credentials.
• The primary purpose of a white box test is to allow the tester to conduct a thorough, detailed and in-depth security test of all elements of the system.
• Black Box Testing is the opposite, whereby the tester is simply given an amount of time to compromise organizational systems with no prior information.
• The primary purpose of a black box test is to identify what individuals without any prior association to the organization could achieve. This will require the tester to perform reconnaissance and gather information.
• Grey Box Testing is a combination of the two.

Performing Reconnaissance
• Performing Reconnaissance is focused on gathering information about the target in a passive way.
• This may involve reviewing the web for information about key technologies, key staff (who could be targets for social engineering), and technical details such as IP address ranges.
• The information gathered in this stage will be useful going forward, as it will inform the kind of tests and techniques that could be used.

Scanning and Enumeration
• Once you have information from the reconnaissance activities, the next step is to build on that information with a view to finding potential vulnerabilities.
• Scanning and Enumeration is the stage where we attempt to validate some of our initial information and find specific facts: what systems are actually running, can we map the network, can we identify potential vulnerabilities which can be tested for exploitation in the next phase?
• Numerous tools and techniques can be used in this phase and some will be explored later in this course.

Gaining Access
• Gaining Access is the phase whereby the potential vulnerabilities identified in the previous phase are put to the test
• In this phase we attempt to gain access to the system(s) in scope by exploiting the vulnerabilities
• Note: For Denial of Service vulnerabilities (those affecting availability) it is usual practice to report such vulnerabilities but not attempt to exploit them, especially on live production systems

Elevate Privileges
• We are in!! … Now what's next?

Elevate Privileges
• Once access is gained, the next step is to identify if privileges can be elevated, i.e. once logged in as a standard user, is it now possible to gain administrator access?

Maintain Access
• In a real world hacking attack this is a key step. How long can an attacker go without being detected?
• Depending on the scope of the test, avoiding detection (whether that be avoiding triggering alerts on an IDS or avoiding being detected inside a building) may be a fundamental part of the test.

Placing Backdoors
• Backdoors are used to allow an attacker to continue gaining access to the system in the future. A backdoor is a mechanism that allows access whilst avoiding the normal authentication approach.
• In a penetration test it is important to agree the scope and identify whether the placement of backdoors is part of the test. Placing such backdoors essentially creates a gap in the security posture of the organization and may not be an acceptable risk!

Covering Tracks
• Once the backdoors are placed and the attack complete, the attacker wishes to reduce the likelihood of the attack ever being uncovered.
• Covering tracks includes techniques to remove log entries, hide files and remove all trace of such attacks.
• Such a step in a penetration test may be used to identify if an organization's protective monitoring is truly working, and indeed is very useful in an unannounced test.
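One protective-monitoring control that makes the log-removal step above detectable is a tamper-evident log: each entry's hash is chained to the one before it, and the latest hash is forwarded off-host as it is written. The following is an added example, not code from the slides or from Intex IT; the `build_chain`, `verify_chain` and `tamper_scenarios` functions and the sample auth-log lines (hypothetical host, user and RFC 5737 address) are all constructed for illustration.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64            # chain anchor for the very first entry


def _link(prev_hash: str, seq: int, line: str) -> str:
    """Hash of one entry, bound to its sequence number and its predecessor's hash."""
    return hashlib.sha256(f"{prev_hash}|{seq}|{line}".encode()).hexdigest()


def build_chain(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Chain log lines as (seq, line, hash); each hash depends on every entry before it."""
    records, prev = [], GENESIS
    for seq, line in enumerate(lines, start=1):
        h = _link(prev, seq, line)
        records.append((seq, line, h))
        prev = h
    return records


def verify_chain(records: List[Tuple[int, str, str]],
                 anchored_head: Optional[str] = None) -> Tuple[bool, str]:
    """Check every link. anchored_head is the last hash as forwarded off-host
    (e.g. to the SIEM) at write time; an attacker on the host cannot rewrite it."""
    prev = GENESIS
    for expected_seq, (seq, line, h) in enumerate(records, start=1):
        if seq != expected_seq:
            return False, f"sequence gap before entry {seq}: entries removed or reordered"
        if not hmac.compare_digest(_link(prev, seq, line), h):
            return False, f"entry {seq} does not match its chain hash: edited or reordered"
        prev = h
    if anchored_head is not None and not hmac.compare_digest(prev, anchored_head):
        return False, "chain head differs from the anchored head: log rewritten or truncated"
    return True, "chain intact"


# Constructed sample log lines (hypothetical host, user and address; not real events).
SAMPLE_LINES = [
    "Jun 10 22:03:11 web01 sshd[4120]: Accepted publickey for deploy from 192.0.2.10",
    "Jun 10 22:03:11 web01 sshd[4120]: pam_unix(sshd:session): session opened for user deploy",
    "Jun 10 22:07:45 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/usr/bin/systemctl status nginx",
    "Jun 10 22:09:02 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/usr/bin/id",
    "Jun 10 22:12:30 web01 sshd[4120]: pam_unix(sshd:session): session closed for user deploy",
]


def tamper_scenarios(lines: List[str]) -> Dict[str, Tuple[bool, str]]:
    """Apply three ways of covering tracks to a chained log and report what is caught."""
    records = build_chain(lines)
    head = records[-1][2]                     # the value forwarded off-host at write time
    # 1. delete the third entry in place, leaving the stored hashes alone
    deleted = records[:2] + records[3:]
    # 2. edit the second line but keep its stored hash
    edited = list(records)
    edited[1] = (2, lines[1].replace("deploy", "root"), records[1][2])
    # 3. delete the third line and rebuild the whole chain so it is self-consistent
    rewritten = build_chain(lines[:2] + lines[3:])
    return {
        "intact": verify_chain(records, head),
        "deleted": verify_chain(deleted, head),
        "edited": verify_chain(edited, head),
        "rewritten_no_anchor": verify_chain(rewritten),      # passes: why anchoring matters
        "rewritten_anchored": verify_chain(rewritten, head),
    }


if __name__ == "__main__":
    for name, result in tamper_scenarios(SAMPLE_LINES).items():
        print(f"{name:20s} {result}")
```

The rewritten chain passes on its own and fails only against the off-host head, which is the property an unannounced test of protective monitoring should be looking for.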
Penetration Testing Checklist
These are the typical items to be in place before the testing:
• A formally documented and approved scope
• A signed contract with legal elements and NDA
• Adequate and complete insurance coverage
• Ensure reporting channels are agreed along with reporting times
• Is access to the building arranged, user credentials established?
• Is IT Support in place and available when testing commences?
• A process for following up on penetration test findings
• An agreement on how findings will be rated and ranked
• Agreement on the process and timeframes for follow up testing

Conclusion
• What's next?
• Certification?
• PECB Certified Lead Penetration Tester

THANK YOU
Contact Information
00441634 566 555
admin@intexit.co.uk
www.intexit.co.uk
https://uk.linkedin.com/in/christieo1
Twitter@Christiexto

Editor's Notes

1. There is much discussion and debate about penetration testing in various publications and on the web. A penetration test is an exercise or set of exercises which are:
• Pre-authorized and carried out by skilled and qualified professionals
• Aimed at identifying security vulnerabilities in targets such as:
  • A network: an example of an Infrastructure Penetration Test
  • A server(s): an example of an Infrastructure Penetration Test
  • A web application: an example of an Application Penetration Test
  • A building: an example of a Physical Security Test (e.g. can the tester gain unauthorized access to a building and then to information or information systems?)
  • A security posture: in this case the testers may be looking for what security vulnerabilities generally exist in the organization. This may include using techniques such as Social Engineering to obtain information from staff or to convince people to grant access to information or information systems.
Such tests will demonstrate the vulnerabilities, how these can be exploited, and the controls which an organization could implement to reduce the risk of such a compromise happening in a real world situation. There are many types of test, including internal and external testing, tests where the tester has no knowledge, partial knowledge or full knowledge of the environment to be tested, and tests which are announced and unannounced. The various types of test, their purpose, benefits and disadvantages will be explored in detail during this course.
2. Improvement of security: general improvement of the effectiveness of information security, with controls implemented to address real, proven vulnerabilities; independent review of your information security management system; increased awareness of security and of how controls can be circumvented and vulnerabilities exploited; advice provided to address identified security problems.
Good governance: awareness and empowerment of personnel regarding information security; decrease of lawsuit risks against upper management by virtue of the "due care" and "due diligence" principles; the opportunity to identify the weaknesses and to provide corrections; if linked with a good Information Security Management System (ISMS), the opportunity to increase the accountability of top management for information security.
Conformity: helps in the effort to be conformant with ISO standards; OECD (Organization for Economic Co-operation and Development) principles; industry standards, for example PCI-DSS (Payment Card Industry Data Security Standard) and Basel II (for the banking industry); national and regional laws; customer contractual requirements.
Cost management: decision makers often ask to justify the profitability of projects or security controls and demand concrete and measurable return-benefits. A new financial evaluation concept has emerged to treat specifically the information security field: Return on Security Investment (ROSI). ROSI is a concept derived from Return on Investment (ROI). It can be interpreted as a security control's financial profit, taking into account its total cost over a given period of time. Understanding the clear risks by analyzing the results of a well constructed penetration test can help in the selection of the correct and most effective controls which will address the real business risks and issues.
Customer and partner assurance: differentiation provides a competitive advantage for the organization; satisfaction of requirements of customers and/or other stakeholders; meeting customer contractual obligations; consolidating confidence of customers, suppliers and partners of the organization.
  3. Whilst it may be interesting to find the next vulnerability or prove a specific security concept it must be considered that only the items in the scope may be tested at the agreed times using the agreed techniques. The scope for the test must be formally documented and a letter of authority and legal contract must be signed by the relevant person(s) with authority before the test commences. There are several key reasons for this: Penetration tests always carry a risk of system outage due to the fact that testers maybe performing activities that are outside of that expected by the system. When authorizing activities the organization are accepting this risk in very specific circumstances. Testing outside of these parameters can introduced un expected risk and in the worst case result in damage and systems outages which the tester and his company maybe held liable for. Penetration testing involves using techniques to circumvent security controls. In many cases such techniques would be a criminal offence under computer misuse law. Working outside of scope is likely to be considered a criminal act. From an insurance point of view a professional tester should have adequate professional indemnity cover. Often this cover is only valid if activities are being performed within clear formal boundaries. If there is an area outside of scope where you suspect vulnerabilities may exist which are relevant or feel there maybe a benefit to extending the scope this should be brought to the attention of the organization along with an explanation of the benefits purpose of such a scope change. As above this must be authorized formally in writing before proceeding. In terms of reporting a formal report will be presented to the relevant management representatives at the end of the engagement. Whilst this maybe the case it is important that any finding deemed major or critical is reported immediately to the organization. 
The purpose here is to allow the organization to take a view as to whether they need to work on the vulnerability immediately. Consider the scenario: a test is being undertaken on a public-facing website and it is identified that an individual could easily gain access to the accounts of other users, and the impact of this would be significant. It would not be fair on the organization to leave them further exposed to this risk until the end of the testing (which could be several days); it is our professional duty to report that finding and provide the necessary advice. It may be that the organization postpones the testing whilst the issue is addressed. Ultimately the organization being tested must make the necessary judgment, with the right advice. It is important to note that the role of the penetration tester is to work with organizations to help them reduce risk, not to spring surprises at the end of the test or to demonstrate their technical skill set (the technical skills will be demonstrated by working in a positive manner).
  4. As a tester I have sometimes been asked why Penetration Testers need to be given credentials (white box test); surely a good penetration tester could just “hack in”? The simple answer is that it depends on what risk scenario is being tested. If we are testing what an internal user could achieve, then it makes sense for the tester to assume the credentials of such a user, which also saves time and cost on the test. If the risk being tested is purely focused on the external person with no knowledge, then the black box approach is appropriate. This shows that before any decision is taken on test type, the risk scenarios, purpose and objectives of the test should be clearly defined and agreed.
  5. On some occasions I have heard organizations stating that they have never had a security breach as a way to justify the failure to implement controls. In most cases, however, the approach to proactive protective monitoring is limited, meaning attackers could have easily conducted attacks and covered their tracks. Sometimes convincing an organization to invest in security controls (and indeed in monitoring for something which they may think does not exist) is an extremely difficult task. A penetration test which also examines how easy it is for an attacker to hide their activity is a very useful way of showing whether a real case for such monitoring applies.
  6. Prior to starting penetration testing activities it is critical that the following key points are addressed:
• A formal scope is agreed, documented and approved.
• A clear contract is in place which authorizes the tests, addresses confidentiality issues and ensures the tests are conducted legally and in line with business requirements.
• Clarity that adequate professional indemnity insurance is in place in case of any errors or incidents which result in immediate or future damage and subsequent losses.
• It is important to ensure that the reporting channels are clear. What happens when major or critical vulnerabilities are found, and who should they be reported to? What about the report when the test is completed?
• All the logistics for the actual tests should be agreed and organised, such as access to buildings, information systems and remote access as required, dependent on the scope or brief of the assignment.
• Ensuring that IT Support is available during the testing is recommended, in order to allow any issues or problems to be addressed rapidly.
• The way in which the findings are presented is critical. It can cause problems if the test team rate everything as “high” and the client disagrees, or if the presentation of the findings is unclear (see Day 4 for a discussion on reporting).
• Agreement should be reached on who will be responsible for managing remediation actions and how follow-up activities will be carried out if necessary.
Considering and addressing all of these factors will significantly reduce the risks associated with testing and increase the likelihood of a successful testing exercise.