1. What Can Go Wrong During a Pen-test? Effectively Engaging and Managing a Pen-test

2. Managing Risk l Some Facts We Can All Agree on: —All businesses can expect some “loss” also known as “the cost of doing business” —Some businesses are not tolerant of loss in certain areas Wise businesses choose which losses are acceptable!

3. My Life as a Fortune Teller! l Reality: —This system has a vulnerability —There are tools available on the Internet to exploit this vulnerability l Conclusion —You are not safe l Perception —This system may be vulnerable, based on the software version number being displayed —No known exploits l Conclusion —I’m safe

4. What is being tested? l Are trying to prove a negative? “I tried to compromise your systems and was able to do so. “ Your systems are not secure “I tried to compromise your systems and was unable to do so.” Your systems are secure

5. Risks in Penetration Testing l Your systems could crash l You could lose business data l You could miss a real penetration l Someone could follow your incident response procedures (and call law enforcement) l You could remain unaware about real vulnerabilities in your environment

6. Questions to ask a Pen-test team l Do they hire former hackers? l How do they store engagement data? l How do they dispose of engagement data? l Do they perform background checks? l How do they collect exploits? l How do they train their staff? l Do they test exploits in a lab?

7. Steps to Managing a Pen Test l Clearly define objectives l Schedule frequent status updates l Supervise closely l Request raw data l Inform internal security monitoring group* l Review results with team (before end of test) * will leak info in a zero-knowledge effort, but worth it!

8. What We Do Build, Secure and Manage Your Network Infrastructure Network and Systems Management Network and Systems Management Security Next Generation Networking Business Consulting Business Consulting Project Management Project Management l Network Infrastructure l Wireless l Convergence l.NET l Storage and Content Networking l Risk Assessment l Defense Planning l Architecture and Infrastructure l IT Operations Services l IT Optimization Services l Business Services Management

9. Unmatched Depth and Breadth of Resources Collaboration Network Methodology Solutions Library Training & Mentoring Technical Resource Library Business Value Justification

10. Network and Systems Management Security Next Generation Networking Security Solutions: Risk Assessment l Penetration Testing Directly tests network security utilizing the latest tools and techniques to emulate Internet, intranet or extranet-based attacks l Risk Analysis Identifies and determines the value of various information assets and the likelihood of loss based on the exposure to threats l Security Assessment Compares measured security against accepted industry practices and established rules, guidelines, or industry regulations

11. Network and Systems Management Security Next Generation Networking Security Solutions: Defense Planning l Policies & Procedures Develop a complete, custom corporate security policy that aligns with your IT and business goals l Security Operations Design an operational model for realizing security policy and technology across the organization l Incident Management Design an effective incident preparedness process and management framework l Awareness Training Train your employees on sound security practices and policies, and ensure your defined security policy is thoroughly communicated

12. Network and Systems Management Security Next Generation Networking Security Solutions: Security Architecture & Infrastructure l Authentication & Access Determine access requirements to design and implement a unified authentication and authorization design l Security Architecture Assess existing infrastructure to identify and mitigate gaps or weaknesses in security architecture l Technical Infrastructure Integrate security technologies, such as VPNs, PKI, IDS, firewalls, virus protection, content filtering, and AAA solutions