Tactics and Penetration Testing


Overview
  Tactics: A procedure or set of maneuvers engaged in to achieve an end, an aim, or a goal.
  Tactics
  Penetration testing
  Methods
  Guidelines

Tactics
  Reconnaissance
  Exploit
  Communication
  Command
  Effect
  Reserve
  Implications

IW-Strategy: Critical Issues
  What must you defend?
    – Mission of the organization
    – Assets of the organization
  What can you defend?
    – Personnel limitations
    – Information limitations
  What is likely to be attacked?

Reconnaissance
  Extend view of the World
  Finding the network: Lookup, DNS, Routes
  Locating key hosts: Services, Public Nodes
  Profiling: Role, OS, Age, Content, Relations, hosts vs. decoys
  Points of Access: Initial and Follow-on
  Points of Vulnerability: technical, procedure
  Points of Exploit: Change State
  Points of Effect: Channel, Target, Cover

Exploit
  Methods by which to gain access or elevate privileges
  System type: Service and OS
  End goal: Impersonate, Intercept, Modify, Interrupt
  Jump points: Local, Border, Remote
  Methods: Vulnerability, Action, Reaction
  Evidence: System, Defense, Network

Communication
  Transfer of information on progress
  Indicators: External evidence of progress
  Waypoints: Phases of method
  Signaling: Present, Ready, Beacon
  Reporting: Success, Fail, Options
  Transfer: Information, Code, Command

Command
  Directing actions of hack
  Manual vs. Automatic: interactive, shells
  Command Channels: application, infrastructure
  Encryption and encoding
  Passive vs. Active Intelligence: actions, options, productivity
  Commanding Effects

Effect
  Mechanism for advancing hack
  Employ, Corrupt, Install, Reconfigure
  Phased effects
  Split effects
  Delegation, Propagation, Relocation
  Confusion
  Reconnaissance
  Plant the flag, Capture the flag

Reserve
  Unused means of attack
  Respond to defenses
  Respond to detection
  Branch points
  Redundancy
  Deception

Implications
  Replicating attacks
  Modifying attacks
  Operational damage
  Mission damage

Penetration Testing
  Identify weakness
  Inform response: Priority, Options, Effectiveness
  Assess security performance
  Communicate risk: “We think we’re really secure.”

Methods
  Appropriate to goal
  Within scenario
  Deception
  Bounded range
  Bounded damage

Guidelines
  Agreement on terms of penetration
  Goal
  Constraints
  Liabilities
  Indemnification
  Success and Failure

Goal
  Personnel
  Process
  Technology
  Service
  Readiness
  Exploration

Constraints
  Where applied
  When applied
  Scenario
  Resources: cost, effort, personnel, technology
  Excluded methods

Liabilities
  Technical instability
  Personnel distraction
  Financial dispersion
  Public perception
  Mission disruption

Indemnification
  Authority
  Accountability
  Oversight and Decision Reporting
  Information handling
  Non-disclosure