Presentation is loading. Please wait.

Presentation is loading. Please wait.

Penetration Testing in Financial Institutions

Published bySydney Wright Modified over 6 years ago

Similar presentations

Presentation on theme: "Penetration Testing in Financial Institutions"— Presentation transcript:

1 Penetration Testing in Financial Institutions
27 November, 2016 Penetration Testing in Financial Institutions COINS Ph.D. student seminar 2016 Oleksandr kazymyrov, technical test analyst

2 How the SWIFT Hack Went Down and How to Benefit from the Lessons Learned
Agenda of the webinar : The sophisticated techniques used during the SWIFT hack, affecting the network, operating system, application and database layer. Key strategies and technologies to put in place for attack prevention and proper response. How Carbon Black can help you to implement the right level of protection and monitoring for different classes of systems. Source:

3 Agenda Chapter I – Brief Introduction Chapter II – What Is Penetration Testing? Chapter III – Pentest in Financial Institutions Chapter IV – Security Incidents Chapter V – Summary

4 Brief Introduction Chapter I

5 Education Additional Job Who am I? Certificates
Candidate of Engineering Sciences in Information Security KHNURE, Ukraine Ph.D. in Cryptology University of Bergen, Norway Additional Certificates Certified Ethical Hacker Certified Encryption Specialist Standards DSTU 7624:2014 DSTU 7564:2014 Job Technical Test Analyst at EVRY Penetration Tester in Financial Services at EVRY

6 EVRY 26% 39yrs – Nordic Champion Women Age Universum #4
100+ employees EVRY – Nordic Champion 50 towns and cities with capacity to deliver 11 regional offices with specialist competencies employees Women Age Universum 26% 39yrs #4

7 EVRY GROUP - Geographic distribution
Nordics Rest of the World (Global Delivery)

8 Performance Reliability Security NFT Department Front-end Load
Endurance Stress Spike Reliability Failover Interruption Recoverability Load balancing Security Application layer Network layer Wireless PCI DSS

9 What Is Penetration Testing?
Chapter II

10 Base Definitions Threat Vulnerability Exploit

11 Vulnerability Scanning vs Penetration Testing
Corvin Castle in Transylvania Source:

12 Types of Penetration Tests
Technical Social Engineering Physical

13 Pre-Engagement Engagement Post-Engagement High-Level Overview Scoping
Information Gathering Vulnerability Analysis Attack Modeling Exploitation Evidence Retention Cleaning up Reporting Remediation Mitigation Retesting Scoping Rules of Engagement Success Criteria Sign Off Pre-Engagement Engagement Post-Engagement

14 Timeline of a Penetration Test
Finish Start Post-exploitation Service and operating system identification Internal External Information gathering Pivoting Exploitation Vulnerability scanning

15 Workflow of a Penetration Test
Information Gathering Vulnerability Analysis Attack Modelling Attack Execution Reporting Retesting

16 Why conduct a penetration test?
Prevent data breach Test security controls Ensure system security Get a base line Compliance

17 Pentest in Financial Institutions
CHAPTER III

18 PCI DSS

19 PCI DSS: What? When? Requirement 11.3.1
“Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).” Requirement “Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).” Requirement

20 Penetration testing Guidance: How?
Penetration Testing Components Understanding of the different components that make up a penetration test and how this differs from a vulnerability scan including scope, application and network layer testing, segmentation checks, and social engineering Qualifications of a Penetration Tester Determining the qualifications of a penetration tester, whether internal or external, through their past experience and certifications. Penetration Testing Methodologies Detailed information related to the three primary parts of a penetration test: pre-engagement, engagement, and post-engagement. Penetration Testing Reporting Guidelines Guidance for developing a comprehensive penetration test report that includes the necessary information to document the test as well as a checklist that can be used by the organization or the assessor to verify whether the necessary content is included.

21 PCI DSS Penetration Testing
External AL NL Internal Segmentation Checks

22 Cardholder Data Environment (CDE)
Source:

23 Scope for PCI DSS Pentest
External Internal Segmentation Source:

24 Security Incidents CHAPTER IV

25 2016 Data Breach Investigations Report
Source:

26 Delta of Number of Vulnerabilities Opened Each Week and Number Closed
Source:

27 Time to Compromise and Exfiltration
Source:

28 Discovery Timeline Within Insider and Privilege Misuse Over Time
Source:

29 Frequency of Incident Classification Patterns Over Time Across Confirmed Data Breaches
Source:

30 Frequency of Incident Classification Patterns Over Time Across Security Incidents
Source:

31 Top 10 Threat Action Varieties Within Miscellaneous Errors, Excluding Public
Source:

32 Summary Threat Actions Within Everything Else Breaches
Source:

33 Presentation Title

Download ppt "Penetration Testing in Financial Institutions"

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
1 SANS Technology Institute - Candidate for Master of Science Degree 1 Automating Crosswalk between SP 800, 20 Critical Controls, and Australian Government.

1 SANS Technology Institute - Candidate for Master of Science Degree 1 Automating Crosswalk between SP 800, 20 Critical Controls, and Australian Government.
Software Quality Assurance Plan

Software Quality Assurance Plan
I NDULGENC E There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company.

I NDULGENC E There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company.
Penetration Testing Anand Sudula, CISA,CISSP SSA Global Technologies, India Anand Sudula, CISA,CISSP SSA Global Technologies, India.

Penetration Testing Anand Sudula, CISA,CISSP SSA Global Technologies, India Anand Sudula, CISA,CISSP SSA Global Technologies, India.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
Security Controls – What Works

Security Controls – What Works
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
Kevin R Perry August 12, 2014. Part 1: High Level Changes & Clarifications.

Kevin R Perry August 12, Part 1: High Level Changes & Clarifications.
The Information Systems Audit Process

The Information Systems Audit Process
Affiliated Information Security Collaborative An Affiliated Enterprise Approach to Information Security Deans and Vice Presidents Meeting April 17, 2014.

Affiliated Information Security Collaborative An Affiliated Enterprise Approach to Information Security Deans and Vice Presidents Meeting April 17, 2014.
PCI's Changing Environment – “What You Need to Know & Why You Need To Know It.” Stephen Scott – PCI QSA, CISA, CISSP

PCI's Changing Environment – “What You Need to Know & Why You Need To Know It.” Stephen Scott – PCI QSA, CISA, CISSP
Chapter 7 Database Auditing Models

Chapter 7 Database Auditing Models
The Business of Penetration Testing

The Business of Penetration Testing
Penetration Testing Edmund Whitehead Rayce West. Introduction - Definition of Penetration Testing - Who needs Penetration Testing? - Penetration Testing.

Penetration Testing Edmund Whitehead Rayce West. Introduction - Definition of Penetration Testing - Who needs Penetration Testing? - Penetration Testing.
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
BackTrack Penetration Testing Workshop Michael Holcomb, CISSP Upstate ISSA Chapter.

BackTrack Penetration Testing Workshop Michael Holcomb, CISSP Upstate ISSA Chapter.
Terminal Services in Windows Server ® 2008 Infrastructure Planning and Design.

Terminal Services in Windows Server ® 2008 Infrastructure Planning and Design.
NUAGA May 22, 2014.  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.

NUAGA May 22,  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.

Similar presentations

Ads by Google