Presentation is loading. Please wait.

Presentation is loading. Please wait.

Validating Your Information Security Program (ISP 3 of 3)

Published byChristal Gray Modified over 5 years ago

Similar presentations

Presentation on theme: "Validating Your Information Security Program (ISP 3 of 3)"— Presentation transcript:

1 Validating Your Information Security Program (ISP 3 of 3)
Plan - Do - Check - Act

2 You’ve Planned Risk Reduction… You’ve Implemented Controls… Now what?

3 If You Don’t Validate (Check) Your Controls,
How Can You Be Confident That They Are Working to Reduce Risk?

4 So we need to validate BUT HOW?

5 Proven ISP Validation Methods
Less-Technical IT Audit Moderately-Technical Vulnerability Assessment Automated Scanning Highly Technical Penetration Testing Web & Mobile App Assessment

6 Method 1: IT Security Audit
Broad/General Audits Information Security Program (Policies, Procedures & Standards) Regulatory/Compliance (PCI, HIPAA, FFIEC FISMA/FedRAMP/NIST) Best Practice (CIS Top 20, ISO 27000, NIST) Specific/Targeted Audits Firewall & Network Switch/Router Configuration & Policy Authentication, Authorization & Accounting (AAA) Remote Access Passwords Active Directory & Operating Systems (Windows, Linux) Technical, Administrative/Operational, Physical

7 Method 2: Automated Scanning
Vulnerability Assessment Validates patch management and identifies well-known vulnerabilities, EOL software, default configurations, and default passwords Tools: Tenable Nessus, Rapid7 NeXpose, Qualys Configuration Assessment Compares operating system configurations against industry best practices Tools: Tenable Nessus, Redseal, Titania Nipper Application Assessment and Code Review Checks web applications for common and well-known flaws (OWASP Top 10) Tools: HP WebInspect, Burp Suite Pro, IBM AppScan

8 Method 3: Penetration Testing
Network – External Conducted from the Internet and simulates a skilled and determined intruder with intent on compromising your systems and data Network – Internal Starts from a network connection on your internal network Social Engineering Most common and most successful attack path for intruders Focus is not on tricking people, but instead on the flaws and vulnerabilities that an attacker takes post-compromise (phishing), telephone (pre-text calls), or onsite (physical) Web & Mobile Applications (including APIs) Automated tools are great, but only in the hands of an experienced penetration tester The attack surface of most applications is 100x greater than most other network services

9 Modern & Advanced Methods
Adversary Simulation Based on pre-defined or customized playbook Command and control, persistence, discovery and credential access Privilege escalation and lateral movement Collection and exfiltration Defense evasion Typically performed onsite in Cooperation with our client’s Team Methodical, repeating process: Attack > Validate Control > Improve Control > Validate Control > Next Attack Tactics, techniques and procedures based on MITRE ATT&CK for Enterprise Continuous Penetration Testing Most methods of validation are “point in time” and are conducted on 1-2 year cycles Continuous penetration testing shrinks the gap and provides regular validation throughout the entire year

10 Why independence matters

11 Experience Matters It’s more than a 2nd set of eyes, but it is that too! SynerComm’s consultants work with dozens of clients annually and come from diverse backgrounds Proven and repeatable processes One person can’t know it all, but a team of experts helps

12 Thank You for Attending!
Questions? Thank You for Attending!

Download ppt "Validating Your Information Security Program (ISP 3 of 3)"

Similar presentations

PENETRATION TESTING Presenters:Chakrit Sanbuapoh Sr. Information Security MFEC.

PENETRATION TESTING Presenters:Chakrit Sanbuapoh Sr. Information Security MFEC.
Web Vulnerability Assessments

Web Vulnerability Assessments
Current Security Threats WMO CBS ET-CTS Toulouse, France 26-30 May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.

Current Security Threats WMO CBS ET-CTS Toulouse, France May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Security Services Svetlana.

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Security Services Svetlana.
Red Team “You keep using that word, I do not think it means what you think it means” – Inigo Montoya.

Red Team “You keep using that word, I do not think it means what you think it means” – Inigo Montoya.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
OU INFORMATION SECURITY & RISK MANAGEMENT ISA – February 4, 2015.

OU INFORMATION SECURITY & RISK MANAGEMENT ISA – February 4, 2015.
© 2014 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

© 2014 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
© 2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

© 2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer

Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer
Security Scanning OWASP Education Nishi Kumar Computer based training

Security Scanning OWASP Education Nishi Kumar Computer based training
Web Application Testing with AppScan Terry Labach.

Web Application Testing with AppScan Terry Labach.
Cybercrime Outlook on African banks Adwo Heintjes Global Head IT Audit & Ops Rabobank.

Cybercrime Outlook on African banks Adwo Heintjes Global Head IT Audit & Ops Rabobank.
Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.

Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.
Securing Legacy Software SoBeNet User group meeting 25/06/2004.

Securing Legacy Software SoBeNet User group meeting 25/06/2004.
Lean and (Prepared for) Mean: Application Security Program Essentials Philip J. Beyer - Texas Education Agency John B. Dickson.

Lean and (Prepared for) Mean: Application Security Program Essentials Philip J. Beyer - Texas Education Agency John B. Dickson.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 4 Finding Network Vulnerabilities By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 4 Finding Network Vulnerabilities By Whitman, Mattord, & Austin© 2008 Course Technology.
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.

Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.
7-Oct-15 System Auditing. AUDITING Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic.

7-Oct-15 System Auditing. AUDITING Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic.

Similar presentations

Ads by Google