Comp 8130 Presentation Security Testing Group Members: U4266680 Hui Chen U4242754 Ming Chen U4266538 Xiaobin Wang.


1 Comp 8130 Presentation Security Testing Group Members: U4266680 Hui Chen U4242754 Ming Chen U4266538 Xiaobin Wang

2 System security is critical
A security loophole is bad. It can:
- Affect the performance of the system (availability, reliability).
- Disclose confidential information.
- Cause financial loss.
- Blemish your business reputation.
So we had better detect potential security problems beforehand.

3 Security Testing
- (The) process to determine that an IS (Information System) protects data and maintains functionality as intended.
Common methodologies:
1. Penetration Test
2. Vulnerability Test

4 Penetration Test
A method of evaluating the security of a computer system or network by simulating an attack by a malicious user, known as a hacker.
Vulnerability Test
The systematic examination of systems in order to determine the adequacy of security measures, identify security deficiencies and provide data from which to predict the effectiveness of proposed security measures.

5 Penetration Test I
- It is active.
- It is from the attacker's angle.
- It aims to:
  1. Categorize potential security problems
  2. Determine the feasibility of an attack
  3. Determine the impact of a potential attack

6 Penetration Test II
- Black, white and gray box tests
- Port scanning and service probing
  Port scanning is a technique to discover open ports, which can further be used to discover services that can be broken into.
- Example: the Shock-wave virus, which attacked 80% of computers in the world, gets access to a system using ports 135, 444, 69 and then uses a bug in the Windows RPC service to affect the system.

7 Penetration Test III
- Overt and covert
- Two teams can be involved:
  Blue team: performing a penetration test with the knowledge and consent of the organization's IT staff.
  Red team: performing a penetration test without the knowledge of the organization's IT staff but with full permission from upper management.
- This type of test is useful for assessing not only network security, but also the IT staff's response to perceived security incidents and their knowledge and implementation of the organization's security policy.

8 Vulnerability Test I
- It is more from a defender's angle when compared to a penetration test.
- It can be applied in more general areas (e.g. nuclear power plants).
- It intends to:
  Identify, quantify and prioritize the vulnerabilities in a system.
  Provide decision-makers with information as to where and when interventions should be made.
  Provide early warning of potential dangers.
- It can be used as a reference when we are doing a project security assessment.

9 Vulnerability Test II
Procedure:
- Defining scope: full-scale vs. targeted testing
- In-house or out-house test: use in-house resources vs. hire outside consultants
- Perform the vulnerability test (more on the next page)
- Reporting and delivering the result

10 Vulnerability Test III
More on performing vulnerability testing:
- Gather information
  Network architecture, topology
  Hardware and software
- Use commercial tools to search for vulnerabilities
  ISS Internet Scanner
  Cybercop Scanner
- Extra tests to find missed and new vulnerabilities
  Vulnerabilities missed by the available tools

11 Legitimacy Considerations
- How to handle sensitive data?
- Test or real attack? (i.e. extent)
- How to clean up test artifacts?

12 Security test and Risk management
- Both the penetration test and the vulnerability test drive the risk management process.
- Reporting and documenting procedures are critical.

13 Summary
Similarities:
- Both the penetration test and the vulnerability test intend to identify the potential security problems in the system.
- Both of them are important to the risk management process.
Differences:
- Attacker vs. defender
- Specialization vs. generalization

