Network Security Vulnerability Scanning & Penetration Testing
Nov 19, 2014
About Us
• Assisted >1 million merchants
• Largest PCI support staff worldwide
• Certified as ASV, PFI, QSA, PA-QSA
• Member of PCI Security Standards Council task forces and special interest groups
• Performs on-site auditing, forensic investigations, penetration testing, vulnerability scanning, security consulting, PCI compliance
• Offers network security devices, data discovery software
Testing Network Security
• 93% of large organisations and 76% of small businesses experienced a security breach in 2011 (Information Security Breaches Survey, 2012)
• Compromise costs
• Financial penalties
• Average organisational cost $5.5 million (Ponemon Institute, 2012)
• Significant loss of reputation/brand trust
• Various ways to test network security
  – Vulnerability scan
  – Penetration test (most thorough)
  – Anti-virus/malware software
  – Appliances (Intrusion Prevention Systems)
  – Spyware
Vulnerability Scan (VA scan)
Process
• Should be conducted by a company with accreditation (e.g., PCI SSC Approved Scanning Vendor)
• Automatic network scans on a quarterly basis
• Report of weaknesses, including false positives
• Weaknesses patched on a prioritised basis
• A good VA scan searches for over 50,000 vulnerabilities
• Identifies network weaknesses and ranks how critical they are
• Gives a first look at what could possibly be exploited
Internal
Benefits
• Quick, high-level look at possible vulnerabilities
• Very affordable
• Automatic
• Takes a matter of minutes
Limitations
• The test sometimes falsely classifies an object as a vulnerability (false positive)
• Each vulnerability must be checked manually before testing again
An automated, high-level test
Penetration Test
Process
• Run automatic vulnerability scan
• Follow up on reported vulnerabilities
• Prove the vulnerability can be exploited
• Internal and external testing
  – External: perspective of a hacker over the Internet
  – Internal: perspective of someone within the network
• Report findings and recommendations per target
• Live attempt to exploit vulnerabilities
• Analyst takes on the “hacker” role
• Try to fake passwords, manipulate code, fool web servers into giving sensitive information
Benefits
• More accurate and thorough than a VA scan
• Manual: a live analyst reviews the logic of the application and determines how to leverage access
• Rules out false positives
Limitations
• Time (1 day to 3 weeks)
• Cost
An exhaustive, live examination
Comparison
Vulnerability Scan            Penetration Test
Automated                     Manual (main difference)
Minutes                       Days
Scheduled                     Annually (after significant change)
Passive                       Aggressive
Reports false positives       Rules out false positives
Programmed                    Intuitive
Identical scans               Accurate/thorough
N/A                           Exploitation
Both tests work together to encourage optimal network security
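The triage workflow the vulnerability-scan and comparison slides describe (rank reported weaknesses by criticality, set aside findings an analyst has manually verified as false positives, produce a prioritised patch list, and check the quarterly-scan and annual-or-after-change penetration-test cadence) can be written down as a small script. This is an added Python example written for this page, not the company's tooling or any scanner's real output format; the report rows, host addresses, plugin names, severities and the 90-day/365-day windows are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample scan report: rows a VA scanner might emit (hypothetical
# plugin names and addresses; not any real scanner's output format).
SAMPLE_REPORT = [
    {"host": "10.0.0.5",  "plugin": "ssl-weak-cipher",    "severity": "medium",   "cvss": 5.3},
    {"host": "10.0.0.5",  "plugin": "outdated-openssh",   "severity": "high",     "cvss": 7.8},
    {"host": "10.0.0.9",  "plugin": "sql-injection",      "severity": "critical", "cvss": 9.8},
    {"host": "10.0.0.9",  "plugin": "ssl-weak-cipher",    "severity": "medium",   "cvss": 5.3},
    {"host": "10.0.0.12", "plugin": "php-version-banner", "severity": "low",      "cvss": 2.0},
]

# Findings an analyst has manually checked and recorded as false positives,
# keyed by (host, plugin) so the same plugin on another host is still reviewed.
VERIFIED_FALSE_POSITIVES = {("10.0.0.12", "php-version-banner")}

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Assumed cadences: a 90-day quarter for the automated scan and 365 days for
# the penetration test (the deck says "quarterly" and "annually").
SCAN_INTERVAL = timedelta(days=90)
PENTEST_INTERVAL = timedelta(days=365)


def prioritise(findings, false_positives):
    """Set verified false positives aside, then order by severity and CVSS, highest first."""
    real = [f for f in findings if (f["host"], f["plugin"]) not in false_positives]
    # sorted() is stable even with reverse=True, so tied findings keep report order
    return sorted(real, key=lambda f: (SEVERITY_RANK[f["severity"]], f["cvss"]), reverse=True)


def patch_queue(findings, false_positives):
    """Collapse prioritised findings into one remediation item per weakness, listing affected hosts."""
    queue = {}
    for f in prioritise(findings, false_positives):
        item = queue.setdefault(
            f["plugin"],
            {"plugin": f["plugin"], "severity": f["severity"], "cvss": f["cvss"], "hosts": []},
        )
        item["hosts"].append(f["host"])
    return list(queue.values())  # dict keeps first-seen order, which is priority order


def scan_overdue(last_scan, today):
    """True when the quarterly automated scan has lapsed."""
    return today - last_scan > SCAN_INTERVAL


def pentest_due(last_pentest, significant_change, today):
    """True when a year has passed since the last test or a significant change occurred."""
    return significant_change or today - last_pentest > PENTEST_INTERVAL


if __name__ == "__main__":
    for item in patch_queue(SAMPLE_REPORT, VERIFIED_FALSE_POSITIVES):
        print(f'{item["severity"]:8} {item["cvss"]:4} {item["plugin"]:20} {", ".join(item["hosts"])}')
    today = date(2014, 11, 19)
    print("scan overdue:", scan_overdue(date(2014, 8, 1), today))
    print("pentest due:", pentest_due(date(2014, 1, 10), False, today))
```

Run as-is it prints three remediation items (the critical SQL injection first, the weak-cipher item once with both affected hosts) and omits the verified false positive; the false-positive set is keyed per host so that dismissing a finding on one machine never hides it on another, which is the manual re-check the Limitations slide calls for.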
Conclusion
• Computer intrusion was responsible for 83% of the total reported exposed records in 2011 and 1/3 of total breaches.
  – Data Breach Intelligence Report, 2012
“History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It's always better to assume the worst… Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did.”
– Bruce Schneier, cryptographer and security expert