What Can Go Wrong During a Pen- test? Effectively Engaging and Managing a Pen- test

Upload: alan-daniels

Post on 14-Jan-2016


Page 1: What Can Go Wrong During a Pen-test? Effectively Engaging and Managing a Pen-test


Page 2: Managing Risk

Some Facts We Can All Agree on:

— All businesses can expect some “loss” also known as “the cost of doing business”

— Some businesses are not tolerant of loss in certain areas

Wise businesses choose which losses are acceptable!

Page 3: My Life as a Fortune Teller!

Reality:

— This system has a vulnerability

— There are tools available on the Internet to exploit this vulnerability

Conclusion:

— You are not safe

Perception:

— This system may be vulnerable, based on the software version number being displayed

— No known exploits

Conclusion:

— I'm safe
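The two columns above differ in the quality of the evidence, not just in the conclusion. The following is an added example, not part of the slide deck, showing how a scanner that reasons only from an advertised version string should report its confidence. The product name "ExampleSSH", the fix threshold 7.4 and the vendor tags are assumptions made for the example; they do not describe any real product or advisory.

```python
"""Added example: version-banner evidence versus a confirmed test result.

A banner such as "ExampleSSH_7.2p1" supports "possibly vulnerable" at best:
the banner can be edited, the version can misreport, and distribution builds
often backport fixes without bumping the upstream number. Only an actual test
moves a finding to "confirmed".
"""
import re
from dataclasses import dataclass

# Hypothetical product and fix threshold: an assumption for this example, not a
# real product or advisory. Versions below the tuple are assumed affected.
FIXED_IN = {"ExampleSSH": (7, 4)}

# Tags that usually indicate a distribution build, where fixes are commonly
# backported without changing the version shown in the banner (assumed list).
VENDOR_TAGS = ("Debian", "Ubuntu", "FreeBSD")

# product, separator, dotted version, then whatever trails (patch level, vendor tag)
BANNER_RE = re.compile(r"(?P<product>[A-Za-z]+)[_/ ](?P<version>\d+(?:\.\d+)*)(?P<rest>.*)")


@dataclass
class Finding:
    product: str
    version: tuple
    verdict: str      # vulnerable / not vulnerable / possibly (not) vulnerable / unknown
    confidence: str   # confirmed / banner-inferred / none
    note: str


def parse_version(text):
    """'7.2' -> (7, 2); tuples compare element-wise, which is what we want."""
    return tuple(int(part) for part in text.split("."))


def assess(banner, exploit_public=False, verified=None):
    """Rate a banner. `verified` is True/False only when the issue was actually
    exercised against the host; None means the banner is all we have."""
    match = BANNER_RE.search(banner)
    if not match:
        return Finding("?", (), "unknown", "none", "no parseable version in banner")
    product = match["product"]
    version = parse_version(match["version"])
    rest = match["rest"]

    # A real test result outranks anything the banner says, in either direction.
    if verified is not None:
        return Finding(product, version,
                       "vulnerable" if verified else "not vulnerable",
                       "confirmed", "result of an actual test, not of the banner")

    threshold = FIXED_IN.get(product)
    if threshold is None:
        return Finding(product, version, "unknown", "none",
                       "no fix threshold known for this product")

    vendor_build = any(tag in rest for tag in VENDOR_TAGS)
    if version < threshold:
        note = "version below fix threshold"
        if vendor_build:
            note += "; vendor build, fix may be backported without a version bump"
        if exploit_public:
            note += "; public exploit available, treat as unsafe until tested"
        return Finding(product, version, "possibly vulnerable", "banner-inferred", note)

    return Finding(product, version, "possibly not vulnerable", "banner-inferred",
                   "version at or above fix threshold, but banners can be edited or misreport")


if __name__ == "__main__":
    # Constructed banners for the demonstration.
    for banner in ("SSH-2.0-ExampleSSH_7.2p1",
                   "SSH-2.0-ExampleSSH_7.2p1 Debian-3",
                   "SSH-2.0-ExampleSSH_8.0",
                   "SSH-2.0-OtherSSH_1.0"):
        print(assess(banner, exploit_public=True))
```

The point of the `confidence` field is that a report line reading "possibly vulnerable (banner-inferred)" invites the question the slide is asking, while "vulnerable" with no qualifier does not. Note that `verified=False` downgrades a below-threshold version to "not vulnerable" only because someone actually tried the exploit; that is the case the backport tag is warning about.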

Page 4: What is being tested?

Are you trying to prove a negative?

"I tried to compromise your systems and was able to do so."

Your systems are not secure.

"I tried to compromise your systems and was unable to do so."

Your systems are secure? A failed attempt only shows that this team, within this scope and time, did not get in; it does not prove that no way in exists.

Page 5: Risks in Penetration Testing

Your systems could crash

You could lose business data

You could miss a real penetration (attacker activity hidden in the noise of the test)

Someone could follow your incident response procedures (and call law enforcement)

You could remain unaware of real vulnerabilities in your environment (an unsuccessful test is not proof that none exist)

Page 6: Questions to ask a Pen-test team

Do they hire former hackers?

How do they store engagement data?

How do they dispose of engagement data?

Do they perform background checks?

How do they collect exploits?

How do they train their staff?

Do they test exploits in a lab?

Page 7: Steps to Managing a Pen Test

Clearly define objectives

Schedule frequent status updates

Supervise closely

Request raw data

Inform internal security monitoring group*

Review results with team (before end of test)

* Telling the monitoring group leaks information in a zero-knowledge (black-box) test, but it is worth it: otherwise they cannot tell the test from a real attack, and may miss one or escalate the other.
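Once the monitoring group has the tester's source addresses, the agreed window and the approved scope, it can triage alerts instead of guessing. The following is an added example, not material from the slides, showing that triage over a handful of constructed alert lines. The address ranges, the engagement window and the log format are assumptions made for the example.

```python
"""Added example: triaging alerts during a pen-test the monitoring team knows about.

Alerts that match the declared tester sources, the agreed window and the approved
scope are attributed to the engagement. Anything from another source is treated
as a possible real intrusion (the "miss a real penetration" risk), and tester
activity outside the agreement is flagged as a rules-of-engagement problem.
"""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumed rules of engagement (hypothetical values agreed before the test).
TESTER_SOURCES = [ip_network("203.0.113.0/28")]     # addresses the testers declared
IN_SCOPE = [ip_network("198.51.100.0/24")]          # hosts the testers may touch
WINDOW = (datetime(2016, 1, 11, 8, 0, tzinfo=timezone.utc),
          datetime(2016, 1, 15, 18, 0, tzinfo=timezone.utc))

# Constructed alert lines in the format "<ISO-8601 time> <src> -> <dst> <event>".
ALERTS = [
    "2016-01-12T10:15:00+00:00 203.0.113.5 -> 198.51.100.20 portscan",
    "2016-01-12T10:17:30+00:00 203.0.113.5 -> 198.51.100.20 ssh-bruteforce",
    "2016-01-12T10:20:00+00:00 192.0.2.77 -> 198.51.100.20 ssh-bruteforce",   # not the tester
    "2016-01-12T11:00:00+00:00 203.0.113.9 -> 192.0.2.10 exploit-attempt",    # out of scope
    "2016-01-16T02:00:00+00:00 203.0.113.5 -> 198.51.100.20 portscan",        # after the window
]


def parse_alert(line):
    """Split one constructed alert line into its typed fields."""
    timestamp, src, _arrow, dst, event = line.split(" ", 4)
    return datetime.fromisoformat(timestamp), ip_address(src), ip_address(dst), event


def in_any(addr, networks):
    return any(addr in net for net in networks)


def classify(line):
    """Return 'expected', 'investigate' or 'rules-violation' for one alert."""
    timestamp, src, dst, _event = parse_alert(line)
    if not in_any(src, TESTER_SOURCES):
        return "investigate"        # not the tester: handle as a real incident
    if not (WINDOW[0] <= timestamp <= WINDOW[1]):
        return "rules-violation"    # tester active outside the agreed window
    if not in_any(dst, IN_SCOPE):
        return "rules-violation"    # tester touching an out-of-scope host
    return "expected"               # attribute to the engagement; keep the log anyway


def triage(lines):
    """Bucket alert lines by classification."""
    buckets = {"expected": [], "investigate": [], "rules-violation": []}
    for line in lines:
        buckets[classify(line)].append(line)
    return buckets


if __name__ == "__main__":
    for bucket, lines in triage(ALERTS).items():
        print(f"{bucket}: {len(lines)}")
        for line in lines:
            print("   ", line)
```

"Expected" is an attribution, not a dismissal: the events are still logged and reviewed at the end-of-test results meeting, because an attacker who knows a test is running (or who has compromised the tester's infrastructure) would look exactly like the tester. The "rules-violation" bucket is what the frequent status updates and close supervision on this slide are for.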

Page 8: What We Do

• Build, Secure and Manage Your Network Infrastructure

Practice areas (from the slide graphic): Network and Systems Management; Security; Next Generation Networking; Business Consulting; Project Management

Network Infrastructure

Wireless

Convergence

.NET

Storage and Content Networking

Risk Assessment

Defense Planning

Architecture and Infrastructure

IT Operations Services

IT Optimization Services

Business Services Management

Page 9: Unmatched Depth and Breadth of Resources

Collaboration Network

Methodology

Solutions Library

Training & Mentoring

Technical Resource Library

Business Value Justification

Page 10: Security Solutions: Risk Assessment

Penetration Testing: Directly tests network security utilizing the latest tools and techniques to emulate Internet, intranet or extranet-based attacks

Risk Analysis: Identifies and determines the value of various information assets and the likelihood of loss based on the exposure to threats

Security Assessment: Compares measured security against accepted industry practices and established rules, guidelines, or industry regulations

Page 11: Security Solutions: Defense Planning

Policies & Procedures: Develop a complete, custom corporate security policy that aligns with your IT and business goals

Security Operations: Design an operational model for realizing security policy and technology across the organization

Incident Management: Design an effective incident preparedness process and management framework

Awareness Training: Train your employees on sound security practices and policies, and ensure your defined security policy is thoroughly communicated

Page 12: Security Solutions: Security Architecture & Infrastructure

Authentication & Access: Determine access requirements to design and implement a unified authentication and authorization design

Security Architecture: Assess existing infrastructure to identify and mitigate gaps or weaknesses in security architecture

Technical Infrastructure: Integrate security technologies, such as VPNs, PKI, IDS, firewalls, virus protection, content filtering, and AAA solutions