12. Some Insights – drivers for security spend <version 1.0> Public Document
By 2008, more than 75% of large and midsize companies will purchase new compliance management, monitoring, and automation solutions. By 2009, compliance will grow to 14.2% of the IT budget, from 12% in 2006. Source: Gartner 2007
23. Leverage the Technology Solution
Vulnerability Assessment (VA)
- Results allow the organization to compare findings against known vulnerabilities and prioritize remediation by implementing controls.
- Provides a health report on the organization's security posture.
- All standards, regulations and frameworks recommend (or require) network assessments as an essential practice.
Penetration Testing (PT)
- Helps determine whether the controls are in fact preventing a vulnerability from endangering the network.
- A well-executed penetration test can identify the most critical holes in an organization's defensive net, including the holes exploited by social engineering.
- Pen tests are best used as a way to get an extra set of eyes on a network after major system upgrades.
24. Leverage the Technology Solution
Continuous Vulnerability Monitoring and Assessment
- Provides a 24 x 7 x 365 watch on network traffic and is available as a Managed Security Service.
- Traffic is monitored and events (incidents) are correlated against an up-to-date copy of the industry Common Vulnerabilities and Exposures (CVE) dictionary. Note that CVE itself supplies identifiers and descriptions only; severity scores such as CVSS come from the NVD or the scanner vendor, so the correlation needs a scored feed rather than the bare CVE list.
- Reports are available online to the client via a web interface, which provides information about the threat(s) and remediation plans.
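Slides 23 and 24 both rest on the same step: joining scanner findings to a known-vulnerability feed and ranking what to fix first. The block below is an added example of that correlation, not code from the deck or from Secure Matrix. The CVE feed, the scanner findings and the weighting rules are all constructed for illustration; the CVE identifiers are placeholders of the form CVE-0000-000N, not real advisories, and a real deployment would load CVSS data from the NVD feed and findings from a Nessus or Nmap export. It also shows two cases a naive join gets wrong: a finding whose CVE is missing from the feed is kept for manual review instead of being silently dropped, and informational findings with no CVE sink to the bottom rather than erroring out.

```python
"""Correlate scanner findings with a CVE feed and rank remediation.

Added example, not code from the original presentation. All data below is
constructed sample input; the CVE identifiers are placeholders, not real CVEs.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed CVE feed. A real one would carry NVD/CVSS data; the "network"
# flag means the issue is reachable over the network (CVSS AV:N), and
# "exploit_public" means a public exploit is known.
CVE_FEED: Dict[str, dict] = {
    "CVE-0000-0001": {"cvss": 10.0, "network": True, "exploit_public": True},
    "CVE-0000-0002": {"cvss": 7.5, "network": True, "exploit_public": False},
    "CVE-0000-0003": {"cvss": 4.3, "network": False, "exploit_public": False},
}

# Constructed scanner findings, one row per host/port/CVE as a Nessus-style
# export would give them. "internet_facing" comes from the asset inventory.
FINDINGS: List[dict] = [
    {"host": "10.0.0.5", "port": 445, "cve": "CVE-0000-0001", "internet_facing": True},
    {"host": "10.0.0.5", "port": 443, "cve": "CVE-0000-0002", "internet_facing": True},
    {"host": "10.0.1.9", "port": 22, "cve": "CVE-0000-0003", "internet_facing": False},
    {"host": "10.0.1.9", "port": 80, "cve": "CVE-0000-0099", "internet_facing": True},  # not in feed
    {"host": "10.0.1.9", "port": 161, "cve": None, "internet_facing": False},  # informational
]

# Weighting rules are an assumption for this example, not a standard.
EXPLOIT_BONUS = 3.0        # public exploit exists
EXPOSURE_BONUS = 2.0       # network-reachable bug on an internet-facing host
UNKNOWN_CVE_SCORE = 5.0    # feed gap: rank mid-table and flag for review


@dataclass
class Ranked:
    host: str
    port: int
    cve: Optional[str]
    score: float
    reason: str


def priority(finding: dict, feed: Dict[str, dict]) -> Ranked:
    """Score one finding by joining it to the feed; never drop a finding."""
    cve = finding["cve"]
    if cve is None:
        return Ranked(finding["host"], finding["port"], None, 0.0,
                      "informational finding, no CVE attached")
    entry = feed.get(cve)
    if entry is None:
        # Feed gap: the scanner knows something the feed does not. Keep it
        # visible rather than treating "no match" as "no risk".
        return Ranked(finding["host"], finding["port"], cve, UNKNOWN_CVE_SCORE,
                      "CVE missing from feed; verify manually")
    score = entry["cvss"]
    reasons = [f"CVSS {entry['cvss']}"]
    if entry["exploit_public"]:
        score += EXPLOIT_BONUS
        reasons.append("public exploit")
    if entry["network"] and finding["internet_facing"]:
        score += EXPOSURE_BONUS
        reasons.append("internet-facing")
    return Ranked(finding["host"], finding["port"], cve, score, ", ".join(reasons))


def rank_findings(findings: List[dict], feed: Dict[str, dict]) -> List[Ranked]:
    """Return all findings ordered from most to least urgent."""
    return sorted((priority(f, feed) for f in findings), key=lambda r: -r.score)


def host_summary(ranked: List[Ranked]) -> Dict[str, float]:
    """Worst score per host, the number a remediation owner is handed."""
    summary: Dict[str, float] = {}
    for r in ranked:
        summary[r.host] = max(summary.get(r.host, 0.0), r.score)
    return summary


if __name__ == "__main__":
    for r in rank_findings(FINDINGS, CVE_FEED):
        print(f"{r.score:5.1f}  {r.host}:{r.port:<5} {r.cve or '-':15} {r.reason}")
    print(host_summary(rank_findings(FINDINGS, CVE_FEED)))
```

The ordering that comes out puts the internet-facing host with a public exploit first, the unmatched CVE in the middle with a "verify manually" reason, and the informational SNMP finding last; the per-host summary is what would feed a remediation tracker.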
25. VA/PT
- Undertaken by qualified professionals
- Methodology includes use of automated tools augmented with manual skills
- Meet regulatory requirements (PCI DSS, HIPAA, GLBA, PIPEDA, etc.)
- Organizations can realize their true security level
- Measure IT security effectiveness
- Identify and remediate potential breach points, reducing security risk and liability
- Benchmark / baseline security posture
Certifications
- Certified Vulnerability Assessor (CVA) (Secure Matrix - DNV)
- CEH (EC-Council)
- CISSP ((ISC)²)
- Certifications in Forensics, Fraud (Secure Matrix)
Commonly used tools for VA/PT (commercial tools marked (c); the rest open source)
- Nessus, GFI LANguard (c), Nmap; Metasploit, Canvas (c), etc.
26. List of Tools (indicative)
Vulnerability Assessment
- Nessus: one of the most popular and widely used vulnerability assessment scanners, with nearly 14,000 plugins.
- GFI LANguard: a commercial vulnerability assessment scanner with neat reporting capabilities.
- Netcat: a network debugging and exploration tool.
- Hping: particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks the standard utilities, i.e. for mapping out firewall rulesets with crafted packets.
- Nikto: a comprehensive web server scanner.
- Sam Spade: Windows network query tool.
- WebInspect: web application scanner.
- Firewalk: an advanced traceroute tool that uses TTL expiry to determine which ports a packet-filtering gateway lets through.
Penetration Testing
- Metasploit Framework: a framework to deploy vulnerability exploits and payloads. Securematrix has created a database of nearly 100 exploits in this framework.
- Canvas: a commercial penetration testing tool.
- Core Impact: a commercial penetration testing tool.
- SAINT: a commercial penetration testing tool.
- Cenzic: a commercial web application testing tool.
- John the Ripper: powerful, flexible, and fast multi-platform password hash cracker.
- THC Hydra: a fast network authentication cracker which supports many different services.
- Dsniff: a suite of powerful network auditing and penetration-testing tools.
- SolarWinds: network discovery/monitoring/attack tools.
The movie “Shooter” gives a classic example. A US Marine sharpshooter is brought back from retirement to help prevent the assassination of the US President. The President is visiting three cities and they want him to identify the venue where the killer may make the attempt. The hero checks out the three cities, the President’s program, the venues and the surroundings and comes up with his recommendation. Turns out that the guys who had called him back wanted to kill the President and the movie is about how they use his intelligence and then frame him. Of course, eventually, he thinks like them and kills them all. 10/06/10