
Comp 8130 Presentation


Presentation Transcript


  1. Comp 8130 Presentation: Security Testing
     Group Members: U4266680 Hui Chen, U4242754 Ming Chen, U4266538 Xiaobin Wang

  2. System security is critical
     A security loophole is bad; it can:
     • Affect the performance of the system (availability, reliability)
     • Disclose confidential information
     • Cause financial loss
     • Blemish your business reputation
     So we had better detect potential security problems beforehand.

  3. Security Testing
     • The process of determining that an IS (Information System) protects data and maintains functionality as intended.
     • Common methodologies:
       • Penetration Test
       • Vulnerability Test

  4. Penetration Test: a method of evaluating the security of a computer system or network by simulating an attack by a malicious user, known as a hacker.
     Vulnerability Test: the systematic examination of systems in order to determine the adequacy of security measures, identify security deficiencies and provide data from which to predict the effectiveness of proposed security measures.

  5. Penetration Test I
     • It is active
     • It is from the attacker's angle
     • It aims to:
       1. Categorize potential security problems
       2. Determine the feasibility of an attack
       3. Determine the impact of a potential attack

  6. Penetration Test II
     • Black-, white- and gray-box testing
     • Port scanning and service probing: port scanning is a technique for discovering open ports, which can further be used to discover the services behind them that an attacker could break into.
     • Example: the Shock-wave virus, which attacked 80% of computers in the world, gained access to systems through ports 135, 444 and 69 and then used a bug in the Windows RPC service to affect the system.
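Seen from the defender's side, the port scanning described on this slide leaves a recognisable trace: one source address touching many distinct destination ports within a short time. The following added example (not part of the presentation) runs a sliding-window detector over a few constructed, iptables-style firewall log lines; the log format, the addresses and the threshold of five distinct ports per minute are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines in a simplified, iptables-like format.
# These are made-up records (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:00 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=135
2024-05-01T10:00:01 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=139
2024-05-01T10:00:01 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=445
2024-05-01T10:00:02 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP DPT=69
2024-05-01T10:00:03 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=1433
2024-05-01T10:00:04 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=3389
2024-05-01T10:00:04 ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443
2024-05-01T10:00:09 ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443
2024-05-01T10:05:00 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["dpt"] = int(e["dpt"])
    return e


def detect_port_scans(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: sorted list of (proto, port)} for every source that
    touched at least `threshold` distinct destination ports within `window`.

    Sliding window per source: events are sorted by time, and for each event we
    look back at the events within `window` and count distinct (proto, port)
    targets. One host hitting many ports in a short time is the classic
    port-scan signature; a host repeatedly hitting one port is not."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            by_src[e["src"]].append(e)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda ev: ev["ts"])
        start = 0
        for end, current in enumerate(events):
            # Advance the window start so that events[start..end] fit in `window`.
            while current["ts"] - events[start]["ts"] > window:
                start += 1
            targets = {(ev["proto"], ev["dpt"]) for ev in events[start:end + 1]}
            if len(targets) >= threshold:
                alerts.setdefault(src, set()).update(targets)
    return {src: sorted(t) for src, t in alerts.items()}


if __name__ == "__main__":
    for src, targets in detect_port_scans(SAMPLE_LOG).items():
        ports = ", ".join(f"{proto}/{port}" for proto, port in targets)
        print(f"possible port scan from {src}: {ports}")
```

On the sample data only 203.0.113.5 trips the detector (six distinct targets in four seconds); the second source is ordinary traffic to one port plus a single later probe and stays quiet. In practice the threshold and window are tuned against the site's own baseline, and dropped packets to closed ports are the most reliable signal.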

  7. Penetration Test III
     • Overt and covert
     • Two teams can be involved:
       Blue team: performs a penetration test with the knowledge and consent of the organization's IT staff.
       Red team: performs a penetration test without the knowledge of the organization's IT staff but with full permission from upper management.
     • This type of test is useful not only for network security, but also for testing the IT staff's response to perceived security incidents and their knowledge and implementation of the organization's security policy.

  8. Vulnerability Test I
     • It is more from a defender's angle when compared to a penetration test
     • It can be applied in more general areas (e.g. a nuclear power plant)
     • It intends to:
       Identify, quantify and prioritize the vulnerabilities in a system.
       Provide decision-makers with information as to where and when interventions should be made.
       Provide early warning of potential dangers.
     • It can be used as a reference when we are doing a project security assessment

  9. Vulnerability Test II
     Testing procedure:
     1. Define the scope (full-scale vs. targeted)
     2. Decide on an in-house or outside test (use in-house resources vs. hire outside consultants)
     3. Perform the vulnerability test (more on the next page)
     4. Report and deliver the results

  10. Vulnerability Test III
     More on performing the vulnerability test:
     1. Gather information: network architecture and topology; hardware and software
     2. Use commercial tools to search for vulnerabilities: ISS Internet Scanner, CyberCop Scanner
     3. Run extra tests to find missed and new vulnerabilities: vulnerabilities missed by the available tools

  11. Legitimacy Considerations
     • How to handle sensitive data?
     • Test or real attack? (i.e. the extent of the test)
     • How to clean up test artifacts?

  12. Security Testing and Risk Management
     • Both penetration tests and vulnerability tests drive the risk management process
     • Reporting and documentation procedures are critical.
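Slides 8 to 12 describe one pipeline: run more than one scanner, look for what each tool missed, quantify and prioritize the findings, handle sensitive data carefully, and report to decision-makers. The added example below (not part of the presentation, and not output of the products named on slide 10) carries a constructed set of findings from two hypothetical scanners through that pipeline: results are merged by (host, port, vulnerability id), a finding seen by only one tool is flagged for manual verification, a risk score is computed from severity weighted by an assumed asset criticality and Internet exposure, and credential values are redacted from evidence before the report lines are produced. The hosts, ids, scores and weights are all assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    vuln_id: str     # hypothetical scanner-assigned identifier
    severity: float  # CVSS-like base score, 0.0 to 10.0
    evidence: str    # raw text captured by the scanner; may contain secrets


# Constructed results from two hypothetical scanners. They are not output of
# the products named on the slides, and the hosts and ids are made up.
TOOL_A = [
    Finding("db01", 1433, "VULN-0001", 9.1, "banner MSSQL; sa password=Welcome1"),
    Finding("web01", 80, "VULN-0002", 5.3, "directory listing enabled"),
    Finding("fs01", 135, "VULN-0003", 8.8, "RPC endpoint mapper reachable"),
]
TOOL_B = [
    Finding("db01", 1433, "VULN-0001", 9.1, "MSSQL reachable; weak sa credential"),
    Finding("fs01", 135, "VULN-0003", 8.8, "DCOM/RPC service exposed"),
    Finding("fs01", 69, "VULN-0004", 6.5, "TFTP allows anonymous write"),
]

# Assumed asset inventory (weights chosen for illustration): how much the
# business depends on each host, and which hosts face the Internet.
ASSET_CRITICALITY = {"db01": 1.0, "web01": 0.6, "fs01": 0.8}
INTERNET_EXPOSED = {"web01"}

SECRET_RE = re.compile(r"(password|passwd|pwd)\s*[=:]\s*\S+", re.IGNORECASE)


def merge_findings(*tool_results):
    """Combine (tool_name, findings) pairs, keyed by (host, port, vuln_id).

    The same weakness reported by two tools becomes one entry; an entry seen by
    only one tool is the kind of result the slides call a vulnerability missed
    by the available tool and deserves a manual re-check."""
    merged = {}
    for tool_name, findings in tool_results:
        for f in findings:
            key = (f.host, f.port, f.vuln_id)
            entry = merged.setdefault(key, {"finding": f, "tools": set(), "evidence": []})
            entry["tools"].add(tool_name)
            entry["evidence"].append(f.evidence)
    return merged


def risk_score(f):
    """Quantify: severity weighted by asset criticality, raised for exposed hosts."""
    score = f.severity * ASSET_CRITICALITY.get(f.host, 0.5)
    if f.host in INTERNET_EXPOSED:
        score *= 1.5
    return round(min(score, 10.0), 2)


def prioritize(merged):
    """Prioritize: highest risk first; ties broken by host and port for stable output."""
    rows = []
    for (host, port, vuln_id), entry in merged.items():
        rows.append({
            "host": host, "port": port, "vuln_id": vuln_id,
            "risk": risk_score(entry["finding"]),
            "tools": sorted(entry["tools"]),
            "single_tool": len(entry["tools"]) == 1,
        })
    rows.sort(key=lambda r: (-r["risk"], r["host"], r["port"]))
    return rows


def redact(text):
    """Strip credential values from evidence before it goes into a report."""
    return SECRET_RE.sub(lambda m: m.group(1) + "=<REDACTED>", text)


def report_lines(merged):
    """Build the lines that reach decision-makers: prioritized, single-tool
    results flagged, evidence redacted."""
    lines = []
    for r in prioritize(merged):
        flag = " [seen by one tool only: verify manually]" if r["single_tool"] else ""
        entry = merged[(r["host"], r["port"], r["vuln_id"])]
        evidence = "; ".join(redact(e) for e in entry["evidence"])
        lines.append(f"risk {r['risk']:>5}  {r['host']}:{r['port']}  {r['vuln_id']}  "
                     f"({', '.join(r['tools'])}){flag}  evidence: {evidence}")
    return lines


if __name__ == "__main__":
    merged = merge_findings(("ToolA", TOOL_A), ("ToolB", TOOL_B))
    print("\n".join(report_lines(merged)))
```

The ordering that comes out puts the database finding first even though the file server's RPC exposure has a similar severity, because the asset weight is part of the score; the web server's medium finding is raised by its exposure but still lands last. The two single-tool findings are the ones the extra tests on slide 10 exist to confirm, and the redaction step is one concrete answer to the sensitive-data question on slide 11.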

  13. Summary
     Similarities:
     • Both penetration tests and vulnerability tests intend to identify potential security problems in the system.
     • Both of them are important to the risk management process
     Differences:
     • Attacker vs. defender
     • Specialization vs. generalization
