
Breaking Down the Enterprise Security Assessment



Presentation Transcript


  1. Breaking Down the Enterprise Security Assessment Presented by: Michael R. Farnum, CISSP Senior Security Solutions Engineer

  2. Purpose and Audience
     • SME and Enterprise Security Staff
       • Risk in the assessment
       • What am I missing?
       • How far should I (or the assessor) go?
     • Assessor / Consultant
       • Risk in the assessment
       • What am I missing?
       • How far should I go?

  3. The Basic Premise Many enterprise security assessments look at too few attack vectors or do not dig far enough into the attack vectors once a vulnerability has been discovered.

  4. THE BIG MISTAKE
     • Security assessment = finding the vulnerabilities plus a more holistic look at security.
     • Penetration test = a focused attack on a single vulnerability or a few vulnerabilities that are generally already known to exist or are suspected of existing.
     • Pen Test ≠ Assessment

  5. Religious Debate
     • How far do you dig?
     • Will it break my stuff?
     • Will I be responsible if you break my stuff?

  6. What about RISK?
     • Assessment vectors can (and probably should) be based on risk
     • But... DON’T ASSUME YOU KNOW YOUR RISK!
     • The Security “ASS”-umption

  7. LET'S DIG INTO THE ASSESSMENT

  8. External Technical Testing – External Assessment
     • Information Gathering
     • Vulnerability Identification
     • Confirmation and Exploitation (“Pen Test”)
     • Web applications

  9. External Technical Testing – Wireless Testing and War Dialing
     • Wireless Testing: Identification, Penetration
     • War Dialing: Identification, Penetration

  10. Internal Technical Testing – Vulnerability Testing and Configuration Review
     • Vulnerability Testing: Workstations (sampling or images), Servers (maybe sampling), Network Devices
     • Configuration Review (criticals or sampling): Servers, Workstations, Network Devices

  11. Internal Technical Testing – Network Activity Analysis
     • Threat (malicious traffic)
     • Traffic (policy compliance)
     • Applications

  12. Non-Technical Testing
     • Policies and Standards Review
     • Social Engineering: User environment, Physical environment
     • Physical Security: Gap Analysis, Penetration Testing

  13. Non-Technical Testing – Interviews for reviews
     • Architecture review
     • Security coverage review
     • Compliance review

  14. NEVER FORGET ABOUT THE DELIVERABLES

  15. Deliverables – Tangibles
     • Documentation
     • Remediation help
     • Strategy document
     • Attestation
     • Raw data

  16. Deliverables – Intangibles
     • Knowledge transfer
     • Workshops
     • Presentations

  17. Remediation Verification (AKA Follow-Up Testing)
     • Very important, especially for compliance
     • Point-in-time security is NOT security
     • Develop a security program

  18. Summary
     • Get the terms straight
     • Don’t ignore risk, but don’t assume you know all your vectors
     • Deliverables (tangible and intangible) are important
     • Follow up to verify remediation

  19. Work Contact Info
     • Email – mfarnum@accuvant.com
     • Phone – 832.971.4854
     • http://www.accuvant.com

  20. Other places you can find me
     • http://infosecplace.com/blog
     • http://infosecplacepodcast.com
     • Twitter – @m1a1vet