Ethical Hacking & Penetration Testing
Presented By: Emily Chow
July 6, 2011
Agenda
#1 What is Ethical Hacking/Penetration Testing?
#2 Issues Relevant to Organizations
#3 Tools & Techniques of Penetration Testing
#4 Benefits & Limitations of Penetration Testing
#5 Impact on the CA Profession
#6 Current Issues
#7 Recommendations
1. What is Ethical Hacking/Penetration Testing?
• Objective: Improve the security system and close the security gaps before a real hacker penetrates the organization
• Preventative measure
• Exploit a company’s security weaknesses using the same or similar techniques as malicious hackers
• “White Hat Hackers”
• “Red Team”
2. Issues Relevant to Organizations
• Internal Risk: malicious employees & employees’ lack of security awareness
• External Risk: exploitation by external hackers
• Non-Financial Losses: damaged reputation, loss of credibility
• Financial Losses: loss of revenue, litigation
2. Types of Penetration Testing: Automated vs. Manual
PROS - AUTOMATION
• Cost-effective
• Performed in several hours
• As frequent as possible
PROS - MANUAL
• Flexibility of substituting different scenarios
• WARNING: Both are NOT 100% Guaranteed!
2. Types of Penetration Testing: External vs. Internal
EXTERNAL
• Simulate Malicious Hacker
• Use of Internet or Extranet
INTERNAL
• Simulate Employee
• Use of Intranet
2. Penetration Testing Techniques
• Web Application Software
• Denial of Service
• Wireless Network
• Social Engineering
• Google Hacking
3. Google Hacking Example
Google search: intitle:"index of" site:edu "server at"
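The query on this slide works because auto-generated directory index pages carry two predictable signatures: a `<title>` of the form "Index of /path" and a "Server at" footer. The defensive counterpart is to find such pages on your own servers before a search engine does. The following script is an added example, not part of the presentation: it applies those two signatures to HTTP response bodies you already hold (for instance from crawling your own hosts) and lists which files are exposed. The response bodies and the www.example.edu URLs are constructed for illustration.

```python
"""Find auto-generated directory listings in HTTP response bodies.

Added example (not from the presentation). It mirrors the two signatures
behind the slide's Google query, intitle:"index of" and "server at", so an
administrator can spot exposed listings on their own servers. All sample
responses below are constructed, not captured from any real host.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional

# Signature 1: the <title> of an Apache-style index page ("Index of /path").
TITLE_RE = re.compile(r"^\s*index of\s+(/\S*)", re.IGNORECASE)
# Signature 2: the server footer ("Apache/2.2 Server at host Port 80").
FOOTER_RE = re.compile(r"\bserver at\b", re.IGNORECASE)


class _TitleLinks(HTMLParser):
    """Collect the <title> text and every href so the page can be classified."""

    def __init__(self) -> None:
        super().__init__()
        self.title = ""
        self.hrefs: List[str] = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def exposed_listing(html: str) -> Optional[Dict]:
    """Return {"path", "entries"} if the body is an auto-generated listing.

    Both signatures must be present; a normal page whose title merely
    contains "Index of" (e.g. "Index of Courses") is not reported.
    """
    parser = _TitleLinks()
    parser.feed(html)
    match = TITLE_RE.match(parser.title)
    if not match or not FOOTER_RE.search(html):
        return None
    # Drop the column-sort links ("?C=N;O=D") and the parent-directory link,
    # leaving the file and sub-directory names actually exposed.
    entries = [h for h in parser.hrefs
               if not h.startswith("?") and h not in ("/", "..", "../")]
    return {"path": match.group(1), "entries": entries}


def audit(responses: Dict[str, str]) -> List[Dict]:
    """Run the check over a mapping of URL -> response body."""
    findings = []
    for url, body in responses.items():
        hit = exposed_listing(body)
        if hit:
            findings.append({"url": url, **hit})
    return findings


# Constructed sample responses (hypothetical host www.example.edu).
LISTING = """<html><head><title>Index of /backup</title></head>
<body><h1>Index of /backup</h1>
<pre><a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<hr><a href="/">Parent Directory</a>
<a href="db-2011-07.sql.gz">db-2011-07.sql.gz</a>
<a href="notes.txt">notes.txt</a>
<hr></pre>
<address>Apache/2.2 Server at www.example.edu Port 80</address>
</body></html>"""

NORMAL = """<html><head><title>Index of Courses</title></head>
<body><p>Course index of the department. Server at capacity.</p></body></html>"""

HANDMADE = """<html><head><title>Index of /files</title></head>
<body><a href="readme.txt">readme</a></body></html>"""

SAMPLE_RESPONSES = {
    "https://www.example.edu/backup/": LISTING,
    "https://www.example.edu/courses/": NORMAL,
    "https://www.example.edu/files/": HANDMADE,
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES):
        print(finding["url"], "exposes", ", ".join(finding["entries"]))
```

Only the constructed /backup/ response is reported: the "Index of Courses" page fails the title pattern and the hand-made /files/ page lacks the server footer. The fix for a real finding is to turn off automatic indexing (Apache: `Options -Indexes` in the directory configuration; nginx: `autoindex off`, which is the default) and to remove backups and other sensitive files from the document root.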
4. Benefits & Limitations of Penetration Testing
BENEFITS
• Strengthen security procedures and processes
• Improve efficiency and effectiveness of risk management
• Increase degree of transparency
LIMITATIONS
• Not 100% guaranteed
• Changing technology
• Legislation and contractual obligation restrictions
• Limited resources over a limited period of time
5. Impact on CA Profession
• Provide greater assurance in addition to SysTrust, WebTrust and Section 5900
• Conformity with PIPEDA, Gramm-Leach-Bliley Act and SOX
• IS Auditing Standards, CISA, COBIT Framework
• Goes beyond the traditional methods used by auditors
6. Current Hacking Issues in 2011
• Sony’s PlayStation Video Games – loss of personal data from 77M users
• Sony Ericsson’s Canada eShop – loss of data from 2,000 customer accounts
• Google’s Gmail Accounts – U.S. Government Officials
• CitiBank – loss of 200,000 credit card customers’ data
This calls for a greater need for penetration testing!
7. Recommendations
• SIGNIFICANCE: Breach of trust
• LIKELIHOOD: “Target of choice” vs. “Target of opportunity”
• PENETRATION TESTING
Thank You!
Please feel free to contact me via uwace if you have any questions