Page 1: Penetration Testing vs. Vulnerability Scanning

Network Security: Vulnerability Scanning & Penetration Testing

Page 2: Penetration Testing vs. Vulnerability Scanning

About Us

• Assisted >1 million merchants
• Largest PCI support staff worldwide
• Certified as ASV, PFI, QSA, PA-QSA
• Member of PCI Security Standards Council task forces and special interest groups
• Performs on-site auditing, forensic investigations, penetration testing, vulnerability scanning, security consulting, PCI compliance
• Offers network security devices, data discovery software

Page 3: Penetration Testing vs. Vulnerability Scanning

Testing Network Security

• 93% of large organisations and 76% of small businesses experienced a security breach in 2011 (Information Security Breaches Survey, 2012)

• Compromise costs
  – Financial penalties
  – Average organisational cost $5.5 million (Ponemon Institute, 2012)
  – Significant loss of reputation/brand trust

• Various ways to test network security
  – Vulnerability scan
  – Penetration test (most thorough)
  – Anti-virus/malware software
  – Appliances (Intrusion Prevention Systems)
  – Spyware

Page 4: Penetration Testing vs. Vulnerability Scanning

Vulnerability Scan (VA scan)

Process
• Should be conducted by a company with accreditation (i.e., PCI SSC Approved Scanning Vendor)
• Automatic network scans on a quarterly basis
• Report of weaknesses, false positives
• Weaknesses patched on a prioritised basis
• Good VA scan searches for over 50,000 vulnerabilities
• Identifies network weaknesses and ranks how critical they are
• Gives a beginning look at what possibly could be exploited


Benefits
• Quick high-level look at possible vulnerabilities
• Very affordable
• Automatic
• Takes a matter of minutes

Limitations
• Sometimes the test falsely classifies an object as a vulnerability (false positive)
• Manually check each vulnerability before testing again

An automated, high-level test
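The slide describes the scan output as a ranked list of weaknesses that is patched on a prioritised basis, with false positives checked manually before the next scan. The script below shows that triage step as an added example; it is not code from the original slides or from the vendor presenting them. The report layout, host addresses, check names, severity scale and the false-positive register are all constructed for illustration.

```python
"""Triage a vulnerability-scan report: rank the reported weaknesses by how
critical they are, set aside findings an analyst has already verified as
false positives so they are re-checked manually before the next scan, and
produce a prioritised patch list per target.

Added example, not code from the original slides. The report layout, host
addresses, check names and severity scale below are constructed."""
from dataclasses import dataclass

# Ordering weight for the scanner's qualitative severity (constructed scale;
# higher is more urgent). An unknown label is treated as a malformed report.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check: str       # name of the scanner check that fired (constructed)
    severity: str    # one of SEVERITY_RANK's keys
    cvss: float      # base score as reported by the scanner

    def key(self):
        """Identity used to match a finding against the false-positive register."""
        return (self.host, self.port, self.check)


def parse_report(raw_findings):
    """Turn the scanner's exported rows into Finding objects, rejecting bad severities."""
    findings = []
    for row in raw_findings:
        if row["severity"] not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {row['severity']!r} for {row['host']}")
        findings.append(Finding(row["host"], int(row["port"]), row["check"],
                                row["severity"], float(row["cvss"])))
    return findings


def triage(findings, false_positive_register):
    """Split findings into a prioritised patch queue and a manual re-check list.

    false_positive_register maps (host, port, check) -> the analyst's written
    reason. A registered finding is never silently dropped: it goes to the
    re-check list so someone confirms the reason still holds before rescanning."""
    patch_queue, recheck = [], []
    for f in findings:
        reason = false_positive_register.get(f.key())
        if reason is None:
            patch_queue.append(f)
        else:
            recheck.append((f, reason))
    # Most critical first; ties broken by CVSS, then by host/port for stable output.
    patch_queue.sort(key=lambda f: (-SEVERITY_RANK[f.severity], -f.cvss, f.host, f.port))
    return patch_queue, recheck


def per_target(patch_queue):
    """Group the (already ordered) patch queue by host for a per-target report."""
    report = {}
    for f in patch_queue:
        report.setdefault(f.host, []).append(f"{f.check} ({f.severity}, {f.port}/tcp)")
    return report


# Constructed sample export; a real scanner report carries many more fields.
SAMPLE_REPORT = [
    {"host": "10.0.0.5",  "port": 443,  "check": "TLS 1.0 enabled",                "severity": "medium",   "cvss": 5.3},
    {"host": "10.0.0.5",  "port": 22,   "check": "SSH weak MAC algorithms",        "severity": "low",      "cvss": 3.7},
    {"host": "10.0.0.9",  "port": 80,   "check": "Outdated web server version",    "severity": "high",     "cvss": 7.5},
    {"host": "10.0.0.9",  "port": 8080, "check": "Default credentials on console", "severity": "critical", "cvss": 9.8},
    {"host": "10.0.0.12", "port": 445,  "check": "SMB signing not required",       "severity": "medium",   "cvss": 5.9},
]

# Constructed register of analyst-verified false positives, each with its reason.
FALSE_POSITIVE_REGISTER = {
    ("10.0.0.9", 80, "Outdated web server version"):
        "Banner shows the upstream version; the distribution package is back-ported and patched.",
}


def run_sample():
    return triage(parse_report(SAMPLE_REPORT), FALSE_POSITIVE_REGISTER)


if __name__ == "__main__":
    queue, recheck = run_sample()
    for host, items in per_target(queue).items():
        print(host)
        for item in items:
            print("  patch:", item)
    for f, reason in recheck:
        print(f"recheck {f.host}:{f.port} {f.check} -> {reason}")
```

The register keeps the analyst's reason next to each suppressed finding, so a false positive is a documented decision that is revisited at the next scan rather than a permanent exclusion; that is what "manually check each vulnerability before testing again" amounts to in practice.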

Page 5: Penetration Testing vs. Vulnerability Scanning

Penetration Test

Process
• Run automatic vulnerability scan
• Follow up on reported vulnerabilities
• Prove the vulnerability can be exploited
• Internal and external testing
  – External: perspective of a hacker over the Internet
  – Internal: perspective of someone within the network
• Report findings and recommendations per target
• Live attempt to exploit vulnerabilities
• Analyst takes on “hacker” role
• Try to fake passwords, manipulate code, fool web servers into giving sensitive information

Benefits
• More accurate, thorough than VA scan
• Manual: live analyst reviews the logic of the application and determines how to leverage access
• Rules out false positives

Limitations
• Time (1 day to 3 weeks)
• Cost

An exhaustive, live examination

Page 6: Penetration Testing vs. Vulnerability Scanning

Comparison

Vulnerability Scan                Penetration Test
--------------------------------  ------------------------------------
Automated                         Manual (main difference)
Minutes                           Days
Scheduled                         Annually (after significant change)
Passive                           Aggressive
Report false positives            Rules out false positives
Programmed                        Intuitive
Identical scans                   Accurate/thorough
N/A                               Exploitation

Both tests work together to encourage optimal network security

Page 7: Penetration Testing vs. Vulnerability Scanning

Conclusion
• Computer intrusion was responsible for 83% of the total reported exposed records in 2011 and 1/3 of total breaches. (Data Breach Intelligence Report, 2012)

“History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It's always better to assume the worst… Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did.”

– Bruce Schneier, cryptographer and security expert

