ABC Corp.
Retail Store
Information Security Management System
By
Antony Chou and Mamoon Khalid
• Background
• Incident Summary
• Failures
• Solutions
• Strategic (Long term) Solutions
• Tactical (Short term) Solutions
• ISO 27001
• ISMS PDCA Model
• NIST Overview
• Information Security Management System (ISMS) Framework
• ISMS for ABC Corp.
• Bibliography
Background
ABC Corp is a regular Retail Store with an online business
“The financial and reputational damage that can be inflicted on a retailer by a
major security breach can be so severe, and so destructive, as to approach the
financial and reputational damage a commercial airline might suffer from a
serious accident,”
- Mark Yourek, IBM’s Global Retail Solution Lead
Here are some other statistics that highlight the role of a strong security
strategy in retail stores, especially those that also run e-commerce platforms.
• Almost one-tenth of retailers haven’t reported any cyber risks in
financial documents filed with the SEC since 2011.
• Only 9 percent consider outsourced vendors a potential threat source.
• Less than 10 percent have purchased insurance to cover any cyber
exposures, accidental or otherwise.
• Almost half (49%) of retail companies cited the use of technical
safeguards as a chief remedy for cyber risk
- Source: Dark Reading, Report: Some Retail Firms Still Don't
Recognize Cyber Security Risks
In other words, retailers do not seem especially concerned about their cyber
security strategies, even after attacks like the Target breach came to light.
That is the reason we decided to study a hypothetical attack scenario for a
retail corporation with an online business. The following figure illustrates
some more statistics about cyber-attacks on retail businesses over the years.
Incident Summary
An ABC Corp. employee picked up a USB drive she found in the parking lot and
brought it to her workstation. She plugged it into her computer to check whether
the owner’s information could be found. Not finding anything, she handed the USB
stick to a helpdesk employee, whose account has elevated access. When the
helpdesk employee plugged the USB drive into his computer, the virus (named
“Virus” in this scenario) was copied to the servers and to every workstation his
elevated access allowed him to reach. The malicious code then checked Active
Directory for an old contractor account and found that the account was still
active. As is usually the case, the virus did not activate right away; it stayed
stealthy and was slowly and gradually copied to all the POS systems. This slow,
incremental spread is engineered so as not to arouse suspicion in the usual
“signature-based” security solutions employed by most corporations.
The malware script used the compromised machine as a pivot to launch an exploit
against the database server, compromising the SQL server with a SQL injection
attack tool. From then on, whenever in-store customers swiped their credit or
debit cards on the store POS systems, the virus recorded the card data and wrote
it to a file.
Magnitude of Incident:
• Over three busy holiday shopping months, the attacker was able to gather
20 million customers’ credit card records.
• This database was sent to overseas servers and later showed up on the
underground black market.
Attacker’s Pre-knowledge:
• The hacker found the vendor name in a garbage bin
• Discovered that log files only go back 30 days
Current Controls
ABC Corp. is a major retail store selling consumer products both online and in
the store. As usual, customers use cash, credit and debit cards on the POS
terminals in store. The current controls in place to support ABC Corp.’s
information security policy are:
– Antivirus installed on every machine
– Incident-triggered review policy
– “Signature-based” security solutions, which try to identify known
malicious code patterns and block them
– Internet De-militarized Zone (DMZ) for the online store
– Dedicated subnets for external facing web servers
– Firewalls and router Access Control Lists (ACLs) for access control
– Regular third party penetration tests
– The database keeps online customers’ contact and payment information
– The database encrypts credit and debit card numbers, but not user names
and contact information
Failures
To understand the root causes of the attack, we essentially have to look at the:
Policy failures:
1) Failure to properly block USB/media ports upon the discovery of the breach
2) Lack of awareness on the employees’ part
3) Failure to install patches for SQL vulnerabilities on time
4) No expiration dates for user accounts – vastly expands the attack
exposure surface
5) User account with admin access
Design failures:
1) PCI systems shared the same network subnet as the main network - PCI POS
systems were not segmented
2) External facing servers directly on public IP addresses
3) Elevated user accounts were not separated from regular accounts
4) Scheduled patch installs and updates on the database server were failing,
with no further investigation as to why that was happening
5) Log files only keep the past 30 days of data
6) USB/media ports were not disabled on all workstations
7) Outside vendor account still active after the contract was over
8) Database structure flaws:
a. Tables weren’t normalized, which allowed account information, credit
card transactions and order information to be compromised easily
9) Web server code flaws:
a. Didn’t use parameterized queries, which keep user-supplied data separate
from the SQL passed to the database
b. No client- or server-side user input validation or error handling present
c. Allowed unlimited login attempts
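The three web server code flaws listed under 9) can be shown side by side in code. The following Python example is added here and is not code from the original report: it uses an in-memory SQLite table with constructed rows to contrast a query built by string concatenation (the flaw) with a parameterized query (the fix), adds the server-side input validation the site lacked, and wraps login in a simple attempt limiter. Table names, sample users and the attempt threshold are assumptions for the example.

```python
import sqlite3
from collections import defaultdict


def make_db():
    """Constructed in-memory stand-in for the online store's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("CREATE TABLE cards (username TEXT, last4 TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "h1"), ("bob", "h2")])      # constructed rows
    conn.executemany("INSERT INTO cards VALUES (?, ?)",
                     [("alice", "4242"), ("bob", "1111")])
    return conn


# Flaw 9a, kept deliberately vulnerable for the comparison: the SQL text is
# assembled from the raw input, so the input can change the query's meaning.
def find_cards_vulnerable(conn, username):
    query = ("SELECT username, last4 FROM cards WHERE username = '"
             + username + "'")
    return conn.execute(query).fetchall()


# The fix: a parameterized query. The driver sends the value separately from
# the SQL text, so the same input is matched literally and returns no rows.
def find_cards_parameterised(conn, username):
    return conn.execute(
        "SELECT username, last4 FROM cards WHERE username = ?", (username,)
    ).fetchall()


# Flaw 9b: server-side validation rejects anything that is not a plain
# account name before it reaches the database layer at all.
def valid_username(username):
    return 1 <= len(username) <= 32 and username.replace("_", "").isalnum()


# Flaw 9c: after MAX_ATTEMPTS consecutive failures the account is refused
# regardless of the credential supplied (assumed threshold for the example).
MAX_ATTEMPTS = 5


class LoginGate:
    def __init__(self, conn):
        self.conn = conn
        self.failures = defaultdict(int)   # username -> consecutive failures

    def login(self, username, password_hash):
        if not valid_username(username):
            return "rejected-invalid-input"
        if self.failures[username] >= MAX_ATTEMPTS:
            return "locked"
        row = self.conn.execute(
            "SELECT 1 FROM users WHERE username = ? AND password_hash = ?",
            (username, password_hash)).fetchone()
        if row is None:
            self.failures[username] += 1
            return "denied"
        self.failures[username] = 0
        return "ok"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"      # textbook input that breaks the concatenated query
    print("vulnerable:", find_cards_vulnerable(db, probe))   # every row
    print("parameterised:", find_cards_parameterised(db, probe))  # []
    gate = LoginGate(db)
    for _ in range(MAX_ATTEMPTS):
        gate.login("bob", "wrong")
    print("after limit:", gate.login("bob", "h2"))   # locked
```

The limiter keeps its counters in memory for brevity; a real deployment stores them server-side (database or cache) so that the count survives restarts and applies across web nodes, and pairs the lockout with alerting so repeated lockouts are visible to the security team.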
Solutions
Such breach incidents can be fatal to a business, even more so to an online
business. The solutions for recovering from such an incident can be broken into
tactical (short term) and strategic (long term) measures.
Strategic (Long Term)
There needs to be a paradigm shift in the way retail businesses look at the
necessity of comprehensive cybersecurity and the implications of not having it.
On the technology side, the focus needs to shift from the old “signature”-based
solutions, which will soon be driven obsolete by necessity, to
“behavioural/analytics”-based solutions that employ big data technologies to
detect the minor system anomalies that could be malware attacks.
• Continuous monitoring system – by both third-party vendors and the
Information Technology/Information Security teams.
• Raise employee awareness through training – there should be periodic
information security awareness seminars and awareness campaigns.
Information security should be inculcated in the Professional Development
program (if any such initiative is already in place). CISOs need to stress
the severity of a compromise to the employees, and educate them to adopt a
constant state of caution. The paradigm needs to be shifted from “if” to
“when”.
• Deploy a Patch Management System – so that software patches and security
updates are installed immediately. In most breach incidents, a prompt system
update can result in a significant reduction of the attack exposure surface.
• User access control – security on every click (multiple authentications)
and need-to-know basis policy
• Establish a comprehensive Incident Response procedure
• PCI DSS compliance – elevated access workstations must be segregated from
the rest of the network. ABC Corp.’s network architecture design was a
violation of the Payment Card Industry Data Security Standard (PCI DSS).
• Third party security management – enforce expiration dates for all vendor
accounts.
• Periodical penetration test
• Investment in Analytics team
• Administration assets and databases should be made only available on
ABC Corp’s internal network and completely removed from our public
facing servers. Additionally, it must have a secondary authentication that
authenticates users with ABC Corps internal Windows network
• Don't store sensitive data. "There is no reason to store thousands of
records on your customers, especially credit card numbers, expiration dates
and CVV2 [card verification value] codes. The risk of a breach outweighs the
convenience for your customers at checkout."
• Layer the security. "Add extra layers of security to the website and
applications such as contact forms, login boxes and search queries." These
measures will ensure that the ecommerce environment is protected from
application-level attacks like SQL (Structured Query Language) injection and
cross-site scripting (XSS).
• Monitor the site regularly, and make sure whoever is hosting it does too.
Tools like Woopra or Clicky allow you to observe how visitors are navigating
and interacting with the website in real time, allowing you to detect
fraudulent or suspicious behavior. They are capable of sending out alerts to
all personnel on the alert roster when there is suspicious activity, allowing
them to act quickly and prevent suspicious behavior from causing harm.
• Also, make sure whoever is hosting the ecommerce site regularly monitors
the servers for malware, viruses and other harmful software. Check whether the
current or potential Web host has a plan that includes at least daily
scanning, detection and removal of malware and viruses on the website.
• Perform regular PCI scans. Perform quarterly PCI scans through services
like Trustwave to lessen the risk of the ecommerce platform being vulnerable
to hacking attempts. If the company is using third-party downloaded software
(like Magento or PrestaShop), they must stay on top of new versions with
security enhancements.
• Patch the systems immediately, literally the day a new version is released.
That includes the Web server itself, as well as other third-party code like
Java, Python, Perl, WordPress and Joomla, which are favorite targets for
attackers.
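The "don't store sensitive data" recommendation above, and the earlier finding that the database kept card numbers at all, can be put into practice at the checkout code path. The following Python example is added here and is not code from the original report: it keeps only a keyed one-way token (HMAC-SHA256) plus the last four digits of each card, never persists the expiry date or CVV, and masks any card-length digit run before it reaches a log or file. The key, the record layout and the card numbers are constructed for the example; in production the key lives in a key vault or HSM, not in the application.

```python
import hashlib
import hmac
import re
import secrets

# Constructed key for this example only; a real deployment fetches it from a
# key vault / HSM and never stores it beside the tokens it protects.
TOKEN_KEY = secrets.token_bytes(32)


def luhn_ok(pan):
    """Luhn check: rejects mistyped numbers before anything is tokenised."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenize(pan, key=TOKEN_KEY):
    """Keyed one-way token: the same card gives the same token (so repeat
    customers and chargebacks can be matched) but the PAN cannot be recovered
    from it without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def checkout_record(pan, expiry, cvv, amount_cents, key=TOKEN_KEY):
    """Build the record the store database keeps for a sale. expiry and cvv are
    accepted because the payment call needs them, but they are never written
    to the returned record (and so never to the database)."""
    digits = re.sub(r"\D", "", pan)        # strip spaces/dashes from the swipe
    if not luhn_ok(digits):
        raise ValueError("card number failed Luhn check")
    # (constructed) the full digits/expiry/cvv are handed to the payment
    # processor at this point; only the fields below are persisted.
    return {
        "card_token": tokenize(digits, key),
        "last4": digits[-4:],
        "amount_cents": amount_cents,
    }


PAN_RE = re.compile(r"\b\d{13,19}\b")


def redact_pans(text):
    """Mask any PAN-length digit run in log or file output, keeping the last 4,
    so a debug line or export cannot become the kind of card dump described
    in the incident summary."""
    return PAN_RE.sub(lambda m: "*" * (len(m.group()) - 4) + m.group()[-4:],
                      text)


if __name__ == "__main__":
    rec = checkout_record("4111 1111 1111 1111", "12/19", "123", 4999)
    print(rec)                                    # no PAN, expiry or CVV
    print(redact_pans("swipe 4111111111111111 ok"))   # swipe ************1111 ok
```

Because the token is keyed, an attacker who copies the table gets nothing usable without also obtaining the key, which is why the key must not sit in the same database or on the same host as the tokens; the same property is what lets the store keep a customer-matching identifier while honouring the advice not to store card numbers.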
Tactical (Near term)
We recommend that the CISO of ABC Corp. follow these best practices for an
online retail business in dealing with cyber security threats:
• Use the latest endpoint security solutions, which base their data
collection on kernel-level integration:
– Cybereason
– Aorato
• Update employee training to raise user awareness.
• Dedicated subnet for PCI systems – the shared subnet is a huge design flaw
and needs to be re-engineered by the Information Technology/Information
Security teams.
• Third party penetration test to find vulnerabilities – for immediate
diagnosis of system vulnerabilities.
• Separate elevated access accounts from regular accounts.
• Introduce a “Break Glass” policy – which allows exceptional elevated access
for authorized people if admin access is needed during an attack.
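Several of the tactical items (separate elevated accounts from regular ones) and the earlier findings (no expiration dates, a vendor account still active after the contract ended) reduce to a periodic directory review. The following Python example is added here and is not code from the original report: it runs three checks over a constructed account export, standing in for an Active Directory query, and lists what the review would flag and what it would disable. The review date, the 90-day staleness window, the group names and the "adm-" naming convention for dedicated admin accounts are assumptions for the example.

```python
from datetime import date

# Constructed review parameters (assumptions for the example).
AS_OF = date(2016, 3, 1)                  # date the review is run
STALE_DAYS = 90                           # no logon for this long => stale
PRIVILEGED_GROUPS = {"Domain Admins", "Helpdesk Admins"}
ADMIN_PREFIX = "adm-"                     # convention for separate admin accounts

# Constructed directory export; stands in for an Active Directory query result.
ACCOUNTS = [
    {"sam": "jdoe", "kind": "employee", "enabled": True,
     "contract_end": None, "last_logon": date(2016, 2, 28),
     "groups": {"Domain Users"}},
    {"sam": "helpdesk01", "kind": "employee", "enabled": True,
     "contract_end": None, "last_logon": date(2016, 2, 29),
     "groups": {"Domain Users", "Helpdesk Admins"}},
    {"sam": "adm-jlee", "kind": "employee", "enabled": True,
     "contract_end": None, "last_logon": date(2016, 2, 27),
     "groups": {"Domain Admins"}},
    {"sam": "hvac-vendor", "kind": "vendor", "enabled": True,
     "contract_end": date(2015, 6, 30), "last_logon": date(2015, 7, 2),
     "groups": {"Domain Users"}},
    {"sam": "msmith", "kind": "employee", "enabled": False,
     "contract_end": None, "last_logon": date(2015, 1, 5),
     "groups": {"Domain Users"}},
]


def review_accounts(accounts, as_of=AS_OF):
    """Return a sorted list of (account, finding) pairs for enabled accounts."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue                      # disabled accounts are not an exposure
        sam = acct["sam"]
        # Design failure 7: a vendor account that outlived its contract.
        if (acct["kind"] == "vendor" and acct["contract_end"] is not None
                and acct["contract_end"] < as_of):
            findings.append((sam, "vendor-contract-expired"))
        # Policy failure 4: no expiry, so unused accounts stay live; a staleness
        # window catches them.
        last = acct["last_logon"]
        if last is None or (as_of - last).days > STALE_DAYS:
            findings.append((sam, "stale-no-recent-logon"))
        # Design failure 3 / policy failure 5: privileged group membership on an
        # account that is not a dedicated admin account.
        if acct["groups"] & PRIVILEGED_GROUPS and not sam.startswith(ADMIN_PREFIX):
            findings.append((sam, "privileged-not-separated"))
    return sorted(findings)


def accounts_to_disable(accounts, as_of=AS_OF):
    """Accounts the review would disable outright: expired vendors and stale ones.
    Privilege separation needs a new admin account first, so it is reported
    rather than auto-remediated."""
    return sorted({sam for sam, finding in review_accounts(accounts, as_of)
                   if finding in ("vendor-contract-expired",
                                  "stale-no-recent-logon")})


if __name__ == "__main__":
    for sam, finding in review_accounts(ACCOUNTS):
        print(f"{sam:12} {finding}")
    print("disable:", accounts_to_disable(ACCOUNTS))
```

Run against a real export this would be scheduled (for instance monthly) and its output fed to the incident-triggered review the company already has; the expiry-date control from the strategic list removes the vendor case entirely, leaving the review to catch the stale and unseparated accounts.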
The CISO of ABC Corp. should adopt an information security strategy whose
doctrine centres on the following points (each a common failing, followed by
its remedy):
• Fixation on penetration prevention. Solution: focus on the adversarial
activity that is already going on within your network, by the use of big-data
analytics and machine learning technologies.
• Accepting simple explanations. Solution: Always dig deeper. Security
events are not caused by error or accident. Every piece of evidence
should be over-analysed and malicious intent must always be
considered. Because your security teams cannot know all adversarial
activities, in a sense they are at a disadvantage; therefore, it is crucial for
the teams to over-investigate what they can see in order to reveal other
unknown and undetected connecting elements. Security teams must
always assume they only see half the picture, working diligently to
uncover the rest of the pieces of the puzzle.
Example of documents to use: system configuration logs, time logs,
intrusion detection logs, employee system usage logs, process
actions, file access information, network events and configuration
changes on the endpoints
• Striving for fast remediation. Solution: Leverage the known. Instead of
remediating isolated incidents as fast as possible, the security team
should closely monitor the known to understand how it connects to
other elements within the environment and strive to reveal the
unknown. For example, an unknown malicious process can be revealed if
it is connecting to the same IP address as a detected known malicious
process. Moreover, when you reveal to the hackers which of their tools
are easy to detect, hackers can purposely deploy, in excess, the known
tools to distract and waste the defender’s time.
• Focusing on malware. Solution: Focus on the entire attack. Although
detecting malware is important, solutions that mainly focus on detecting
isolated activity on individual endpoints are unable to properly combat
complex hacking operations. Instead, employ a more holistic defense.
Leverage automation - analytics and threat intelligence in particular - in
order to gain context on the entire malicious operation, as opposed to
just the code. Keep in mind that your adversary is a person and malware
is one of their most powerful tools, but one of many in their tool kits.
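The "leverage the known" point above describes a concrete correlation: an unknown process is revealed when it talks to the same address as a process already known to be malicious. The following Python example is added here and is not code from the original report: it parses a constructed connection-log excerpt (a hypothetical format, not ABC Corp. data), starts from one process name the signature engine already flagged, and expands the known set by shared destinations until nothing new appears, so a second hop is revealed as well. The log format, process names and addresses (RFC 5737 documentation ranges) are all constructed.

```python
import re

# Constructed connection-log excerpt: one outbound connection per line.
SAMPLE_LOG = """\
2016-01-12T10:03:21 host=POS-017 proc=virus.exe dst=203.0.113.45:443
2016-01-12T10:03:40 host=POS-017 proc=chrome.exe dst=198.51.100.7:443
2016-01-12T10:05:02 host=WS-HELPDESK proc=sysmon-helper.exe dst=203.0.113.45:443
2016-01-12T10:05:30 host=WS-HELPDESK proc=sysmon-helper.exe dst=203.0.113.99:8443
2016-01-12T10:09:11 host=DB-01 proc=wininit-svc.exe dst=203.0.113.99:8443
2016-01-12T10:10:00 host=DB-01 proc=sqlservr.exe dst=192.0.2.10:1433
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>[\d.]+):(?P<port>\d+)$")

# Constructed starting point: the one process the signature engine detected.
KNOWN_BAD = {"virus.exe"}


def parse_log(text):
    """Parse the constructed format; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def leverage_the_known(events, known_bad):
    """Expand the known-bad process set through shared destinations.

    Round 1 collects every destination the known-bad processes contacted;
    any other process contacting those destinations joins the set. The loop
    repeats with the enlarged set until a round adds nothing, so processes
    two or more hops away from the first detection are revealed too.
    Returns (newly revealed processes, suspect destinations, affected hosts).
    """
    seed = {p.lower() for p in known_bad}
    bad_procs = set(seed)
    bad_dsts = set()
    while True:
        bad_dsts = {e["dst"] for e in events if e["proc"].lower() in bad_procs}
        new_procs = ({e["proc"].lower() for e in events if e["dst"] in bad_dsts}
                     - bad_procs)
        if not new_procs:
            break
        bad_procs |= new_procs
    hosts = {e["host"] for e in events if e["proc"].lower() in bad_procs}
    return bad_procs - seed, bad_dsts, hosts


if __name__ == "__main__":
    revealed, dsts, hosts = leverage_the_known(parse_log(SAMPLE_LOG), KNOWN_BAD)
    print("revealed processes:", sorted(revealed))
    print("suspect destinations:", sorted(dsts))
    print("hosts to contain:", sorted(hosts))
```

The output is a triage list, not a verdict: if a malicious process contacts a shared address (a CDN, a cloud provider's front end), benign processes using the same address will be pulled in, so each revealed process is checked by an analyst, and destinations known to be shared infrastructure are excluded before the expansion runs. The same loop can be seeded with the "known" from any source, such as a hash, a signed binary name or a domain, rather than a process name.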
ISO27001 Overview
In helping ABC Corp. draft their updated information security strategy, we
propose the use of ISO 27001. Why? Because it:
• Is the most widely recognized security standard in the world
• Is more flexible and comprehensive in its coverage of security controls
• Provides a process-centric Information Security Management System (ISMS)
framework
• Addresses information security issues across industries
Information Security Management System (ISMS) Framework can be
illustrated by the figure below as essentially a 4 step framework.
ISMS PDCA Model
(Figure: the Plan-Do-Check-Act cycle)
PLAN – Define security policies and procedures
DO – Implement and manage security controls/processes
CHECK – Review/audit security management and controls
ACT – Implement identified improvements, corrective/preventive actions
Implementation Approach
• Phase I - Baseline Information Security Assessment
– Identify the scope and coverage of Information Security
– Assess the current environment
– Prepare baseline information security assessment report
• Phase II - Design of Information Security Policy & Procedures
– Establish Security Policy, Organization & Governance
– Asset profiling
– Risk assessment
– Risk treatment (identification of ISO 27001 controls & additional
controls)
– Formulate Information Security Policy & Procedures
– Prepare Statement of Accountability
• Phase III - Implementation of Information Security Policy
– Implementation of controls
– Security awareness training
• Phase IV - Pre-Certification Audit
– Review by internal team
NIST Overview
The NIST Cybersecurity Framework is centred on five functions:
- Identify
Develop the organizational understanding to manage cybersecurity risk
to systems, assets, data, and capabilities. The activities in the Identify
Function are foundational for effective use of the Framework.
Understanding the business context, the resources that support critical
functions, and the related cybersecurity risks enables an organization to
focus and prioritize its efforts, consistent with its risk management
strategy and business needs.
Examples of outcome Categories within this Function include: Asset
Management; Business Environment; Governance; Risk Assessment; and
Risk Management Strategy.
- Protect – Develop and implement the appropriate safeguards to ensure
delivery of critical infrastructure services.
The Protect Function supports the ability to limit or contain the impact
of a potential cybersecurity event. Examples of outcome Categories
within this Function include: Access Control; Awareness and Training;
Data Security; Information Protection Processes and Procedures;
Maintenance; and Protective Technology.
- Detect
Develop and implement the appropriate activities to identify the
occurrence of a cybersecurity event. The Detect Function enables timely
discovery of cybersecurity events. Examples of outcome Categories
within this Function include: Anomalies and Events; Security Continuous
Monitoring; and Detection Processes.
- Respond – Develop and implement the appropriate activities to take
action regarding a detected cybersecurity event. The Respond Function
supports the ability to contain the impact of a potential cybersecurity
event. Examples of outcome Categories within this Function include:
Response Planning; Communications; Analysis; Mitigation; and
Improvements.
- Recover – Develop and implement the appropriate activities to maintain
plans for resilience and to restore any capabilities or services that were
impaired due to a cybersecurity event. The Recover Function supports
timely recovery to normal operations to reduce the impact from a
cybersecurity event. Examples of outcome Categories within this
Function include: Recovery Planning; Improvements; and
Communications.
In the following section, we will explain how the ISMS Framework, derived
from ISO 27001 can be used by ABC Corp. as they define their Information
Security Strategy.
Information Security Management System
(ISMS) Framework
1. Security Policy
2. Organization of Information Security
3. Assets Management
4. Human Resource Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information system acquisition, development and maintenance
9. Information Security Incident Management
10. Business Continuity Planning
11. Compliance
ISMS framework for ABC Corp.
• Revisit company policies periodically -- Security Policy
• Assemble an Information Security (IS) group with appointed IS officers
who are responsible for the management and execution of the daily tasks
required for the security systems and policies to be enforced --
Organization of Information Security
• Know where everything is, dispose of assets properly, maintain an inventory
of physical and electronic assets -- Asset Management
• Awareness and training campaigns aimed at educating employees about the
security policy and its importance to the company. In the case of ABC Corp.
the employee should not have plugged the USB drive into her workstation to
discover its ownership, and neither should the helpdesk employee have. In
addition to employee awareness, the CISO must also implement vendor
management steps covering the third party vendors whose services might be
used by ABC Corp. (for example, internet web hosting companies, outsourced
data center and help desk services, outsourced security solutions from third
party vendors) -- Human Resource Security
• Security cameras must be installed and the corporate facility must be
secured. The attacker had access to the ABC Corp. employee parking lot and
was able to use the garbage disposal to discover the vendor name. Corporate
perimeters must be secured and budget must be allocated for the hiring of
security personnel -- Physical and Environmental Security
• Monitoring the network; segment the PCI network from other subnets --
Operations Management
• Elevated access, separation of duties, need-to-know vs role-based --
Access Control
• Process data correctly -- Information system acquisition, development and
maintenance
• Incident Response Plan -- Information Security Incident Management
• Business Continuity Planning (BCP), public relations -- Business
Continuity Planning
• Federal, State, International - PCI DSS -- Compliance
1) Security Policy
Ensure information security functions are performed by groups.
Ensure adequate information security management and coverage.
Created to communicate to the organization how to use products
(infrastructure/ hardware, applications/software) to make certain there is
adequate information security.
• An organization’s high level instructions
• Computer security rules
• Management’s directives or decisions on the use of resources (e.g. email
privacy policy)
• Not to be confused with the enforcement mechanisms
• Benefits
– Provides a basis and guide for an organization’s security program.
– Establishes commitment to the security program.
– Benchmarks that can be used to track progress.
– Ensures consistency within the security program.
– Provides a due diligence paper trail.
• Basic Rules
– Don’t conflict with the law.
– Can stand up in court, if challenged.
– Supported and administered.
– Contribute to the success of the organization.
– Shared and supported by management.
– Formulated with input from end users of information systems.
• Policy: a high level formal statement sanctioned by senior management
about the organization’s information security philosophy, used to drive the
standards.
• Standards: more detailed statements as to what employees must do to comply
with policy.
• Practices, procedures and guidelines: specify how employees are to comply
with policy.
• Policy and Law
– Policies must be secondary to law.
– Policies should specifically state that the law overrides policy if they
differ.
– Regulators can force organizations to follow policies.
– Lawyers should review policies prior to dissemination.
o ISO 27001 policy framework
The following picture depicts how Policies drive Standards which
drive Practices, Procedures and Guidelines.
2) Organization of Information Security
• Security Councils
– Ensure information security functions are performed by groups
– Ensure adequate information security management and coverage
– Coordinate and integrate the information security program across major
areas
– Share best practice methods, perform benchmarking and actively work
together on industry standards
3) Assets Management
Prioritize assets based on quantifiable metrics that General Management,
Information Security and Information Technology must work out together.
Securely dispose of assets that are outdated or provide frivolous access
points to a potential attacker. In addition, when data files and physical
transaction receipts/files are disposed of, they must be disposed of properly,
making sure that nobody is able to access the information disposed of.
Employees must be trained about the importance of securing their
company-issued assets like laptops, cell phones and tablets. The company must
maintain an inventory of its electronic assets so as to keep track of them and
so that all assets can be backed up when an employee leaves the organisation.
4) Human resource Security
• Focus on the security controls needed to minimize the information security
and operational risks.
• Conduct background checks of employees and of companies used for
outsourced solutions.
• Utilize non-disclosure agreements as needed – to cover the liability issue
as well as to make sure that no sensitive information is leaked from the
inside.
• Create and publish “Need-to-know” and “Need-to-have” policies on
information sharing.
• Ensure “separation of duties” where appropriate – so that the
organizational machinery is not too dependent on any single person or
department.
• Actively administer user facility and systems access.
• Utilize “role-based” access control systems.
• Conduct user access reviews.
5) Physical Security
The figure above illustrates a labelling mechanism for categorizing the
access levels in the physical locations of the company office/headquarter
premises.
• Physical Security refers to the practices focused on strategies to protect
people, physical assets and the workplace from various threats.
– Protect people, physical assets, and the workplace from various threats,
including fire, unauthorized access, and natural disasters.
– Physical security is at the foundation and core of “defense-in-depth”.
• Focuses on:
– Security needs for equipment and services
– Human resources required for physical security
– Financial resources for physical security
• Location of facility:
– Geological risks (seismic zones, flooding, landslides)
– Crime, political unrest, social unrest
– Accessibility to facility
• Review documentation: check that documentation is up to date
• Check International/Industry Standards compliance
• Conduct visual walk-through
• Evaluate physical security infrastructure
6) Operations Management
NIST Special Publication 800-137 – Information Security
Continuous Monitoring
Each manager in an organization regardless of their affinity to one of the
following communities must make tangible steps to reduce risk in the following
manners:
• The general management should structure the IT department and the
Information Security strategy in such a way that they provide a defence
against an attack on the company’s information assets, like data, hardware,
software, people, procedures, reports and strategies.
• IT management must work to serve the information technology needs of the
organization at large, and at the same time leverage the expertise of the
information security resources that have been made available to it.
• Information Security management must work with diligence, skill and
professionalism in congruence with other departments and organizational
communities in order to balance the trade-offs between information security
and information utility.
For any organization to manage its risk properly, the managers must be fully
aware of the information assets that are valuable to the organization, and of
how information is stored, transmitted and processed. Risk is inherent in
simple organizational decisions like hiring, marketing products,
internal/external communication systems, and even in deciding the physical
location of the office building. These inherent risks comprise third party
risks (people, processes, technology etc.).
All three communities must bear responsibility for the risk management and
assessment.
• Information Security team: since this team is the subject matter expert
and best understands the risks introduced by specific threats and attacks, it
must take the leadership role in third party risk assessment.
• Information Technology (IT): this team is responsible for building the
tools that safeguard a company’s valuable assets. They have to be very
mindful of and educated about the risks posed to the organization by the
specific technology loopholes and constraints of the software solutions the
company has implemented. They must also implement proper control mechanisms
to monitor and control risk.
• Management and users-at-large: this group, if well educated about the
importance of information security, often plays the role of the first layer
in Detection and Response. They must also be responsible for allocating
enough resources (money and human resources) to the IT and Information
Security teams.
The Information Security Risk Assessment should be built around the cyclic
steps listed below. Of course we could go into great detail about each of the
steps, but that would go beyond the scope of the project.
(Figure: risk assessment cycle; after the last step, return to the first)
1. Evaluation of risk controls
2. Determination of the cost-effectiveness of control options
3. Installation of the proper controls
4. Overseeing the controls
5. Identification of the risks
6. Assessment of the risks
7. Summarization of the findings
The threats the cyclic steps proposed above should be looking out for are
time-varying and ever-evolving. However, some of the basic and ever-present
threats, as well as some new ones to look out for, are listed below:
• Human mistakes
• Intellectual Property
• Intentional trespassing
• Information extortion
• Actions aimed at sabotaging and destruction of assets
• Theft
• Software assault
• Natural calamities
• Compromising of quality
• Hardware malfunctioning
• Software failure
• Obsolescence of technology
7) Access Control
As discussed previously, access control policies include:
• Personnel with elevated access should be segregated from the regular,
front-facing IP domains.
• “Need to know” / “Role-based” Access Control Lists (ACLs)
• “Security on every click” – multiple credentials required to log in to
secure resources
• Linux hardening by standardization using:
– Standard Operating Environment (SOE)
– Standard Operating Environment Management Platform (SOEMP)
• Access control managed centrally using platforms such as Centrify or
IdM.
8) Information System Maintenance
• Process data with the latest encryption standards. Example:
– AES for wireless communication
• Deploy a Patch Management System and patch literally the day a new version
is released. That includes the Web server itself, as well as other
third-party code like Java, Python, Perl, WordPress and Joomla, which are
favorite targets for attackers. "Breached sites are constantly found running
a three-year-old version of PHP or ColdFusion from 2007," says Pogue. So it's
critical you install patches on all software: "Your Web apps, Xcart,
OSCommerce, ZenCart and any of the others all need to be patched regularly."
• Third party maintenance for all functions, including functions outsourced
to third party services, e.g.:
– Database management
– Software development
– Web site hosting
Make sure whoever is providing these third party services regularly monitors
the servers for malware, viruses and other harmful software. Check whether
the current or potential Web host has a plan that includes at least daily
scanning, detection and removal of malware and viruses on the website.
9) Incident Management and Business Continuity planning
(BCP)
Figure: Threat scenarios response
ABC Corp. should use:
• Intrusion Detection and Prevention Systems (IDPS)
• Log management technologies and best practices
• Threat modeling frameworks like:
– STRIDE
– DREAD
– Trike
– CVSS
– OCTAVE
to come up with threat scenario responses:
• Incident Reaction Planning
• Disaster Recovery Planning
• Business Continuity Planning
After an incident has occurred, the analytics and diagnostic tools must be run
to immediately report on the statistics of the breach and how the business is
going to recover from it. Business Continuity Planning refers to the set of
procedures, policies and strategies for reaching out to the 20 million
customers whose information was stolen, and making sure that their loyalty is
retained. BCP for ABC Corp. includes reaching out to the customers, notifying
them, and assuring them that appropriate measures have been taken and that the
organization is doing everything possible to limit the extent of the damage.
Public Relations and customer retention teams must kick into action.
10) Compliance
ABC Corp. must meet the following necessary information security-related
legal and regulatory compliance requirements.
• State data breach notification
– Forty-seven states, the District of Columbia, Guam, Puerto Rico and the
Virgin Islands have enacted legislation requiring private, governmental or
educational entities to notify individuals of security breaches of
information involving personally identifiable information.
– Security breach laws typically have provisions regarding who must comply
with the law (e.g., businesses, data/information brokers, government
entities, etc.); definitions of “personal information” (e.g., name combined
with SSN, driver’s license or state ID, account numbers, etc.); what
constitutes a breach (e.g., unauthorized acquisition of data); requirements
for notice (e.g., timing or method of notice, who must be notified); and
exemptions (e.g., for encrypted information).
• Federal regulations
– Federal Information Security Management Act (FISMA)
– Gramm–Leach–Bliley Act (GLBA)
– Health Insurance Portability and Accountability Act of 1996 (HIPAA)
– Sarbanes–Oxley Act (SOX)
• International standards
– Payment Card Industry Data Security Standard (PCI DSS)
11) Information Security Measures
Information security dashboards are used to measure the effectiveness of
security controls – both technical and managerial.
• Benefits
– Increased accountability
– Improved information security effectiveness
– Demonstrated compliance
– Quantifiable inputs for resource allocation decisions
• Success Factors
– Strong upper-level management support
– Practical information security policies & procedures
– Quantifiable performance measures
– Results-oriented measures analysis
• Roles and Responsibilities
– Agency Head / Chief Information Officer
– Senior Information Security Officer
– Program Manager / Information System Owner
– Information System Security Officer
– Additional stakeholders
12) Security Testing
Security testing must be conducted on a regular basis, by both third party
services and by in-house information security (IS) and information technology
(IT) teams. The security testing must essentially be of three types:
 Acceptance Testing
o User acceptance testing
o Operational acceptance testing (OAT)
o Contract and regulation acceptance testing
o Alpha and beta testing
 Social Engineering
o Pretexting
o Diversion
o Phishing
o IVR/Phone Phishing
 Penetration Testing – NIST Four Phases
o Planning
o Discovery
o Attack
o Reporting
 Thank you
Bibliography
 https://www.pcicomplianceguide.org/pci-faqs-2/#21
 http://www.networkworld.com/article/2931587/network-security/breach-detection-five-fatal-flaws-and-how-to-avoid-them.html
 https://www.solutionary.com/resource-center/blog/2016/02/big-data-advancing-cybersecurity/
 https://securityintelligence.com/cyber-security-challenges-how-do-retailers-protect-the-bottom-line/
 http://www.darkreading.com/risk/compliance/report-some-retail-firms-still-dont-recognize-cyber-security-risks/d/d-id/1234833
 https://www2.deloitte.com/content/dam/Deloitte/pe/Documents/risk/us-risk-2014-retail-cyber-risk-report-040715.pdf
 Deloitte, Cyber risk in retail: Protecting the retail business to secure tomorrow’s growth
 Dell, Easy Patch Management for your IT Department, https://software.dell.com/reglanding/2844/
ProjectReport_Finalversion

  • 1. ABC Corp. Retail Store Information Security Management System By Antony Chou and Mamoon Khalid
  • 2.  Background  Incident Summary  Failures  Solutions  Strategic (Long term) Solutions  Tactical (Short term) Solutions  ISO 27001  ISMS PDCA Model  NIST Overview  Information Security Management System (ISMS) Framework  ISMS for ABC Corp.  Bibliography
  • 3. Background ABC Corp is a regular Retail Store with an online business “The financial and reputational damage that can be inflicted on a retailer by a major security breach can be so severe, and so destructive, as to approach the financial and reputational damage a commercial airline might suffer from a serious accident,” - Mark Yourek , IBM’s Global Retail Solution Lead Here are some are some other statistics that highlight the role of a strong security strategy in retail stores, especially ones with e-commerce platforms as well. • Almost one-tenth of retailers haven’t reported any cyber risks in financial documents filed with the SEC since 2011. • Only 9 percent consider outsourced vendors a potential threat source • Less than 10 percent have purchased insurance to cover any cyber exposures, accidental or otherwise. • Almost half (49%) of retail companies cited the use of technical safeguards as a chief remedy for cyber risk - Source: Dark Reading, Report: Some Retail Firms Still Don't Recognize Cyber Security Risks In other words, retailers don’t seem that concerned as far as their cyber security strategies are concerned. Not since attacks like the Target breach came to surface. That is the reason we decided to study a hypothetical attack scenario for a retail corporation with an online business. The following figure illustrates some more statistics about the cyber-attacks to retail businesses over the years.
  • 4. Incident Summary An ABC Corp. employee accidentally picked an USB drive from the parking lot and bought it to her work station. She plugs into her computer to check if the owner’s information could be found. Not finding anything, the USB sticker was submitted to the helpdesk personal, who has elevated access on his account. When the helpdesk person plugin the USB driver to his computer, the virus named as “Virus”, was copied to the servers and to all the workstations his elevated access allowed him to access. As a result of this the malicious code was be able to check the Active directory for an old contract account. And found that the account was still active. As is usually the case, the virus didn’t get activated right away, and instead it stayed stealth and slowly and gradually was copied to all the POS system. This slow and residual growth of the virus is engineered so as not to arouse suspicion in the usual “signature-based” security solutions that are employed by most corporations. The malware script used the compromised machine as a pivot to launch the exploit which attached the database server, and hence exploited a SQL server using SQL SQL Injection Attack tool. Now wwhenever in-store customers swipe their credit cards and debit cards on the store PCS systems, the virus keeps the records and outputs it to a file. Magnitude of Incident: • After three busy holiday shopping month, the attacker was able to gather 20 million customers credit card information. • This database was sent to overseas servers and later shown up in underground black market.
  • 5. Attackers Pre-knowledge: • Hacker found vendor name from garbage bin • Discovered that Log files only go back 30 days Current Controls ABC Corp. is a major retail store selling consumer products both online and in the store. As per usual, customer uses Cash, Credit and Debit card on the POS terminal in store. The current controls in place to support ABC Corp.’s current information security policy: – Antiviruses installed on every machine – Incident triggered review policy – “signature-based” security solutions, which tried to identify known, malicious code patterns and block them – Internet De-militarized zone (DMZ )for online store – Dedicated subnets for external facing web servers – Firewalls and router Access Control Lists (ACLs) for access controls – Regular third party penetration tests – Database kept online customers’ contact and payment information – Database encrypted credit and debit card numbers, but not user names and contact information.
  • 6. Failures To understand the root causes of the attack, we would essentially have to look at the: Policy failures: 1) Failure to properly block USB/Media ports upon the discovery of the breach 2) Lack of awareness on the employees part 3) Failure to install patches for SQL vulnerabilities on time 4) No expiration dates for user accounts – vastly expands the attack exposure surface 5) User account with admin access Design failures: 1) PCI DSS shares same network subnet from the main network - PCI POS systems were not segmented 2) External facing servers directly on public IP address 3) Elevated user accounts were not separated from regular accounts 4) Database server that scheduled patch installs and updates were failing with no further investigation as to why that was happening. 5) Log file only keeps past 30 days data 6) USB/Media ports were not disabled on all workstations. 7) Outside vendor account still active after contract is over 8) Database structure flaws: a. Tables weren’t normalized. Allowed for account information, credit card transactions and order information to be compromised easily
  • 7. 9) Web server code flaws a. Didn’t use parameters which automatically encode data being passed back to the database b. No client or server side user input error handling present c. Allowed unlimited login attempts Solutions Such breach incidents can be fatal to a business, even more so to an online business. The solutions to recovery from such incident can be broken into tactical (short term)and strategic (long term) Strategic (Long Term) There needs to be a paradigm shift in the way retail businesses look at the essentiality of a comprehensive cybersecurity and the implications of not doing that. Along the technology lines, there needs to be as shift in focus from the old and soon to be driven to become obsolete by necessity, “signature” based solutions to a more “behavioural/analytics” based solutions that employ big data technologies to detect minor system anomalies that could potentially be malware attacks.
• Continuous monitoring system, run both by third-party vendors and by the Information Technology/Information Security teams.
• Raise employee awareness through training. There should be periodic information security awareness seminars and awareness campaigns, and information security should be inculcated in the Professional Development program (if any such initiative is already in place). CISOs need to stress the severity of a compromise to employees and educate them to adopt a constant state of caution. The paradigm needs to shift from "if" to "when".
• Deploy a patch management system, so that software patches and security updates are installed immediately. In most breach incidents, a prompt system update results in a significant reduction of the attack surface.
• User access control: security on every click (multiple authentications) and a need-to-know policy.
• Establish a comprehensive incident response procedure.
• PCI DSS compliance: elevated-access workstations must be segregated from the rest of the network. ABC Corp.'s network architecture design was a violation of the Payment Card Industry Data Security Standard (PCI DSS).
• Third-party security management: enforce expiration dates for all vendor accounts.
• Periodic penetration tests.
• Investment in an analytics team.
• Administration assets and databases should be made available only on ABC Corp.'s internal network and completely removed from the public-facing servers. Additionally, they must require a secondary authentication that authenticates users against ABC Corp.'s internal Windows network.
• Don't store sensitive data. "There is no reason to store thousands of records on your customers, especially credit card numbers, expiration dates and CVV2 [card verification value] codes. The risk of a breach outweighs the convenience for your customers at checkout."
• Layer the security. "Add extra layers of security to the website and applications such as contact forms, login boxes and search queries." These measures will ensure that the ecommerce environment is protected from application-level attacks like SQL (Structured Query Language) injection and cross-site scripting (XSS).
• Monitor the site regularly, and make sure whoever is hosting it does too. Tools like Woopra or Clicky allow you to observe how visitors navigate and interact with the website in real time, making it possible to detect fraudulent or suspicious behaviour. They can send out alerts to all personnel on the alert roster when there is suspicious activity, allowing them to act quickly before the activity causes harm.
• Also, make sure whoever is hosting the ecommerce site regularly monitors the servers for malware, viruses and other harmful software. Ask the current or potential web host whether they have a plan that includes at least daily scanning, detection and removal of malware and viruses on the website.
• Perform regular PCI scans. Quarterly PCI scans through services like Trustwave lessen the risk of the ecommerce platform being vulnerable to hacking attempts. If the company uses third-party downloaded software (like Magento or PrestaShop), it must stay on top of new versions with security enhancements.
• Patch the systems immediately, literally the day a new version is released. That includes the web server itself, as well as other third-party code like Java, Python, Perl, WordPress and Joomla, which are favourite targets for attackers.

Tactical (Near Term)

We recommend that the CISO of ABC Corp. follow these best practices for an online retail business in dealing with cyber security threats:
• Use the latest endpoint security solutions, which base their data collection on kernel-level integration:
  - CYBERREASON
  - AORATO
• Update employee training to raise user awareness.
• Dedicated subnet for PCI systems. The shared subnet is a huge design flaw and needs to be re-engineered by the Information Technology/Information Security teams.
• Third-party penetration test to find vulnerabilities, for immediate diagnosis of system weaknesses.
• Separate elevated-access accounts from regular accounts.
• Introduce a "break glass" policy, which allows exceptional elevated access for authorized people if admin access is needed during an attack.

The CISO of ABC Corp. should introduce an information security strategy whose doctrine is centred on the following policies:
• Fixation on penetration prevention. Solution: focus instead on the adversarial activity that is already going on within the network, by using big-data analytics and machine learning technologies.
• Accepting simple explanations. Solution: always dig deeper. Security events are not caused by error or accident; every piece of evidence should be over-analysed and malicious intent must always be considered. Because security teams cannot know all adversarial activities, they are in a sense at a disadvantage; therefore it is crucial for them to over-investigate what they can see in order to reveal other unknown and undetected connecting elements. Security teams must always assume they see only half the picture and work diligently to uncover the rest of the puzzle. Examples of documents to use: system configuration logs, time logs, intrusion detection logs, employee system usage logs, process actions, file access information, network events and configuration changes on the endpoints.
• Striving for fast remediation. Solution: leverage the known. Instead of remediating isolated incidents as fast as possible, the security team should closely monitor the known to understand how it connects to other elements within the environment, and strive to reveal the unknown. For example, an unknown malicious process can be revealed if it connects to the same IP address as a detected known malicious process. Moreover, when you reveal to the hackers which of their tools are easy to detect, they can purposely deploy the known tools in excess to distract and waste the defender's time.
• Focusing on malware. Solution: focus on the entire attack. Although detecting malware is important, solutions that mainly focus on detecting isolated activity on individual endpoints are unable to properly combat complex hacking operations. Instead, employ a more holistic defence. Leverage automation, analytics and threat intelligence in particular, to gain context on the entire malicious operation as opposed to just the code. Keep in mind that your adversary is a person; malware is one of their most powerful tools, but only one of many in their tool kit.

ISO 27001 Overview

In helping ABC Corp. draft their updated information security strategy, we propose the use of ISO 27001. Why? Because it is:
• The most widely recognized security standard in the world
• More flexible and comprehensive in its coverage of security controls
• A process-centric Information Security Management System (ISMS) framework
• Applicable to information security issues across industries

The Information Security Management System (ISMS) framework can be illustrated by the figure below as essentially a four-step framework.
ISMS PDCA Model

Figure: the ISMS PDCA cycle
• PLAN: Define security policies and procedures
• DO: Implement and manage security controls/processes
• CHECK: Review/audit security management and controls
• ACT: Implement identified improvements, corrective/preventive actions
Implementation Approach

Phase I - Baseline Information Security Assessment
• Identify the scope and coverage of information security
• Assess the current environment
• Prepare the baseline information security assessment report

Phase II - Design of Information Security Policy & Procedures
• Establish security policy, organization & governance
• Asset profiling
• Risk assessment
• Risk treatment (identification of ISO 27001 controls & additional controls)
• Formulate information security policy & procedures
• Prepare Statement of Accountability

Phase III - Implementation of Information Security Policy
• Implementation of controls
• Security awareness training

Phase IV - Pre-Certification Audit
• Review by internal team
NIST Overview

The NIST framework is centred on five functions:

- Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.

- Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.

- Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.

- Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.

- Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications.
In the following section, we will explain how the ISMS framework derived from ISO 27001 can be used by ABC Corp. as it defines its information security strategy.

Information Security Management System (ISMS) Framework
1. Security Policy
2. Organization of Information Security
3. Assets Management
4. Human Resource Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information System Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Planning
11. Compliance
ISMS framework for ABC Corp.

• Revisit company policies periodically -- Security Policy
• Assemble an Information Security (IS) group with appointed IS officers who are responsible for managing and executing the daily tasks required for the security systems and policies to be enforced -- Organization of Information Security
• Know where everything is, dispose of assets properly, and maintain an inventory of physical and electronic assets -- Asset Management
• Awareness and training campaigns aimed at educating employees about the security policy and its importance to the company. In the case of ABC Corp., the employee should not have plugged the USB drive into her workstation to discover its ownership, and neither should the help desk personnel have. In addition to employee awareness, the CISO must also implement vendor management steps to govern the third-party vendors whose services ABC Corp. might use (for example, internet web hosting companies, outsourced data center and help desk services, and outsourced security solutions from third-party vendors) -- Human Resource Security
• Security cameras must be installed and the corporate facility must be secured. The attacker had access to the ABC Corp. employee parking lot and was able to use the garbage disposal to discover the vendor name. Corporate perimeters must be secured and budget must be allocated for hiring security personnel -- Physical and Environmental Security
• Monitor the network; segment the PCI network from other subnets -- Operations Management
• Elevated access, separation of duties, need-to-know vs. role-based access -- Access Control
• Process data correctly -- Information System Acquisition, Development and Maintenance
• Incident response plan -- Information Security Incident Management
• Business Continuity Planning (BCP), public relations -- Business Continuity Planning
• Federal, state, international; PCI DSS -- Compliance
1) Security Policy

A security policy ensures that information security functions are performed by the responsible groups and that there is adequate information security management and coverage. It is created to communicate to the organization how to use products (infrastructure/hardware, applications/software) so that there is adequate information security. In short, a security policy is:
• An organization's high-level instructions
• Computer security rules
• Management's directives or decisions on the use of resources (e.g. an email privacy policy)
• Not to be confused with the enforcement mechanisms

Benefits
• Provides the basis and guide for an organization's security program
• Establishes commitment to the security program
• Provides benchmarks that can be used to track progress
• Ensures consistency within the security program
• Provides a due diligence paper trail

Basic Rules
• Don't conflict with the law
• Can stand up in court, if challenged
• Supported and administered
• Contribute to the success of the organization
• Shared and supported by management
• Formulated with input from end users of information systems
• Policy: a high-level formal statement sanctioned by senior management about the organization's information security philosophy; it is used to drive the standards.
• Standards: more detailed statements of what employees must do to comply with policy.
• Practices, procedures and guidelines: specify how employees are to comply with policy.

Policy and Law
• Policies must be secondary to law.
• Policies should specifically state that the law overrides policy if they differ.
• Regulators can force organizations to follow policies.
• Lawyers should review policies prior to dissemination.

ISO 27001 policy framework: the following picture depicts how policies drive standards, which in turn drive practices, procedures and guidelines.
2) Organization of Information Security

Security Councils
• Ensure information security functions are performed by groups
• Ensure adequate information security management and coverage
• Coordinate and integrate the information security program across major areas
• Share best practice methods, perform benchmarking and actively work together on industry standards

3) Assets Management

Prioritize assets based on quantifiable metrics that General Management, Information Security and Information Technology must all work out in congruence with each other. Securely dispose of assets that are outdated or provide frivolous access points to a potential attacker. In addition, when data files and physical transaction receipts/files are disposed of, they must be disposed of properly, making sure that nobody is able to access the disposed information. Employees must be trained about the importance of securing their company-issued assets like laptops, cell phones and tablets. The company must maintain an inventory of its electronic assets so as to keep track of them, and so that all assets can be backed up when an employee leaves the organisation.
4) Human Resource Security
• Focus on the security controls needed to minimize the information security and operational risks.
• Conduct background checks of employees and of companies used for outsourced solutions.
• Utilize non-disclosure agreements as needed, to cover the liability issue as well as to make sure that no sensitive information is leaked from the inside.
• Create and publish "need-to-know" and "need-to-have" policies on information sharing.
• Ensure "separation of duties" where appropriate, so that the organizational machinery is not too dependent on any single person or department.
• Actively administer user facility and systems access.
• Utilize "role-based" access control systems.
• Conduct user access reviews.
5) Physical Security

Figure: labelling mechanism for categorizing access levels in the physical locations of the company office/headquarters premises.

• Physical security refers to the practices focused on strategies to protect people, physical assets and the workplace from various threats, including fire, unauthorized access and natural disasters.
• Physical security is at the foundation and core of "defense in depth".
• It focuses on:
  - Security needs for equipment and services
  - Human resources required for physical security
  - Financial resources for physical security
• Location of facility:
  - Geological risks (seismic zones, flooding, landslides)
  - Crime, political unrest, social unrest
  - Accessibility of the facility
• Review documentation: check that the documentation is up to date
• Check international/industry standards compliance
• Conduct a visual walk-through
• Evaluate the physical security infrastructure

6) Operations Management

NIST Special Publication 800-137 – Information Security Continuous Monitoring
Each manager in an organization, regardless of their affinity to one of the following communities, must take tangible steps to reduce risk in the following manner:
• General management should structure the IT department and the information security strategy in such a way that they provide a defence against an attack on the company's information assets, like data, hardware, software, people, procedures, reports and strategies.
• IT management must work to serve the information technology needs of the organization at large and, at the same time, leverage the expertise of the information security resources that have been made available to it.
• Information security management must work with diligence, skill and professionalism, in congruence with other departments and organizational communities, in order to balance the trade-offs between information security and information utility.

For any organization to manage its risk properly, the managers must be fully aware of the information assets that are valuable to the organization, and of how information is stored, transmitted and processed. Risk is inherent in simple organizational decisions like hiring, marketing products, internal/external communication systems, and even deciding the physical location of the office building. These inherent risks include third-party risks (people, processes, technology etc.). All three communities must bear responsibility for risk management and assessment.
• Information Security team: since this team is the subject matter expert and best understands the risks introduced by specific threats and attacks, it must take the leadership role in third-party risk assessment.
• Information Technology (IT): this team is responsible for building the tools that safeguard the company's valuable assets. They have to be very mindful and educated about the risks posed to the organization by the specific technology loopholes and constraints of the software solutions the company has implemented. They must also implement proper control mechanisms to monitor and control risk.
• Management and users at large: this group, if well educated about the importance of information security, often plays the role of the first layer in detection and response. They must also be responsible for allocating enough resources (money and human resources) to the IT and information security teams.

The information security risk assessment should be built around the cyclic steps listed below. Of course, we could go into great detail about each of the steps, but that would go beyond the scope of the project.

START
• Evaluation of risk controls
• Determination of the cost-effectiveness of control options
• Installation of the proper controls
• Overseeing the controls
• Identification of the risks
• Assessment of the risks
• Summarization of the findings
GO TO THE FIRST STEP

The threats that the cyclic steps proposed above should look out for are time-varying and ever-evolving. However, some of the basic, ever-present threats, as well as some new ones to look out for, are listed below:
• Human mistakes
• Intellectual property
• Intentional trespassing
• Information extortion
• Actions aimed at sabotaging and destroying assets
• Theft
• Software assault
• Natural calamities
• Compromising of quality
• Hardware malfunctioning
• Software failure
• Obsolescence of technology

7) Access Control

As discussed previously, access control policies include:
• Personnel with elevated access should be segregated from the regular front-facing IP domains.
• "Need to know" / "role-based" Access Control Lists (ACLs)
• "Security on every click": multiple-credential login for access to secure resources
• Linux hardening by standardization using:
  - Standard Operating Environment (SOE)
  - Standard Operating Environment Management Platform (SOEMP)
• Access control managed centrally using platforms such as Centrify or IdM.
8) Information System Maintenance
• Process data with the latest encryption standards. Example: AES for wireless communication.
• Deploy a patch management system, and patch literally the day a new version is released. That includes the web server itself, as well as other third-party code like Java, Python, Perl, WordPress and Joomla, which are favourite targets for attackers. "Breached sites are constantly found running a three-year-old version of PHP or ColdFusion from 2007," says Pogue. So it's critical to install patches on all software: "Your Web apps, Xcart, OSCommerce, ZenCart and any of the others all need to be patched regularly."
• Third-party maintenance for all functions outsourced to third-party services, e.g.:
  - Database management
  - Software development
  - Web site hosting
  Make sure whoever provides these third-party services regularly monitors the servers for malware, viruses and other harmful software. Ask the current or potential web host whether they have a plan that includes at least daily scanning, detection and removal of malware and viruses on the website.
9) Incident Management and Business Continuity Planning (BCP)

Figure: threat scenario responses

ABC Corp. should use:
• Intrusion Detection and Prevention Systems (IDPS)
• Log management technologies and best practices
• Threat modeling frameworks like:
  - STRIDE
  - DREAD
  - Trike
  - CVSS
  - OCTAVE
to come up with threat scenario responses:
• Incident reaction planning
• Disaster recovery planning
• Business continuity planning

After an incident has occurred, the analytics and diagnostic tools must be run to immediately report the statistics of the breach and how the business is going to recover from it. Business continuity planning refers to the set of procedures, policies and strategies for reaching out to the 20 million customers whose information was stolen and making sure that their loyalty is retained. BCP for ABC Corp. includes reaching out to the customers, notifying them, and assuring them that appropriate measures have been taken and that the organization is doing everything possible to limit the extent of the damage. Public relations and customer retention teams must kick into action.
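The "leverage the known" pivot from the tactical section (an unknown process revealed because it connects to the same IP address as a detected malicious one), run over the kind of endpoint connection log that the log management practices above would collect. This is an added example, not code from the deck or any product it names; the hosts, process names, addresses (documentation ranges) and the shared-IP threshold are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

ProcessKey = Tuple[str, str]   # (host, process image name)

# Assumption: an IP contacted by this many distinct processes is shared infrastructure
# (CDN, update server, SaaS) and says nothing about who else might be malicious.
COMMON_IP_THRESHOLD = 4


@dataclass(frozen=True)
class ConnEvent:
    host: str
    process: str
    remote_ip: str


# Constructed sample endpoint telemetry using documentation address ranges; not real IoCs.
SAMPLE_EVENTS: List[ConnEvent] = [
    ConnEvent("ws-017", "dropper.exe", "203.0.113.10"),   # flagged by the endpoint agent
    ConnEvent("ws-017", "dropper.exe", "198.51.100.77"),
    ConnEvent("ws-017", "dropper.exe", "192.0.2.1"),      # also talks to a busy shared IP
    ConnEvent("ws-017", "updater.exe", "203.0.113.10"),   # unknown process, same address
    ConnEvent("ws-042", "helper.exe", "198.51.100.77"),   # different host, same second address
    ConnEvent("ws-017", "chrome.exe", "192.0.2.1"),
    ConnEvent("ws-042", "chrome.exe", "192.0.2.1"),
    ConnEvent("ws-099", "chrome.exe", "192.0.2.1"),
    ConnEvent("ws-099", "outlook.exe", "192.0.2.1"),
    ConnEvent("ws-099", "chrome.exe", "198.51.100.5"),    # unrelated benign traffic
]

KNOWN_BAD: Set[ProcessKey] = {("ws-017", "dropper.exe")}


def pivot_on_known_bad(events: Iterable[ConnEvent], known_bad: Set[ProcessKey],
                       common_threshold: int = COMMON_IP_THRESHOLD) -> Dict[ProcessKey, List[str]]:
    """Return the not-yet-flagged processes that contacted an IP the known-bad
    processes also contacted, with the shared IPs; widely shared IPs are ignored."""
    by_ip: Dict[str, Set[ProcessKey]] = defaultdict(set)
    for ev in events:
        by_ip[ev.remote_ip].add((ev.host, ev.process))

    suspects: Dict[ProcessKey, Set[str]] = defaultdict(set)
    for ip, procs in by_ip.items():
        if not procs & known_bad:
            continue                       # nobody known-bad used this address
        if len(procs) >= common_threshold:
            continue                       # shared infrastructure: no discriminating value
        for proc in procs - known_bad:
            suspects[proc].add(ip)
    return {proc: sorted(ips) for proc, ips in suspects.items()}


if __name__ == "__main__":
    for (host, process), ips in sorted(pivot_on_known_bad(SAMPLE_EVENTS, KNOWN_BAD).items()):
        print(f"{host} {process}: shares {', '.join(ips)} with a known-bad process")
```

The shared-IP threshold is the caveat in practice: without it, every browser on the busy address would be pulled in as a suspect, which is the kind of noise an analyst then has to over-investigate.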
10) Compliance

ABC Corp. must meet the following necessary information security-related legal and regulatory compliance requirements.

• State data breach notification
  - Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private, governmental or educational entities to notify individuals of security breaches involving personally identifiable information.
  - Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data/information brokers, government entities, etc.); definitions of "personal information" (e.g., name combined with SSN, driver's license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information).
• Federal regulations
  - Federal Information Security Management Act (FISMA)
  - Gramm–Leach–Bliley Act (GLBA)
  - Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  - Sarbanes–Oxley Act (SOX)
• International standards
  - Payment Card Industry Data Security Standard (PCI DSS)
11) Information Security Measures

Information security dashboards are used to measure the effectiveness of security controls, both technical and managerial.

Benefits
• Increased accountability
• Improved information security effectiveness
• Demonstrated compliance
• Quantifiable inputs for resource allocation decisions

Success Factors
• Strong upper-level management support
• Practical information security policies & procedures
• Quantifiable performance measures
• Results-oriented measures analysis

Roles and Responsibilities
• Agency Head / Chief Information Officer
• Senior Information Security Officer
• Program Manager / Information System Owner
• Information System Security Officer
• Additional stakeholders
12) Security Testing

Security testing must be conducted on a regular basis, by both third-party services and the in-house information security (IS) and information technology (IT) teams. Security testing must essentially be of three types:
• Acceptance testing
  - User acceptance testing
  - Operational acceptance testing (OAT)
  - Contract and regulation acceptance testing
  - Alpha and beta testing
• Social engineering
  - Pretexting
  - Diversion
  - Phishing
  - IVR/phone phishing
• Penetration testing (NIST four phases)
  - Planning
  - Discovery
  - Attack
  - Reporting
Bibliography
• https://www.pcicomplianceguide.org/pci-faqs-2/#21
• http://www.networkworld.com/article/2931587/network-security/breach-detection-five-fatal-flaws-and-how-to-avoid-them.html
• https://www.solutionary.com/resource-center/blog/2016/02/big-data-advancing-cybersecurity/
• https://securityintelligence.com/cyber-security-challenges-how-do-retailers-protect-the-bottom-line/
• http://www.darkreading.com/risk/compliance/report-some-retail-firms-still-dont-recognize-cyber-security-risks/d/d-id/1234833
• https://www2.deloitte.com/content/dam/Deloitte/pe/Documents/risk/us-risk-2014-retail-cyber-risk-report-040715.pdf
• Deloitte, Cyber risk in retail: Protecting the retail business to secure tomorrow's growth
• Dell, Easy Patch Management for your IT Department, https://software.dell.com/reglanding/2844/