SlideShare a Scribd company logo

Penetration testing as an internal audit activity

Transcendent Group
Transcendent Group

Penetration testing as an internal audit activity, at the ECIIA conference in Stockholm, October 6th 2016. Speaker: Carsten Maartmann-Moe

Business
1 of 23
Download to read offline
Penetration testing as an internal audit activity ECIIA conference, Stockholm, October 6th 2016
Who am I? • I’m a hacker • I’ve hacked applications, networks, trains, lottery machines, routers, laptops, ATM:s, wireless networks, cell phones, embedded systems, production plants, stock exchanges and more… • …all with permission, which makes me a penetration tester • a fair share of the penetration tests I’ve performed were as a part of internal audits. ©TranscendentGroup2016
What is penetration testing? A point-in-time assessment of quality of the implemented security controls within the scope of testing. ©TranscendentGroup2016
The burning question ©TranscendentGroup2016 Are we secure?
Unfortunately, the questions answered by a penetration test are: ©TranscendentGroup2016 How vulnerable is application X? Is detection and response effective? Are our employees aware and alert? Where are we most vulnerable? Are our preventive controls effective? Are our user’s passwords strong? quite no no your entire intranet no no
An analogy: Your house ©TranscendentGroup2016 door sensor front door key alarm sensors CCTV camera
The burning question, modified ©TranscendentGroup2016 Are we secure enough?
What to ask instead ©TranscendentGroup2016 Are we robust, capable, and continuously improving? • prevention • detection • response• organized • funded • right competencies • right tools and data • aligned to the business • goal-oriented • measuring and adapting to both needs and risks
Internal audit’s role as per TLD ©TranscendentGroup2016 The third line of defence – internal audit – is responsible for ensuring that the first and second lines are functioning as designed.
What to consider ©TranscendentGroup2016
What to consider Planning • audit objective • sourcing • engage IT/service provider Execution • help the pentesters translate technical risk to business risk Reporting • do root cause analysis ©TranscendentGroup2016
Planning and scoping • First: Ask yourself if a pentest is really a good idea? • Second: What is the question to be answered by the test? • Engage and alert your IT security function and service provider. • Make sure the consultants understand the high-level concepts of your business. ©TranscendentGroup2016 Planning Execution Reporting
Tips on sourcing • You’ll get what you pay for. • Choose a preferred vendor, and stick with it. • Hire people, not brand: look for experience. • Certifications to look for: CEH, GIAC certs (GWAPT, GPEN, etcetera). ©TranscendentGroup2016 Planning Execution Reporting
Execution • Don’t force your pentesters to go through detailed checklists of what to do/not to do unless absolutely necessary. • Help the pentesters escalate issues. • Set aside time for root cause analysis with the part of the business that has been audited. ©TranscendentGroup2016 Planning Execution Reporting
Reporting What to expect: • too technical, unstructured reports • doom and gloom • no business risks • mistaking exploitable technical vulnerabilities for critical business risks How to manage: • keep your eye on the audit objective • make the pentesters rate the difficulty of getting in • challenge, challenge, challenge • understand that it is difficult for an external party to gauge your business risk • uon’t skip root cause analysis ©TranscendentGroup2016 Planning Execution Reporting
A word on reporting ©TranscendentGroup2016
Root causes ©TranscendentGroup2016
Example from a pentest: passwords 485 142 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Percentage of passwords cracked Cracked Not cracked ©TranscendentGroup2016 • We were able to crack 77 % of all passwords within 24 hours with a standard issue laptop. • 84 % of the passwords followed the format «string + number + special character». Examples: Summer2016! (pentest performed at summer), Beograd02! (variant of the first password given by the help desk to new users).
5 whys Q: Why are our user’s passwords easy to crack? A: Because they are short and easy to guess. Q: Why are they short and easy to guess? A: Users don’t know what constitutes a strong password, and create short and easy to guess ones because they are also easy to remember. Q: So why do they have trouble remembering their passwords? A: Each user have 5+ different passwords they need to remember to perform their job. We also force them to change their password every 90. days. Q: Why do we force them to change their password? A: … I really don’t know, good practice I guess? Not sure if it creates stronger passwords, though… Q: Why not? A: Well, everybody just creates systems to avoid forgetting the new password. If your first password was “Beograd01!”, your second will be “Beograd02!” and so on. There’s not much security in that. ©TranscendentGroup2016
5 why’s Q: Why did this SQL injection vulnerability occur? A: Because it’s a legacy back-end application that has been exposed to the Internet. Q: Why was it exposed to the Internet? B: To drive and support business initiative X, which requires customer interaction with the system. Q: So why weren’t the project behind business initiative X aware of the vulnerabilities? A: Well, we [the dev team] suspected that the application had substandard security, but there was no one on the team that had the knowledge or time to have an in-depth look. Q: Why? A: Because there’s not allocated any resources to security in our project. Q: Why are there no resources? A: I guess it’s just not budgeted for, or that the business just thinks of it as something the developers and sysadmins should fix as a part of the job. But no one has been given training, and if you look at the project plans, there’s not an hour dedicated to security. ©TranscendentGroup2016
Summary ©TranscendentGroup2016
Internal audit penetration testing can cause significant security improvement • Penetration testing does not answer the «Are we secure?» question, but provides symptoms of internal control failure. • Pentesting can provide concrete and measurable risk reduction and spark significant improvement initiatives. • Engage with your IT function/service provider/preferred consultants to evaluate the best way to leverage these types of services for your business. ©TranscendentGroup2016
www.transcendentgroup.com

Recommended

Owasp zap
Owasp zapOwasp zap
Owasp zapColdFusionConference
 
Penetration Testing AWS
Penetration Testing AWSPenetration Testing AWS
Penetration Testing AWSSanjeev Kumar Jaiswal
 
A Guide to AWS Penetration Testing.pptx
A Guide to AWS Penetration Testing.pptxA Guide to AWS Penetration Testing.pptx
A Guide to AWS Penetration Testing.pptxsaurabhpandey251355
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Api security-testing
Api security-testingApi security-testing
Api security-testingn|u - The Open Security Community
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security LifecycleApigee | Google Cloud
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 

Recommended

Owasp zap
Owasp zapOwasp zap
Owasp zapColdFusionConference
 
Penetration Testing AWS
Penetration Testing AWSPenetration Testing AWS
Penetration Testing AWSSanjeev Kumar Jaiswal
 
A Guide to AWS Penetration Testing.pptx
A Guide to AWS Penetration Testing.pptxA Guide to AWS Penetration Testing.pptx
A Guide to AWS Penetration Testing.pptxsaurabhpandey251355
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Api security-testing
Api security-testingApi security-testing
Api security-testingn|u - The Open Security Community
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security LifecycleApigee | Google Cloud
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 
Web API authentication and authorization
Web API authentication and authorization Web API authentication and authorization
Web API authentication and authorization Chalermpon Areepong
 
Full report final for NotPetya
Full report final for NotPetyaFull report final for NotPetya
Full report final for NotPetyaKimme Buranasombati
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyAditya Gupta
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsKaty Anton
 
API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAaronLieberman5
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 
Azure Just in Time Privileged Identity Management
Azure Just in Time Privileged Identity ManagementAzure Just in Time Privileged Identity Management
Azure Just in Time Privileged Identity ManagementMario Worwell
 
Security Patterns for Software Development
Security Patterns for Software DevelopmentSecurity Patterns for Software Development
Security Patterns for Software DevelopmentNarudom Roongsiriwong, CISSP
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team FrameworkAdrian Sanabria
 
Playwright: A New Test Automation Framework for the Modern Web
Playwright: A New Test Automation Framework for the Modern WebPlaywright: A New Test Automation Framework for the Modern Web
Playwright: A New Test Automation Framework for the Modern WebApplitools
 
OWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideOWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideLudovic Petit
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Pave the Golden Path On Your Internal Platform
Pave the Golden Path On Your Internal PlatformPave the Golden Path On Your Internal Platform
Pave the Golden Path On Your Internal PlatformMauricio (Salaboy) Salatino
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security FundamentalsJosé Haro Peralta
 
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun YenCODE BLUE
 
Frukostseminarium om finansiell brottslighet
Frukostseminarium om finansiell brottslighetFrukostseminarium om finansiell brottslighet
Frukostseminarium om finansiell brottslighetTranscendent Group
 
Har ditt företag implementerat en process för att identifiera och hantera int...
Har ditt företag implementerat en process för att identifiera och hantera int...Har ditt företag implementerat en process för att identifiera och hantera int...
Har ditt företag implementerat en process för att identifiera och hantera int...Transcendent Group
 

More Related Content

What's hot

Web API authentication and authorization
Web API authentication and authorization Web API authentication and authorization
Web API authentication and authorization Chalermpon Areepong
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyAditya Gupta
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsKaty Anton
 
API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAaronLieberman5
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 
Azure Just in Time Privileged Identity Management
Azure Just in Time Privileged Identity ManagementAzure Just in Time Privileged Identity Management
Azure Just in Time Privileged Identity ManagementMario Worwell
 
Playwright: A New Test Automation Framework for the Modern Web
Playwright: A New Test Automation Framework for the Modern WebPlaywright: A New Test Automation Framework for the Modern Web
Playwright: A New Test Automation Framework for the Modern WebApplitools
 
OWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideOWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideLudovic Petit
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch
 
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun YenCODE BLUE
 

What's hot (20)

Web API authentication and authorization
Web API authentication and authorization Web API authentication and authorization
Web API authentication and authorization
 
Full report final for NotPetya
Full report final for NotPetyaFull report final for NotPetya
Full report final for NotPetya
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive Controls
 
API Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIsAPI Security - Everything You Need to Know To Protect Your APIs
API Security - Everything You Need to Know To Protect Your APIs
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
 
Azure Just in Time Privileged Identity Management
Azure Just in Time Privileged Identity ManagementAzure Just in Time Privileged Identity Management
Azure Just in Time Privileged Identity Management
 
Security Patterns for Software Development
Security Patterns for Software DevelopmentSecurity Patterns for Software Development
Security Patterns for Software Development
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
 
Playwright: A New Test Automation Framework for the Modern Web
Playwright: A New Test Automation Framework for the Modern WebPlaywright: A New Test Automation Framework for the Modern Web
Playwright: A New Test Automation Framework for the Modern Web
 
OWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideOWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference Guide
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
 
Pave the Golden Path On Your Internal Platform
Pave the Golden Path On Your Internal PlatformPave the Golden Path On Your Internal Platform
Pave the Golden Path On Your Internal Platform
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
 
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen
[CB20] Pwning OT: Going in Through the Eyes by Ta-Lun Yen
 

Viewers also liked

Frukostseminarium om finansiell brottslighet
Frukostseminarium om finansiell brottslighetFrukostseminarium om finansiell brottslighet
Frukostseminarium om finansiell brottslighetTranscendent Group
 
Har ditt företag implementerat en process för att identifiera och hantera int...
Har ditt företag implementerat en process för att identifiera och hantera int...Har ditt företag implementerat en process för att identifiera och hantera int...
Har ditt företag implementerat en process för att identifiera och hantera int...Transcendent Group
 
Är kris en förutsättning för compliance.pptx
Är kris en förutsättning för compliance.pptxÄr kris en förutsättning för compliance.pptx
Är kris en förutsättning för compliance.pptxTranscendent Group
 
Måling og visualisering av informasjonssikkerhet
Måling og visualisering av informasjonssikkerhetMåling og visualisering av informasjonssikkerhet
Måling og visualisering av informasjonssikkerhetTranscendent Group
 
Erfarenhet från granskning av tredje parter utifrån fffs 20145
Erfarenhet från granskning av tredje parter utifrån fffs 20145Erfarenhet från granskning av tredje parter utifrån fffs 20145
Erfarenhet från granskning av tredje parter utifrån fffs 20145Transcendent Group
 
Ta kontroll över personuppgiftshanteringen på ett effektivt sätt
Ta kontroll över personuppgiftshanteringen på ett effektivt sättTa kontroll över personuppgiftshanteringen på ett effektivt sätt
Ta kontroll över personuppgiftshanteringen på ett effektivt sättTranscendent Group
 
Vad innebär den nya penningtvättslagen
Vad innebär den nya penningtvättslagenVad innebär den nya penningtvättslagen
Vad innebär den nya penningtvättslagenTranscendent Group
 
Frukostseminarium om assurance map och audit universe 2014-06-17
Frukostseminarium om assurance map och audit universe 2014-06-17Frukostseminarium om assurance map och audit universe 2014-06-17
Frukostseminarium om assurance map och audit universe 2014-06-17Transcendent Group
 
Sensommarmingel på temat finansiell brottslighet
Sensommarmingel på temat finansiell brottslighetSensommarmingel på temat finansiell brottslighet
Sensommarmingel på temat finansiell brottslighetTranscendent Group
 
Strängare krav på personuppgiftsbehandling senaste nytt om vår nya eu lag
Strängare krav på personuppgiftsbehandling senaste nytt om vår nya eu lagSträngare krav på personuppgiftsbehandling senaste nytt om vår nya eu lag
Strängare krav på personuppgiftsbehandling senaste nytt om vår nya eu lagTranscendent Group
 
Grc succéfaktorer; hur får man ut mer värde av grc än enbart regelefterlevnad
Grc succéfaktorer; hur får man ut mer värde av grc än enbart regelefterlevnadGrc succéfaktorer; hur får man ut mer värde av grc än enbart regelefterlevnad
Grc succéfaktorer; hur får man ut mer värde av grc än enbart regelefterlevnadTranscendent Group
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration TestingScott Sutherland
 
Internal Control Assessment: Lessons Learned and the Pain Felt - 2014 Recap
Internal Control Assessment: Lessons Learned and the Pain Felt - 2014 RecapInternal Control Assessment: Lessons Learned and the Pain Felt - 2014 Recap
Internal Control Assessment: Lessons Learned and the Pain Felt - 2014 RecapHein & Associates
 
Delivering Meaningful Audit Reports Local Govt - Scott Webb Nov 2013
Delivering Meaningful Audit Reports Local Govt - Scott Webb Nov 2013Delivering Meaningful Audit Reports Local Govt - Scott Webb Nov 2013
Delivering Meaningful Audit Reports Local Govt - Scott Webb Nov 2013Scott Webb CPA CIA PMIIA CRMA
 
Bcu msc cg week 8 audit 290712
Bcu msc cg week 8 audit 290712Bcu msc cg week 8 audit 290712
Bcu msc cg week 8 audit 290712Stephen Ong
 
Penetration testing the cloud - vlad gostom
Penetration testing the cloud - vlad gostomPenetration testing the cloud - vlad gostom
Penetration testing the cloud - vlad gostomHardway Hou
 
Evaluation of process level control deficiencies 5 20-2016
Evaluation of process level control deficiencies 5 20-2016Evaluation of process level control deficiencies 5 20-2016
Evaluation of process level control deficiencies 5 20-2016leschaney
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 

Viewers also liked (20)

Frukostseminarium om finansiell brottslighet
Frukostseminarium om finansiell brottslighetFrukostseminarium om finansiell brottslighet
Frukostseminarium om finansiell brottslighet
 
Har ditt företag implementerat en process för att identifiera och hantera int...
Har ditt företag implementerat en process för att identifiera och hantera int...Har ditt företag implementerat en process för att identifiera och hantera int...
Har ditt företag implementerat en process för att identifiera och hantera int...
 
Är kris en förutsättning för compliance.pptx
Är kris en förutsättning för compliance.pptxÄr kris en förutsättning för compliance.pptx
Är kris en förutsättning för compliance.pptx
 
Måling og visualisering av informasjonssikkerhet
Måling og visualisering av informasjonssikkerhetMåling og visualisering av informasjonssikkerhet
Måling og visualisering av informasjonssikkerhet
 
Erfarenhet från granskning av tredje parter utifrån fffs 20145
Erfarenhet från granskning av tredje parter utifrån fffs 20145Erfarenhet från granskning av tredje parter utifrån fffs 20145
Erfarenhet från granskning av tredje parter utifrån fffs 20145
 
Ta kontroll över personuppgiftshanteringen på ett effektivt sätt
Ta kontroll över personuppgiftshanteringen på ett effektivt sättTa kontroll över personuppgiftshanteringen på ett effektivt sätt
Ta kontroll över personuppgiftshanteringen på ett effektivt sätt
 
Vad innebär den nya penningtvättslagen
Vad innebär den nya penningtvättslagenVad innebär den nya penningtvättslagen
Vad innebär den nya penningtvättslagen
 
Frukostseminarium om assurance map och audit universe 2014-06-17
Frukostseminarium om assurance map och audit universe 2014-06-17Frukostseminarium om assurance map och audit universe 2014-06-17
Frukostseminarium om assurance map och audit universe 2014-06-17
 
Sensommarmingel på temat finansiell brottslighet
Sensommarmingel på temat finansiell brottslighetSensommarmingel på temat finansiell brottslighet
Sensommarmingel på temat finansiell brottslighet
 
Strängare krav på personuppgiftsbehandling senaste nytt om vår nya eu lag
Strängare krav på personuppgiftsbehandling senaste nytt om vår nya eu lagSträngare krav på personuppgiftsbehandling senaste nytt om vår nya eu lag
Strängare krav på personuppgiftsbehandling senaste nytt om vår nya eu lag
 
Grc succéfaktorer; hur får man ut mer värde av grc än enbart regelefterlevnad
Grc succéfaktorer; hur får man ut mer värde av grc än enbart regelefterlevnadGrc succéfaktorer; hur får man ut mer värde av grc än enbart regelefterlevnad
Grc succéfaktorer; hur får man ut mer värde av grc än enbart regelefterlevnad
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration Testing
 
Internal Control Assessment: Lessons Learned and the Pain Felt - 2014 Recap
Internal Control Assessment: Lessons Learned and the Pain Felt - 2014 RecapInternal Control Assessment: Lessons Learned and the Pain Felt - 2014 Recap
Internal Control Assessment: Lessons Learned and the Pain Felt - 2014 Recap
 
Delivering Meaningful Audit Reports Local Govt - Scott Webb Nov 2013
Delivering Meaningful Audit Reports Local Govt - Scott Webb Nov 2013Delivering Meaningful Audit Reports Local Govt - Scott Webb Nov 2013
Delivering Meaningful Audit Reports Local Govt - Scott Webb Nov 2013
 
Bcu msc cg week 8 audit 290712
Bcu msc cg week 8 audit 290712Bcu msc cg week 8 audit 290712
Bcu msc cg week 8 audit 290712
 
Penetration testing the cloud - vlad gostom
Penetration testing the cloud - vlad gostomPenetration testing the cloud - vlad gostom
Penetration testing the cloud - vlad gostom
 
iOS Application Penetration Testing
iOS Application Penetration TestingiOS Application Penetration Testing
iOS Application Penetration Testing
 
Evaluation of process level control deficiencies 5 20-2016
Evaluation of process level control deficiencies 5 20-2016Evaluation of process level control deficiencies 5 20-2016
Evaluation of process level control deficiencies 5 20-2016
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Charter School Audit Guide 2015
Charter School Audit Guide 2015Charter School Audit Guide 2015
Charter School Audit Guide 2015
 

Similar to Penetration testing as an internal audit activity

The End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzThe End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzSeniorStoryteller
 
The Seven Deadly Sins of Incident Response
The Seven Deadly Sins of Incident ResponseThe Seven Deadly Sins of Incident Response
The Seven Deadly Sins of Incident ResponseLancope, Inc.
 
Security Teams & Tech In A Cloud World
Security Teams & Tech In A Cloud WorldSecurity Teams & Tech In A Cloud World
Security Teams & Tech In A Cloud WorldMark Nunnikhoven
 
LoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated CybersecurityLoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated CybersecurityRohit Kapoor
 
Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherWendy Knox Everette
 
Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Stefan Streichsbier
 
LoginCat - Mini Presentation
LoginCat - Mini PresentationLoginCat - Mini Presentation
LoginCat - Mini PresentationRohit Kapoor
 
Login cat tekmonks - v5 (mini)
Login cat tekmonks - v5 (mini)Login cat tekmonks - v5 (mini)
Login cat tekmonks - v5 (mini)Rohit Kapoor
 
LoginCat from TekMonks
LoginCat from TekMonksLoginCat from TekMonks
LoginCat from TekMonksRohit Kapoor
 
SPI Dynamics web application security 101
SPI Dynamics web application security 101 SPI Dynamics web application security 101
SPI Dynamics web application security 101 Wade Malone
 
Security Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC PerspectiveSecurity Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC PerspectivePositive Hack Days
 
Login cat tekmonks - v4
Login cat tekmonks - v4Login cat tekmonks - v4
Login cat tekmonks - v4TEKMONKS
 
Login cat tekmonks - v4
Login cat tekmonks - v4Login cat tekmonks - v4
Login cat tekmonks - v4Rohit Kapoor
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...lior mazor
 
QAing the security way!
QAing the security way!QAing the security way!
QAing the security way!Amit Gundiyal
 
vodQA(Pune) 2018 - QAing the security way
vodQA(Pune) 2018 - QAing the security wayvodQA(Pune) 2018 - QAing the security way
vodQA(Pune) 2018 - QAing the security wayvodQA
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofAdrian Sanabria
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended CutMike Spaulding
 

Similar to Penetration testing as an internal audit activity (20)

CPX 2016 Moti Sagey Security Vendor Landscape
CPX 2016 Moti Sagey Security Vendor LandscapeCPX 2016 Moti Sagey Security Vendor Landscape
CPX 2016 Moti Sagey Security Vendor Landscape
 
PNSQC 2021 January 28 Culture Jam
PNSQC 2021 January 28 Culture JamPNSQC 2021 January 28 Culture Jam
PNSQC 2021 January 28 Culture Jam
 
The End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzThe End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon Lietz
 
The Seven Deadly Sins of Incident Response
The Seven Deadly Sins of Incident ResponseThe Seven Deadly Sins of Incident Response
The Seven Deadly Sins of Incident Response
 
Security Teams & Tech In A Cloud World
Security Teams & Tech In A Cloud WorldSecurity Teams & Tech In A Cloud World
Security Teams & Tech In A Cloud World
 
LoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated CybersecurityLoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated Cybersecurity
 
Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work together
 
Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016
 
LoginCat - Mini Presentation
LoginCat - Mini PresentationLoginCat - Mini Presentation
LoginCat - Mini Presentation
 
Login cat tekmonks - v5 (mini)
Login cat tekmonks - v5 (mini)Login cat tekmonks - v5 (mini)
Login cat tekmonks - v5 (mini)
 
LoginCat from TekMonks
LoginCat from TekMonksLoginCat from TekMonks
LoginCat from TekMonks
 
SPI Dynamics web application security 101
SPI Dynamics web application security 101 SPI Dynamics web application security 101
SPI Dynamics web application security 101
 
Security Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC PerspectiveSecurity Opportunities A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC Perspective
 
Login cat tekmonks - v4
Login cat tekmonks - v4Login cat tekmonks - v4
Login cat tekmonks - v4
 
Login cat tekmonks - v4
Login cat tekmonks - v4Login cat tekmonks - v4
Login cat tekmonks - v4
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
 
QAing the security way!
QAing the security way!QAing the security way!
QAing the security way!
 
vodQA(Pune) 2018 - QAing the security way
vodQA(Pune) 2018 - QAing the security wayvodQA(Pune) 2018 - QAing the security way
vodQA(Pune) 2018 - QAing the security way
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard of
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
 

More from Transcendent Group

Next generation access controls
Next generation access controlsNext generation access controls
Next generation access controlsTranscendent Group
 
Star strategy en inspirerande metod för mål och verksamhetsstyrning
Star strategy en inspirerande metod för mål och verksamhetsstyrningStar strategy en inspirerande metod för mål och verksamhetsstyrning
Star strategy en inspirerande metod för mål och verksamhetsstyrningTranscendent Group
 
Varför kostnadskontroll och riskhantering av programvara blir allt viktigare
Varför kostnadskontroll och riskhantering av programvara blir allt viktigareVarför kostnadskontroll och riskhantering av programvara blir allt viktigare
Varför kostnadskontroll och riskhantering av programvara blir allt viktigareTranscendent Group
 
Hur etablerar man en effektiv kris och kontinuitetshantering
Hur etablerar man en effektiv kris och kontinuitetshanteringHur etablerar man en effektiv kris och kontinuitetshantering
Hur etablerar man en effektiv kris och kontinuitetshanteringTranscendent Group
 
Den anpassningsbare överlever; den ökade regleringens effekter på svenska banker
Den anpassningsbare överlever; den ökade regleringens effekter på svenska bankerDen anpassningsbare överlever; den ökade regleringens effekter på svenska banker
Den anpassningsbare överlever; den ökade regleringens effekter på svenska bankerTranscendent Group
 
Vem är personen bakom masken hur man hanterar interna bedrägerier
Vem är personen bakom masken hur man hanterar interna bedrägerierVem är personen bakom masken hur man hanterar interna bedrägerier
Vem är personen bakom masken hur man hanterar interna bedrägerierTranscendent Group
 
Styrelseledamotens roll och ansvar
Styrelseledamotens roll och ansvarStyrelseledamotens roll och ansvar
Styrelseledamotens roll och ansvarTranscendent Group
 
Solvency ii and return on equity; optimizing capital and manage the risk
Solvency ii and return on equity; optimizing capital and manage the riskSolvency ii and return on equity; optimizing capital and manage the risk
Solvency ii and return on equity; optimizing capital and manage the riskTranscendent Group
 
Kravställning för grc systemstöd
Kravställning för grc systemstödKravställning för grc systemstöd
Kravställning för grc systemstödTranscendent Group
 
Fem dataanalyser varje internrevisor bör ha med i sin revisionsplan
Fem dataanalyser varje internrevisor bör ha med i sin revisionsplanFem dataanalyser varje internrevisor bör ha med i sin revisionsplan
Fem dataanalyser varje internrevisor bör ha med i sin revisionsplanTranscendent Group
 
Cybersecurity inom bilindustrin
Cybersecurity inom bilindustrinCybersecurity inom bilindustrin
Cybersecurity inom bilindustrinTranscendent Group
 
Personlig integritet – möjliggörare eller hinder för verksamheten?
Personlig integritet – möjliggörare eller hinder för verksamheten?Personlig integritet – möjliggörare eller hinder för verksamheten?
Personlig integritet – möjliggörare eller hinder för verksamheten?Transcendent Group
 
Frukostseminarium om informationssäkerhet
Frukostseminarium om informationssäkerhetFrukostseminarium om informationssäkerhet
Frukostseminarium om informationssäkerhetTranscendent Group
 
Förberedelser inför GRC-systemimplementering
Förberedelser inför GRC-systemimplementeringFörberedelser inför GRC-systemimplementering
Förberedelser inför GRC-systemimplementeringTranscendent Group
 
Mobila enheter och informationssäkerhetsrisker för nybörjaren
Mobila enheter och informationssäkerhetsrisker för nybörjarenMobila enheter och informationssäkerhetsrisker för nybörjaren
Mobila enheter och informationssäkerhetsrisker för nybörjarenTranscendent Group
 
Effectively managing operational risk
Effectively managing operational riskEffectively managing operational risk
Effectively managing operational riskTranscendent Group
 
Åtgärder mot penningtvätt och kommande förändringar
Åtgärder mot penningtvätt och kommande förändringarÅtgärder mot penningtvätt och kommande förändringar
Åtgärder mot penningtvätt och kommande förändringarTranscendent Group
 
Utvecklandet av en strategisk plan för din internrevisionsaktivitet
Utvecklandet av en strategisk plan för din internrevisionsaktivitetUtvecklandet av en strategisk plan för din internrevisionsaktivitet
Utvecklandet av en strategisk plan för din internrevisionsaktivitetTranscendent Group
 

More from Transcendent Group (20)

Next generation access controls
Next generation access controlsNext generation access controls
Next generation access controls
 
Star strategy en inspirerande metod för mål och verksamhetsstyrning
Star strategy en inspirerande metod för mål och verksamhetsstyrningStar strategy en inspirerande metod för mål och verksamhetsstyrning
Star strategy en inspirerande metod för mål och verksamhetsstyrning
 
Varför kostnadskontroll och riskhantering av programvara blir allt viktigare
Varför kostnadskontroll och riskhantering av programvara blir allt viktigareVarför kostnadskontroll och riskhantering av programvara blir allt viktigare
Varför kostnadskontroll och riskhantering av programvara blir allt viktigare
 
Hur etablerar man en effektiv kris och kontinuitetshantering
Hur etablerar man en effektiv kris och kontinuitetshanteringHur etablerar man en effektiv kris och kontinuitetshantering
Hur etablerar man en effektiv kris och kontinuitetshantering
 
Den anpassningsbare överlever; den ökade regleringens effekter på svenska banker
Den anpassningsbare överlever; den ökade regleringens effekter på svenska bankerDen anpassningsbare överlever; den ökade regleringens effekter på svenska banker
Den anpassningsbare överlever; den ökade regleringens effekter på svenska banker
 
Vem är personen bakom masken hur man hanterar interna bedrägerier
Vem är personen bakom masken hur man hanterar interna bedrägerierVem är personen bakom masken hur man hanterar interna bedrägerier
Vem är personen bakom masken hur man hanterar interna bedrägerier
 
Styrelseledamotens roll och ansvar
Styrelseledamotens roll och ansvarStyrelseledamotens roll och ansvar
Styrelseledamotens roll och ansvar
 
Solvency ii and return on equity; optimizing capital and manage the risk
Solvency ii and return on equity; optimizing capital and manage the riskSolvency ii and return on equity; optimizing capital and manage the risk
Solvency ii and return on equity; optimizing capital and manage the risk
 
Kravställning för grc systemstöd
Kravställning för grc systemstödKravställning för grc systemstöd
Kravställning för grc systemstöd
 
How we got domain admin
How we got domain adminHow we got domain admin
How we got domain admin
 
Fem dataanalyser varje internrevisor bör ha med i sin revisionsplan
Fem dataanalyser varje internrevisor bör ha med i sin revisionsplanFem dataanalyser varje internrevisor bör ha med i sin revisionsplan
Fem dataanalyser varje internrevisor bör ha med i sin revisionsplan
 
Finansiering av terrorism
Finansiering av terrorismFinansiering av terrorism
Finansiering av terrorism
 
Cybersecurity inom bilindustrin
Cybersecurity inom bilindustrinCybersecurity inom bilindustrin
Cybersecurity inom bilindustrin
 
Personlig integritet – möjliggörare eller hinder för verksamheten?
Personlig integritet – möjliggörare eller hinder för verksamheten?Personlig integritet – möjliggörare eller hinder för verksamheten?
Personlig integritet – möjliggörare eller hinder för verksamheten?
 
Frukostseminarium om informationssäkerhet
Frukostseminarium om informationssäkerhetFrukostseminarium om informationssäkerhet
Frukostseminarium om informationssäkerhet
 
Förberedelser inför GRC-systemimplementering
Förberedelser inför GRC-systemimplementeringFörberedelser inför GRC-systemimplementering
Förberedelser inför GRC-systemimplementering
 
Mobila enheter och informationssäkerhetsrisker för nybörjaren
Mobila enheter och informationssäkerhetsrisker för nybörjarenMobila enheter och informationssäkerhetsrisker för nybörjaren
Mobila enheter och informationssäkerhetsrisker för nybörjaren
 
Effectively managing operational risk
Effectively managing operational riskEffectively managing operational risk
Effectively managing operational risk
 
Åtgärder mot penningtvätt och kommande förändringar
Åtgärder mot penningtvätt och kommande förändringarÅtgärder mot penningtvätt och kommande förändringar
Åtgärder mot penningtvätt och kommande förändringar
 
Utvecklandet av en strategisk plan för din internrevisionsaktivitet
Utvecklandet av en strategisk plan för din internrevisionsaktivitetUtvecklandet av en strategisk plan för din internrevisionsaktivitet
Utvecklandet av en strategisk plan för din internrevisionsaktivitet
 

Recently uploaded

Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...
Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...
Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...pujan9679
 
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...meghakumariji156
 
Falcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business PotentialFalcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business PotentialFalcon investment
 
Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...
Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...
Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...pujan9679
 
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...ssuserf63bd7
 
Falcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting
 
GUWAHATI 💋 Call Girl 9827461493 Call Girls in Escort service book now
GUWAHATI 💋 Call Girl 9827461493 Call Girls in Escort service book nowGUWAHATI 💋 Call Girl 9827461493 Call Girls in Escort service book now
GUWAHATI 💋 Call Girl 9827461493 Call Girls in Escort service book nowkapoorjyoti4444
 
Berhampur Call Girl Just Call 8084732287 Top Class Call Girl Service Available
Berhampur Call Girl Just Call 8084732287 Top Class Call Girl Service AvailableBerhampur Call Girl Just Call 8084732287 Top Class Call Girl Service Available
Berhampur Call Girl Just Call 8084732287 Top Class Call Girl Service Availablepr788182
 
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan CytotecJual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan CytotecZurliaSoop
 
Durg CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN durg ESCORTS
Durg CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN durg ESCORTSDurg CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN durg ESCORTS
Durg CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN durg ESCORTSkajalroy875762
 
KALYANI 💋 Call Girl 9827461493 Call Girls in Escort service book now
KALYANI 💋 Call Girl 9827461493 Call Girls in Escort service book nowKALYANI 💋 Call Girl 9827461493 Call Girls in Escort service book now
KALYANI 💋 Call Girl 9827461493 Call Girls in Escort service book nowkapoorjyoti4444
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...daisycvs
 
Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentationuneakwhite
 
UAE Bur Dubai Call Girls ☏ 0564401582 Call Girl in Bur Dubai
UAE Bur Dubai Call Girls ☏ 0564401582 Call Girl in Bur DubaiUAE Bur Dubai Call Girls ☏ 0564401582 Call Girl in Bur Dubai
UAE Bur Dubai Call Girls ☏ 0564401582 Call Girl in Bur Dubaijaehdlyzca
 
Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel
 
PARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book now
PARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book nowPARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book now
PARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book nowkapoorjyoti4444
 
Only Cash On Delivery Call Girls In Sikandarpur Gurgaon ❤️8448577510 ⊹Escorts...
Only Cash On Delivery Call Girls In Sikandarpur Gurgaon ❤️8448577510 ⊹Escorts...Only Cash On Delivery Call Girls In Sikandarpur Gurgaon ❤️8448577510 ⊹Escorts...
Only Cash On Delivery Call Girls In Sikandarpur Gurgaon ❤️8448577510 ⊹Escorts...lizamodels9
 
Bangalore Call Girl Just Call♥️ 8084732287 ♥️Top Class Call Girl Service Avai...
Bangalore Call Girl Just Call♥️ 8084732287 ♥️Top Class Call Girl Service Avai...Bangalore Call Girl Just Call♥️ 8084732287 ♥️Top Class Call Girl Service Avai...
Bangalore Call Girl Just Call♥️ 8084732287 ♥️Top Class Call Girl Service Avai...pr788182
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizharallensay1
 

Recently uploaded (20)

Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...
Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...
Chennai Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Av...
 
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
 
Falcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business PotentialFalcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business Potential
 
Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...
Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...
Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...
 
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
 
Falcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investors
 
GUWAHATI 💋 Call Girl 9827461493 Call Girls in Escort service book now
GUWAHATI 💋 Call Girl 9827461493 Call Girls in Escort service book nowGUWAHATI 💋 Call Girl 9827461493 Call Girls in Escort service book now
GUWAHATI 💋 Call Girl 9827461493 Call Girls in Escort service book now
 
Berhampur Call Girl Just Call 8084732287 Top Class Call Girl Service Available
Berhampur Call Girl Just Call 8084732287 Top Class Call Girl Service AvailableBerhampur Call Girl Just Call 8084732287 Top Class Call Girl Service Available
Berhampur Call Girl Just Call 8084732287 Top Class Call Girl Service Available
 
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan CytotecJual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
 
Durg CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN durg ESCORTS
Durg CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN durg ESCORTSDurg CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN durg ESCORTS
Durg CALL GIRL ❤ 82729*64427❤ CALL GIRLS IN durg ESCORTS
 
KALYANI 💋 Call Girl 9827461493 Call Girls in Escort service book now
KALYANI 💋 Call Girl 9827461493 Call Girls in Escort service book nowKALYANI 💋 Call Girl 9827461493 Call Girls in Escort service book now
KALYANI 💋 Call Girl 9827461493 Call Girls in Escort service book now
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
 
Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentation
 
UAE Bur Dubai Call Girls ☏ 0564401582 Call Girl in Bur Dubai
UAE Bur Dubai Call Girls ☏ 0564401582 Call Girl in Bur DubaiUAE Bur Dubai Call Girls ☏ 0564401582 Call Girl in Bur Dubai
UAE Bur Dubai Call Girls ☏ 0564401582 Call Girl in Bur Dubai
 
Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024
 
PARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book now
PARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book nowPARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book now
PARK STREET 💋 Call Girl 9827461493 Call Girls in Escort service book now
 
Only Cash On Delivery Call Girls In Sikandarpur Gurgaon ❤️8448577510 ⊹Escorts...
Only Cash On Delivery Call Girls In Sikandarpur Gurgaon ❤️8448577510 ⊹Escorts...Only Cash On Delivery Call Girls In Sikandarpur Gurgaon ❤️8448577510 ⊹Escorts...
Only Cash On Delivery Call Girls In Sikandarpur Gurgaon ❤️8448577510 ⊹Escorts...
 
Buy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail AccountsBuy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail Accounts
 
Bangalore Call Girl Just Call♥️ 8084732287 ♥️Top Class Call Girl Service Avai...
Bangalore Call Girl Just Call♥️ 8084732287 ♥️Top Class Call Girl Service Avai...Bangalore Call Girl Just Call♥️ 8084732287 ♥️Top Class Call Girl Service Avai...
Bangalore Call Girl Just Call♥️ 8084732287 ♥️Top Class Call Girl Service Avai...
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
 

Penetration testing as an internal audit activity

  • 1. Penetration testing as an internal audit activity ECIIA conference, Stockholm, October 6th 2016
  • 2. Who am I? • I’m a hacker • I’ve hacked applications, networks, trains, lottery machines, routers, laptops, ATM:s, wireless networks, cell phones, embedded systems, production plants, stock exchanges and more… • …all with permission, which makes me a penetration tester • a fair share of the penetration tests I’ve performed were as a part of internal audits. ©TranscendentGroup2016
  • 3. What is penetration testing? A point-in-time assessment of quality of the implemented security controls within the scope of testing. ©TranscendentGroup2016
  • 5. Unfortunately, the questions answered by a penetration test are: ©TranscendentGroup2016 How vulnerable is application X? Is detection and response effective? Are our employees aware and alert? Where are we most vulnerable? Are our preventive controls effective? Are our user’s passwords strong? quite no no your entire intranet no no
  • 6. An analogy: Your house ©TranscendentGroup2016 door sensor front door key alarm sensors CCTV camera
  • 7. The burning question, modified ©TranscendentGroup2016 Are we secure enough?
  • 8. What to ask instead ©TranscendentGroup2016 Are we robust, capable, and continuously improving? • prevention • detection • response• organized • funded • right competencies • right tools and data • aligned to the business • goal-oriented • measuring and adapting to both needs and risks
  • 9. Internal audit’s role as per TLD ©TranscendentGroup2016 The third line of defence – internal audit – is responsible for ensuring that the first and second lines are functioning as designed.
  • 11. What to consider Planning • audit objective • sourcing • engage IT/service provider Execution • help the pentesters translate technical risk to business risk Reporting • do root cause analysis ©TranscendentGroup2016
  • 12. Planning and scoping • First: Ask yourself if a pentest is really a good idea? • Second: What is the question to be answered by the test? • Engage and alert your IT security function and service provider. • Make sure the consultants understand the high-level concepts of your business. ©TranscendentGroup2016 Planning Execution Reporting
  • 13. Tips on sourcing • You’ll get what you pay for. • Choose a preferred vendor, and stick with it. • Hire people, not brand: look for experience. • Certifications to look for: CEH, GIAC certs (GWAPT, GPEN, etcetera). ©TranscendentGroup2016 Planning Execution Reporting
  • 14. Execution • Don’t force your pentesters to go through detailed checklists of what to do/not to do unless absolutely necessary. • Help the pentesters escalate issues. • Set aside time for root cause analysis with the part of the business that has been audited. ©TranscendentGroup2016 Planning Execution Reporting
  • 15. Reporting What to expect: • too technical, unstructured reports • doom and gloom • no business risks • mistaking exploitable technical vulnerabilities for critical business risks How to manage: • keep your eye on the audit objective • make the pentesters rate the difficulty of getting in • challenge, challenge, challenge • understand that it is difficult for an external party to gauge your business risk • uon’t skip root cause analysis ©TranscendentGroup2016 Planning Execution Reporting
  • 16. A word on reporting ©TranscendentGroup2016
  • 18. Example from a pentest: passwords 485 142 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Percentage of passwords cracked Cracked Not cracked ©TranscendentGroup2016 • We were able to crack 77 % of all passwords within 24 hours with a standard issue laptop. • 84 % of the passwords followed the format «string + number + special character». Examples: Summer2016! (pentest performed at summer), Beograd02! (variant of the first password given by the help desk to new users).
  • 19. 5 whys Q: Why are our user’s passwords easy to crack? A: Because they are short and easy to guess. Q: Why are they short and easy to guess? A: Users don’t know what constitutes a strong password, and create short and easy to guess ones because they are also easy to remember. Q: So why do they have trouble remembering their passwords? A: Each user have 5+ different passwords they need to remember to perform their job. We also force them to change their password every 90. days. Q: Why do we force them to change their password? A: … I really don’t know, good practice I guess? Not sure if it creates stronger passwords, though… Q: Why not? A: Well, everybody just creates systems to avoid forgetting the new password. If your first password was “Beograd01!”, your second will be “Beograd02!” and so on. There’s not much security in that. ©TranscendentGroup2016
  • 20. 5 why’s Q: Why did this SQL injection vulnerability occur? A: Because it’s a legacy back-end application that has been exposed to the Internet. Q: Why was it exposed to the Internet? B: To drive and support business initiative X, which requires customer interaction with the system. Q: So why weren’t the project behind business initiative X aware of the vulnerabilities? A: Well, we [the dev team] suspected that the application had substandard security, but there was no one on the team that had the knowledge or time to have an in-depth look. Q: Why? A: Because there’s not allocated any resources to security in our project. Q: Why are there no resources? A: I guess it’s just not budgeted for, or that the business just thinks of it as something the developers and sysadmins should fix as a part of the job. But no one has been given training, and if you look at the project plans, there’s not an hour dedicated to security. ©TranscendentGroup2016
  • 22. Internal audit penetration testing can cause significant security improvement • Penetration testing does not answer the «Are we secure?» question, but provides symptoms of internal control failure. • Pentesting can provide concrete and measurable risk reduction and spark significant improvement initiatives. • Engage with your IT function/service provider/preferred consultants to evaluate the best way to leverage these types of services for your business. ©TranscendentGroup2016