A Security Testing Methodology
that Fits Every IT Budget
Tom Hasman
SRA International, Inc.
Rochester Security Summit
October 20, 2010
Copyright © 2010
Disclaimer
Points of view or opinions expressed in this presentation do not necessarily
represent the official position or policies of SRA.
About SRA
SRA
– Founded in 1978
– Based in Washington, DC; offices throughout the US - Durham,
NC; San Diego; San Antonio; Colorado Springs; Scranton, PA,
Rochester, NY ☺
– Offices in Europe too – United Kingdom, Germany, France and
the Czech Republic
– Work for government organizations and commercial clients
serving the national security, civil government and global health
markets
– Expertise in areas including: air surveillance and air traffic
management; contract research organization (CRO) services;
cyber security; disaster response planning; enterprise resource
planning; environmental strategies; IT systems, infrastructure
and managed services; logistics; public health preparedness;
public safety; strategic management consulting; systems
engineering; and wireless integration.
– Current workforce: 7,100+ employees
– Website: www.sra.com
Speaker Biography
Tom Hasman
– Senior information security analyst on Information
Assurance team at SRA
– Joined SRA in December 2000 – Arlington, VA office
– Background in risk management and security testing;
conducted over 100 risk assessments and security tests
on government systems for clients including EPA, DHS,
DOC, DOI, USITC, and Dept of Treasury
– Advises clients on security policy and how they can
implement a strong risk management program with
limited security resources
– Past speaker at Computer Security Institute (CSI)
Conference and the RSA Security Conference
– MA in Government from Johns Hopkins University and
wrote/defended masters thesis on information warfare.
Agenda
Introduction – why test?
Problems with security testing
Alternate testing solution
– Implement security program and controls before testing
Testing security controls
Creating a test report
Best practices
Summary
Questions
POC information and web site link
Why Conduct Security Testing?
It’s the Law!
– FISMA – requires that federal agencies have an effective program
for protecting their data and information systems (risk
management)
– HIPAA Security Standards
– Sarbanes-Oxley Section 404 Management of Internal Controls
A key component of risk management is the
implementation of a good security testing
program
Security Testing is part of “best practices”
– It increases awareness about security of the system
– Identifies system’s risks, vulnerabilities, etc.
– Provides improved basis for making decisions
– Provides justification of expenditures
– Security Test = High confidence that assets are adequately
protected - assuming the test went well ☺
Problems with Security Testing
Cost
– Many security testing methodologies require
the use of expensive software to aid in testing
Expertise
– Even free tools require technical expertise to
analyze results
Time
– A lot of time spent reviewing tool output
Hire an expert = $$$$
Do it yourself = lots of lost time
– Too much time/money spent on technical
solution, not enough time/energy on personnel
Alternative Testing Solution
Free “tools” from the federal
government’s Department of Commerce
– National Institute of Standards and Technology
(NIST) Computer Security Division
Requires “minimal” technical background
Series of Special Publications that:
– Help you categorize your system (C, I, A ratings)
– Help you choose the appropriate security control to
implement in your system
– Help you test those controls to ensure that they are
implemented correctly (system operating at an
“acceptable level of risk”)
Questions to ask before testing
What am I trying to protect?
– How sensitive is the data?
Do I have a security program?
– What methodology is used?
– How mature is it?
Have I implemented a minimum set of
security controls?
– Implemented
– Planned
– Accept risk
Sensitivity of Data
Based on three security objectives
Confidentiality
– Assurance that information is not disclosed to
unauthorized persons, processes, or devices
Integrity
– Guarding against improper information modification
or destruction
Availability
– Timely, reliable access to data and information
services for authorized users
What am I trying to protect?
(Categorize Your System’s C, I, A Levels)
FIPS 199 – security categorization of federal systems
– Use is required for government information systems
– Used to determine C, I, A levels of system
– NIST SP 800-60 – carries out FIPS 199 requirements
NIST SP 800-60 – Guide for Mapping Types of
Information and Information Systems to Security
Categories
– Revision one released in August 2008
– Contains guidelines for mapping types of information and
information systems to security categories
– In other words, helps determine C, I, A levels (L, M, H) based
on the type of information the system processes
All NIST SP are available at
http://csrc.nist.gov/publications/nistpubs/index.html
What am I trying to protect? (cont)
NIST SP 800-60 Example – Financial Management

Information Type           C   I   A
Payments                   L   M   L
Accounting                 L   M   L
Funds Control              M   M   L
Security Category Rating   M   M   L

Overall Rating = Moderate
Do I have a security program?
(Risk Management Framework)
NIST SP 800-37 – Guide for Applying the Risk
Management Framework to Federal Information
Systems
– Latest version released in February 2010
– Old Model
Conduct system certification & accreditation (C&A)
once every 3 years
Ignore IT security program until C&A is due again
– New Model
Maintains the need for a C&A every 3 years
Organizations must practice continuous monitoring
A subset of controls should be tested yearly
Minimizes burden of C&A (controls constantly tested)
Have I Implemented a minimum
set of controls?
NIST SP 800-53 Rev3
– Latest version is August 2009 (updates to May 1, 2010)
– Establishes minimum set of security controls based on
system information C, I, A levels
– Document has baseline + “control enhancements” for
those areas where C, I, A is medium or high
– 17 families among Management, Operational and
Technical controls + 1 family for Program Management
– Originally designed for systems but many controls can be
applied at the organization level
Awareness & Training
Incident Response
Contingency Planning
Implementing Security Controls (continued)
Rev 3 removed controls that were duplicated in Rev 2
– Example: Session Termination (AC-12) and Network
Disconnect (SC-10) were very similar
– Now covered under SC-10 in revision 3
New controls added
– Many new controls in SC family including:
Fail state, honeypots, security of information “at rest”
– Program Management (PM) family also added
Implementing controls at organization level
Ex – appointing CISO, capital planning for security
Offers the ability to designate common and
hybrid controls
– Common – implemented at an organizational level (AT-2)
– Hybrid – combination of organization/system (CP-2)
Implementing Security Controls (cont2)
Minimum Security Requirements
Access Control (T)
Awareness and Training (O)
Audit and Accountability (T)
Security Assessment and Authorization (M)
Configuration Management (O)
Contingency Planning (O)
Identification and Authentication (T)
Incident Response (O)
Maintenance (O)
Media Protection (O)
Physical and Environmental Protection (O)
Planning (M)
Personnel Security (O)
Risk Assessment (M)
Systems and Services Acquisition (M)
System and Communications Protection (T)
System and Information Integrity (O)
Program Management (PM) – organization-wide
Implementing Security Controls (cont3)
Rev3 also provides priority for control
implementation
– Priority Code (P1) – implement first
– Priority Code (P2) – implement only after all P1
controls are in place
– Priority Code (P3) – implement only after all P1
and P2 controls in place
– Unspecified Priority Code (P0) – government
does not require for federal systems
Organization may choose to implement
Implementing Security Controls (cont4)
Use the priority codes to help guide
what controls you will implement
– Make Adjustments for:
Budget
Organizational/company mission
Includes capability to test technical
controls
– Minimizes the need for security scans*
*As long as you’re honest
*Security scans are still needed periodically
*Big organizations should run scans on a
regular basis
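The two steps the slides walk through, categorizing the system with the FIPS 199 high-water mark and then selecting the SP 800-53 Rev3 baseline for that impact level in priority-code order, as an added Python example (not from the presentation). The Financial Management ratings are the slide's own; the control priorities and enhancement numbers are a constructed mini-catalogue modeled on the slide examples and must be checked against the publication.

```python
"""Added example: categorize a system with the FIPS 199 / SP 800-60
high-water mark, then pick the SP 800-53 Rev3 baseline controls for that
impact level in priority-code order."""
from dataclasses import dataclass, field

LEVELS = ("L", "M", "H")                 # impact levels, increasing
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
NAMES = {"L": "Low", "M": "Moderate", "H": "High"}
OBJECTIVES = ("C", "I", "A")             # confidentiality, integrity, availability


def highest(levels):
    """High-water mark: the most severe impact level in `levels`."""
    return max(levels, key=lambda lvl: RANK[lvl])


def categorize(info_types):
    """Per-objective security category of a system.

    info_types maps an SP 800-60 information type to its provisional
    {"C": lvl, "I": lvl, "A": lvl} ratings; each objective takes the
    high-water mark across all information types (FIPS 199)."""
    for name, ratings in info_types.items():
        for obj in OBJECTIVES:
            if ratings.get(obj) not in RANK:
                raise ValueError(f"{name}: bad {obj} rating {ratings.get(obj)!r}")
    return {obj: highest(r[obj] for r in info_types.values()) for obj in OBJECTIVES}


def overall_level(category):
    """Overall system impact level: the high-water mark of C, I and A."""
    return highest(category.values())


@dataclass
class Control:
    cid: str
    name: str
    priority: str            # P1/P2/P3 implement in that order; P0 = not required
    baseline: tuple = ()     # impact levels at which the base control is selected
    enhancements: dict = field(default_factory=dict)   # level -> enhancement numbers


def select_controls(catalog, level, include_optional=False):
    """(control, enhancements) pairs selected at `level`, P1 first, P0 last.

    P0 controls are not required for federal systems; an organization may
    still choose them, which `include_optional` models."""
    chosen = []
    for ctl in catalog:
        if ctl.priority == "P0":
            if not include_optional:
                continue
        elif level not in ctl.baseline:
            continue
        chosen.append((ctl, tuple(ctl.enhancements.get(level, ()))))
    # sorted() is stable, so catalogue order is kept within a priority code
    return sorted(chosen, key=lambda p: (p[0].priority == "P0", p[0].priority))


# Constructed input: the slide's SP 800-60 Financial Management example.
FINANCIAL_MANAGEMENT = {
    "Payments":      {"C": "L", "I": "M", "A": "L"},
    "Accounting":    {"C": "L", "I": "M", "A": "L"},
    "Funds Control": {"C": "M", "I": "M", "A": "L"},
}

# Constructed mini-catalogue mirroring the controls the slides discuss. The
# priority codes and enhancement numbers are recalled from Rev3, not quoted
# from it: verify against the publication before using them for real.
CATALOG = [
    Control("AC-2", "Account Management", "P1", ("L", "M", "H"),
            {"M": (1, 2, 3, 4), "H": (1, 2, 3, 4)}),
    Control("AT-2", "Security Awareness", "P1", ("L", "M", "H")),
    Control("AU-3", "Content of Audit Records", "P1", ("L", "M", "H"),
            {"M": (1,), "H": (1, 2)}),
    Control("SC-10", "Network Disconnect", "P2", ("M", "H")),
    Control("AT-5", "Contacts with Security Groups and Associations", "P0"),
]


def plan(info_types, catalog, include_optional=False):
    """Human-readable implementation plan for a system, one line per control."""
    category = categorize(info_types)
    level = overall_level(category)
    lines = ["Category: " + ", ".join(f"{o}={NAMES[category[o]]}" for o in OBJECTIVES),
             f"Overall rating: {NAMES[level]}"]
    for ctl, enh in select_controls(catalog, level, include_optional):
        suffix = " + enhancements " + "".join(f"({n})" for n in enh) if enh else ""
        lines.append(f"  [{ctl.priority}] {ctl.cid} {ctl.name}{suffix}")
    return lines


if __name__ == "__main__":
    print("\n".join(plan(FINANCIAL_MANAGEMENT, CATALOG)))
```

Running it prints the Moderate categorization from the slide and the P1 controls (with their M-level enhancements) ahead of SC-10, with AT-5 omitted unless `include_optional=True`.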
[Screen capture from NIST 800-53 rev3: control now tested under SC-10]

NIST SP 800-53 Example #1 (AT-2)
[Screen capture: AT-2 baseline control; control enhancement is optional – see next slide]
[Screen capture: AT-2 has no control enhancements for L, M, H]

NIST SP 800-53 Example #2 (AC-2)
[Screen capture: AC-2 baseline control]
[Screen capture: AC-2 has no enhancements at L; control enhancements for M, H]

NIST SP 800-53 Example #3 (AU-3)
[Screen capture: AU-3 control enhancements increase for L, M, H]

NIST SP 800-53 Example #4 (AT-5)
[Screen capture: AT-5 is an optional control, not selected for L, M, H]

Testing Security Controls
NIST SP 800-53A – used to test implemented controls
Latest version published in June 2010
Three types of tests
– Examine
– Interview
– Test (requires the use of automated tools)
Observe, for example: a new account with a weak password, a user attempting
to perform administrative functions, whether passwords are obscured
Follows the same format as NIST SP 800-53
– 17 control families + 1 program level family
– Categorized under 3 classes
Management, Operational, Technical
Guidelines for testing vary based on sensitivity of
information
– Low, moderate, high system impact levels

[Slide image: AT-2 – Testing the control]
[Slide image: AC-2 – Assessment Objective]
[Slide image: AC-2 – Testing the baseline control; interviews with System Manager, System Administrator, HR]
[Slide image: AC-2 – Testing the control enhancements]
[Slide image: AU-3 – Assessment Objective and Testing the baseline control]
[Slide image: AU-3 – Testing the control enhancement]

Test Report
Output of all testing activities
Used to communicate to management
security posture of organization
Several ways to communicate results:
– Table format
– Paragraph format
– Hybrid
Paragraph format – executive summary of
testing activities
Table format – lists test results

Sample Test Report
(Columns: Control | Test Method | Test Date | Test Result | Pass/Fail)

Control: AT-2
  Test Method (Test Date):
    - Examined security awareness PowerPoint slides (10/2/10)
    - Examined security awareness poster near elevator (wear badge and don’t let people tailgate) (10/2/10)
    - Examined training records Excel spreadsheet (10/4/10)
    - Interviewed Training Coordinator [Name here] (10/8/10)
    - Interviewed five employees [list names here] (10/8/10)
  Test Result:
    - PowerPoint slides very detailed and easy to understand.
    - Security posters placed around building (elevators, kitchen) are eye catching and communicate message effectively
    - Training records spreadsheet includes names of all employees and date PowerPoint presentation was completed.
    - Training coordinator very knowledgeable
    - Employees discussed content of slides (verified that they actually took the training)
  Pass/Fail: Pass

Control: AC-2
  Test Method (Test Date):
    - Examined Account Management Handbook V1.4 dated 5/12/10 (10/16/10)
    - Interviewed System Manager Abigail Hasman (10/19/10)
    - Interviewed System Administrator Sam Hasman (10/20/10)
    - Interviewed Human Resources Rep Linda Hasman (10/20/10)
  Test Result:
    - Account management handbook contains procedures for opening and closing accounts, but often the system administrator creates new accounts without system manager approval
    - Human resources rep not contacted on a regular basis. Result = many accounts of departed employees remain open
  Pass/Fail: Fail

Sample Test Report (continued)

Control: PE-7 (Visitor Control)
  Test Method (Test Date):
    - Examined visitor sign-in log for 9/15/10-9/30/10 (10/2/10)
    - Interviewed two front desk security officers [list names here] (10/2/10)
  Test Result:
    - Visitor sign-in log was missing information. In many cases, the name of the employee accompanying the visitor was not listed. In some other cases, the date of the visit was missing.
    - Front desk security officers noted that they are often overwhelmed with multiple tasks and therefore can’t always scrutinize employees when they are signing in visitors.
  Pass/Fail: Fail

Control: AU-3
  Test Method (Test Date):
    - Examined auditing procedures (9/30/10)
    - Examined sample audit report (9/30/10)
  Test Result:
    - Audit procedures very detailed and contain list of specific events to be audited.
    - Sample report included the list of audited events identified in the procedure.
  Pass/Fail: Pass

Best Practices
Do not begin testing until you:
– Know the sensitivity of system/organizational data
– Have a security methodology in place
– Have implemented a minimum set of security controls
Give interviewees background on task before
conducting interview
Take interview notes on a laptop
– Do not use paper and pen
Write up test results as you complete
interviews
When possible, try to include something
positive in test results
Summary
Testing leads to a good risk management
program
High confidence that assets are protected
from external and internal threats
Following a test methodology such as NIST
or OCTAVE minimizes your need to conduct
expensive and time consuming vulnerability
scans
Practice “Continuous Monitoring” of security
controls
Questions
Contact Information &
Website for NIST Publications
Tom Hasman
– tom_hasman@sra.com
– 585-473-6512 (office)
– 585-857-3718 (cell)
All NIST SP are available at:
– http://csrc.nist.gov/publications/PubsSPs.html

Weitere ähnliche Inhalte

Was ist angesagt?

Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditingPiyush Jain
 
Vskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills
 
Risk management ii
Risk management iiRisk management ii
Risk management iiDhani Ahmad
 
1. security management practices
1. security management practices1. security management practices
1. security management practices7wounders
 
Nist.sp.800 37r2
Nist.sp.800 37r2Nist.sp.800 37r2
Nist.sp.800 37r2newbie2019
 
ControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdf
ControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdfControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdf
ControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdfsulu98
 
Information Security
Information SecurityInformation Security
Information Securitychenpingling
 
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...festival ICT 2016
 
Network security policies
Network security policiesNetwork security policies
Network security policiesUsman Mukhtar
 
Chapter 12 iso 27001 awareness
Chapter 12 iso 27001 awarenessChapter 12 iso 27001 awareness
Chapter 12 iso 27001 awarenessnewbie2019
 
Understanding the security_organization
Understanding the security_organizationUnderstanding the security_organization
Understanding the security_organizationDan Morrill
 
Risk management i
Risk management iRisk management i
Risk management iDhani Ahmad
 
Security Organization/ Infrastructure
Security Organization/ InfrastructureSecurity Organization/ Infrastructure
Security Organization/ InfrastructurePriyank Hada
 
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKSRISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKSChristina33713
 
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2Denise Tawwab
 

Was ist angesagt? (20)

Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditing
 
Vskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample Material
 
Risk management ii
Risk management iiRisk management ii
Risk management ii
 
1. security management practices
1. security management practices1. security management practices
1. security management practices
 
Lesson 3- Fair Approach
Lesson 3- Fair ApproachLesson 3- Fair Approach
Lesson 3- Fair Approach
 
Nist.sp.800 37r2
Nist.sp.800 37r2Nist.sp.800 37r2
Nist.sp.800 37r2
 
ControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdf
ControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdfControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdf
ControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdf
 
Information Security
Information SecurityInformation Security
Information Security
 
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
 
Network security policies
Network security policiesNetwork security policies
Network security policies
 
Chapter 5
Chapter 5Chapter 5
Chapter 5
 
Chapter 12 iso 27001 awareness
Chapter 12 iso 27001 awarenessChapter 12 iso 27001 awareness
Chapter 12 iso 27001 awareness
 
Understanding the security_organization
Understanding the security_organizationUnderstanding the security_organization
Understanding the security_organization
 
Lesson 1- Information Policy
Lesson 1- Information PolicyLesson 1- Information Policy
Lesson 1- Information Policy
 
Risk management i
Risk management iRisk management i
Risk management i
 
Security Organization/ Infrastructure
Security Organization/ InfrastructureSecurity Organization/ Infrastructure
Security Organization/ Infrastructure
 
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKSRISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
 
Role management
Role managementRole management
Role management
 
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
 
Physical Security Management System
Physical Security Management SystemPhysical Security Management System
Physical Security Management System
 

Andere mochten auch

Security Consulting Methodology
Security Consulting MethodologySecurity Consulting Methodology
Security Consulting Methodologyciso_insights
 
Webinar: Automate Your Environment Provisioning for Mobile App Development
Webinar: Automate Your Environment Provisioning for Mobile App Development Webinar: Automate Your Environment Provisioning for Mobile App Development
Webinar: Automate Your Environment Provisioning for Mobile App Development Skytap Cloud
 
Paradigm Shift! - Customer Information Centric IT Risk Assessments
Paradigm Shift! - Customer Information Centric IT Risk AssessmentsParadigm Shift! - Customer Information Centric IT Risk Assessments
Paradigm Shift! - Customer Information Centric IT Risk AssessmentsFernando Reiser
 
Alvaro De Oliveira, President, European Network of Living Labs - from Policy ...
Alvaro De Oliveira, President, European Network of Living Labs - from Policy ...Alvaro De Oliveira, President, European Network of Living Labs - from Policy ...
Alvaro De Oliveira, President, European Network of Living Labs - from Policy ...European Network of Living Labs (ENoLL)
 
Office cleaning
Office cleaningOffice cleaning
Office cleaningSusan Roy
 
Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...
Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...
Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...Tom Moore
 
Disruptive Methodology Information Security Bradford Haizlett
Disruptive Methodology Information Security Bradford HaizlettDisruptive Methodology Information Security Bradford Haizlett
Disruptive Methodology Information Security Bradford HaizlettBradford Haizlett
 
VIMRO Cyber Security Methodology
VIMRO Cyber Security MethodologyVIMRO Cyber Security Methodology
VIMRO Cyber Security MethodologyFitCEO, Inc. (FCI)
 
The Thin End of the Wedge: Information Security Risk Assessments based on the...
The Thin End of the Wedge: Information Security Risk Assessments based on the...The Thin End of the Wedge: Information Security Risk Assessments based on the...
The Thin End of the Wedge: Information Security Risk Assessments based on the...PECB
 
Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!espheresecurity
 
Security testing activities
Security testing activitiesSecurity testing activities
Security testing activitiesDharmdev Maurya
 
Introduction to security testing
Introduction to security testingIntroduction to security testing
Introduction to security testingNagasahas DS
 
Explore Security Testing
Explore Security TestingExplore Security Testing
Explore Security Testingshwetaupadhyay
 
Web Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWeb Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWebsecurify
 
Security Sector- Training Methodology at College Of Security Studies
Security Sector- Training Methodology at College Of Security StudiesSecurity Sector- Training Methodology at College Of Security Studies
Security Sector- Training Methodology at College Of Security StudiesCollege Of Security Studies
 

Andere mochten auch (20)

Security Consulting Methodology
Security Consulting MethodologySecurity Consulting Methodology
Security Consulting Methodology
 
Webinar: Automate Your Environment Provisioning for Mobile App Development
Webinar: Automate Your Environment Provisioning for Mobile App Development Webinar: Automate Your Environment Provisioning for Mobile App Development
Webinar: Automate Your Environment Provisioning for Mobile App Development
 
Paradigm Shift! - Customer Information Centric IT Risk Assessments
Paradigm Shift! - Customer Information Centric IT Risk AssessmentsParadigm Shift! - Customer Information Centric IT Risk Assessments
Paradigm Shift! - Customer Information Centric IT Risk Assessments
 
Alvaro De Oliveira, President, European Network of Living Labs - from Policy ...
Alvaro De Oliveira, President, European Network of Living Labs - from Policy ...Alvaro De Oliveira, President, European Network of Living Labs - from Policy ...
Alvaro De Oliveira, President, European Network of Living Labs - from Policy ...
 
Office cleaning
Office cleaningOffice cleaning
Office cleaning
 
Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...
Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...
Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...
 
TWK 2013_Fall_Final
TWK 2013_Fall_FinalTWK 2013_Fall_Final
TWK 2013_Fall_Final
 
Disruptive Methodology Information Security Bradford Haizlett
Disruptive Methodology Information Security Bradford HaizlettDisruptive Methodology Information Security Bradford Haizlett
Disruptive Methodology Information Security Bradford Haizlett
 
VIMRO Cyber Security Methodology
VIMRO Cyber Security MethodologyVIMRO Cyber Security Methodology
VIMRO Cyber Security Methodology
 
The Thin End of the Wedge: Information Security Risk Assessments based on the...
The Thin End of the Wedge: Information Security Risk Assessments based on the...The Thin End of the Wedge: Information Security Risk Assessments based on the...
The Thin End of the Wedge: Information Security Risk Assessments based on the...
 
Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!
 
Security testing activities
Security testing activitiesSecurity testing activities
Security testing activities
 
Ajit Singh_CV
Ajit Singh_CVAjit Singh_CV
Ajit Singh_CV
 
Our Consulting Methodology
Our Consulting MethodologyOur Consulting Methodology
Our Consulting Methodology
 
Introduction to security testing
Introduction to security testingIntroduction to security testing
Introduction to security testing
 
Explore Security Testing
Explore Security TestingExplore Security Testing
Explore Security Testing
 
Web Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWeb Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing Methodology
 
Security Sector- Training Methodology at College Of Security Studies
Security Sector- Training Methodology at College Of Security StudiesSecurity Sector- Training Methodology at College Of Security Studies
Security Sector- Training Methodology at College Of Security Studies
 
Security testing
Security testingSecurity testing
Security testing
 
Security-testing presentation
Security-testing presentationSecurity-testing presentation
Security-testing presentation
 

Ähnlich wie A Security Testing Methodology that Fits Every IT Budget

iDEAFest Enteprise InfoSec Program Lessons Learned
iDEAFest Enteprise InfoSec Program Lessons LearnediDEAFest Enteprise InfoSec Program Lessons Learned
iDEAFest Enteprise InfoSec Program Lessons LearnedMichael King
 
RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™CPaschal
 
Convergence innovative integration of security
Convergence   innovative integration of securityConvergence   innovative integration of security
Convergence innovative integration of securityciso_insights
 
Reorganizing Federal IT to Address Today's Threats
Reorganizing Federal IT to Address Today's ThreatsReorganizing Federal IT to Address Today's Threats
Reorganizing Federal IT to Address Today's ThreatsLumension
 
The Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentThe Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentBradley Susser
 
2008: Web Application Security Tutorial
2008: Web Application Security Tutorial2008: Web Application Security Tutorial
2008: Web Application Security TutorialNeil Matatall
 
Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Tammy Clark
 
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Gs Us Roadmap For A World Class Information Security Management System– Isoie...Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Gs Us Roadmap For A World Class Information Security Management System– Isoie...Tammy Clark
 
Application Security Maturity Model
Application Security Maturity ModelApplication Security Maturity Model
Application Security Maturity ModelSecurity Innovation
 
Developing an Information Security Program
Developing an Information Security ProgramDeveloping an Information Security Program
Developing an Information Security ProgramShauna_Cox
 
Cyber Families - Incident Response.pptx
Cyber Families - Incident Response.pptxCyber Families - Incident Response.pptx
Cyber Families - Incident Response.pptxKinetic Potential
 
A Security Testing Methodology that Fits Every IT Budget

  • 1. A Security Testing Methodology that Fits Every IT Budget
  Tom Hasman, SRA International, Inc.
  Rochester Security Summit, October 20, 2010
  • 2. Disclaimer
  Copyright © 2010
  Points of view or opinions expressed in this presentation do not necessarily represent the official position or policies of SRA.
  • 3. About SRA
  – Founded in 1978
  – Based in Washington, DC; offices throughout the US - Durham, NC; San Diego; San Antonio; Colorado Springs; Scranton, PA; Rochester, NY ☺
  – Offices in Europe too – United Kingdom, Germany, France and the Czech Republic
  – Work for government organizations and commercial clients serving the national security, civil government and global health markets
  – Expertise in areas including: air surveillance and air traffic management; contract research organization (CRO) services; cyber security; disaster response planning; enterprise resource planning; environmental strategies; IT systems, infrastructure and managed services; logistics; public health preparedness; public safety; strategic management consulting; systems engineering; and wireless integration.
  – Current workforce: 7,100+ employees
  – Website: www.sra.com
  • 4. Speaker Biography
  Tom Hasman
  – Senior information security analyst on the Information Assurance team at SRA
  – Joined SRA in December 2000 – Arlington, VA office
  – Background in risk management and security testing; conducted over 100 risk assessments and security tests on government systems for clients including EPA, DHS, DOC, DOI, USITC, and Dept of Treasury
  – Advises clients on security policy and how they can implement a strong risk management program with limited security resources
  – Past speaker at Computer Security Institute (CSI) Conference and the RSA Security Conference
  – MA in Government from Johns Hopkins University; wrote/defended master's thesis on information warfare
  • 5. Agenda
  – Introduction – why test?
  – Problems with security testing
  – Alternate testing solution – implement security program and controls before testing
  – Testing security controls
  – Creating a test report
  – Best practices
  – Summary
  – Questions
  – POC information and web site link
  • 6. Why Conduct Security Testing?
  – It's the Law!
    – FISMA – requires federal agencies to have an effective program for protecting their data and information systems (risk management)
    – HIPAA Security Standards
    – Sarbanes-Oxley Section 404 Management of Internal Controls
  – A key component of risk management is the implementation of a good security testing program
  – Security testing is part of "best practices"
    – It increases awareness about security of the system
    – Identifies the system's risks, vulnerabilities, etc.
    – Provides improved basis for making decisions
    – Provides justification of expenditures
    – Security Test = high confidence that assets are adequately protected - assuming the test went well ☺
  • 7. Problems with Security Testing
  – Cost – many security testing methodologies require the use of expensive software to aid in testing
  – Expertise – even free tools require technical expertise to analyze results
  – Time – a lot of time spent reviewing tool output
    – Hire an expert = $$$$
    – Do it yourself = lots of lost time
  – Too much time/money spent on technical solution, not enough time/energy on personnel
  • 8. Alternative Testing Solution
  – Free "tools" from the federal government's Department of Commerce – National Institute of Standards and Technology (NIST) Computer Security Division
  – Requires "minimal" technical background
  – Series of Special Publications that:
    – Help you categorize your system (C, I, A ratings)
    – Help you choose the appropriate security controls to implement in your system
    – Help you test those controls to ensure that they are implemented correctly (system operating at an "acceptable level of risk")
  • 9. Questions to ask before testing
  – What am I trying to protect?
    – How sensitive is the data?
  – Do I have a security program?
    – What methodology is used?
    – How mature is it?
  – Have I implemented a minimum set of security controls?
    – Implemented
    – Planned
    – Accept risk
  • 10. Sensitivity of Data
  Based on three security objectives:
  – Confidentiality – assurance that information is not disclosed to unauthorized persons, processes, or devices
  – Integrity – guarding against improper information modification or destruction
  – Availability – timely, reliable access to data and information services for authorized users
  • 11. What am I trying to protect? (Categorize Your System's C, I, A Levels)
  – FIPS 199 – security categorization of federal systems
    – Use is required for government information systems
    – Used to determine C, I, A levels of system
    – NIST SP 800-60 – carries out FIPS 199 requirements
  – NIST SP 800-60 – Guide for Mapping Types of Information and Information Systems to Security Categories
    – Revision one released in August 2008
    – Contains guidelines for mapping types of information and information systems to security categories
    – In other words, helps determine C, I, A levels (L, M, H) based on the type of information the system processes
  – All NIST SP are available at http://csrc.nist.gov/publications/nistpubs/index.html
  • 12. What am I trying to protect? (cont) – NIST SP 800-60 Example
  Financial Management
  Information Type           C   I   A
  Payments                   L   M   L
  Accounting                 L   M   L
  Funds Control              M   M   L
  Security Category Rating   M   M   L
  Overall Rating = Moderate
  • 13. Do I have a security program? (Risk Management Framework)
  – NIST SP 800-37 – Guide for Applying the Risk Management Framework to Federal Information Systems
    – Latest version released in February 2010
  – Old Model
    – Conduct system certification & accreditation (C&A) once every 3 years
    – Ignore IT security program until C&A is due again
  – New Model
    – Maintains the need for a C&A every 3 years
    – Organizations must practice continuous monitoring
    – A subset of controls should be tested yearly
    – Minimizes burden of C&A (controls constantly tested)
  • 14. Have I implemented a minimum set of controls?
  – NIST SP 800-53 Rev3
    – Latest version is August 2009 (updates to May 1, 2010)
    – Establishes minimum set of security controls based on system information C, I, A levels
    – Document has baseline + "control enhancements" for those areas where C, I, A is medium or high
    – 17 families among Management, Operational and Technical controls + 1 family for Program Management
    – Originally designed for systems, but many controls can be applied at the organization level: Awareness & Training, Incident Response, Contingency Planning
  • 15. Implementing Security Controls (continued)
  – Rev 3 removed duplicate questions in rev2
    – Example: Session Termination (AC-12) and Network Disconnect (SC-10) very similar
    – Now under SC-10 in revision 3
  – New controls added
    – Many new controls in SC family including: fail state, honeypots, security of information "at rest"
    – Program Management (PM) family also added – implementing controls at organization level, e.g. appointing CISO, capital planning for security
  – Offers the ability to designate common and hybrid controls
    – Common – implement at an organizational level (AT-2)
    – Hybrid – combination of organization/system (CP-2)
  • 16. Implementing Security Controls (cont2) – Minimum Security Requirements
  (M = Management, O = Operational, T = Technical class)
  – Access Control (T)
  – Awareness and Training (O)
  – Audit and Accountability (T)
  – Security Assessment and Authorization (M)
  – Configuration Management (O)
  – Contingency Planning (O)
  – Identification and Authentication (T)
  – Incident Response (O)
  – Maintenance (O)
  – Media Protection (O)
  – Physical and Environmental Protection (O)
  – Planning (M)
  – Personnel Security (O)
  – Risk Assessment (M)
  – Systems and Services Acquisition (M)
  – System and Communications Protection (T)
  – System and Information Integrity (O)
  – Program Management (PM) – organization-wide
  • 17. Implementing Security Controls (cont3)
  – Rev3 also provides priority for control implementation
    – Priority Code (P1) – implement first
    – Priority Code (P2) – implement only after all P1 controls are in place
    – Priority Code (P3) – implement only after all P1 and P2 controls are in place
    – Unspecified Priority Code (P0) – government does not require for federal systems; organization may choose to implement
  • 18. Implementing Security Controls (cont4)
  – Use the priority codes to help guide what controls you will implement
    – Make adjustments for: budget; organizational/company mission
  – Includes capability to test technical controls
    – Minimizes the need for security scans*
  * As long as you're honest
  * Security scans still needed periodically
  * Big organizations should run scans on a regular basis
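The categorization step from slides 11-12 and the baseline/priority-code selection from slides 14-18, carried out in code. This is an added example, not part of the deck or of NIST's publications; the Financial Management ratings are the ones on slide 12, while SAMPLE_CATALOG is a constructed sample whose shape mirrors the deck's AT-2, AC-2, AU-3 and AT-5 examples, so real baselines and priorities must come from SP 800-53 itself.

```python
"""Added example (not from the slides or from NIST): FIPS 199 / SP 800-60
high-water-mark categorization followed by SP 800-53 rev3-style baseline
selection ordered by priority code. SAMPLE_CATALOG is a constructed sample
whose shape mirrors the deck's examples; take real baselines from the
publication itself."""
from dataclasses import dataclass, field

# FIPS 199 impact levels in increasing order.
LEVELS = {"L": 0, "M": 1, "H": 2}
OBJECTIVES = ("C", "I", "A")   # confidentiality, integrity, availability


def high_water_mark(levels):
    """Highest impact level among an iterable of 'L'/'M'/'H' values."""
    levels = list(levels)
    unknown = [v for v in levels if v not in LEVELS]
    if unknown:
        raise ValueError(f"unknown impact level(s): {unknown}")
    return max(levels, key=LEVELS.__getitem__)


def categorize_system(info_types):
    """Security category of a system from its SP 800-60 information types.

    info_types: {name: {"C": level, "I": level, "A": level}}.
    Each objective takes the high-water mark across all information types;
    the overall system level is the high-water mark across C, I and A.
    """
    if not info_types:
        raise ValueError("at least one information type is required")
    category = {
        obj: high_water_mark(ratings[obj] for ratings in info_types.values())
        for obj in OBJECTIVES
    }
    category["overall"] = high_water_mark(category[obj] for obj in OBJECTIVES)
    return category


# The Financial Management example from slide 12 (SP 800-60 ratings).
FINANCIAL_MANAGEMENT = {
    "Payments":      {"C": "L", "I": "M", "A": "L"},
    "Accounting":    {"C": "L", "I": "M", "A": "L"},
    "Funds Control": {"C": "M", "I": "M", "A": "L"},
}


@dataclass
class Control:
    ident: str
    family: str
    priority: str                      # P0 (not selected), P1, P2 or P3
    baselines: set                     # impact levels whose baseline selects it
    enhancements: dict = field(default_factory=dict)   # level -> enhancement numbers


# Constructed sample catalog shaped like the deck's AT-2, AC-2, AU-3 and AT-5
# examples (enhancement numbers and priorities are illustrative).
SAMPLE_CATALOG = [
    Control("AT-2", "Awareness and Training", "P1", {"L", "M", "H"}),   # no enhancements at any level
    Control("AC-2", "Access Control", "P1", {"L", "M", "H"},
            {"M": [1, 2, 3, 4], "H": [1, 2, 3, 4]}),                     # enhancements only for M and H
    Control("AU-3", "Audit and Accountability", "P1", {"L", "M", "H"},
            {"M": [1], "H": [1, 2]}),                                      # enhancements grow with level
    Control("CP-2", "Contingency Planning", "P1", {"L", "M", "H"},
            {"M": [1], "H": [1, 2, 3]}),
    Control("SC-10", "System and Communications Protection", "P2", {"M", "H"}),
    Control("AT-5", "Awareness and Training", "P0", set()),                # optional, not selected for L, M, H
]

PRIORITY_ORDER = {"P1": 1, "P2": 2, "P3": 3, "P0": 4}


def select_baseline(catalog, level, include_optional=False):
    """Controls (with enhancements) to implement for an impact level.

    Returns [(control id, [enhancement numbers]), ...] sorted P1 -> P2 -> P3,
    so the list doubles as the implementation order the deck recommends.
    P0 controls are left out unless the organization opts in.
    """
    if level not in LEVELS:
        raise ValueError(f"unknown impact level {level!r}")
    chosen = []
    for ctl in catalog:
        if ctl.priority == "P0":
            if not include_optional:
                continue
        elif level not in ctl.baselines:
            continue
        chosen.append((ctl.ident, list(ctl.enhancements.get(level, []))))
    prio = {ctl.ident: PRIORITY_ORDER[ctl.priority] for ctl in catalog}
    chosen.sort(key=lambda item: (prio[item[0]], item[0]))
    return chosen


def plan_for(info_types, catalog=SAMPLE_CATALOG):
    """Categorize the system and return (overall level, ordered control list)."""
    level = categorize_system(info_types)["overall"]
    return level, select_baseline(catalog, level)


if __name__ == "__main__":
    level, plan = plan_for(FINANCIAL_MANAGEMENT)
    print("Overall rating:", level)        # M, as on slide 12
    for ident, enh in plan:
        print(f"  {ident:6} enhancements: {enh or 'none'}")
```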
  • 19. Screen capture from NIST 800-53 rev3 – now tested under SC-10
  • 20. NIST SP 800-53 Example #1 (AT-2) – control enhancement is optional (see next slide)
  • 21. NIST SP 800-53 Example #1 (AT-2) – no control enhancements for L, M, H
  • 22. NIST SP 800-53 Example #2 (AC-2)
  • 23. NIST SP 800-53 Example #2 (AC-2) – control enhancements for M, H
  • 24. NIST SP 800-53 Example #2 (AC-2) – control enhancements for M, H (screenshot labels: "No enhancements", "Enhancements")
  • 25. NIST SP 800-53 Example #3 (AU-3) – control enhancements increase for L, M, H
  • 26. NIST SP 800-53 Example #4 (AT-5) – optional control (not selected for L, M, H)
  • 27. Testing Security Controls
  – NIST SP 800-53A – used to test implemented controls
    – Latest version published in June 2010
  – Three types of tests
    – Examine
    – Interview
    – Test (requires the use of automated tools)
      – Observe – new account with weak password, user attempting to perform administrative functions, obscuring passwords
  – Follows the same format as NIST SP 800-53
    – 17 control families + 1 program-level family
    – Categorized under 3 classes: Management, Operational, Technical
  – Guidelines for testing vary based on sensitivity of information
    – Low, moderate, high system impact levels
  • 28. AT-2: Testing the control
  • 29. AC-2: Assessment Objective
  • 30. AC-2: Testing the baseline control (System Manager, System Administrator, HR)
  • 31. AC-2: Testing the control enhancements
  • 32. AU-3: Assessment Objective and Testing the baseline control
  • 33. AU-3: Testing the control enhancement
  • 34. Test Report
  – Output of all testing activities
  – Used to communicate the security posture of the organization to management
  – Several ways to communicate results:
    – Table format
    – Paragraph format
    – Hybrid
      – Paragraph format – executive summary of testing activities
      – Table format – lists test results
  • 35. Sample Test Report
  Columns: Control | Test Method | Test Date | Test Result | Pass/Fail
  Control: AT-2
    Test Method / Test Date:
    – Examined security awareness PowerPoint slides (10/2/10)
    – Examined security awareness poster near elevator (wear badge and don't let people tailgate) (10/2/10)
    – Examined training records Excel spreadsheet (10/4/10)
    – Interviewed Training Coordinator [Name here] (10/8/10)
    – Interviewed five employees [list names here] (10/8/10)
    Test Result:
    – PowerPoint slides very detailed and easy to understand.
    – Security posters placed around building (elevators, kitchen) are eye catching and communicate message effectively.
    – Training records spreadsheet includes names of all employees and date PowerPoint presentation was completed.
    – Training coordinator very knowledgeable.
    – Employees discussed content of slides (verified that they actually took the training).
    Pass/Fail: Pass
  Control: AC-2
    Test Method / Test Date:
    – Examined Account Management Handbook V1.4 dated 5/12/10 (10/16/10)
    – Interviewed System Manager Abigail Hasman (10/19/10)
    – Interviewed System Administrator Sam Hasman (10/20/10)
    – Interviewed Human Resources Rep Linda Hasman (10/20/10)
    Test Result:
    – Account management handbook contains procedures for opening and closing accounts, but often the system administrator creates new accounts without system manager approval.
    – Human resources rep not contacted on a regular basis. Result = many accounts of departed employees remain open.
    Pass/Fail: Fail
  • 36. Sample Test Report (continued)
  Control: PE-7 (Visitor Control)
    Test Method / Test Date:
    – Examined visitor sign-in log for 9/15/10-9/30/10 (10/2/10)
    – Interviewed two front desk security officers [list names here] (10/2/10)
    Test Result:
    – Visitor sign-in log was missing information. In many cases, the name of the employee accompanying the visitor was not listed. In some other cases, the date of the visit was missing.
    – Front desk security officers noted that they are often overwhelmed with multiple tasks and therefore can't always scrutinize employees when they are signing in visitors.
    Pass/Fail: Fail
  Control: AU-3
    Test Method / Test Date:
    – Examined auditing procedures (9/30/10)
    – Examined sample audit report (9/30/10)
    Test Result:
    – Audit procedures very detailed and contain list of specific events to be audited.
    – Sample report included the list of audited events identified in the procedure.
    Pass/Fail: Pass
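The hybrid report format from slide 34 (executive-summary figures plus the results table of slides 35-36), derived from structured SP 800-53A evidence records. This is an added example, not the deck's own report template; the evidence records are constructed from the findings on slides 35-36, and the rule that one unsatisfactory finding fails a control is an assumption of this example.

```python
"""Added example (not from the slides): deriving the hybrid test report the
deck describes (executive-summary figures plus a results table) from
SP 800-53A evidence records. Sample records are constructed from the
findings on slides 35-36."""
from dataclasses import dataclass


@dataclass
class Evidence:
    method: str       # Examine / Interview / Test, the SP 800-53A methods
    subject: str      # what was examined or who was interviewed
    date: str         # mm/dd/yy, as on the slides
    finding: str
    satisfied: bool   # did this evidence show the control operating as intended?


@dataclass
class ControlTest:
    control: str
    evidence: list

    def result(self):
        """One unsatisfactory finding fails the control (e.g. accounts created
        without approval), however good the other evidence looks."""
        return "Pass" if all(e.satisfied for e in self.evidence) else "Fail"


# Constructed from the findings on slides 35-36 (abbreviated).
SAMPLE_TESTS = [
    ControlTest("AT-2", [
        Evidence("Examine", "security awareness slides", "10/2/10",
                 "slides very detailed and easy to understand", True),
        Evidence("Examine", "training records spreadsheet", "10/4/10",
                 "includes all employees and completion dates", True),
        Evidence("Interview", "five employees", "10/8/10",
                 "employees could discuss the slide content", True),
    ]),
    ControlTest("AC-2", [
        Evidence("Examine", "Account Management Handbook V1.4", "10/16/10",
                 "procedures for opening and closing accounts exist", True),
        Evidence("Interview", "System Administrator", "10/20/10",
                 "new accounts created without system manager approval", False),
        Evidence("Interview", "Human Resources Rep", "10/20/10",
                 "HR not contacted regularly; departed employees' accounts stay open", False),
    ]),
    ControlTest("PE-7", [
        Evidence("Examine", "visitor sign-in log 9/15/10-9/30/10", "10/2/10",
                 "escort name or visit date missing in many entries", False),
        Evidence("Interview", "two front desk security officers", "10/2/10",
                 "officers overwhelmed, cannot always scrutinize sign-ins", False),
    ]),
    ControlTest("AU-3", [
        Evidence("Examine", "auditing procedures", "9/30/10",
                 "procedures list the specific events to be audited", True),
        Evidence("Examine", "sample audit report", "9/30/10",
                 "report contains the audited events named in the procedure", True),
    ]),
]


def summarize(tests):
    """Figures for the executive-summary paragraph of a hybrid report."""
    failed = sorted(t.control for t in tests if t.result() == "Fail")
    return {"tested": len(tests), "passed": len(tests) - len(failed), "failed": failed}


def render_table(tests):
    """Plain-text table in the slide's column order; one row per evidence item,
    with the control id and Pass/Fail shown once per control."""
    header = f"{'Control':8} {'Test Method':48} {'Test Date':10} {'Test Result':62} Pass/Fail"
    rows = [header, "-" * len(header)]
    for t in tests:
        for i, e in enumerate(t.evidence):
            control = t.control if i == 0 else ""
            verdict = t.result() if i == 0 else ""
            method = f"{e.method}: {e.subject}"
            rows.append(f"{control:8} {method:48} {e.date:10} {e.finding:62} {verdict}")
    return "\n".join(rows)


def executive_summary(tests):
    """The paragraph part of the hybrid format."""
    s = summarize(tests)
    failed = ", ".join(s["failed"]) or "none"
    return (f"{s['tested']} controls were tested; {s['passed']} passed. "
            f"Controls requiring corrective action: {failed}.")


if __name__ == "__main__":
    print(executive_summary(SAMPLE_TESTS))
    print(render_table(SAMPLE_TESTS))
```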
  • 37. Best Practices
  – Do not begin testing until you:
    – Know the sensitivity of system/organizational data
    – Have a security methodology in place
    – Have implemented a minimum set of security controls
  – Give interviewees background on the task before conducting the interview
  – Take interview notes on a laptop – do not use paper and pen
  – Write up test results as you complete interviews
  – When possible, try to include something positive in test results
  • 38. Summary
  – Testing leads to a good risk management program
  – High confidence that assets are protected from external and internal threats
  – Following a test methodology such as NIST or OCTAVE minimizes your need to conduct expensive and time-consuming vulnerability scans
  – Practice "Continuous Monitoring" of security controls
  • 39. Questions
  • 40. Contact Information & Website for NIST Publications
  Tom Hasman
  – tom_hasman@sra.com
  – 585-473-6512 (office)
  – 585-857-3718 (cell)
  All NIST SP are available at:
  – http://csrc.nist.gov/publications/PubsSPs.html