SlideShare a Scribd company logo

A Security Testing Methodology that Fits Every IT Budget

Rochester Security Summit
Rochester Security Summit

There are many different methodologies for implementing and testing security controls in an IT system to ensure that it is operating under an “acceptable level of risk.” Many of these methodologies require the use of software to aid in this measurement. While the execution of technical tools is important, it can sometimes place a financial burden on an organization (especially a small business) that may not have the resources to purchase the software or hire trained personnel to run the tools and conduct an analysis of the results. This presentation provides an overview of a security testing methodology developed by the Federal Government through the Department of Commerce’s National Institute of Standards and Technology (NIST) Computer Security Division that is available for use by the security community at no cost. The NIST methodology allows an organization to test their security posture by analyzing controls that are listed in 18 different security categories. Attendees will: 1. Be presented a comprehensive security testing approach that limits the need for using automated tools 2. Take away an understanding of National Institute of Standards and Technology (NIST) security controls and learn how to apply them to their information systems 3. Be shown techniques for documenting testing results 4. Be apprised of best practices for conducting security testing of information systems Tom Hasman, Senior Information Security Analyst, SRA International Tom is Senior Information Security Analyst on the Information Assurance team for SRA International. Tom specializes in Security Tests & Evaluations in support of the government’s Certification & Accreditation process. He performs risk assessments and makes recommendations to clients for prioritizing and mitigating vulnerabilities. Tom also develops security policies and procedures for government clients.

1 of 40
Downloaded 79 times
A Security Testing Methodology that Fits Every IT Budget Tom Hasman SRA International, Inc. Rochester Security Summit October 20, 2010
2 Copyright © 2010 Disclaimer Points of view or opinions expressedPoints of view or opinions expressedPoints of view or opinions expressedPoints of view or opinions expressed in this presentation do not necessarilyin this presentation do not necessarilyin this presentation do not necessarilyin this presentation do not necessarily represent the official position orrepresent the official position orrepresent the official position orrepresent the official position or policies of SRA.policies of SRA.policies of SRA.policies of SRA. Points of view or opinions expressedPoints of view or opinions expressedPoints of view or opinions expressedPoints of view or opinions expressed in this presentation do not necessarilyin this presentation do not necessarilyin this presentation do not necessarilyin this presentation do not necessarily represent the official position orrepresent the official position orrepresent the official position orrepresent the official position or policies of SRA.policies of SRA.policies of SRA.policies of SRA.
3 Copyright © 2010 About SRA SRA – Founded in 1978 – Based in Washington, DC; offices throughout the US - Durham, NC; San Diego; San Antonio; Colorado Springs; Scranton, PA, Rochester, NY ☺ – Offices in Europe too – United Kingdom, Germany, France and the Czech Republic – Work for government organizations and commercial clients serving the national security, civil government and global health markets – Expertise in areas including: air surveillance and air traffic management; contract research organization (CRO) services; cyber security; disaster response planning; enterprise resource planning; environmental strategies; IT systems, infrastructure and managed services; logistics; public health preparedness; public safety; strategic management consulting; systems engineering; and wireless integration. – Current workforce: 7,100+ employees – Website: www.sra.com
4 Copyright © 2010 Speaker Biography Tom Hasman – Senior information security analyst on Information Assurance team at SRA – Joined SRA in December 2000 – Arlington, VA office – Background in risk management and security testing; conducted over 100 risk assessments and security tests on government systems for clients including EPA, DHS, DOC, DOI, USITC, and Dept of Treasury – Advises clients on security policy and how they can implement a strong risk management program with limited security resources – Past speaker at Computer Security Institute (CSI) Conference and the RSA Security Conference – MA in Government from Johns Hopkins University and wrote/defended masters thesis on information warfare.
5 Copyright © 2010 Agenda Introduction – why test? Problems with security testing Alternate testing solution – Implement security program and controls before testing Testing security controls Creating a test report Best practices Summary Questions POC information and web site link
6 Copyright © 2010 Why Conduct Security Testing? It’s the Law! – FISMA - requires federal agencies have an effective program for protecting their data and information systems (risk management) – HIPAA Security Standards – Sarbanes-Oxley Section 404 Management of Internal Controls A key component of risk management is the implementation of a good security testing program Security Testing is part of “best practices” – It increases awareness about security of the system – Identifies system’s risks, vulnerabilities, etc. – Provides improved basis for making decisions – Provides justification of expenditures – Security Test = High confidence that assets are adequately protected - assuming the test went well ☺
7 Copyright © 2010 Problems with Security Testing Cost – Many security testing methodologies require the use of expensive software to aid in testing Expertise – Even free tools require technical expertise to analyze results Time – A lot of time spent reviewing tool output Hire an expert = $$$$ Do it yourself = lots of lost time – Too much time/money spent on technical solution, not enough time/energy on personnel
8 Copyright © 2010 Alternative Testing Solution Free “tools” from the federal government’s Department of Commerce – National Institute of Standards and Technology (NIST) Computer Security Division Requires “minimal” technical background Series of Special Publications that: – Help you categorize your system (C, I, A ratings) – Help you choose the appropriate security control to implement in your system – Help you test those controls to ensure that are implemented correctly (system operating at “acceptable level of risk.”)
9 Copyright © 2010 Questions to ask before testing What am I trying to protect? – How sensitive is the data Do I have a security program? – What methodology is used? – How mature is it? Have I implemented a minimum set of security controls? – Implemented – Planned – Accept risk
10 Copyright © 2010 Sensitivity of Data Based on three security objectives Confidentiality – Assurance that information is not disclosed to unauthorized persons, processes, or devices Integrity – Guarding against improper information modification or destruction Availability – Timely, reliable access to data and information services for authorized users
11 Copyright © 2010 What am I trying to protect? (Categorize Your System’s C, I, A Levels) FIPS 199 – security categorization of federal systems – Use is required for government information systems – Used to determine C, I, A levels of system – NIST SP 800-60 – carries out FIPS 199 requirements NIST SP 800-60 – Guide for Mapping Types of Information and Information Systems to Security Categories – Revision one released in August 2008 – Contains guidelines for mapping types of information and information systems to security categories – In other words, helps determine C, I, A levels (L, M, H) based on type of information system processes All NIST SP are available at http://csrc.nist.gov/publications/nistpubs/ index.html
12 Copyright © 2010 What am I trying to protect? (cont) NIST SP 800-60 Example Financial Management Heading LMMSecurity Category Rating LMLPayments LMLAccounting LMMFunds Control AICInformation Type Overall Rating = Moderate
13 Copyright © 2010 Do I have a security program? (Risk Management Framework) NIST SP 800-37 – Guide for Applying the Risk Management Framework to Federal Information Systems – Latest version released in February 2010 – Old Model Conduct system certification & accreditation (C&A) once every 3 years Ignore IT security program until C&A is due again – New Model Maintains the need for a C&A every 3 years Organizations must practice continuous monitoring A subset of controls should be tested yearly Minimizes burden of C&A (controls constantly tested)
14 Copyright © 2010 Have I Implemented a minimum set of controls? NIST SP 800-53 Rev3 – Latest version is August 2009 (updates to May 1, 2010) – Establishes minimum set of security controls based on system information C, I, A levels – Document has baseline + “control enhancements” for those areas where C, I, A is medium or high – 17 families among Management, Operational and Technical controls + 1 family for Program Management – Originally designed for systems but many controls can be applied at the organization level Awareness & Training Incident Response Contingency Planning
15 Copyright © 2010 Implementing Security Controls (continued) Rev 3 removed duplicate questions in rev2 – Example: Session Termination (AC-12) and Network Disconnect (SC-10) very similar – Now under SC-10 in revision 3 New controls added – Many new controls in SC family including: Fail state, honeypots, security of information “at rest” – Program Management (PM) family also added Implementing controls at organization level Ex – appointing CISO, capital planning for security Offers the ability to designate common- and hybrid-controls – Common – implement at a organizational level (AT-2) – Hybrid – combination of organization/system (CP-2)
16 Copyright © 2010 Implementing Security Controls (cont2) Minimum Security Requirements Access Control (T) Awareness and Training (O) Audit and Accountability (T) Security Assessment and Authorization (M) Configuration Management (O) Contingency Planning (O) Identification and Authentication (T) Incident Response (O) Maintenance (O) Media Protection (O) Physical and Environmental Protection (O) Planning (M) Personnel Security (O) Risk Assessment (M) Systems and Services Acquisition (M) System and Communications Protection (T) System and Information Integrity (O) Program Management (PM) – organization-wide
17 Copyright © 2010 Implementing Security Controls (cont3) Rev3 also provides priority for control implementation – Priority Code (P1) – implement first – Priority Code (P2) – implement only after all P1 controls are in place – Priority Code (P3) – implement only after all P1 and P2 controls in place – Unspecified Priority Code (P0) – government does not require for federal systems Organization may choose to implement
18 Copyright © 2010 Implementing Security Controls (cont4) Use the priority codes to help guide what controls you will implement – Make Adjustments for: Budget Organizational/company mission Includes capability to test technical controls – Minimizes the need for security scans* *As long as your honest *Security scans still needed periodically *Big organizations should run scans on a regular basis
19 Copyright © 2010 Now tested under SC-10 Screen capture from NIST 800-53 rev3
20 Copyright © 2010 Control enhancement is optional – see next slide NIST SP 800-53 Example #1 (AT-2)
21 Copyright © 2010 No control enhancements for L, M, H NIST SP 800-53 Example #1 (AT-2) No control enhancements
22 Copyright © 2010 NIST SP 800-53 Example #2 (AC-2)
23 Copyright © 2010 NIST SP 800-53 Example #2 (AC-2) Control enhancements for M, H
24 Copyright © 2010 NIST SP 800-53 Example #2 (AC-2) No enhancements Enhancements Control enhancements for M, H
25 Copyright © 2010 Increasing control enhancements for each level NIST SP 800-53 Example #3 (AU-3) Control enhancements increase for L, M, H
26 Copyright © 2010 NIST SP 800-53 Example #4 (AT-5) Optional control (Not selected for L, M, H)
27 Copyright © 2010 Testing Security Controls NIST SP 800-53A – used to test implemented controls Latest version published in June 2010 Three types of tests – Examine – Interview – Test (require the use of automated tools) Observe – new account with weak password, user attempting to perform administrative functions, obscuring passwords Follows the same format as NIST SP 800-53 – 17 control families + 1 program level family – Categorized under 3 classes Management, Operational, Technical Guidelines for testing vary based on sensitivity of information – Low, moderate, high system impact levels
28 Copyright © 2010 AT-2: Testing the control
29 Copyright © 2010 AC-2: Assessment Objective
30 Copyright © 2010 AC-2: Testing the baseline control System Manager, System Administrator, HR
31 Copyright © 2010 AC-2: Testing the control enhancements
32 Copyright © 2010 AU-3: Assessment Objective and Testing the baseline control
33 Copyright © 2010 AU-3: Testing the control enhancement
34 Copyright © 2010 Test Report Output of all testing activities Used to communicate to management security posture of organization Several ways to communicate results: – Table format – Paragraph format – Hybrid Paragraph format – executive summary of testing activities Table format – lists test results
35 Copyright © 2010 Pass- PowerPoint slides very detailed and easy to understand. - Security posters placed around building (elevators, kitchen) are eye catching and communicate message effectively - Training records spreadsheet includes names of all employees and date PowerPoint presentation was completed. - Training coordinator very knowledgeable - Employees discussed content of slides (verified that they actually took the training) 10/2/10 10/2/10 10/4/10 10/8/10 10/8/10 - Examined security awareness PowerPoint slides - Examined security awareness poster near elevator (wear badge and don’t let people tailgate) - Examined training records Excel spreadsheet - Interviewed Training Coordinator [Name here] - Interviewed five employees [list names here] AT-2 Fail- Account management handbook contains procedures for opening and closing accounts but often system administrator creates new accounts without system manager approval - Human resources rep not contacted on a regular basis. Result = many accounts of departed employees remain open 10/16/10 10/19/10 10/20/10 10/20/10 - Examined Account Management Handbook V1.4 dated 5/12/10 - Interviewed System Manager Abigail Hasman - Interviewed System Administrator Sam Hasman - Interviewed Human Resources Rep Linda Hasman AC-2 Pass/FailTest ResultTest DateTest MethodControl Sample Test Report
36 Copyright © 2010 Fail- Visitor sign in log was missing information. In many cases, the name of the employee accompanying the visitor was not listed. In some other cases, the date of the visit was missing. - Front desk security officers noted that they are often overwhelmed with multiple tasks and therefore can’t always scrutinize employees when they are signing in visitors. 10/2/10 10/2/10 - Examined visitor sign in log for 9/15/10-9/30/10 - Interviewed two front desk security officers [list names here] PE-7 (Visitor Control) Pass- Audit procedures very detailed and contain list of specific events to be audited. - Sample report included the list of audited events identified in the procedure. 9/30/10 9/30/10 - Examined auditing procedures - Examined sample audit report AU-3 Pass/FailTest ResultTest DateTest MethodControl Sample Test Report (continued)
37 Copyright © 2010 Best Practices Do not begin testing until you: – Know sensitivity of system/organizational data – Have a security methodology in place – Implemented minimum set of security controls Give interviewees background on task before conducting interview Take interview notes on a laptop – Do not use paper and pen Write up test results as you complete interviews When possible, try to include something positive in test results
38 Copyright © 2010 Summary Testing leads to a good risk management program High confidence that assets are protected from external and internal threats Following a test methodology such as NIST or OCTAVE minimizes your need to conduct expensive and time consuming vulnerability scans Practice “Continuous Monitoring” of security controls
39 Copyright © 2010 Questions
40 Copyright © 2010 Contact Information & Website for NIST Publications Tom Hasman – tom_hasman@sra.com – 585-473-6512 (office) – 585-857-3718 (cell) All NIST SP are available at: – http://csrc.nist.gov/publications/PubsS Ps.html
Ad

Recommended

IT Risk Management
IT Risk ManagementIT Risk Management
IT Risk Management
Tudor Damian
 
Security policy
Security policySecurity policy
Security policy
Dhani Ahmad
 
RMF Training, Risk Management Framework Implementation
RMF Training, Risk Management Framework ImplementationRMF Training, Risk Management Framework Implementation
RMF Training, Risk Management Framework Implementation
Bryan Len
 
Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)
MetroStar
 
What is Enterprise Security Architecture (ESA)?
What is Enterprise Security Architecture (ESA)?What is Enterprise Security Architecture (ESA)?
What is Enterprise Security Architecture (ESA)?
John Gardner, CMC
 
NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NIST presentation on RMF 2.0 / SP 800-37 rev. 2NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NIST presentation on RMF 2.0 / SP 800-37 rev. 2
NetLockSmith
 
RiskWatch for Physical & Homeland Security™
RiskWatch for Physical & Homeland Security™RiskWatch for Physical & Homeland Security™
RiskWatch for Physical & Homeland Security™
CPaschal
 
Risk Management and Security in Strategic Planning
Risk Management and Security in Strategic PlanningRisk Management and Security in Strategic Planning
Risk Management and Security in Strategic Planning
Keyaan Williams
 
Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditing
Piyush Jain
 
Vskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample Material
Vskills
 
Risk management ii
Risk management iiRisk management ii
Risk management ii
Dhani Ahmad
 
1. security management practices
1. security management practices1. security management practices
1. security management practices
7wounders
 
Lesson 3- Fair Approach
Lesson 3- Fair ApproachLesson 3- Fair Approach
Lesson 3- Fair Approach
MLG College of Learning, Inc
 
Nist.sp.800 37r2
Nist.sp.800 37r2Nist.sp.800 37r2
Nist.sp.800 37r2
newbie2019
 
ControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdf
ControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdfControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdf
ControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdf
sulu98
 
Information Security
Information SecurityInformation Security
Information Security
chenpingling
 
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
festival ICT 2016
 
Network security policies
Network security policiesNetwork security policies
Network security policies
Usman Mukhtar
 
Chapter 5
Chapter 5Chapter 5
Chapter 5
sivadnolram
 
Chapter 12 iso 27001 awareness
Chapter 12 iso 27001 awarenessChapter 12 iso 27001 awareness
Chapter 12 iso 27001 awareness
newbie2019
 
Understanding the security_organization
Understanding the security_organizationUnderstanding the security_organization
Understanding the security_organization
Dan Morrill
 
Lesson 1- Information Policy
Lesson 1- Information PolicyLesson 1- Information Policy
Lesson 1- Information Policy
MLG College of Learning, Inc
 
Risk management i
Risk management iRisk management i
Risk management i
Dhani Ahmad
 
Security Organization/ Infrastructure
Security Organization/ InfrastructureSecurity Organization/ Infrastructure
Security Organization/ Infrastructure
Priyank Hada
 
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKSRISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
Christina33713
 
Role management
Role managementRole management
Role management
Abidullah Zarghoon
 
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Denise Tawwab
 
Physical Security Management System
Physical Security Management SystemPhysical Security Management System
Physical Security Management System
Daniel Suchy, CPP, MSyI
 
Security Consulting Methodology
Security Consulting MethodologySecurity Consulting Methodology
Security Consulting Methodology
ciso_insights
 
Webinar: Automate Your Environment Provisioning for Mobile App Development
Webinar: Automate Your Environment Provisioning for Mobile App Development Webinar: Automate Your Environment Provisioning for Mobile App Development
Webinar: Automate Your Environment Provisioning for Mobile App Development
Skytap Cloud
 
Ad

More Related Content

What's hot (20)

Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditing
Piyush Jain
 
Vskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample Material
Vskills
 
Risk management ii
Risk management iiRisk management ii
Risk management ii
Dhani Ahmad
 
1. security management practices
1. security management practices1. security management practices
1. security management practices
7wounders
 
Lesson 3- Fair Approach
Lesson 3- Fair ApproachLesson 3- Fair Approach
Lesson 3- Fair Approach
MLG College of Learning, Inc
 
Nist.sp.800 37r2
Nist.sp.800 37r2Nist.sp.800 37r2
Nist.sp.800 37r2
newbie2019
 
ControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdf
ControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdfControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdf
ControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdf
sulu98
 
Information Security
Information SecurityInformation Security
Information Security
chenpingling
 
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
festival ICT 2016
 
Network security policies
Network security policiesNetwork security policies
Network security policies
Usman Mukhtar
 
Chapter 5
Chapter 5Chapter 5
Chapter 5
sivadnolram
 
Chapter 12 iso 27001 awareness
Chapter 12 iso 27001 awarenessChapter 12 iso 27001 awareness
Chapter 12 iso 27001 awareness
newbie2019
 
Understanding the security_organization
Understanding the security_organizationUnderstanding the security_organization
Understanding the security_organization
Dan Morrill
 
Lesson 1- Information Policy
Lesson 1- Information PolicyLesson 1- Information Policy
Lesson 1- Information Policy
MLG College of Learning, Inc
 
Risk management i
Risk management iRisk management i
Risk management i
Dhani Ahmad
 
Security Organization/ Infrastructure
Security Organization/ InfrastructureSecurity Organization/ Infrastructure
Security Organization/ Infrastructure
Priyank Hada
 
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKSRISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
Christina33713
 
Role management
Role managementRole management
Role management
Abidullah Zarghoon
 
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Denise Tawwab
 
Physical Security Management System
Physical Security Management SystemPhysical Security Management System
Physical Security Management System
Daniel Suchy, CPP, MSyI
 
Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditing
Piyush Jain
 
Vskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample Material
Vskills
 
Risk management ii
Risk management iiRisk management ii
Risk management ii
Dhani Ahmad
 
1. security management practices
1. security management practices1. security management practices
1. security management practices
7wounders
 
Lesson 3- Fair Approach
Lesson 3- Fair ApproachLesson 3- Fair Approach
Lesson 3- Fair Approach
MLG College of Learning, Inc
 
Nist.sp.800 37r2
Nist.sp.800 37r2Nist.sp.800 37r2
Nist.sp.800 37r2
newbie2019
 
ControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdf
ControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdfControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdf
ControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdf
sulu98
 
Information Security
Information SecurityInformation Security
Information Security
chenpingling
 
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
festival ICT 2016
 
Network security policies
Network security policiesNetwork security policies
Network security policies
Usman Mukhtar
 
Chapter 5
Chapter 5Chapter 5
Chapter 5
sivadnolram
 
Chapter 12 iso 27001 awareness
Chapter 12 iso 27001 awarenessChapter 12 iso 27001 awareness
Chapter 12 iso 27001 awareness
newbie2019
 
Understanding the security_organization
Understanding the security_organizationUnderstanding the security_organization
Understanding the security_organization
Dan Morrill
 
Lesson 1- Information Policy
Lesson 1- Information PolicyLesson 1- Information Policy
Lesson 1- Information Policy
MLG College of Learning, Inc
 
Risk management i
Risk management iRisk management i
Risk management i
Dhani Ahmad
 
Security Organization/ Infrastructure
Security Organization/ InfrastructureSecurity Organization/ Infrastructure
Security Organization/ Infrastructure
Priyank Hada
 
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKSRISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
Christina33713
 
Role management
Role managementRole management
Role management
Abidullah Zarghoon
 
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Denise Tawwab
 
Physical Security Management System
Physical Security Management SystemPhysical Security Management System
Physical Security Management System
Daniel Suchy, CPP, MSyI
 

Viewers also liked (20)

Security Consulting Methodology
Security Consulting MethodologySecurity Consulting Methodology
Security Consulting Methodology
ciso_insights
 
Webinar: Automate Your Environment Provisioning for Mobile App Development
Webinar: Automate Your Environment Provisioning for Mobile App Development Webinar: Automate Your Environment Provisioning for Mobile App Development
Webinar: Automate Your Environment Provisioning for Mobile App Development
Skytap Cloud
 
Paradigm Shift! - Customer Information Centric IT Risk Assessments
Paradigm Shift! - Customer Information Centric IT Risk AssessmentsParadigm Shift! - Customer Information Centric IT Risk Assessments
Paradigm Shift! - Customer Information Centric IT Risk Assessments
Fernando Reiser
 
Alvaro De Oliveira, President, European Network of Living Labs - from Policy ...
Alvaro De Oliveira, President, European Network of Living Labs - from Policy ...Alvaro De Oliveira, President, European Network of Living Labs - from Policy ...
Alvaro De Oliveira, President, European Network of Living Labs - from Policy ...
European Network of Living Labs (ENoLL)
 
Office cleaning
Office cleaningOffice cleaning
Office cleaning
Susan Roy
 
Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...
Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...
Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...
Tom Moore
 
TWK 2013_Fall_Final
TWK 2013_Fall_FinalTWK 2013_Fall_Final
TWK 2013_Fall_Final
Anastasia (Stasi) Richmond
 
Disruptive Methodology Information Security Bradford Haizlett
Disruptive Methodology Information Security Bradford HaizlettDisruptive Methodology Information Security Bradford Haizlett
Disruptive Methodology Information Security Bradford Haizlett
Bradford Haizlett
 
VIMRO Cyber Security Methodology
VIMRO Cyber Security MethodologyVIMRO Cyber Security Methodology
VIMRO Cyber Security Methodology
FitCEO, Inc. (FCI)
 
Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!
espheresecurity
 
Security testing activities
Security testing activitiesSecurity testing activities
Security testing activities
Dharmdev Maurya
 
Ajit Singh_CV
Ajit Singh_CVAjit Singh_CV
Ajit Singh_CV
Ajit Singh
 
Our Consulting Methodology
Our Consulting MethodologyOur Consulting Methodology
Our Consulting Methodology
kevin_sheppard_ict
 
Introduction to security testing
Introduction to security testingIntroduction to security testing
Introduction to security testing
Nagasahas DS
 
Explore Security Testing
Explore Security TestingExplore Security Testing
Explore Security Testing
shwetaupadhyay
 
Web Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWeb Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing Methodology
Websecurify
 
Security Sector- Training Methodology at College Of Security Studies
Security Sector- Training Methodology at College Of Security StudiesSecurity Sector- Training Methodology at College Of Security Studies
Security Sector- Training Methodology at College Of Security Studies
College Of Security Studies
 
Security testing
Security testingSecurity testing
Security testing
Rihab Chebbah
 
Security-testing presentation
Security-testing presentationSecurity-testing presentation
Security-testing presentation
Ezhilan Elangovan (Eril)
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life Cycle
Maurice Dawson
 
Security Consulting Methodology
Security Consulting MethodologySecurity Consulting Methodology
Security Consulting Methodology
ciso_insights
 
Webinar: Automate Your Environment Provisioning for Mobile App Development
Webinar: Automate Your Environment Provisioning for Mobile App Development Webinar: Automate Your Environment Provisioning for Mobile App Development
Webinar: Automate Your Environment Provisioning for Mobile App Development
Skytap Cloud
 
Paradigm Shift! - Customer Information Centric IT Risk Assessments
Paradigm Shift! - Customer Information Centric IT Risk AssessmentsParadigm Shift! - Customer Information Centric IT Risk Assessments
Paradigm Shift! - Customer Information Centric IT Risk Assessments
Fernando Reiser
 
Alvaro De Oliveira, President, European Network of Living Labs - from Policy ...
Alvaro De Oliveira, President, European Network of Living Labs - from Policy ...Alvaro De Oliveira, President, European Network of Living Labs - from Policy ...
Alvaro De Oliveira, President, European Network of Living Labs - from Policy ...
European Network of Living Labs (ENoLL)
 
Office cleaning
Office cleaningOffice cleaning
Office cleaning
Susan Roy
 
Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...
Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...
Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...
Tom Moore
 
TWK 2013_Fall_Final
TWK 2013_Fall_FinalTWK 2013_Fall_Final
TWK 2013_Fall_Final
Anastasia (Stasi) Richmond
 
Disruptive Methodology Information Security Bradford Haizlett
Disruptive Methodology Information Security Bradford HaizlettDisruptive Methodology Information Security Bradford Haizlett
Disruptive Methodology Information Security Bradford Haizlett
Bradford Haizlett
 
VIMRO Cyber Security Methodology
VIMRO Cyber Security MethodologyVIMRO Cyber Security Methodology
VIMRO Cyber Security Methodology
FitCEO, Inc. (FCI)
 
Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!
espheresecurity
 
Security testing activities
Security testing activitiesSecurity testing activities
Security testing activities
Dharmdev Maurya
 
Ajit Singh_CV
Ajit Singh_CVAjit Singh_CV
Ajit Singh_CV
Ajit Singh
 
Our Consulting Methodology
Our Consulting MethodologyOur Consulting Methodology
Our Consulting Methodology
kevin_sheppard_ict
 
Introduction to security testing
Introduction to security testingIntroduction to security testing
Introduction to security testing
Nagasahas DS
 
Explore Security Testing
Explore Security TestingExplore Security Testing
Explore Security Testing
shwetaupadhyay
 
Web Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWeb Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing Methodology
Websecurify
 
Security Sector- Training Methodology at College Of Security Studies
Security Sector- Training Methodology at College Of Security StudiesSecurity Sector- Training Methodology at College Of Security Studies
Security Sector- Training Methodology at College Of Security Studies
College Of Security Studies
 
Security testing
Security testingSecurity testing
Security testing
Rihab Chebbah
 
Security-testing presentation
Security-testing presentationSecurity-testing presentation
Security-testing presentation
Ezhilan Elangovan (Eril)
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life Cycle
Maurice Dawson
 
Ad

Similar to A Security Testing Methodology that Fits Every IT Budget (20)

5757912.ppt
5757912.ppt5757912.ppt
5757912.ppt
Muhammad Mazhar
 
iDEAFest Enteprise InfoSec Program Lessons Learned
iDEAFest Enteprise InfoSec Program Lessons LearnediDEAFest Enteprise InfoSec Program Lessons Learned
iDEAFest Enteprise InfoSec Program Lessons Learned
Michael King
 
RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™
CPaschal
 
Convergence innovative integration of security
Convergence innovative integration of securityConvergence innovative integration of security
Convergence innovative integration of security
ciso_insights
 
Reorganizing Federal IT to Address Today's Threats
Reorganizing Federal IT to Address Today's ThreatsReorganizing Federal IT to Address Today's Threats
Reorganizing Federal IT to Address Today's Threats
Lumension
 
The Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentThe Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk Assessment
Bradley Susser
 
2008: Web Application Security Tutorial
2008: Web Application Security Tutorial2008: Web Application Security Tutorial
2008: Web Application Security Tutorial
Neil Matatall
 
Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Start With A Great Information Security Plan!
Start With A Great Information Security Plan!
Tammy Clark
 
DSS RMF Training.pptx
DSS RMF Training.pptxDSS RMF Training.pptx
DSS RMF Training.pptx
Muhammad Mazhar
 
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Gs Us Roadmap For A World Class Information Security Management System– Isoie...Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Tammy Clark
 
Application Security Maturity Model
Application Security Maturity ModelApplication Security Maturity Model
Application Security Maturity Model
Security Innovation
 
Developing an Information Security Program
Developing an Information Security ProgramDeveloping an Information Security Program
Developing an Information Security Program
Shauna_Cox
 
Industry's Role in Securing Cyber Space - 2011
Industry's Role in Securing Cyber Space - 2011Industry's Role in Securing Cyber Space - 2011
Industry's Role in Securing Cyber Space - 2011
brentrrowe1
 
Cyber Families - Incident Response.pptx
Cyber Families - Incident Response.pptxCyber Families - Incident Response.pptx
Cyber Families - Incident Response.pptx
Kinetic Potential
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
abhichowdary16
 
Compare and Contrast Security Controls and Framework Types
Compare and Contrast Security Controls and Framework TypesCompare and Contrast Security Controls and Framework Types
Compare and Contrast Security Controls and Framework Types
LearningwithRayYT
 
is_1_Introduction to Information Security
is_1_Introduction to Information Securityis_1_Introduction to Information Security
is_1_Introduction to Information Security
SARJERAO Sarju
 
Organizations rely heavily on the use of information technology (IT).docx
Organizations rely heavily on the use of information technology (IT).docxOrganizations rely heavily on the use of information technology (IT).docx
Organizations rely heavily on the use of information technology (IT).docx
aman341480
 
Building and implementing a successful information security policy
Building and implementing a successful information security policyBuilding and implementing a successful information security policy
Building and implementing a successful information security policy
RossMob1
 
Forging Partnerships Between Auditors and Security Managers
Forging Partnerships Between Auditors and Security ManagersForging Partnerships Between Auditors and Security Managers
Forging Partnerships Between Auditors and Security Managers
amiable_indian
 
5757912.ppt
5757912.ppt5757912.ppt
5757912.ppt
Muhammad Mazhar
 
iDEAFest Enteprise InfoSec Program Lessons Learned
iDEAFest Enteprise InfoSec Program Lessons LearnediDEAFest Enteprise InfoSec Program Lessons Learned
iDEAFest Enteprise InfoSec Program Lessons Learned
Michael King
 
RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™RiskWatch for Financial Institutions™
RiskWatch for Financial Institutions™
CPaschal
 
Convergence innovative integration of security
Convergence innovative integration of securityConvergence innovative integration of security
Convergence innovative integration of security
ciso_insights
 
Reorganizing Federal IT to Address Today's Threats
Reorganizing Federal IT to Address Today's ThreatsReorganizing Federal IT to Address Today's Threats
Reorganizing Federal IT to Address Today's Threats
Lumension
 
The Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentThe Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk Assessment
Bradley Susser
 
2008: Web Application Security Tutorial
2008: Web Application Security Tutorial2008: Web Application Security Tutorial
2008: Web Application Security Tutorial
Neil Matatall
 
Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Start With A Great Information Security Plan!
Start With A Great Information Security Plan!
Tammy Clark
 
DSS RMF Training.pptx
DSS RMF Training.pptxDSS RMF Training.pptx
DSS RMF Training.pptx
Muhammad Mazhar
 
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Gs Us Roadmap For A World Class Information Security Management System– Isoie...Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Gs Us Roadmap For A World Class Information Security Management System– Isoie...
Tammy Clark
 
Application Security Maturity Model
Application Security Maturity ModelApplication Security Maturity Model
Application Security Maturity Model
Security Innovation
 
Developing an Information Security Program
Developing an Information Security ProgramDeveloping an Information Security Program
Developing an Information Security Program
Shauna_Cox
 
Industry's Role in Securing Cyber Space - 2011
Industry's Role in Securing Cyber Space - 2011Industry's Role in Securing Cyber Space - 2011
Industry's Role in Securing Cyber Space - 2011
brentrrowe1
 
Cyber Families - Incident Response.pptx
Cyber Families - Incident Response.pptxCyber Families - Incident Response.pptx
Cyber Families - Incident Response.pptx
Kinetic Potential
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
abhichowdary16
 
Compare and Contrast Security Controls and Framework Types
Compare and Contrast Security Controls and Framework TypesCompare and Contrast Security Controls and Framework Types
Compare and Contrast Security Controls and Framework Types
LearningwithRayYT
 
is_1_Introduction to Information Security
is_1_Introduction to Information Securityis_1_Introduction to Information Security
is_1_Introduction to Information Security
SARJERAO Sarju
 
Organizations rely heavily on the use of information technology (IT).docx
Organizations rely heavily on the use of information technology (IT).docxOrganizations rely heavily on the use of information technology (IT).docx
Organizations rely heavily on the use of information technology (IT).docx
aman341480
 
Building and implementing a successful information security policy
Building and implementing a successful information security policyBuilding and implementing a successful information security policy
Building and implementing a successful information security policy
RossMob1
 
Forging Partnerships Between Auditors and Security Managers
Forging Partnerships Between Auditors and Security ManagersForging Partnerships Between Auditors and Security Managers
Forging Partnerships Between Auditors and Security Managers
amiable_indian
 
Ad

More from Rochester Security Summit (16)

IPv6 Can No Longer Be Ignored
IPv6 Can No Longer Be IgnoredIPv6 Can No Longer Be Ignored
IPv6 Can No Longer Be Ignored
Rochester Security Summit
 
Radio Reconnaissance in Penetration Testing
Radio Reconnaissance in Penetration TestingRadio Reconnaissance in Penetration Testing
Radio Reconnaissance in Penetration Testing
Rochester Security Summit
 
Real Business Threats!
Real Business Threats!Real Business Threats!
Real Business Threats!
Rochester Security Summit
 
Dealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation Style
Rochester Security Summit
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
Rochester Security Summit
 
Maximizing ROI through Security Training (for Developers)
Maximizing ROI through Security Training (for Developers)Maximizing ROI through Security Training (for Developers)
Maximizing ROI through Security Training (for Developers)
Rochester Security Summit
 
Dissecting the Hack: Malware Analysis 101
Dissecting the Hack: Malware Analysis 101 Dissecting the Hack: Malware Analysis 101
Dissecting the Hack: Malware Analysis 101
Rochester Security Summit
 
GRC– The Way Forward
GRC– The Way ForwardGRC– The Way Forward
GRC– The Way Forward
Rochester Security Summit
 
A Plan to Control and Protect Data in the Private and Public Cloud
A Plan to Control and Protect Data in the Private and Public CloudA Plan to Control and Protect Data in the Private and Public Cloud
A Plan to Control and Protect Data in the Private and Public Cloud
Rochester Security Summit
 
Finding Patterns in Data Breaches
Finding Patterns in Data BreachesFinding Patterns in Data Breaches
Finding Patterns in Data Breaches
Rochester Security Summit
 
State Data Breach Laws - A National Patchwork Quilt
State Data Breach Laws - A National Patchwork QuiltState Data Breach Laws - A National Patchwork Quilt
State Data Breach Laws - A National Patchwork Quilt
Rochester Security Summit
 
It's All About the Data!
It's All About the Data!It's All About the Data!
It's All About the Data!
Rochester Security Summit
 
You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…
Rochester Security Summit
 
Business Impact and Risk Assessments in Business Continuity and Disaster Reco...
Business Impact and Risk Assessments in Business Continuity and Disaster Reco...Business Impact and Risk Assessments in Business Continuity and Disaster Reco...
Business Impact and Risk Assessments in Business Continuity and Disaster Reco...
Rochester Security Summit
 
Losing Control to the Cloud
Losing Control to the CloudLosing Control to the Cloud
Losing Control to the Cloud
Rochester Security Summit
 
Firewall Defense against Covert Channels
Firewall Defense against Covert Channels Firewall Defense against Covert Channels
Firewall Defense against Covert Channels
Rochester Security Summit
 
IPv6 Can No Longer Be Ignored
IPv6 Can No Longer Be IgnoredIPv6 Can No Longer Be Ignored
IPv6 Can No Longer Be Ignored
Rochester Security Summit
 
Radio Reconnaissance in Penetration Testing
Radio Reconnaissance in Penetration TestingRadio Reconnaissance in Penetration Testing
Radio Reconnaissance in Penetration Testing
Rochester Security Summit
 
Real Business Threats!
Real Business Threats!Real Business Threats!
Real Business Threats!
Rochester Security Summit
 
Dealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation Style
Rochester Security Summit
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
Rochester Security Summit
 
Maximizing ROI through Security Training (for Developers)
Maximizing ROI through Security Training (for Developers)Maximizing ROI through Security Training (for Developers)
Maximizing ROI through Security Training (for Developers)
Rochester Security Summit
 
Dissecting the Hack: Malware Analysis 101
Dissecting the Hack: Malware Analysis 101 Dissecting the Hack: Malware Analysis 101
Dissecting the Hack: Malware Analysis 101
Rochester Security Summit
 
GRC– The Way Forward
GRC– The Way ForwardGRC– The Way Forward
GRC– The Way Forward
Rochester Security Summit
 
A Plan to Control and Protect Data in the Private and Public Cloud
A Plan to Control and Protect Data in the Private and Public CloudA Plan to Control and Protect Data in the Private and Public Cloud
A Plan to Control and Protect Data in the Private and Public Cloud
Rochester Security Summit
 
Finding Patterns in Data Breaches
Finding Patterns in Data BreachesFinding Patterns in Data Breaches
Finding Patterns in Data Breaches
Rochester Security Summit
 
State Data Breach Laws - A National Patchwork Quilt
State Data Breach Laws - A National Patchwork QuiltState Data Breach Laws - A National Patchwork Quilt
State Data Breach Laws - A National Patchwork Quilt
Rochester Security Summit
 
It's All About the Data!
It's All About the Data!It's All About the Data!
It's All About the Data!
Rochester Security Summit
 
You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…
Rochester Security Summit
 
Business Impact and Risk Assessments in Business Continuity and Disaster Reco...
Business Impact and Risk Assessments in Business Continuity and Disaster Reco...Business Impact and Risk Assessments in Business Continuity and Disaster Reco...
Business Impact and Risk Assessments in Business Continuity and Disaster Reco...
Rochester Security Summit
 
Losing Control to the Cloud
Losing Control to the CloudLosing Control to the Cloud
Losing Control to the Cloud
Rochester Security Summit
 
Firewall Defense against Covert Channels
Firewall Defense against Covert Channels Firewall Defense against Covert Channels
Firewall Defense against Covert Channels
Rochester Security Summit
 

Recently uploaded (20)

Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 

A Security Testing Methodology that Fits Every IT Budget

  • 1. A Security Testing Methodology that Fits Every IT Budget Tom Hasman SRA International, Inc. Rochester Security Summit October 20, 2010
  • 2. 2 Copyright © 2010 Disclaimer Points of view or opinions expressedPoints of view or opinions expressedPoints of view or opinions expressedPoints of view or opinions expressed in this presentation do not necessarilyin this presentation do not necessarilyin this presentation do not necessarilyin this presentation do not necessarily represent the official position orrepresent the official position orrepresent the official position orrepresent the official position or policies of SRA.policies of SRA.policies of SRA.policies of SRA. Points of view or opinions expressedPoints of view or opinions expressedPoints of view or opinions expressedPoints of view or opinions expressed in this presentation do not necessarilyin this presentation do not necessarilyin this presentation do not necessarilyin this presentation do not necessarily represent the official position orrepresent the official position orrepresent the official position orrepresent the official position or policies of SRA.policies of SRA.policies of SRA.policies of SRA.
  • 3. 3 Copyright © 2010 About SRA SRA – Founded in 1978 – Based in Washington, DC; offices throughout the US - Durham, NC; San Diego; San Antonio; Colorado Springs; Scranton, PA, Rochester, NY ☺ – Offices in Europe too – United Kingdom, Germany, France and the Czech Republic – Work for government organizations and commercial clients serving the national security, civil government and global health markets – Expertise in areas including: air surveillance and air traffic management; contract research organization (CRO) services; cyber security; disaster response planning; enterprise resource planning; environmental strategies; IT systems, infrastructure and managed services; logistics; public health preparedness; public safety; strategic management consulting; systems engineering; and wireless integration. – Current workforce: 7,100+ employees – Website: www.sra.com
  • 4. 4 Copyright © 2010 Speaker Biography Tom Hasman – Senior information security analyst on Information Assurance team at SRA – Joined SRA in December 2000 – Arlington, VA office – Background in risk management and security testing; conducted over 100 risk assessments and security tests on government systems for clients including EPA, DHS, DOC, DOI, USITC, and Dept of Treasury – Advises clients on security policy and how they can implement a strong risk management program with limited security resources – Past speaker at Computer Security Institute (CSI) Conference and the RSA Security Conference – MA in Government from Johns Hopkins University and wrote/defended masters thesis on information warfare.
  • 5. 5 Copyright © 2010 Agenda Introduction – why test? Problems with security testing Alternate testing solution – Implement security program and controls before testing Testing security controls Creating a test report Best practices Summary Questions POC information and web site link
  • 6. 6 Copyright © 2010 Why Conduct Security Testing? It’s the Law! – FISMA - requires federal agencies have an effective program for protecting their data and information systems (risk management) – HIPAA Security Standards – Sarbanes-Oxley Section 404 Management of Internal Controls A key component of risk management is the implementation of a good security testing program Security Testing is part of “best practices” – It increases awareness about security of the system – Identifies system’s risks, vulnerabilities, etc. – Provides improved basis for making decisions – Provides justification of expenditures – Security Test = High confidence that assets are adequately protected - assuming the test went well ☺
  • 7. 7 Copyright © 2010 Problems with Security Testing Cost – Many security testing methodologies require the use of expensive software to aid in testing Expertise – Even free tools require technical expertise to analyze results Time – A lot of time spent reviewing tool output Hire an expert = $$$$ Do it yourself = lots of lost time – Too much time/money spent on technical solution, not enough time/energy on personnel
  • 8. 8 Copyright © 2010 Alternative Testing Solution Free “tools” from the federal government’s Department of Commerce – National Institute of Standards and Technology (NIST) Computer Security Division Requires “minimal” technical background Series of Special Publications that: – Help you categorize your system (C, I, A ratings) – Help you choose the appropriate security control to implement in your system – Help you test those controls to ensure that are implemented correctly (system operating at “acceptable level of risk.”)
  • 9. 9 Copyright © 2010 Questions to ask before testing What am I trying to protect? – How sensitive is the data Do I have a security program? – What methodology is used? – How mature is it? Have I implemented a minimum set of security controls? – Implemented – Planned – Accept risk
  • 10. 10 Copyright © 2010 Sensitivity of Data Based on three security objectives Confidentiality – Assurance that information is not disclosed to unauthorized persons, processes, or devices Integrity – Guarding against improper information modification or destruction Availability – Timely, reliable access to data and information services for authorized users
  • 11. 11 Copyright © 2010 What am I trying to protect? (Categorize Your System’s C, I, A Levels) FIPS 199 – security categorization of federal systems – Use is required for government information systems – Used to determine C, I, A levels of system – NIST SP 800-60 – carries out FIPS 199 requirements NIST SP 800-60 – Guide for Mapping Types of Information and Information Systems to Security Categories – Revision one released in August 2008 – Contains guidelines for mapping types of information and information systems to security categories – In other words, helps determine C, I, A levels (L, M, H) based on type of information system processes All NIST SP are available at http://csrc.nist.gov/publications/nistpubs/ index.html
  • 12. 12 Copyright © 2010 What am I trying to protect? (cont) NIST SP 800-60 Example Financial Management Heading LMMSecurity Category Rating LMLPayments LMLAccounting LMMFunds Control AICInformation Type Overall Rating = Moderate
  • 13. 13 Copyright © 2010 Do I have a security program? (Risk Management Framework) NIST SP 800-37 – Guide for Applying the Risk Management Framework to Federal Information Systems – Latest version released in February 2010 – Old Model Conduct system certification & accreditation (C&A) once every 3 years Ignore IT security program until C&A is due again – New Model Maintains the need for a C&A every 3 years Organizations must practice continuous monitoring A subset of controls should be tested yearly Minimizes burden of C&A (controls constantly tested)
  • 14. 14 Copyright © 2010 Have I Implemented a minimum set of controls? NIST SP 800-53 Rev3 – Latest version is August 2009 (updates to May 1, 2010) – Establishes minimum set of security controls based on system information C, I, A levels – Document has baseline + “control enhancements” for those areas where C, I, A is medium or high – 17 families among Management, Operational and Technical controls + 1 family for Program Management – Originally designed for systems but many controls can be applied at the organization level Awareness & Training Incident Response Contingency Planning
  • 15. 15 Copyright © 2010 Implementing Security Controls (continued) Rev 3 removed duplicate questions in rev2 – Example: Session Termination (AC-12) and Network Disconnect (SC-10) very similar – Now under SC-10 in revision 3 New controls added – Many new controls in SC family including: Fail state, honeypots, security of information “at rest” – Program Management (PM) family also added Implementing controls at organization level Ex – appointing CISO, capital planning for security Offers the ability to designate common- and hybrid-controls – Common – implement at a organizational level (AT-2) – Hybrid – combination of organization/system (CP-2)
  • 16. 16 Copyright © 2010 Implementing Security Controls (cont2) Minimum Security Requirements Access Control (T) Awareness and Training (O) Audit and Accountability (T) Security Assessment and Authorization (M) Configuration Management (O) Contingency Planning (O) Identification and Authentication (T) Incident Response (O) Maintenance (O) Media Protection (O) Physical and Environmental Protection (O) Planning (M) Personnel Security (O) Risk Assessment (M) Systems and Services Acquisition (M) System and Communications Protection (T) System and Information Integrity (O) Program Management (PM) – organization-wide
  • 17. 17 Copyright © 2010 Implementing Security Controls (cont3) Rev3 also provides priority for control implementation – Priority Code (P1) – implement first – Priority Code (P2) – implement only after all P1 controls are in place – Priority Code (P3) – implement only after all P1 and P2 controls in place – Unspecified Priority Code (P0) – government does not require for federal systems Organization may choose to implement
  • 18. 18 Copyright © 2010 Implementing Security Controls (cont4) Use the priority codes to help guide what controls you will implement – Make Adjustments for: Budget Organizational/company mission Includes capability to test technical controls – Minimizes the need for security scans* *As long as your honest *Security scans still needed periodically *Big organizations should run scans on a regular basis
  • 19. 19 Copyright © 2010 Now tested under SC-10 Screen capture from NIST 800-53 rev3
  • 20. 20 Copyright © 2010 Control enhancement is optional – see next slide NIST SP 800-53 Example #1 (AT-2)
  • 21. 21 Copyright © 2010 No control enhancements for L, M, H NIST SP 800-53 Example #1 (AT-2) No control enhancements
  • 22. 22 Copyright © 2010 NIST SP 800-53 Example #2 (AC-2)
  • 23. 23 Copyright © 2010 NIST SP 800-53 Example #2 (AC-2) Control enhancements for M, H
  • 24. 24 Copyright © 2010 NIST SP 800-53 Example #2 (AC-2) No enhancements Enhancements Control enhancements for M, H
  • 25. 25 Copyright © 2010 Increasing control enhancements for each level NIST SP 800-53 Example #3 (AU-3) Control enhancements increase for L, M, H
  • 26. 26 Copyright © 2010 NIST SP 800-53 Example #4 (AT-5) Optional control (Not selected for L, M, H)
  • 27. 27 Copyright © 2010 Testing Security Controls NIST SP 800-53A – used to test implemented controls Latest version published in June 2010 Three types of tests – Examine – Interview – Test (require the use of automated tools) Observe – new account with weak password, user attempting to perform administrative functions, obscuring passwords Follows the same format as NIST SP 800-53 – 17 control families + 1 program level family – Categorized under 3 classes Management, Operational, Technical Guidelines for testing vary based on sensitivity of information – Low, moderate, high system impact levels
  • 28. 28 Copyright © 2010 AT-2: Testing the control
  • 29. 29 Copyright © 2010 AC-2: Assessment Objective
  • 30. 30 Copyright © 2010 AC-2: Testing the baseline control System Manager, System Administrator, HR
  • 31. 31 Copyright © 2010 AC-2: Testing the control enhancements
  • 32. 32 Copyright © 2010 AU-3: Assessment Objective and Testing the baseline control
  • 33. 33 Copyright © 2010 AU-3: Testing the control enhancement
  • 34. 34 Copyright © 2010 Test Report Output of all testing activities Used to communicate to management security posture of organization Several ways to communicate results: – Table format – Paragraph format – Hybrid Paragraph format – executive summary of testing activities Table format – lists test results
  • 35. 35 Copyright © 2010 Pass- PowerPoint slides very detailed and easy to understand. - Security posters placed around building (elevators, kitchen) are eye catching and communicate message effectively - Training records spreadsheet includes names of all employees and date PowerPoint presentation was completed. - Training coordinator very knowledgeable - Employees discussed content of slides (verified that they actually took the training) 10/2/10 10/2/10 10/4/10 10/8/10 10/8/10 - Examined security awareness PowerPoint slides - Examined security awareness poster near elevator (wear badge and don’t let people tailgate) - Examined training records Excel spreadsheet - Interviewed Training Coordinator [Name here] - Interviewed five employees [list names here] AT-2 Fail- Account management handbook contains procedures for opening and closing accounts but often system administrator creates new accounts without system manager approval - Human resources rep not contacted on a regular basis. Result = many accounts of departed employees remain open 10/16/10 10/19/10 10/20/10 10/20/10 - Examined Account Management Handbook V1.4 dated 5/12/10 - Interviewed System Manager Abigail Hasman - Interviewed System Administrator Sam Hasman - Interviewed Human Resources Rep Linda Hasman AC-2 Pass/FailTest ResultTest DateTest MethodControl Sample Test Report
  • 36. 36 Copyright © 2010 Fail- Visitor sign in log was missing information. In many cases, the name of the employee accompanying the visitor was not listed. In some other cases, the date of the visit was missing. - Front desk security officers noted that they are often overwhelmed with multiple tasks and therefore can’t always scrutinize employees when they are signing in visitors. 10/2/10 10/2/10 - Examined visitor sign in log for 9/15/10-9/30/10 - Interviewed two front desk security officers [list names here] PE-7 (Visitor Control) Pass- Audit procedures very detailed and contain list of specific events to be audited. - Sample report included the list of audited events identified in the procedure. 9/30/10 9/30/10 - Examined auditing procedures - Examined sample audit report AU-3 Pass/FailTest ResultTest DateTest MethodControl Sample Test Report (continued)
  • 37. 37 Copyright © 2010 Best Practices Do not begin testing until you: – Know sensitivity of system/organizational data – Have a security methodology in place – Implemented minimum set of security controls Give interviewees background on task before conducting interview Take interview notes on a laptop – Do not use paper and pen Write up test results as you complete interviews When possible, try to include something positive in test results
  • 38. 38 Copyright © 2010 Summary Testing leads to a good risk management program High confidence that assets are protected from external and internal threats Following a test methodology such as NIST or OCTAVE minimizes your need to conduct expensive and time consuming vulnerability scans Practice “Continuous Monitoring” of security controls
  • 39. 39 Copyright © 2010 Questions
  • 40. 40 Copyright © 2010 Contact Information & Website for NIST Publications Tom Hasman – [email protected] – 585-473-6512 (office) – 585-857-3718 (cell) All NIST SP are available at: – http://csrc.nist.gov/publications/PubsS Ps.html