AWA INTERNATIONAL
WHEN TO IMPLEMENT A VULNERABILITY ASSESSMENT OR PENETRATION TEST:
A DISCUSSION OF THE KEY DIFFERENCES BETWEEN THE TWO TYPES OF ASSESSMENTS AND GUIDANCE ON WHEN THE PROPER TIME IS TO IMPLEMENT THESE THIRD-PARTY ASSESSMENTS BASED ON RISK
JANUARY 25TH, 2021
Table of Contents
■ How to Evaluate Risk?
■ What is a Vulnerability Assessment?
■ What is a Penetration Test?
■ Key Differences
■ When to implement?
AWA is a division of IS Partners, LLC
▪ IS Partners has been in business since 2005
▪ Founded by former Big 4 auditors
▪ CPA firm registered with AICPA and PCAOB
▪ Focus on Control Assessments including:
  ▪ SOC Audits
  ▪ HITRUST Certification
  ▪ SSAE21
AWA is a division of IS Partners, LLC
Focus on technology and technical assessments including:
▪ PCI DSS Assessments
▪ Security Framework Assessments (ISO27001, NIST, FISMA)
▪ Penetration Testing and Vulnerability Assessments
▪ HIPAA Assessments
▪ Security Risk Assessments
▪ Cloud Security Assessments
T. Anthony Jones; MBA, QSA, CISA & CISM
Partner and the leader of AWA with more than 25 years of Audit and Security Experience.
Anthony has over 25 years of experience and has worked with a variety of industries. Anthony has extensive knowledge in IT consulting; he is also a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Qualified Security Assessor (QSA), and Certified ISO/IEC 27001 Lead Auditor designation holder with the expert ability to accurately understand risk and offer alternatives to current situations, develop action plans and cultivate longstanding client relationships.
Michael Mariano; HITRUST CCSFP
Michael is the Chief Information Security Officer at IS Partners as well as the leader of the penetration testing practice for AWA International.
Michael has 15+ years’ experience in internal IT operations, with 7 years involved in various levels of IT auditing covering PCI DSS, SOC 2, HITRUST CSF and Risk Assessments, and experience working with Security Frameworks (such as ISO and NIST).
JOSEPH CIANCIMINO: CISA
Joseph is a Manager in the IS Partners SOC practice, providing clients with SOC 1/SOC 2 audit services, as well as various other IT audit and consulting services.
Joseph has over 6 years’ experience servicing clients in the Insurance, Banking, Manufacturing & Distribution, Energy & Utilities, and Financial Services industries.
Establishing a process for evaluating risk
■ Establishing a risk methodology is a key step for many organizations to develop an understanding of the key risks their organization is facing
■ Evaluation of likelihood and impact of risk, using a quantitative or qualitative approach
Risk Assessment Process - Methodology
Qualitative
▪ Subjective measurements of risk
▪ Use variables such as: Low, Medium, High
Quantitative
▪ Objective measurements of risk
▪ Use a numbering scheme based on definitions set in the Risk Management methodology
Risk Assessment Process - Identification
Inherent Risks
Before determining if a vulnerability assessment or penetration test is the right choice for your organization, you will need to evaluate what types of inherent risk your organization is facing:
▪ Operational Risks
▪ Financial Risks
▪ Compliance Risks
▪ Fraud Risks
▪ Cybersecurity Risks
Risk Assessment Process - Analysis
Mitigating Inherent Risk
With various types of risk at play – mitigating risk is a key responsibility for senior management at many organizations.
Internal Controls for mitigation of risk come in many different forms:
Preventative Controls
• Intrusion Prevention Systems
• Firewalls
Detective Controls
• Monthly reconciliations
• Budget to Actual Comparisons
Corrective Controls
• Auto-correcting fields during data input
• Real-time replication for Disaster Recovery
Risk Assessment Process - Evaluation
Mitigating Inherent Risk
After evaluating the inherent risks your organization faces and the controls in place to mitigate those risks, you are left with either a qualitative or quantitative calculation of your residual risk.
Residual risk is the “risk remaining after risk treatment” (ISO 31000:2018)
But how much residual risk are you comfortable with accepting?
Risk Assessment Process - Evaluation
Risk Appetite
Establishing internal guidelines for the acceptance of risk helps establish a balance between supporting the business needs and establishing controls for the prevention of risk.
By defining your organization’s risk appetite, you can help meet that balance and establish an understanding to identify when additional controls may be needed.
Risk Assessment Process - Evaluation
Emerging Risks
The Information Systems Audit and Control Association (ISACA) published its 2020 “State of Enterprise Risk Management” report.
Key findings indicated that 29% of executives surveyed believe Cybersecurity risk to be the largest emerging risk area facing organizations today.
Findings also indicated that 41% of executives surveyed believe that Cybersecurity risk is difficult/very difficult to measure and quantify.
Risk Assessment Process - Evaluation
How to address residual and emerging risks
If you’re in a position where you’re still facing residual and emerging risks, and need additional mitigating measures, third-party assessments often serve as a tool for additional mitigation to help reduce risk to acceptable levels.
Two types of third-party assessments to help reduce Cybersecurity risk include:
• Vulnerability Assessments
• Penetration Tests
But what are vulnerability assessments and penetration tests?
Major Hacks in 2020
Peekaboo Moments – January 2020 – Unsecured Database
Fifth Third Bank – February 2020 – Disgruntled Employee
MGM Resorts – February 2020 – Unauthorized Cloud Access
U.S. Marshals – May 2020 – Server Vulnerability
Cognizant – June 2020 – Ransomware
Ancestry.com – July 2020 – Unsecured Database
Instagram, TikTok & Youtube – August 2020 – Unsecured Database
Imperium Health – September 2020 – Phishing Attack
Pfizer – October 2020 – Misconfigured Cloud Database
Expedia, Hotels.com & Booking.com – November 2020 – Unsecured Database
Vulnerability Assessment
A vulnerability assessment is a structured, point-in-time review of security weaknesses in an information system that rates these weaknesses based on severity levels.
Penetration Testing
A penetration test is an authorized, point-in-time simulation of a cyber attack against a computer system with a goal of identifying and exploiting vulnerabilities in the computer systems, policies and procedures surrounding the systems, and people managing the systems.
■ Vulnerability assessments find and measure vulnerabilities, whereas a penetration test will find, measure, and exploit the vulnerability to discover its depth. This exploitation can lead to the discovery of additional vulnerabilities that a vulnerability scan cannot identify.
■ The testing phase of a vulnerability assessment takes minutes or hours, but the testing phase of a penetration test takes days.
■ Vulnerability assessments are designed to be passive, whereas a penetration test can be as aggressive as your security controls allow.
VULNERABILITY ASSESSMENTS
Types of Vulnerability Assessments
■ External Vulnerability Assessment
– Public IP Space
– Publicly Accessible Sites
– VPNs
■ Internal Network Vulnerability Assessment
– Hosts (Servers, Workstations)
– Network Equipment (Routers, Switches, Firewalls, WIFI)
– Other (Phones, Printers, Cameras, Card Readers, IoT Devices)
■ Web Application Vulnerability Assessment
– Dynamic (Functioning Applications)
– Static (Code Review)
■ And more!
Steps to perform a Vulnerability Assessment
1. Determine Scope
– Entire Physical Sites, Specific Networks, Single Application, etc.?
2. Scan Assets
– Vulnerability Scanning Software
3. Analysis and Report Results
– Rate criticality of vulnerabilities
– Suggest remediation actions
4. Remediate Issues
5. Repeat
How to use a Vulnerability Assessment
A vulnerability assessment should be part of your company’s Vulnerability Management Program and used to track and prioritize the vulnerabilities in your company’s Information Systems over a period of time.
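The steps above (scan, analyze and rate, remediate, repeat) and the point about tracking vulnerabilities over a period of time can be put into working form as a small vulnerability register. The following is an added example, not code from AWA or from the presentation: two constructed scanner exports are folded into one register so that new, persisting and remediated findings are separated, and open items are ranked by CVSS and by days open against an assumed remediation policy. The `SLA_DAYS` values, the `CONSTRUCTED-*` identifiers and the hostnames are all made up for the illustration.

```python
"""Vulnerability register built from repeated scans (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date

# Assumed remediation deadlines in days per severity band (illustrative policy, not AWA's).
SLA_DAYS = {"Critical": 15, "High": 30, "Medium": 90, "Low": 180}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str   # scanner plugin id or CVE id; constructed placeholders below
    title: str
    cvss: float


def severity(cvss):
    """Qualitative CVSS v3 severity band for a numeric score."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def finding_key(finding):
    """The same item across scans is identified by host plus vulnerability id."""
    return (finding.host, finding.vuln_id)


def update_register(register, scan_date, findings):
    """Fold one scan into the register (dict keyed by finding_key).

    New items are opened, items seen again keep their first_seen date, and open
    items no longer detected are closed. Returns keys of (new, remediated, persisting)."""
    seen = {finding_key(f): f for f in findings}
    new, remediated, persisting = [], [], []
    for key, finding in seen.items():
        entry = register.get(key)
        if entry is None or entry["status"] != "open":
            # First detection, or a previously closed item that has reappeared.
            register[key] = {"finding": finding, "first_seen": scan_date,
                             "last_seen": scan_date, "status": "open"}
            new.append(key)
        else:
            entry["finding"] = finding
            entry["last_seen"] = scan_date
            persisting.append(key)
    for key, entry in register.items():
        if key not in seen and entry["status"] == "open":
            entry["status"] = "remediated"
            entry["closed"] = scan_date
            remediated.append(key)
    return new, remediated, persisting


def prioritize(register, today):
    """Open findings ordered by CVSS (highest first) then age (oldest first),
    each flagged when it has been open longer than its severity band's SLA."""
    rows = []
    for entry in register.values():
        if entry["status"] != "open":
            continue
        f = entry["finding"]
        days_open = (today - entry["first_seen"]).days
        band = severity(f.cvss)
        rows.append({"host": f.host, "vuln_id": f.vuln_id, "title": f.title,
                     "cvss": f.cvss, "severity": band, "days_open": days_open,
                     "sla_breached": days_open > SLA_DAYS.get(band, 365)})
    rows.sort(key=lambda r: (-r["cvss"], -r["days_open"]))
    return rows


# Constructed scanner exports for two assessments three weeks apart.
SCAN_1 = [
    Finding("web-01", "CONSTRUCTED-0001", "Outdated TLS configuration", 7.5),
    Finding("web-01", "CONSTRUCTED-0002", "Directory listing enabled", 5.3),
    Finding("db-01", "CONSTRUCTED-0003", "Database reachable without authentication", 9.8),
]
SCAN_2 = [
    Finding("web-01", "CONSTRUCTED-0001", "Outdated TLS configuration", 7.5),
    Finding("db-01", "CONSTRUCTED-0003", "Database reachable without authentication", 9.8),
    Finding("print-01", "CONSTRUCTED-0004", "Default SNMP community string", 6.5),
]


def build_register():
    """Apply both constructed scans; return the register and the second scan's changes."""
    register = {}
    update_register(register, date(2021, 1, 4), SCAN_1)
    changes = update_register(register, date(2021, 1, 25), SCAN_2)
    return register, changes


def run_demo():
    """Prioritised open list as of the second scan date."""
    register, _ = build_register()
    return prioritize(register, date(2021, 1, 25))


if __name__ == "__main__":
    for row in run_demo():
        flag = " (SLA breached)" if row["sla_breached"] else ""
        print(f'{row["severity"]:8} {row["cvss"]:4} {row["host"]:9} '
              f'{row["vuln_id"]} {row["days_open"]:3}d{flag}')
```

The register is what turns a series of point-in-time assessments into a programme: the executive summary count comes from `prioritize`, while `update_register` gives the remediation evidence (what closed between scans) that the "Repeat" step is meant to produce.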
Vulnerability Assessment Deliverables
Executive Summary (2-3 pages)
• PDF Document
• Date, Scope, Approach of Assessment
• Number of vulnerabilities across entire scope
Technical Report (50+ pages)
• Excel document of scanner results
• Complete breakdown of each vulnerability
• Remediation Suggestions
Vulnerability Classification
■ All publicly known vulnerabilities are cataloged in the National Vulnerability Database (NVD) as Common Vulnerabilities and Exposures (CVE).
– https://nvd.nist.gov
■ CVE Details is a website which gathers CVE data from NVD and several other prominent sources.
– https://www.cvedetails.com
■ CVE criticality is graded using the Common Vulnerability Scoring System (CVSS), which is used to create a Base, Temporal, and Environmental Score.
Common Vulnerability Scoring System (CVSS) Explained
CVSS v1 (2005) – We don’t talk about version 1.
CVSS v2 (2007) – Risk based and widely adopted, but required too much knowledge of the attack vulnerability to be practical.
CVSS v3 (2015) – Risk based and aimed to more accurately reflect the reality of the vulnerability in the real world.
CVSS v3.1 (2019) – Severity based and aimed to improve clarity of concepts.
Common Vulnerability Scoring System (CVSS) Explained
■ Base Score
– Static, unchanging components of a vulnerability
– Does not change over time
■ Environmental Score
– Based on the specific environment in which the vulnerability is found
– Business criticality vs. compensating controls
■ Temporal Score
– Based on ease of exploitation and vendor patching
  ▪ When a vendor patch is released, the score goes down.
  ▪ When exploit code is released, the score goes up.
Penetration Testing
An authorized simulation of a cyber attack against a computer system with a goal of identifying vulnerabilities in the computer systems, policies and procedures surrounding the systems, and people managing the systems.
■ Also known as a “Pen Test” or “Ethical Hacking”
■ Utilizes a phase-based methodology
■ Point-in-time assessment
Types of Penetration Tests
Infrastructure
■ Internal Network
■ External IP Space
■ WIFI
Application
■ Windows & Mac Software
■ Web Application
■ Mobile Application
Physical
■ Secure Facilities
Social
■ Phishing
■ Vishing
Penetration Tests are scenario based
Black Box – As an attacker with zero knowledge.
Grey Box – As an attacker with some knowledge.
White Box – As an attacker with complete knowledge.
Testing Layers of Security
■ External Layer
■ Internal Layer
■ Application Layer
■ People Layer
Penetration Testing Frameworks
The phases of a Penetration Test
Phase 0 – Planning & Authorization
Phase 1 – Information Gathering
Phase 2 – Vulnerability Detection
Phase 3 – Exploitation
Phase 4 – Reporting
Post Testing – Remediation Verification
Phase 0 – Planning & Authorization
■ Scope and timing finalized
■ Contracts are signed
■ Rules of Engagement completed
Phase 0 (continued) – Rules of Engagement
Establishes:
■ Permission
■ Type of Testing
■ Scope & Timing
■ Sensitive Data Handling
■ Points of Contact
Phase 1 – Information Gathering
▪ Open-Source Intelligence Gathering
Phase 2 – Vulnerability Detection
▪ Host detection
▪ Security detection
▪ Port scanning
▪ Vulnerability scanning
▪ Vulnerability classification
Phase 3 – Exploitation
▪ Vulnerability Verification
▪ False Positive Elimination
▪ If Exploitation is possible:
  ▪ Establish access to system or resource
  ▪ Attempt to pivot to additional systems
Phase 4 – Reporting
Executive Summary (2-3 pages)
• PDF Document
• Date, Scope, Approach of Assessment
• Number of vulnerabilities across entire scope
Technical Report (50+ pages)
• Excel document of scanner results
• Complete breakdown of each vulnerability
• Remediation Suggestions
Attack Narrative (50+ pages)
• PDF Document
• Step by step narrative of the attack
Post Testing – Third Party Remediation Verification
▪ Up to 60 days after report delivery
▪ Retesting of all vulnerabilities identified during testing.
Questions and Answers
■ Please send any Risk Assessment, Vulnerability Assessment, or Penetration Testing related questions from this presentation
■ If you think of a question after our webinar, please email us at: info@ispartnersllc.com
panagenda
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Ad

When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk Management | AWA International

  • 6. Michael Mariano; HITRUST CCSFP
Michael is the Chief Information Security Officer at IS Partners as well as the leader of the penetration testing practice for AWA International.
Michael has 15+ years' experience in internal IT operations, with 7 years involved in various levels of IT auditing, including PCI DSS, SOC 2, HITRUST CSF and Risk Assessments, and experience working with security frameworks (such as ISO and NIST).
  • 7. Joseph Ciancimino; CISA
Joseph is a Manager in the IS Partners SOC practice, providing clients with SOC 1/SOC 2 audit services, as well as other IT audit and consulting services.
Joseph has over 6 years' experience serving clients in the Insurance, Banking, Manufacturing & Distribution, Energy & Utilities, and Financial Services industries.
  • 8. Establishing a process for evaluating risk
■ Establishing a risk methodology is a key step for an organization to develop an understanding of the key risks it is facing.
■ Evaluate the likelihood and impact of each risk, using a quantitative or qualitative approach.
  • 9. Risk Assessment Process – Methodology
■ Qualitative: subjective measurements of risk, using variables such as Low, Medium, High.
■ Quantitative: objective measurements of risk, using a numbering scheme based on definitions set in the Risk Management methodology.
  • 10. Risk Assessment Process – Identification
Inherent Risks: before determining whether a vulnerability assessment or penetration test is the right choice for your organization, you will need to evaluate what types of inherent risk your organization is facing:
■ Operational Risks
■ Financial Risks
■ Compliance Risks
■ Fraud Risks
■ Cybersecurity Risks
  • 11. Risk Assessment Process – Analysis
Mitigating Inherent Risk: with various types of risk at play, mitigating risk is a key responsibility of senior management at many organizations. Internal controls for the mitigation of risk come in many different forms:
■ Preventative Controls
  • Intrusion Prevention Systems
  • Firewalls
■ Detective Controls
  • Monthly reconciliations
  • Budget to Actual comparisons
■ Corrective Controls
  • Auto-correcting fields during data input
  • Real-time replication for Disaster Recovery
  • 12. Risk Assessment Process – Evaluation
Mitigating Inherent Risk: after evaluating the inherent risks your organization faces and the controls in place to mitigate those risks, you are left with either a qualitative or quantitative calculation of your residual risk.
Residual risk is the "risk remaining after risk treatment" (ISO 31000:2018).
But how much residual risk are you comfortable accepting?
  • 13. Risk Assessment Process – Evaluation
Risk Appetite: establishing internal guidelines for the acceptance of risk helps strike a balance between supporting business needs and establishing controls for the prevention of risk. By defining your organization's risk appetite, you can meet that balance and establish a shared understanding of when additional controls may be needed.
  • 14. Risk Assessment Process – Evaluation
Emerging Risks: the Information Systems Audit and Control Association (ISACA) published its 2020 "State of Enterprise Risk Management" report. Key findings indicated that 29% of executives surveyed believe cybersecurity risk to be the largest emerging risk area facing organizations today. Findings also indicated that 41% of executives surveyed believe that cybersecurity risk is difficult or very difficult to measure and quantify.
  • 15. Risk Assessment Process – Evaluation
How to address residual and emerging risks: if you are still facing residual and emerging risks and need additional mitigating measures, third-party assessments often serve as a tool for additional mitigation to help reduce risk to acceptable levels. Two types of third-party assessment that help reduce cybersecurity risk are:
■ Vulnerability Assessments
■ Penetration Tests
But what are vulnerability assessments and penetration tests?
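The risk process on slides 8 to 15 (score likelihood and impact, qualitatively or quantitatively; apply controls; compare the residual against the appetite; treat what is left) is worked through below as an added example. It is not AWA's methodology or tooling: the register entries, the loss figures, the per-control effectiveness fractions and the appetite threshold are all constructed, and the way independent controls are combined (multiplying what each leaves behind) is an assumption of this example.

```python
"""Worked risk-evaluation example (added illustration, not AWA's own method).

Scores inherent risk qualitatively (Low/Medium/High matrix) and quantitatively
(annualised loss expectancy), applies mitigating controls to get residual risk,
compares it with a stated risk appetite and flags what still needs treatment.
All figures are constructed for illustration.
"""
from dataclasses import dataclass, field

# Qualitative scale: Low/Medium/High -> 1..3, so likelihood x impact gives 1..9.
QUAL = {"Low": 1, "Medium": 2, "High": 3}


def qualitative_rating(score: int) -> str:
    """Collapse a 1..9 likelihood x impact product back to Low/Medium/High."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    name: str
    category: str          # Operational, Financial, Compliance, Fraud, Cybersecurity
    likelihood: str        # qualitative: Low / Medium / High
    impact: str            # qualitative: Low / Medium / High
    sle: float             # quantitative: single loss expectancy (currency units)
    aro: float             # quantitative: annualised rate of occurrence (events/year)
    # control name -> fraction of the risk it is judged to remove (0..1); assumption
    controls: dict = field(default_factory=dict)

    def inherent_qual(self) -> str:
        return qualitative_rating(QUAL[self.likelihood] * QUAL[self.impact])

    def inherent_ale(self) -> float:
        """Annualised loss expectancy before treatment: SLE x ARO."""
        return self.sle * self.aro

    def control_effectiveness(self) -> float:
        """Combined effect of independent controls: 1 - product of what each leaves."""
        remaining = 1.0
        for eff in self.controls.values():
            remaining *= 1.0 - eff
        return 1.0 - remaining

    def residual_ale(self) -> float:
        """Residual risk (ISO 31000: risk remaining after treatment)."""
        return self.inherent_ale() * (1.0 - self.control_effectiveness())


def evaluate(risks, appetite_ale: float) -> dict:
    """{risk name: (residual ALE, needs further treatment?)} against the appetite."""
    return {r.name: (round(r.residual_ale(), 2), r.residual_ale() > appetite_ale)
            for r in risks}


# Constructed sample register.
REGISTER = [
    Risk("Internet-facing web app compromise", "Cybersecurity", "High", "High",
         sle=500_000, aro=0.4, controls={"WAF": 0.5, "Patch SLA": 0.4}),
    Risk("Ransomware via phishing", "Cybersecurity", "High", "High",
         sle=1_000_000, aro=0.3,
         controls={"Email filtering": 0.6, "EDR": 0.5, "Backups": 0.5}),
    Risk("Unreconciled vendor payments", "Fraud", "Medium", "Medium",
         sle=50_000, aro=1.0, controls={"Monthly reconciliation": 0.9}),
]
# Assumption: the board accepts at most 50k of expected annual loss per risk.
RISK_APPETITE_ALE = 50_000

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name}: inherent={r.inherent_qual()} ({r.inherent_ale():,.0f}) "
              f"controls={r.control_effectiveness():.0%} residual={r.residual_ale():,.0f}")
    for name, (ale, flag) in evaluate(REGISTER, RISK_APPETITE_ALE).items():
        print(f"{'NEEDS TREATMENT' if flag else 'accepted'}: {name} ({ale:,.0f})")
```

With these constructed numbers the web application risk is the only one whose residual (60k) exceeds the appetite even after the WAF and patch SLA are credited, which is exactly the situation slide 15 describes: a residual risk that warrants an additional third-party measure such as a vulnerability assessment or penetration test.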
  • 16. Major Hacks in 2020
■ Peekaboo Moments – January 2020 – Unsecured Database
■ Fifth Third Bank – February 2020 – Disgruntled Employee
■ MGM Resorts – February 2020 – Unauthorized Cloud Access
■ U.S. Marshals – May 2020 – Server Vulnerability
■ Cognizant – June 2020 – Ransomware
■ Ancestry.com – July 2020 – Unsecured Database
■ Instagram, TikTok & YouTube – August 2020 – Unsecured Database
■ Imperium Health – September 2020 – Phishing Attack
■ Pfizer – October 2020 – Misconfigured Cloud Database
■ Expedia, Hotels.com & Booking.com – November 2020 – Unsecured Database
  • 17. Vulnerability Assessment
A vulnerability assessment is a structured, point-in-time review of security weaknesses in an information system that rates those weaknesses by severity level.
  • 18. Penetration Testing
A penetration test is an authorized, point-in-time simulation of a cyber attack against a computer system, with the goal of identifying and exploiting vulnerabilities in the computer systems, in the policies and procedures surrounding the systems, and in the people managing the systems.
  • 19. Key Differences
■ Vulnerability assessments find and measure vulnerabilities, whereas a penetration test finds, measures and exploits the vulnerability to discover its depth. This exploitation can lead to the discovery of additional vulnerabilities (for example, on systems reachable only after the first compromise) that a vulnerability scan cannot identify.
■ The testing phase of a vulnerability assessment takes minutes or hours; in a penetration test it takes days.
■ Vulnerability assessments are designed to be passive (they detect but do not exploit), whereas a penetration test can be as aggressive as your security controls and rules of engagement allow.
  • 21. Types of Vulnerability Assessments
■ External Vulnerability Assessment
  – Public IP Space
  – Publicly Accessible Sites
  – VPNs
■ Internal Network Vulnerability Assessment
  – Hosts (Servers, Workstations)
  – Network Equipment (Routers, Switches, Firewalls, Wi-Fi)
  – Other (Phones, Printers, Cameras, Card Readers, IoT Devices)
■ Web Application Vulnerability Assessment
  – Dynamic (Functioning Applications)
  – Static (Code Review)
■ And more!
  • 22. Steps to perform a Vulnerability Assessment
1. Determine Scope – entire physical sites, specific networks, a single application, etc.?
2. Scan Assets – vulnerability scanning software
3. Analyze and Report Results – rate the criticality of vulnerabilities; suggest remediation actions
4. Remediate Issues
5. Repeat
  • 24. How to use a Vulnerability Assessment
A vulnerability assessment should be part of your company's Vulnerability Management Program and used to track and prioritize the vulnerabilities in your company's information systems over a period of time.
  • 25. Vulnerability Assessment Deliverables
■ Executive Summary (2-3 pages)
  • PDF document
  • Date, scope and approach of the assessment
  • Number of vulnerabilities across the entire scope
■ Technical Report (50+ pages)
  • Excel document of scanner results
  • Complete breakdown of each vulnerability
  • Remediation suggestions
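Slides 22, 24 and 25 describe what happens between "scan assets" and the two deliverables: de-duplicating the raw scanner export, rating each finding, counting findings per severity for the executive summary, ordering them for the technical report, and comparing one scan with the next so the program tracks vulnerabilities over time. The following added example does that over a constructed scanner export; it is not AWA's tooling, the two CSV snapshots and the `FINDING-n` identifiers are made up (a real export would carry CVE IDs and plugin names), and the severity bands are the CVSS v3.x qualitative ratings that NVD uses.

```python
"""Added example: from raw scanner rows to the slide 25 deliverables. The scan data
below is constructed; FINDING-n are placeholder identifiers, not real CVEs."""
import csv
import io
from collections import Counter, defaultdict

# Constructed scanner exports (the CSV shape most scanners can produce). The
# duplicated row on 10.0.1.12 mimics a plugin that fires twice on one service.
SCAN_MARCH = """host,port,id,cvss,title
10.0.1.10,443,FINDING-1,9.8,placeholder remote code execution
10.0.1.10,22,FINDING-2,5.3,placeholder information disclosure
10.0.1.11,443,FINDING-1,9.8,placeholder remote code execution
10.0.1.12,3389,FINDING-3,7.5,placeholder denial of service
10.0.1.12,3389,FINDING-3,7.5,placeholder denial of service
"""
SCAN_APRIL = """host,port,id,cvss,title
10.0.1.10,22,FINDING-2,5.3,placeholder information disclosure
10.0.1.11,443,FINDING-1,9.8,placeholder remote code execution
10.0.1.13,80,FINDING-4,3.1,placeholder weak cipher
"""


def severity(cvss: float) -> str:
    """CVSS v3.x qualitative severity bands (the thresholds NVD publishes)."""
    if cvss == 0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


def parse_scan(text: str) -> set:
    """Parse a scanner CSV into a set of unique findings (host, port, id, cvss).
    A set drops the duplicate rows scanners emit when a check fires twice."""
    findings = set()
    for row in csv.DictReader(io.StringIO(text)):
        findings.add((row["host"], int(row["port"]), row["id"], float(row["cvss"])))
    return findings


def executive_summary(findings: set) -> dict:
    """Executive-summary counts: findings per severity across the whole scope."""
    return dict(Counter(severity(f[3]) for f in findings))


def remediation_plan(findings: set) -> list:
    """Technical-report ordering: one entry per finding id, highest CVSS first,
    then by number of affected hosts, so the widest critical issue is fixed first."""
    hosts = defaultdict(set)
    score = {}
    for host, _port, fid, cvss in findings:
        hosts[fid].add(host)
        score[fid] = cvss
    return sorted(((fid, score[fid], sorted(hosts[fid])) for fid in hosts),
                  key=lambda e: (-e[1], -len(e[2]), e[0]))


def delta(previous: set, current: set) -> dict:
    """Track findings over time (slide 24): fixed, new and persisting between scans."""
    return {"fixed": sorted(previous - current),
            "new": sorted(current - previous),
            "persisting": sorted(previous & current)}


if __name__ == "__main__":
    march, april = parse_scan(SCAN_MARCH), parse_scan(SCAN_APRIL)
    print("Executive summary (March):", executive_summary(march))
    for fid, cvss, affected in remediation_plan(march):
        print(f"  {fid} CVSS {cvss} {severity(cvss)} on {len(affected)} host(s): {affected}")
    print("March -> April:", delta(march, april))
```

The `delta` view is what makes the assessment a program rather than a one-off: a finding that is "persisting" across two cycles with a critical rating is the item to raise, and a host that is "new" in scope may be an asset nobody told the scanner about.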
  • 26. Vulnerability Classification
■ Publicly disclosed vulnerabilities that have been assigned an identifier are catalogued in the National Vulnerability Database (NVD) under their Common Vulnerabilities and Exposures (CVE) ID.
  – https://nvd.nist.gov
■ CVE Details is a website which gathers CVE data from NVD and several other prominent sources.
  – https://www.cvedetails.com
■ CVE criticality is graded using the Common Vulnerability Scoring System (CVSS), which produces a Base, a Temporal and an Environmental score.
  • 27. Common Vulnerability Scoring System (CVSS) Explained
■ CVSS v1 (2005) – We don't talk about version 1.
■ CVSS v2 (2007) – Risk based and widely adopted, but required too much knowledge of the attack and the vulnerability to be practical.
■ CVSS v3.0 (2015) – Risk based and aimed to more accurately reflect the reality of the vulnerability in the real world.
■ CVSS v3.1 (2019) – Severity based (the v3.1 specification states explicitly that CVSS measures severity, not risk) and aimed to improve clarity of concepts.
  • 28. Common Vulnerability Scoring System (CVSS) Explained
■ Base Score – the static, unchanging characteristics of a vulnerability; does not change over time.
■ Environmental Score – based on the specific environment in which the vulnerability is found: business criticality of the affected asset versus compensating controls.
■ Temporal Score – based on ease of exploitation and vendor patching:
  ▪ When a vendor patch is released, the score goes down.
  ▪ When exploit code is released, the score goes up.
  • 29. Common Vulnerability Scoring System (CVSS) Explained
  • 30. Penetration Testing
An authorized simulation of a cyber attack against a computer system, with the goal of identifying vulnerabilities in the computer systems, in the policies and procedures surrounding the systems, and in the people managing the systems.
■ Also known as a "Pen Test" or "Ethical Hacking"
■ Utilizes a phase-based methodology
■ Point-in-time assessment
  • 31. Types of Penetration Tests
Infrastructure
■ Internal Network
■ External IP Space
■ Wi-Fi
Application
■ Windows / Mac Software
■ Web Application
■ Mobile Application
Physical
■ Secure Facilities
Social
■ Phishing
■ Vishing
Penetration tests are scenario based:
■ Black Box – as an attacker with zero knowledge.
■ Grey Box – as an attacker with some knowledge.
■ White Box – as an attacker with complete knowledge.
  • 32. Testing Layers of Security
■ External Layer
■ Internal Layer
■ Application Layer
■ People Layer
  • 34. The phases of a Penetration Test
Phase 0 – Planning and Authorization
Phase 1 – Information Gathering
Phase 2 – Vulnerability Detection
Phase 3 – Exploitation
Phase 4 – Reporting
Post Testing – Remediation Verification
  • 35. Phase 0 – Planning and Authorization
■ Scope and timing finalized
■ Contracts are signed
■ Rules of Engagement completed
  • 36. Phase 0 (continued) – Rules of Engagement
The Rules of Engagement establish:
■ Permission
■ Type of Testing
■ Scope & Timing
■ Sensitive Data Handling
■ Points of Contact
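Slides 35 and 36 list what the Rules of Engagement establish; the practical consequence for the tester is a check that runs before every scan or exploit attempt in Phases 2 and 3, so that nothing is touched outside the agreed scope and window. The following added example is such a guard. It is not AWA's rules-of-engagement template: the address ranges (RFC 5737 documentation space and an RFC 1918 range), the exclusion list, the detect-only range, the testing window and the contact addresses are all constructed, and the "US Eastern standard time" offset is an assumption for the example.

```python
"""Added example: a rules-of-engagement guard run before each scan/exploit step.
Scope, window and contacts below are constructed for illustration."""
import ipaddress
from datetime import datetime, timezone, timedelta

ET = timezone(timedelta(hours=-5))   # assumption: window agreed in US Eastern (standard time)


def at(year, month, day, hour, minute):
    """Timezone-aware engagement timestamp in ET (keeps the window comparable)."""
    return datetime(year, month, day, hour, minute, tzinfo=ET)


RULES_OF_ENGAGEMENT = {
    "permission": "signed authorization letter on file",
    "type": "grey box, external and internal infrastructure",
    "in_scope": ["203.0.113.0/24", "10.10.0.0/16"],                 # constructed ranges
    "excluded": ["10.10.5.20", "10.10.5.21", "203.0.113.250/31"],    # e.g. production DB pair
    "no_exploit": ["10.10.9.0/24"],                                  # detect only, never exploit
    "window": (at(2021, 2, 1, 18, 0), at(2021, 2, 5, 6, 0)),         # constructed window
    "contacts": {"client": "security-ops@client.example",
                 "tester": "pentest@tester.example"},                # placeholders
}


def _in_any(addr, networks) -> bool:
    """True if addr falls in any listed network (a v6 address never matches a v4 net)."""
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def authorized(target: str, action: str, when: datetime, roe=RULES_OF_ENGAGEMENT):
    """Return (allowed, reason); action is 'scan' or 'exploit'.

    Checks, in order: the target is an IP address (hostnames must be resolved and
    the resolved address re-checked, otherwise a DNS change silently moves the test
    out of scope), the time is inside the window, the address is inside an agreed
    range, it is not excluded, and exploitation is not barred for it."""
    if action not in ("scan", "exploit"):
        return False, f"unknown action {action!r}"
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False, f"{target!r} is not an IP address; resolve it, then check the address"
    if when.tzinfo is None:
        return False, "naive timestamp; use a timezone-aware time to compare with the window"
    start, end = roe["window"]
    if not (start <= when <= end):
        return False, f"outside testing window {start.isoformat()} .. {end.isoformat()}"
    if not _in_any(addr, roe["in_scope"]):
        return False, f"{addr} is not in any in-scope range"
    if _in_any(addr, roe["excluded"]):
        return False, f"{addr} is explicitly excluded"
    if action == "exploit" and _in_any(addr, roe["no_exploit"]):
        return False, f"{addr} is detect-only: exploitation not permitted"
    return True, "authorized"


def filter_targets(targets, action, when, roe=RULES_OF_ENGAGEMENT):
    """Split candidates into (allowed, rejected-with-reason) before they reach a scanner."""
    allowed, rejected = [], []
    for t in targets:
        ok, why = authorized(t, action, when, roe)
        if ok:
            allowed.append(t)
        else:
            rejected.append((t, why))
    return allowed, rejected


if __name__ == "__main__":
    now = at(2021, 2, 2, 22, 30)
    for t in ["203.0.113.10", "203.0.113.251", "10.10.5.20", "10.10.9.7",
              "10.20.0.1", "app.client.example"]:
        print(t, authorized(t, "exploit", now))
```

Two details are deliberate: the guard refuses hostnames rather than resolving them itself, because the address a name resolves to at scan time is what has to be inside scope, and it refuses naive timestamps, because Python raises on comparing naive and aware datetimes and a window check that crashes is as useless as one that is skipped.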
  • 38. Phase 2 – Vulnerability Detection
▪ Host detection
▪ Security detection
▪ Port scanning
▪ Vulnerability scanning
▪ Vulnerability classification
  • 39. Phase 3 – Exploitation
▪ Vulnerability verification
▪ False positive elimination
▪ If exploitation is possible:
  ▪ Establish access to the system or resource
  ▪ Attempt to pivot to additional systems
  • 40. Phase 4 – Reporting
■ Executive Summary (2-3 pages)
  • PDF document
  • Date, scope and approach of the assessment
  • Number of vulnerabilities across the entire scope
■ Technical Report (50+ pages)
  • Excel document of scanner results
  • Complete breakdown of each vulnerability
  • Remediation suggestions
■ Attack Narrative (50+ pages)
  • PDF document
  • Step-by-step narrative of the attack
  • 41. Post Testing – Third-Party Remediation Verification
▪ Up to 60 days after report delivery
▪ Retesting of all vulnerabilities identified during testing
  • 42. Questions and Answers
■ Please send any Risk Assessment, Vulnerability Assessment or Penetration Testing related questions from this presentation.
■ If you think of a question after our webinar, please email us at: [email protected]