Penetration Testing: The Importance of Your Bank's Perimeter Security

Slide 1

Penetration Testing: The Importance of Your Bank's Perimeter Security
Presented by: Brian Hunter & Philip Diekhoff, BKD Risk Management Group

Slide 2

A Brief History of Hacking

Slide 3

The Penetration Tester
- Testing done by an Ethical Hacker (EH) who attempts to circumvent the security of a computer system or network
- The EH works under no restrictions other than those that would apply to normal users
- The EH uses the same methodology & tools used by hackers

Slide 4

Types of Penetration Testing
- External Penetration Testing: taking on the role of a hacker to gain access from the Internet
- Internal Penetration Testing: taking on the role of a disgruntled employee or third-party vendor to gain access from inside the network

Slide 5

Different Types of Penetration Testing
What types of testing can be done?
- No knowledge (hacker from the Internet): test is performed with no information about the organization
- Knowledgeable (former employee): test is performed with some knowledge but no access
- Insider (consultants or vendors): test is performed inside with physical access to the network; knowledge is limited
- Knowledgeable insider (staff): test is performed inside with knowledge. This tests how secure the network is & whether employees can access resources they shouldn't be able to

Slide 6

Security Offerings – What's out there?
- Network Scanning
- Vulnerability Scanning
- Penetration Testing
What is the difference?

Slide 7

Network Scanning
What is it?
- Uses port scanners (ex. Nmap, SuperScan)
- Scans the network to determine what devices are there, what ports are open & what services are running on those ports
- Fast and efficient, but doesn't test for vulnerabilities

Slide 8

Vulnerability Scanning
What is it?
- Identifies network hosts & services
- Identifies host operating systems
- Identifies applications running on those devices
- Identifies potential vulnerabilities correlated to those systems & applications
- Based on a database of vulnerabilities, not actual testing
- Fairly fast, gives a list of vulnerabilities, but has many false positives

Slide 9

Penetration Testing
What is it?
- A set of procedures designed to bypass the existing security controls of a particular system or organization
- Encompasses network scanning & vulnerability scanning, but adds the human element & verification of vulnerabilities
- True hacker approach; verifies vulnerabilities, but requires time & skill
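The three tiers on the last three slides (network scanning, vulnerability scanning, penetration testing) differ in what they conclude from the same scan data. The following is an added example, not code from the BKD deck or any scanner: it runs the three tiers over a constructed scan result, with invented hosts, product names, versions and a placeholder "vulnerability database", so that the database-only false positive of tier 2 and the verification step of tier 3 are visible side by side.

```python
"""Added example (not from the BKD deck): the three service tiers the slides
contrast, run over a constructed scan result.

network_scan()        -> what the port scanner sees (hosts, open ports, banners)
vulnerability_scan()  -> banner-to-database correlation, including a false positive
verify_findings()     -> the pen-test step: confirm or dismiss each finding

All hosts, banners and the "vulnerability database" below are constructed for
illustration; they are not real scan output or real advisories.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    product: str
    version: str  # version string exactly as the banner reports it


# Constructed scan result (what a port scanner such as Nmap would report).
SCAN_RESULT = [
    Service("10.0.0.5", 25, "tcp", "ExampleMTA", "2.4.1"),
    Service("10.0.0.5", 80, "tcp", "ExampleHTTPd", "1.9.0"),
    Service("10.0.0.9", 445, "tcp", "ExampleSMB", "3.0"),
    Service("10.0.0.12", 3389, "tcp", "ExampleRDP", "6.1"),
]

# Constructed vulnerability database: product -> [(highest affected version, advisory id)].
# Advisory ids are placeholders, not real CVE numbers.
VULN_DB = {
    "ExampleMTA": [("2.4.2", "ADV-PLACEHOLDER-001")],
    "ExampleHTTPd": [("1.8.9", "ADV-PLACEHOLDER-002")],
    "ExampleSMB": [("3.0", "ADV-PLACEHOLDER-003")],
}


def parse_version(version):
    """'2.4.1' -> (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def network_scan(services):
    """Tier 1: inventory of reachable hosts and open ports. No vulnerability judgement."""
    inventory = {}
    for svc in services:
        inventory.setdefault(svc.host, []).append((svc.port, svc.proto, svc.product))
    return inventory


def vulnerability_scan(services, db):
    """Tier 2: correlate banners with the database. A finding is (service, advisory)."""
    findings = []
    for svc in services:
        for highest_affected, advisory in db.get(svc.product, []):
            if parse_version(svc.version) <= parse_version(highest_affected):
                findings.append((svc, advisory))
    return findings


# Constructed stand-in for an authenticated check of the installed patch level:
# the MTA on 10.0.0.5 carries a vendor-backported fix, so its banner still matches
# the database although the flaw is gone (the classic scanner false positive).
BACKPORTED_FIXES = {("10.0.0.5", 25): {"ADV-PLACEHOLDER-001"}}


def verify_findings(findings, backported=BACKPORTED_FIXES):
    """Tier 3: the human step. Every tier-2 finding is either verified or dismissed."""
    verified, false_positives = [], []
    for svc, advisory in findings:
        if advisory in backported.get((svc.host, svc.port), set()):
            false_positives.append((svc, advisory))
        else:
            verified.append((svc, advisory))
    return verified, false_positives


if __name__ == "__main__":
    print("tier 1:", network_scan(SCAN_RESULT))
    found = vulnerability_scan(SCAN_RESULT, VULN_DB)
    ok, fps = verify_findings(found)
    print("tier 2 findings:", len(found), "| tier 3 verified:", len(ok), "dismissed:", len(fps))
```

Tier 2 flags two of the four services purely from banner-versus-database comparison; tier 3 keeps one and dismisses the backported MTA. That is the slide's point: the scanner's list is a starting point, the report should contain only what was verified.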

Slide 10

Why do I Need Penetration Testing?
- Risk assessment
- Verification of security controls
- Identify vulnerabilities
- Regulatory compliance
- Prevent loss

Slide 11

It Won't Happen to Me
- No one would be interested in a small organization like us
- They think the IT department has everything under control, or
- People become complacent with their network
Consider This!

Slide 12

Check This Out
Hacked Sites: http://www.privacyrights.org/ar/ChronDataBreaches.htm

Slide 13

Data Breaches 2006: Analysis

Slide 14

Questions to Ask
- What is their methodology?
- Is the methodology proven; has it been used successfully before?
- Ask for references (more is better!)
- How long have they been performing this type of work?

Slide 15

Things to Keep in Mind
- Need for independence
- Testing of any kind can be disruptive & damaging
- Are we talking about network scanning, vulnerability scanning or penetration testing? Check scopes & methodologies
- There is no single standard methodology for penetration testing, but there has been some standardization

Slide 16

Key Methodology Steps
- Scope of work / engagement letter
- Footprinting
- Scanning
- Enumeration
- Penetration
- Privilege escalation
- Find sensitive data
- Conference with client (discuss findings)
- Report (contains findings & recommendations)

Slide 17

Footprinting
- Public information gathering to determine the organization's demographics, locations, addresses, hosts, etc.
- Organizational reconnaissance
- Network reconnaissance
  - Domain names
  - IP addresses
  - Pinpoint servers (web, email, DNS, etc.)
- Employee information
- Search newsgroups for company information

Slide 18

Scanning
- Assess & identify listening services to focus the attack on the most promising avenues of entry
- TCP and UDP port scanning
- Locate publicly accessible devices on the IP segment
- Identify open ports on devices
- Stealth is required so as not to alert Intrusion Detection Systems

Slide 19

Enumeration
- Enumerate network devices & determine what is running & what it is running on
- Identify hardware
- Identify operating system
- Identify services & their versions
- Identify applications
- Identify potential vulnerabilities

Slide 20

Penetration
- Use information from the previous steps to gain access to systems
- Using all information gathered so far, prioritize targets by the severity of the vulnerabilities found
- Systematically address all potential vulnerabilities on all systems
- Never perform Denial of Service (DoS) attacks
- Demo: RPC Exploit

Slide 21

Privilege Escalation
- Depending on the privilege level obtained in the penetration phase, it may be necessary to attempt to increase the privilege level to gain total control of the system
- Demo: RPC Exploit
- Demo: PWDump
- Demo: File

Slide 22

Find Sensitive Data – a.k.a. Steal
- Footprint & scan the internal network
- Identify internal servers & their purpose
- Attempt to locate sensitive information
  - Crack password files
  - Databases
  - Accounting programs
- Demo: LC4

Slide 23

Exit Meeting
- Meet & discuss findings
- Address the biggest security findings so you can begin fixing them immediately
- Get all your questions answered

Slide 24

Report
- The real value in penetration testing is in the report
- It should identify vulnerabilities
- It should give recommendations on fixing those vulnerabilities

Slide 25

What Will it Take to Keep Me Out?
- Not as much as you might think
- New, expensive hardware is not usually required
- Most security issues can be addressed quickly & easily
- Most time & energy will be spent on security awareness

Slide 26

What Will it Take to Keep Me Out? (cont.)
- Understand that the threats are real
- Be proactive with your IT security
- Clear, concise policies that define security requirements & expectations of employees
- Patches: keep all computers & network devices current with the latest service packs, patches and upgrades

Slide 27

What Will it Take to Keep Me Out? (cont.)
- Configure routers & firewalls to block all unnecessary traffic
- Develop an "Incident Response Team"
- Have testing performed regularly
- Use intrusion detection systems
- Remember, all testing/scanning is a snapshot of the network at that point in time
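Two of the bullets above fit together: the firewall policy of "block all unnecessary traffic" gives you an allowlist, and "a snapshot of the network at that point in time" means each test must be compared with the last one. The following is an added example, not code from the BKD deck or any scanner: it parses two constructed scan snapshots (a simple "host,port,state" export invented for the example, with RFC 5737 documentation addresses) and reports both what the firewall policy says should not be reachable and what changed between the two tests.

```python
"""Added example (not from the BKD deck): compare perimeter scan snapshots
against the firewall allowlist and against each other.

The snapshot format, the addresses and the policy below are all constructed
for illustration.
"""

# Firewall policy: the only (host, port) pairs that are supposed to be reachable
# from the Internet.  Everything else should be blocked ("unnecessary traffic").
ALLOWED = {
    ("203.0.113.10", 443),  # public web server
    ("203.0.113.20", 25),   # mail gateway
}

# Constructed scan exports in a simple "host,port,state" form.  The second one
# was taken after a change window and shows two new exposures.
SNAPSHOT_JAN = """\
# host,port,state
203.0.113.10,443,open
203.0.113.10,22,filtered
203.0.113.20,25,open
"""

SNAPSHOT_APR = """\
# host,port,state
203.0.113.10,443,open
203.0.113.10,8080,open
203.0.113.20,25,open
203.0.113.30,3389,open
"""


def parse_snapshot(text):
    """Return the set of (host, port) pairs the scanner reported as open."""
    open_ports = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port, state = line.split(",")
        if state == "open":
            open_ports.add((host, int(port)))
    return open_ports


def policy_violations(snapshot, allowed=ALLOWED):
    """Open (host, port) pairs that the firewall policy says should be blocked."""
    return sorted(snapshot - allowed)


def snapshot_drift(old, new):
    """What appeared and what disappeared between two tests."""
    return {"opened": sorted(new - old), "closed": sorted(old - new)}


def retest_required(old, new, allowed=ALLOWED):
    """True when the newer snapshot exposes something outside policy that the
    older one did not: the 'significant change' that should trigger a retest."""
    return bool(set(snapshot_drift(old, new)["opened"]) - allowed)


if __name__ == "__main__":
    jan, apr = parse_snapshot(SNAPSHOT_JAN), parse_snapshot(SNAPSHOT_APR)
    print("policy violations now:", policy_violations(apr))
    print("drift since last test:", snapshot_drift(jan, apr))
    print("retest required:", retest_required(jan, apr))
```

The January snapshot is clean against the policy; by April a management port and a second web port are reachable that the firewall should be blocking. Neither would be known from the January report, which is exactly why the slide calls a test a snapshot.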

Slide 28

Common Entry Points
When securing your network, pay attention to the most common points of entry for hackers:
- Misconfigured routers
- Misconfigured firewalls
- Misconfigured Internet servers
- Unpatched software
- Unsecured remote access
- Accounts with excessive permissions
- Weak & easily guessed passwords
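The last two entry points on the slide are the ones an organization can check for itself before any tester arrives. The following is an added example, not code from the BKD deck: a password-policy check of the kind that runs when a user sets a new password (length, a denylist of common passwords with appended digits or symbols stripped off, the username, organization words, keyboard sequences), plus a check that only approved accounts hold administrative rights. The denylist, usernames, organization word and approved-admin set are all constructed for the example.

```python
"""Added example (not from the BKD deck): policy checks for the two
account-related entry points on the slide, weak passwords and excessive
permissions.  The denylist and all account data below are constructed."""
import re

# Constructed denylist standing in for a real common/breached-password list.
COMMON = {"password", "welcome", "letmein", "qwerty", "123456", "summer", "winter"}
KEYBOARD_RUNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 12

# Constructed: the only accounts that are supposed to hold administrative rights.
APPROVED_ADMINS = {"itadmin"}


def password_weaknesses(candidate, username="", org_words=()):
    """Return the list of policy rules the candidate password breaks (empty = passes)."""
    reasons = []
    lower = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # Strip leading/trailing digits and symbols so 'Welcome2024!' is judged as 'welcome'.
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lower)
    if core in COMMON or lower in COMMON:
        reasons.append("common password (with or without appended digits/symbols)")
    if username and username.lower() in lower:
        reasons.append("contains the username")
    for word in org_words:
        if word.lower() in lower:
            reasons.append(f"contains organization word '{word}'")
    # Any five consecutive keys from a keyboard row counts as a sequence.
    if any(run[i:i + 5] in lower for run in KEYBOARD_RUNS for i in range(len(run) - 4)):
        reasons.append("contains a keyboard sequence")
    if len(set(lower)) <= 3:
        reasons.append("too few distinct characters")
    return reasons


def audit_accounts(accounts, org_words=(), approved_admins=APPROVED_ADMINS):
    """accounts: iterable of (username, candidate_password, is_admin).
    Returns {username: [findings]} for every account that fails a check."""
    report = {}
    for username, password, is_admin in accounts:
        findings = password_weaknesses(password, username, org_words)
        if is_admin and username not in approved_admins:
            findings.append("holds admin rights without approval (excessive permissions)")
        if findings:
            report[username] = findings
    return report


if __name__ == "__main__":
    # Constructed accounts being checked at password-change time.
    sample = [
        ("itadmin", "correct-horse-battery-staple", True),
        ("jsmith", "Welcome2024!", True),
        ("mlee", "mlee@ExampleBank", False),
    ]
    for user, findings in audit_accounts(sample, org_words=("ExampleBank",)).items():
        print(user, "->", "; ".join(findings))
```

The check is meant to run at password-set time, where the plaintext is legitimately available, rather than against stored credentials. Stripping the appended digits before the denylist lookup is what catches the "Welcome2024!" pattern that a plain length-and-complexity rule lets through.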

Slide 29

Key Takeaways
- It is not a matter of "IF" but "WHEN"
- Be proactive before you have to be reactive
- Understand the importance of the methodology
- Retest after significant changes
- It's a process, not a destination

Slide 30

How to Contact Us
Brian Hunter, Supervising Consultant, Springfield, MO, 417.865.8701, bdhunter@bkd.com
Philip Diekhoff, Senior Consultant, Springfield, MO, 417.865.8701, pdiekhoff@bkd.com
