00:00:00 So, more on physical security controls. We have premises and company surroundings, so we have
00:00:18 things like fences, gates, walls, alarms, closed-circuit television cameras or CCTVs, intruder
00:00:25 systems like, you may have pressure points on the fence so that if somebody's pressing on
00:00:29 the fence the pressure is sensed, the change. They may have pressure plates in the ground where people
00:00:35 running across the ground are detected if they weigh over, say, 50 pounds or something, in case you
00:00:39 have dogs. Also you may have dogs also to protect the grounds. Panic buttons, so panic buttons in
00:00:46 strategically placed areas like out in the parking lot for your employees in case there's a, somebody
00:00:51 tries to snatch and grab in the parking lot. Burglar alarms, windows and door bars, deadbolts, deadlocks,
00:00:57 etc. And the reception area: you want to lock the important files and documents, don't leave them
00:01:04 floating around. People walk away from their desk, I can go in, snatch stuff, take pictures of stuff, and
00:01:08 you want to lock equipment when it's not in use. So this is important. Today they have contact lenses
00:01:14 with little micro cameras embedded in them, so I can walk around and you'll never see the camera on me.
00:01:18 They also have pins and watches that have cameras in them, so I can just go and film stuff and you
00:01:23 won't even know, even if you're watching it on the camera, right? So we have servers and workstation
00:01:27 areas. We want to lock the systems when not in use, disable, avoid having removable media and DVD-ROM
00:01:33 drives, CCTV cameras in these secure spaces, and workstation layout designed accordingly so that one
00:01:42 camera can maybe see the whole room appropriately, that kind of thing. And then other equipment such as fax,
00:01:48 modem and removable media: you want to lock fax machines when not in use, file the fax as it's obtained
00:01:53 properly, or file the faxes obtained properly, disable auto-answer mode for modems, do not
00:02:01 place removable media in public places, and physically destroy corrupted removable media. So
00:02:08 this is an important one, you'll see a couple of test questions on this. And the first one, premises and
00:02:13 company surroundings: so lock the fax machine when not in use, file the faxes obtained, so the incoming faxes, you
00:02:21 want to take those and lock them away as they come in, or preferably send them to a mailbox instead of
00:02:26 printing them directly so that they can be printed on demand, because they're just going to sit there until
00:02:31 someone grabs them, right? And then if somebody does send a fax and somebody snatches it, how do you know
00:02:37 that one is missing? So you need a way to kind of check that. So you've got to think about that. Fax machines are,
00:02:43 a lot of people still think they're good security because it's old-school technology, may be harder to
00:02:49 eavesdrop on it versus getting in someone's email, so like medical people still use these quite a bit
00:02:56 and trust them, but you know, the physical access to them is usually not controlled very well at all,
00:03:04 even at hospitals. It's incredibly, I see it all the time where I'm like, man, I could just watch, this is
00:03:08 so dumb. I had to fax this thing, I went through all this trouble, and now I could just walk up here and
00:03:12 snatch this thing. This is just dumb, right? So don't be stupid about that kind of thing, don't miss that if
00:03:18 you're doing an assessment. And then now I want to access control: separate work areas, implement
00:03:25 biometric access controls like fingerprints, retinal scanning, iris scanning, vein structure recognition,
00:03:30 face recognition and voice recognition, entry cards, mantraps, faculty sign-in procedures, identification
00:03:39 badges, etc. So there's a lot of different stuff we could talk about in here. So separate work areas:
00:03:49 you don't want your security team working out in the public with the rest of the organization. That can
00:03:56 leak information. If there's a breach, someone may eavesdrop on that and then go and report that to a
00:04:02 public entity like a newspaper or something like that. With respect to fingerprinting, sometimes those
00:04:08 can be faked with tape and things like that, so you want to kind of take that into consideration, and
00:04:13 that, and with respect to accuracy, right, so accuracy goes this way, inside out. So the iris, the back of your
00:04:23 eyeball, the closest thing to your brain, is the most secure, the iris is the second, the handprint is the
00:04:29 third, and the fingerprint is the fourth. So the further away you get from your brain, the
00:04:34 less accurate it is; so the closer you get to your brain, the more accurate it is. So in the order of
00:04:41 accuracy from least to best it's fingerprint, palm, iris, retina. Retina is a vein scan, it's looking at the back of
00:04:50 your eyeball on the curved part; the iris scan is the outer part of your eye, the front part, okay? So as you
00:04:57 leave your brain you get less and less accurate, okay? So that's how you remember which one's more accurate.
00:05:03 With respect to badges, just remember I wouldn't put my name and that I'm on, I'm an elite member of a
00:05:11 security team. You know, don't, don't advertise more than you need to advertise. People need to know who
00:05:15 you are, what your name is, that's about it, and you might even abbreviate your name, in other words not
00:05:22 give them your full name. What else do we need to talk, discussing here? So we talked about the face
00:05:28 recognition. So again, the face is less accurate than the iris, or the iris and then the retina; the closer
00:05:36 you get to the brain the more accurate it is, from your hand upwards. Mantraps: so a mantrap, which today
00:05:45 will probably get rebranded as a person trap, um, is a box, and you walk into this box and then you walk out of the box. So if
00:05:55 you've ever been to like an Equinix data center you will have traversed a mantrap, but these are big mantraps, or, um, most of the
00:06:03 time they're going to be smaller than that. They're little boxes, about a little bit wider than shoulder width apart. I'm a big guy, so they're not much bigger, not much wider than me, maybe a foot,
00:06:11 um, they're about four feet deep, and they're just big enough for, open a door, you walk through and then
00:06:18 the door closes, so they're going to fit you in a door. Um, the ones at the data centers are bigger because
00:06:23 you might be carrying equipment into the, into or out of the data center. And the way it works is they have
00:06:29 two doors, and they have an access control system on the outside of each door and on the inside of each
00:06:35 door. So as you're coming in you go through the first door, the door closes, then you've got to get
00:06:41 through the second door, and then you get through the second door, okay? So I just use my same credentials
00:06:46 twice; why is that secure? Well, it prevents piggybacking, so people can't come in behind you. But like at
00:06:52 Equinix data centers I piggyback all the time, but people are pretty good about making me put my PIN in.
00:06:58 I always try it just to see, uh, just to kind of check the security. And the guards, you have to sign in with
00:07:03 the guards in the front and they're watching you as well and they're making notes. I ask them, so I'm like,
00:07:08 hey, did you notice I just piggybacked? And he's like, yeah, we got a note of that right here. So they do
00:07:12 film and everything, and they record all of their videos. So these are things that you want to check
00:07:17 and ask about, um, it's important stuff and it raises the security posture. So you don't want to, uh, just kind
00:07:24 of go along, you know, these things are in place for a reason.
00:07:38 And then computer equipment maintenance: appoint a person to look after the computer equipment
00:07:57 maintenance. So somebody needs to be keeping an eye on the gear. If something's overheating or running
00:08:02 hotter, I used to, um, go in in the racks, when we had physical racks before everything was in the cloud, I used
00:08:06 to go in and shoot the back of them with an infrared thermometer to see which ones are running hot
00:08:10 today. We used to keep a log of that kind of thing so you could kind of sense a problem before it was
00:08:15 going to happen. Heat destroys electronics. Wiretapping: inspect all the wires carrying data routinely
00:08:23 and then protect the wire, shielded cables, never leave a wire exposed. So if you cut a wire you need to
00:08:29 replace it, um, that's another reason that neatness is important. Have you ever seen the pictures where
00:08:36 there's, um, if you Google, um, wiring mess or something like that, there's a lot of different ways you can
00:08:41 find these pictures, they're just wires everywhere behind servers, going across the room, you've got to
00:08:47 step over them, it's like, you know, getting through a laser beam field trying to climb and sneak into
00:08:52 there behind the rack to do something. Inevitably, inevitably, you're going to step on something, you're
00:08:57 going to pull a wire loose. These things are held in with plastic. I weigh 200 pounds, 250 pounds,
00:09:03 so, uh, it wouldn't be hard for me to pull the wire loose, right? So these are things you want to pay
00:09:09 attention to, and neatness is important for airflow as well, not just for pulling the wires loose, but
00:09:16 it's more important that the wires don't get pulled loose than the airflow, really. So, um, I mean all of it's
00:09:22 important, but if you have to assign a priority, you don't want to pull one loose because then you don't
00:09:25 know which one it is, you've got to go and troubleshoot it, and that can be a nightmare.
00:09:28 Uh, wiretapping, okay. First of all, wiretapping is illegal, we cannot do it. Do not sniff VoIP packets.
00:09:37 If you do, get rid of them immediately because you're not supposed to have them. So if you do sniff,
00:09:43 if you do sniff, uh, VoIP packets accidentally, do not listen to them. And, um, you want to inspect all the
00:09:52 wires carrying data and protect the shielded ones and never leave wires exposed, right? So we just discussed
00:09:58 this, and it's illegal, so don't do it. It's a federal offense, you get in a lot of trouble even if it was
00:10:05 mundane, and somebody finds out about it, it's going to be a big deal. Don't make any notes about it, don't
00:10:11 log it, don't leave an evidence trail if you accidentally do it. So don't, don't go and say,
00:10:18 oops, this happened, unless you need to say oops, this happened, like if it's logged where you can't touch the
00:10:24 data without, you know, a log being created, then you need to raise the alarm: hey, I logged some VoIP packets,
00:10:30 I didn't listen to them, you know, it was harmless, you know, whatever. It's still not going to matter
00:10:34 if somebody complains, right? Environmental controls, this is a big one. So we have humidity, air conditioning,
00:10:40 HVAC, which is heating, ventilating, ventilation and air conditioning, fire suppression, electromagnetic
00:10:46 interference shielding, and hot and cold aisles. So what is all this stuff about? So humidity needs to be
00:10:52 around 60 percent at most, 40 to 60 percent. You don't want to shock the gear; that means you have
00:10:59 too little humidity, you need more moisture in the air. If you have too much moisture in the air it can
00:11:04 cause corrosion and shorts in the equipment. So that's a fine line you want to maintain, and that's
00:11:09 important. That's not cheap either when you're designing a data center, so that's where the HVAC comes into
00:11:15 play. You want to have redundant systems, and then you want to have the proper type of fire suppression.
00:11:19 Obviously we're not going to squirt water on a server rack; you need some, the right kind of fire
00:11:24 suppression. Fire is very likely, so you need to put some thought into that. Fires do occur in data
00:11:29 centers. There's a lot of high voltage electricity running in there, you've got a lot of drives spinning,
00:11:35 so there's a little bit of vibration on that chassis which is causing chafing, so you want to make sure
00:11:40 you run the wires correctly so that they can, they don't get chafed and then cause shorts. You're more
00:11:45 concerned about the high voltage than the low voltages with respect to fire, but all kinds of
00:11:50 things can happen, um. EMI shielding: so you want to make sure that one machine malfunctioning, producing
00:11:58 some electromagnetic noise, doesn't interfere with something adjacent to it, so you want to run shielded
00:12:03 cabling through data centers. There's a lot of data going through there at high speeds, all kinds of
00:12:08 things can happen there. We talked about RF is like black magic, so you want to make sure you're running
00:12:14 shielded cables in these environments. And then hot and cold aisles: so when you have racks of servers,
00:12:21 again, if you've ever been to an Equinix data center, I'm picking on them today, you have the fronts
00:12:26 of the servers facing each other, and then you'll have a row of, so we have the fronts of the servers
00:12:32 here in this aisle, and then we have the backs of the servers here on this aisle. This aisle is where
00:12:38 all the air is being sucked into and it goes up, so then the cold air comes up out of the floor and
00:12:44 the, or it's dumped into the front of the server. So you have a front server aisle and you have a rear
00:12:49 server aisle, and it oscillates like that, so front, back, front, back, front, back, like that. So the cold air
00:12:57 is dumped in front of the servers and the hot air is pulled, so you have a supply and a return. So that's
00:13:03 what they mean by hot and cold aisles. So you have a cold air aisle, fresh air, where it's coming out of
00:13:08 the AC system, it gets sucked through the server rack and then right back up into the return and then
00:13:14 recycled, so on and so forth. So that's, if you walk down the data center you'll see that, that's how
00:13:19 they're arranged. All the cages are set up according to that kind of thing in a good data center, so that's
00:13:24 important. So you don't want to build a data closet in a closet, right? So it's good because all the
00:13:30 equipment's out of the way, I can lock it and that's wonderful, but now you've got a heating problem.
00:13:33 You're going to blow up the machines, because you're going to add one rack, one server, it's going to be
00:13:39 fine, then all of a sudden your business grows and now you've got 10 servers and now it's not fine,
00:13:45 so it's going to heat up the room to a point where it can no longer tolerate the temperature
00:13:49 and then you're going to have all kinds of problems.
00:14:03 Incident management. So one more thing I want to say about this is that you add
00:14:21 server, server, servers, so you, you're going to end up with a rack in a closet and you've got enough room
00:14:25 to run the wires and everything, you can fit two or three people in there working, it's a pretty big
00:14:29 closet, right? Might be like a laundry room type of situation, and you're like, oh, this is going to
00:14:35 work, Timber is full of it, he doesn't know what he's talking about. So then a few months goes by,
00:14:41 you've modified the air conditioner and it's, it's dumping cold air in the front, you have a return in
00:14:46 the back, so you're feeding the system properly, and now all of a sudden the AC goes out and now you
00:14:51 can no longer cool the room. So you get a call in the middle of the night, you come in, you open the
00:14:56 door and you're feeding air with fans and everything trying to keep everything cool,
00:15:00 but it's not enough, right? Because the room is too small, it's not designed for that.
00:15:04 So the problem is with these kind of closets is that you don't have redundant AC systems. So this
00:15:10 is a problem, and not only does it have to be a redundant system, but it has to have the same
00:15:14 capacity as the main supply system. So just keep these things in mind if you're going to do the data
00:15:19 closet thing versus putting it in the cloud. You know, many people, for secure applications, they want
00:15:24 to keep it on premise. Make sure you're following all the best practices for a data center when
00:15:29 you're building your stuff. If you can't afford it, do it in the cloud until you can, and just
00:15:33 figure out the security however you can, or, you know, you need to plan accordingly for budgeting.
00:15:40 Incident management. So now we're going to get into handling incidents. Incident management is a
00:15:46 set of defined processes to identify, analyze, prioritize and resolve security incidents.
00:15:54 So an incident may be false, it may be real; most of the time, hopefully, they'll be false. And then
00:16:01 we, we're going to do these things: identify, analyze, prioritize and handle or resolve them to restore
00:16:08 normal service operations as quickly as possible and to prevent further recurrences of the incident.
00:16:14 So we don't want the same kinds of incidents. For example, say they're false positives, you don't want to
00:16:19 be dealing with those over and over and over and over; you want to find out what happened there, right?
00:16:24 So you want to have some kind of a review and prevention process for figuring out what happened,
00:16:32 characterize it: is it a one-off or is it something we're going to need to put another policy change
00:16:37 in place for, something like that? So how do we handle incidents? We have vulnerability handling,
00:16:43 so somebody reports a vulnerability, what do we do with it? We find it ourselves, we've got a
00:16:48 vulnerability, what do we do with it? Can we mitigate it, can we resolve it, can we just say we're going to accept
00:16:54 it? So you need a process in place for all three of those options, right? Artifact handling: so we've
00:16:59 got a hard drive that was used to store something that's illegal, what, how do we do that, what's our
00:17:05 process for that? You need a process in place for that, you need to have a chain of custody mechanism,
00:17:10 a safe place to store this stuff. Announcements: how are you going to socialize things to the
00:17:15 organization, who is going to socialize it, right? It has to be the right people for people to respect
00:17:20 the message, and if they don't respect the message, all the little minions in the company are going to
00:17:26 go running outside the org and reporting it to everybody and their brother, which is what you do not
00:17:30 want. You want to have a good coherent workforce, you want them to trust you; a sign of that is that
00:17:36 they won't go run and report it to the next reporter down the street, okay? And then alerts, um, how do we
00:17:43 alert, how do we handle alerts, right? So do we want to alert our workforce via an announcement, or are we
00:17:51 going to handle alerts, how do we handle them? So we got an alert, it's 3am, what do we do, what happens?
00:17:58 So we need to understand all these things. We got an alert and it's lunchtime, what happens? It's 9am, what
00:18:03 happens? Okay, so with respect to incident handling, we want to triage, like we want to go just take a look
00:18:09 at everything, gather all the facts, and then we want to go on to report, reporting and detection,
00:18:16 we want to go on to incident response, so how we're actually going to respond to this incident, and then
00:18:20 analysis, you know, what actually happened, do we have all the facts, right? And then other incident
00:18:26 management services, so there's other things that you need to do, like responsible reporting. If you're a
00:18:31 public company, if you're PCI, who do you reportedly, uh, you responsibly report to, who needs to know about
00:18:38 this incident, um, do we have insurance matters, do we have legal matters that we need to be concerned
00:18:43 with? You can't just go run out and report this stuff, it's not how it works, you know, unless it's
00:18:48 something like kitty porn. Even in the case of kitty porn, this is what I always tell people: if you find
00:18:54 kitty porn on your boss's machine then you go to your boss's boss. But let's say that your boss and his
00:19:01 boss are in on it together and they're producing kitty porn and storing it on their work computers,
00:19:06 so you reported it to his boss because you discovered it on his machine in some kind of a
00:19:12 way. You don't go run to the police and report that, you report it to his boss. If the boss doesn't do
00:19:18 anything about it in a very quick amount of time, then you go to the highest person in the organization
00:19:24 that you can find, you report it to them, and if nothing's done then you go and report it to the
00:19:29 police. You try to get it kicked off internally first and let the right people go and report. You do not
00:19:35 want to be dragged into this any more than you have to be. So the right thing to do on the test, okay, so
00:19:42 for the test, the CEH test, you go to the police immediately, that's what they tell you to do, but
00:19:48 in real life that's not how these things are handled. You want to find, you want to report it internally
00:19:53 first. They will jump all over this, they should jump all over this; if they're not, then you go up the
00:19:59 chain as high as you can. Don't go to everybody up the chain, you, you go one, two steps and then you go to
00:20:05 the highest step, and if nothing's being done then you go outside. That's the responsible thing to
00:20:10 do. You need to protect the company, and they will take care of it, in most cases they will take care
00:20:15 of it, and what they're going to do is go and report it, and they'll have their whole legal team will jump
00:20:21 all over it, that kind of thing, and then that's the responsible way to report, okay? But for the test you
00:20:27 go directly to the police, okay? You report it right to the police, you don't report it to your manager.
00:20:34 There's a test question about this. So for the test you report it to the police; in real life
00:20:39 you try to report it internally first and let them take care of it, and that way you're out of the loop.
00:20:44 And just keep all the information that you have. You already have the evidence that it happened,
00:20:49 they're not going to be able to delete that, right? They're not going to change that.
00:21:04 Okay, the incident management process: preparation for incident handling and response,
00:21:25 we want to detect and analyze, we want to classify and prioritize, notifications, containment, forensic
00:21:33 investigations, eradication and recovery, and post-incident activities. So this is the general process
00:21:42 for incident management, managing incidents, right? So earlier we talked about a good security program.
00:21:54 So a good security program detects it quickly and eradicates it quickly, right? That's a good security
00:21:59 program. A good security program is not one that's never been breached; that's not necessarily a good
00:22:05 security program, it probably means that they just haven't been tested yet. If they want to get in,
00:22:10 they will get in. They will phish the organization, which is a common thing to do today because it's
00:22:16 getting harder and harder to get in the front door, so they're going to go in the back door, they're
00:22:20 going to start doing phishing and serving up ransomware, things like that. That's probably the number one threat
00:22:27 today, is phishing and ransomware, and in that order. So, um, or it's the most common anyway, the most common
00:22:34 successful ones at least that people are finding out about, but that's an easy one to find out about
00:22:38 because everything's encrypted, right? So, um, it's like the old, back in the old day where we had data
00:22:44 destruction; that kind of went away for a while and now it's back because they just want the cash to
00:22:48 release your gear. Most of the time when you try to pay ransomware they, they don't give you the keys,
00:22:54 so it's not a good idea to do that. Um, what else can we say about this? So we talked about, um,
00:23:02 detect it early and eradicate it. So there's a lot more stuff that goes on, you can see from this, right?
00:23:09 We have forensic investigations, eradication and recovery, post-incident activities. But Timber, you said
00:23:14 all we need to do is detect it early and get rid of it, right? That's it? No, you need to do all this other
00:23:19 stuff too, but what I'm telling you is the ability to do those two things is a good security program.
00:23:24 It does not replace all of this stuff, right? We still have to do all this stuff, so just prepare
00:23:31 yourself for that as well. So you need tools for containment, you need tools for forensic investigations,
00:23:37 you need eradication and recovery tools. So you can see that you've got to have a lot of stuff in
00:23:43 place on your network. So if you go to work for a company that doesn't have a lot of money, this is going
00:23:48 to be a problem, right? You might be able to help them with some open source tools, but you really
00:23:51 need, again, I tell people all the time, when you go for an interview that's a two-way street: you need
00:23:56 to interview them and they need to interview you. Are you a good fit, are they a good fit for you?
00:24:01 So just keep these things in mind. You don't want to work at a company, well, it might be good to get
00:24:05 experience at working at a company that gets breached every hour and there's nothing you can do
00:24:09 about it, just to kind of go through all the fire drills, but it's not a place where you're going to
00:24:13 find long-term success. Responsibilities of an incident response team: so as a team, what are
00:24:22 our responsibilities? And by the way, in this field you're always going to be working in teams, you're
00:24:26 going to need to work very closely with people. So if you're anti-social, which a lot of elite people in
00:24:33 this field tend to have some kind of deficit in one facet or another, it's just a feature, right? The
00:24:40 smarter you are, you're missing something else most likely, not everyone, but you know, it's common to
00:24:45 find that. So you're going to need to be able to work with other people and you're going to have to
00:24:50 find a way to do that. So it may not be pretty, but you can do it, right? So you need to keep that in mind.
00:24:56 So if you find that you're one of these people, just keep that in the back of your mind that, hey, I
00:25:00 need to work with these people, not in competition but in concert, right? We need to work with them,
00:25:05 not like, oh, I told you to do that. No, no, no, that's the last thing you tell someone, even if you did
00:25:11 tell them that, you don't point it out, right? So you're going to be managing security issues by taking
00:25:16 a proactive approach towards the customer's security vulnerabilities and by responding effectively to
00:25:22 potential information security incidents. So we're going to take a proactive response, we want to
00:25:27 actively pursue these things. And then we want to provide a single point of contact for reporting
00:25:32 security incidents and issues. So we need a policy in place for that that's going to tell us who
00:25:37 is responsible for handling incidents. Many SOC teams or security teams will have a phone number,
00:25:44 and that phone number will ring any number of people depending on how they've set it up,
00:25:48 but always someone will answer, not a machine, someone will answer. If it's an email system then
00:25:55 whoever gets that email better call within 15 minutes, you know, you better call pretty quickly
00:26:00 if somebody's looking, because they're panicking, right? And you don't want to do that, you don't
00:26:04 want to panic when there's an incident. You've got to be calm and collected and think it through
00:26:08 before you act or do anything. Developing, before anything comes out of your mouth, completely
00:26:13 think it through, don't open your mouth until you've thought about it, don't do the knee-jerk
00:26:17 reaction, it's very easy to do. Developing or reviewing the processes and procedures that must be
00:26:23 followed in response to an incident: so you want to be trained before this stuff kicks in. You don't
00:26:27 want to have to go through the fire drill and be sitting there reading the policy at the same time.
00:26:32 So you want to review changes in legal and regulatory requirements to ensure that all
00:26:35 processes and procedures are valid. So someone on your team might be doing this in parallel to the
00:26:41 team working: hey, are we doing this properly, are we, were there any new updates to the policy? I mean,
00:26:46 you should know that beforehand; if anything changes it needs to be socialized. But what if it happens at
00:26:51 the same time, right? So then, managing the response to an incident and ensuring that all procedures are
00:26:56 followed correctly in order to minimize and control the damage. So we want to minimize and control the
00:27:03 damage. If somebody's stealing a database, maybe we turn the database connection off, or at least block
00:27:11 that user's IP where the data is being hemorrhaged, right? Because it takes time to steal a terabyte of
00:27:16 data. And then we want to be reviewing existing controls and recommending steps and technologies to
00:27:21 prevent future security incidents, but we do that after, right? We don't do it at the same time.
00:27:26 And then identifying and analyzing what has happened during the incident, including the impact
00:27:33 and threat. So you want all the facts, so it's a fact-finding mission. Incident response is a fact-finding
00:27:38 mission: get the facts and then deal with the problem, and then you come back and say, did we
00:27:43 miss anything, after it's all done, after you've got the hacker out of your network, or blocked their access
00:27:48 at least. The malware may still be present on your network but you're null-routing all the communication,
00:27:52 okay, or the DNS is being null-routed for that machine, whatever it is, or that actual connection
00:27:59 if you have the ability to do that. And then lastly, you want to be establishing relationships with local
00:28:05 law enforcement agencies, government agencies, key partners and suppliers. Well, how do we do that? I don't
00:28:09 know anybody at the police department. You know, you may find that there's other ways you can do that, you can
00:28:15 join groups and things like that, there's different organizations that you can join to report to the
00:28:21 government, and it's just a website that you fill in the stuff and hit submit.
00:28:45So what is vulnerability assessment? We have a security assessment, which consists of hunting for
00:28:56vulnerabilities, doing a lot of work that looks for security problems; it might be physical security,
00:29:02and then another little piece of that puzzle is a pen test, right? So these are all in parallel. So what is
00:29:07a vulnerability assessment? A vulnerability assessment is an examination of the ability of a system or
00:29:13application, including current security procedures and controls, to withstand assault. Okay, that's a
00:29:19pretty good definition. It recognizes, measures and classifies security vulnerabilities in a computer
00:29:25system, network or communication channels. So it recognizes certain problems. People publish known
00:29:32vulnerabilities, so part of a vulnerability assessment is to go and look those up and see if any of them
00:29:38are present on your network, and those are almost always vulnerability scanners, right? They're tools.
00:29:43A vulnerability assessment may be used to do one of the following: identify weaknesses that could be
00:29:48exploited. So we have a known vulnerability, there is an exploit out for it, there's no evidence of
00:29:53it in our logs, so we haven't been hit yet, so let's go ahead and remove the vulnerability. Let's patch that
00:29:58program, or whatever it is that needs to be done to remove the vulnerability; it might be something in a router that
00:30:03needs a new firmware update, you know, something like that. And then vulnerability assessments may be used to
00:30:09predict the effectiveness of additional security measures in protecting information resources from
00:30:14attack. For example, denial of service vulnerabilities: we went and bought Akamai or something like that,
00:30:20now we're bulletproof for DoS, right? Well, no, because with denial of service, if they're attacking your DNS, Akamai
00:30:30will help; if they're attacking a certain system that Akamai is watching, that will help. But what if they
00:30:35skip Akamai and go right to your IP address versus coming through the DNS? Then you're
00:30:41still susceptible, right? So there are many ways to skin the DoS cat as far as beating the protection,
00:30:48so you want to make sure that the stuff's not routable, that it's being handled and set up properly
00:30:54through the proper routing protocols, and then it wouldn't be susceptible, right? Because there's no way to
00:30:59get to your IP unless you go through the DNS, that kind of thing. So there are many different ways to do
00:31:05that; we won't speak to specific technologies there, but just keep that in mind. Also, for applications,
00:31:13you may be able to handle a million incoming connections per second, or a billion, or 500 megabits,
00:31:20let's just say a gigabit per second of sustained connections. But then somebody finds a flaw in
00:31:29the program and starts exploiting that flaw, and they only needed three connections to do it.
00:31:34Now you're still susceptible to DoS because you put all of your money into that bucket
00:31:39instead of a good, wide security research program. Okay, so vulnerabilities can manifest themselves in
00:31:46many, many different ways. A vulnerability scanner will not catch them all. A penetration test is
00:31:51pretty good, but only as good as the people performing the test, so that's another weakness with penetration
00:31:56testing. So you have to kind of balance it, right? Security in depth: put a little bit here, a little
00:32:01bit here, a little bit here, and hopefully we catch them, right? That's kind of what you want to look at.
00:32:09So there are different types of vulnerability assessment. There's an active assessment, which uses a network
00:32:13scanner to find hosts, services and vulnerabilities. So this is a thing that's been pre-programmed with
00:32:18all of the known vulnerabilities today for all the known programs today, and it's going to go out and
00:32:22just trawl your network and look for these vulnerabilities. And then we have a passive assessment. It's a
00:32:28technique used to sniff the network traffic to find out the active systems, network services, applications
00:32:34and vulnerabilities present. So you may not have a list of all the machines on your network; this thing
00:32:38will listen to the traffic and figure out who's talking and when. But what if you have a couple of
00:32:43zombie machines there that aren't doing anything, which is the definition of a zombie machine, right?
00:32:47It's just not doing anything, there's no active communication, so maybe your passive assessment missed
00:32:52that computer altogether. So there's no replacement for knowing your network. But what if you don't?
00:33:00There's no way to know your network because it's huge, you just started last week, and now you've been
00:33:05told to go do an assessment on this network, but nobody knows what the footprint is.
00:33:09So you've got to go scan, you've got to work with the operations team and figure out what the inventory
00:33:17is and what they know about, and stuff like that, and just start building lists. And then we have host
00:33:23based assessments, which determine the vulnerabilities in a specific workstation or server. So we have the
00:33:31host based version versus a network based one. And then you have internal assessments, a technique used to scan the
00:33:37internal infrastructure to find out the exploits and vulnerabilities. So really you want to find out
00:33:46what vulnerabilities exist, and then you go look up: are there exploits for these vulnerabilities? If there
00:33:51are, those need to be fixed right away because those are known. And then external assessments address the
00:33:58network from a hacker's point of view to find out what exploits and vulnerabilities are accessible to the
00:34:04outside world. So this is literally what's exposed to the outside world. Now a lot of organizations will
00:34:11just go and say, oh well, that's internal, we're going to focus on the external. Well, that's a big problem,
00:34:16because it's not that difficult to break into an org; there are a lot of ways to do it, right? We talked
00:34:22about phishing earlier; that's just one. So there's no one-stop shop that fixes all; you need to do a balance of
00:34:31all these different techniques and kind of spread your security in depth, right? Don't discount the
00:34:36internal systems. If you want to prioritize the external versus internal, that's fine, we all have
00:34:41limited resources and budgets, but don't forget the internal. So application assessments test the web
00:34:48server's infrastructure for misconfigurations and known vulnerabilities. You need to be constantly scanning
00:34:53for these things, right? Some organizations push new software updates constantly, so you need
00:35:00to be constantly checking to make sure the configuration is still intact, they didn't miss
00:35:04something, they didn't push something out in debug mode or something like that. Network assessments
00:35:09determine the possible network security attacks that may occur on the organization's systems, and then
00:35:15wireless network assessments determine the vulnerabilities in the organization's wireless networks.
00:35:21So this is a big one as well, because people can be sitting in the parking lot and still accessing your
00:35:26network. The Home Depot and Target breaches occurred because of some flaws in their wireless.
00:35:56Network vulnerability assessment methodology. So we have a methodology here; we have phases one, two and
00:36:03three. So one is acquisition: collect documents required to review laws and procedures related to network
00:36:09vulnerability assessment. So this is a vulnerability assessment methodology, right? So this is how to
00:36:16conduct an assessment. So we're going to collect documents required to review laws and procedures for this
00:36:22organization; maybe they're susceptible to, or required to adhere to, PCI, you know, this kind of thing,
00:36:27so they need to follow these rules, which means you as the tester or assessor, or someone on
00:36:32your team, needs to understand those laws and regulations, for example PCI. And then you want to identify
00:36:38and review documents related to network security. You want to review the list of previously discovered vulnerabilities:
00:36:45what was found before, did they fix it, is it back? That's acquisition, and then we move on to phase two,
00:36:51identification. So we want to conduct interviews with customers and employees (good luck, no one will let you do this)
00:36:58involved in system architecture design and administration. So rarely will you have a chance to do that;
00:37:03maybe on the phone with the guy that you're talking to, maybe you can get some of this information.
00:37:09You want to gather technical information about all network components; again, you're going to do that
00:37:14electronically, you're going to do discovery scanning, that kind of thing. You want to identify different industry
00:37:20standards which network security systems comply with. So what industry standards are they trying to adhere
00:37:27to, and then you want to test against that as well, find out what they missed. And then phase three,
00:37:32analyzing: you want to review the interviews, analyze the results of previous vulnerability assessments,
00:37:38analyze security vulnerabilities and identify risks, perform threat and risk analysis, analyze the
00:37:43effectiveness of existing security controls. In other words, we found a vulnerability, there is an exploit for
00:37:49it, were we able to successfully launch that exploit, or did something take care of it? That's what they're
00:37:55getting at here. And then analyze the effectiveness of existing security policies: are they following their
00:38:01policies, did they react accordingly, they saw my scans, what did they do?
00:38:07Phase four, evaluation: determine the probability of exploitation of identified vulnerabilities. So you need to
00:38:14figure out how they want to consume that, what calculation models are they using, that kind of thing, or you're
00:38:20going to need to create one for them. Identify the gaps in existing and required security measures; so are
00:38:26there gaps? You want to do the gap assessment, right? And then determine the controls required to mitigate identified
00:38:31vulnerabilities. So you've got some vulnerabilities; what do they need to do to prevent it? What's the cheapest thing, the
00:38:38path of least resistance they need to follow to get that thing remedied?
00:38:42Then you want to identify upgrades required to the network vulnerability assessment process. So what do
00:38:47they need to do to prevent some of this stuff in the future, right? That's what they're getting at there.
00:38:52And then phase five, generating reports: the results of analysis must be presented in a draft report to be
00:38:58evaluated for further variations. The report should contain tasks rendered by each team member, methods used and findings.
00:39:06They're going to want proof of this, and you need to keep proof of this, because if you're the one doing this and the network is
00:39:11breached at the same time, they're going to blame you, so you'd better have a CYA in place of everything
00:39:18you did, so that you can say, hey, that wasn't me, here are the screenshots of the machines I was in, this
00:39:22is what I was doing at that time. But they're going to be very suspicious of you, so you'd better be able
00:39:27to back up what you did. Don't go, oh yeah, that wasn't me, and not have any screenshots or anything like
00:39:32that; they're not going to believe you. That's happened to people that I know. So, terms and
00:39:39their definitions: if something's not an industry standard term for those people, like IT for
00:39:44example, then you need to put it in your book. Make sure you define all the stuff that you're discussing,
00:39:49make sure it's clear, so that there are no ambiguities, everything's clearly understood,
00:39:55clearly defined. Information collected from all the phases: this is very important, you have to include
00:40:00all of that in the report. They're going to want to see this for two reasons: one,
00:40:05we're CYAing, right, cover your butt, and then the other thing is so that they know you did the work.
00:40:13What if this guy, I just paid him a whole bunch of money to scan my network, but he didn't do
00:40:17anything, he never set foot in my place, this guy is in China, how do I know he did this work? Well,
00:40:22here, he did, here's the work he did. And then all documents must be stored in a central database for
00:40:27generating the final report. So you want to have all of your information in one place, which is
00:40:32incredibly important because it needs to be encrypted. This is very sensitive information;
00:40:37treat it accordingly. If you've never worked with classified data, this is it: treat it like
00:40:42classified data. It's very, very sensitive. Store it encrypted, keep it password protected, don't leave
00:40:48the repo open unless you're actively using it, because the keys are in memory, so people can steal this
00:40:54stuff. You don't have millions of dollars of protection on your network, so make sure you
00:40:59keep this data safe. If there's a problem and this is leaked, it'll be bad news for you.
00:41:24So, vulnerability research: the process of discovering vulnerabilities and design flaws that will open an
00:41:37operating system and applications to attack or misuse. So vulnerabilities are classified based on
00:41:44security level (low, medium or high) and exploit range (local or remote): do I need to be on the system or remote to
00:41:52the system? So an administrator needs vulnerability research to gather information about security
00:42:00trends, threats and attacks. Then they want to go and find weaknesses and alert the network administrator
00:42:06before a network attack, hopefully. You want to get information that helps to prevent the security problem,
00:42:12and then learn how to recover from a network attack, so that you have a good holistic program.
00:42:18You're trying to prevent stuff from the front end; in the event that something does happen, and something will
00:42:23happen, you have a way to mitigate the threats. So, vulnerability research websites: where can we find
00:42:30information? So I'm going to tell you right now, most of the stuff in these slides, they just updated this
00:42:35deck, but most of this stuff is old, so don't trust only these sites, do your own research. So we have the Code Red
00:42:42Center, Microsoft Vulnerability Research, Security Magazine, SecurityFocus, Help Net Security, Hacker
00:42:48Storm, SC Magazine, Computerworld, Hacker Journals, WindowsSecurity. This is a drop in the bucket; there are a
00:42:54thousand good reads out there, and you need to be checking them every day. I warned you already to become a
00:43:00doctor, but you said no, and now you're subject to learning every day just like you would be, or you're going to be
00:43:07studying more than a doctor would be. So, penetration testing: we have a couple of different things
00:43:16we're going to talk about here, so let's dive in. Penetration testing is a method of evaluating the
00:43:19security of an information system or network by simulating an attack to find out vulnerabilities
00:43:24an attacker could exploit. So, yes and no; that's kind of what you do in a nutshell. It's definitely one
00:43:32piece; one piece is a vulnerability scan, but you scan for vulnerabilities that you may know about, looking
00:43:39for an easy way in. Do I have a boxed exploit that I can take off the shelf and just fire at this network,
00:43:45or do I need to come up with one of my own? And then you look at the security measures: are they
00:43:50actively analyzed for design weaknesses, technical flaws and vulnerabilities? So is their security posture
00:43:56proper, are they properly protecting things, can they detect what I'm doing? A penetration test will
00:44:02not only point out vulnerabilities, but it will also document how the weaknesses can be exploited,
00:44:08okay? And then the results are delivered comprehensively in a report to executive
00:44:12management and technical audiences. Okay, that's fine for the test, but that's not what happens in real life;
00:44:18you need to go in and do all kinds of additional work. As far as simulating an attack, yes; to find out
00:44:24vulnerabilities, yes, that's true, that an attacker could exploit, but it's more than just a
00:44:30vulnerability scan. Don't mistake that for what that means, okay? It's a lot more than that,
00:44:37and you're trying to exercise the controls; you want to tickle those controls that they have on the
00:44:40back end and make sure that they're going off, okay? One of the reasons they're going to ask you, to say,
00:44:48okay, you're going to do a pen test or a security assessment, whatever it is, whatever kind of test
00:44:52you're performing, they're going to say, what IP address are you coming from? One of the reasons they
00:44:57need to know that is twofold: one, if you start attacking the systems, they know that it's not
00:45:02a real attack, but also so that they don't blacklist your IP. They're going to whitelist you and let you
00:45:08attack their systems; they're going to let you keep going, okay? So, why penetration testing? So: identify
00:45:16the threats facing an organization's information assets; reduce an organization's expenditure on IT
00:45:22security and enhance return on security investment by identifying and remedying, or
00:45:27remediating, vulnerabilities or weaknesses; provide assurance with a comprehensive assessment of an
00:45:34organization's security, including policies, procedures, design and implementation. So you're providing
00:45:40assurance that everything's working properly; you're going to tickle those controls and make sure that they
00:45:44are firing off. And you're going to gain and maintain certification to an industry regulation:
00:45:51make sure that they're adhering to whatever controls they're trying to adhere to, right?
00:45:54Whatever HIPAA controls are in place, that kind of thing. They might not be subject to all of the
00:45:59HIPAA controls, they might only need to adhere to five; same for PCI. Whatever it is they're trying to
00:46:03adhere to, you should be checking. So one of the questions you ask, why do you want a pen test, it's
00:46:09one of the very first questions you ask. Well, we're trying to adhere to HIPAA, you know, controls A through Z.
00:46:15Okay, you want to adhere to all the HIPAA controls, got it. So your report should be
00:46:20kind of honed to show what they are or are not adhering to with respect to HIPAA. You might want to
00:46:26focus on that because that's the point of the test, and you need to discuss that: what do you need out of
00:46:32the report? And then they may say, well, we don't want to tell you that, just give us a report,
00:46:37you know, go do your thing and let us know what you're finding. You'd be like, okay, well, that's
00:46:40fine, I'll do that.
00:46:54So then you want to adopt the best practices and compliance to legal and industry regulations,
00:47:12right? So whatever HIPAA says you need to do, by best practices you should be checking for at least that
00:47:17stuff, plus probably a lot more. Just adhering to PCI will not keep you safe; most people know this. Most
00:47:23people set up the controls to adhere to the rules instead of security, and there are two very
00:47:31separate trains of thought, and the protections that they put in place are completely
00:47:38different. So, you know, security for checkboxing a set of requirements is one thing;
00:47:49security for security is a completely separate thing. You'll see that when you're conducting your
00:47:55tests. So, for testing and validating the efficiency of security protection and controls: again, we're
00:48:00seeing this over and over and over; we want to tickle those controls and make sure that they're going off,
00:48:04that they're reporting properly, did everyone see this happening? And then for changing and upgrading
00:48:10existing infrastructure or software, hardware or network design: so if you're going to change something,
00:48:15you might want to do a follow-up test instead of a full-blown test. Maybe you just had one done
00:48:20early in the year, and you can say, hey Johnny, I know you guys just did that test for us, can you
00:48:25come back and do a follow-on, we had some upgrades? And it might be cheaper instead
00:48:29of redoing the whole entire test; you've already got a relationship with them, they've already got
00:48:34information on you, stuff like that. You can give them the information that they gave you in the report,
00:48:39and they can just go back and hit the highlights. It can be very cost effective.
00:48:43And then you want to focus on high severity vulnerabilities and emphasize application
00:48:47level security issues to development teams and management. So we're testing firewalls, we're testing
00:48:53infrastructure, load balancers, this kind of thing, and then we're actually testing applications as well.
00:49:00A lot of times a request may be only to test an application: we don't care about our infrastructure, we test
00:49:05that all the time, we know what the security posture is for that, just test our application.
00:49:11So you may need the proper tools for that application. You know, there are programs
00:49:16out there that are open source; you can do, like, BuiltWith: what is this application built with?
00:49:22So you can stick this tool on it, you feed it the URL, and it'll go and analyze it and tell you it's using,
00:49:28you know, PHP, it's using this version, it's using a MariaDB database, you know, whatever it is. It'll tell
00:49:34you what the network stack is, the full stack, as much as it can detect about the application.
00:49:43So you can glean a lot of information with BuiltWith, B-U-I-L-T-W-I-T-H; it gives you a lot of information.
00:49:50That's just one example; there are many out there. So you go and evaluate the application, you figure out
00:49:56what's weak about it. Say, you know, this thing's really susceptible to SQL injection, I suggest you put a
00:50:01WAF in front of it, a web application firewall, to filter out any SQL injection attacks until you can
00:50:07fix it in the software itself, which is typically a major change. Then you want to provide a comprehensive
00:50:14approach of preparation steps that can be taken to prevent upcoming exploitation: hey, this is
00:50:20exploitable, here's the solution. Usually you're just going to copy and paste the solution that you
00:50:24found with the vulnerability, right? Evaluate the efficiency of network security devices such as
00:50:29firewalls, routers and web servers.
00:50:36And then we want to compare security audit, vulnerability assessments
00:50:45and penetration testing. So what is the difference between the three? Okay, a security
00:50:50audit just checks whether the organization is following a set of standard policies and procedures.
00:50:54A security audit: if I were you and someone says, hey, I want you to conduct a security audit, you need
00:51:01to go through the definition with them, because a lot of people get these mixed up all the time.
00:51:06So make sure you're clear about this with the customer before you jump in. A vulnerability assessment:
00:51:13a vulnerability assessment focuses on discovering the vulnerabilities in the information
00:51:18system, but provides no indication of the vulnerabilities that can be exploited or the amount of damage that may
00:51:24result from the successful exploitation of a vulnerability. You won't know that anyway; they know their own
00:51:29server, so you have to work with them to figure out what the impacts of a successful exploit are,
00:51:36unless you're doing the exploitation yourself, which is the penetration test, right? And penetration
00:51:41testing is a methodological approach to security assessments that encompasses the security audit
00:51:48and vulnerability assessment, and demonstrates if the vulnerabilities on a system can be successfully exploited by
00:51:53attackers and what's available to them in the event the system was exploited. So there you go, that's
00:52:00it, soup to nuts. So a good security assessment may comprise all this stuff, or it may comprise only two parts,
00:52:08so you need to get clear definitions of what the client expectations are when you go to conduct a pen test,
00:52:13or if you're going to order one, these are things that the assessor should be asking you.
00:52:43Blue teaming and red teaming. So blue teaming, what is blue teaming? An approach where a set of security
00:52:49responders performs analysis of information systems to assess the adequacy and efficiency of its security
00:52:56controls. The blue team has access to all the organizational resources and information. The primary role is to
00:53:04detect and mitigate red team or attackers' activities, to anticipate how surprise attacks might occur
00:53:13and how they would impact their network. So the blue team is the defenders, the red team are the attackers.
00:53:20So the red team, or the attacking team, is an approach where a team of ethical hackers performs penetration
00:53:26tests on an information system with no or very limited access to an
00:53:32organization's internal resources. So they're just going to attack; they may or may not know anything about
00:53:37the network, they might have limited information. It may be conducted with or without
00:53:43warning. It is proposed to detect network and system vulnerabilities and check security from an
00:53:51attacker's perspective approach to network, system or information access. So they're going to go and
00:53:57probably scan your DNS and then start from that, so you can kind of see how the attack will spread.
00:54:02So it'll give you a good exercise in how your company can respond to an attack, right? So blue teaming
00:54:11and red teaming, that's what this is about.
00:54:15so types of penetration testing we have a black box white box and a gray box so we discussed some of
00:54:21these earlier and we talked about how we had the hard hat and stuff like that so this is specific to
00:54:26penetration testing so we only have three black box white box gray box what's the difference black box you
00:54:31have no knowledge of the network you're just given one url of the company and they tell you go to town
00:54:37so this is common this you're commonly going to conduct a black box testing of the network
00:54:42and you're blind testing and double blind testing so you may not know anything about the network so
00:54:47white box you have complete knowledge of the infrastructure that infrastructure that needs to be
00:54:51tested they may provide you with engineering diagrams and so on and so forth and then a gray box test of the
00:54:58infrastructure you have limited knowledge of the network so they may give you some information
00:55:04like ips and a url something like that they may give you um a specific sub url on a server you know
00:55:13stuff like that so the phases of penetration testing what are the phases of penetration testing you have
00:55:21a pre-attack phase you have an attack phase and then a post-attack phase and all of these are incredibly
00:55:27important to understand so the pre-attack phase you want to plan and prep and prepare you have a
00:55:33methodology of designing the attack and you want to get network information gathering so you want to
00:55:38know what kind of systems you're going to attack and you want to tool accordingly and then you start
00:55:43your attack phase so you gather all the information that you know you know you're going to be attacking
00:55:48you know linux systems only so then we go on and we start firing off all of our exploits for
00:55:52that that we've gathered in the pre-attack phase and then you want to penetrate the perimeter you want
00:55:57to acquire targets you want to escalate privileges wherever possible you want execution implantation
00:56:03and retracting right so you want to execute you want to implant something on the server some kind of
00:56:08backdoor remote access and then you want to retract that when you're done and then you want to report
00:56:14clean up and artifact destruction so you want to destroy anything that you're not supposed to keep
00:56:18after you've socialized it to the customer but you should keep this for a while in case there are
00:56:23questions about what happened which is very common so you don't you don't want to destroy everything
00:56:30but we did talk about that you need to encrypt everything heavily right
00:56:33don't mess around with that make sure you're keeping all of your drives heavily encrypted
00:56:38security testing methodology this is going to you're going to see some test questions from this for
00:56:44sure as well as this and this the types of penetration testing the phases of penetration testing
00:56:50you know what goes on and what phase what phase is reporting in it's going to be and the post attack
00:56:55phase right so a security testing or pin testing methodology refers to a methodology methodological
00:57:02approach to discover and verify vulnerabilities in the security mechanism of an information system so
00:57:10okay thus enabling administrators to apply appropriate security controls to protect critical data and
00:57:15business functions you might find something that they missed so that's kind of the point so examples
00:57:21of security testing methodologies all of these you should know every single one of these you should know
00:57:26probably more of them than this right so OWASP the open web application security project or OWASP is an
00:57:33open source application security project that assists the organization
00:57:37application to purchase develop and maintain software tools software applications and knowledge-based
00:57:44documentation for web application security so this deals with mostly web application security full
00:57:51stack web application security what does full stack means full stack means has a web server has a php
00:57:58database or maria database or i'm sorry my sequel or maria database it might have some add-on
00:58:05applications it might have web services it might have a python stack in there doing some work it might
00:58:12have some cgi scripts you know that's the stack of stuff that you're using and then the osstmm the open
00:58:19source security testing methodology manual osstmm open source security testing methodology manual is a
00:58:26peer-reviewed methodology for performing high quality security tests such as methodology tests
00:58:34uh data controls fraud and social engineering uh control levels computer networks wireless devices
00:58:42mobile devices physical security access controls and various security processes you should review both
00:58:48of these at a bare minimum before you conduct any kind of an assessment make sure that you're following
00:58:54something like this and then the isaf information security uh system information system security
00:59:00assessment framework is an open source project aimed to provide a security assistance for professionals
00:59:08the mission of isaf is to research develop publish and promote a complete set of practical
00:59:15generally accepted information security system assessment framework okay so all of these have a lot of
00:59:23people's input so they're going to be pretty comprehensive and they're going to be pretty good and well
00:59:28uh received on the other end so the ec council also has an lpt methodology the lpt methodology is an
00:59:35industry extended uh industry accepted comprehensive information security auditing framework so the lpt methodology
00:59:53 so the pen testing methodology, what is it? So we're going to gather information, we're going to go over
01:00:14 vulnerability analysis, or we're going to conduct a vulnerability analysis. We're going to have external
01:00:17 pen testing, we're going to have internal network pen testing, where we're going around and bouncing around the internal
01:00:22 network. Firewall pen testing, so we're going to test the firewall rules and configurations and see if
01:00:28 we're allowing malware through. Can I get to any IP that I want? So on and so forth.
01:00:34 We're going to test the IDS and we're going to see if we can penetrate that, if we overload it, if we're just...
01:00:39 is it logging everything that we're doing? So on, so forth. We want to perform password cracking and
01:00:44 penetration testing on whatever passwords they're going to give us or that we can steal,
01:00:48 and then social engineering penetration testing; we're going to perform some phishing, maybe.
01:00:53 And then web application penetration testing; we're going to go after the web apps themselves.
01:00:58 We may look for some SQL databases and try to get into those, or is it acceptable to do
01:01:04 structured query language attacks like SQL injection. Router and switch testing, wireless network testing,
01:01:11 denial of service testing, which very rarely will people let you do, very, incredibly rarely will they
01:01:17 let you do that. Then we're going to see how they handle stolen laptops, PDAs, cell phones, that kind
01:01:23 of thing. Source code penetration testing, so we're going to go over the source code and analyze that
01:01:28 in a methodological way, like for example static analysis. And then we have physical security
01:01:33 penetration testing, like lock picking and that kind of thing. Do people notice that I'm picking a lock in
01:01:38 broad daylight? What happens if I pick a lock? Does the alarm go off? You know, that kind of thing.
01:01:44 Then we have security camera pen testing: can they see my face, can they see my license plate, are the
01:01:51 cameras focused properly? That's a whole separate class on that alone. And then database pen testing,
01:01:58 so we talked about that earlier with SQL injection. This is going to be: I steal a table, did they notice
01:02:02 that I stole the table? VoIP pen testing, so we talked about this earlier that snooping VoIP traffic
01:02:10 is considered wiretapping, and we have to be very careful what we do in VoIP penetration testing.
01:02:16 Then we also have virtual private network pen testing, or VPN pen testing. Cloud penetration testing:
01:02:21 what's the difference between what we normally do in the cloud, right? Virtual machine pen testing. War
01:02:26 dialing, we talked about that, dialing random phone numbers. If the company is located in area
01:02:32 code 305, maybe we dial every 305 area code number, right, and see how many modems we get. Remember,
01:02:40 that is not exactly legal, you may generate a lot of complaints doing that kind of thing, so be careful
01:02:45 with that too. Plus it's annoying to people, so be responsible with the war dialing that you're doing.
01:02:51 Virus and trojan detection. Log management penetration testing, so what happens if I get into the logs, do
01:02:57 they detect it? What if I change something, is it detected? Then along those same lines we get into file
01:03:03 integrity checking. Do they have Tripwire, things like this? Are they detecting that I'm messing around with
01:03:08 these files? I changed something, did they detect it, or did it get socialized all the way up?
01:03:13 Mobile devices penetration testing, so what happens if I taint a phone? What happens if I bring my own
01:03:19 phone in the building? What happens, can I get on their LAN? Can I ping from my cell phone? Do they detect
01:03:24 this kind of thing? Telecom and broadband pen testing, so we want to test their actual data providers. Email
01:03:33 security penetration testing, so we talked about phishing and things of that nature. Security
01:03:38 patches penetration testing. So with email security penetration testing, maybe you send a virus in an
01:03:42 email, do they get it? Like EICAR, E-I-C-A-R, it's a free virus you can get and use for testing. And then
01:03:51 security patches penetration testing: are they applying the proper patches, are the patches legit?
01:03:57 So there's some malware out there that will fake that the systems are patched at a certain level,
01:04:02 so a pen test will catch that they are not patched at that certain level. Data leakage penetration testing:
01:04:08 what happens if I start sending out W-2 data off the network, or social security numbers, or
01:04:14 credit card numbers through the network from the inside out, is it detected? And then SAP penetration
01:04:21 testing, so you want to test their SAP applications and things like that.
01:04:27 So the next module flow will be information security laws and standards.
01:04:32 So PCI Data Security Standard, so the Payment Card Industry Data Security Standard, PCI DSS. If you
01:04:39 don't know that acronym you need to know it, commit it to memory, know it backwards and forwards.
01:04:44 The Payment Card Industry Data Security Standard is a proprietary information security standard for
01:04:49 organizations that handle cardholder information for the major debit, credit, prepaid,
01:04:54 e-purse, ATM and point of sale cards. PCI DSS applies to all entities involved in the payment card processing,
01:05:05 including merchants, processors, acquirers, issuers and service providers, as well as all other entities that
01:05:12 store, process, transmit cardholder data. High-level overview of the PCI DSS requirements, developed and
01:05:19 maintained by the PCI CSS or DSS council. So what is that? The PCI Data Security Standard high-level overview:
01:05:28 build and maintain a secure network, implement strong access control measures, protect cardholder data,
01:05:35 regularly monitor and test networks, maintain a vulnerability management program and maintain an
01:05:40 information security policy. So these are just a few things that you need to do. Also we talked about,
01:05:45 most people will implement PCI DSS just to adhere. There's a huge difference between implementing PCI DSS because you care about security and you really want to harden the network
01:05:58 versus just trying to comply. There's a huge disparity between the two, and that is why most payment card industry
01:06:04 providers are breached, because they do it just to adhere, the check boxes. So there's a lot of loopholes for them; if they want to exploit them, they can.
01:06:13 So they're cheating them, you, and making more security problems on the network than there needs to be.
01:06:21 So just keep that in mind that when you test this kind of thing, don't assume that they've done it properly;
01:06:26 assume that they have not, and try to get them to do it properly. So bring those things to their
01:06:33 knowledge, you know, make them aware that you're doing it for check boxing, not for real security implementation.
01:06:40 Like I said, there's a huge disparity between the two.
01:06:44 So ISO/IEC 27001:2013, so obviously this was updated.
01:06:50 It specifies the requirements for establishing... okay, so this is also a test question;
01:06:56 also you'll see some questions about the PCI DSS as well.
01:07:00 The ISO/IEC 27001:2013 specifies the requirements for establishing,
01:07:06 implementing, maintaining and continually improving an information security management system
01:07:11 within the context of the organization. It is intended to be suitable for several different
01:07:15 types of use, including the following: use with organizations to formulate security requirements
01:07:20 and objectives; use within organizations as a way to ensure that the security risks are
01:07:28 cost-effectively managed; use within organizations to ensure compliance with laws and regulation,
01:07:33 and the definition of new information security management processes, so they're going to define
01:07:38 them; and then identification and clarification of existing information security management processes;
01:07:44 use by management of organizations to determine the status of information security management
01:07:49 activities and implementation of business-enabling information security; use by organizations to provide
01:07:56 relevant information about information security to customers. So this is a very broad standard, right?
01:08:03 It's a lot of stuff.