Security of Networks, Systems, Applications and Data

Network Security

  Network management
    - Fault management
    - Configuration management
    - Accounting management
    - Performance management
    - Security management

  Components
    - Repeaters
    - Hub
    - Layer 2 switches
    - Routers
    - Layer 3 and Layer 4 switches
    - Layer 4-7 switches

  LAN
    - LAN/WAN security
    - NAC (Network Access Control)
    - LAN risks and issues
    - WLAN (Wireless Local Area Network)
    - Wireless network protections

  Ports and protocols
    - Port numbers

  VPN
    - Tunneling
    - PPTP
    - L2TP
    - Secure Socket Layer (SSL) VPN
    - IPSec VPN

  Voice over Internet Protocol (VoIP)

Remote Access

  Risks
    - DoS
    - Malicious third parties
    - Misconfigured communication software
    - Misconfigured devices on the corporate computing infrastructure
    - Host systems not secured appropriately
    - Physical security issues with remote users' computers

  Controls include
    - Policies and standards
    - Proper authorizations
    - Identification and authentication mechanisms
    - Encryption tools and techniques, such as use of a VPN
    - Restricting access to control systems, networks and applications

System/Platform Hardening
  - Authentication and authorization
  - File system permissions
  - Access privileges
  - Logging and system monitoring
  - System services
  - Configuration restrictions
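Two of the hardening items above, file system permissions and access privileges, are the kind of thing a platform review checks mechanically rather than by eye. The following is an added example, not part of the study outline or any ISACA material: a Python script that builds a small constructed directory tree with deliberate weaknesses and then scans it for world-writable paths, set-UID/set-GID executables and world-readable credential files. The directory layout, the file names and the SENSITIVE_NAMES list are assumptions made for the demo.

```python
"""Hardening check: find weak file-system permissions under a directory tree.

Added example, not part of the original study outline. It builds a constructed
directory tree in a temp dir, then scans it for the findings a platform-hardening
review looks for: world-writable files and directories (without the sticky bit),
set-UID/set-GID executables, and world-readable files that look like credentials.
"""
import os
import stat
import tempfile

# Hypothetical file names that suggest a file holds credentials (exact basename match).
SENSITIVE_NAMES = ("id_rsa", ".env", "shadow", ".pgpass", "credentials")


def check_mode(path, mode):
    """Return the list of findings for one path given its st_mode (empty if fine)."""
    findings = []
    is_dir = stat.S_ISDIR(mode)
    if mode & stat.S_IWOTH:
        # A world-writable directory is acceptable only with the sticky bit set (like /tmp).
        if not (is_dir and mode & stat.S_ISVTX):
            findings.append("world-writable")
    if not is_dir and mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid/setgid")
    if not is_dir and mode & stat.S_IROTH and os.path.basename(path) in SENSITIVE_NAMES:
        findings.append("world-readable credential file")
    return findings


def scan_tree(root):
    """Walk root and return {relative_path: [findings]} for every weak entry."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are meaningless; its target is judged on its own
            findings = check_mode(full, st.st_mode)
            if findings:
                results[os.path.relpath(full, root)] = findings
    return results


def build_sample_tree():
    """Create a constructed tree with deliberate weaknesses; return its root path."""
    root = tempfile.mkdtemp(prefix="hardening-demo-")
    for d in ("bin", "etc", "tmp", "dropbox"):
        os.mkdir(os.path.join(root, d))
    files = {
        "bin/backup": 0o4755,        # set-UID executable: flagged
        "bin/ls": 0o755,             # normal executable: fine
        "etc/shadow": 0o644,         # credential file readable by everyone: flagged
        "etc/hosts": 0o644,          # world-readable but not sensitive: fine
        "dropbox/notes.txt": 0o666,  # world-writable file: flagged
    }
    for rel, mode in files.items():
        full = os.path.join(root, rel)
        with open(full, "w") as f:
            f.write("sample\n")
        os.chmod(full, mode)
    os.chmod(os.path.join(root, "tmp"), 0o1777)     # world-writable with sticky bit: allowed
    os.chmod(os.path.join(root, "dropbox"), 0o777)  # world-writable without sticky bit: flagged
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, findings in sorted(scan_tree(root).items()):
        print(f"{rel}: {', '.join(findings)}")
```

Pointing scan_tree at a real root (for example /etc or an application's install directory) turns it into a quick hardening audit; the sticky-bit exception and the SENSITIVE_NAMES list are where a real policy would be tuned.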

Operating System Security
  - System/platform hardening
  - Modes of operation
  - File system permissions
  - Credentials and privileges
  - Command line knowledge
  - Virtualization
  - Specialized systems

Risk

  Risk analysis
    - What is risk?
    - Asset
    - Threat
    - Vulnerability (what is a vulnerability?)
    - Evaluating security controls
    - Risk assessment success criteria
    - What does a cyberrisk assessment include?

  Managing risk
    - Risk reduction
    - Risk avoidance
    - Risk transfer or sharing
    - Risk acceptance

  Examples of technical controls
    - Firewalls
    - Encryption programs
    - Anti-malware programs
    - Spyware detection/removal programs
    - Biometric authentication

Process Controls

  Risk assessments
    - Using the results of the risk assessment

  Vulnerability management
    - Vulnerability scan
    - Vulnerability assessment (Figure 4.5)
    - Remediation
    - Reporting and metrics
    - Includes the application control process
    - Types of vulnerability: technical, organizational, emergent

  Penetration testing
    - What does penetration testing do?
        - Identify how specific vulnerabilities expose IT resources and assets
        - Confirm exposures
        - Assess the level of effectiveness and quality of existing security controls
        - Ensure compliance
    - What conditions must be met before penetration testing?
    - Penetration testing frameworks
        - PCI Penetration Testing Guide
        - PTES (Penetration Testing Execution Standard)
        - ISSAF (Information Systems Security Assessment Framework)
        - OSSTMM (Open Source Security Testing Methodology Manual)
    - Penetration tester
    - Common phases (Figure 4.7): planning, discovery, attack, reporting

System Development Life Cycle (SDLC)
  - IT processes for managing and controlling project activity
  - An objective for each phase of the life cycle that is typically described with key deliverables, a description of recommended tasks and a summary of related control objectives for effective management
  - Incremental steps or deliverables that lay the foundation for the next phase

  Security within the SDLC
    - SDLC phases: requirements, design, testing
    - Testing includes
        - Verification and validation that a program, subsystem or application and the designed security controls perform the functions for which they have been designed
        - Determination of whether the units being tested operate without any malfunction or adverse effect on other components of the system
        - A variety of development methodologies and organizational requirements to provide for a large range of testing schemes or levels
    - Separation of development, testing and production environments

Application Security
  - Reduce application security risk (OWASP)
      - Define application security requirements.
      - Use good application security architecture practices from the start of the application design.
      - Build strong and usable security controls.
      - Integrate security into the development life cycle.
      - Stay current on application vulnerabilities.
  - OWASP Top 10
  - Application security review process
  - Agile development

Development and IT Operations (DevOps)

  Benefits
    - Reduced time to market
    - Faster return on investment
    - High performance
    - Increased quality
    - Customer satisfaction
    - Reduced IT waste
    - Improved supplier and business partner performance
    - Reduction of the human factor threat

  Challenges
    - Misconception about what DevOps means
    - Belief that DevOps is not concerned with compliance and security
    - Need for automation
    - Lack of skills
    - Organizational culture
    - Fear of change
    - Silo mentality

Additional Threats
  - Covert channel
  - Race condition
  - Return-oriented programming attack
  - Steganography
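The race condition listed above is easiest to see in its classic time-of-check/time-of-use (TOCTOU) form, where a program checks a file path and then uses it as two separate system calls. The following is an added example, not part of the study outline: Python code with a vulnerable check-then-use writer beside a hardened writer that lets the kernel refuse symlinks inside the open call itself. The attacker is simulated by a callback that runs between the check and the use so the race is lost deterministically; in a real attack another process does the swap in that window. The file names are constructed, and the hardened version relies on POSIX O_NOFOLLOW (Linux, macOS).

```python
"""Race condition (TOCTOU) on a file path: check-then-use versus an atomic open.

Added example, not part of the original study outline. The attacker is simulated
by a callback invoked between the check and the use, so the race is lost
deterministically; in a real attack another process does the swap in the window
between the two system calls. Relies on POSIX O_NOFOLLOW (Linux, macOS); all paths
are constructed inside a temp directory.
"""
import errno
import os
import tempfile


def vulnerable_write(path, data, between_check_and_use=lambda: None):
    """Refuses symlinks, but the check and the use are two separate system calls."""
    if os.path.islink(path):                 # time of check
        return "refused"
    between_check_and_use()                  # the race window: attacker swaps the path here
    with open(path, "w") as f:               # time of use: follows whatever is there now
        f.write(data)
    return "written"


def hardened_write(path, data, between_check_and_use=lambda: None):
    """Has the kernel refuse symlinks inside the open itself, so there is no window."""
    between_check_and_use()                  # attacker may act first; it no longer matters
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o600)     # least-privilege mode if the file is created
    except OSError as e:
        if e.errno == errno.ELOOP:           # final path component is a symlink: refused
            return "refused"
        raise
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return "written"


def run_scenario(writer, attack=True):
    """Set up a target file and a victim file; return (result, victim contents).

    With attack=True the attacker replaces the target with a symlink to the victim
    during the race window; the victim's contents afterwards show who won.
    """
    workdir = tempfile.mkdtemp(prefix="toctou-demo-")
    target = os.path.join(workdir, "report.txt")
    victim = os.path.join(workdir, "victim.conf")
    with open(victim, "w") as f:
        f.write("original\n")
    with open(target, "w") as f:             # an ordinary file at time of check
        f.write("")

    def attacker():
        os.remove(target)
        os.symlink(victim, target)

    result = writer(target, "pwned\n",
                    between_check_and_use=attacker if attack else (lambda: None))
    with open(victim) as f:
        return result, f.read()


if __name__ == "__main__":
    print("vulnerable:", run_scenario(vulnerable_write))   # ('written', 'pwned\n')
    print("hardened:  ", run_scenario(hardened_write))     # ('refused', 'original\n')
```

The lesson generalizes beyond symlinks: any "is it safe? then do it" pair over shared state (a file, a database row, a balance) is racy unless the check is part of the same atomic operation as the use, which here means opening with O_NOFOLLOW (and, in practice, not writing into directories an attacker can control at all).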

Data Security

  Data classification

  Data security considerations (Figure 4.14)
    - Access and authentication
    - Confidentiality
    - Privacy
    - Availability
    - Ownership and distribution
    - Integrity
    - Data retention
    - Auditability

  Data owner

  Data lifecycle (Figure 4.15)

  Risks data is vulnerable to
    - Unauthorized activity by authorized users
    - Malware infections or interactions
    - Capacity issues
    - Physical damage
    - Design flaws
    - Data corruption

  Database-level controls
    - Authentication and authorization of access
    - Access controls limiting or controlling the type of data that can be accessed and what types of access are allowed (such as read-only, read and write, or delete)
    - Logging and other transactional monitoring
    - Encryption and integrity controls
    - Backup

  Database security is provided through the following
    - Encryption of sensitive data in the database
    - Use of database views to restrict information available to a user
    - Secure protocols to communicate with the database
    - Content-based access controls that restrict access to sensitive records
    - Restricting administrator-level access
    - Efficient indexing to enhance data retrieval
    - Backups of databases (shadowing, mirroring)
    - Backups of transaction journals (remote journaling)
    - Referential integrity
    - Entity integrity
    - Validation of input
    - Defined data fields (schema)
    - Layered network access restrictions or segregation
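Several of the database controls listed above (views, content-based access controls, referential integrity, entity integrity, validation of input, defined data fields) can be shown in a few lines of SQL. The following is an added example, not part of the study outline: it uses Python's bundled sqlite3 module with constructed sample tables so that it runs offline, and contrasts a string-concatenated query that a SQL-injection payload defeats with the validated, parameterized form. The table layout, the sample rows and the NAME_RE pattern are assumptions made for the demo.

```python
"""Database security controls from the outline, demonstrated on SQLite.

Added example, not part of the original study outline. Uses Python's bundled
sqlite3 module and constructed sample data to show: entity and referential
integrity enforced by the schema, a view that hides a sensitive column from
application code, content-based (row-level) restriction through a parameterized
query, and input validation plus parameter binding beside the concatenated query
that a SQL-injection payload defeats.
"""
import re
import sqlite3

SCHEMA = """
CREATE TABLE department (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL UNIQUE
);
CREATE TABLE employee (
    id      INTEGER PRIMARY KEY,                         -- entity integrity: unique, non-null key
    name    TEXT    NOT NULL,
    dept_id INTEGER NOT NULL REFERENCES department(id),  -- referential integrity
    salary  INTEGER NOT NULL CHECK (salary >= 0),        -- defined data field with a domain check
    ssn     TEXT    NOT NULL                             -- sensitive column, never in the view
);
-- Application roles read this view, not the table: salary and ssn are simply not there.
CREATE VIEW employee_public AS
    SELECT e.id, e.name, d.name AS department
    FROM employee e JOIN department d ON d.id = e.dept_id;
"""

# Constructed sample data (hypothetical).
DEPARTMENTS = [(1, "Engineering"), (2, "Finance")]
EMPLOYEES = [(1, "Alice", 1, 120000, "111-11-1111"),
             (2, "Bob", 2, 90000, "222-22-2222"),
             (3, "Carol", 1, 110000, "333-33-3333")]

# Input validation: a name is letters, spaces, hyphens and apostrophes, 1-64 characters.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z '\-]{0,63}$")


def open_db():
    """Return an in-memory database with FK enforcement on and the sample rows loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite ignores REFERENCES unless this is set
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO department VALUES (?, ?)", DEPARTMENTS)
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?, ?)", EMPLOYEES)
    conn.commit()
    return conn


def public_columns(conn):
    """Columns an application user sees through the view (no salary, no ssn)."""
    cur = conn.execute("SELECT * FROM employee_public LIMIT 0")
    return [d[0] for d in cur.description]


def employees_in_department(conn, department):
    """Content-based restriction: only rows of one department, bound as a parameter."""
    rows = conn.execute(
        "SELECT name FROM employee_public WHERE department = ? ORDER BY name",
        (department,))
    return [r[0] for r in rows]


def try_add_employee(conn, emp_id, name, dept_id, salary, ssn):
    """Insert a row; return 'ok' or the integrity violation the schema raised."""
    try:
        with conn:  # commit on success, roll back on error
            conn.execute("INSERT INTO employee VALUES (?, ?, ?, ?, ?)",
                         (emp_id, name, dept_id, salary, ssn))
    except sqlite3.IntegrityError as e:
        return f"IntegrityError: {e}"
    return "ok"


def find_employee_unsafe(conn, name):
    """The 'before' form: string concatenation lets the input change the query."""
    sql = f"SELECT name FROM employee_public WHERE name = '{name}'"
    return [r[0] for r in conn.execute(sql)]


def find_employee(conn, name):
    """Validate the input, then bind it as a parameter so it can only ever be a value."""
    if not NAME_RE.match(name):
        raise ValueError("invalid employee name")
    rows = conn.execute("SELECT name FROM employee_public WHERE name = ?", (name,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = open_db()
    print(public_columns(db))
    print(employees_in_department(db, "Engineering"))
    print(try_add_employee(db, 4, "Dave", 99, 100000, "444-44-4444"))  # unknown department
    print(try_add_employee(db, 5, "Eve", 2, -1, "555-55-5555"))        # negative salary
    payload = "' OR 1=1 --"
    print(find_employee_unsafe(db, payload))  # every row in the view leaks
    try:
        find_employee(db, payload)
    except ValueError as e:
        print("rejected:", e)
```

Two points worth noting: the view only helps if application accounts are granted access to the view and not to the base table (in a server database that is a GRANT, here it is a convention), and validation and parameter binding are independent layers, so the parameterized query is still safe if the regular expression is loosened later.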
