67
Network Security Testing— Are There Really Different Types of Testing? July 28, 2015 Start Time: 9 am US Pacific / 12 noon US Eastern / 5 pm London Time WebCONFERENCES #ISSAWebConf
Network Security Testing—Are There Really Different Types of Testing?July 28, 2015Start Time: 9 am US Pacific / 12 noon US Eastern / 5 pm London Time
WebCONFERENCES
#ISSAWebConf
Brought to you by:
Title goes here 2Web CONFERENCE:
#ISSAWebConf
Network Testing—Are There Really Different Types of Testing?
Network Security Testing—Are There Really Different Types of Testing?
Welcome Conference Moderator
July 28, 2015Start Time: 9 am US Pacific12 noon US Eastern5 pm London Time
#ISSAWebConf WebCONFERENCES
Jorge OrchillesVice President, South Florida ISSA
Network Security Testing—Are There Really Different Types of Testing?
• John KindervagVice President & Principal Analyst, Forrrester Research
• Eric RaistersCISSP, CSSLP
• Ira WinklerPresident, Secure Mentem, CISSP
• Donald ShinSr. Technical Business Development Manager, IXIA
Speaker Introduction
Title goes here 4Web CONFERENCE:
#ISSAWebConf
To ask a question:Type in your question in the Chat area of your screen. You may need to click on the double arrows to open this function.
Network Testing—Are There Really Different Types of Testing?
Network Security Testing—Are There Really Different Types of Testing?
+1 [email protected]@Kindervag
#ISSAWebConf
WebCONFERENCES
John KindervagVice President, Principal Analyst serving Security & Risk Professionals at Forrester Research
Materials omitted due to licensing and reproduction rights.
Network Testing—Are There Really Different Types of Testing?
Network Security Testing—Are There Really Different Types of Testing?
#ISSAWebConf
WebCONFERENCES
Eric RaistersCISSP, CSSLP
Approach SUT as an attacker Process (from SANS Ethical Hacking)
Planning Scoping Reconnaissance Scanning Exploitation Documentation/Reporting
Pen Test Basics
Network Testing—Are There Really Different Types of Testing? 8
Approach SUT as an attacker In-house developed apps/services
White-box testing Deployed systems/purchased products
Includes virtual servers and cloud deployments
Pen Test Purpose
Network Testing—Are There Really Different Types of Testing? 9
SUT object Network – mis-configs, weak settings Web apps/services – OWASP Top 10 Mobile apps/services – permissions,
data leakage Attack methods
Known vulnerability scans - automated Exploitation proof - manual
Pen Test Types
Network Testing—Are There Really Different Types of Testing? 10
Kali Linux Samurai Web Test Framework Pwnie Express
Pen Test Toolkits
Network Testing—Are There Really Different Types of Testing? 11
Look for known vulnerabilities Nessus (OpenVAS) Nexpose Core Impact Burp Suite (free and commercial) Zed Attack Proxy (OWASP)
Vulnerability Scan
Network Testing—Are There Really Different Types of Testing? 12
Prove a found vulnerability is exploitable Metasploit (freed and commercial) CANVAS
Network Exploits
Network Testing—Are There Really Different Types of Testing? 13
Burp Suite (free and commercial) Zed Attack Proxy (OWASP) Paros proxy w3af Netsparker
Web App Exploits
Network Testing—Are There Really Different Types of Testing? 14
Pwnie Express zANTI Hackcode AndroRAT
Android Exploits
Network Testing—Are There Really Different Types of Testing? 15
Standard Linux pentest tools iNalyser
iPhone Exploits
Network Testing—Are There Really Different Types of Testing? 16
Pen testing is important Vulnerability scans are not enough Exploit testing proves that a
vulnerability is important enough to fix Consider contracting experts Consider a bug bounty program
If you don’t do it, the hackers will
Summary
Network Testing—Are There Really Different Types of Testing? 17
sectools.org n0where.net/directory OWASP.prg kali.org
Eric Raisters
Resources
Network Testing—Are There Really Different Types of Testing? 18
19
Thank you!
Network Testing—Are There Really Different Types of Testing?
Eric RaistersCISSP, CSSLP
Question and Answer
Title goes here 20Web CONFERENCE:
#ISSAWebConf
To ask a question:Type in your question in the Chat area of your screen. You may need to click on the double arrows to open this function.
Network Testing—Are There Really Different Types of Testing?
Eric RaistersCISSP, CSSLP
Thank You
Title goes here 21Web CONFERENCE:
#ISSAWebConf
Network Testing—Are There Really Different Types of Testing?
Network Security Testing—Are There Really Different Types of Testing?
#ISSAWebConf
WebCONFERENCES
Ira WinklerPresident, Secure Mentem, CISSP
23Network Testing—Are There Really Different Types of Testing?
Copyright Secure Mentem
24Network Testing—Are There Really Different Types of Testing?
25Network Testing—Are There Really Different Types of Testing?
26Network Testing—Are There Really Different Types of Testing?
Copyright Secure Mentem
27Network Testing—Are There Really Different Types of Testing?
Copyright Secure Mentem
28Network Testing—Are There Really Different Types of Testing?
Copyright Secure Mentem
29Network Testing—Are There Really Different Types of Testing?
30Network Testing—Are There Really Different Types of Testing?
Copyright Secure Mentem
31Network Testing—Are There Really Different Types of Testing?
Copyright Secure Mentem
32Network Testing—Are There Really Different Types of Testing?
33Network Testing—Are There Really Different Types of Testing?
34Network Testing—Are There Really Different Types of Testing?
35Network Testing—Are There Really Different Types of Testing?
36Network Testing—Are There Really Different Types of Testing?
37Network Testing—Are There Really Different Types of Testing?
38Network Testing—Are There Really Different Types of Testing?
Thank You
Ira WinklerPresident, Secure Mentem, CISSP
@irawinkler
Question and Answer
Title goes here 39Web CONFERENCE:
#ISSAWebConfTo ask a question:Type in your question in the Chat area of your screen. You may need to click on the double arrows to open this function.
Network Testing—Are There Really Different Types of Testing?
Ira WinklerPresident, Secure Mentem, CISSP
@irawinkler
Thank You
Title goes here 40Web CONFERENCE:
#ISSAWebConf
Network Testing—Are There Really Different Types of Testing?
Network Security Testing—Are There Really Different Types of Testing?
www.ixiacom.com
#ISSAWebConf
WebCONFERENCES
Donald ShinSr. Technical Business Development Manager, IXIA
42Network Testing—Are There Really Different Types of Testing?
43Network Testing—Are There Really Different Types of Testing?
44Network Testing—Are There Really Different Types of Testing?
45Network Testing—Are There Really Different Types of Testing?
46Network Testing—Are There Really Different Types of Testing?
47Network Testing—Are There Really Different Types of Testing?
48Network Testing—Are There Really Different Types of Testing?
49Network Testing—Are There Really Different Types of Testing?
50Network Testing—Are There Really Different Types of Testing?
51Network Testing—Are There Really Different Types of Testing?
52Network Testing—Are There Really Different Types of Testing?
53Network Testing—Are There Really Different Types of Testing?
54Network Testing—Are There Really Different Types of Testing?
55Network Testing—Are There Really Different Types of Testing?
56Network Testing—Are There Really Different Types of Testing?
57Network Testing—Are There Really Different Types of Testing?
58Network Testing—Are There Really Different Types of Testing?
59Network Testing—Are There Really Different Types of Testing?
60Network Testing—Are There Really Different Types of Testing?
61Network Testing—Are There Really Different Types of Testing?
62Network Testing—Are There Really Different Types of Testing?
Donald ShinSr. Technical Business Development Manager
IXIAwww.ixiacom.com
Question and Answer
Title goes here 63Web CONFERENCE:
#ISSAWebConfTo ask a question:Type in your question in the Chat area of your screen. You may need to click on the double arrows to open this function.
Network Testing—Are There Really Different Types of Testing?
Donald Shin Sr. Technical Business Development Manager
IXIAwww.ixiacom.com
Thank You
Title goes here 64Web CONFERENCE:
#ISSAWebConf
Network Testing—Are There Really Different Types of Testing?
• John KindervagVice President & Principal Analyst, Forrester Research
• Eric Raisters CISSP, CSSLP
• Ira WinklerPresident, Secure Mentem, CISSP
• Donald ShinSr. Technical Business Development Manager, IXIA
Open Panel with Audience Q&A
Title goes here 65Web CONFERENCE:
#ISSAWebConf
To ask a question:Type in your question in the Chat area of your screen. You may need to click on the double arrows to open this function.
Network Testing—Are There Really Different Types of Testing?
Thank you Citrix for donatingthe Webcast service
Closing Remarks
Title goes here 66Web CONFERENCE:
#ISSAWebConf
Thank You
Network Testing—Are There Really Different Types of Testing?
• Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post Web Conference quiz.
• After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.
• On-Demand Viewers Quiz Link:http://www.surveygizmo.com/s3/2241426/ISSA-Web-Conference-July-28-2015-Network-Security-Testing-Are-There-Really-Different-Types-of-Testing
CPE Credit
Title goes here 67Web CONFERENCE:
#ISSAWebConf
Network Testing—Are There Really Different Types of Testing?
