Vulnerability Assessment and Penetration Testing to Secure Data


Vulnerability Assessment and Penetration Testing (VAPT) to Secure Data
databrackets
info@databrackets.com | 866-276-8309

WHO WE ARE
We assist organizations in developing and implementing practices to secure sensitive data and comply with regulatory requirements.
- DIY TOOLKIT: DIY assessment, training, customized policies & procedures and much more.
- CONSULTING: Professional services to help you with your compliance needs.
- MANAGED SERVICES: Managed compliance and security services so you can focus on your key business outcome.

DISCLAIMER
Consult your attorney. This webinar has been provided for educational and informational purposes only and is not intended and should not be construed to constitute legal advice. Please consult your attorneys in connection with any fact-specific situation under federal law and the applicable state or local laws that may impose additional obligations on you and your company.
ALL WEBINARS ARE RECORDED AND AVAILABLE AS AN "ON DEMAND" SUBSCRIPTION

Srini's Background
Srini Kolathur, CISSP, CISA, CISM, MBA
- Director, databrackets Security and Compliance
- Cisco IT Infrastructure
- HIPAA, PCI, Sarbanes-Oxley and ISO 27k Series
- A member of Rotary Club of Morrisville
- Interests: Running, healthy living and giving back

AGENDA
1. BACKGROUND
2. VAPT WORKFLOW
3. GOAL & OBJECTIVE
4. SCOPE
5. INFORMATION GATHERING
6. VULNERABILITY DETECTION
7. INFORMATION ANALYSIS & PLANNING
8. ATTACKS & PENETRATION
9. PRIVILEGE ESCALATION
10. RESULT ANALYSIS
11. REPORTING & CLEAN-UP
12. SUMMARY
13. NEXT STEPS
14. Q&A
Always available via email to answer any questions.

WHY VAPT
- Required to protect your critical information assets
- Many B2B customers might demand it
- Compliance requirement (NY Cybersecurity, GDPR, ISO 27k, etc.)
- Insurance claims/due diligence
- Best business practice
How frequently to conduct VAPT vs. why you should conduct VAPT

2015 EHR 2.0. All rights reserved. To purchase reprints of this document, please email info@ehr20.com.

WHO DOES IT APPLY TO
Anyone having sensitive data:
- Customer data
- Employee data
- Financial data
- Health data
Exception for HIPAA, CMIA (California Medical Information Act) and GLBA (Gramm-Leach-Bliley Act) statutes.

VAPT WORKFLOW
Workflow steps might vary based on the scope, objectives and architecture.

1. GOAL & OBJECTIVES
Two distinct objectives:
- Vulnerability assessment tools discover which vulnerabilities are present.
- A penetration test attempts to utilize the vulnerabilities in a system to determine if any unauthorized access or other malicious activity is possible, and to identify the threats.
Sample Goal Statement: One of the major goals of the project is to educate developers in the field of application software security.
Is the Goal Statement stated as a SMART goal?

2. SCOPE
The scope for each test depends on the company, industry, compliance standards, etc.
- Any and all devices with an IP address can be considered for a VAPT activity.
- Penetration testing should focus on your organization's external perimeter (IP addresses, offices, people, etc.).
- Vulnerability assessment should focus on your internal infrastructure (servers, databases, switches, routers, desktops, firewalls, laptops, etc.).
- Anything out of bounds for the project.
Customer needs, compliance and security validation are the main drivers to define the scope of the VAPT exercise.

SCOPE Cont'd.
Types of Penetration Testing:
- Network
- Application Security
- Physical
- Social Engineering
The testing method is usually a combination of manual and automated.

3. INFORMATION GATHERING
- Black box / White box / Gray box
- Gathering intelligence (e.g., network and domain names, mail server) to better understand how a target works and its potential vulnerabilities.
All of the information assets need to be included to identify risks during this discovery phase.

4. VULNERABILITY DETECTION
The most important step:
- Gathering intelligence (e.g., network and domain names, mail server) to better understand how a target works and its potential vulnerabilities.
Mostly automated vulnerability scanning tools are used for identifying the vulnerabilities.

5. ATTACKS & PENETRATION
- Reconnaissance
- Discovery
- Public Domain Sources
- Port Scanning
- Identification of Services
- Short Listing of Crucial IPs
- Identification of Operating System
- Identification of Vulnerabilities
- Exploitation of Vulnerabilities
- Privilege Escalation
- Other Attacks
Tools: Nessus, Metasploit, Burp Suite and many other tools.
Depending on the complexity of the system, additional steps might be required.

6. RESULT ANALYSIS
- False positives
- Prioritized issues
- Follow-up testing
The key is to eliminate all unwanted noise so that the organization can focus on key infrastructure/risks in a timely manner.

7. REPORTING
Report format:
- Introduction
  - Objectives of the assignment
  - Scope of the assignment
  - Standards followed
  - Duration of the assignment
- Management Summary
  - High-level findings
  - High-level recommendations
  - Graphical summary
- Technical Report
  - This report will contain the vulnerabilities discovered with CVE ratings and the mitigation recommendations
- Conclusion
High-level summary reports are shared with all.
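The result-analysis step (eliminate false positives, prioritize issues) and the reporting step (management summary plus technical findings with CVE references and mitigations) are the two places where scanner output has to be turned into something a defender can act on. The script below is an added example, not code from the webinar or from databrackets: it takes a constructed list of scanner findings (hosts, plugin ids, CVSS scores and CVE ids are all placeholders, and the record layout is a generic shape rather than any vendor's export format), suppresses findings that follow-up testing confirmed as false positives, removes duplicate host/plugin pairs, sorts by CVSS, and produces both report views the slides describe.

```python
"""Triage constructed scanner findings: drop confirmed false positives,
de-duplicate, prioritise by CVSS, and build the management summary and
technical finding list described in the reporting step.

All data below is constructed for illustration: the hosts, plugin ids,
CVE ids (CVE-0000-xxxx) and scores are placeholders, not results from
any real scan, and the JSON shape is generic, not a vendor export format."""
import json
from collections import Counter
from dataclasses import dataclass

# Constructed sample export (duplicate on 10.0.0.5 is deliberate: scanners
# commonly report the same plugin twice for one host when run in passes).
RAW_FINDINGS = json.loads("""
[
 {"host": "10.0.0.5",  "plugin": 1001, "name": "Outdated TLS version",    "cvss": 5.3, "cve": ["CVE-0000-0001"], "fix": "Disable TLS 1.0/1.1"},
 {"host": "10.0.0.5",  "plugin": 1001, "name": "Outdated TLS version",    "cvss": 5.3, "cve": ["CVE-0000-0001"], "fix": "Disable TLS 1.0/1.1"},
 {"host": "10.0.0.7",  "plugin": 1002, "name": "Unpatched service",       "cvss": 9.8, "cve": ["CVE-0000-0002"], "fix": "Apply vendor patch"},
 {"host": "10.0.0.9",  "plugin": 1003, "name": "Self-signed certificate", "cvss": 2.0, "cve": [],                 "fix": "Install trusted certificate"},
 {"host": "10.0.0.11", "plugin": 1004, "name": "Default credentials",     "cvss": 7.5, "cve": [],                 "fix": "Change default password"},
 {"host": "10.0.0.9",  "plugin": 1005, "name": "Weak SSH ciphers",        "cvss": 4.3, "cve": [],                 "fix": "Harden sshd_config"}
]
""")

# Known false positives confirmed by follow-up testing (constructed).
# Keyed by (host, plugin) so suppression is host-specific, never global.
FALSE_POSITIVES = {("10.0.0.9", 1003)}

# CVSS v3 qualitative bands, checked from highest floor downwards.
SEVERITY_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"), (0.0, "Info")]


@dataclass(frozen=True)
class Finding:
    host: str
    plugin: int
    name: str
    cvss: float
    cves: tuple
    fix: str

    @property
    def severity(self) -> str:
        for floor, label in SEVERITY_BANDS:
            if self.cvss >= floor:
                return label
        return "Info"


def load(raw):
    """Convert raw records into Finding objects."""
    return [Finding(r["host"], r["plugin"], r["name"], float(r["cvss"]),
                    tuple(r["cve"]), r["fix"]) for r in raw]


def triage(findings, false_positives):
    """Drop suppressed and duplicate findings, then order by risk."""
    seen, kept = set(), []
    for f in findings:
        key = (f.host, f.plugin)
        if key in false_positives or key in seen:
            continue
        seen.add(key)
        kept.append(f)
    # Highest CVSS first; ties broken by host for a stable report order.
    return sorted(kept, key=lambda f: (-f.cvss, f.host))


def management_summary(findings):
    """Count of findings per severity band, for the high-level summary."""
    counts = Counter(f.severity for f in findings)
    return {label: counts.get(label, 0) for _, label in SEVERITY_BANDS}


def technical_report(findings):
    """One row per finding with CVE references and the mitigation."""
    return [{"host": f.host, "severity": f.severity, "cvss": f.cvss,
             "name": f.name, "cve": list(f.cves), "mitigation": f.fix}
            for f in findings]


if __name__ == "__main__":
    prioritised = triage(load(RAW_FINDINGS), FALSE_POSITIVES)
    print(management_summary(prioritised))
    for row in technical_report(prioritised):
        print(row)
```

The false-positive list is keyed by host and plugin rather than by plugin alone: a check that is noise on one host can be a real issue on another, and a global suppression is exactly the kind of "unwanted noise" filter that hides a finding from the technical report.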

8. CLEAN-UP
- Removing any executables, scripts and temporary files from compromised systems
- Reconfiguring settings back to the original parameters prior to the pentest
- Eliminating any rootkits installed in the environment
- Removing any user accounts created to connect to the compromised system
Clean-up is one of the most important steps during VAPT.
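Each clean-up bullet above is a comparison between the state of a host before the engagement and its state afterwards, so the verification is easiest when an inventory of accounts, files and settings is captured before testing starts and again once clean-up is declared complete. The script below is an added example and not part of the webinar or of databrackets' material: the two inventories are constructed dictionaries with placeholder host names, account names, paths and settings, standing in for whatever collection commands an organization runs on its own hosts.

```python
"""Clean-up verification: diff a pre-test baseline inventory against a
post-test inventory and list everything the engagement left behind
(extra accounts, extra files, changed settings) per host.

Both inventories are constructed placeholders; in practice they come from
the same collection run on each in-scope host before and after the test."""
from dataclasses import dataclass, field

# Constructed baseline captured before testing (hypothetical hosts/values).
BASELINE = {
    "web01": {"accounts": {"root", "www-data", "deploy"},
              "files": {"/etc/nginx/nginx.conf", "/var/www/index.html"},
              "settings": {"PermitRootLogin": "no", "PasswordAuthentication": "no"}},
    "db01":  {"accounts": {"root", "postgres"},
              "files": {"/etc/postgresql/pg_hba.conf"},
              "settings": {"PermitRootLogin": "no", "PasswordAuthentication": "no"}},
}

# Constructed post-test inventory: web01 still carries a tester account,
# a temporary script and a relaxed SSH setting; db01 was restored.
POST_TEST = {
    "web01": {"accounts": {"root", "www-data", "deploy", "pt-svc"},
              "files": {"/etc/nginx/nginx.conf", "/var/www/index.html", "/tmp/pt-enum.sh"},
              "settings": {"PermitRootLogin": "yes", "PasswordAuthentication": "no"}},
    "db01":  {"accounts": {"root", "postgres"},
              "files": {"/etc/postgresql/pg_hba.conf"},
              "settings": {"PermitRootLogin": "no", "PasswordAuthentication": "no"}},
}

EMPTY = {"accounts": set(), "files": set(), "settings": {}}


@dataclass
class Residue:
    """What remains on one host after clean-up; empty means clean."""
    host: str
    extra_accounts: set = field(default_factory=set)
    extra_files: set = field(default_factory=set)
    changed_settings: dict = field(default_factory=dict)   # key -> (before, after)

    def is_clean(self) -> bool:
        return not (self.extra_accounts or self.extra_files or self.changed_settings)


def verify_cleanup(baseline, post):
    """Return {host: Residue} for every host in the baseline."""
    report = {}
    for host, before in baseline.items():
        after = post.get(host, EMPTY)
        r = Residue(host)
        r.extra_accounts = after["accounts"] - before["accounts"]
        r.extra_files = after["files"] - before["files"]
        r.changed_settings = {k: (v, after["settings"].get(k))
                              for k, v in before["settings"].items()
                              if after["settings"].get(k) != v}
        report[host] = r
    return report


def outstanding_hosts(report):
    """Hosts that still need clean-up work, sorted for a stable checklist."""
    return sorted(h for h, r in report.items() if not r.is_clean())


if __name__ == "__main__":
    result = verify_cleanup(BASELINE, POST_TEST)
    for host in outstanding_hosts(result):
        r = result[host]
        print(host, "accounts:", r.extra_accounts, "files:", r.extra_files,
              "settings:", r.changed_settings)
```

The diff is one-directional on purpose: items present in the baseline but missing afterwards are a separate question (something the test broke or removed) and belong in the findings, not in the clean-up list. A host that disappears from the post-test inventory entirely shows up as clean, so the two inventories should be collected against the same scoped host list.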

NEXT STEPS
Contact databrackets for a free, no-obligation evaluation of your penetration testing and vulnerability assessment needs.
866-276-8309 or info@databrackets.com


UPCOMING EVENTS
Business Continuity and Disaster Recovery – 11/7
Register now: databrackets.com/webinars

FIND US
CALL US: 866-276-8309
SERVICE: info@databrackets.com
LOCATION: 150 Cornerstone Dr., Cary, NC
SOCIALIZE: Twitter: @databrackets; Facebook: databrackets

Questions
Please don't hesitate to ask.

Thank you for your attention!

To purchase reprints of this document, please email info@databrackets.com.
Thank you for joining us today. 23 October, 2019
