© 2014 IBM Corporation 1
© 2014 IBM Corporation
IBM Security Services
- Penetration Testing -
© 2014 IBM Corporation 2
THE EVOLVING THREAT
LANDSCAPE
© 2014 IBM Corporation 3
Success in today’s dynamic, data driven global marketplace
requires effective enterprise IT security management
© 2014 IBM Corporation 4 M O T I V A T I O N
Motivations and sophistication are rapidly evolving
S O P H I S T I C A T I O N
National Security,
Economic Espionage
Notoriety, Activism,
Defamation
Hacktivists Lulzsec, AnonymousMonetary
Gain
Organized crime Zeus, ZeroAccess, Blackhole Exploit PackNuisance,
Curiosity
Insiders, Spammers, Script-kiddies
Nigerian 419 Scams, Code Red
Nation-state actors, APTs
Stuxnet, Aurora, APT-1
© 2014 IBM Corporation 5
Monthly
7,647,121
Security events
Annual
16,857
Monthly
1,405
Security attacks
Annual
109
Monthly
9
Security incidents
Security Intelligence
Correlation and analytics
tools
Security Intelligence
Human security analysts
Security Incidents are rising: Data from the IBM 2014 Cyber Security
Index
Weekly
1,764,121
Weekly
324
Weekly
2
Annual
91,765,453
Attacks: Increased
efficiencies achieved
More efficiency in security
processing to help clients
focus on identified
malicious events
Events: up 12% year
on year to 91m
Observable
occurrences in a
system or network
Incidents: up 22% year
on year
Attacks deemed
worthy of deeper
investigation
© 2014 IBM Corporation 6
At the same time, according to Ponemon Institute, the cost of a
data breach to global organizations is on the rise
NEW DATA from the
2014 Ponemon Institute Cost of Data Breach
Study: United States, sponsored by IBM
www.ibm.com/services/costofbreach
$145
Average cost per
record compromised
15% increase
up 9%
year-to-year in rate of
customer churn
up 15%
$3.5 million
Average total cost
per data breach
© 2014 IBM Corporation 7 IBM Confidential
According to 2014 Ponemon Institute the average cost of a data
breach per record varies from country to country
Source 2014 Ponemon Institute Cost of Data Breach Study: Italy
In
Italy
the cost of data breach
increased from €95 in 2013 to €102 in
2014 for one compromised record
In
Italy
the total organizational cost of
data breach increased from €1.73
© 2014 IBM Corporation 8 IBM Confidential
What happens in Italy?
- Data from latest Clusit Report -
Hacktivism
: Hacktivism is the act of hacking a website or computer
network in an effort to convey a social or political message. The person
who carries out the act of hacktivism is known as a hacktivist.
© 2014 IBM Corporation 9
IT Security is a board-room discussion
Increasingly, companies are appointing CROs and CISOs
with a direct line to the Audit Committee
Loss of market share and reputation Legal exposure
Audit failure
Fines and criminal charges Financial loss Loss of data confidentiality, integrity and/or availability Violation of employee privacy Loss of customer trust Loss of brand reputation
CEO
CFO/COO
CIO
CHRO
CMO
© 2014 IBM Corporation 10
© 2014 IBM Corporation 11
IBM has a commitment to security research, development,
monitoring & analysis
4,300
strategic
outsourcing security
delivery resources
1,200
professional
services security
consultants
650
field security
specialists
400
security operations
analysts
10
security research
centers
10
security operations
centers (SOCs)
14
security development
labs
IBM X-Force Expertise
•
150M intrusion attempts monitored daily
•
46,000 documented vulnerabilities
•
40M unique phishing/spam attacks
•
Millions of unique malware samples
•
Billions of analyzed web pages
•
1000+ security patents
Managed Services Excellence
•
Tens of thousands of devices under
management
•
Thousands of MSS clients worldwide
•
Billions of events managed per day
•
Countries monitored in all geographies
•
Industry-leading research and reports
© 2014 IBM Corporation 12
Sources:
Forrester Research Inc. “Forrester WaveTM”: Information Security Consulting Services, Q1 2013“ Forester Wave: Managed Security Services providers Q1, 2012.
IBM is widely recognized as a leader in this market
“IBM has the largest client base of the participants... Clients praised the flexibility, knowledge, and responsiveness …while also noting the company’s excellent documentation. Organizations
looking for a high-quality vendor that can do it all and manage it afterwards should consider IBM.”
© 2014 IBM Corporation 13
© 2014 IBM Corporation 14
IBM Security Services Portfolio
People Data Applications Infrastructure
Identity
Assessment & Strategy Crown Jewels Discovery & Protection SDLC Program Development Security Optimization User Provisioning/Access Mgmt Database Security Dynamic and Static Testing Design, Deployment & Migration
Total Authentication Solution Encryption and Data Loss Prevention
Embedded Device Testing
Staff Augmentation Managed/Cloud Identity Mobile Application Testing
Strategy, Risk & Compliance
Security Maturity Benchmarking
Security Strategy & Roadmap Development
Security Risk Assessment & Program Design
Industrial Controls
(NIST, SCADA) PCI Advisory
Firewall / Unified Threat Management
Intrusion Detection & Prevention
Web Protection & Managed DDoS
Hosted E-Mail & Web Vulnerability Mgmt
Managed SIEM & Log Management
Powered by IBM’s Next Generation Threat Monitoring and Analytics Platform
Security Operations
Security Intelligence Operations Center Design & Build Out Services
Cloud and Managed Services
Cybersecurity Assessment & Response
Threat Intelligence Advisory X-Force Threat Analysis Penetration Testing Incident Preparation Emergency Response
IBM Secuity Services Portfolio Overview
Built to address the Security Essentials, within context of the
integrated Security Framework
© 2014 IBM Corporation 15
Questo servizio effettua prove che mostrano le tecniche di attacco e
identificano i sistemi vulnerabili
I servizi di penetration test dimostrano, per mezzo di scenari reali, il modo in
cui gli attaccanti possono impattare significativamente sul business.
Durante delle prove controllate, i consulenti degli IBM Professional Security
Services (PSS) tentano di penetrare remotamente i dispositivi di rete e di
fornire l’evidenza che i sistemi e i dati critici possono essere compromessi.
Si documentano le scoperture di sicurezza insieme alle soluzioni
raccomandate per eliminarle o contenerle.
Al di là di un semplice assessment di vulnerabilità (scan), un penetration test
può mostrare l’impatto reale delle vulnerabilità piuttosto che indicare delle
debolezze teoriche.
Descrizione dei servizi:
Requisiti dei clienti
Soddisfare i requisiti normativi
Validare l’efficacia dei controlli
di sicurezza implementati
Aiutare a definire le priorità
degli investimenti di sicurezza
© 2014 IBM Corporation 16
I clienti comprendono meglio l’impatto di un attacco sul proprio
business e possono decidere di conseguenza le azioni a rimedio
La dimostrazione di come degli attaccanti possano
impattare in modo significativo sul business del Cliente
La validazione dell’efficacia della attuali contromisure di
sicurezza del Cliente
Estendere e approfondire la prospettiva sulle tecniche e le
motivazioni degli hacker
Incoraggiare il supporto del top management alla strategia
e alle risorse di sicurezza
Identificare la azioni raccomandate per ridurre
efficacemente il rischio
Facilitare la gestione della conformità alle normative
industriali e statali
© 2014 IBM Corporation 17
Project Initiation
– The purpose of this activity is to finalize the project team members, develop a common understanding of the project objectives, roles and responsibilities, and assess your readiness to implement the Services by confirming that the appropriate information is documented.
Network Discovery and Assessment
– The purpose of this activity is to identify active hosts and services within the target network range(s) and assess the security posture of those systems.
Network Attack and Exploitation
– The purpose of this activity is to attempt to exploit identified vulnerabilities and demonstrate the impact of those vulnerabilities in terms of successful attack scenarios for the target network range(s), IP addresses, and in-scope active Devices specified in the Schedule.
Web Application Testing (Add-on)
– The purpose of this activity is to attempt to identify and exploit web application vulnerabilities and demonstrate the impact of those vulnerabilities in terms of successful attack scenarios against in-scope websites.
Internal Network Exploitation (Add-on)
– The purpose of this activity is to utilize discovered successful attacks to initiate mutually agreed upon breach scenarios for the target network range(s).
Network Vulnerability Assessment (Add-on)
– The purpose of this activity is to identify active host systems and associated services within the targeted network range, assess such systems for known vulnerabilities, and evaluate the identified vulnerabilities.
Onsite Internal Penetration Test (Add-on)
– The purpose of this activity is to attempt to investigate weaknesses in the internal network by mimicking malicious behaviors that could be exhibited by a trusted user with access to the network.
© 2014 IBM Corporation 18
Penetration Test – Scope and Methodology
Scope
– Identify active services, their nature and the published services
– Identify the current vulnerabilities
– Analyze Web security exposures
– Leverage the identified vulnerabilities to access the Client’s
systems and provide actual risks entity and evidence
– Document the possible countermeasures and exposures
resolutions
Phases*
–
Discovery:
get an overview of the tested systems and their
usage
–
Vulnerabilities
assessment:
perform network, host and port
mapping, run vulnerability scanners to identify any existing
network, operating system or service vulnerabilities, manual
vulnerability mapping, application testing.
–
Penetration (or exploiting):
exploit vulnerabilities found
–
Keep access:
ensure constant access to exploited systems
–
Cover tracks:
hide presence on exploited systems
–
Final reports:
Executive summary, Main Observations,
Vulnerabilities technical details, Recommendations
© 2014 IBM Corporation 19
4) Next:
- crack passwords of domain users
- Attack other domains
Penetration Test - Typical Exploit Sequence
1) Exploit
2) Crack local passwords
Vulnerable Server Domain Systems DOMAIN COMPROMISED Domain Controller 3) Exploit
© 2014 IBM Corporation 20
Penetration Testing Summary
IBM Penetration testing services perform safe and controlled exercises that demonstrate covert and hostile attack techniques designed to identity vulnerable systems. It validates existing security controls and quantifies real-world risks, providing clients with a detailed security roadmap that prioritizes the weaknesses in the network environment.
Helps to prevent network compromise and downtime by identifying
vulnerabilities, validating current safeguards and outlining steps for remediation
Raises executive awareness of corporate liability to emphasize the importance of IT security efforts
Validates effectiveness of the security measures currently in place
Quantifies system and business critical data risk
Provides recommendations to resolve identified security vulnerabilities to prevent network downtime.
Helps to protect integrity of online assets
Supports efforts and investiments to reach and maintain compliancy with security regulations and industry standards
Key Features
Provides a detailed analysis of your network security, including
demonstrated attacks and their effects on your online operations
Delivers a quality service designed to be safely conducted by expert security professionals, through manual
penetration techniques and automated scanning
Conducts real-life simulations of covert and hostile activities typical of malicious attackers’ attempts to compromise perimeter devices and security controls
Final reports show, for priorities,
identified risks and set out the elements for immediate action to resolve identified vulnerabilities
Customer Pain Points
Address and maintain security needs satisfying regulatory compliance
Lack of skill and resources to build an efficient and effective security program
Needs to protect business critical data
Maintain network and application availability during hostile activities typical of malicious attackers
© 2014 IBM Corporation 21