Network Security Testing—Are There Really Different Types of Testing?
ISSA Web Conference, July 28, 2015
Start Time: 9 am US Pacific / 12 noon US Eastern / 5 pm London Time
#ISSAWebConf
Welcome Conference Moderator
Jorge Orchilles, Vice President, South Florida ISSA
Speaker Introduction
• John Kindervag, Vice President & Principal Analyst, Forrester Research
• Eric Raisters, CISSP, CSSLP
• Ira Winkler, President, Secure Mentem, CISSP
• Donald Shin, Sr. Technical Business Development Manager, IXIA
To ask a question: type your question in the Chat area of your screen. You may need to click on the double arrows to open this function.
John Kindervag
Vice President, Principal Analyst serving Security & Risk Professionals at Forrester Research
+1 469.221.5372 / @Kindervag
Materials omitted due to licensing and reproduction rights.
Eric Raisters
Pen Test Basics
Approach the SUT (system under test) as an attacker.
Process (from SANS Ethical Hacking):
• Planning
• Scoping
• Reconnaissance
• Scanning
• Exploitation
• Documentation/Reporting
Pen Test Purpose
Approach the SUT as an attacker.
• In-house developed apps/services: white-box testing
• Deployed systems/purchased products: includes virtual servers and cloud deployments
Pen Test Types
SUT object:
• Network – mis-configs, weak settings
• Web apps/services – OWASP Top 10
• Mobile apps/services – permissions, data leakage
Attack methods:
• Known vulnerability scans – automated
• Exploitation proof – manual
Pen Test Toolkits
• Kali Linux
• Samurai Web Test Framework
• Pwnie Express
Vulnerability Scan
Look for known vulnerabilities:
• Nessus (OpenVAS)
• Nexpose
• Core Impact
• Burp Suite (free and commercial)
• Zed Attack Proxy (OWASP)
Network Exploits
Prove a found vulnerability is exploitable:
• Metasploit (free and commercial)
• CANVAS
Web App Exploits
• Burp Suite (free and commercial)
• Zed Attack Proxy (OWASP)
• Paros proxy
• w3af
• Netsparker
Android Exploits
• Pwnie Express
• zANTI
• Hackcode
• AndroRAT
iPhone Exploits
• Standard Linux pentest tools
• iNalyser
Summary
• Pen testing is important
• Vulnerability scans are not enough
• Exploit testing proves that a vulnerability is important enough to fix
• Consider contracting experts
• Consider a bug bounty program
• If you don’t do it, the hackers will
Resources (Eric Raisters)
• sectools.org
• n0where.net/directory
• OWASP.org
• kali.org
Thank you!
Question and Answer: Eric Raisters, CISSP, CSSLP
Ira Winkler
Ira Winkler, President, Secure Mentem, CISSP
+1-443-603-0200 / @irawinkler
Question and Answer
Donald Shin
www.ixiacom.com
Donald Shin, Sr. Technical Business Development Manager, IXIA
www.ixiacom.com
Question and Answer
Open Panel with Audience Q&A
• John Kindervag, Vice President & Principal Analyst, Forrester Research
• Eric Raisters, CISSP, CSSLP
• Ira Winkler, President, Secure Mentem, CISSP
• Donald Shin, Sr. Technical Business Development Manager, IXIA
Closing Remarks
Thank you Citrix for donating the Webcast service.
Thank You
CPE Credit
• Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post Web Conference quiz.
• After the successful completion of the quiz you will be given the opportunity to obtain a certificate of attendance to use for the submission of CPE credits.
• On-Demand Viewers Quiz Link: http://www.surveygizmo.com/s3/2241426/ISSA-Web-Conference-July-28-2015-Network-Security-Testing-Are-There-Really-Different-Types-of-Testing