• Home

  • Documents

  • HOW TO CHOOSE THE RIGHT SCANNING OR TESTING … · 2017. 2. 8. · HOW TO CHOOSE THE RIGHT SCANNING...
4
HOW TO CHOOSE THE RIGHT SCANNING OR TESTING ENROLLMENT This document will describe the various scanning and testing aspects of Trustwave Managed Security Testing (MST) to help you decide what level of scanning or penetration testing is right for your needs. Overview Trustwave Managed Security Testing (MST) identifies vulnerabilities in networks, applications and databases to identify where and how data could be compromised to help IT teams measure and manage risk. MST blends vulnerability scanning and penetration testing into a complete vulnerability assessment and security testing service. Different assets are valued differently and have different risks associated with them. A low value asset may only require scanning to identify potential threats. A mission-critical asset, however, needs deeper testing to determine the ramifications of the actual exploitation of its vulnerabilities. MST fulfills each of those needs and also illustrates how the chaining together of multiple vulnerabilities across multiple assets may clear an attacker’s path to the compromise of systems and data. With MST, users can enroll targets in, schedule and review and manage the results of scanning and penetration testing of the following types: Scanning o Applications o Databases o External network infrastructure o Internal network infrastructure Penetration Testing o Applications o External network infrastructure o Internal network infrastructure Scanning MST provides flexible scanning options based on your needs. Depending on the expertise of your resources, users can choose to schedule and manage scans and interpret results themselves (self-service scanning) or have Trustwave SpiderLabs experts do it for them (managed scanning). Self-Service Scanning Users of self-service scanning can schedule, configure and run scans themselves. Upon completion of a scan, the user receives a list of raw results from our scanning tools that they interpret on their own. Managed Scanning Managed scanning consists of Trustwave SpiderLabs experts validating and interpreting scan results for the user. Upon completion of a scan, the user receives a report of validated results. Self-Service Scanning Managed Scanning Scheduling: User User Configuration: User User Scan kick-off: User User False-positive filtering: User Trustwave SpiderLabs Validation of results: User Trustwave SpiderLabs Interpretation of results: User Trustwave SpiderLabs

HOW TO CHOOSE THE RIGHT SCANNING OR TESTING … · 2017. 2. 8. · HOW TO CHOOSE THE RIGHT SCANNING OR TESTING ENROLLMENT This document will describe the various scanning and testing

  • Upload
    others

  • View
    0

  • Download
    0

Embed Size (px)

Citation preview

Page 1: HOW TO CHOOSE THE RIGHT SCANNING OR TESTING … · 2017. 2. 8. · HOW TO CHOOSE THE RIGHT SCANNING OR TESTING ENROLLMENT This document will describe the various scanning and testing

HOW TO CHOOSE THE RIGHT SCANNING OR TESTING ENROLLMENT

This document will describe the various scanning and testing aspects of Trustwave Managed Security Testing (MST) to help you decide what level of scanning or penetration testing is right for your needs.

Overview Trustwave Managed Security Testing (MST) identifies vulnerabilities in networks, applications and databases to identify where and how data could be compromised to help IT teams measure and manage risk. MST blends vulnerability scanning and penetration testing into a complete vulnerability assessment and security testing service. Different assets are valued differently and have different risks associated with them. A low value asset may only require scanning to identify potential threats. A mission-critical asset, however, needs deeper testing to determine the ramifications of the actual exploitation of its vulnerabilities. MST fulfills each of those needs and also illustrates how the chaining together of multiple vulnerabilities across multiple assets may clear an attacker’s path to the compromise of systems and data. With MST, users can enroll targets in, schedule and review and manage the results of scanning and penetration testing of the following types:

• Scanning o Applications o Databases o External network infrastructure o Internal network infrastructure

• Penetration Testing

o Applications o External network infrastructure o Internal network infrastructure

Scanning MST provides flexible scanning options based on your needs. Depending on the expertise of your resources, users can choose to schedule and manage scans and interpret results themselves (self-service scanning) or have Trustwave SpiderLabs experts do it for them (managed scanning). Self-Service Scanning Users of self-service scanning can schedule, configure and run scans themselves. Upon completion of a scan, the user receives a list of raw results from our scanning tools that they interpret on their own. Managed Scanning Managed scanning consists of Trustwave SpiderLabs experts validating and interpreting scan results for the user. Upon completion of a scan, the user receives a report of validated results.

Self-Service Scanning Managed Scanning Scheduling: User User

Configuration: User User Scan kick-off: User User

False-positive filtering: User Trustwave SpiderLabs Validation of results: User Trustwave SpiderLabs

Interpretation of results: User Trustwave SpiderLabs

Page 2: HOW TO CHOOSE THE RIGHT SCANNING OR TESTING … · 2017. 2. 8. · HOW TO CHOOSE THE RIGHT SCANNING OR TESTING ENROLLMENT This document will describe the various scanning and testing

Page 2 of 4

Levels and Types of Scanning Application Scanning

Service Number of Tests Description

Self-Service Compliance Scan Enrollment

Four (4) Application Compliance scans

—unlimited scanning available

Cloud-based application scanning that will perform the minimum required checks to meet compliance requirements. The client will setup, configure and manage the scans and review and manage the results on their own.

Self-Service Best Practices Scan Enrollment

Four (4) Application Best Practices scans

—unlimited scanning available

Cloud-based application scanning that will fulfill compliance requirements but extend beyond to run a set of vulnerability checks designed to address a broader array of security concerns to assist organizations in protecting their information systems. The client will setup, configure and manage the scans and review and manage the results on their own.

Managed Compliance Review Scan Enrollment

Four (4) Managed Application Compliance Review Scans

Cloud-based managed application scanning that will perform the minimum required checks to meet compliance requirements. The client will enroll the target and schedule the scan, and Trustwave SpiderLabs experts will configure and execute the scans and review and manage the results in order to provide a report of validated findings.

Managed Best Practices Assessment Scan

Enrollment

Four (4) Managed Application Best Practices Assessment Scans

Cloud-based application scanning that will fulfill compliance requirements but extend beyond to run a set of vulnerability checks designed to address a broader array of security concerns to assist organizations in protecting their information systems. The client will enroll the target and schedule the scan, and Trustwave SpiderLabs experts will configure and execute the scans and review and manage the results in order to provide a report of validated findings.

Database Scanning

Service Number of Tests Description

Managed Compliance Review Scan Enrollment

Four (4) Managed Database Assessment Scans

Cloud-based managed database scanning that will perform the minimum required checks to meet compliance requirements. The client will enroll the target and schedule the scan, and Trustwave SpiderLabs experts will configure and execute the scans and review and manage the results in order to provide a report of validated findings.

Managed Best Practices Assessment Scan

Enrollment (Tier 0)

Four (4) Managed Database Best Practices Assessment Scans

Cloud-based database scanning that will fulfill compliance requirements but extend beyond to run a set of vulnerability checks designed to address a broader array of security concerns to assist organizations in protecting their information systems. The client will enroll the target and schedule the scan, and Trustwave SpiderLabs experts will configure and execute the scans and review and manage the results in order to provide a report of validated findings.

Internal or External Network Scanning

Service Number of Tests Description

Managed Best Practices Assessment Scan

Enrollment (Tier 0)

Four (4) Managed Network Best Practices Assessment Scans

Cloud-based network scanning that will fulfill compliance requirements but extend beyond to run a set of vulnerability checks designed to address a broader array of security concerns to assist organizations in protecting their information systems. The client will enroll the target and schedule the scan, and Trustwave SpiderLabs experts will configure and execute the scans and review and manage the results in order to provide a report of validated findings.

Page 3: HOW TO CHOOSE THE RIGHT SCANNING OR TESTING … · 2017. 2. 8. · HOW TO CHOOSE THE RIGHT SCANNING OR TESTING ENROLLMENT This document will describe the various scanning and testing

Page 3 of 4

Non-MST, Licensed Scanning Options Trustwave delivers MST scanning via the cloud. For licensed options, see product and service descriptions for Trustwave AppDetectivePRO or DbProtect for databases and for Trustwave App Scanner Enterprise. Licensed options are not available for internal vulnerability scanning or external vulnerability scanning for networks.

Penetration Testing With penetration testing, MST provides different levels of testing based on your needs. Testing tiers start with basic tests designed for small environments with minimal requirements (i.e. PCI Compliance) and can expand to our most thorough advanced tests for larger and more complex environments with no constraints on the level of testing.

Levels and Types of Penetration Testing Application Penetration Testing

Service Number of Tests Description

Tier 1 Basic Test Enrollment

Four (4) Managed Application Best Practices Assessment Scans

One (1) Application Tier 1 Basic Test

Managed Application Best Practices Assessment Scans

Tier 1 Application Test: Basic Test—This test will simulate a basic attack executed by an attacker of limited sophistication with minimal skills. This class of attacker (often referred to as “script kiddies”) typically use freely available automated attack tools.

Tier 2 Opportunistic Threats Test Enrollment

Four (4) Managed Application Best Practices Assessment Scans

One (1) Application Tier 2 Opportunistic Threat Test

Managed Application Best Practices Assessment Scans

Tier 2 Application Test: Opportunistic Threat—This test will build upon the basic test described above and simulate an opportunistic attack executed by a skilled attacker that does not spend the time to execute highly sophisticated attacks. This type of attacker seeks easy targets (“low-hanging fruit”) and will use a mix of automated tools and manual exploitation to penetrate their targets.

Tier 3 Targeted Threats Test Enrollment

Four (4) Managed Application Best Practices Assessment Scans

One (1) Application Tier 3 Targeted Threat Test including uncredentialed and credentialed testing

Managed Application Best Practices Assessment Scans

Tier 3 Application Test: Targeted Threat—This test will simulate a targeted attack executed by a skilled, patient attacker that has targeted a specific organization. This class of attacker will expend significant effort trying to compromise an organization’s systems.

Tier 4 Advanced Threats Test Enrollment

Four (4) Managed Application Best Practices Assessment Scans

One (1) Application Tier 4 Advanced Threat Test including uncredentialed and credentialed testing

Managed Application Best Practices Assessment Scans

Tier 4 Application Test: Advanced Threat—This test will simulate an advanced attack executed by a highly motivated, well-funded and extremely sophisticated attacker who will exhaust all options for compromise before relenting.

Page 4: HOW TO CHOOSE THE RIGHT SCANNING OR TESTING … · 2017. 2. 8. · HOW TO CHOOSE THE RIGHT SCANNING OR TESTING ENROLLMENT This document will describe the various scanning and testing

Page 4 of 4

Network Penetration Testing Service Number of Tests Description

Tier 1 Basic Test Enrollment

Four (4) Managed Network Best Practices Assessment Scans

One (1) Network Tier 1 Basic Test

Managed Network Best Practices Assessment Scans

Tier 1 Network Test: Basic Test—This test will simulate a basic attack executed by an attacker of limited sophistication with minimal skills. This class of attacker (often referred to as “script kiddies”) typically use freely available automated attack tools.

Tier 2 Opportunistic Threats Test Enrollment

Four (4) Managed Network Best Practices Assessment Scans

One (1) Network Tier 2 Opportunistic Threat Test

Managed Network Best Practices Assessment Scans

Tier 2 Network Test: Opportunistic Threat—This test will build upon the basic test described above and simulate an opportunistic attack executed by a skilled attacker that does not spend an extensive amount of time executing highly sophisticated attacks. This type of attacker seeks easy targets (“low-hanging fruit”) and will use a mix of automated tools and manual exploitation to penetrate their targets.

Tier 3 Targeted Threats Test Enrollment

Four (4) Managed Network Best Practices Assessment Scans

One (1) Network Tier 3 Targeted Threat Test including uncredentialed and credentialed testing

Managed Network Best Practices Assessment Scans

Tier 3 Network Test: Targeted Threat—This test will simulate a targeted attack executed by a skilled, patient attacker that has targeted a specific organization. This class of attacker will expend significant effort trying to compromise an organization’s systems.

Tier 4 Advanced Threats Test Enrollment

Four (4) Managed Network Best Practices Assessment Scans

One (1) Network Tier 4 Advanced Threat Test including uncredentialed and credentialed testing

Managed Network Best Practices Assessment Scans

Tier 4 Network Test: Advanced Threat—This test will simulate an advanced attack executed by a highly motivated, well-funded and extremely sophisticated attacker who will exhaust all options for compromise before relenting.

About Trustwave Trustwave is a leading provider of compliance, Web, application, network and data security solutions delivered through the cloud, managed security services, software and appliances. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its TrustKeeper® portal and other proprietary security solutions. Trustwave has helped hundreds of thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructures, data communications and critical information assets. Trustwave is headquartered in Chicago with offices worldwide. For more information, visit https://www.trustwave.com.

AUG2014


How to choose the right penetration testing company

How to choose the right penetration testing company

Documents
Choose the best HP device for your scanning needsh20195. · scanning devices that can meet your needs. Let’s look at a few hardware selection questions. ... and types such as letter,

Choose the best HP device for your scanning needsh20195. · scanning devices that can meet your needs. Let’s look at a few hardware selection questions. ... and types such as letter,

Documents
Choose the best HP device for your scanning needs€¦ · Whatever your business environment, HP has a scanning device that’s right for your document workflow: HP LaserJet and PageWide

Choose the best HP device for your scanning needs€¦ · Whatever your business environment, HP has a scanning device that’s right for your document workflow: HP LaserJet and PageWide

Documents
Beyond Testing: What Really Matters · 2018. 6. 19. · is Dead 2007 'Dynamic Detection' Testing (Real World) 2009 'In-the-cloud' Scanning 2009 Exploit Prevention Testing (Real World)

Beyond Testing: What Really Matters · 2018. 6. 19. · is Dead 2007 'Dynamic Detection' Testing (Real World) 2009 'In-the-cloud' Scanning 2009 Exploit Prevention Testing (Real World)

Documents
Differential Scanning Calorimetry of Epoxy Curing …...Title Differential Scanning Calorimetry of Epoxy Curing Using DSC 6000 Author PerkinElmer Keywords When testing materials using

Differential Scanning Calorimetry of Epoxy Curing …...Title Differential Scanning Calorimetry of Epoxy Curing Using DSC 6000 Author PerkinElmer Keywords When testing materials using

Documents
Tensile testing and scanning electron microscope examination

Tensile testing and scanning electron microscope examination

Documents
Comparative Testing of Radiographic Testing, Ultrasonic ... · inspected using a procedure that also included supplemental manual and raster scanning. Using this testing procedure

Comparative Testing of Radiographic Testing, Ultrasonic ... · inspected using a procedure that also included supplemental manual and raster scanning. Using this testing procedure

Documents
Use of Differential Scanning Calorimetry Testing to ... · intumescent firestop were examined in a test series using differential scanning calorimetry (DSC). The samples were heated

Use of Differential Scanning Calorimetry Testing to ... · intumescent firestop were examined in a test series using differential scanning calorimetry (DSC). The samples were heated

Documents
How to choose the right software testing methodology?

How to choose the right software testing methodology?

Technology
How to choose the right penetration testing firm netragard

How to choose the right penetration testing firm netragard

Business
ADMINISTRATION HANDS-ON. Page 2 Agenda Task 1: Initial Configuration Task 2: Testing disinfection with eicar.com HTTP traffic scanning, manual scanning

ADMINISTRATION HANDS-ON. Page 2 Agenda Task 1: Initial Configuration Task 2: Testing disinfection with eicar.com HTTP traffic scanning, manual scanning

Documents
How to choose the right penetration testing company by Netragard

How to choose the right penetration testing company by Netragard

Technology
Key Reasons to Choose an Independent Software Testing Company

Key Reasons to Choose an Independent Software Testing Company

Software
INFORMATION SHEET PENETRATION TESTING...Vulnerability scanning VS penetration testing Penetration testing distinguishes itself from general vulnerability scanning but the two phrases

INFORMATION SHEET PENETRATION TESTING...Vulnerability scanning VS penetration testing Penetration testing distinguishes itself from general vulnerability scanning but the two phrases

Documents
When to Use Laser Scanning in Building Construction€¦ · choose to outsource laser scanning services, you can still manage your own point clouds with a minimal investment in software

When to Use Laser Scanning in Building Construction€¦ · choose to outsource laser scanning services, you can still manage your own point clouds with a minimal investment in software

Documents
Information Packet - Arizona State University...University Testing and Scanning Services CLASSROOM EXAMINATIONS Information Packet Arizona State University University Testing and Scanning

Information Packet - Arizona State University...University Testing and Scanning Services CLASSROOM EXAMINATIONS Information Packet Arizona State University University Testing and Scanning

Documents
Web Application Scanning · Web Application Scanning A Modern Approach to Dynamic Application Security Testing Modern web applications continue to be a challenge for organizations

Web Application Scanning · Web Application Scanning A Modern Approach to Dynamic Application Security Testing Modern web applications continue to be a challenge for organizations

Documents
Non Destructive Testing Report - United Scanning Scanning Service _ Non... · Non Destructive Testing Report ... United Scanning Services were instructed to undertake NDT on the underside

Non Destructive Testing Report - United Scanning Scanning Service _ Non... · Non Destructive Testing Report ... United Scanning Services were instructed to undertake NDT on the underside

Documents
Scanning Arts USER’S MANUAL · 2-2 Scanning Arts Chapter 2 Setup (3) The "Choose Destination Location" window is displayed next. Select a folder for installation. Unless there is

Scanning Arts USER’S MANUAL · 2-2 Scanning Arts Chapter 2 Setup (3) The "Choose Destination Location" window is displayed next. Select a folder for installation. Unless there is

Documents
PACE-IT, Security+3.8: Vulnerability Scanning vs Pen Testing

PACE-IT, Security+3.8: Vulnerability Scanning vs Pen Testing

Education
Product family guide Choose the best HP device for your small business scanning needsh20195. · Product family guide. Choose the best HP device for your small business scanning needs

Product family guide Choose the best HP device for your small business scanning needsh20195. · Product family guide. Choose the best HP device for your small business scanning needs

Documents
Resistive vs Reactive – Reasons to Choose Reactive Load Bank Testing Solutions

Resistive vs Reactive – Reasons to Choose Reactive Load Bank Testing Solutions

Business
Accessories for Differential Scanning Calorimeters and ...Analyzing & Testing Accessories for Differential Scanning Calorimeters and Thermobalances Crucibles, Sensors, Sample Carriers,

Accessories for Differential Scanning Calorimeters and ...Analyzing & Testing Accessories for Differential Scanning Calorimeters and Thermobalances Crucibles, Sensors, Sample Carriers,

Documents
Scanning & Penetration Testing

Scanning & Penetration Testing

Internet
Modal testing using impact excitation and a scanning …downloads.hindawi.com/journals/sv/2000/527389.pdf91 Modal testing using impact excitation and a scanning LDV1 A.B. Stanbridge∗,

Modal testing using impact excitation and a scanning …downloads.hindawi.com/journals/sv/2000/527389.pdf91 Modal testing using impact excitation and a scanning LDV1 A.B. Stanbridge∗,

Documents
Scanning: how to Plustek › blogs.brighton.ac.uk › ...K Gillies for the University of Brighton 2015. When you’re happy, 14 Make a Scan Now choose your output settings: Choose

Scanning: how to Plustek › blogs.brighton.ac.uk › ...K Gillies for the University of Brighton 2015. When you’re happy, 14 Make a Scan Now choose your output settings: Choose

Documents
SeeGull IBflex Scanning Receiver - PCTEL · The SeeGull IBflex scanning receiver is designed for in-building, NB-IoT, CBRS, and small cell testing. Use IBflex’s thorough testing

SeeGull IBflex Scanning Receiver - PCTEL · The SeeGull IBflex scanning receiver is designed for in-building, NB-IoT, CBRS, and small cell testing. Use IBflex’s thorough testing

Documents
Scalable Asset Discovery, Vulnerability Scanning, and Penetration … · 2017-05-16 · Scalable Asset Discovery, Vulnerability Scanning, and Penetration Testing for Remote Sites

Scalable Asset Discovery, Vulnerability Scanning, and Penetration … · 2017-05-16 · Scalable Asset Discovery, Vulnerability Scanning, and Penetration Testing for Remote Sites

Documents
Scanning electron microscopy detection of seed-borne … · Scanning electron microscopy detection of seed-borne fungi in blotter test ... in relation to seed health testing methods

Scanning electron microscopy detection of seed-borne … · Scanning electron microscopy detection of seed-borne fungi in blotter test ... in relation to seed health testing methods

Documents
Automated Security Scanning in Payment Industry · Automated Security Scanning in Payment Industry Michał Buczko. Michał Buczko Test Consultant ... to start security testing. Automated

Automated Security Scanning in Payment Industry · Automated Security Scanning in Payment Industry Michał Buczko. Michał Buczko Test Consultant ... to start security testing. Automated

Documents