Why Your Existing Penetration Testing is Not Enough
Felix Lai, Cybersecurity Consultant, Customer Experience, HK
21 November, 2019
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
2019 Cost of a Security Breach
Source: Ponemon Institute, Cost of a Data Breach Study: Global Overview. (The slide cites the 2019 edition, but the figures below are those of the 2018 report; the 2019 edition puts the average cost at $3.92M and the mean time to identify at 206 days.)
• Average total cost of a data breach: $3.86M per breach
• Recurrence: 28% chance of another breach within the next two years
• Failure to identify: 197 days mean time to identify a breach, plus around 60 more days to contain it
• Inability to deliver promised applications creates a loss of trust and damage to reputation
• Financial industry: 142% of the average breach cost, higher due to regulation
• Healthcare industry: 247% of the average breach cost, higher due to regulation
Is my network well protected?
[Network diagram: Users, HQ, Data Center, Admin, Branch]
• What are your risk areas?
• Are my security solutions good enough?
Who is Your Target Audience?
[Diagram: the "cake" network, built from Network Infrastructure and Network Defense; the audience on one side is the end users (you, friends and families), on the other side the hackers]
Traditional Pen Tests = Checklist
✗ Fixed methods
✗ Do not think like a hacker
✗ Assume the system is already secure; validation only
✗ Compliance driven
✗ Standard scope
Introducing Cisco Vulnerability Mining Service

Security Assessment Services Comparison (in order of increasing complexity, extensiveness and completeness)

Traditional Pen Test
• Scan tools used to identify vulnerabilities, without exploitation verification
• No manual vulnerability discovery
• Findings not business relevant

Vulnerability Mining
• Exploitable vulnerabilities
• Identifies security weaknesses using automated and manual vulnerability discovery techniques
• Focus on business impact
• Captures actually valuable information, e.g. PII, sensitive files

Red Team
• Sophisticated and comprehensive attack vectors spanning physical, digital and social penetration
• Takes the most effort and resources
Case study: e-commerce web search bar

Scenario
▪ An Internet-facing web server hosts an e-commerce web page with a search bar
▪ A security assessment is performed on the target web server for potential risks

Traditional Pen Test
• Apache server version 2.2.14 identified
• Reported as vulnerable to known security holes (CVEs, Common Vulnerabilities and Exposures)
• No verification of whether those vulnerabilities have any real impact on the business
• Search bar: no vulnerability found, clean report

Vulnerability Mining Service
• The search bar can be used to retrieve sensitive information via SQL injection
• Personally Identifiable Information (PII), credit card numbers and passwords can be retrieved
• Potential data leakage and compliance violation
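To make the search-bar finding concrete, here is an added example (Python with an in-memory SQLite database; it is not code from the Cisco deck). It sets up a constructed product catalogue plus a customers table holding PII, puts a search function that concatenates the user's term into the query beside one that binds it as a parameter, and adds the check the deck calls exploitation verification: the finding only counts if the payload actually returns customer rows. The table names, columns, sample rows and UNION payload are all constructed for the demonstration.

```python
import sqlite3

# Constructed demo schema (not a real shop): the product catalogue the search
# bar is meant to query, plus a customers table holding the PII an attacker wants.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT);
INSERT INTO products VALUES (1, 'cake tin', 12.5), (2, 'cake stand', 30.0), (3, 'spatula', 4.0);
INSERT INTO customers VALUES (1, 'alice@example.com', '4242'), (2, 'bob@example.com', '1881');
"""


def make_db():
    """Fresh in-memory SQLite database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, term):
    # Vulnerable: the search term is concatenated straight into the SQL text, so a
    # quote inside the term ends the LIKE pattern and the remainder is parsed as SQL.
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_hardened(conn, term):
    # Hardened: the SQL text is a constant and the term travels as a bound
    # parameter, so it can only ever be matched as data, never parsed as code.
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# Constructed UNION payload: closes the LIKE string, appends a SELECT with the
# same column count (2) from the customers table, and comments out the trailing
# quote that the application code appends.
UNION_PAYLOAD = "zzz%' UNION SELECT email, card_last4 FROM customers -- "


def confirms_exploitable(conn, search_fn):
    """Exploitation verification rather than mere detection: the finding is
    confirmed only if the payload really returns customer rows (an e-mail
    address shows up in the first column of the search results)."""
    rows = search_fn(conn, UNION_PAYLOAD)
    return any("@" in str(row[0]) for row in rows)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable search leaks:", search_vulnerable(db, UNION_PAYLOAD))
    print("hardened search returns:", search_hardened(db, UNION_PAYLOAD))
    print("exploitable? vulnerable =", confirms_exploitable(db, search_vulnerable),
          "hardened =", confirms_exploitable(db, search_hardened))
```

Against the vulnerable function the payload returns every customer's e-mail and card fragment; against the parameterised one the same payload is just an unmatched search string and returns nothing, while ordinary searches behave identically in both. That observed difference, not the presence of a search bar or a server banner, is what justifies a High rating.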
Case study: e-commerce web application form

Scenario
▪ An Internet-facing web server hosts an e-commerce application form
▪ A security assessment is performed on the target web server for potential risks

Traditional Pen Test
• (no finding recorded on this slide)

Vulnerability Mining Service
• Any file type can be uploaded through the form
• Could lead to malware infection across the entire network
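The upload finding, as an added example in Python (not code from the deck): a handler that trusts the client's file name and content as-is, beside a hardened one that caps the size, rejects path components, allowlists only the final extension, checks that the leading bytes match what the extension claims, and stores the file under a server-chosen name. The allowlist, size limit, sample PNG header and the webshell stand-in are all constructed for the demonstration.

```python
import os
import secrets

# Constructed allowlist: permitted extension -> magic bytes the content must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # constructed limit for the demo


class UploadRejected(ValueError):
    """Raised by the hardened handler when an upload fails validation."""


def store_upload_vulnerable(filename, data):
    # Vulnerable: the client-supplied name and content are accepted verbatim, so a
    # file called shell.php, or a traversal name like ../../x, lands on disk as-is.
    return {"accepted": True, "stored_as": filename}


def store_upload_hardened(filename, data):
    # 1. Size cap before doing any other work on the content.
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    # 2. Only a bare file name is acceptable; any path component is rejected.
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or base in ("", ".", "..") or base.startswith("."):
        raise UploadRejected("path components are not allowed")
    # 3. Extension allowlist on the LAST extension, so shell.png.php is 'php'.
    name, dot, ext = base.lower().rpartition(".")
    if not dot or not name or ext not in ALLOWED_TYPES:
        raise UploadRejected("extension not allowed")
    # 4. Content check: the bytes must be what the extension claims they are.
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")
    # 5. Server-chosen name: the client never controls the path on disk.
    stored = secrets.token_hex(16) + "." + ext
    return {"accepted": True, "stored_as": stored}


def is_accepted(handler, filename, data):
    """True if the handler accepts the upload, False if it rejects it."""
    try:
        return handler(filename, data)["accepted"]
    except UploadRejected:
        return False


# Constructed samples (not real files): a minimal PNG header padded with zeros,
# and a harmless stand-in for the PHP webshell an attacker would try to upload.
PNG_SAMPLE = ALLOWED_TYPES["png"] + b"\x00" * 32
WEBSHELL_SAMPLE = b"<?php /* constructed webshell stand-in */ ?>"

if __name__ == "__main__":
    for fname, blob in [("shell.php", WEBSHELL_SAMPLE), ("logo.png", WEBSHELL_SAMPLE),
                        ("shell.png.php", WEBSHELL_SAMPLE), ("../../x.png", PNG_SAMPLE),
                        ("logo.png", PNG_SAMPLE)]:
        print(f"{fname:16} vulnerable={is_accepted(store_upload_vulnerable, fname, blob)} "
              f"hardened={is_accepted(store_upload_hardened, fname, blob)}")
```

The hardened handler still needs the web server configured so the upload directory is never executed or served with a script handler; the checks above stop the obvious payloads, but storage location and server configuration decide whether a slip-through can run.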
Security Vulnerability Mining Approach
• Hacking team: a team of white-hat/ethical hackers accesses the targets via the public Internet
• Critical impact: vulnerabilities that tools do not usually discover and that are business relevant
• Insights: all findings are documented, with remediation and validation
• Threat driven: from the attacker's point of view
Risk Levels: Threat and Business Impact Driven

High
• Root/system-level access or complete compromise of the system can be obtained
• Sensitive information is identified and revealed
• The service can be taken down if exploited

Medium
• Possible vulnerability that could expose sensitive information or take down the service, but unconfirmed
• Limited service disruption if exploited

Low
• Low impact
• Does not disrupt the service if exploited
• May be identified by regular scanning tools
• No sensitive information is revealed if exploited
Key Benefits
• Reduce risks: focus on hunting vulnerabilities with real business impact
• Find more vulnerabilities: uncover vulnerabilities that traditional scanning tools cannot discover
• Identify security gaps: enhance existing security controls
• Prioritize business risks: helps direct resources to the most critical issues based on business risk
• Mitigation: recommendations for mitigating issues and gaps
• Higher confidence: in finding vulnerabilities than with traditional pen tests
Key Takeaways
• Hacker-minded approach: discover vulnerabilities the way a real attacker would, together with their real impact on the business
• Supplement to pen tests: discover vulnerabilities that traditional pen tests might miss
• Improve overall security: identify vulnerabilities the organization did not know existed and enhance its security controls
Cisco Customer Experience Security Services: Securing the New Digital Economy
Service portfolio: Advisory, Implementation, Optimization, Managed, Technical, Training
• Security Advisory Services: expert security guidance to drive business outcomes
• Security Optimization Service: maximize operational excellence and performance
• Security Managed Services: experts and advanced analytics to lower OpEx
• Security Technical Services: minimize business disruption
• Security Implementation Services: maximize solution value
• Security Certifications and Learning Programs: build skills and reduce time to value
Cisco: $3.5B security investment; 20B threats blocked per day; 18.5B malware queries daily; 60B DNS queries daily
Thank you