Penetration Testing and Vulnerability Management

Penetration testing

[Diagram: penetration testing cycle – Reconnaissance, Scanning, Gain Access, Maintain Access, Clear Tracks]

• The objective of a penetration test is for an ethical hacker to simulate all known techniques used in real-life situations to gain unauthorised access to a target system. This would include identifying and exploiting vulnerabilities.

• It provides assurance that the security measures taken actually work in real life.

• It is not necessarily limited to networks and systems. It could include social engineering and gaining physical access to facilities.

• It is a point-in-time assessment.
Vulnerability management

[Diagram: vulnerability management cycle – Inventory, Prioritise, Assess, Action, Verify, Ongoing]

Vulnerability management is a proactive approach to identifying and closing down vulnerabilities. It uses similar methods to penetration testing, with the objective being to identify all known vulnerabilities, whether visible to the outside world or visible internally to the organisation.

Threats to a company's security change on a daily basis. Vulnerability management is an ongoing programme of security scanning, security auditing and remediation, allowing you to stay one step ahead.

Prevention is cheaper and more effective than cure.
Don’t neglect the processes
Security vulnerabilities can also be caused
by poor internal processes, for example:

 • poor user access management (joiners,
   movers, leavers)

 • poor patch management

 • lack of robust configuration

 • uncontrolled changes and a host of
   other operational IT activities.

These are often easy to fix and will result
in a significant improvement of your
‘security posture’.
When to consider penetration testing

[Chart: number of known vulnerabilities plotted against time, showing a reduction in vulnerabilities over time as a result of effective vulnerability management. Annotations: "Once vulnerability gaps have been addressed, a penetration test can be used to provide assurance that all serious security gaps have been resolved." and "Continue with vulnerability management to address new vulnerabilities as they arise."]
Our services
• Vulnerability scanning and penetration
  testing services – through our strategic
  partnerships, we can provide technical
  vulnerability scanning and penetration
  testing services at a competitive price.
• We can provide you with complementary
  security services, from coordinating
  scanning and penetration testing activities
  on your behalf, performing security process
  reviews and technical security audits,
  providing prioritisation and decision-
  making support, through to managing the
  end-to-end vulnerability remediation.
• We can help you design and implement your
  security vulnerability management.
About us
CS Risk Management & Compliance is a consultancy company specialising in helping
organisations achieve compliance with standards such as PCI:DSS and ISO27001, as
well as adherence to legislation such as the Data Protection Act and Sarbanes Oxley.

With over 20 years in the IT and security industry, and experience in multiple business
sectors such as financial, telecoms and service industries, our consultants have the in-
depth understanding of IT systems to help translate standards and legislation and
introduce practical, workable changes to meet them, all with little disruption to your
daily operations.

At CS Risk Management & Compliance it is essential to us that we stay abreast of all the
latest developments in the IT industry and that we have the knowledge to deliver the
best service. Continuous professional development is essential for our consultants and
this has led to them holding many industry-recognised qualifications such as ISC2's
Certified Information Systems Security Professional, ISACA's Certified in the
Governance of Enterprise Information Technology, Certified Information Systems
Manager and Certified Information Systems Auditor, the Business Continuity Institute's
professional certifications, and BSI's ISO27001 Lead Implementer.
