Overview of Security Testing in Management Processes
Exploring the importance of security testing in management processes, the Payment Card Industry Data Security Standard (PCI DSS) requirements, and practical demonstrations using tools like VirtualBox and wpscan for testing and securing websites.
Uploaded on Sep 20, 2024
Presentation Transcript


  1. Security Testing: Outside Looking In
     Nigel Pentland, @nigelpentland

  2. Testing: what and why
     Security is part of a management process (https://www.nist.gov/cyberframework).
     Motoring / MOT analogy

  3. What is PCI DSS? The Payment Card Industry Data Security Standard
     The payment standard has 12 high-level requirements which fall into the six categories below:
     1.) Build and Maintain a Secure Network
         - Install and maintain a firewall configuration to protect data
         - Do not use vendor-supplied defaults for system passwords and other security parameters
     2.) Protect Cardholder Data
         - Protect stored data (use encryption)
         - Encrypt transmission of cardholder data and sensitive information across public networks
     3.) Maintain a Vulnerability Management Program
         - Use and regularly update anti-virus software
         - Develop and maintain secure systems and applications
     4.) Implement Strong Access Control Measures
         - Restrict access to data by business need-to-know
         - Assign a unique ID to each person with computer access
         - Restrict physical access to cardholder data
     5.) Regularly Monitor and Test Networks
         - Track and monitor all access to network resources and cardholder data
         - Regularly test security systems and processes
     6.) Maintain an Information Security Policy
         - Maintain a policy that addresses information security

  4. VirtualBox: https://www.virtualbox.org/wiki/Downloads

  5. Kali Linux VM image: https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/
     Be sure to get the .ova file!
     Cute command: kali-undercover

  6. Demo local website DNS configuration
     Kali:    sudo nano /etc/hosts
     Windows: as administrator, run c: then cd \windows\system32\drivers\etc then notepad++ hosts
     Add the following entry to the hosts file:
     192.168.0.15 local.apache

  7. Using some wpscan commands
     wpscan --url local.apache/wordpress/
     wpscan --url local.apache/wordpress/ --enumerate u
     cd /usr/share/wordlists
     sudo gunzip rockyou.txt.gz
     wpscan --url local.apache/wordpress/ --passwords rockyou.txt

  8. Image for demo time!

  9. Any questions?

  10. Some additional content follows, i.e. some other useful Kali programs

  11. nikto -host local.apache -port 443 -root wordpress -ssl

  12. Nmap certificate scanning
      nmap -sV --script ssl-cert -p 443 local.apache
      nmap -sV --script ssl-enum-ciphers -p 443 local.apache

  13. openssl s_client local.apache:443
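The certificate checks on slides 12 and 13 are one-off commands; the script below, an added example and not part of the slides, turns the openssl s_client check into a repeatable audit that a management process can run on a schedule (PCI DSS requirement 11, "regularly test security systems and processes"). It assumes openssl and GNU date are on PATH; the demo host name local.apache and the self-signed sample certificate it generates are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the slides): scriptable TLS certificate audit
# built on the same openssl commands the deck uses. Assumes openssl and
# GNU date; local.apache is the deck's demo host name.
# Online usage: fetch_cert local.apache 443 > cert.pem; audit_cert cert.pem 30

# Fetch the server's leaf certificate in PEM form (needs network access).
fetch_cert() {          # $1 = host, $2 = port
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# Days until the certificate expires (negative when already expired).
days_to_expiry() {      # $1 = PEM file
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    end_s=$(date -d "$end" +%s)        # GNU date parses "Jan  1 12:00:00 2025 GMT"
    now_s=$(date +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# Public key size in bits, parsed from the "Public-Key: (N bit)" text line.
key_bits() {            # $1 = PEM file
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Audit verdict as exit status: 0 = OK, 1 = expires within $2 days,
# 2 = key shorter than 2048 bits (checked first, as it is the worse finding).
audit_cert() {          # $1 = PEM file, $2 = warning threshold in days
    [ "$(key_bits "$1")" -ge 2048 ] || return 2
    [ "$(days_to_expiry "$1")" -gt "$2" ] || return 1
    return 0
}

# Constructed offline sample: a self-signed certificate for the demo host,
# valid for $2 days with an RSA key of $3 bits, so the audit can be exercised
# without a live server. The private key is discarded.
make_sample_cert() {    # $1 = output PEM file, $2 = days valid, $3 = key bits
    openssl req -x509 -newkey "rsa:$3" -nodes -keyout "$1.key" -out "$1" \
        -subj "/CN=local.apache" -days "$2" 2>/dev/null
    rm -f "$1.key"
}
```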
