
Page 1: Why Your Existing Penetration Testing is Not Enough · Identify security weaknesses using automated and manual vulnerability discovery techniques Focus on business impact Capture

Felix Lai

Why Your Existing Penetration Testing is Not Enough

21 November, 2019

Cybersecurity Consultant, Customer Experience, HK

Page 2

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

2019 Cost of a Security Breach

Source: Ponemon Institute, 2019 Cost of a Data Breach Study: Global Overview

• Average total cost of a data breach: $3.86 M per breach
• Recurrence: 28% chance of another breach in the next two years
• Failure to identify: 197 days average mean time to identify a breach, with ~60 further days to contain it
• Loss of trust: inability to deliver promised applications creates a loss of trust and damage to reputation
• Financial industry: 142% (higher costs than the average breach due to regulation)
• Healthcare industry: 247% (higher costs than the average breach due to regulation)

Page 3


Is my network well protected?

[Diagram: a network connecting Users, HQ, Data Center, Admin and Branch]

• What are your risk areas?
• Are my security solutions good enough?

Page 4


Who is Your Target Audience?

[Diagram: a cake (the asset) wrapped in layers labelled NETWORK INFRASTRUCTURE and NETWORK DEFENSE; on one side the intended audience, "You, Friends & Families" (end users), on the other, "Hackers!"]

Page 5


Traditional Pen Tests = Checklist

• Fixed methods
• Standard scope
• Compliance-driven
• Do not think like a hacker
• Already assume the system is secure; validation only

Page 6


Introducing Cisco Vulnerability Mining Service

Page 7

Security Assessment Services Comparison

(Left to right: increasing complexity, extensiveness and completeness.)

Traditional Pen Test
• Scan tools to identify vulnerabilities, without exploitation verification
• No manual vulnerability discovery
• Not business relevant

Vulnerability Mining
• Exploitable vulnerabilities
• Identify security weaknesses using automated and manual vulnerability discovery techniques
• Focus on business impact
• Capture actual valuable info, e.g. PII, sensitive files

Red Team
• Sophisticated and comprehensive attack vectors spanning physical, digital and social penetration
• Takes the most effort and resources

As used in this deck, "traditional pen test" means a scan-led, checklist-scoped assessment. A scan that reports version banners and never verifies exploitation is closer to a vulnerability assessment than a penetration test, which is exactly why the two case studies that follow show it missing an injection flaw and an upload flaw that a human tester finds by hand.

Page 8

Case study: e-commerce web search bar

Scenario
▪ An Internet web server hosts an e-commerce web page with a search bar
▪ A security assessment is performed on the target web server for potential risks

Traditional Pen Test
• No vulnerability found
• Clean report

Vulnerability Mining Service
• The search bar can be used to retrieve sensitive info via SQL injection
• Personally Identifiable Information (PII), credit cards and passwords can be retrieved
• Potential data leakage and compliance violation
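The search-bar case above, as an added example that is not part of the original deck: a constructed SQLite database with a products table and a customers table holding PII, a search function built by string concatenation (the flaw a scanner that only fingerprints versions will not see) next to a parameterised one, and the UNION payload a manual tester would type into the search box to turn the first into a PII dump. The table and column names, the sample rows and the payload are all assumptions made for the demo.

```python
import sqlite3


# Constructed sample schema and rows (hypothetical, not from the deck).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products  (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT);
        INSERT INTO products (name, price) VALUES ('red shoes', 59.0), ('blue shirt', 25.0);
        INSERT INTO customers (email, card_last4)
            VALUES ('alice@example.com', '4242'), ('bob@example.com', '0005');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # The search term is pasted into the SQL text, so a quote in the input
    # ends the string literal and the rest of the input becomes SQL grammar.
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    # Bound parameter: the driver passes the term as data, never as SQL.
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# What the tester types into the search box (assumed payload). The leading
# quote closes the LIKE literal, UNION appends rows from another table with
# the same column count, and '--' comments out the trailing "%'" the code adds.
UNION_PAYLOAD = "' UNION SELECT email, card_last4 FROM customers --"


def leaked_pii(conn: sqlite3.Connection) -> list:
    """Rows the vulnerable search returns that did not come from products."""
    product_rows = set(search_safe(conn, ""))  # '%%' matches every product
    return [row for row in search_vulnerable(conn, UNION_PAYLOAD) if row not in product_rows]


if __name__ == "__main__":
    db = build_db()
    print("normal search:", search_safe(db, "shoes"))
    print("vulnerable search with payload:", search_vulnerable(db, UNION_PAYLOAD))
    print("safe search with payload:", search_safe(db, UNION_PAYLOAD))
    print("PII exposed:", leaked_pii(db))
```

Both functions answer a benign search identically, which is why a black-box scan that only sends normal inputs reports the page as clean; the difference only shows when the input contains SQL syntax, and the parameterised version then simply finds no product whose name contains the payload.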

Page 9

Case study: e-commerce web application form

Scenario
▪ An Internet web server hosts an e-commerce application form
▪ A security assessment is performed on the target web server for potential risks

Traditional Pen Test
• Apache server version 2.2.14 identified
• Reported as vulnerable to known security holes (CVEs, Common Vulnerabilities and Exposures)
• No verification of whether those vulnerabilities have a real impact on the business

Vulnerability Mining Service
• Any file type can be uploaded through the form
• Potentially leads to malware infection of the entire network

The version-banner finding is a good illustration of the gap: it tells you which CVEs are published for that Apache release, but not whether the affected modules are enabled, whether the flaws are reachable from the Internet, or what an attacker could do with them. The upload finding needs no CVE at all; it is a logic flaw in the application the scanner never exercised.
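The application-form case above, as an added example that is not part of the original deck: the accept-anything handler the mining team would flag, next to an upload check that enforces an extension allowlist, verifies the file's magic bytes against the declared type, caps the size, rejects path components and double extensions, and stores the file under a server-generated name. The allowlist, the size limit and the sample uploads are assumptions made for the demo.

```python
import os
import posixpath
import secrets

# Assumed policy for the demo: extension -> leading magic bytes it must carry.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit


def accept_any(filename: str, data: bytes) -> bool:
    # The flaw from the case study: whatever the client sends is written to disk.
    return True


def validate_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason). The content decides the type, never the name."""
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file exceeds size limit"
    # Client filenames can carry path components; keep only the last one and
    # refuse anything that changed rather than silently 'fixing' it.
    base = posixpath.basename(filename.replace("\\", "/"))
    if base != filename or base in ("", ".", ".."):
        return False, "filename contains a path component"
    # form.php.png is executed as PHP by a server that maps the first extension
    # it recognises, so allow exactly one dot.
    if base.count(".") != 1:
        return False, "double or missing extension"
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext!r} not allowed"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    return True, "ok"


def storage_name(ext: str) -> str:
    # Never reuse the client's name on disk: a random name defeats overwrite
    # of existing files and guessable URLs to the uploaded content.
    return secrets.token_hex(16) + ext


# Constructed sample uploads (hypothetical).
SAMPLE_UPLOADS = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "form.php": b"<?php echo 'hello'; ?>",
    "form.png": b"<?php echo 'hello'; ?>",                 # script renamed to .png
    "form.php.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,  # double extension
    "../../var/www/html/x.png": b"\x89PNG\r\n\x1a\n",     # path traversal
}


def triage(uploads: dict) -> dict:
    """Map each sample upload to the hardened check's verdict."""
    return {name: validate_upload(name, data) for name, data in uploads.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_UPLOADS).items():
        old = accept_any(name, SAMPLE_UPLOADS[name])
        print(f"{name!r}: old handler accepts={old}, hardened={verdict}")
```

Only the genuine PNG passes the hardened check; the renamed script fails on magic bytes, the double extension and the traversal name fail before the content is even inspected. Storing under `storage_name()` in a directory the web server does not execute from is the other half of the fix, since an allowlist alone does not stop a polyglot file that is both a valid image and a valid script.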

Page 10

Security Vulnerability Mining Approach

• Hacking Team: a team of white-hat (ethical) hackers who access the targets via the public Internet
• Critical Impact: vulnerabilities that are not usually discovered by tools and that are business relevant
• Insights: all findings are documented, with remediation guidance and validation of the fix
• Threat Driven: from the attacker's point of view

Page 11

Risk Levels – Threat and Business Impact Driven

High
• Can obtain root/system-level access or complete compromise of the system
• Sensitive info is identified and revealed
• Service of the system can be taken down if exploited

Medium
• Possible vulnerability that can be used to expose sensitive info or take down the service, but unconfirmed
• Limited service disruption if exploited

Low
• Low impact
• Does not disrupt service of the system if exploited
• May be identified by regular scanning tools
• No sensitive info is revealed if exploited

Page 12


Key Benefits

• Reduce Risks: focus on hunting vulnerabilities with real business impact
• Find More Vulnerabilities: uncover vulnerabilities that can't be discovered by traditional scanning tools
• Identify Security Gaps: enhance existing security controls
• Prioritize Business Risks: helps prioritize resources to address the most critical issues based on business risk
• Mitigation: recommendations for mitigating issues and gaps
• Have Higher Confidence: in finding vulnerabilities than with traditional pen tests

Page 13


Key Takeaways

• Hacker-minded Approach: discover vulnerabilities the way a real hacker would, and their real impact on the business
• Supplement to Pen Tests: discover vulnerabilities that might be missed by traditional pen tests
• Improve Overall Security: identify vulnerabilities the organisation did not know existed and enhance security controls

Page 14

Cisco Customer Experience Security Services: Securing the New Digital Economy

• Security Advisory Services: expert security guidance to drive business outcomes
• Security Implementation Services: maximize solution value
• Security Optimization Service: maximize operational excellence and performance
• Security Managed Services: experts and advanced analytics to lower OpEx
• Security Technical Services: minimize business disruption
• Security Certifications and Learning Programs (Training): build skills and reduce time to value

Cisco security at a glance: $3.5B security investment; 20B threats blocked per day; 18.5B malware queries daily; 60B DNS queries daily

Page 15

Thank you
