
Cyber Security
Vulnerability Assessment & Penetration Testing (VAPT)

Abdus Saboor
a.saboor@EuropeanITC.com
Agenda

- Cyber Security Assessment & Penetration
- Quantifying with Assessments
- Specific Emerging Threats in the Middle East
- Types of VAPT
- Why VAPT
- Best Practices
- Assessment Promo
- Failure to Protect (examples) more coming soon!
Quantifying with Assessments

The Process

Project Process (cycle):
- Analyze Scope
- Analyze Client needs
- Research
- Security Strategy
- Implementation
- Evaluate
- Measure results
- Secure & optimize
Even though they invested in firewalls

"Whether we like it or not, hackers will get in and they do get in, every day. The challenge is, yes, to minimize the Risk. But as we get more sophisticated, how do we operate in an environment if we know they're in our systems?"
Heather Crofford, CFO of Northrop Grumman

Approximate costs associated with the Target data breach that occurred in 2013 reached $148 million by the second quarter of 2014.

NASA hacked: 21-day shutdown. Hacked badly; approximately 100 terabytes of data is assumed to have been compromised and stolen. (2014)
Types of VAPT
- Web-Application (WVAPT)
- Application (AVAPT)
- Network (NVAPT)
Cyber Attack Lifecycle / Attack Chain

First Contact:
- Physical access
- Phishing email
- Malicious URL
- Network access

Local execution:
- Download malware
- Exploit
- Social engineering
- Configuration error

Establish presence:
- Escalate privilege
- Persist on System
- Self-Preservation

Malicious activity:
- Propagation
- Bot activity
- Identity Theft
- Finance Fraud
- Tampering
Web Application (W-VAPT)

Assess the security of the application by focusing on:
- Remotely exploitable weakness
- Application Architecture
- Design & Implementation

We assess the controls with:
- Privilege levels
- Development and delivery
- Design validation

Total Threat Profile of your web application
Application (A-VAPT)

- 4 out of 5 applications fail even the OWASP methodology
- 90% of third-party software has compromising flaws
- Application Security Imperfections
- Application Design Flaws
- Secure Code Analysis

Network (N-VAPT)

- Network Configuration Analysis
Why VAPT

Benefits of VAPT (cont..)

- Avoid losses from a breach
- Avoid a damaged reputation

Why not identify and address the risks now while you can?
How many times to Assess

New vulnerabilities appear every day; they don't just stop your business, they compromise your image too.

Weaknesses

Reviews should be performed on a regular basis. This reveals newly discovered threats or emerging vulnerabilities that may potentially be attacked.

Additionally to regular analysis and assessment, you should review whenever:
- New lines of code are added
- Significant upgrades or modifications are applied to the core application
- New features are established
- Security patches are applied
- End user policies are modified
- etc.
Assessment Roadmap

Quality Infrastructures across the Region

Assessment Focus Spectrum

Wide spectrum of application penetration testing capabilities:
- Java (Java SE, Java EE, JSP)
- .NET (C#, ASP.NET, VB.NET)
- Web Platforms: JavaScript (including AngularJS, Node.js, and jQuery), Python, PHP, Ruby on Rails, ColdFusion, and Classic ASP
- C/C++ (Windows, RedHat Linux, OpenSUSE, Solaris)
- Legacy Business Applications (COBOL, Visual Basic 6, RPG)
Best Practices

EITC's CMM Cycle

CLASSIFY - MEASURE - MITIGATE

- Analyze your Gaps
- Domains of ISO 27001:2013
- Manage your Risk
Prevent from Exploitation

Application Hardening: Techniques which generically harden outdated or un-patched applications to be less susceptible to vulnerability exploit attacks.

Protection Against OS Security Bypass: Advanced memory techniques prevent shellcode from executing by detecting attempts to bypass DEP and/or use ROP.

Application Memory Protection: Multiple 32- and 64-bit memory exploit mitigation techniques prevent exploits from executing payload code from malicious memory areas (Heap, RW, etc.).

Caller Protection: Blocks sandbox escapes (e.g. Java exploits) and application design abuse exploits like Word Macros, PowerPoint exploits, etc.

Anti-Malware (Malicious Behavior Protection): Real-time and on-demand detection of malicious payloads using Advanced Heuristics and Behavior Based Rules. Proven ability to remediate. Signatureless.
Some more Best Practices

- Fine Grained Controls
- Least Privilege
- Logging
- Access Policies
- Robust Authentication
- Reduce Complexity
Assessment Promo

MultiLevel Offer

LEVEL 1
- FREE for 1 resource
- Agreement signed
- Proof of Concept only
- OS, Server, App, ERP
- Only the extent of penetration (wakeup call)
- No Report

LEVEL 2
- FREE for 1 resource
- Agreement signed
- Audits, Assessments
- OS, Server, App, ERP, Infra
- Assessments, Risks, Remediation
- Basic Level Reporting

LEVEL 3
- FREE for 1 resource
- Agreement signed
- Audits & Assessments
- OS, Server, App, ERP, Infra, Network
- Assessments, Risks, Remediation
- Compliance Level Reporting for ISO 27001, OWASP Risks, Executive Level, Developers.. etc.

Testimonial with Thanks


www.EuropeanITC.com

Thank You
