Objectives
• Who I Am
• The Company I Interned With
• The Projects I Worked On
• Project Details
• How The Experience Relates To My Education
• Conclusions Drawn
• PNC Financial Service Group
• Pittsburgh, Pa (Downtown)
• May 12, 2008 – Jan 9, 2009
• Corporate Information Security (Security Operations)
• Previously Interned In 2007 & 2008 In Their MIS Department
Projects
• Many Very Interesting Projects
– Anti-Virus
– Penetration Testing
– Employee Monitoring
– Cyber Crime Prevention
– Technology Risk Evaluations
– IBM RDZ Pilot
Penetration Testing
• Penetration Test – A test method where the security of a computer program or network is subjected to deliberate simulated attack.
• A common form of White Hat hacking
– White Hat
– Grey Hat
– Black Hat
• Related to vulnerability scanning or assessments, but not the same thing
Penetration Testing
• During my internship I categorized my penetration testing work in two ways
– Manual (Traditional) Penetration Testing
– Automated Penetration Testing
Penetration Testing
• There are many different types of penetration testing
– Black Box
– Grey Box
– White Box
– Authenticated
– Partially Authenticated
– Non-Authenticated
– + Many More
Penetration Testing
• Who does the penetration tests?
– Internal Employees
– 2nd or 3rd Party Vendors
– Business Partners
– Outsiders?
• It is important to ensure the proper clearance before testing
• When a vendor is involved you should have a Mutual Disclosure Agreement (MDA) in place before discussing any details.
• It is also important to thoroughly define the Rules of Engagement
Penetration Testing
• You may need corporate or governmental clearance
• Make sure your specific test is permitted, documented, and approved by the right people.
Penetration Testing
• What level are you testing?
– Network level
– OS level
– Application level
• You may be vulnerable at any level of the seven-layer OSI model.
– Physical, Data Link, Network, Transport, Session, Presentation, Application
Penetration Testing
• Since you can be vulnerable at any level, it is important to test all levels to mitigate risk and maintain a positive security posture
• The criticality of the system should determine the depth of the testing
Penetration Testing
• There is a general work flow that typically surrounds penetration testing.
– Planning
– Approval
– Execution
– Reporting
– Review
– Remediation
– Retest
Technology Risk Evaluations
• A business in PNC wants to take on a vendor as a business partner
• This opens up our systems to risks
• The goal is to ensure that the risk we take on is acceptable
Technology Risk Evaluations
• The level of security we require usually depends on the sensitivity of the data being passed between us and the vendor
• Sensitive Data
– Personally Identifiable Information (PII)
– Medical Data
– Financial Information
– User names
– Passwords
Technology Risk Evaluations
• We consider the risk from every angle
• Examples
– Authentication Mechanism
– Data Encryption
– Protocols Used (SSL)
– Host Side Security
– Client Side Security
– Physical Security
– Disaster Recovery (DR) Plan
Technology Risk Evaluations
• How is an organization's level of security determined?
• Discussions with their security personnel, administrators, technicians, business analysts (BAs)
• Statement on Auditing Standards No. 70 (SAS 70) Type I & II
• Vulnerability Scans
• Penetration Tests
Technology Risk Evaluations
• Which organization changes when the security level is not satisfactory?
• Usually the smaller organization will make the change
• When two organizations are close in size, they each have to bend a little
• The idea is not to make unreasonable demands but to work with the organization to find a solution that makes sense for both
Classes That Were Helpful
• Crim 101 – Crime & Justice Systems
• Crim 102 – Survey of Criminology
• Crim 323 – Cybersecurity & the Law
• Cosc 316 – Host Computer Security
• Cosc 300 – Assembly Language Programming
• Cosc 319 – Software Engineering Concepts
• Math 219 – Discrete Math
• Math 216 – Probability & Stats for Natural Science and Mathematics Majors
• Cosc 220 – Applied Computer Programming (COBOL)
Classes I Wish I Had Taken
• Cosc 352 – LAN Design & Installation
• Cosc 356 – Network Security
• Cosc 427 – Intro to Cryptography
• Crim 403 – Dilemmas in Crime & Criminal Justice
• Crim 401 – Contemporary Issues in Criminology
• Engl 322 – Technical Writing I
Conclusions
• I learned what is involved in corporate information security
• I learned I would enjoy a career in the information assurance/information security field
• I learned a lot about project management
• I learned new areas I need to learn more about and improve in to prepare myself for this field.
Questions?