Upload
sanura
View
42
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Penetration Testing Training Day. Penetration Testing Careers Mike Westmacott, Chair YPISG, Consultant IRM plc. Where to begin?. Here! Show an interest! Understand the role Disadvantages to it are… …nothing compared to the benefits! It’s not easy! Plenty of different roles. 2. - PowerPoint PPT Presentation
Citation preview
Penetration Testing Training DayPenetration Testing Careers
Mike Westmacott, Chair YPISG, Consultant IRM plc
Presentation to insert name here 2
Where to begin?
•Here! Show an interest!
•Understand the role
•Disadvantages to it are…
•…nothing compared to the benefits!
•It’s not easy!
•Plenty of different roles
Presentation to insert name here 3
The Industry
•Not a huge number of players
•Pure pentest
•Pure consultancy
•Hybrids
Presentation to insert name here 4
What to clients require?
•Assurance
•Box ticking
•Expertise
•Understanding
•Help!
•Ultimately: Value
Presentation to insert name here 5
What’s the value chain?
•We provide reports
•We have expertise to quickly create outcomes
•The reports we provide cost less than employing full time specialists
•We are the experts
Presentation to insert name here 6
How are consultancy companies structured?
•Trainees
•Junior Consultants
•Consultants
•Senior Consultants
•Managing Consultants
•Project Services
•Sales•Back Office•Board
Presentation to insert name here 7
Who provides training?
•Many…
•BCS, ISC2, SANS
•Crest, Tiger
•Offensive Security, MDSec, 7Safe, IRM
•Professional Groups•BCS, IISP
Presentation to insert name here 8
Ongoing training and requirements
•Government Work
•The National Technical Authority for Information Assurance
•Check
•Security Clearance
•Police
•PCI
•QSA (Qualified Security Assessor)
Presentation to insert name here 9
Clearance
•Types
•Various different categories of information and operations
•Levels
•Multiple levels for degree of information privilege
•Multiple organisations may hold and maintain clearances for individuals
•Only limited numbers provide them
Presentation to insert name here 10
Clearance
•Government
•Baseline Personnel Security Standard (BPSS) are not formal security clearances; they are a package of pre-employment checks that represent good recruitment and employment practice.
•Counter Terrorist Check (CTC) is required for personnel whose work involves close proximity to public figures, gives access to information or material vulnerable to terrorist attack or involves unrestricted access to certain government or commercial establishments. A (CTC) does not allow access, or knowledge, or custody, of protectively marked assets and information. The check includes a Baseline Personnel Security Standard Check (BPSS) and also a check against national security records. To gain (CTC) clearance you will normally have had to have been a resident in the UK for a minimum of 3 years.
Presentation to insert name here 11
Clearance
•Security Check (SC) is for people who have substantial access to SECRET, or occasional access to TOP SECRET assets and information. This level of clearance involves a (BPSS) check plus UK criminal and security checks and a credit check. To gain (SC) clearance you will normally have had to have been a resident in the UK for a minimum of 5 years.
•Developed Vetting (DV) is the highest level of Security Clearance and is required for people with substantial unsupervised access to TOP SECRET assets, or for working in the intelligence or security agencies. This level of clearance involves Security Check (SC) and, in addition, completion of a (DV) questionnaire, financial checks, checking of references and a detailed interview with a vetting officer. To gain (DV) clearance you will normally have had to have been a resident in the UK for a minimum of 10 years.
Presentation to insert name here 12
Clearance
•Security Check (SC) is for people who have substantial access to SECRET, or occasional access to TOP SECRET assets and information. This level of clearance involves a (BPSS) check plus UK criminal and security checks and a credit check. To gain (SC) clearance you will normally have had to have been a resident in the UK for a minimum of 5 years.
•Developed Vetting (DV) is the highest level of Security Clearance and is required for people with substantial unsupervised access to TOP SECRET assets, or for working in the intelligence or security agencies. This level of clearance involves Security Check (SC) and, in addition, completion of a (DV) questionnaire, financial checks, checking of references and a detailed interview with a vetting officer. To gain (DV) clearance you will normally have had to have been a resident in the UK for a minimum of 10 years.
Presentation to insert name here 13
Activities
•Board
•Define what strategy the organisation will follow to be successful
•Executive
•Implement the strategy and report on BAU, develop new strategic ideas
•Marketing
•Construct services and products that fulfill the strategy
•Sales
•Identify clients and markets where products and services
Presentation to insert name here 14
Activities
•Consultancy Floor
•Technical Account Managers
•Team Leads
•Penetration Testers, Auditors, Analysts
•Quality Assurance
•Trainers
Presentation to insert name here 15
Presentation to insert name here 16
Testing and The Law
Computer Misuse Act 1990
•Unauthorised use or interference
•Data Protection Act 2000
•Personally Identifiable Information
•The Communications Act 2003
•Improper use of public communications services
•Regulation of Investigatory Powers Act 2000
•Control of lawful interception of traffic
Presentation to insert name here 17
International Law
PIPEDA – Canada's Data Protection Act
•Safe Harbour
•US Initiative to mitigate EU's strict data protection – US companies apply to be safe harbours for EU PII
•US Cryptographic Export Controls
•Also import of encrypted data and systems
Presentation to insert name here 18
Presentation to insert name here 19
International Law
PIPEDA – Canada's Data Protection Act
•Safe Harbour
•US Initiative to mitigate EU's strict data protection – US companies apply to be safe harbours for EU PII
•US Cryptographic Export Controls
•Also import of encrypted data and systems
Presentation to insert name here 20
International Law
PIPEDA – Canada's Data Protection Act
•Safe Harbour
•US Initiative to mitigate EU's strict data protection – US companies apply to be safe harbours for EU PII
•US Cryptographic Export Controls
•Also import of encrypted data and systems