Penetration Testing Training Day: Penetration Testing Careers

Mike Westmacott, Chair YPISG, Consultant IRM plc
Page 2

Where to begin?

•Here! Show an interest!

•Understand the role

•Disadvantages to it are…

•…nothing compared to the benefits!

•It’s not easy!

•Plenty of different roles

Page 3

The Industry

•Not a huge number of players

•Pure pentest

•Pure consultancy

•Hybrids

Page 4

What do clients require?

•Assurance

•Box ticking

•Expertise

•Understanding

•Help!

•Ultimately: Value

Page 5

What’s the value chain?

•We provide reports

•We have expertise to quickly create outcomes

•The reports we provide cost less than employing full time specialists

•We are the experts

Page 6

How are consultancy companies structured?

•Trainees

•Junior Consultants

•Consultants

•Senior Consultants

•Managing Consultants

•Project Services

•Sales

•Back Office

•Board

Page 7

Who provides training?

•Many…

  •BCS, ISC2, SANS

  •CREST, Tiger

  •Offensive Security, MDSec, 7Safe, IRM

•Professional Groups

  •BCS, IISP

Page 8

Ongoing training and requirements

•Government Work

  •The National Technical Authority for Information Assurance

  •Check

  •Security Clearance

•Police

•PCI

  •QSA (Qualified Security Assessor)

Page 9

Clearance

•Types

  •Various different categories of information and operations

•Levels

  •Multiple levels for degree of information privilege

•Multiple organisations may hold and maintain clearances for individuals

•Only limited numbers provide them

Page 10

Clearance

•Government

•The Baseline Personnel Security Standard (BPSS) is not a formal security clearance; it is a package of pre-employment checks that represent good recruitment and employment practice.

•Counter Terrorist Check (CTC) is required for personnel whose work involves close proximity to public figures, gives access to information or material vulnerable to terrorist attack, or involves unrestricted access to certain government or commercial establishments. A CTC does not allow access to, knowledge of, or custody of protectively marked assets and information. The check includes a Baseline Personnel Security Standard (BPSS) check and also a check against national security records. To gain CTC clearance you will normally have had to have been resident in the UK for a minimum of 3 years.

Page 11

Clearance

•Security Check (SC) is for people who have substantial access to SECRET, or occasional access to TOP SECRET, assets and information. This level of clearance involves a BPSS check plus UK criminal and security checks and a credit check. To gain SC clearance you will normally have had to have been resident in the UK for a minimum of 5 years.

•Developed Vetting (DV) is the highest level of security clearance and is required for people with substantial unsupervised access to TOP SECRET assets, or for working in the intelligence or security agencies. This level of clearance involves a Security Check (SC) and, in addition, completion of a DV questionnaire, financial checks, checking of references and a detailed interview with a vetting officer. To gain DV clearance you will normally have had to have been resident in the UK for a minimum of 10 years.

Page 13

Activities

•Board

  •Define what strategy the organisation will follow to be successful

•Executive

  •Implement the strategy and report on BAU, develop new strategic ideas

•Marketing

  •Construct services and products that fulfil the strategy

•Sales

  •Identify clients and markets where products and services

Page 14

Activities

•Consultancy Floor

  •Technical Account Managers

  •Team Leads

  •Penetration Testers, Auditors, Analysts

  •Quality Assurance

  •Trainers

Page 16

Testing and The Law

•Computer Misuse Act 1990

  •Unauthorised use or interference

•Data Protection Act 2000

  •Personally Identifiable Information

•The Communications Act 2003

  •Improper use of public communications services

•Regulation of Investigatory Powers Act 2000

  •Control of lawful interception of traffic

Page 17

International Law

•PIPEDA – Canada's Data Protection Act

•Safe Harbour

  •US initiative to mitigate the EU's strict data protection – US companies apply to be safe harbours for EU PII

•US Cryptographic Export Controls

  •Also import of encrypted data and systems
