ISO PI20E

AVA Penetration Test

Overview - What is the purpose of Penetration Tests? How are Pen Tests conducted? How Often? What are the SLAs associated with Pen Test Findings? What is the risk associated to CFA business if findings are not remediated? How do Pen Tests improve information security at CFA?

Overview
What is the purpose of Penetration Tests?
The purpose of a penatration test is to simulate a cyber attack against an organizations resources to check for exploitable vulnerabilies. For the purposes of the AVA pentration test, we are looking for web application vulnerabilities affected our customer facing websites.



How are Pen Tests conducted?

Penatration tests are conducted by an outside firm (Verizon). Over an agreed upon windows of time, they perform scanning against our customer facing resources looking for common web application vulnerabilities to determine which we are vulnerable too. Once the test is completed, they will provide a report to disclose any found vulerabilites and the severity level. It is then the ISO team's job with work with the applicable internal team to make sure these vulnerabilities are patched



How Often? What are the SLAs associated with Pen Test Findings?

The AVA penetration tests are run twice a year.


What is the risk associated to CFA business if findings are not remediated?

An unpatched vulnerability could lead to a breach where an outside attacher could gain access to CFA Institute inoformation. This is why patching publically known vulnerabilties disclosed from penetration test results is critical.



How do Pen Tests improve information security at CFA?

Pen tests help us learn information about our systems we otherwise would not necessarily know. It also allows us to increase our overall security posture and as a whole.

Goals

Blockers

What resources are needed? Dev, SysTeam, Ops, Prod Support? What are the specific tasks that each group will need to contribute to see that goals are met?

CRITICAL FINDINGS

JQUERY

CloudFlare App Service OnBoarding/Block Mode

Overview - What is the purpose of CloudFlare Web Applicaiton Firewall? How does it work? What are the benefits of a WAF and how does it improve Information Security at CFA?

Overview -

What is the purpose of CloudFlare Web Applicaiton Firewall?

The Cloudflare WAF is designed to protect web applications from a variety of application layer 7 attacks such as cross-site scripting (XSS), cross-site request forgery, SQL injection, and cookie poisoning.



How does it work?

The WAF works to protect web applications by filtering and monitoring HTTP/HTTPS traffic between web applications and the internet. For the purposes of CFA Institute Azure web applications, the WAF sits in front of these applications first inspecting internet traffic before it is delivered to the customer facing web application. If malicious traffic is seen, it has the capability to block the traffic.



What are the benefits of a WAF and how does it improve Information Security at CFA?



Since the WAF has the capability to inspect for malicious traffic and then subsequently block, this is critical to prevent attacks from bad actors who attempt to exploit vulnerabilities on our website. The WAF combined with our AVA penetration testing act together as defense in depth to provide us a layered approach to cyber security.

Goals

Blockers

What resources are needed? Dev, SysTeam, Ops, Prod Support? What are the specific tasks that each group will need to contribute to see that goals are met?

What resources are needed? Dev, SysTeam, Ops, Prod Support?
From a testing standpoint, the web applications first need to be onboarding into Cloudflare. To date both dev and stage apps have been onboarded to develop a blueprint for how production applications will be onboarded in the near future.


What are the specific tasks that each group will need to contribute to see that goals are met?

Assistance with troubleshooting errors that arise related to Cloudflare sitting in front of our website applications.