Audit Practice at CipherTechs

Page 1: Audit Practice at CipherTechs

CipherTechs Audit Practice Overview

Page 2: Audit Practice at CipherTechs

Security Lifecycle (diagram)

Step 1: Define information security objectives (Risk Assessment)

Step 2: Define how the objectives will be accomplished (Security Policy Development)

Step 3: Deploy controls to accomplish the objectives: Firewalls, VPNs, Authentication, Intrusion Detection, Content Security, Application Security, Router/Switch, Auditing/Logging, Event Correlation, Desktop Security

Step 4: Verify that the deployed controls match the set objectives (the audit step). Does #2 = #3? Adjustments feed back into the cycle.

Ownership and duration labels from the diagram, in the order extracted (their pairing with the steps is not recoverable from the text): C-Level, medium duration; C-Level/Director, medium/long duration; Director/Operations, short duration; C-Level/Director, medium/long duration.

Audit types: External Network Audit, Wireless Audit, Web Application Audit, Internal Network Audit, PBX Audit, Periodic Network Audit

Page 3: Audit Practice at CipherTechs

What is Audit?

– In theory: verifying that you have met your objectives
– In practice: Compliance, Policy, Assessments, Forensics
– Compliance with government or business regulations, including:
  • PCI
  • HIPAA
  • Sarbanes-Oxley
  • Gramm-Leach-Bliley
– Policy: usually defined as written standards, guidelines, and procedures (defined differently by a firewall engineer)
– Assessments: a variety of tests to provide assurance
  • To test an IDS, a managed service, a firewall, or IT staff
  • Required by compliance
  • Required by a business partner
  • As a best security practice
– Forensics

Page 4: Audit Practice at CipherTechs

Compliance

– Help clients understand and react to a variety of terminology and requirements
– Ultimately allows the business to manage risk
– Specific tasks to be performed might include:
  • Actual compliance work
  • Help in preparation for an audit
  • Help in remediation after an audit
  • Accompanying a client to an audit

Page 5: Audit Practice at CipherTechs

Policy

– Might be tailored to a particular group or management level
  • Desktop policy for desktop support, termination policy for HR
– Sometimes required by a compliance requirement
  • As an example, PCI DSS mandates that an incident response plan exist and that it be tested annually
– Policy development related to product implementation
  • Corporate policy might first be established to ban Skype, and then firewalls and NACs will be configured to enforce that policy
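The lifecycle's step 4 ("Does #2 = #3?") and the Skype example above reduce to one question an auditor has to answer mechanically: does the deployed control actually enforce the written policy? The following is an added example, not CipherTechs tooling and not code from the original deck. It parses a constructed iptables-style FORWARD chain, evaluates it with first-match semantics, and reports every point where it disagrees with a constructed written policy. The policy scope, service names, port numbers and subnets are all illustrative assumptions, as is the implicit DROP for traffic no rule matches.

```python
"""Lifecycle step 4 as code: check that a deployed firewall ruleset (step 3)
implements the written policy (step 2).  Added example with constructed
data; not CipherTechs tooling."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed written policy: outbound services banned from the user LAN and
# services that must keep working.  Names and port numbers are illustrative.
POLICY = {
    "scope": "10.20.0.0/16",
    "banned": [("chat-app", "tcp", 5050), ("telnet", "tcp", 23)],
    "required": [("https", "tcp", 443), ("dns", "udp", 53)],
}

# Constructed iptables-save style FORWARD chain; first matching rule wins.
# Rule 3 is a deliberate narrow exception that violates the written policy.
RULESET = """\
-A FORWARD -s 10.20.0.0/16 -p udp --dport 53 -j ACCEPT
-A FORWARD -s 10.20.0.0/16 -p tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.20.5.0/24 -p tcp --dport 5050 -j ACCEPT
-A FORWARD -s 10.20.0.0/16 -p tcp --dport 5050 -j DROP
-A FORWARD -s 10.20.0.0/16 -p tcp --dport 23 -j DROP
-A FORWARD -j DROP
"""


@dataclass
class Rule:
    src: Optional[object]   # ip_network, or None for "any source"
    proto: Optional[str]    # "tcp"/"udp", or None for "any protocol"
    dport: Optional[int]    # destination port, or None for "any port"
    action: str             # ACCEPT / DROP / REJECT


def parse_rules(text):
    """Parse '-A CHAIN -s NET -p PROTO --dport N -j ACTION' lines into Rules."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        opts = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
        rules.append(Rule(
            src=ip_network(opts["-s"]) if "-s" in opts else None,
            proto=opts.get("-p"),
            dport=int(opts["--dport"]) if "--dport" in opts else None,
            action=opts["-j"],
        ))
    return rules


def verdict(rules, src_ip, proto, dport):
    """Return (action, 1-based rule index) of the first matching rule.
    No match means the assumed chain policy, DROP, reported as rule 0."""
    ip = ip_address(src_ip)
    for n, r in enumerate(rules, 1):
        if r.src is not None and ip not in r.src:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, n
    return "DROP", 0


def probe_sources(policy_scope, rules):
    """One representative host per source subnet the ruleset distinguishes
    inside the policy scope, so a narrow exception rule is not missed by a
    single probe from the scope's first address."""
    scope = ip_network(policy_scope)
    nets = {scope} | {r.src for r in rules if r.src is not None and r.src.subnet_of(scope)}
    return sorted({str(next(n.hosts())) for n in nets})


def audit(policy, rules):
    """Step 4: list every way the ruleset (#3) disagrees with the policy (#2)."""
    findings = []
    for src in probe_sources(policy["scope"], rules):
        for name, proto, port in policy["banned"]:
            action, n = verdict(rules, src, proto, port)
            if action == "ACCEPT":
                findings.append(f"banned {name} {proto}/{port} allowed from {src} by rule {n}")
        for name, proto, port in policy["required"]:
            action, n = verdict(rules, src, proto, port)
            if action != "ACCEPT":
                findings.append(f"required {name} {proto}/{port} blocked from {src} by rule {n}")
    return findings


if __name__ == "__main__":
    for finding in audit(POLICY, parse_rules(RULESET)) or ["policy and ruleset agree"]:
        print(finding)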

Page 6: Audit Practice at CipherTechs

Assessments

– External Network Assessments
– Internal Network Assessments
– Web Assessments
– Rapid Risk Assessment
– Security Health Survey
– Infrastructure Device Review
– Wireless Assessment
– War Dial
– Social Engineering

Assessments can vary greatly depending on the requirement. Ultimately a Statement of Work is written that governs the assessment to be performed.

Page 7: Audit Practice at CipherTechs

External Network Vulnerability Assessments

“For the External portion of the assessment CipherTechs will assume the role of an outside party attempting to gather information about and/or gain unauthorized access to the information resources contained in CLIENT’s protected network segments.”

– Required by compliance
– Required by a business partner
– To test an IDS, a managed service, a firewall, …
– To test the response of IT staff
– As a best security practice

Page 8: Audit Practice at CipherTechs

Internal Network Assessments

“CipherTechs will assume the role of an internal user with average permissions who seeks to escalate privileges or otherwise gain access to confidential data or resources.”

– Might be required by compliance
– To test an IDS/IPS, staff, or users
– To discover what is in your network
– As a best security practice

Page 9: Audit Practice at CipherTechs

Web Assessments

“The objective of this web application security vulnerability assessment was to discover deficiencies from both an authorized and an unauthorized standpoint in the Web Application. Once the full testing had been completed, CipherTechs was expected to provide recommendations for technical and process improvements and assist in the resolution of any major security issues and improvement in security strategy.”

• Unauthenticated, Authenticated, and Admin perspectives
• Code analysis possible
• CipherTechs typically uses a methodology that closely follows the OWASP Top Ten Web Application Vulnerabilities

Page 10: Audit Practice at CipherTechs

Miscellaneous

• CipherTechs is a Security Solutions Provider
• Participates in RFP bids
• Meet-and-greets
• Redacted documents are available
• www.ciphertechs.com