IT Best Practices: IT Security Assessments

Donald Hester, October 21, 2010

For audio call Toll Free 1-888-886-3951 and use PIN/code 158313



Housekeeping

• Maximize your CCC Confer window.

• Phone audio will be in presenter-only mode.

• Ask questions and make comments using the chat window.

Adjusting Audio

1) If you're listening on your computer, adjust your volume using the speaker slider.

2) If you're listening over the phone, click on phone headset. Do not listen on both computer and phone.

Saving Files & Open/close Captions

1. Save chat window with floppy disc icon

2. Open/close captioning window with CC icon

Emoticons and Polling

1) Raise hand and Emoticons

2) Polling options

IT Best Practices: IT Security Assessments

Donald E. Hester, CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+

Director, Maze & Associates

University of San Francisco / San Diego City College / Las Positas College

www.LearnSecurity.org

http://www.linkedin.com/in/donaldehester

http://www.facebook.com/group.php?gid=245570977486

Email: [email protected]

Situation

Organizations are becoming increasingly dependent on technology and the Internet.

The loss of technology or the Internet would bring operations to a halt.

The need for security increases as our dependence on technology increases.

Management wants to have assurance that technology has the attention it deserves.

Questions

Does our current security posture address what we are trying to protect?

Do we know what we need to protect?

Where can we improve?

Where do we start?

Are we compliant with laws, rules, contracts and organizational policies?

What are your risks?

Reason

Provide Assurance

Demonstrate due diligence

Make risk-based decisions

Terms

Assessment

Audit

Review

ST&E = Security Test & Evaluation

Testing

Evaluation

Assessment Lifecycle

Planning

Information Gathering

Business Process Assessment

Technology Assessment

Risk Analysis & Reporting

Common Types of Assessments

Vulnerability Assessment

Penetration Test

Application Assessment

Code Review

Standard Audit/Review

Compliance Assessment/Audit

Configuration Audit

Wireless Assessment

Physical/Environmental Assessment

Policy Assessment

Determine your Scope

What will be the scope of the assessment?

• Network (Pen Test, Vul Scan, wireless)

• Application (Code or Vul scan)

• Process (business or automated)

How critical is the system you are assessing?

• High, medium – use independent assessor

• Low – self assessment

Identify and Select Automated Tools

Computer Assisted Audit Techniques or Computer Aided Audit Tools (CAATs)

Computer Assisted Audit Tools and Techniques (CAATTs)

• SQL queries

• Scanners

• Excel programs

• Live CDs

• Checklists

Checklists

AuditNet

• www.auditnet.org

ISACA & IIA

• Member Resources

DoD Checklists

• iase.disa.mil/stigs/checklist/

NIST Special Publications

• csrc.nist.gov/publications/PubsSPs.html

Live CD Distributions for Security Testing

BackTrack

Knoppix Security Tool Distribution

F.I.R.E.

Helix

Review Techniques

Documentation Review

Log Review

Ruleset Review

System Configuration Review

Network Sniffing

File Integrity Checking

Target Identification and Analysis Techniques

Network Discovery

Network Port and Service Identification

• OS fingerprinting

Vulnerability Scanning

Wireless Scanning

• Passive Wireless Scanning

• Active Wireless Scanning

• Wireless Device Location Tracking (Site Survey)

• Bluetooth Scanning

• Infrared Scanning

Target Vulnerability Validation Techniques

Password Cracking

• Transmission / Storage

Penetration Testing

• Automated / Manual

Social Engineering

• Phishing

Checklists / MSAT

Microsoft Security Assessment Tool (MSAT)

GRC Tools

Governance, Risk, Compliance

Dashboards

Metrics

Checklists

Reporting

Trend Analysis

Remediation

Test Types

Black Box Testing

• Assessor starts with no knowledge

White Box Testing

• Assessor starts with knowledge of the system, i.e. the code

Grey Box Testing

• Assessor has some knowledge, not completely blind

Verification Testing

Input • Data Entry

Data Collection • Database Storage

Output • Reports

Verification – Match

Application Testing

Code Review

• Automated/Manual

Vulnerability scanning

Configuration review

Verification testing

Authentication

Information leakage

Input/output Manipulation

Database Auditing

Native Audit (Provided by DB)

SIEM & Log Management

Database Activity Monitoring

Database Audit Platforms

• Remote journaling & analytics

Compliance testing

Performance

Intrusion Detection/Prevention

Configuration

Verification testing

Log and Alert review

EMR Testing

Electromagnetic Radiation

Emissions Security (EMSEC)

Van Eck phreaking

Tempest

Tempest surveillance prevention

Faraday Cage

Green Computing

Assessment on the use of resources

Power Management

Virtualization Assessment

Business Continuity

Plan Testing, Training, and Exercises (TT&E)

Tabletop Exercises

• Checklist Assessment

• Walk Through

Functional Exercises

• Remote Recovery

• Full Interruption Test

Vulnerability Scanning

Vulnerability: Weakness in an information system, or in system security procedures, internal controls, or implementation, that could be exploited or triggered by a threat source.

Vulnerability Scanning: A technique used to identify hosts/host attributes and associated vulnerabilities. (Technical)

MBSA

Microsoft Baseline Security Analyzer 2.2

Vulnerability Reports

Sample from Qualys

External and Internal

Where is the best place to scan from?

External scan found 2 critical vulnerabilities

Internal scan found 15 critical vulnerabilities

Vulnerability Scanners

Source: http://www.gartner.com/technology/media-products/reprints/rapid7/173772.html

Red, White and Blue Teams

Red Team: Penetration Testers – mimic real-world attacks

Blue Team: Incident Responders

White Team: Observers and Referees

Unannounced

Red and Blue Teams

Red Team: Penetration Testers – mimic real-world attacks

Blue Team: Incident Responders

Announced

Penetration Test Phases

Penetration Assessment Reports

Sample from CoreImpact

Vulnerability Information

Open Source Vulnerability DB

• http://osvdb.org/

National Vulnerability Database

• http://nvd.nist.gov/

Common Vulnerabilities and Exposures

• http://cve.mitre.org/

Exploit Database

• http://www.exploit-db.com/

Physical Assessments

Posture Review

Access Control Testing

Perimeter review

Monitoring review

Alarm Response review

Location review (Business Continuity)

Environmental review (AC / UPS)

KSAs

Knowledge, Skill, Ability

Assessor Competence

Priority Certifications

• Certified Information Systems Auditor (CISA)*

• GIAC Systems and Network Auditor (GSNA)

Secondary Certifications

• Vendor Neutral: CISSP, Security+, GIAC, CISM, etc.

• Vendor Specific: Microsoft, Cisco, etc.

* GAO: 65% of audit staff to be CISA

Legal Considerations

At the discretion of the organization

Legal Review

• Reviewing the assessment plan

• Providing indemnity or limitation of liability clauses (Insurance)

• Particularly for tests that are intrusive

• Nondisclosure agreements

• Privacy concerns

Post-Testing Activities

Mitigation Recommendations

• Technical, Managerial or Operational

Reporting

• Draft and Final Reports

Remediation / Mitigation

• It is not enough to find problems; you need a process to fix them

Organizations that can help

Information Systems Audit and Control Association (ISACA)

American Institute of Certified Public Accountants (AICPA)

Institute of Internal Auditors (IIA)

SANS

National State Auditors Association (NSAA)

U.S. Government Accountability Office (GAO)

Resources

Gartner Report on Vulnerability Assessment Tools

Twenty Critical Controls for Effective Cyber Defense


Evaluation Survey Link

Help us improve our seminars by filling out a short online evaluation survey at:

http://www.surveymonkey.com/s/IT-SecurityAssessments

Thanks for attending

For upcoming events and links to recently archived seminars, check the @ONE Web site at:

http://onefortraining.org/
