Presentation Slides

Report
IT Best Practices:
IT Security Assessments
Donald Hester
October 21, 2010
For audio call Toll Free 1-888-886-3951
and use PIN/code 158313
Housekeeping
• Maximize your CCC Confer window.
• Phone audio will be in presenter-only mode.
• Ask questions and make comments using the chat window.
Adjusting Audio
1) If you’re listening on your computer, adjust your volume using
the speaker slider.
2) If you’re listening over the phone, click on phone headset.
Do not listen on both computer and phone.
Saving Files & Open/close Captions
1. Save chat window with floppy disc icon
2. Open/close captioning window with CC icon
Emoticons and Polling
1) Raise hand and Emoticons
2) Polling options
IT Best Practices:
IT Security Assessments
Donald Hester
Donald E. Hester
CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+
Director, Maze & Associates
University of San Francisco / San Diego City College / Los Positas College
www.LearnSecurity.org
http://www.linkedin.com/in/donaldehester
http://www.facebook.com/group.php?gid=245570977486
Email:
[email protected]
Situation
8
 Organizations are becoming increasingly
dependent on technology and the
Internet
 The loss of technology or the Internet
would bring operations to a halt
 The need for security increases as our
dependence on technology increases
 Management wants to have assurance
that technology has the attention it
deserves
Questions
 Does our current security posture
address what we are trying to protect?
 Do we know what we need to protect?
 Where can we improve?
 Where do we start?
 Are we compliant with laws, rules,
contracts and organizational policies?
 What are your risks?
9
Reason
 Provide Assurance
 Demonstrate due diligence
 Make risk based decisions
10
Terms






11
Assessment
Audit
Review
ST&E = Security Test & Evaluation
Testing
Evaluation
Assessment Lifecycle
Planning
Risk
Analysis &
Reporting
Technology
Assessment
12
Information
Gathering
Business
Process
Assessment
Common Types of Assessments










13
Vulnerability Assessment
Penetration Test
Application Assessment
Code Review
Standard Audit/Review
Compliance Assessment/Audit
Configuration Audit
Wireless Assessment
Physical/Environmental Assessment
Policy Assessment
Determine your Scope
 What will be the scope of the
assessment?
• Network (Pen Test, Vul Scan, wireless)
• Application (Code or Vul scan)
• Process (business or automated)
 How critical is the system you are
assessing?
• High, medium – use independent assessor
• Low – self assessment
14
Identify and Select Automated Tools
 Computer Assisted Audit Techniques or
Computer Aided Audit Tools (CAATS)
 Computer Assisted Audit Tools and
Techniques (CAATTs)
• SQL queries
• Scanners
• Excel programs
• Live CDs
• Checklists
15
Checklists
 AuditNet
• www.auditnet.org
 ISACA & IIA
• Member Resources
 DoD Checklists
• iase.disa.mil/stigs/checklist/
 NIST Special Publications
• csrc.nist.gov/publications/PubsSPs.html
16
Live CD Distributions for Security
Testing




17
BackTrack
Knoppix Security Tool Distribution
F.I.R.E.
Helix
Review Techniques






18
Documentation Review
Log Review
Ruleset Review
System Configuration Review
Network Sniffing
File Integrity Checking
Target Identification and Analysis
Techniques
 Network Discovery
 Network Port and Service Identification
• OS fingerprinting
 Vulnerability Scanning
 Wireless Scanning
• Passive Wireless Scanning
• Active Wireless Scanning
• Wireless Device Location Tracking (Site Survey)
• Bluetooth Scanning
• Infrared Scanning
19
Target Vulnerability Validation
Techniques
 Password Cracking
• Transmission / Storage
 Penetration Testing
• Automated / Manual
 Social Engineering
• Phishing
20
Checklists / MSAT
 Microsoft Security Assessment Tool
(MSAT)
21
GRC Tools
Governance
Compliance
22
Risk
Dashboards
Metrics
Checklists
Reporting
Trend Analysis
Remediation
Test Types
 Black Box Testing
• Assessor starts with no
knowledge
 White Box Testing
• Assessor starts with knowledge
of the system, i.e. the code
 Grey Box Testing
• Assessor has some knowledge,
not completely blind
23
Verification Testing
Input
Verification
Match
• Data
Entry
Data
Collection
• Database
Storage
Output
24
• Reports
Application testing
 Code Review
• Automated/Manual
 Vulnerability scanning
 Configuration review
 Verification testing
 Authentication
 Information leakage
 Input/output Manipulation
25
Database Auditing




Native Audit (Provided by DB)
SIEM & Log Management
Database Activity Monitoring
Database Audit Platforms
• Remote journaling & analytics
 Compliance testing
 Performance
26
Intrusion Detection/Prevention
 Configuration
 Verification testing
 Log and Alert review
27
28
EMR Testing
 Electromagnetic Radiation
 Emissions Security
(EMSEC)
 Van Eck phreaking
 Tempest
 Tempest surveillance
prevention
 Faraday Cage
29
Green Computing
 Assessment on the use of resources
 Power Management
 Virtualization Assessment
30
Business Continuity
 Plan Testing, Training, and Exercises
(TT&E)
 Tabletop Exercises
• Checklist Assessment
• Walk Through
 Functional Exercises
• Remote Recovery
• Full Interruption Test
31
Vulnerability Scanning
 Vulnerability: Weakness in an
information system, or in system security
procedures, internal controls, or
implementation, that could be exploited
or triggered by a threat source.
 Vulnerability Scanning: A technique used
to identify hosts/host attributes and
associated vulnerabilities. (Technical)
32
MBSA
 Microsoft Baseline Security Analyzer 2.2
33
Vulnerability Reports
34
Sample from Qualys
External and Internal
Where is the best place to scan from?
Internal scan
found 15 critical
vulnerabilities
35
External scan
found 2 critical
vulnerabilities
Vulnerability Scanners
Source:
http://www.gartner.com/technology/media-products/reprints/rapid7/173772.html
36
Red, White and Blue Teams
Mimic real-world attacks
Unannounced
Penetration
Testers
Incident Responders
Observers and
Referees
37
Red and Blue Teams
Mimic real-world attacks
Announced
Penetration
Testers
38
Incident Responders
Penetration Test Phases
39
Penetration Assessment Reports
Sample from CoreImpact
40
Vulnerability Information
 Open Source Vulnerability DB
• http://osvdb.org/
 National Vulnerability Database
• http://nvd.nist.gov/
 Common Vulnerabilities and Exposures
• http://cve.mitre.org/
 Exploit Database
• http://www.exploit-db.com/
41
Physical Assessments







42
Posture Review
Access Control Testing
Perimeter review
Monitoring review
Alarm Response review
Location review (Business Continuity)
Environmental review (AC / UPS)
KSAs
Knowledge
Ability
43
Skill
Assessor Competence
 Priority Certifications
• Certified Information Systems Auditor
(CISA)*
GIAC Systems and Network Auditor (GSNA)
•
 Secondary Certifications
• Vendor Neutral: CISSP, Security+, GIAC,
•
CISM, etc…
Vendor Specific: Microsoft, Cisco, etc…
*GAO 65% of audit staff to be CISA
44
Legal Considerations
 At the discretion of the organization
 Legal Review
• Reviewing the assessment plan
• Providing indemnity or limitation of liability
•
•
•
45
clauses (Insurance)
Particularly for tests that are intrusive
Nondisclosure agreements
Privacy concerns
Post-Testing Activities
 Mitigation Recommendations
• Technical, Managerial or Operational
 Reporting
• Draft and Final Reports
 Remediation / Mitigation
• Not enough to finds problems need to have
a process to fix them
46
Organizations that can help
 Information Systems Audit and Control
Association (ISACA)
 American Institute of Certified Public
Accountants (AICPA)
 Institute of Internal Auditors (IIA)
 SANS
 National State Auditors Association (NSAA)
 U.S. Government Accountability Office (GAO)
47
Resources
 Gartner Report on Vulnerability
Assessment Tools
 Twenty Critical Controls for Effective
Cyber Defense
48
Donald E. Hester
CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+
Director, Maze & Associates
University of San Francisco / San Diego City College / Los Positas College
www.LearnSecurity.org
http://www.linkedin.com/in/donaldehester
http://www.facebook.com/group.php?gid=245570977486
Email:
[email protected]
Evaluation Survey Link
Help us improve our seminars by filing
out a short online evaluation survey at:
http://www.surveymonkey.com/s/IT-SecurityAssessments
IT Best Practices:
IT Security Assessments
Thanks for attending
For upcoming events and links to recently archived
seminars, check the @ONE Web site at:
http://onefortraining.org/

similar documents