IT Best Practices: IT Security Assessments
Donald Hester
October 21, 2010
For audio call Toll Free 1-888-886-3951 and use PIN/code 158313

Housekeeping
• Maximize your CCC Confer window.
• Phone audio will be in presenter-only mode.
• Ask questions and make comments using the chat window.

Adjusting Audio
• If you’re listening on your computer, adjust your volume using the speaker slider.
• If you’re listening over the phone, click on phone headset. Do not listen on both computer and phone.

Saving Files & Open/close Captions
• Save chat window with floppy disc icon
• Open/close captioning window with CC icon

Emoticons and Polling
• Raise hand and Emoticons
• Polling options

Donald Hester
IT Best Practices: IT Security Assessments

Donald E. Hester
CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+
Director, Maze & Associates
University of San Francisco / San Diego City College / Las Positas College
www.LearnSecurity.org
http://www.linkedin.com/in/donaldehester
http://www.facebook.com/group.php?gid=245570977486
Email: DonaldH@MazeAssociates.com

Situation
• Organizations are becoming increasingly dependent on technology and the Internet
• The loss of technology or the Internet would bring operations to a halt
• The need for security increases as our dependence on technology increases
• Management wants assurance that technology has the attention it deserves

Questions
• Does our current security posture address what we are trying to protect?
• Do we know what we need to protect?
• Where can we improve?
• Where do we start?
• Are we compliant with laws, rules, contracts and organizational policies?
• What are your risks?

Reason
• Provide assurance
• Demonstrate due diligence
• Make risk-based decisions

Terms
• Assessment
• Audit
• Review
• ST&E = Security Test & Evaluation
• Testing
• Evaluation

Common Types of Assessments
• Vulnerability Assessment
• Penetration Test
• Application Assessment
• Code Review
• Standard Audit/Review
• Compliance Assessment/Audit
• Configuration Audit
• Wireless Assessment
• Physical/Environmental Assessment
• Policy Assessment

Determine your Scope
• What will be the scope of the assessment?
  • Network (Pen Test, Vul Scan, wireless)
  • Application (Code or Vul scan)
  • Process (business or automated)
• How critical is the system you are assessing?
  • High, medium – use an independent assessor
  • Low – self-assessment

Identify and Select Automated Tools
• Computer Assisted Audit Techniques or Computer Aided Audit Tools (CAATs)
• Computer Assisted Audit Tools and Techniques (CAATTs)
• SQL queries
• Scanners
• Excel programs
• Live CDs
• Checklists

Checklists
• AuditNet
  • www.auditnet.org
• ISACA & IIA
  • Member Resources
• DoD Checklists
  • iase.disa.mil/stigs/checklist/
• NIST Special Publications
  • csrc.nist.gov/publications/PubsSPs.html

Live CD Distributions for Security Testing
• BackTrack
• Knoppix Security Tool Distribution
• F.I.R.E.
• Helix

Review Techniques
• Documentation Review
• Log Review
• Ruleset Review
• System Configuration Review
• Network Sniffing
• File Integrity Checking

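File integrity checking, the last of the review techniques listed above, compares the current state of a filesystem against a trusted baseline of hashes taken when the system was known good. The following Python script is an added example and is not from the presentation: it baselines a constructed temporary directory tree with SHA-256, simulates one modified, one deleted and one new file, and reports the differences. The directory layout, file names and contents are made up for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest.

    Symbolic links are skipped so that a link pointing outside the tree cannot
    make the baseline report on files that are not actually part of it.
    """
    root_path = Path(root)
    baseline = {}
    for path in sorted(root_path.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root_path).as_posix()] = hash_file(path)
    return baseline


def compare_baseline(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared or changed since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, re-check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "users.txt").write_text("alice\nbob\n")
        (root / "bin").mkdir()
        (root / "bin" / "service").write_bytes(b"\x7fELF-placeholder")
        baseline = build_baseline(tmp)

        # Simulated changes an assessor would want to see flagged (constructed)
        (root / "etc" / "app.conf").write_text("debug=true\n")        # modified
        (root / "etc" / "users.txt").unlink()                         # removed
        (root / "bin" / "helper").write_text("#!/bin/sh\necho hi\n")  # added

        return compare_baseline(baseline, build_baseline(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline dictionary would be written to storage the assessed system cannot modify (or signed), and the comparison run from a separate host; a baseline kept on the same disk as the files it protects can be rewritten along with them.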
Target Identification and Analysis Techniques
• Network Discovery
• Network Port and Service Identification
• OS Fingerprinting
• Vulnerability Scanning
• Wireless Scanning
  • Passive Wireless Scanning
  • Active Wireless Scanning
  • Wireless Device Location Tracking (Site Survey)
  • Bluetooth Scanning
  • Infrared Scanning

Target Vulnerability Validation Techniques
• Password Cracking
  • Transmission / Storage
• Penetration Testing
  • Automated / Manual
• Social Engineering
  • Phishing

Checklists / MSAT
• Microsoft Security Assessment Tool (MSAT)

GRC Tools
• Dashboards
• Metrics
• Checklists
• Reporting
• Trend Analysis
• Remediation

Test Types
• Black Box Testing
  • Assessor starts with no knowledge
• White Box Testing
  • Assessor starts with knowledge of the system, i.e. the code
• Grey Box Testing
  • Assessor has some knowledge, not completely blind

Verification Testing Verification Match
Application Testing
• Code Review
  • Automated/Manual
• Vulnerability scanning
• Configuration review
• Verification testing
  • Authentication
  • Information leakage
  • Input/output manipulation

Database Auditing
• Native Audit (provided by the DB)
• SIEM & Log Management
• Database Activity Monitoring
• Database Audit Platforms
• Remote journaling & analytics
• Compliance testing
• Performance

Intrusion Detection/Prevention
• Configuration
• Verification testing
• Log and Alert review

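Log and alert review (listed here and under Review Techniques) comes down to parsing records and applying a rule to them. The Python script below is an added example, not part of the presentation: it reviews a few constructed OpenSSH-style authentication log lines for a burst of failed logins from one source address followed by a successful login from that same source, which is the pattern an assessor would expect an IDS or SIEM rule to have alerted on. The hostname, addresses and timestamps are made up, and the failure threshold and time window are assumed values that would be tuned to the environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the style of an OpenSSH auth log; not real data.
SAMPLE_LOG = """\
Oct 21 09:15:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51422 ssh2
Oct 21 09:15:03 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51423 ssh2
Oct 21 09:15:04 host1 sshd[2202]: Failed password for root from 203.0.113.5 port 51424 ssh2
Oct 21 09:15:06 host1 sshd[2203]: Failed password for root from 203.0.113.5 port 51425 ssh2
Oct 21 09:15:09 host1 sshd[2204]: Failed password for root from 203.0.113.5 port 51426 ssh2
Oct 21 09:16:40 host1 sshd[2210]: Accepted password for root from 203.0.113.5 port 51430 ssh2
Oct 21 09:20:00 host1 sshd[2300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Oct 21 09:45:12 host1 sshd[2350]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Syslog timestamp, host, sshd pid, then the outcome / user / source fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line: str, year: int = 2010):
    """Return a dict for an sshd auth record, or None for lines that are not one.

    Syslog timestamps carry no year, so the year is an assumed parameter.
    """
    match = LINE_RE.match(line)
    if not match:
        return None
    stamp = datetime.strptime(f"{year} {match['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": stamp, "outcome": match["outcome"],
            "user": match["user"], "src": match["src"]}


def review_auth_log(text: str, threshold: int = 5, window_seconds: int = 60) -> list:
    """Flag a source with >= threshold failures inside a sliding window, and any
    later successful login from a source that was already flagged.

    Returns (alert_type, source, timestamp) tuples in log order.
    """
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent_failures = defaultdict(list)   # src -> timestamps inside the window
    flagged = set()
    alerts = []
    for event in events:
        src = event["src"]
        if event["outcome"] == "Failed":
            window = recent_failures[src]
            window.append(event["ts"])
            # drop failures that have aged out of the window
            while (event["ts"] - window[0]).total_seconds() > window_seconds:
                window.pop(0)
            if len(window) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, event["ts"]))
        elif src in flagged:
            alerts.append(("success_after_bruteforce", src, event["ts"]))
    return alerts


if __name__ == "__main__":
    for alert_type, src, stamp in review_auth_log(SAMPLE_LOG):
        print(f"{stamp:%Y-%m-%d %H:%M:%S} {alert_type} from {src}")
```

During an assessment the same logic is useful in reverse: feed the production logs through the rule and check whether the IDS/IPS or SIEM raised a matching alert for every hit, which verifies the configuration rather than taking it on trust.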
EMR Testing
• Electromagnetic Radiation
• Emissions Security (EMSEC)
• Van Eck phreaking
• Tempest
• Tempest surveillance prevention
• Faraday Cage

Green Computing
• Assessment on the use of resources
• Power Management
• Virtualization Assessment

Business Continuity
• Plan Testing, Training, and Exercises (TT&E)
  • Tabletop Exercises
  • Checklist Assessment
  • Walk Through
  • Functional Exercises
  • Remote Recovery
  • Full Interruption Test

Vulnerability Scanning
• Vulnerability: a weakness in an information system, or in system security procedures, internal controls, or implementation, that could be exploited or triggered by a threat source.
• Vulnerability Scanning: a technique used to identify hosts/host attributes and associated vulnerabilities. (Technical)

MBSA
• Microsoft Baseline Security Analyzer 2.2

Vulnerability Reports Sample from Qualys
External and Internal
Where is the best place to scan from?
• Internal scan found 15 critical vulnerabilities
• External scan found 2 critical vulnerabilities
Vulnerability Scanners Source: http://www.gartner.com/technology/media-products/reprints/rapid7/173772.html
Red, White and Blue Teams
• Mimic real-world attacks
• Unannounced
• Penetration Testers
• Incident Responders
• Observers and Referees

Red and Blue Teams
• Mimic real-world attacks
• Announced
• Penetration Testers
• Incident Responders
Penetration Assessment Reports Sample from CoreImpact
Vulnerability Information
• Open Source Vulnerability DB
  • http://osvdb.org/
• National Vulnerability Database
  • http://nvd.nist.gov/
• Common Vulnerabilities and Exposures
  • http://cve.mitre.org/
• Exploit Database
  • http://www.exploit-db.com/

Physical Assessments
• Posture Review
• Access Control Testing
• Perimeter review
• Monitoring review
• Alarm Response review
• Location review (Business Continuity)
• Environmental review (AC / UPS)

Assessor Competence
• Priority Certifications
  • Certified Information Systems Auditor (CISA)*
  • GIAC Systems and Network Auditor (GSNA)
• Secondary Certifications
  • Vendor Neutral: CISSP, Security+, GIAC, CISM, etc.
  • Vendor Specific: Microsoft, Cisco, etc.
*GAO: 65% of audit staff to be CISA

Legal Considerations
• At the discretion of the organization
• Legal Review
  • Reviewing the assessment plan
  • Providing indemnity or limitation of liability clauses (Insurance)
    • Particularly for tests that are intrusive
  • Nondisclosure agreements
  • Privacy concerns

Post-Testing Activities
• Mitigation Recommendations
  • Technical, Managerial or Operational
• Reporting
  • Draft and Final Reports
• Remediation / Mitigation
  • It is not enough to find problems; there must be a process to fix them

Organizations that can help
• Information Systems Audit and Control Association (ISACA)
• American Institute of Certified Public Accountants (AICPA)
• Institute of Internal Auditors (IIA)
• SANS
• National State Auditors Association (NSAA)
• U.S. Government Accountability Office (GAO)

Resources
• Gartner Report on Vulnerability Assessment Tools
• Twenty Critical Controls for Effective Cyber Defense

Evaluation Survey Link
Help us improve our seminars by filling out a short online evaluation survey at: http://www.surveymonkey.com/s/IT-SecurityAssessments