
IT Best Practices: IT Security Assessments


Presentation Transcript


  1. IT Best Practices: IT Security Assessments Donald Hester October 21, 2010 For audio call Toll Free 1-888-886-3951 and use PIN/code 158313

  2. Housekeeping • Maximize your CCC Confer window. • Phone audio will be in presenter-only mode. • Ask questions and make comments using the chat window.

  3. Adjusting Audio • If you’re listening on your computer, adjust your volume using the speaker slider. • If you’re listening over the phone, click on phone headset. Do not listen on both computer and phone.

  4. Saving Files & Open/close Captions • Save chat window with floppy disc icon • Open/close captioning window with CC icon

  5. Emoticons and Polling • Raise hand and Emoticons • Polling options

  6. Donald Hester IT Best Practices: IT Security Assessments

  7. Donald E. Hester CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+ Director, Maze & Associates University of San Francisco / San Diego City College / Las Positas College www.LearnSecurity.org http://www.linkedin.com/in/donaldehester http://www.facebook.com/group.php?gid=245570977486 Email: DonaldH@MazeAssociates.com

  8. Situation • Organizations are becoming increasingly dependent on technology and the Internet • The loss of technology or the Internet would bring operations to a halt • The need for security increases as our dependence on technology increases • Management wants to have assurance that technology has the attention it deserves

  9. Questions • Does our current security posture address what we are trying to protect? • Do we know what we need to protect? • Where can we improve? • Where do we start? • Are we compliant with laws, rules, contracts and organizational policies? • What are your risks?

  10. Reason • Provide Assurance • Demonstrate due diligence • Make risk based decisions

  11. Terms • Assessment • Audit • Review • ST&E = Security Test & Evaluation • Testing • Evaluation

  12. Assessment Lifecycle

  13. Common Types of Assessments • Vulnerability Assessment • Penetration Test • Application Assessment • Code Review • Standard Audit/Review • Compliance Assessment/Audit • Configuration Audit • Wireless Assessment • Physical/Environmental Assessment • Policy Assessment

  14. Determine your Scope • What will be the scope of the assessment? • Network (Pen Test, Vul Scan, wireless) • Application (Code or Vul scan) • Process (business or automated) • How critical is the system you are assessing? • High, medium – use independent assessor • Low – self assessment

  15. Identify and Select Automated Tools • Computer Assisted Audit Techniques or Computer Aided Audit Tools (CAATS) • Computer Assisted Audit Tools and Techniques (CAATTs) • SQL queries • Scanners • Excel programs • Live CDs • Checklists

  16. Checklists • AuditNet • www.auditnet.org • ISACA & IIA • Member Resources • DoD Checklists • iase.disa.mil/stigs/checklist/ • NIST Special Publications • csrc.nist.gov/publications/PubsSPs.html

  17. Live CD Distributions for Security Testing • BackTrack • Knoppix Security Tool Distribution • F.I.R.E. • Helix

  18. Review Techniques • Documentation Review • Log Review • Ruleset Review • System Configuration Review • Network Sniffing • File Integrity Checking

  19. Target Identification and Analysis Techniques • Network Discovery • Network Port and Service Identification • OS fingerprinting • Vulnerability Scanning • Wireless Scanning • Passive Wireless Scanning • Active Wireless Scanning • Wireless Device Location Tracking (Site Survey) • Bluetooth Scanning • Infrared Scanning

  20. Target Vulnerability Validation Techniques • Password Cracking • Transmission / Storage • Penetration Testing • Automated / Manual • Social Engineering • Phishing

  21. Checklists / MSAT • Microsoft Security Assessment Tool (MSAT)

  22. GRC Tools • Dashboards • Metrics • Checklists • Reporting • Trend Analysis • Remediation

  23. Test Types • Black Box Testing • Assessor starts with no knowledge • White Box Testing • Assessor starts with knowledge of the system, i.e. the code • Grey Box Testing • Assessor has some knowledge, not completely blind

  24. Verification Testing Verification Match

  25. Application testing • Code Review • Automated/Manual • Vulnerability scanning • Configuration review • Verification testing • Authentication • Information leakage • Input/output Manipulation

  26. Database Auditing • Native Audit (Provided by DB) • SIEM & Log Management • Database Activity Monitoring • Database Audit Platforms • Remote journaling & analytics • Compliance testing • Performance

  27. Intrusion Detection/Prevention • Configuration • Verification testing • Log and Alert review

  28. EMR Testing • Electromagnetic Radiation • Emissions Security (EMSEC) • Van Eck phreaking • Tempest • Tempest surveillance prevention • Faraday Cage

  29. Green Computing • Assessment on the use of resources • Power Management • Virtualization Assessment

  30. Business Continuity • Plan Testing, Training, and Exercises (TT&E) • Tabletop Exercises • Checklist Assessment • Walk Through • Functional Exercises • Remote Recovery • Full Interruption Test

  31. Vulnerability Scanning • Vulnerability: Weakness in an information system, or in system security procedures, internal controls, or implementation, that could be exploited or triggered by a threat source. • Vulnerability Scanning: A technique used to identify hosts/host attributes and associated vulnerabilities. (Technical)

  32. MBSA • Microsoft Baseline Security Analyzer 2.2

  33. Vulnerability Reports Sample from Qualys

  34. External and Internal • Where is the best place to scan from? • Internal scan found 15 critical vulnerabilities • External scan found 2 critical vulnerabilities
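An added illustration (Python written for this page, not code from the presentation or from any scanner it names) of the two points in slides 31 and 34: vulnerability scanning identifies host attributes, here the product and version behind each service, and matches them against known weaknesses, and the vantage point decides which hosts and services the scan can see at all. The inventory, product names, versions and advisory references (`ADV-0001` and so on) are constructed placeholders, and "affected" is simplified to "version below the fixed-in version".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    product: str
    version: str
    external: bool  # True if the service is reachable from outside the network


@dataclass(frozen=True)
class Advisory:
    ref: str       # placeholder reference, not a real CVE or vendor id
    product: str
    fixed_in: str  # first version that is not affected
    severity: str


def parse_version(version):
    """'2.4.7' -> (2, 4, 7). Non-numeric characters are dropped so tuples compare."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(service, advisory):
    """A service is affected when the product matches and it runs below fixed_in."""
    return (service.product == advisory.product
            and parse_version(service.version) < parse_version(advisory.fixed_in))


def scan(inventory, advisories, vantage):
    """vantage is 'internal' (all services visible) or 'external' (exposed only)."""
    findings = []
    for svc in inventory:
        if vantage == "external" and not svc.external:
            continue  # an outside scanner never sees this service
        for adv in advisories:
            if is_affected(svc, adv):
                findings.append({
                    "host": svc.host, "port": svc.port,
                    "product": svc.product, "version": svc.version,
                    "ref": adv.ref, "severity": adv.severity,
                })
    return findings


def count_by_severity(findings):
    counts = {}
    for finding in findings:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts


# Constructed inventory: one Internet-facing web server, the rest internal only.
INVENTORY = [
    Service("web01", 443, "ExampleHTTPd", "2.4.7", True),
    Service("web01", 22, "ExampleSSH", "7.9", False),
    Service("db01", 1433, "ExampleDB", "10.2", False),
    Service("fs01", 445, "ExampleSMB", "1.0", False),
]

# Constructed advisory list with placeholder references.
ADVISORIES = [
    Advisory("ADV-0001", "ExampleHTTPd", "2.4.10", "critical"),
    Advisory("ADV-0002", "ExampleSSH", "8.0", "high"),
    Advisory("ADV-0003", "ExampleDB", "10.5", "critical"),
    Advisory("ADV-0004", "ExampleSMB", "2.0", "critical"),
]


if __name__ == "__main__":
    for vantage in ("external", "internal"):
        found = scan(INVENTORY, ADVISORIES, vantage)
        print(vantage, count_by_severity(found))
```

Run as-is, the external vantage reports a single critical finding while the internal vantage reports three critical and one high, which is the pattern slide 34 describes: an external scan measures exposure to the Internet, an internal scan measures what an attacker or malware already inside the network could reach, and the two answer different questions.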

  35. Vulnerability Scanners Source: http://www.gartner.com/technology/media-products/reprints/rapid7/173772.html

  36. Red, White and Blue Teams • Mimic real-world attacks • Unannounced • Red Team: Penetration Testers • Blue Team: Incident Responders • White Team: Observers and Referees

  37. Red and Blue Teams • Mimic real-world attacks • Announced • Red Team: Penetration Testers • Blue Team: Incident Responders

  38. Penetration Test Phases

  39. Penetration Assessment Reports Sample from CoreImpact

  40. Vulnerability Information • Open Source Vulnerability DB • http://osvdb.org/ • National Vulnerability Database • http://nvd.nist.gov/ • Common Vulnerabilities and Exposures • http://cve.mitre.org/ • Exploit Database • http://www.exploit-db.com/

  41. Physical Assessments • Posture Review • Access Control Testing • Perimeter review • Monitoring review • Alarm Response review • Location review (Business Continuity) • Environmental review (AC / UPS)

  42. KSAs

  43. Assessor Competence • Priority Certifications • Certified Information Systems Auditor (CISA)* • GIAC Systems and Network Auditor (GSNA) • Secondary Certifications • Vendor Neutral: CISSP, Security+, GIAC, CISM, etc. • Vendor Specific: Microsoft, Cisco, etc. *GAO: 65% of audit staff to be CISA

  44. Legal Considerations • At the discretion of the organization • Legal Review • Reviewing the assessment plan • Providing indemnity or limitation of liability clauses (Insurance) • Particularly for tests that are intrusive • Nondisclosure agreements • Privacy concerns

  45. Post-Testing Activities • Mitigation Recommendations • Technical, Managerial or Operational • Reporting • Draft and Final Reports • Remediation / Mitigation • It is not enough to find problems; you need a process to fix them

  46. Organizations that can help • Information Systems Audit and Control Association (ISACA) • American Institute of Certified Public Accountants (AICPA) • Institute of Internal Auditors (IIA) • SANS • National State Auditors Association (NSAA) • U.S. Government Accountability Office (GAO)

  47. Resources • Gartner Report on Vulnerability Assessment Tools • Twenty Critical Controls for Effective Cyber Defense

  48. Donald E. Hester CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+ Director, Maze & Associates University of San Francisco / San Diego City College / Las Positas College www.LearnSecurity.org http://www.linkedin.com/in/donaldehester http://www.facebook.com/group.php?gid=245570977486 Email: DonaldH@MazeAssociates.com

  49. Evaluation Survey Link Help us improve our seminars by filling out a short online evaluation survey at: http://www.surveymonkey.com/s/IT-SecurityAssessments
