IT Best Practices: IT Security Assessments
Donald Hester, October 21, 2010
For audio, call toll free 1-888-886-3951 and use PIN/code 158313
Housekeeping
• Maximize your CCC Confer window.
• Phone audio will be in presenter-only mode.
• Ask questions and make comments using the chat window.
Adjusting Audio
1) If you’re listening on your computer, adjust your volume using the speaker slider.
2) If you’re listening over the phone, click on phone headset.
Do not listen on both computer and phone.
Saving Files & Open/close Captions
1. Save chat window with floppy disc icon
2. Open/close captioning window with CC icon
Emoticons and Polling
1) Raise hand and Emoticons
2) Polling options
Donald E. Hester, CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+
Director, Maze & Associates
University of San Francisco / San Diego City College / Los Positas College
www.LearnSecurity.org
http://www.linkedin.com/in/donaldehester
http://www.facebook.com/group.php?gid=245570977486
Email: [email protected]
Situation
Organizations are becoming increasingly dependent on technology and the Internet
The loss of technology or the Internet would bring operations to a halt
The need for security increases as our dependence on technology increases
Management wants to have assurance that technology has the attention it deserves
Questions
Does our current security posture address what we are trying to protect?
Do we know what we need to protect?
Where can we improve?
Where do we start?
Are we compliant with laws, rules, contracts and organizational policies?
What are your risks?
Reason
Provide Assurance
Demonstrate due diligence
Make risk based decisions
Terms
Assessment
Audit
Review
ST&E = Security Test & Evaluation
Testing
Evaluation
Assessment Lifecycle
Planning
Information Gathering
Business Process Assessment
Technology Assessment
Risk Analysis & Reporting
Common Types of Assessments
Vulnerability Assessment
Penetration Test
Application Assessment
Code Review
Standard Audit/Review
Compliance Assessment/Audit
Configuration Audit
Wireless Assessment
Physical/Environmental Assessment
Policy Assessment
Determine your Scope
What will be the scope of the assessment?
• Network (Pen Test, Vul Scan, wireless)
• Application (Code or Vul scan)
• Process (business or automated)
How critical is the system you are assessing?
• High, medium – use independent assessor
• Low – self assessment
Identify and Select Automated Tools
Computer Assisted Audit Techniques or Computer Aided Audit Tools (CAATs)
Computer Assisted Audit Tools and Techniques (CAATTs)
• SQL queries
• Scanners
• Excel programs
• Live CDs
• Checklists
Checklists
AuditNet
• www.auditnet.org
ISACA & IIA
• Member Resources
DoD Checklists
• iase.disa.mil/stigs/checklist/
NIST Special Publications
• csrc.nist.gov/publications/PubsSPs.html
Live CD Distributions for Security Testing
BackTrack
Knoppix Security Tool Distribution
F.I.R.E.
Helix
Review Techniques
Documentation Review
Log Review
Ruleset Review
System Configuration Review
Network Sniffing
File Integrity Checking
Target Identification and Analysis Techniques
Network Discovery
Network Port and Service Identification
• OS fingerprinting
Vulnerability Scanning
Wireless Scanning
• Passive Wireless Scanning
• Active Wireless Scanning
• Wireless Device Location Tracking (Site Survey)
• Bluetooth Scanning
• Infrared Scanning
Target Vulnerability Validation Techniques
Password Cracking
• Transmission / Storage
Penetration Testing
• Automated / Manual
Social Engineering
• Phishing
Checklists / MSAT
Microsoft Security Assessment Tool (MSAT)
GRC Tools
Governance
Risk
Compliance
Dashboards
Metrics
Checklists
Reporting
Trend Analysis
Remediation
Test Types
Black Box Testing
• Assessor starts with no knowledge
White Box Testing
• Assessor starts with knowledge of the system, i.e. the code
Grey Box Testing
• Assessor has some knowledge, not completely blind
Verification Testing (diagram)
Input: Data Entry
Data Collection: Database Storage
Output
Verification: Match
Application testing
Code Review
• Automated/Manual
Vulnerability scanning
Configuration review
Verification testing
Authentication
Information leakage
Input/output Manipulation
Database Auditing
Native Audit (Provided by DB)
SIEM & Log Management
Database Activity Monitoring
Database Audit Platforms
• Remote journaling & analytics
Compliance testing
Performance
Intrusion Detection/Prevention
Configuration
Verification testing
Log and Alert review
EMR Testing
Electromagnetic Radiation
Emissions Security (EMSEC)
Van Eck phreaking
Tempest
Tempest surveillance prevention
Faraday Cage
Green Computing
Assessment on the use of resources
Power Management
Virtualization Assessment
Business Continuity
Plan Testing, Training, and Exercises (TT&E)
Tabletop Exercises
• Checklist Assessment
• Walk Through
Functional Exercises
• Remote Recovery
• Full Interruption Test
Vulnerability Scanning
Vulnerability: Weakness in an information system, or in system security procedures, internal controls, or implementation, that could be exploited or triggered by a threat source.
Vulnerability Scanning: A technique used to identify hosts/host attributes and associated vulnerabilities. (Technical)
MBSA
Microsoft Baseline Security Analyzer 2.2
Vulnerability Reports
Sample from Qualys
External and Internal
Where is the best place to scan from?
External scan found 2 critical vulnerabilities
Internal scan found 15 critical vulnerabilities
Vulnerability Scanners
Source: http://www.gartner.com/technology/media-products/reprints/rapid7/173772.html
Red, White and Blue Teams (diagram)
Red: Penetration Testers
Blue: Incident Responders
White: Observers and Referees
Mimic real-world attacks; unannounced
Red and Blue Teams (diagram)
Red: Penetration Testers
Blue: Incident Responders
Mimic real-world attacks; announced
Penetration Test Phases
Penetration Assessment Reports
Sample from CoreImpact
Vulnerability Information
Open Source Vulnerability DB
• http://osvdb.org/
National Vulnerability Database
• http://nvd.nist.gov/
Common Vulnerabilities and Exposures
• http://cve.mitre.org/
Exploit Database
• http://www.exploit-db.com/
Physical Assessments
Posture Review
Access Control Testing
Perimeter review
Monitoring review
Alarm Response review
Location review (Business Continuity)
Environmental review (AC / UPS)
KSAs
Knowledge
Skill
Ability
Assessor Competence
Priority Certifications
• Certified Information Systems Auditor (CISA)*
• GIAC Systems and Network Auditor (GSNA)
Secondary Certifications
• Vendor Neutral: CISSP, Security+, GIAC, CISM, etc…
• Vendor Specific: Microsoft, Cisco, etc…
*GAO: 65% of audit staff to be CISA
Legal Considerations
At the discretion of the organization
Legal Review
• Reviewing the assessment plan
• Providing indemnity or limitation of liability clauses (Insurance)
• Particularly for tests that are intrusive
• Nondisclosure agreements
• Privacy concerns
Post-Testing Activities
Mitigation Recommendations
• Technical, Managerial or Operational
Reporting
• Draft and Final Reports
Remediation / Mitigation
• Not enough to find problems; need to have a process to fix them
Organizations that can help
Information Systems Audit and Control Association (ISACA)
American Institute of Certified Public Accountants (AICPA)
Institute of Internal Auditors (IIA)
SANS
National State Auditors Association (NSAA)
U.S. Government Accountability Office (GAO)
Resources
Gartner Report on Vulnerability Assessment Tools
Twenty Critical Controls for Effective Cyber Defense
Evaluation Survey Link
Help us improve our seminars by filling out a short online evaluation survey at:
http://www.surveymonkey.com/s/IT-SecurityAssessments
Thanks for attending
For upcoming events and links to recently archived seminars, check the @ONE Web site at: http://onefortraining.org/