
Donald Hester, October 21, 2010

For audio call Toll Free 1-888-886-3951 and use PIN/code 158313

IT Best Practices: IT Security Assessments

Housekeeping

• Maximize your CCC Confer window.
• Phone audio will be in presenter-only mode.
• Ask questions and make comments using the chat window.

Adjusting Audio

1) If you’re listening on your computer, adjust your volume using the speaker slider.

2) If you’re listening over the phone, click on phone headset.

Do not listen on both computer and phone.

Saving Files & Open/close Captions

1. Save chat window with floppy disc icon

2. Open/close captioning window with CC icon

Emoticons and Polling

1) Raise hand and Emoticons

2) Polling options


Donald E. Hester, CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+

Director, Maze & Associates

University of San Francisco / San Diego City College / Las Positas College

www.LearnSecurity.org

http://www.linkedin.com/in/donaldehester

http://www.facebook.com/group.php?gid=245570977486

Email: [email protected]

Situation

Organizations are becoming increasingly dependent on technology and the Internet.

The loss of technology or the Internet would bring operations to a halt.

The need for security increases as our dependence on technology increases.

Management wants to have assurance that technology has the attention it deserves.

Questions

Does our current security posture address what we are trying to protect?

Do we know what we need to protect?

Where can we improve?

Where do we start?

Are we compliant with laws, rules, contracts and organizational policies?

What are your risks?

Reason

Provide assurance

Demonstrate due diligence

Make risk-based decisions

Terms

Assessment

Audit

Review

ST&E = Security Test & Evaluation

Testing

Evaluation

Assessment Lifecycle

Planning

Information Gathering

Business Process Assessment

Technology Assessment

Risk Analysis & Reporting

Common Types of Assessments

Vulnerability Assessment

Penetration Test

Application Assessment

Code Review

Standard Audit/Review

Compliance Assessment/Audit

Configuration Audit

Wireless Assessment

Physical/Environmental Assessment

Policy Assessment

Determine your Scope

What will be the scope of the assessment?

• Network (Pen Test, Vul Scan, wireless)

• Application (Code or Vul scan)

• Process (business or automated)

How critical is the system you are assessing?

• High, medium – use independent assessor

• Low – self assessment

Identify and Select Automated Tools

Computer Assisted Audit Techniques or Computer Aided Audit Tools (CAATs)

Computer Assisted Audit Tools and Techniques (CAATTs)

• SQL queries

• Scanners

• Excel programs

• Live CDs

• Checklists

Checklists

AuditNet

• www.auditnet.org

ISACA & IIA

• Member Resources

DoD Checklists

• iase.disa.mil/stigs/checklist/

NIST Special Publications

• csrc.nist.gov/publications/PubsSPs.html

Live CD Distributions for Security Testing

BackTrack

Knoppix Security Tool Distribution

F.I.R.E.

Helix

Review Techniques

Documentation Review

Log Review

Ruleset Review

System Configuration Review

Network Sniffing

File Integrity Checking

Target Identification and Analysis Techniques

Network Discovery

Network Port and Service Identification

• OS fingerprinting

Vulnerability Scanning

Wireless Scanning

• Passive Wireless Scanning

• Active Wireless Scanning

• Wireless Device Location Tracking (Site Survey)

• Bluetooth Scanning

• Infrared Scanning

Target Vulnerability Validation Techniques

Password Cracking

• Transmission / Storage

Penetration Testing

• Automated / Manual

Social Engineering

• Phishing

Checklists / MSAT

Microsoft Security Assessment Tool (MSAT)

GRC Tools

Governance

Risk

Compliance

Dashboards, Metrics, Checklists, Reporting, Trend Analysis, Remediation

Test Types

Black Box Testing

• Assessor starts with no knowledge

White Box Testing

• Assessor starts with knowledge of the system, i.e. the code

Grey Box Testing

• Assessor has some knowledge, not completely blind

Verification Testing

Input

• Data Entry

Data Collection

• Database Storage

Output

• Reports

Verification: Match

Application Testing

Code Review

• Automated/Manual

Vulnerability scanning

Configuration review

Verification testing

Authentication

Information leakage

Input/output manipulation

Database Auditing

Native Audit (provided by the DB)

SIEM & Log Management

Database Activity Monitoring

Database Audit Platforms

• Remote journaling & analytics

Compliance testing

Performance

Intrusion Detection/Prevention

Configuration

Verification testing

Log and alert review

EMR Testing

Electromagnetic Radiation

Emissions Security (EMSEC)

Van Eck phreaking

Tempest

Tempest surveillance prevention

Faraday Cage

Green Computing

Assessment on the use of resources

Power Management

Virtualization Assessment

Business Continuity

Plan Testing, Training, and Exercises (TT&E)

Tabletop Exercises

• Checklist Assessment

• Walk Through

Functional Exercises

• Remote Recovery

• Full Interruption Test

Vulnerability Scanning

Vulnerability: Weakness in an information system, or in system security procedures, internal controls, or implementation, that could be exploited or triggered by a threat source.

Vulnerability Scanning: A technique used to identify hosts/host attributes and associated vulnerabilities. (Technical)

MBSA

Microsoft Baseline Security Analyzer 2.2

Vulnerability Reports

Sample from Qualys

External and Internal

Where is the best place to scan from?

External scan found 2 critical vulnerabilities

Internal scan found 15 critical vulnerabilities

Vulnerability Scanners

Source: http://www.gartner.com/technology/media-products/reprints/rapid7/173772.html

Red, White and Blue Teams

Red Team: Penetration Testers

Blue Team: Incident Responders

White Team: Observers and Referees

Mimic real-world attacks, unannounced

Red and Blue Teams

Red Team: Penetration Testers

Blue Team: Incident Responders

Mimic real-world attacks, announced

Penetration Test Phases

Penetration Assessment Reports

Sample from Core Impact

Vulnerability Information

Open Source Vulnerability DB

• http://osvdb.org/

National Vulnerability Database

• http://nvd.nist.gov/

Common Vulnerabilities and Exposures

• http://cve.mitre.org/

Exploit Database

• http://www.exploit-db.com/

Physical Assessments

Posture Review

Access Control Testing

Perimeter review

Monitoring review

Alarm Response review

Location review (Business Continuity)

Environmental review (AC / UPS)

KSAs

Knowledge

Skill

Ability

Assessor Competence

Priority Certifications

• Certified Information Systems Auditor (CISA)*

• GIAC Systems and Network Auditor (GSNA)

Secondary Certifications

• Vendor Neutral: CISSP, Security+, GIAC, CISM, etc.

• Vendor Specific: Microsoft, Cisco, etc.

*GAO: 65% of audit staff to be CISA

Legal Considerations

At the discretion of the organization

Legal Review

• Reviewing the assessment plan

• Providing indemnity or limitation of liability clauses (Insurance)

• Particularly for tests that are intrusive

• Nondisclosure agreements

• Privacy concerns

Post-Testing Activities

Mitigation Recommendations

• Technical, Managerial or Operational

Reporting

• Draft and Final Reports

Remediation / Mitigation

• It is not enough to find problems; you need to have a process to fix them

Organizations that can help

Information Systems Audit and Control Association (ISACA)

American Institute of Certified Public Accountants (AICPA)

Institute of Internal Auditors (IIA)

SANS

National State Auditors Association (NSAA)

U.S. Government Accountability Office (GAO)

Resources

Gartner Report on Vulnerability Assessment Tools

Twenty Critical Controls for Effective Cyber Defense


Evaluation Survey Link

Help us improve our seminars by filling out a short online evaluation survey at:

http://www.surveymonkey.com/s/IT-SecurityAssessments

Thanks for attending

For upcoming events and links to recently archived seminars, check the @ONE Web site at:

http://onefortraining.org/
