Oissg

Date post: 26-Dec-2014
Upload: conferencias-fist
Pages: 26

Transcript
Page 1: Oissg

A not-for-profit Organization

Open Information Systems Security Group

…Share and Build your knowledge

Christian Martorella

[email protected]

[email protected]

Page 2: Oissg

Presentation

• What is OISSG?

• Vision

• Mission

• Objectives for 2006

• Strategy

• Projects

Framework development

Conferences

Local chapters

Security challenges

Security Awareness

Security Research & Labs

Accreditations

• Open Forum

Page 3: Oissg

What is OISSG?

• An independent, volunteer-run, not-for-profit organization.

• Provides resources freely to the community:

Frameworks, methodologies, standards, articles.

Tools for security audits and for implementing security.

Conferences and mailing lists.

Knowledge base.

• Focused mainly on solving the problems related to security assessments.

Page 4: Oissg

What is OISSG?...

• What do we provide?

Frameworks

Information Systems Security Assessment Framework (ISSAF)

Computer Crime Investigation Framework (CCIF)

Security Essentials Framework

Software

Password Auditing (LeptonCrack)

Database Security (Metacoretex-NG)

Windows, Linux and Solaris Security

Research initiatives

Local chapters

Page 5: Oissg

Our Vision

Spread information security awareness. Provide a medium where security enthusiasts and professionals from all over the world share and build knowledge.

Page 6: Oissg

Our Mission

To achieve our vision, OISSG will determine what the professional needs are and will allocate resources to create processes to develop

To achieve its Vision, OISSG will determine the utmost professional need; it will allocate resources to set up a process to develop and deliver programs that will add value to the Infosec community.

Page 7: Oissg

Objectives 2006

• Primary objectives

Release the next version of the ISSAF draft.

Facilitate acceptance by key executives that ISSAF is a comprehensive framework for performing security assessments.

Accredit professionals in Security Assessment.

Make public the first draft version of the Computer Crime Investigation Framework (CCIF).

Page 8: Oissg

Objectives 2006…

• Secondary objectives

Increase the number of members

Develop localized presence

Set up 50 Local Chapters

Organize (expand) Conferences

Set up on-line research labs for members

Organize Security Assessment challenges

Build Computer Security Incident Response Teams (CSIRT)

Spread Security Awareness

Page 9: Oissg

Strategy

• Identify critical areas of information security that are partially explored or unexplored.

• Create teams to work on those areas.

• Ensure that the final results of that work reach end users.

• Work with other groups that share the same objectives and resources.

Page 10: Oissg

Information Systems Security Assessment Framework (ISSAF)

Mission:

Research, develop, publish and promote a complete, practical, community-accepted Framework for performing Information Systems Security Assessments.

Page 11: Oissg

ISSAF…

• Already established standards:

NSA IAM: http://www.nsa.gov/isso/iam/index.htm

CESG CHECK: http://www.cesg.gov.uk/site/check/index.cfm

• All other methodologies and frameworks talk about the “What”; ISSAF talks about the “What, When, Where and Why” and also the HOW.

• ISSAF addresses practical, real-world problems.

• It adds value through a structured, effective security assessment and an effective approach.

Page 12: Oissg

ISSAF…

• Its primary value will derive from the fact that it frees security practitioners from having to invest in commercial resources or extensive internal research to address their information security needs.

• It will evolve into a comprehensive body of knowledge for organizations seeking to conduct their assessments independently and neutrally.

• It will be the first framework to provide validation for bottom-up security strategies such as penetration testing as well as top-down approaches such as an audit checklist for information policies.

Page 13: Oissg

Framework structure

Enterprise Assessment Framework

Evaluate Enterprise Information Security Policy

Evaluate Enterprise Information Security Organization & Management

Assess Enterprise Security & Controls

Evaluate Enterprise Security Operations Management

Assess Business Continuity and Disaster Recovery Planning

Evaluate Legal and Regulatory Compliance

Manage Residual Risks

Identify Gross Risk

Physical and Environmental Security

Technical Controls Assessment

Secure Application Development

Security Awareness

Capacity Management

Vulnerability Management

Release Management

Enterprise Incident Management

Security Awareness Program

Patch Management

Configuration Management

Change Management

Page 14: Oissg

ISSAF – Table of Contents

• About ISSAF

• Assessment Framework

• Engagement Management

• Best Practices – Pre-Assessment, Assessment and Post-Assessment

• Enterprise Security Policy

• Enterprise Security Organization & Management

• Assess Enterprise Security & Controls

Penetration Testing - Methodology

Penetration Testing Methodology: Descriptive (continued)

Password Security

Password Cracking Strategies

Unix/Linux System Security Assessment

Windows System Security Assessment

Novell Netware Security Assessment

Database Security Assessment

Page 15: Oissg

ISSAF – Table of Contents…

WLAN Security Assessment

Switch Security Assessment

Router Security Assessment

Firewall Security Assessment

Intrusion Detection System Security Assessment

VPN Security Assessment

Anti-virus System Security Assessment and Management Strategy

Web Application Security Assessment

Web Application Security (continued): SQL Injections

Web Application Security (continued): Web Server Security Assessment

Storage Area Network (SAN) Security

Internet User Security

AS/400 Security

Lotus Notes Security

Page 16: Oissg

ISSAF – Table of Contents…

Source Code Auditing

Binary Auditing

Application Security Evaluation Checks

• Social Engineering

• Physical Security Assessment

• Enterprise Security Operations Management

• Security Awareness

• Outsourcing Security Concerns

• Business Continuity Planning and Disaster Recovery

Page 17: Oissg

ISSAF – Table of Contents…

• Legal and Regulatory Compliance

• Incident Analysis

• Knowledge Base

Build Foundation

Desktop Security Check-list - Windows

Linux Security Check-list

Solaris Operating System Security Check-list

Penetration Testing Lab Design

Links

Templates / Others

Page 18: Oissg

ISSAF - Relationships with other standards

• Committees were created to map ISSAF to existing standards:

SAS70

COBIT

SOX

BS7799

BASEL-II (coming soon)

Page 19: Oissg

Computer Crime Investigation Framework (CCIF)

• What CCIF covers:

Incident management processes.

Windows Forensics

*nix Forensics

Router Forensics

Hacking Tool Forensics

• Release date?

Page 20: Oissg

Local chapters

• Objective - Share and Build knowledge

Established 39 Chapters in 22 countries

• Activities by local chapters

Organizing periodic conferences, seminars and workshops for sharing and building knowledge

Organizing periodic informal meetings on each other's developments

Discussing contributions to security projects

Visibility through representation in the media

Promotions

• How will OISSG local chapters help you?

Knowledge sharing

Building and managing knowledge through documentation

Know what your friends are doing

Introduce you to experts in the information security industry

Keep yourself updated with the latest happenings in the security industry

Page 21: Oissg

Security research

• Researching in:

Vulnerability Research

Password Security Research

Flawless Port Scanning

Database Security (Metacoretex-NG)

• First-class researchers.

Page 22: Oissg

Security research

• Vulnerability Research team is actively working on:

Software Code Auditing

Reverse Engineering

Exploit Code/Proof-of-concept Analysis and Development

• Key achievements

Developed a standard for Binary Auditing

Found one vulnerability in one Anti-Virus product

Process for Vulnerability Disclosure is developed

• How to become part of this team:

Contact [email protected]

Subscribe to [email protected]

• Tools Development

A tools development plan is in process for the automation of ISSAF

Page 23: Oissg

Security research

• Password Security Research Team

Lepton Crack – One of the best password cracking tools in the world

Process for Password Security Audit is developed

Project Director – Bernardo Reino (aka Lepton)

• Flawless Port Scanning

• Information Risk Management

• Business Continuity Management

Page 24: Oissg

Research Labs

• HoneyNets in multiple locations

• Identification of emerging security needs

• Delivering solutions on critical security needs

Page 25: Oissg

Certifications

• Proposed Certification

OISSG Certified Penetration Tester (OCPT)

OISSG Certified Security Assessor (OCSA)

Page 26: Oissg

Thank you very much

Fire at Will!