Date posted: 26-Dec-2014
Uploaded by: conferencias-fist
A not-for-profit Organization
Open Information Systems Security Group
Share and Build your knowledge
Christian Martorella
Overview
• What is the OISSG?
• Vision
• Mission
• Objectives for 2006
• Strategy
• Projects
Framework development
Conferences
Local chapters
Security challenges
Security Awareness
Security Research & Labs
Accreditations
• Open Forum
What is the OISSG?
• An independent, volunteer-run, not-for-profit organization.
• Provides free resources to the community:
Frameworks, methodologies, standards, articles.
Tools for security audits and for implementing security.
Conferences and mailing lists
Knowledge base
• Focused primarily on solving the problems related to security assessments.
What is the OISSG?...
• What do we provide?
Frameworks
Information Systems Security Assessment Framework (ISSAF)
Computer Crime Investigation Framework (CCIF)
Security Essentials Framework
Software
Password Auditing (LeptonCrack)
Database Security (Metacoretex-NG)
Windows, Linux and Solaris Security
Research initiatives
Local chapters
Our Vision
To spread information security awareness. To provide a medium where security enthusiasts and professionals from all over the world share and build knowledge.
Our Mission
To achieve its Vision, OISSG will determine the utmost professional need, and will allocate resources to set up processes to develop and deliver programs that add value to the Infosec community.
Objectives 2006
• Primary objectives
Release the next draft version of ISSAF.
Gain acceptance from key executives that ISSAF is a comprehensive framework for performing security assessments.
Accredit professionals in Security Assessment.
Publish the first draft version of the Computer Crime Investigation Framework (CCIF).
Objectives 2006…
• Secondary objectives
Increase the number of members
Develop localized presence
Set up 50 Local Chapters
Organize (expand) conferences
Set up on-line research labs for members
Organize Security Assessment challenges
Build Computer Security Incident Response Teams (CSIRT)
Spread Security Awareness
Strategy
• Identify critical areas of information security that are partially explored or unexplored.
• Create teams to work in those areas.
• Ensure that the final results of that work reach end users.
• Work with other groups that share the same objectives and resources.
Information Systems Security Assessment Framework (ISSAF)
Mission:
Research, develop, publish and promote a complete, practical, community-accepted framework for performing Information Systems Security Assessments.
ISSAF…
• Already established standards:
NSA IAM: http://www.nsa.gov/isso/iam/index.htm
CESG CHECK: http://www.cesg.gov.uk/site/check/index.cfm
• All methodologies and frameworks talk about the "What"; ISSAF instead talks about the "What, When, Where and Why", and also about the HOW.
• ISSAF addresses practical, real-world problems.
• It adds value through a structured, effective security assessment and an effective approach.
ISSAF…
• Its primary value will derive from the fact that it frees security practitioners from having to invest in commercial resources or extensive internal research to address their information security needs.
• It will evolve into a comprehensive body of knowledge for organizations seeking to conduct their assessments independently and neutrally.
• It will be the first framework to provide validation for bottom-up security strategies such as penetration testing as well as top-down approaches such as an audit checklist for information policies.
Framework structure
Enterprise Assessment Framework
Evaluate Enterprise Information Security Policy
Evaluate Enterprise Information Security Organization & Management
Assess Enterprise Security & Controls
Evaluate Enterprise Security Operations Management
Assess Business Continuity and Disaster Recovery Planning
Evaluate Legal and Regulatory Compliance
Manage Residual Risks
Identify Gross Risk
Physical and Environmental Security
Technical Controls Assessment
Secure Application Development
Security Awareness
Capacity Management
Vulnerability Management
Release Management
Enterprise Incident Management
Security Awareness Program
Patch Management
Configuration Management
Change Management
ISSAF – Table of Contents
• About ISSAF
• Assessment Framework
• Engagement Management
• Best Practices – Pre-Assessment, Assessment and Post-Assessment
• Enterprise Security Policy
• Enterprise Security Organization & Management
• Assess Enterprise Security & Controls
Penetration Testing - Methodology
Penetration Testing Methodology: Descriptive – (Continued…)
Password Security
Password Cracking Strategies
Unix/Linux System Security Assessment
Windows System Security Assessment
Novell Netware Security Assessment
Database Security Assessment
ISSAF – Table of Contents…
WLAN Security Assessment
Switch Security Assessment
Router Security Assessment
Firewall Security Assessment
Intrusion Detection System Security Assessment
VPN Security Assessment
Anti-virus System Security Assessment and Management Strategy
Web Application Security Assessment
Web Application Security (Continued…) SQL Injections
Web Application Security (Continued…) Web Server Security Assessment
Storage Area Network (SAN) Security
Internet User Security
AS/400 Security
Lotus Notes Security
ISSAF – Table of Contents…
Source Code Auditing
Binary Auditing
Application Security Evaluation Checks
• Social Engineering
• Physical Security Assessment
• Enterprise Security Operations Management
• Security Awareness
• Outsourcing Security Concerns
• Business Continuity Planning and Disaster Recovery
ISSAF – Table of Contents…
• Legal and Regulatory Compliance
• Incident Analysis
• Knowledge Base
Build Foundation
Desktop Security Check-list - Windows
Linux Security Check-list
Solaris Operating System Security Check-list
Penetration Testing Lab Design
Links
Templates / Others
ISSAF - Relationship with other standards
• Committees were created to map ISSAF to existing standards:
SAS70
COBIT
SOX
BS7799
BASEL-II (coming soon)
Computer Crime Investigation Framework (CCIF)
• What the CCIF covers:
Incident Management processes.
Windows Forensics
*nix Forensics
Router Forensics
Hacking Tool Forensics
• Release date?
Local chapters
• Objective - Share and Build knowledge
Established 39 Chapters in 22 countries
• Activities by local chapters
Organizing periodic conferences, seminars and workshops for sharing and building knowledge
Organizing periodic informal meetings on each other's developments
Discussing contributions to security projects
Visibility through representation in the media
Promotions
• How will OISSG local chapters help you?
Knowledge sharing
Building and managing knowledge through documentation
Know what your other friends are doing
Introduce you to experts in the information security industry
Keep yourself updated with the latest happenings in the security industry
Security research
• Researching:
Vulnerability Research
Password Security Research
Flawless Port Scanning
Database Security (Metacoretex-NG)
• First-rate researchers.
Security research
• The Vulnerability Research team is actively working on:
Software Code Auditing
Reverse Engineering
Exploit Code/Proof-of-concept Analysis and Development
• Key achievements
Developed a standard for Binary Auditing
Found one vulnerability in one Anti-Virus product
A process for Vulnerability Disclosure has been developed
• How to become part of this team:
Contact [email protected]
Subscribe to [email protected]
• Tools Development
A tools development plan is in process for the automation of ISSAF
Security research
• Password Security Research Team
Lepton Crack – One of the best password cracking tools in the world
A process for Password Security Audit has been developed
Project Director – Bernardo Reino (aka Lepton)
• Flawless Port Scanning
• Information Risk Management
• Business Continuity Management
Research Labs
• HoneyNets in multiple locations
• Identification of emerging security needs
• Delivering solutions for critical security needs
Certifications
• Proposed certifications
OISSG Certified Penetration Tester (OCPT)
OISSG Certified Security Assessor (OCSA)
Thank you very much
Fire at Will!