Transcript Presentation Slides
IT Best Practices: IT Security Assessments
Donald Hester
October 21, 2010
For audio, call toll free 1 888-886-3951 and use PIN/code 158313

Housekeeping
• Maximize your CCC Confer window.
• Phone audio will be in presenter-only mode.
• Ask questions and make comments using the chat window.

Adjusting Audio
1) If you're listening on your computer, adjust your volume using the speaker slider.
2) If you're listening over the phone, click on the phone headset icon.
Do not listen on both computer and phone.

Saving Files & Open/Close Captions
1. Save the chat window with the floppy disc icon.
2. Open/close the captioning window with the CC icon.

Emoticons and Polling
1) Raise hand and emoticons
2) Polling options
IT Best Practices: IT Security Assessments
Donald Hester

Donald E. Hester
CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+
Director, Maze & Associates
University of San Francisco / San Diego City College / Las Positas College
www.LearnSecurity.org
http://www.linkedin.com/in/donaldehester
http://www.facebook.com/group.php?gid=245570977486
Email: [email protected]
Situation
• Organizations are becoming increasingly dependent on technology and the Internet.
• The loss of technology or the Internet would bring operations to a halt.
• The need for security increases as our dependence on technology increases.
• Management wants assurance that technology has the attention it deserves.

Questions
• Does our current security posture address what we are trying to protect?
• Do we know what we need to protect?
• Where can we improve?
• Where do we start?
• Are we compliant with laws, rules, contracts and organizational policies?
• What are your risks?

Reason
• Provide assurance
• Demonstrate due diligence
• Make risk-based decisions

Terms
• Assessment
• Audit
• Review
• ST&E = Security Test & Evaluation
• Testing
• Evaluation

Assessment Lifecycle
• Planning
• Risk Analysis & Reporting
• Information Gathering
• Technology Assessment
• Business Process Assessment

Common Types of Assessments
• Vulnerability Assessment
• Penetration Test
• Application Assessment
• Code Review
• Standard Audit/Review
• Compliance Assessment/Audit
• Configuration Audit
• Wireless Assessment
• Physical/Environmental Assessment
• Policy Assessment
Determine your Scope
What will be the scope of the assessment?
• Network (pen test, vulnerability scan, wireless)
• Application (code review or vulnerability scan)
• Process (business or automated)
How critical is the system you are assessing?
• High or medium: use an independent assessor
• Low: self-assessment

Identify and Select Automated Tools
Computer Assisted Audit Techniques or Computer Aided Audit Tools (CAATS); Computer Assisted Audit Tools and Techniques (CAATTs)
• SQL queries
• Scanners
• Excel programs
• Live CDs
• Checklists

Checklists
• AuditNet: www.auditnet.org
• ISACA & IIA: member resources
• DoD checklists: iase.disa.mil/stigs/checklist/
• NIST Special Publications: csrc.nist.gov/publications/PubsSPs.html

Live CD Distributions for Security Testing
• BackTrack
• Knoppix Security Tool Distribution
• F.I.R.E.
• Helix
Review Techniques
• Documentation Review
• Log Review
• Ruleset Review
• System Configuration Review
• Network Sniffing
• File Integrity Checking

Target Identification and Analysis Techniques
• Network Discovery
• Network Port and Service Identification
    • OS fingerprinting
• Vulnerability Scanning
• Wireless Scanning
    • Passive Wireless Scanning
    • Active Wireless Scanning
    • Wireless Device Location Tracking (Site Survey)
    • Bluetooth Scanning
    • Infrared Scanning

Target Vulnerability Validation Techniques
• Password Cracking
    • Transmission / Storage
• Penetration Testing
    • Automated / Manual
• Social Engineering
    • Phishing

Checklists / MSAT
• Microsoft Security Assessment Tool (MSAT)

GRC Tools
• Governance, Compliance, Risk
• Dashboards
• Metrics
• Checklists
• Reporting
• Trend Analysis
• Remediation

Test Types
• Black Box Testing: the assessor starts with no knowledge
• White Box Testing: the assessor starts with knowledge of the system, such as the code
• Grey Box Testing: the assessor has some knowledge, not completely blind
Verification Testing
• Input: Data Entry
• Data Collection: Database Storage
• Verification Match
• Output: Reports
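As an added illustration of the Input, Data Collection, Verification Match and Output chain on this slide (example code, not from the presentation): a constructed set of data-entry records is stored in an in-memory SQLite table, a hypothetical report layer renders them, and the verification step compares what was entered against what was stored and what was reported. The report layer's truncation and rounding are deliberate, constructed defects so the match step has something to find.

```python
import sqlite3
from decimal import Decimal

# Constructed sample data-entry records (hypothetical purchase-order entries).
ENTERED = [
    {"id": 1, "vendor": "Acme Office Supply", "amount": "1250.50"},
    {"id": 2, "vendor": "Northwind Traders Incorporated", "amount": "99.99"},
    {"id": 3, "vendor": "Contoso", "amount": "0.10"},
]

def store(conn, records):
    """Data collection step: write the entered records into the database under test."""
    conn.execute("CREATE TABLE po (id INTEGER PRIMARY KEY, vendor TEXT, amount TEXT)")
    conn.executemany("INSERT INTO po VALUES (:id, :vendor, :amount)", records)
    conn.commit()

def report(conn):
    """Output step: a hypothetical report layer that truncates the vendor name to
    20 characters and renders the amount as a float with one decimal place.
    Both are constructed defects that the verification match should detect."""
    rows = conn.execute("SELECT id, vendor, amount FROM po ORDER BY id").fetchall()
    return [{"id": i, "vendor": v[:20], "amount": f"{float(a):.1f}"} for i, v, a in rows]

def verify(entered, conn, output):
    """Verification match: check each entered record against its stored row and
    its report row. Returns (id, stage, observed) for every mismatch."""
    findings = []
    stored = {r[0]: r for r in conn.execute("SELECT id, vendor, amount FROM po")}
    reported = {r["id"]: r for r in output}
    for rec in entered:
        s = stored.get(rec["id"])
        if s is None or s[1] != rec["vendor"] or Decimal(s[2]) != Decimal(rec["amount"]):
            findings.append((rec["id"], "storage", s))
        o = reported.get(rec["id"])
        if o is None or o["vendor"] != rec["vendor"] or Decimal(o["amount"]) != Decimal(rec["amount"]):
            findings.append((rec["id"], "report", o))
    return findings

def run_verification_test():
    """Run the whole chain: enter, store, report, verify; return the findings."""
    conn = sqlite3.connect(":memory:")
    store(conn, ENTERED)
    return verify(ENTERED, conn, report(conn))

if __name__ == "__main__":
    for finding in run_verification_test():
        print("MISMATCH at", finding[1], "stage:", finding)
```

Storage passes for all three records; only record 2 is flagged, at the report stage, because the long vendor name was truncated and 99.99 was rounded to 100.0.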
Application Testing
• Code Review
    • Automated / Manual
• Vulnerability scanning
• Configuration review
• Verification testing
• Authentication
• Information leakage
• Input/output manipulation

Database Auditing
• Native audit (provided by the DB)
• SIEM & log management
• Database activity monitoring
• Database audit platforms
    • Remote journaling & analytics
• Compliance testing
• Performance

Intrusion Detection/Prevention
• Configuration
• Verification testing
• Log and alert review

EMR Testing
• Electromagnetic Radiation
• Emissions Security (EMSEC)
• Van Eck phreaking
• TEMPEST
• TEMPEST surveillance prevention
• Faraday cage

Green Computing
• Assessment on the use of resources
• Power management
• Virtualization assessment

Business Continuity Plan Testing, Training, and Exercises (TT&E)
• Tabletop Exercises
    • Checklist Assessment
    • Walk Through
• Functional Exercises
    • Remote Recovery
    • Full Interruption Test
Vulnerability Scanning
• Vulnerability: Weakness in an information system, or in system security procedures, internal controls, or implementation, that could be exploited or triggered by a threat source.
• Vulnerability Scanning: A technique used to identify hosts/host attributes and associated vulnerabilities. (Technical)

MBSA
• Microsoft Baseline Security Analyzer 2.2

Vulnerability Reports
• Sample from Qualys

External and Internal
Where is the best place to scan from?
• Internal scan found 15 critical vulnerabilities
• External scan found 2 critical vulnerabilities

Vulnerability Scanners
Source: http://www.gartner.com/technology/media-products/reprints/rapid7/173772.html
Red, White and Blue Teams
Mimic real-world attacks; unannounced
• Red: Penetration Testers
• White: Observers and Referees
• Blue: Incident Responders

Red and Blue Teams
Mimic real-world attacks; announced
• Red: Penetration Testers
• Blue: Incident Responders

Penetration Test Phases

Penetration Assessment Reports
• Sample from CoreImpact

Vulnerability Information
• Open Source Vulnerability DB: http://osvdb.org/
• National Vulnerability Database: http://nvd.nist.gov/
• Common Vulnerabilities and Exposures: http://cve.mitre.org/
• Exploit Database: http://www.exploit-db.com/

Physical Assessments
• Posture review
• Access control testing
• Perimeter review
• Monitoring review
• Alarm response review
• Location review (Business Continuity)
• Environmental review (AC / UPS)
KSAs
• Knowledge
• Skill
• Ability

Assessor Competence
Priority Certifications
• Certified Information Systems Auditor (CISA)*
• GIAC Systems and Network Auditor (GSNA)
Secondary Certifications
• Vendor neutral: CISSP, Security+, GIAC, CISM, etc.
• Vendor specific: Microsoft, Cisco, etc.
*GAO: 65% of audit staff to be CISA

Legal Considerations
At the discretion of the organization:
• Legal review
    • Reviewing the assessment plan
    • Providing indemnity or limitation of liability clauses (insurance), particularly for tests that are intrusive
• Nondisclosure agreements
• Privacy concerns

Post-Testing Activities
• Mitigation recommendations
    • Technical, managerial or operational
• Reporting
    • Draft and final reports
• Remediation / Mitigation
    • It is not enough to find problems; there needs to be a process to fix them

Organizations that can help
• Information Systems Audit and Control Association (ISACA)
• American Institute of Certified Public Accountants (AICPA)
• Institute of Internal Auditors (IIA)
• SANS
• National State Auditors Association (NSAA)
• U.S. Government Accountability Office (GAO)

Resources
• Gartner Report on Vulnerability Assessment Tools
• Twenty Critical Controls for Effective Cyber Defense
Evaluation Survey Link
Help us improve our seminars by filling out a short online evaluation survey at: http://www.surveymonkey.com/s/IT-SecurityAssessments

IT Best Practices: IT Security Assessments
Thanks for attending
For upcoming events and links to recently archived seminars, check the @ONE Web site at: http://onefortraining.org/