Cost effective auditing of web applications and networks in smb
Published in: Education

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
976
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
0
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

Cost Effective Auditing of Web Applications and Networks in Small, Medium Business Enterprises

Shalu, Department of Computer Science and Engineering, Graphic Era University, Dehradun, India
Mrs. Neha Garg, Department of Computer Science and Engineering, Graphic Era University, Dehradun, India

ABSTRACT

Small and Medium Businesses (SMBs) do not have the personnel or resources available to larger organizations - SMBs have to do more with less. Because of these constraints, SMBs need to focus on the issues that represent the highest risk to their businesses. This webcast will review web application vulnerabilities such as SQL injection and Cross-Site Scripting (XSS) that represent the most risk and why the impact of these vulnerabilities is so great. A review of options for identifying these vulnerabilities and common approaches to addressing them will also be discussed. With this information SMBs will have what they need to get the most risk reduction at the lowest cost possible.

Small and medium sized businesses may need to adapt their web application security strategy to focus on those aspects that best utilize their time, budget and resources.

There are many tools available for web application testing. Sahi, which has been showcased already, is a tool for automating web application testing. It also exposes the ability to be exact when needed, making it very suitable for any web application. It even works with older scripts. Thereby it fits into the auditing requirements of SMBs.

The Information Security Management Systems (ISMS) standards are known colloquially as "ISO27k" and are based at ISO27001security.com. The primary aim of the ISMS guideline is to contribute to the development of the new standard ISO/IEC 27007 by capturing the experience of ISMS implementers and IT/ISMS auditors. A secondary aim is to provide a pragmatic and useful guideline for those involved in auditing ISMSs. The ISMS standard is preferred for auditing a network environment as it ensures the highest optimal usage, efficiency and ISO-specified practices. SMBs, by using a range of open source tools in an integrated environment as discussed in this project, can cover most of the activities done by an auditor before an audit.
A large range of tasks which form the first three phases can be covered by the proposed integrated tool environment.

Technical compliance tests may be necessary to verify that IT systems are configured in accordance with the organization's information security policies, standards and guidelines. Automated configuration checking and vulnerability assessment tools may speed up the rate at which technical compliance checks are performed, but they potentially introduce their own security issues that need to be taken into account.

Advantages:
i) Cost effective
ii) Reduced time of auditing
iii) Reduction in the number of man-days charged by the network auditor.
iv) Pre-closing of vulnerabilities, thereby pro-actively protecting the hardware environment.
v) Pre-closing of vulnerabilities, thereby pro-actively protecting the web applications.

During the fieldwork phase, audit evidence is gathered by the auditor/s working methodically through the work plan or checklist, for example interviewing staff, managers and other stakeholders associated with the ISMS, reviewing ISMS documents, printouts and data (including records of ISMS activities such as security log reviews), observing ISMS processes in action and checking system security configurations etc. Pre-audit tests already performed by the SMB's system administrator for validation reduce to a great extent the work and the audit tests to be performed by the auditor.

The integrated test tool environment discussed in this project combines the effective performance of open source tools used for both the hardware and software aspects of SMBs, thus reducing a lot of the time which is required for independent testing of web applications on one hand and the network environment on the other.

KEYWORDS: Web application, JavaScript, DOM, multithread
Table of Contents
1. Introduction
  1.1 Scope
  1.2 Principles of auditing
  1.3 Managing an audit programme
2. Technique description
  2.1 Sahi Architecture
3. Description of the tool used for simulation
  3.1 Getting Started
  3.2 Prerequisites
  3.3 Download Sahi OS
  3.4 Installation of Sahi
  3.5 Sahi starting
4. Experiments and Results
  4.1 Recording through Sahi
  4.2 Playing back through Sahi
  4.3 View Logs
5. Problem extended for dissertation
6. Timeline Chart of work done and work to be completed
7. References
8. Figures: Fig-1, Fig-2, Fig-3, Fig-4, Fig-5
Chapter 1
1. Introduction, Background

1.1 Scope
The ISMS guideline provides advice to IT auditors reviewing compliance with the ISO/IEC 27000 family of standards, principally ISO/IEC 27001 (the ISMS certification standard) and to a lesser extent ISO/IEC 27002 (the code of practice for information security management). It is also meant to help those who are implementing or have implemented the ISO/IEC 27000 family of standards to conduct internal audits and management reviews of their ISMS. Like the other related standards, it is generic and needs to be tailored to the specific requirements of each situation. In particular, it points out that audits are best planned and conducted in relation to the risks facing the organization being audited; in other words, the starting point for audit planning is an initial assessment of the main risks (commonly known as a pre-audit survey or gap analysis). As with ISO/IEC 27001 and ISO/IEC 27002, being risk-based provides a natural priority to the audit tests and relates directly to the organization's business requirements for information security.

1.2 Principles of auditing
- Important but generic audit principles, e.g. independent evaluation against agreed criteria, plus more specific principles aimed at ISMS audits.
- In all matters related to the audit, the ISMS auditor should be independent of the auditee in both attitude and appearance. The ISMS audit function should be independent of the area or activity being reviewed to permit objective completion of the audit assignment.
- Information security is a dynamic field with frequent changes to the risks (i.e. the threats, vulnerabilities and/or impacts), controls and environment. It is therefore important that auditors auditing information security controls should maintain knowledge of the state of the art (e.g. emerging information security threats and currently-exploited vulnerabilities) and the organizational situation (e.g. changing business processes and relationships, technology changes).

1.3 Managing an audit programme
- Advice on planning and scoping individual ISMS audits within the overall audit work programme, e.g. the idea of combining wide but shallow ISMS audits with more narrow but deeper audits on areas of particular concern.
- ISMS audits at multi-site organizations including multinationals and 'group' structures, where comparisons between the ISMSs in operation within individual business units can help share and promote good practices.
- Auditing business partners' ISMSs, emphasizing the value of ISO/IEC 27001 certification as a means of gaining a level of confidence in the status of their ISMSs without necessarily having to do the audit work.
- Developing an internal program for auditing the ISMS.

From an IRCA point of view, you develop an Audit Plan when preparing to audit an organization. This plan is derived from the "Scope of Registration" document that an individual fills out when requesting a certification audit from a registrar. Besides the scope of registration, the domain definition will also feed the audit plan.
The activities performed by a network auditor as per the Information Security Management Systems (ISMS) standards are as below:

Fig-1: Audit Activities of Networks

The following checklist is common. It reflects and refers to ISO/IEC 27001's requirements for Information Security Management Systems without regard to any specific ISMS requirements that an individual organization might have (for example if they are subject to legal, regulatory or contractual obligations to implement particular information security controls).

The checklist is primarily intended to guide, or to be adapted and used by, competent auditors including those working for internal audit functions, external audit bodies and ISMS certification bodies. It can also be used for internal management reviews of the ISMS, including pre-certification checks to determine whether the ISMS is in a fit state to be formally audited. Finally, it serves as a general guide to the likely depth and breadth of coverage in ISMS certification audits, helping the organization to prepare the necessary records and information (identified in bold below) that the auditors will probably want to review.

The audit tests noted below are intended as prompts or reminders of the main aspects to be checked by competent, qualified and experienced IT auditors. They do not cover every single aspect of ISO/IEC 27001. They are not meant to be asked verbatim or checked off piecemeal. They are not suitable for use by inexperienced auditors working without supervision.
Chapter 2
2. Technique description

2.1 Sahi Architecture
The architecture of Sahi allows Sahi to be used on any browser or operating system. Sahi relies on two core technologies/concepts:
1. HTTP proxy – to inject code
2. JavaScript code – to find elements and emulate actions
Both these technologies are basic building blocks of internet technologies and will necessarily be supported by all browsers, making Sahi very easily extensible to newer browsers or newer versions of browsers.

Sahi uses an HTTP proxy at its core to inject JavaScript into web pages. The injected JavaScript uses custom code to identify elements in the browser and simulate actions like click, type etc. on them.

Fig-2: Java based proxy server injects JavaScript code

HTML responses which pass through the proxy are modified such that JavaScript is injected at the start and the end of the response. This allows the browser to record and play back scripts and talk back to the proxy when needed. Apart from handling requests for pages that the browser requests, Sahi's proxy also handles custom commands related to recording, playback etc. which the browser sends.
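The response-rewriting step described above, as an added example that is not Sahi's own code: a Python model of a recording proxy injecting one script at the start and one at the end of every HTML response, while passing non-HTML and already-compressed responses through untouched and keeping Content-Length consistent. The `/_s_/inject.js` path, the `__recorder` hook, lowercase header keys and the sample responses are all constructed assumptions.

```python
# Added example, not Sahi's own code: a minimal model of the rewrite a
# recording proxy applies to HTML responses. Header keys are assumed to be
# lowercase, as a proxy would normalise them before this step.
import re
from typing import Dict, Tuple

INJECT_URL = "/_s_/inject.js"  # hypothetical path served by the proxy itself
HEAD_TAG = b'<script src="' + INJECT_URL.encode() + b'"></script>'
TAIL_TAG = b"<script>window.__recorder && window.__recorder.ready();</script>"


def is_injectable(headers: Dict[str, str]) -> bool:
    """Rewrite only plain, uncompressed HTML; everything else passes through."""
    ctype = headers.get("content-type", "").lower()
    enc = headers.get("content-encoding", "identity").lower()
    return ctype.startswith("text/html") and enc in ("", "identity")


def inject(headers: Dict[str, str], body: bytes) -> Tuple[Dict[str, str], bytes]:
    """Return (headers, body) with one script at the start and one at the end.

    The start tag goes right after <head> when present (so it runs before the
    page's own scripts), else at offset 0; the end tag goes before the last
    </body>, else is appended. Content-Length is corrected if it was set.
    """
    if not is_injectable(headers):
        return headers, body
    head = re.search(rb"<head[^>]*>", body, re.IGNORECASE)
    start = head.end() if head else 0
    out = body[:start] + HEAD_TAG + body[start:]
    end = out.lower().rfind(b"</body>")
    out = out + TAIL_TAG if end == -1 else out[:end] + TAIL_TAG + out[end:]
    new_headers = dict(headers)
    if "content-length" in new_headers:
        new_headers["content-length"] = str(len(out))
    return new_headers, out


# Constructed sample responses (not captured from any real site).
SAMPLE_HTML = (b"<html><head><title>Login</title></head>"
               b"<body><form id='login'></form></body></html>")
SAMPLE_JSON = b'{"user": "alice"}'


def demo() -> Tuple[bytes, bytes]:
    """Run both samples through the proxy step; JSON must come back unchanged."""
    _, html = inject({"content-type": "text/html; charset=utf-8",
                      "content-length": str(len(SAMPLE_HTML))}, SAMPLE_HTML)
    _, json_body = inject({"content-type": "application/json"}, SAMPLE_JSON)
    return html, json_body


if __name__ == "__main__":
    html, json_body = demo()
    print(html.decode())
    print(json_body == SAMPLE_JSON)
```

Because every page the browser loads passes through this rewrite, the proxy listener (localhost:9999 in Sahi's case) is a trusted component of the test environment, and the browser's proxy setting should be restored once testing is over.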
Chapter 3
3. Description of the tool used for simulation

3.1 Getting Started

3.2 Prerequisites
Java 1.5 or above is needed for running Sahi.

3.3 Download Sahi OS
Download Sahi OS from http://sahi.co.in

3.4 Installation of Sahi
Once Sahi is downloaded, double click on the jar file to run the installer.

Fig-3: Sahi dashboard

3.5 Starting Sahi
Start the Sahi Dashboard by any of the following methods:
1) Double click on the desktop shortcut
2) Go to Start -> All Programs -> Sahi -> Start Sahi
3) Start from the command line. Windows: go to <Sahi>\userdata\bin and run start_dashboard.bat
The Sahi Dashboard starts the Sahi proxy and allows launching of different browsers. Sahi automatically modifies the browser's proxy settings, so that requests go through the Sahi Proxy (localhost:9999).
Chapter 4
4. Experiments and Results

4.1 Recording through Sahi
- Click on any browser on the Dashboard. A browser window should open with the following screen.

Fig-4: Sahi controller

- Press ALT and double click on the window which you want to record. The Sahi Controller will pop up. (If that does not work, press the CTRL and ALT keys together and then double click. Make sure popup blockers are turned off.)
- On the controller, go to the Record tab. Give a name for the script, and click 'Record'. (.sah is optional)
- Navigate on your website like you normally would. Most actions on the page will now get recorded.
- Add an assertion:
  i) Move the mouse over any HTML element while pressing the Ctrl key. The Accessor field will get populated in the controller.
  ii) Click the "Assert" button to generate assertions for the element. They will appear in the "Evaluate Expression" box.
  iii) Click "Test —>" to check that the assertions are true. You can evaluate any JavaScript using "Evaluate Expression" and "Test —>". Actions performed via the controller will not be automatically recorded; only actions performed directly on the page are automatically recorded. This lets you experiment on the webpage at recording time without impacting the script.
  iv) Once satisfied, click on "Append to Script". This will add the assertions to the script.
  v) Click "Stop" to finish recording.
Fig-5: Sahi recording

Note that the controller can be closed and reopened at any time, without disrupting recording. The recorded script is stored in the <sahi_pro>\userdata\scripts directory. The recorded script can be viewed and edited easily through any text editor. Sahi scripts are simple text files which use JavaScript syntax. The script can be edited even while recording, so that logical segregation into functions etc. can be done as recording happens.

4.2 Playing back through Sahi
Running a test from the controller:
- Open the Sahi controller (ALT + double click on the page).
- Click on the "Playback" tab.
- Enter the script name in the "File:" field (with the help of the auto-completion feature).
- Enter the start URL of the test, e.g. if you had started recording from http://sahi.co.in/demo/training/, use that URL.
- Click 'Set'.
- Click 'Play'.
Steps will start executing, and the controller will be updated accordingly. Once finished, SUCCESS or FAILURE will be displayed at the end of the steps.

4.3 View Logs
On the controller, go to the Playback tab and click on the "View Logs" link at the bottom right. It will open a window with the results neatly formatted in HTML. Clicking on a line in the logs will drill down to the exact line in the script. Logs show all passed assertions in green; if an assertion has failed it will show in red. You can click on any of these lines to go to the line of script to debug.
Chapter 5
5. Problem extended for dissertation
Small and medium business enterprises are financially constrained, and for them it is difficult to pay a lot of money to an auditor. At the same time, many legal and regulatory requirements which aim at protecting sensitive or personal data, as well as general public security requirements, impel them to devote the utmost attention and priority to information security risks. If a service is not tested then there will be no information about its security or insecurity. A security audit is unlikely to provide information about new vulnerabilities, especially those discovered after the test is carried out. Vulnerability assessments that include careful diagnostic reviews of all servers and network devices will definitely identify more issues faster than a "black box" test.

The chief objective of this work is to do pre-auditing in order to minimize the cost and time of auditing in small and medium business enterprises.
Chapter 6
6. Timeline Chart of work done and work to be completed
i) Testing of web applications, recording and playback has been completed.
ii) Survey of available network auditing tools and their efficiency vis-a-vis each other has been completed.
iii) Study of ISMS standards for network auditing has been completed.
iv) Performance of network audit tools has to be checked.
v) Integration and assimilation of tools has to be done for the selected SMB.
vi) A cost-effectiveness report of the environment developed has to be made.