Open Information Systems Security Group
A not-for-profit Organization

….Share and Build your knowledge

Christian Martorella
christian.martorella@oissg.org
laramies@gmail.com
Presentation

•   What is the OISSG?
•   Vision
•   Mission
•   Objectives for 2006
•   Strategy
•   Projects
       Framework development
       Conferences
       Local chapters
       Security challenges
       Security Awareness
       Security Research & Labs
       Accreditations
What is the OISSG?

•   An independent, volunteer-run, not-for-profit
    organization.
•   Provides free resources to the community.
       Frameworks, methodologies, standards,
       articles.
       Tools for security audits and for
       implementing security.
       Conferences and mailing lists
       Knowledge base

•   Focused primarily on solving the problems
    related to security assessments.
What is the OISSG?...

• What do we provide?
   Frameworks
     Information Systems Security Assessment Framework (ISSAF)
     Computer Crime Investigation Framework (CCIF)
     Security Essentials Framework
   Software
     Password Auditing (LeptonCrack)
     Database Security (Metacoretex-NG)
     Windows, Linux and Solaris Security
   Research initiatives
   Local chapters
Our Vision

Spread information security awareness. Provide a medium where security enthusiasts and professionals from all over the world share and build
Our Mission

To achieve our vision, the OISSG will determine what the professional needs are, and will allocate resources to create processes to develop

To achieve its Vision OISSG will determine utmost professional need, it will
Objectives 2006

•   Primary objectives
       Release the next draft version of ISSAF.
       Facilitate acceptance by key executives that
       ISSAF is a comprehensive framework for
       conducting security assessments.
       Accredit professionals in Security
       Assessment.
       Publish the first draft version of the
       Computer Crime Investigation Framework (CCIF)
Objectives 2006…

•   Secondary objectives
•   Increase the number of members
       Develop localized presence
        Set up 50 Local Chapters
       Organize (expand) Conferences
       Set up on-line research labs for members
       Organize Security Assessment challenges
       Build Computer Security Incident Response
       Teams (CSIRT)
       Spread Security Awareness
Strategy

•   Identify critical areas of information security
    that are partially explored or unexplored.
•   Create teams to work on those areas.
•   Ensure that the final results of that work
    reach end users.
•   Work with other groups that share the same
    objectives and resources.
Information Systems Security Assessment
Framework (ISSAF)

   Mission:
   Research, develop, publish and promote a
   complete, practical, community-accepted
   Framework for conducting Systems
   Security Assessments.
ISSAF…

•   Already established standards:
       NSA IAM: http://www.nsa.gov/isso/iam/index.htm
       CESG CHECK: http://www.cesg.gov.uk/site/check/index.cfm

•   All methodologies and frameworks talk about
    the “What”; ISSAF, by contrast, talks about the
    “What, When, Where and Why” and also about
    the HOW.

•   ISSAF addresses practical, real-world problems.

•   Adds value with a structured, effective security
    assessment and an effective approach.
ISSAF…

•   Its primary value will derive from the fact that it
    frees security practitioners from having to invest in
    commercial resources or extensive internal research
    to address their information security needs.

•   Will evolve into a comprehensive body of
    knowledge for organizations seeking to conduct
    their assessments independently and neutrally.

•   It will be the first framework to provide validation
    for bottom-up security strategies such as
    penetration testing as well as top-down approaches
    such as an audit checklist for information policies.
Framework structure: Enterprise Assessment Framework

   Identify Gross Risk
   Evaluate Enterprise Information Security Policy
   Evaluate Enterprise Information Security Organization & Management
   Assess Enterprise Security & Controls
       Physical and Environmental Security
       Technical Controls Assessment
       Secure Application Development
       Security Awareness
   Evaluate Enterprise Security Operations Management
       Capacity Management
       Vulnerability Management
       Patch Management
       Release Management
       Configuration Management
       Enterprise Incident Management
       Change Management
       Security Awareness Program
   Assess Business Continuity and Disaster Recovery Planning
   Evaluate Legal and Regulatory Compliance
   Manage Residual Risks
ISSAF – Table of Contents

•   About ISSAF
•   Assessment Framework
•   Engagement Management
•   Best Practices – Pre Assessment, Assessment And Post Assessment
•   Enterprise Security Policy
•   Enterprise Security Organization & Management
•   Assess Enterprise Security & Controls
       Penetration Testing - Methodology
       Penetration Testing Methodology: Descriptive – (Continue….)
       Password Security
       Password Cracking Strategies
       Unix/Linux System Security Assessment
       Windows System Security Assessment
       Novell Netware Security Assessment
       Database Security Assessment
ISSAF – Table of Contents…

   WLAN Security Assessment
   Switch Security Assessment
   Router Security Assessment
   Firewall Security Assessment
   Intrusion Detection System Security Assessment
   VPN Security Assessment
   Anti-virus System Security Assessment And Management Strategy
   Web Application Security Assessment
   Web Application Security (Continue…) SQL Injections
   Web Application Security (Continue…) Web Server Security Assessment
   Storage Area Network (SAN) Security
   Internet User Security
   AS/400 Security
   Lotus Notes Security
ISSAF – Table of Contents…

       Source Code Auditing
       Binary Auditing
       Application Security Evaluation Checks
•   Social Engineering

•   Physical Security Assessment

•   Enterprise Security Operations Management

•   Security Awareness

•   Outsourcing Security Concerns

•   Business Continuity Planning And Disaster Recovery
ISSAF – Table of Contents…

•   Legal And Regulatory Compliance

•   Incident Analysis

•   Knowledge Base
       Build Foundation
       Desktop Security Check-list - Windows
       Linux Security Check-list
       Solaris Operating System Security Check-list
       Penetration Testing Lab Design
       Links
       Templates / Others
ISSAF - Relationships with other standards

• Committees were created to
  map ISSAF to existing
  standards.
     SAS70
     COBIT
     SOX
     BS7799
     BASEL-II (coming soon)
Computer Crime Investigation Framework (CCIF)

  • What the CCIF covers:
      Processes for Incident
      Management.
      Windows Forensics
      *nix Forensics
      Router Forensics
      Hacking Tool Forensics

  • Release date?
Local chapters

•   Objective - Share and Build knowledge
        Established 39 Chapters in 22 countries
•   Activities by local chapters
        Organizing periodic conferences/seminars
        and workshops for sharing and building knowledge
        Organizing periodic informal meetings on
        each other's developments
        Discussing contributions to security projects
        Visibility through representation in the media
        Promotions
•   How will OISSG local chapters help you?
        Knowledge sharing
        Building and managing knowledge through documentation
        Know what your other friends are doing
        Introduce you to experts in the information
        security industry
        Keep yourself updated with the latest
        happenings in the security industry
Security research

•   Researching:
      Vulnerability Research
      Password Security
      Research
      Flawless Port Scanning
      Database Security
      (Metacoretex-NG)

•   Top-tier researchers.
Security research

•   Vulnerability Research team is actively
    working on:
       Software Code Auditing
       Reverse Engineering
       Exploit Code/Proof-of-concept Analysis and
       Development
•   Key achievements
       Developed a standard for Binary Auditing
       Found one vulnerability in one anti-virus product
       A process for vulnerability disclosure has been developed

•   How to become part of this team:
       Contact research@oissg.org
       Subscribe to vuln@oissg.org

•   Tools Development
       A tools development plan is in progress for
       the automation of ISSAF
Security research

•   Password Security
    Research Team
        Lepton Crack – One of the best
        password cracking tools in the
        world
        A process for Password Security
        Audit has been developed
        Project Director – Bernardo
        Reino (aka Lepton)

•   Flawless Port Scanning

•   Information Risk
    Management

•   Business Continuity
Research Labs

•   HoneyNets in multiple locations

•   Identification of emerging security needs

•   Delivering solutions to critical security needs
Certifications

•   Proposed Certifications
     OISSG Certified
     Penetration Tester (OCPT)
     OISSG Certified Security
     Assessor (OCSA)
Thank you very much

      Fire at Will!
  • 13. Framework structure Enterprise Assessment Framework Identify Gross Risk Evaluate Enterprise Information Security Policy Evaluate Enterprise Information Security Organization & Management A not-for-profit Organization Assess Enterprise Security & Evaluate Enterprise Security Controls Operations Management Physical and Environmental Security Capacity Management Technical Controls Assessment Vulnerability Management Patch Management Secure Application Development Release Management Configuration Management Security Awareness Enterprise Incident Management Change Management Security Awareness Program Assess Business Continuity and Disaster Recovery Planning Evaluate Legal and Regulatory Compliance Manage Residual Risks
  • 14. ISSAF – Tabla de Contenidos • About ISSAF • Assessment Framework • Engagement Management • Best Practices– Pre Assessment, Assessment And Post Assessment A not-for-profit Organization • Enterprise Security Policy • Enterprise Security Organization & Management • Assess Enterprise Security & Controls Penetration Testing - Methodology Penetration Testing Methodology: Descriptive – (Continue….) Password Security Password Cracking Strategies Unix /Linux System Security Assessment Windows System Security Assessment Novell Netware Security Assessment Database Security Assessment
  • 15. ISSAF – Tabla de contenidos… WLAN Security Assessment Switch Security Assessment Router Security Assessment Firewall Security Assessment Intrusion Detection System Security Assessment A not-for-profit Organization VPN Security Assessment Anti-virus System Security Assessment And Management Strategy Web Application Security Assessment Web Application Security (Continue…) SQL Injections Web Application Security (Continue…) Web Server Security Assessment Storage Area Network (San) Security Internet User Security As 400 Security Lotus Notes Security
  • 16. ISSAF – Tabla de contenidos… Source Code Auditing Binary Auditing Application Security Evaluation Checks A not-for-profit Organization • Social Engineering • Physical Security Assessment • Enterprise Security Operations Management • Security Awareness • Outsourcing Security Concerns • Business Continuity Planning And Disaster Recovery
  • 17. ISSAF – Tabla de Contenidos… • Legal And Regulatory Compliance • Incident Analysis • Knowledge Base A not-for-profit Organization Build Foundation Desktop Security Check-list - Windows Linux Security Check-list Solaris Operating System Security Check-list Penetration Testing Lab Design Links Templates / Others
  • 18. ISSAF - Relaciones con otros estandares • Se crearon comites mapear ISSAF con standares existentes. A not-for-profit Organization SAS70 COBIT SOX BS7799 BASEL-II (coming soon)
  • 19. Computer Crime Investigation Framework (CCIF) • Que cubre el CCIF: Procesos para la A not-for-profit Organization Administración de Incidentes. Windows Forensics *nix Forensics Router Forensics Hacking Tool Forensics • Fecha de lanzamiento?
  • 20. Capitulos locales • Objective - Share and Build knowledge Established 39 Chapters in 22 countries • Activities by local chapters Organizing periodic conferences/seminars and Workshops for sharing and building knowledge Organizing periodic informal meetings for A not-for-profit Organization each others developments Discuss contribution in security projects Visibility by representation in Media Promotions • How OISSG local chapters will help you? Knowledge Sharing Building and managing knowledge by documentation Know what your other friends are doing Introduce you to experts in information security industry Keep yourself updated with latest happening in security industry
  • 21. Investigación en seguridad • Investigando en: Vulnerability Research Password Security Research A not-for-profit Organization Flawless Port Scanning Database Security (Metacoretex-NG) • Investigadores de primer nivel.
  • 22. Investigación en seguridad • Vulnerability Research team is actively working on: Software Code Auditing Reverse Engineering Exploit Code/Proof-of-concept Analysis and Development A not-for-profit Organization • Key achievements Developed standard for Binary Auditing Found one Vulnerability in one Anti-Virus product Process for Vulnerability Disclosure is developed • How to become part of this team: Contact research@oissg.org Subscribe to vuln@oissg.org • Tools Development Tools development plan is in process for automation of ISSAF
  • 23. Investigación en seguridad • Password Security Research Team Lepton Crack – One of the best password cracking tool in the A not-for-profit Organization world Process for Password Security Audit is developed Project Director – Bernardo Reino (aka Lepton) • Flawless Port Scanning • Information Risk Management • Business Continuity
  • 24. Laboratorios de Investigación • HoneyNet’s in multiple locations • Identification of emerging security needs A not-for-profit Organization • Delivering solutions on critical security needs
  • 25. Certificaciones • Proposed Certification OISSG Certified A not-for-profit Organization Penetration Tester (OCPT) OISSG Certified Security Assessor (OCSA)
  • 26. Muchas gracias A not-for-profit Organization Fire at Will!