2. Verification & Validation
The process of checking that a product,
service, or system meets its specifications and
fulfills its intended purpose. These are
critical components of a quality management
system such as ISO 9000. Sometimes
preceded by "Independent" (IV&V) to
ensure the validation is performed by a
disinterested third party.
3. Verification
A quality control process used to
evaluate whether or not a product, service,
or system complies with the regulations,
specifications, or conditions imposed at the
start of a development phase. Verification
can take place in development, scale-up, or
production. This is often an internal process.
4. Validation
A quality assurance process of
establishing evidence that provides a
high degree of assurance that a product,
service, or system accomplishes its
intended requirements. This often
involves acceptance of fitness for
purpose by end users and other
product stakeholders.
5. Evaluation
a) analysis and checking of process(es) and procedure(s);
b) checking that process(es) and procedure(s) are being applied;
c) analysis of the correspondence between TOE design
representations;
d) analysis of the TOE design representation against the
requirements;
e) verification of proofs;
f) analysis of guidance documents;
g) analysis of functional tests developed and the results provided;
h) independent functional testing;
i) analysis for vulnerabilities (including flaw hypothesis);
j) penetration testing.
8. CC Paradigm vs. System Acquisition Paradigm
CC Paradigm | System Acquisition Paradigm | Observations Regarding Commonality Among CC and Acquisition Paradigms
Protection Profile (PP) | Request for Proposals | Provides customer desires, needs, and requirements: "What is wanted"
Security Target (ST) | Proposals | Indicates how the above will be satisfied by suppliers: "What will be provided"
Target of Evaluation (TOE) | Delivered System | Is the supplier's physical manifestation of the above
Evaluated System | Accepted System | Shows that the three preceding representations are sufficiently consistent
11. Significance of Vulnerability
a) eliminated -- that is, active steps should be taken to
expose, and remove or neutralize, all exercisable
vulnerabilities;
b) minimised -- that is, active steps should be taken to
reduce, to an acceptable residual level, the potential
impact of any exercise of a vulnerability;
c) monitored -- that is, active steps should be taken to
ensure that any attempt to exercise a residual
vulnerability will be detected so that steps can be taken
to limit the damage.
12. Causes of Vulnerability
a) requirements -- that is, an IT product may possess
all the functions and features required of it and still
contain vulnerabilities that render it unsuitable or
ineffective with respect to security;
b) development -- that is, an IT product does not meet
its specifications and/or vulnerabilities have been
introduced as a result of poor development standards or
incorrect design choices;
c) operation -- that is, an IT product has been
constructed correctly to a correct specification but
vulnerabilities have been introduced as a result of
inadequate controls upon its operation.
13. CC: Evaluation Assurance Level
(EAL)
EAL1 : Functionally Tested
EAL2 : Structurally Tested
EAL3 : Methodically Tested and Checked
EAL4 : Methodically Designed, Tested, and
Reviewed
EAL5 : Semi-formally Designed and Tested
EAL6 : Semi-formally Verified Design and
Tested
EAL7 : Formally Verified Design and Tested.
Applied according to the circumstances or criteria
set by the user's needs.
15. Classes in CC
Security Audit
Communication
Cryptographic
User Data Protection
Identification and Authentication
Security Management
Privacy
Protection of TSF
Resource Utilization
TOE Access
Trusted Path/Channel
16. Classes in ASVS
Security Architecture
Authentication
Session Management
Access Control
Input Validation
Coding
Cryptography
Error Handling and Logging
Data Protection
Communication Security
HTTP Security
Security Configuration
Malicious Finding
Internal Security
18. Information Security Testing and
Assessment Methodology (NIST, 2008)
Planning
Information gathering about the TOE, the threats, the access
controls that address the threats, and the evaluation approach.
Creating a project management plan covering the objectives, scope,
requirements, team roles and responsibilities, constraints, success
indicators, assumptions, resources, timeline and deliverables.
Execution
Identify vulnerabilities and validate them properly.
Carry out the security assessment methods and techniques.
The end result is the identification of vulnerabilities in computer
systems and in organizational processes.
Post-Execution
Analyze the identified vulnerabilities to determine their root
causes, define mitigation recommendations, and produce the
final report.
19. Assessment Techniques
Review
Examination techniques used to
evaluate systems, applications, networks, policies and
procedures in order to find vulnerabilities.
Target Identification and Analysis
Identify systems, ports, services and potential vulnerabilities.
Can be done manually or using
tools.
Target Vulnerability Validation
Proving the vulnerabilities that were found.
Ex: password cracking, penetration testing, and
social engineering.
26. Trifecta
How do current operations work?
Use of metrics to determine the problem
domain.
How do they work differently from how
management thinks they work?
Access to policy and trust/risk assessment,
mapped onto the problem metrics.
How do they need to work?
Where there is a gap between the metrics and the policy or
the risk assessment.
28. Methodology (OSSTMM)
1. Passively collect data of normal operations to comprehend the target.
2. Actively test operations by agitating operations beyond the normal
baseline.
3. Analyze data received directly from the operations tested.
4. Analyze indirect data from resources and operators (i.e. workers,
programs).
5. Correlate and reconcile intelligence from direct (step 3) and indirect
(step 4) data test results to determine operational security processes.
6. Determine and reconcile errors.
7. Derive metrics from both normal and agitated operations.
8. Correlate and reconcile intelligence between normal and agitated (steps
1 and 2) operations to determine the optimal level of protection and
control which would best be implemented.
9. Map the optimal state of operations (step 8) to processes (step 5).
10. Create a gap analysis to determine what enhancements are needed for
processes governing necessary protection and controls (step 5) to
achieve the optimal operational state (step 8) from the current one.
29. 6 Steps of Security Analysis
1. Build your knowledge of the target from a variety of the most
contemporary, factual resources while avoiding commercially biased
and speculative information.
2. Determine the global level of experience for the type of target and the
amount of information possibly known about it.
3. Determine any bias or ulterior motives in the information sources.
4. Translate jargon from information sources to similar or known words
for comparison because what may sound new or complicated may just
be a trick to differentiate something common.
5. Be sure the test equipment has been properly calibrated and the test
environment verified to assure the results are not contaminated by the
test itself.
6. Assure that the translation state of tools or test processes has been
removed as much as possible so that the results do not come from the
indirect sources in a process or the pre-analysis from some tools.
30. Verification Decisions
Unknown
Untested Target
Identified and Verified Limitation
False Positives and the means to generate
them
Failed Security Process and Procedure
Good Practices
Compliance
31. Network Sniffing
Record all network traffic as material for analysis.
Tools
TCPDUMP
WIRESHARK/TSHARK
Placement of the equipment is important because it must
genuinely be able to capture the desired communication.
Must be installed on site; it cannot be done remotely.
Example: NetFlow technology, by contrast, can be done
remotely.
32. Network Discovery
Test which targets are alive.
A simple test using 'ping' fails to detect hosts behind a firewall
because the firewall rejects the ping request.
33. Port and Services Scanning
Try all possible ports, 1 – 11000 for example.
Test using standard communication to determine TCP or UDP.
TCP test
Send SYN packet to target.
Target replies by sending ACK packet.
Send SYN ACK to target to start communication.
Connection established.
UDP Test
If the sent UDP packet gets no response, the port is assumed open.
If the sent UDP packet gets a response, the port is assumed closed, or
open but not a UDP service.
Tools: Nmap and Hping
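The two preceding slides describe capturing traffic with tcpdump and probing ports with SYN packets. The following Python script is an added example, not part of the original slides or of any tool they mention, and shows the defender's side of the same material: it parses tcpdump-style TCP lines and flags sources whose bare SYNs touch many distinct ports on a host, the signature a SYN scan leaves in a capture. The capture lines are constructed for the example (RFC 5737 documentation addresses), and the threshold of 5 distinct ports is an assumed tuning value, not a standard.

```python
import re
from collections import defaultdict

# Constructed sample lines that mimic `tcpdump -n` output; this is not a real capture.
# 192.0.2.10 sends bare SYNs to six different ports on one host (a scan pattern);
# 203.0.113.7 completes a normal three-way handshake to port 443.
# The last line is a UDP packet and carries no TCP flags, so the parser skips it.
SAMPLE_CAPTURE = """\
10:00:01.000101 IP 192.0.2.10.40001 > 198.51.100.5.22: Flags [S], seq 1, win 1024, length 0
10:00:01.000202 IP 192.0.2.10.40002 > 198.51.100.5.80: Flags [S], seq 1, win 1024, length 0
10:00:01.000303 IP 192.0.2.10.40003 > 198.51.100.5.443: Flags [S], seq 1, win 1024, length 0
10:00:01.000404 IP 192.0.2.10.40004 > 198.51.100.5.3306: Flags [S], seq 1, win 1024, length 0
10:00:01.000505 IP 192.0.2.10.40005 > 198.51.100.5.8080: Flags [S], seq 1, win 1024, length 0
10:00:01.000606 IP 192.0.2.10.40006 > 198.51.100.5.5432: Flags [S], seq 1, win 1024, length 0
10:00:02.000101 IP 203.0.113.7.51000 > 198.51.100.5.443: Flags [S], seq 99, win 64240, length 0
10:00:02.000202 IP 198.51.100.5.443 > 203.0.113.7.51000: Flags [S.], seq 5, ack 100, win 65535, length 0
10:00:02.000303 IP 203.0.113.7.51000 > 198.51.100.5.443: Flags [.], ack 6, win 64240, length 0
10:00:03.000101 IP 192.0.2.10.40007 > 198.51.100.5.22: Flags [S], seq 1, win 1024, length 0
10:00:04.000101 IP 192.0.2.10.40008 > 198.51.100.5.53: UDP, length 32
"""

# One TCP line of tcpdump output: timestamp, addresses with a trailing .port, and the flag set.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict for a TCP line, or None for lines without TCP flags (UDP, ARP, ...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def detect_port_scans(capture_text, threshold=5):
    """Map each source IP to the sorted destination ports it probed with bare SYNs
    (flags exactly "S"), keeping only sources that touched at least `threshold`
    distinct ports.  The threshold is an assumed tuning value for this example."""
    probed = defaultdict(set)
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["flags"] != "S":
            continue
        probed[pkt["src"]].add(pkt["dport"])
    return {src: sorted(ports) for src, ports in probed.items() if len(ports) >= threshold}


def handshake_completion(capture_text):
    """Per source: (bare SYNs sent, SYN-ACKs received).  A scanner shows many SYNs
    and few completions, while a normal client shows roughly one SYN-ACK per SYN."""
    syns = defaultdict(int)
    answered = defaultdict(int)
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["flags"] == "S":
            syns[pkt["src"]] += 1
        elif pkt["flags"] == "S.":
            answered[pkt["dst"]] += 1  # the SYN-ACK flows back to the original sender
    return {src: (syns[src], answered[src]) for src in syns}


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_CAPTURE).items():
        print(f"possible port scan from {src}: {len(ports)} ports {ports}")
    print(handshake_completion(SAMPLE_CAPTURE))
```

Run it on real data with `tcpdump -n 'tcp[tcpflags] & tcp-syn != 0' > capture.txt` and feed the file to `detect_port_scans`; the sensor must sit where it sees the traffic, which is the placement point the Network Sniffing slide makes. The SYN/SYN-ACK ratio from `handshake_completion` separates a scanner, which rarely completes handshakes, from a busy but legitimate client.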