This document discusses IT security assessments. It defines assessments and common assessment types like vulnerability assessments and penetration tests. It outlines the assessment lifecycle of planning, information gathering, assessments of business processes and technology, risk analysis, and reporting. It provides details on determining assessment scope, identifying tools, techniques for various types of assessments, legal considerations, and post-assessment activities. The goal of assessments is to provide assurance and make risk-based security decisions.

1. Donald Hester
October 21, 2010
For audio call Toll Free 1-888-886-3951
and use PIN/code 158313
IT Best Practices:
IT Security Assessments

2. • Maximize your CCC Confer window.
• Phone audio will be in presenter-only mode.
• Ask questions and make comments using the chat window.
Housekeeping

3. Adjusting Audio
1) If you’re listening on your computer, adjust your volume using
the speaker slider.
2) If you’re listening over the phone, click on phone headset.
Do not listen on both computer and phone.

4. Saving Files & Open/close Captions
1. Save chat window with floppy disc icon
2. Open/close captioning window with CC icon

5. Emoticons and Polling
1) Raise hand and Emoticons
2) Polling options

6. Donald Hester
IT Best Practices:
IT Security Assessments

7. Donald E. Hester
CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+
Director, Maze & Associates
University of San Francisco / San Diego City College / Los Positas College
www.LearnSecurity.org
http://www.linkedin.com/in/donaldehester
http://www.facebook.com/group.php?gid=245570977486
Email:
DonaldH@MazeAssociates.com

8. Situation
 Organizations are becoming increasingly
dependent on technology and the
Internet
 The loss of technology or the Internet
would bring operations to a halt
 The need for security increases as our
dependence on technology increases
 Management wants to have assurance
that technology has the attention it
deserves8

9. Questions
 Does our current security posture
address what we are trying to protect?
 Do we know what we need to protect?
 Where can we improve?
 Where do we start?
 Are we compliant with laws, rules,
contracts and organizational policies?
 What are your risks?
9

10. Reason
 Provide Assurance
 Demonstrate due diligence
 Make risk based decisions
10

11. Terms
 Assessment
 Audit
 Review
 ST&E = Security Test & Evaluation
 Testing
 Evaluation
11

12. Assessment Lifecycle
Planning
Information
Gathering
Business
Process
Assessment
Technology
Assessment
Risk
Analysis &
Reporting
12

13. Common Types of Assessments
 Vulnerability Assessment
 Penetration Test
 Application Assessment
 Code Review
 Standard Audit/Review
 Compliance Assessment/Audit
 Configuration Audit
 Wireless Assessment
 Physical/Environmental Assessment
 Policy Assessment
13

14. Determine your Scope
 What will be the scope of the
assessment?
• Network (Pen Test, Vul Scan, wireless)
• Application (Code or Vul scan)
• Process (business or automated)
 How critical is the system you are
assessing?
• High, medium – use independent assessor
• Low – self assessment
14

15. Identify and Select Automated Tools
 Computer Assisted Audit Techniques or
Computer Aided Audit Tools (CAATS)
 Computer Assisted Audit Tools and
Techniques (CAATTs)
• SQL queries
• Scanners
• Excel programs
• Live CDs
• Checklists
15

16. Checklists
 AuditNet
• www.auditnet.org
 ISACA & IIA
• Member Resources
 DoD Checklists
• iase.disa.mil/stigs/checklist/
 NIST Special Publications
• csrc.nist.gov/publications/PubsSPs.html
16

17. Live CD Distributions for Security
Testing
 BackTrack
 Knoppix Security Tool Distribution
 F.I.R.E.
 Helix
17

18. Review Techniques
 Documentation Review
 Log Review
 Ruleset Review
 System Configuration Review
 Network Sniffing
 File Integrity Checking
18

19. Target Identification and Analysis
Techniques
 Network Discovery
 Network Port and Service Identification
• OS fingerprinting
 Vulnerability Scanning
 Wireless Scanning
• Passive Wireless Scanning
• Active Wireless Scanning
• Wireless Device Location Tracking (Site Survey)
• Bluetooth Scanning
• Infrared Scanning
19

20. Target Vulnerability Validation
Techniques
 Password Cracking
• Transmission / Storage
 Penetration Testing
• Automated / Manual
 Social Engineering
• Phishing
20

21. Checklists / MSAT
 Microsoft Security Assessment Tool
(MSAT)
21

22. GRC Tools
Governance
RiskCompliance
22
Dashboards
Metrics
Checklists
Reporting
Trend Analysis
Remediation

23. Test Types
 Black Box Testing
• Assessor starts with no
knowledge
 White Box Testing
• Assessor starts with knowledge
of the system, i.e. the code
 Grey Box Testing
• Assessor has some knowledge,
not completely blind
23

24. Verification Testing
Input • Data
Entry
Data
Collection
• Database
Storage
Output • Reports
24
Verification
Match

25. Application testing
 Code Review
• Automated/Manual
 Vulnerability scanning
 Configuration review
 Verification testing
 Authentication
 Information leakage
 Input/output Manipulation
25

26. Database Auditing
 Native Audit (Provided by DB)
 SIEM & Log Management
 Database Activity Monitoring
 Database Audit Platforms
• Remote journaling & analytics
 Compliance testing
 Performance
26

27. Intrusion Detection/Prevention
 Configuration
 Verification testing
 Log and Alert review
27

28. 28

29. EMR Testing
 Electromagnetic Radiation
 Emissions Security
(EMSEC)
 Van Eck phreaking
 Tempest
 Tempest surveillance
prevention
 Faraday Cage
29

30. Green Computing
 Assessment on the use of resources
 Power Management
 Virtualization Assessment
30

31. Business Continuity
 Plan Testing, Training, and Exercises
(TT&E)
 Tabletop Exercises
• Checklist Assessment
• Walk Through
 Functional Exercises
• Remote Recovery
• Full Interruption Test
31

32. Vulnerability Scanning
 Vulnerability: Weakness in an
information system, or in system security
procedures, internal controls, or
implementation, that could be exploited
or triggered by a threat source.
 Vulnerability Scanning: A technique used
to identify hosts/host attributes and
associated vulnerabilities. (Technical)
32

33. MBSA
 Microsoft Baseline Security Analyzer 2.2
33

34. Vulnerability Reports
34 Sample from Qualys

35. External and Internal
35
Where is the best place to scan from?
External scan
found 2 critical
vulnerabilities
Internal scan
found 15 critical
vulnerabilities

36. Vulnerability Scanners
36
Source:
http://www.gartner.com/technology/media-products/reprints/rapid7/173772.html

37. Red, White and Blue Teams
37
Penetration
Testers
Incident Responders
Mimic real-world attacks
Unannounced
Observers and
Referees

38. Red and Blue Teams
38
Penetration
Testers
Incident Responders
Mimic real-world attacks
Announced

39. Penetration Test Phases
39

40. Penetration Assessment Reports
40
Sample from CoreImpact

41. Vulnerability Information
 Open Source Vulnerability DB
• http://osvdb.org/
 National Vulnerability Database
• http://nvd.nist.gov/
 Common Vulnerabilities and Exposures
• http://cve.mitre.org/
 Exploit Database
• http://www.exploit-db.com/
41

42. Physical Assessments
 Posture Review
 Access Control Testing
 Perimeter review
 Monitoring review
 Alarm Response review
 Location review (Business Continuity)
 Environmental review (AC / UPS)
42

43. KSAs
Knowledge
SkillAbility
43

44. Assessor Competence
 Priority Certifications
• Certified Information Systems Auditor
(CISA)*
• GIAC Systems and Network Auditor (GSNA)
 Secondary Certifications
• Vendor Neutral: CISSP, Security+, GIAC,
CISM, etc…
• Vendor Specific: Microsoft, Cisco, etc…
44
*GAO 65% of audit staff to be CISA

45. Legal Considerations
 At the discretion of the organization
 Legal Review
• Reviewing the assessment plan
• Providing indemnity or limitation of liability
clauses (Insurance)
• Particularly for tests that are intrusive
• Nondisclosure agreements
• Privacy concerns
45

46. Post-Testing Activities
 Mitigation Recommendations
• Technical, Managerial or Operational
 Reporting
• Draft and Final Reports
 Remediation / Mitigation
• Not enough to finds problems need to have
a process to fix them
46

47. Organizations that can help
 Information Systems Audit and Control
Association (ISACA)
 American Institute of Certified Public
Accountants (AICPA)
 Institute of Internal Auditors (IIA)
 SANS
 National State Auditors Association (NSAA)
 U.S. Government Accountability Office (GAO)
47

48. Resources
 Gartner Report on Vulnerability
Assessment Tools
 Twenty Critical Controls for Effective
Cyber Defense
48

49. Donald E. Hester
CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+
Director, Maze & Associates
University of San Francisco / San Diego City College / Los Positas College
www.LearnSecurity.org
http://www.linkedin.com/in/donaldehester
http://www.facebook.com/group.php?gid=245570977486
Email:
DonaldH@MazeAssociates.com

50. Evaluation Survey Link
Help us improve our seminars by filing
out a short online evaluation survey at:
http://www.surveymonkey.com/s/IT-SecurityAssessments

51. Thanks for attending
For upcoming events and links to recently archived
seminars, check the @ONE Web site at:
http://onefortraining.org/
IT Best Practices:
IT Security Assessments