SlideShare a Scribd company logo
http://www.enterprisegrc.com
Security Assessment – Concept Review with
a hint of CISSP Exam Prep
Contribution to ISACA-SV January 2016
Robin Basham, M.IT, M.Ed, CISA, CRISC, CGEIT, CISSP
Which items are elements of “security”?
2
The Mission: Resilience
 What are our critical assets?
 Who is responsible for them?
 Is everyone involved in cyber-resilience? Do they have the
knowledge and autonomy to make good decisions?
 Are we prepared for when there is a successful attack?
 Will there be a tried and tested process to follow or will cyber
attack throw our organization into complete chaos?
3
Types of Security Assessment
 Technical Security Testing (ONE)
 Security Process Assessment (TWO)
 Security Audit (THREE)
4
Audit Velocity increases Maturity
 Approach: Find a flaw, fix
a flaw
 Approach: Find a lot of
flaws and keep a list
 Approach: align
vulnerability metrics into
a continual service
improvement model
5
Root Cause Analysis
 What is the root cause for any failure
 Example: “metrics indicate 80% of malicious code infections are
attributed to vulnerable versions of Java”
 What were the steps to create the finding?
 What are the expectations as a result of this finding?
 What is the measure of Security Program health?
6
Technical (one)
 Looking for security weaknesses
 Vulnerability Assessment
 Network Penetration Testing
 Web Application Penetration Testing
 Source Code Analysis
7
Vulnerability Assessment
 Scanning systems looking for a set of vulnerabilities
(a list)
 Looks for common and known vulnerabilities
 Uses a scanning tool
 Performed in house and by third party
Let’s look at common and recommended scanning tools.
Source is OWASPVulnerability Scanning Tools - OWASP
8
Penetration Tests
 Red Team Exercises or Ethical Hacking – (Yes, I’m compelled to talk about blue
team, but not yet.)
 We know we have flaws - pen test seeks to exploit them
 Simulates attacker (does not cause harm)
 Output: Identification of susceptible assets (sites)
 In short: As good as the people who perform them and as valuable as the
reduced risk on the items that get remediated
A red team is an independent group that challenges an organization to improve its
effectiveness. The United States intelligence community (military and civilian) has red
teams that explore alternative futures and write articles as if they were foreign world
leaders.
Red team - Wikipedia, the free encyclopedia
12
Penetration Testing – Operations Evaluation
 War Dialing (looking for modems – especially plugged into older
enterprise hardware)
 Sniffing – Wireshark -Configuring a monitor port on a managed
switch - network tap
 Eavesdropping
 Radiation monitoring
 Dumpster diving
 Social Engineering
http://www.lawtechnologytoday.org/2015/03/information-security-threat-
social-engineering-and-the-human-element/
You typically insert a network tap inline between two nodes in a
network, such as between your firewall and your first switch. $$$ Not
typically in audit budget
13
Security Process Review (two)
 Looking for weaknesses and vulnerabilities
Security Assessment Report
Deficient Security Posture
Technology
People
Process
14
Security Process
 Process is more than policy, although we start with
policy
 What are two great frameworks for establishing
necessary procedure and work product to show that
the processes are effective?
 Cobit5 and NIST Cybersecurity Framework
 http://www.nist.gov/cyberframework/upload/cybersec
urity-framework-021214.pdf
 National Institute of Standards and Technology, U.S.
Department of Commerce (Not copyrightable in the
United States.)
15
Download NIST Assessment Tool
http://www.nist.gov/cyberframework/csf_
reference_tool.cfm
17
U Need to Use: NIST Framework for
Improving Critical Infrastructure
Cybersecurity; Annex A
18
Determine Alignment
to ISMS and CobiT or
ITGCC program
19
Cobit 5: Process Area Assessment
 APO12: Manage Risk, “Continually identify, assess and
reduce IT-related risk within levels of tolerance set by
enterprise executive management.”
 APO13: Manage Security, “Define, operate and
monitor a system for information security
management.”
 DSS05: Manage Security Services, “Protect enterprise
information to maintain the level of information
security risk acceptable to the enterprise in
accordance with the security policy. Establish and
maintain information security roles and access
privileges and perform security monitoring.”
20
Assessment (two) v. Audit (three)
 Security assessment is comprehensive review of
systems and applications performed by trained
security professionals (CISSP/ CCIE/ CCNA/ CISM)
 Security assessments normally include use of
testing tools and goes beyond automated scanning
 Involves thoughtful review of the threat
environment, current and future risk, and value
definition of the targeted environments
 The output of assessment is a report addressed to
management with recommendations in both
technical and non technical language
21
Auditing Security Assessment & Verification
 Compliance checks
 Internal and external
 Frequency of review
 Standard of due care
 Internal Audit typically performs assessment for
internal audience
 External Audits are performed for external investors
and as part of third party due diligence requirements
 Third Party review is emphasized to avoid “conflict of
interest”
22
Security Audit – Raising the right Bar
 Cloud Security Alliance Control Matrix – Cloud
Operational Security
 Controls Domain and Controls Matrix (98 Controls with
Mappings)
Value – architecture, portability and interoperability; physical,
network, compute, storage, applications, and data, differentiates
service provider versus tenants
 United States NIST Publication 200, NIST SP 800-54
rev4 – (mentioned earlier)
 PCI-DSS – The Payment Card Industry Data Standard
 Associated to credit card processing – however should be
true in general – 12 tenants
23
What are the “Related Metrics” from Manage Risk APO12
 Continually identify, assess
and reduce IT-related risk
within levels of tolerance
set by enterprise executive
management.
 Integrate the management
of IT-related enterprise risk
with overall ERM, and
balance the costs and
benefits of managing IT-
related enterprise risk.
 Related Metrics
 Degree of visibility and
recognition in the current
environment
 Number of loss events with
key characteristics captured
in repositories
 Percent of audits, events and
trends captured in
repositories
 Percent of key business
processes included in the risk
profile
 Completeness of attributes
and values in the risk profile
 Percent of risk management
proposals rejected due to
lack of consideration of other
related risk
 Number of significant
incidents not identified and
included in the risk
management portfolio
 Percent of IT risk action plans
executed as designed
 Number of measures not
reducing residual risk
*Align, Plan and Organize
24
What are the “Related Metrics” from Manage Security APO13
 Define, operate and
monitor a system for
information security
management.
 Keep the impact and
occurrence of
information security
incidents within the
enterprise’s risk appetite
levels.
 Related Metrics
 Number of key security
roles clearly defined
 Number of security
related incidents
 Level of stakeholder
satisfaction with the
security plan throughout
the enterprise
 Number of security
solutions deviating from
the plan
 Number of security
solutions deviating from
the enterprise
architecture
 Number of services with
confirmed alignment to
the security plan
 Number of security
incidents caused by non-
adherence to the
security plan Number of
solutions developed
with confirmed
alignment to the security
plan
*Align, Plan and Organize
25
What are the “Related Metrics” from Manage Security Services DSS05
 Protect enterprise
information to maintain
the level of information
security risk acceptable to
the enterprise in
accordance with the
security policy. Establish
and maintain information
security roles and access
privileges and perform
security monitoring.
 Minimize the business
impact of operational
information security
vulnerabilities and
incidents.
 Related Metrics
 Number of vulnerabilities
discovered
 Number of firewall
breaches
 Percent of individuals
receiving awareness
training relating to use of
endpoint devices
 Number of incidents
involving endpoint devices
 Number of unauthorized
devices detected on the
network or in the end-
user environment
 Average time between
change and update of
accounts
 Number of accounts (vs.
number of authorized
users/staff)
 Percent of periodic tests
of environmental security
devices
 Average rating for physical
security assessments
 Number of physical
security-related incidents
 Number of incidents
relating to unauthorized
access to information
* Deliver, Service and Support
26
Technical Security Testing (one)
Goal: assess risk by discovering flaws that
persist in systems and applications
 Technical testing is looking for security flaws, specifically impacts to
confidentiality, integrity or availability, ways to steal, alter or destroy
information
 Vulnerability Assessments are looking for weakness
 Penetration testing adds human factor
 Code review includes errors that make it susceptible, e.g. to buffer overflow,
SQL insertion, etc.
 Phishing is to see what users do when presented with typical malicious email
scenarios
 Password assessments evaluate password settings and practices, (sometimes as
a part of scanning)
27
Threat Vectors – Attack surface
 Methods attackers use to touch or exploit vulnerabilities
 A systems attack surface represents all of the ways in
which an attacker could attempt to introduce data to
exploit a vulnerability
 If you look at a list of vulnerabilities, you get too much
information, so we have to start by analyzing our network, our
data, evaluating our assets and their attack surface, then their
vulnerabilities to known threats
 One way to reduce risk is to minimize the attack vectors
 Once we know those vectors, we remediate prioritized threats
by reducing the likelihood of exploiting vulnerabilities
28
Shift in attack vectors:
Server Side v. Client Side Attacks
 Attacks against a listening service are called “Server-side
attacks”
 TCP server side attacks are initiated by an attacker (client)
 Client-side attacks work in reverse, where victim initiates
the traffic, usually by clicking on a link or email.
 We have to understand the environment from the
perspective of an adversary.
 We use threat modelling and ask “Who is the adversary
and what does the adversary want to accomplish?”
29
STRIDE – Microsoft Privacy Standard
(MPSD) in response to FIPS
 Spoofing v. Authentication
 Tampering v. Integrity
 Repudiation v. Non-Repudiation
 Information Disclosure v. Confidentiality
 Denial of Service v. Availability
 Elevation of Privilege v. Authorization
30
How they get us drives how we protect
against them
 External or internal actor is able to
perform host discovery
 Live systems can be discovered via
ARP, ICMP, TCP, UDP traffic, IPv6
neighbor discovery, Sniffing packets
and reviewing contents
Any person with administrative
privilege to network and systems can
perform these functions
Many general users can perform
some of these functions
Perform
reconnaissance
Network
enumeration
Port
scanning
Determine
version of OS
and services
Determine
vulnerable
service versions
Exploit
vulnerabilities
31
Attackers shouldn’t know our weaknesses
before we do – We should do something
about our weaknesses
 Vulnerability assessment determines weakness across our actual
attack surface or threat vectors
 Tools to run (OWASP) Nessus, Nexpose, OpenVas, Retina
 Once vulnerable systems are identified, procedures to perform
limited exploits can involve use of:
 The MetaSploit Framework (metasploit)
 Core Impact (coresecurity)
 Immunity Canvas (immunitysec.com)
 For Linux, Backtrack and Kali
34
What do you call a person who uses attack
tools without permission?
 inmate
 Penetration testing is a
process of HIRING or
assigning a whitehat to
penetrate an application,
system or network
Business Process,
Scope
Reconnaissance
Port scanning,
VA
Exploitation
Post Exploitation
35
Source Code Review – White Box (v.
Blackbox) Testing
 Cheaper and Safer to whitebox b/c the effort to “Fuzz” code from
blackbox has high probability of impacting systems, is expensive and
time consuming
 Code review discovers security vulnerabilities by inspecting the source
code of a target application.
 Certain C Functions are commonly associated to buffer overflow
“-get(), strcpy(),strcat()”
 Compilers usually include security checks, but they need to be run by
policy and results need to be understood.
 Compiled code review should be “blackbox”
36
Fuzzing is Blackbox – sends unexpected inputs
 Automated cramming, exploits poorly
constructed interface constraints
 Web Application Testing
 HTTP Interception Proxy
 Code Analysis
 Beyond the proxy, Dynamic web application
scanners code attempt to automate assess the
security of customer web apps
37
Questions?
 Reach out on LinkedIn and we can continue the dialogue.
 Good luck in your studies. Hope this was helpful.
39

More Related Content

What's hot

Ca world 2007 SOC integration
Ca world 2007 SOC integrationCa world 2007 SOC integration
Ca world 2007 SOC integration
Michael Nickle
 
IT Risk Management
IT Risk ManagementIT Risk Management
IT Risk Management
Tudor Damian
 
Intel Presentation from NIST Cybersecurity Framework Workshop 6
Intel Presentation from NIST Cybersecurity Framework Workshop 6Intel Presentation from NIST Cybersecurity Framework Workshop 6
Intel Presentation from NIST Cybersecurity Framework Workshop 6
Phil Agcaoili
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)
PECB
 
How to measure your cybersecurity performance
How to measure your cybersecurity performanceHow to measure your cybersecurity performance
How to measure your cybersecurity performance
Abhishek Sood
 
SOC for Cybersecurity Overview
SOC for Cybersecurity OverviewSOC for Cybersecurity Overview
SOC for Cybersecurity Overview
Brian Matteson, CISSP CISA
 
Cybertopic_1security
Cybertopic_1securityCybertopic_1security
Cybertopic_1security
Anne Starr
 
Rothke secure360 building a security operations center (soc)
Rothke   secure360 building a security operations center (soc)Rothke   secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
Ben Rothke
 
Integrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementIntegrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk Management
Priyanka Aash
 
Security Framework for Digital Risk Managment
Security Framework for Digital Risk ManagmentSecurity Framework for Digital Risk Managment
Security Framework for Digital Risk Managment
Securestorm
 
Cybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesCybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best Practices
Tony Moroney
 
Information Technology Vendor Risk Management
Information Technology Vendor Risk ManagementInformation Technology Vendor Risk Management
Information Technology Vendor Risk Management
Deepak Bansal, CPA CISSP
 
Gpc case study_eng_0221
Gpc case study_eng_0221Gpc case study_eng_0221
Gpc case study_eng_0221
SALIH AHMED ISLAM
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete Deck
SlideTeam
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
Rahul Tyagi
 
A Guide to Managed Security Services
A Guide to Managed Security ServicesA Guide to Managed Security Services
A Guide to Managed Security Services
Graham Mann
 
Cybersecurity Framework - What are Pundits Saying?
Cybersecurity Framework - What are Pundits Saying?Cybersecurity Framework - What are Pundits Saying?
Cybersecurity Framework - What are Pundits Saying?
Jim Meyer
 
TrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability ManagementTrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability Management
Tuan Phan
 
Comodo SOC service provider
Comodo SOC service providerComodo SOC service provider
Comodo SOC service provider
paulharry03
 
Manoj purandare - Stratergy towards an Effective Security Operations Centre -...
Manoj purandare - Stratergy towards an Effective Security Operations Centre -...Manoj purandare - Stratergy towards an Effective Security Operations Centre -...
Manoj purandare - Stratergy towards an Effective Security Operations Centre -...
Manoj Purandare ☁
 

What's hot (20)

Ca world 2007 SOC integration
Ca world 2007 SOC integrationCa world 2007 SOC integration
Ca world 2007 SOC integration
 
IT Risk Management
IT Risk ManagementIT Risk Management
IT Risk Management
 
Intel Presentation from NIST Cybersecurity Framework Workshop 6
Intel Presentation from NIST Cybersecurity Framework Workshop 6Intel Presentation from NIST Cybersecurity Framework Workshop 6
Intel Presentation from NIST Cybersecurity Framework Workshop 6
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)
 
How to measure your cybersecurity performance
How to measure your cybersecurity performanceHow to measure your cybersecurity performance
How to measure your cybersecurity performance
 
SOC for Cybersecurity Overview
SOC for Cybersecurity OverviewSOC for Cybersecurity Overview
SOC for Cybersecurity Overview
 
Cybertopic_1security
Cybertopic_1securityCybertopic_1security
Cybertopic_1security
 
Rothke secure360 building a security operations center (soc)
Rothke   secure360 building a security operations center (soc)Rothke   secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
 
Integrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk ManagementIntegrating Cybersecurity into Supply Chain Risk Management
Integrating Cybersecurity into Supply Chain Risk Management
 
Security Framework for Digital Risk Managment
Security Framework for Digital Risk ManagmentSecurity Framework for Digital Risk Managment
Security Framework for Digital Risk Managment
 
Cybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best PracticesCybersecurity Preparedness Trends and Best Practices
Cybersecurity Preparedness Trends and Best Practices
 
Information Technology Vendor Risk Management
Information Technology Vendor Risk ManagementInformation Technology Vendor Risk Management
Information Technology Vendor Risk Management
 
Gpc case study_eng_0221
Gpc case study_eng_0221Gpc case study_eng_0221
Gpc case study_eng_0221
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete Deck
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
 
A Guide to Managed Security Services
A Guide to Managed Security ServicesA Guide to Managed Security Services
A Guide to Managed Security Services
 
Cybersecurity Framework - What are Pundits Saying?
Cybersecurity Framework - What are Pundits Saying?Cybersecurity Framework - What are Pundits Saying?
Cybersecurity Framework - What are Pundits Saying?
 
TrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability ManagementTrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability Management
 
Comodo SOC service provider
Comodo SOC service providerComodo SOC service provider
Comodo SOC service provider
 
Manoj purandare - Stratergy towards an Effective Security Operations Centre -...
Manoj purandare - Stratergy towards an Effective Security Operations Centre -...Manoj purandare - Stratergy towards an Effective Security Operations Centre -...
Manoj purandare - Stratergy towards an Effective Security Operations Centre -...
 

Viewers also liked

Federal Cybersecurity: The latest challenges, initiatives and best practices
Federal Cybersecurity: The latest challenges, initiatives and best practicesFederal Cybersecurity: The latest challenges, initiatives and best practices
Federal Cybersecurity: The latest challenges, initiatives and best practices
John Gilligan
 
Unveiling the Early Universe with Intel Xeon Processors and Intel Xeon Phi at...
Unveiling the Early Universe with Intel Xeon Processors and Intel Xeon Phi at...Unveiling the Early Universe with Intel Xeon Processors and Intel Xeon Phi at...
Unveiling the Early Universe with Intel Xeon Processors and Intel Xeon Phi at...
Intel IT Center
 
NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF)
Priyanka Aash
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Stephen Cobb
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
Tandhy Simanjuntak
 
End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness Presentation
Cristian Mihai
 
Cyber security presentation
Cyber security presentationCyber security presentation
Cyber security presentation
Bijay Bhandari
 
Cyber crime and security ppt
Cyber crime and security pptCyber crime and security ppt
Cyber crime and security ppt
Lipsita Behera
 

Viewers also liked (8)

Federal Cybersecurity: The latest challenges, initiatives and best practices
Federal Cybersecurity: The latest challenges, initiatives and best practicesFederal Cybersecurity: The latest challenges, initiatives and best practices
Federal Cybersecurity: The latest challenges, initiatives and best practices
 
Unveiling the Early Universe with Intel Xeon Processors and Intel Xeon Phi at...
Unveiling the Early Universe with Intel Xeon Processors and Intel Xeon Phi at...Unveiling the Early Universe with Intel Xeon Processors and Intel Xeon Phi at...
Unveiling the Early Universe with Intel Xeon Processors and Intel Xeon Phi at...
 
NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF)
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness Presentation
 
Cyber security presentation
Cyber security presentationCyber security presentation
Cyber security presentation
 
Cyber crime and security ppt
Cyber crime and security pptCyber crime and security ppt
Cyber crime and security ppt
 

Similar to Security assessment isaca sv presentation jan 2016

Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30
Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
Security assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP PrepSecurity assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP Prep
EnterpriseGRC Solutions, Inc.
 
Phi 235 social media security users guide presentation
Phi 235 social media security users guide presentationPhi 235 social media security users guide presentation
Phi 235 social media security users guide presentation
Alan Holyoke
 
Risk Assessment Methodologies
Risk Assessment MethodologiesRisk Assessment Methodologies
Risk Assessment Methodologies
Philippe A. R. Schaeffer
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise Infilteration
Shritam Bhowmick
 
Exploring the Key Types of Cybersecurity Testing
Exploring the Key Types of Cybersecurity TestingExploring the Key Types of Cybersecurity Testing
Exploring the Key Types of Cybersecurity Testing
jatniwalafizza786
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
abhichowdary16
 
Reorganizing Federal IT to Address Today's Threats
Reorganizing Federal IT to Address Today's ThreatsReorganizing Federal IT to Address Today's Threats
Reorganizing Federal IT to Address Today's Threats
Lumension
 
ISAA
ISAAISAA
Vulnerability Assessment and Penetration Testing (VAPT).pdf
Vulnerability Assessment and Penetration Testing (VAPT).pdfVulnerability Assessment and Penetration Testing (VAPT).pdf
Vulnerability Assessment and Penetration Testing (VAPT).pdf
Cyber Security Experts
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security Initiatives
Marco Morana
 
Information Serurity Risk Assessment Basics
Information Serurity Risk Assessment BasicsInformation Serurity Risk Assessment Basics
Information Serurity Risk Assessment Basics
Vidyalankar Institute of Technology
 
Core.co.enterprise.deck.06.16.10
Core.co.enterprise.deck.06.16.10Core.co.enterprise.deck.06.16.10
Core.co.enterprise.deck.06.16.10
Core Security Technologies
 
46 102-112
46 102-11246 102-112
46 102-112
idescitation
 
Vulnerability Assessment and Penetration Testing: Safeguarding Digital Assets
Vulnerability Assessment and Penetration Testing: Safeguarding Digital AssetsVulnerability Assessment and Penetration Testing: Safeguarding Digital Assets
Vulnerability Assessment and Penetration Testing: Safeguarding Digital Assets
Ahad
 
web application penetration testing.pptx
web application penetration testing.pptxweb application penetration testing.pptx
web application penetration testing.pptx
Fayemunoz
 
CRISC Course Preview
CRISC Course PreviewCRISC Course Preview
CRISC Course Preview
Invensis Learning
 
A Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesA Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use Cases
Ryan Faircloth
 
325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-Session325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-Session
Ryan Faircloth
 
RAMNSS_2016_service_porfolio
RAMNSS_2016_service_porfolioRAMNSS_2016_service_porfolio
RAMNSS_2016_service_porfolio
Rhys A. Mossom
 

Similar to Security assessment isaca sv presentation jan 2016 (20)

Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30
 
Security assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP PrepSecurity assessment with a hint of CISSP Prep
Security assessment with a hint of CISSP Prep
 
Phi 235 social media security users guide presentation
Phi 235 social media security users guide presentationPhi 235 social media security users guide presentation
Phi 235 social media security users guide presentation
 
Risk Assessment Methodologies
Risk Assessment MethodologiesRisk Assessment Methodologies
Risk Assessment Methodologies
 
New Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise InfilterationNew Age Red Teaming - Enterprise Infilteration
New Age Red Teaming - Enterprise Infilteration
 
Exploring the Key Types of Cybersecurity Testing
Exploring the Key Types of Cybersecurity TestingExploring the Key Types of Cybersecurity Testing
Exploring the Key Types of Cybersecurity Testing
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
 
Reorganizing Federal IT to Address Today's Threats
Reorganizing Federal IT to Address Today's ThreatsReorganizing Federal IT to Address Today's Threats
Reorganizing Federal IT to Address Today's Threats
 
ISAA
ISAAISAA
ISAA
 
Vulnerability Assessment and Penetration Testing (VAPT).pdf
Vulnerability Assessment and Penetration Testing (VAPT).pdfVulnerability Assessment and Penetration Testing (VAPT).pdf
Vulnerability Assessment and Penetration Testing (VAPT).pdf
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security Initiatives
 
Information Serurity Risk Assessment Basics
Information Serurity Risk Assessment BasicsInformation Serurity Risk Assessment Basics
Information Serurity Risk Assessment Basics
 
Core.co.enterprise.deck.06.16.10
Core.co.enterprise.deck.06.16.10Core.co.enterprise.deck.06.16.10
Core.co.enterprise.deck.06.16.10
 
46 102-112
46 102-11246 102-112
46 102-112
 
Vulnerability Assessment and Penetration Testing: Safeguarding Digital Assets
Vulnerability Assessment and Penetration Testing: Safeguarding Digital AssetsVulnerability Assessment and Penetration Testing: Safeguarding Digital Assets
Vulnerability Assessment and Penetration Testing: Safeguarding Digital Assets
 
web application penetration testing.pptx
web application penetration testing.pptxweb application penetration testing.pptx
web application penetration testing.pptx
 
CRISC Course Preview
CRISC Course PreviewCRISC Course Preview
CRISC Course Preview
 
A Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesA Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use Cases
 
325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-Session325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-Session
 
RAMNSS_2016_service_porfolio
RAMNSS_2016_service_porfolioRAMNSS_2016_service_porfolio
RAMNSS_2016_service_porfolio
 

More from EnterpriseGRC Solutions, Inc.

CobiT Foundation Free Training
CobiT Foundation Free TrainingCobiT Foundation Free Training
CobiT Foundation Free Training
EnterpriseGRC Solutions, Inc.
 
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleWalk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
EnterpriseGRC Solutions, Inc.
 
ISACA SV 2013 Winter Conference Brochure
ISACA SV 2013 Winter Conference BrochureISACA SV 2013 Winter Conference Brochure
ISACA SV 2013 Winter Conference Brochure
EnterpriseGRC Solutions, Inc.
 
2012 Summer Conference Brochure
2012 Summer Conference Brochure2012 Summer Conference Brochure
2012 Summer Conference Brochure
EnterpriseGRC Solutions, Inc.
 
2011 Summer Conference Brochure
2011 Summer Conference Brochure2011 Summer Conference Brochure
2011 Summer Conference Brochure
EnterpriseGRC Solutions, Inc.
 
The Perils of Mount Must Read
The Perils of Mount Must ReadThe Perils of Mount Must Read
The Perils of Mount Must Read
EnterpriseGRC Solutions, Inc.
 
Procedures and Controls Documentation Guidelines
Procedures and Controls Documentation GuidelinesProcedures and Controls Documentation Guidelines
Procedures and Controls Documentation Guidelines
EnterpriseGRC Solutions, Inc.
 
Cryptographic lifecycle security training
Cryptographic lifecycle security trainingCryptographic lifecycle security training
Cryptographic lifecycle security training
EnterpriseGRC Solutions, Inc.
 
Networking and communications security – network architecture design
Networking and communications security – network architecture designNetworking and communications security – network architecture design
Networking and communications security – network architecture design
EnterpriseGRC Solutions, Inc.
 
CISSP Study Exercises, Just some good will to help my peers with their studies
CISSP Study Exercises, Just some good will to help my peers with their studiesCISSP Study Exercises, Just some good will to help my peers with their studies
CISSP Study Exercises, Just some good will to help my peers with their studies
EnterpriseGRC Solutions, Inc.
 
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin   enterprise gr-cv3Virtualization and cloud impact overview auditor spin   enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
EnterpriseGRC Solutions, Inc.
 
The value of our data
The value of our dataThe value of our data
The value of our data
EnterpriseGRC Solutions, Inc.
 
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin   Enterprise Gr Cv4Virtualization And Cloud Impact Overview Auditor Spin   Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
EnterpriseGRC Solutions, Inc.
 
Green Tech
Green TechGreen Tech

More from EnterpriseGRC Solutions, Inc. (14)

CobiT Foundation Free Training
CobiT Foundation Free TrainingCobiT Foundation Free Training
CobiT Foundation Free Training
 
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleWalk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
 
ISACA SV 2013 Winter Conference Brochure
ISACA SV 2013 Winter Conference BrochureISACA SV 2013 Winter Conference Brochure
ISACA SV 2013 Winter Conference Brochure
 
2012 Summer Conference Brochure
2012 Summer Conference Brochure2012 Summer Conference Brochure
2012 Summer Conference Brochure
 
2011 Summer Conference Brochure
2011 Summer Conference Brochure2011 Summer Conference Brochure
2011 Summer Conference Brochure
 
The Perils of Mount Must Read
The Perils of Mount Must ReadThe Perils of Mount Must Read
The Perils of Mount Must Read
 
Procedures and Controls Documentation Guidelines
Procedures and Controls Documentation GuidelinesProcedures and Controls Documentation Guidelines
Procedures and Controls Documentation Guidelines
 
Cryptographic lifecycle security training
Cryptographic lifecycle security trainingCryptographic lifecycle security training
Cryptographic lifecycle security training
 
Networking and communications security – network architecture design
Networking and communications security – network architecture designNetworking and communications security – network architecture design
Networking and communications security – network architecture design
 
CISSP Study Exercises, Just some good will to help my peers with their studies
CISSP Study Exercises, Just some good will to help my peers with their studiesCISSP Study Exercises, Just some good will to help my peers with their studies
CISSP Study Exercises, Just some good will to help my peers with their studies
 
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
Virtualization and cloud impact overview auditor spin   enterprise gr-cv3Virtualization and cloud impact overview auditor spin   enterprise gr-cv3
Virtualization and cloud impact overview auditor spin enterprise gr-cv3
 
The value of our data
The value of our dataThe value of our data
The value of our data
 
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin   Enterprise Gr Cv4Virtualization And Cloud Impact Overview Auditor Spin   Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
 
Green Tech
Green TechGreen Tech
Green Tech
 

Recently uploaded

Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Operating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptxOperating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptx
Pravash Chandra Das
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
saastr
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Jeffrey Haguewood
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdfNunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
flufftailshop
 
Azure API Management to expose backend services securely
Azure API Management to expose backend services securelyAzure API Management to expose backend services securely
Azure API Management to expose backend services securely
Dinusha Kumarasiri
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 

Recently uploaded (20)

Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Operating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptxOperating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptx
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdfNunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
 
Azure API Management to expose backend services securely
Azure API Management to expose backend services securelyAzure API Management to expose backend services securely
Azure API Management to expose backend services securely
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 

Security assessment isaca sv presentation jan 2016

  • 1. http://www.enterprisegrc.com Security Assessment – Concept Review with a hint of CISSP Exam Prep Contribution to ISACA-SV January 2016 Robin Basham, M.IT, M.Ed, CISA, CRISC, CGEIT, CISSP
  • 2. Which items are elements of “security”? 2
  • 3. The Mission: Resilience  What are our critical assets?  Who is responsible for them?  Is everyone involved in cyber-resilience? Do they have the knowledge and autonomy to make good decisions?  Are we prepared for when there is a successful attack?  Will there be a tried and tested process to follow or will cyber attack throw our organization into complete chaos? 3
  • 4. Types of Security Assessment  Technical Security Testing (ONE)  Security Process Assessment (TWO)  Security Audit (THREE) 4
  • 5. Audit Velocity increases Maturity  Approach: Find a flaw, fix a flaw  Approach: Find a lot of flaws and keep a list  Approach: align vulnerability metrics into a continual service improvement model 5
  • 6. Root Cause Analysis  What is the root cause for any failure  Example: “metrics indicate 80% of malicious code infections are attributed to vulnerable versions of Java”  What were the steps to create the finding?  What are the expectations as a result of this finding?  What is the measure of Security Program health? 6
  • 7. Technical (one)  Looking for security weaknesses  Vulnerability Assessment  Network Penetration Testing  Web Application Penetration Testing  Source Code Analysis 7
  • 8. Vulnerability Assessment  Scanning systems looking for a set of vulnerabilities (a list)  Looks for common and known vulnerabilities  Uses a scanning tool  Performed in house and by third party Let’s look at common and recommended scanning tools. Source is OWASPVulnerability Scanning Tools - OWASP 8
  • 9. Penetration Tests  Red Team Exercises or Ethical Hacking – (Yes, I’m compelled to talk about blue team, but not yet.)  We know we have flaws - pen test seeks to exploit them  Simulates attacker (does not cause harm)  Output: Identification of susceptible assets (sites)  In short: As good as the people who perform them and as valuable as the reduced risk on the items that get remediated A red team is an independent group that challenges an organization to improve its effectiveness. The United States intelligence community (military and civilian) has red teams that explore alternative futures and write articles as if they were foreign world leaders. Red team - Wikipedia, the free encyclopedia 12
  • 10. Penetration Testing – Operations Evaluation  War Dialing (looking for modems – especially plugged into older enterprise hardware)  Sniffing – Wireshark -Configuring a monitor port on a managed switch - network tap  Eavesdropping  Radiation monitoring  Dumpster diving  Social Engineering http://www.lawtechnologytoday.org/2015/03/information-security-threat- social-engineering-and-the-human-element/ You typically insert a network tap inline between two nodes in a network, such as between your firewall and your first switch. $$$ Not typically in audit budget 13
  • 11. Security Process Review (two)  Looking for weaknesses and vulnerabilities Security Assessment Report Deficient Security Posture Technology People Process 14
  • 12. Security Process  Process is more than policy, although we start with policy  What are two great frameworks for establishing necessary procedure and work product to show that the processes are effective?  Cobit5 and NIST Cybersecurity Framework  http://www.nist.gov/cyberframework/upload/cybersec urity-framework-021214.pdf  National Institute of Standards and Technology, U.S. Department of Commerce (Not copyrightable in the United States.) 15
  • 13. Download NIST Assessment Tool http://www.nist.gov/cyberframework/csf_ reference_tool.cfm 17
  • 14. U Need to Use: NIST Framework for Improving Critical Infrastructure Cybersecurity; Annex A 18
  • 15. Determine Alignment to ISMS and CobiT or ITGCC program 19
  • 16. Cobit 5: Process Area Assessment  APO12: Manage Risk, “Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.”  APO13: Manage Security, “Define, operate and monitor a system for information security management.”  DSS05: Manage Security Services, “Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges and perform security monitoring.” 20
  • 17. Assessment (two) v. Audit (three)  Security assessment is comprehensive review of systems and applications performed by trained security professionals (CISSP/ CCIE/ CCNA/ CISM)  Security assessments normally include use of testing tools and goes beyond automated scanning  Involves thoughtful review of the threat environment, current and future risk, and value definition of the targeted environments  The output of assessment is a report addressed to management with recommendations in both technical and non technical language 21
  • 18. Auditing Security Assessment & Verification  Compliance checks  Internal and external  Frequency of review  Standard of due care  Internal Audit typically performs assessment for internal audience  External Audits are performed for external investors and as part of third party due diligence requirements  Third Party review is emphasized to avoid “conflict of interest” 22
  • 19. Security Audit – Raising the right Bar  Cloud Security Alliance Control Matrix – Cloud Operational Security  Controls Domain and Controls Matrix (98 Controls with Mappings) Value – architecture, portability and interoperability; physical, network, compute, storage, applications, and data, differentiates service provider versus tenants  United States NIST Publication 200, NIST SP 800-54 rev4 – (mentioned earlier)  PCI-DSS – The Payment Card Industry Data Standard  Associated to credit card processing – however should be true in general – 12 tenants 23
  • 20. What are the “Related Metrics” from Manage Risk APO12  Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.  Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT- related enterprise risk.  Related Metrics  Degree of visibility and recognition in the current environment  Number of loss events with key characteristics captured in repositories  Percent of audits, events and trends captured in repositories  Percent of key business processes included in the risk profile  Completeness of attributes and values in the risk profile  Percent of risk management proposals rejected due to lack of consideration of other related risk  Number of significant incidents not identified and included in the risk management portfolio  Percent of IT risk action plans executed as designed  Number of measures not reducing residual risk *Align, Plan and Organize 24
  • 21. What are the “Related Metrics” from Manage Security APO13  Define, operate and monitor a system for information security management.  Keep the impact and occurrence of information security incidents within the enterprise’s risk appetite levels.  Related Metrics  Number of key security roles clearly defined  Number of security related incidents  Level of stakeholder satisfaction with the security plan throughout the enterprise  Number of security solutions deviating from the plan  Number of security solutions deviating from the enterprise architecture  Number of services with confirmed alignment to the security plan  Number of security incidents caused by non- adherence to the security plan Number of solutions developed with confirmed alignment to the security plan *Align, Plan and Organize 25
  • 22. What are the “Related Metrics” from Manage Security Services DSS05  Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges and perform security monitoring.  Minimize the business impact of operational information security vulnerabilities and incidents.  Related Metrics  Number of vulnerabilities discovered  Number of firewall breaches  Percent of individuals receiving awareness training relating to use of endpoint devices  Number of incidents involving endpoint devices  Number of unauthorized devices detected on the network or in the end- user environment  Average time between change and update of accounts  Number of accounts (vs. number of authorized users/staff)  Percent of periodic tests of environmental security devices  Average rating for physical security assessments  Number of physical security-related incidents  Number of incidents relating to unauthorized access to information * Deliver, Service and Support 26
  • 23. Technical Security Testing (one) Goal: assess risk by discovering flaws that persist in systems and applications  Technical testing is looking for security flaws, specifically impacts to confidentiality, integrity or availability, ways to steal, alter or destroy information  Vulnerability Assessments are looking for weakness  Penetration testing adds human factor  Code review includes errors that make it susceptible, e.g. to buffer overflow, SQL insertion, etc.  Phishing is to see what users do when presented with typical malicious email scenarios  Password assessments evaluate password settings and practices, (sometimes as a part of scanning) 27
  • 24. Threat Vectors – Attack surface  Methods attackers use to touch or exploit vulnerabilities  A systems attack surface represents all of the ways in which an attacker could attempt to introduce data to exploit a vulnerability  If you look at a list of vulnerabilities, you get too much information, so we have to start by analyzing our network, our data, evaluating our assets and their attack surface, then their vulnerabilities to known threats  One way to reduce risk is to minimize the attack vectors  Once we know those vectors, we remediate prioritized threats by reducing the likelihood of exploiting vulnerabilities 28
  • 25. Shift in attack vectors: Server Side v. Client Side Attacks  Attacks against a listening service are called “Server-side attacks”  TCP server side attacks are initiated by an attacker (client)  Client-side attacks work in reverse, where victim initiates the traffic, usually by clicking on a link or email.  We have to understand the environment from the perspective of an adversary.  We use threat modelling and ask “Who is the adversary and what does the adversary want to accomplish?” 29
  • 26. STRIDE – Microsoft Privacy Standard (MPSD) in response to FIPS  Spoofing v. Authentication  Tampering v. Integrity  Repudiation v. Non-Repudiation  Information Disclosure v. Confidentiality  Denial of Service v. Availability  Elevation of Privilege v. Authorization 30
  • 27. How they get us drives how we protect against them  External or internal actor is able to perform host discovery  Live systems can be discovered via ARP, ICMP, TCP, UDP traffic, IPv6 neighbor discovery, Sniffing packets and reviewing contents Any person with administrative privilege to network and systems can perform these functions Many general users can perform some of these functions Perform reconnaissance Network enumeration Port scanning Determine version of OS and services Determine vulnerable service versions Exploit vulnerabilities 31
  • 28. Attackers shouldn’t know our weaknesses before we do – We should do something about our weaknesses  Vulnerability assessment determines weakness across our actual attack surface or threat vectors  Tools to run (OWASP) Nessus, Nexpose, OpenVas, Retina  Once vulnerable systems are identified, procedures to perform limited exploits can involve use of:  The MetaSploit Framework (metasploit)  Core Impact (coresecurity)  Immunity Canvas (immunitysec.com)  For Linux, Backtrack and Kali 34
  • 29. What do you call a person who uses attack tools without permission?  inmate  Penetration testing is a process of HIRING or assigning a whitehat to penetrate an application, system or network Business Process, Scope Reconnaissance Port scanning, VA Exploitation Post Exploitation 35
  • 30. Source Code Review – White Box (v. Blackbox) Testing  Cheaper and Safer to whitebox b/c the effort to “Fuzz” code from blackbox has high probability of impacting systems, is expensive and time consuming  Code review discovers security vulnerabilities by inspecting the source code of a target application.  Certain C Functions are commonly associated to buffer overflow “-get(), strcpy(),strcat()”  Compilers usually include security checks, but they need to be run by policy and results need to be understood.  Compiled code review should be “blackbox” 36
  • 31. Fuzzing is Blackbox – sends unexpected inputs  Automated cramming, exploits poorly constructed interface constraints  Web Application Testing  HTTP Interception Proxy  Code Analysis  Beyond the proxy, Dynamic web application scanners code attempt to automate assess the security of customer web apps 37
  • 32. Questions?  Reach out on LinkedIn and we can continue the dialogue.  Good luck in your studies. Hope this was helpful. 39

Editor's Notes

  1. How is this possible? What missing?
  2. STRIDE Spoofing v. Authentication Tampering v. Integrity Repudiation v. Non-Repudiation Information Disclosure v. Confidentiality Denial of Service v. Availability Elevation of Privilege v. Authorization
  3. Let’s put on our Auditor hats. What can we use from Cobit 5 to assess the maturity of the security program in the context of the business and organization. Process, Purpose, Metrics
  4. Let’s put on our Auditor hats. What can we use from Cobit 5 to assess the maturity of the security program in the context of the business and organization.
  5. Let’s put on our Auditor hats. What can we use from Cobit 5 to assess the maturity of the security program in the context of the business and organization.