This document discusses various types of security assessments, including technical security testing, security process assessments, and security audits. It provides details on vulnerability assessments, network penetration testing, web application penetration testing, and source code analysis. It also discusses security process reviews and the differences between security assessments and security audits.

1. http://www.enterprisegrc.com
Security Assessment – Concept Review with
a hint of CISSP Exam Prep
Contribution to ISACA-SV January 2016
Robin Basham, M.IT, M.Ed, CISA, CRISC, CGEIT, CISSP (pending)

2. Which items are elements of “security”?

3. Resilience
 What are our critical assets?
 Who is responsible for them?
 Is everyone involved in cyber-resilience? Do they have the
knowledge and autonomy to make good decisions?
 Are we prepared for when there is a successful attack?
 Will there be a tried and tested process to follow or will cyber
attack throw our organization into complete chaos?

4. Types of Security Assessment
 Technical Security Testing
 Security Process Assessment
 Security Audit

5. Technical
 Looking for security weaknesses
 Vulnerability Assessment
 Network Penetration Testing
 Web Application Penetration Testing
 Source Code Analysis

6. Vulnerability Assessment
 Scanning systems looking for a set of vulnerabilities
(a list)
 Looks for common and known vulnerabilities
 Uses a scanning tool
 Performed in house and by third party
Let’s look at common and recommended scanning tools.
Source is OWASPVulnerability Scanning Tools - OWASP

7. OWASP Listed Vulnerability Scanning Tools
Name Owner Licence Platforms
Acunetix WVS Acunetix Commercial / Free (Limited Capability) Windows
AppScan IBM Commercial Windows
AVDS Beyond Security Commercial / Free (Limited Capability) N/A
BugBlast Buguroo Offensive Security Commercial SaaS or On-Premises
Burp Suite PortSwiger Commercial / Free (Limited Capability) Most platforms supported
Contrast Contrast Security Commercial / Free (Limited Capability) SaaS or On-Premises
GamaScan GamaSec Commercial Windows
Grabber Romain Gaucher Open Source Python 2.4, BeautifulSoup and PyXML
Grendel-Scan David Byrne Open Source Windows, Linux and Macintosh
GoLismero GoLismero Team GPLv2.0 Windows, Linux and Macintosh
Hailstorm Cenzic Commercial Windows
IKare ITrust Commercial N/A
IndusGuard Web Indusface Commercial SaaS
N-Stealth N-Stalker Commercial Windows
Netsparker MavitunaSecurity Commercial Windows
Nexpose Rapid7 Commercial / Free (Limited Capability) Windows/Linux
Nikto CIRT Open Source Unix/Linux

8. OWASP Listed Vulnerability Scanning Tools
Name Owner Licence Platforms
AppSpider Rapid7 Commercial Windows
ParosPro MileSCAN Commercial Windows
Proxy.app Websecurify Commercial Macintosh
QualysGuard Qualys Commercial N/A
Retina BeyondTrust Commercial Windows
Securus Orvant, Inc Commercial N/A
Sentinel WhiteHat Security Commercial N/A
Vega Subgraph Open Source Windows, Linux and Macintosh
Wapiti Informática Gesfor Open Source Windows, Unix/Linux and Macintosh
WebApp360 TripWire Commercial Windows
WebInspect HP Commercial Windows
SOATest Parasoft Commercial Windows / Linux / Solaris
Trustkeeper Scanner Trustwave SpiderLabs Commercial SaaS
WebReaver Websecurify Commercial Macintosh
WebScanService German Web Security Commercial N/A
Websecurify Suite Websecurify Commercial / Free (Limited Capability) Windows, Linux, Macintosh
Wikto Sensepost Open Source Windows
w3af w3af.org GPLv2.0 Linux and Mac
Xenotix XSS Exploit Framework OWASP Open Source Windows
Zed Attack Proxy OWASP Open Source Windows, Unix/Linux and Macintosh

9. What to do with a list of known vulnerabilities
 Scanners provide a score of 1 to 5 (relative to what?)
 CVSS Common Vulnerability Scoring System is method used to classify
 OCTAVE Operational Critical Threat, Asset, and Vulnerability Evaluation
 OCTAVE defines three phases, is criticized as complex and not providing
detailed quantitative analysis of security exposure.
Phase 1: Build
Asset-Based
Threat Profiles
Phase 2: Identify
Infrastructure
Vulnerabilities
Phase 3: Develop
Security Strategy
and Plans

10. Penetration Tests
 Red Team Exercises or Ethical Hacking – (Yes, I’m compelled to talk about blue
team, but not yet.)
 We know we have flaws - pen test seeks to exploit them
 Simulates attacker (does not cause harm)
 Output: Identification of susceptible assets (sites)
 In short: As good as the people who perform them and as valuable as the
reduced risk on the items that get remediated
A red team is an independent group that challenges an organization to improve its
effectiveness. The United States intelligence community (military and civilian) has red
teams that explore alternative futures and write articles as if they were foreign world
leaders.
Red team - Wikipedia, the free encyclopedia

11. Penetration Testing – Operations Evaluation
 War Dialing (looking for modems – especially plugged into older
enterprise hardware)
 Sniffing – Wireshark -Configuring a monitor port on a managed
switch - network tap
 Eavesdropping
 Radiation monitoring
 Dumpster diving
 Social Engineering
http://www.lawtechnologytoday.org/2015/03/information-security-threat-
social-engineering-and-the-human-element/
You typically insert a network tap inline between two nodes in a
network, such as between your firewall and your first switch. $$$ Not
typically in audit budget

12. Security Process Review
 Looking for weaknesses and vulnerabilities
Security Assessment Report
Deficient Security Posture
Technology
People
Process

13. Security Process
 Process is more than policy, although we start with
policy
 What are two great frameworks for establishing
necessary procedure and work product to show that
the processes are effective?
 Cobit5 and NIST Cybersecurity Framework
 http://www.nist.gov/cyberframework/upload/cybersec
urity-framework-021214.pdf
 National Institute of Standards and Technology, U.S.
Department of Commerce (Not copyrightable in the
United States.)

14. You Need to U Read
 International Organization for Standardization, Risk management – Principles and
guidelines, ISO 31000:2009, 2009. http://www.iso.org/iso/home/standards/iso31000.htm
 International Organization for Standardization/International Electrotechnical Commission,
Information technology – Security techniques – Information security risk management,
ISO/IEC 27005:2011, 2011. http://www.iso.org/iso/catalogue_detail?csnumber=56742
 Joint Task Force Transformation Initiative, Managing Information Security Risk:
Organization, Mission, and Information System View, NIST Special Publication 800-39,
March 2011. http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
 U.S. Department of Energy, Electricity Subsector Cybersecurity Risk Management Process,
DOE/OE-0003, May 2012.
http://energy.gov/sites/prod/files/Cybersecurity%20Risk%20Management%20Process%20
Guideline%20%20Final%20-%20May%202012.pdf

15. U Need to Use: NIST Framework for
Improving Critical Infrastructure
Cybersecurity; Annex A

16. Cobit 5: Process Area Assessment
 APO12: Manage Risk, “Continually identify, assess and
reduce IT-related risk within levels of tolerance set by
enterprise executive management.”
 APO13: Manage Security, “Define, operate and
monitor a system for information security
management.”
 DSS05: Manage Security Services, “Protect enterprise
information to maintain the level of information
security risk acceptable to the enterprise in
accordance with the security policy. Establish and
maintain information security roles and access
privileges and perform security monitoring.”

17. Assessment v. Audit
 Security assessment is comprehensive review of
systems and applications performed by trained
security professionals (CISSP/ CCIE/ CCNA/
CISM)
 Security assessments normally include use of
testing tools and goes beyond automated
scanning
 Involves thoughtful review of the threat
environment, current and future risk, and value
definition of the targeted environments
 The output of assessment is a report addressed
to management with recommendations in both
technical and non technical language

18. Auditing Security Assessment & Verification
 Compliance checks
 Internal and external
 Frequency of review
 Standard of due care
 Internal Audit typically performs assessment
for internal audience
 External Audits are performed for external
investors and as part of third party due
diligence requirements
 Third Party review is emphasized to avoid
“conflict of interest”

19. What are the “Related Metrics” from Manage Risk APO12
 Continually identify, assess
and reduce IT-related risk
within levels of tolerance
set by enterprise executive
management.
 Integrate the management
of IT-related enterprise risk
with overall ERM, and
balance the costs and
benefits of managing IT-
related enterprise risk.
 Related Metrics
 Degree of visibility and
recognition in the current
environment
 Number of loss events with
key characteristics captured
in repositories
 Percent of audits, events and
trends captured in
repositories
 Percent of key business
processes included in the risk
profile
 Completeness of attributes
and values in the risk profile
 Percent of risk management
proposals rejected due to
lack of consideration of other
related risk
 Number of significant
incidents not identified and
included in the risk
management portfolio
 Percent of IT risk action plans
executed as designed
 Number of measures not
reducing residual risk
*Align, Plan and Organize

20. What are the “Related Metrics” from Manage Security APO13
 Define, operate and
monitor a system for
information security
management.
 Keep the impact and
occurrence of
information security
incidents within the
enterprise’s risk appetite
levels.
 Related Metrics
 Number of key security
roles clearly defined
 Number of security
related incidents
 Level of stakeholder
satisfaction with the
security plan throughout
the enterprise
 Number of security
solutions deviating from
the plan
 Number of security
solutions deviating from
the enterprise
architecture
 Number of services with
confirmed alignment to
the security plan
 Number of security
incidents caused by non-
adherence to the
security plan Number of
solutions developed
with confirmed
alignment to the security
plan
*Align, Plan and Organize

21. What are the “Related Metrics” from Manage Security Services DSS05
 Protect enterprise
information to maintain
the level of information
security risk acceptable to
the enterprise in
accordance with the
security policy. Establish
and maintain information
security roles and access
privileges and perform
security monitoring.
 Minimize the business
impact of operational
information security
vulnerabilities and
incidents.
 Related Metrics
 Number of vulnerabilities
discovered
 Number of firewall
breaches
 Percent of individuals
receiving awareness
training relating to use of
endpoint devices
 Number of incidents
involving endpoint devices
 Number of unauthorized
devices detected on the
network or in the end-
user environment
 Average time between
change and update of
accounts
 Number of accounts (vs.
number of authorized
users/staff)
 Percent of periodic tests
of environmental security
devices
 Average rating for physical
security assessments
 Number of physical
security-related incidents
 Number of incidents
relating to unauthorized
access to information
* Deliver, Service and Support

22. Technical Security Testing
 Technical testing is looking for security flaws, specifically
impacts to confidentiality, integrity or availability, ways to
steal, alter or destroy information
 Vulnerability Assessments are looking for weakness
 Penetration testing adds human factor
 Code review includes errors that make it susceptible, e.g. to
buffer overflow, SQL insertion, etc.
 Phishing is to see what users do when presented with typical
malicious email scenarios
 Password assessments evaluate password settings and
practices, (sometimes as a part of scanning)
 Goal: assess risk by discovering flaws that persist in
systems and applications

23. Threat Vectors – Attack surface
 Methods attackers use to touch or exploit vulnerabilities
 A systems attack surface represents all of the ways in
which an attacker could attempt to introduce data to
exploit a vulnerability
 If you look at a list of vulnerabilities, you get too much
information, so we have to start by analyzing our network, our
data, evaluating our assets and their attack surface, then their
vulnerabilities to known threats
 One way to reduce risk is to minimize the attack vectors
 Once we know those vectors, we remediate prioritized threats
by reducing the likelihood of exploiting vulnerabilities

24. Shift in attack vectors:
Server Side v. Client Side Attacks
 Attacks against a listening service are called “Server-side
attacks”
 TCP server side attacks are initiated by an attacker (client)
 Client-side attacks work in reverse, where victim initiates
the traffic, usually by clicking on a link or email.
 We have to understand the environment from the
perspective of an adversary.
 We use threat modelling and ask “Who is the adversary
and what does the adversary want to accomplish?”

25. STRIDE – Microsoft Privacy Standard
(MPSD) in response to FIPS
 Spoofing v. Authentication
 Tampering v. Integrity
 Repudiation v. Non-Repudiation
 Information Disclosure v. Confidentiality
 Denial of Service v. Availability
 Elevation of Privilege v. Authorization

26. How they get us drives how we protect
against them
 External or internal actor is able to
perform host discovery
 Live systems can be discovered via
ARP, ICMP, TCP, UDP traffic, IPv6
neighbor discovery, Sniffing packets
and reviewing contents
Any person with administrative
privilege to network and systems can
perform these functions
Many general users can perform
some of these functions
Perform
reconnaissance
Network
enumeration
Port
scanning
Determine
version of OS
and services
Determine
vulnerable
service versions
Exploit
vulnerabilities

27. Port Scanners
 Open ports on systems is an attack
surface
 Port scanners evaluates all TCP / UDP
ports (scans twice) to determine which
are open (there are 65535 ports)
 Nmap is a well-known open source port
scanner
 Question:
 Who should be allowed to run a port
scanner?
 What should happen when we detect a
port scan is in progress?
 How long should we take to respond to
that information?

28. Its just a port – how much damage could be done?
 Hacker scans to find vulnerabilities
to target – ports, services, versions
 Hacker injects a virus, Trojan
 Infected machines further scan and
infect (worm) – spreading from
internal network (bypassing DMZ)
 Hacker issues commands to infected
hosts, able to send spam, effect
DDoS (denial of service)
 Intrusion Prevention Systems (IPS),
IDS, NIDS, NIPS… architecture could
have prevented all this
https://www.cityu.edu.hk/csc/netcomp/dec2006-5p.htm

29. Attackers shouldn’t know our weaknesses
before we do – We should do something
about our weaknesses
 Vulnerability assessment determines weakness across our actual
attack surface or threat vectors
 Tools to run (OWASP) Nessus, Nexpose, OpenVas, Retina
 Once vulnerable systems are identified, procedures to perform
limited exploits can involve use of:
 The MetaSploit Framework (metasploit)
 Core Impact (coresecurity)
 Immunity Canvas (immunitysec.com)
 For Linux, Backtrack and Kali

30. What do you call a person who uses attack
tools without permission?
 inmate
 Penetration testing is a
process of HIRING or
assigning a whitehat to
penetrate an application,
system or network
Business Process,
Scope
Reconnaissance
Port scanning,
VA
Exploitation
Post Exploitation

31. Source Code Review – White Box (v.
Blackbox) Testing
 Cheaper and Safer to whitebox b/c the effort to “Fuzz” code from
blackbox has high probability of impacting systems, is expensive and
time consuming
 Code review discovers security vulnerabilities by inspecting the source
code of a target application.
 Certain C Functions are commonly associated to buffer overflow
“-get(), strcpy(),strcat()”
 Compilers usually include security checks, but they need to be run by
policy and results need to be understood.
 Compiled code review should be “blackbox”

32. Fuzzing is Blackbox – sends unexpected inputs
 Automated cramming, exploits poorly
constructed interface constraints
 Web Application Testing
 HTTP Interception Proxy
 Code Analysis
 Beyond the proxy, Dynamic web application
scanners code attempt to automate assess the
security of customer web apps

33. Audit Velocity increases Maturity
 Approach: Find a flaw, fix
a flaw
 Approach: Find a lot of
flaws and keep a list
 Approach: align
vulnerability metrics into
a continual service
improvement model

34. Root Cause Analysis
 What is the root cause for any failure
 Example: “metrics indicate 80% of malicious code infections are
attributed to vulnerable versions of Java”
 What were the steps to create the finding?
 What are the expectations as a result of this finding?
 What is the measure of Security Program health?

35. Security Audit – Raising the right Bar
 Cloud Security Alliance Control Matrix – Cloud
Operational Security
 Controls Domain and Controls Matrix (98 Controls with
Mappings)
Value – architecture, portability and interoperability; physical,
network, compute, storage, applications, and data, differentiates
service provider versus tenants
 United States NIST Publication 200, NIST SP 800-54
rev4 – (mentioned earlier)
 PCI-DSS – The Payment Card Industry Data Standard
 Associated to credit card processing – however should be
true in general – 12 tenants

36. Federal Information Processing Standards (FIPS) Publications
 FIPS 202 SHA-3 Standard: Permutation-
Based Hash and Extendable-Output
Functions
 FIPS 201-2 Personal Identity Verification
(PIV) of Federal Employees and Contractors
 FIPS 200 Minimum Security Requirements
for Federal Information and Information
Systems
 FIPS 199 Standards for Security
Categorization of Federal Information and
Information Systems
 FIPS 198-1 The Keyed-Hash Message
Authentication Code (HMAC)
 FIPS 197Advanced Encryption Standard
(AES)
 FIPS 186-4 Digital Signature Standard (DSS)
 FIPS 180-4 Secure Hash Standard (SHS)
 FIPS 140-2 Security Requirements for
Cryptographic Modules
Standards issued by NIST after approval by the Secretary of Commerce
pursuant to the Federal Information Security Management Act (FISMA).
http://csrc.nist.gov/publications/PubsFIPS.html

37. Questions?
 Reach out on LinkedIn and we can continue the dialogue.
 Good luck in your studies. Hope this was helpful.