This document discusses various types of security assessments, including technical security testing, security process assessments, and security audits. It provides details on vulnerability assessments, network penetration testing, web application penetration testing, and source code analysis. It also discusses security process reviews and the differences between security assessments and security audits.
3. Resilience
What are our critical assets?
Who is responsible for them?
Is everyone involved in cyber-resilience? Do they have the knowledge and autonomy to make good decisions?
Are we prepared for when there is a successful attack?
Will there be a tried and tested process to follow, or will a cyber attack throw our organization into complete chaos?
4. Types of Security Assessment
Technical Security Testing
Security Process Assessment
Security Audit
6. Vulnerability Assessment
Scanning systems looking for a set (a list) of vulnerabilities
Looks for common and known vulnerabilities
Uses a scanning tool
Performed in-house and by third parties
Let’s look at common and recommended scanning tools.
Source: OWASP, Vulnerability Scanning Tools
7. OWASP Listed Vulnerability Scanning Tools
| Name | Owner | Licence | Platforms |
| --- | --- | --- | --- |
| Acunetix WVS | Acunetix | Commercial / Free (Limited Capability) | Windows |
| AppScan | IBM | Commercial | Windows |
| AVDS | Beyond Security | Commercial / Free (Limited Capability) | N/A |
| BugBlast | Buguroo Offensive Security | Commercial | SaaS or On-Premises |
| Burp Suite | PortSwigger | Commercial / Free (Limited Capability) | Most platforms supported |
| Contrast | Contrast Security | Commercial / Free (Limited Capability) | SaaS or On-Premises |
| GamaScan | GamaSec | Commercial | Windows |
| Grabber | Romain Gaucher | Open Source | Python 2.4, BeautifulSoup and PyXML |
| Grendel-Scan | David Byrne | Open Source | Windows, Linux and Macintosh |
| GoLismero | GoLismero Team | GPLv2.0 | Windows, Linux and Macintosh |
| Hailstorm | Cenzic | Commercial | Windows |
| IKare | ITrust | Commercial | N/A |
| IndusGuard Web | Indusface | Commercial | SaaS |
| N-Stealth | N-Stalker | Commercial | Windows |
| Netsparker | Mavituna Security | Commercial | Windows |
| Nexpose | Rapid7 | Commercial / Free (Limited Capability) | Windows/Linux |
| Nikto | CIRT | Open Source | Unix/Linux |
8. OWASP Listed Vulnerability Scanning Tools (continued)
| Name | Owner | Licence | Platforms |
| --- | --- | --- | --- |
| AppSpider | Rapid7 | Commercial | Windows |
| ParosPro | MileSCAN | Commercial | Windows |
| Proxy.app | Websecurify | Commercial | Macintosh |
| QualysGuard | Qualys | Commercial | N/A |
| Retina | BeyondTrust | Commercial | Windows |
| Securus | Orvant, Inc | Commercial | N/A |
| Sentinel | WhiteHat Security | Commercial | N/A |
| Vega | Subgraph | Open Source | Windows, Linux and Macintosh |
| Wapiti | Informática Gesfor | Open Source | Windows, Unix/Linux and Macintosh |
| WebApp360 | TripWire | Commercial | Windows |
| WebInspect | HP | Commercial | Windows |
| SOATest | Parasoft | Commercial | Windows / Linux / Solaris |
| Trustkeeper Scanner | Trustwave SpiderLabs | Commercial | SaaS |
| WebReaver | Websecurify | Commercial | Macintosh |
| WebScanService | German Web Security | Commercial | N/A |
| Websecurify Suite | Websecurify | Commercial / Free (Limited Capability) | Windows, Linux, Macintosh |
| Wikto | Sensepost | Open Source | Windows |
| w3af | w3af.org | GPLv2.0 | Linux and Mac |
| Xenotix XSS Exploit Framework | OWASP | Open Source | Windows |
| Zed Attack Proxy | OWASP | Open Source | Windows, Unix/Linux and Macintosh |
9. What to do with a list of known vulnerabilities
Scanners provide a score of 1 to 5 (relative to what?)
CVSS (Common Vulnerability Scoring System) is a method used to classify vulnerabilities by severity
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) defines three phases; it is criticized as complex and as not providing detailed quantitative analysis of security exposure.
Phase 1: Build asset-based threat profiles
Phase 2: Identify infrastructure vulnerabilities
Phase 3: Develop security strategy and plans
10. Penetration Tests
Red Team Exercises or Ethical Hacking – (Yes, I’m compelled to talk about blue team, but not yet.)
We know we have flaws - a pen test seeks to exploit them
Simulates an attacker (does not cause harm)
Output: identification of susceptible assets (sites)
In short: as good as the people who perform them, and as valuable as the reduced risk on the items that get remediated
A red team is an independent group that challenges an organization to improve its effectiveness. The United States intelligence community (military and civilian) has red teams that explore alternative futures and write articles as if they were foreign world leaders.
Source: Red team - Wikipedia, the free encyclopedia
11. Penetration Testing – Operations Evaluation
War dialing (looking for modems, especially those plugged into older enterprise hardware)
Sniffing – Wireshark; configuring a monitor port on a managed switch; network tap
Eavesdropping
Radiation monitoring
Dumpster diving
Social engineering
http://www.lawtechnologytoday.org/2015/03/information-security-threat-social-engineering-and-the-human-element/
You typically insert a network tap inline between two nodes in a network, such as between your firewall and your first switch. $$$ Not typically in the audit budget
12. Security Process Review
Looking for weaknesses and vulnerabilities
Security Assessment Report
Deficient Security Posture
Technology
People
Process
13. Security Process
Process is more than policy, although we start with policy
What are two great frameworks for establishing the necessary procedures and work products to show that the processes are effective?
Cobit 5 and the NIST Cybersecurity Framework
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
National Institute of Standards and Technology, U.S. Department of Commerce (not copyrightable in the United States.)
14. You Need to Read
International Organization for Standardization, Risk management – Principles and guidelines, ISO 31000:2009, 2009. http://www.iso.org/iso/home/standards/iso31000.htm
International Organization for Standardization/International Electrotechnical Commission, Information technology – Security techniques – Information security risk management, ISO/IEC 27005:2011, 2011. http://www.iso.org/iso/catalogue_detail?csnumber=56742
Joint Task Force Transformation Initiative, Managing Information Security Risk: Organization, Mission, and Information System View, NIST Special Publication 800-39, March 2011. http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
U.S. Department of Energy, Electricity Subsector Cybersecurity Risk Management Process, DOE/OE-0003, May 2012. http://energy.gov/sites/prod/files/Cybersecurity%20Risk%20Management%20Process%20Guideline%20%20Final%20-%20May%202012.pdf
15. U Need to Use: NIST Framework for Improving Critical Infrastructure Cybersecurity; Annex A
16. Cobit 5: Process Area Assessment
APO12: Manage Risk, “Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.”
APO13: Manage Security, “Define, operate and monitor a system for information security management.”
DSS05: Manage Security Services, “Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges and perform security monitoring.”
17. Assessment v. Audit
A security assessment is a comprehensive review of systems and applications performed by trained security professionals (CISSP/CCIE/CCNA/CISM)
Security assessments normally include the use of testing tools and go beyond automated scanning
Involves a thoughtful review of the threat environment, current and future risk, and value definition of the targeted environments
The output of an assessment is a report addressed to management with recommendations in both technical and non-technical language
18. Auditing Security Assessment & Verification
Compliance checks
Internal and external
Frequency of review
Standard of due care
Internal Audit typically performs the assessment for an internal audience
External audits are performed for external investors and as part of third-party due diligence requirements
Third-party review is emphasized to avoid a “conflict of interest”
19. What are the “Related Metrics” from Manage Risk APO12*
Purpose: Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management. Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.
Related Metrics:
Degree of visibility and recognition in the current environment
Number of loss events with key characteristics captured in repositories
Percent of audits, events and trends captured in repositories
Percent of key business processes included in the risk profile
Completeness of attributes and values in the risk profile
Percent of risk management proposals rejected due to lack of consideration of other related risk
Number of significant incidents not identified and included in the risk management portfolio
Percent of IT risk action plans executed as designed
Number of measures not reducing residual risk
*APO: Align, Plan and Organize
20. What are the “Related Metrics” from Manage Security APO13*
Purpose: Define, operate and monitor a system for information security management. Keep the impact and occurrence of information security incidents within the enterprise’s risk appetite levels.
Related Metrics:
Number of key security roles clearly defined
Number of security-related incidents
Level of stakeholder satisfaction with the security plan throughout the enterprise
Number of security solutions deviating from the plan
Number of security solutions deviating from the enterprise architecture
Number of services with confirmed alignment to the security plan
Number of security incidents caused by non-adherence to the security plan
Number of solutions developed with confirmed alignment to the security plan
*APO: Align, Plan and Organize
21. What are the “Related Metrics” from Manage Security Services DSS05*
Purpose: Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges and perform security monitoring. Minimize the business impact of operational information security vulnerabilities and incidents.
Related Metrics:
Number of vulnerabilities discovered
Number of firewall breaches
Percent of individuals receiving awareness training relating to use of endpoint devices
Number of incidents involving endpoint devices
Number of unauthorized devices detected on the network or in the end-user environment
Average time between change and update of accounts
Number of accounts (vs. number of authorized users/staff)
Percent of periodic tests of environmental security devices
Average rating for physical security assessments
Number of physical security-related incidents
Number of incidents relating to unauthorized access to information
*DSS: Deliver, Service and Support
22. Technical Security Testing
Technical testing is looking for security flaws, specifically impacts to confidentiality, integrity or availability: ways to steal, alter or destroy information
Vulnerability assessments are looking for weakness
Penetration testing adds the human factor
Code review includes errors that make code susceptible, e.g. to buffer overflow, SQL injection, etc.
Phishing is to see what users do when presented with typical malicious email scenarios
Password assessments evaluate password settings and practices (sometimes as a part of scanning)
Goal: assess risk by discovering flaws that persist in systems and applications
23. Threat Vectors – Attack Surface
Methods attackers use to touch or exploit vulnerabilities
A system’s attack surface represents all of the ways in which an attacker could attempt to introduce data to exploit a vulnerability
If you look at a list of vulnerabilities, you get too much information, so we have to start by analyzing our network and our data, evaluating our assets and their attack surface, then their vulnerabilities to known threats
One way to reduce risk is to minimize the attack vectors
Once we know those vectors, we remediate prioritized threats by reducing the likelihood of exploiting vulnerabilities
24. Shift in Attack Vectors: Server-Side v. Client-Side Attacks
Attacks against a listening service are called “server-side attacks”
TCP server-side attacks are initiated by an attacker (client)
Client-side attacks work in reverse, where the victim initiates the traffic, usually by clicking on a link or email.
We have to understand the environment from the perspective of an adversary.
We use threat modelling and ask “Who is the adversary and what does the adversary want to accomplish?”
25. STRIDE – Microsoft Privacy Standard (MPSD) in response to FIPS
Spoofing v. Authentication
Tampering v. Integrity
Repudiation v. Non-Repudiation
Information Disclosure v. Confidentiality
Denial of Service v. Availability
Elevation of Privilege v. Authorization
26. How they get us drives how we protect against them
An external or internal actor is able to perform host discovery
Live systems can be discovered via ARP, ICMP, TCP, UDP traffic, IPv6 neighbor discovery, and sniffing packets and reviewing their contents
Any person with administrative privilege to the network and systems can perform these functions
Many general users can perform some of these functions
Sequence: Perform reconnaissance → Network enumeration → Port scanning → Determine version of OS and services → Determine vulnerable service versions → Exploit vulnerabilities
27. Port Scanners
Open ports on systems are an attack surface
Port scanners evaluate all TCP/UDP ports (scans twice) to determine which are open (there are 65535 ports)
Nmap is a well-known open source port scanner
Questions:
Who should be allowed to run a port scanner?
What should happen when we detect a port scan is in progress?
How long should we take to respond to that information?
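The slide asks what should happen when a port scan is detected; the first step is being able to detect one. The following is an added example (not from the slides): a sliding-window detector run over constructed firewall-deny log lines, flagging any source that reaches many distinct destination ports in a short window while ignoring a host that merely retries one service. The log format is a made-up key=value layout, not any vendor’s real format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample firewall-deny lines. 10.0.0.5 sweeps ten ports within ten
# seconds; 10.0.0.9 retries one service; 10.0.0.7 touches three ports minutes apart.
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 139, 443, 445, 3389]
SAMPLE_LOG = [
    f"2024-05-01T10:00:{i:02d} DENY src=10.0.0.5 dst=10.0.1.20 dport={p} proto=TCP"
    for i, p in enumerate(SCAN_PORTS)
] + [
    "2024-05-01T10:00:03 DENY src=10.0.0.9 dst=10.0.1.20 dport=443 proto=TCP",
    "2024-05-01T10:00:04 DENY src=10.0.0.9 dst=10.0.1.20 dport=443 proto=TCP",
    "2024-05-01T10:01:00 DENY src=10.0.0.7 dst=10.0.1.21 dport=22 proto=TCP",
    "2024-05-01T10:05:00 DENY src=10.0.0.7 dst=10.0.1.21 dport=80 proto=TCP",
    "2024-05-01T10:09:00 DENY src=10.0.0.7 dst=10.0.1.21 dport=443 proto=TCP",
    "this line is malformed and must be skipped",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

def parse(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))

def detect_port_scans(lines, window_s=60, min_targets=8):
    """Flag each source that reaches >= min_targets distinct (dst, dport) pairs
    inside any window_s-second sliding window. Events are sorted first so the
    logic also works on unordered input. Returns {src: distinct targets at alert}."""
    events = sorted(e for e in map(parse, lines) if e is not None)
    recent = defaultdict(deque)          # src -> deque of (ts, (dst, dport))
    alerts = {}
    for ts, src, dst, dport in events:
        q = recent[src]
        q.append((ts, (dst, dport)))
        while ts - q[0][0] > timedelta(seconds=window_s):
            q.popleft()                  # drop events that fell out of the window
        targets = {t for _, t in q}
        if len(targets) >= min_targets and src not in alerts:
            alerts[src] = len(targets)   # record the first crossing of the threshold
    return alerts

if __name__ == "__main__":
    for src, n in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {n} distinct targets within 60s")
```

Tune window_s and min_targets to the environment; the second test below shows that a wide window and a low threshold also catch the slow host.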
28. It’s just a port – how much damage could be done?
Hacker scans to find vulnerabilities to target – ports, services, versions
Hacker injects a virus or Trojan
Infected machines further scan and infect (worm), spreading from the internal network (bypassing the DMZ)
Hacker issues commands to infected hosts, able to send spam or effect DDoS (distributed denial of service)
Intrusion Prevention Systems (IPS), IDS, NIDS, NIPS… an architecture with these could have prevented all this
https://www.cityu.edu.hk/csc/netcomp/dec2006-5p.htm
29. Attackers shouldn’t know our weaknesses before we do – we should do something about our weaknesses
Vulnerability assessment determines weakness across our actual attack surface or threat vectors
Tools to run (OWASP): Nessus, Nexpose, OpenVAS, Retina
Once vulnerable systems are identified, procedures to perform limited exploits can involve use of:
The Metasploit Framework (metasploit)
Core Impact (coresecurity)
Immunity CANVAS (immunitysec.com)
For Linux, BackTrack and Kali
30. What do you call a person who uses attack tools without permission?
Inmate.
Penetration testing is a process of HIRING or assigning a whitehat to penetrate an application, system or network
Stages: Business process and scope → Reconnaissance → Port scanning and VA → Exploitation → Post-exploitation
31. Source Code Review – White Box (v. Black Box) Testing
Cheaper and safer to white-box because the effort to “fuzz” code from black box has a high probability of impacting systems, is expensive and is time consuming
Code review discovers security vulnerabilities by inspecting the source code of a target application.
Certain C functions are commonly associated with buffer overflow: gets(), strcpy(), strcat()
Compilers usually include security checks, but they need to be run by policy and the results need to be understood.
Compiled code review should be “black box”
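The slide names gets(), strcpy() and strcat() as the C calls a reviewer looks for. The following is an added example (not from the slides): a small white-box checker that reports those call sites with line numbers and the safer replacement to suggest, skipping mentions inside comments and string literals so the review list has no false positives; sprintf() is included beyond the slide’s three as a common addition, and the C source it scans is constructed for the example.

```python
import re

# Functions the slide calls out (plus sprintf), each with the review advice to attach.
UNSAFE_C_CALLS = {
    "gets": "use fgets(buf, sizeof buf, stdin); gets() cannot bound its write",
    "strcpy": "use strncpy/strlcpy or snprintf with an explicit destination size",
    "strcat": "use strncat/strlcat with the remaining space computed, or snprintf",
    "sprintf": "use snprintf with the destination size",
}
CALL_RE = re.compile(r"\b(" + "|".join(UNSAFE_C_CALLS) + r")\s*\(")

def strip_comments_and_strings(src: str) -> str:
    """Blank out /* */ and // comments and string literals so a call name inside
    them is not reported. Newlines are kept so line numbers stay correct."""
    def blank(m):
        return re.sub(r"[^\n]", " ", m.group(0))
    pattern = r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"'
    return re.sub(pattern, blank, src, flags=re.DOTALL)

def find_unsafe_calls(src: str):
    """Return [(line_no, function, advice)] for every flagged call site."""
    findings = []
    for n, line in enumerate(strip_comments_and_strings(src).splitlines(), 1):
        for m in CALL_RE.finditer(line):
            findings.append((n, m.group(1), UNSAFE_C_CALLS[m.group(1)]))
    return findings

# Constructed C snippet: three real call sites, plus decoys in a comment and a string.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>
/* strcpy in this comment must not be reported */
int main(void) {
    char name[32];
    char greeting[64] = "Hello, ";
    printf("use strcpy carefully\n");   // string literal and comment: ignored
    gets(name);                          /* unbounded read into name */
    strcat(greeting, name);              /* no remaining-space check */
    char copy[16]; strcpy(copy, greeting);
    return 0;
}
'''

if __name__ == "__main__":
    for line_no, fn, advice in find_unsafe_calls(SAMPLE_C):
        print(f"line {line_no}: {fn}() -> {advice}")
```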
32. Fuzzing is Black Box – sends unexpected inputs
Automated cramming; exploits poorly constructed interface constraints
Web Application Testing
HTTP interception proxy
Code analysis
Beyond the proxy, dynamic web application scanners attempt to automate assessing the security of customer web apps
33. Audit Velocity Increases Maturity
Approach: find a flaw, fix a flaw
Approach: find a lot of flaws and keep a list
Approach: align vulnerability metrics into a continual service improvement model
34. Root Cause Analysis
What is the root cause for any failure?
Example: “metrics indicate 80% of malicious code infections are attributed to vulnerable versions of Java”
What were the steps to create the finding?
What are the expectations as a result of this finding?
What is the measure of Security Program health?
35. Security Audit – Raising the Right Bar
Cloud Security Alliance Cloud Controls Matrix – cloud operational security
Controls domain and controls matrix (98 controls with mappings)
Value – architecture, portability and interoperability; physical, network, compute, storage, applications, and data; differentiates service provider versus tenants
United States NIST Publication 200, NIST SP 800-54 rev4 – (mentioned earlier)
PCI-DSS – The Payment Card Industry Data Security Standard
Associated with credit card processing – however, it should be true in general – 12 tenets
36. Federal Information Processing Standards (FIPS) Publications
FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
FIPS 201-2 Personal Identity Verification (PIV) of Federal Employees and Contractors
FIPS 200 Minimum Security Requirements for Federal Information and Information Systems
FIPS 199 Standards for Security Categorization of Federal Information and Information Systems
FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC)
FIPS 197 Advanced Encryption Standard (AES)
FIPS 186-4 Digital Signature Standard (DSS)
FIPS 180-4 Secure Hash Standard (SHS)
FIPS 140-2 Security Requirements for Cryptographic Modules
Standards issued by NIST after approval by the Secretary of Commerce pursuant to the Federal Information Security Management Act (FISMA).
http://csrc.nist.gov/publications/PubsFIPS.html
37. Questions?
Reach out on LinkedIn and we can continue the dialogue.
Good luck in your studies. Hope this was helpful.
Editor's Notes
How is this possible? What is missing?
Let’s put on our Auditor hats. What can we use from Cobit 5 to assess the maturity of the security program in the context of the business and organization?
Process, Purpose, Metrics