Cost Effective Auditing of Web Applications and Networks in Small, Medium Business Enterprises
Shalu
Department of Computer Science and Engineering
Graphic Era University
Dehradun, India

Mrs. Neha Garg
Department of Computer Science and Engineering
Graphic Era University
Dehradun, India
ABSTRACT
Small and Medium Businesses (SMBs) do not have the personnel or resources available to larger
organizations; SMBs have to do more with less. Because of these constraints, SMBs need to focus
on the issues that represent the highest risk to their businesses. This webcast reviews the web
application vulnerabilities, such as SQL injection and Cross-Site Scripting (XSS), that represent the
most risk and explains why the impact of these vulnerabilities is so great. Options for identifying
these vulnerabilities and common approaches to addressing them are also discussed. With this
information, SMBs can get the most risk reduction at the lowest possible cost.
Small and medium sized businesses may need to adapt their web application security strategy to
focus on those aspects that best utilize their time, budget and resources.
Many tools are available for web application testing. The Sahi tool, which has already been
showcased, automates web application testing. It also allows precise control when needed, making it
suitable for any web application, and it even works with older scripts. It therefore fits the auditing
requirements of SMBs.
The Information Security Management Systems (ISMS) standards, known colloquially as "ISO27k", are
documented at ISO27001security.com. The primary aim of the ISMS auditing guideline is to contribute
to the development of the new standard ISO/IEC 27007 by drawing on the experience of ISMS
implementers and IT/ISMS auditors. A secondary aim is to provide a pragmatic and useful guideline for
those involved in auditing ISMSs.
The ISMS standard is preferred for auditing the network environment as it ensures optimal usage,
efficiency and ISO-specified practices.
By using a range of open source tools in an integrated environment, as discussed in this project,
SMBs can cover most of the activities an auditor performs before an audit.
A large range of tasks which form the first three phases can be covered by the proposed integrated
tool environment.
Technical compliance tests may be necessary to verify that IT systems are configured in accordance
with the organization’s information security policies, standards and guidelines. Automated
configuration checking and vulnerability assessment tools may speed up the rate at which technical
compliance checks are performed but potentially introduce their own security issues that need to be
taken into account.
Advantages:
i) Cost effective
ii) Reduce time of auditing
iii) Reduction in number of man days charged by the network auditor.
iv) Pre-closing of vulnerabilities thereby pro-actively protecting the hardware environment.
v) Pre-closing of vulnerabilities thereby pro-actively protecting the web applications.
During the fieldwork phase, audit evidence is gathered by the auditor(s) working methodically
through the work plan or checklist: for example, interviewing staff, managers and other stakeholders
associated with the ISMS; reviewing ISMS documents, printouts and data (including records of
ISMS activities such as security log reviews); observing ISMS processes in action; and checking
system security configurations. Pre-audit tests already performed by the SMB's system
administrator greatly reduce the work, and the audit tests, that the auditor has to perform.
The integrated test tool environment discussed in this project combines the effective performance of
open source tools used for both the hardware and software aspects of SMBs, thus reducing much of
the time required for independent testing of web applications on one hand and of the network
environment on the other.
KEYWORDS: Web application, JavaScript, DOM, multithread
Table of Contents
1. Introduction
1.1 Scope
1.2 Principles of auditing
1.3 Managing an audit programme
2. Technique description
2.1 Sahi Architecture
3. Description of the tool used for simulation
3.1 Getting Started
3.2 Prerequisites
3.3 Download Sahi OS
3.4 Installation of Sahi
3.5 Starting Sahi
4. Experiments and Results
4.1 Recording through Sahi
4.2 Playing back through Sahi
4.3 View Logs
5. Problem extended for dissertation
6. Timeline Chart of work done and work to be completed
7. References
8. Figures
Fig-1: Audit Activities of Networks
Fig-2: Java-based proxy server injects JavaScript code
Fig-3: Sahi dashboard
Fig-4: Sahi controller
Fig-5: Sahi recording
Chapter 1
1. Introduction, Background
1.1 Scope
The ISMS guideline provides advice to IT auditors reviewing compliance with the ISO/IEC 27000
family of standards, principally ISO/IEC 27001 (the ISMS certification standard) and to a lesser
extent ISO/IEC 27002 (the code of practice for information security management). It is also meant
to help those who are implementing or have implemented the ISO/IEC 27000 family of standards, to
conduct internal audits and management reviews of their ISMS. Like the other related standards, it is
generic and needs to be tailored to the specific requirements of each situation. In particular, it points
out that audits are best planned and conducted in relation to the risks facing the organization being
audited, in other words the starting point for audit planning is an initial assessment of the main risks
(commonly known as a pre-audit survey or gap analysis). As with ISO/IEC 27001 and ISO/IEC
27002, being risk-based provides a natural priority to the audit tests and relates directly to the
organization's business requirements for information security.
1.2 Principles of auditing
Important but generic audit principles apply, e.g. independent evaluation against agreed criteria, plus
more specific principles aimed at ISMS audits.
In all matters related to the audit, the ISMS auditor should be independent of the auditee in both
attitude and appearance. The ISMS audit function should be independent of the area or activity
being reviewed to permit objective completion of the audit assignment.
Information security is a dynamic field with frequent changes to the risks (i.e. the threats,
vulnerabilities and/or impacts), controls and environment. It is therefore important that auditors
auditing information security controls should maintain knowledge of the state of the art
(e.g. emerging information security threats and currently-exploited vulnerabilities) and the
organizational situation (e.g. changing business processes and relationships, technology changes).
1.3 Managing an audit programme
The guideline also covers:
i) Advice on planning and scoping individual ISMS audits within the overall audit work
programme, e.g. the idea of combining wide but shallow ISMS audits with narrower but
deeper audits on areas of particular concern.
ii) ISMS audits at multi-site organizations, including multinationals and ‘group’ structures, where
comparisons between the ISMSs in operation within individual business units can help share and
promote good practices.
iii) Auditing business partners' ISMSs, emphasizing the value of ISO/IEC 27001 certification as a
means of gaining a level of confidence in the status of their ISMSs without necessarily having to
do the audit work.
iv) Developing an internal program for auditing the ISMS.
From an IRCA point of view you develop an Audit Plan when preparing to audit an organization. This
plan is derived from the "Scope of Registration" document that an individual fills out when requesting
a certification audit from a registrar. Besides the scope of registration, the domain definition will also
feed the audit plan.
The activities performed by a network auditor as per the Information Security Management Systems
(ISMS) standards are as below:
Fig-1: Audit Activities of Networks
The following checklist is common. It reflects and refers to ISO/IEC 27001's requirements for
Information Security Management Systems without regard to any specific ISMS requirements that an
individual organization might have (for example if they are subject to legal, regulatory or contractual
obligations to implement particular information security controls).
The checklist is primarily intended to guide, or to be adapted and used by, competent auditors
including those working for internal audit functions, external audit bodies and ISMS certification
bodies. It can also be used for internal management reviews of the ISMS including pre-certification
checks to determine whether the ISMS is in a fit state to be formally audited. Finally, it serves as a
general guide to the likely depth and breadth of coverage in ISMS certification audits, helping the
organization to prepare the necessary records and information (identified in bold below) that the
auditors will probably want to review.
The audit tests noted below are intended as prompts or reminders of the main aspects to be checked
by competent, qualified and experienced IT auditors. They do not cover every single aspect of
ISO/IEC 27001. They are not meant to be asked verbatim or checked-off piecemeal. They are not
suitable for use by inexperienced auditors working without supervision.
Chapter 2
2. Technique description
2.1 Sahi Architecture:
The architecture of Sahi allows Sahi to be used on any browser or operating system. Sahi relies on
two core technologies/concepts:
1. HTTP proxy – to inject code
2. JavaScript code – to find elements and emulate actions
Both these technologies are basic building blocks of internet technologies and will necessarily be
supported by all browsers, making Sahi very easily extensible to newer browsers or newer versions
of browsers.
Sahi uses an HTTP proxy at its core to inject JavaScript into web pages. The injected JavaScript uses
custom code to identify elements in the browser and simulate actions such as click, type etc. on them.
Fig-2: Java-based proxy server injects JavaScript code
HTML responses which pass through the proxy are modified such that JavaScript is injected at the start
and the end of the response. This allows the browser to record and play back scripts and talk back to
the proxy when needed. Apart from handling requests for pages that the browser requests, Sahi’s
proxy also handles custom commands related to recording, playback etc. which the browser sends.
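To make the response-rewriting step concrete, here is an added example (written for this page, not Sahi's own code) of the filter an injecting proxy applies to each upstream response: a script tag goes in right after `<head>` and another right before the last `</body>`, non-HTML responses pass through untouched, gzip bodies are decompressed before rewriting, and the framing headers are recomputed. The script paths `/_s_/record.js` and `/_s_/controller.js` are hypothetical names, the sample response is constructed, and the proxy is assumed to listen on 127.0.0.1:9999 (loopback plus the port the report mentions).

```python
"""Added example, not Sahi's code: HTML-response instrumentation of the kind a
recording/playback proxy performs.  Script paths are hypothetical; the listener
address is an assumption."""
import gzip
import ipaddress
import re
from typing import Dict, Tuple

# Bind an injecting proxy to loopback only: a page-rewriting proxy reachable
# from the LAN is exactly the kind of tool-introduced exposure a compliance
# check has to account for.  (Assumed address; 9999 is the port the report names.)
PROXY_BIND = ("127.0.0.1", 9999)

HEAD_SNIPPET = b'<script src="/_s_/record.js"></script>'      # hypothetical path
TAIL_SNIPPET = b'<script src="/_s_/controller.js"></script>'  # hypothetical path

# "<head>" or "<head ...>", but not "<header>"; last "</body>" in the document.
_HEAD_OPEN = re.compile(rb"<head(?:\s[^>]*)?>", re.IGNORECASE)
_BODY_CLOSE = re.compile(rb"</body\s*>", re.IGNORECASE)


def is_loopback_bind(host: str) -> bool:
    """True when the proxy listener address is a loopback address."""
    return ipaddress.ip_address(host).is_loopback


def inject(headers: Dict[str, str], body: bytes) -> Tuple[Dict[str, str], bytes]:
    """Return (headers, body) for one upstream response.

    HTML responses get HEAD_SNIPPET right after <head> (or at the very start
    when there is no <head>) and TAIL_SNIPPET right before the last </body>
    (or at the very end).  Non-HTML responses and encodings not handled here
    pass through unchanged, so images, JSON and scripts are never corrupted.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if not lower.get("content-type", "").lower().startswith("text/html"):
        return dict(headers), body

    encoding = lower.get("content-encoding", "identity").lower()
    if encoding == "gzip":
        body = gzip.decompress(body)      # rewrite the markup, not the gzip stream
    elif encoding != "identity":
        return dict(headers), body        # br, deflate etc.: not handled here

    m = _HEAD_OPEN.search(body)
    cut = m.end() if m else 0
    body = body[:cut] + HEAD_SNIPPET + body[cut:]

    closes = list(_BODY_CLOSE.finditer(body))
    cut = closes[-1].start() if closes else len(body)
    body = body[:cut] + TAIL_SNIPPET + body[cut:]

    # The body changed, so the framing headers must be recomputed: a stale
    # Content-Length truncates the page and a stale Content-Encoding makes the
    # browser try to gunzip plain text.
    out = {k: v for k, v in headers.items()
           if k.lower() not in ("content-length", "content-encoding")}
    out["Content-Length"] = str(len(body))
    return out, body


if __name__ == "__main__":
    # Constructed sample response, not captured traffic.
    sample = b"<html><head><title>t</title></head><body><p>hi</p></body></html>"
    hdrs, page = inject({"Content-Type": "text/html; charset=utf-8",
                         "Content-Length": str(len(sample))}, sample)
    print(hdrs)
    print(page.decode())
```

One caveat worth keeping in mind when assessing such a tool: if the upstream page sends a Content-Security-Policy header, the browser will refuse the injected script, and a proxy that strips that header to make injection work is weakening the page's own protection for the duration of the test.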
Chapter 3
3. Description of the tool used for simulation
3.1 Getting Started
3.2 Prerequisites
Java 1.5 or above is needed for running Sahi.
3.3 Download Sahi OS
Download Sahi OS from http://sahi.co.in
3.4 Installation of Sahi
Once Sahi is downloaded, double click on the jar file to run the installer.
Fig-3: Sahi dashboard
3.5 Starting Sahi
Start Sahi Dashboard by any of the following methods:
1) Double click on the desktop shortcut
2) Go to Start -> All Programs -> Sahi -> Start Sahi
3) Start from the command line.
Windows: go to <Sahi>\userdata\bin and run start_dashboard.bat
The Sahi Dashboard starts the Sahi proxy and allows launching of different browsers. Sahi
automatically modifies the browser’s proxy settings so that requests go through the Sahi Proxy
(localhost:9999).
Chapter 4
4. Experiments and Results
4.1 Recording through Sahi
Click on any browser on the Dashboard. A browser window should open with the following
screen:
Fig-4: Sahi controller
Press ALT and double click on the window which you want to record. The Sahi Controller will
pop up. (If that does not work, press CTRL and ALT keys together and then double click. Make
sure popup blockers are turned off)
On the controller, go to the Record tab.
Give a name for the script, and click ‘Record’. (The .sah extension is optional.)
Navigate on your website like you normally would. Most actions on the page will now get
recorded.
Add an assertion:
i) Move the mouse over any html element while pressing Ctrl key. The Accessor field will
get populated in the controller.
ii) Click the “Assert” button to generate assertions for the element. They will appear in the
“Evaluate Expression” box.
iii) Click “Test —>” to check that the assertions are true. You can evaluate any javascript
using “Evaluate Expression” and “Test —>”. Actions performed via the controller will not be
automatically recorded. Only actions performed directly on the page are automatically
recorded. This lets you experiment on the webpage at recording time without impacting the
script.
iv) Once satisfied, click on “Append to Script”. This will add the assertions to the script.
v) Click “Stop” to finish recording.
Fig-5: Sahi recording
Note that the controller can be closed and reopened at any time, without disrupting recording. The
recorded script is stored in the <sahi_pro>\userdata\scripts directory. The recorded script can be
viewed and edited easily through any text editor. Sahi scripts are simple text files which use
JavaScript syntax.
The script can be edited even while recording, so that logical segregation into functions etc. can be
done as recording happens.
4.2 Playing back through Sahi
Running a test from the controller:
1) Open the Sahi controller (ALT + double-click on the page).
2) Click on the “Playback” tab.
3) Enter the script name in the “File:” field (with the help of the auto-completion feature).
4) Enter the start URL of the test, e.g. if you had started recording from
http://sahi.co.in/demo/training/, use that URL.
5) Click ‘Set’.
6) Click ‘Play’.
Steps will start executing, and the controller will be updated accordingly. Once finished, SUCCESS
or FAILURE will be displayed at the end of the steps.
4.3 View Logs
On the controller, go to Playback tab and click on “View Logs” link at the bottom right. It will open
a window with the results neatly formatted in HTML.
Clicking on a line in the logs will drill down to the exact line in the script. Logs show all the assertions in
green. If an assertion has failed it will show in red. You can click on any of these lines to go to the
line of the script to debug.
Chapter 5
5. Problem extended for dissertation
Small and medium business enterprises are financially constrained, and it is difficult for them to pay
large sums to auditors. At the same time, many legal and regulatory requirements aimed at protecting
sensitive or personal data, as well as general public security requirements, compel them to devote the
utmost attention and priority to information security risks. If a service is not tested, there will be
no information about its security or insecurity. A security audit is unlikely to provide information
about new vulnerabilities, especially those discovered after the test is carried out. Vulnerability
assessments that include careful diagnostic reviews of all servers and network devices will definitely
identify more issues faster than a "black box" test.
The chief objective of this work is to perform pre-auditing in order to minimize the cost and time of
auditing in small and medium business enterprises.
Chapter 6
6. Timeline Chart of work done and work to be completed
i) Testing of web application, records, and playbacks has been completed.
ii) Survey of network auditing tools available and their efficiency vis-a-vis each other has been
completed.
iii) Study of ISMS standards for network auditing has been completed.
iv) Performance of network audit tools has to be checked.
v) Integration and assimilation of tools has to be done for the selected SMB.
vi) Cost effective report of the environment developed has to be made.