Types of security assessment, technical and procedural.

1. http://www.enterprisegrc.com
Security Assessment – Concept Review with
a hint of CISSP Exam Prep
Contribution to ISACA-SV January 2016
Robin Basham, M.IT, M.Ed, CISA, CRISC, CGEIT, CISSP

2. Which items are elements of “security”?
2

3. The Mission: Resilience
 What are our critical assets?
 Who is responsible for them?
 Is everyone involved in cyber-resilience? Do they have the
knowledge and autonomy to make good decisions?
 Are we prepared for when there is a successful attack?
 Will there be a tried and tested process to follow or will cyber
attack throw our organization into complete chaos?
3

4. Types of Security Assessment
 Technical Security Testing (ONE)
 Security Process Assessment (TWO)
 Security Audit (THREE)
4

5. Audit Velocity increases Maturity
 Approach: Find a flaw, fix
a flaw
 Approach: Find a lot of
flaws and keep a list
 Approach: align
vulnerability metrics into
a continual service
improvement model
5

6. Root Cause Analysis
 What is the root cause for any failure
 Example: “metrics indicate 80% of malicious code infections are
attributed to vulnerable versions of Java”
 What were the steps to create the finding?
 What are the expectations as a result of this finding?
 What is the measure of Security Program health?
6

7. Technical (one)
 Looking for security weaknesses
 Vulnerability Assessment
 Network Penetration Testing
 Web Application Penetration Testing
 Source Code Analysis
7

8. Vulnerability Assessment
 Scanning systems looking for a set of vulnerabilities
(a list)
 Looks for common and known vulnerabilities
 Uses a scanning tool
 Performed in house and by third party
Let’s look at common and recommended scanning tools.
Source is OWASPVulnerability Scanning Tools - OWASP
8

9. Penetration Tests
 Red Team Exercises or Ethical Hacking – (Yes, I’m compelled to talk about blue
team, but not yet.)
 We know we have flaws - pen test seeks to exploit them
 Simulates attacker (does not cause harm)
 Output: Identification of susceptible assets (sites)
 In short: As good as the people who perform them and as valuable as the
reduced risk on the items that get remediated
A red team is an independent group that challenges an organization to improve its
effectiveness. The United States intelligence community (military and civilian) has red
teams that explore alternative futures and write articles as if they were foreign world
leaders.
Red team - Wikipedia, the free encyclopedia
12

10. Penetration Testing – Operations Evaluation
 War Dialing (looking for modems – especially plugged into older
enterprise hardware)
 Sniffing – Wireshark -Configuring a monitor port on a managed
switch - network tap
 Eavesdropping
 Radiation monitoring
 Dumpster diving
 Social Engineering
http://www.lawtechnologytoday.org/2015/03/information-security-threat-
social-engineering-and-the-human-element/
You typically insert a network tap inline between two nodes in a
network, such as between your firewall and your first switch. $$$ Not
typically in audit budget
13

11. Security Process Review (two)
 Looking for weaknesses and vulnerabilities
Security Assessment Report
Deficient Security Posture
Technology
People
Process
14

12. Security Process
 Process is more than policy, although we start with
policy
 What are two great frameworks for establishing
necessary procedure and work product to show that
the processes are effective?
 Cobit5 and NIST Cybersecurity Framework
 http://www.nist.gov/cyberframework/upload/cybersec
urity-framework-021214.pdf
 National Institute of Standards and Technology, U.S.
Department of Commerce (Not copyrightable in the
United States.)
15

13. Download NIST Assessment Tool
http://www.nist.gov/cyberframework/csf_
reference_tool.cfm
17

14. U Need to Use: NIST Framework for
Improving Critical Infrastructure
Cybersecurity; Annex A
18

15. Determine Alignment
to ISMS and CobiT or
ITGCC program
19

16. Cobit 5: Process Area Assessment
 APO12: Manage Risk, “Continually identify, assess and
reduce IT-related risk within levels of tolerance set by
enterprise executive management.”
 APO13: Manage Security, “Define, operate and
monitor a system for information security
management.”
 DSS05: Manage Security Services, “Protect enterprise
information to maintain the level of information
security risk acceptable to the enterprise in
accordance with the security policy. Establish and
maintain information security roles and access
privileges and perform security monitoring.”
20

17. Assessment (two) v. Audit (three)
 Security assessment is comprehensive review of
systems and applications performed by trained
security professionals (CISSP/ CCIE/ CCNA/ CISM)
 Security assessments normally include use of
testing tools and goes beyond automated scanning
 Involves thoughtful review of the threat
environment, current and future risk, and value
definition of the targeted environments
 The output of assessment is a report addressed to
management with recommendations in both
technical and non technical language
21

18. Auditing Security Assessment & Verification
 Compliance checks
 Internal and external
 Frequency of review
 Standard of due care
 Internal Audit typically performs assessment for
internal audience
 External Audits are performed for external investors
and as part of third party due diligence requirements
 Third Party review is emphasized to avoid “conflict of
interest”
22

19. Security Audit – Raising the right Bar
 Cloud Security Alliance Control Matrix – Cloud
Operational Security
 Controls Domain and Controls Matrix (98 Controls with
Mappings)
Value – architecture, portability and interoperability; physical,
network, compute, storage, applications, and data, differentiates
service provider versus tenants
 United States NIST Publication 200, NIST SP 800-54
rev4 – (mentioned earlier)
 PCI-DSS – The Payment Card Industry Data Standard
 Associated to credit card processing – however should be
true in general – 12 tenants
23

20. What are the “Related Metrics” from Manage Risk APO12
 Continually identify, assess
and reduce IT-related risk
within levels of tolerance
set by enterprise executive
management.
 Integrate the management
of IT-related enterprise risk
with overall ERM, and
balance the costs and
benefits of managing IT-
related enterprise risk.
 Related Metrics
 Degree of visibility and
recognition in the current
environment
 Number of loss events with
key characteristics captured
in repositories
 Percent of audits, events and
trends captured in
repositories
 Percent of key business
processes included in the risk
profile
 Completeness of attributes
and values in the risk profile
 Percent of risk management
proposals rejected due to
lack of consideration of other
related risk
 Number of significant
incidents not identified and
included in the risk
management portfolio
 Percent of IT risk action plans
executed as designed
 Number of measures not
reducing residual risk
*Align, Plan and Organize
24

21. What are the “Related Metrics” from Manage Security APO13
 Define, operate and
monitor a system for
information security
management.
 Keep the impact and
occurrence of
information security
incidents within the
enterprise’s risk appetite
levels.
 Related Metrics
 Number of key security
roles clearly defined
 Number of security
related incidents
 Level of stakeholder
satisfaction with the
security plan throughout
the enterprise
 Number of security
solutions deviating from
the plan
 Number of security
solutions deviating from
the enterprise
architecture
 Number of services with
confirmed alignment to
the security plan
 Number of security
incidents caused by non-
adherence to the
security plan Number of
solutions developed
with confirmed
alignment to the security
plan
*Align, Plan and Organize
25

22. What are the “Related Metrics” from Manage Security Services DSS05
 Protect enterprise
information to maintain
the level of information
security risk acceptable to
the enterprise in
accordance with the
security policy. Establish
and maintain information
security roles and access
privileges and perform
security monitoring.
 Minimize the business
impact of operational
information security
vulnerabilities and
incidents.
 Related Metrics
 Number of vulnerabilities
discovered
 Number of firewall
breaches
 Percent of individuals
receiving awareness
training relating to use of
endpoint devices
 Number of incidents
involving endpoint devices
 Number of unauthorized
devices detected on the
network or in the end-
user environment
 Average time between
change and update of
accounts
 Number of accounts (vs.
number of authorized
users/staff)
 Percent of periodic tests
of environmental security
devices
 Average rating for physical
security assessments
 Number of physical
security-related incidents
 Number of incidents
relating to unauthorized
access to information
* Deliver, Service and Support
26

23. Technical Security Testing (one)
Goal: assess risk by discovering flaws that
persist in systems and applications
 Technical testing is looking for security flaws, specifically impacts to
confidentiality, integrity or availability, ways to steal, alter or destroy
information
 Vulnerability Assessments are looking for weakness
 Penetration testing adds human factor
 Code review includes errors that make it susceptible, e.g. to buffer overflow,
SQL insertion, etc.
 Phishing is to see what users do when presented with typical malicious email
scenarios
 Password assessments evaluate password settings and practices, (sometimes as
a part of scanning)
27

24. Threat Vectors – Attack surface
 Methods attackers use to touch or exploit vulnerabilities
 A systems attack surface represents all of the ways in
which an attacker could attempt to introduce data to
exploit a vulnerability
 If you look at a list of vulnerabilities, you get too much
information, so we have to start by analyzing our network, our
data, evaluating our assets and their attack surface, then their
vulnerabilities to known threats
 One way to reduce risk is to minimize the attack vectors
 Once we know those vectors, we remediate prioritized threats
by reducing the likelihood of exploiting vulnerabilities
28

25. Shift in attack vectors:
Server Side v. Client Side Attacks
 Attacks against a listening service are called “Server-side
attacks”
 TCP server side attacks are initiated by an attacker (client)
 Client-side attacks work in reverse, where victim initiates
the traffic, usually by clicking on a link or email.
 We have to understand the environment from the
perspective of an adversary.
 We use threat modelling and ask “Who is the adversary
and what does the adversary want to accomplish?”
29

26. STRIDE – Microsoft Privacy Standard
(MPSD) in response to FIPS
 Spoofing v. Authentication
 Tampering v. Integrity
 Repudiation v. Non-Repudiation
 Information Disclosure v. Confidentiality
 Denial of Service v. Availability
 Elevation of Privilege v. Authorization
30

27. How they get us drives how we protect
against them
 External or internal actor is able to
perform host discovery
 Live systems can be discovered via
ARP, ICMP, TCP, UDP traffic, IPv6
neighbor discovery, Sniffing packets
and reviewing contents
Any person with administrative
privilege to network and systems can
perform these functions
Many general users can perform
some of these functions
Perform
reconnaissance
Network
enumeration
Port
scanning
Determine
version of OS
and services
Determine
vulnerable
service versions
Exploit
vulnerabilities
31

28. Attackers shouldn’t know our weaknesses
before we do – We should do something
about our weaknesses
 Vulnerability assessment determines weakness across our actual
attack surface or threat vectors
 Tools to run (OWASP) Nessus, Nexpose, OpenVas, Retina
 Once vulnerable systems are identified, procedures to perform
limited exploits can involve use of:
 The MetaSploit Framework (metasploit)
 Core Impact (coresecurity)
 Immunity Canvas (immunitysec.com)
 For Linux, Backtrack and Kali
34

29. What do you call a person who uses attack
tools without permission?
 inmate
 Penetration testing is a
process of HIRING or
assigning a whitehat to
penetrate an application,
system or network
Business Process,
Scope
Reconnaissance
Port scanning,
VA
Exploitation
Post Exploitation
35

30. Source Code Review – White Box (v.
Blackbox) Testing
 Cheaper and Safer to whitebox b/c the effort to “Fuzz” code from
blackbox has high probability of impacting systems, is expensive and
time consuming
 Code review discovers security vulnerabilities by inspecting the source
code of a target application.
 Certain C Functions are commonly associated to buffer overflow
“-get(), strcpy(),strcat()”
 Compilers usually include security checks, but they need to be run by
policy and results need to be understood.
 Compiled code review should be “blackbox”
36

31. Fuzzing is Blackbox – sends unexpected inputs
 Automated cramming, exploits poorly
constructed interface constraints
 Web Application Testing
 HTTP Interception Proxy
 Code Analysis
 Beyond the proxy, Dynamic web application
scanners code attempt to automate assess the
security of customer web apps
37

32. Questions?
 Reach out on LinkedIn and we can continue the dialogue.
 Good luck in your studies. Hope this was helpful.
39