Security Assessment – Concept Review with a hint of CISSP Exam Prep
Contribution to ISACA-SV, January 2016
Robin Basham, M.IT, M.Ed, CISA, CRISC, CGEIT, CISSP
http://www.enterprisegrc.com

Uploaded by enterprisegrc-solutions-inc, posted 14-Apr-2017

TRANSCRIPT


Which items are elements of security?


The Mission: Resilience
What are our critical assets?
Who is responsible for them?
Is everyone involved in cyber-resilience? Do they have the knowledge and autonomy to make good decisions?
Are we prepared for when there is a successful attack? Will there be a tried and tested process to follow, or will a cyber attack throw our organization into complete chaos?


Types of Security Assessment
Technical Security Testing (ONE)
Security Process Assessment (TWO)
Security Audit (THREE)


Audit Velocity Increases Maturity
Approach: Find a flaw, fix a flaw
Approach: Find a lot of flaws and keep a list
Approach: Align vulnerability metrics into a continual service improvement model


Root Cause Analysis
What is the root cause for any failure?
Example: metrics indicate 80% of malicious code infections are attributed to vulnerable versions of Java
What were the steps to create the finding?
What are the expectations as a result of this finding?
What is the measure of Security Program health?


Technical (one)
Looking for security weaknesses
Vulnerability Assessment
Network Penetration Testing
Web Application Penetration Testing
Source Code Analysis


Vulnerability Assessment
Scanning systems looking for a set of vulnerabilities (a list)
Looks for common and known vulnerabilities
Uses a scanning tool
Performed in house and by third party
Let's look at common and recommended scanning tools. Source is OWASP: Vulnerability Scanning Tools - OWASP


OWASP Listed Vulnerability Scanning Tools

| Name | Owner | Licence | Platforms |
|---|---|---|---|
| Acunetix WVS | Acunetix | Commercial / Free (Limited Capability) | Windows |
| AppScan | IBM | Commercial | Windows |
| AVDS | Beyond Security | Commercial / Free (Limited Capability) | N/A |
| BugBlast | Buguroo Offensive Security | Commercial | SaaS or On-Premises |
| Burp Suite | PortSwigger | Commercial / Free (Limited Capability) | Most platforms supported |
| Contrast | Contrast Security | Commercial / Free (Limited Capability) | SaaS or On-Premises |
| GamaScan | GamaSec | Commercial | Windows |
| Grabber | Romain Gaucher | Open Source | Python 2.4, BeautifulSoup and PyXML |
| Grendel-Scan | David Byrne | Open Source | Windows, Linux and Macintosh |
| GoLismero | GoLismero Team | GPLv2.0 | Windows, Linux and Macintosh |
| Hailstorm | Cenzic | Commercial | Windows |
| IKare | ITrust | Commercial | N/A |
| IndusGuard Web | Indusface | Commercial | SaaS |
| N-Stealth | N-Stalker | Commercial | Windows |
| Netsparker | Mavituna Security | Commercial | Windows |
| Nexpose | Rapid7 | Commercial / Free (Limited Capability) | Windows/Linux |
| Nikto | CIRT | Open Source | Unix/Linux |


OWASP Listed Vulnerability Scanning Tools (continued)

| Name | Owner | Licence | Platforms |
|---|---|---|---|
| AppSpider | Rapid7 | Commercial | Windows |
| ParosPro | MileSCAN | Commercial | Windows |
| Proxy.app | Websecurify | Commercial | Macintosh |
| QualysGuard | Qualys | Commercial | N/A |
| Retina | BeyondTrust | Commercial | Windows |
| Securus | Orvant, Inc | Commercial | N/A |
| Sentinel | WhiteHat Security | Commercial | N/A |
| Vega | Subgraph | Open Source | Windows, Linux and Macintosh |
| Wapiti | Informática Gesfor | Open Source | Windows, Unix/Linux and Macintosh |
| WebApp360 | TripWire | Commercial | Windows |
| WebInspect | HP | Commercial | Windows |
| SOATest | Parasoft | Commercial | Windows / Linux / Solaris |
| Trustkeeper Scanner | Trustwave SpiderLabs | Commercial | SaaS |
| WebReaver | Websecurify | Commercial | Macintosh |
| WebScanService | German Web Security | Commercial | N/A |
| Websecurify Suite | Websecurify | Commercial / Free (Limited Capability) | Windows, Linux, Macintosh |
| Wikto | Sensepost | Open Source | Windows |
| w3af | w3af.org | GPLv2.0 | Linux and Mac |
| Xenotix XSS Exploit Framework | OWASP | Open Source | Windows |
| Zed Attack Proxy | OWASP | Open Source | Windows, Unix/Linux and Macintosh |


What to do with a list of known vulnerabilities
Scanners provide a score of 1 to 5 (relative to what?)
CVSS, the Common Vulnerability Scoring System, is the method used to classify
OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation
OCTAVE defines three phases; it is criticized as complex and as not providing detailed quantitative analysis of security exposure.


Penetration Tests
Red Team Exercises or Ethical Hacking (Yes, I'm compelled to talk about blue team, but not yet.)
We know we have flaws - pen test seeks to exploit them
Simulates attacker (does not cause harm)
Output: Identification of susceptible assets (sites)
In short: As good as the people who perform them and as valuable as the reduced risk on the items that get remediated
A red team is an independent group that challenges an organization to improve its effectiveness. The United States intelligence community (military and civilian) has red teams that explore alternative futures and write articles as if they were foreign world leaders. (Red team - Wikipedia, the free encyclopedia)


Penetration Testing Operations Evaluation
War Dialing (looking for modems, especially ones plugged into older enterprise hardware)
Sniffing (Wireshark) - configuring a monitor port on a managed switch, or a network tap
Eavesdropping
Radiation monitoring
Dumpster diving
Social Engineering
http://www.lawtechnologytoday.org/2015/03/information-security-threat-social-engineering-and-the-human-element/
You typically insert a network tap inline between two nodes in a network, such as between your firewall and your first switch. $$$ Not typically in audit budget
Hi, I'm your friendly Pen Tester, Ralph


Security Process Review (two)
Looking for weaknesses and vulnerabilities
Technology
People
Process
How is this possible? What is missing?

Security Process
Process is more than policy, although we start with policy
What are two great frameworks for establishing necessary procedure and work product to show that the processes are effective?
COBIT 5 and the NIST Cybersecurity Framework
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
National Institute of Standards and Technology, U.S. Department of Commerce (Not copyrightable in the United States.)


U Need to Read
International Organization for Standardization, Risk management - Principles and guidelines, ISO 31000:2009, 2009. http://www.iso.org/iso/home/standards/iso31000.htm
International Organization for Standardization/International Electrotechnical Commission, Information technology - Security techniques - Information security risk management, ISO/IEC 27005:2011, 2011. http://www.iso.org/iso/catalogue_detail?csnumber=56742
Joint Task Force Transformation Initiative, Managing Information Security Risk: Organization, Mission, and Information System View, NIST Special Publication 800-39, March 2011. http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
U.S. Department of Energy, Electricity Subsector Cybersecurity Risk Management Process, DOE/OE-0003, May 2012. http://energy.gov/sites/prod/files/Cybersecurity%20Risk%20Management%20Process%20Guideline%20%20Final%20-%20May%202012.pdf


Download NIST Assessment Tool http://www.nist.gov/cyberframework/csf_reference_tool.cfm


U Need to Use: NIST Framework for Improving Critical Infrastructure Cybersecurity; Annex A


Determine Alignment to ISMS and COBIT or ITGCC program


COBIT 5: Process Area Assessment
APO12: Manage Risk. Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.
APO13: Manage Security. Define, operate and monitor a system for information security management.
DSS05: Manage Security Services. Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges and perform security monitoring.


Assessment (two) v. Audit (three)
Security assessment is a comprehensive review of systems and applications performed by trained security professionals (CISSP/ CCIE/ CCNA/ CISM)
Security assessments normally include use of testing tools and go beyond automated scanning
Involves thoughtful review of the threat environment, current and future risk, and value definition of the targeted environments
The output of assessment is a report addressed to management with recommendations in both technical and non-technical language


Auditing: Security Assessment & Verification
Compliance checks
Internal and external
Frequency of review
Standard of due care
Internal Audit typically performs assessment for internal audience
External Audits are performed for external investors and as part of third party due diligence requirements
Third Party review is emphasized to avoid conflict of interest


Security Audit: Raising the right Bar
Cloud Security Alliance Control Matrix - Cloud Operational Security
Controls Domain and Controls Matrix (98 Controls with Mappings)
Value: architecture, portability and interoperability; physical, network, compute, storage, applications, and data; differentiates service provider versus tenants
United States NIST Publication 200, NIST SP 800-54 rev4 (mentioned earlier)
PCI-DSS, The Payment Card Industry Data Security Standard
Associated with credit card processing; however, its 12 tenets should be true in general


STRIDE
Spoofing v. Authentication
Tampering v. Integrity
Repudiation v. Non-Repudiation
Information Disclosure v. Confidentiality
Denial of Service v. Availability
Elevation of Privilege v. Authorization

What are the Related Metrics from Manage Risk, APO12*
Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.
Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.
Related Metrics
Degree of visibility and recognition in the current environment
Number of loss events with key characteristics captured in repositories
Percent of audits, events and trends captured in repositories
Percent of key business processes included in the risk profile
Completeness of attributes and values in the risk profile
Percent of risk management proposals rejected due to lack of consideration of other related risk
Number of significant incidents not identified and included in the risk management portfolio
Percent of IT risk action plans executed as designed
Number of measures not reducing residual risk
*Align, Plan and Organize


Let's put on our Auditor hats. What can we use from COBIT 5 to assess the maturity of the security program in the context of the business and organization?
Process, Purpose, Metrics

What are the Related Metrics from Manage Security, APO13*
Define, operate and monitor a system for information security management.
Keep the impact and occurrence of information security incidents within the enterprise's risk appetite levels.
Related Metrics
Number of key security roles clearly defined
Number of security related incidents
Level of stakeholder satisfaction with the security plan throughout the enterprise
Number of security solutions deviating from the plan
Number of security solutions deviating from the enterprise architecture
Number of services with confirmed alignment to the security plan
Number of security incidents caused by non-adherence to the security plan
Number of solutions developed with confirmed alignment to the security plan
*Align, Plan and Organize


What are the Related Metrics from Manage Security Services, DSS05*
Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges and perform security monitoring.
Minimize the business impact of operational information security vulnerabilities and incidents.
Related Metrics
Number of vulnerabilities discovered
Number of firewall breaches
Percent of individuals receiving awareness training relating to use of endpoint devices
Number of incidents involving endpoint devices
Number of unauthorized devices detected on the network or in the end-user environment
Average time between change and update of accounts
Number of accounts (vs. number of authorized users/staff)
Percent of periodic tests of environmental security devices
Average rating for physical security assessments
Number of physical security-related incidents
Number of incidents relating to unauthorized access to information
*Deliver, Service and Support


Technical Security Testing (one)
Goal: assess risk by discovering flaws that persist in systems and applications

Technical testing is looking for security flaws, specifically impacts to confidentiality, integrity or availability: ways to steal, alter or destroy information
Vulnerability Assessments are looking for weakness
Penetration testing adds the human factor
Code review includes errors that make code susceptible, e.g. to buffer overflow, SQL injection, etc.
Phishing is to see what users do when presented with typical malicious email scenarios
Password assessments evaluate password settings and practices (sometimes as a part of scanning)

Threat Vectors / Attack Surface
Methods attackers use to touch or exploit vulnerabilities
A system's attack surface represents all of the ways in which an attacker could attempt to introduce data to exploit a vulnerability
If you look at a list of vulnerabilities, you get too much information, so we have to start by analyzing our network and our data, evaluating our assets and their attack surface, then their vulnerabilities to known threats
One way to reduce risk is to minimize the attack vectors
Once we know those vectors, we remediate prioritized threats by reducing the likelihood of exploiting vulnerabilities

Shift in attack vectors: Server Side v. Client Side Attacks
Attacks against a listening service are called server-side attacks
TCP server-side attacks are initiated by an attacker (the client)
Client-side attacks work in reverse: the victim initiates the traffic, usually by clicking on a link or email.
We have to understand the environment from the perspective of an adversary. We use threat modelling and ask: Who is the adversary, and what does the adversary want to accomplish?

STRIDE: Microsoft Privacy Standard (MPSD) in response to FIPS
Spoofing v. Authentication
Tampering v. Integrity
Repudiation v. Non-Repudiation
Information Disclosure v. Confidentiality
Denial of Service v. Availability
Elevation of Privilege v. Authorization


How they get us drives how we protect against them
An external or internal actor is able to perform host discovery
Live systems can be discovered via ARP, ICMP, TCP, UDP traffic, IPv6 neighbor discovery, and sniffing packets and reviewing contents
Any person with administrative privilege to network and systems can perform these functions
Many general users can perform some of these functions

Port Scanners
Open ports on systems are an attack surface
Port scanners evaluate all TCP / UDP ports (scans twice) to determine which are open (there are 65535 ports)
Nmap is a well-known open source port scanner
Question: Who should be allowed to run a port scanner?
What should happen when we detect a port scan is in progress?
How long should we take to respond to that information?
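One answer to "what should happen when we detect a port scan": a detection rule run over connection logs, shown here as an added example written for this page, not code from the presentation. The log format, the sample lines, and the threshold and window values are all assumptions; a real deployment tunes them to the environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PORT_THRESHOLD = 20   # distinct destination ports from one source before alerting
WINDOW_SECONDS = 60   # sliding window over which ports are counted

# Constructed sample firewall log (assumed format: "timestamp src dst dport proto action").
# 10.0.0.5 is a normal HTTPS client; 10.0.0.99 sweeps 30 ports in 30 seconds.
SAMPLE_LOG = "\n".join(
    ["2016-01-14T10:00:%02d 10.0.0.5 10.0.1.20 443 tcp ALLOW" % i for i in range(5)]
    + ["2016-01-14T10:01:%02d 10.0.0.99 10.0.1.20 %d tcp DENY" % (i, 20 + i) for i in range(30)]
)

def parse_line(line):
    """Parse one log line into a dict; returns None for malformed lines."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, src, dst, dport, proto, action = fields
    try:
        return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), "src": src,
                "dst": dst, "dport": int(dport), "proto": proto, "action": action}
    except ValueError:
        return None

def detect_port_scans(log_text, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Return [(src, dst, distinct_ports, first_seen, last_seen)] for probable scans."""
    events = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(list)   # (src, dst) -> events still inside the window
    alerted = set()
    alerts = []
    for e in events:
        key = (e["src"], e["dst"])
        cutoff = e["ts"] - timedelta(seconds=window)
        bucket = [x for x in recent[key] if x["ts"] >= cutoff] + [e]
        recent[key] = bucket
        ports = {x["dport"] for x in bucket}
        if len(ports) > threshold and key not in alerted:
            alerted.add(key)   # one alert per pair, so a long sweep does not flood the queue
            alerts.append((key[0], key[1], len(ports), bucket[0]["ts"], e["ts"]))
    return alerts

if __name__ == "__main__":
    for src, dst, n, first, last in detect_port_scans(SAMPLE_LOG):
        print("probable port scan: %s -> %s, %d ports between %s and %s" % (src, dst, n, first, last))
```

The alert fires at the 21st distinct port, which gives the response-time question on the slide a measurable starting point: the gap between `first_seen` and the moment someone acts.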


It's just a port; how much damage could be done?

Hacker scans to find vulnerabilities to target: ports, services, versions
Hacker injects a virus or Trojan
Infected machines further scan and infect (worm), spreading from the internal network (bypassing the DMZ)
Hacker issues commands to infected hosts, able to send spam, effect DDoS (distributed denial of service)
Intrusion Prevention Systems (IPS), IDS, NIDS, NIPS architecture could have prevented all this
https://www.cityu.edu.hk/csc/netcomp/dec2006-5p.htm

Attackers shouldn't know our weaknesses before we do. We should do something about our weaknesses.
Vulnerability assessment determines weakness across our actual attack surface or threat vectors
Tools to run (OWASP): Nessus, Nexpose, OpenVAS, Retina
Once vulnerable systems are identified, procedures to perform limited exploits can involve use of:
The Metasploit Framework (metasploit)
Core Impact (coresecurity)
Immunity Canvas (immunitysec.com)
For Linux, BackTrack and Kali

What do you call a person who uses attack tools without permission? Inmate.

Penetration testing is a process of HIRING or assigning a white hat to penetrate an application, system or network


Source Code Review: White Box (v. Black Box) Testing
Cheaper and safer to white box, because the effort to fuzz code from black box has a high probability of impacting systems, is expensive and time consuming
Code review discovers security vulnerabilities by inspecting the source code of a target application.
Certain C functions are commonly associated with buffer overflow: gets(), strcpy(), strcat()
Compilers usually include security checks, but they need to be run by policy and results need to be understood.
Compiled code review should be black box
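A first pass of the white-box review described above can be automated: the helper below flags the C calls the slide associates with buffer overflow, while ignoring mentions inside comments and string literals so the reviewer is not chasing false positives. It is an added example for this page, not code from the presentation; the sample C input is constructed, and the inclusion of sprintf and the suggested replacements are assumptions (a real coding standard and a real static analyzer go further).

```python
import re

# Function -> reviewer hint. Bounded variants are only safer when the bound is right.
RISKY_CALLS = {
    "gets": "unbounded read; use fgets(buf, sizeof buf, stdin)",
    "strcpy": "no length check; use strncpy/strlcpy with the destination size",
    "strcat": "no length check; use strncat/strlcat with the remaining space",
    "sprintf": "no length check; use snprintf with the destination size",
}

# Constructed sample input: three real findings plus decoys that must not be reported.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>
/* strcpy mentioned in a comment should not be reported */
int greet(char *name) {
    char buf[32];
    strcpy(buf, name);               /* finding */
    strcat(buf, "!");                /* finding */
    printf("never call gets(), strcpy() blindly\n"); /* string literal: not a finding */
    gets(buf);                       /* finding */
    my_strcpy(buf, name);            /* different identifier: not a finding */
    return 0;
}
'''

CALL_RE = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(")

def strip_noise(source):
    """Blank out comments and string literals, keeping newlines so line numbers hold."""
    pattern = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', re.DOTALL)
    return pattern.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), source)

def find_risky_calls(source):
    """Return [(line_number, function, hint)] for risky calls in C source text."""
    findings = []
    for lineno, line in enumerate(strip_noise(source).splitlines(), start=1):
        for match in CALL_RE.finditer(line):
            name = match.group(1)
            findings.append((lineno, name, RISKY_CALLS[name]))
    return findings

if __name__ == "__main__":
    for lineno, name, hint in find_risky_calls(SAMPLE_C):
        print("line %d: %s() - %s" % (lineno, name, hint))
```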

Fuzzing is black box: sends unexpected inputs
Automated cramming; exploits poorly constructed interface constraints
Web Application Testing
HTTP Interception Proxy
Code Analysis
Beyond the proxy, dynamic web application scanners attempt to automate assessing the security of customer web apps

Federal Information Processing Standards (FIPS) Publications
FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
FIPS 201-2 Personal Identity Verification (PIV) of Federal Employees and Contractors
FIPS 200 Minimum Security Requirements for Federal Information and Information Systems
FIPS 199 Standards for Security Categorization of Federal Information and Information Systems
FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC)
FIPS 197 Advanced Encryption Standard (AES)
FIPS 186-4 Digital Signature Standard (DSS)
FIPS 180-4 Secure Hash Standard (SHS)
FIPS 140-2 Security Requirements for Cryptographic Modules

Standards issued by NIST after approval by the Secretary of Commerce pursuant to the Federal Information Security Management Act (FISMA).
http://csrc.nist.gov/publications/PubsFIPS.html

Questions?
Reach out on LinkedIn and we can continue the dialogue.

Good luck in your studies. Hope this was helpful.