UNIT VI
Information Security Performance Metrics
LESSON PLAN
Outcomes
To be competent, you must be able to:
PC7. analyze information security performance metrics to highlight variances and issues for action by appropriate people
PC3. carry out security assessment of information security systems using automated tools
PC9. update your organization's knowledge base promptly and accurately with information security issues and their resolution
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
You need to know and understand:
KA1. your organization's policies, procedures, standards and guidelines for managing information security
KA2. your organization's knowledge base and how to access and update this
KA10. how to access and analyze information security performance metrics
KA12. your organization's information security systems and tools and how to access and maintain these
Performance Measures
Project charter, Architecture (charts), Project plan, Poster presentation and execution plan.
Creation of templates (KA13).
Ensuring Work Environment Requirement
Lab: PCs/Tablets/Laptops; Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Networking Equipment - Routers & Switches; Firewalls and Access Points; Access to all security sites like ISO, PCI DSS; Commercial Tools like HP WebInspect and IBM AppScan etc.; Open Source tools like sqlmap, Nessus etc.
Lesson 6.1 Introduction to Security Metrics (Edited)
In the face of regular, high-profile news reports of serious security breaches, as well as
intense scrutiny of institutional costs, security managers are more than ever being held accountable
for demonstrating effectiveness of their security programs. What means should managers be using
to meet this challenge? Key among these should be security metrics.
It helps to understand what metrics are by drawing a distinction between metrics and
measurements. Measurements provide single-point-in-time views of specific, discrete factors, while
metrics are derived by comparing to a predetermined baseline of two or more measurements taken
over time. Measurements are generated by counting; metrics are generated from analysis. In other
words, measurements are objective raw data and metrics are either objective or subjective human
interpretations of those data.
Good metrics are those that are SMART, i.e. specific, measurable, attainable, repeatable,
and time-dependent. Truly useful metrics indicate the degree to which security goals, such as data
confidentiality, are being met, and they drive actions taken to improve an organization's overall
security program. Distinguishing metrics meaningful primarily to those with direct responsibility for
security management from those that speak directly to executive management interests and issues is
critical to the development of an effective security metrics program.
While there are multiple ways to categorize metrics, guidance from the National Institute for
Standards and Technology (NIST) does this in a way that is more helpful than simply providing tag
names for metric groupings. The Performance Measurement Guide for Information Security (NIST SP
800-55 Revision 1) divides security metrics into three categories and links each to levels of security
program maturity.
The categories are:
o Implementation metrics: used to show progress in implementing policies and procedures and individual security controls.
o Effectiveness/efficiency metrics: used to monitor results of security control implementation for a single control or across multiple controls.
o Impact metrics: used to convey the impact of the information security program on the institution's mission, often through quantifying cost avoidance or risk reduction produced by the overall security program.
As mentioned earlier, truly useful metrics indicate the degree to which security goals are
being met and they drive actions taken to improve an organization's overall security program. Before
expending resources producing metrics in any of these three categories, it is essential that goals and
objectives of the security program be articulated.
A sample list of metrics is given below. These metrics cover the following business functions:
Application Security
o Number of Applications
o Percentage of Critical Applications
o Risk Assessment Coverage
o Security Testing Coverage
Configuration Change Management
o Mean-Time to Complete Changes
o Percent of Changes with Security Review
o Percent of Changes with Security Exceptions
Financial
o Information Security Budget as % of IT Budget
o Information Security Budget Allocation
Incident Management
o Mean-Time to Incident Discovery
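The following is an added example, not part of the original lesson, showing how several of the metrics listed above are derived from raw measurements and then compared with a baseline to highlight variances (the record layouts, tolerance, sample values and baseline are constructed assumptions):

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List


@dataclass
class Incident:
    ident: str
    occurred: datetime    # when the incident actually began
    discovered: datetime  # when the organization detected it


@dataclass
class Change:
    ident: str
    security_reviewed: bool
    security_exception: bool


@dataclass
class Application:
    name: str
    critical: bool
    risk_assessed: bool
    security_tested: bool


def percent(numerator: int, denominator: int) -> float:
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def mean_time_to_incident_discovery_hours(incidents: List[Incident]) -> float:
    """Incident Management: Mean-Time to Incident Discovery, in hours."""
    if not incidents:
        return 0.0
    hours = [(i.discovered - i.occurred).total_seconds() / 3600 for i in incidents]
    return round(mean(hours), 2)


def measure_period(incidents, changes, apps) -> Dict[str, float]:
    """Turn one period's raw counts (measurements) into the named metrics."""
    return {
        "number_of_applications": len(apps),
        "pct_critical_applications": percent(sum(a.critical for a in apps), len(apps)),
        "risk_assessment_coverage": percent(sum(a.risk_assessed for a in apps), len(apps)),
        "security_testing_coverage": percent(sum(a.security_tested for a in apps), len(apps)),
        "pct_changes_with_security_review": percent(sum(c.security_reviewed for c in changes), len(changes)),
        "pct_changes_with_security_exception": percent(sum(c.security_exception for c in changes), len(changes)),
        "mean_time_to_incident_discovery_hours": mean_time_to_incident_discovery_hours(incidents),
    }


# Direction in which each metric is "good"; movement the other way is a variance.
HIGHER_IS_BETTER = {
    "risk_assessment_coverage": True,
    "security_testing_coverage": True,
    "pct_changes_with_security_review": True,
    "pct_changes_with_security_exception": False,
    "mean_time_to_incident_discovery_hours": False,
}


def variances(current, baseline, tolerance=5.0):
    """A measurement only becomes a metric when it is compared with a baseline
    over time. Returns {metric: (baseline, current)} for every metric that moved
    in the wrong direction by more than `tolerance` (in the metric's own units)."""
    flagged = {}
    for name, higher_is_better in HIGHER_IS_BETTER.items():
        if name not in current or name not in baseline:
            continue
        delta = current[name] - baseline[name]
        worse = delta < -tolerance if higher_is_better else delta > tolerance
        if worse:
            flagged[name] = (baseline[name], current[name])
    return flagged


def demo():
    """Constructed sample records for one reporting period (not real data)."""
    t = datetime(2024, 3, 1, 9, 0)
    incidents = [
        Incident("INC-1", t, datetime(2024, 3, 1, 11, 0)),  # 2 h to discovery
        Incident("INC-2", t, datetime(2024, 3, 1, 19, 0)),  # 10 h
        Incident("INC-3", t, datetime(2024, 3, 2, 21, 0)),  # 36 h
    ]
    changes = [Change(f"CHG-{n}", reviewed, exc) for n, reviewed, exc in
               [(1, True, False), (2, True, False), (3, True, True), (4, True, False), (5, False, False)]]
    apps = [Application("payroll", True, True, True), Application("crm", True, True, False),
            Application("wiki", False, True, True), Application("intranet", False, False, False)]
    current = measure_period(incidents, changes, apps)
    # Baseline agreed at the start of the programme (constructed values).
    baseline = {"risk_assessment_coverage": 85.0, "security_testing_coverage": 50.0,
                "pct_changes_with_security_review": 90.0, "pct_changes_with_security_exception": 10.0,
                "mean_time_to_incident_discovery_hours": 8.0}
    return current, variances(current, baseline)


if __name__ == "__main__":
    for name, (was, now) in demo()[1].items():
        print(f"{name}: baseline {was} -> now {now}")
```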
This seven-step methodology should yield a firm understanding of the purpose of the
security metrics program, its specific deliverables, and how, by whom, and when these
deliverables will be provided. The steps are briefly described below, and outcome
examples, where appropriate, are provided.
Provide metrics that clearly and simply communicate how efficiently and effectively our company is
balancing security risks and preventive measures, so that investments in our security program can be
appropriately sized and targeted to meet our overall security objectives.
Statements of objective should indicate high-level actions that must be collectively accomplished to
meet the goal(s). An action plan should be directly derivable from these statements. A few
objectives for the goal above, for example, might be:
a) To base the security metrics program on process improvement best practices within
our company.
b) To leverage any relevant measurements currently being collected.
c) To communicate metrics in formats custom-tailored to various audiences.
d) To involve stakeholders in determining what metrics to produce.
TOP-DOWN APPROACH
a. Define/list objectives of the overall security program
The bottom-up approach entails first defining which security processes, products, services, etc. are
in place that can be or already are measured, then considering which meaningful metrics could be
derived from those measurements, and finally assessing how well those metrics link to objectives for
the overall security program. To illustrate:
BOTTOM-UP APPROACH
a. Identify measurements that are/could be collected for this process
The top-down approach will more readily identify the metrics that should be in place given the
objectives of the overall security program, while the bottom-up approach yields the most easily
obtainable metrics. Both approaches assume that overall security program objectives have already
been established. If they have not been, defining these high-level objectives is obviously important
and a prerequisite.
Step 3: Develop Strategies for Generating the Metrics
Now that what is to be measured is well understood, strategies for collecting needed
data and deriving the metrics must be developed. These strategies should specify the source of the
data, the frequency of data collection, and who is responsible for raw data accuracy, data
compilation into measurements, and generation of the metric.
Although a formal risk assessment is one method for collecting some of the data that might
be needed, experts disagree on its value for generating metrics. One line of thought is that
quantitative risk assessment provides close enough metrics [14], while another is that risk
assessments are not standardized and are too subjective and speculative to provide good
comparative metrics over time [15]. There are, however, other suggested sources of data, such as help
desk logs, system logs, firewall logs, audit reports, and user surveys.
Early on there were few automated tools available to make data collection, analysis, and
reporting cost-effective, but in recent years products have been introduced into the marketplace to
make these activities more viable.
Conclusion
The task of developing a security metrics program may seem daunting to some, but it
need not be. The seven-step methodology can guide development of very simple metrics programs,
as well as highly ambitious ones. In fact, some individuals with experience in security metrics
recommend that simple starts be made. They advise managers to do what is easy, cheap, fast, and
leverage existing measures and metrics. The important thing to keep in mind is that the metrics
generated should be useful enough to drive improvement in the overall security program and to
help prove the value of that program to the organization as a whole.
Summary
Good security metrics are those that are SMART, i.e. specific, measurable, attainable, repeatable and time-dependent.
The Performance Measurement Guide for Information Security (NIST SP 800-55 Revision 1) divides security metrics into three categories and links each to levels of security program maturity, namely Implementation, Effectiveness/Efficiency and Impact.
Security metrics are also classified into three distinct categories:
o Strategic security metrics, which are measures concerning the information security elements of high-level business goals, objectives and strategies
o Security management metrics: there are numerous facets to managing information security risks that could be measured, hence many possible metrics
o Operational security metrics, which are at the lowest level of analysis; most information security controls, systems and processes need to be measured in order to operate and control them
Using security metrics involves data acquisition, and the latter may be automated or manually collected.
The frequency of reports depends on organizational norms, the volume and gravity of information available, and management requirements. Regular reporting periods may vary from daily or weekly to monthly, quarterly, six-monthly or annual.
The following questions should be asked while designing information security measurement systems:
o What are we going to measure?
o How will we measure things?
o How will we report?
o How should we implement our reporting system?
o How to set targets?
Practical activities:
Activity 1:
Q. State TRUE or FALSE as to which of the following accurately describe some of the misconceptions regarding metrics.
Metrics provide single-point-in-time views of specific, discrete factors, while measurements are derived by comparing to a predetermined baseline of two or more measurements taken over time. ( )
Metrics efforts are finite, while in reality a measurement programme is aimed at continual improvement and long-term benefits. ( )
Measurement can be automated easily/rapidly; attempting to automate metrics that have not yet been thoroughly tested and proven to be effective can be ultimately counterproductive. ( )
Q. Which type of security metrics is used to monitor results of security control implementation for a
single control or across multiple controls?
_______________________________________________________
Q. The reporting/updating of which of the following types of security metrics is carried out monthly
or quarterly:
a) Strategic security metrics
b) Security management metrics
c) Operational security metrics
NOTES:
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
UNIT VII
Risk Assessment
LESSON PLAN
Outcomes
You must know and understand:
KA6. how to carry out information security assessments
KA13. standard tools and templates available and how to use these
KB4. how to identify and resolve information security vulnerabilities and issues
Performance Measures
Peer review with faculty with appropriate feedback (KA6, KA7, KA8).
Creation of templates based on the learnings (KA13).
Going through the security standards over the Internet by visiting sites like ISO, PCI DSS etc., and understanding various methodologies and usage of algorithms (KB1, KB4).
Project charter, Architecture (charts), Project plan, Poster presentation and execution plan.
Ensuring Work Environment Requirement
Lab: PCs/Tablets/Laptops; Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Access to all security sites like ISO, PCI DSS, Center for Internet Security
Lesson 7.1 Risk Overview (Edited)
A security risk is any event that could result in the compromise of organizational assets. The
unauthorized use, loss, damage, disclosure or modification of organizational assets for the profit,
personal interest or political interests of individuals, groups or other entities constitutes a
compromise of the asset, and this includes the risk of harm to people. Compromise of organizational
assets may adversely affect the enterprise, its business units and their clients.
As reliance on computer systems and electronic data has grown, information security risk has joined the array of risks that governments and businesses must manage. Regardless of the types of risk being considered, all risk assessments generally include the following elements:
o Identifying threats that could harm and, thus, adversely affect critical operations and assets. Threats include such things as intruders, criminals, disgruntled employees, terrorists, and natural disasters.
o Estimating the likelihood that such threats will materialize based on historical information and judgment of knowledgeable individuals.
o Identifying and ranking the value, sensitivity, and criticality of the operations and assets that could be affected should a threat materialize, in order to determine which operations and assets are the most important.
o Estimating, for the most critical and sensitive assets and operations, the potential losses or damage that could occur if a threat materializes, including recovery costs.
o Identifying cost-effective actions to mitigate or reduce the risk. These actions can include implementing new organizational policies and procedures as well as technical or physical controls.
o Documenting the results and developing an action plan.
There are various models and methods for assessing risk, and the extent of an analysis and the resources expended can vary depending on the scope of the assessment and the availability of reliable data on risk factors. In addition, the availability of data can affect the extent to which risk assessment results can be reliably quantified.
A quantitative approach generally estimates the monetary cost of risk and risk reduction techniques based on
(1) the likelihood that a damaging event will occur,
(2) the costs of potential losses, and
(3) the costs of mitigating actions that could be taken.
When reliable data on likelihood and costs are not available, a qualitative approach can be taken by defining risk in more subjective and general terms such as high, medium, and low. In this regard, qualitative assessments depend more on the expertise, experience, and judgment of those conducting the assessment. It is also possible to use a combination of quantitative and qualitative methods.
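As an added illustration (not from the original lesson), the quantitative approach above can be carried through as likelihood times cost, with the mitigation cost netted off, and the qualitative high/medium/low approach used as the fallback when those figures are missing; the risk figures, the 3x3 rating matrix and the monetary thresholds are constructed assumptions:

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

LEVELS = ("low", "medium", "high")


@dataclass
class Risk:
    name: str
    # Quantitative inputs, matching items (1)-(3) in the text
    annual_likelihood: Optional[float] = None     # (1) probability the event occurs in a year
    loss_cost: Optional[float] = None             # (2) cost of the potential loss, incl. recovery
    mitigation_cost: Optional[float] = None       # (3) yearly cost of the mitigating action
    mitigated_likelihood: Optional[float] = None  # likelihood once the mitigation is in place
    # Qualitative inputs, used when reliable figures are not available
    likelihood_rating: Optional[str] = None
    impact_rating: Optional[str] = None


def annual_expected_loss(likelihood: float, cost: float) -> float:
    """Monetary risk estimate: likelihood of the event times the cost of the loss."""
    return likelihood * cost


def quantitative(risk: Risk) -> Optional[Tuple[float, float, float]]:
    """(expected loss before mitigation, after mitigation, net yearly benefit of
    mitigating), or None when any of the needed figures is missing."""
    needed = (risk.annual_likelihood, risk.loss_cost,
              risk.mitigation_cost, risk.mitigated_likelihood)
    if any(v is None for v in needed):
        return None
    before = annual_expected_loss(risk.annual_likelihood, risk.loss_cost)
    after = annual_expected_loss(risk.mitigated_likelihood, risk.loss_cost)
    return before, after, before - after - risk.mitigation_cost


def qualitative(risk: Risk) -> Optional[str]:
    """Combine high/medium/low likelihood and impact with a simple 3x3 matrix
    (assumed here; organizations define their own)."""
    if risk.likelihood_rating not in LEVELS or risk.impact_rating not in LEVELS:
        return None
    score = LEVELS.index(risk.likelihood_rating) + LEVELS.index(risk.impact_rating)
    return ("low", "low", "medium", "high", "high")[score]


def level_from_expected_loss(expected_loss: float, medium_at=10_000.0, high_at=100_000.0) -> str:
    """Map a monetary estimate onto the same three levels (thresholds assumed)."""
    if expected_loss >= high_at:
        return "high"
    return "medium" if expected_loss >= medium_at else "low"


def assess(risk: Risk) -> Dict[str, object]:
    """Quantitative when the data supports it, otherwise qualitative, so that
    risks assessed either way end up on one comparable scale."""
    q = quantitative(risk)
    if q is not None:
        before, after, net = q
        return {"name": risk.name, "method": "quantitative",
                "expected_loss": before, "expected_loss_after": after,
                "net_benefit": net, "mitigate": net > 0,
                "level": level_from_expected_loss(before)}
    level = qualitative(risk)
    if level is None:
        return {"name": risk.name, "method": "insufficient data"}
    return {"name": risk.name, "method": "qualitative", "level": level}


def demo():
    """Constructed risks for illustration only."""
    risks = [
        Risk("ransomware on file server", annual_likelihood=0.2, loss_cost=250_000.0,
             mitigation_cost=20_000.0, mitigated_likelihood=0.05),
        Risk("insider leak of client list", likelihood_rating="medium", impact_rating="high"),
        Risk("undocumented legacy integration"),
    ]
    return [assess(r) for r in risks]


if __name__ == "__main__":
    for result in demo():
        print(result)
```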
Risk identification needs to match the type of assessment required to support risk informed
decision making. For an acquisition program, the first step is to identify the program goals and
objectives, thus fostering a common understanding across the team of what is needed for program
success. This gives context and bounds the scope by which risks are identified and assessed.
There are multiple sources of risk. For risk identification, the project team should review the
program scope, cost estimates, schedule (to include evaluation of the critical path), technical
maturity, key performance parameters, performance challenges, stakeholder expectations vs.
current plan, external and internal dependencies, implementation challenges, integration,
interoperability, supportability, supply-chain vulnerabilities, ability to handle threats, cost deviations,
test event expectations, safety, security, and more. In addition, historical data from similar projects,
stakeholder interviews, and risk lists provide valuable insight into areas for consideration of risk.
Risk identification is an iterative process. As the program progresses, more information will
be gained about the program (e.g., specific design), and the risk statement will be adjusted to reflect
the current understanding. New risks will be identified as the project progresses through the life
cycle.
Risk Evaluation
The risk evaluation process receives as input the output of the risk analysis process. It compares each risk
level against the risk acceptance criteria and prioritises the risk list with risk treatment indications.
Risk reduction
Taking the mitigation steps necessary to reduce the overall risk to an asset. Often this will
include selecting countermeasures that will either reduce the likelihood of occurrence or reduce
the severity of loss, or achieve both objectives at the same time. Countermeasures can include
technical or operational controls or changes to the physical environment. For example, the risk
of computer viruses can be mitigated by acquiring and implementing antivirus software. When
evaluating the strength of a control, consideration should be given to whether the controls are
preventative or detective. The remaining level of risk after the controls/countermeasures have
been applied is often referred to as residual risk. An organization may choose to undergo a
further cycle of risk treatment to address this.
Risk sharing/transference
The organization shares its risk with third parties through insurance and/or service providers.
Insurance is a post-event compensatory mechanism used to reduce the burden of loss if the
event were to occur. Transference is the shifting of risk from one party to another. For example,
when hard-copy documents are moved offsite for storage at a secure-storage vendor location,
the responsibility and costs associated with protecting the data transfers to the service
provider. The cost of storage may include compensation (insurance) if documents are damaged,
lost, or stolen.
Risk avoidance
The practice of eliminating the risk by withdrawing from or not becoming involved in the activity
that allows the risk to be realized. For example, an organization decides to discontinue a
business process in order to avoid a situation that exposes the organization to risk.
Risk acceptance
An organization decides to accept a particular risk because it falls within its risk-tolerance
parameters and therefore agrees to accept the cost when it occurs. Risk acceptance is a viable
strategy where the cost of insuring against the risk would be greater over time than the total
losses sustained. All risks that are not avoided or transferred are accepted by default.
Risk management is carried out as a holistic, organization-wide activity that addresses risk from the
strategic level to the tactical level, ensuring that risk-based decision making is integrated into every
aspect of the organization. The following sections briefly describe each of the four risk management
components. The first component of risk management addresses how organizations frame risk or
establish a risk context, that is, describing the environment in which risk-based decisions are made.
The purpose of the risk framing component is to produce a risk management strategy that addresses
how organizations intend to assess risk, respond to risk, and monitor risk, making explicit and
transparent the risk perceptions that organizations routinely use in making both investment and
operational decisions. The risk frame establishes a foundation for managing risk and delineates the
boundaries for risk-based decisions within organizations.
Establishing a realistic and credible risk frame requires that organizations identify:
o risk constraints (e.g., constraints on the risk assessment, response, and monitoring alternatives under consideration);
o risk tolerance (e.g., levels of risk, types of risk, and degree of risk uncertainty that are acceptable); and
The risk framing component and the associated risk management strategy also include any
strategic-level decisions on how risk to organizational operations and assets, individuals, other
organizations, and the Nation, is to be managed by senior leaders/executives.
The second component of risk management addresses how organizations assess risk within the context of the organizational risk frame. The purpose of the risk assessment component is to identify:
o the harm (i.e., consequences/impact) to organizations that may occur given the potential for threats exploiting vulnerabilities; and
o the likelihood that harm will occur.
The end result is a determination of risk (i.e., the degree of harm and likelihood of harm occurring).
o the tools, techniques, and methodologies that are used to assess risk;
o the assumptions related to risk assessments;
o the constraints that may affect risk assessments;
o roles and responsibilities;
o how risk assessment information is collected, processed, and communicated throughout organizations;
The third component of risk management addresses how organizations respond to risk once that risk
is determined based on the results of risk assessments.
The purpose of the risk response component is to provide a consistent, organization-wide, response
to risk in accordance with the organizational risk frame by:
determining appropriate courses of action consistent with organizational risk tolerance; and
implementing risk responses based on selected courses of action.
To support the risk response component, organizations describe the types of risk responses that can
be implemented (i.e., accepting, avoiding, mitigating, sharing, or transferring risk).
Organizations also identify the tools, techniques, and methodologies used to develop courses of
action for responding to risk, how courses of action are evaluated, and how risk responses are
communicated across organizations and as appropriate, to external entities (e.g., external service
providers, supply chain partners).
The fourth component of risk management addresses how organizations monitor risk over time. The
purpose of the risk monitoring component is to:
verify that planned risk response measures are implemented and information security
requirements derived from/traceable to organizational missions/business functions, federal
legislation, directives, regulations, policies, and standards, and guidelines, are satisfied;
To support the risk monitoring component, organizations describe how compliance is verified and
how the ongoing effectiveness of risk responses is determined (e.g., the types of tools, techniques,
and methodologies used to determine the sufficiency/correctness of risk responses and if risk
Organizations employ risk monitoring tools, techniques, and procedures to increase risk awareness,
helping senior leaders/executives develop a better understanding of the ongoing risk to
organizational operations and assets, individuals, other organizations, and the Nation. Organizations
can implement risk monitoring at any of the risk management tiers with different objectives and
utility of information produced. For example, Tier 1 monitoring activities might include ongoing
threat assessments and how changes in the threat space may affect Tier 2 and Tier 3 activities,
including enterprise architectures (with embedded information security architectures) and
organizational information systems. Tier 2 monitoring activities might include, for example, analyses
of new or current technologies either in use or considered for future use by organizations to identify
exploitable weaknesses and/or deficiencies in those technologies that may affect mission/business
success. Tier 3 monitoring activities focus on information systems and might include, for example,
automated monitoring of standard configuration settings for information technology products,
vulnerability scanning, and ongoing assessments of security controls. In addition to deciding on
appropriate monitoring activities across the risk management tiers, organizations also decide how
monitoring is to be conducted (e.g., automated or manual approaches) and the frequency of
monitoring activities based on, for example, the frequency with which deployed security controls
change, critical items on plans of action and milestones, and risk tolerance.
Summary
Definition of Risk: A probability or threat of damage, injury, liability, loss, or any other
negative occurrence that is caused by external or internal vulnerabilities, and that may be
avoided through pre-emptive action.
A quantitative approach generally estimates the monetary cost of risk and risk reduction techniques based on
o the likelihood that a damaging event will occur,
o the costs of potential losses, and
o the costs of mitigating actions that could be taken.
Risk identification is an iterative process.
Risk analysis, which is a tool for risk management, is a method of identifying vulnerabilities
and threats, and assessing the possible damage to determine where to implement security
safeguards.
The risk evaluation process receives as input the output of risk analysis process.
Risk treatment efforts should be undertaken to mitigate identified risks, using appropriate
administrative, technical and physical controls.
Risk management is carried out as a holistic, organization wide activity that addresses risk
from the strategic level to the tactical level, ensuring that risk based decision making is
integrated into every aspect of the organization.
Analysing monitoring results gives organizations the capability to maintain awareness of the
risk being incurred, highlight the need to revisit other steps in the risk management process,
and initiate process improvement activities as needed.
Practical activities:
Activity 1:
Research various risks for their institute in the area of information security. Prepare a
process report highlighting your approach towards identifying risk, recording, monitoring,
analysing and treating risk. The approach should be shared with the faculty and the report
should be submitted for evaluation.
Q. Analyse and state the differences between risk analysis and risk evaluation in two lines.
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Q. Suggest one of the appropriate measures that can curb the problem of residual risk.
__________________________________________________________________________________
__________________________________________________________________________________
Q. Complete the following requirements that an organization needs to identify in order to build a
realistic and credible risk frame
a) risk constraints
b) ________________
c) risk tolerance
d) ________________
NOTES:
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
UNIT VIII
Configuration Review
LESSON PLAN
Outcomes
To be competent, you must be able to:
PC4. carry out configuration reviews of information security systems using automated tools, where required
Performance Measures
Ensuring Work Environment Requirement
Lab: PCs/Tablets/Laptops; Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Networking Equipment - Routers & Switches; Firewalls and Access Points; Access to all security sites like ISO, PCI DSS, Center for Internet Security; Commercial Tools like HP WebInspect and IBM AppScan etc.; Open Source tools like sqlmap, Nessus etc.
Lesson 8.1 Configuration Management (As it is)
An information system is typically in a constant state of change in response to new, enhanced,
corrected, or updated hardware and software capabilities, patches for correcting software flaws and
other errors to existing components, new security threats, changing business functions, etc.
Implementing information system changes almost always results in some adjustment to the system
configuration. To ensure that the required adjustments to the system configuration do not adversely
affect the security of the information system or the organization from operation of the information
system, a well-defined configuration management process that integrates information security is
needed.
Organizations apply configuration management (CM) for establishing baselines and for tracking,
controlling, and managing many aspects of business development and operation (e.g., products,
services, manufacturing, business processes, and information technology). Organizations with a
robust and effective CM process need to consider information security implications with respect to
the development and operation of information systems including hardware, software, applications,
and documentation. Effective CM of information systems requires the integration of the
management of secure configurations into the organizational CM process or processes. For this
reason, this document assumes that information security is an integral part of an organization's
overall CM process; however, the focus of this document is on implementation of the information
system security aspects of CM, and as such the term security-focused configuration management
(SecCM) is used to emphasize the concentration on information security. Though both IT business
application functions and security-focused practices are expected to be integrated as a single
process, SecCM in this context is defined as the management and control of configurations for
information systems to enable security and facilitate the management of information security risk.
Configuration Management (CM) comprises a collection of activities focused on establishing and
maintaining the integrity of products and systems, through control of the processes for initializing,
changing, and monitoring the configurations of those products and systems.
A Configuration Item (CI) is an identifiable part of a system (e.g., hardware, software, firmware,
documentation, or a combination thereof) that is a discrete target of configuration control processes.
A Baseline Configuration is a set of specifications for a system, or CI within a system, that has been
formally reviewed and agreed on at a given point in time, and which can be changed only through
change control procedures. The baseline configuration is used as a basis for future builds, releases,
and/or changes.
The basic parts of a CM Plan include:
Configuration Control Board (CCB): establishment of and charter for a group of qualified people
with responsibility for the process of controlling and approving changes throughout the
development and operational lifecycle of products and systems; may also be referred to as a change
control board;
Configuration Item Identification: methodology for selecting and naming configuration items that
need to be placed under CM.
The activities of SecCM include:
identification and recording of configurations that impact the security posture of the
information system and the organization;
the consideration of security risks in approving the initial configuration;
the analysis of security implications of changes to the information system configuration; and
documentation of the approved/implemented changes.
SecCM requires an ongoing investment in time and resources. Product patches, fixes, and updates
require time for security impact analysis even as threats and vulnerabilities continue to exist. As
changes to information systems are made, baseline configurations are updated, specific
configuration settings confirmed, and configuration items tracked, verified, and reported. SecCM is a
continuous activity that, once incorporated into IT management processes, touches all stages of the
system development life cycle (SDLC).
In the context of SecCM of information systems, a configuration item (CI) is an aggregation of
information system components that is designated for configuration management and treated as a
single entity throughout the SecCM process. This implies that the CI is identified, labelled, and
tracked during its life cycle; the CI is the target of many of the activities within SecCM, such as
configuration change control and monitoring activities. A CI may be a specific information system
component (e.g., server, workstation, router, application), a group of information system
components (e.g., group of servers with like operating systems, group of network components such
as routers and switches, an application or suite of applications), a non-component object (e.g.,
firmware, documentation), or an information system as a whole. CIs give organizations a way to
decompose the information system into manageable parts whose configurations can be actively
managed.
The purpose of breaking up an information system into CIs is to allow more granularity and control
in managing the secure configuration of the system. The level of granularity will vary among
organizations and systems and is balanced against the associated management overhead for each CI.
In one organization, it may be appropriate to create a single CI to track all of the laptops within a
system, while in another organization, each laptop may represent an individual CI.
Baseline configuration
A baseline configuration is a set of specifications for a system, or Configuration Item (CI) within a
system, that has been formally reviewed and agreed on at a given point in time, and which can be
changed only through change control procedures.
SecCM Training
SecCM is a fundamental part of an organizational security program, but often requires a change in
organizational culture. Staff is provided training to ensure their understanding of SecCM policies and
procedures. Training also provides a venue for management to communicate the reasons why
SecCM is important. SecCM training material is developed covering organizational policies,
procedures, tools, artefacts, and monitoring requirements. The training may be mandatory or
optional as appropriate and is targeted to relevant staff (e.g., system administrators,
system/software developers, system security officers, system owners, etc.) as necessary to ensure
that staff has the skills to manage the baseline configurations in accordance with organizational
policy.
Integration with other products such as help desk, inventory management, and incident response
solutions;
Vendor-provided support (patches, updated vulnerability signatures, etc.);
Compliance with applicable federal laws, Executive Orders, directives, policies, regulations,
standards, and guidelines and link vulnerabilities to SP 800-53 controls;
Standardized reporting capability (e.g. SCAP, XML) including ability to tailor output & drill
down;
Data consolidation into Security Information and Event Management (SIEM) tools and dashboard
products.
Prioritize Configurations
Test Configurations
Resolve Issues and Document Deviations
Record and Approve the Baseline Configuration
Deploy the Baseline Configuration
i. Prioritize Configurations
In the ideal environment, all IT products within an organization would be configured to the most
secure state that still provided the functionality required by the organization. However, due to
limited resources and other constraints, many organizations may find it necessary to prioritize which
information systems, IT products, or CIs to target first for secure configuration as they implement
SecCM.
In determining the priorities for implementing secure configurations in information systems, IT
products, or CIs, organizations consider the following criteria:
System impact level: implementing secure configurations in information systems with a high or
moderate security impact level may have priority over information systems with a low security
impact level.
Risk assessments: risk assessments can be used to target information systems, IT products, or
CIs having the most impact on security and organizational risk.
Vulnerability scanning: vulnerability scans can be used to target information systems, IT
products, or CIs that are most vulnerable. For example, the Common Vulnerability Scoring
System (CVSS) is a specification within SCAP that provides an open framework for
communicating the characteristics of software flaw vulnerabilities and for calculating their
relative severity. CVSS scores can be used to help prioritize configuration and patching activities.
Degree of penetration: the degree of penetration represents the extent to which the same
product is deployed within an information technology environment. For example, if an
organization uses a specific operating system on 95 percent of its workstations, it may obtain
the most immediate value by planning and deploying secure configurations for that operating
system. Other IT products or CIs can be targeted afterwards.
Scanning to discover components not recorded in the inventory. For example, after testing of a
new firewall, a technician forgets to remove it from the network. If it is not properly configured,
it may provide access to the network for intruders. A scan would identify this network device as
not a part of the inventory, enabling the organization to take action.
Scanning to identify disparities between the approved baseline configuration and the actual
configuration for an information system.
Example I. A technician rolls out a new patch but forgets to update the baseline configurations of the
information systems impacted by the new patch. A scan would identify a difference between the
actual environment and the description in the baseline configuration enabling the organization to
take action.
Example II. A new tool is installed on the workstations of a few end users of the information system.
During installation, the tool changes a number of configuration settings in the browser on the users
workstations, exposing them to attack. A scan would identify the change in the workstation
configuration, allowing the appropriate individuals to take action.
Implementation of automated change monitoring tools (e.g., change/configuration management
tools, application whitelisting tools). Unauthorized changes to information systems may be an
indication that the systems are under attack or that SecCM procedures are not being followed or
need updating. Automated tools are available that monitor information systems for changes and
alert system staff if unauthorized changes occur or are attempted.
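The two monitoring checks just described, discovery of components that are not in the inventory and comparison of the approved baseline against what a scan actually observes, reduce to a set difference and a per-setting diff. The following is an added example written for this section, not code from the original text or from any product it names. The inventory, the baseline for a "web servers" CI and the scan results are constructed sample data; in a real SecCM program they would come from the organization's inventory and from a discovery or configuration scanner.

```python
"""Detect inventory gaps and baseline drift from scan output (added example).

Example code written for this section, not tooling from the original document.
The inventory, the approved baseline for the "web servers" configuration item
and the scan results below are constructed sample data.
"""
from __future__ import annotations

# Approved inventory of components (constructed).
INVENTORY = {"web01", "web02", "db01", "fw01"}

# The two web servers share a like configuration and are tracked as one CI.
WEB_SERVER_CI = ("web01", "web02")

# Approved, formally reviewed baseline for that CI (constructed settings).
WEB_BASELINE = {
    "os_patch_level": "2024-05",
    "ssh_password_auth": "no",
    "tls_min_version": "1.2",
    "admin_interface_bind": "127.0.0.1",
}

# What a scan actually observed, keyed by host (constructed). web02 is behind on
# patches and a locally installed tool has loosened two settings (Examples I and
# II above); fw-test-7 is a test firewall that was never removed from the network.
SCAN_RESULTS = {
    "web01": {"os_patch_level": "2024-05", "ssh_password_auth": "no",
              "tls_min_version": "1.2", "admin_interface_bind": "127.0.0.1"},
    "web02": {"os_patch_level": "2024-03", "ssh_password_auth": "no",
              "tls_min_version": "1.0", "admin_interface_bind": "0.0.0.0"},
    "db01": {"os_patch_level": "2024-05"},
    "fw01": {"os_patch_level": "2024-04"},
    "fw-test-7": {"os_patch_level": "unknown"},
}


def unknown_hosts(inventory: set[str], scan_results: dict) -> set[str]:
    """Components seen by the scan but absent from the approved inventory."""
    return set(scan_results) - inventory


def config_drift(baseline: dict[str, str], actual: dict[str, str]) -> dict[str, tuple]:
    """Map each deviating setting to (expected, observed).

    A setting the scanner could not read is reported with observed None: an
    unreadable setting is a finding to investigate, not a pass.
    """
    drift = {}
    for setting, expected in baseline.items():
        observed = actual.get(setting)
        if observed != expected:
            drift[setting] = (expected, observed)
    return drift


def monitoring_findings(inventory, ci_members, baseline, scan_results) -> list[tuple]:
    """Combine both checks into (host, item, detail) findings for the CCB."""
    findings = []
    for host in sorted(unknown_hosts(inventory, scan_results)):
        findings.append((host, "not in inventory", "unapproved component on the network"))
    for host in ci_members:
        if host not in scan_results:
            findings.append((host, "no scan data", "CI member was not reached by the scan"))
            continue
        for setting, (expected, observed) in config_drift(baseline, scan_results[host]).items():
            findings.append((host, setting, f"expected {expected!r}, observed {observed!r}"))
    return findings


if __name__ == "__main__":
    for host, item, detail in monitoring_findings(INVENTORY, WEB_SERVER_CI, WEB_BASELINE, SCAN_RESULTS):
        print(f"{host:10} {item:22} {detail}")
```

Note that a missing setting is reported rather than silently skipped; a scanner that cannot read a control is itself a monitoring gap, and treating it as compliant would hide exactly the kind of drift the text warns about.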
When possible, organizations seek to normalize data to describe their information system in order
that the various outputs from monitoring can be combined, correlated, analysed, and reported in a
consistent manner. SCAP provides a common language for describing vulnerabilities,
misconfigurations, and products and is an obvious starting point for organizations seeking a
Administration interfaces are often provided through additional Web pages or separate Web
applications that allow administrators, operators, and content developers to manage site content
and configuration. Administration interfaces such as these should be available only to restricted and
authorized users. Malicious users able to access a configuration management function can
potentially deface the Web site, access downstream systems and databases, or take the application
out of action altogether by corrupting configuration data.
Counter measures to prevent unauthorized access to administration interfaces include:
Consider supporting only local administration. If remote administration is absolutely essential, use
encrypted channels, for example, with VPN technology or SSL, because of the sensitive nature of the
data passed over administrative interfaces. To further reduce risk, also consider using IPSec policies
to limit remote administration to computers on the internal network.
Keep custom configuration stores outside of the Web space. This removes the potential to
download Web server configurations to exploit their vulnerabilities.
Retrieval of Plaintext Configuration Secrets
Restricting access to the configuration store is a must. As an important defence in depth mechanism,
you should encrypt sensitive data such as passwords and connection strings. This helps prevent
external attackers from obtaining sensitive configuration data. It also prevents rogue administrators
and internal employees from obtaining sensitive details such as database connection strings and
account credentials that might allow them to gain access to other systems.
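A quick way to check whether a configuration store still holds secrets in clear is to scan it for the patterns the paragraph names, passwords inside connection strings and credential-like settings, and to recognise a section that has already been encrypted in place. The following is an added example for this section, not code from the original text. The file is constructed: its connectionStrings/appSettings layout and the EncryptedData marker follow the .NET web.config convention, which the text does not name, so treat the section names as assumptions and adapt them for another configuration format.

```python
"""Find plaintext secrets in a configuration store (added example).

Example code written for this section, not from the original document. The
configuration files are constructed, web.config-style XML; the section names
and the EncryptedData marker are assumptions taken from the .NET convention.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a connection string carries its password in clear and an
# API key sits in appSettings; neither section is protected.
UNPROTECTED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="Orders" connectionString="Server=db01;Database=orders;User Id=app;Password=Sup3rSecret!" />
  </connectionStrings>
  <appSettings>
    <add key="ApiKey" value="example-api-key-value" />
    <add key="PageSize" value="50" />
  </appSettings>
</configuration>
"""

# Constructed sample of the hardened store: the secret-bearing section has been
# encrypted in place, so only the provider marker and ciphertext remain.
PROTECTED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData><CipherValue>constructed-ciphertext-placeholder</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <appSettings>
    <add key="PageSize" value="50" />
  </appSettings>
</configuration>
"""

# Connection-string keywords that carry a credential, and setting names that
# usually hold one.
PASSWORD_IN_CONNSTR = re.compile(r"(?:^|;)\s*(?:password|pwd)\s*=", re.IGNORECASE)
SECRET_LIKE_NAME = re.compile(r"(password|passwd|pwd|secret|apikey|api_key|token)", re.IGNORECASE)


def _is_protected(section) -> bool:
    """True when the section was encrypted in place: an EncryptedData child
    (possibly namespaced) replaces the plaintext entries."""
    return any(child.tag.rsplit("}", 1)[-1] == "EncryptedData" for child in section)


def find_plaintext_secrets(config_xml: str) -> list:
    """Return (section, name, reason) for every secret stored in clear."""
    root = ET.fromstring(config_xml)
    findings = []

    conn = root.find("connectionStrings")
    if conn is not None and not _is_protected(conn):
        for add in conn.findall("add"):
            if PASSWORD_IN_CONNSTR.search(add.get("connectionString", "")):
                findings.append(("connectionStrings", add.get("name"),
                                 "plaintext password in connection string"))

    app = root.find("appSettings")
    if app is not None and not _is_protected(app):
        for add in app.findall("add"):
            key = add.get("key", "")
            if SECRET_LIKE_NAME.search(key) and add.get("value"):
                findings.append(("appSettings", key, "secret-looking setting stored in clear"))

    return findings


if __name__ == "__main__":
    for finding in find_plaintext_secrets(UNPROTECTED_CONFIG):
        print(*finding, sep=" | ")
    print("protected store findings:", find_plaintext_secrets(PROTECTED_CONFIG))
```

The check is deliberately conservative: a connection string that uses integrated authentication and carries no password keyword produces no finding, and an encrypted section is skipped entirely because its plaintext is no longer in the file. It complements, rather than replaces, restricting who can read the store in the first place.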
Lack of Individual Accountability
Lack of auditing and logging of changes made to configuration information threatens the ability to
identify when changes were made and who made them. When a breaking change is made, whether by
honest operator error or by a malicious change intended to grant privileged access, action must
first be taken to correct the change. Then apply preventive measures to stop breaking changes from
being introduced in the same manner. Keep in mind that auditing and logging can be circumvented by a
shared account; this applies to both administrative and user/application/service accounts.
Administrative accounts must not be shared. User/application/service accounts must be assigned at
a level that allows the identification of a single source of access using the account, and that contains
any damage to the privileges granted to that account.
Over-privileged Application and Service Accounts
If application and service accounts are granted access to change configuration information on the
system, they may be manipulated to do so by an attacker. The risk of this threat can be mitigated by
adopting a policy of using least privileged service and application accounts. Be wary of granting
accounts the ability to modify their own configuration information unless explicitly required by
design.
Summary
SecCM is defined as the management and control of configurations for information systems to
enable security and facilitate the management of information security risk.
Configuration Management (CM) comprises a collection of activities focused on establishing
and maintaining the integrity of products and systems, through control of the processes for
initializing, changing, and monitoring the configurations of those products and systems.
The activities of SecCM include the following:
o identification and recording of configurations that impact the security posture of the
information system and the organization;
o the consideration of security risks in approving the initial configuration;
o the analysis of security implications of changes to the information system configuration;
o documentation of the approved/implemented changes.
Product patches, fixes, and updates require time for security impact analysis even as threats
and vulnerabilities continue to exist.
A Configuration Item (CI) is identified, labelled, and tracked during its life cycle; the CI is the
target of many of the activities within SecCM. It may be:
o a specific information system component (e.g., server, workstation, router, application)
o a group of information system components (e.g., group of servers with like operating systems,
group of network components such as routers and switches, an application or suite of applications)
o a non-component object (e.g., firmware, documentation)
o an information system as a whole.
CIs give organizations a way to decompose the information system into manageable parts whose
configurations can be actively managed.
A baseline configuration is a set of specifications for a system, or Configuration Item (CI)
within a system, that has been formally reviewed and agreed on at a given point in time, and
which can be changed only through change control procedures.
Monitoring identifies undiscovered/ undocumented system components, misconfigurations,
vulnerabilities, and unauthorized changes, all of which, if not addressed, can expose
organizations to increased risk.
The organization is typically responsible for defining documented policies for the SecCM
program. A SecCM policy should include the following :
Purpose: the objective(s) in establishing organization-wide SecCM policy;
Scope: the extent of the enterprise architecture to which the policy applies;
Roles: the roles that are significant within the context of the policy;
Responsibilities: the responsibilities of each identified role;
Activities: the functions that are performed to meet policy objectives.
Tools to support SecCM activities are selected for use across the organization by SecCM
program management, and information system owners are responsible for applying the tools
to the SecCM activities performed on each information system
Practical activities:
Activity 1:
Work in groups to research configuration management tools available in the industry.
Compare and categorise these tools based on their features, area of strengths and
limitations. These should be presented in class for shared understanding.
Activity 2:
Create a group project by interacting with companies that offer CM tools and prepare a sequential
process map of how the tool functions in order to carry out its functions.
Present the same in class, highlighting the functionality and dependencies of the tools.
State whether each of the following is true or false:
There could be a different baseline configuration for each life cycle stage (development, test,
staging, production) of the information system. ( )
Semi-automated tools work best to scan Web servers, database servers, network devices, etc. in a
SecCM program. ( )
NOTES:
UNIT IX
Log Correlation and Management
LESSON PLAN
Outcomes
To be competent, you must be able to:
PC6. maintain accurate daily records/logs of information security performance parameters using
standard templates and tools
PC7. analyze information security performance metrics to highlight variances and issues for action
by appropriate people
You need to know and understand:
KA9. different types of automation tools and how to use these
KA10. how to access and analyze information security performance metrics
Performance Measures
Ensuring Work Environment Requirement
Lab:
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with WiFi (Min 2 Mbps Dedicated)
Networking Equipment: Routers & Switches
Firewalls and Access Points
Access to all security sites like ISO, PCI DSS
Commercial Tools like HP WebInspect and IBM AppScan etc.
Open Source tools like sqlmap, Nessus etc.
Lesson
9.1 Event Logs - Concepts (As it is)
A log is a record of the events occurring within an organization's systems and networks. Logs are
composed of log entries; each entry contains information related to a specific event that has
occurred within a system or network. Originally, logs were used primarily for troubleshooting
problems, but logs now serve many functions within most organizations, such as optimizing system
and network performance, recording the actions of users, and providing data useful for investigating
malicious activity.
Logs have evolved to contain information related to many different types of events occurring within
networks and systems. Within an organization, many logs contain records related to computer
security; common examples of these computer security logs are audit logs that track user
authentication attempts and security device logs that record possible attacks.
Key Concepts
Log management: Log management refers to the broad practice of collecting, aggregating and
analysing network data for a variety of purposes. Data logging devices collect incredible amounts of
information on security, operational and application events; log management comprises the tools
to search and parse this data for trends, anomalies and other relevant information.
Security information event management (SIEM): Like log management, SIEM also involves the
collection and analysis of data. The key distinction to be made is that SIEM is a specialized tool for
information security. SIEM appliances enable event reduction and real-time alerting, and they
provide specific workflows to address security breaches as they occur. Another key feature of SIEM
is the incorporation of non-event based data, such as vulnerability scanning reports, for correlation
and analysis.
A lot of money has been invested in security products such as firewalls, intrusion detection, and
strong authentication over the past several years. However, system penetration attempts continue
to occur and go unnoticed until it is too late. It is not that security countermeasures are ineffective
against intrusive activity. Indeed, they can be very effective within an organization where security
policies and procedures require analysis of security events and appropriate incident response.
However, deploying and analysing a single device in an effort to maintain situational awareness with
respect to the state of security within an organization is the "computerized version of tunnel vision".
Security events must be analysed from as many sources as possible in order to assess threat and
formulate appropriate response. Extraordinary levels of security awareness can be attained in an
organization's network by simply listening to what its devices are telling you.
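The "tunnel vision" point, and the SIEM distinction made under Key Concepts above, are easiest to see with a concrete correlation. The following is an added example written for this section, not code from the original text or from any SIEM product. The two log excerpts are constructed: an authentication server writing ISO 8601 timestamps and a VPN concentrator writing syslog-style lines. Both formats, the host names and the year assumed for the syslog lines (which carry none) are assumptions. Each device on its own shows only two failed logins for one user, below a three-failure threshold; only when both sources are normalized to one event model and correlated does the pattern of four failures followed by a successful connection appear.

```python
"""Correlate authentication failures across two log sources (added example).

Example code written for this section, not from the original document. The log
excerpts, host names and line formats are constructed; the year supplied for
the syslog lines is an assumption because syslog timestamps omit it.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

AUTH_LOG = """\
2024-05-06T09:00:01Z authsrv login user=jdoe src=203.0.113.7 result=FAIL
2024-05-06T09:00:03Z authsrv login user=jdoe src=203.0.113.7 result=FAIL
2024-05-06T09:00:09Z authsrv login user=asmith src=198.51.100.4 result=OK
"""

VPN_LOG = """\
May  6 09:00:05 vpn01 vpnd: user jdoe from 203.0.113.7 authentication failed
May  6 09:00:07 vpn01 vpnd: user jdoe from 203.0.113.7 authentication failed
May  6 09:00:12 vpn01 vpnd: user jdoe from 203.0.113.7 connected
"""


@dataclass(frozen=True)
class Event:
    """One authentication attempt, normalized so sources can be compared."""
    ts: datetime
    source: str
    user: str
    src_ip: str
    success: bool


AUTH_RE = re.compile(r"^(?P<ts>\S+) authsrv login user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<res>OK|FAIL)$")
VPN_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) vpn01 vpnd: "
                    r"user (?P<user>\S+) from (?P<ip>\S+) (?P<res>authentication failed|connected)$")


def parse_auth_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append(Event(ts, "authsrv", m["user"], m["ip"], m["res"] == "OK"))
    return events


def parse_vpn_log(text: str, year: int = 2024) -> list:
    # Syslog timestamps carry neither year nor zone; both are supplied here
    # (UTC, and a year that is an assumption) so the two sources line up.
    events = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
            events.append(Event(ts, "vpn01", m["user"], m["ip"], m["res"] == "connected"))
    return events


def correlate(events, window=timedelta(seconds=60), threshold=3) -> list:
    """Flag a (user, source IP) pair when at least `threshold` failures from any
    source fall inside `window` and are then followed by a success."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_key[(e.user, e.src_ip)].append(e)
    alerts = []
    for (user, ip), attempts in by_key.items():
        failures = []
        for e in attempts:
            if not e.success:
                failures.append(e)
                continue
            recent = [f for f in failures if e.ts - f.ts <= window]
            if len(recent) >= threshold:
                alerts.append({"user": user, "src_ip": ip, "failures": len(recent),
                               "sources": sorted({f.source for f in recent}),
                               "success_at": e.ts.isoformat()})
            failures = []  # a success closes the window either way
    return alerts


if __name__ == "__main__":
    print("auth server alone:", correlate(parse_auth_log(AUTH_LOG)))
    print("VPN alone:        ", correlate(parse_vpn_log(VPN_LOG)))
    print("both correlated:  ", correlate(parse_auth_log(AUTH_LOG) + parse_vpn_log(VPN_LOG)))
```

Normalizing timestamps to one zone before sorting is the step most often skipped in practice; a syslog source with no zone and an appliance clock a few minutes off will quietly split one attack into two harmless-looking sequences.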
Security Software
Most organizations use several types of network-based and host-based security software to detect
malicious activity, protect systems and data, and support incident response efforts. Accordingly,
security software is a major source of computer security log data. Common types of network-based
and host based security software include the following:
Antimalware Software. The most common form of antimalware software is antivirus software, which
typically records all instances of detected malware, file and system disinfection attempts, and file
quarantines.
Additionally, antivirus software might also record when malware scans were performed and when
antivirus signature or software updates occurred. Antispyware software and other types of
antimalware software (e.g., rootkit detectors) are also common sources of security information.
Intrusion Detection and Intrusion Prevention Systems. Intrusion detection and intrusion prevention
systems record detailed information on suspicious behaviour and detected attacks, as well as any
actions intrusion prevention systems performed to stop malicious activity in progress.
Some intrusion detection systems, such as file integrity checking software, run periodically instead of
continuously, so they generate log entries in batches instead of on an ongoing basis.
Remote Access Software
Remote access is often granted and secured through virtual private networking (VPN). VPN systems
typically log successful and failed login attempts, as well as the dates and times each user connected
and disconnected, and the amount of data sent and received in each user session. VPN systems that
support granular access control, such as many Secure Sockets Layer (SSL) VPNs, may log detailed
information about the use of resources.
Web Proxies
Web proxies are intermediate hosts through which Web sites are accessed. Web proxies make Web
page requests on behalf of users, and they cache copies of retrieved Web pages to make additional
accesses to those pages more efficient. Web proxies can also be used to restrict Web access and to
add a layer of protection between Web clients and Web servers. Web proxies often keep a record of
all URLs accessed through them.
Vulnerability Management Software
Vulnerability management software, which includes patch management software and vulnerability
assessment software, typically logs the patch installation history and vulnerability status of each
host, which includes known vulnerabilities and missing software updates.
Vulnerability management software may also record additional information about hosts'
configurations. Vulnerability management software typically runs occasionally, not continuously,
and is likely to generate large batches of log entries.
Authentication Servers
Authentication servers, including directory servers and single sign-on servers, typically log each
authentication attempt, including its origin, username, success or failure, and date and time.
Routers
Routers may be configured to permit or block certain types of network traffic based on a policy.
Routers that block traffic are usually configured to log only the most basic characteristics of blocked
activity.
Firewalls
Like routers, firewalls permit or block activity based on a policy; however, firewalls use much more
sophisticated methods to examine network traffic.
Firewalls can also track the state of network traffic and perform content inspection. Firewalls tend to
have more complex policies and generate more detailed logs of activity than routers.
Network Quarantine Servers
Some organizations check each remote host's security posture before allowing it to join the
network. This is often done through a network quarantine server and agents placed on each host.
Hosts that do not respond to the server's checks or that fail the checks are quarantined on a
separate virtual local area network (VLAN) segment. Network quarantine servers log information
about the status of checks, including which hosts were quarantined and for what reasons.
Operating systems (OS) for servers, workstations, and networking devices (e.g., routers, switches)
usually log a variety of information related to security. The most common types of security-related
OS data are as follows:
System Events
System events are operational actions performed by OS components, such as shutting down the
system or starting a service. Typically, failed events and the most significant successful events are
logged, but many OSs permit administrators to specify which types of events will be logged. The
details logged for each event also vary widely; each event is usually timestamped, and other
supporting information could include event, status, and error codes; service name; and user or
system account associated with an event.
Audit Records
Audit records contain security event information such as successful and failed authentication
attempts, file accesses, security policy changes, account changes (e.g., account creation and
deletion, account privilege assignment), and use of privileges. OSs typically permit system
administrators to specify which types of events should be audited and whether successful and/or
failed attempts to perform certain actions should be logged.
Log management infrastructures typically perform several functions that assist in the storage, analysis,
and disposal of log data. These functions are normally performed in such a way that they do not alter
the original logs.
The following items describe common log management infrastructure functions:
Log parsing is extracting data from a log so that the parsed values can be used as input for another
logging process. A simple example of parsing is reading a text-based log file that contains 10
comma-separated values per line and extracting the 10 values from each line.
Parsing is performed as part of many other logging functions, such as log conversion and log
viewing.
Configure the log sources, including log generation, storage, and security
Perform analysis of log data
Initiate appropriate responses to identified events
Manage the long-term storage of log data.
Administrators determine which of their hosts and host components must or should participate
in the log management infrastructure.
A single log file might contain information from several sources, such as an OS log containing
information from the OS itself and several security software programs and applications.
Administrators ascertain which log sources use each log file.
For each identified log source, administrators determine which types of events each log source
must or should log, as well as which data characteristics must or should be logged for each type
of event.
The administrators ability to configure each log source is dependent on the features offered by that
particular type of log source. For example, some log sources offer very granular configuration
options, while some offer no granularity at all: logging is simply enabled or disabled, with no control
over what is logged. This section discusses log source configuration in three categories: log
generation, log storage and disposal, and log security.
Event Logs
Event logs are special files that record significant events on your computer, such as when a user logs
on to the computer or when a program encounters an error.
Example: Windows Event Log
Whenever the significant types of events occur, Windows records the event in an event log that you
can read by using Event Viewer. Advanced users might find the details in event logs helpful when
troubleshooting problems with Windows and other programs.
Event Viewer tracks information in several different logs. Windows Logs include:
Application (program) events
Events are classified as error, warning, or information, depending on the severity of the event. An
error is a significant problem, such as loss of data. A warning is an event that isn't necessarily
significant, but might indicate a possible future problem. An information event describes the
successful operation of a program, driver, or service.
Security-related events
These events are called audits and are described as successful or failed depending on the event,
such as whether a user trying to log on to Windows was successful.
Setup events
Computers that are configured as domain controllers will have additional logs displayed here.
System events
System events are logged by Windows and Windows system services, and are classified as error,
warning, or information.
Forwarded events
These events are forwarded to this log by other computers.
Applications and Services Logs vary. They include separate logs about the programs that run on your
computer, as well as more detailed logs that pertain to specific Windows services.
Open Event Viewer by clicking the Start button, clicking Control Panel, clicking System and
Security, clicking Administrative Tools, and then double-clicking Event Viewer. Administrator
permission is required: if you're prompted for an administrator password or confirmation, type the
password or provide confirmation.
Click an event log in the left pane.
Double-click an event to view the details of the event.
1. Click Start, select Programs, select Administrative Tools, click Computer Management.
2. In the console tree, click Event Viewer. Right-click Security and select Properties.
3. The Security Properties window will appear. Here authorized administrators can set the
maximum log size and the action to take when the maximum log size is reached. To restore the
default settings, click Restore Defaults. To clear the log, click Clear Log. Under Log size, select
one of these options:
To retain all the events in the log, click Do not overwrite events (clear log manually). This option
requires that logs be cleared manually. When the maximum log size is reached, new events are
discarded. If the event log is not cleared and archived regularly, a warning message is displayed.
1. After establishing the security log settings, click the Apply button.
2. The Security Properties window also provides the ability to set filters on the event log to
perform searches and sorting of audit data. To filter an existing event log in order to view or save
specific security events, select the Filter tab and configure the filter.
3. To configure the filter, select the Event types that will be included by checking or unchecking
the selection box next to Information, Warning, Error, Success Audit, and/or Failure Audit, then
input any additional desired filtering requirements by Event source, Category, Event ID, User, or
Computer.
4. By default the entire event log will be filtered for viewing by the parameters selected above. If
desired, select a date and time range for the logs that will be filtered for viewing. This is
accomplished by first clicking on the From: drop-down menu and changing the selection to Events
On. The date and time dialog boxes will become active. Change the date by selecting the drop-down
menu and choosing a date from the calendar that is presented. Change the time by scrolling the up
and down arrows in the time dialog box. Follow the same procedure clicking on the To: drop-down
menu and changing the selection to Events On, and set the date and time for the last event as
described above.
5. Once all the desired filtering options have been selected, click the Apply button and click OK.
The Event Viewer will filter the log and display the information as defined by the filter.
W3C Extended Log File Format: text-based, customizable format for a single site. This is the
default format.
W3C Centralized Logging: all data from all Web sites is recorded in a single log file in the W3C
log file format.
NCSA Common Log File Format: text-based, fixed format for a single site.
IIS Log File Format: text-based, fixed format for a single site.
ODBC Logging: fixed format for a single site. Data is recorded in an ODBC-compliant database.
Centralized Binary Logging: binary-based, unformatted data that is not customizable. Data is
recorded from multiple Web sites and sent to a single log file. To interpret the data, you need
a special parser.
HTTP.sys Error Log Files: fixed format for HTTP.sys-generated errors.
Open the log file labeled "ex010110.log" in your text editor. The six digits in the log file
name are in the format day, month and year the file was created.
Locate the header information. This is a line starting with "#Fields:". Use this line to determine
the corresponding values in each column.
Use the date and time to identify when the request was created. The "sitename" and
"computername" will indicate which server responded to the request.
Identify the visitor to your web server by the "c-ip", which is the IP address of the visitor's
computer.
The "cs-method" column will most often contain either "post" or "get", depending on the
request made by the visitor's browser. The fields "cs-uri-stem" and "cs-uri-query" denote
the resource, such as an image or web page, that the visitor requested.
Use the "sc-status" column to determine whether the web server was able to respond correctly
to the request. A link is provided in the resource section of this article to a complete list of
response codes.
Use the "cs(User-Agent)" to determine what type of browser the visitor used, or whether the
visitor is actually a search engine. A link to a list of common user agents has been provided in
the resource area of this article.
Summary
Log management: Log management refers to the broad practice of collecting, aggregating
and analysing network data for a variety of purposes.
Security information and event management (SIEM) involves the collection and analysis of
log data. Security software is a major source of computer security log data.
Web proxies often keep a record of all URLs accessed through them.
Routers and firewalls permit or block certain types of network traffic based on a policy;
however, they differ in terms of their level of complexity.
OS logs are most beneficial for identifying or investigating suspicious activity involving a
particular host.
Operating systems and security software provide the foundation and protection for
applications; Applications vary significantly in the types of information that they log and
some of the most commonly logged types of information include:
o Client requests and server responses
o e-mail servers recording the sender, recipients, subject name, and attachment names
for each e-mail
o web servers recording each URL requested and the type of response provided by the
server;
o business applications recording which financial records were accessed by each user
o successful and failed authentication attempts, account changes (e.g., account creation
and deletion, account privilege assignment), and use of privileges
o brute force password guessing and escalation of privileges
o number of transactions occurring in a certain period and size of transactions, etc.
Log management ensures that computer security records are stored in sufficient detail for
an appropriate period of time. A log management infrastructure typically comprises the
following three tiers:
Log Generation: contains the hosts that generate the log data
Log Analysis and Storage: composed of one or more log servers that receive log
data or copies of log data
Log Monitoring: contains consoles that may be used to monitor and review log
data and the results of automated analysis
Log management infrastructures typically perform several functions that assist in the
storage, analysis, and disposal of log data. These functions are normally performed in such
a way that they do not alter the original logs.
Major operational processes for log management are as follows:
Configure the log sources, including log generation, storage, and security
Perform analysis of log data
Initiate appropriate responses to identified events
Manage the long-term storage of log data
Authorized administrators can define security settings for the event logs. The choices are
somewhat limited, and include log size, the length of time a log should be stored, and
when the log should be cleared.
Internet Information Services (IIS) is a web server developed by Microsoft for use with
Windows Server. The server is meant for a variety of hosting uses while attempting to
maintain a high level of flexibility and scalability.
The most effective way to gain a solid understanding of log data is to review and analyse
portions of it regularly (e.g., every day)
Practical activities:
Activity 1:
Study various log report templates and sources which provide guidance on using log
reports. The various information available in the report should be understood and
possible anomalies listed.
Activity 2:
Work in groups to explore the log configurations of your own training institute server
and generate reports from the servers each week. These should be analysed and
activity reports and inferences from it presented in class by a different group each
week.
Q. What do you understand by the technical phrase computerized version of tunnel vision?
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Q. Mention the common features shared by Routers and Firewalls
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
Q. Web proxies are intermediate hosts that act as a layer between
_______________________________ and ______________________________________.
Q. Status of checks and quarantined hosts log information can be retrieved from __________________.
Q. Event Filtering is extracting data from a log so that the parsed values can be used as input for
another logging process. ( )
NOTES:
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
UNIT X
Data Backup
LESSON PLAN
Outcomes
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures
and guidelines
PC5. carry out backups of security devices and applications in line with information security
policies, procedures and guidelines, where required
You must know and understand:
KA12. your organization's information security systems and tools and how to access and
maintain these
KB2. different types of backups for security devices and applications and how to carry out backups
Performance Measures
Ensuring Work Environment Requirement
Lab: PCs/Tablets/Laptops; Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated);
Networking Equipment - Routers & Switches; Firewalls and Access Points; Backup devices and
storage media
Lesson
10.1 Data Backup - Overview (As it is)
Backup is the activity of copying files or databases so that they will be preserved in case of
equipment failure or other catastrophe. Backup is usually a routine part of the operation of large
businesses with mainframes as well as the administrators of smaller business computers. For
personal computer users, backup is also necessary but often neglected. The retrieval of files you
backed up is called restoring them.
Purpose
All electronic information considered of institutional value should be copied onto secure storage
media on a regular basis (i.e., backed up), for disaster recovery and business resumption. Special
backup needs, identified through technical risk analysis that exceeds these requirements, should be
accommodated on an individual basis.
Scope
Data custodians are responsible for providing adequate backups to ensure the recovery of data and
systems in the event of failure. Backup provisions allow business processes to be resumed in a
reasonable amount of time with minimal loss of data. Since hardware and software failures can take
many forms, and may occur over time, multiple generations of institutional data backups need to be
maintained.
Full backup
Full backup is a method of backup where all the files and folders selected for the backup will be
backed up. It is commonly used as an initial or first backup followed with subsequent incremental or
differential backups. After several incremental or differential backups, it is common to start over
with a fresh full backup again.
Some also like to do full backups for all backup runs typically for smaller folders or projects that do not
occupy too much storage space.
Advantages
Restores are fast and easy to manage as the entire list of files and folders are in one backup set.
Easy to maintain and restore different versions.
Disadvantages
Backups can take very long as each file is backed up again every time the full backup is run.
Consumes the most storage space compared to incremental and differential backups. The exact
same files are stored repeatedly, resulting in inefficient use of storage.
Incremental backup
Incremental backup is a backup of all changes made since the last backup. The last backup can be a
full backup or simply the last incremental backup. With incremental backups, one full backup is done
first and subsequent backup runs are just the changed files and new files added since the last
backup.
Advantages
Much faster backups
Efficient use of storage space as files are not duplicated. Much less storage space is used compared
to running full backups and even differential backups.
Disadvantages
Restores are slower than with a full backup and differential backups.
Restores are a little more complicated. All backup sets (first full backup and all incremental backups)
are needed to perform a restore.
Differential backups
Differential backups fall in the middle between full backups and incremental backup. A differential
backup is a backup of all changes made since the last full backup. With differential backups, one full
backup is done first and subsequent backup runs are the changes made since the last full backup.
The result is a much faster backup than a full backup for each backup run. Storage space used is less
than with a full backup but more than with incremental backups. Restores are slower than with a full
backup but usually faster than with incremental backups.
Mirror backups
Mirror backups are, as the name suggests, a mirror of the source being backed up. With mirror
backups, when a file in the source is deleted, that file is eventually also deleted in the mirror backup.
Because of this, mirror backups should be used with caution, as a file that is deleted by accident,
sabotage or through a virus may also cause that same file in the mirror to be deleted. Some do
not consider a mirror to be a backup.
Many online backup services offer a mirror backup with a 30 day delete. This means that when you
delete a file on your source, that file is kept on the storage server for at least 30 days before it is
eventually deleted. This helps strike a balance offering a level of safety while not allowing the
backups to keep growing since online storage can be relatively expensive.
Many backup software utilities do provide support for mirror backups.
Advantages
The backup is clean and does not contain old and obsolete files
Disadvantages
There is a chance that files in the source deleted accidentally, by sabotage or through a virus may
also be deleted from the backup mirror.
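The four backup types described above (full, incremental, differential and mirror), as an added example that is not from the original lesson: a Python simulation of four daily backup runs over a constructed file tree. It shows how many file copies each strategy writes, how many backup sets a restore has to read, and why a mirror silently loses a file that was deleted from the source while the other strategies still restore it. The file tree, version numbers and the four-day schedule are all constructed for the example.

```python
"""Simulate full, incremental, differential and mirror backups (added example, not from the lesson)."""

# Constructed file tree for four consecutive days: path -> content version number.
# Day 0 is the baseline; later days modify and add files, and day 3 deletes pics/c.jpg.
DAYS = [
    {"docs/a.txt": 1, "docs/b.txt": 1, "pics/c.jpg": 1},
    {"docs/a.txt": 2, "docs/b.txt": 1, "pics/c.jpg": 1},
    {"docs/a.txt": 2, "docs/b.txt": 2, "pics/c.jpg": 1, "docs/d.txt": 1},
    {"docs/a.txt": 3, "docs/b.txt": 2, "docs/d.txt": 1},
]


def changed_since(state, reference):
    """Files that are new, or whose version differs, compared with `reference`."""
    return {path: ver for path, ver in state.items() if reference.get(path) != ver}


def plan_backups(days, strategy):
    """Run `strategy` once per day and return the backup sets that exist afterwards.

    The first run is always a full backup. Incremental sets hold changes since the
    previous run of any type; differential sets hold changes since the full backup;
    a mirror is overwritten on every run and keeps no history.
    """
    sets = [dict(days[0])]
    last_run_state = dict(days[0])
    for state in days[1:]:
        if strategy == "full":
            sets.append(dict(state))
        elif strategy == "incremental":
            sets.append(changed_since(state, last_run_state))
        elif strategy == "differential":
            sets.append(changed_since(state, sets[0]))
        elif strategy == "mirror":
            sets = [dict(state)]                   # deletions propagate to the mirror
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
        last_run_state = dict(state)
    return sets


def restore(sets, strategy):
    """Rebuild the latest file tree from the sets a restore of `strategy` must read."""
    if strategy in ("full", "mirror"):
        return dict(sets[-1])                      # one set is enough
    if strategy == "differential":
        return {**sets[0], **sets[-1]}             # the full set plus the latest differential
    if strategy == "incremental":
        tree = {}
        for backup_set in sets:                    # the full set plus every incremental, in order
            tree.update(backup_set)
        return tree
    raise ValueError(f"unknown strategy {strategy!r}")


def sets_needed(sets, strategy):
    """Number of backup sets a restore of the latest state has to read."""
    return {"full": 1, "mirror": 1, "differential": 2, "incremental": len(sets)}[strategy]


def files_stored(sets):
    """Total file copies written across all runs: a rough measure of storage consumed."""
    return sum(len(backup_set) for backup_set in sets)


if __name__ == "__main__":
    for strategy in ("full", "incremental", "differential", "mirror"):
        sets = plan_backups(DAYS, strategy)
        tree = restore(sets, strategy)
        print(f"{strategy:12s} copies stored={files_stored(sets):2d}  "
              f"sets to restore={sets_needed(sets, strategy)}  "
              f"deleted file still restored={'pics/c.jpg' in tree}")
```

Running it reproduces the trade-offs in the text: full backups store the most copies but restore from one set, incremental backups store the fewest but need the full set plus every incremental, differential backups sit in between, and only the mirror drops pics/c.jpg, because incremental and differential sets as modelled here record changed and new files, not deletions.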
Full PC backup
Full PC backup or full computer backup typically involves backing up entire images of the computer's
hard drives rather than individual files and folders. The drive image is like a snapshot of the drive. It
may be stored compressed or uncompressed.
With other file backups, only the user's documents, pictures, videos and music files can be restored,
while the operating system, programs etc. need to be reinstalled from their source download or disc
media.
With the full PC backup, however, you can restore the hard drives to their exact state when the backup
was done. Hence, not only can the documents, pictures, videos and audio files be restored but the
Local backup
A local backup is any backup where the storage medium is kept close at hand. Typically, the storage
medium is plugged in directly to the source computer being backed up or is connected through a
local area network to the source being backed up.
Advantages
Offers good protection from hard drive failures, virus attacks, accidental deletes and deliberate
employee sabotage on the source data.
Very fast backup and very fast restore.
Storage cost can be very cheap when the right storage medium is used like external hard drives
Data transfer cost to the storage medium can be negligible or very cheap
Since the backups are stored close by, they are very conveniently obtained whenever needed for
backups and restores.
Full internal control over the backup storage media and the security of the data on it. There is no
need to entrust the storage media to third parties.
Disadvantages
Since the backup is stored close to the source, it does not offer good protection against theft,
fire, flood, earthquakes and other natural disasters. When the source is damaged by any of these
circumstances, there's a good chance the backup will also be damaged.
Offsite Backup
Any backup where the backup storage medium is kept at a different geographic location from the
source is known as an offsite backup. The backup may be done locally at first on the usual
storage devices but once the storage medium is brought to another location, it becomes an
offsite backup.
Advantages
Offers additional protection when compared to local backup such as protection from theft, fire,
flood, earthquakes, hurricanes and more.
Disadvantages
Except for online backups, it requires more due diligence to bring the storage media to the offsite
location.
May cost more as people usually need to rotate between several storage devices. For example
when keeping in a bank deposit box, people usually use 2 or 3 hard drives and rotate between
them. So at least one drive will be in storage at any time while the other is removed to perform
the backup.
Because of increased handling of the storage devices, the risk of damaging delicate hard disks is
higher. (This does not apply to online storage.)
Online backup
An online backup is a backup done on an ongoing basis to a storage medium that is always
connected to the source being backed up. The term online refers to the storage device or facility
being always connected. Typically the storage medium or facility is located offsite and connected to
the backup source by a network or Internet connection. It does not involve human intervention to
plug in drives and storage media for backups to run.
Many commercial data centers now offer this as a subscription service to consumers. The storage
data centers are located away from the source being backed up and the data is sent from the source
to the storage center securely over the Internet.
Typically a client application is installed on the source computer being backed up. Users can define
which folders and files they want to back up and at what times of the day they want the backups to
run. The data may be compressed and encrypted before being sent over the Internet to the storage
data center.
The storage facility is a commercial data center located away from the source computers being
backed up. Typically they are built to certain fire and earthquake safety specifications. They have
higher security standards with CCTV and round the clock monitoring. They typically have backup
generators to deal with grid power outages and the facility is temperature controlled. Data is not
just stored on one physical medium but replicated across several devices. These facilities are usually
served by multiple redundant Internet connections so there is no single point of failure to bring the
service down.
Advantages
Offers the best protection against fires, theft and natural disasters.
Because data is replicated across several storage media, the risk of data loss from hardware failure
is very low.
Because backups are frequent or continuous, data loss is very minimal compared to other backups
that are run less frequently.
Because it is online, it requires little human or manual interaction after it is setup.
Disadvantages
Is a more expensive option than local backups.
Initial or first backups can be a slow process spanning a few days or weeks depending on Internet
connection speed and the amount of data backed up.
Can be slow to restore.
Remote backups
Remote backups are a form of offsite backup with a difference being that you can access, restore or
administer the backups while located at your source location or other physical location. The term
remote refers to the ability to control or administer the backups from another location.
You do not need to be physically present at the backup storage facility to access the backups.
Putting your backup hard drive at your bank safe deposit box would not be considered a remote
backup. You cannot administer or access it without making a trip to the bank. The term remote
backup is often used loosely and interchangeably with online backup and cloud backup.
Advantages
Much better protection from natural disasters than local backups.
Easier administration as it does not need a physical trip to the offsite backup location.
Disadvantages
More expensive than local backups
Can take longer to backup and restore than local backups
Cloud backup
Cloud backup is a term often used loosely and interchangeably with Online Backup and Remote
Backup. This is a type of backup where data is backed up to a storage server or facility connected to
the source via the Internet. With the proper login credentials, that backup can then be accessed
securely from any other computer with an Internet connection. The term cloud refers to the
backup storage facility being accessible from the Internet.
Advantages
Since this is an offsite backup, it offers protection from fire, floods, earthquakes and other natural
disasters.
Able to easily connect and access the backup with just an Internet connection.
Data is replicated across several storage devices and usually served by multiple Internet
connections so the system is not at the mercy of a single point of failure.
When the service is provided by a good commercial data center, the service is managed and
protection is unparalleled.
Disadvantages
More expensive than local backups
Can take longer to backup and restore
FTP Backup
This is a kind of backup where the backup is done via the File Transfer Protocol (FTP) over the
Internet to an FTP Server. Typically the FTP Server is located in a commercial data center away from
the source data being backed up. When the FTP server is located at a different location, this is
another form of offsite backup.
Advantages
Since this is an offsite backup, it offers protection from fire, floods, earthquakes and other natural
disasters.
Able to easily connect and access the backup with just an Internet connection.
Disadvantages
More expensive than local backups
Can take longer to backup and restore. Backup and restore times depend on the Internet
connection.
frequency, data backup retention, testing, media replacement, recovery time, roles and responsibilities
Data Backup Retention - Retention of backup data must meet System and institution
requirements for critical data.
Testing - Restoration of backup data must be performed and validated periodically on all types of
media in use.
Media Replacement - Backup media should be replaced according to manufacturer
recommendations.
Recovery Time - The recovery time objective (RTO) must be defined and support business
requirements.
Roles and Responsibilities - Appropriate roles and responsibilities must be defined for data
backup and restoration to ensure timeliness and accountability.
Offsite Storage - Removable backup media taken offsite must be stored in an offsite location
that is insured and bonded, or in a locked, media-rated fire safe.
Onsite Storage - Removable backup media kept onsite must be stored in a locked container
with restricted physical access.
Media Destruction - How to dispose of data storage media in various situations.
Encryption - Non-public data stored on removable backup media must be encrypted.
Non-public data must be encrypted in transit and at rest when sent to an offsite backup
facility, either physically or via electronic transmission.
Third Parties - Third parties' backup handling and storage procedures must meet System or
institution policy or procedure requirements related to data protection, security and privacy.
These procedures must cover contract terms that include bonding, insurance, disaster
recovery planning and requirements for storage facilities with appropriate environmental
controls.
Definitions
Archive: An archive is a collection of historical data specifically selected for long-term retention
and future reference. It is usually data that is no longer actively used, and is often stored on
removable media.
Backup: A copy of data that may be used to restore the original in the event the latter is lost or
damaged beyond repair. It is a safeguard for data that is being used. Backups are not intended to
provide a means to archive data for future reference or to maintain a versioned history of data to
meet specific retention requirements.
Critical Data: Data that needs to be preserved in support of the institution's ability to recover from
a disaster or to ensure business continuity.
Data: Information collected, stored, transferred or reported for any purpose, whether in
computers or in manual files. Data can include: financial transactions, lists, identifying information
about people, projects or processes, and information in the form of reports. Because data has
value, and because it has various sensitivity classifications defined by federal law and state
statute, it must be protected.
Destruction: Destruction of media includes: disintegration, incineration, pulverizing, shredding, and
melting. Information cannot be restored in any form following destruction.
Media Rated, Fire Safe: A safe designed to maintain internal temperature and humidity levels low
enough to prevent damage to CDs, tapes, and other computer storage devices in a fire. Safes are
rated based on the length of time the contents of a safe are preserved while directly exposed to
fire and high temperatures.
Information Technology Resources: Facilities, technologies, and information resources used for
System information processing, transfer, storage, and communications. Included in this definition
are computer labs, classroom technologies, computing and electronic communications devices
and services, such as modems, e-mail, networks, telephones (including cellular), voice mail, fax
transmissions, video, multimedia, and instructional materials. This definition is not all-inclusive,
but rather, reflects examples of System equipment, supplies and services.
Recovery Point Objective (RPO): Acceptable amount of service or data loss measured in time. The
RPO is the point in time prior to service or data loss that service or data will be recovered to.
Recovery Time Objective (RTO): Acceptable duration from the time of service or data loss to the
time of restoration.
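The RPO and RTO definitions above, as an added example that is not part of the original lesson: Python helpers that compute the worst-case data loss a backup schedule allows (one interval plus the run time of a backup, since a backup still running when the failure strikes cannot be restored from), the actual loss for a concrete failure time, and an estimate of restore time from the sizes of the backup sets that must be transferred, then compare both to the objectives. The objectives, schedule, set sizes and link throughput are constructed figures, and the 30-minute fixed restore overhead is an assumption.

```python
"""Compare a backup schedule with RPO and RTO objectives (added example, not from the lesson)."""
from datetime import datetime, timedelta


def worst_case_data_loss(interval, backup_duration):
    """Largest gap between the last restorable backup and a failure.

    A backup that is still running when the failure strikes cannot be restored from,
    so the worst case is one full interval plus the run time of the backup itself.
    """
    return interval + backup_duration


def actual_data_loss(completed_backups, failure_time):
    """Data loss for a concrete failure: time since the last backup that completed before it."""
    usable = [t for t in completed_backups if t <= failure_time]
    if not usable:
        raise ValueError("no backup completed before the failure")
    return failure_time - max(usable)


def estimated_restore_time(set_sizes_gb, throughput_gb_per_hour, fixed_overhead):
    """Restore time = fixed overhead (fetch media, rebuild host, verify) + transfer of every set read."""
    transfer = timedelta(hours=sum(set_sizes_gb) / throughput_gb_per_hour)
    return fixed_overhead + transfer


def assess(rpo, rto, interval, backup_duration, set_sizes_gb, throughput_gb_per_hour,
           fixed_overhead=timedelta(minutes=30)):
    """Report whether the schedule meets the RPO and the restore chain meets the RTO."""
    loss = worst_case_data_loss(interval, backup_duration)
    restore = estimated_restore_time(set_sizes_gb, throughput_gb_per_hour, fixed_overhead)
    return {
        "worst_case_loss": loss,
        "meets_rpo": loss <= rpo,
        "restore_time": restore,
        "meets_rto": restore <= rto,
    }


# Constructed scenario: a nightly backup that takes two hours; objectives RPO 24 h and RTO 4 h.
NIGHTLY = dict(interval=timedelta(hours=24), backup_duration=timedelta(hours=2))
OBJECTIVES = dict(rpo=timedelta(hours=24), rto=timedelta(hours=4))
# Constructed restore chains in GB: full + latest differential, and full + six incrementals.
DIFFERENTIAL_CHAIN = [200, 40]
INCREMENTAL_CHAIN = [200, 10, 10, 10, 10, 10, 10]
LINK_GB_PER_HOUR = 100   # assumed restore throughput from the backup store

if __name__ == "__main__":
    for name, chain in (("differential", DIFFERENTIAL_CHAIN), ("incremental", INCREMENTAL_CHAIN)):
        result = assess(**OBJECTIVES, **NIGHTLY, set_sizes_gb=chain,
                        throughput_gb_per_hour=LINK_GB_PER_HOUR)
        print(name, result)
    backups = [datetime(2010, 1, 1, 2), datetime(2010, 1, 2, 2)]
    print("loss for a 2010-01-02 14:30 failure:",
          actual_data_loss(backups, datetime(2010, 1, 2, 14, 30)))
```

With these figures the nightly schedule fails the 24-hour RPO (worst case is 26 hours), which is the kind of variance the metric is meant to surface: either the interval has to shrink or the objective has to be renegotiated, and the choice between differential and incremental chains changes the restore time but not the RPO.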
Automated Backup
If the data backup plan defines a daily interval, making manual backups becomes quite time
consuming, and one may discover now and then that they have skipped making backups because
they had something else more important to do at same time. It is better to foresee the risk of not
making backups and try to automate the whole backup process as much as possible.
Disadvantages:
Very good option for local backups especially for networks and small businesses.
As several hard drives can be plugged in, NAS can hold very large amounts of data.
Can be set up with redundancy (RAID), increasing the reliability and/or the read and write
performance. Depending on the RAID level used, the NAS can still function even if one hard
drive in the RAID set fails, or two hard drives can be set up to double the read and write
speed of a single hard drive.
The drive is always connected and available to the network, making the NAS a good option
for implementing automated scheduled backups.
Disadvantages:
The most portable storage option. Can fit on a keychain, making it an offsite backup when
you bring it with you.
Disadvantages:
Relatively expensive per GB so can only be used for backing up a small amount of data
Disadvantages:
free with more space available for a subscription fee. Examples of service providers are Amazon S3,
Google Drive, Sky Drive etc.
Advantages:
A very good offsite backup. Not affected by events and disasters such as theft, floods, fire etc.
Disadvantages:
More expensive than traditional external hard drives. Often requires an ongoing subscription.
Requires an Internet connection to access the cloud storage.
Much slower than local backups.
The following are features to aim for when designing your backup strategy:
Able to recover from data loss in all circumstances like hard drive failure, virus
attacks, theft, accidental deletes or data entry errors, sabotage, fire, flood, earthquakes
and other natural disasters.
Able to recover to an earlier state if necessary, for example after data entry errors or
accidental deletes.
Able to recover as quickly as possible with minimum effort, cost and data loss.
Require minimum ongoing human interaction and maintenance after the initial
setup, so that backups can run automated or semi-automated.
Backup Start Time: You would typically want to run your backups when there's minimal usage on
the computers. Backups may consume some computer resources that may affect performance.
Also, files that are open or in use may not get backed up.
Scheduling backups to run after business hours is a good practice providing the computer is left on
overnight. Backups will not normally run when the computer is in sleep or hibernate mode.
Some backup software will run immediately upon boot up if it missed a scheduled backup the
previous night.
So if the first hour on a business day morning is your busiest time, you would not want your
computer doing its backups then. If you always shut down or put your computer in sleep or
hibernate mode at the end of a work day, maybe your lunch time would be a better time to
schedule a backup. Just leave the computer on but logged-off when you go out for lunch.
Since servers are usually left running 24 hours, overnight backups for servers are a good choice.
4. Backup Types
Many backup software utilities offer several backup types like Full Backup, Incremental Backup and
Differential Backup. Each backup type has its own advantages and disadvantages. Full backups are
useful for projects, databases or small websites where many different files (text, pictures, videos
etc.) are needed to make up the entire project and you may want to keep different versions of the
project.
5. Compression & Encryption
As part of your backup plan, you also need to decide if you want to apply any compression to your
backups. For example, when backing up to an online service, you may want to apply compression
to save on storage cost and upload bandwidth. You may also want to apply compression when
backing up to storage devices with limited space like USB thumb drives.
If you are backing up very private or sensitive data to an offsite service, some backup tools and
services also offer support for encryption. Encryption is a good way to protect your content should
it fall into malicious hands. When applying encryption, always ensure that you remember your
encryption key. You will not be able to restore your data without your encryption key or passphrase.
6. Testing Your Backup
A backup is only worth doing if it can be restored when you need it most. It is advisable to
periodically test your backup by attempting to restore it. Some backup utilities offer a validation
option for your backups. While this is a welcome feature, it is still a good idea to test your backup
with an actual restore once in a while.
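The compression and restore-testing points above (sections 5 and 6), as an added example that is not part of the original lesson: a Python routine that backs a folder up to a deflate-compressed zip archive together with a SHA-256 manifest of every file, restores the archive to a fresh directory and checks each restored file against the manifest, so that a validation pass reports a missing or silently corrupted file instead of a backup that merely "looks fine". The sample files are constructed in a temporary directory; encryption of the archive is not shown.

```python
"""Compressed backup with a hash manifest and a restore check (added example, not from the lesson)."""
import hashlib
import json
import tempfile
import zipfile
from pathlib import Path

MANIFEST = "MANIFEST.json"


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source):
    """Relative POSIX path -> SHA-256 for every file below `source`."""
    source = Path(source)
    return {p.relative_to(source).as_posix(): sha256_of(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def backup(source, archive):
    """Write every file under `source` into a deflate-compressed zip plus its manifest."""
    manifest = build_manifest(source)
    with zipfile.ZipFile(archive, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for rel in manifest:
            zf.write(Path(source) / rel, arcname=rel)
        zf.writestr(MANIFEST, json.dumps(manifest, indent=1))
    return manifest


def restore(archive, target):
    """Extract only the members listed in the manifest and return the manifest."""
    with zipfile.ZipFile(archive) as zf:
        manifest = json.loads(zf.read(MANIFEST))
        for rel in manifest:
            zf.extract(rel, target)
    return manifest


def verify(manifest, target):
    """Compare each restored file with its recorded hash; return a list of problems."""
    target = Path(target)
    problems = []
    for rel, expected in manifest.items():
        path = target / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(path) != expected:
            problems.append(f"corrupt: {rel}")
    return problems


def demo():
    """Back up constructed sample files, restore, verify, then show that damage is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "src")
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "report.txt").write_text("quarterly figures\n" * 100)   # constructed data
        (src / "notes.txt").write_text("remember to test restores\n")          # constructed data
        archive = Path(tmp, "backup.zip")
        manifest = backup(src, archive)

        clean_target = Path(tmp, "restore1")
        clean = verify(restore(archive, clean_target), clean_target)

        damaged_target = Path(tmp, "restore2")
        manifest2 = restore(archive, damaged_target)
        (damaged_target / "notes.txt").write_text("silently changed\n")   # simulate corruption
        (damaged_target / "docs" / "report.txt").unlink()                 # simulate a lost file
        damaged = verify(manifest2, damaged_target)
        return len(manifest), clean, damaged


if __name__ == "__main__":
    count, clean, damaged = demo()
    print(f"{count} files backed up; clean restore problems: {clean}; damaged restore: {damaged}")
```

The manifest travels inside the archive, so a restore test can be run from the backup alone, months later and on another machine; this is the "actual restore" check the text recommends over a utility's built-in validation option, and it is only as trustworthy as the media and procedure used for the real restore.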
7. Backup Utilities & Services
Simply copying and pasting files and folders to another drive would be considered a backup.
However the aim of a good backup plan is to set it up once and leave it to run on its own. You
would check up on it occasionally but the backup strategy should not depend on your ongoing
interaction for it to continue backing up. A good backup plan would incorporate the use of good
quality, proven backup software utilities and backup services.
Summary
Backup is the activity of copying files or databases so that they will be preserved in case of
equipment failure or other catastrophe.
Data custodians are responsible for providing adequate backups to ensure the recovery of data
and systems in the event of failure. Types of backup include:
Full backup, where all the files and folders selected for the backup are backed up
Incremental backup, a backup of all changes made since the last backup
Differential backups, which fall in the middle between full backups and incremental backups
Mirror backups, which are a mirror of the source being backed up
Full PC backup, which involves backing up entire images of the computer's hard drives
Local backup, any backup where the storage medium is kept close at hand
Offsite backup, where the backup storage medium is kept at a different geographic location
Online backup, an ongoing backup to a storage medium that is always connected to the
source being backed up
Remote backups, which are offsite backups with the difference that you can access, restore or
administer the backups while located at your source location or at another physical location
Cloud backup, where data is backed up to a storage server or facility connected to the
source via the Internet
FTP backup, where the backup is done via the File Transfer Protocol (FTP) over the Internet
to an FTP server
The simplest way to remember how to back up your files safely is to use the 3-2-1 rule: keep 3
copies of any important file (a primary and two backups); keep the files on 2 different media
types (such as hard drive and optical media); and store 1 copy offsite (or at least offline).
Different types of Local Storage Options
External hard drives are hard drives similar to the type installed within a desktop computer
or laptop computer
Solid State Drives (SSD) look and function similar to traditional mechanical/magnetic hard
drives but are built differently
Network Attached Storage (NAS) is simply one or more regular IDE or SATA hard drives
plugged into an array storage enclosure and connected to a network router or hub through
an Ethernet port
USB thumb drives or flash drives are similar to solid state drives except that they are much
smaller in size and capacity
Optical drives (CD/DVD) are ideal for storing a list of songs, movies, media or software
for distribution or for giving to a friend due to the very low cost per disc
Cloud storage is storage space in a commercial data center accessible from any computer
with Internet access
Ask the key questions while planning your backup strategy
What to Backup
Where to Backup to
When to Backup
Backup Types
Compression & Encryption
Testing Your Backup
Backup Utilities & Services
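As an added example (not code from the lesson), the following Python models the backup-type selection and the restore test that the summary describes. It assumes the usual definitions: an incremental backup copies what changed since the last backup of any kind, a differential backup copies what changed since the last full backup, and a mirror also removes destination files that no longer exist at the source; all file records, timestamps and storage copies are constructed.

```python
"""Backup-set selection per backup type, a mirror sync plan, a restore test
and a 3-2-1 rule check. Added example; every record below is constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FileRecord:
    path: str
    mtime: int      # modification time, constructed as a plain integer
    data: bytes


def select_backup_set(files: List[FileRecord], kind: str,
                      last_full: Optional[int], last_any: Optional[int]) -> List[str]:
    """Return the paths a backup of the given kind would copy."""
    if kind in ("full", "mirror"):
        return sorted(f.path for f in files)
    if kind == "incremental":
        reference = last_any        # changes since the last backup of any kind
    elif kind == "differential":
        reference = last_full       # changes since the last full backup
    else:
        raise ValueError(f"unknown backup kind: {kind}")
    if reference is None:
        return sorted(f.path for f in files)   # first run: nothing to compare to
    return sorted(f.path for f in files if f.mtime > reference)


def mirror_sync(files: List[FileRecord],
                destination: Dict[str, bytes]) -> Tuple[List[str], List[str]]:
    """Return (paths to copy, paths to delete) so the destination mirrors the source."""
    source_paths = {f.path for f in files}
    to_copy = sorted(f.path for f in files if destination.get(f.path) != f.data)
    to_delete = sorted(p for p in destination if p not in source_paths)
    return to_copy, to_delete


def verify_restore(files: List[FileRecord],
                   restored: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Restore test: compare SHA-256 digests of restored copies with the source.

    Returns only the categories that have problems; an empty dict means the
    restore is usable. A backup that exists but does not restore correctly
    is exactly the failure this check is meant to surface.
    """
    problems: Dict[str, List[str]] = {"missing": [], "corrupted": []}
    for f in files:
        if f.path not in restored:
            problems["missing"].append(f.path)
        elif hashlib.sha256(restored[f.path]).digest() != hashlib.sha256(f.data).digest():
            problems["corrupted"].append(f.path)
    return {k: v for k, v in problems.items() if v}


def check_3_2_1(copies: List[Tuple[str, str, bool]]) -> Dict[str, bool]:
    """Apply the 3-2-1 rule to every copy of a file, primary listed first.

    Each copy is (media_type, site, online). A backup copy satisfies the '1'
    when it sits at a different site from the primary or is kept offline.
    """
    primary_site = copies[0][1]
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({media for media, _, _ in copies}) >= 2,
        "one_offsite_or_offline": any(site != primary_site or not online
                                      for _, site, online in copies[1:]),
    }


# Constructed sample: last full backup at t=100, last backup of any kind at t=150
SAMPLE_FILES = [
    FileRecord("docs/policy.txt", 90, b"backup policy v1"),
    FileRecord("db/customers.db", 120, b"customer rows"),
    FileRecord("logs/app.log", 170, b"log line 1\nlog line 2\n"),
]
LAST_FULL, LAST_ANY = 100, 150


if __name__ == "__main__":
    for kind in ("full", "incremental", "differential"):
        print(kind, select_backup_set(SAMPLE_FILES, kind, LAST_FULL, LAST_ANY))
    # a restore where one file came back corrupted and one is missing entirely
    restored = {"docs/policy.txt": b"backup policy v1", "db/customers.db": b"customer rws"}
    print("restore problems:", verify_restore(SAMPLE_FILES, restored))
    print(check_3_2_1([("hdd", "office", True), ("hdd", "office", True),
                       ("dvd", "home", False)]))
```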
Practical activities:
Activity 1:
Back up the data available in the institute and evaluate the backup requirements for the
institute. If there isn't a policy for backup, work in a group to develop one and
define all necessary steps for successful implementation.
Activity 2:
Work in a group to prepare a report on the differences between backing up individual data
and backing up security devices and applications. The report should focus on requirements,
challenges, products and means available, advantages and disadvantages, media
used, and other differences.
Activity 3:
Collect information on various products and services for backup available in the
industry and compare the benefits, features and limitations of each. The comparison
should be presented in class.
SSC/N0904:
SSC/N0905:
Unit Code
SSC/ N 0904
Description
This unit is about carrying out specific audit tasks as part of information security
audits.
Scope
endpoints/edge devices
storage devices
servers
software
application hosting
application security
application support
application penetration
application testing
content management
messaging
web security
security of infrastructure
infrastructure devices (e.g. routers, firewall services)
computer assets, servers and storage networks
messaging
intrusion detection/prevention
security incident management
third party security management
personnel security requirements
physical security
risk assessment
business continuity
disaster recovery planning
PC2.
PC3.
PC4.
PC5. carry out required audit tasks using standard tools and following established
procedures/guidelines/checklists
PC6. refer to appropriate people where audit tasks are beyond your levels of knowledge,
skills and competence
PC7. record and document audit tasks and audit results using standard tools and templates
PC8. review results of audit tasks with appropriate people and incorporate their inputs
PC9. comply with your organizations policies, standards, procedures, guidelines and
checklists when contributing to information security audits
Knowledge and Understanding (K)
A. Organizational Context (Knowledge of the company / organization and its processes)
The user/individual on the job needs to know and understand:
KA1. your organizations policies, standards, procedures, guidelines, systems and checklists
for information security testing and auditing and your role in applying these
KA2. scope of work to be carried out and the importance of keeping within these boundaries
KA3. limits of your knowledge, skills and competence and who to seek guidance from
KA4. different types of information/security audits
KA5.
who to involve when carrying out information security audits
KA6.
KA7.
KA8.
how to obtain and use input from others when carrying out information security audit tasks
KA9. the purpose of information security audits and importance of taking part in these
KA10. how to improve the process and outcomes of future audits
KA11. the range of standard tools, templates and checklists available and how to use these
KA12. the role of teams in information security audits
B. Technical Knowledge
KB1. different systems and structures that may need information security audits and how
they operate, including:
servers and storage devices
infrastructure and networks
application hosting and content management
communication routes such as messaging
KB2. features, configuration and specifications of information security systems and devices
and associated processes and architecture
KB3. the importance of auditing and the key principles and rules of conduct that apply when
auditing
KB4. common audit techniques and how to record and report audit tasks
KB5. methods and techniques for testing compliance against your organizations security
criteria, legal and regulatory requirements
Unit Code
SSC/N0905
Unit Title
(Task)
Description
This unit is about supporting functional teams to prepare for and undergo information
security audits carried out by internal or external auditors.
Scope
PC3.
PC4.
PC5.
PC6.
PC7.
PC8.
KA5.
KA6.
KA7.
KA8.
B. Technical
Knowledge
KB2.
KB3.
KB4.
THE UNITS
The module for this NOS is divided into 8 Units based on the learning objectives as given below.
Role of an Auditor
Hiring an Information Security Auditor
Required Skills Sets of an Information Security Auditor
Ethics of an Information Security Auditor
What Makes an Information Security Auditor
Pre-audit tasks
Information Gathering
External Security Audit
Internal Network Security Auditing
Firewall Security Auditing
IDS Security Auditing
UNIT I
LESSON PLAN
Outcomes
To be competent, you must be
able to:
PC1. establish the nature and
scope of information security
audits and your role and
responsibilities in preparing for
them (0904/0905)
You need to know and
understand:
PCs/Tablets/Laptops
Projection facilities
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with WiFi
(Min 2 Mbps Dedicated)
Networking Equipment: Routers & Switches
Firewalls and Access
Points
Access to all security
sites like ISO, PCI DSS,
Center for Internet
Security
Lesson
An information security audit is one of the best ways to determine the security of an organization's
information without incurring the cost and other associated damages of a security incident.
In brief:
Information systems audit is a broader term that includes information security audit
System audit includes operations, network segmentation, server and device management
etc., whereas security audit focuses on security of data and information.
Security Audits
Vulnerability Assessments
Penetration Testing
Penetration testing is a covert operation, in which a security expert tries a number of attacks to
ascertain whether or not a system could withstand the same types of attacks from a malicious
hacker. In penetration testing, the feigned attack can include anything a real attacker might try, such
as social engineering.
Each of the approaches has inherent strengths, and using two or more of them in
conjunction may be the most effective approach of all.
As with any Audit, a risk assessment should be one of the first steps to be completed when
examining a new process. The risk assessment will help determine whether the process warrants
expending a significant amount of audit resources on the project. The scope of the audit depends on
the risk. But even for the high-risk systems, the scope should be limited to testing the critical internal
controls upon which the security of the process depends.
There are a number of key questions that security audits attempt to answer which include but
are not limited to:
Are access control lists (ACLs) in place on network devices to control who has access to
shared data?
Are the audit logs reviewed effectively and how are they reviewed?
Are the security settings for operating systems in accordance with accepted industry
security practices?
How are unnecessary applications and computer services managed? Are they eliminated
in a timely and effective manner for each system?
Are these operating systems and commercial applications patched? How and when did
the patching take place?
How is backup media stored? What is the backup policy and is it followed? Who has
access to the backup media and is it up-to-date?
Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed
the disaster recovery plan? Does it have gaps in its construct?
Are there adequate cryptographic tools in place to govern data encryption, and have
these tools been properly configured?
What security considerations were used while writing custom-built applications, are
these adequate and well documented?
How have these custom applications been tested for security flaws?
How are configuration and code changes documented at every level? How are these
records reviewed and who conducts the review?
The duration of the cross-cutting audit depends on the size as well as the complexity of the
organisation. The size of the organisation is determined by the number of employees and locations.
The selection of the level of complexity of an organisation can only be performed on an
organisation-by-organisation basis according to the following criteria, for example:
What does the system landscape look like (number of systems and level of heterogeneity
of the systems used)?
How many network gateways are there?
Which and how many IT applications are used in the organisation? Are they used to
support critical business processes?
Are higher-level procedures used that may affect realms outside of the organisation?
How high is the protection requirement for the infrastructure, systems, and IT
applications?
Is the organisation active in areas critical to security (for example, is it a security agency)?
The IS Auditing Standards developed and disseminated by the Information Systems Audit
and Control Association (ISACA) are already in circulation and can be consulted for further information.
A good security audit is part of a regular and comprehensive framework of information security.
A good security audit may likely include the following:
Audit team is experienced, independent and objective. Every audit team should consist of at
least two auditors to guarantee the independence and objectivity of the audit (two-person
rule). Their credentials should be verifiable.
There is unrestricted right to obtain and view information.
Important IS audit meetings such as the opening and the closing meetings as well as the
interviews should be conducted as a team. This procedure ensures objectivity,
thoroughness, and impartiality.
No member of the audit team, for reasons of independence and objectivity, should have
participated directly in supporting or managing the areas to be audited, e.g. they must not
have been involved in the development of concepts or the configuration of the IT systems.
It should be ensured that actual operations in the organisation are not significantly
disrupted by the audit when initiating the audit. The auditors never actively intervene in
systems, and therefore should not provide any instructions for making changes to the
objects being audited.
Management responsibility for supporting the conduct of a fair and comprehensive audit.
Appropriate communication and appointment of central point of contact and other support
for the auditors.
The execution is planned and carried out in a phase-wise manner
Functions in an Audit
All audits have common functions that must be performed if they are to be successful. These usually
include:
A. Define the security perimeter: what is being examined?
Determine how intensive the audit is going to be. Are all facets of the organization to be
examined, or is this to be a common security audit based on the IT infrastructure?
Detail how intrusive the audit is. It is important to avoid adversely impacting the production
environment during the audit process; whether this is by equipment downtime or personnel
being taken away from their primary duties to participate in the audit.
Does the corporation have existing methodologies to actively mitigate risk on an ongoing
basis?
Assemble a detailed list of the components within the security perimeter. While this is not
an exhaustive list, these devices often include:
o Computing equipment (main frames, servers, desktops, laptops, terminals).
o Networking equipment (firewalls, routers, and switches, hubs, and UPS devices).
o Communications equipment (PBX, phones, cell/smart phones, PDAs, fax machines).
o Input / Output devices (printers, copiers, scanners, cameras, web-cams, tablets).
o Data storage (databases: sales, customer, employee, other; email, voicemail, files
on server, files in cabinets, customer and employee information, log files).
o Common security items (passwords, access scanners / cards and ID cards, physical
security, data diagrams, daily schedules and employee activity charts).
o Internet exposure (company websites: internet and intranet, collaborative sites,
outbound access availability and restrictions, open ports and other visible devices).
Generate a list of threat vectors based on the scope of the audit, i.e. if physical security is
beyond the scope of the audit, you won't have to check whether the server room is locked.
Examine each type of device on the components list for known vulnerabilities.
D. Delineate the available tools: what documents and tools are in use or need to be created?
Assemble the various documents and datagrams of the systems under audit.
Gather the tools already in use to mitigate risk
o Determine if the existing tools are functional.
o Determine if new tools are needed.
E. Reporting mechanism: how will you show progress and achieve validation in all areas?
Determine what threats existed in the past and determine if those have been mitigated.
Interview members of the institution to determine if any known threats exist.
G. Determine Network Access Control list: who really needs access to this?
Develop a matrix of all personnel that need access to each device on the component chart.
Develop a matrix of all devices that need access to other devices on the component chart.
Each device on the component list should have a minimal set of entry points.
How much privilege is required for each person or system to perform their functions?
I.
Given the list of possible threats, what is the probability that a given threat will materialize?
If a threat were to materialize, how great would its impact be?
Establish the greatest pain points for the company. Determine if the approach is to work on
the big stuff first, or get all of the minor issues out of the way before making any major
changes.
Delineate the mitigation plan: what are the exact steps required to minimize the threats?
Generate a detailed project plan to reach the goal. Include tasking, timelines, costs,
reporting methods and checkpoints: all the components of a successful project plan are
necessary.
Ensure that the organization is in agreement with the plan to mitigate risks.
J. Implement procedures: start making changes.
Begin the mitigation process, using the priority decided upon by the stakeholders.
K. Review results: perform an After Action Review (AAR) on the audit process
Perform a standard AAR on the audit.
o What went well?
o What process needs revision before it will go well?
o What issues are still outstanding at this time?
o Who is responsible for ensuring that outstanding issues will be addressed?
o What is the timeline for issue resolution?
o Who will validate issue resolution?
Risks that are extremely unlikely to happen but that have the potential to cause catastrophic damage
are called Black Swans. These risks are often not cost effective to address, so a formal acceptance
of these risks by management may be the only strategy available. Every audit needs to have
management's participation to be completely successful.
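As an added example (not code from the lesson), the following Python builds the two access matrices called for under function G above and flags the variances an auditor would report: people granted more privilege than their role needs, and devices exposing more entry points than the agreed minimal set. The people, roles, devices, links, privilege ranking and entry-point limit are all constructed assumptions.

```python
"""Access-matrix review: personnel-to-device and device-to-device access,
with excess privilege and over-exposed devices flagged. Added example; all
names, the privilege ranking and the entry-point limit are constructed."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Assumed ordering of privilege levels, lowest to highest
RANK = {"none": 0, "use": 1, "read-write": 2, "admin": 3}

# Constructed: the privilege each role needs on each device to do its job
REQUIRED: Dict[Tuple[str, str], str] = {
    ("dba", "finance-db"): "admin",
    ("app-owner", "finance-db"): "read-write",
    ("helpdesk", "print-server"): "admin",
    ("staff", "print-server"): "use",
}

# Constructed: what is actually granted, as (person, role, device, privilege)
GRANTED: List[Tuple[str, str, str, str]] = [
    ("alice", "dba", "finance-db", "admin"),
    ("bob", "app-owner", "finance-db", "admin"),      # role only needs read-write
    ("carol", "helpdesk", "print-server", "admin"),
    ("carol", "helpdesk", "finance-db", "use"),       # role needs no access here
    ("dave", "staff", "print-server", "use"),
]

# Constructed: device-to-device paths as (source, destination, service)
DEVICE_LINKS: List[Tuple[str, str, str]] = [
    ("web-01", "finance-db", "tcp/5432"),
    ("app-01", "finance-db", "tcp/5432"),
    ("jump-01", "finance-db", "tcp/22"),
    ("any-laptop", "finance-db", "tcp/3389"),
    ("app-01", "print-server", "tcp/9100"),
]


def personnel_matrix(granted) -> Dict[str, Dict[str, str]]:
    """Device -> {person: privilege}: the 'who needs access to this' chart."""
    matrix: Dict[str, Dict[str, str]] = defaultdict(dict)
    for person, _role, device, privilege in granted:
        matrix[device][person] = privilege
    return dict(matrix)


def excess_privilege(granted, required) -> List[Tuple[str, str, str, str]]:
    """Entries where the granted privilege is above what the person's role needs.

    Returns (person, device, granted, required); 'none' means the role needs
    no access to that device at all.
    """
    findings = []
    for person, role, device, privilege in granted:
        needed = required.get((role, device), "none")
        if RANK[privilege] > RANK[needed]:
            findings.append((person, device, privilege, needed))
    return findings


def entry_points(links) -> Dict[str, Set[str]]:
    """Device -> set of services through which other devices can reach it."""
    points: Dict[str, Set[str]] = defaultdict(set)
    for _source, destination, service in links:
        points[destination].add(service)
    return dict(points)


def devices_over_limit(links, limit: int) -> List[str]:
    """Devices exposing more distinct services than the agreed minimal set."""
    return sorted(d for d, s in entry_points(links).items() if len(s) > limit)


if __name__ == "__main__":
    for device, people in personnel_matrix(GRANTED).items():
        print(device, people)
    for finding in excess_privilege(GRANTED, REQUIRED):
        print("excess privilege:", finding)
    print("too many entry points:", devices_over_limit(DEVICE_LINKS, limit=2))
```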
Time constraints
Third party access constraints
Business operations continuity constraints
Scope of audit engagement
Technology tools constraints
Summary
An information security audit is one of the best ways to determine the security of an
organization's information without incurring the cost and other associated damages of a
security incident.
Information systems audit is a large, broad term that encompasses demarcation of
responsibilities, server and equipment management, problem and incident management,
network division, safety, security and privacy assurance etc.
Information security audit is only focused on security of data and information (electronic and
print) when it is in the process of storage and transmission. Both audits have many
overlapping areas.
Security audits are a formal process, carried out by certified auditing professionals to measure
an information system's performance against a list of criteria.
A vulnerability assessment, on the other hand, involves a comprehensive study of an entire
information system, seeking potential security weaknesses, usually carried out by industry
experts who may or may not be certified.
A good security audit may likely include the following:
o Clearly defined objectives
o Coverage is comprehensive and cross-cutting
o Audit team is experienced, independent and objective with verifiable credentials
o There is unrestricted right to obtain and view information.
o Important IS audit meetings such as the opening and the closing meetings as well as
the interviews should be conducted as a team.
o No member of the team should have participated directly in supporting or managing
the areas to be audited
o It should be ensured that actual operations in the organisation are not significantly
disrupted by the audit.
o The auditors never actively intervene in systems or provide change advice.
o Management should support the audit.
o Appropriate communication and appointment of central point of contact and other
support for the auditors.
o The execution is planned and carried out in a phase-wise manner
Constraints of a security audit
o Time constraints
Practical activities:
Activity 1:
List the various vulnerabilities in any organisation and various activities to check those
vulnerabilities.
Activity 2:
Conduct an audit of your surroundings, of things such as cleanliness, safety and security,
hygiene, etc. Share your report in class, detailing the approach and the various aspects of
auditing.
a. Previous security incidents are not important in a security audit; the auditors are only
concerned about what the situation is at the present time of the audit. ( )
b. Information Security Audit is carried out by an audit team which usually has a representative
from the team which has been involved in the development of the IT configuration to be
audited. ( )
c. A key purpose of the Audit team is to correct and modify practices followed in the
organisation while conducting the audit so as to make the system less vulnerable. ( )
d. AAR is another term used for the audit; it stands for After Attack Responsibility. ( )
e. Information Security Audit is carried out as a (formal/informal) process by a
(certified/uncertified) auditing professional.
An IS audit is focused on current data in use (and is also/but is not) concerned with past data
stored in backup media, etc.
h. Passwords are (within/beyond) the purview of the audit.
g.
UNIT II
Security Audit Features
LESSON PLAN
Outcomes
To be competent, you must
be able to:
PC2. identify the
procedures/guidelines/chec
klists for the audit tasks you
are required to carry out
(0904/0905)
PC5. organize
data/information required for
information security audits
using standard templates and
tools (0905)
You need to know and
understand:
KA4./KA9. different types of
information/security audits
(0904/0905)
KA10. different approaches
and ways of working for
internal and external
information security audits
(0905)
and requirements
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with WiFi (Min
2 Mbps Dedicated)
Access to all security sites
like ISO, PCI DSS,
Center for Internet
Security
Security Templates from
ITIL, ISO
Lesson
2.1 Types of Security Audits (As it is)
Broadly, there are two types of Audit, internal and external.
External audits are commonly conducted by independent, certified parties in an objective manner.
They are scoped in advance and ultimately limited to identifying and reporting any implementation and
control gaps based on stated policies and standards such as COBIT (Control Objectives for
Information and related Technology). In the end, the objective is to lead the client to a source of
accepted principles, sometimes correlated to current best practices.
Internal audits are usually conducted by experts linked to the organisation, and they involve a
feedback process where the auditor may not only audit the system but also potentially provide
advice in a limited fashion. They differ from the external audit in allowing the auditor to discuss
mitigation strategies with the owner of the system that is being audited.
There is a large variety of audit types based on the standards followed. Some examples include SSAE 16
audits (Type I or II), audits of ISO 9001, ISO/IEC 17799, ISO/IEC 27001, the ISO 27018 cloud security
standard and audits of industry-specific standards such as HIPAA controls.
Within the broad scope of auditing information security there are multiple types of audits, multiple
objectives for different audits, etc. Audits can be broken down into a number of types, from the
simple analysis of security architecture based on opinion, to a full-blown, end-to-end audit against a
security framework such as ISO27001. Auditing information security covers topics from auditing the
physical security of data centers to auditing the logical security of databases and highlights key
components to look for and different methods for auditing these areas. When centred on the IT
aspects of information security, it can be seen as a part of an information technology audit. It is
often then referred to as an information technology security audit or a computer security audit.
However, information security encompasses much more than IT.
Security Review
Security Assessment
Security assessments utilize professional opinion and expertise, but they also analyse the
output for relevancy and criticality to the organization. The analysis aspect of an
assessment attempts to quantify the risk associated with the items discovered to
determine the extent of the problem. If an organisation has two servers with the same
vulnerability, but one is the financial server and the other operates as a print server, a
security assessment would rank the financial server as a high risk and the print server as a
lower risk based on the severity and damage potential. The biggest differentiator between
an assessment and a review is the depth to which the auditor examines the system and
analyses the results. Examples include: Vulnerability assessment, Risk assessment,
Architecture assessment, Policy assessment
Security Audit
A security audit examines the organization's security posture against an industry standard
(ISO27001 or COBIT) and/or industry regulatory compliance such as HIPAA or PCI. An audit
includes review and assessment; it also conducts a gap analysis against standards to measure
how well the organization complies. Audits take into account people, processes, and
technologies, and compare them to a benchmark in a standardized and repeatable way.
Examples include: Compliance audit, Policy audit, Procedure audit, Risk audit.
Some of the specific audits that can be included in the above categories are:
Penetration Test
Vulnerability Audit
Web Application Security Audit
Mobile Application Security Audit
Audit Overall Concept
IT-Risk Analyses
Audit Access Control / Social Engineering
Architecture, Design and Code Review
Conducting a preliminary review of the client's environment, mission, operations, policies, and
practices. Performing risk assessments of the client environment, data, and technology resources.
Completing research of regulations, industry standards, practices, and issues. Reviewing current
policies, controls, operations, and practices. Holding an Entrance Meeting to review the
engagement memo, to request items from the client, schedule client resources, and to answer
client questions. This will also include laying out the timeline and specific methods to be used for
the various activities.
This stage is to accumulate and verify sufficient, competent, relevant, and useful evidence to
reach a conclusion related to the audit objectives and to support audit findings and
recommendations. During this phase, the auditor will conduct interviews, observe procedures
and practices, perform automated and manual tests, and carry out other tasks. Fieldwork activities may be
performed at the client's worksite(s) or at remote locations, depending on the nature of the
audit.
Analysis
Analyses are performed after documentation of all evidence and data, to arrive at the audit
findings and recommendations. Any inconsistencies or open issues are addressed at this time.
The auditor may remain on-site during this phase to enable prompt resolution of questions and
issues. At the end of this phase, the auditor will hold an Exit Meeting with the client to discuss
findings and recommendations, address client questions, discuss corrective actions, and resolve
any outstanding issues. A first draft of the findings and recommendations may be presented to
the client during the exit meeting.
Reporting
Generally, the Information Security Audit Program will provide a draft audit report after
completing fieldwork and analysis. Based on client response if changes are required to the draft,
the auditor may issue a second draft. Once the client is satisfied that the terms of the audit are
complied with, the final report will be issued with the auditor's findings and recommendations.
Follow-through
Depending on expectations and agreements the auditor will evaluate the effectiveness of the
corrective action taken by the client, and, if necessary, advise the client on alternatives that may
be utilized to achieve desired improvements. In larger, more complex audit situations, follow-up
may be repeated several times as additional changes are initiated. Additional audits may be
performed to ensure adequate implementation of recommendations. The level of risk and
severity of the control weakness or vulnerability dictate the time allowed between the reporting
phase and the follow-up phase. The follow-up phase may require additional documentation for
the audit client.
Audit methods may also be classified according to type of activity. These include three types:
a. Testing: Pen tests and other testing methodologies are used to explore
vulnerabilities. In other words, exercising one or more assessment objects to
compare actual and expected behaviours.
b. Examination and Review: This includes reviewing policies, processes, logs, other
documents, practices, briefings, situation handling, etc. In other words, checking,
inspecting, reviewing, observing, studying, or analysing assessment objects.
c. Interviews and Discussion: This involves group discussions, individual interviews,
etc.
The three methods combine together to form an effective methodology for an overall audit.
Auditing techniques:
There are various auditing techniques in use:
Examination Techniques
Examination techniques are generally conducted manually to evaluate systems, applications, networks, policies, and procedures to discover vulnerabilities. Techniques include:
o Documentation review
o Log review
o Ruleset and system configuration review
o Network sniffing
o File integrity checking
Target Identification and Analysis Techniques
Testing techniques, generally performed using automated tools, used to identify systems, ports, services, and potential vulnerabilities. Techniques include:
o Network discovery
o Network port and service identification
o Vulnerability scanning
o Wireless scanning
o Application security examination
Target Vulnerability Validation Techniques
Testing techniques that corroborate the existence of vulnerabilities; these may be performed manually or with automated tools. Techniques include:
o Password cracking
o Penetration testing
o Social engineering
o Application security testing
Organisations use a combination of these techniques to ensure effectiveness and to meet the objectives of the audit.
All of these frameworks provide a detailed, process-oriented manner in which to conduct a security
test, and each has its particular strengths and weaknesses. Most auditors and penetration testers
use these frameworks as a starting point to create their own testing process, and they find a lot of
value in referencing them.
OSSTMM
The OSSTMM manual highlights the systems approach to security testing by dividing assessment areas into six interconnected modules:
ISSAF
The ISSAF is one of the largest free-assessment methodologies available. Each control test has
detailed instruction for operating testing tools and what results to look for. It is split into two
primary documents. One is focused on the business aspect of security, and the other is designed as
a penetration test framework. The level of detail in its explanation of services, security tools to use, and potential exploits is high and can help both an experienced security auditor and someone getting started in auditing.
NIST 800-115
NIST 800-115, Technical Guide to Information Security Testing, provides guidance and a methodology for reviewing security that the U.S. government's various departments are required to follow. Like all NIST-created documents, 800-115 is free for use in the private sector. It includes templates, techniques, and tools that can be used for assessing many types of systems and scenarios. It is not as detailed as the ISSAF or OSSTMM, but it does provide a repeatable process for conducting security reviews. The document includes guidance on the following:
OWASP
The OWASP testing guide was created to assist web developers and security practitioners to better secure web applications. A proliferation of poorly written and executed web applications has resulted in numerous, easily exploitable vulnerabilities that put the Internet community at risk of malware, identity theft, and other attacks. The OWASP testing guide has become the standard for web application testing and has helped increase the awareness of security issues in web applications through testing and better coding practices.
The OWASP testing methodology is split as follows:
Information gathering
Configuration management
Authentication testing
Session management
Authorization testing
Business logic testing
Data validation testing
Denial of service testing
Web services testing
AJAX testing
The OWASP project also has a subproject called WebGoat that enables one to load a vulnerable website in a controlled environment to test these techniques against a live system.
Whatever the approach to testing security controls, it must be consistent, repeatable, and based on best practices.
Delineate the available tools: what documents and tools are in use or need to be created?
o Assemble the various documents and diagrams of the systems under audit.
o Gather the tools already in use to mitigate risk.
Reporting mechanism: how will you show progress and achieve validation in all areas?
o Determine what the reporting mechanism will be.
Evaluation against the organization's own security policy and security baselines
Regulatory/industry compliance: Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act (GLBA), and Payment Card Industry (PCI)
Evaluation against standards such as NIST 800 or ISO 27002
Governance frameworks such as COBIT or COSO
After you have identified the security audit criteria that the organization needs to comply with, the next phase is to perform assessments to determine how well it achieves its goals. A number of assessments are usually required, and the appropriate ones are chosen by referring back to the scope, which defines the boundaries of the audit. The following are types of assessments that might be performed to test security controls:
This section covered evaluation techniques for auditing security practices within an organization. Many of the security practices used to protect a company are process- and policy-focused. They represent the primary drivers for technology purchases and deployment. Technology can automate many of these processes and policies and needs a different approach to testing effectiveness. The remainder of this chapter covers tools that can be used to test security technologies.
Graybox
Red Team/Blue Team assessment: The terms Red and Blue Team come from the military, where combat teams are tested to determine operational readiness. In the computer world, a Red and Blue Team assessment is like a war game, where the organization being tested is put to the test in as real a scenario as possible. Red Team assessments are intended to show all of the various methods an attacker can use to gain entry. It is the most comprehensive of all security tests. This assessment method tests policy and procedures, detection, incident handling, physical security, security awareness, and other areas that can be exploited. Every vector of attack is fair game in this type of assessment. This is used to simulate attacks and test the ability to develop defences for these attacks. The Red team is designated as the attacker and the Blue team builds the defence mechanisms.
The two teams sharpen an organisation's detection and response capability. This is achieved through sharing of intelligence data, understanding threat actors' TTPs, mimicking these TTPs through a series of scenarios, and configuring, tuning and improving the detection and response capability.
Penetration tests as part of auditing can be conducted in several ways. The most common
difference is the amount of knowledge of the implementation details of the system being tested
that are available to the testers.
Black box testing
This assumes no prior knowledge of the infrastructure to be tested. The testers must first
determine the location and extent of the systems before commencing their analysis.
White box testing
This provides the testers with complete knowledge of the infrastructure to be tested, often
including network diagrams, source code, and IP addressing information.
Grey box testing
These are the several variations in between the white and the black box, where the testers
have partial information.
Penetration tests can also be described as "full disclosure" (white box), "partial disclosure"
(grey box), or "blind" (black box) tests based on the amount of information provided to the
testing party.
3. What orientation or training can you provide them to be comfortable within the
environment?
4. Communicate with your managers and staff in the areas to be audited.
5. If an area was audited before, review the prior report to see the issues raised and recommendations made. Get an update of corrections or changes made as a result of prior audit work and give your staff and the audit department credit.
Audit checklist:
1.
2.
3.
4.
5.
6.
7.
8.
Summary
Broadly, there are two types of Audit, internal and external.
External audits are commonly conducted by independent, certified parties in an objective
manner.
Internal audits usually are conducted by experts linked to the organisation, and involve a feedback process where the auditor may not only audit the system but also potentially provide advice in a limited fashion. They differ from the external audit in allowing the auditor to discuss mitigation strategies with the owner of the system that is being audited.
Within the broad scope of auditing information security there are multiple types of audits,
multiple objectives for different audits, etc. Audits can be broken down into a number of types,
from the simple analysis of security architecture based on opinion, to a full-blown, end-to-end
audit against a security framework such as ISO27001.
A security review is when the security posture of an organization is examined based on
professional experience and opinion. In this type of examination, issues that stand out are
sought as a way to help define the starting point for further activities.
Security assessments utilize professional opinion and expertise, but they also analyse the output
for relevancy and criticality to the organization. The analysis aspect of an assessment attempts
to quantify the risk associated with the items discovered to determine the extent of the
problem.
A security audit examines the organization's security posture against an industry standard (ISO27001 or COBIT) and/or industry regulatory compliance such as HIPAA or PCI. An audit includes review and assessment; it also conducts a gap analysis against standards to measure how well the organization complies.
Auditing techniques include:
o Documentation review
o Log review
o Ruleset and system configuration review
o Network sniffing
o File integrity checking
Four of the most common standard frameworks are as follows:
Open Source Security Testing Methodology Manual (OSSTMM)
Information Systems Security Assessment Framework (ISSAF)
NIST 800-115
Open Web Application Security Project (OWASP)
Red Teaming is a process designed to detect network and system vulnerabilities and test security
by taking an attacker-like approach to system/network/data access. This process is also called
"ethical hacking" since its ultimate purpose is to enhance security. Red Teams are third-party
entities hired to make an impartial assessment of the network or system.
The Blue team's responsibility is to detect, respond to and mitigate the attacks of the offensive Red team. Blue teams need access to log data, SIEM data, threat intelligence data and network traffic capture data. The Blue team needs to be able to analyse vast swathes of data to detect the vulnerability being attacked.
Black box testing: This assumes no prior knowledge of the infrastructure to be tested. The
testers must first determine the location and extent of the systems before commencing their
analysis.
White box testing: This provides the testers with complete knowledge of the infrastructure to be
tested, often including network diagrams, source code, and IP addressing information.
Grey box testing: These are the several variations in between the white and the black box, where
the testers have partial information.
Practical activities:
Activity 1:
Search various Information Security Service Audit Organizations on the internet and prepare
a list of services they offer and the process or methodology followed. Present the same in
class.
Activity 2:
Go through various organizations' websites and understand their security policies and guidelines. Prepare a descriptive write-up on the subject.
Activity 3:
Go through various security benchmarks, research and learn to conduct security audits and
the creation of reports and audit templates. Present in a group the audit approach.
Activity 4:
Go through security benchmarks like ISO 27001, PCI DSS, and Centre for Internet Security
and understand the implications of non-maintenance of such standards.
b) NIST 800-115
c) National Cyber Awareness System (NCAS)
d) Information Systems Security Assessment Framework (ISSAF)
Q. Log review is part of which of the following categories of auditing techniques?
a) Target Vulnerability Validation Techniques
b) Examination review techniques
c) Target Identification and Analysis Techniques
d) Interviews and discussions
Q. Arrange the following audit stages in the order of execution, starting from 1 to 6.
A. ______
B. Follow-through ______
C. ______
D. ______
E. Reporting ______
F. Analysis ______
Q. The test phase is part of which of the following audit stages?
a) Analysis
b) Pre-audit agreement stage
c) Data collection and fieldwork
d) Initiation and planning
Q. List the three types of audit methods classified by type of activity.
1. ____________________________
2. ____________________________
3. ____________________________
UNIT III
LESSON PLAN
Outcomes
To be competent, you must be able to:
PC1. establish the nature and scope of information security audits and your role and responsibilities within them (0904)
PC6. refer to appropriate people where audit tasks are beyond your levels of knowledge, skills and competence (0904)
Performance Measures
1. List and discuss the various skills, knowledge and qualifications of an auditor and a security analyst carrying out audit activities
2. Discuss details of formal qualifications for acquiring these skills and knowledge and the benefits of getting formal qualifications
Ensuring
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with WiFi (Min 2 Mbps Dedicated)
Access to sites like ISACA
Lesson
3.1 Role of an Auditor (As it is)
The role of the auditor is to identify, measure, and report on risk. The auditor is not tasked to
fix the problem, but to give a snapshot in time of the effectiveness of the security program. The
objective of the auditor is to report on security weakness.
Auditors ask the questions, test the controls, and determine whether the security policies are followed in a manner that protects the assets the controls are intended to secure, by measuring the organization's activities against its security best practices.
The auditor is responsible for planning and conducting audits in a manner that is fair and
consistent to the people and processes that are examined.
The auditing charter or engagement letter defines the conduct and responsibilities of an
auditor.
Depending on how a company's auditing program is structured, ultimate accountability for the auditor is usually to senior management or the Board of Directors.
Auditors are usually required to present a report to management about the findings of the
audit and also make recommendations about how to reduce the risk identified.
Inspect and evaluate financial and information systems, management procedures and
security controls
Evaluate the efficiency, effectiveness and compliance of operation processes with corporate
security policies and related government regulations
Weigh the relevancy, accuracy and perspective of conclusions against audit evidence
Collaborate with departments to improve security compliance, manage risk and bolster
effectiveness
Auditing the information asset management process will verify that the critical assets are
being managed in accordance with the IT/IS policies.
The auditor audits the information security and privacy policies and standards. The auditor begins with policies and standards related to access control, data classification and network security. In addition, they focus on other policies and standards such as vendor management, vulnerability management and data leakage prevention.
One of the important roles of audit is to verify that the policies and standards are not just documented but are actually being implemented by users across the enterprise. This verification can be accomplished by performing an audit of the security training and awareness program.
Instead of focusing on the actual access of each user, the auditor focuses on the IAM process and verifies that the IAM process is working as designed. Auditing an automated IAM process ensures the integrity of the process. The audit also focuses on the workflow, which includes the approval hierarchy. Several IAM vendors are starting to provide mechanisms to incorporate segregation of duties (SoD) checks within the workflow. If an organization has incorporated the SoD checks in the workflow, it is important to include this process within its audit scope.
During the audit of policies and standards, the auditor should understand how the policies
and standards are being communicated across the enterprise. Every organization has a
communication method (e-mail, posting on an intranet web page, periodic security
seminars, monthly security awareness training, lunch-n-learns, etc.).
The responsible auditor should determine if logging is enabled in critical systems. Where
logs are enabled, the auditor verifies that there is a process for monitoring. The auditor also
verifies that the process has been assigned to a person and that this person is executing this
process. The focus here is on data leakage prevention (DLP). Besides verifying that the
proper access is granted to each individual, the auditor focuses on how the approved users
are using the data assets. Are data being encrypted properly before they are sent outside of
the organization? Depending on an organization's DLP policy, the SIEM system can
potentially help the auditor determine if the data are being copied on USB drives and leaving
the organization.
identified and relevant risks. Noncompliance should be tracked and managed by executive
management.
The internal auditor should identify how the organization is connected to the outside, and
who on the outside is connected to the organization. There is a total reliance by some
organizations on Statement on Auditing Standards No. 70 (SAS 70) Type II reports for review
of external vendors. While SAS 70 is good, it is not final. The auditor first verifies that there is
a policy in place to address third-party connections. In addition to the SAS 70 report, the
organization should periodically perform its own audit of the vendor to certify that its
policies and security needs are being adequately addressed (the organization may have to
ensure that the vendor contracts allow for this audit). Changes performed by the third-party
vendor on systems affecting the organization should follow the organization's normal
change management process.
Also, the auditor should follow the entire process within the extended enterprise where the
critical data assets reside. For example, an enterprise may do an exceptional job of
protecting critical data assets within the enterprise, but an unencrypted backup tape can fall
off a vendor's truck and expose critical information and put the enterprise at risk. An audit
of the entire process will definitely reduce the risks associated with the extended enterprise.
This extended enterprise may exist globally and could add more complexity to the audit
plans.
The auditor verifies that a business continuity plan exists and is maintained and tested
periodically. The auditor should also make sure that the plan covers all the risks associated
with the business and that it is enough to keep the business in operation in times of
disruption. The IT auditor should understand the difference between business continuity
and disaster recovery and make sure that each is adequately addressed and periodically
tested.
The auditor identifies a catalog of IT initiatives, reviews the business reasons for the project
and identifies the executive sponsor for the project. The auditor obtains and reviews the
management reports from IT to executive management and verifies that sufficient
information is provided to management. The auditor verifies that IT initiatives are
adequately aligned with business objectives.
Management
Technical
Forensic
The first step in hiring a reliable consultant is to define the requirements of the job. Does it
involve the analysis of risk, implementation of security systems, regulatory compliance,
management consulting, training or defence of an inadequate security claim? Only after the
requirements of the job are defined can you select the right type of consultant to complete
the work.
A consultant should be independent and not affiliated with a product or service. If your
consultant is not independent, you should know about his or her relationship with a product
or service line and understand that it may result in a conflict of interest.
The following points have to be borne in mind before hiring an audit company as auditors:
Does the consulting organization offer a comprehensive suite of services, tailored to specific requirements?
Does the consulting organization have a quality certification?
Does the consulting organization have a track record of having handled a similar security consulting assignment?
Do the organization's security professionals hold certifications such as CISSP, CISA, CSM and CIPP?
Does the organization have a sound methodology to follow?
Is the organization a recognized contributor within the security industry in terms of research, publications, etc.?
A good auditor requires the following skills and knowledge in the various areas listed below:
Organization wide security program planning and management
Knowledge of the legislative requirements for an agency security program
Knowledge of the sensitivity of data and the risk management process through risk
assessment and risk mitigation
Knowledge of the risks associated with a deficient security program
Knowledge of the elements of a good security program
Ability to analyse and evaluate an organization's security policies and procedures and
identify their strengths and weaknesses
Access control
Knowledge across platforms of the access paths into computer systems and of the
functions of associated hardware and software providing an access path
Knowledge of access level privileges granted to users and the technology used to provide
and control them
Knowledge of the procedures, tools, and techniques that provide for good physical,
technical, and administrative controls over access
Knowledge of the risks associated with inadequate access controls
Ability to analyse and evaluate an organization's access controls and identify the strengths
and weaknesses
Skills to review security software reports and identify access control weaknesses
Skills to perform penetration testing of the organization's applications and supporting
computer systems
Application software development and change control
Knowledge of the concept of a system life cycle and of the System Development Life Cycle
(SDLC) process
Knowledge of the auditor's role during system development and of federal guidelines for
designing controls into systems during development
Knowledge of the procedures, tools, and techniques that provide control over application
software development and modification
Knowledge of the risks associated with the development and modification of application
software
Ability to analyse and evaluate the organization's methodology and procedures for system
development and modification and identify the strengths and weaknesses
System software
Knowledge of the different types of system software and their functions
Knowledge of the risks associated with system software
Knowledge of the procedures, tools, and techniques that provide control over the
implementation, modification, and use of system software
Ability to analyse and evaluate an organization's system software controls and identify the
strengths and weaknesses
Skills to use software products to review system software integrity
Segregation of duties
Knowledge of the different functions involved with information systems and data processing
and incompatible duties associated with these functions
Knowledge of the risks associated with inadequate segregation of duties
Ability to analyse and evaluate an organization's organizational structure and segregation of
duties and identify the strengths and weaknesses
Service continuity
Knowledge of the procedures, tools, and techniques that provide for service continuity
Knowledge of the risks that exist when measures are not taken to provide for service
continuity
Ability to analyse and evaluate an organization's program and plans for service continuity
and identify the strengths and weaknesses
Application controls
Knowledge about the practices, procedures, and techniques that provide for the
authorization, completeness, and accuracy of application data
Knowledge of typical applications in each business transaction cycle
Ability to analyse and evaluate an organization's application controls and identify the
strengths and weaknesses
Skills to use a generalized audit software package to conduct data analyses and tests of
application data, and to plan, extract, and evaluate data samples
Auditors performing tasks in two of the above areas, access controls (which includes penetration
testing) and system software, require additional specialized technical skills. Such technical
specialists should have skills in one or more of the categories listed below:
Network analyst
Advanced knowledge of network hardware and software
Understanding of data communication protocols
Ability to evaluate the configuration of routers and firewalls
Ability to perform external and internal vulnerability tests with manual and automated tools
Knowledge of the operating systems used by servers
Windows/Novell analyst
Detailed understanding of microcomputer and network architectures
Ability to evaluate the configuration of servers and the major applications hosted on
servers
Ability to perform internal vulnerability tests with manual and automated tools
Unix analyst
Detailed understanding of the primary variants of the Unix architectures
Ability to evaluate the configuration of servers and the major applications hosted on servers
Ability to perform internal vulnerability tests with manual and automated tools
Database analyst
Understanding of the control functions of the major database management systems
Understanding of the control considerations of the typical application designs that use
database systems
Ability to evaluate the configuration of major database software products
Mainframe system software analyst
Detailed understanding of the design and function of the major components of the
operating system
Ability to develop or modify tools necessary to extract and analyse control information from
mainframe computers
Ability to use audit software tools
Ability to analyse modifications to system software components
Mainframe access control analyst
Detailed understanding of auditing access control security software such as ACF2, Top
Secret, and RACF
Ability to analyse mainframe audit log data
Ability to develop or modify tools to extract and analyse access control information
The Information Systems Audit and Control Association (ISACA) sets forth a code governing the professional conduct and ethics of all certified IS auditors and members of the association. Every CISA is expected to be bound to uphold this code. The following points form part of this code:
The auditor agrees to
Support the implementation of, and encourage compliance with, appropriate standards
and procedures for the effective governance and management of enterprise information
systems and technology, including: audit, control, security and risk management.
Perform their duties with objectivity, due diligence and professional care, in accordance
with professional standards.
Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of
conduct and character, and not discrediting their profession or the Association.
Maintain the privacy and confidentiality of information obtained in the course of their
activities unless disclosure is required by legal authority. Such information shall not be
used for personal benefit or released to inappropriate parties.
Maintain competency in their respective fields and agree to undertake only those activities
they can reasonably expect to complete with the necessary skills, knowledge and
competence.
Inform appropriate parties of the results of work performed including the disclosure of all
significant facts known to them that, if not disclosed, may distort the reporting of the
results.
Support the professional education of stakeholders in enhancing their understanding of the
governance and management of enterprise information systems and technology, including:
audit, control, security and risk management.
Failure to comply with this Code of Professional Ethics can result in an investigation into a member's
or certification holder's conduct and, ultimately, in disciplinary measures.
ABOUT CISA
The Certified Information Systems Auditor (CISA) certification is recognized worldwide as proof of
completion of a standardized information systems auditing certification program.
The Information Systems Audit and Control Association (ISACA) is a globally recognized body founded
in 1969. ISACA introduced the CISA examination and certification in 1978 to address industry
requirements.
The CISA designation is awarded to individuals with an interest in information systems auditing,
control and security who meet the following requirements:
It is important to note that many individuals choose to take the CISA exam before meeting the
experience requirements. This is acceptable and encouraged, although the CISA designation is not
awarded until all requirements are met.
ABOUT CISSP
The CISSP (Certified Information Systems Security Professional) is a vendor-neutral certification for
those with proven deep technical and managerial competence, skills, experience and credibility to
design, engineer, implement and manage an overall information security program that protects
organizations from increasingly sophisticated attacks. It is backed by (ISC)², the globally recognized,
not-for-profit organization dedicated to advancing the information security field.
Summary
The role of the auditor is to identify, measure and report on risk. The auditor is not tasked with fixing
the problem, but with giving a snapshot in time of the effectiveness of the security program. The
objective of the auditor is to report on security weaknesses.
Auditors ask the questions, test the controls, and determine whether the security policies are
followed in a manner that protects the assets the controls are intended to secure, by measuring
the organization's activities against security best practices.
The auditor audits the information security and privacy policies and standards.
A good auditor possesses skills in the following areas:
o Organization-wide security program planning and management
o Access control
o Application software development and change control
o System software
o Segregation of duties
o Service continuity
o Application controls
A consultant should be independent and not affiliated with a product or service. If your
consultant is not independent, you should know about his or her relationship with a product or
service line and understand that it may result in a conflict of interest.
Ethics statements are necessary to demonstrate the level of honesty and professionalism
expected of every auditor. Overall, the profession requires them to be honest and fair in all
representations they make. The goal is to build trust with clients.
ISACA has an auditor code of ethics with which auditors should comply.
While the minimum qualification required for an auditor is a bachelor's degree, an auditor can
obtain recognized certifications such as CISA and CISSP to enhance their value.
Practical Activities:
Activity 1:
Identify some of the organisations offering audit services, and list and compare the offerings,
features, benefits and limitations of at least three of these.
Activity 2:
Collect information about the various qualifications for data security auditors and consultants.
Activity 3:
Collect through the internet and various other sources various cases where mishandling
of audits or security audit failures have caused damage to organisations. Present one
such interesting case in class.
UNIT IV
VULNERABILITY ANALYSIS
LESSON PLAN
Outcomes
To be competent, you must be able to:
PC5. carry out required audit tasks using standard tools and following established
procedures/guidelines/checklists (0904)
PC3. identify the requirements of information security audits and prepare for audits in advance (0905)
PC4. liaise with appropriate people to gather data/information required for information security
audits (0905)
You need to know and understand:
KA11. the range of standard tools, templates and checklists available and how to use these (0904)
KB5. common audit techniques and how to record and report audit tasks (0904)
KB6. methods and techniques for testing compliance against your organization's security criteria,
legal and regulatory requirements (0904)
KA12. your organization's knowledge base and how to use this to support information security
audits (0905)
Performance measures and work environment requirements:
o PCs/Tablets/Laptops
o Labs availability (24/7)
o Internet with WiFi (min 2 Mbps dedicated)
o Networking equipment: routers and switches, firewalls and access points
o Commercial tools such as HP WebInspect and IBM AppScan
o Open-source or freely available tools such as sqlmap and Nessus
o Access to security standards sites such as ISO, PCI DSS and the Center for Internet Security
o Security templates from ITIL and ISO
Lesson
Vulnerability analysis, also known as vulnerability assessment, is a process that defines, identifies,
and classifies the security holes (vulnerabilities) in a computer, network, or communications
infrastructure. In addition, vulnerability analysis can forecast the effectiveness of proposed
countermeasures and evaluate their actual effectiveness after they are put into use.
CERT/CC (the federally funded research and development center operated by Carnegie Mellon
University) reports that nearly 99% of all intrusions resulted from exploitation of known vulnerabilities
or configuration errors.
Security misconfigurations can lead an attacker straight into the system and result in a partially or
totally compromised system. Attackers find these misconfigurations through default accounts, unused
web pages, unpatched flaws, unprotected files and directories, and more. If a system is compromised
through faulty security configuration, data can be stolen or modified slowly over time, and recovery
can be time-consuming and costly.
Default installations
Most server applications included in a default installation are solid, thoroughly tested pieces of
software. Having been in use in production environments for many years, their code has been
thoroughly refined and many bugs that have been found are fixed. However, there is no perfect
software and there is always room for further refinement. Moreover, newer software is often not as
rigorously tested because of its recent arrival to production environments or because it may not be as
popular as other server software. Developers and system administrators often find exploitable bugs in
server applications and publish the information on bug tracking and security related websites such as
the Bugtraq mailing list (http://www.securityfocus.com) or the Computer Emergency Response Team
(CERT) website (http://www.cert.org).
Buffer overflows
A buffer overflow occurs when a program or process tries to store more data in a buffer (a temporary
data storage area) than it was intended to hold. Since buffers are created to hold a finite amount of
data, the extra information, which has to go somewhere, overflows into adjacent memory, corrupting or
overwriting the valid data held there. Although it may occur accidentally through programming error,
buffer overflow is also a common type of security attack on data integrity. In a buffer overflow attack,
the extra data may contain code designed to trigger specific actions, in effect sending new instructions
to the attacked computer that could, for example, damage the user's files, change data, or disclose
confidential information.
Unpatched servers
According to Wikipedia, a patch is a piece of software designed to update a computer program or its
supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs (such
patches are usually called bugfixes) and improving usability or performance. Although meant to fix
problems, poorly designed patches can sometimes introduce new problems. Server applications left
unpatched, because developers have not issued a fix or administrators have not applied one, are among
the most exploited vulnerabilities.
Default passwords
Another common error is to leave the default passwords or keys in services that have such
authentication methods built into them. For example, some databases leave default administration
passwords under the assumption that the system administrator will change this immediately upon
configuration. Even an inexperienced cracker can use the widely-known default password to gain
administrative privileges to the database.
STEP 3.
STEP 4. Developing a strategy to deal with the most serious potential problems first
STEP 5. Defining and implementing ways to minimize the consequences if an attack occurs.
The following tasks are involved in conducting a vulnerability assessment:
o Search the web for more postings about the company's vulnerabilities
o Search underground websites for more postings about the company's vulnerabilities
Pre-assessment phase
o Describe the scope of the assessment
o Create proper information protection procedures, such as effective planning, scheduling,
coordination and logistics
o Identify and rank the critical assets
Assessment phase
o Examine the network architecture
o Evaluate the threat environment
o Carry out penetration testing
o Examine and evaluate physical security
o Perform a physical asset analysis
o Observe policies and procedures
o Conduct an impact analysis
o Perform a risk characterization
Locating nodes
Once auditors have identified and verified the vulnerabilities, they must perform an in-depth analysis
of all the assembled data. The goal is to identify systemic causes and then formulate a plan to remedy
each cause. These plans are the basis of the strategic recommendations that they bring before the
business executives. Once the auditors have completed their assessment, the IT department or the
consultants work alongside the executives to fix the problem areas. Once the business has rectified the
vulnerabilities, it can direct its attention to upgrading or transitioning the network.
Tools may also be classified by the data they examine or by where they run, for example network-based
scanners, agent-based scanners, proxy scanners or cluster scanners.
New vulnerabilities are discovered every day and new tools are needed to tackle them; a list of
available tools is given below:
Firewalk
Firewalking is a traceroute-like technique: probes are sent with an IP TTL that expires one hop beyond
the gateway under test, and the ICMP responses (or their absence) reveal which ports the gateway's ACL
lets through. It is used to determine the filter rules in place on a packet-forwarding device and to map
the network behind it.
For more information visit http://www.packetfactory.net/Projects/Firewalk
Summary
Practical Activity:
Activity 1:
Go through the latest threats and breaches in cyberspace to understand the implications of
non-compliance with security standards. List the sources from which such information can be
obtained.
Activity 2:
Search and list various VA tools offered by various organizations and note down their
features, uses, benefits and limitations. Also research reviews of these tools available
online.
Activity 3:
Search for examples of incidents reported for each of the categories of the
vulnerability listed in this unit. Share this with your class.
Types of assessment (by scope):
o Active Assessment: scans the network using a network scanner to find hosts, services and
vulnerabilities.
o Passive Assessment: sniffs the network traffic to find active systems, network services,
applications and vulnerabilities present.
o External Assessment: assesses the network from a hacker's point of view to find out what
exploits and vulnerabilities are available to the outside world.
o Internal Assessment: scans the infrastructure inside the company to find exploits and
vulnerabilities.
o Network Assessment: determines the possible network security attacks that may occur on the
organization's systems.
o Wireless Network Assessment: determines and tracks all the wireless networks prevalent at the
client side.
o Host-based Assessment
o Application Assessment
o Firewall-based Assessment
UNIT V
PENETRATION TESTING
LESSON PLAN
Outcomes
To be competent, you must be able to:
PC5. carry out required audit tasks using standard tools and following established
procedures/guidelines/checklists (0904)
PC3. identify the requirements of information security audits and prepare for audits in advance (0905)
PC4. liaise with appropriate people to gather data/information required for information security
audits (0905)
Performance measures and work environment requirements:
o PCs/Tablets/Laptops
o Labs availability (24/7)
o Internet with WiFi (min 2 Mbps dedicated)
Lesson
A penetration test is the process of actively evaluating a company's information security measures.
The security measures are actively analysed for design weaknesses, technical flaws and vulnerabilities.
The results are delivered comprehensively in a report to executive, management and technical
audiences.
An organization should conduct a risk assessment before the penetration test; it helps to identify the
main threats and the systems most exposed to them, such as:
Public-facing systems: websites, email gateways and remote access platforms.
Testing should be performed on all hardware and software components of a network security
system.
A penetration test is commonly divided into three phases:
o Pre-attack phase
o Attack phase
o Post-attack phase
Pre-attack phase
This process seeks to gather as much information about the target network as possible, following
these seven steps:
STEP 1. Gather initial information
STEP 2. Determine the network range
STEP 3. Identify active machines
STEP 4. Discover open ports and access points
STEP 5. Fingerprint the operating system
STEP 6. Uncover services on ports
STEP 7. Map the network
Attack Phase
The next phase is the attack phase, where, if an attack is successful, the vulnerability is verified and
safeguards are identified to mitigate the associated security exposure. In many cases the exploits that
are executed do not grant the maximum level of potential access to an attacker. They may instead
result in the testers learning more about the targeted network and its potential vulnerabilities, or
induce a change in the state of the targeted network's security.
Some exploits enable testers to escalate their privileges on the system or network to gain access
to additional resources. If this occurs, additional analysis and testing are required to determine the true
level of risk for the network, such as identifying the types of information that can be gleaned, changed,
or removed from the system. In the event an attack on a specific vulnerability proves impossible, the
tester should attempt to exploit another discovered vulnerability.
If testers are able to exploit a vulnerability, they can install more tools on the target system or
network to facilitate the testing process. These tools are used to gain access to additional systems or
resources on the network, and obtain access to information about the network or organization.
Malicious hackers also value reconnaissance as the first step in an effective attack.
The three stages of reconnaissance are:
o Footprinting
o Scanning
o Enumerating
Footprinting
Footprinting is the active blueprinting of the security profile of an organization. It involves gathering
information about your customer's network to create a unique profile of the organization's networks
and systems. It's an important way for an attacker to gain information about an organization
passively, that is, without the organization's knowledge.
Footprinting may also require manual research, such as studying the company's Web page for useful
information, for example:
You can also get more active with footprinting. For example, you can call the organization's help
desk, and by employing social engineering techniques, get them to reveal privileged information.
Scanning
The next four information-gathering steps (identifying active machines, discovering open ports
and access points, fingerprinting the operating system, and uncovering services on ports) are
considered part of the scanning phase. The goal is to discover open ports and applications by
performing external or internal network scanning, pinging machines, determining network ranges
and port scanning individual systems.
Although this is still information-gathering mode, scanning is more active than footprinting, and it
provides a more detailed picture of the customer's operations.
Some common tools used in the scanning phase are:
o Nmap
o Ping
o Traceroute
o SuperScan
o Netcat
o NeoTrace
o Visual Route
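The seven pre-attack steps and the scanning phase they feed are mechanical enough to script. The Python program below is an added example written for this page (it is not code from the original text or from any of the tools listed above): it expands a CIDR block into the in-scope address range (step 2), runs a TCP connect scan to find live hosts and open ports (steps 3 and 4), grabs the banner each open service volunteers (step 6) and assembles one host's entry in the network map (step 7). So that it runs offline, it stands up a constructed banner-speaking service on the loopback interface to play the target; the address block, the OpenSSH banner string and the port list are assumptions chosen for the example.

```python
import ipaddress
import socket
import threading


def start_fake_service(banner: bytes) -> int:
    """Constructed stand-in for a host found during the survey: a TCP service
    on loopback that greets every client with a banner and hangs up."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass                # client already gone (the connect scan)

    threading.Thread(target=serve, daemon=True).start()
    return port


def network_range(cidr: str) -> list:
    """STEP 2: expand the CIDR block learned from WHOIS into the concrete host
    addresses that are in scope (network and broadcast addresses excluded)."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """STEP 3/4: TCP connect scan. A completed three-way handshake means the
    host is up and the port is open; anything else is reported as closed."""
    state = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            state[port] = s.connect_ex((host, port)) == 0
    return state


def grab_banner(host: str, port: int, timeout: float = 0.5) -> str:
    """STEP 6: read whatever the service volunteers on connect. Many services
    (SSH, SMTP, FTP) announce product and version here unprompted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            return s.recv(256).decode("ascii", "replace").strip()
        except socket.timeout:
            return ""               # silent service: needs a protocol-specific probe


def map_host(host: str, ports) -> dict:
    """STEP 7: one host's entry in the network map, open port -> banner."""
    return {p: grab_banner(host, p)
            for p, is_open in connect_scan(host, ports).items() if is_open}


if __name__ == "__main__":
    print(network_range("192.0.2.0/29"))
    port = start_fake_service(b"SSH-2.0-OpenSSH_8.9\r\n")
    print(map_host("127.0.0.1", [port]))
```

A connect scan completes the handshake, so every probe shows up in the target's service logs; Nmap's default SYN scan avoids that but needs raw-socket privileges. A banner is self-reported and can be edited or faked by the administrator, so a version string seen here is a lead for the fingerprinting and service-identification steps, not a confirmed finding.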
Enumerating
In enumeration, a tester tries to identify valid user accounts or poorly-protected resource shares
using active connections to systems and directed queries. The type of information sought by testers
during the enumeration phase can be users and groups, network resources and shares, and
applications.
The techniques used for enumeration include:
Remember that during a penetration test, you'll need to document every step and finding, not only
for the final report, but also to alert the organization immediately to serious vulnerabilities that may
exist. This is also known as the Discovery phase.
Summary
A penetration test is the process of actively evaluating a company's information security
measures. The security measures are actively analysed for design weaknesses, technical flaws and
vulnerabilities. The results are delivered comprehensively in a report to executive, management and
technical audiences.
Testing should be performed on all hardware and software components of a network security
system.
According to one classification, there are three stages in penetration testing:
o Pre-attack phase
o Attack phase
o Post-attack phase
The three stages of reconnaissance are:
o Footprinting
o Scanning
o Enumerating
Types of reconnaissance:
o Active reconnaissance
o Passive reconnaissance
The reconnaissance process seeks to gather as much information about the target network as
possible, following these seven steps:
o Gather initial information
o Determine the network range
o Identify active machines
o Discover open ports and access points
o Fingerprint the operating system
o Uncover services on ports
o Map the network
The next phase is the attack phase, where, if an attack is successful, the vulnerability is verified
and safeguards are identified to mitigate the associated security exposure.
Attack phase activities include: perimeter auditing, web application auditing, wireless auditing,
application security auditing, network security auditing, wireless/remote access auditing,
database auditing, file integrity checking, log management auditing, telephone security, data
leakage auditing and social engineering auditing.
At the conclusion of the test, a report is generally developed to describe identified
vulnerabilities, present a risk rating, and give guidance on how to mitigate the discovered
weaknesses.
Practical Activity:
Activity 1:
Collate data from various sources and list the various types of penetration testing
based on the object of testing. List down steps and considerations for each type of
testing including the various tools that are available in the market for the particular
testing.
Activity 2:
Compare various data security companies and their offerings for penetration testing.
Compare their features, benefits and value propositions, also research reviews of
various clients /independent reviewers of their products and services.
Activity 3:
Study from various sources and discuss in class the legal and ethical concerns of
penetration testing. Also explore the advantages and disadvantages of penetration
testing.
Q. Active blueprinting of the security profile of an organization, involving gathering information about
your customer's network to create a unique profile of the organization's networks and systems is known
as
a) Enumerating
b) Footprinting
c) Scanning
d) Relational Assessment
Q. List at least 5 tools used for web application assessment.
a) ___________________________________
b) ___________________________________
c) ___________________________________
d) ___________________________________
e) ___________________________________
UNIT VI
Information Security Audit Tasks
LESSON PLAN
Outcomes
Performance measures and work environment requirements:
o PCs/Tablets/Laptops
o Labs availability (24/7)
o Internet with WiFi (min 2 Mbps dedicated)
o Networking equipment: routers and switches, firewalls and access points
o Commercial tools such as HP WebInspect and IBM AppScan
o Open-source or freely available tools such as sqlmap and Nessus
During the pre-audit survey, the ISMS auditors identify and ideally make contact with the main
stakeholders in the ISMS, such as the ISMS manager(s), security architects, ISMS developers, ISMS
implementers and other influential figures such as the CIO and CEO, taking the opportunity to
request pertinent documentation that will be reviewed during the audit. The organization
normally nominates one or more audit "escorts", individuals who are responsible for ensuring
that the auditors can move freely about the organization and rapidly find the people,
information etc. necessary to conduct their work, and who act as management liaison points.
The primary output of this phase is an agreed ISMS audit scope, charter, engagement letter or similar.
Contact lists and other preliminary documents are also obtained and the audit files are opened to
contain documentation (audit working papers, evidence, reports etc.) arising from the audit.
The pre-audit questionnaire is used to assist the audit manager in gathering pertinent information prior
to the on-site visit. Information gathered from it is used to formulate additional questions to be
answered during the on-site visit and to assist in determining policy compliance. Additionally, the audit
manager uses the pre-audit questionnaire to prepare information sheets for local auditors, outlining and
summarizing the CSA's audit program and procedures.
5. Application Discovery: Application discovery is an activity oriented to the identification of the
web applications hosted on a web server or application server. This analysis is important because the
applications of interest are often not linked from the main application and must be found by other
means. Discovery analysis can reveal details such as web applications used for administrative purposes.
In addition, it can reveal old versions of files or artefacts such as undeleted, obsolete scripts crafted
during the test/development phase or left behind by maintenance.
6. Analysis of Error Codes: During a penetration test, web applications may divulge information
that is not intended to be seen by an end user. Information such as error codes and messages can
inform the tester about the technologies and products used by the application. In many cases, error
codes can easily be invoked without specialist skills or tools, because of bad exception-handling design
and coding.
Clearly, focusing only on the web application will not be an exhaustive test. It cannot be as
comprehensive as a broader infrastructure analysis, which gathers information the application test
alone cannot.
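Steps 5 and 6 above, as an added example in Python (not part of the original text or of any testing guide). It starts a constructed web site on the loopback interface whose root links only to an about page and a search page, while an administrative console and an obsolete backup file exist unlinked, and whose search endpoint leaks a stack trace on non-numeric input. The crawler records every linked page and flags server errors whose bodies disclose technology (step 6); the forced-browsing check then finds the applications that no link reaches (step 5). The site content, paths, wordlist and leaked strings are all assumptions constructed for the example.

```python
import re
import threading
from html.parser import HTMLParser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urljoin, urlparse
from urllib.request import urlopen

# Constructed target standing in for the customer's web server: only
# /about.html and /search are linked from the root; the admin console and the
# stale backup are linked from nowhere; /search leaks a stack trace on
# non-numeric input (deliberately bad exception handling).
PAGES = {
    "/index.html": b'<a href="/about.html">About</a> <a href="/search?q=x">Search</a>',
    "/about.html": b"<p>Contact ops@example.com</p>",
    "/admin/": b"<h1>Admin console</h1>",
    "/old/backup.php.bak": b"<?php $db_pass = 'hunter2'; ?>",
}
TRACE = (b"Traceback (most recent call last):\n  File \"app.py\", line 42\n"
         b"ValueError: invalid literal\nServer: Werkzeug/2.0 Python/3.9")

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        path = "/index.html" if url.path == "/" else url.path
        if path == "/search":
            q = parse_qs(url.query).get("q", [""])[0]
            if q.isdigit():
                self._reply(200, b"no results")
            else:
                self._reply(500, TRACE)
        elif path in PAGES:
            self._reply(200, PAGES[path])
        else:
            self._reply(404, b"Not Found")

    def _reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the scanner's own output clean

def start_site() -> str:
    srv = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"

class LinkParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href and not href.startswith("mailto:"):
            self.links.append(href)

# Strings that betray the technology stack when they appear in an error page.
LEAK_RE = re.compile(r"Traceback|Exception|Werkzeug/|Python/|Apache/|PHP/|ORA-\d+")

def fetch(url: str):
    """Return (status, body) for any response, including 4xx/5xx."""
    try:
        with urlopen(url, timeout=2) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")

def crawl(base: str, max_pages: int = 50) -> dict:
    """Follow links from the root; record each page's status and every server
    error whose body discloses technology details (step 6)."""
    pages, leaks, queue = {}, {}, [base + "/"]
    while queue and len(pages) < max_pages:
        url = queue.pop(0)
        if url in pages or urlparse(url).netloc != urlparse(base).netloc:
            continue  # already seen, or outside the agreed scope
        status, body = fetch(url)
        pages[url] = status
        if status >= 500 and LEAK_RE.search(body):
            leaks[url] = LEAK_RE.findall(body)
        parser = LinkParser()
        parser.feed(body)
        queue.extend(urljoin(url, h) for h in parser.links)
    return {"pages": pages, "leaks": leaks}

# Hypothetical wordlist; real engagements use lists of thousands of paths.
WORDLIST = ["/admin/", "/old/backup.php.bak", "/phpmyadmin/", "/.git/config"]

def discover(base: str) -> dict:
    """Forced browsing (step 5): request paths no page links to and keep those
    that exist; each hit is an application the crawl could not see."""
    hits = {}
    for path in WORDLIST:
        status, _ = fetch(base + path)
        if status != 404:
            hits[path] = status
    return hits

if __name__ == "__main__":
    site = start_site()
    print(crawl(site))
    print(discover(site))
```

The crawler refuses to leave the host it was pointed at, which is the scope rule the engagement letter will have set. On a real target the wordlist check produces a large volume of requests and 404s, so agree timing with the client, and extend LEAK_RE with the markers of the stack actually in use (a Java trace or an IIS error page reads nothing like the Python one constructed here).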
b. Information Gathering Methodology
Phase One
Network survey: A network survey is an introduction to the system under test. It produces a network
map from which you determine the number of reachable systems to be tested, without exceeding the
legal limits of what you may test. More hosts are usually detected during the testing, and they should
be added to the network map. Results the tester may obtain from network surveying:
- Domain names
- Server names
- IP addresses
- Network map
- ISP/ASP information
- System and service owners
Network surveying can be done using TTL modulation (traceroute) and record route (e.g. ping -R),
although classical 'sniffing' is sometimes just as effective a method.
Phase Two
OS identification (sometimes referred to as TCP/IP stack fingerprinting): the determination of a remote
OS type by comparing variations in the behaviour of OS TCP/IP stack implementations. In other words, it
is the active probing of a system for responses that distinguish its operating system and version level.
Results:
- OS type
- System type
- Internal system network addressing
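The Phase Two comparison, as an added example in Python (not from the original text or from any fingerprinting tool). It classifies hosts from the replies that active probing elicits: it parses constructed tcpdump-style summaries of SYN/ACK packets, infers each host's initial TTL from the well-known starting values (32, 64, 128, 255), which yields both the hop distance and the stack family, and matches initial TTL, window size and DF bit against a small signature table. The capture lines, addresses and signature entries are constructed for this example and illustrative only.

```python
import re

# Constructed `tcpdump -v`-style summaries of replies captured while probing
# three hosts. The last line is a RST, not a SYN/ACK, and must be ignored.
SAMPLE_CAPTURE = [
    "IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto TCP (6), length 60) "
    "203.0.113.10.22 > 198.51.100.7.40001: Flags [S.], seq 1, ack 1, win 29200, options [mss 1460]",
    "IP (tos 0x0, ttl 119, id 12345, offset 0, flags [DF], proto TCP (6), length 52) "
    "203.0.113.20.445 > 198.51.100.7.40002: Flags [S.], seq 1, ack 1, win 8192, options [mss 1460]",
    "IP (tos 0x0, ttl 250, id 0, offset 0, flags [none], proto TCP (6), length 44) "
    "203.0.113.30.23 > 198.51.100.7.40003: Flags [S.], seq 1, ack 1, win 4128, options [mss 536]",
    "IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto TCP (6), length 40) "
    "203.0.113.10.22 > 198.51.100.7.40001: Flags [R.], seq 1, ack 1, win 0, length 0",
]

LINE_RE = re.compile(
    r"ttl (?P<ttl>\d+).*?flags \[(?P<ipflags>[^\]]*)\].*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > .*?"
    r"Flags \[(?P<tcpflags>[^\]]*)\].*?win (?P<win>\d+)"
)

# (initial TTL, SYN/ACK window, DF set, label). Hypothetical, illustrative
# entries; real tools carry hundreds and also weigh TCP option order.
SIGNATURES = [
    (64, 29200, True, "Linux (recent kernel)"),
    (128, 8192, True, "Windows (Vista or later)"),
    (255, 4128, False, "Cisco IOS"),
]

INITIAL_TTLS = (32, 64, 128, 255)

def parse(line: str):
    """Pull the fields the fingerprint needs out of one capture line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "src": m["src"],
        "ttl": int(m["ttl"]),
        "df": "DF" in m["ipflags"],
        "win": int(m["win"]),
        "synack": m["tcpflags"] == "S.",
    }

def initial_ttl(observed: int) -> int:
    """Stacks start at one of a few well-known values and every router
    decrements by one, so the smallest well-known value >= observed is the
    value the host started with."""
    for candidate in INITIAL_TTLS:
        if observed <= candidate:
            return candidate
    return observed

def fingerprint(line: str):
    pkt = parse(line)
    if pkt is None or not pkt["synack"]:
        return None  # only the SYN/ACK carries the stack's default choices
    init = initial_ttl(pkt["ttl"])
    guess = "unknown"
    for sig_ttl, sig_win, sig_df, name in SIGNATURES:
        if (sig_ttl, sig_win, sig_df) == (init, pkt["win"], pkt["df"]):
            guess = name
            break
    return {"host": pkt["src"], "os": guess, "hops": init - pkt["ttl"]}

def fingerprint_capture(lines) -> dict:
    """Map each responding host to its best-guess OS and hop distance."""
    results = {}
    for line in lines:
        fp = fingerprint(line)
        if fp:
            results[fp["host"]] = fp
    return results

if __name__ == "__main__":
    for host, fp in fingerprint_capture(SAMPLE_CAPTURE).items():
        print(host, fp["os"], f"{fp['hops']} hops away")
```

Administrators can change the initial TTL and window defaults, and a load balancer or NAT device in front of the host answers with its own stack, so a mismatch is reported as "unknown" rather than forced to the nearest entry; production tools (Nmap, p0f) add TCP option ordering, IP ID behaviour and many more fields to reduce that ambiguity.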
Phase Three
Port scanning: Port scanning is the invasive probing of system ports at the transport and network
level. It also includes validating whether the system accepts tunnelled, encapsulated or routing
protocols. Which protocols are tested depends on the system type and the services it offers, and it is
not always necessary to test every port on every system; this is left to the discretion of the test team.
Port numbers that are important for testing according to the service are listed with the task; additional
port numbers for scanning should be taken from the Consensus Intrusion Database Project site. Results
the tester may obtain from port scanning:
- List of all open, closed or filtered ports
- IP addresses of live systems
- Internal system network addressing
- List of discovered tunnelled and encapsulated protocols
- List of discovered routing protocols supported
Methods include SYN and FIN scanning and variations thereof, e.g. fragmentation scanning.
182
Phase Four
Service identification: This is the active examination of the application listening behind the service. In certain cases more than one application exists behind a service, where one application is the listener and the others are considered components of the listening application. The results of service identification are:
- Service types
- Service application type and patch level
- Network map
The methods used in service identification are the same as in port scanning. Information gathering can be performed in two ways:
1. The first method is to perform information gathering techniques with a 'one to one' or 'one to many' model; i.e. a tester performs techniques in a linear way against either one target host or a logical grouping of target hosts (e.g. a subnet). This method is used to achieve immediacy of results; it is often optimized for speed and often executed in parallel.
2. The other method is to perform information gathering using a 'many to one' or 'many to many' model. The tester uses multiple hosts to execute information gathering techniques in a random, rate-limited and non-linear way. This method is used to achieve stealth (distributed information gathering).
c. Information Gathering Steps
1. Crawl the website and mirror the pages on your PC
2. Crawl the FTP website and mirror the pages on your PC
3. Look up registered information in the WHOIS database
4. List the products sold by the company
5. List the contact information, email addresses, and telephone numbers
6. List the company's distributors
7. List the company's partners
8. Search the internet, newsgroups, bulletin boards and negative websites for information about the company
9. Search for trade association directories
10. Search for link popularity of the company website
11. Compare the price of the product or service with the competition
12. Find the geographical location
13. Search the internet archive pages about the company
14. Search similar or parallel domain name listings
15. Search job posting sites about the company
16. Browse social network websites
17. Write down key employees
18. Investigate key personnel by searching in Google, look up their resumes and cross-reference the information
19. List employee company and personal email addresses
20. Search for web page posting patterns and revision numbers
21. Inventory the company's external infrastructure and create a topological map of the network
22. Identify the IP addresses of the targets
23. Locate the traffic route that goes to the web servers
24. Locate the TCP and UDP traffic path to the destination
25. Identify the physical location of the target servers
26. Examine the use of IPv6 at the remote location
27. Look up the domain registry for IP information; find IP block information about the target
28. Locate the ISP servicing the client
29. List open and closed ports
30. List suspicious ports that are half open/closed
31. Port scan every port on the target's network
32. Use SYN scan and connect scan on the target and see the response
33. Use XMAS scan, FIN scan and NULL scan on the target and see the response
34. Firewalk on the router's gateway and guess the access-list
35. Examine TCP sequence number prediction
36. Examine the use of standard and non-standard protocols
37. Examine IPID sequence number prediction
38. Examine the system uptime of the target
39. Examine the operating system used for different targets
40. Examine the patches applied to the operating system
easily access another user's machine using well-known exploits, trust relationships and default settings. Most of these attacks require little or no skill, putting the integrity of a network at stake.
Most employees do not need, and should not have, access to each other's machines, administrative functions, network devices and so on. However, because of the flexibility needed for normal operation, internal networks cannot afford maximum security. On the other hand, with no security at all, internal users can be a major threat to many corporate internal networks. A user within the company already has access to many internal resources and does not need to bypass firewalls or other security mechanisms that prevent non-trusted sources, such as Internet users, from accessing the internal network. Poor network security also means that, should an external hacker break into a computer on your network, he/she can then access the rest of the internal network more easily. This would enable a sophisticated attacker to read and possibly leak confidential emails and documents, trash computers (leading to loss of information), and more. Not to mention that they could then use your network and network resources to attack other sites, which, when discovered, will lead back to you and your company, not the hacker.
Most attacks against known exploits could be easily fixed, and therefore stopped, by administrators if they knew about the vulnerability in the first place. During an Internal Network Security Assessment, security experts scan the entire internal local-area and wide-area networks for known vulnerabilities. These scans include all servers, workstations, and network devices.
Steps for Internal Network Security Auditing
Internal Network Review includes:
Examining the internal configuration and setup of the organization's computing resources.
User accounts and password policies and practices
Access privileges and levels
File, directory, event log and registry permissions
Audit logs
Software patch management
Physical network cabling
Backup methodology and disaster recovery plans
Internal testing involves testing computers and devices within the company. The internal penetration testing involves:
Internal testing, which is a critical part of this, includes the following steps:
Capture the communications between the FTP client and FTP server
Continue to compromise every machine in the network and perform the previous steps. Make sure you can undo your actions, based on the pen-test process you have conducted.
Internal Security Auditing Tools
Firewalls can filter packets based on their source and destination addresses and port numbers.
Network filtering: Firewalls can also filter specific types of network traffic. The decision to forward or reject traffic depends on the protocol used, for example HTTP, FTP, or Telnet.
If an attack against an authorized port and service compromises your server, it isn't the firewall that failed but the lack of defence in depth. Of course, the concept of what a firewall is just isn't as clear as it used to be in the days of single-purpose firewalls. We live in a unified threat management world, and today's firewalls perform a great many security tasks. IPS and VPN have been integrated into the firewall line. Unified Threat Management (UTM) devices operate as a combined threat management device, but the foundational elements of the firewall are central to how the device operates.
A firewall may allow all traffic through unless it meets certain criteria, or it may deny all traffic unless it
meets certain criteria. The type of criteria used to determine whether traffic should be allowed through
varies from one type of firewall to another. Firewalls may be concerned with the type of traffic, or with
source or destination addresses and ports. They may also use complex rule bases that analyse the
application data to determine if the traffic should be allowed through.
Types of firewall
Firewalls fall into four broad categories: packet filters, circuit level gateways, application level gateways and stateful multilayer inspection firewalls.
Packet filters
Packet filtering firewalls work at the network level of the OSI model (or the IP layer of TCP/IP). They are usually part of a router. In a packet filtering firewall, each packet is compared to a set of criteria before it is forwarded.
Depending on the packet and the criteria, the firewall can:
Rules can include source and destination IP address, source and destination port number and the protocol used.
The advantage of packet filtering firewalls is their low cost and low impact on network performance. Most routers support packet filtering.
Circuit level gateways
Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP. They monitor TCP handshaking between packets to determine whether a requested session is legitimate. Information passed to a remote computer through a circuit level gateway appears to have originated from the gateway. Circuit level gateways are relatively inexpensive. They have the advantage of hiding information about the private network they protect. Circuit level gateways do not filter individual packets.
Application level gateways
Application level gateways are also called proxies. They can filter packets at the application layer of the OSI model. Incoming or outgoing packets cannot access services for which there is no proxy. In plain terms, an application level gateway that is configured to be a web proxy will not allow any FTP, gopher, Telnet or other traffic through. Because they examine packets at the application layer, they can filter application-specific commands such as HTTP POST and GET.
Stateful multilayer inspection firewalls
Stateful multilayer inspection firewalls combine aspects of the other three types of firewall. They filter packets at the network layer, determine whether session packets are legitimate and evaluate the contents of packets at the application layer. They are expensive and require competent personnel to administer the device.
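The rule matching and default-policy behaviour described above, and the difference a connection table makes, as an added Python example that is not part of the original manual; the rule base, the documentation-range addresses and the packets are constructed samples.

```python
# Packet filter vs stateful inspection, modelled as rule evaluation.
# Added example, not code from the original manual. The rule base, the
# addresses (documentation ranges) and the packets are constructed samples.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str            # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    syn: bool = False     # TCP: True on the connection-opening segment


@dataclass(frozen=True)
class Rule:
    """One line of a rule base; the criteria are the header fields a packet
    filter can see: protocol, source/destination address, destination port."""
    action: str                    # "allow" or "deny"
    proto: Optional[str] = None    # None matches any protocol
    src: Optional[str] = None      # CIDR; None matches any source
    dst: Optional[str] = None      # CIDR; None matches any destination
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None and ip_address(pkt.src_ip) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst_ip) not in ip_network(self.dst):
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


class PacketFilter:
    """Stateless first-match filter: the first matching rule decides; if no
    rule matches, the default policy ("deny" or "allow") applies."""

    def __init__(self, rules, default: str = "deny"):
        self.rules = list(rules)
        self.default = default

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


class StatefulFilter(PacketFilter):
    """The transport-layer part of stateful inspection: a connection table
    passes the replies of an allowed session, and TCP segments that neither
    open a session nor belong to one are dropped."""

    def __init__(self, rules, default: str = "deny"):
        super().__init__(rules, default)
        self.connections: Set[Tuple[str, str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        forward = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if forward in self.connections or reverse in self.connections:
            return "allow"                 # part of an established session
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"                  # mid-stream segment with no session
        verdict = super().decide(pkt)      # new session: consult the rule base
        if verdict == "allow":
            self.connections.add(forward)
        return verdict


# Constructed rule base protecting a public web server at 203.0.113.10.
RULES = [
    Rule("deny", src="198.51.100.0/24"),                              # blocked range
    Rule("allow", proto="tcp", dst="203.0.113.10/32", dst_port=80),
    Rule("allow", proto="tcp", dst="203.0.113.10/32", dst_port=443),
]

# Constructed packets, in the order they arrive at the firewall.
SCENARIOS = {
    "client opens web session": Packet("192.0.2.7", "203.0.113.10", "tcp", 40000, 80, syn=True),
    "server reply to client": Packet("203.0.113.10", "192.0.2.7", "tcp", 80, 40000),
    "blocked range to web": Packet("198.51.100.5", "203.0.113.10", "tcp", 5555, 80, syn=True),
    "ack without session": Packet("192.0.2.9", "203.0.113.10", "tcp", 5556, 80),
    "ssh to web server": Packet("192.0.2.7", "203.0.113.10", "tcp", 40001, 22, syn=True),
}


def run_scenarios(default: str = "deny"):
    """Return {scenario: (stateless verdict, stateful verdict)}."""
    stateless = PacketFilter(RULES, default)
    stateful = StatefulFilter(RULES, default)
    return {name: (stateless.decide(p), stateful.decide(p))
            for name, p in SCENARIOS.items()}
```

The stateless filter needs an extra rule to pass the server's reply and lets a non-SYN segment through whenever an allow rule matches it; the stateful filter passes the reply from its connection table and drops the sessionless segment.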
Review Firewall Design
Assessing firewall design requires that the auditor understand the various ways in which a firewall can
be deployed. There are many factors that cause an organization to choose one design over another,
and technical requirements sometimes are shaped by politics and budget as well. The firewall is a
policy enforcement tool that should be placed at key network zone boundaries. It is ultimately up to
the business to determine its tolerance for risk and deploy the countermeasures that make sense. The
following examples illustrate common firewall designs that an auditor might find.
Simple Firewall
The simple firewall design is common for small or branch networks and involves a firewall or router
(configured as a firewall) between the Internet and the internal network. NAT is typically used, and
providing Internet access is the primary function of the firewall. There might be port forwarding
configured to internal servers for e-mail delivery or limited web hosting. These designs typically
suffer from minimal layered security, but are by far the least expensive deployment method to
connect a very small remote office or mobile worker situation.
Screening Router and Firewall
A screening router provides frontline defence at the network edge. Not only does this router act as a basic firewall, but it can also perform services such as routing, NetFlow collection, quality of service, and anti-spoofing. The point of a screening router is to provide defence in depth and another place where access rules can be applied.
Firewall with DMZ
A better design for an organization that hosts its own websites, e-mail, or other Internet facing
services is the firewall with DMZ design. This design provides segmentation of Internet-facing
services to their own dedicated subnet where policies and access control can be better enforced.
Typically the firewall provides NAT services to the web applications, and also conducts application
layer inspection to enforce RFC compliance and application use policies. Layering in an IPS via an
SSM module inside the firewall or through a dedicated appliance can give full IPS protection for all
traffic passing through the device.
Firewall with DMZ and Services Network
As the criticality of web services increases, a single DMZ can sometimes become crowded with
applications and services. The more applications, the more complicated the access rules can
become, and before long policies become difficult to implement on a single DMZ. Creating service
networks on separate firewall interfaces addresses this, by grouping like services together to
simplify policy enforcement. Web servers can go into the DMZ, and internal servers can go into the
services network. The amount of configuration starts to increase as the number of interfaces
increases, but the capability to be able to create more effective policies is vastly improved.
High Availability Firewall
High availability firewall designs are common in organizations that rely on the Internet as both a
source of revenue and an important mechanism for reaching customers. For these types of
organizations, downtime can create significant monetary loss, so the expense of a redundant
architecture is well worth it. Another high availability option is active/active where both firewalls
enforce policy and pass traffic at the same time, and in the event of a failure of one device all
traffic flows through the single remaining firewall. The benefits of active/active over active/standby
are that both firewalls are being utilized and can support higher data rates than a single firewall.
The downside to active/active is that both firewalls must be able to support their own traffic loads in addition to the other firewall's if one fails, or the organization must be able to accept.
Firewall testing
The steps involved in firewall penetration testing include:
Test firewall-specific vulnerabilities
After the testing, the following is documented:
Firewall logs
Tools output
The analysis
Recommendations (if any)
Firewall Auditing Tools: HTTPORT, HTTHOST, Firewall Test Agent, Hping3, Netfilter, fragroute, IP Filter, Ftester, Fwanalog, Fpipe, Firewall Builder, Port Test/Firewall Tester, VisualRoute, datapipe, firewalking.
A network intrusion detection system (NIDS) is a system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by monitoring network traffic.
A host-based IDS monitors individual hosts on the network for malicious activity; for example, Cisco Security Agent. Host-based systems are more accurate than network-based IDS because they analyse the server's log files and not just network traffic patterns. The host monitors the system and reports its activities to a centralized server. They are expensive and resource intensive.
An application-based IDS is like a host-based IDS designed to monitor a specific application (similar to antivirus software designed specifically to monitor your mail server). An application-based IDS is extremely accurate in detecting malicious activity for the applications it protects.
Multi-Layer Intrusion Detection Systems
mIDS integrates many layers of IDS technologies into a single monitoring and analysis engine. It aggregates integrity monitoring software logs, system logs, IDS logs, and firewall logs into a single monitoring and analysis source.
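As an added Python example of the NIDS port-scan detection described above (not code from the original manual), the following flags a source that touches many distinct ports on one host within a short window; the log line format and the records in SAMPLE_LOG are constructed.

```python
# NIDS-style port-scan detection over connection log lines.
# Added example, not from the original manual. The log format and the lines in
# SAMPLE_LOG are constructed; real sensor logs (firewall, NetFlow) differ in layout.
from collections import defaultdict, deque
from datetime import datetime

# Constructed records: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto> <verdict>"
SAMPLE_LOG = """\
2024-03-01T10:00:00 192.0.2.7 -> 203.0.113.10:443 tcp allowed
2024-03-01T10:00:01 198.51.100.5 -> 203.0.113.10:21 tcp denied
2024-03-01T10:00:01 198.51.100.5 -> 203.0.113.10:22 tcp denied
2024-03-01T10:00:01 198.51.100.5 -> 203.0.113.10:23 tcp denied
2024-03-01T10:00:02 198.51.100.5 -> 203.0.113.10:25 tcp denied
2024-03-01T10:00:02 198.51.100.5 -> 203.0.113.10:80 tcp allowed
2024-03-01T10:00:02 198.51.100.5 -> 203.0.113.10:110 tcp denied
2024-03-01T10:00:03 198.51.100.5 -> 203.0.113.10:143 tcp denied
2024-03-01T10:00:03 198.51.100.5 -> 203.0.113.10:443 tcp allowed
2024-03-01T10:00:03 198.51.100.5 -> 203.0.113.10:3306 tcp denied
2024-03-01T10:00:04 198.51.100.5 -> 203.0.113.10:8080 tcp denied
2024-03-01T10:00:05 192.0.2.7 -> 203.0.113.10:80 tcp allowed
2024-03-01T10:30:00 192.0.2.8 -> 203.0.113.10:22 tcp denied
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, src, _arrow, dst, proto, verdict = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst_ip,
            "port": int(dst_port), "proto": proto, "verdict": verdict}


def detect_port_scans(lines, window_seconds: int = 60, port_threshold: int = 8) -> list:
    """Flag a (source, destination) pair once it has touched port_threshold
    distinct destination ports within a sliding window of window_seconds.
    One alert per pair; the alert carries the ports seen and how many of
    those connection attempts the firewall had already denied."""
    recent = defaultdict(deque)      # (src, dst) -> deque of (ts, port, verdict)
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        key = (rec["src"], rec["dst"])
        window = recent[key]
        window.append((rec["ts"], rec["port"], rec["verdict"]))
        # drop entries older than the window, relative to the newest record
        while (rec["ts"] - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        ports = {port for _, port, _ in window}
        if len(ports) >= port_threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "src": rec["src"], "dst": rec["dst"], "ports": sorted(ports),
                "denied": sum(1 for _, _, v in window if v == "denied"),
                "first_seen": window[0][0], "last_seen": rec["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG.strip().splitlines()):
        print(f"port scan: {alert['src']} -> {alert['dst']} "
              f"ports={alert['ports']} denied={alert['denied']}")
```

Tuning the window and threshold trades false positives (a busy legitimate client) against slow scans that spread probes beyond the window.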
Benefits:
DoS attacks.
MAC spoofing.
RF interference.
Isolates an attacker's physical location.
Identifies non-encrypted traffic.
IDS Security Auditing Steps
IDS Informer
Firewall Informer
Traffic IQ Professional
OSSEC HIDS
Evasion tools:
EVADE IDS
Evasion Gateway
Attempt social engineering techniques using phone, vishing, telephone, email, traditional mail, in person, dumpster diving, insider accomplice, shoulder surfing, desktop information, extortion and blackmail, websites, theft and phishing attacks, satellite imagery and building blueprints, details of an employee from social network sites, telephone monitoring devices to capture conversations, video recording tools to capture images, vehicle/asset tracking systems to monitor motor vehicles, and identifying disgruntled employees and engaging in conversation to extract sensitive information
Document everything including approach, response, information sought and retrieved
Summary
Pre audit tasks: During this phase, the auditors determine the main area(s) of focus for the audit and any areas that are explicitly out of scope, based normally on an initial risk-based assessment plus discussion with those who commissioned the audit.
An External Intrusion Audit and Analysis identifies strengths and weaknesses of a client system and network as they appear from outside the client's security perimeter, usually from the internet.
Internal testing involves testing computers and devices within the company. It is more like white-box testing. What if an employee of the company penetrates the network with the IT knowledge he has? What if a hacker breaks in to the internal network that houses employees' PCs and databases and steals sensitive information?
Internal testing involves testing computers and devices within the company. The internal penetration testing involves:
o Performing port scanning on individual machines and establishing null sessions.
o Attempting replay attacks, ARP poisoning, MAC flooding.
o Conducting man-in-the-middle attacks and trying to log in to a console machine.
o Attempting to plant keyloggers, Trojans, and rootkits on the target machine.
o Attempting to send a virus using the target machine.
o Hiding sensitive data and hacking tools on the target machine.
o Escalating user privileges.
Firewall auditing includes testing the firewall after establishing the types of firewall and their configuration in the company.
Firewalls fall into four broad categories:
o Packet filters
o Circuit level gateways
o Application level gateways
o Stateful multilayer inspection firewalls
There are 2 types of IDS:
o Host-based: A host-based IDS uses system log files and other electronic audit data to identify suspicious activity.
o Network-based: A network-based IDS uses a sensor to monitor packets on the network to which it is attached.
mIDS integrates many layers of IDS technologies into a single monitoring and analysis engine. It aggregates integrity monitoring software logs, system logs, IDS logs, and firewall logs into a single monitoring and analysis source.
A WIDS monitors and evaluates user and system activities, identifies known attacks, determines abnormal network activity, and detects policy violations for WLANs.
Other audits in penetration testing include Social Engineering and Web Application testing.
Practical Activities:
Activity 1:
Gather as much information about the training institute as you can, noting the various sources of that information, without crossing the boundaries of the law. Share it in class and debate the security considerations for each type of information being out there and the authorised or unauthorised sources of information.
Activity 2:
Make a list of the precautions, security measures and legal options your institute has to enhance the security of its information assets.
Activity 3:
Study and deliberate on the varying needs, concerns, limitations and challenges of internal and external information security audits.
Q. Write a short
NOTES:
UNIT VII
LESSON PLAN
Outcomes
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with WiFi
(Min 2 Mbps Dedicated)
Access to all security
sites like ISO, PCI DSS,
Center for Internet
Security
Lesson
The goal of the auditor's report is to show the organization that the team honestly wants to improve the company's security posture; this is to be borne in mind when writing the report.
The documentation report should contain the final results and recommendations to rectify any problems found during the penetration testing process.
The document report includes:
Summary of the test execution
Scope of the project
Result analysis
Recommendations
Appendices
After documentation, submit the document to the client, get their signature on it and keep a copy of the report.
The summary should provide a short, high-level overview of the test. It should contain the client's name, the testing firm, the date of the test, and so on; information about the targeted systems and applications; and end-user test results. Examine all exploits performed. The summary should include details of discovered vulnerabilities.
The scope of the project should include the IP address ranges that were tested and mentioned in the contract, and whether Trojans and backdoor software applications are permitted or not.
The results analysed should include:
Domain name and IP address of the host
TCP and UDP ports
Description of the service
Details of the test performed
Vulnerability analysis
If one simply runs a handful of tools and provides a report, the company will never want to see you again. Recommendations for their security are very important for the report to be accepted by the customer.
Appendices should include:
Contact information
Screen shots
Log output
Executive report - Generate reports for the various hosts, users, and vulnerabilities that were identified, targeted, and exploited during the test process.
Host report - Generate a detailed report on the various hosts that were tested.
Payment Card Industry (PCI) report - Display the results of the vulnerability tests required by the Payment Card Industry (PCI) Data Security Standard (where applicable).
Client-side penetration testing should include the following reports:
Client-side penetration report - Provide a report for the client-side test that includes the email template sent, the exploit launched, the test result, and details about the compromised systems.
User report - Provide information about which links were clicked, when the links were clicked, and who clicked them. Display a summarized report on all the users who were identified and targeted during the testing process.
Web application penetration testing should include the following reports:
A detailed report on every vulnerability found during the testing process.
A summarized report of every vulnerable web page found during the penetration testing process.
Writing the final report does not have to be the responsibility of one person. In many cases, multiple
team members will contribute to the actual writing of the final report. Assigning the writing
responsibility is usually according to the abilities of individual team members and the scope they
covered.
Divide the report into sections as follows:
Management summary
Technical summary
Findings are security issues that the team uncovered during the penetration testing. Findings are
categorized as:
High
Medium
Low
High criticality findings: Loss could result in the unauthorized release of information that could have a significant impact on the organization's mission or financial assets, or result in loss of life.
Medium criticality findings: Loss could result in the unauthorized release of information that could have an impact on the organization's mission or financial assets, or result in harm to an individual.
Low criticality findings: Loss could result in the unauthorized release of information that could have some degree of impact on the organization's mission or financial assets, or result in harm to an individual.
Focus on high priority security concerns first. Develop strategies to achieve short term and long term
security postures. Decide on required and available resources to maintain a consistent level of
information security.
Organizations should develop an action plan to:
Create or use configuration checklists available from the product vendors and security organizations such as NIST and NSA.
Improve the level of control for purchased software by checking for updates and patches from the vendors.
Create guidelines for best practices to be followed based on the recommendations of the pen test report.
Password Policy
Encryption Policy
A title page: this will indicate the report name, the agency or department it is for, and the date on which the report was published.
A table of contents: seems obvious, but these documents can get lengthy; include this as a courtesy.
An executive summary: This will be a high-level summary of the results, what was found and what the bottom line is. The sections of the executive summary will include:
o Organization synopsis
o Purpose for the evaluation
o System description
o Summary of evaluation
o Major findings and recommendations
o Conclusion
An introduction: A simple statement of your qualifications, the purpose of the audit and what was in scope.
Findings: This section will contain your findings and will list the vulnerabilities or issues that should be remediated. This listing should be ordered by criticality level, which is hopefully defined by internal policies (i.e. if your vulnerability scanner finds a high-criticality vulnerability, then based on how that vulnerability applies in your environment it may not be a true high, so internal policies should assist in defining the criticality levels).
Methodologies: Here you will discuss the tools used, how false positives were ruled out, and what processes completed this audit. This is to provide consistency and allow your audits to be repeatable in the event a finding is disputed or deemed not worth fixing by management.
Conclusion: A basic conclusion summarizing the information you have already put together.
Summary
The goal of the auditor's report is to show the organization that the team honestly wants to improve the company's security posture; this is to be borne in mind when writing the report.
The document report includes:
o Summary of the test execution
o Scope of the project
o Result analysis
o Recommendations
o Appendixes
The results analysed should include:
o Domain name and IP address of the host.
o TCP and UDP ports.
o Description of the service.
o Details of the test performed.
o Vulnerability analysis.
Appendices should include:
o Contact information
o Screen shots
o Log output
Divide the report into sections as follows:
o Network test reports
o Client side test reports
o Web application test reports
Findings are categorized as:
o High
o Medium
o Low
Organizations should develop an action plan as a result of the audit.
The report should help in creating and strengthening information security policies.
Practical Activities:
Activity 1:
Collate various audit report templates and sources which provide guidance on audit
reports. These should be compared and the considerations and requirements for their
preparation should be discussed in class.
NOTES:
UNIT VIII
Audit Support Activities
LESSON PLAN
Outcomes
1. Research and list down the various aspects of support
2. Discuss with the class the challenges and need for support anticipated in carrying out audit activities.
3. Discuss implications of these challenges and actions taken to address them for overall audit.
You must know and understand:
KA1. your organization's
1. Research and list down the various policies/documents that provide information around
PCs/Tablets/Laptops
Labs availability (24/7)
Internet with WiFi
(Min 2 Mbps Dedicated)
Lesson
Assisting the auditors
Security Analyst: A security analyst may be assigned responsibilities to carry out activities supporting the audit team, or to independently carry out a set of security auditing activities. It is important for the security analyst to clarify and understand their scope of responsibilities and to work within these limits. If they are not clear about any aspect of their limits of authority or scope of responsibilities, they should speak to their supervisor and clarify it. It always helps to get written clarifications, to eliminate the scope for confusion later on.
Auditors need organizational support, such as having access to certain data or staff. The security analyst often assists and supports the information security audit. This support often includes actions such as obtaining access to copies of policies or system configuration data. These expectations should be clarified or directed by seniors to the security analyst and the auditors. The security analyst should also get clear information about the units whose systems will be audited, and would communicate the same to co-workers and other users in the organization to ensure a smooth audit with the least disruption. For this purpose, business and IT unit managers of the audited systems should be involved early in the process. This will ensure there are no disputes and delays regarding the auditors' access to areas and information.
The various responsibilities of the Security Analyst in supporting the auditors can include the following:
Assisting with Security Policy
As stated, a security audit is essentially an assessment of how effectively the organization's security
policy is being implemented. Of course, this assumes that the organization has a security policy in place
which, unfortunately, is not always the case. A Security Analyst will support the auditors in getting the
necessary information by getting them access to policies and procedures documents or explaining the
processes where such documents are not available.
Facilitating access
Natural tensions frequently exist between workplace culture and security policy. Even with the best of intentions, employees often choose convenience over security. Sometimes teams and individuals need to be spoken to, and auditors need help in gaining access to the facilities required for auditing. This may also be the case with getting time with individuals for auditing.
Pre-Audit Homework
Before the computer security auditors even begin an organizational audit, there's a fair amount of
homework that should be done. Auditors need to know what they're auditing. In addition to reviewing
the results of any previous audits that may have been conducted, there are several tools they may
use or refer to beforehand. The first is a site survey. This is a technical description of the system's hosts. It
also includes management and user demographics. This information may be out of date, but it can still
provide a general framework. Security questionnaires may be used to follow up the site survey.
These questionnaires are, by nature, subjective measurements, but they are useful because they
provide a framework of agreed-upon security practices. The respondents are usually asked to rate the
controls used to govern access to IT assets. These controls include:
management controls, authentication/access controls, physical security, outsider access to systems,
system administration controls and procedures, connections to external networks, remote access,
incident response, and contingency planning.
A security analyst may be called upon to assist in conducting site surveys and administering security
questionnaires. Accompanying communication may be required to obtain the specific responses that
particular requirements call for.
Auditors review previous security incidents at the client organization to gain an idea of historical weak
points in the organization's security profile. Organizational staff may need to support the auditors in
examining current conditions to ensure that repeat incidents cannot occur. If auditors are asked
to examine a system that allows Internet connections, they may also want to know about IDS/firewall
log trends. Do these logs show any trends in attempts to exploit weaknesses? A security analyst may be
called upon to provide such support to auditors.
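To make "IDS/firewall log trends" concrete, the following is an added example (not part of this course material or any firewall vendor's tooling) of the kind of summary a security analyst could prepare for the auditors: it parses a handful of constructed firewall log lines in a generic "timestamp ACTION src= dst= proto= dport=" format, counts denied connections per day, per destination port and per source, and flags sources that keep being denied across several days. The log lines, the addresses (RFC 5737 documentation ranges) and the line format are all assumptions made for the example; a real deployment would adapt the regular expression to the firewall's actual log format.

```python
# Added example: summarize denied-connection trends in firewall logs.
# The log lines below are constructed for this example and mimic a generic
# "timestamp ACTION src= dst= proto= dport=" format; they are not real
# output from any specific firewall product.
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
2024-03-01 02:14:07 DENY src=203.0.113.10 dst=192.0.2.5 proto=tcp dport=22
2024-03-01 02:14:09 DENY src=203.0.113.10 dst=192.0.2.5 proto=tcp dport=22
2024-03-01 09:30:11 ALLOW src=198.51.100.7 dst=192.0.2.5 proto=tcp dport=443
2024-03-02 03:01:40 DENY src=203.0.113.10 dst=192.0.2.5 proto=tcp dport=22
2024-03-02 03:02:02 DENY src=203.0.113.22 dst=192.0.2.5 proto=tcp dport=3389
2024-03-02 11:45:19 ALLOW src=198.51.100.7 dst=192.0.2.5 proto=tcp dport=443
2024-03-03 01:10:55 DENY src=203.0.113.10 dst=192.0.2.5 proto=tcp dport=22
2024-03-03 01:11:01 DENY src=203.0.113.10 dst=192.0.2.5 proto=tcp dport=22
2024-03-03 01:11:05 DENY src=203.0.113.10 dst=192.0.2.5 proto=tcp dport=22
2024-03-03 04:20:00 DENY src=203.0.113.22 dst=192.0.2.5 proto=tcp dport=3389
garbage line that does not match the expected format
"""

# Assumed line format; adapt this pattern to the real firewall's log syntax.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (?P<action>ALLOW|DENY) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_log(text: str) -> Tuple[List[dict], int]:
    """Parse log text into event dicts; return (events, number_of_skipped_lines).

    Malformed lines are skipped rather than aborting the report, but they are
    counted so the analyst knows the parse was incomplete.
    """
    events, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        ev = m.groupdict()
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events, skipped


def denies_per_day(events: List[dict]) -> Dict[str, int]:
    """Count DENY events per calendar day, ordered by date."""
    counts = Counter(ev["date"] for ev in events if ev["action"] == "DENY")
    return dict(sorted(counts.items()))


def top_denied_ports(events: List[dict], n: int = 5) -> List[Tuple[int, int]]:
    """Most frequently denied destination ports, as (port, count) pairs."""
    return Counter(ev["dport"] for ev in events if ev["action"] == "DENY").most_common(n)


def top_denied_sources(events: List[dict], n: int = 5) -> List[Tuple[str, int]]:
    """Source addresses with the most denied connections, as (src, count) pairs."""
    return Counter(ev["src"] for ev in events if ev["action"] == "DENY").most_common(n)


def persistent_sources(events: List[dict], min_days: int = 2) -> List[Tuple[str, int]]:
    """Sources denied on at least `min_days` distinct days, most persistent first.

    Repeated probing spread across days is the kind of trend an auditor asks
    about, as opposed to a one-off burst of noise.
    """
    days = defaultdict(set)
    for ev in events:
        if ev["action"] == "DENY":
            days[ev["src"]].add(ev["date"])
    result = [(src, len(d)) for src, d in days.items() if len(d) >= min_days]
    return sorted(result, key=lambda x: (-x[1], x[0]))


def trend_label(per_day: Dict[str, int]) -> str:
    """Crude direction of the daily DENY count: last day compared with first day."""
    if len(per_day) < 2:
        return "insufficient data"
    values = list(per_day.values())
    if values[-1] > values[0]:
        return "rising"
    if values[-1] < values[0]:
        return "falling"
    return "flat"


def build_report(text: str) -> dict:
    """Assemble the figures an analyst would hand to the auditors."""
    events, skipped = parse_log(text)
    per_day = denies_per_day(events)
    return {
        "events": len(events),
        "skipped_lines": skipped,
        "denies_per_day": per_day,
        "trend": trend_label(per_day),
        "top_ports": top_denied_ports(events, 3),
        "top_sources": top_denied_sources(events, 3),
        "persistent_sources": persistent_sources(events),
    }


if __name__ == "__main__":
    for key, value in build_report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the report shows denies rising from two per day to four, almost all of them against port 22 from a single source that appears on all three days. That is the shape of evidence the auditors are after: a persistent pattern rather than a raw count, presented together with the number of lines the parser could not read so the auditors can judge how complete the picture is.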
The auditors develop an audit plan. This plan will cover how the audit will be executed, with which
personnel, and using what tools. They will then discuss the plan with the requesting agency. Next they
discuss the objective of the audit with site personnel along with some of the logistical details, such as
the time of the audit, which site staff may be involved and how the audit will affect daily operations.
The security analyst may be called upon to coordinate and smooth the audit execution.
At the Audit Site
When the auditors arrive at the site, their aim is not to adversely affect business transactions during
the audit. They should conduct an entry briefing where they again outline the scope of the audit and
what they are going to accomplish. Any questions that site management may have should be addressed
and last minute requests considered within the framework of the original audit proposal. This
communication may be further passed on with the help of the security analyst.
During the audit, they will collect data about the physical security of computer assets and perform
interviews of site staff. They may perform network vulnerability assessments, operating system and
application security assessments, access controls assessment, and other evaluations. Throughout this
process, the auditors should follow their checklists, but also keep eyes open for unexpected problems.
Here they get their noses off the checklist and start to sniff the air. They should look beyond any
preconceived notions or expectations of what they should find and see what is actually there. In this
case the security analyst may be of immense help providing the auditors with background information
and facilitating ad-hoc activities that may not be registered in the original plan.
Conduct Outgoing Briefing
After the audit is complete, the auditors will conduct an outgoing briefing, ensuring that management
is aware of any problems that need immediate correction. Questions from management are answered
in a general manner so as not to create a false impression of the audit's outcome. It should be stressed
that the auditors may not be in a position to provide definitive answers at this point in time. Any final
answers will be provided following the final analysis of the audit results. The security analyst may be
the conduit for channeling the information and supporting interim measures for strengthening security.
Back in the Office
Once back in the home office, the auditors will begin to comb their checklists and analyze data
discovered through vulnerability assessment tools. There should be an initial meeting to help focus the
outcome of the audit results. During this meeting, the auditors can identify problem areas and possible
solutions. They may require some pending information or call for information to fill in some gaps. This
may be provided by the Security Analyst.
Post-recommendation stage
Finally, the audit staff should prepare the report as speedily as accuracy allows so that the site staff can
correct the problems discovered during the audit. Depending on company policy, auditors should be
ready to guide the audited site staff (Security Analysts) in correcting deficiencies and help them
measure the success of these efforts. Management should continue to track the deficiencies that are
turned up by the audit until they are completely corrected.
The Ongoing Audit
It must be kept in mind that as organizations evolve, their security structures will change as well. With
this in mind, the computer security audit is not a one-time task, but a continual effort to improve data
protection.
Security analysts learn with each audit and testing activity and can carry on evaluating the strength
of the organization's security policy and its implementation. The analyst makes ongoing efforts to help
refine the policy and correct deficiencies that are discovered through the audit process. Whereas tools
are an important part of the audit process, the audit is less about the use of the latest and greatest
vulnerability assessment tool, and more about the use of organized, consistent, accurate data
collection and analysis to produce findings that can be measurably corrected. This is where the security
analyst continues to contribute.
Summary
A security analyst may be assigned responsibilities to carry out activities supporting the audit
team or independently carrying out a set of security auditing activities.
It is important for the security analyst to clarify and understand their scope of responsibilities
and work within these limits.
In case they are not clear about any aspect of their limits of authority, or scope of
responsibilities, they should speak to their supervisor and clarify the same.
Auditors need organizational support, such as having access to certain data or staff. The
Security analyst often assists and supports the information audit.
This support often includes actions such as obtaining access to copies of policies or system
configuration data. These expectations should be clarified or directed by seniors to the
security analyst and the auditors.
The responsibilities of the Security Analyst in supporting the auditors can include the following:
o The Security Analyst will support the auditors in getting the necessary information by giving
them access to policies and procedures.
o Helping auditors in gaining access to the facilities required for auditing. The same applies to
arranging time with individuals for auditing.
o A security analyst may be called upon to assist in conducting site surveys and administering
security questionnaires. Accompanying communication may be required to obtain the
specific responses that particular requirements call for.
o Auditors on site need help in site management.
o The security analyst may be of immense help providing the auditors with background
information and facilitating ad-hoc activities that may not be registered in the original plan.
o Security analysts learn with each audit and testing activity and can carry on evaluating
the strength of the organization's security policy and its implementation. The analyst makes
ongoing efforts to help refine the policy and correct deficiencies that are discovered through
the audit process.