Presentation is loading. Please wait.

Presentation is loading. Please wait.

I NDULGENC E There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company.

Similar presentations


Presentation on theme: "I NDULGENC E There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company."— Presentation transcript:

1 I NDULGENC E There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company.

2 How to Audit Vulnerability Scans Doug Landoll CEO, Assero Security LLC dlandoll@asserosecurity.com (512) 633-8405 http://twitter.com/douglandoll www.douglandoll.com ISACA Phoenix Chapter Monthly Meeting - January

3 Agenda Background – Security Risk Management & Assessments – Assessments as a process – Security risk management – Types of assessments Anatomy of a Vulnerability Scan – Vulnerability Scan Objective, Scope, and Execution Vulnerability Scan phases How to Audit Vulnerability Scan (by phase) Checklist

4 Security Assessment as Process Time Changing Threats and Environment Increase Risk Over Time New exploits New system functions New regulations Staff turnover Security Improvements Lower Risk Security awareness training Security policy development Operating system hardening Security patches Anti-virus updates Incident handling Low High Risk

5 Security Risk Management Risk Assessment threats / likelihood vulnerabilities / exploitation assets / impact risk / countermeasures Risk Assessment threats / likelihood vulnerabilities / exploitation assets / impact risk / countermeasures Test & Review scanning audit of controls Test & Review scanning audit of controls Operational Security patches incident handling training Operational Security patches incident handling training Risk Mitigation safeguard implementation additional controls Risk Mitigation safeguard implementation additional controls

6 Types of Assessments TermDefinitionPurpose Gap AssessmentA review of security controls against a standard. To provide a list of controls required to become compliant. Compliance Audit Verification that all required security controls are in place. To attest to an organization’s compliance with a standard. Security AuditA verification that specified security controls are in place. To attest to an organization’s adherence to industry standards. Penetration Testing A methodical and planned attack on a system’s security controls. To test the adequacy of security controls in place. Vulnerability Scanning An element of penetration testing that searches for obvious vulnerabilities. To test for the existence of obvious vulnerabilities in the system’s security controls.

7 Types of Assessments Illustrated Standard, Regulation Controls Assessments Action List Attestation Gap Assessment Required Compliance Audit Covered Effectiveness Scoped Security Risk Assessment Risk & Recommendations Security Audit Selected

8 Anatomy of a Vulnerability Scan Pre-Inspection Define Scope Define Objective Define Project Define Team Footprint Document IP ownership Public Information Search DNS Retrieval Discovery Open ports OS fingerprint Enumeration General exploits open access, password guessing Specific exploits Sendmail, DNS, SQL Vulnerability Assessment False positive removal Severity rating Remediation advice Report Generation Introduction Findings & Recommendations Appendices

9 What controls were covered by the assessment? Pre-Inspection: Scope Control Areas: – IP addresses (complete, internal/external) – Web applications – Remote access – VOIP, Telephones – Wireless Boundaries – Physical boundary – Logical boundary – Outsourced functions – External interfaces – Relevant systems Rigor – Defined – Adequate What were the boundaries of the assessment? To what level of rigor was the assessment performed?

10 Scope: Physical Boundaries

11 Scope: Logical Boundaries External Interfaces

12 Scope: Level of Rigor Low – Limited review, inspections, and tests. Moderate – Substantial examination, inspections, and extended tests. High – Comprehensive analysis, inspections, and extended depth and scope of test Document and communicate level of rigor through the adoption of a standard approach (e.g., NIST SP 800-53A, RIIOT, etc.)

13 Scope: Implications Meeting scan objective Scan caveats Objective analysis of the effectiveness of current security controls that protect an organization’s assets. If assessor believes the scope of the assessment is limited and may not meet the stated objective, the report should clearly indicate this.

14 Scoping: Limitations Reasonable limitations – Common controls assessed elsewhere Obtain report to ensure – Control limitations – sponsor does not control other area Clearly indicate scope of assessment Unreasonable limitations – Sever restrictions on rigor, methods, interfaces, time, budget. Clearly state limitations in report Is it an adequate vulnerability scan?

15 Pre-Inspection: Objective Objective Statement – Defined – Frequency – Driver Restrictions – Reasonableness – Acceptance Permissions – Granted – DOS inclusion – Data modification inclusion What restrictions were placed on the assessment? Were appropriate permissions granted? Is the objective of the assessment clearly stated?

16 Pre-Inspection: Team Independence – Claimed? – Adequate? Expertise – Security expertise Credentials (CISSP) – Audit expertise Credentials (CISA) – Regulation / Business expertise (knowledge) Was the team performing the assessment independent and qualified?

17 Team: Objectivity Who should perform the Vulnerability Scan? – Objectivity vs. independence – Budget and other factors affecting the decision

18 Footprint Audit Points Pre-Inspection Define Scope Define Objective Define Team Footprint Document IP ownership Public Information Search DNS Retrieval Discovery Open ports OS fingerprint Enumeration General exploits open access, password guessing Specific exploits Sendmail, DNS, SQL Vulnerability Assessment False positive removal Severity rating Remediation advice Report Generation Introduction Findings & Recommendations Appendices

19 Footprint: IP Ownership Did the assessment cover all the IP addressed identified by the system owner? Did the assessment team independently verify the ownership of the IP addresses? Were any of the identified IP addresses owned by a third party (i.e., hosting company), if so did the assessment team obtain permission? Did the report clearly identify IP addresses not covered by the assessment (for example email server not covered for continuity reasons)?

20 Discovery Audit Points Pre-Inspection Define Scope Define Objective Define Team Footprint Document IP ownership Public Information Search DNS Retrieval Discovery Open ports OS fingerprint Enumeration General exploits open access, password guessing Specific exploits Sendmail, DNS, SQL Vulnerability Assessment False positive removal Severity rating Remediation advice Report Generation Introduction Findings & Recommendations Appendices

21 Discovery: Discover Interfaces Were interfaces within the boundary and scope completely discovered? – Did the assessor discover any additional interfaces? – Did the assessment cover multiple protocols to the same IP address? (ports?) – Did the assessment include: VPN, IPS Web servers, application servers, custom apps DNS, mail servers

22 Discovery: Discover Information Did the assessment team perform adequate analysis to discover information? – Public information (e.g. google hack) – Internal information (FTP, file shares) – Operating systems fingerprinted

23 Discovery: Complete Discover Did the assessment team ensure complete discovery? – Load balancers – Virtual host (recent scan) – Wireless access points

24 Enumeration Audit Points Pre-Inspection Define Scope Define Objective Define Team Footprint Document IP ownership Public Information Search DNS Retrieval Discovery Open ports OS fingerprint Enumeration General exploits open access, password guessing Specific exploits Sendmail, DNS, SQL Vulnerability Assessment False positive removal Severity rating Remediation advice Report Generation Introduction Findings & Recommendations Appendices

25 Enumeration: Determine Exploits General exploits – Open access – no passwords – Password guessing and cracking Specific exploits – Sendmail, DNS, SQL Did the assessment team adequately determine exploits?

26 Vulnerability Assessment Audit Points Pre-Inspection Define Scope Define Objective Define Team Footprint Document IP ownership Public Information Search DNS Retrieval Discovery Open ports OS fingerprint Enumeration General exploits open access, password guessing Specific exploits Sendmail, DNS, SQL Vulnerability Assessment False positive removal Severity rating Remediation advice Report Generation Introduction Findings & Recommendations Appendices

27 Vulnerability Assessment: Determine Impact Did the team have a process for identifying and removing false positives? Did the report utilize a ranking process for found vulnerabilities? Was the security service (confidentiality, integrity, availability) affected indicated for each vulnerability? Was there a re-test? Was the final scan free of “high” level vulnerabilities?

28 Report Audit Points Report Generation Introduction Findings & Recommendations Appendices Pre-Inspection Define Scope Define Objective Define Team Footprint Document IP ownership Public Information Search DNS Retrieval Discovery Open ports OS fingerprint Enumeration General exploits open access, password guessing Specific exploits Sendmail, DNS, SQL Vulnerability Assessment False positive removal Severity rating Remediation advice

29 Report: Introduction Dates – Report date. Recent? – Assessment date. Consistent? Method – Described adequately? – Meets rigor objective? – Meets compliance needs? Findings & Remediation – Each vulnerability Described Patch guidance Rated (impact) Ranked (order) Organized – Rigorous enough to meet goals? – Persistent findings? Is the assessment recent and relevant? Were the findings detailed, useful, and accurate? Was the method used appropriate?

30 Report: Appendices Start and Stop Times – Match assessment date? – Adequate length? Findings – Match main report and summaries? Remediation – Match findings? Do the start and stop times match the report? Are the findings consistent? Is there a remediation for each finding?

31 Checklist See Handout


Download ppt "I NDULGENC E There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company."

Similar presentations


Ads by Google