
Donald Hester October 21, 2010 For audio call Toll Free 1 - 888-886-3951 and use PIN/code 158313.


1 Donald Hester October 21, 2010 For audio call Toll Free 1 - 888-886-3951 and use PIN/code 158313

2 Housekeeping
• Maximize your CCC Confer window.
• Phone audio will be in presenter-only mode.
• Ask questions and make comments using the chat window.

3 Adjusting Audio
1) If you're listening on your computer, adjust your volume using the speaker slider.
2) If you're listening over the phone, click on phone headset. Do not listen on both computer and phone.

4 Saving Files & Open/close Captions
1. Save chat window with floppy disc icon
2. Open/close captioning window with CC icon

5 Emoticons and Polling
1) Raise hand and Emoticons
2) Polling options

6 Donald Hester

7 Donald E. Hester
CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+
Director, Maze & Associates
University of San Francisco / San Diego City College / Los Positas College
www.LearnSecurity.org
http://www.linkedin.com/in/donaldehester
http://www.facebook.com/group.php?gid=245570977486
Email: DonaldH@MazeAssociates.com

8
• Organizations are becoming increasingly dependent on technology and the Internet
• The loss of technology or the Internet would bring operations to a halt
• The need for security increases as our dependence on technology increases
• Management wants to have assurance that technology has the attention it deserves

9
• Does our current security posture address what we are trying to protect?
• Do we know what we need to protect?
• Where can we improve?
• Where do we start?
• Are we compliant with laws, rules, contracts and organizational policies?
• What are your risks?

10
• Provide Assurance
• Demonstrate due diligence
• Make risk based decisions

11
• Assessment
• Audit
• Review
• ST&E = Security Test & Evaluation
• Testing
• Evaluation

12
• Planning
• Information Gathering
• Business Process Assessment
• Technology Assessment
• Risk Analysis & Reporting

13
• Vulnerability Assessment
• Penetration Test
• Application Assessment
• Code Review
• Standard Audit/Review
• Compliance Assessment/Audit
• Configuration Audit
• Wireless Assessment
• Physical/Environmental Assessment
• Policy Assessment

14
• What will be the scope of the assessment?
  - Network (Pen Test, Vul Scan, wireless)
  - Application (Code or Vul scan)
  - Process (business or automated)
• How critical is the system you are assessing?
  - High, medium – use independent assessor
  - Low – self assessment

15
• Computer Assisted Audit Techniques or Computer Aided Audit Tools (CAATS)
• Computer Assisted Audit Tools and Techniques (CAATTs)
  - SQL queries
  - Scanners
  - Excel programs
  - Live CDs
  - Checklists

16
• AuditNet www.auditnet.org
• ISACA & IIA Member Resources
• DoD Checklists iase.disa.mil/stigs/checklist/
• NIST Special Publications csrc.nist.gov/publications/PubsSPs.html

17
• BackTrack
• Knoppix Security Tool Distribution
• F.I.R.E.
• Helix

18
• Documentation Review
• Log Review
• Ruleset Review
• System Configuration Review
• Network Sniffing
• File Integrity Checking

19
• Network Discovery
• Network Port and Service Identification
  - OS fingerprinting
• Vulnerability Scanning
• Wireless Scanning
  - Passive Wireless Scanning
  - Active Wireless Scanning
  - Wireless Device Location Tracking (Site Survey)
  - Bluetooth Scanning
  - Infrared Scanning

20
• Password Cracking
  - Transmission / Storage
• Penetration Testing
  - Automated / Manual
• Social Engineering
  - Phishing

21
• Microsoft Security Assessment Tool (MSAT)

22 Governance, Risk, Compliance
Dashboards, Metrics, Checklists, Reporting, Trend Analysis, Remediation

23
• Black Box Testing: Assessor starts with no knowledge
• White Box Testing: Assessor starts with knowledge of the system, i.e. the code
• Grey Box Testing: Assessor has some knowledge, not completely blind

24 Input / Data Entry, Data Collection, Database / Storage, Output / Reports
Verification, Match

25
• Code Review
  - Automated/Manual
• Vulnerability scanning
• Configuration review
• Verification testing
  - Authentication
  - Information leakage
  - Input/output Manipulation

26
• Native Audit (Provided by DB)
• SIEM & Log Management
• Database Activity Monitoring
• Database Audit Platforms
  - Remote journaling & analytics
• Compliance testing
• Performance

27
• Configuration
• Verification testing
• Log and Alert review

28

29
• Electromagnetic Radiation
• Emissions Security (EMSEC)
• Van Eck phreaking
• Tempest
• Tempest surveillance prevention
• Faraday Cage

30
• Assessment on the use of resources
• Power Management
• Virtualization Assessment

31
• Plan Testing, Training, and Exercises (TT&E)
• Tabletop Exercises
  - Checklist Assessment
  - Walk Through
• Functional Exercises
  - Remote Recovery
  - Full Interruption Test

32
• Vulnerability: Weakness in an information system, or in system security procedures, internal controls, or implementation, that could be exploited or triggered by a threat source.
• Vulnerability Scanning: A technique used to identify hosts/host attributes and associated vulnerabilities. (Technical)
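The core of the vulnerability scanning defined on slide 32 is a matching step: the host attributes gathered during discovery (which product at which version on which host) are compared against advisory data that says which version ranges are affected. The script below is an added illustration of that matching logic, not code from the presentation or from any scanner it mentions; the advisory identifiers (EXAMPLE-0001 and so on), product names (acme-httpd, acme-ssh, acme-db), version ranges and host inventory are all constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass


def parse_version(version):
    """Turn a dotted numeric version such as '2.2.14' into a comparable tuple.

    Only numeric components are understood; a suffix like 'p1' is dropped,
    which is one reason version-only matching needs human verification.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


@dataclass(frozen=True)
class Advisory:
    vuln_id: str         # constructed identifier, not a real CVE or OSVDB entry
    product: str
    first_affected: str  # lowest affected version (inclusive)
    fixed_in: str        # first version that is no longer affected
    severity: str


def is_affected(version, advisory):
    """True when first_affected <= version < fixed_in."""
    v = parse_version(version)
    return (parse_version(advisory.first_affected) <= v
            < parse_version(advisory.fixed_in))


# Constructed advisory data standing in for a feed such as NVD or OSVDB.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "acme-httpd", "2.0.0", "2.2.15", "critical"),
    Advisory("EXAMPLE-0002", "acme-ssh", "5.0", "5.4", "high"),
    Advisory("EXAMPLE-0003", "acme-db", "9.0", "9.1", "medium"),
]

# Constructed (host, product, version) inventory, as discovery would produce.
INVENTORY = [
    ("10.0.0.5", "acme-httpd", "2.2.14"),
    ("10.0.0.5", "acme-ssh", "5.3"),
    ("10.0.0.9", "acme-httpd", "2.2.16"),
    ("10.0.0.9", "acme-db", "9.1.2"),
    ("10.0.0.12", "acme-db", "9.0.7"),
]


def scan(inventory, advisories):
    """Match each inventoried service against every advisory for its product."""
    findings = []
    for host, product, version in inventory:
        for adv in advisories:
            if adv.product == product and is_affected(version, adv):
                findings.append({
                    "host": host, "product": product, "version": version,
                    "vuln_id": adv.vuln_id, "severity": adv.severity,
                })
    return findings


def summarize(findings):
    """Count findings per severity, the figure a report headline is built from."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    results = scan(INVENTORY, ADVISORIES)
    for f in results:
        print(f"{f['host']:<10} {f['product']:<12} {f['version']:<8} "
              f"{f['vuln_id']} ({f['severity']})")
    print(summarize(results))
```

Version-range matching is cheap but produces false positives wherever a vendor backports a fix without changing the version string, and false negatives wherever the inventory is incomplete; that is why scanner output is treated as a lead for verification testing rather than as a final finding.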

33
• Microsoft Baseline Security Analyzer 2.2

34 Sample from Qualys

35 Where is the best place to scan from?
External scan found 2 critical vulnerabilities
Internal scan found 15 critical vulnerabilities

36 Source: http://www.gartner.com/technology/media-products/reprints/rapid7/173772.html

37 Penetration Testers / Incident Responders: Mimic real-world attacks, Unannounced
Observers and Referees

38 Penetration Testers / Incident Responders: Mimic real-world attacks, Announced

39

40 Sample from CoreImpact

41
• Open Source Vulnerability DB http://osvdb.org/
• National Vulnerability Database http://nvd.nist.gov/
• Common Vulnerabilities and Exposures http://cve.mitre.org/
• Exploit Database http://www.exploit-db.com/

42
• Posture Review
• Access Control Testing
• Perimeter review
• Monitoring review
• Alarm Response review
• Location review (Business Continuity)
• Environmental review (AC / UPS)

43 Knowledge, Skill, Ability

44
• Priority Certifications
  - Certified Information Systems Auditor (CISA)*
  - GIAC Systems and Network Auditor (GSNA)
• Secondary Certifications
  - Vendor Neutral: CISSP, Security+, GIAC, CISM, etc…
  - Vendor Specific: Microsoft, Cisco, etc…
*GAO 65% of audit staff to be CISA

45
• At the discretion of the organization
• Legal Review
  - Reviewing the assessment plan
  - Providing indemnity or limitation of liability clauses (Insurance)
  - Particularly for tests that are intrusive
  - Nondisclosure agreements
  - Privacy concerns

46
• Mitigation Recommendations
  - Technical, Managerial or Operational
• Reporting
  - Draft and Final Reports
• Remediation / Mitigation
  - It is not enough to find problems; you need a process to fix them

47
• Information Systems Audit and Control Association (ISACA)
• American Institute of Certified Public Accountants (AICPA)
• Institute of Internal Auditors (IIA)
• SANS
• National State Auditors Association (NSAA)
• U.S. Government Accountability Office (GAO)

48
• Gartner Report on Vulnerability Assessment Tools
• Twenty Critical Controls for Effective Cyber Defense

49 Donald E. Hester
CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+
Director, Maze & Associates
University of San Francisco / San Diego City College / Los Positas College
www.LearnSecurity.org
http://www.linkedin.com/in/donaldehester
http://www.facebook.com/group.php?gid=245570977486
Email: DonaldH@MazeAssociates.com

50 Evaluation Survey Link: Help us improve our seminars by filling out a short online evaluation survey at: http://www.surveymonkey.com/s/IT-SecurityAssessments

51 Thanks for attending For upcoming events and links to recently archived seminars, check the @ONE Web site at: http://onefortraining.org/

