Presentation is loading. Please wait.

Presentation is loading. Please wait.

INDULGENCE There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company.

Published byCuthbert May Modified over 6 years ago

Similar presentations

Presentation on theme: "INDULGENCE There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company."— Presentation transcript:

1 INDULGENCE There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company.

2 How to Audit Vulnerability Scans
Doug Landoll CEO, Assero Security LLC (512) ISACA Phoenix Chapter Monthly Meeting - January

3 Agenda Background – Security Risk Management & Assessments
Assessments as a process Security risk management Types of assessments Anatomy of a Vulnerability Scan Vulnerability Scan Objective, Scope, and Execution Vulnerability Scan phases How to Audit Vulnerability Scan (by phase) Checklist

4 Security Assessment as Process
Risk Security Improvements Lower Risk Security awareness training Security policy development Operating system hardening Security patches Anti-virus updates Incident handling High Changing Threats and Environment Increase Risk Over Time New exploits New system functions New regulations Staff turnover Low Time

5 Security Risk Management
Risk Assessment threats / likelihood vulnerabilities / exploitation assets / impact risk / countermeasures Test & Review scanning audit of controls Operational Security patches incident handling training Risk Mitigation safeguard implementation additional controls

6 Types of Assessments Term Definition Purpose Gap Assessment
A review of security controls against a standard. To provide a list of controls required to become compliant. Compliance Audit Verification that all required security controls are in place. To attest to an organization’s compliance with a standard. Security Audit A verification that specified security controls are in place. To attest to an organization’s adherence to industry standards. Penetration Testing A methodical and planned attack on a system’s security controls. To test the adequacy of security controls in place. Vulnerability Scanning An element of penetration testing that searches for obvious vulnerabilities. To test for the existence of obvious vulnerabilities in the system’s security controls.

7 Types of Assessments Illustrated
Standard, Regulation Gap Assessment Required Compliance Audit Covered Action List Security Audit Selected Scoped Security Risk Assessment Attestation Controls Effectiveness Risk & Recommendations

8 Anatomy of a Vulnerability Scan
Pre-Inspection Define Scope Define Objective Define Project Define Team Enumeration General exploits open access, password guessing Specific exploits Sendmail, DNS, SQL Footprint Document IP ownership Public Information Search DNS Retrieval Vulnerability Assessment False positive removal Severity rating Remediation advice Discovery Open ports OS fingerprint Report Generation Introduction Findings & Recommendations Appendices

9 Pre-Inspection: Scope
Control Areas: IP addresses (complete, internal/external) Web applications Remote access VOIP, Telephones Wireless Boundaries Physical boundary Logical boundary Outsourced functions External interfaces Relevant systems Rigor Defined Adequate What controls were covered by the assessment? What were the boundaries of the assessment? To what level of rigor was the assessment performed?

10 Scope: Physical Boundaries

11 Scope: Logical Boundaries
External Interfaces

12 Scope: Level of Rigor Low Moderate High
Limited review, inspections, and tests. Moderate Substantial examination, inspections, and extended tests. High Comprehensive analysis, inspections, and extended depth and scope of test Document and communicate level of rigor through the adoption of a standard approach (e.g., NIST SP A, RIIOT, etc.)

13 Scope: Implications Meeting scan objective Scan caveats
Objective analysis of the effectiveness of current security controls that protect an organization’s assets. If assessor believes the scope of the assessment is limited and may not meet the stated objective, the report should clearly indicate this.

14 Scoping: Limitations Reasonable limitations Unreasonable limitations
Common controls assessed elsewhere Obtain report to ensure Control limitations – sponsor does not control other area Clearly indicate scope of assessment Unreasonable limitations Sever restrictions on rigor, methods, interfaces, time, budget. Clearly state limitations in report Is it an adequate vulnerability scan?

15 Pre-Inspection: Objective
Objective Statement Defined Frequency Driver Restrictions Reasonableness Acceptance Permissions Granted DOS inclusion Data modification inclusion Is the objective of the assessment clearly stated? What restrictions were placed on the assessment? Were appropriate permissions granted?

16 Pre-Inspection: Team Independence Expertise Claimed? Adequate?
Security expertise Credentials (CISSP) Audit expertise Credentials (CISA) Regulation / Business expertise (knowledge) Was the team performing the assessment independent and qualified?

17 Team: Objectivity Who should perform the Vulnerability Scan?
Objectivity vs. independence Budget and other factors affecting the decision

18 Footprint Audit Points
Pre-Inspection Enumeration General exploits open access, password guessing Specific exploits Sendmail, DNS, SQL Define Scope Define Objective Define Team Footprint Document IP ownership Public Information Search DNS Retrieval Vulnerability Assessment False positive removal Severity rating Remediation advice Discovery Report Generation Open ports OS fingerprint Introduction Findings & Recommendations Appendices

19 Footprint: IP Ownership
Did the assessment cover all the IP addressed identified by the system owner? Did the assessment team independently verify the ownership of the IP addresses? Were any of the identified IP addresses owned by a third party (i.e., hosting company), if so did the assessment team obtain permission? Did the report clearly identify IP addresses not covered by the assessment (for example server not covered for continuity reasons)?

20 Discovery Audit Points
Pre-Inspection Enumeration Define Scope Define Objective Define Team General exploits open access, password guessing Specific exploits Sendmail, DNS, SQL Footprint Vulnerability Assessment Document IP ownership Public Information Search DNS Retrieval False positive removal Severity rating Remediation advice Discovery Report Generation Open ports OS fingerprint Introduction Findings & Recommendations Appendices

21 Discovery: Discover Interfaces
Were interfaces within the boundary and scope completely discovered? Did the assessor discover any additional interfaces? Did the assessment cover multiple protocols to the same IP address? (ports?) Did the assessment include: VPN, IPS Web servers, application servers, custom apps DNS, mail servers

22 Discovery: Discover Information
Did the assessment team perform adequate analysis to discover information? Public information (e.g. google hack) Internal information (FTP, file shares) Operating systems fingerprinted

23 Discovery: Complete Discover
Did the assessment team ensure complete discovery? Load balancers Virtual host (recent scan) Wireless access points

24 Enumeration Audit Points
Pre-Inspection Enumeration Define Scope Define Objective Define Team General exploits open access, password guessing Specific exploits Sendmail, DNS, SQL Footprint Vulnerability Assessment Document IP ownership Public Information Search DNS Retrieval False positive removal Severity rating Remediation advice Discovery Report Generation Open ports OS fingerprint Introduction Findings & Recommendations Appendices

25 Enumeration: Determine Exploits
General exploits Open access – no passwords Password guessing and cracking Specific exploits Sendmail, DNS, SQL Did the assessment team adequately determine exploits?

26 Vulnerability Assessment Audit Points
Pre-Inspection Enumeration Define Scope Define Objective Define Team General exploits open access, password guessing Specific exploits Sendmail, DNS, SQL Footprint Vulnerability Assessment Document IP ownership Public Information Search DNS Retrieval False positive removal Severity rating Remediation advice Discovery Report Generation Open ports OS fingerprint Introduction Findings & Recommendations Appendices

27 Vulnerability Assessment: Determine Impact
Did the team have a process for identifying and removing false positives? Did the report utilize a ranking process for found vulnerabilities? Was the security service (confidentiality, integrity, availability) affected indicated for each vulnerability? Was there a re-test? Was the final scan free of “high” level vulnerabilities?

28 Report Audit Points Pre-Inspection Enumeration Footprint
Define Scope Define Objective Define Team General exploits open access, password guessing Specific exploits Sendmail, DNS, SQL Footprint Vulnerability Assessment Document IP ownership Public Information Search DNS Retrieval False positive removal Severity rating Remediation advice Discovery Report Generation Open ports OS fingerprint Introduction Findings & Recommendations Appendices

29 Were the findings detailed,
Report: Introduction Dates Report date. Recent? Assessment date. Consistent? Method Described adequately? Meets rigor objective? Meets compliance needs? Findings & Remediation Each vulnerability Described Patch guidance Rated (impact) Ranked (order) Organized Rigorous enough to meet goals? Persistent findings? Is the assessment recent and relevant? Were the findings detailed, useful, and accurate? Was the method used appropriate?

30 Are the findings consistent?
Report: Appendices Start and Stop Times Match assessment date? Adequate length? Findings Match main report and summaries? Remediation Match findings? Do the start and stop times match the report? Are the findings consistent? Is there a remediation for each finding?

31 Checklist See Handout

Download ppt "INDULGENCE There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company."

Similar presentations

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
CSF Support for HIPAA and NIST Implementation and Compliance Presented By Bryan S. Cline, Ph.D. Presented For HITRUST.

CSF Support for HIPAA and NIST Implementation and Compliance Presented By Bryan S. Cline, Ph.D. Presented For HITRUST.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
University of Florida Incident Tracking and Reporting Kathy Bergsma

University of Florida Incident Tracking and Reporting Kathy Bergsma
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
I NDULGENC E There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company.

I NDULGENC E There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,

Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,
Chapter 7 Database Auditing Models

Chapter 7 Database Auditing Models
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing
Www.nationalsmartcardproject.org.uk www.scnf.org.uk National Smartcard Project Work Package 8 – Security Issues Report.

National Smartcard Project Work Package 8 – Security Issues Report.
Security audits. Today’s talk  Security audits  Penetration testing as a component of Security auditing  Different types of information systems security.

Security audits. Today’s talk  Security audits  Penetration testing as a component of Security auditing  Different types of information systems security.
Compliance System Validation - An Audit Based Approach December 2012 Uday Gulvadi, CPA, CIA, CISA, CAMS Director - Internal Audit, Risk and Compliance.

Compliance System Validation - An Audit Based Approach December 2012 Uday Gulvadi, CPA, CIA, CISA, CAMS Director - Internal Audit, Risk and Compliance.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
1 Homologues Group Meeting Slovenia, October 2009 Republika SlovenijaEuropean Union Ljubljana, 12-13 October 2009 Introduction to IT audits PART II IT.

1 Homologues Group Meeting Slovenia, October 2009 Republika SlovenijaEuropean Union Ljubljana, October 2009 Introduction to IT audits PART II IT.
Network Vulnerability Assessment Methodology Lesson 6.

Network Vulnerability Assessment Methodology Lesson 6.

Similar presentations

Ads by Google