Security-Audit

 Technical Security Audit and Assessments


DISCLAIMER

  • This document contains unedited notes and has not been formally proofread.
  • The information provided in this document is intended to provide a basic understanding of certain technologies.
  • Please exercise caution when visiting or downloading from websites mentioned in this document and verify the safety of the website and software.
  • Some websites and software may be flagged as malware by antivirus programs.
  • The document is not intended to be a comprehensive guide and should not be relied upon as the sole source of information.
  • The document is not a substitute for professional advice or expert analysis and should not be used as such.
  • The document does not constitute an endorsement or recommendation of any particular technology, product, or service.
  • The reader assumes all responsibility for their use of the information contained in this document and any consequences that may arise.
  • The author disclaim any liability for any damages or losses that may result from the use of this document or the information contained therein.
  • The author reserve the right to update or change the information contained in this document at any time without prior notice.
  • Any attempts to perform penetration testing or ethical hacking on systems or networks should be done with the explicit permission of the system/network owner. Unauthorized access is illegal and can result in serious legal consequences.
  • It is important to fully understand the scope of the testing and to only test within that scope. Testing outside the agreed upon scope is considered unauthorized and may result in legal action.
  • Any findings or vulnerabilities discovered during testing should be reported to the system/network owner immediately and kept confidential until a fix can be implemented.
  • It is recommended to use a separate, dedicated testing environment rather than testing on a live production system to minimize the risk of accidentally causing damage or downtime.
  • It is important to take steps to protect your own identity and prevent accidental data leaks or exposure of sensitive information during testing.
  • It is also recommended to follow a standard code of ethics for ethical hacking and penetration testing.

References

  • Performing a Technical Security Audit and Assessment : Marc Menninger

Contents:

  • Overview
  • Security Assessment reviews
  • Identifying and analyzing Targets 
  • Planning Technical Security Assessments 
  • Executing the Technical security 
  • Post testing activities 


************************************************************************************************

Technical Security Audit and Assessments Notes:- 

Overview:

  • To find security weakness and technical vulnerabilities
  • Determining the compliance with standards
  • Security assessment when conducted periodically - will give valuable insights on current security posture.
  • Periodic assessment will give results to compare and arrive at trends on security gaps.
Phases involved
Phases involved


Documentation:

  • Facilitates consistency
  • Reduces risk
  • Facilitated continual improvement
  • Helps new staff come up to speed
  • Security assessment is a living document

Conducting

  • reuse resources ,
  • spend less time scrambling,
  • reduce overall cost

Phases:-

  • Planning
    • Assets
    • Potential threats
    • Security controls in scope
    • Assessment viewpoint

      • External and Internal
      • External = outside org network

  • Execution
    • Identify and validate vulnerabilities

  • Post Execution
    • Identify root cause
    • Develop mitigation plan
    • Write report

      • NIST SP 800-53A, Assessing Security and Privacy controls and Open source Testing Methodology manual.

How to find out - How secure, the system and Networks are

  • Review.
    • Review techniques are often manual examinations of systems, applications, networks, policies, and procedures to ensure they meet minimum security requirements.
    • Firewall and switch rulesets
    • System config
    • Network sniffing
    • File integrity checking

  • Target Identification and analysis.
    • Automated tools conduct
      • Network discovery
      • Ports and service identification
      • Vulnerability scanning
      • Wireless scanning


  • Target vulnerability validation.
    • are used to confirm that any vulnerabilities identified in earlier testing are valid.
    • Password cracking
    • Penetration tests
    • Social Engineering


Testing View Point:

  • External = outside the org network and physical assets.
    • 3 Phases
      • Reconnaissance
      • Enumeration
      • testing

  • Internal
    • In the view of malicious insider, who has access and trying to escalate privileges 

  • Overt testing - white hat testing
  • Covert testing - black hat testing

    • Costly and time consuming

Security Assessment reviews:


  • Process of examining docs, sys files, networks to look for vulnerabilities & security gaps
  • Review tech
    • Documentation review
      • Requested docs - Security policy, standards, processes, procedures.
      • Security plans and configuration instructions.
      • Network architecture and diagrams.
      • Incident response plans
      • Evidence of third party testing or certifications.

        • Regulatory standards - HIPAA, PCI, ISO27001

      • Looking for outdated, missing or inaccurate info. 

    • log review,
      • Log review is determined if systems are adequately logging important security events and if the organization is following its own logging policies and standards.
      • Sys logs for acc changes
      • IDS/IPS logs or malicious acts
      • Firewall logs for outbound connections
      • Anti-malware logs for software failures
      • Patch logs for deployment failures
      • Backup system logs for backup failures
      • Tools used like - MS Log parser

    • ruleset review (Firewall rule sets),
      • Firewall actions
        • Permitting and routing packets
        • Denying packets
        • Logging traffic activity
        • Creating system events and alerts

      • SANS - firewall checklist

        • First - Filter rule sets
        • Sec - Permit rules
        • Finally - Deny rules

      • All firewall policy has corresponding rules
      • All rules still required
      • Unnecessary open ports - closed
      • Traffics doesn't escapes defense
      • Rules enforce least privilege access  
      • Tools

        • Algosec
        • Solar winds
        • 360-FAAR
    • system configuration review,

      • Is done to identify incorrect or missing sys settings 
      • Poor hardening

        • Configurations misaligned with Sec Standards

        • Weak passwords settings
        • Unmanaged services
        • Inadequate logging
        • Tools

          • checklists from the NIST National Checklist Program Repository or from the Center for Internet Security
          • CISCAP tool
          • Nexpose
          • Tenable Security center

    • network sniffing,
      • Collect and review information
      • Discover active devices
      • Identity systems and services
      • Uncover potential security vulnerabilities
      • Tools

        • Dsniff
        • Ettercap
        • Wireshark
        • Kismet
        • Tcpdump
        • Libpcap

    • File integrity checking.
      • File that should change only under authorized chain.

        • E.g: accounting ledger programs should only be changed by the authorized personnel from accounting.

      • Malicious activities - can delete certain files and replace the existing ones - 

        • system or configuration file to gain privileges access.
      • Best way to check the file integrity using the hash values of the files.

        • HASH values will change even if a single character is changed in the file, thus change in hash values results that the two files are different or changes are made.

      • Hashing Tools
        • Aide
        • Rootkit Hunger
        • Samhain
        • Tripwire

      • Host-based intrusion detection systems, or HIDs, such as OSSEC
      • Files to monitor
        • Key system files
          • Configuration files
          • Windows registry

        • Sensitive information classified files
        • Rarely change

          • Static web pages

      • If an important file changes during their assessment without proper permission and without telling system or security administrators, that could be a problem. File integrity checks help organizations keep an eye on the security of their most important files.

    • How exposed is your organization is to data loss due to human error on a set of database systems
      • What to look for

        • Security Controls
          • Org require and enforce least privileges
          • Who all have access to the database servers
          • How frequent is the data back up done

            • Are data backup is adequate in event of data loss

        • Documentation review
          • policies , standards, guidelines

        • Log reviews
          • Who access the database
          • Who modified

        • Ruleset reviews
          • Critical systems needs to be isolated from main network
          • DMZ zone

        • System configuration review
          • Correct set of controls configured

        • Regular database integrity reviews

Identifying and analyzing Targets:-

  • To determine which systems and devices are available on the network
    • Asset inventories
    • Network diagrams

  • After identifying next steps involves testing 
  • Techniques used for identifying

    • Conducting network discovery
      • Purpose and functions of network devices - Need knowledge on TCP/IP 
      • IP addressing and subnetting 
      • Network scanners

    • Identifying network ports and services 
      • Ports and services workflow 
      • Common ports and services
      • Port and service scanning tools

    • Scanning for vulnerabilities 
      • Protocols and system misconfigurations 
      • Vulnerability scanning tools 

        • OpenVAS

    • Scanning wireless network. 
      • Wifi tech and protocols 

        • Wifi protected access, WPA

      • Wireless scanning tools

    • Conduct network discovery

    • Active

      • ISMP or echo request or ping
      • Faster than passive
      • Sometime noisy and creates traffic 

        • Can slow down network
        • Cause a denial of service

      • Communicate in advance for running active n/w discovery

    • Passive 
      • Network sniffing tools 
        • Wireshark - captures open ports, operating systems of devices 

      • Sniffer 
        • Placed in the network, where it captures the network traffic. 

      • Stealthy
        • No detection of devices that aren't active

    • Network discovery Tool
      • Network miner 
      • Nmap

    • Identify network ports and services
      • E.g - Port 80 = HTTP = Active yes = likely Apache/ Microsoft IIS
      • To identify

        • Operating systems
        • Functions - web server / FTP server 
        • Security vulnerabilities on ports & services 

    • OS fingerprinting 
      • Port = 111 = likely OS = Unix or Linux
      • Port = 135, 139, 445 = likely OS  = windows 
      • Tool

        • Legion

    • Scan devices for vulnerabilities

      • Scan to find outdated software, 
      • missing patches 
      • Missing configurations
      • Used to validate system compliance with internal security configurations. 
      • Vulnerability scanners require Admin privileges to run and perform scanning. 
      • Types of scanning

        • Local Vulnerability scanning 
        • Network vulnerability scanning 

      • Tools

        • GVM 

Planning Technical Security Assessments

  • Security Assessment Policy 
    • Vulnerability assessment policy
    • Risk assessment policy
    • Risk management policy 

  • Guidance for Sec Assess
    • Frequency
    • Sec std the org should comply with.
    • Network and Systems in scope
    • Documentation and reporting requirements 

  • Roles and responsibilities
    • Who conducts audit
    • Who receives the final reports 
    • Who is responsible for remediation 

  • Effective policy 
    • Approved by relevant stakeholders 
    • Communicated to staff and 3rd parties
    • Review and update periodically. 

  • Prioritize and schedule
    • Define objectives 
      • Quarterly assess & Standards - 27001

    • Scopes
      • All systems or sub-set of systems 

    • System priority 
      • Systems impact ratings 
      • Assessment time - overdue
      • Scheduling constraints 
      • Technical consideration - significant vulnerabilities 

    • Frequent requirements
      • Quarterly or annually 

    • Resource availability 
      • Qualified staff
      • Organizational IT staff 
      • Testing equipments 

    • Size and complexity 
  • Choosing Techniques
      • Assessment objectives 
      • Testing view point
      • Resource availability 
      • Technique risk 

    • Perspective 
      • Covert = social engg.
      • Overt = log reviews 
      • Test external facing systems

    • E.g Compliance with 27001 std
      • Document reviews
      • Ruleset and security configuration reviews 
      • Network discovery and vulnerability scanning
      • Wireless scanning
      • Penetration test with social engineering 

    • Select the Assessors
      • Technical security assessors
        • Strong IT understanding- n/w, OS, firewalls 
        • Latest security threats 

    • Assessment leads
      • Experience in leading audits
      • Communication skills
      • Project Management skills

    • Internal Assessors
      • Part of ITr security of internal audit
      • Conduct assessment in accordance with policies 
      • Analyze results
      • Recommend mitigation for security gaps
      • Retest if necessary 

    • Third party / External Assessors
      • Vetted prior to process
      • Sign NDA

  • Selecting locations
      • Internal testing from any part of the network
      • External testing - outside the org n/w 
      • Right privilege access for internal testing

  •  Select tools and resources 
      • Third party assessors - laptop with capabilities
      • Internal assessors - local desktop 

  • Develop assessment plan
      • Type and objective
      • Systems and network in scope
      • Time frame
      • Security controls
      • Testing techniques
      • Sensitive data handling
      • Organizational risk
      • Completeness criteria 
      • IP addresses and MAc address 
      • How to handle incidents 
      • How to handle a security breach 

  • E.g. Security Assessment methodology 
    • For external Covert test

      • How data will be gathered 

        • To conduct assessment, scripts and software tools will be used to run the following tests against the in-scope systems

          • Network discovery to find unknown or rouge systems
          • Port and service discovery to identify OS and potential vulnerabilities 

        • Will attempt to exploit any known exploitable vulnerabilities

      • How security controls will be tested

        • Testing will be conducted during business hrs to give incident response team maximum opportunity to detect and respond 
        • The response or lack of response will be noted as part of results
        • Keeping tech support alert in due to failure of systems during testing
        • No DOS attack will be carried out

      • When testing will be conducted
        • After testing is concluded, analyze any vulnerabilities found
        • Determine the root cause
        • The mitigation plan and recommendation will be identified

      • All findings, results, and test conduct are recorded in the final report and published with relevant stakeholders.
      • Legal requirements 

        • Limitation of liability
        • NDA
        • Privacy requirements
        • Data handling req

Executing the Technical security 

  • Coordinating the assessments 
    • All key stakeholders are aware
    • Assessors have privileges and access
    • Higher management informed 
    • Communication in all stages to key stakeholders

  • Conduct assessments 
    • Some risk 
      • Systems outage
      • Security attack can be discovered 
      • High severity vulnerability found mid-way 

    • Standard escalation procedures to be followed in occurrence of these risks. 

    • Some roadblocks 

      • Resistance from staff
      • An unrealistic assessment plan not complied within budget or timeline. 

  • Conduct analysis
    • False positives 
    • Found vulnerabilities are validated by manually on the each systems 
    • Validated vulnerabilities are categories 

      • Severity of risk
      • Control families - NIST 800-53

    • Finding Root cause
      • Common root cause found
        • Patch management
        • Anti-malware controls
        • Infrequent signature updates
        • Policies and standards 

  • Data Handling
    • HIghly sensitive data 

      • Assessment plans and rules of engagement
      • Configurations and network documentations 
      • Results for testing tools 
      • Assessments findings and reports
      • Remediation recommendations 

    • Data lifecycle phases
      • Creations, collection or receipt
      • access , use or reuse
      • Transmission 
      • Storage
      • Disposal 

    • Assessment data stored in encrypted form

Post testing activities 

  • Recommended Mitigations
    • Are reviewed and accepted

  • Finally Report the results
    • Final Report
      • Describe why and how testing is done
      • Vulnerabilities of system, network, and remediations recommendations

  • Implementation of remediation and mitigations
    • Who is responsible for implementing the mitigation plans
    • Remediation steps

      • Test
      • Coordinate
      • Implement and validate
      • Report closure

        • What implemented and validated

  • Modification applied to test systems
  • Then moved to production systems


This is end of the conducting technical security assessments. 

*********************************************************************************************************

search keyword: Security Audit, GRC, Governance, Risk, Compliance, Quality Management

Comments

Popular Posts

Enable additional Security layer for Logging into: Google, Facebook and Twitter

Contacts of Helpline for: Child rescue, Food wastage, blood group

Privacy Settings for windows