Technical Security Audit and Assessments
DISCLAIMER
- This document contains unedited notes and has not been formally proofread.
- The information provided in this document is intended to provide a basic understanding of certain technologies.
- Please exercise caution when visiting or downloading from websites mentioned in this document and verify the safety of the website and software.
- Some websites and software may be flagged as malware by antivirus programs.
- The document is not intended to be a comprehensive guide and should not be relied upon as the sole source of information.
- The document is not a substitute for professional advice or expert analysis and should not be used as such.
- The document does not constitute an endorsement or recommendation of any particular technology, product, or service.
- The reader assumes all responsibility for their use of the information contained in this document and any consequences that may arise.
- The author disclaims any liability for any damages or losses that may result from the use of this document or the information contained therein.
- The author reserves the right to update or change the information contained in this document at any time without prior notice.
- Any attempts to perform penetration testing or ethical hacking on systems or networks should be done with the explicit permission of the system/network owner. Unauthorized access is illegal and can result in serious legal consequences.
- It is important to fully understand the scope of the testing and to only test within that scope. Testing outside the agreed-upon scope is considered unauthorized and may result in legal action.
- Any findings or vulnerabilities discovered during testing should be reported to the system/network owner immediately and kept confidential until a fix can be implemented.
- It is recommended to use a separate, dedicated testing environment rather than testing on a live production system to minimize the risk of accidentally causing damage or downtime.
- It is important to take steps to protect your own identity and prevent accidental data leaks or exposure of sensitive information during testing.
- It is also recommended to follow a standard code of ethics for ethical hacking and penetration testing.
References
- Performing a Technical Security Audit and Assessment, by Marc Menninger
Contents:
- Security Assessment reviews
- Identifying and analyzing Targets
- Planning Technical Security Assessments
- Executing the Technical Security Assessment
************************************************************************************************
Technical Security Audit and Assessments Notes:-
Overview:
- To find security weaknesses and technical vulnerabilities
- Determining compliance with standards
- Security assessments conducted periodically give valuable insight into the current security posture.
- Periodic assessments produce comparable results from which trends in security gaps can be identified.
Phases involved:
Documentation:
- Facilitates continual improvement
- Helps new staff come up to speed
- Security assessment documentation is a living document
Conducting:
- Spend less time scrambling during the assessment
Phases:-
- Planning
- Security controls in scope
- External = outside org network
- Execution
- Identify and validate vulnerabilities
- Post Execution
- Reference methodologies: NIST SP 800-53A (Assessing Security and Privacy Controls) and the Open Source Security Testing Methodology Manual (OSSTMM).
How to find out how secure the systems and networks are:
- Review.
- Review techniques are often manual examinations of systems, applications, networks, policies, and procedures to ensure they meet minimum security requirements.
- Firewall and switch rulesets
- Target Identification and analysis.
- Conducted with automated tools
- Ports and service identification
- Target vulnerability validation.
- Used to confirm that vulnerabilities identified in earlier testing are valid.
Testing View Point:
- External = outside the org network and physical assets.
- Internal
- From the viewpoint of a malicious insider who already has access and is trying to escalate privileges
- Overt testing - white hat testing
- Covert testing - black hat testing
- Costly and time consuming
Security Assessment reviews:
- Process of examining documents, system files and networks to look for vulnerabilities and security gaps
- Review techniques:
- Documentation review
- Requested docs - Security policy, standards, processes, procedures.
- Security plans and configuration instructions.
- Network architecture and diagrams.
- Evidence of third party testing or certifications.
- Regulatory standards - HIPAA, PCI, ISO27001
- Looking for outdated, missing or inaccurate info.
- log review,
- Log review determines whether systems are adequately logging important security events and whether the organization is following its own logging policies and standards.
- IDS/IPS logs for malicious activity
- Firewall logs for outbound connections
- Anti-malware logs for software failures
- Patch logs for deployment failures
- Backup system logs for backup failures
- Tools used: e.g. Microsoft Log Parser
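As an added example (not from the notes or the course they summarize), the log-review checks listed above expressed as code: one rule per log source, run over a handful of constructed key=value log lines. The log format, the host names, the permitted egress ports and the list of sources the logging policy expects are all assumptions made for the example; the last check answers the "is the organization following its own logging policy" question by flagging expected sources that produced no events at all.

```python
import re

# Constructed sample lines in a simple key=value syslog-like format. These are invented for
# this example and are not the output of any real product.
SAMPLE_LOGS = """\
2024-03-01T02:00:11 backup01 backup: job=db-nightly status=FAILED reason="disk full"
2024-03-01T02:05:40 backup01 backup: job=files-nightly status=OK
2024-03-01T03:12:02 patch01 patch: host=web02 update=KB-EXAMPLE-1 status=FAILED code=0x1
2024-03-01T03:12:09 patch01 patch: host=web03 update=KB-EXAMPLE-1 status=INSTALLED
2024-03-01T09:30:00 fw01 firewall: action=ALLOW dir=OUT src=10.0.5.23 dst=203.0.113.7 dport=4444 proto=tcp
2024-03-01T09:30:05 fw01 firewall: action=ALLOW dir=OUT src=10.0.5.24 dst=198.51.100.9 dport=443 proto=tcp
2024-03-01T10:01:17 av01 antimalware: host=hr-laptop-7 event=ENGINE_STOPPED
2024-03-01T10:02:00 av01 antimalware: host=hr-laptop-8 event=SIGNATURES_UPDATED version=2024.03.01
"""

# Outbound destination ports the (hypothetical) egress policy permits from the user network.
ALLOWED_OUTBOUND_PORTS = {53, 80, 443}

# Log sources the (hypothetical) logging policy says must be producing events.
EXPECTED_SOURCES = {"backup", "patch", "firewall", "antimalware", "ids"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>\w+): (?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one log line into timestamp, host, source and a dict of key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = {k: v.strip('"') for k, v in FIELD_RE.findall(rec.pop("rest"))}
    return rec


def review_logs(text):
    """Return a list of (finding_type, timestamp, subject, detail) tuples.

    One rule per log source from the notes: backup failures, patch deployment failures,
    anti-malware engine failures, and outbound firewall connections to unexpected ports.
    A final coverage check flags expected sources that produced no events at all.
    """
    findings = []
    sources_seen = set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real review would count these too
        f, src, ts = rec["fields"], rec["source"], rec["ts"]
        sources_seen.add(src)
        if src == "backup" and f.get("status") == "FAILED":
            findings.append(("backup_failure", ts, f.get("job"), f.get("reason")))
        elif src == "patch" and f.get("status") == "FAILED":
            findings.append(("patch_failure", ts, f.get("host"), f.get("update")))
        elif src == "antimalware" and f.get("event") == "ENGINE_STOPPED":
            findings.append(("antimalware_failure", ts, f.get("host"), None))
        elif src == "firewall" and f.get("dir") == "OUT" and f.get("action") == "ALLOW":
            dport = int(f.get("dport", "0"))
            if dport not in ALLOWED_OUTBOUND_PORTS:
                findings.append(("unexpected_outbound", ts, f.get("src"), f"{f.get('dst')}:{dport}"))
    for missing in sorted(EXPECTED_SOURCES - sources_seen):
        findings.append(("no_events_from_source", None, missing, None))
    return findings


if __name__ == "__main__":
    for finding in review_logs(SAMPLE_LOGS):
        print(finding)
```

On the sample data this reports one finding per failure category plus the absence of any IDS events; in a real review the allowed-port set and expected-source list come from the organization's own policy documents gathered during the documentation review, which is what makes "silence from a log source" a finding rather than background noise.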
- ruleset review (Firewall rule sets),
- Firewall actions
- Permitting and routing packets
- Creating system events and alerts
- SANS - firewall checklist
- Every firewall policy statement has corresponding rules
- Unnecessary open ports are closed
- Traffic does not bypass the defenses
- Rules enforce least privilege access
- Algosec
- SolarWinds
- 360-FAAR
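The checklist items above, turned into an automated ruleset review as an added example (this is not code from the notes, the course, or any of the tools named). The ruleset is a constructed, vendor-neutral list of dictionaries evaluated top to bottom with first match winning; the approved external ports and the policy references are assumptions. It checks the four checklist points (policy reference, unnecessary open ports, traffic escaping the defenses via an any/any allow, least privilege) and adds the usual companion check that an explicit default deny closes the ruleset.

```python
from ipaddress import ip_network

# Constructed example ruleset in a simplified, vendor-neutral form (not a real firewall export).
# Rules are evaluated top to bottom, first match wins, as most firewalls do.
RULES = [
    {"id": 1, "action": "allow", "src": "0.0.0.0/0", "dst": "10.0.1.10/32", "proto": "tcp", "dport": 443, "policy": "POL-WEB-01"},
    {"id": 2, "action": "allow", "src": "0.0.0.0/0", "dst": "10.0.1.10/32", "proto": "tcp", "dport": 23, "policy": "POL-WEB-01"},
    {"id": 3, "action": "allow", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "proto": "any", "dport": "any", "policy": None},
    {"id": 4, "action": "allow", "src": "10.0.5.0/24", "dst": "10.0.1.20/32", "proto": "tcp", "dport": 5432, "policy": "POL-DB-02"},
    {"id": 5, "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "proto": "any", "dport": "any", "policy": "POL-DEFAULT"},
]

# Externally reachable ports the (hypothetical) firewall policy document approves.
APPROVED_EXTERNAL_PORTS = {443}
# Cleartext management protocols that a least-privilege ruleset should not expose.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 69: "tftp"}

ANY = ip_network("0.0.0.0/0")


def is_any(cidr):
    return ip_network(cidr) == ANY


def review_ruleset(rules):
    """Return (rule_id, issue) pairs for checklist items the ruleset fails."""
    findings = []
    shadowing_rule = None  # id of an earlier allow-everything rule, if one exists
    for r in rules:
        if shadowing_rule is not None:
            # Nothing below an any/any allow is ever evaluated, including the default deny.
            findings.append((r["id"], f"shadowed_by_rule_{shadowing_rule}"))
            continue
        if r["action"] != "allow":
            continue
        if not r.get("policy"):
            findings.append((r["id"], "no_policy_reference"))
        if is_any(r["src"]) and is_any(r["dst"]) and r["dport"] == "any":
            findings.append((r["id"], "any_any_allow"))
            shadowing_rule = r["id"]
            continue
        if is_any(r["src"]) and r["dport"] not in APPROVED_EXTERNAL_PORTS:
            findings.append((r["id"], "unapproved_external_port"))
        if r["dport"] in CLEARTEXT_PORTS:
            findings.append((r["id"], f"cleartext_{CLEARTEXT_PORTS[r['dport']]}"))
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and is_any(last["src"]) and is_any(last["dst"])):
        findings.append((None, "no_explicit_default_deny"))
    return findings


if __name__ == "__main__":
    for rule_id, issue in review_ruleset(RULES):
        print(rule_id, issue)
```

Rule 3 in the sample is the interesting one: on its own it is an any/any allow, but its position also means rules 4 and 5 are dead, so the "default deny" that looks present on paper is never reached. Ruleset reviewers should read rules in evaluation order, not as an unordered set.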
- system configuration review,
- Done to identify incorrect or missing system settings
- Configurations misaligned with security standards
- Use checklists from the NIST National Checklist Program Repository or from the Center for Internet Security (CIS)
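A configuration review reduces to "parse the effective settings, compare each against a checklist item, report deviations and absences". The added example below (mine, not from the notes, NIST or CIS) does that for a constructed excerpt in sshd_config syntax against a constructed checklist written in the style of a hardening benchmark; the keywords are real OpenSSH directives, but the expected values, severities and the sample file are assumptions for illustration.

```python
# Constructed excerpt in sshd_config syntax (one "Keyword value" per line). Sample input only;
# the values are chosen so that some checks pass and some fail.
SAMPLE_CONFIG = """\
# sshd_config excerpt (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 10
LogLevel INFO
"""

# Constructed checklist in the style of a hardening benchmark: (keyword, expected, comparison, severity).
# "eq": value must equal expected; "le": numeric value must be <= expected; "in": value must be in the set.
CHECKLIST = [
    ("PermitRootLogin", "no", "eq", "high"),
    ("PasswordAuthentication", "no", "eq", "high"),
    ("X11Forwarding", "no", "eq", "low"),
    ("MaxAuthTries", 4, "le", "medium"),
    ("ClientAliveInterval", 300, "le", "low"),
    ("LogLevel", {"INFO", "VERBOSE"}, "in", "medium"),
]

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_config(text):
    """Parse 'Keyword value' lines, skipping blank and '#' comment lines. Keys are compared case-insensitively."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def check(actual, expected, op):
    """Evaluate one checklist comparison against the configured value."""
    if op == "eq":
        return actual.lower() == str(expected).lower()
    if op == "le":
        return actual.isdigit() and int(actual) <= expected
    if op == "in":
        return actual.upper() in expected
    raise ValueError(f"unknown comparison {op!r}")


def review_config(text, checklist=CHECKLIST):
    """Return findings as (keyword, problem, actual_value, severity), highest severity first.

    A keyword that is absent is reported as 'missing' rather than assumed to take a safe
    default: the reviewer has to confirm the effective value rather than guess it.
    """
    settings = parse_config(text)
    findings = []
    for key, expected, op, severity in checklist:
        actual = settings.get(key.lower())
        if actual is None:
            findings.append((key, "missing", None, severity))
        elif not check(actual, expected, op):
            findings.append((key, "mismatch", actual, severity))
    findings.sort(key=lambda f: SEVERITY_RANK[f[3]])
    return findings


if __name__ == "__main__":
    for finding in review_config(SAMPLE_CONFIG):
        print(finding)
```

Reporting "missing" separately from "mismatch" matters in practice: a directive that is not in the file takes the daemon's built-in default, and that default differs between software versions, so the reviewer checks the effective value on the host instead of assuming the checklist's expectation is met.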
- network sniffing,
- Collect and review information
- Identify systems and services
- Uncover potential security vulnerabilities
- File integrity checking.
- Malicious activity can delete certain files or replace existing ones
- If an important file changes during the assessment without proper permission and without the system or security administrators being told, that could be a problem. File integrity checks help organizations keep an eye on the security of their most important files.
- Worked example: how exposed is your organization to data loss due to human error on a set of database systems?
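An added example of the file integrity check described above (my code, not the notes' or any product's): build a baseline of SHA-256 hashes, sizes and permission bits over a directory tree, store it, and later diff a fresh walk against it to classify every path as added, removed or changed. The directory, file names and the three simulated changes are constructed inside a temporary directory so the example runs anywhere; a real deployment would point `build_baseline` at the important files and keep the stored baseline outside the monitored tree.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Record hash, size and permission bits for every file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            baseline[rel] = {
                "sha256": sha256_file(full),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
            }
    return baseline


def compare_baselines(baseline, current):
    """Classify every path as added, removed or changed relative to the stored baseline."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "changed": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def demo():
    """Build a baseline over a throwaway directory, make three kinds of change, and diff."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        files = {  # constructed sample files
            "passwd": "root:x:0:0:root:/root:/bin/bash\n",
            "hosts": "127.0.0.1 localhost\n",
            "motd": "welcome\n",
        }
        for name, content in files.items():
            with open(os.path.join(etc, name), "w") as fh:
                fh.write(content)

        # The baseline is serialised to JSON here; in practice it is stored off the monitored host
        # (or at least outside the monitored tree) so that whoever changes a file cannot also
        # rewrite the record of what it looked like.
        stored = json.dumps(build_baseline(root), sort_keys=True)

        # Simulated changes between two review runs: a modified file, a deleted file, a new file.
        with open(os.path.join(etc, "passwd"), "a") as fh:
            fh.write("svc:x:1001:1001::/home/svc:/bin/sh\n")
        os.remove(os.path.join(etc, "motd"))
        with open(os.path.join(etc, "extra.conf"), "w") as fh:
            fh.write("option=1\n")

        return compare_baselines(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Recording mode bits alongside the hash means a permission change on an unchanged file is still reported, which is the kind of change that gets missed when only content is compared. The diff is only as trustworthy as the stored baseline, so where the baseline lives and who can write to it is itself a finding to record during the review.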
- Security Controls
- Does the org require and enforce least privilege?
- Who has access to the database servers?
- How frequently are data backups done?
- Are data backups adequate in the event of data loss?
- Documentation review
- policies , standards, guidelines
- Log reviews
- Ruleset reviews
- Critical systems need to be isolated from the main network
- System configuration review
- Is the correct set of controls configured?
- Regular database integrity reviews
Identifying and analyzing Targets:-
- To determine which systems and devices are available on the network
- After identification, the next step involves testing
- Techniques used for identifying
- Conducting network discovery
- Purpose and functions of network devices - requires knowledge of TCP/IP
- IP addressing and subnetting
- Identifying network ports and services
- Ports and services workflow
- Common ports and services
- Port and service scanning tools
- Scanning for vulnerabilities
- Protocols and system misconfigurations
- Vulnerability scanning tools
- Scanning wireless network.
- Wi-Fi Protected Access (WPA)
- Conduct network discovery
- Active
- ICMP echo request (ping)
- Sometimes noisy and creates traffic
- Can slow down network
- Cause a denial of service
- Communicate in advance before running active network discovery
- Passive
- Network sniffing tools
- Wireshark - captured traffic reveals open ports and operating systems of devices
- Sniffer
- Placed in the network, where it captures the network traffic.
- Stealthy
- Does not detect devices that aren't active
- Network discovery tools
- Identify network ports and services
- E.g. port 80 = HTTP = active: yes = likely Apache / Microsoft IIS
- Functions - web server / FTP server
- Security vulnerabilities on ports & services
- OS fingerprinting
- Port 111 open = likely OS is Unix or Linux
- Ports 135, 139, 445 open = likely OS is Windows
- Scan devices for vulnerabilities
- Scan to find outdated software
- Used to validate system compliance with internal security configurations.
- Vulnerability scanners require Admin privileges to run and perform scanning.
- Local Vulnerability scanning
- Network vulnerability scanning
Planning Technical Security Assessments
- Security Assessment Policy
- Vulnerability assessment policy
- Guidance for security assessments
- Security standards the org should comply with
- Network and Systems in scope
- Documentation and reporting requirements
- Roles and responsibilities
- Who receives the final reports
- Who is responsible for remediation
- Effective policy
- Approved by relevant stakeholders
- Communicated to staff and 3rd parties
- Review and update periodically.
- Prioritize and schedule
- Define objectives
- Quarterly assessments & standards - ISO 27001
- Scopes
- All systems or sub-set of systems
- System priority
- Assessment timing - overdue assessments
- Technical considerations - significant vulnerabilities
- Frequency requirements
- Resource availability
- Size and complexity
- Choosing Techniques
- Perspective
- Test external facing systems
- E.g. compliance with the ISO 27001 standard
- Ruleset and security configuration reviews
- Network discovery and vulnerability scanning
- Penetration test with social engineering
- Select the Assessors
- Technical security assessors
- Strong IT understanding - networking, OS, firewalls
- Assessment leads
- Experience in leading audits
- Project Management skills
- Internal Assessors
- Part of IT security or internal audit
- Conduct assessment in accordance with policies
- Recommend mitigation for security gaps
- Third party / External Assessors
- Selecting locations
- Internal testing from any part of the network
- External testing - outside the org n/w
- Appropriate privileged access for internal testing
- Select tools and resources
- Third-party assessors - laptop with the required capabilities
- Internal assessors - local desktop
- Develop assessment plan
- Systems and network in scope
- IP addresses and MAC addresses
- How to handle a security breach
- E.g. Security Assessment methodology
- How data will be gathered
- To conduct the assessment, scripts and software tools will be used to run the following tests against the in-scope systems:
- Network discovery to find unknown or rogue systems
- Port and service discovery to identify OS and potential vulnerabilities
- Will attempt to exploit any known exploitable vulnerabilities
- How security controls will be tested
- Testing will be conducted during business hours to give the incident response team maximum opportunity to detect and respond
- The response or lack of response will be noted as part of results
- Keep tech support on alert in case systems fail during testing
- No DoS attacks will be carried out
- When testing will be conducted
- After testing is concluded, analyze any vulnerabilities found
- The mitigation plan and recommendation will be identified
- All findings, results, and test conduct are recorded in the final report and published with relevant stakeholders.
Executing the Technical Security Assessment
- Coordinating the assessments
- All key stakeholders are aware
- Assessors have privileges and access
- Higher management informed
- Communication in all stages to key stakeholders
- Conduct assessments
- Some risk
- A security attack may be discovered
- High severity vulnerability found mid-way
- Standard escalation procedures are to be followed if these risks occur.
- An unrealistic assessment plan that cannot be completed within budget or timeline.
- Conduct analysis
- Vulnerabilities found are validated manually on each system
- Validated vulnerabilities are categorized
- By control family - NIST SP 800-53
- Finding Root cause
- Common root causes found
- E.g. infrequent signature updates
- Data Handling
- Assessment plans and rules of engagement
- Configurations and network documentations
- Results from testing tools
- Assessments findings and reports
- Remediation recommendations
- Data lifecycle phases
- Creation, collection or receipt
- Assessment data stored in encrypted form
Post testing activities
- Recommended Mitigations
- Are reviewed and accepted
- Finally, report the results
- Final Report
- Describes why and how testing was done
- Vulnerabilities of systems and networks, and remediation recommendations
- Implementation of remediation and mitigations
- Who is responsible for implementing the mitigation plans
- What was implemented and validated
- Modifications are applied to test systems first
- Then moved to production systems
This is the end of the notes on conducting technical security assessments.
*********************************************************************************************************