  1. INDULGENCE There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company.

  2. How to Audit Vulnerability Scans
  Doug Landoll, CEO, Assero Security LLC
  dlandoll@asserosecurity.com, (512) 633-8405
  http://twitter.com/douglandoll, www.douglandoll.com
  ISACA Phoenix Chapter Monthly Meeting - January

  3. Agenda
  • Background – Security Risk Management & Assessments
    • Assessments as a process
    • Security risk management
    • Types of assessments
  • Anatomy of a Vulnerability Scan
    • Vulnerability Scan
    • Objective, Scope, and Execution
    • Vulnerability Scan phases
  • How to Audit Vulnerability Scan (by phase)
  • Checklist

  4. Security Assessment as Process (chart: Risk, from High to Low, plotted against Time)
  • Security Improvements Lower Risk: Security awareness training, Security policy development, Operating system hardening, Security patches, Anti-virus updates, Incident handling
  • Changing Threats and Environment Increase Risk Over Time: New regulations, Staff turnover, New exploits, New system functions

  5. Security Risk Management
  • Risk Assessment: threats / likelihood; vulnerabilities / exploitation; assets / impact; risk / countermeasures
  • Test & Review: scanning; audit of controls
  • Operational Security: patches; incident handling; training
  • Risk Mitigation: safeguard implementation; additional controls

  6. Types of Assessments

  7. Types of Assessments Illustrated (diagram)
  • Assessment types: Gap Assessment, Compliance Audit, Security Audit, Security Risk Assessment
  • Each is driven by a standard or regulation (required, covered, selected, scoped)
  • Outputs, respectively: Action List, Attestation, Controls Effectiveness, Risk & Recommendations

  8. Anatomy of a Vulnerability Scan
  • Pre-Inspection: Define Scope, Define Objective, Define Project, Define Team
  • Footprint: Document IP ownership, Public Information Search, DNS Retrieval
  • Discovery: Open ports, OS fingerprint
  • Enumeration: General exploits (open access, password guessing); Specific exploits (Sendmail, DNS, SQL)
  • Vulnerability Assessment: False positive removal, Severity rating, Remediation advice
  • Report Generation: Introduction, Findings & Recommendations, Appendices

  9. Pre-Inspection: Scope
  • What controls were covered by the assessment? Control Areas: IP addresses (complete, internal/external), Web applications, Remote access, VOIP/Telephones, Wireless
  • What were the boundaries of the assessment? Boundaries: Physical boundary, Logical boundary, Outsourced functions, External interfaces, Relevant systems
  • To what level of rigor was the assessment performed? Rigor: Defined, Adequate

  10. Scope: Physical Boundaries (diagram)

  11. Scope: Logical Boundaries (diagram showing external interfaces)

  12. Scope: Level of Rigor
  • Low: Limited review, inspections, and tests.
  • Moderate: Substantial examination, inspections, and extended tests.
  • High: Comprehensive analysis, inspections, and extended depth and scope of test.
  Document and communicate the level of rigor through the adoption of a standard approach (e.g., NIST SP 800-53A, RIIOT, etc.).

  13. Scope: Implications
  • Meeting scan objective: objective analysis of the effectiveness of current security controls that protect an organization’s assets.
  • Scan caveats: if the assessor believes the scope of the assessment is limited and may not meet the stated objective, the report should clearly indicate this.

  14. Scoping: Limitations
  • Reasonable limitations
    • Common controls assessed elsewhere: obtain report to ensure
    • Control limitations – sponsor does not control other area: clearly indicate scope of assessment
  • Unreasonable limitations
    • Severe restrictions on rigor, methods, interfaces, time, budget
    • Clearly state limitations in report
    • Is it an adequate vulnerability scan?

  15. Pre-Inspection: Objective
  • Is the objective of the assessment clearly stated? Objective Statement: Defined, Frequency, Driver
  • What restrictions were placed on the assessment? Restrictions: Reasonableness, Acceptance
  • Were appropriate permissions granted? Permissions: Granted, DOS inclusion, Data modification inclusion

  16. Pre-Inspection: Team
  Was the team performing the assessment independent and qualified?
  • Independence: Claimed? Adequate?
  • Expertise
    • Security expertise – credentials (CISSP)
    • Audit expertise – credentials (CISA)
    • Regulation / Business expertise (knowledge)

  17. Team: Objectivity
  • Who should perform the Vulnerability Scan?
  • Objectivity vs. independence
  • Budget and other factors affecting the decision

  18. Footprint Audit Points (the Anatomy of a Vulnerability Scan diagram from slide 8, repeated for the Footprint phase)

  19. Footprint: IP Ownership
  • Did the assessment cover all the IP addresses identified by the system owner?
  • Did the assessment team independently verify the ownership of the IP addresses?
  • Were any of the identified IP addresses owned by a third party (e.g., a hosting company)? If so, did the assessment team obtain permission?
  • Did the report clearly identify IP addresses not covered by the assessment (for example, an email server not covered for continuity reasons)?

  20. Discovery Audit Points (the Anatomy of a Vulnerability Scan diagram from slide 8, repeated for the Discovery phase)

  21. Discovery: Discover Interfaces
  • Were interfaces within the boundary and scope completely discovered?
  • Did the assessor discover any additional interfaces?
  • Did the assessment cover multiple protocols to the same IP address? (ports?)
  • Did the assessment include:
    • VPN, IPS
    • Web servers, application servers, custom apps
    • DNS, mail servers

  22. Discovery: Discover Information
  • Did the assessment team perform adequate analysis to discover information?
    • Public information (e.g. google hack)
    • Internal information (FTP, file shares)
    • Operating systems fingerprinted

  23. Discovery: Complete Discovery
  • Did the assessment team ensure complete discovery?
    • Load balancers
    • Virtual host (recent scan)
    • Wireless access points

  24. Enumeration Audit Points (the Anatomy of a Vulnerability Scan diagram from slide 8, repeated for the Enumeration phase)

  25. Enumeration: Determine Exploits
  Did the assessment team adequately determine exploits?
  • General exploits
    • Open access – no passwords
    • Password guessing and cracking
  • Specific exploits
    • Sendmail, DNS, SQL

  26. Vulnerability Assessment Audit Points (the Anatomy of a Vulnerability Scan diagram from slide 8, repeated for the Vulnerability Assessment phase)

  27. Vulnerability Assessment: Determine Impact
  • Did the team have a process for identifying and removing false positives?
  • Did the report utilize a ranking process for found vulnerabilities?
  • Was the security service affected (confidentiality, integrity, availability) indicated for each vulnerability?
  • Was there a re-test? Was the final scan free of “high” level vulnerabilities?

  28. Report Audit Points (the Anatomy of a Vulnerability Scan diagram from slide 8, repeated for the Report Generation phase)

  29. Report: Introduction
  • Is the assessment recent and relevant? Dates: Report date (recent?), Assessment date (consistent?)
  • Was the method used appropriate? Method: Described adequately? Meets rigor objective? Meets compliance needs?
  • Were the findings detailed, useful, and accurate? Findings & Remediation: each vulnerability described, patch guidance, rated (impact), ranked (order), organized; rigorous enough to meet goals? Persistent findings?

  30. Report: Appendices
  • Do the start and stop times match the report? Start and Stop Times: Match assessment date? Adequate length?
  • Are the findings consistent? Findings: Match main report and summaries?
  • Is there a remediation for each finding? Remediation: Match findings?
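Several of the audit points above (IP coverage on slide 19, false-positive handling and remaining "high" findings on slide 27, ranking on slide 29, scan window and findings/remediation consistency on slide 30) can be checked mechanically once the scan report is available in a structured form. The following is an added example, not material from the presentation; the report layout, addresses, exclusion and findings are all constructed for illustration.

```python
from datetime import datetime
import ipaddress

# Constructed sample report (not real scan output): approved scope, one documented exclusion, scan window, findings.
SCOPE = ["192.0.2.0/29", "198.51.100.10"]
EXCLUDED = {"192.0.2.3": "mail server not scanned for continuity reasons"}
REPORT = {
    "assessment_date": "2024-03-04", "start": "2024-03-04T09:00:00", "stop": "2024-03-04T17:30:00",
    "hosts_scanned": ["192.0.2.1", "192.0.2.2", "192.0.2.4", "192.0.2.5", "192.0.2.6", "198.51.100.10"],
    "summary_finding_ids": ["F-1", "F-2", "F-3"],
    "findings": [  # ranked by severity; 'service' is the CIA property affected
        {"id": "F-1", "severity": "high", "service": "availability", "false_positive": True,
         "remediation": "n/a: banner-only detection, confirmed patched on re-test"},
        {"id": "F-2", "severity": "medium", "service": "confidentiality", "false_positive": False,
         "remediation": "apply vendor patch (placeholder reference)"},
        {"id": "F-3", "severity": "low", "service": "integrity", "false_positive": False, "remediation": ""},
    ],
}

def expand_scope(scope):  # CIDR ranges and single addresses -> set of in-scope host addresses
    hosts = set()
    for entry in scope:
        net = ipaddress.ip_network(entry, strict=False)
        hosts.update(str(ip) for ip in (net.hosts() if net.num_addresses > 2 else net))
    return hosts

def audit_scan_report(report, scope, excluded, min_hours=1.0):
    """Return audit exceptions as strings; an empty list means every check passed."""
    issues = []
    expected, scanned = expand_scope(scope), set(report["hosts_scanned"])
    for ip in sorted(expected - scanned - set(excluded)):  # Footprint: coverage gaps
        issues.append(f"{ip}: in scope but neither scanned nor documented as excluded")
    for ip in sorted(scanned - expected):                   # Footprint: was permission granted?
        issues.append(f"{ip}: scanned but outside the approved scope")
    start, stop = (datetime.fromisoformat(report[k]) for k in ("start", "stop"))
    if (stop - start).total_seconds() < min_hours * 3600:    # Appendices: adequate length?
        issues.append("scan window too short for the stated scope")
    if {f["id"] for f in report["findings"]} != set(report["summary_finding_ids"]):
        issues.append("summary and appendix finding lists differ")  # Appendices: consistent?
    ranks = [{"high": 3, "medium": 2, "low": 1}.get(f["severity"], 0) for f in report["findings"]]
    if ranks != sorted(ranks, reverse=True):                 # Introduction: rated and ranked?
        issues.append("findings are not ordered by severity")
    for f in report["findings"]:
        if f["false_positive"]:                              # removed from results, kept on record
            continue
        if not f["remediation"].strip():                     # a remediation for each finding?
            issues.append(f"{f['id']}: no remediation recorded")
        if f["severity"] == "high":                          # final scan free of "high" findings?
            issues.append(f"{f['id']}: high-severity finding remains after final scan")
    return issues
```

Each returned string is one audit exception to raise with the assessment team; the sample report yields a single one, the missing remediation for F-3.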

  31. Checklist • See Handout
