Security-Audit

Technical Security Audit and Assessments

DISCLAIMER

This document contains unedited notes and has not been formally proofread.

The information provided in this document is intended to provide a basic understanding of certain technologies.

Please exercise caution when visiting or downloading from websites mentioned in this document and verify the safety of the website and software.

Some websites and software may be flagged as malware by antivirus programs.

The document is not intended to be a comprehensive guide and should not be relied upon as the sole source of information.

The document is not a substitute for professional advice or expert analysis and should not be used as such.

The document does not constitute an endorsement or recommendation of any particular technology, product, or service.

The reader assumes all responsibility for their use of the information contained in this document and any consequences that may arise.

The author disclaim any liability for any damages or losses that may result from the use of this document or the information contained therein.

The author reserve the right to update or change the information contained in this document at any time without prior notice.

Any attempts to perform penetration testing or ethical hacking on systems or networks should be done with the explicit permission of the system/network owner. Unauthorized access is illegal and can result in serious legal consequences.

It is important to fully understand the scope of the testing and to only test within that scope. Testing outside the agreed upon scope is considered unauthorized and may result in legal action.

Any findings or vulnerabilities discovered during testing should be reported to the system/network owner immediately and kept confidential until a fix can be implemented.

It is recommended to use a separate, dedicated testing environment rather than testing on a live production system to minimize the risk of accidentally causing damage or downtime.

It is important to take steps to protect your own identity and prevent accidental data leaks or exposure of sensitive information during testing.

It is also recommended to follow a standard code of ethics for ethical hacking and penetration testing.

References

Performing a Technical Security Audit and Assessment : Marc Menninger

Contents:

Overview

Security Assessment reviews

Identifying and analyzing Targets

Planning Technical Security Assessments

Executing the Technical security

Post testing activities

************************************************************************************************

Technical Security Audit and Assessments Notes:-

Overview:

To find security weakness and technical vulnerabilities

Determining the compliance with standards

Security assessment when conducted periodically - will give valuable insights on current security posture.

Periodic assessment will give results to compare and arrive at trends on security gaps.

Phases involved

Phases involved

Documentation:

Facilitates consistency

Reduces risk

Facilitated continual improvement

Helps new staff come up to speed

Security assessment is a living document

Conducting

reuse resources ,

spend less time scrambling,

reduce overall cost

Phases:-

Planning

Assets

Potential threats

Security controls in scope

Assessment viewpoint

External and Internal

External = outside org network

Execution

Identify and validate vulnerabilities

Post Execution

Identify root cause

Develop mitigation plan

Write report

NIST SP 800-53A, Assessing Security and Privacy controls and Open source Testing Methodology manual.

How to find out - How secure, the system and Networks are

Review.

Review techniques are often manual examinations of systems, applications, networks, policies, and procedures to ensure they meet minimum security requirements.

Firewall and switch rulesets

System config

Network sniffing

File integrity checking

Target Identification and analysis.

Automated tools conduct

Network discovery

Ports and service identification

Vulnerability scanning

Wireless scanning

Target vulnerability validation.

are used to confirm that any vulnerabilities identified in earlier testing are valid.

Password cracking

Penetration tests

Social Engineering

Testing View Point:

External = outside the org network and physical assets.

3 Phases

Reconnaissance

Enumeration

testing

Internal

In the view of malicious insider, who has access and trying to escalate privileges

Overt testing - white hat testing

Covert testing - black hat testing

Costly and time consuming

Security Assessment reviews:

Process of examining docs, sys files, networks to look for vulnerabilities & security gaps
Review tech

Documentation review

Requested docs - Security policy, standards, processes, procedures.

Security plans and configuration instructions.

Network architecture and diagrams.

Incident response plans

Evidence of third party testing or certifications.

Regulatory standards - HIPAA, PCI, ISO27001

Looking for outdated, missing or inaccurate info.

log review,

Log review is determined if systems are adequately logging important security events and if the organization is following its own logging policies and standards.

Sys logs for acc changes

IDS/IPS logs or malicious acts

Firewall logs for outbound connections

Anti-malware logs for software failures

Patch logs for deployment failures

Backup system logs for backup failures

Tools used like - MS Log parser

ruleset review (Firewall rule sets),

Firewall actions

Permitting and routing packets

Denying packets

Logging traffic activity

Creating system events and alerts

SANS - firewall checklist

First - Filter rule sets

Sec - Permit rules

Finally - Deny rules

All firewall policy has corresponding rules

All rules still required

Unnecessary open ports - closed

Traffics doesn't escapes defense

Rules enforce least privilege access

Tools

Algosec
Solar winds
360-FAAR

system configuration review,

Is done to identify incorrect or missing sys settings

Poor hardening

Configurations misaligned with Sec Standards

Weak passwords settings

Unmanaged services

Inadequate logging

Tools

checklists from the NIST National Checklist Program Repository or from the Center for Internet Security

CISCAP tool

Nexpose

Tenable Security center

network sniffing,

Collect and review information

Discover active devices

Identity systems and services

Uncover potential security vulnerabilities

Tools

Dsniff

Ettercap

Wireshark

Kismet

Tcpdump

Libpcap

File integrity checking.

File that should change only under authorized chain.

E.g: accounting ledger programs should only be changed by the authorized personnel from accounting.

Malicious activities - can delete certain files and replace the existing ones -

system or configuration file to gain privileges access.

Best way to check the file integrity using the hash values of the files.

HASH values will change even if a single character is changed in the file, thus change in hash values results that the two files are different or changes are made.

Hashing Tools

Aide

Rootkit Hunger

Samhain

Tripwire

Host-based intrusion detection systems, or HIDs, such as OSSEC
Files to monitor

Key system files

Configuration files

Windows registry

Sensitive information classified files

Rarely change

Static web pages

If an important file changes during their assessment without proper permission and without telling system or security administrators, that could be a problem. File integrity checks help organizations keep an eye on the security of their most important files.

How exposed is your organization is to data loss due to human error on a set of database systems

What to look for

Security Controls

Org require and enforce least privileges

Who all have access to the database servers

How frequent is the data back up done

Are data backup is adequate in event of data loss

Documentation review

policies , standards, guidelines

Log reviews

Who access the database

Who modified

Ruleset reviews

Critical systems needs to be isolated from main network

DMZ zone

System configuration review

Correct set of controls configured

Regular database integrity reviews

Identifying and analyzing Targets:-

To determine which systems and devices are available on the network

Asset inventories

Network diagrams

After identifying next steps involves testing

Techniques used for identifying

Conducting network discovery

Purpose and functions of network devices - Need knowledge on TCP/IP

IP addressing and subnetting

Network scanners

Identifying network ports and services

Ports and services workflow

Common ports and services

Port and service scanning tools

Scanning for vulnerabilities

Protocols and system misconfigurations

Vulnerability scanning tools

OpenVAS

Scanning wireless network.

Wifi tech and protocols

Wifi protected access, WPA

Wireless scanning tools

Conduct network discovery

Active

ISMP or echo request or ping

Faster than passive

Sometime noisy and creates traffic

Can slow down network
Cause a denial of service

Communicate in advance for running active n/w discovery

Passive

Network sniffing tools

Wireshark - captures open ports, operating systems of devices

Sniffer

Placed in the network, where it captures the network traffic.

Stealthy

No detection of devices that aren't active

Network discovery Tool

Network miner

Nmap

Identify network ports and services

E.g - Port 80 = HTTP = Active yes = likely Apache/ Microsoft IIS

To identify

Operating systems

Functions - web server / FTP server

Security vulnerabilities on ports & services

OS fingerprinting

Port = 111 = likely OS = Unix or Linux

Port = 135, 139, 445 = likely OS = windows

Tool

Legion

Scan devices for vulnerabilities

Scan to find outdated software,

missing patches

Missing configurations

Used to validate system compliance with internal security configurations.

Vulnerability scanners require Admin privileges to run and perform scanning.

Types of scanning

Local Vulnerability scanning
Network vulnerability scanning

Tools

GVM

Planning Technical Security Assessments

Security Assessment Policy

Vulnerability assessment policy

Risk assessment policy

Risk management policy

Guidance for Sec Assess

Frequency

Sec std the org should comply with.

Network and Systems in scope

Documentation and reporting requirements

Roles and responsibilities

Who conducts audit

Who receives the final reports

Who is responsible for remediation

Effective policy

Approved by relevant stakeholders

Communicated to staff and 3rd parties

Review and update periodically.

Prioritize and schedule

Define objectives

Quarterly assess & Standards - 27001

Scopes

All systems or sub-set of systems

System priority

Systems impact ratings

Assessment time - overdue

Scheduling constraints

Technical consideration - significant vulnerabilities

Frequent requirements

Quarterly or annually

Resource availability

Qualified staff

Organizational IT staff

Testing equipments

Size and complexity

Choosing Techniques

Assessment objectives

Testing view point

Resource availability

Technique risk

Perspective

Covert = social engg.

Overt = log reviews

Test external facing systems

E.g Compliance with 27001 std

Document reviews

Ruleset and security configuration reviews

Network discovery and vulnerability scanning

Wireless scanning

Penetration test with social engineering

Select the Assessors

Technical security assessors

Strong IT understanding- n/w, OS, firewalls

Latest security threats

Assessment leads

Experience in leading audits

Communication skills

Project Management skills

Internal Assessors

Part of ITr security of internal audit

Conduct assessment in accordance with policies

Analyze results

Recommend mitigation for security gaps

Retest if necessary

Third party / External Assessors

Vetted prior to process

Sign NDA

Selecting locations

Internal testing from any part of the network

External testing - outside the org n/w

Right privilege access for internal testing

Select tools and resources

Third party assessors - laptop with capabilities

Internal assessors - local desktop

Develop assessment plan

Type and objective

Systems and network in scope

Time frame

Security controls

Testing techniques

Sensitive data handling

Organizational risk

Completeness criteria

IP addresses and MAc address

How to handle incidents

How to handle a security breach

E.g. Security Assessment methodology

For external Covert test

How data will be gathered

To conduct assessment, scripts and software tools will be used to run the following tests against the in-scope systems

Network discovery to find unknown or rouge systems

Port and service discovery to identify OS and potential vulnerabilities

Will attempt to exploit any known exploitable vulnerabilities

How security controls will be tested

Testing will be conducted during business hrs to give incident response team maximum opportunity to detect and respond

The response or lack of response will be noted as part of results

Keeping tech support alert in due to failure of systems during testing

No DOS attack will be carried out

When testing will be conducted

After testing is concluded, analyze any vulnerabilities found

Determine the root cause

The mitigation plan and recommendation will be identified

All findings, results, and test conduct are recorded in the final report and published with relevant stakeholders.

Legal requirements

Limitation of liability

NDA

Privacy requirements

Data handling req

Executing the Technical security

Coordinating the assessments

All key stakeholders are aware

Assessors have privileges and access

Higher management informed

Communication in all stages to key stakeholders

Conduct assessments

Some risk

Systems outage

Security attack can be discovered

High severity vulnerability found mid-way

Standard escalation procedures to be followed in occurrence of these risks.

Some roadblocks

Resistance from staff

An unrealistic assessment plan not complied within budget or timeline.

Conduct analysis

False positives

Found vulnerabilities are validated by manually on the each systems

Validated vulnerabilities are categories

Severity of risk

Control families - NIST 800-53

Finding Root cause

Common root cause found

Patch management

Anti-malware controls

Infrequent signature updates

Policies and standards

Data Handling

HIghly sensitive data

Assessment plans and rules of engagement

Configurations and network documentations

Results for testing tools

Assessments findings and reports

Remediation recommendations

Data lifecycle phases

Creations, collection or receipt

access , use or reuse

Transmission

Storage

Disposal

Assessment data stored in encrypted form

Post testing activities

Recommended Mitigations

Are reviewed and accepted

Finally Report the results

Final Report

Describe why and how testing is done

Vulnerabilities of system, network, and remediations recommendations

Implementation of remediation and mitigations

Who is responsible for implementing the mitigation plans

Remediation steps

Test

Coordinate

Implement and validate

Report closure

What implemented and validated

Modification applied to test systems

Then moved to production systems

This is end of the conducting technical security assessments.

*********************************************************************************************************

search keyword: Security Audit, GRC, Governance, Risk, Compliance, Quality Management

Comments