This book provides a comprehensive methodology, enabling the staff charged with an IT security audit to create a sound framework that lets them meet the challenges of compliance in a way that aligns with both business and technical needs. This "roadmap" provides a way of interpreting complex, often confusing, compliance requirements within the larger scope of an organization's overall needs.

Key Features:

* The ultimate guide to making an effective security policy and controls that enable monitoring and testing against them
* The most comprehensive IT compliance template available, giving detailed information on testing all your IT security, policy and governance requirements
* A guide to meeting the minimum standard, whether you are planning to meet ISO 27001, PCI-DSS, HIPAA, FISCAM, COBIT or any other IT compliance requirement
* Both technical staff responsible for securing and auditing information systems and auditors who wish to demonstrate their technical expertise will gain the knowledge, skills and abilities to apply basic risk analysis techniques and to conduct a technical audit of essential information systems from this book
* This technically based, practical guide to information systems audit and assessment shows how the process can be used to meet myriad compliance issues
Author(s): Craig S. Wright
Year: 2008
Language: English
Pages: 750
Lead Author......Page 2
Technical Editors......Page 3
Introduction to IT Compliance......Page 4
Introduction......Page 5
Job Roles and Responsibilities......Page 6
Audit......Page 8
Penetration Tests and Red Teaming......Page 9
Ethical Attacks......Page 10
Black and White Box Testing......Page 11
Data Conversion......Page 12
The Taxonomy......Page 13
The Decision Test of the Process......Page 14
Key Concepts......Page 16
General Controls......Page 17
IT Governance......Page 18
Ethics......Page 19
Planning......Page 20
The Program—Criteria for Defining Procedures......Page 21
Purpose and Scope of the Report......Page 22
CISA......Page 23
FISCAM......Page 24
Summary......Page 26
Evolution of Information Systems......Page 27
Introduction......Page 28
The Threat Scene......Page 29
Threats......Page 30
Low......Page 31
Definition Matrix......Page 32
Targeted Attacks......Page 34
Common Criminals......Page 35
Methods of Attack......Page 36
Unobtrusive Public Research......Page 37
System Break-Ins......Page 38
Denial-of-Service (DoS) Attacks......Page 39
Flooding Attacks......Page 40
Trojans......Page 41
Policy > Procedure > Audit......Page 42
Summary......Page 43
The Information Systems Audit Program......Page 44
Audit Checklists......Page 45
Baselines and Automation......Page 46
Standards and Ethics......Page 47
Protection Testing or Internet Assessments......Page 48
Server Operating System Security Analysis......Page 49
Social Engineering......Page 50
BCP/DR Testing: Disaster Readiness Assessment......Page 51
What is Covered in a BCP/DR Review?......Page 52
Criteria for Defining Procedures......Page 53
The Final Report......Page 54
Executive Summary......Page 55
Security Management Model......Page 56
Summary......Page 59
Planning......Page 60
Planning the Audit......Page 61
Communicating Results......Page 62
Information Sensitivity and Criticality Assessment......Page 63
Security Supporting Functions Review......Page 64
Security Enforcing Functions Review......Page 65
Scope......Page 66
Statement of Purpose/Scope......Page 67
Audit Planning......Page 68
Planning Scope......Page 69
Scope Also Covers Time......Page 71
Summary......Page 73
Information Gathering......Page 74
Information Asset Identification......Page 75
A Review of an Organization’s Security Enforcement Functions......Page 76
Internal and External Standards......Page 77
How to Characterize Your Organization......Page 78
Administrative Steps......Page 79
What Happens if Documentation Is Incomplete or Unavailable?......Page 80
Profile Matrix......Page 81
Risk Factoring......Page 82
Difficult......Page 84
Critical/Major Applications......Page 85
Concept of Operations Brief......Page 86
Detailed Configuration Documentation......Page 87
System Security Policy and Administrative Security......Page 88
Media Security......Page 89
Operational Support Procedures......Page 90
System Backup Procedures......Page 91
Contingency Plans......Page 92
Category 3: Successful Attempts to Subvert the System......Page 93
General Background Information......Page 94
Identify LAN products used......Page 95
Review duties and responsibilities of administrators for proper network security......Page 96
Review system documentation......Page 97
Internal Controls Review......Page 98
Review Audit Trails......Page 99
All That Information......Page 100
User Name Harvesting......Page 101
More on Planning......Page 102
Audit Strategy......Page 103
Password Management......Page 104
Password Cracking and Guessing......Page 106
Password Guessing......Page 107
Access Control Techniques and Types......Page 108
Lattice-Based Access Control......Page 110
Bell LaPadula......Page 111
Biba and Clark Wilson......Page 112
Terms and Definitions......Page 113
Notes......Page 115
Security Policy Overview......Page 116
SMART......Page 117
Specific......Page 118
Time-Based......Page 119
The Policy Life Cycle Process......Page 120
What’s What?......Page 121
The Mission Statement......Page 122
Policy......Page 123
Standard......Page 124
Process or Procedure......Page 125
Interpreting Policy as an Auditor......Page 126
System Audit Considerations......Page 127
Various Levels of Policy and their Functions......Page 128
Overview or Executive Summary......Page 130
Compliance or Enforcement......Page 131
Developing a Security Policy......Page 132
The Use of the English Language in Policy Should Be Simple......Page 133
Software Security......Page 134
Information Security Policy......Page 135
User Training......Page 136
Protection from Malicious Software......Page 137
Computer Access Control......Page 138
Business Continuity Planning......Page 139
SANS SCORE......Page 140
Overview......Page 141
General Use and Ownership......Page 142
System and Network Activities......Page 143
Enforcement......Page 145
More Information......Page 146
Summary......Page 148
Policy Issues and Fundamentals......Page 149
Specific......Page 150
Timely......Page 151
Employees......Page 152
Policy Creation......Page 153
Incident Handling......Page 154
Standards and Compliance......Page 155
Third-Party and Government Reviews......Page 156
Human Resource (HR) Issues......Page 157
Draft a Policy......Page 158
Summary......Page 159
Assessing Security Awareness and Knowledge of Policy......Page 160
Security Awareness and Training......Page 161
Awareness Programs Need to Be Implemented......Page 163
Resources......Page 164
Motivation......Page 165
Development and Implementation of the Program......Page 166
Periodic Evaluations......Page 167
Education and Professional Development......Page 168
Training Description and Scope......Page 169
Definition of Workshop......Page 170
Guidelines for Use of Tools......Page 171
Background......Page 172
There Is also the Human Element......Page 173
What Is Information Security......Page 174
Threats: Slide 7......Page 175
Disgruntled Employees......Page 176
Environmental/Natural......Page 177
Targets: Slide 18–19......Page 178
Information Security Procedures......Page 179
Frequently Asked Questions......Page 180
People Are Important Too......Page 181
Security Breaches......Page 182
Accidental Breaches......Page 183
Operate A Clean Desk Policy......Page 184
“Borrowing” Software......Page 185
Bringing Your Own Home Computer To The Office......Page 186
Identification Techniques......Page 187
System Improvement Monitoring and Checks......Page 188
System Maintenance......Page 189
Testing Knowledge and Security Awareness......Page 190
Sample Managerial Assessment Interview Questionnaire......Page 191
Notes......Page 193
An Introduction to Network Audit......Page 194
NMAP: The King of Network Port Scanners......Page 195
Network Mapping......Page 196
Premapping Tasks......Page 197
Auditing Perimeter Defenses......Page 200
Auditing Routers, Switches, and Other Network Infrastructure......Page 201
What a Cracker Does......Page 202
Phase 2: System Design, Configuration and Support Vulnerability Assessment......Page 203
Phase 4: The Attack......Page 204
Protection Testing?......Page 205
Phone Line Scanning......Page 206
Social Engineering......Page 207
Nessus......Page 208
Using this feature to scan your network in background......Page 209
Using the Nessus Client......Page 210
Using this feature to test your network automatically every “X” hours......Page 218
Using this feature to keep one’s KB up-to-date......Page 219
Before You Start nessusd, Ensure That Sendmail is in Your $PATH !......Page 221
How to Use It......Page 222
More Reading......Page 223
Essential Net Tools (EST)......Page 224
Cerberus Internet Scanner......Page 225
Summary......Page 226
Auditing Cisco Routers and Switches......Page 227
Modes of Operation......Page 228
How a Router Can Play a Role in Your Security Infrastructure......Page 229
Understanding the Auditing Issues with Routers......Page 230
Console Ports......Page 231
Controlling VTYs and Ensuring VTY Availability......Page 232
Common Management Services......Page 233
Logging......Page 234
Sample Router Architectures in Corporate WANs......Page 235
Router Audit Tool (RAT) and Nipper......Page 240
How RAT Works......Page 241
How to Install RAT......Page 242
How to Run RAT......Page 247
RAT Configuration Options......Page 253
Options Affecting Rule Selection and Reporting......Page 254
Options for Selecting RAT Configuration files......Page 255
Nipper......Page 256
Using Nipper......Page 257
Using the Command Line......Page 260
Modifying the nipper.ini File......Page 261
Cisco Output Interpreter......Page 263
Security Access Controls Performed by a Router......Page 264
Security of the Router Itself and Auditing for Router Integrity......Page 265
Router Audit Steps......Page 267
Sample Commands......Page 268
Cisco Router Check Lists......Page 270
Summary......Page 271
Testing the Firewall......Page 272
Introduction......Page 273
Firewall Configuration......Page 274
Working with Firewall Builder......Page 276
Building or Only Testing......Page 277
Conflicting Rules......Page 281
Testing the Firewall Rulebase......Page 282
Identifying Vulnerabilities......Page 283
Using nmap......Page 285
Using hping2......Page 288
Validated Firewalls......Page 289
Creating Your Checklist......Page 291
CIS (Center for Internet Security)......Page 292
NSA, NIST and DISA......Page 293
Summary......Page 294
Auditing and Security with Wireless Technologies......Page 295
WLAN and Wi-Fi......Page 296
Analyzing 802.11 traffic......Page 297
Investigating Rogue WLANs......Page 299
Conducting Wireless Site Surveys......Page 300
Using Maps to Document Wireless Signal Leakage......Page 301
Avoiding RF Interference......Page 302
Common Misconceptions with Wireless Security......Page 303
Passive WLAN Traffic Sniffing – from TCPDump to Kismet......Page 304
AP Fingerprinting using Nessus......Page 305
Triangulation Techniques for Locating Transmitters......Page 306
PrismStumbler......Page 307
BTScanner......Page 308
Detection......Page 309
Wireless-Side Analysis - Wireless LAN IDS......Page 310
Open-source and Commercial Tools for WLAN Monitoring......Page 311
Running Kismet......Page 312
KISMET WLAN IDS support......Page 315
NetStumbler......Page 316
The Backtrack Network Security Suite Linux Distribution......Page 320
Summary......Page 321
Analyzing the Results......Page 322
Creating Network Maps......Page 323
ScanPBNJ default scan options......Page 324
NDIFF......Page 325
Identifying Vulnerabilities......Page 326
Using Nmap......Page 327
Prioritizing Vulnerability Fixes......Page 328
NAC (Network Access Control)......Page 329
Benefits of Periodic Network Mapping......Page 330
Configuration Auditing of Key Network Services (DNS, SMTP, etc.)......Page 333
Mail Relays......Page 335
Recursive......Page 337
Split-Split DNS......Page 338
Note......Page 341
An Introduction to Systems Auditing......Page 342
Introduction......Page 343
There Are Few Limits......Page 344
Turning Off Unnecessary Services......Page 345
Configuring AutoScan......Page 346
Tripwire......Page 347
Failures to Patch......Page 348
Details......Page 350
Secured Zones and Appropriate Levels of Security......Page 351
Security of organization Property Off-Premises......Page 352
Operations Log......Page 353
Outsourcing Management......Page 354
IT Change Control......Page 355
Malware Protection......Page 356
Operations Backup Logs......Page 357
Security of System Documentation......Page 358
Education & Training......Page 359
Default and System Passwords......Page 360
Software Copyright......Page 361
Audit Logging and Reporting......Page 362
Reporting of Security Weaknesses and Incidents......Page 363
Password-Cracking Tools......Page 364
Summary......Page 365
Database Auditing......Page 366
Database Security......Page 367
Update, Delete, and Insert Triggers......Page 368
Auditing Changes to the Database Structure......Page 369
Check for Users Sharing Database Accounts......Page 370
Integrity Controls......Page 371
Authorization Rules......Page 372
Client Service Security and Databases......Page 373
Automated Database Audit Solutions......Page 374
Data Access Auditing......Page 376
Specialized Audit software......Page 377
CASE (Computer-Aided Software Engineering) Tools......Page 378
Introduction to SQL......Page 382
Database......Page 383
Remote Testing......Page 384
SANS......Page 386
Microsoft SQL checks......Page 387
Summary......Page 388
Microsoft Windows Security and Audits......Page 389
Basic System Information......Page 390
Somarsoft DumpSec......Page 391
Somarsoft Hyena......Page 394
Belarc Advisor......Page 401
Microsoft Baseline Security Analyzer (MBSA)......Page 403
How to Scan for Patch Levels Using MBSA......Page 406
For the Security Update Checks......Page 407
Qfecheck and Hotfix Reports......Page 408
Downloading and Installing Qfecheck......Page 409
Using Qfecheck......Page 410
Using System Information......Page 411
Using the MMC......Page 412
Using the Command Line......Page 413
TCPView......Page 415
Using TCPView......Page 416
Using Tcpvcon......Page 417
PsTools Suite......Page 418
Using PsTools......Page 419
Running PsTools in the local host......Page 420
Using Add or Remove Programs......Page 421
Security Configuration......Page 422
Microsoft Management Console (MMC)......Page 423
Customizing the Display of Snap-ins in the Console: New Windows......Page 425
How to Run SCA......Page 429
Creating and using template databases with SCA......Page 430
Scanning System Security......Page 432
Using Local Security Policy (LSP)......Page 435
Group policy Management......Page 436
How to use Active Directory......Page 437
Using Group Policy......Page 439
Using Resultant Set of Policy (RSoP)......Page 443
Patch Installation......Page 446
Windows Software Update Services (WSUS)......Page 447
DAD......Page 448
Windows Log Files......Page 450
Windows Scripting Tools......Page 452
WMIC......Page 453
Creating Your Checklist......Page 454
Considerations in Windows Auditing......Page 455
Summary......Page 457
Auditing UNIX and Linux......Page 459
Introduction......Page 460
The Need for Patches......Page 461
Obtaining and Installing System Patches......Page 462
Validating the Patch Process......Page 463
Failures to Patch......Page 465
Example Information Systems Security Patch Release Procedures......Page 466
Vendor Contacts/Patch Sources......Page 467
Guidance for Network Services......Page 468
RPC and Portmapper......Page 469
Controlling Services at Boot Time......Page 470
Authentication and Validation......Page 471
Syslog and Other Standard Logs......Page 474
Connect Session Statistics......Page 476
Disk Space Utilization......Page 477
Automatic Accounting Commands......Page 478
Manually Executed Commands......Page 479
File System Access Control......Page 480
User-Level Access......Page 482
ls or the List command......Page 483
Blocking Accounts, Expiration, etc.......Page 484
Additional Security Configuration......Page 485
Use tcpd to limit access to your machine......Page 486
Lsof......Page 487
Ps......Page 488
Solaris Kernel Parameters......Page 489
IP Parameters......Page 490
TCP Parameters......Page 491
Security for the cron System......Page 492
Compressing and uncompressing tar images......Page 493
Tricks and Techniques......Page 494
Arudius......Page 495
Building Your Own Auditing Toolkit......Page 496
Using the Distribution......Page 497
Hardware Integrity......Page 498
Finer Points of Find......Page 499
Output Options......Page 501
A Summary of the Find Command......Page 502
What Tools to Use......Page 503
SANS......Page 504
NSA, NIST and DISA......Page 505
Network Security......Page 506
Account Security......Page 507
Notes......Page 508
Auditing Web-Based Applications......Page 509
Sample Code......Page 510
An Introduction to HTTP......Page 512
Limitations with the Web Browser......Page 513
HTTP Digest Authentication......Page 514
Get vs. Post......Page 516
Session Cookie (Memory Based)......Page 517
Cookie Headers......Page 518
What is a Web Bug?......Page 519
Information-Gathering Attacks......Page 520
Resource Exhaustion......Page 522
OS and Web Server Weaknesses......Page 523
Too Few Layers......Page 524
Buffer Overflows......Page 525
Session Tracking and Management......Page 526
Session Re-Authentication......Page 527
Unexpected User Input......Page 528
OWASP 2007 Top 10......Page 529
9 - Insecure Communications......Page 530
Best Practice Resources......Page 531
WebScarab Web Auditing Tool......Page 532
Fuzzing......Page 534
ASCII......Page 535
HEX......Page 536
XSS References......Page 537
XSS (Cross Site Scripting) Cheat Sheet......Page 538
DNS Rebinding Attacks......Page 539
What is the Same-Origin Policy?......Page 540
What Is DNS Pinning?......Page 541
Anti-DNS Pinning (Re-Binding)......Page 543
Anti Anti Anti DNS Pinning......Page 545
Varieties of DNS Rebinding attacks......Page 546
CNiping (Pronounced “Sniping”)......Page 547
JSON......Page 548
Defending Against DNS Rebinding......Page 549
Splogging......Page 550
Defenses......Page 551
NSA, NIST and DISA......Page 552
IIS Specific Information for the Checklist......Page 553
Scanning......Page 554
Other Systems......Page 555
Mainframes and Legacy Systems......Page 556
What Is a Mainframe?......Page 557
Legacy Systems......Page 558
Reviewing Legacy and Mainframe Systems......Page 559
LPAR (Logical Partition)......Page 561
Model......Page 562
UML and Processes......Page 563
Further information about UML......Page 564
White box testing......Page 565
Unit testing......Page 566
Test Development......Page 567
Encryption......Page 568
Summary......Page 570
Risk Management, Security Compliance, and Audit Controls......Page 571
System......Page 572
Risk Analysis......Page 573
Risk Management, Security Compliance and Audit Controls......Page 574
Quantitative......Page 575
Total Value......Page 576
Qualitative Risk......Page 577
Threats......Page 578
FMECA Analysis......Page 579
Two Tree Types......Page 580
Hardware Theft......Page 581
Vandalize Hardware......Page 582
Disrupt Network Traffic......Page 583
Gain Root Access......Page 585
Goal 1: Intercept a network connection for a particular user......Page 587
Risk Dynamics......Page 588
Monte Carlo Method......Page 589
Crystal Ball......Page 590
Creating an Information Systems Risk Program......Page 591
Risk Assessment......Page 592
The Assessment Process......Page 593
Threat Assessment......Page 594
Known Deficiencies......Page 595
Risk Management is an Issue for Management, not Technology......Page 596
Risk Summary......Page 597
Counter Strategy and Counter Measures......Page 598
Business Impact Analysis......Page 599
Data Classification......Page 600
Notes......Page 601
Information Systems Legislation......Page 602
Civil and Criminal Law......Page 603
Legal Requirements......Page 604
Contracts......Page 605
Problems with Electronic Contracting......Page 606
E-mail......Page 607
The Postal Acceptance Rule......Page 608
World Wide Web......Page 609
Invitation to Treat, Offers and Acceptance......Page 610
Electronic Signatures......Page 612
Electronic Agency Issues......Page 613
Jurisdiction......Page 614
Crime (Cybercrime)......Page 615
Electronic Espionage......Page 616
Activity Monitor......Page 617
Spy Tool: SpyBuddy......Page 618
Data Protection......Page 619
Inciting Racial Hatred......Page 620
Defamation......Page 621
Mail Bombing......Page 624
Distributing a Virus or Other Malware......Page 625
Defamation and Injurious Falsehood......Page 626
Harassment and Cyber Stalking......Page 627
Pornography and Obscenity......Page 628
Child Pornography and Obscenity......Page 629
Privacy......Page 631
Searches and the Fourth Amendment......Page 632
Anton Piller (Civil Search)......Page 633
Intellectual Property......Page 634
Copyright......Page 635
Investigating Copyright Status......Page 637
Trademark Infringement......Page 638
Patents and Patent Infringement......Page 639
Evidence Law......Page 640
Remedy in Tort and Civil Suits......Page 641
Cyber Negligence......Page 642
Civil Liability......Page 644
Criminal Liability......Page 646
Reporting an Incident......Page 647
Introduction to Document Management Policy......Page 648
Applications to Internal Audit......Page 649
Minimum Document Retention Guidelines......Page 650
The Sarbanes-Oxley Act......Page 651
Acceptable Use Policies......Page 652
Reviewing and Auditing Contracts......Page 653
Prevention Is the Key......Page 654
Notes......Page 655
Operations Security......Page 665
The Concepts of Organizational OPSEC (Operation Security)......Page 666
Administrative Management......Page 668
Fraud......Page 669
The Fraud Triangle......Page 670
Preventative Controls......Page 671
Input Controls......Page 672
Patch Management......Page 673
Configuration Change Management (CCM)......Page 674
Resource Protection......Page 675
Nonrepudiation......Page 676
Operational Controls......Page 677
Hardware Physical Control......Page 678
Intrusion Detection......Page 679
Incident Handling......Page 680
Follow-up Analysis......Page 681
Audit Trails......Page 682
Monitoring and Logging......Page 683
Clipping Level......Page 684
Notes......Page 685
A......Page 686
C......Page 688
D......Page 690
E......Page 691
F......Page 692
H......Page 693
I......Page 694
M......Page 696
N......Page 697
O......Page 698
P......Page 699
R......Page 700
S......Page 701
T......Page 703
V......Page 704
W......Page 705
X......Page 706