Security Auditing: A New Practice Opportunity - PowerPoint PPT Presentation
1
Security Auditing A New Practice Opportunity
  • presented by
  • Jeffrey M. Zalusky, CISA
  • Centerprise Advisors IT Risk Management Services
    Group

November 4, 2002, Charleston, SC
2
Session objectives
  • IT security field: 30,000-foot view
  • Security practice primer
  • Security auditing vs. security testing
  • Anatomy of a p-test
  • Key tools and resources
  • Certification programs
  • What's next?

3
1.1 IT security field: 30,000-foot view
  • Very different skill (and mind) sets needed
  • Not a true commodity market yet
  • Still viewed as discretionary by buyers
  • Too many views on threats and approaches
  • For CPA firms in the post-Enron era: defining
    services in terms of consulting vs. auditing
  • Background economy NOT helping!

4
1.2 IT security spending trends
Source: FactSet (via JP Morgan)
5
1.3 IT security threat trends
  • In a word: up
  • Sample statistic: 31,709 digital assaults through
    August, more than in all of 2001
  • Increasing technical complexity
  • False solutions and no real fixes
  • Increasing regulatory pressure
  • leads to increasing opportunity

6
1.4 Success factors for security practices
  • Objectivity and native skepticism
  • Strong, varied experience and technical skills
  • Healthy paranoia regarding root causes of risk
  • High level of trust, both inside and out
  • Credibility in security space
  • Ability to scale
  • Flexible response to client needs

7
2.1 Security practice primer
  • Understand that security is a PROCESS!
  • Dedicate IT professionals to security/audit
  • Commit to certification-oriented CPE
  • Expect to pay a premium
  • Emphasize non-traditional incentives
  • Embrace non-conformity in the workplace
  • Define practice standards and methodology

8
2.2 Skill sets
  • Know your services, ports and protocols
  • Avoid O/S or other platform dependence
  • Also avoid blind advocacy
  • Open Source vs. Industry Standard
  • Degree vs. real-world experience

9
2.3 Practical considerations
  • Test lab essential
  • Air-gapped access to the Internet
  • Hooks to academia desirable
  • Prepare for unusual working hours/habits
  • Clearly-stated engagement scope and terms

10
3.1 Security auditing
  • Security audit defined
    • Broad-based assessment of security controls as
      intended and actually deployed, measured against
      defined objectives
  • Focus
    • Identify weaknesses in controls that could
      introduce risk if not mitigated
  • Deliverable
    • Report of Findings and Recommendations

11
3.2 Security testing
  • Penetration test and analysis defined
    • Point-in-time test of the operational
      effectiveness of in-place defenses against
      specific attacks attempted by specific attackers
  • Focus
    • Find a way into the network, locate a vulnerable
      host, exploit the vulnerability, gain control,
      (test incident response capability)
  • Deliverable
    • Summary of results, with backup details of
      testing performed, hosts enumerated,
      vulnerabilities found, exploits attempted and
      what succeeded

12
4.1 Anatomy of a p-test
  • Basic approach: Hacking Exposed
  • Follow structured rules of engagement
  • Document everything that happens
  • External testing: perimeter, modem, wireless
  • Internal testing: authorized intruder

13
5.1 Key tools and resources
  • Security standards
  • Assessment and recommendation toolkits
  • Security test utilities
  • Professional/educational organizations

14
5.2 Security standards
  • RFC: http://www.ietf.org/rfc.html
  • DoD: http://iase.disa.mil/policy.html
  • NSA: http://www.nsa.gov/snac/index.html
  • BS 7799: http://www.iso17799-made-easy.com/
  • NIST: http://niap.nist.gov/tools/cctool.html
  • CVE: http://cve.mitre.org

15
5.3 Assessment and recommendation toolkits
  • NIST: http://csrc.nist.gov/asset/
  • NSA: http://www.nsa.gov/snac/index.html
  • CERT: http://www.cert.org/octave
  • DoD: STIGs (if you can get 'em)
  • CIS: http://www.cisecurity.org
  • also: http://www.securityfocus.com,
    http://www.sans.org

16
5.4 Security test utilities
  • Nessus (1.2.6): http://www.nessus.org/
  • nmap (3.00): http://www.insecure.org
  • netcat (1.10): http://www.atstake.com
  • cheops (ng): http://cheops-ng.sourceforge.net/
  • PhoneSweep (4.4): http://www.phonesweep.com

17
5.5 Professional/educational organizations
  • ISACA: http://www.isaca.org
  • SANS: http://www.sans.org
  • ISSA: http://www.issa.org
  • Usenix: http://www.usenix.org
  • MISTI: http://www.misti.com
  • ISC2: http://www.isc2.org

18
6.1 Certification programs
  • ISACA: CISA (Certified Information Systems
    Auditor), CISM (Certified Information Security
    Manager)
  • ISC2: CISSP (Certified Information Systems
    Security Professional), SSCP (Systems Security
    Certified Practitioner)
  • CompTIA: Security+
  • SANS: GIAC (Global Information Assurance
    Certification)

19
6.2 More on SANS GIAC
  • GIAC Security Essentials Certification (GSEC)
  • GIAC Certified Firewall Analyst (GCFW)
  • GIAC Certified Intrusion Analyst (GCIA)
  • GIAC Certified Incident Handler (GCIH)
  • GIAC Certified Windows Security Administrator
    (GCWN)
  • GIAC Certified UNIX Security Administrator (GCUX)
  • GIAC Information Security Officer - Basic (GISO -
    Basic)
  • GIAC Systems and Network Auditor (GSNA)
  • GIAC Certified Forensic Analyst (GCFA)
  • GIAC Information Security for Auditors Kickstart
    (GIAK)

20
7.1 What's next?
  • SACteam™ approach
  • Security focus: first traffic, then content
  • Introducing ACE
  • Other opportunities

21
7.2 SACteam™ approach
  • Security is a process
  • Security is just one piece of the puzzle
  • Security may not be the greatest risk
  • Back to Basics: a focus on internal controls is
    needed
  • Compliance-oriented strategy is key

22
7.3 Current state of attack methodology
  • Packets can now be managed successfully to
    minimize risk of attack via data traffic
  • Only certain kinds of malicious content can be
    similarly managed as of now
  • Fundamental problem: how to establish controls
    to prevent a legitimate, authorized user from
    committing detrimental acts

23
7.4 Auditing Compliance Engine
  • Securify offers a platform for designing and
    monitoring effective security policy via data
    traffic analysis
  • The SACteam™ offers professional IT audit
    services to establish the policy baseline needed
    to meet specific compliance requirements

24
7.5 Securify Enterprise
25
7.6 Other product/service opportunities
  • Security design/engineering
  • PKI
  • Physical security
  • Computer-based forensics
  • ISO 17799 certification/implementation