
Information Systems Security Assessment Framework

Information Systems Security Assessment Framework (ISSAF) draft

TABLE OF CONTENTS

1 EXECUTIVE SUMMARY .. 15
2 ABOUT .. 18
3 THE FRAMEWORK .. 26
4 ENGAGEMENT .. 39
5 GOOD PRACTICES - PRE ASSESSMENT, ASSESSMENT AND POST ASSESSMENT .. 55
6 RISK ASSESSMENT .. 89
7 ENTERPRISE INFORMATION SECURITY POLICY .. 107
8 ENTERPRISE INFORMATION SECURITY ORGANIZATION & MANAGEMENT .. 121
9 ENTERPRISE SECURITY & CONTROLS ASSESSMENT .. 131
PERSONNEL SECURITY .. 132
TECHNICAL CONTROLS AND SECURITY ASSESSMENT .. 134
A UNDERSTANDING ASSESSMENT .. 135
B PENETRATION TESTING METHODOLOGY .. 136
C PENETRATION TESTING METHODOLOGY, PHASE-II EXPLAINED .. 147
D HANDLING FALSE DETECTION RATES .. 290
-- NETWORK SECURITY .. 293
E PASSWORD SECURITY TESTING .. 294
F SWITCH SECURITY ASSESSMENT .. 359
G ROUTER SECURITY ASSESSMENT .. 394
H FIREWALL SECURITY .. 436
I INTRUSION DETECTION SYSTEM SECURITY .. 483

©2005, Open Information Systems Security Group. Page 2 of 1263.
Information Systems Security Assessment Framework (ISSAF) draft 0.2 - TABLE OF CONTENTS



J VPN SECURITY ASSESSMENT .. 506
K ANTI-VIRUS SYSTEM SECURITY ASSESSMENT AND MANAGEMENT STRATEGY .. 516
L STORAGE AREA NETWORK (SAN) SECURITY .. 530
M WLAN SECURITY .. 539
N INTERNET USER SECURITY .. 560
O AS 400 SECURITY .. 566
P LOTUS NOTES .. 592
-- HOST .. 597
Q UNIX/LINUX SYSTEM SECURITY .. 598
R WINDOWS SYSTEM SECURITY ASSESSMENT .. 636
S NOVELL NETWARE SECURITY ASSESSMENT .. 705
T WEB SERVER SECURITY ASSESSMENT .. 707
-- APPLICATION .. 718
U WEB APPLICATION SECURITY ASSESSMENT .. 719
V WEB APPLICATION SECURITY ASSESSMENT (CONTINUED) - SQL INJECTIONS .. 780
W SOURCE CODE AUDITING .. 808
X BINARY AUDITING .. 830
Y APPLICATION SECURITY EVALUATION CHECKLIST .. 831
-- DATABASE SECURITY .. 834
Z DATABASE SECURITY .. 835
10 PHYSICAL SECURITY ASSESSMENT .. 884
11 SOCIAL .. 891
12 ENTERPRISE SECURITY OPERATIONS .. 917
13 ENTERPRISE CHANGE .. 947
14 ENTERPRISE SECURITY .. 1034
15 ENTERPRISE INCIDENT MANAGEMENT .. 1045
16 OUTSOURCING SECURITY CONCERNS .. 1055
17 BUSINESS CONTINUITY .. 1056
18 LEGAL AND REGULATORY COMPLIANCE .. 1087
ANNEXURE - KNOWLEDGE .. 1096
1 TEMPLATES AND OTHERS .. 1097
2 BUILD FOUNDATION .. 1141
3 PENETRATION TESTING LAB .. 1166
4 HANDLING FALSE DETECTION RATES .. 1176
5 WINDOWS (DESKTOP) SECURITY .. 1197
6 LINUX SECURITY CHECKLIST .. 1203
7 SOLARIS SECURITY .. 1206
8 .. 1227
9 TEAM .. 1255
10 FEEDBACK FORM .. 1261

1 EXECUTIVE SUMMARY .. 15
2 ABOUT .. 18
PREFACE .. 18
TARGET AUDIENCE .. 21
TEAM .. 22
DOCUMENT STRUCTURE .. 23
DISCLAIMER .. 25
LICENSING .. 25
3 THE FRAMEWORK .. 26
PHASE I - PLANNING .. 28
PHASE II - ASSESSMENT .. 31
PHASE III - TREATMENT .. 36
PHASE IV .. 36
PHASE V .. 38
4 ENGAGEMENT .. 39
ENGAGEMENT EXECUTIVE OVERVIEW .. 39
OBJECTIVE .. 39
APPROACH .. 40
ENGAGEMENT SCOPE .. 40
ENGAGEMENT KICKOFF MEETING (INTERNAL) .. 41
COMMUNICATIONS PLAN .. 42
ENGAGEMENT KICKOFF DISCUSSION WITH CLIENT .. 43
SAMPLE STATUS .. 44
ISSUE ESCALATION PLAN .. 46
DEVELOP AN ENGAGEMENT PLAN AND SEND IT TO CUSTOMER FOR UPDATE .. 46
SET MILESTONES AND TIMELINES .. 46
ENGAGEMENT SCHEDULE .. 47
DELIVERABLES PRODUCED .. 47
ENGAGEMENT ESTIMATED EFFORT/COST/DURATION (COST OPTIONAL) .. 47
ENGAGEMENT ASSUMPTIONS .. 49
ENGAGEMENT RISKS .. 49
ENGAGEMENT APPROACH .. 50
ENGAGEMENT ORGANIZATION (ASSESSMENT TEAM & CLIENT) .. 50
RESPONSIBILITY MATRIX .. 51
SIGN-OFF SHEET .. 51
ANNEXURE - ASSESSMENT ADMINISTRATION ROADMAP .. 52
5 GOOD PRACTICES - PRE ASSESSMENT, ASSESSMENT AND POST ASSESSMENT .. 55
PHASE I: .. 61
PHASE II: ASSESSMENT .. 79
PHASE III: POST ASSESSMENT .. 82
6 RISK ASSESSMENT .. 89
BACKGROUND .. 89
METHODOLOGY .. 92
RISK ASSESSMENT TOOL .. 101
RISK ASSESSMENT METHODOLOGY EVALUATION .. 105
7 ENTERPRISE INFORMATION SECURITY POLICY .. 107
INTRODUCTION .. 107
PRE-REQUISITE .. 107
OBJECTIVE .. 107
ASSESSMENT .. 107
ASSESSMENT QUESTIONNAIRE - NARRATIVE .. 110
8 ENTERPRISE INFORMATION SECURITY ORGANIZATION & MANAGEMENT .. 121
INTRODUCTION .. 121
PRE-REQUISITE .. 121
OBJECTIVE .. 121
ASSESSMENT .. 121
ASSESSMENT QUESTIONNAIRE - NARRATIVE .. 124
9 ENTERPRISE SECURITY & CONTROLS ASSESSMENT .. 131
PERSONNEL SECURITY .. 132
INTRODUCTION .. 132
PRE-REQUISITE .. 132
OBJECTIVE .. 132
ASSESSMENT .. 132
TECHNICAL CONTROLS AND SECURITY ASSESSMENT .. 134
A UNDERSTANDING ASSESSMENT .. 135
B PENETRATION TESTING METHODOLOGY .. 136
PHASE I: PLANNING AND PREPARATION .. 136
PHASE II: ASSESSMENT .. 136
INFORMATION .. 138
NETWORK MAPPING .. 138
VULNERABILITY IDENTIFICATION .. 139
PENETRATION .. 139
GAINING ACCESS AND PRIVILEGE ESCALATION .. 140
ENUMERATING FURTHER .. 141
COMPROMISE REMOTE USERS/SITES .. 142
MAINTAINING ACCESS .. 142
COVER THE TRACKS .. 143
AUDIT (OPTIONAL) .. 145
PHASE III: REPORTING, CLEAN UP & DESTROY .. 145
.. 145
VERBAL .. 145
FINAL REPORTING .. 145
CLEAN UP AND DESTROY ARTIFACTS .. 146
C PENETRATION TESTING METHODOLOGY, PHASE-II EXPLAINED .. 147
INFORMATION GATHERING .. 148
PASSIVE INFORMATION GATHERING .. 151
ACTIVE INFORMATION GATHERING .. 183
NETWORK MAPPING (SCANNING, OS FINGERPRINTING AND ENUMERATION) .. 208
VULNERABILITY ASSESSMENT (IDENTIFICATION) .. 248
PENETRATION .. 255
GAINING ACCESS AND PRIVILEGE ESCALATION .. 255
ENUMERATING FURTHER .. 257
COMPROMISE REMOTE USERS/SITES .. 257
MAINTAINING .. 259
COVERING THE TRACKS .. 275
AUDIT (OPTIONAL) .. 289
D HANDLING FALSE DETECTION RATES .. 290
-- NETWORK SECURITY .. 293
E PASSWORD SECURITY TESTING .. 294
FIRST PART: GATHERING AUTHENTICATION .. 294
STEP ONE: NETWORK AUTHENTICATION CREDENTIALS GATHERING AS AN OUTSIDER PENETRATION TESTER (LOW PRIVILEGE) .. 296
STEP ONE: NETWORK AUTHENTICATION CREDENTIALS GATHERING AS AN OUTSIDER PENETRATION TESTER (LOW PRIVILEGE) .. 297
PROCESS (STEPS TO COMPLETE THIS TASK) .. 297
EXAMPLE USES OF COMMON TESTING TOOL(S) .. 298
RESULT ANALYSIS / CONCLUSION / OBSERVATION .. 301
COUNTERMEASURES .. 301
FURTHER READING (LINKS) .. 302
CONTRIBUTORS .. 302
STEP TWO: NETWORK AUTHENTICATION CREDENTIALS GATHERING AS AN INSIDER PENETRATION TESTER (LOW PRIVILEGE) .. 302
DESCRIPTION .. 302
OBJECTIVE .. 302
EXPECTED RESULTS .. 303
PROCESS (STEPS TO COMPLETE THIS TASK) .. 303
EXAMPLE USES OF COMMON TESTING TOOL(S) .. 304
RESULT ANALYSIS / CONCLUSION / OBSERVATION .. 305
COUNTERMEASURES .. 305
FURTHER READINGS (LINKS) .. 306
CONTRIBUTOR(S) .. 306
STEP THREE: LOCAL HOST AUTHENTICATION CREDENTIALS GATHERING AS AN INSIDER PENETRATION TESTER (LOW PRIVILEGE) .. 307
DESCRIPTION .. 307
OBJECTIVE .. 307
EXPECTED RESULTS .. 307
PROCESS .. 307
EXAMPLE .. 308
RESULTS ANALYSIS / CONCLUSION / OBSERVATION .. 310
COUNTERMEASURES .. 310
FURTHER READING (LINKS) .. 311
CONTRIBUTOR(S) .. 311
STEP FOUR: NETWORK AUTHENTICATION CREDENTIALS GATHERING AS AN OUTSIDER ADMINISTRATOR (HIGH PRIVILEGE) .. 312
DESCRIPTION .. 312
OBJECTIVE .. 312
EXPECTED RESULTS .. 312
PROCESS .. 313
EXAMPLE .. 314
ANALYSIS .. 314
COUNTERMEASURE(S) .. 314
FURTHER READING .. 315
CONTRIBUTOR(S) .. 315
STEP FIVE: NETWORK AUTHENTICATION CREDENTIALS GATHERING AS AN INSIDER ADMINISTRATOR (HIGH PRIVILEGE) .. 316
DESCRIPTION .. 316
OBJECTIVE .. 316
EXPECTED RESULTS .. 316
PROCESS .. 316
EXAMPLE .. 316
RESULTS .. 316
COUNTERMEASURE(S) .. 317
FURTHER READING .. 317
COUNTERMEASURE(S) .. 317
STEP SIX: LOCAL HOST AUTHENTICATION CREDENTIALS GATHERING AS AN ADMINISTRATOR (HIGH PRIVILEGE) .. 318
DESCRIPTION .. 318
OBJECTIVE .. 318
EXPECTED RESULTS .. 318
PROCESS .. 318
EXAMPLES .. 318
RESULTS .. 318
COUNTERMEASURE(S) .. 319
FURTHER READING(S) .. 319
COUNTERMEASURE(S) .. 319
SECOND PART: ENCRYPTED/HASHED PASSWORD CRACKING .. 320
BACKGROUND I: PASSWORD TYPES .. 320
BACKGROUND II: ALGORITHMS, PUBLIC AND PROPRIETARY ALGORITHMS .. 323
BACKGROUND III: MATHEMATICS .. 324
BACKGROUND IV: RAINBOW TABLES AND RAINBOW CRACKING .. 327
DESCRIPTION .. 329
OBJECTIVE .. 329
COUNTERMEASURE(S) .. 329
PROCESS .. 330
EXAMPLE .. 330
USE OF .. 332
USE OF CAIN .. 332
USE OF JOHN THE RIPPER .. 336
USE OF LEPTON'S CRACK .. 340
CRACKING STRATEGY .. 347
GATHER INFORMATION .. 348
INVESTIGATION .. 348
DICTIONARIES .. 349
BUILDING A CRACKING TACTIC .. 350
SAMPLE TACTIC TO ATTACK LM HASHES: .. 351
WORKING DICTIONARY .. 351
DICTIONARY .. 351
QUICK AND DIRTY .. 354
INCREMENTAL .. 354
LM HALF PASSWORDS .. 354
BASIC BRUTE FORCE ATTEMPTS .. 355
INSTANT CRACKING (RAINBOW CRACKING) .. 356
ADVANCED BRUTE-FORCE ATTEMPTS .. 357
CONCLUSION .. 357
COUNTERMEASURES .. 358
FURTHER READINGS .. 358
COUNTERMEASURE(S) .. 358
F SWITCH SECURITY ASSESSMENT .. 359
DESCRIPTION .. 359
PURPOSE .. 359
REQUIREMENT .. 359
EXPECTED RESULT

