Wednesday, August 29, 2007

Anatomy of an Attack

1. Information Gathering:

1.1 Passive.

1.2 Active.

2. Network Mapping:

2.1 Identify Live Hosts.

2.2 Identify Open Ports.

2.3 Identify Services.

2.4 Identify Operating System.


3. Vulnerability Identification (Assessment and Verification):

3.1 Default Configuration.

3.2 Vulnerability Scanning (known vulnerabilities).

3.3 Vulnerability scanning (unknown vulnerabilities).

4. Prepare for Penetration:

4.1 Identify proof of concept (PoC) tool(s).

4.2 Test the PoC.

4.3 Fire the PoC.

5. Gaining Access and Privilege Escalation:

5.1 Obtain User Access.

5.2 Obtain Operator Access.

5.3 Obtain Administrative Access.

6. Enumerate Further:

6.1 Sniff and analyze the traffic.

6.2 Obtain passwords.

6.3 Gather cookies.

6.4 Analyze route information and the whole network.

7. Attack on Remote Users/Site (n vis-a-vis) (Optional):

8. Maintain Access:

8.1 Backdoor.

8.2 Rootkit.

8.3 Establish Tunnel.

9. Cover your Tracks:

9.1 Remove Logs (Windows).

9.1.1 Remove Event Viewer log.

9.1.2 Remove application logs (e.g. Terminal Services, mail server and application server).

9.1.3 Remove web server log.

Conclusion:
The above outline reflects the methodology to be followed in a penetration test. Please treat this know-how as open source. I would be glad to answer your questions if you have any.
-----
Hassan
http://securityassessmentframework.blogspot.com/
http://groups.yahoo.com/groups/issaf

Friday, August 17, 2007

Implementing ISO/IEC 27001 - Information Security Management System. (ISMS)

Implementation of ISO/IEC 27001


ISO 27001 (formerly BS7799) describes an approach known as PDCA ('Plan, Do, Check, Act'), a broad stage-by-stage approach that covers a range of standards.

ISO 27001 (formerly BS7799) can be summarized as a 10-stage process.

  1. Define an information security policy.
  2. Define the scope of the information security management system.
  3. Form the teams that plan, implement, assess and check the ISO 27001 implementation.
  4. Identify information assets and classify them.
  5. Perform a security risk assessment.
  6. Manage the identified risks and value them in terms of CIA (confidentiality, integrity and availability).
  7. Select the controls to be implemented and applied.
  8. Prepare an SoA (a "statement of applicability").
  9. Form an internal audit system to maintain this strategy.
  10. Engage accredited auditors to obtain the certification.

Summary (in detail)

Agreeing a planning strategy in a meeting with the immediate boss, and discussing the framework/standard to be followed.

Assembling the Project team / organization structure for this implementation:

a) Forming a steering group of senior management to provide support to the executive management during the project stage.

b) Forming a working group comprising middle-level managers from all departments, for planning and implementation during the project and maintenance stages.

Aligning with business goals and defining top level security policy:

a) A top level policy provides a clear management direction and commitment and establishes agreed roles and responsibilities.

b) Top level security policy may include scope, legal and regulatory obligations, roles and responsibilities, strategic approach to risk management, action in the event of the breach of policy.

Mapping information flow:

a) Including the operations team in the scope of the ISMS and gathering information on the operational processes.

b) Getting a list of key systems from the IT department.

c) Mapping process flows: the core processes which, if ignored, can cause the organizational objectives to fail.

d) Mapping the information flow with the help of the process flow, i.e. the information created, processed, transmitted, stored and deleted in the realization of the product.

Identifying information assets and dependent assets:

a) Using the process model, for each scope we identify all assets under each parameter, and then identify which of these assets are information assets.

b) Information assets are those that may be considered information, that is, the information received, created, processed, transmitted, stored or deleted as a direct part of the product realization or as part of the support processes / functions / activities.

c) Dependent assets are those assets that may not be information themselves but on which the receipt, creation, processing, transmission, storage or destruction of information depends.

d) Identifying the assets with the dispatch desk.

Approval:

a) Submitting the list of assets to the steering group for approval.

Classification of Assets:

a) Categorizing the assets into physical information, electronic information, non-electronic information, people, services, software, etc., depending upon the organizational infrastructure to be assessed.

Developing Risk Scenarios:

a) Developing risk scenarios and assessing the vulnerabilities and threats.

b) Establishing the vulnerabilities to the assets.

c) Establishing the threats to the assets.

d) Establishing the likelihood of the threats.

e) Calculating the risks to the assets.

f) Valuing the assets, expressed in terms of the potential impacts of unwanted incidents such as loss of confidentiality, integrity and/or availability (CIA) of information.

Risk Assessment:

a) Meeting with the working group to develop a risk assessment strategy.

b) Performing impact and probability analysis in terms of CIA by assigning impact and likelihood ratings to all risk scenarios, in conjunction with the business owners of the assets.

c) Calculating the risk as a function of probability and impact.

d) Identifying the critical, high, medium and low risk factors while rating.

e) Creating the risk deliverables (risk assessment outputs), which may include the summary report to management for decision making on the management of risks, the controls selected from ISO/IEC 17799-2005, and the worksheets from the risk assessment spreadsheet (attaching copies to the risk assessment summary report).
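The "Developing Risk Scenarios" and "Risk Assessment" steps above describe valuing each asset against CIA, rating the likelihood of each threat, calculating risk as a function of probability and impact, and sorting the results into critical/high/medium/low. The following is an added worked example of that calculation, not code from the original post; the 1-5 rating scales, the banding thresholds and the sample assets and scenarios are assumptions chosen for illustration, and an organization's own risk assessment strategy (step a) above) would fix those values.

```python
"""Qualitative risk assessment over a constructed asset register.

Added example, not taken from the original post. The 1-5 rating scales,
the banding thresholds and the sample assets/scenarios are assumptions
chosen for illustration.
"""
from dataclasses import dataclass

RATING_SCALE = range(1, 6)  # assumed ordinal scale: 1 = very low, 5 = very high

# Assumed bands on the score likelihood * impact (maximum 25), highest first.
RISK_BANDS = ((20, "critical"), (12, "high"), (6, "medium"), (1, "low"))


@dataclass(frozen=True)
class Asset:
    name: str
    category: str          # physical, electronic, people, service, software ...
    confidentiality: int
    integrity: int
    availability: int

    def impact(self) -> int:
        """Asset value as the worst-case loss across C, I and A."""
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class RiskScenario:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int


def risk_score(likelihood: int, impact: int) -> int:
    """Risk as a function of probability and impact (here: their product)."""
    if likelihood not in RATING_SCALE or impact not in RATING_SCALE:
        raise ValueError("likelihood and impact must be rated 1-5")
    return likelihood * impact


def risk_rating(score: int) -> str:
    """Map a score onto the critical/high/medium/low bands."""
    for threshold, label in RISK_BANDS:
        if score >= threshold:
            return label
    raise ValueError(f"score {score} is below the lowest band")


def assess(scenarios):
    """Produce the risk register rows, highest risk first."""
    rows = []
    for s in scenarios:
        impact = s.asset.impact()
        score = risk_score(s.likelihood, impact)
        rows.append({
            "asset": s.asset.name,
            "threat": s.threat,
            "vulnerability": s.vulnerability,
            "impact": impact,
            "likelihood": s.likelihood,
            "score": score,
            "rating": risk_rating(score),
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample register (not real systems).
CUSTOMER_DB = Asset("customer-db", "electronic information", 5, 4, 4)
PUBLIC_WEB = Asset("public-web", "service", 2, 4, 5)
DISPATCH_PC = Asset("dispatch-pc", "physical", 3, 3, 2)
BROCHURE = Asset("brochure-pdf", "non-electronic information", 1, 2, 2)

SAMPLE_SCENARIOS = [
    RiskScenario(CUSTOMER_DB, "credential theft", "password-only remote login", 4),
    RiskScenario(PUBLIC_WEB, "defacement", "unpatched web application", 3),
    RiskScenario(DISPATCH_PC, "theft of device", "no disk encryption", 2),
    RiskScenario(BROCHURE, "unauthorised disclosure", "left on shared printer", 2),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_SCENARIOS):
        print(f"{row['rating']:>8}  {row['score']:>2}  {row['asset']:<12} {row['threat']}")
```

Taking the asset impact as the maximum of its C, I and A values is one common convention; a register that tracks the three separately would carry three scores per scenario instead. The sorted rows are what feeds the summary report to management in step e).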

Statement of Applicability:

a) A mandatory requirement for ISO 27001 certification.

b) Including description of control objectives and controls with clause references in the SoA.

c) Indication of whether a control objective or control is applicable to your ISMS or not, in the SoA.

d) Including in the SoA, a remark column to explain why a particular control has not been included, including a reference for the senior management acceptance for the same.

e) Identifying control objectives and controls.

f) Including any plans to transfer risks.

g) Assess and quantify residual risks.

h) Provide cross reference for acceptance of residual risks by senior management (steering group).

i) Listing the control objectives and controls that are relevant and applicable to the organization's ISMS, based on the results and conclusions of the risk assessment.

j) Also listing the control objectives and controls from ISO/IEC 17799-2005 that have not been selected, with the justification for exclusion (justifying exclusions provides a cross-check that no controls have been inadvertently omitted).

Risk Treatment Plan:

a) Should include the design, implementation, audit, review and maintenance of the information security management system.

b) It should cover areas such as physical security, technical and logical security, creation and implementation of policies and procedures, and personnel (personal) security (including awareness and training).

Policies and procedures:

a) Preparing a draft of policies and procedures with the working group and submitting to the steering group for the approval.

b) Drafting the background, purpose of the policy/procedure, policy statements/procedure, enforcement standards, responsibilities, accountability method, and reviewing and monitoring standards, and also providing references to the other documents.

Implementation plan:

a) Preparing a draft for the implementation to be submitted to the working group.

b) Including the task description, milestone description, dependencies, resources needed, duration and responsibilities in the project report.

Audit:

a) Approaching audit firms that are qualified with accredited certification.

b) Highlighting and focusing on the details before finalizing the agreement with the audit firm.

c) Finalizing the agreement with the audit firm.

d) Providing mandatory services prior to the actual certification audit.

e) Recognizing the steps of audit to be performed.

f) Identifying the certificate issue procedure.

g) Identifying and maintaining the rules of certificates.

ISMS:

a) Preparing the meeting agenda with the working group for the management review.

b) Preparing minutes of management review meeting with target dates and responsibilities.

c) Preparing corrective and preventive action plans after the review with dates and responsibilities.


Hassan Syed
http://securityassessmentframework.blogspot.com/

http://groups.yahoo.com/groups/issaf
Tuesday, August 7, 2007

BENEFITS OF PROFESSIONAL FORENSIC METHODOLOGY

The impartial computer expert who helps during discovery will typically have experience on a wide range of computer hardware and software. This is always beneficial when your case involves hardware and software with which this expert is directly familiar. But fundamental computer design and software implementation is often quite similar from one system to another, and experience in one application or operating system area is often easily transferable to a new system.
Unlike paper evidence, computer evidence can often exist in many forms, with earlier versions still accessible on a computer disk. Knowing the possibility of their existence, even alternate formats of the same data can be discovered. The discovery process is well served by a knowledgeable expert identifying more possibilities that can be requested as possibly relevant evidence. In addition, during on-site premises inspections, for cases where computer disks are not actually seized or forensically copied (see below), the forensics expert can more quickly identify places to look, signs to look for, and additional information sources for relevant evidence. These may take the form of earlier versions of data files (e.g. memos, spreadsheets) that still exist on the computer's disk or on backup media, or differently formatted versions of data, either created or treated by other application programs (e.g. word processing, spreadsheet, e-mail, timeline, scheduling, or graphics).
Protection of evidence is critical. A knowledgeable computer forensics professional will ensure that a subject computer system is carefully handled so that:
1. no possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to investigate the computer;
2. no possible computer virus is introduced to a subject computer during the analysis process;
3. extracted and possibly relevant evidence is properly handled and protected from later mechanical or electromagnetic damage;
4. a continuing chain of custody is established and maintained.
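Points 1, 3 and 4 above (evidence not altered by the investigation, protected from later damage, and held under a continuous chain of custody) are normally demonstrated by hashing the forensic copy at acquisition and re-hashing it at every handover. The following is an added example of that discipline, not code from the original post: the "seized disk" is a constructed byte string standing in for an evidence image, and the examiner names and actions are placeholders. On real media the same SHA-256 computation would run over the image file.

```python
"""Integrity check and chain-of-custody record for a forensic copy.

Added example, not from the original post. The "seized disk" is a
constructed byte string standing in for an evidence image; examiner names
and actions are placeholders.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: str
    action: str
    custodian: str
    sha256: str


@dataclass
class CustodyLog:
    acquisition_hash: str
    entries: list = field(default_factory=list)

    def record(self, action: str, custodian: str, evidence: bytes) -> None:
        """Every handover re-hashes the evidence as it is received."""
        self.entries.append(CustodyEntry(
            datetime.now(timezone.utc).isoformat(timespec="seconds"),
            action, custodian, sha256_hex(evidence)))

    def unbroken(self) -> bool:
        """Custody is continuous only if every entry matches the acquisition hash."""
        return bool(self.entries) and all(
            hmac.compare_digest(e.sha256, self.acquisition_hash) for e in self.entries)


def acquire(original: bytes):
    """Bit-for-bit copy plus the hash fixed at acquisition time."""
    copy = bytes(original)  # stand-in for imaging the seized media
    log = CustodyLog(acquisition_hash=sha256_hex(original))
    log.record("acquired forensic copy", "examiner A", copy)
    return copy, log


def verify(copy: bytes, log: CustodyLog) -> bool:
    """True only if the copy still matches what was acquired."""
    return hmac.compare_digest(sha256_hex(copy), log.acquisition_hash)


# Constructed sample standing in for the contents of a seized disk.
SEIZED_DISK = b"constructed sample evidence: memo v1 ... memo v2 ... deleted.xls"


def demo() -> dict:
    copy, log = acquire(SEIZED_DISK)
    # Analysis works on the copy; the original is never written to.
    log.record("handed to examiner B for analysis", "examiner B", copy)
    intact = verify(copy, log) and log.unbroken()

    # Simulate one byte of the copy changing after acquisition (mishandling).
    damaged = copy[:-1] + b"!"
    log.record("returned to evidence locker", "custodian", damaged)
    detected = (not verify(damaged, log)) and (not log.unbroken())
    return {"intact_before": intact, "damage_detected": detected,
            "entries": len(log.entries)}


if __name__ == "__main__":
    print(demo())
```

The log itself is only as trustworthy as where it is kept: in practice the acquisition hash is written into the case file and signed or witnessed at the time, so that the record cannot be adjusted to match a later-altered copy.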

====================================================================

Reporting

Users,

Reporting a security breach does not require much expertise; it is easy to look for a loophole or a vulnerability in a given target to be assessed.
What matters most is the preventive maintenance that should be acknowledged and carried out immediately. Take SSH login attempts as an example.
SSH provides an alternate authentication method which successfully mitigates password guessing attacks. This authentication method is based on cryptographic keys, a so-called private key and public key. The public key is placed onto the server and acts as a custom lock for access to your account. This lock can only be opened with the corresponding private key. Once you provide this key, you gain access.
Password guessing attacks would fail, as attackers cannot guess or generate such a private key. All modern SSH servers are configured by default to support this authentication method. However, they usually fall back to password-based authentication in case an incorrect private key is provided, opening the door for password guessing attacks once again. For this mitigation to be successful, the server needs instead to be configured to accept key-based authentication only.
The above has been written from a combined study.
I hope this sheds some light on these security concerns.
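The fallback described above is a configuration fact that can be checked rather than assumed. The following is an added example, not code from the original post: a small audit that parses an sshd_config the way sshd reads it (case-insensitive keywords, first occurrence of a repeated keyword wins, `#` starts a comment) and reports any setting that still lets a password prompt reach a user who has keys. The two configuration texts are constructed; the keyword names and their defaults when absent (PasswordAuthentication yes, PubkeyAuthentication yes, KbdInteractiveAuthentication yes, PermitEmptyPasswords no) are OpenSSH's, and ChallengeResponseAuthentication is the older name for KbdInteractiveAuthentication. Match blocks are not evaluated (assumption: the global section only).

```python
"""Audit an sshd_config for password fallback (key-only authentication).

Added example, not from the original post. Both configuration texts are
constructed. Keyword defaults are OpenSSH's; Match blocks are not
evaluated (assumption: global section only).
"""

DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
}
# Older spelling of the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text: str) -> dict:
    """Effective global settings.

    Keywords are case-insensitive, '#' starts a comment, 'keyword value'
    and 'keyword=value' both parse, and for a repeated keyword sshd keeps
    the FIRST occurrence.
    """
    effective = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break  # per-user/host overrides start here; not modelled
        key = ALIASES.get(key, key)
        if key in seen:
            continue  # later duplicates are ignored by sshd
        seen.add(key)
        effective[key] = value
    return effective


def audit(effective: dict) -> list:
    """Findings that would let password guessing continue despite keys."""
    findings = []
    if effective["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off: key-based login unavailable")
    if effective["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is on: server falls back to passwords")
    if effective["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication is on: PAM can still prompt for a password")
    if effective["permitemptypasswords"] == "yes":
        findings.append("PermitEmptyPasswords is on")
    return findings


# Constructed: keys work, so the host looks locked down, but the commented
# line leaves the default PasswordAuthentication yes in force.
WEAK_CONFIG = """\
Port 22
PubkeyAuthentication yes
#PasswordAuthentication no
"""

# Constructed: key-only authentication. The final duplicate line shows that
# a later 'PasswordAuthentication yes' does not undo the earlier 'no'.
HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_sshd_config(cfg)) or ["no findings"])
```

On a live host, `sshd -T` prints the effective configuration after all includes and defaults are applied, which is the safer input for a check like this; and any Match block that re-enables PasswordAuthentication for particular users or addresses re-opens exactly the fallback the post warns about.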

====================================================================

J A H I L Z