5.5 Audits and Assessments Flashcards
Audits and assessments
* Not just for taxes
– There are good reasons to audit your technology
* Cybersecurity audit
– Examines the IT infrastructure, software, devices, etc.
– Checks for effectiveness of policies and procedures
– Find vulnerabilities before the attackers
– Can be performed internally or by a third-party
* Attestation
– Provides a formal opinion on the truth or accuracy of a company's security posture
– The auditor attests to (vouches for) the company's cybersecurity posture
Internal audits
* Audits aren't just for third parties
– You should also run internal audits
* Compliance
– Is your organization complying with regulatory or
industry requirements?
* Audit committee
– Oversees risk management activities
– All audits start and stop with the committee
* Self-assessments
– Have the organization perform its own checks
– Consolidate the self-assessments into ongoing reports
External audits
* Regulatory requirements
– An independent third party may be required to perform the audit
– Audit type and frequency are often dictated by the regulation
* Examinations
– Audits will often require hands-on research
– View records, compile reports, gather additional details
* Assessment
– The audit will assess current activities
– May also provide recommendations for future improvements
Physical penetration testing
* Operating system security can be circumvented by physical means
– Modify the boot process
– Boot from other media
– Modify or replace OS files, bypassing the OS's own access controls
– Full-disk encryption, Secure Boot and firmware passwords raise the bar, but only if they are actually enabled and configured
* Physical security is key
– Prevent access by unauthorized individuals
* Assess and test physical security
– Can you enter a building without a key?
– What access is available inside?
– Doors, windows, elevators, physical security processes
Pentesting perspectives
* Offensive
– The red team
– Attack the systems and look for vulnerabilities to exploit
* Defensive
– The blue team
– Identify attacks in real-time
– Prevent any unauthorized access
* Integrated
– Create an ongoing process
– Identify and patch exploitable systems and services
– Test again
Working knowledge
* How much do you know about the test?
– Many different approaches
* Known environment
– Full disclosure: the pentester is given details of the systems in advance ("white box")
* Partially known environment
– A mix of known and unknown ("gray box")
– Focus on certain systems or applications
* Unknown environment
– The pentester knows nothing about the systems under attack
– "Blind" or "black box" test
Reconnaissance
* Need information before the attack
– Can’t rush blindly into battle
* Gathering a digital footprint
– Learn everything you can
* Understand the security posture
– Firewalls, security configurations
* Narrow the attack surface
– Focus on key systems
* Create a network map
– Identify routers, networks, remote sites
Passive reconnaissance
* Learn as much as you can from open sources
– There's a lot of information out there
– Remarkably difficult for the target to protect against or even detect, since nothing touches their systems
* Social media
* Corporate web site
* Online forums, Reddit
* Social engineering (contact with people, but still no traffic to the target's systems)
* Dumpster diving
* Business organizations
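As an added example (not from the original notes), here is a small harvester that mines a saved copy of a corporate web page for the items above: e-mail addresses, the naming convention behind them, role accounts, and hostnames that are linked or left behind in HTML comments. The page content, the example.com domain and every name, address and hostname in it are constructed for illustration.

```python
"""Passive footprinting from a saved corporate web page.

Added example, not from the original notes. SAMPLE_HTML is constructed:
example.com is a reserved documentation domain and all people, addresses
and hostnames are invented.
"""
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed sample of a "Leadership / Contact" page, including a stray developer comment.
SAMPLE_HTML = """
<html><head><title>Example Corp - Leadership</title></head><body>
<h1>Our team</h1>
<p>Alice Smith, CEO - <a href="mailto:alice.smith@example.com">alice.smith@example.com</a></p>
<p>Bob Jones, CFO - <a href="mailto:bob.jones@example.com">bob.jones@example.com</a></p>
<p>Press: <a href="mailto:press@example.com">press@example.com</a></p>
<p>Careers portal: <a href="https://jobs.example.com/openings">jobs.example.com</a></p>
<p>Customer login: <a href="https://portal.example.com/login">Portal</a></p>
<p>Remote staff: <a href="https://vpn.example.com">VPN</a> |
   <a href="https://www.example.com/about">About</a></p>
<!-- TODO: remove old link to http://legacy-intranet.example.com:8080 before launch -->
</body></html>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://([\w.-]+)")  # hostname only; port and path are ignored
# Generic mailboxes that say nothing about how staff addresses are formed (assumed list).
ROLE_LOCALS = {"press", "info", "sales", "support", "hr", "admin", "security",
               "careers", "jobs", "noreply", "webmaster"}


class PageCollector(HTMLParser):
    """Keeps href targets, visible text and HTML comments apart so each can be mined."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.text, self.comments = [], [], []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value:
                self.hrefs.append(value)

    def handle_data(self, data):
        self.text.append(data)

    def handle_comment(self, data):
        self.comments.append(data)


def naming_convention(local_parts):
    """Guess the staff e-mail pattern from the shape of personal local parts."""
    shapes = Counter()
    for local in local_parts:
        if "." in local:
            shapes["first.last"] += 1
        elif "_" in local:
            shapes["first_last"] += 1
        else:
            shapes["other"] += 1
    return shapes.most_common(1)[0][0] if shapes else "unknown"


def footprint(html, domain):
    """Return what one page gives away about `domain`: addresses, pattern, hosts."""
    page = PageCollector()
    page.feed(html)
    visible = " ".join(page.hrefs + page.text)
    everything = visible + " " + " ".join(page.comments)

    emails = sorted({m.lower() for m in EMAIL_RE.findall(everything)
                     if m.lower().endswith("@" + domain)})
    in_scope = lambda h: h == domain or h.endswith("." + domain)
    hosts = sorted({h.lower() for h in URL_RE.findall(everything) if in_scope(h.lower())})
    # Hosts that appear only in comments are the ones the page owner did not mean to publish.
    visible_hosts = {h.lower() for h in URL_RE.findall(visible)}
    comment_only_hosts = sorted(set(hosts) - visible_hosts)

    role_accounts = [e for e in emails if e.split("@")[0] in ROLE_LOCALS]
    personal = [e.split("@")[0] for e in emails if e not in role_accounts]
    return {
        "emails": emails,
        "role_accounts": role_accounts,
        "naming_convention": naming_convention(personal),
        "hosts": hosts,
        "comment_only_hosts": comment_only_hosts,
    }


if __name__ == "__main__":
    for key, value in footprint(SAMPLE_HTML, "example.com").items():
        print(f"{key}: {value}")
```

The useful outputs here are not the addresses themselves but what they imply: a first.last convention lets an attacker build a plausible address list for every name found on LinkedIn, and a hostname that survives only in a comment (the legacy intranet above) is exactly the kind of target nobody remembers to harden.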
Active reconnaissance
* Trying the doors
– Maybe one is unlocked
– Don't open it yet
– Relatively easy to be seen
* Visible in network traffic and logs
* Ping scans, port scans
* DNS queries
* OS scans, OS fingerprinting
* Service scans, version scans
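The flip side of "relatively easy to be seen": an added example (not from the original notes) of the detection logic a blue team would run over connection logs to flag the scan types listed above. It separates a port scan (one source, one host, many ports), a port sweep (one source, one port, many hosts) and a ping sweep (ICMP to many hosts). The log format, the addresses and the thresholds are constructed assumptions, and the deliberately slow scanner in the sample shows the limit of any fixed time window.

```python
"""Spotting active reconnaissance in connection logs.

Added example, not from the original notes. Log lines are constructed in a
simplified flow-log style: "<epoch> <src_ip> <dst_ip> <dst_port> <proto> <state>"
(dst_port is "-" for ICMP). The 60 s window and the 10-port / 5-host thresholds
are illustrative assumptions, not values from any product.
"""
from collections import defaultdict


def _mk(ts, src, dst, port, proto="tcp", state="deny"):
    """Build one constructed flow-log line."""
    return f"{ts} {src} {dst} {port} {proto} {state}"


SAMPLE_LOG = (
    # Benign: one workstation talking to the web server and DNS.
    [_mk(1700000000 + i, "10.0.0.5", "10.0.0.20", 443, state="allow") for i in range(5)]
    + [_mk(1700000003, "10.0.0.5", "10.0.0.21", 53, "udp", "allow")]
    # Port scan: one source, one target, eleven ports within eleven seconds.
    + [_mk(1700000010 + i, "203.0.113.7", "10.0.0.20", p)
       for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389])]
    # Port sweep: one source, port 445, six consecutive hosts.
    + [_mk(1700000030 + i, "198.51.100.9", f"10.0.0.{20 + i}", 445) for i in range(6)]
    # Ping sweep: ICMP echo to six consecutive addresses.
    + [_mk(1700000040 + i, "192.0.2.44", f"10.0.0.{1 + i}", "-", "icmp") for i in range(6)]
    # Slow scan: same eleven ports, but one probe every 100 s.
    + [_mk(1700000100 + 100 * i, "203.0.113.8", "10.0.0.20", p)
       for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389])]
)


def parse(line):
    ts, src, dst, port, proto, state = line.split()
    return {"ts": int(ts), "src": src, "dst": dst,
            "port": None if port == "-" else int(port), "proto": proto, "state": state}


def detect(lines, window=60, port_threshold=10, host_threshold=5):
    """Return sorted (src, kind, target) alerts for port scans, port sweeps and ping sweeps.

    Each source is judged over a sliding time window, so a scanner that spaces
    its probes further apart than `window` is missed. That is the trade-off every
    threshold-based detection makes, and why slow scans are correlated over longer spans.
    """
    by_src = defaultdict(list)
    for ev in map(parse, lines):
        by_src[ev["src"]].append(ev)

    alerts = set()
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window so that evs[start:end+1] spans at most `window` seconds.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports_per_dst = defaultdict(set)
            hosts_per_port = defaultdict(set)
            icmp_hosts = set()
            for ev in evs[start:end + 1]:
                if ev["proto"] == "icmp":
                    icmp_hosts.add(ev["dst"])
                else:
                    ports_per_dst[ev["dst"]].add(ev["port"])
                    hosts_per_port[ev["port"]].add(ev["dst"])
            for dst, ports in ports_per_dst.items():
                if len(ports) >= port_threshold:
                    alerts.add((src, "port_scan", dst))
            for port, hosts in hosts_per_port.items():
                if len(hosts) >= host_threshold:
                    alerts.add((src, "port_sweep", str(port)))
            if len(icmp_hosts) >= host_threshold:
                alerts.add((src, "ping_sweep", "icmp"))
    return sorted(alerts)


if __name__ == "__main__":
    for src, kind, target in detect(SAMPLE_LOG):
        print(f"{kind:<10} from {src} -> {target}")
```

With the default 60-second window the three fast attackers are flagged and the slow scanner (203.0.113.8) is not; widening the window to twenty minutes catches it too. In practice a scanner also leaves denied connections, SYNs with no follow-up data, and fingerprinting probes that look nothing like a real client, all of which give the blue team more signals than the raw counts used here.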