Chapter 6: Security Assessment and Testing

6.1 Audit Policy

An information system security audit is a systematic assessment of the security controls applied to a defined scope of people, computers, processes and information.

Security audit process:
1. Identify objectives
2. Secure the participation of the relevant business segment's leadership
3. Define the scope
4. Select the audit team
5. Plan the audit
6. Perform the audit
7. Record the results
8. Report the results to the appropriate leader

Internal audit
- Advantage: familiarity with internal systems makes it easier to identify vulnerabilities in information systems.
- Disadvantage: possible conflicts of interest.

Third-party audit
- Advantages: brings new knowledge and remains objective. Compliance audits must be carried out by an external team.
- Disadvantage: high cost.

Service Organization Control (SOC) audit standard framework. SOC report types:
- SOC 1: applies to financial controls.
- SOC 2: applies to trust services; detailed data; generally not made public.
- SOC 3: applies to trust services; less detail; can be used for general public purposes.

6.2 Auditing Technical Controls

Technical controls are security controls implemented using IT assets.

Vulnerability testing: a written agreement is required before any vulnerability testing is performed.
- Black box testing: simulates an external attacker; may not cover everything.
- White box testing: a more complete evaluation, but it does not represent the behavior of an external attacker.
- Gray box testing: falls between the other two methods and reduces the problems of each.

Penetration testing: simulates the process of attacking a network and its systems. Process: discovery - enumeration - vulnerability mapping - exploitation - report to management.
- Blind test: the evaluator has only publicly available data, and the network security personnel are aware that testing is taking place.
- Double blind test: a blind test conducted without notifying the network security personnel.
- War dialing: placing a large number of calls in search of answering modems.

Other vulnerability types:
- Kernel defects: install security patches promptly.
- Buffer overflows
- Symbolic links: write programs and scripts so that the full path to a file cannot be bypassed.
- File descriptor attacks
- Race conditions
- File and directory permissions

Log review: examines the system's log files to detect security events or to verify the effectiveness of security controls. Measures against log tampering: remote logging / one-way communication / replication / write-once media / cryptographic hash chains.

Synthetic transactions: write scripts that simulate real users in order to test the behavior and performance of the system's critical services.

Misuse case testing: use cases written for the various threat actors and the tasks they want to perform on the system.

Code review: a systematic examination of the instructions that make up a piece of software, performed by someone other than the author of the code; follow coding standards.

Interface testing: evaluates how the different parts of a system interact with each other; a special case of it is called integration testing.
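The hash-chain measure listed above under log review is easy to misapply, so here is an added worked example (not part of the original notes) of a keyed hash chain over log entries with a verifier that reports the first tampered or removed entry. The chain key, the entry layout and the sample log lines are all constructed for the example; in a real deployment the key would be held by the collector, not by the host producing the log.

```python
import copy
import hashlib
import hmac
from typing import List, Optional

# Hypothetical key held by the log collector; constructed for this example only.
CHAIN_KEY = b"example-chain-key-not-for-production"
GENESIS = "0" * 64  # value chained into the first entry


def chain_entry(prev_hash: str, message: str, key: bytes = CHAIN_KEY) -> str:
    """Chain value for one entry: HMAC-SHA256 over (previous value || message).

    Using a keyed MAC rather than a plain hash means an attacker who edits the
    host's log cannot simply recompute the chain from the edited point onward.
    """
    data = prev_hash.encode() + b"\n" + message.encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append_log(log: List[dict], message: str, key: bytes = CHAIN_KEY) -> dict:
    """Append one entry, linking it to the previous entry's chain value."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "msg": message, "hash": chain_entry(prev, message, key)}
    log.append(entry)
    return entry


def verify_log(log: List[dict], key: bytes = CHAIN_KEY) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry.

    An edited message, an edited hash, or a removed entry in the middle all
    break the link at that position. A removed tail (truncation) is NOT
    detected here: the latest chain value must be anchored off-host (remote
    log, write-once media) so the verifier can check the log's end as well.
    """
    prev = GENESIS
    for expected_seq, entry in enumerate(log):
        if entry["seq"] != expected_seq:
            return expected_seq  # gap or reordering in the sequence
        if not hmac.compare_digest(entry["hash"], chain_entry(prev, entry["msg"], key)):
            return expected_seq  # message or hash altered
        prev = entry["hash"]
    return None


def build_sample_log() -> List[dict]:
    """Constructed sample entries in the style of an auth log."""
    log: List[dict] = []
    append_log(log, "sshd: Accepted publickey for ops from 10.0.0.5")
    append_log(log, "sudo: ops : COMMAND=/usr/bin/systemctl restart nginx")
    append_log(log, "sshd: Failed password for root from 198.51.100.7")
    return log


def tamper_edit(log: List[dict]) -> List[dict]:
    """Simulate an attacker rewriting the sudo line to hide a command."""
    edited = copy.deepcopy(log)
    edited[1]["msg"] = "sudo: ops : COMMAND=/usr/bin/true"
    return edited


def tamper_delete(log: List[dict]) -> List[dict]:
    """Simulate an attacker deleting the sudo line outright."""
    edited = copy.deepcopy(log)
    del edited[1]
    return edited


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", verify_log(sample))                    # None
    print("edited entry:", verify_log(tamper_edit(sample)))  # 1
    print("deleted entry:", verify_log(tamper_delete(sample)))  # 1
    print("truncated tail:", verify_log(sample[:2]))         # None -> needs an off-host anchor
```

The last line of the demo is the point the notes' list of measures is making: the chain alone proves that what remains of the log is unaltered, and only combining it with remote logging or write-once media proves that nothing was removed from the end.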

6.3 Auditing Management Controls

Management controls are implemented mainly through policy or process.

Account management
- Risks: piggybacking on existing privileged accounts; creating new accounts; elevating the permissions of ordinary user accounts.
- Controls: use strong authentication (such as strong passwords or two-factor authentication); use privileged accounts only to perform specific tasks; pay close attention to the creation, modification, suspension and reduction of accounts and their privileges.

Backup verification
- Data types: user data files / databases / mailboxes.
- Perform backup verification.

Disaster recovery and business continuity testing: disaster recovery drills should be conducted at least once a year.
- Structured walk-through test: representatives get together to review the plan.
- Simulation test: practice executing the disaster recovery plan against a specific scenario. Realistic.
- Parallel test: start the primary and standby systems at the same time. Minimal impact.
- Full interruption test: shut down the original site and move business processing to the standby site.

Security training and awareness
- Security training is usually provided to security personnel; security awareness training should be provided to every member of the organization.
- Social engineering: phishing / spear phishing (targets specific individuals) / whaling (targets senior managers) / impersonation.
- Online safety, data protection, culture.

Key performance and risk indicators
- Key Performance Indicators (KPIs): measure current progress and give an interpretation of one or more measures of ISMS effectiveness.
- Key Risk Indicators (KRIs): measure how bad things could become in the future and tell managers where the organization stands relative to its risk appetite.
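"Perform backup verification" is a one-line item above, so here is an added example (not from the original notes) of what that verification looks like in practice: a SHA-256 manifest taken at backup time is compared against the backup or restored tree, reporting files that are missing, altered or unexpected. The directory layout and file contents are constructed for the example and cover the three data types the notes list (user files, a database file and a mailbox).

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large database or mailbox files fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its SHA-256.

    Taken at backup time and stored apart from the backup itself.
    """
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(manifest: Dict[str, str], backup_root: Path) -> Dict[str, List[str]]:
    """Compare a backup (or restored) tree against the manifest.

    missing   - listed in the manifest but absent from the tree
    corrupted - present but with a different hash
    extra     - present but never listed (unexpected content)
    """
    current = build_manifest(backup_root)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "corrupted": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "extra": sorted(k for k in current if k not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed source tree, back it up, damage the backup, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        # Constructed sample data: one user file, one database file, one mailbox.
        files = {
            "users/alice/report.txt": b"quarterly figures\n",
            "db/accounts.sqlite": b"SQLite format 3\x00" + b"\x00" * 32,
            "mail/bob.mbox": b"From bob@example.invalid\nSubject: hello\n",
        }
        for rel, data in files.items():
            p = src / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        manifest = build_manifest(src)

        backup = Path(tmp) / "backup"
        shutil.copytree(src, backup)
        # A freshly taken backup verifies clean.
        assert verify_backup(manifest, backup) == {"missing": [], "corrupted": [], "extra": []}

        # Simulate a damaged backup: one file silently altered, one lost.
        (backup / "db/accounts.sqlite").write_bytes(b"garbage")
        (backup / "mail/bob.mbox").unlink()
        return verify_backup(manifest, backup)


if __name__ == "__main__":
    print(demo())
    # {'missing': ['mail/bob.mbox'], 'corrupted': ['db/accounts.sqlite'], 'extra': []}
```

Running the same comparison after a test restore (rather than against the backup media) is what turns this into a disaster recovery drill result: a manifest that verifies against the restored tree is evidence the backup is usable, not just present.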

6.5 Management Review

Management reviews are formal, regularly scheduled meetings of senior organizational leadership that use audit results as a key input.