AhnLab AQAS Penetration Service


  • 8/7/2019 AhnLab AQAS Penetration Service


    AhnLab Quick Assessment Services

    2010. 02.


    Copyright (C) AhnLab, Inc. 1988-2009. All rights reserved.

    Procedures

    [Diagram: procedure stages. Labels: GAP Analysis; Scope Definition; As-Is Analysis; Requirement Definition; Risk Assessment; Penetration Test; Planning; Risk Analysis; Work Planning; Safeguards; Quick Hits; Master Planning]

    Based on the AhnLab Consulting Methodology, AhnLab will assess the customer's security level and provide a draft master plan.

    AQAS > Overview


    Security Management Assessment

    We evaluate the security management status by interviewing the security/IT department, based on best practices such as the global IT security standard ISO27001 and US FISMA (Federal Information Security Management Act).

    AQAS > Security Management Assessment

    Methodology: Review Security Policy, Procedure; Interview; Analysis; Reporting (Checklist). Durations shown: 1 Day, 3 Day, 1 Day.

    Assessment Criteria (Global Standard, Regional Standard): ISO27001; FISMA (US); KISA ISMS (Korea)

    1. Security Policy

    2. Risk Assessment

    3. Configuration Management

    4. Media Protection

    5. Awareness & Education

    6. Contingency Plan

    7. Physical & Environmental Protection

    8. Personnel Security

    9. Incident Response

    10. Audit & Responsibility

    11. Access Control & Communication Security

    12. Technical Security


    AQAS > Penetration Test

    AhnLab will conduct the penetration test, based on AhnLab's expertise and experience, in the following steps.

    PT Procedures

    Step 0 Pre-Meeting

    Step 1 Define Check Items

    Step 2 Info. Gathering

    Step 3 Impact Analysis

    Step 4 Attack

    Step 5 Attack Spread

    Step 6 Report Generation

    Step 7 Reporting

    Phases: Pre-step; Phase 1; Phase 2; Phase 3; Phase 4 Reporting (phase labels: Data Collection, Verification, Testing)

    [Diagram: activities shown under the steps. Labels: Define Level; Check Lists; Define Scope; Agreement; Responsibility; Network Info. (DNS, IP, Config.); System Info. (OS, Services, Vul. Scan); Vul. Analysis; Analyze the impact to services; Attack the weakest point first; Detour firewall; Collect Evidence; Acquire Admin. Rights; Install Backdoor; Attack Other Systems; Penetration Test (Attack Method, Vul. List, Evidence); Recommendation; Concepts; Remediation; Hacking Demo]


    AQAS > Penetration Test

    Drawing PT Scenario

    AhnLab will draw up the available threat scenarios based on an analysis of the service structure.

    Scenario

    - Understanding core processes

    - Finding core information

    - Finding available attack paths based on an analysis of service architecture

    - Drawing threat scenarios

    [Diagram: network zones and attack path. Zones: Internet; DMZ; CMZ; Data Center; Development Servers; Internal Systems; Customer Center. Actor: Ethical Hacker. Path labels: Attack from Outside; Penetrate through DMZ; Leak Internal Info.]


    AQAS > Work Schedule

    The assessment will take 5 working days. One of our consultants will be on site, and the penetration test will be done remotely.

    [Schedule chart: columns Day 1, Day 2, Day 3, Day 4, Day 5, Remark. Rows: Assessment Interview (Remark: On-Site); Penetration Test (Remark: Remote); Analysis Report Generation; Reporting]


    Sample Report > Domain Summary

    Summary by domains

    The average information security score across the domains is 2.2. Basic rules are made, but practice is unsatisfactory.

    The average target score is 3.9, which corresponds to a measurable level, so the gap between them is not big (average 1.7).

    Especially vulnerable domains are security policy & organization, risk assessment, personnel security, and technical security.

    DOMAIN                                             Current Score  Target Score  Gap  Best Practice
    Security policy & organization                     2.0            5.0           3.0  5.0
    Risk assessment                                    1.5            4.2           2.7  5.0
    Configuration management                           2.4            4.2           1.8  5.0
    Media protection                                   1.7            3.0           1.3  5.0
    Security awareness and education                   2.0            3.0           1.0  5.0
    Emergency plan                                     1.9            3.3           1.4  5.0
    Physical & environmental protection                3.0            4.5           1.5  5.0
    Personnel security                                 2.1            4.0           1.9  5.0
    Incidents response                                 2.2            3.8           1.6  5.0
    Audit & responsibility                             2.8            4.0           1.3  5.0
    System access control & communication protection   2.7            4.0           1.3  5.0
    Technical security                                 2.3            4.2           1.9  5.0

    [Figure: Domain Radar Chart, one axis per domain]


    Sample Report > Technical Security Summary

    Summary of technical security

    Technical security scores by domain average 3.0. Technical security is in operation, but repeated survey and improvement are necessary.

    The domain with the biggest gap between current and target score is Integrated management.

    Security operation is not conducted holistically, but is conducted individually by each business. To improve the level of technical security, the fast and reachable areas are Access control, Patch management, and Host intrusion prevention.

    DOMAIN                            Current Score  Target Score  Gap  Best Practice  Priority
    Access control                    3              5             2    5              16.7
    Intrusion detection/prevention    5              5             0    5              0.0
    DDoS attack                       2              4             2    5              6.0
    UTM                               3              4             1    5              6.0
    Network access control            5              5             0    5              0.0
    Anti-Malware                      5              5             0    5              0.0
    Patch management                  3              4             1    5              15.0
    Media control                     2              4             2    5              6.0
    Host intrusion prevention         1              4             3    5              15.0
    Web application access control    3              4             1    5              5.0
    URL filtering                     3              4             1    5              3.0
    Mail security                     3              4             1    5              3.0
    DB access control                 2              4             2    5              6.0
    Integrated management             1              4             3    5              9.0

    DOMAIN                  Current Score  Target Score  Gap  Best Practice
    Network security        3.6            4.6           1.0  5.0
    System security         2.8            4.3           1.5  5.0
    Application security    2.1            4.0           1.9  5.0
    Integrated management   1.0            4.0           3.0  5.0

    [Figure: radar chart of technical security, one axis per domain in the first table]


    Sample Report > Recommendation

    Media protection

    Status

    - Systems are operated in a separate location, and entry and exit are controlled by fingerprint recognition.

    - Backup media is kept in a safe on a floor separate from the server room.

    - There is a security regulation about documents, but there is no assessment of practice.

    - Documents about system introduction & development are managed individually by operators.

    - There is a regulation including a condition about destruction of information assets. However, there is no instruction about the method or history of destruction.

    Recommendation

    - It is essential to inspect the in-and-out history periodically.

    - It is essential that documents about system introduction & development be managed in an integrated way, because of the possibility of leakage or loss.

    - It is essential that a destruction process for each type of media be made and that destruction results be managed for confirmation.

    Plan

    - Make & perform an assessment process for in-and-out control history

    - Make & perform an assessment process for backup media management history and storage condition

    - Make & perform a destruction process for systems and stored media (attach proof for confirmation when an important asset is destroyed)

    [Chart legend: Period (Short, Mid, Long); Priority (Low, Mid, High)]


    Sample Report > Roadmap

    [Roadmap chart: columns Short-Term, Mid-Term, Long-Term; rows Administrative security, Technical security. Items shown:]

    - Make & perform security process and operation

    - Prepare a checklist for security review / review system setup, security rules, etc.

    - Update filtered websites periodically

    - Review introducing a DB security solution and control access

    - Make a process to respond to intrusion / perform training about response

    - Make a process for destroying information assets

    - Make and perform a plan for security training

    - Make and perform a process for external personnel

    - Risk assessment

    - Review introducing a media control solution

    - Make & perform an assessment plan for Server/Network vulnerability

    - Store and transmit DB information (password, etc.) in encrypted form

    - Improve a guide about authorization management

    - Audit security periodically

    - Make Host access control solution

    - Make & perform a guide about OS patch update


    Copyright (C) AhnLab, Inc. 1988-2010. All rights reserved.

    AhnLab, the AhnLab logo, and V3 are trademarks or registered trademarks of AhnLab, Inc., in Korea and certain other countries. All other trademarks mentioned in this document are the property of their respective owners.

    AhnLab The Joy of Care-Free Your Internet World