Penetration testing
1
COMPSEC ‘97 Paper Abstracts relationships, the NTFS file system, auditing using the event log and common configuration errors. Title: Auditing the IT Security Function Author: Keith Osborne, ICL As many IT Security functions are relatively new, it may be the first time that a formal audit of the IT Security function has been undertaken. Additionally, there is as yet little published material, either articles or reference guides, on the audit of the IT Security function, so there may be little knowledge or experience on which to proceed. Another complication is that the IT Security function may be staffed by former peer (IT Audit) colleagues, which may give rise to unusual or difficult working relationships. Auditors will have a number of aspects that they will want to examine.The principal interest will be to see whether the IT Security f&&on’s approach is aligned with the five key pointers for effectiveness. From a management perspective, audit will want to determine whether the IT Security func- tion is effectively communicating IT Security policies and requirements to the organization as a whole. On the technical side, audit will be interested in examining the IT Security function’s responsibilities for security products, both hardware and software, and seeing how effectively the function has defined its requirements, evaluated and selected products, and implemented them. As education, training and awareness are impor- tant responsibilities of the IT Security function, audit will want to examine the public face of the IT Security function, to see how outward-facing the function is. Finally, as with the other function, audit will be inter- ested in aspects such as internal controls, cost-effective- ness and value-for-money Title: Key Concerns in a Review of Title: Securing Third Party Connections CAACF2/MVS Author: Eugene Schultz, SRI Author: Norman Cracker IBM mainframe installations started to protect com- puter data and transactions during the latter part of the 1970s. Since the IBM mainframe operating systems themselves do not incorporate suitable access control facilities several vendors began to market ‘add-on’ packages to provide these.The MVS market leader, in terms of total systems protected, has consistently been CA-ACF2. Part of its popularity has been due to its ability to protect complex environments, providing more powerful facilities and options than the other products.The very complexity which makes it such a powerful solution also makes it difficult to understand, particularly for the EDP Auditor who must be able to both detect potential exposures in the system and rec- ommend ways of operating in a more controlled man- ner. Based on about 40 CA-ACF2 audits carried out by the author and 18 years experience with the soft- ware, this paper will provide pointers to the most common problems found, show how to extract the relevant information from CA-ACF2 and discuss appropriate control measures. The paper will concen- trate on CA-ACF2 in the MVS environment, but many of the concerns and techniques will also apply in theVM andVSE environments. DAY 3: Friday 7th November STREAM 1: Network Security Title: Penetration Testing Author: Gary Hardy, Zergo In today’s ever expanding networking environment and growing use of the Internet, organizations are becoming more and more concerned about unautho- rized access to corporate data. As a consequence, more and more organizations are using penetration testing techniques to check their network defences. The paper will explain what penetration testing covers, the pros and cons, and how it should be undertaken. Several practical examples will be described. Beginmng in the early 199Os, organizations began con- necting to the Internet on a widespread basis. Although many of these organizations were quicker to develop Internet connectivity than to implement suitable secu- rity solutions, eventually (and often after costly security incidents have occurred) they installed effective Internet security control solutions such as firewalls to protect their networks. The problem of securing net- 524
-
Upload
gary-hardy -
Category
Documents
-
view
217 -
download
0
Transcript of Penetration testing
COMPSEC ‘97 Paper Abstracts
relationships, the NTFS file system, auditing using the event log and common configuration errors.
Title: Auditing the IT Security Function Author: Keith Osborne, ICL
As many IT Security functions are relatively new, it may be the first time that a formal audit of the IT Security function has been undertaken. Additionally, there is as yet little published material, either articles or reference guides, on the audit of the IT Security function, so there may be little knowledge or experience on which to proceed. Another complication is that the IT Security function may be staffed by former peer (IT Audit) colleagues, which may give rise to unusual or difficult working relationships. Auditors will have a number of aspects that they will want to examine.The principal interest will be to see whether the IT Security f&&on’s approach is aligned with the five key pointers for effectiveness. From a management perspective, audit will want to determine whether the IT Security func- tion is effectively communicating IT Security policies and requirements to the organization as a whole. On the technical side, audit will be interested in examining the IT Security function’s responsibilities for security products, both hardware and software, and seeing how effectively the function has defined its requirements, evaluated and selected products, and implemented them. As education, training and awareness are impor- tant responsibilities of the IT Security function, audit will want to examine the public face of the IT Security function, to see how outward-facing the function is. Finally, as with the other function, audit will be inter- ested in aspects such as internal controls, cost-effective- ness and value-for-money
Title: Key Concerns in a Review of Title: Securing Third Party Connections CAACF2/MVS Author: Eugene Schultz, SRI
Author: Norman Cracker
IBM mainframe installations started to protect com- puter data and transactions during the latter part of the 1970s. Since the IBM mainframe operating systems themselves do not incorporate suitable access control facilities several vendors began to market ‘add-on’ packages to provide these.The MVS market leader, in terms of total systems protected, has consistently been
CA-ACF2. Part of its popularity has been due to its ability to protect complex environments, providing more powerful facilities and options than the other products.The very complexity which makes it such a powerful solution also makes it difficult to understand, particularly for the EDP Auditor who must be able to both detect potential exposures in the system and rec- ommend ways of operating in a more controlled man- ner. Based on about 40 CA-ACF2 audits carried out by the author and 18 years experience with the soft- ware, this paper will provide pointers to the most common problems found, show how to extract the relevant information from CA-ACF2 and discuss appropriate control measures. The paper will concen- trate on CA-ACF2 in the MVS environment, but many of the concerns and techniques will also apply in theVM andVSE environments.
DAY 3: Friday 7th November
STREAM 1: Network Security
Title: Penetration Testing Author: Gary Hardy, Zergo
In today’s ever expanding networking environment and growing use of the Internet, organizations are becoming more and more concerned about unautho- rized access to corporate data. As a consequence, more and more organizations are using penetration testing techniques to check their network defences. The paper will explain what penetration testing covers, the pros and cons, and how it should be undertaken. Several practical examples will be described.
Beginmng in the early 199Os, organizations began con- necting to the Internet on a widespread basis. Although many of these organizations were quicker to develop Internet connectivity than to implement suitable secu- rity solutions, eventually (and often after costly security incidents have occurred) they installed effective Internet security control solutions such as firewalls to protect their networks. The problem of securing net-
524
