Guideline for department and agency implementation of the Information Security Penetration Testing standard SEC/STD/03.



Similar documents
Managing internet security

How To Protect Decd Information From Harm

Critical Controls for Cyber Security.

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Data Access Request Service

ICANWK406A Install, configure and test network security

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Goals. Understanding security testing

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure

Section 12 MUST BE COMPLETED BY: 4/22

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

The Protection Mission a constant endeavor

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Central Agency for Information Technology

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

Cybersecurity Health Check At A Glance

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Penetration Testing. Presented by

Supplier Security Assessment Questionnaire

Simple Steps to Securing Your SSL VPN

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

Cyber Essentials Scheme

Automation Suite for. 201 CMR Compliance

Information Security Services

PCI Requirements Coverage Summary Table

IBM Global Technology Services Statement of Work. for. IBM Infrastructure Security Services - Penetration Testing - Express Penetration Testing

Office of Inspector General

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions

Supplier Information Security Addendum for GE Restricted Data

CONTENTS. PCI DSS Compliance Guide

A Rackspace White Paper Spring 2010

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

Evaluation Report. Office of Inspector General

How To Manage Security On A Networked Computer System

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009

External Supplier Control Requirements

External Supplier Control Requirements

Defending Against Data Beaches: Internal Controls for Cybersecurity

EA-ISP-012-Network Management Policy

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Risk Assessment Guide

White Paper. Information Security -- Network Assessment

1 Introduction 2. 2 Document Disclaimer 2

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

Newcastle University Information Security Procedures Version 3

Specific recommendations

Critical Security Controls

Network Security Policy

Estate Agents Authority

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

PCI Compliance. Top 10 Questions & Answers

<COMPANY> PR11 - Log Review Procedure. Document Reference Date 30th September 2014 Document Status. Final Version 3.

Global Partner Management Notice

THE OPEN UNIVERSITY OF TANZANIA

Policy Title: HIPAA Security Awareness and Training

ABB s approach concerning IS Security for Automation Systems

Computer and Network Security Policy

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

Network Security. 1 Pass the course => Pass Written exam week 11 Pass Labs

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

SANS Top 20 Critical Controls for Effective Cyber Defense

Network Security Policy

Aberdeen City Council IT Security (Network and perimeter)

We are Passionate about Total Security Management Architecture & Infrastructure Optimisation Review

BCS IT User Syllabus IT Security for Users Level 2. Version 1.0

MUNICIPAL WIRELESS NETWORK

Consensus Policy Resource Community. Lab Security Policy

CloudCheck Compliance Certification Program

Data Security Incident Response Plan. [Insert Organization Name]

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

Sygate Secure Enterprise and Alcatel

GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT

A Decision Maker s Guide to Securing an IT Infrastructure

Service Children s Education

Security Management. Keeping the IT Security Administrator Busy

Best Practices For Department Server and Enterprise System Checklist

Intro to Firewalls. Summary

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Network Security: Introduction

Better secure IT equipment and systems

Introduction to Cyber Security / Information Security

System Security Plan University of Texas Health Science Center School of Public Health

Using Remote Desktop Clients

Transcription:

Information Security Penetration testing Guideline Guideline for department and agency implementation of the Information Security Penetration Testing standard SEC/STD/03. Keywords: Information security penetration testing; SEC/STD/03; guideline; SEC/GUIDE/03 Identifier: SEC/GUIDE/03 Version no.: 1.0 Status: Final Issue date: N/A Date of effect: 1 May 2010 Next review date: In progress Owner: Government Services Division Department of Treasury and Finance Victorian Government Issuing authority: Government Services Division Department of Treasury and Finance Victorian Government The State of Victoria 2011 Copyright in this publication is reserved to the Crown in right of the State of Victoria. Other than for the purposes of and subject to the conditions prescribed under the Copyright Act, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system, or transmitted without prior written permission. Inquiries should be addressed to: Government Services Division Department of Treasury and Finance Government of Victoria Melbourne

Overview In November 2009 the Department of Treasury and Finance (DTF) published the whole of Victorian Government (WoVG) information security standard on penetration testing, SEC/STD/03 1. This standard describes the requirement for annual penetration testing of all externally facing applications and infrastructure, as well as business-assessed sensitive internal systems. It requires all inner budget departments and agencies to prepare a response to DTF: by May 2010 (now 30 June 2010) outlining the initial work plan for penetration testing; and annually on the results of penetration testing (1 November). Subsequent departmental penetration testing programs of work should be included in the overall departmental program of work in the response to the Information Security Management Framework SEC/STD/01 2. Audience Information security is the responsibility of all staff. These guidelines are therefore produced for the benefit of information owners, and the IT staff involved in compliance with SEC/STD/03. Context This guideline will assist departments in their consideration of compliance with SEC/STD/03 and should be read in conjunction with that standard. Suggested approach Phase 1: plan and consult The success of the penetration test will depend on a comprehensive planning and preparation phase. 1. Define the objectives of the proposed penetration test Document what the business is trying to achieve through the test. The objective will play a large part in defining the scope of the test. 2. Consider the legal and contractual obligations These obligations could potentially limit the time and nature of the test. Legal obligations, contractual service level agreements, availability requirements in contracts, throughput service level agreements and similar conditions will impact the scope of the test. 3. Ensure findings are covered under strict non-disclosure agreements Findings of penetration testing may contain sensitive security weakness information. Ensure that the project in general and the findings specifically are covered by the strictest nondisclosure agreements. 1 SEC/STD/03 Information Security Penetration Testing, http://www.enterprisesolutions.vic.gov.au/business-systems/information-security/ 2 SEC/STD/01 Information Security Management Framework, http://www.enterprisesolutions.vic.gov.au/business-systems/informationsecurity/

4. Discuss the risks Risks of conducting the penetration test need to be discussed with the stakeholders. This includes IT staff, application owners, business stakeholders and executive management. The outcomes of the risk discussion may have an impact on the scope of the test. 5. Finalise the scope Once the objective, legal and contractual obligations are completed and the risks discussed with stakeholders, finalise the actual scope of the penetration test. The scope should clearly define the timing, extent and nature of the test, including target systems, whether it needs to be a black box or a white box test etc. The scope should also specify the success criteria against which the department can measure results. 6. Notify appropriate stakeholders involved Appropriate stakeholders need to be identified. For example: internet services providers may need to be informed so that they don t automatically block sniffer packets; business executives may need to be informed if there is risk of system performance degradation; HR may need to be involved if a social engineering test is to be performed. 7. Develop and approve the test plan Develop a comprehensive test plan. Once this detailed, step-by-step plan is developed, business executives (the information owners) and other relevant stakeholders are required to approve it. Phase 2: reconnaissance and information gathering A penetration tester will generally use the same techniques and processes used by an external hacker. The first and most important step in penetration testing is gathering base information on the target system/network. This is called passive reconnaissance. This phase consists of: 1. gathering publicly available information; 2. gathering information from other sources; and 3. identifying target details. Phase 3: device/network enumeration and vulnerability scanning The authorised attack is carried out using public, customer and professional tools to identify the vulnerabilities that could be exploited by potential attackers. 1. Scan target network and identify devices; 2. Identify device operating systems; 3. Scan devices and networks for vulnerabilities; 4. Identify services/open ports; 5. Determine landscape of target network; 6. Identify vulnerabilities; and 7. Review logs. Phase 4: analysis of recommendations In this critical phase, the test team analyses the information and reports high-risk vulnerabilities and recommended controls to the sponsor. The final report must map the findings (the risks) to the department if the vulnerabilities had been exploited and threats were realised. The final report must contain the objectives and scope of the penetration test, findings and recommendations from each phase and the relative priority of these recommendations. 1. Assess weaknesses and impacts; 2. Identify controls/strategies for remediation; 3. Perform cost/benefit analysis; 4. Develop remediation action plan; and 5. Integrate action plan into the departmental risk management process.

Scoping considerations A non-exhaustive list of criteria to consider for testing of known and unknown vulnerabilities is given in the table below. The actual testing will depend on the purpose and scope of the test. Additional vulnerabilities will arise from time to time, while some existing vulnerabilities will be made redundant due to dynamically changing technologies. Therefore, this list acts as a guide only. Departments and agencies remain responsible for determining the scope and extent of their penetration testing. Physical access controls Social engineering Wireless devices Identify access points into the: premises; server room; and network. adequate access controls are provided on doors; alarm monitoring controls are in place; opportunities for tailgating exist; opportunities for shoulder surfing exist; adequate access controls to the server room exist; server security containers (racks) provide adequate access controls; any logging, auditing and monitoring is being conducted and how long the logs are maintained; dumpster-diving can reveal any information; classification-based physical containers and secure areas exist 3 ; and written sensitive information such as passwords or configuration details etc. are lying around on desks or desktops. Determine who has access to control mechanisms to the premises, server rooms, racks etc. Identify whether: opportunities for tailgating exist; opportunities for shoulder surfing exist; confidential/privileged information is available through telephone enquiries; confidential/privileged information is available from staff; and policies exist for confidentiality. Identify staff awareness of security requirements. Check for sensitive conversations in public areas e.g. canteens, coffee shops, breakout areas. Look for rogue wireless devices on the network. Identify: wireless endpoint devices on network/accessible in the area; and the wireless Access Points accessible in the area. the encryption mechanisms used; the Authentication mechanisms used; whether authorisation mechanisms (password length/complexity) are adequate; the model and firmware versions of wireless devices to see if vulnerabilities 3 Refer to the Australian Commonwealth Government s Protective Security Manual (PSM) produced by the Commonwealth Government s Attorney General s Department: https://www.protectivesecurity.gov.au/ and the Australian Commonwealth Government s Department of Defence Information Security Manual (ISM), September 2009, produced by the Defence Signals Directorate: http://www.dsd.gov.au/library/infosec/ism.html

Operating systems Network infrastructure Security devices exist; whether wireless access points/devices are physically accessible; the antenna type used on Access Points and their orientation; whether parameters on wireless devices are configured correctly; and the services/ports open on wireless devices. the version and service pack levels of identified devices; what ports are open on servers and workstations; what privileged accounts exist on servers and workstations; what privileged groups exist on servers and workstations; and what local and network user accounts exist. antivirus controls are in place and up to date; firewall controls are in use on local systems; security auditing is being conducted on local systems and servers; the authorisation mechanisms in place (password length/complexity) are adequate; the authentication mechanisms in place are adequate; rogue services are running on servers; and unauthorised applications are running on servers / workstations. Check: for user accounts not accessed in more than 30 days and the reasons; and details of privileged users how many, what access, need, etc. what devices are discoverable on the network; what network infrastructure is physically accessible; the model and firmware versions of network devices to see if vulnerabilities exist; what ports are open on network devices; what services are available; what authorisation mechanisms (password length/complexity) are in place; what authentication mechanisms are in place; and what local user accounts are on devices. rule-sets on applicable devices are configured appropriately; devices are configured appropriately with minimum access requirements; auditing is being conducted on network devices for access and changes; and physical connection to the network is accessible. Test authentication and authorisation services. what security devices are discoverable on the network; what security devices are physically accessible; what access is possible on security devices; and the model and firmware versions of security devices to see if vulnerabilities exist. security incidents and concerns are logged, monitored and reported; any controls exist to deter or prevent unauthorised access; antivirus controls are in place and whether the virus signatures are up to date; and network filtering devices exist. Check for adequacy of rule sets, access control lists, etc.

Web applications Applications Incident detection and response Information security policy Databases web services are hosted internally or externally by third party; identified websites are susceptible to known vulnerabilities; confidential information is accessible via websites; and appropriate secure communication channels exist between client and web server. what applications are hosted on corporate servers; the requirements for user access to websites, including; o the authorisation mechanisms in place; and o the authentication mechanisms in place; patch levels on web applications. what applications are on the network and their purpose; the version and release number of applications; the requirements for user access to applications, including; o the authorisation mechanisms in place; and o the authentication mechanisms in place; what information is accessible from the applications. any known vulnerabilities exist within the identified applications; the controls around the applications are appropriate for the classification level of the information stored within them; databases are associated to applications; and other applications share information with the application being assessed. incidents have been detected and what actions were taken; a policy and procedure exist to respond to incidents; staff are aware of policy and responsibilities in responding to incidents; and incidents are logged and audited. Determine the timeframe for incident detection to incident response. an information security policy exists; the information security policy is enforced; and controls in place reflect information security policy. adherence to information security policy; and user awareness of the information security policy what databases exist on the network the requirements for access to databases, including o the authorisation mechanisms in place o the authentication mechanisms in place what privileged accounts exist on databases the assignment of responsibilities of each privileged account Determine whether transaction logging and auditing is being performed.

Glossary of terms and abbreviations Term Internal penetration test External penetration test Vulnerability Meaning Penetration testing the systems and services that are accessible and exploitable from inside an agency level network, and identifying what information and systems can be viewed, and what vulnerabilities exist. Penetration testing the information, systems and vulnerabilities that are accessible and exploitable from outside the physical bounds of the network. For example, determining what can be identified and accessed from a public network. A flaw or weakness that can be exploited to gain an advantage. Version history Version Date GSD TRIM ref Details 1.0 13 May 2010 D10/37178 First promulgated

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information