• Embed Doc
  • Copy Link
  • Readcast
  • Collections
  • CommentGo Back
Download
 
 
The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that applyspecifically to IS auditing. One of the goals of the Information Systems Audit and Control Association
(ISACA
) is to advance globallyapplicable standards to meet its vision. The development and dissemination of the IS Auditing Standards are a cornerstone of theISACA professional contribution to the audit community. The framework for the IS Auditing Standards provides multiple levels of guidance.
Standards
 
define mandatory requirements for IS auditing and reporting. They inform:
IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACACode of Professional Ethics for IS auditors
Management and other interested parties of the profession’s expectations concerning the work of practitioners
Holders of the Certified Information Systems Auditor 
(CISA
®
) designation of requirements. Failure to comply with these standardsmay result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or appropriate ISACA committee and,ultimately, in disciplinary action.
Guidelines
 
provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieveimplementation of the standards, use professional judgment in their application and be prepared to justify any departure. The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.
 
Procedures
 
provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provideinformation on how to meet the standards when performing IS auditing work, but do not set requirements. The objective of the ISAuditing Procedures is to provide further information on how to comply with the IS Auditing Standards.
C
OBI
T
resources should be used as a source of best practice guidance. Each of the following is organised by IT management process,as defined in the C
OBI
T
Framework 
. C
OBI
T is intended for use by business and IT management, as well as IS auditors; therefore, itsusage enables the understanding of business objectives, communication of best practices and recommendations to be made around acommonly understood and well-respected standard reference. C
OBI
T includes:
 
Control Objectives
—High-level and detailed generic statements of minimum good control
 
Control Practices
—Practical rationales and “how to implement” guidance for the control objectives
 
 Audit Guidelines
—Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance andsubstantiate the risk of controls not being met
 
Management Guidelines
—Guidance on how to assess and improve IT process performance, using maturity models, metrics andcritical success factors
 
Glossary
 
of terms can be found on the ISACA web site at
www.isaca.org/glossary 
. The words audit and review are usedinterchangeably.
 
Disclaimer
:
ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professionalresponsibilities set out in the ISACA Code of Professional Ethics for IS auditors
.
ISACA makes no claim that use of this product willassure a successful outcome. The publication should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specificprocedure or test, the controls professional should apply his/her own professional judgment to the specific control circumstancespresented by the particular systems or information technology environment.The ISACA Standards Board is committed to wide consultation in the preparation of the IS Auditing Standards, Guidelines andProcedures. Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment.The Standards Board also seeks out those with a special expertise or interest in the topic under consideration for consultation wherenecessary. The Standards Board has an ongoing development programme and welcomes the input of ISACA members and other interested parties to identify emerging issues requiring new standards. Any suggestions should be e-mailed (
standards@isaca.org 
),faxed (+1.847. 253.1443) or mailed (address at the end of document) to ISACA International Headquarters, for the attention of thedirector of research, standards and academic relations.This material was issued on 1 July 2004.
Information Systems Audit and Control Association 2003-2004 STANDARDS BOARD
 
Chair, Claudio Cilli, Ph.D., CISA, CIA, CISSP Value Partners, ItalySvein Aldal Scandinavian Business Security AS, NorwaySergio Fleginsky, CISA PricewaterhouseCoopers, UruguayChristina Ledesma, CISA, CISM Citibank NA Sucursal, UruguayAndrew MacLeod, CISA, CIA, FCPA, PCP Brisbane City Council, AustraliaRavi Muthukrishnan, CISA, CISM, FCA, ISCA NextLinx India Private Ltd., India
 
Peter Niblett, CISA, CA, CIA, FCPA WHK Day Neilson, AustraliaJohn G. Ott, CISA, CPA Aetna Inc., USA
IS AUDITING PROCEDURE
SECURITY ASSESSMENT–PENETRATIONTESTING AND VULNERABILITY ANALYSIS
 
DOCUMENT P8
 
 
Page 2 Penetration Testing and Vulnerability Analysis Procedure
1. BACKGROUND1.1 Linkage to Standards
 
1.1.1
Standard S6 Performance of Audit Work states, “IS audit staff should be supervised to provide reasonable assurance thataudit objectives are accomplished and applicable professional auditing standards are met.”
1.1.2
 
Standard S6 Performance of Audit Work states, "During the course of the audit, the IS auditor should obtain sufficient, reliableand relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriatedocumented analysis and interpretation of this evidence."
1.1.3
 
Procedure P3 Intrusion Detection Systems (IDS) Review provides guidance.
 
1.1.4
 
Guideline G25 Review of Virtual Private Networks provides guidance.
 
1.2
 
Linkage to C
OBI
T1.2.1
 
C
OBI
T
 
Framework 
states, "It is management's responsibility to safeguard all the assets of the enterprise. To discharge thisresponsibility as well as to achieve its expectations, management should establish an adequate system of internal control."
 1.2.2
C
OBI
T
Management Guidelines
provides a management-oriented framework for continuous and proactive control self-assessment specifically focused on:
Performance measurement—How well is the IT function supporting business requirements?
IT control profiling—What IT processes are important? What are the critical success factors for control?
Awareness—What are the risks of not achieving the objectives?
Benchmarking—What do others do? How can results be measured and compared?
1.2.3
C
OBI
T
Management Guidelines
provides example metrics enabling assessment of IT performance in business terms. The keygoal indicators identify and measure outcomes of IT processes and the key performance indicators assess how well theprocesses are performing by measuring the enablers of the process. Maturity models and maturity attributes provide for capability assessments and benchmarking, helping management to measure control capability and to identify control gapsand strategies for improvement.
1.2.4
C
OBI
T
Management Guidelines
can be used to support self-assessment workshops and can also be used to support theimplementation by management of continuous monitoring and improvement procedures as part of an IT governance scheme.
1.2.5
C
OBI
T provides a detailed set of controls and control techniques for the information systems management environment.Selection of the most relevant material in C
OBI
T applicable to the scope of the particular audit is based on the choice of specific C
OBI
T IT processes and consideration of C
OBI
T information criteria.
 
1.2.6
The C
OBI
T references located in the appendix of this document outline the specific objectives or processes of C
OBI
T thatshould be considered when reviewing the area addressed by this guidance.
1.3 Need for Procedure
 
1.3.1
Primarily intended for IS auditors—internal as well as external auditors—this document can be used by other IS securityprofessionals with responsibilities in capacity of information security.
1.3.2
Modern businesses are organised as a set of core processes operating within supply and demand networks. Almost everyorganisation in the world is faced with increasing pressure for effectiveness and efficiency (i.e., higher quality requirements for products and services, increased revenue, cost reduction, new product development), a pressure for better, faster andcheaper processes. These increasingly complex operating networks are supported by available communication technologies(mainly the Internet), allowing businesses to focus on their core competencies and partner with others to deliver enhancedvalue to customers; thereby, complexity introduces multiple avenues of threats and vulnerabilities.
1.3.3
The transformation of the old processes is enabled by new communication channels. These channels provide new linkingpossibilities among different systems and networks, making them available to more people and letting the organisations andtheir processes interact (e.g., e-procurement and e-sourcing).
 
1.3.4
 
This document provides guidance for IS auditors who are required increasingly to audit or review perimeter and internalcontrols to provide reasonable assurance that all external and internal threats, including potential system compromises, areminimised by identification and correction of vulnerabilities detected in performing a penetration test and vulnerabilityassessment.
1.3.5
This procedure is not a substitute for an internal audit including an organisationwide risk assessment and internalgeneral controls and application audits of all critical infrastructures and applications, including those with financialstatement implications. Weaknesses in a noncritical infrastructure and applications component could have aconsequential impact on a critical infrastructure and application components; therefore, a system wide audit shouldbe completed in its totality and not in a piece-meal fashion.
 
2.
 
PENETRATION TESTING
 
2.1
 
Introduction and Planning
 
2.1.1
 
The penetration testing scope determines whether the individual tasks should occur in phases or in single sequence. The ISauditor’s review should begin with a formal threat assessment to ascertain the likelihood of any threats to the organisationresulting from, among other reasons, hardware and/or software failures, internal employee compromise or data theft, or outside attacks.
2.1.2
 
The risks associated with unauthorised access vary from financial loss; inappropriate release of personal, commercial or politically sensitive information; and reputation lost; to total loss of system control. The specific information system risk of unauthorised access to information resources includes loss of system availability, data and processing integrity, andinformation confidentiality.
2.1.3
 
The purpose of this procedure is to test controls that should be employed to protect against unauthorised access. Sincemethods used for unauthorised access vary greatly and are becoming more sophisticated, the procedures defined are general
 
 
Penetration Testing and Vulnerability Analysis Procedure Page 3
 
in nature and should be supplemented, wherever possible, with techniques and tools specific to the environment(s) under examination.
2.1.4
 
The significant difference in the actions taken by an IS auditor performing penetration testing (beyond having managementauthority) and a hacker is that the former is searching for (via testing) as many potential vulnerabilities as the testingscript/program mandates, while hackers ordinarily will search for a specific vulnerability(ies) to exploit to fulfil their goal of (typically) obtaining control, or disrupting the operation or availability of the system. The hacker is likely to continue to attemptto find additional vulnerabilities once one is found to obtain increased system privileges and to protect against the increasedrisk of detection. Therefore, while an IS auditor performing penetration testing has a greater overall scope for finding generalvulnerabilities, the hacker is likely to attempt to exploit any identified vulnerabilities more extensively.
2.2
 
Record Keeping
 
2.2.1
Records should be in sufficient detail to support the findings and conclusions reached as a result of the testing to:
Defend against accusations of unethical or unauthorised practices against the IS auditor performing the test
Provide the organisation with a detailed description of the weaknesses and how they were identified and exploited
Provide an audit log for future testing to provide reasonable assurance that vulnerabilities identified have beenaddressed
Demononstrate the possibility and risk of unauthorised access from any determined/willing attacker possessing the skills
3. TYPES OF PENETRATION TESTING AND VULNERABILITY ASSESSMENT3.1
 
Scope of Evaluation3.1.1
There are several types of penetration tests that will, depending upon the circumstances, affect the scope of the evaluation,methodology adopted and assurance levels of the audit.
3.1.2
 
The individual (appropriate IT management) responsible for safeguarding the organisation should evaluate variousalternatives, selecting that which provides the maximum level of assurance with the least disruption acceptable to theorganisation (cost/risk analysis).
3.1.3
 
There should be agreement on the type of penetration testing to be carried out–intrusive or nonintrusive.
4.
 
EXTERNAL PENETRATION TESTING AND VULNERABILITY ASSESSMENT4.1
 
Internet4.1.1
The purpose of Internet testing is to compromise the target network. The methodology needed to perform this test allows for asystematic checking for known vulnerabilities and pursuit of potential security risks. The methodology ordinarily employedincludes the processes of:
Information gathering (reconnaissance)
Network enumeration
Vulnerability analysis
Exploitation
Results analysis and reporting
4.1.2
There are several variations to the processes listed in section 4.1.1. However, a common, standardised and objective script isordinarily followed and should provide a detailed and exact method of execution. In addition, the intricacies of newvulnerabilities and methods of exploitation require detailed study with a history of information to draw upon.
4.2 Dial-in
 
4.2.1
War dialling is the systematic calling of each number in the target range in search of listening modems. Once all listeningmodems are identified, brute force default password attempts or strategic guessing attempts are made on theusername/password challenge (sometimes only passwords are necessary) to gain unauthorised access.
4.2.2
 
Access to the login screen banner is crucial to accessing any system. Some systems require only a password, which can be avendor-provided default password or just hitting “enter.”
4.2.3
 
At times of poor configuration, even a login banner does not appear and access is granted directly devoid of anyauthentication mechanism.
5. INTERNAL PENETRATION TESTING AND VULNERABILITY ASSESSMENT5.1 Goal5.1.1
 
The goal of internal penetration testing is to ascertain vulnerabilities inside the network perimeter. The testing performedclosely parallels that which an internal IS auditor will be assigned to audit, given the size, complexity and financial resourcesdevoted to risk associated with lack of security concerns. The overall objective is to identify potential vulnerabilities within theinternal network and weaknesses in controls in place to prevent and/or detect their exploitation by a hacker/maliciousemployee/contractor who may obtain unauthorised access to information resources or cause system disruption or a systemoutage.
5.1.2
 
The first phase relates to information gathering, which is comprised of public information search, googling, obtaining maximuminformation about business, employees, etc., thereby profiling the target. For instance this phase may result in obtainingresumes/CVs of employees which may be useful in understanding technologies employed at the attack site.
5.1.2
The first testing goal is to ascertain the internal network topology or footprint that provides a map of the critical accesspaths/points and devices including their Internet protocol (IP) address ranges. This is the network discovery stage.
5.1.3
Once critical points/devices are identified within the network, the next step is to attack those devices given the various types of known vulnerabilities within the system and operating software running on the devices (e.g., UNIX, NT, Apache, Netscape and
of 00

Leave a Comment

You must be to leave a comment.
Submit
Characters: ...
You must be to leave a comment.
Submit
Characters: ...