
GRC & AUDIT

ADVANCED CLOUD SECURITY COURSE


Advanced Cloud Security course

Presented By:-
- Hossam Shaaban Eissa
- Moatasem Ali
- Saber Abdel wahab

Presented To :-
Dr. Nour Mohamed
Agenda

 Microsoft Hyper-V
 Oracle VM VirtualBox
 Red Hat Enterprise Virtualization
 XenServer / Citrix Hypervisor
 Kernel Virtual Machine
 VMware Fusion
 Nutanix Hyperconverged Infrastructure
 Parallels Desktop
 QEMU
 Virtuozzo
Advanced Cloud Security course

IT GRC and Audit: Understanding the Basics


IT auditing

• IT auditing is the process of evaluating and reviewing an organization's information technology infrastructure, policies, and operations to determine whether they align with the organization's goals, comply with industry standards and regulations, and are secure and reliable.
• IT auditing involves examining various aspects of an organization's IT systems, including hardware, software, networks, data storage, and security protocols.
• The primary goal of IT auditing is to identify potential risks and vulnerabilities in an organization's IT systems and provide recommendations for improving the effectiveness and efficiency of the IT operations. IT auditors assess the adequacy and effectiveness of the controls in place to manage the risks associated with the use of technology.
• IT auditing is an essential component of corporate governance and risk management, and it helps organizations to ensure the confidentiality, integrity, and availability of their information assets. IT auditors typically have specialized knowledge and training in technology, accounting, and risk management.
What is IT GRC

 IT GRC refers to the management of Governance, Risk, and Compliance in the context of IT or information
technology. It is a framework that enables organizations to align their IT processes and activities with business
objectives and regulatory requirements.

 It includes tools and processes to unify an organization's governance and risk management with its technological
innovation and adoption.
What is the purpose of IT GRC?

• The purpose of IT GRC is to establish a structured approach to managing the risks and compliance obligations associated with IT operations. By implementing IT GRC, organizations can ensure that their IT systems and processes are aligned with their business objectives and compliant with relevant laws and regulations. This, in turn, helps to reduce the risk of security breaches, data loss, and other IT-related incidents that could harm the organization.

• Companies use GRC to achieve organizational goals reliably, remove uncertainty, and meet compliance requirements.
Components of IT GRC

• Governance:
IT governance refers to the framework of policies, procedures, and decision-making processes that guide the management of IT systems and infrastructure. It includes:
  • the strategic planning
  • performance management
  • resource allocation necessary to ensure that IT resources are effectively deployed to support the organization's objectives
Governance also involves defining roles and responsibilities, establishing accountability, and ensuring that there are appropriate controls and oversight mechanisms in place to manage risks.
Governance

 Good governance includes the following:


 Ethics and accountability
 Transparent information sharing
 Conflict resolution policies
 Resource management

 Effective IT governance involves defining roles and responsibilities, establishing policies and procedures, and ensuring that
there are appropriate controls and oversight mechanisms in place
 By implementing IT governance as part of IT GRC, organizations can ensure that their IT systems and processes are
managed in a way that supports their business objectives, minimizes risks, and ensures compliance with regulatory
requirements
Risk

 IT risk management involves


 identification
 assessment
 mitigation of potential risks associated with IT operations

 This includes risks related to data security, system failures, and regulatory compliance. Risk management aims to minimize
the negative impact of IT-related risks on the organization by implementing controls and processes to reduce the likelihood
of a risk occurring or mitigate the consequences of a risk event.
IT Risk Management

• The role of IT risk management in IT GRC is to help organizations understand and manage the risks associated with their IT operations. IT risk management helps organizations to identify potential risks, assess the likelihood and impact of those risks, and prioritize mitigation efforts to reduce the overall risk exposure.

• Effective IT risk management involves a structured approach to identifying and assessing risks, implementing appropriate controls and safeguards to mitigate risks, and monitoring and reporting on risk management activities.
• By incorporating IT risk management into IT GRC, organizations can ensure that they are effectively managing the risks associated with their IT operations and are aligning their risk management efforts with their business objectives and compliance obligations.
Compliance

 IT compliance refers to the adherence of IT systems and processes to applicable laws, regulations, and standards
 This includes regulatory requirements related to data privacy, security, and other IT-related matters.

 Compliance involves ensuring that IT systems are designed and operated in a manner that meets the relevant compliance
requirements, and that adequate measures are in place to monitor and report on compliance.
 Compliance is essential to prevent legal and financial penalties and to maintain the organization's reputation.
IT Compliance

• The role of IT compliance in IT GRC is to ensure that organizations are meeting their legal, regulatory, and contractual obligations related to IT operations. This includes requirements related to data privacy, security, and other IT-related matters. IT compliance involves understanding the relevant compliance requirements, developing policies and procedures to meet those requirements, and implementing controls and safeguards to ensure ongoing compliance.
• Effective IT compliance involves a structured approach to compliance management that includes risk assessments, compliance audits, and ongoing monitoring and reporting. By incorporating IT compliance into IT GRC, organizations can ensure that they are meeting their legal and regulatory obligations related to IT operations and are reducing the risk of legal and financial penalties. Additionally, effective IT compliance helps to maintain the organization's reputation and builds trust with customers and stakeholders.
Why is GRC important?

 By implementing GRC programs, businesses can make better decisions in a risk-aware environment. An effective
GRC program helps key stakeholders set policies from a shared perspective and comply with regulatory requirements.
With GRC, the entire company comes together in its policies, decisions, and actions. 
 The following are some benefits of implementing a GRC strategy at your organization.
 Data-driven decision-making
 You can make data-driven decisions within a shorter time frame by monitoring your resources, setting up rules or frameworks, and using GRC software and
tools.

 Responsible operations
 GRC streamlines operations around a common culture that promotes ethical values and creates a healthy environment for growth. It guides strong
organizational culture development and ethical decision-making in the organization.

 Improved cybersecurity
 With an integrated GRC approach, businesses can employ data security measures to protect customer data and private information. Implementing a GRC
strategy is essential for your organization due to increasing cyber risk that threatens users' data and privacy. It helps organizations comply with data privacy
regulations like the General Data Protection Regulation (GDPR). With a GRC IT strategy, you build customer trust and protect your business from penalties.
How does GRC work?

 GRC in any organization works on the following principles:


 Key stakeholders
 GRC requires cross-functional collaboration across different departments that practices governance, risk management, and regulatory
compliance. Some examples include the following:
 Senior executives who assess risks when making strategic decisions
 Legal teams who help businesses mitigate legal exposures
 Finance managers who support compliance with regulatory requirements
 HR executives who deal with confidential recruitment information
 IT departments that protect data from cyber threats
Common GRC tools

• GRC tools are software applications that businesses can use to manage policies, assess risk, control user access, and streamline compliance. You might use some of the following GRC tools to integrate business processes, reduce costs, and improve efficiency.

 User management
 You can give various stakeholders the right to access company resources with user management software. This software supports
granular authorization, so you can precisely control who has access to what information. User management ensures that everyone can
securely access the resources they need to get their work done.
 Security information and event management
 You can use security information and event management (SIEM) software to detect potential cybersecurity threats. IT teams use SIEM
software like AWS CloudTrail to close security gaps and comply with privacy regulations
IT GRC Tools

• GRC: ThreadFix

• Audit: Open-AudIT
Advanced Cloud Security course

ThreadFix
Agenda
• Introduction / Background
• Vulnerabilities
– Infrastructure (Network) vs. Application (Software)
• Roles
– Security vs. Development
• Vulnerability Workflow
• ThreadFix: An Open Source Tool
• Questions
ThreadFix

ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.
Vulnerabilities: Defined

• Infrastructure (Network):
– any flaw or weakness in network defense that could be exploited to gain
unauthorized access to, damage , or otherwise affect a network
• Application (Software):
– a weakness in an application, either a design flaw or an implementation bug, that allows
an attacker to cause harm to the stakeholders of an application.
Problem isn’t finding vulnerabilities, it’s fixing them
– Identifying application-level vulnerabilities via scanning tools, penetration tests and
code reviews is only the first step in actually addressing the underlying risk.
Vulnerability Fun Facts:

• Average number of serious vulnerabilities found per website per year is 79 **
• Serious vulnerabilities were fixed in ~38 days **
• Percentage of serious vulnerabilities fixed annually is only 63% **
• Average number of days a website is exposed to at least one serious vulnerability: ~231 days

** WhiteHat Statistics Report (Summer 2012): https://www.whitehatsec.com/assets/WPstats_summer12_12th.pdf
The Problem

• Every day organizations face increasing pressure to secure their systems.
• A malicious attack can expose data, interrupt operations and be very expensive to recover from.
• Protection often starts with securing infrastructure, but that's not enough.
Introduction :

• Vulnerable software leaves open doors for malicious attacks on critical data and systems.
• To address software security risk, a typical security team will buy a scanning tool that finds vulnerabilities in their software.
• The security team tests the software and generates a report of what's wrong without fixing the vulnerabilities they find.
• The problem isn't finding vulnerabilities, it's fixing them. Identifying application-level vulnerabilities via scanning tools, penetration tests and code reviews is only the first step in actually addressing the underlying risk.
• These reports are sent to the development team, adding more to their plate that's already full of new features to deliver.
• Receiving frequent reports of vulnerabilities often leads a frustrated development team to push security further onto the back burner.
Security team vs. Development team

• Meanwhile, the security team has discovered that more tools and other activities like penetration tests are needed to get better coverage.
• More tools mean more reports, with even more formats and grading systems.
• This constant back and forth between security and development teams leads to more frustration, more time wasted and fewer vulnerabilities fixed.
Security Team vs. Development Team:

Security Team: Identify / Communicate Risk
• Penetration Testing
• Application Scanning
• Protecting Assets
• Mitigating Risk

Development Team: Building Software
• Feature Development
• Application Performance
• Bug Fixes
• Deployments

Typically, teams that find vulnerabilities (Security) don't know how to fix / remediate.
Typically, teams that fix vulnerabilities (Development) don't understand the potential business risk / impact.
That's where ThreadFix comes in.

• "Two teams with different focuses; however, both teams play a critical role in the remediation of application vulnerabilities, and need to communicate."
• But what if there was a way to unify these reports to create a single normalized view of what to tackle and where?
• ThreadFix streamlines this process by bringing multiple tools alongside other testing activities to create a unified security view.
• Security teams can quickly pinpoint the most critical vulnerabilities.
• New defects are fed into the tracking system that development teams are already using, avoiding a mess of spreadsheets and separate trackers.
• ThreadFix also automatically allows security teams to keep tabs on the defects, allowing the teams to coordinate release cycles effectively.
ThreadFix

 Open source vulnerability management and aggregation platform:


 Allows software security teams to reduce the time to remediate software vulnerabilities
 Enables managers to speak intelligently about the status / trends of software security within their
organization.
 Features/Benefits:
 Imports dynamic, static and manual testing results into a centralized platform
 Removes duplicate findings across testing platforms to provide a prioritized list of security faults
 Eases communication across development, security and QA teams
 Exports prioritized list into defect tracker of choice to streamline software remediation efforts
 Auto generates web application firewall rules to protect data during vulnerability remediation
 Empowers managers with vulnerability trending reports to pinpoint issues and illustrate application
security progress
 Benchmark security practice improvement against industry standards
List of Supported Tools / Technologies:

ThreadFix integrates with more than 40 testing; governance, risk, and compliance (GRC); and defect tracking tools, including:

Dynamic Scanners: Acunetix, Arachni, Burp Suite, HP WebInspect, IBM Security AppScan Standard, IBM Security AppScan Enterprise, Mavituna Security Netsparker, NTO Spider, OWASP Zed Attack Proxy
Static Scanners: FindBugs, IBM Security AppScan Source, HP Fortify SCA, Microsoft CAT.NET
SaaS Testing Platforms: WhiteHat, Veracode, QualysGuard WAS
IDS/IPS and WAF: DenyAll, F5, Imperva, Mod_Security, Snort
Defect Trackers: Atlassian JIRA, Microsoft Team Foundation Server, Mozilla Bugzilla
Known Vulnerable Component Scanner: Dependency Check

Large Range of Tool Compatibility
What Can We Do With ThreadFix?

• Create a consolidated view of your applications and vulnerabilities
• Prioritize application risk decisions based on data
• Translate vulnerabilities to developers in the tools they are already using.
• It provides access to powerful analytics.
• Drive efficiency with automation and orchestration
• Organize, prioritize, and speed up your security processes.
• Quickly spot vulnerability trends to prioritize security efforts.
• Streamline workflows among teams to fix vulnerabilities faster.
• Track vulnerabilities identified by scanners, manual testing, and other assurance activities.
• Automatically combine and deduplicate results from multiple scanners for easy management.
• Apply DevOps concepts for continuous vulnerability resolution to reduce mean-time-to-fix.
• Make smarter remediation decisions: vulnerability trending reports, metrics, analysis, and dashboards help you characterize the true state of vulnerability resolution within your organization.
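The Features/Benefits slide and the list above both describe the core of what an aggregation platform does: import results from several scanners, normalize them, remove duplicate findings, prioritize, and hand the result to the defect tracker developers already use. The following is an added example written for this course page; it is not ThreadFix code and does not use ThreadFix's or any real scanner's file format. The two "dynamic scanner" reports, the "static analyser" report, the field names, and the CWE-plus-location de-duplication key are all constructed assumptions, chosen to show the technique rather than a particular product.

```python
"""Normalize, de-duplicate and prioritize findings from several scanners.

Added example for the course page; the report formats below are constructed
for illustration and are NOT the output format of ThreadFix or any real scanner.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Canonical severity order used for prioritization (scanner-specific labels are
# mapped onto these keys during normalization).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    cwe: int          # CWE id identifies the weakness class independent of scanner naming
    location: str     # URL path (dynamic scan) or source file (static scan)
    parameter: str    # affected input; "" when not applicable
    severity: str     # one of SEVERITY_RANK's keys
    sources: tuple    # names of the scanners that reported it


# Constructed sample output of two hypothetical dynamic scanners.
DYNAMIC_SCANS = {
    "scanner-a": [
        {"name": "Cross-Site Scripting (reflected)", "cwe": 79,
         "url": "https://app.example.test/search?q=x", "param": "q", "risk": "High"},
        {"name": "Missing X-Frame-Options", "cwe": 1021,
         "url": "https://app.example.test/", "param": "", "risk": "Low"},
    ],
    "scanner-b": [
        # Same weakness, same page and parameter as scanner-a, different wording and rating.
        {"name": "XSS", "cwe": 79,
         "url": "https://app.example.test/search?q=%3Cscript%3E", "param": "q", "risk": "Medium"},
    ],
}
# Constructed sample output of a hypothetical static analyser.
STATIC_SCAN = [
    {"category": "SQL Injection", "cwe_id": "CWE-89", "file": "src/db/orders.py",
     "line": 42, "severity": "Critical"},
]


def normalize_dynamic(scanner, rows):
    """Map a dynamic scanner's rows onto Finding; the query string is dropped so
    the same page reported with different payloads collapses to one location."""
    return [Finding(int(r["cwe"]), urlparse(r["url"]).path, r["param"],
                    r["risk"].lower(), (scanner,)) for r in rows]


def normalize_static(scanner, rows):
    """Map a static analyser's rows onto Finding (CWE given as 'CWE-NNN')."""
    return [Finding(int(r["cwe_id"].split("-")[1]), r["file"], "",
                    r["severity"].lower(), (scanner,)) for r in rows]


def merge(findings):
    """Collapse findings that describe the same weakness at the same location,
    keeping the highest severity any tool assigned and recording every source."""
    merged = {}
    for f in findings:
        key = (f.cwe, f.location, f.parameter)
        if key in merged:
            old = merged[key]
            severity = max(old.severity, f.severity, key=SEVERITY_RANK.__getitem__)
            sources = tuple(sorted(set(old.sources) | set(f.sources)))
            merged[key] = Finding(f.cwe, f.location, f.parameter, severity, sources)
        else:
            merged[key] = f
    return list(merged.values())


def prioritize(findings):
    """Highest severity first; ties broken by how many independent tools agree."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], len(f.sources)),
                  reverse=True)


def to_ticket(f):
    """Shape one finding as a defect-tracker issue a developer can act on."""
    where = f.location + (f" (parameter '{f.parameter}')" if f.parameter else "")
    return {
        "title": f"[{f.severity.upper()}] CWE-{f.cwe} at {where}",
        "labels": ["security", f"cwe-{f.cwe}"],
        "body": f"Reported by: {', '.join(f.sources)}",
    }


def build_backlog():
    """End-to-end: import every report, normalize, de-duplicate, prioritize, export."""
    raw = []
    for scanner, rows in DYNAMIC_SCANS.items():
        raw.extend(normalize_dynamic(scanner, rows))
    raw.extend(normalize_static("static-analyser", STATIC_SCAN))
    return [to_ticket(f) for f in prioritize(merge(raw))]


if __name__ == "__main__":
    for ticket in build_backlog():
        print(ticket["title"], "|", ticket["body"])
```

Four raw findings become three tickets: the two XSS reports on the same page and parameter merge into one high-severity item that names both scanners, which is exactly the "single normalized view" the slides argue for. The de-duplication key is deliberately coarse (CWE, location, parameter); a real platform also has to map static file paths onto the URLs a dynamic scanner sees before the two kinds of result can be merged.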
Where to Get ThreadFix
• For more information, go to http://www.denimgroup.com/threadfix
• Directed to a Google Code Repository and download the zip file.
• Click on the Threadfix.bat icon in Windows, or, in Linux, navigate to
the folder and execute bash threadfix.sh.
• Go on the wiki and open the “Getting Started” file for more step by
step directions.
Contact Information :
Brian Mather
Product & Consulting Manager
brian@denimgroup.com
(210) 572-4400
www.denimgroup.com
www.threadstrong.com
blog.denimgroup.com
Summary

• Communication between security & development teams is inefficient
• Current Vulnerability Management process
• ThreadFix facilitates communication between security &
development
– Integrating with commercial and open source scanners & defect trackers
– Reducing the time required to fix vulnerable applications.
– Dramatically simplifying remediation effort required
– Providing centralized visibility into current security state of applications
– Giving security ability to benchmark progress & track progress over time
• No licensing fees
– Freely available under the Mozilla Public License (MPL) via Google Code
• Open community support
Advanced Cloud Security course

Using Open-AudIT for Efficient IT Auditing


Introduction

 IT auditing is critical for organizations to ensure their IT infrastructure is secure and in compliance with
regulatory requirements.
 Open-AudIT is an open-source software that can help organizations streamline their IT auditing process.
 This presentation provides an overview of Open-AudIT and its capabilities for IT auditing.
Introduction

• Open-AudIT is an application to tell you exactly what is on your network, how it is configured, and when it changes.
• Open-AudIT will run on Windows and Linux systems.
• Essentially, the entire application is written in PHP, Bash and VBScript. These are all 'scripting' languages: no compiling, and human-readable source code. Making changes and customizations is both quick and easy.
• Data about the network is inserted via a Bash script (Linux) or VBScript (Windows).
• Open-AudIT is a database of information that can be queried via a web interface.

Introduction

 Network devices (printers, switches, routers, etc) can have data recorded such as IP-Address, MAC
Address, open ports, serial number, etc..
 Windows PCs can be queried for hardware, software, operating system settings, security settings, IIS
settings, services, users & groups and much more.
 Linux systems can be queried for a similar amount of information.
 Output is available in PDF, CSV and webpages.
 There are export options for Dia and Inkscape.
 Open-AudIT can be configured to scan your network and devices automatically.
 A daily scan is recommended for systems, with network scans every couple of hours. That way, you
can be assured of being notified if something changes (day to day) on a PC, or even sooner, if
something "new" appears on your network.
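The scan schedule above only pays off if someone compares one day's inventory with the next and is told what changed: a device that was never seen before, a device that disappeared, a newly opened port, or software that was not installed yesterday. The following is an added example for this course page, not Open-AudIT code, and the two snapshots use a small dict layout constructed for illustration rather than Open-AudIT's database schema. Devices are keyed by MAC address on the assumption that an IP address may change between scans while the MAC does not.

```python
"""Diff two inventory snapshots and report what changed on the network.

Added example for the course page. The snapshot layout and all device data are
constructed for illustration; this is not Open-AudIT's schema or code.
"""

# Fields compared as single values versus fields compared as sets.
SCALAR_FIELDS = ("ip", "type", "serial")
SET_FIELDS = ("ports", "software")

# Constructed snapshot from yesterday's scan, keyed by MAC address.
YESTERDAY = {
    "00:11:22:33:44:01": {"ip": "10.0.0.10", "type": "server", "serial": "SRV-001",
                          "ports": {22, 443}, "software": {"nginx 1.24", "openssh 9.6"}},
    "00:11:22:33:44:02": {"ip": "10.0.0.20", "type": "printer", "serial": "PRN-77",
                          "ports": {9100}, "software": set()},
}
# Constructed snapshot from today's scan: the server gained a port and a package,
# the printer is gone, and an unknown device has appeared.
TODAY = {
    "00:11:22:33:44:01": {"ip": "10.0.0.10", "type": "server", "serial": "SRV-001",
                          "ports": {22, 443, 3389},
                          "software": {"nginx 1.24", "openssh 9.6", "anydesk 8.0"}},
    "00:11:22:33:44:99": {"ip": "10.0.0.77", "type": "", "serial": "",
                          "ports": {445}, "software": set()},
}


def diff_inventory(before, after):
    """Return new devices, missing devices, and per-field changes on devices seen in both."""
    report = {"new_devices": [], "missing_devices": [], "changes": []}
    report["new_devices"] = sorted(after.keys() - before.keys())
    report["missing_devices"] = sorted(before.keys() - after.keys())
    for mac in sorted(before.keys() & after.keys()):
        b, a = before[mac], after[mac]
        for field in SCALAR_FIELDS:
            if b[field] != a[field]:
                report["changes"].append(
                    {"mac": mac, "field": field, "old": b[field], "new": a[field]})
        for field in SET_FIELDS:
            added, removed = a[field] - b[field], b[field] - a[field]
            if added or removed:
                report["changes"].append(
                    {"mac": mac, "field": field,
                     "added": sorted(added), "removed": sorted(removed)})
    return report


def summarize(report, after):
    """Turn the diff into one notification line per event, new devices first."""
    lines = []
    for mac in report["new_devices"]:
        d = after[mac]
        lines.append(f"NEW device {mac} at {d['ip']} "
                     f"(type={d['type'] or 'unknown'}, ports={sorted(d['ports'])})")
    for mac in report["missing_devices"]:
        lines.append(f"MISSING device {mac} (present in previous scan)")
    for c in report["changes"]:
        if "added" in c:
            lines.append(f"CHANGED {c['mac']} {c['field']}: +{c['added']} -{c['removed']}")
        else:
            lines.append(f"CHANGED {c['mac']} {c['field']}: {c['old']!r} -> {c['new']!r}")
    return lines


if __name__ == "__main__":
    for line in summarize(diff_inventory(YESTERDAY, TODAY), TODAY):
        print(line)
```

Run against the two constructed snapshots this yields four events: the unknown device with port 445 open, the missing printer, the new port 3389 on the server, and the remote-access package that appeared on it. Each of those is the kind of day-to-day change the slide says a scheduled scan should surface; in practice the "before" snapshot is the previous scan's export and the lines go to a ticket or the SIEM rather than stdout.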
Open-AudIT Benefits

 IT Asset management:
 Open-Audit helps organizations manage their assets, including hardware and software, by providing a complete inventory of all assets on the
network. This allows organizations to keep track of all their assets, and to identify which assets are in use or not in use.
 License management
 Open-Audit helps organizations manage their software licenses by providing information on software installations and licenses. This helps
organizations avoid non-compliance issues and optimize their software licensing expenses.
 Security:
 Open-Audit provides real-time visibility into network assets, and can help organizations identify security vulnerabilities and potential risks.
 This allows organizations to proactively address these issues, and prevent potential security breaches.
 Cost-effective:
 Open-Audit is an open-source tool, which means that it is available for free. This makes it a cost-effective solution for organizations looking
to manage their assets, software licenses, and security.
Open-AudIT Benefits

 Customizable:
 Open-Audit is highly customizable, allowing organizations to configure it to meet their specific needs and requirements. This makes it a versatile tool that can be
used across a wide range of industries and businesses.
 Scalable:
 Open-Audit is designed to scale, allowing organizations to use it to manage any number of assets on their network, from small businesses to large enterprises.
 Compliance:
 Open-Audit can help organizations achieve compliance with regulatory requirements such as HIPAA, GDPR, and PCI DSS, by providing real-time visibility into
network assets and software installations, tracking changes to the network, and generating compliance reports.
 Overall,
 Open-Audit is a versatile, cost-effective, customizable, and scalable tool that can help organizations manage their assets, software licenses, security, and
compliance requirements effectively.
 PCI DSS : - Payment Card Industry Data Security Standard
 GDPR :- General Data Protection Regulation
 HIPAA :- Health Insurance Portability and Accountability Act
Open-AudIT Features

 Open-Audit offers a wide range of features to help organizations manage their assets, software licenses, and
security. Some of the key features of Open-Audit include:
 Network discovery: Open-Audit can automatically discover all assets on the network, including servers, workstations,
mobile devices, and other endpoints.

 Asset inventory: Open-Audit provides a complete inventory of all assets on the network, including hardware and software.

 Software auditing: Open-Audit can audit software installations and licenses, providing information on which software is
installed and whether it is properly licensed.

 Customizable reporting: Open-Audit provides customizable reporting that allows organizations to generate reports on all
aspects of their network infrastructure.
Open-AudIT Features

 Alerts and notifications: Open-Audit can send alerts and notifications when specific events occur, such as when new
software is installed or when a security vulnerability is detected.

 Integration with other security tools: Open-Audit can integrate with other security tools such as SIEMs and vulnerability
scanners, providing additional layers of security and risk management.

 Compliance support: Open-Audit can help organizations achieve compliance with regulations such as HIPAA, GDPR, and
PCI DSS by providing real-time visibility into network assets and software installations, tracking changes to the network,
and generating compliance reports.

 Access control: Open-Audit provides access control features that allow organizations to control who has access to network
assets and data.
Open-AudIT Features

 API integration: Open-Audit provides an API that allows organizations to integrate it with other systems and tools.

 Mobile device management: Open-Audit provides mobile device management features that allow organizations to manage
and track mobile devices on the network.
 Geographic Mapping of devices
 Configuration Management
 Schedule tasks & Reports
 Overall, Open-Audit offers a comprehensive set of features that can help organizations manage their assets,
software licenses, and security effectively, while also providing compliance support and integration with other
security tools.
Open-AudIT Discovery

 Open-AudIT uses several protocols such as SNMP, WMI, SSH, and HTTP to collect data
from devices.
 Open-AudIT can discover and inventory devices such as servers, workstations, printers,
and network devices.
Inventory

 Open-AudIT collects detailed hardware and software information from devices such as
manufacturer, model, serial number, CPU, memory, disk, installed software, and operating
system.
 Open-AudIT provides accurate and up-to-date information on an organization's IT assets.
Integrations

 Open-AudIT integrates with other IT management tools such as Nagios, OCS Inventory,
and GLPI.
 Integrations can help organizations automate their IT management processes and improve
efficiency.
Challenges

 Open-AudIT can be complex to configure and deploy, requiring IT expertise.


 Integrating Open-AudIT with other IT management tools can be challenging.
Reports

 Open-AudIT provides a wide range of reports to help organizations analyze the data
collected from their IT assets.
 Reports can be generated on hardware, software, licenses, vulnerabilities, and
compliance.
 Reports can be customized and scheduled to meet an organization's specific needs.
Open-AudIT Screenshots
Which version of Open-AudIT is right for you?
Conclusion

 Open-AudIT is a powerful tool for IT auditing that can help organizations streamline their
IT auditing process.
 Organizations considering Open-AudIT should carefully evaluate their IT auditing needs
and resources before implementing the software.
 Open-AudIT can provide significant benefits to organizations, but it can also pose some
challenges.
Open-AudIT Enterprise

• Opmantek offer very attractive 12 month subscription licenses for Open-AudIT Enterprise.
• 100 devices is just $249 US and 500 devices is just $799 US.
Thank You
Questions
HOSSAM SHAABAN EISSA
