AhnLab AQAS Penetration Service
TRANSCRIPT
8/7/2019 AhnLab AQAS Penetration Service
AhnLab Quick Assessment Services
2010. 02.
Copyright (C) AhnLab, Inc. 1988-2009. All rights reserved.
AQAS > Overview
Procedures (flow of the AhnLab Consulting Methodology):
- Scope Definition
- GAP Analysis: As-Is Analysis, Requirement Definition
- Risk Assessment: Penetration Test, Risk Analysis
- Planning: Work Planning, Safeguards, Quick Hits, Master Planning
Based on the AhnLab Consulting Methodology, AhnLab will assess the security level of the customer and provide a drafted master plan.
AQAS > Security Management Assessment
Security Management Assessment
We evaluate the security management status by interviewing the security/IT department, based on best practices such as the global IT security standard ISO27001 and the US FISMA (Federal Information Security Management Act).

Assessment Criteria
- Global standard: ISO27001, FISMA (US)
- Regional standard: KISA ISMS (Korea)

Methodology
- Review Security Policy and Procedure
- Interview
- Analysis
- Reporting
(Durations shown on the slide: 1 day, 3 days, 1 day.)

Checklist
1. Security Policy
2. Risk Assessment
3. Configuration Management
4. Media Protection
5. Awareness & Education
6. Contingency Plan
7. Physical & Environmental Protection
8. Personnel Security
9. Incident Response
10. Audit & Responsibility
11. Access Control & Communication Security
12. Technical Security
AQAS > Penetration Test
PT Procedures
AhnLab will perform the penetration test, based on AhnLab's expertise and experience, in the following steps:
- Pre-step
  - Step 0 Pre-Meeting: Define Scope, Agreement, Responsibility
- Phase 1: Data Collection
  - Step 1 Define Check Items: Define Level, Check Lists
  - Step 2 Info. Gathering: Network Info. (DNS, IP, Config.), System Info. (OS, Services, Vul. Scan)
- Phase 2: Verification
  - Step 3 Impact Analysis: Vul. Analysis, Analyze the impact to services
- Phase 3: Testing
  - Step 4 Attack: Attack the weakest point first, Detour firewall, Collect Evidence, Acquire Admin. Rights
  - Step 5 Attack Spread: Install Backdoor, Attack Other Systems
- Phase 4: Reporting
  - Step 6 Report Generation: Penetration Test (Attack Method, Vul. List, Evidence); Recommendation (Concepts, Remediation, Hacking Demo)
  - Step 7 Reporting
AQAS > Penetration Test > Drawing PT Scenario
AhnLab will draw the available threat scenarios based on the analysis of the service structure.
Scenario steps:
- Understanding core processes
- Finding core information
- Finding available attack paths based on an analysis of the service architecture
- Drawing threat scenarios
Illustrated scenario (Ethical Hacker, starting from the Internet): Attack from outside; penetrate through the DMZ; leak internal information.
(Diagram zones: Internet, DMZ, CMZ, Data Center, Development Servers / Internal Systems, Customer Center.)
AQAS > Work Schedule
Schedule (Day 1 to Day 5):
- Assessment Interview (Remark: On-Site)
- Penetration Test (Remark: Remote)
- Analysis / Report Generation
- Reporting
The assessment will take 5 working days; one of our consultants will be on site, and the penetration test will be done remotely.
Sample Report > Domain Summary
Summary by domains
The average information security score across domains is 2.2: basic rules are made, but practice is unsatisfactory.
The average target score is 3.9, which corresponds to a measurable level, so the gap between them is not big (average 1.7).
Especially vulnerable domains are security policy & organization, risk assessment, personnel security, and technical security.

Domain | Current Score | Target Score | Gap | Best Practice
Security policy & organization | 2.0 | 5.0 | 3.0 | 5.0
Risk assessment | 1.5 | 4.2 | 2.7 | 5.0
Configuration management | 2.4 | 4.2 | 1.8 | 5.0
Media protection | 1.7 | 3.0 | 1.3 | 5.0
Security awareness and education | 2.0 | 3.0 | 1.0 | 5.0
Emergency plan | 1.9 | 3.3 | 1.4 | 5.0
Physical & environmental protection | 3.0 | 4.5 | 1.5 | 5.0
Personnel security | 2.1 | 4.0 | 1.9 | 5.0
Incidents response | 2.2 | 3.8 | 1.6 | 5.0
Audit & responsibility | 2.8 | 4.0 | 1.3 | 5.0
System access control & communication protection | 2.7 | 4.0 | 1.3 | 5.0
Technical security | 2.3 | 4.2 | 1.9 | 5.0

[Domain Radar Chart: current vs. target score for each domain listed above]
Sample Report > Technical Security Summary
Summary of technical security
Technical security scores by domain average 3.0: the controls are in operation, but repeated survey and improvement are necessary.
The domain with the biggest gap between current and target score is Integrated management: security operation is not conducted holistically, but individually by each business. To improve the level of technical security, the quickest and most reachable areas are Access control, Patch management, and Host intrusion prevention.

Domain | Current Score | Target Score | Gap | Best Practice | Priority
Access control | 3 | 5 | 2 | 5 | 16.7
Intrusion detection/prevention | 5 | 5 | 0 | 5 | 0.0
DDoS attack | 2 | 4 | 2 | 5 | 6.0
UTM | 3 | 4 | 1 | 5 | 6.0
Network access control | 5 | 5 | 0 | 5 | 0.0
Anti-Malware | 5 | 5 | 0 | 5 | 0.0
Patch management | 3 | 4 | 1 | 5 | 15.0
Media control | 2 | 4 | 2 | 5 | 6.0
Host intrusion prevention | 1 | 4 | 3 | 5 | 15.0
Web application access control | 3 | 4 | 1 | 5 | 5.0
URL filtering | 3 | 4 | 1 | 5 | 3.0
Mail security | 3 | 4 | 1 | 5 | 3.0
DB access control | 2 | 4 | 2 | 5 | 6.0
Integrated management | 1 | 4 | 3 | 5 | 9.0

Domain group | Current Score | Target Score | Gap | Best Practice
Network security | 3.6 | 4.6 | 1.0 | 5.0
System security | 2.8 | 4.3 | 1.5 | 5.0
Application security | 2.1 | 4.0 | 1.9 | 5.0
Integrated management | 1.0 | 4.0 | 3.0 | 5.0

[Technical security radar chart: current vs. target score for each domain listed above]
Sample Report > Recommendation
Media protection
Status
- Systems are operating in a separate location, and entry and exit are controlled by fingerprint recognition.
- Backup media is kept in a safe on a separate floor from the server room.
- There is a security regulation about documents, but there is no assessment of practice.
- Documents about system introduction & development are managed individually by operators.
- There is a regulation including a condition about destruction of information assets. However, there is no instruction about the method of destruction, and no destruction history is kept.
Recommendation
- It is essential to inspect the entry/exit history periodically.
- It is essential that documents about system introduction & development be managed in an integrated manner, due to the possibility of leakage or loss.
- It is essential that a destruction process for each media type be made, and that destruction results be managed for confirmation.
Plan
- Make & perform an assessment process for the entry/exit control history.
- Make & perform an assessment process for the backup media management history and storage conditions.
- Make & perform a destruction process for systems and stored media (attach proof for confirmation when an important asset is destroyed).
Period: Short / Mid / Long. Priority: Low / Mid / High.
Sample Report > Roadmap
Roadmap axes: Short-Term / Mid-Term / Long-Term, for Administrative security and Technical security.
Roadmap items:
- Make & perform security process and operation
- Prepare a checklist for security review / review system setup, security rules, etc.
- Update the filtered website list periodically
- Review introducing a DB security solution and control access
- Make a process to respond to intrusion / perform training on response
- Make a process for destroying information assets
- Make and perform a plan for security training
- Make and perform a process for external personnel
- Risk assessment
- Review introducing a media control solution
- Make & perform an assessment plan for server/network vulnerability
- Store and transmit DB information (passwords, etc.) in encrypted form
- Improve the guide on authorization management
- Audit security periodically
- Make a host access control solution
- Make & perform a guide on OS patch updates
Copyright (C) AhnLab, Inc. 1988-2010. All rights reserved.
AhnLab, the AhnLab logo, and V3 are trademarks or registered trademarks of AhnLab, Inc., in Korea and certain other countries. All other trademarks mentioned in this document are the property of their respective owners.
AhnLab: The Joy of Care-Free Your Internet World