Introduction
In general, security assessments are more technical, more focused, and, in the case of penetration testing, more targeted than an audit. Comparatively speaking, the auditor takes the broader,
holistic view. Nevertheless, an auditor still needs to gather reliable and relevant evidence to measure compliance. What happens when the auditor lacks the technical skills to gather that
evidence? An auditor can employ other experts, given proper permission, to conduct testing, such as a security assessment. If that is the case, it is important that the assessment is
aligned with the audit’s objectives.
In this homework assignment, you will review the vulnerability life cycle and explain the different types of disclosure to mitigate different risk factors. You will identify the risks that attacks, vulnerabilities, malicious code, phishing, underground economies, and spam pose to organizations. You will look at the risks caused by zero-day vulnerabilities, HTTP client-side versus server-side attacks, malicious JavaScript, PHP Remote File Include, botnets, and PDF attacks on organizations. You will also look at the practices of vulnerability management to prevent threats from old or
previously performed attacks on known vulnerabilities within the seven domains of a typical IT infrastructure.
Learning Objectives
Upon completing this homework assignment, you will be able to:
- Review the vulnerability life cycle and explain the different types of disclosure to mitigate different risk factors, such as nondisclosure, full disclosure, limited disclosure, and responsible disclosure.
- Identify the risks that attacks, vulnerabilities, malicious code, phishing, underground economies, and spam pose to organizations.
- Mitigate the risks caused by zero-day vulnerabilities, HTTP client-side versus server-side attacks, malicious JavaScript, PHP Remote File Include, botnets, and PDF attacks on organizations.
- Align best practices in vulnerability management to prevent threats from old or previously performed attacks on known vulnerabilities within the seven domains of a typical IT infrastructure.
- Draft an executive summary explaining how security assessments performed on the seven domains of a typical IT infrastructure can be used to help achieve compliance for an organization.
Hands-On Steps
- Review the following scenario:
Your organization is a governmental agency that serves a vital role in homeland security functions. In fact, your hiring took longer than you would have liked because it seemed
as though the organization’s managers wanted to know a lot about you before they gave you clearance to work. After a year at the job, your manager feels your progress has come
a long way, so she is giving you more responsibility and has asked you to analyze the benefits of reporting risks, threats, and vulnerabilities in an IT assessment that is under
way. Your manager would like for you to conduct research and report your findings about the types of vulnerabilities that require disclosure and when it is lawful or unlawful
to conceal information produced by vulnerability assessments. She would also like for you to include some trends on current security threats and the types of responsible
disclosure being performed by other organizations.
- On your local computer, open a new Internet browser window.
- In the address box of your Internet browser, type the URL http://www.sans.org and press Enter to open the Web site.
- In the Custom Search box on the Web page’s upper right corner, search for “How do we define responsible disclosure?”
- On the search results page, click on the top link labeled “How do we define responsible disclosure?” to open the PDF article. Read about the following topics:
  - Vulnerability Life Cycle
  - Types of Disclosure
    - Nondisclosure
    - Full Disclosure
    - Limited Disclosure
    - Responsible Disclosure
  - Existing Policies and Proposals
Note: When reading through the different types of disclosure, consider how the consequences differ from type to type. For example, a company’s nondisclosure policy about a vulnerability means little-to-no public knowledge. The consequence might mean the black hat (hacker) community has limited or no knowledge of the vulnerability. Consider also how a company’s reputation changes as it handles disclosure. And lastly, consider how too much or too little disclosure can jeopardize a company’s ability to manage vulnerabilities.
- In the address box of your Internet browser, type the URL https://docs.broadcom.com/doc/istr-14-april-volume-19-en and press Enter to open the document “Internet Security Threat Report”.
- Review the Highlights section of the document that discusses the main concepts in each section. Then, review the following topics in the document:
  - Executive Summary
  - 2014 in Numbers
  - Targeted Attacks
  - Appendix
Note: The “Internet Security Threat Report” contains several items that discuss zero-day vulnerabilities. As the name “zero-day” suggests, you have little lead time to be proactive. Even so, you can go on the offense by properly managing your company’s assets and possibly subscribing to an alerting service.
- In the address box of your Internet browser, type the URL http://www.zerodayinitiative.com/ and press Enter to open the Web site.
- Review the site to understand the purpose of this initiative.
- Research other available resources (Internet resources, your textbook, and so on) to validate how performing periodic security assessments throughout the seven domains of a
typical IT infrastructure can help an organization achieve compliance.
Overview
In this homework assignment, you reviewed the vulnerability life cycle and explained the different types of disclosure to mitigate different risk factors. You identified the risks that attacks, vulnerabilities, malicious code, phishing, underground economies, and spam pose to organizations. You looked at the risks caused by zero-day vulnerabilities, HTTP client-side versus server-side attacks, malicious JavaScript, PHP Remote File Include, botnets, and PDF attacks on organizations. You also looked at the practices of vulnerability management to prevent threats from old or previously performed attacks on known vulnerabilities within the seven domains of a typical IT infrastructure.
Please answer the following questions:
- What is a PHP Remote File Include (RFI) attack, and why are these prevalent in today’s Internet world?
- What country is the top host of Structured Query Language (SQL) injection and SQL Slammer infections? Why can’t the U.S. government do anything to prevent these injection attacks and infections?
- What does it mean to have a policy of nondisclosure in an organization?
- What is phishing? Describe what a typical phishing attack attempts to accomplish.
- What is the Zero Day Initiative? Do you think this is valuable, and would you participate if you were the managing partner of a large firm?
- What is a Server Side Include (SSI)? What are the ramifications if an SSI exploit is successful?
- What is a zero-day attack, and how does this relate to an organization’s vulnerability window?
- How can you mitigate the risk of users and employees clicking on an embedded URL link or e-mail attachment from unknown sources?
- When auditing an organization for compliance, what role do IT security policies and an IT security policy framework play in the compliance audit?
- When performing a security assessment, why is it a good idea to examine compliance in separate compartments, such as the seven domains of a typical IT infrastructure?
- True or false: Auditing for compliance and performing security assessments to achieve compliance require a checklist of compliance requirements.