Oissg
1 like1,087 views
The Open Information Systems Security Group (OISSG) is a not-for-profit organization that provides free security resources and frameworks to help professionals assess security. Their goals for 2006 include releasing an updated Information Systems Security Assessment Framework (ISSAF) and a new Computer Crime Investigation Framework. OISSG conducts security research, has local chapters around the world, and aims to share knowledge and build the field of information security.
Oissg
- 1. Open Information Systems A not-for-profit Organization Security Group ….Share and Build your knowledge Christian Martorella christian.martorella@oissg.org laramies@gmail.com
- 2. Presentación • Qué es la OISSG? • Visión • Misión A not-for-profit Organization • Objetivos para el 2006 • Estrategia • Projectos Desarrollo de Frameworks Conferencias Capítulos locales Desafíos de seguridad Security Awareness Security Research & Labs Acreditaciones
- 3. Que es la OISSG? • Organización independiente, manejada por voluntarios , sin fines de lucro. • Brinda de manera libre recursos a la A not-for-profit Organization comunidad. Framework, metodologias, estandares, artículos. Herramientas para las auditorías de seguridad y la implementacion de la seguridad. Conferencias y listas de correos Base de conocimientos • Enfocada principalemente a resolver los problemas relacionados con las evaluaciones de seguridad.
- 4. Que es la OISSG?... • Que proveemos? Frameworks Information Systems Security Assessment Framework (ISSAF) Computer Crime Investigation Framework (CCIF)A not-for-profit Organization Security Essentials Framework Software Password Auditing (LeptonCrack) Database Security (Metacoretex-NG) Windows, Linux and Solaris Security Iniciativas de investigación Capítulos locales
- 5. Nuestra Vision Difundir la concienciación de la A not-for-profit Organization seguridad de la información. Brindar un medio donde los entusiastas y profesionales de la seguridad de todo el mundo compartan y construyan
- 6. Nuestra Misión Para alcanzar nuestra vision la OISSG determinara cuales son A not-for-profit Organization las necesidades profesionales, y asignará recursos para crear procesos para desarrollar To achieve its Vision OISSG will determine utmost professional need, it will
- 7. Objetivos 2006 • Objetivos primarios Liberar la próxima versión del draft de ISSAF. Facilitar la aceptacion de los A not-for-profit Organization ejecutivos claves de que ISSAF es un framework comprensivo para realizar analisis de seguridad. Acreditar profesionales en Análisis de Seguridad. Hacer público la primer versión del draft Computer Crime Investigation Framework (CCIF)
- 8. Objetivos 2006… • Objetivos secundarios • Aumentar el numero de miembros A not-for-profit Organization Develop localized presence Setup 50 Local Chapters Organisar (expandir) Conferencias Setup on-line research labs for members Organize Security Assessment challenges Build Computer Security Incident Response Teams (CSIRT) Spread Security Awareness
- 9. Estrategia • Identificar areas criticas parcialmente o no exploradas de la seguridad de la informacion. A not-for-profit Organization • Crear equipos para trabajar en esas areas. • Lograr que el resultado final de esos trabajos lleguen a los usuarios finales. • Trabajar con otros grupos que compartan los mismos objetivos y recursos.
- 10. Information Systems Security Assessment Framework (ISSAF) Misión: Investigar, A not-for-profit Organization desarrollar, publicar y promover un Framework completo, práctico y aceptado por la comunidad, para realizar Análisis de Seguridad de Sistemas.
- 11. ISSAF… • Estandares ya establecidos: NSA IAM: http:// www.nsa.gov/isso/iam/index.htm CESG CHECK: http:// www.cesg.gov.uk/site/check/index.cfm A not-for-profit Organization • Todos las metodologías y frameworks hablan del “Que”, en cambio ISSAF habla del “Que, Cuando, Donde, y Porque” y también del COMO. • ISSAF trata problemas practicos del mundo real. • Añade valor con un analisis de seguridad estructurado, efectivo y con un acercamiento efectivo.
- 12. ISSAF… • It’s primary value will derive from the fact that it frees security practitioners from having to invest in commercial resources or extensive internal research A not-for-profit Organization to address their information security needs. • Will evolve into a comprehensive body of knowledge for organizations seeking to conduct their assessments independently and neutrally. • It will be the first framework to provide validation for bottom up security strategies such as penetration testing as well as top down approaches such as an audit checklist for information policies.
- 13. Framework structure Enterprise Assessment Framework Identify Gross Risk Evaluate Enterprise Information Security Policy Evaluate Enterprise Information Security Organization & Management A not-for-profit Organization Assess Enterprise Security & Evaluate Enterprise Security Controls Operations Management Physical and Environmental Security Capacity Management Technical Controls Assessment Vulnerability Management Patch Management Secure Application Development Release Management Configuration Management Security Awareness Enterprise Incident Management Change Management Security Awareness Program Assess Business Continuity and Disaster Recovery Planning Evaluate Legal and Regulatory Compliance Manage Residual Risks
- 14. ISSAF – Tabla de Contenidos • About ISSAF • Assessment Framework • Engagement Management • Best Practices– Pre Assessment, Assessment And Post Assessment A not-for-profit Organization • Enterprise Security Policy • Enterprise Security Organization & Management • Assess Enterprise Security & Controls Penetration Testing - Methodology Penetration Testing Methodology: Descriptive – (Continue….) Password Security Password Cracking Strategies Unix /Linux System Security Assessment Windows System Security Assessment Novell Netware Security Assessment Database Security Assessment
- 15. ISSAF – Tabla de contenidos… WLAN Security Assessment Switch Security Assessment Router Security Assessment Firewall Security Assessment Intrusion Detection System Security Assessment A not-for-profit Organization VPN Security Assessment Anti-virus System Security Assessment And Management Strategy Web Application Security Assessment Web Application Security (Continue…) SQL Injections Web Application Security (Continue…) Web Server Security Assessment Storage Area Network (San) Security Internet User Security As 400 Security Lotus Notes Security
- 16. ISSAF – Tabla de contenidos… Source Code Auditing Binary Auditing Application Security Evaluation Checks A not-for-profit Organization • Social Engineering • Physical Security Assessment • Enterprise Security Operations Management • Security Awareness • Outsourcing Security Concerns • Business Continuity Planning And Disaster Recovery
- 17. ISSAF – Tabla de Contenidos… • Legal And Regulatory Compliance • Incident Analysis • Knowledge Base A not-for-profit Organization Build Foundation Desktop Security Check-list - Windows Linux Security Check-list Solaris Operating System Security Check-list Penetration Testing Lab Design Links Templates / Others
- 18. ISSAF - Relaciones con otros estandares • Se crearon comites mapear ISSAF con standares existentes. A not-for-profit Organization SAS70 COBIT SOX BS7799 BASEL-II (coming soon)
- 19. Computer Crime Investigation Framework (CCIF) • Que cubre el CCIF: Procesos para la A not-for-profit Organization Administración de Incidentes. Windows Forensics *nix Forensics Router Forensics Hacking Tool Forensics • Fecha de lanzamiento?
- 20. Capitulos locales • Objective - Share and Build knowledge Established 39 Chapters in 22 countries • Activities by local chapters Organizing periodic conferences/seminars and Workshops for sharing and building knowledge Organizing periodic informal meetings for A not-for-profit Organization each others developments Discuss contribution in security projects Visibility by representation in Media Promotions • How OISSG local chapters will help you? Knowledge Sharing Building and managing knowledge by documentation Know what your other friends are doing Introduce you to experts in information security industry Keep yourself updated with latest happening in security industry
- 21. Investigación en seguridad • Investigando en: Vulnerability Research Password Security Research A not-for-profit Organization Flawless Port Scanning Database Security (Metacoretex-NG) • Investigadores de primer nivel.
- 22. Investigación en seguridad • Vulnerability Research team is actively working on: Software Code Auditing Reverse Engineering Exploit Code/Proof-of-concept Analysis and Development A not-for-profit Organization • Key achievements Developed standard for Binary Auditing Found one Vulnerability in one Anti-Virus product Process for Vulnerability Disclosure is developed • How to become part of this team: Contact research@oissg.org Subscribe to vuln@oissg.org • Tools Development Tools development plan is in process for automation of ISSAF
- 23. Investigación en seguridad • Password Security Research Team Lepton Crack – One of the best password cracking tool in the A not-for-profit Organization world Process for Password Security Audit is developed Project Director – Bernardo Reino (aka Lepton) • Flawless Port Scanning • Information Risk Management • Business Continuity
- 24. Laboratorios de Investigación • HoneyNet’s in multiple locations • Identification of emerging security needs A not-for-profit Organization • Delivering solutions on critical security needs
- 25. Certificaciones • Proposed Certification OISSG Certified A not-for-profit Organization Penetration Tester (OCPT) OISSG Certified Security Assessor (OCSA)
- 26. Muchas gracias A not-for-profit Organization Fire at Will!