Certified Ethical Hacker Domain 5: Information Security Procedures and Assessment Methodologies
This is the fifth domain of the CEH exam. The domain carries a weight of 8.77%, with a total of 11 questions from two of the main sections: Security Procedures and Information Security Assessment Methodologies.
This article will discuss the sections in some detail and point out the things that candidates will be required to know before taking the exam, such as the key differences between security procedures and security policies. We shall also discuss the security assessment methodologies that are widely accepted across the information security industry.
Policies and Procedures
One of the main reasons this is discussed here (and examined on the test) is that a good number of people do not understand the difference between security policies and security procedures. During my security audits I have asked for policies and received procedures, and vice versa. This section addresses that distinction. Note that it accounts for five items in the exam.
Information Security Procedures
A security procedure answers the question “How do I do it?” It describes, step by step, how a control is carried out: how unwanted behaviour is identified, prevented and responded to. Examples include documents specifying how system settings should be configured, and the steps to follow when performing production system upgrades.
Security procedures are mainly meant for internal departments and should adhere to strict change control processes. Good security procedures have the following characteristics:
- They are detailed enough to be followed by the parties authorized to use them, but not so in-depth that only a handful of specialists can understand them
- They are normally the recipe that should be consulted when a set of repeatable processes needs to be accomplished
Examples of security procedures might center around installing operating systems, granting access rights within systems, performing system backups and setting up new user accounts.
Information Security Policies
A security policy, on the other hand, answers the question “Why do I need to do this?” It identifies acceptable and unacceptable use of the organization’s assets. It does not prescribe how to identify, prevent or enforce measures against unwanted practices; that is the job of the procedures.
Another characteristic of security policies is that they must be endorsed and actively supported by senior management. They can be issue-specific, organization-wide or system-specific, depending on the objectives of the organization. Good policies have the following characteristics:
- They are easily accessible and comprehensible by the intended readers
- They are stable and written to remain in force for a number of years. Even so, they are amended when circumstances require it
- They are driven by business objectives and reflect the level of risk that senior management is willing to accept
Information Security Assessment Methodologies
Organizations today find it necessary to conduct detailed security assessments to identify gaps in their environment that may pose a risk. Candidates should understand the security assessment methodologies that are available and what to consider when selecting one. This section accounts for six test items in the exam.
Security Testing Overview
The generally accepted definition of a security assessment, taken from NIST Special Publication 800-115, is “the process of determining how effectively an entity being assessed meets specific security objectives.”
There are three main assessment methods that can be used to achieve this:
- Testing: Exercising one or more assessment objects under specified conditions in order to compare actual behaviour with expected behaviour
- Examination: This involves reviewing, checking, inspecting and studying the assessment objects in order to further understand, clarify and/or obtain more evidence
- Interviewing: This entails having discussions with personnel within the organization in order to further understand, clarify and/or obtain more evidence.
There are quite a number of information security assessment methodologies available today. However, they all conform to the same three phases:
Security Assessment Planning
Here, the information required for conducting the assessment is collected. Proper planning can be the difference between a comprehensive and a superficial assessment. Adequate planning comprises the following actions:
- Developing a Security Assessment Policy: This is going to act as a guide to offer direction necessary for security assessments
- Assessment Logistics: This will allow for determining the resources required for conducting the assessment. These resources might be software-based, hardware-based or both
- Prioritizing and Scheduling Assessments: Deciding which systems receive technical assessments and how often, with systems categorized according to their risk
- Legal Considerations: All legal implications and concerns that might arise during the assessment must also be addressed
Security Assessment Execution
In this phase, vulnerabilities and gaps are determined according to the methods agreed upon above and within the Rules of Engagement. Good execution of this phase will be dependent on proper:
- Data Handling: It is advisable to follow the organization’s guidelines regarding proper data collection, storage, transmission and eventual destruction. All data-handling needs must be properly documented
- Assessing: Reviewing the Rules of Engagement will ensure that the execution remains in scope and that other concerns are adhered to
- Coordination: Communication throughout the execution of the assessment ensures that the assessment execution progresses in a timely manner
- Analysis: One of the most common issues, especially with automated scanning, is false positives. The organization should be able to analyse the results, identify false positives and their cause, and categorize the confirmed vulnerabilities
Security Assessment Post-Execution
In this final phase, the discovered vulnerabilities are risk-rated and mitigations are determined for each one. This is also the phase in which the final report is produced. The report should be written so that it is understandable by both the C-suite and technical personnel at the organization. Some organizations will also produce a plan to remediate or mitigate the identified risks.
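The execution and post-execution phases above come down to a few mechanical steps that are easy to get wrong under time pressure: keeping every target inside the Rules of Engagement, merging the same issue reported by several tools, separating confirmed findings from unverified scanner output and analyst-flagged false positives, and risk-rating what remains for the report. The following Python script is an added example written for this article, not code from the original page or from any of the methodologies it describes. The Rules of Engagement structure, the finding fields and the scanner output are all constructed for illustration; the severity bands are the CVSS v3.x qualitative rating scale.

```python
"""Scope enforcement and finding triage for the execution / post-execution phases."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed Rules of Engagement (assumed format, not from any real engagement):
# networks the client authorised, plus hosts explicitly carved out of scope.
ROE = {
    "in_scope": ["10.20.0.0/16", "203.0.113.0/24"],
    "excluded": ["10.20.5.10", "203.0.113.250"],
}

# CVSS v3.x qualitative severity bands as (score floor, label), highest first.
SEVERITY_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"))


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss: float
    source: str                  # tool or tester that reported it
    confirmed: bool              # reproduced by hand (exploit, config read, screenshot)
    false_positive: bool = False  # set by the analyst after verification


def host_in_scope(host: str, roe: dict = ROE) -> bool:
    """A host is in scope if it lies inside an authorised network and is not excluded."""
    ip = ipaddress.ip_address(host)
    if any(ip == ipaddress.ip_address(x) for x in roe["excluded"]):
        return False
    return any(ip in ipaddress.ip_network(n) for n in roe["in_scope"])


def severity(cvss: float) -> str:
    """Map a CVSS base score onto its qualitative rating."""
    for floor, label in SEVERITY_BANDS:
        if cvss >= floor:
            return label
    return "Informational"


def triage(findings: list, roe: dict = ROE) -> dict:
    """Sort raw findings into report buckets, merging duplicates across tools."""
    buckets = {"report": [], "unverified": [], "false_positive": [], "out_of_scope": []}
    merged = {}
    for f in findings:
        if not host_in_scope(f.host, roe):
            buckets["out_of_scope"].append(f)   # never acted on; logged for the RoE record
            continue
        key = (f.host, f.title)
        prev = merged.get(key)
        if prev is None:
            merged[key] = f
        else:  # same issue from another tool: keep the strongest evidence and score
            merged[key] = Finding(f.host, f.title, max(prev.cvss, f.cvss),
                                  prev.source + "," + f.source,
                                  prev.confirmed or f.confirmed,
                                  prev.false_positive or f.false_positive)
    for f in merged.values():
        if f.false_positive:
            buckets["false_positive"].append(f)
        elif not f.confirmed:
            buckets["unverified"].append(f)     # e.g. banner-only match; verify before reporting
        else:
            buckets["report"].append(f)
    buckets["report"].sort(key=lambda f: f.cvss, reverse=True)
    return buckets


def summary(buckets: dict) -> dict:
    """Severity counts for the executive section of the report."""
    return dict(Counter(severity(f.cvss) for f in buckets["report"]))


SAMPLE = [  # constructed scanner and tester output
    Finding("10.20.1.15", "OpenSSH 7.4 user enumeration", 5.3, "scanner-A", confirmed=False),
    Finding("10.20.1.15", "OpenSSH 7.4 user enumeration", 5.3, "scanner-B", confirmed=False),
    Finding("10.20.1.20", "SMBv1 enabled", 7.5, "scanner-A", confirmed=True),
    Finding("10.20.1.21", "Apache 2.4.6 (banner) remote code execution", 9.8, "scanner-A",
            confirmed=False, false_positive=True),   # analyst: distro backport, already patched
    Finding("203.0.113.7", "Default Tomcat manager credentials", 9.8, "tester", confirmed=True),
    Finding("10.20.5.10", "Oracle TNS listener unauthenticated", 7.5, "scanner-A", confirmed=True),
    Finding("192.0.2.9", "Telnet open", 6.5, "scanner-A", confirmed=True),
]

if __name__ == "__main__":
    b = triage(SAMPLE)
    for f in b["report"]:
        print(f"{severity(f.cvss):<8} {f.cvss:<4} {f.host:<14} {f.title}")
    print("summary:", summary(b))
    print("unverified:", len(b["unverified"]), "false positives:", len(b["false_positive"]),
          "out of scope:", len(b["out_of_scope"]))
```

Two design points worth noting. Out-of-scope hosts are bucketed before anything else so that a scanner mis-configured with a wider target range never produces a reportable finding against a host the Rules of Engagement exclude; the bucket is kept, not discarded, because the scope breach itself belongs in the engagement record. Unverified findings are held separately rather than silently promoted to the report or dropped as false positives, since a banner-only match is neither until someone checks.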
Examples of Assessment Methodologies
Assessments and reviews may be categorized into several sections, effectively covering the entire organization. These different sections may be:
- Application Assessment
- Source Code Review
- Infrastructure Assessment
- SCADA Assessment
- Wi-Fi Assessment
- Extended Internet Footprint Assessment
In order to effectively assess the sections above and not leave out important tests, there exist several methodologies that can be adhered to during testing. Let’s briefly discuss these methodologies.
Information Systems Security Assessment Framework (ISSAF)
This methodology provides very good penetration testing guidance. The following are just a few of the tests it defines:
- Unix/Linux System Security Assessment
- Database Security Assessment
- Switch Security Assessment
- Router Security Assessment
- Intrusion Detection System Security Assessment
Penetration Testing Execution Standard (PTES)
The PTES categorizes the assessment into seven stages, which are laid out as follows:
- Pre-Engagement Interactions
- Intelligence Gathering
- Threat Modelling
- Vulnerability Analysis
- Exploitation
- Post-Exploitation
- Reporting
PCI Penetration Testing Guide
The Payment Card Industry Data Security Standard (PCI DSS) penetration testing guidance sets out the following requirements for the assessments performed:
- Testing for CDE and Critical Systems
- External and Internal Testing
- Application Layer Testing
- Test to Validate Scope Reduction
- Network Layer Tests for Both Network and OS
Penetration Testing Framework
This is a very detailed and hands-on testing guide. The following are some of the tests that it defines:
- Bluetooth-Specific Testing
- CISCO-Specific Testing
- Citrix-Specific Testing
- Server-Specific Tests
- Wireless Penetration Testing
Note that the list of tests suggested by this guide is far wider than the simple list above.
Open-Source Security Testing Methodology Manual (OSSTMM)
The OSSTMM tests the operational security of physical locations, human security workflows, wireless networks, telecommunications, data networks and compliance. It can also be used as a supporting manual for the ISO 27001 standard. OSSTMM has the following key sections:
- Trust Analysis
- Physical Security Testing
- Data Networks Security Testing
- Compliance Regulations
- Reporting with the STAR (Security Test Audit Report)
It should be noted that more security testing methodologies exist than those covered above. Two examples are NIST Special Publication 800-115 and the OWASP testing guides (the Web Security Testing Guide and the Mobile Security Testing Guide).
This is one of the most important domains within the exam. Candidates will be required to master almost everything discussed above, since EC-Council tests it heavily. Particular emphasis should be put on understanding how policies differ from procedures, since most people do not get this right.
The most important thing to note, however, is that this article is not an exhaustive reference but just a pointer to what to expect. It is upon you, as the candidate, to find more information about assessment methodologies and the like.
All the best in your exam and good luck!
References
- IS Policies and Procedures, SF ISACA
- CEH Exam Blueprint v3.0, EC-Council