1 ABOUT ISSAF
1.1 PREFACE
Today, the evaluation of Information Systems (IS) security in accordance with business requirements is a vital component of any organization's business strategy. While there are a few information security assessment standards, methodologies and frameworks that talk about what areas of security must be considered, they do not contain specifics on HOW and WHY existing security measures should be assessed, nor do they recommend controls to safeguard them.
The information in ISSAF is organized into well-defined evaluation criteria, each of which has been reviewed by subject matter experts in that domain. These evaluation criteria include:
A description of the evaluation criteria
Its aims & objectives
The pre-requisites for conducting the evaluations
The process for the evaluation
The expected results
Recommended countermeasures
References to external documents
The goal of the ISSAF is to provide a single point of reference for security assessment. It is a reference that is closely aligned with real-world security assessment issues and that is a value proposition for businesses. To this aim the ISSAF has the following high-level agenda:
Evaluate the organization's information security policies and ensure that they meet industry requirements & do not violate any applicable laws & regulations
Identify critical information systems infrastructure required for the organization's business processes and evaluate their security
Conduct vulnerability assessments & penetration tests to highlight system vulnerabilities, thereby identifying weaknesses in systems, networks and applications
Evaluate controls applied to various security domains by:
o Finding mis-configurations and rectifying them
o Identifying known and unknown risks related to technologies and addressing them
o Identifying known and unknown risks within your people or business processes and addressing them
o Strengthening existing processes and technologies
Prioritize assessment activities as per system criticality, testing expenses and expected benefits
This approach is based on using the shortest path required to achieve one's goal by finding flaws that can be exploited efficiently, with minimal effort. The goal of this framework is to give completeness, accuracy and efficiency to security assessments.
ISSAF is a comprehensive and in-depth framework that helps avoid the risk inherent in narrow or ineffective security assessment methodologies. In ISSAF we have tried to define an information system security assessment methodology that is more comprehensive than other assessment frameworks and that seeks to mitigate the inherent risk in the security assessment process itself. It helps us understand the business risks that we face in performing our daily operations. The threats, vulnerabilities and potential exposures that affect our organizations are too great to be ignored.
At this particular time it is not the answer to every question or situation, but we are committed to continuous improvement, refining current topics and adding new ones.
ISSAF has laid the foundation; now it's your turn to benefit from it, whether you use it as is or tailor the materials to suit your organization's needs. Welcome to ISSAF; we hope you will find it useful.
1.3 CONTRIBUTORS
1.3.1 Contributor Contacts and References
Umesh Chavan
Umesh Chavan is an information security professional with over 7 years of experience & holds a CISSP. He is currently working with CoreObjects, India, where he is involved in the development of security products. Prior to this he worked with JP Morgan Chase as an Information Risk Manager & as an Information Security Specialist with Larsen & Toubro Infotech Ltd. He has exposure to the various domains in security and has a unique blend of both process & technical knowledge. He likes conversing with people, sharing new ideas and enriching his knowledge, not necessarily restricted to the field of information security.
Miguel Dilaj
Born in 1971. Started using computers in 1982 (venerable C64). Migrated to Amiga in the late 80's (still have and regularly use a PowerPC Amiga). Became involved with PC and AS/400 in the 90's. First serious use of Linux in 1998 (RedHat 5.1); tried FreeBSD, NetBSD and OpenBSD and fell back to Linux, having tried RedHat-based, Slackware-based and Debian-based distros. Currently using Debian-based. Continuous Windows use from 3.0 up to XP Pro. Became deeply involved in IT Security in '98, when it started to be possible to have real control of the situation (i.e. Linux!). Started training other people in Linux and IT Security in 2000; currently working in the Quality Assurance and Automation fields (Computerized System Validation). Interested in clusters and their use for password auditing.
© 2004, Balwant Rathore, Open Information Systems Security Group (www.oissg.org)
Date: 4/19/2019 Page 9 of 15
Information Systems Security Assessment Framework (ISSAF) Draft 0.1
Piero Brunati
Co-founder of Nest (www.nestonline.com), where he performs research, ethical hacking and develops software; he tries hard to mitigate customers' nightmares. He began butchering computers in the good old 70's, when he spent his first salary to buy the components he used to solder his first computer (8008 CPU, 2k static RAM, 2k EPROM, serial and parallel I/O).
K. K. Mookhey
K. K. Mookhey is the Founder and Chief Technology Officer of Network Intelligence (www.nii.co.in), an information security consulting firm. He has provided security consulting services to Fortune 500 companies and industry segment leaders in India, the Middle East and North America. He has pioneered the development of the AuditPro suite of security auditing software, as well as initiated the research efforts within the company. His vulnerability research team has found security vulnerabilities in products from vendors such as Oracle, Symantec and Macromedia. He is a regular contributor to the Infocus series of articles on SecurityFocus, as well as various industry journals such as IS Control and IT Audit. He is the author of a monograph on "Linux Security Audit and Controls" commissioned by the Information Systems Audit and Control Association (ISACA). He is also the author of the chapter on "Web Application Attacks" in the upcoming version of the OWASP Guide.
Dieter Sarrazyn
Dieter Sarrazyn has been an information security consultant and trainer for more than 6 years now.
Dieter first worked as a Security Engineer in a network integration company and then moved towards security consulting at the company he's still working for. His main tasks are performing penetration testing, security auditing and teaching the Hacking Inside Out course. He is also a Local Mentor for SANS tracks 1 and 4.
Dieter has earned the following certifications: CISSP, GSEC, GCIH, CCSA & CCSE.
Binary Auditing
7. Social Engineering
8. Physical Security Assessment
9. Incident Analysis
10. Review Of Logging / Monitoring & Auditing Processes
11. Business Continuity Planning And Disaster Recovery
12. Security Awareness And Training
13. Outsourcing Security Concerns
14. Knowledge Base
Legal Aspects Of Security Assessment Projects
Non-Disclosure Agreement (NDA)
Security Assessment Contract
Request For Proposal Template
Desktop Security Check-List - Windows
Linux Security Check-List
Solaris Operating System Security Check-List
Default Ports - Firewall
Default Ports - IDS/IPS
Links
Penetration Testing Lab Design
Heading of Topic
    Introduction (Description / purpose / requirement / terminology / history)
    Objective
    Description
    Expected Result
    Pre-requisite
    Process (Steps to complete this task)
        [Description]
        [Example/Results]
        [Countermeasure]
    Example/Results of common testing tool(s)
    Countermeasure(s)
    Further Reading(s)
    Contributor(s)
Global Comments
    Global Countermeasure(s)
    Contributor(s)
    Further Reading(s)
1.5 DISCLAIMER
While all possible precautions have been taken to ensure accuracy during the development of the Information System Security Assessment Framework (ISSAF), also referred to as ISSAF, the Open Information System Security Group (OISSG) assumes no responsibility for any damages, errors or downtime resulting from or caused by the use of the information contained herein.
OISSG does not warrant or assume any legal liability or responsibility for the completeness, usefulness or accuracy of the information presented in this document. OISSG will not be responsible for any damage, malfunction, downtime or other errors that might result from the usage of this document.
1.6 LICENSING
We impose no restrictions on any individual/organization for practicing the ISSAF.
Any individual/organization will be granted unlimited distribution of the ISSAF provided the copyright is included in the document & the authors' name(s) are maintained in the document after the final release of ISSAF. This release is a draft, and to distribute it one needs to obtain permission from OISSG.
We impose no restrictions on any individual/organization developing products based on it.
A written authorization is required from OISSG for any individual or organization that provides training based on ISSAF and/or wants to use ISSAF material for commercial training purposes.
Generally, tools developed for ISSAF assessment are released under the GNU GPL (http://www.opensource.org/licenses/gpl-license.html).
OISSG reserves the right to change the licensing policy at its own discretion.