Information Systems Security Assessment Framework (ISSAF) Draft 0.1

1 ABOUT ISSAF
1.1 PREFACE

Today, the evaluation of Information Systems (IS) security in accordance with business
requirements is a vital component of any organization's business strategy. While there
are a few information security assessment standards, methodologies and frameworks
that talk about what areas of security must be considered, they do not contain specifics
on HOW and WHY existing security measures should be assessed, nor do they
recommend controls to safeguard them.

The Information System Security Assessment Framework (ISSAF) is a peer reviewed,
structured framework that categorizes information system security assessment into
various domains and details specific evaluation or testing criteria for each of these
domains. It aims to provide field inputs on security assessment that reflect real life
scenarios. ISSAF should primarily be used to fulfill an organization's security
assessment requirements and may additionally be used as a reference for meeting other
information security needs. ISSAF includes the crucial facet of security processes, and
their assessment and hardening, to get a complete picture of the vulnerabilities that might
exist.

The information in ISSAF is organized into well defined evaluation criteria, each of which
has been reviewed by subject matter experts in that domain. These evaluation criteria
include:
 A description of the evaluation criteria
 Its aims & objectives
 The pre-requisites for conducting the evaluations
 The process for the evaluation
 The expected results
 Recommended countermeasures
 References to external documents

The overall framework is large; we chose to provide as much information as possible on the
assumption that it would be easier for users to delete material rather than develop it. The
Information System Security Assessment Framework (ISSAF) is an evolving document
that will be expanded, amended and updated in future.

© 2004, Balwant Rathore, Open Information Systems Security Group (www.oissg.org)
Date: 4/19/2019

1.1.1 What are the Objectives of ISSAF?

 To act as an end-to-end reference document for security assessment
 To standardize the Information System Security Assessment process
 To set the minimal level of acceptable process
 To provide a baseline on which an assessment can (or should) be performed
 To assess safeguards deployed against unauthorized access
 To act as a reference for information security implementation
 To strengthen existing security processes and technology

1.1.2 What are the Goals of ISSAF?

The goal of the ISSAF is to provide a single point of reference for security assessment.
It is a reference that is closely aligned with real world security assessment issues and
that is a value proposition for businesses. To this aim the ISSAF has the following high-
level agenda:
 Evaluate the organization's information security policies and ensure that they meet
industry requirements and do not violate any applicable laws and regulations
 Identify the critical information systems infrastructure required for the organization's
business processes and evaluate its security
 Conduct vulnerability assessments and penetration tests to highlight system
vulnerabilities, thereby identifying weaknesses in systems, networks and applications
 Evaluate controls applied to various security domains by:
o Finding mis-configurations and rectifying them
o Identifying known and unknown risks related to technologies and addressing them
o Identifying known and unknown risks within your people or business processes
and addressing them
o Strengthening existing processes and technologies
 Prioritize assessment activities as per system criticality, testing expenses, and
expected benefits

 Educate people on performing security assessments
 Educate people on securing systems, networks and applications
 Provide information on
o The review of logging, monitoring & auditing processes
o The building and review of Disaster Recovery Plan
o The review of outsourcing security concerns
 Compliance to Legal & Regulatory Standards
 Create Security Awareness
 Effective Management of Security Assessment Projects
 Guarding against social engineering exploitation
 Physical security control review

This approach is based on using the shortest path required to achieve one's goal by
finding flaws that can be exploited efficiently, with minimal effort. The goal of this
framework is to give completeness, accuracy and efficiency to security assessments.

1.1.3 Why did we come up with ISSAF?

After working on many information assurance projects, we felt the lack of a comprehensive
framework that provides information security assurance through performing standardized
vulnerability assessment, penetration testing, security assessment and security audit.

ISSAF is a comprehensive and in-depth framework that helps avoid the risk inherent in
narrow or ineffective security assessment methodologies. In ISSAF we have tried to
define an information system security assessment methodology that is more
comprehensive than other assessment frameworks; it seeks to mitigate the inherent risk
in the security assessment process itself. It helps us understand the business risks that
we face in performing our daily operations. The threats, vulnerabilities, and potential
exposures that affect our organizations are too huge to be ignored.
At this particular time it is not the answer to every question or situation, but we are
committed to continuous improvement by improving current topics and adding new
topics.


ISSAF has laid the foundation; now it's your turn to benefit from it, whether you use it as
is or tailor the materials to suit your organization's needs. Welcome to ISSAF, we hope
you will find it useful.

1.2 TARGET AUDIENCE


This framework is aimed at a wide spectrum of audiences that include:
 Internal and External Vulnerability Assessors, Penetration Testers, Security Auditors
and Security Assessors
 Professionals responsible for information security perimeter security
 Security engineers and consultants
 Security assessment project managers
 Information system staff responsible for information security
 System/network/Web administrators
 Technical and Functional Managers


1.3 CONTRIBUTORS
1.3.1 Contributor Contacts and References

(Ascending order by name)

1.3.2 Contributors as per Domain


Domain Author[s] Contributor[s]
S.Saravanan and Balwant
Project Management
Rathore
Best Practices – Pre-
S.Saravanan
Assessment, Assessment, Post Balwant Rathore
Omar Herrera
Assessment
Evaluation of Third Party Dieter Sarrazyn
Viraf Hathiram
Contracts Balwant Rathore
Balwant Rathore
Assessment Framework
Umesh Chavan
Johnny Long
Gareth Davies
Technical Control Assessment Pukhraj Singh
Balwant Rathore
Methodology Param Singh
Dieter Sarrazyn
Kartikeya Puri
Review Information Security
Policy And Security Umesh Chavan R.S. Sundar
Organization
Review Risk Assessment And Umesh Chavan
Major Gajendra Singh
Classification Balwant Rathore
Bernardo Reino aka lepton
Password Security Miguel Dilaj Piero Brunati
Matteo Brunati
Bernardo Reino aka lepton
Password Cracking Strategies Pietro Brunati
Miguel Dilaj
Arturo "Buanzo" Busleiman
Unix /Linux System Security
Balwant Rathore Kartikeya Puri
Assessment
Jayesh Thakur
Arturo "Buanzo" Busleiman
Linux Audit Check-List Hiten Desai
Dieter Sarrazyn
Linux Audit Tool Hiten Desai
Solaris Audit Check-List Jayesh Thakur R.S. Sundar
Solaris Audit Tool Vijay Ganpathy
Windows System Security Kartikeya Puri
Balwant Rathore
Assessment Oscar Marin
Windows Security Audit Tool Dieter Sarrazyn
Desktop Security Checklist -
Umesh Chavan Balwant Rathore
Windows
Novell Netware Security
Balwant Rathore Kartikeya Puri
Assessment
Database Security Assessment K. K. Mookhey Balwant Rathore

Wireless Security Assessment Balwant Rathore


J Sheik Abdulla
Wi-fi Security Assessment Balwant Rathore
Anish Mohammed
Balwant Rathore
Physical Security Assessment
Umesh Chavan
Switch Security Assessment Balwant Rathore Cesar Tascon
Router Security Assessment Balwant Rathore Manish Uboveja
Firewall Security Assessment Balwant Rathore Dieter Sarrazyn
Dieter Sarrazyn
Default Ports – Firewall Vinay Tiwari
Oliver Karow
Intrusion Detection System Dragos
Balwant Rathore
Security Assessment Rishi Pande
Default Ports – IDS/IPS Vinary Tiwari
Gabrial O. Zabal
VPN Security Assessment
Balwant Rathore
Anti-Virus System Security
Balwant Rathore
Assessment And Management Miguel Dilaj
Umesh Chavan
Strategy
Balwant Rathore
Web Application Security
Hemil Shah
Web Application Security –
Balwant Rathore Hernan Marcelo Racciatti
SQL Injections
Web Server Security Balwant Rathore
IIS Audit Check-List Hernan Marcelo Racciatti
Rahul
Binary Auditing
Balwant Rathore
Business Continuity Planning
R.S. Sundar
And Disaster Recovery
Disaster Recovery Planning Kalpesh Doshi Balwant Rathore
Umesh Chavan
Social Engineering Balwant Rathore
Dragos
Incident Analysis Muhammad Faisal Rauf Danka
Storage Area Network (SAN) Balwant Rathore
Security Hari Prasad Chede
Internet User Security Balwant Rathore Kartikeya Puri
Review Of Logging / Monitoring R.S. Sundar
Thanzeer
& Auditing Processes Umesh Chavan
Assess Outsourcing Security
Umesh Chavan
Concerns
R.S.Sundar
Security Awareness And
Salman Ashraf Patrick
Training
Balwant Rathore
Knowledge Base
Legal Aspects Of Security Balwant Rathore


Assessment Projects Sandhya Khamesra


Dos Attacks: Instigation And
Jeremy Martin
Mitigation
Virus & Worms Jeremy Martin
Cryptography Jeremy Martin
Non-Disclosure Agreement
Balwant Rathore
(NDA)
Security Assessment Balwant Rathore
Contract Sandhya Khamesra
Request For Proposal
Balwant Rathore
Template
Vulnerability Assessment /
Hamid kashfi Balwant Rathore
Penetration Testing Lab
Links Marko Marko Ruotsalainen
Balwant Rathore
Report Template
Umesh Chavan

1.3.3 Key Contributors Introduction

Umesh Chavan
Umesh Chavan is an information security professional with over 7 years of experience and
holds a CISSP. He is currently working with CoreObjects, India, where he is involved in
the development of security products. Prior to this he worked with JP Morgan Chase as
an Information Risk Manager and as an Information Security Specialist with Larsen &
Toubro Infotech Ltd. He has exposure to the various domains in security and has a
unique blend of both process and technical knowledge. He likes conversing with people,
sharing new ideas and enriching his knowledge, not necessarily restricted to the field of
information security.

Miguel Dilaj
Born in 1971. Started using computers in 1982 (venerable C64). Migrated to Amiga in the
late 80's (still has and regularly uses a PowerPC Amiga). Became involved with PC and
AS/400 in the 90's. First serious use of Linux in 1998 (RedHat 5.1); tried FreeBSD,
NetBSD and OpenBSD and fell back to Linux, having tried RedHat-based, Slackware-based
and Debian-based distros. Currently using Debian-based distros, with continuous Windows
use from 3.0 up to XP Pro. Became deeply involved in IT Security in '98, when it started
to be possible to have real control of the situation (i.e. Linux!). Started training other
people in Linux and IT Security in 2000; currently working in the Quality Assurance and
Automation fields (Computerized System Validation). Interested in clusters and their use
for password auditing.

Piero Brunati
Co-founder of Nest (www.nestonline.com), where he performs research and ethical
hacking and develops software; he tries hard to mitigate customers' nightmares. He
began butchering computers in the good old 70's, when he spent his first salary to buy
the components he used to solder his first computer (8008 CPU, 2k static RAM, 2k
EPROM, serial and parallel I/O).

K. K. Mookhey
K. K. Mookhey is the Founder and Chief Technology Officer of Network Intelligence
(www.nii.co.in), an information security consulting firm. He has provided security
consulting services to Fortune 500 companies and industry segment leaders in India,
the Middle East, and North America. He has pioneered the development of the AuditPro
suite of security auditing software, as well as initiated the research efforts within the
company. His vulnerability research team has found security vulnerabilities in products
from vendors such as Oracle, Symantec, and Macromedia. He is a regular contributor to
the Infocus series of articles on SecurityFocus, as well as various industry journals such
as IS Control and IT Audit. He is the author of a monograph on "Linux Security Audit and
Controls" commissioned by the Information Systems Audit and Control Association
(ISACA). He is also the author of the chapter on "Web Application Attacks" in the
upcoming version of the OWASP Guide.

Dieter Sarrazyn
Dieter Sarrazyn has been an information security consultant and
trainer for more than 6 years now.

Dieter is a certified and experienced professional in the areas of
creating secure information systems and network architectures,
performing security audits of system and network
infrastructures, performing penetration tests and installing and
configuring firewall and VPN solutions. Other expertise lies in the areas of system and
network management, installing and configuring antivirus solutions and installing and
configuring mail relay systems.

Dieter first worked as a Security Engineer in a Network Integration Company and then
moved towards Security Consulting at the company he's still working for. His main tasks
are performing penetration testing, security auditing and teaching the Hacking Inside Out
course. He is also a Local Mentor for SANS tracks 1 and 4.

Dieter has earned the following certifications: CISSP, GSEC, GCIH, CCSA & CCSE.


1.4 DOCUMENT ORGANIZATION AND CONVENTIONS


1.4.1 Document Organization
This framework briefly discusses the requirements for security assessments and
explains in detail the methodology of security assessments. The sections are organized
as follows:
1. Project Management
2. Guidelines And Best Practices – Pre Assessment, Assessment And Post
Assessment
3. Assessment Methodology
4. Review Of Information Security Policy And Security Organization
5. Evaluation Of Risk Assessment Methodology
6. Technical Control Assessment
 Technical Control Assessment - Methodology
 Password Security
 Password Cracking Strategies
 Unix /Linux System Security Assessment
 Windows System Security Assessment
 Novell Netware Security Assessment
 Database Security Assessment
 Wireless Security Assessment
 Switch Security Assessment
 Router Security Assessment
 Firewall Security Assessment
 Intrusion Detection System Security Assessment
 VPN Security Assessment
 Anti-Virus System Security Assessment And Management Strategy
 Web Application Security Assessment
 Storage Area Network (SAN) Security
 Internet User Security
 AS/400 Security
 Source Code Auditing

 Binary Auditing
7. Social Engineering
8. Physical Security Assessment
9. Incident Analysis
10. Review Of Logging / Monitoring & Auditing Processes
11. Business Continuity Planning And Disaster Recovery
12. Security Awareness And Training
13. Outsourcing Security Concerns
14. Knowledge Base
 Legal Aspects Of Security Assessment Projects
 Non-Disclosure Agreement (NDA)
 Security Assessment Contract
 Request For Proposal Template
 Desktop Security Check-List - Windows
 Linux Security Check-List
 Solaris Operating System Security Check-List
 Default Ports - Firewall
 Default Ports – IDS/IPS
 Links
 Penetration Testing Lab Design

1.4.2 Document Convention


In many places in this document we use the following test case template:


Heading of Topic

Introduction
(Description / purpose / requirement / terminology / history)

Objective
(Security tester's and system administrator's perspective)

Expected Results

Methodology
(Structured steps that need to be followed to complete the test case)

Per Test / Technique:
Description
Objective
Expected Result
Pre-requisite
Process (Steps to complete this task)
[Description]
[Example/Results]
[Example/Results]
[Countermeasure]
Example/Results of common testing tool(s)
Countermeasure(s)
Further Reading(s)
Contributor(s)

Global Comments

Global Countermeasure(s)

Contributor(s)

Further Reading(s)


1.5 DISCLAIMER
While all possible precautions have been taken to ensure accuracy during the
development of the Information System Security Assessment Framework (ISSAF), also
referred to as ISSAF, the Open Information System Security Group (OISSG) assumes no
responsibility for any damages, errors or downtime resulting from or caused by the use of the
information contained herein.

OISSG does not warrant or assume any legal liability or responsibility for the
completeness, usefulness, accuracy of the information presented in this document.

OISSG will not be responsible for any damage, malfunction, downtime, or other errors
that might result from the usage of this document.

1.6 LICENSING
 We impose no restrictions on any individual/organization for practicing the ISSAF
 Any individual/organization will be granted unlimited distribution of the ISSAF
provided the copyright is included in the document and the authors' name[s] are
maintained in the document after the final release of ISSAF. This release is a draft,
and to distribute it one needs to take permission from OISSG.
 We impose no restrictions on any individual/organization developing products based
on it.
 A written authorization is required from OISSG for any individual or organization that
provides training based on ISSAF and/or wants to use ISSAF material for
commercial training purposes
 Generally, tools developed for ISSAF assessment are released under the GNU GPL
(http://www.opensource.org/licenses/gpl-license.html)
 OISSG reserves the right to change the licensing policy at its own discretion.

For more detail on our licensing, reach us at licensing@oissg.org
