PT Auditing & Standards Risk Assessment

Description:

• Types of controls that can be implemented
• Techniques of rapid risk assessment
• Steganography – its meaning in IS
• How to measure IS risk assessment
• Metrics from auditing, compliance and pentesting activities, network devices and systems
• Disposable malware and drive-by download attacks

Also: Biometrics – a web based face mask prediction system from only fingerprints


Page 1: PT Auditing & Standards Risk Assessment

Sense of Security (Compliance, Protection, Quality and Integrity)
[email protected]

Now Hiring

Sense of Security is an Australian based information security and risk management consulting practice. From our offices in Sydney and Melbourne we deliver industry leading services and research to our clients locally, nationally and internationally.

Since our inception in 2002, our company has performed tremendously well. We thrive on team work, service excellence and leadership through research and innovation. We are seeking talented people to join our team. If you are an experienced security consultant with a thorough understanding of Networking, Operating Systems and Application Security, please apply with a resume to [email protected] and quote reference PTM-TS-12.

Teamwork. Innovation. Passion.


Nipper Studio: Device Auditing Scanners with Multi-Platform Support
[email protected] Tel: +44 (0)845 652 0621

Audit without Network Traffic

Authentication Configuration, Authorization Configuration, Accounting/Logging Configuration, Intrusion Detection/Prevention Configuration, Password Encryption Settings, Timeout Configuration, Physical Port Audit, Routing Configuration, VLAN Configuration, Network Address Translation, Network Protocols, Device Specific Options, Time Synchronization, Warning Messages (Banners), Network Administration Services *, Network Service Analysis *, Password Strength Assessment *, Software Vulnerability Analysis *, Network Filtering (ACL) Audit *, Wireless Networking *, VPN Configuration *

* Limitations and constraints will prevent a detailed audit

“It was refreshing to discover Nipper and to find that it supported so many devices that Cisco produces. Nipper enables Cisco to test these devices in a fraction of the time it would normally take to perform a manual audit. For many devices, it has eliminated the need for a manual audit to be undertaken altogether.” – Cisco

Business Benefits to Cisco

• Nipper quickly produces detailed reports, including known vulnerabilities.
• By using Nipper, manual testing has been altogether eliminated for particular Cisco devices.

Scanning isn’t enough

for free at www.titania.com

Nipper Studio reduces manual auditing time by quickly producing a consistent, clear and detailed report. This report will:

1. Summarize your network’s security
2. Highlight vulnerabilities in your device configurations
3. Rate vulnerabilities by potential system impact and ease of exploitation (using CVSSv2 or the established Nipper Rating System)
4. Provide an easy to action mitigation plan based on customizable settings that reflect your organization’s systems and concerns
5. Allow you to add previous reports and enable change tracking functionality, so you can easily view the progress of your network security

Cyber Security Auditing Software

• Device information remains confidential
• Settings that allow you to hide sensitive information in the report
• Low cost, scalable licensing
• Point and click GUI or CLI scripting
• Audit without network traffic


Page 4 http://pentestmag.com 07/2012(7)

Editor’s Note

TEAM

Managing Editor: Magdalena Król [email protected]
Associate Editor: Aby [email protected]
2nd Associate Editor: Gareth [email protected]
Betatesters / Proofreaders: Jeff Weaver, William Whitney, Shrinath Nerlekar, Harish Chaudhary, Daniel Wood, Scott Christie, Dennis Distler, Johan Snyman, Eric Schultz, Ed Werzyn, David Kosorok, Stefanus Natahusada, Michael Munty
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa [email protected]
Art Director: Ireneusz Pogroszewski [email protected]
Production Director: Andrzej Kuca [email protected]
Marketing Director: Ewa [email protected]
Publisher: Software Media Sp. z o.o., ul. Bokserska 1, 02-682 Warszawa, Phone: +48 22 427 36 56, www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.

To create graphs and diagrams we used program by

Mathematical formulas created by Design Science MathType™

DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

Dear Readers,

August is usually a time for our holidays. When the sun is shining, the weather is great and we are spending nice time with our family and friends… So it’s hard to find even a moment to think about the security of the important data we left on our computer. However, taking some time to read PenTest Auditing & Standards can help you find new solutions to secure your information.

This month we give you some hints about Information Security and we focus especially on Risk Assessment Measurement in order to simplify taking care of data security. I know that many people call that subject boring, but with this issue you will probably see that this topic can also be very interesting.

The issue opens with the Introduction section, which describes the subject matter of Information Security and the basics of carrying out an information security risk assessment. This section confirms the importance of performing regular and systematic risk assessments. We can also find an explanation of how to provide secure environments that effectively protect the organization’s assets, networks, systems, vital business processes, and data.

In the Policies & Tactics section we have an opportunity to learn how to successfully approach risk management and find out the reason why management can be seen as the dominant force in every corner of organizations. We can also see how Steganography can be useful in Information Security.

In the Metrics and Measurement section the 4M of Management criteria are shown: Management needs Monitoring, Measurement and Metrics as a way to “manage” risks and the efficiency of controls. We can also find a technical and practical description of how to measure IS Risk.

At the end we have something Extra for you, a really interesting article about Biometrics, which explains the possibility of predicting a web based face mask system only from fingerprints.

Enjoy reading!

Magdalena Król
& PenTest Team


CONTENTS

INTRODUCTION

06 The Information Security Risk Assessment – Security for the Enterprise
by Tarot “Taz” Wake
As the saying goes, nothing can ever be 100% secure and we all know that in practice security is always a trade-off between competing forces such as user requirements, cost, government regulations and the like. Risk management provides the overarching framework for this trade-off and one of the most fundamental parts of the risk management process is the risk assessment.

14 IT Risk Management and Risk Assessment
by Timothy Nolan and Serge Jorgensen
IT Risk Assessment is an important component of Enterprise Risk Management – detecting and dealing with new and emerging threats and vulnerabilities in a prudent, effective and responsible manner.

POLICIES & TACTICS

26 Risky Business: IT Security Risk Management Demystified
by Michael D. Peters
As a career security practitioner and Chief Security Officer to several companies over the years, I was responsible for the reduction or elimination of threat exposures to their core business assets.

34 IS Risk Assessment & Measurement
by Dan Ross
With the ever changing world of Information Security and the rapid increase of users accessing the Internet over the past decade, IS Risk Assessment and Measurement has in more recent years become a much higher priority for businesses around the world to address.

38 Risk Management Approach
by Ozan Ozkara
Why does IT security, or the enterprise in general, need to understand risk management? Risk management is a fundamental element of security and can be seen as the dominant force in every corner of an organization.

44 Security By Obscurity: Do Not Spurn In An Era Of Automated Hacking
by Sang Lee
Camouflage... if so successfully used by nature, why is obfuscation scorned in information security? Take a look at Steganography, which can be called Data Camouflage.

50 The Right Way of Risk Assessment
by Marcus J. Ranum
The concept of “vagueness” is important to philosophers, and (perhaps) is relevant to the real world of security. Briefly, the idea of vague concepts is that it’s often difficult to determine a sharp dividing line between two states – at what point, for example, do we say that a person has “gone bald”?

METRICS & MEASUREMENT

54 Information Systems Metrics and Measurement
by Berker Tasoluk
In order to “manage” our risks, and the efficiency of our controls, we have to depend on some quantitative criteria. Here come the metrics.

58 Measuring the Effectiveness of Information Security Risk Assessment
by Omoruyi Osagiede
The cure for the headache is not to cut off the head. This proverb encapsulates the basic principle surrounding information security risk assessment.

64 Measuring the Imponderable: Auditing IT Risks
by Stefano Maccaglia and Prof. Anna Scaringella
Many technologies, today, offer a “click one and catch all” solution. But in our experience such technologies are just a good start.

70 Security Risk Assessment: How to Measure and to Be Aware of the Risk Assessment Element as Part of Risk Management in the Field of Cyber Security
by Predrag Tasevski
Many organizations – both public and private – nowadays have implemented and developed their own security risk assessment template tool.

EXTRA

74 Biometrics: A Web Based Face Mask Prediction System from Only Fingerprints
by Seref Sagiroglu, Uraz Yavanoglu and Necla Ozkaya
Most efforts in biometrics have recently been focused on how to improve the accuracy and processing time of the biometric systems, to design more intelligent systems, and to develop more effective and robust techniques and algorithms.

INTRODUCTION

The Information Security Risk Assessment – Security for the Enterprise

As the saying goes, nothing can ever be 100% secure and we all know that in practice security is always a trade-off between competing forces such as user requirements, cost, government regulations and the like. Risk management provides the overarching framework for this trade-off and one of the most fundamental parts of the risk management process is the risk assessment.

In this article I will cover how you can carry out a detailed Information Security Risk Assessment and deliver genuine value to the end business. This is a process that I, and others, have used with numerous businesses, across all market sectors, and has proven to be resilient and straightforward to deliver.

What you will learn in this article

• Why you need an information security risk assessment.
• The basics of carrying out an information security risk assessment.
• What you need to do with your findings.

Risk management for dummies

Risks are everywhere – when we cross the road, when we take a flight, when we eat sushi, we are taking a risk. We do this automatically, because throughout our lives we have taken on board the lessons of our parents, teachers and own experiences as to what risks are likely to happen and if so how much they will hurt us. We then weigh this up against what our benefit will be and decide how we will act (Figure 1). For most people, this becomes so much “second nature” it happens without any conscious thought.

This is risk management on a personal level and while it may not be perfect (accidents still happen), it generally serves people throughout their lives and enables them to reap the benefits of taking occasional controlled risks.

The same principle applies to businesses [1] whereby taking risks allows them to open up new markets, deliver better services, or just enhance the quality of their offerings. Any business that re-

Figure 1. Risk Management

INTRODUCTION

IT Risk Management and Risk Assessment

IT Risk Assessment is an important component of Enterprise Risk Management – detecting and dealing with new and emerging threats and vulnerabilities in a prudent, effective and responsible manner. Performing regular and systematic risk assessments is a crucial best practice and helps provide a secure environment and protect an organization’s assets, networks, systems, vital business processes, and data.

The assessment is often placed onto a relative plot using these four items as axes and rating various items against each other. Fundamentally, a risk assessment cannot be “done” by an outside agency. While the assessment can be “led” through outside input, the information developed is maintained by various business owners inside the company. Without continuous and intelligent input from the business units discussed below, the assessors will rate the wrong risks, assign the wrong impact and generally deliver a flawed end product.

The primary consideration for conducting a successful risk assessment is to involve the right teams. A risk assessment conducted only with input from IT is almost immediately severely limited in scope, knowledge and potential for success (Figure 1).

Teams should include input from: Legal, Human Resources, Audit, Finance, as well as the specific areas of IT: Operations, Security, Databases and Storage.

Each distinct group brings a unique perspective to the assessment, with different priorities, understanding and knowledge. Specifically:

• Legal and Audit assist with regulatory compliance
• Legal assists with 3rd-party contracts and data exchange agreements
• Finance provides insight on valuation of risk
• HR assists with identifying data repositories as well as internal response and controls
• IT involvement is two-fold:
  • Present the various data repositories to the group for identification

Figure 1. Risk Assessment Team Sources

POLICIES & TACTICS

Risky Business: IT Security Risk Management Demystified

As a career security practitioner and Chief Security Officer to several companies over the years, I was responsible for the reduction or elimination of threat exposures to their core business assets. Depending on the nature of that business and its size, this might be a daunting task at first blush; however, I have discovered that with an organized, systematic approach, you can approach risk management effectively.

As a career security practitioner and Chief Security Officer to several companies over the years, my significant responsibility to the organization I am responsible for is simply to reduce or eliminate threat exposures to its core business assets. Depending on the nature of that business and its size, this might be a daunting task at first blush; however, I have discovered that with an organized, systematic approach, you can approach risk management effectively. Risk, simply put, is the negative impact to business assets by the exercise of vulnerabilities to those assets, considering both the probability of that event as the Single Loss Expectancy (SLE) and the resulting impact of the occurrence, otherwise known as the Annualized Loss Expectancy (ALE), both terms of which I will define more in depth shortly.

This article is focused on helping you understand the core elements of a successful IT security risk management program for a commercial enterprise, the processes of calculating the cost of a risk exposure, and what the appropriate costs of mitigating those risks should be.

We must first understand what the essence of IT security risk management is, which can be defined as the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. The resulting impact of an event can be described in terms of loss or degradation of any, or a combination of any, of the following three security characteristics: integrity, availability, and confidentiality. The following list provides a brief description of each security goal and the impact of its not being met (Figure 1).

IT security risk management plays an essential role in protecting an organization’s intellectual property and information assets and subsequently, the business mission, from information technology related security risks. Each organization is unique and the thresholds for how much risk it is willing to accept, otherwise known as their risk appetite, will have a measurable impact on the IT security risk management program implemented. Regardless, every effective IT security risk management plan should contain three essential facets; something I refer to as The Security Trifecta in one of my books, Governance Documentation and Information Technology Security Policies Demystified, which is a combination of governance, technology and vigilance. If you are preparing to lead a company’s security function or improve what you have implemented already, I’m going to lay out a sustainable IT security risk management plan for you that should be part of your first one-hundred days on the job or at the very least, implemented during your tenure as soon as possible.

POLICIES & TACTICS

IS Risk Assessment & Measurement

With the ever changing world of Information Security and the rapid increase of users accessing the Internet over the past decade, IS Risk Assessment and Measurement has, in more recent years, become a much higher priority for businesses around the world to address.

Thus clearly defined standards that have good procedural practice and policies in place have been created over time to allow these businesses to operate with a greater sense of security in their IS Risk auditing process. This article will try to identify and outline some of the problems and issues these businesses have been required to overcome by addressing their IS Risk Assessment and Measurement needs.

The reason why a business is likely to adopt IS Risk Assessment and Measurement is to allow them to collect all the necessary data required to identify and audit their resources in a clear and accurate manner. This allows for the highest residual risks to be identified and then be rated into individual auditable units and discrete segments in order for them to classify each individual risk into high-risk and low-risk areas or categories.

This mainly exists in relationship to their critical control systems that will help the business address its inherent high-risk areas, so different techniques and methods are required to help build a volume of data which can then be broken into all of the different auditable units. This can then be understood and also more easily presented to assist with and provide a reasonable assurance in relation to the relevant information collected. This includes all of the different areas of the Information Security landscape to essentially assist the management to effectively discharge their responsibilities while also providing a reasonable assurance that the IS Audit activities are directed to all the high business risk areas and thus adding true value to the management of their assets.

There are several methods that are currently being used to assist in IS Risk Assessments. A useful method that is widely used is a scoring system that identifies and prioritises its IS audits based upon the prior evaluation of risk factors, considering technical complexity, extent of system and process change, and materiality on a weighted score. The risk values are then juxtaposed upon one another in order to prepare an annual IS Audit plan to present to an audit committee or the CEO. Once the IS plan is approved, reviews can then be scheduled accordingly. Other forms of IS risk assessment can be judgmental or require an independent action based upon past directives and/or previous decisions made under the same business climate.
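The weighted scoring method the article describes (rate each auditable unit on technical complexity, extent of system and process change, and materiality; combine into a weighted score; rank the units into an annual IS audit plan; classify into high-risk and low-risk categories) can be made concrete. The Python below is an added example, not code from the article or from any tool it mentions. The three factors are the ones the article names; the 1–5 rating scale, the factor weights, the high-risk threshold, the capacity-based scheduling and the sample units are assumptions made here for illustration.

```python
"""Weighted risk scoring of auditable units to build an annual IS audit plan.

Added example, not from the article. Factor names follow the article; the
1-5 scale, weights, threshold, capacity rule and sample data are assumptions.
"""
from dataclasses import dataclass

# Assumed factor weights (sum to 1.0): materiality is weighted highest because
# the plan is presented to an audit committee, where business impact dominates.
WEIGHTS = {"technical_complexity": 0.3, "change_extent": 0.3, "materiality": 0.4}
SCALE = range(1, 6)          # assumed rating scale: 1 (lowest) .. 5 (highest)
HIGH_RISK_THRESHOLD = 0.6    # assumed cut-off on the normalised 0..1 score


@dataclass(frozen=True)
class AuditableUnit:
    name: str
    technical_complexity: int
    change_extent: int
    materiality: int


def validate(unit: AuditableUnit) -> None:
    """Reject ratings outside the scale so a typo in the risk register cannot
    silently inflate or deflate a unit's score."""
    for factor in WEIGHTS:
        value = getattr(unit, factor)
        if value not in SCALE:
            raise ValueError(
                f"{unit.name}: {factor}={value} outside {SCALE.start}-{SCALE.stop - 1}"
            )


def weighted_score(unit: AuditableUnit) -> float:
    """Weighted sum of the factor ratings, normalised to 0..1 and rounded so
    scores from registers using different scales remain comparable."""
    validate(unit)
    total = sum(WEIGHTS[factor] * getattr(unit, factor) for factor in WEIGHTS)
    return round(total / max(SCALE), 3)


def classify(score: float, threshold: float = HIGH_RISK_THRESHOLD) -> str:
    """Map a normalised score to the article's high-risk / low-risk categories."""
    return "high-risk" if score >= threshold else "low-risk"


def build_audit_plan(units, capacity: int):
    """Rank units by score (ties broken by materiality, then name, so the
    ordering is deterministic) and schedule the top `capacity` units for the
    annual plan; the rest are carried as unscheduled entries."""
    ranked = sorted(
        units, key=lambda u: (-weighted_score(u), -u.materiality, u.name)
    )
    plan = []
    for rank, unit in enumerate(ranked, start=1):
        score = weighted_score(unit)
        plan.append({
            "rank": rank,
            "unit": unit.name,
            "score": score,
            "category": classify(score),
            "scheduled": rank <= capacity,
        })
    return plan


# Constructed sample units for illustration (not real data).
SAMPLE_UNITS = [
    AuditableUnit("Payroll system", technical_complexity=3, change_extent=2, materiality=5),
    AuditableUnit("Customer web portal", technical_complexity=5, change_extent=5, materiality=4),
    AuditableUnit("Internal wiki", technical_complexity=2, change_extent=1, materiality=1),
    AuditableUnit("Core network devices", technical_complexity=4, change_extent=3, materiality=4),
]

if __name__ == "__main__":
    # Assumed: audit capacity for the year is two full reviews.
    for row in build_audit_plan(SAMPLE_UNITS, capacity=2):
        print(row)
```

Run as a script it prints the ranked plan; the customer web portal (score 0.92) and the core network devices (0.74) are scheduled, the payroll system (0.70) is high-risk but unscheduled and would be the first candidate if capacity grows, and the wiki (0.26) falls into the low-risk category.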

POLICIES & TACTICS

Risk Management Approach

Why does IT security, or the enterprise in general, need to understand risk management? Risk management is a fundamental element of security and can be seen as the dominant force in every corner of an organization.

Before setting up, why does IT security or the enterprise in general need to understand risk management? Risk management is a fundamental element of security and can be seen as the dominant force in every corner of organizations. We already have a number of materials that go into methods related to managing information risks. However, given that risk management is part of the overall security program and must work with other things, it is an important task to explore and find the relationships that must exist, as well as the new role of risk management in the security program.

Ask a few security guys to define risk and you’ll get different kinds of answers. If you read any risk management based security book, you are likely to find the author has used the terms risk, threat, vulnerability and assets interchangeably. The problem is that executives are always thinking risk = threat, and continuous business development issues are based on new risks. The good thing is that some within our profession have recognized the need to focus on risk. The difficult part is doing so without an understanding of what risk is, what its elements are, and how to measure the process.

Risk is a very large topic, and the different approaches and methods are already detailed and in use by security processes. There are almost fifty or more risk assessment and management models, tools and applications available in the industry today. Although that is not enough, the problem may be somewhere else.

My point is that risk management is an understanding in your mind and well-defined actions in your processes. According to me, risk management is interconnected to enterprise management aspects. The Risk Model identifies that every risk management model is based on a few basic principles and is not interested in what methods have been used before. Characterizing risk as a supportive feature as opposed to being “the” program may be difficult for some. In an effort to summarize this new role of risk and what it may mean to existing programs, consider the following points:

• It is exceedingly likely that what is being performed in the management of risk will not have to change: how risk is evaluated, managed, and monitored.
• Assessing risk as part of a risk management program is usually detailed, which utilizes ar-

The general who wins the battle makes many calculations in his temple before the battle is fought. The general who loses makes but few calculations beforehand.

– Sun Tzu, Art of War

OWASP Top 10 Quiz

Special quiz from MyAppSecurity. Solve it and send us the answers at [email protected] to get a gift from MyAppSecurity.

1. Which threat can be prevented by having unique usernames generated with a high degree of entropy?
A. Authorization Bypass
B. Crypt-Analysis of Hash Values
C. Spamming

2. An attack technique that forces a user’s session credential or session ID to an explicit value.
A. Session Hijacking
B. Session Fixation
C. Brute Force Attack
D. Dictionary Attack

3. For every link or form which invokes state-changing functions with an unpredictable token for each user, what attack can be prevented?
A. OS Commanding
B. Cross Site Request Forgery
C. Cross Site Tracing
D. Cross Site Scripting

4. Which attack can execute scripts in the user’s browser and is capable of hijacking user sessions, defacing websites or redirecting the user to malicious sites?
A. SQL Injection
B. Malware uploading
C. Man in the Middle
D. Cross Site Scripting

5. What threat are you vulnerable to if you do not validate authorization of the user for direct references to restricted resources?
A. Cross-Site Scripting
B. SQL Injection
C. Cross-Site Request Forgery
D. Insecure Direct Object References

6. What happens when an application takes user inputted data and sends it to a web browser without proper validation and escaping?
A. Security Misconfiguration
B. Cross Site Scripting
C. Insecure Direct Object References
D. Broken Authentication and Session Management

7. What is the attack technique used to exploit web sites by altering backend database queries through inputting manipulated queries?
A. SQL Injection
B. Cross Site Request Forgery
C. OS Commanding
D. XML Injection

8. For an indirect reference, what happens if there’s no list of limited values authorized for a user in the direct reference?
A. XML Injection
B. SQL Injection
C. Access to Sensitive Data Possible
D. Brute Forcing of Stored Encrypted Credentials

9. Attack that exploits the trust that a site has in a user’s browser.
A. Cross Site Tracing
B. SQL Injection
C. Cross Site Scripting
D. Cross Site Request Forgery

10. For a connection that changes from HTTP to HTTPS, what flaw arises if you do not change the session identifier?
A. Cross Site Scripting
B. Session Replay
C. Cross Site Request Forgery
D. Session Hijacking

11. What threat arises from not flagging HTTP cookies with tokens as secure?
A. Access Control Violation
B. Session Hijacking
C. Session Replay
D. Insecure Cryptographic Storage

12. Role-Based Access Control helps prevent this OWASP Top 10 weakness:
A. Failure to Restrict URL Access
B. Insufficient Transport Layer Protection
C. Unvalidated Redirect or Forward
D. Security Misconfiguration

13. What is the type of flaw that occurs when untrusted user entered data is sent to the interpreter as part of a query or command?
A. Insufficient Transport Layer Protection
B. Cross Site Request Forgery
C. Insecure Direct Object References
D. Injection

14. What flaw can lead to exposure of resources or functionality to unintended actors?
A. Session Fixation
B. Improper Authentication
C. Insecure Cryptographic Storage
D. Unvalidated Redirects and Forwards

15. What flaw arises from session tokens having poor randomness across a range of values?
A. Session Hijacking
B. Session Fixation
C. Session Replay
D. Insecure Direct Object References

POLICIES & TACTICS

Security By Obscurity: Do Not Spurn In An Era Of Automated Hacking

Camouflage... if so successfully used by nature, why is obfuscation scorned in information security? Take a look at Steganography, which can be called Data Camouflage. It is one of most extreme cases of obfuscation that I have heard of in the digital realm.

If you work in the information security space, you have heard it before. It is the first thing you learn, and it is almost axiomatic: security via obscurity does not work. If you have not encountered this saying before, Wikipedia has an excellent definition of security through obscurity: “a principle in security engineering, which attempts to use secrecy of design or implementation to provide security.” The Wikipedia entry goes on to note that the principle of security through obscurity has never been accepted, and that the United States National Institute of Standards and Technology (NIST) disavows its use. Indeed, one would be hard pressed to find someone who works in the security space who disagrees with the above observation.

Security through obscurity is not a viable security strategy, especially in the long run. But is it a viable security tactic?

The latter is a valid and pertinent question. All too often, I come across security professionals who will ignore the use of anything that even remotely hints at “obscurity” (or its brothers: hiding, disguising, etc.) because in the long run it does not work to secure or protect anything. Theoretically, a successful attack could be carried out for no other reason than that someone managed to stumble across the obfuscation attempt. Furthermore, the argument goes, it is a waste of time and it breeds indolence. That last statement is a hard one to defend for proponents of transparency, though: how many delay or forget to apply patches?

With attackers of all types trying to gain access to networks accessible via the internet, it pays to aim for security that does not rely on someone uncovering something, accidentally or otherwise, that causes a full-blown data breach.

But, whenever I hear of this long-run requirement, I am frequently reminded of an economist’s observation: “In the long run we are all dead.” I am using John Maynard Keynes’s quote out of context, but it still stands to reason that if one’s guiding principle is the long run – and that only its outcome dictates one’s current behavior – then one would be crazy to eat right, exercise, get medical checkups, etc. After all, no matter how much one fights against it, all hearts cease beating one day.

There is no argument that it pays to pay attention and to aim for security that will work for the long run, if not in the long run. But if obscurity works in the short run, why not employ it for short term benefits or as an extra layer of protection?

Before moving on, I would like to point out that “obfuscation” was chosen to refer to all instances

POLICIES & TACTICS

The Right Way of Risk Assessment

The concept of “vagueness” is important to philosophers, and (perhaps) is relevant to the real world of security. Briefly, the idea of vague concepts [1] is that it’s often difficult to determine a sharp dividing line between two states – at what point, for example, do we say that a person has “gone bald”?

When they lose 50% of their hair? 60%? And is there one single critical hair that’s the one that makes them flip from “hirsute” to “bald”? This may seem like a philosophical quibble, but it’s something we deal with rapidly and easily all the time in our day-to-day lives. It’s not simply the difference between the glass being half full or empty, it’s the difference between being “secure” and “insecure” and, ultimately, it comes down to our ability to confidently make assertions of knowledge about the state of our systems. We are asked: “is the network secure?” and are expected by management to give a yes/no answer. In effect we’re being asked to boil down a hugely complex set of knowledge, belief, and unknowns into a very simple answer – an answer we’re really never qualified to give.

How secure are we – an unanswerable question, isn’t it? Our (and our managers’) desire to have a clear answer to the question of “are we secure” has pushed security practitioners into perhaps trying too hard to quantify what may be unquantifiable. The field of risk management deals with trying to answer “how secure are we?” by extrapolating from estimates; something that can be useful, we suppose, but only if used with extreme caution.

Anyone who has ever studied the stock market ought to be familiar with the observation “past results do not predict future performance!” That’s a casual recap of David Hume’s analysis of the problem of induction: [2] it’s easy to assess observations about things that have happened in the past, but it’s very difficult if not outright impossible to guarantee a cause/effect relationship. Again, this is not merely an academic objection based on obscure philosophical arguments; rather it is a manifestation of one of the most interesting problems in the philosophy of science, dealing as it were with the foundation of the scientific method itself. We have to remind ourselves of it every time we hear of a site that had passed a PCI audit getting compromised. The premise of standards such as PCI is that adhering to them will have some definite, positive, but indeterminate effect over not adhering to them. The skeptic should ask, “if it’s an indeterminate effect, why do it at all?” To which the proponent must answer that it’s most likely greater than zero. Where we wish to be, with risk assessment, is to be able to assert with confidence that, for example, use of a certain technology reduces our likelihood of compromise by 10%, whereas another does by 5%, etc. Why can’t we do that? Because risk as-

Page 15: PT Auditing & Standards Risk Assessment

METRICS & MEASUREMENT

Page 54 http://pentestmag.com 07/2012(7)

Information Systems Metrics and Measurement

In order to “manage” our risks and the efficiency of our controls, we have to depend on some quantitative criteria. Here come the metrics. We have to monitor our processes and measure them using our metrics. There is a famous saying: you cannot manage what you cannot measure. Remember the 4M: Management needs Monitoring, Measurement and Metrics.

Information Systems Security Management is all about risk management. “Risk” is generally defined as the possibility of a loss. That loss occurs on our “assets”. What can cause harm is a “threat”. We have to be aware of our assets, possible threats to them and their consequences.

If we find the situation (our risks) acceptable, we do nothing, and that’s perfectly a risk management strategy. It’s called risk acceptance. If we find the situation (our risks) unbearable, then we have to reduce the risks to an acceptable level. So we put some countermeasures in place; those are our “controls”. Controls reduce our risks to an acceptable level.

That was the short risk management primer. In order to “manage” our risks, and the effectiveness / efficiency of our controls, we have to depend on some quantitative criteria. Here come the metrics. We have to monitor our processes; we have to measure them using our metrics. There is a famous saying: you cannot manage what you cannot measure.

Remember the 4M: Management needs Monitoring, Measurement and Metrics.

We can use several metrics from several information security activities / domains. Some examples are stated below:

Metrics from auditing / compliance activities

The most widespread auditing / IT control framework is ISACA’s CoBIT. Although CoBIT v5 was released recently, the most widely used version is still 4.1.

CoBIT has many processes, and the metric used for CoBIT is a process’ maturity model. Taken from Carnegie Mellon University’s Capability Maturity Model and the associated CMMI (CMM Integration) approach, this model uses a scale from 0 to 5 for a process’ maturity level. The levels are described below:

0 Non-Existent: The process isn’t present.
1 Initial: The process is not consistent. It may happen one way or another from time to time.
2 Repeatable: The process seems to repeat itself.
3 Defined: The processes are documented and distributed across the organization.
4 Managed: The processes are monitored and measured; thus managed.
5 Optimized: Best practices are implemented.

Some processes of the CoBIT 4.1 framework are related to general IT management processes, but some are directly related to IT security.

Page 16: PT Auditing & Standards Risk Assessment

Virscent Technologies Pvt. Ltd.

Virscent Technologies Pvt. Ltd., a brainchild of a team of IIT Kharagpur graduates, has been incubated in E-Cell IIT Kharagpur. It is an IT Solutions & Training company, offering Web, Security and Network Solutions, IT Consulting and Support Services to numerous clients across the globe.

We provide the following services:

a. Penetration Testing
b. Multimedia Services
c. Web Development
d. Training:
   a. Corporate Training
   b. Classroom Training
   c. Training programs for Educational Institutions.

Our Partners:

1. E-Cell IIT Kharagpur
2. Education Project Council of India

Website: www.virscent.com
Blog: www.virscent.com/blog

Page 17: PT Auditing & Standards Risk Assessment

METRICS & MEASUREMENT

Page 58 http://pentestmag.com 07/2012(7)

Measuring the effectiveness of Information Security Risk Assessment

The cure for the headache is not to cut off the head. This proverb encapsulates the basic principle surrounding information security risk assessment. The objective of IS risk assessment is to provide management with timely and meaningful information that will enhance their ability to make pragmatic decisions regarding the protection of information assets.

A traditional proverb from the South West region of Nigeria, when roughly translated, goes: “The cure for the headache is not to cut off the head.” In other words, never expend effort or resources that are disproportionate to the scale of the problem that you are trying to solve. This simple proverb encapsulates the basic principle surrounding information security (IS) risk assessment. The objective of IS risk assessment is to provide management with timely and meaningful information that will enhance their ability to make pragmatic decisions regarding the protection of information assets. This article suggests five ways by which organisations can measure the effectiveness of their IS risk assessment processes.

Adopting a risk-based approach is considered to be acceptable practice when selecting, designing and implementing security controls to mitigate known vulnerabilities. This approach puts management in a position where they are able to prioritise their available (and often scarce) resources to address the exposures that present the greatest risk to the organisation. This would imply that organisations that follow a risk-based approach have implemented information security management systems (ISMS), ones which include processes for conducting security risk assessments and processes for performing a cost-benefit analysis of security controls based on an understanding of the risk of not implementing them. In many cases, the difference between effective and ineffective security control implementations is the extent to which the controls have been designed to address specific risks.

The IS function should be set up as a business-enabling function, and therefore IS processes (including risk assessments) should be geared towards achieving this goal. Much has been written about IS risk assessments, including frameworks, methodologies, tools and techniques. However, like any other business process, impact can only be appreciated if there are clear and measurable indices which provide management with a view of its effectiveness. When measuring the effectiveness of IS risk assessments, it is common to use quantitative indices such as the ‘number of vulnerabilities identified on a given platform’ or the ‘number of outstanding remediation actions on a given system’. In my opinion, the true measure of the effectiveness of IS risk assessments is how much benefit the business derives from them. This article takes a different approach by deliberately de-emphasising the commonly used quantitative measures and considering more qualitative measures of the effectiveness of IS risk assessments.

Page 18: PT Auditing & Standards Risk Assessment

METRICS & MEASUREMENT

Page 64 http://pentestmag.com 07/2012(7)

Measuring the Imponderable: Auditing IT Risks

Ok! We have been through exploits, persistence, and crime packs, but now we should wear our suits, neckties, and blue suede laptop suitcases to go high level. We are talking about IT Auditing this time. No place for nerdy talks.

Measuring the risk in an ICT environment is quite a complex task.

Blackhats, spies and reckless Internet users all constitute a risk, which is something that could affect our environments and change them forever. At the same time, we could also consider our unpatched Web application, our out-of-date intrusion detection system or even our browsers a risk. All these are potential risks. The difference between them is related to their impact on the specific environment, the simplicity of the attack and the capability to limit the impact.

Measuring risk is a very complex task. The measurement is strongly related to the ability of the Auditor (the tester) to consider every possible risk and to evaluate every possible consequence.

If we are aware of a risk we can try to mitigate it or choose to accept it, but we cannot deny it. If we are unaware of a risk, because we have not considered it, we are vulnerable. Denying or ignoring the risk is the quickest way to be hacked to the root!

The first problem is identifying the risk.

Many technologies today offer a “click one and catch all” solution. However, in our experience such technologies are simply just a good start. Technologies rely on a wide set of cases already collected and analysed, but there is no technology that can “understand” your environment, because it is unique and different from others.

Risk identification aims to generate a list of ICT security risks to be managed and then evaluates the appropriate approach to their treatment. Risk Management identifies at least five aspects to be considered when identifying risks:

• Strategic risk
• Operational risk (including those related to service delivery, technology, people)
• Financial risk
• Reputation risk
• Legal/regulatory/compliance.

Risk identification considers what is at risk along with the associated threats and vulnerabilities.

Sometimes we have been able to spot vulnerabilities and risks in what appears to be normal user activity while participating in ICT auditing, such as downloading .pdf manuals from a site disguised as an original retailer’s website. Although, in reality, no one was controlling the manuals against poten-

Page 19: PT Auditing & Standards Risk Assessment

METRICS & MEASUREMENT

Page 70 http://pentestmag.com 07/2012(7)

Security Risk Assessment: How to measure and to be aware of the Risk Assessment element as part of Risk Management in the field of cyber security

Many organizations – both public and private – have nowadays implemented and developed their own security risk assessment template tool. The main goal for the template is first to analyse workflow, then to identify the assets, threat sources and vulnerabilities.

Risk assessment is a vital step in Risk Management, as it aims to determine the quantitative or qualitative value of risks related to an array of threats (i.e. attacks) at any given point in time. Many individuals, organizations, and those they interconnect with will have to be able to identify, prioritize and estimate risks. Additionally, we have to keep in mind that a security incident happens when there is a threat and at the same time a vulnerability, and a likelihood that the event will occur.

In general, risk is when the chosen action or activity will lead to organizational loss. In addition, risk is the likelihood that something wrong and/or bad will happen and will cause harm to the organizational information asset, or lead to the entire loss of the asset. In risk, vulnerability is a weakness that could be used to jeopardize or cause harm. Threat is anything (artificial or act of nature) that has the potential to cause harm to organizational information assets [3].

Moreover, the probability that a threat will use a vulnerability to cause damage creates a risk to organizations. When a threat does use a vulnerability to inflict damage, it has an impact. In the context of information security, the impact is a loss of availability, integrity and confidentiality. Similarly to information security, in cyber security the additional impacts are: non-repudiation, authentication, information systems importance and criticality from the standpoint of state Critical Information Infrastructure / Critical Infrastructure. Other possible losses can occur too, such as loss of income and loss of life, etc. It is very important to point out that it is not possible to identify all risks, nor is it possible to eliminate all risks.

Therefore, the main goal of this article is to provide the readers with background information about information technology related risks and an illustrated template tool for security risk assessment. Furthermore, it shows how to identify and evaluate the risk elements by delivering a solution with an expanded definition of risks and risk measurement techniques by probability, or even better, by the frequency of security incident occurrence.

Background

The first book on computer security appeared in the 1970s, and it was tailored for professionals and the general public. It also served as a public recognition of security as a problem and the value of the risk assessment process. Moreover, the introduction of networked systems had relatively limited impact on the risk profiles of most organisations, since unauthorised access to the network was physically and technically very difficult, and the growth in the numbers of people who entered
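The risk elements this excerpt defines (assets, threat sources, vulnerabilities, likelihood expressed as incident frequency, impact) and the accept-or-treat decision the Metrics and Measurement primer earlier on this page describes (do nothing if the risk is acceptable, otherwise add controls until it is) can be worked through as a small risk register. The following is an added example, not the article's template tool: every asset, threat, frequency, impact, control and cost in it is a constructed sample value, and the scoring arithmetic (annual frequency times loss per incident, with each control scaling one or both) is an assumed way of filling such a template, not something the excerpt specifies.

```python
"""Worked risk register: added example, not the article's template tool.
Every asset, threat, vulnerability, frequency, impact, control and cost
below is a constructed sample value, not data from the page."""
from dataclasses import dataclass, field
from typing import List, Tuple

# A control is (name, frequency_factor, impact_factor, annual_cost):
# frequency_factor scales how often the incident is expected to occur,
# impact_factor scales the loss per incident. 1.0 means "no effect".
Control = Tuple[str, float, float, float]


@dataclass
class Risk:
    asset: str
    threat: str            # threat source, e.g. external attacker, thief
    vulnerability: str     # the weakness the threat would use
    category: str          # strategic / operational / financial / reputation / legal
    frequency: float       # expected incidents per year (annual rate of occurrence)
    impact: float          # expected loss per incident, in currency units
    controls: List[Control] = field(default_factory=list)

    def inherent_ale(self) -> float:
        """Annualised loss expectancy before any control: frequency x impact."""
        return self.frequency * self.impact

    def residual_ale(self) -> float:
        """Annualised loss expectancy after the controls have been applied."""
        freq, imp = self.frequency, self.impact
        for _, f_factor, i_factor, _ in self.controls:
            freq *= f_factor
            imp *= i_factor
        return freq * imp

    def control_cost(self) -> float:
        return sum(cost for _, _, _, cost in self.controls)

    def net_benefit(self) -> float:
        """Loss removed by the controls minus what they cost per year.
        Negative means the cure costs more than the headache."""
        return self.inherent_ale() - self.residual_ale() - self.control_cost()


def frequency_from_incidents(incident_count: int, observation_years: float) -> float:
    """Annual rate estimated from observed incidents, the frequency-based
    measure the article prefers over a guessed probability."""
    if observation_years <= 0:
        raise ValueError("observation window must be positive")
    return incident_count / observation_years


def decide(risk: Risk, appetite: float) -> str:
    """Risk acceptance when the residual loss fits the appetite, else treat."""
    return "accept" if risk.residual_ale() <= appetite else "treat"


def build_register() -> List[Risk]:
    """Constructed sample register spanning several of the risk categories."""
    return [
        Risk("customer web application", "external attacker", "SQL injection in login form",
             "operational", frequency=frequency_from_incidents(1, 2),  # 1 incident in 2 years
             impact=200_000.0,
             controls=[("input validation and code review", 0.2, 1.0, 30_000.0)]),
        Risk("field laptops", "thief", "unencrypted disk",
             "legal/regulatory", frequency=2.0, impact=50_000.0,
             controls=[("full-disk encryption", 1.0, 0.1, 5_000.0)]),
        Risk("public website", "defacer", "outdated CMS plugin",
             "reputation", frequency=0.2, impact=20_000.0),
    ]


def summarize(register: List[Risk], appetite: float) -> List[dict]:
    """Rows sorted by residual loss, highest first, so the exposures that
    still exceed the appetite are what management sees at the top."""
    rows = []
    for r in register:
        rows.append({
            "asset": r.asset,
            "category": r.category,
            "inherent": r.inherent_ale(),
            "residual": r.residual_ale(),
            "control_cost": r.control_cost(),
            "net_benefit": r.net_benefit(),
            "decision": decide(r, appetite),
        })
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


if __name__ == "__main__":
    for row in summarize(build_register(), appetite=15_000.0):
        print(f"{row['asset']:<26} {row['category']:<16} inherent={row['inherent']:>8.0f} "
              f"residual={row['residual']:>7.0f} net_benefit={row['net_benefit']:>7.0f} "
              f"-> {row['decision']}")
```

With the constructed values and an appetite of 15,000 per year, the web application stays above appetite even after its control (20,000 residual) and is marked for treatment, while the laptops (10,000) and the website (4,000) are accepted. A control whose annual cost exceeds the loss it removes shows a negative net benefit, which is the disproportionate-effort case the proverb on the previous article page warns about.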

Page 20: PT Auditing & Standards Risk Assessment

EXTRA

Page 74 http://pentestmag.com 07/2012(7)

A web based face mask prediction system from only fingerprints

Most efforts in biometrics have recently been focused on how to improve the accuracy and processing time of biometric systems, to design more intelligent systems, and to develop more effective and robust techniques and algorithms [1]-[2].

Although the number of these new techniques and algorithms increases, new techniques or approaches have always been desired. Achieving faces from only fingerprints might be a challenging as well as pioneering study. To the best of our knowledge, investigating relationships among fingerprints and face masks, including the inner face parts and face borders, has not been studied in the literature so far except by the authors.

The authors have most recently introduced to the literature, for the first time, that there are close relationships among faces and fingerprints [3]. Generating the face borders; the face contours including face border and ears; the face models including eyebrows, eyes and mouth; the inner face parts including eyes, nose and mouth; the face parts including eyes, nose, mouth and ears; and the face models including eyes, nose, mouth, ears and face border from only fingerprints, without any need for face information, have been the studies to introduce these relationships. It is clear from these studies that an unknown biometric feature can be successfully achieved from a known biometric feature. The aim of the proposed study is to develop a web based automatic and intelligent face prediction system capable of providing a more complex and distinguished solution. Web based experimental results and feedback have shown that the proposed system yields good performance and is capable of efficiently generating whole face masks for web applications.

A new approach to generate face masks from fingerprints without having any information about faces is successfully achieved and introduced in this study. In addition, the relationship among fingerprints and faces (Fs&Fs) is also experimentally shown. This relationship among the face masks and the fingerprints can be mathematically represented as:

y = H(x) (1)

where y is a vector indicating the feature set of the face mask and its parameters achieved from a person, x is a vector representing the feature set of the fingerprint acquired from the same person, and H(.) is a highly nonlinear system approximating y onto x. In this study, H(.) is approximated by a model to predict the relationship among Fs&Fs via artificial neural networks (ANNs). ANNs have been successfully applied in fingerprint recognition and face recognition applications.

In this study, an ANN predicts the relationships among x and y vectors. An ANN model has been implemented with the help of a 4-layered MLP structure trained with the scaled conjugate gradient al-
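The mapping y = H(x) in equation (1) is learned from (x, y) pairs. Below is an added example, not the authors' system or code: a 4-layer MLP (input, two tanh hidden layers, linear output) in plain Python that fits a constructed nonlinear H on synthetic two-dimensional vectors standing in for fingerprint and face-mask feature sets. It trains with ordinary stochastic gradient descent instead of the scaled conjugate gradient algorithm the article names, and the dataset, layer sizes and learning rate are all assumptions for the demonstration. The finite-difference gradient check is the first thing to confirm before trusting any reported prediction performance from such a model.

```python
"""4-layer MLP approximating y = H(x): added example, not the authors' system.
Synthetic constructed vectors stand in for fingerprint/face-mask features, and
plain SGD replaces the scaled conjugate gradient training the article names."""
import math
import random


def make_dataset(n=60, seed=1):
    """Constructed (x, y) pairs from a known nonlinear H, standing in for
    fingerprint features x and face-mask features y."""
    rng = random.Random(seed)
    xs, ys = [], []
    for _ in range(n):
        x = [rng.uniform(-1.0, 1.0), rng.uniform(-1.0, 1.0)]
        ys.append([math.sin(math.pi * x[0]) * x[1], x[0] ** 2 - x[1]])
        xs.append(x)
    return xs, ys


class MLP:
    """Fully connected network with tanh hidden layers and a linear output."""
    def __init__(self, sizes, seed=0):
        rng = random.Random(seed)
        self.layers = []  # (W, b) per layer; W[j][i] connects input i to unit j
        for n_in, n_out in zip(sizes[:-1], sizes[1:]):
            scale = 1.0 / math.sqrt(n_in)
            W = [[rng.uniform(-scale, scale) for _ in range(n_in)] for _ in range(n_out)]
            self.layers.append((W, [0.0] * n_out))

    def forward(self, x):
        """Activations of every layer, input first, output last."""
        acts = [x]
        for idx, (W, b) in enumerate(self.layers):
            z = [sum(w * a for w, a in zip(row, acts[-1])) + bi for row, bi in zip(W, b)]
            acts.append(z if idx == len(self.layers) - 1 else [math.tanh(v) for v in z])
        return acts

    def predict(self, x):
        return self.forward(x)[-1]

    def loss(self, x, y):
        """Per-sample squared error L = 0.5 * sum((H(x) - y)^2)."""
        return 0.5 * sum((o - t) ** 2 for o, t in zip(self.predict(x), y))

    def gradients(self, x, y):
        """Backpropagation: (dL/dW, dL/db) for every layer."""
        acts = self.forward(x)
        delta = [o - t for o, t in zip(acts[-1], y)]  # dL/dz at the linear output
        grads = [None] * len(self.layers)
        for idx in range(len(self.layers) - 1, -1, -1):
            W, _ = self.layers[idx]
            a_prev = acts[idx]
            grads[idx] = ([[d * a for a in a_prev] for d in delta], list(delta))
            if idx > 0:  # push delta back through W, then through tanh' = 1 - a^2
                delta = [(1.0 - a * a) * sum(W[j][i] * delta[j] for j in range(len(W)))
                         for i, a in enumerate(a_prev)]
        return grads

    def sgd_step(self, x, y, lr):
        for (W, b), (dW, db) in zip(self.layers, self.gradients(x, y)):
            for j in range(len(W)):
                for i in range(len(W[j])):
                    W[j][i] -= lr * dW[j][i]
                b[j] -= lr * db[j]


def mse(model, xs, ys):
    """Mean squared error over the dataset, averaged over output dimensions."""
    return sum(sum((o - t) ** 2 for o, t in zip(model.predict(x), y)) / len(y)
               for x, y in zip(xs, ys)) / len(xs)


def train(model, xs, ys, epochs=200, lr=0.02):
    """Plain SGD; returns (mse before training, mse after training)."""
    before = mse(model, xs, ys)
    for _ in range(epochs):
        for x, y in zip(xs, ys):
            model.sgd_step(x, y, lr)
    return before, mse(model, xs, ys)


def gradient_check(model, x, y, layer=1, j=0, i=0, eps=1e-5):
    """Gap between one analytic weight gradient and a central finite
    difference; near zero only if backprop is implemented correctly."""
    W, _ = model.layers[layer]
    analytic = model.gradients(x, y)[layer][0][j][i]
    original = W[j][i]
    W[j][i] = original + eps
    plus = model.loss(x, y)
    W[j][i] = original - eps
    minus = model.loss(x, y)
    W[j][i] = original
    return abs(analytic - (plus - minus) / (2 * eps))


if __name__ == "__main__":
    xs, ys = make_dataset()
    net = MLP([2, 8, 8, 2])
    print("gradient check gap:", gradient_check(net, xs[0], ys[0]))
    print("mse before/after training: %.4f / %.4f" % train(net, xs, ys))
```

The block keeps the output layer linear because the face-mask parameters in y are real-valued rather than class labels, and it reports error as mean squared error so that a before/after comparison is meaningful. Replacing `sgd_step` with a second-order optimiser would not change `gradients` or `gradient_check`, which is why the gradient code is kept separate from the update rule.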