1

ISI trademark Diamonds Certified Professionals Brands China made, Nokia, HTC Software?
Operating Systems Websites Application Software etc.
2

WEBSITE: www.thefrenchybee.com STATUS : McAfee Secure CERTIFICATION 13-JUL-2009 This site is tested and certified daily to pass the McAfee Secure Security Scan. To help address concerns about possible hacker access to your confidential data, and the safety of visiting this site, the "live" McAfee Secure mark appears only when this site passes the daily McAfee Secure tests.

 Security Reliability Privacy Protection

Against

Application level attacks Vulnerabilities Security Bugs

 Software

should not break down as enormous investment on part of developer and users are at stake, so proper tests should b performed to check the reliability of software The software reliability improves during testing as bugs are found and removed. Once the software is released, its reliability is xed, as long as the operating environment remains the same, and no modifying patches are applied.

vulnerability is defined as a defect which enables an attacker to bypass security measures. The databases for the vulnerabilities are maintained by organizations such as National Vulnerabilities Database [2], MITRE Corporation [3], Security Focus [4] and individual software developers.
6

 Input

Validation Error (IVE) (Boundary condition error (BCE), Buffer overflow (BOF)) Access Validation Error (AVE): Exceptional Condition Error Handling (ECHE) Environmental Error (EE) Configuration Error (CE) . Race Condition Error (RC) Design Error (DE)
7

 Network

Security Testing

Activities that provide information

about the integrity of an organization's networks and associated systems through testing and verification of network-related security controls on a regular basis.

 Complex systems Large volumes of code Complex internal interactions Interoperability with external

components Unknown dependencies Vendor cost Schedule pressures

 Uncover

design, implementation and operational flaws that could allow the violation of security policy Determine the adequacy of security mechanisms, assurances and other properties to enforce the security policy Assess the degree of consistency between the system documentation and its implementation.

10

11

 Network security testing conducted

during the operational stage of a systems life

12

 Network scanning (NMAP) Vulnerability scanning (NESSUS, Retina) Password cracking (john the ripper, LC5) Log review Integrity checkers (Tripwire, LANGuard) Virus detection War dialing Penetration testing

13

Check for unauthorized hosts connected to the organizations network, Identify vulnerable services, Identify deviations from the allowed services defined in the organizations security policy, Prepare for penetration testing, Assist in the configuration of the intrusion detection system (IDS), and Collect forensics evidence. Investigate and disconnect unauthorized hosts, Disable or remove unnecessary and vulnerable services, Modify vulnerable hosts to restrict access to vulnerable services to a limited number of required hosts (e.g., host level firewall or TCP wrappers), and Modify enterprise firewalls to restrict outside access to known vulnerable services.

14

Identifying active hosts on network Identifying active and vulnerable services (ports) on hosts. Identifying applications and banner grabbing. Identifying operating systems. Identifying vulnerabilities associated with discovered operating systems and applications. Identifying wrongly configured settings. Testing compliance with host application usage/security policies. Establishing a foundation for penetration testing. Upgrade or patch vulnerable systems to mitigate identified vulnerabilities as appropriate. Deploy mitigating measures (technical or procedural) if the system cannot be immediately patched (e.g., operating system upgrade will make the application running on top of the operating system inoperable), in order to minimize the probability of this system being compromised. Improve configuration management program and procedures to ensure that systems are upgraded routinely. Assign a staff member to monitor vulnerability alerts and mailing lists, examine their applicability to the organization's environment and initiate appropriate system changes. Modify the organization's security policies, architecture, or other documentation to ensure that security practices include timely system updates and upgrades.

15

 Penetration

testing is security testing in which evaluators attempt to circumvent the security features of a system based on their understanding of the system design and implementation. The purpose of penetration testing is to identify methods of gaining access to a system by using common tools and techniques used by attackers. Two types of penetration testing are commonly referred to as Blue Teaming and Red Teaming.
16

Additional Discovery

Planning

Discovery

Attack

Reporting

17

Domain Name System (DNS) interrogation Search of the target organizations web server(s) for information Search of the organizations Lightweight Directory Access Protocol server(s) (LDAP) for information Packet capture (generally only during internal tests) NetBIOS enumeration (generally only during internal tests) Network Information System ([NIS] generally only during internal tests) Banner grabbing

18

Discovery Phase

Gaining Access

Escalating Privilege

System Browsing

Install Additional test software

19

 Buffer Overflows Symbolic Links File Descriptor attacks Race Conditions File and Directory Permissions Trojans Social Engineering

20

Analyze

Design

Code

Unit testing No Yes Integration and acceptance tests Integration and acceptance

Security Tests
21

Analyze

Design

Code Unit testing Security Tests Integration and acceptance

No Yes

Integration and acceptance tests Security Tests

Security Tests
22

 US

National Security Agency India

National Computer Security

Center(NCSC)

DIT,

Standardization Testing and Quality

Certification (STQC)

National

Institute of Standards and Technology (NIST)

23

 Security

mechanisms to store and manage sensitive information Accounting software Ability to handle sensitive information of different lives

24

Gemini Trusted Network Processor, Honeywell SCOMP Getronics Wang Federal XTS-300 Honeywell MULTICS ,Trusted Xenix HP UX BLS, Cray Research trusted Unicos 8.0 Windows NT, IBM AS/400, Novell Netware Earlier versions of UNIX

25

C1
All users will be at same security level as in the

C2

normal UNIX installations. Provide only minimal security features.

B1

Controlled Access Protection Compulsory identification and Authorization Audit

Labeled security protection Compulsory security labeling of objects Auditing of all labeled objects Enhanced protection of OS

26

B2

B3

Structured Protection System Hierarchical Device Labels Improved Security Testing Updates, patch analysis

A1

Security Domains Based on Formal TCB models Minimum implementation flaws Verified Designs Theoretical Principles formal methods Proof of integrity

27

Numerical grade from EAL 1- 7 For an IT product or system (since 1999) www.niap-ccevs.org National Information Assurance Partnership (NIAP) NIAP Common Criteria Evaluation and Validation Scheme for IT Security Common Criteria security evaluation Increasing assurance level reflect higher confidence that systems principal security features are reliably implemented Does system meet the requirements as in Protection Profile

28

document used as part of the certification process according to the Common Criteria Implementation dependent specification of information assurance security requirements PP is a combination of
Threats Security Objectives Security functional requirement
29

 Anti Virus Biometrics DBMS Firewall IDS/IPS Multi function device Operating system PKI Wireless LAN Web Server
30

EAL1 EAL2 EAL3 EAL4 EAL5 EAL6 EAL7

Functionally Tested. Structurally Tested Methodically Tested and Checked Methodically Designed, Tested and Reviewed Semi formally Designed and Tested Semi formally Verified Design and Tested Formally Verified Design and Tested
31

 Microsoft RHEL RHEL

EAL4 EAL4 EAL3

Products [Windows 2000, XP, server 2003, Vista, Server 2008], AIX, HP-UX, FreeBSD Advanced Server version 4, version 5, SuSE Linux enterprise Server 10 SP1 Advanced Server version 4 on UniSys ES7000 OS X and Apple MAC OS X Server

Apple MAC EAL3

32

 Network security should be a routine Integral part of system, network

operations and administration Test the most important systems first Security policy should reflect the organizations needs System are up-to-date with patches
33

 www.cesg.gov.uk www.niap-ccevs.org www.csrc.nist.gov http://www.iwar.org.uk/comsec/resource http://csrc.nist.gov/publications/history/d

34