• No results found

Suggestions for updates to the IT Risk Frameworks

7 Analysis and recommendations

7.1 Positioning of penetration testing in IT Risk Frameworks

7.2.1 Suggestions for updates to the IT Risk Frameworks

We noted that IT risk frameworks put little to no focus on penetration testing. Since these frameworks are actively used, we propose to update these frameworks with specific sections regarding penetration testing, in order to increase the focus on these activities.

In order to improve the various frameworks with more information regarding penetration testing, we will base our suggestions on the generic methodology as identified in paragraph 4.4, including the steps Scanning, Mapping and Exploiting.

In this chapter, we will provide suggestions for updates to the IT risk frameworks. In particular, subquestion four will be answered:

 How can the risks which are solely identified by performing a penetration test be covered and incorporated in the IT risk management frameworks?

By adding the proposed new sections to the IT risk frameworks, the frameworks will put more emphasis on penetration testing , its use and methods. This will greatly increase the chances of uncovering the IT-related risks which are typically identified by penetration testing. As a result, the overall security of IT-systems and organisations can be increased.

7.2.2 NIST 800-30 – Guide for conducting risk assessments – Information security (2011)

Based on the investigations performed in chapter Error! Reference source not found.5. we concluded that the NIST framework provides guidance on when to perform penetration testing in the risk management cycle. However, it does not provide any guidance on how to perform penetration testing itself.

Mapping

Chapter: 3.1 - Preparing for the Risk Assessment, Task 1-2 Identify the scope of the Risk Assessment (page 20)

In this chapter the scope of the risk assessment is determined. This scope is prone to risk analysis and also most likely to penetration testing. Therefore the outcome of this particular section can be used as input for the Mapping phase within the penetration testing approach.

Using this information the next penetration testing steps can be executed, which are displayed below.

As such, we do not deem it necessary to add additional text for this phase.

Scanning

Chapter: 3.2 – Conducting the risk assessment, Task 2-3 Identify vulnerabilities and predisposing conditions that affect the likelihood that threat events of concern result in adverse impacts to the organisation (page 27)

After the second paragraph (..the space of potential risks to be assessed.), on page 27 we propose the following text to be added:

An important part of the identification of Vulnerabilities is to perform a penetration test.

In order to start the penetration test the scope identified in section 3.1 (task 1-2) can be used. The second step of the testing is to start the scanning. Scanning concerns the identification of services and known weaknesses on systems and applications that are likely to be vulnerable for exploiting. Depending on the engagement, scanning is to be performed automatically or manually.

Exploiting

Chapter: 3.2 – Conducting the risk assessment, Task 2-4 Determine the likelihood that threat events of concern result in adverse impacts to the organisation, considering: (1) the characteristics of the threat sources that could initiate the events; (ii) the vulnerabilities and predisposing conditions identified; and (iii) organisational susceptibility reflecting safeguards/countermeasures planned or implemented to impede such events (page 28)

After the fourth paragraph (... similar rationale for the assessment.) , on page 28 we propose the following section to be added:

The identified vulnerabilities can be assessed by penetration testing in the next step:

exploiting. Exploiting is focused on exploiting identified vulnerabilities, or determining how difficult it would be to do so given unlimited time, based on a certain level of skills and experience. Exploiting is a form of testing whereby the techniques of a hacker are used. They serve to test the level of effectiveness of the implemented security measures, and real attempts are made to break in to the environment.

7.2.3 ISO/IEC TR 15443:2012 – Framework for IT security assurance

Based on the investigations performed in chapter 5 we conclude that the ISO – TR15443 framework does not provide guidance on when in the risk management cycle to perform penetration testing.

In section ‘7.2 Selecting Security Assurance Techniques’ the techniques are determined how to obtain correctness assurance. Please note that penetration testing can only be used to provide negative assurance. A penetration test which does not result in negative findings cannot be used to provide positive assurance. However, since negative assurance can be beneficial for the overall security of an organisation, the technique of performing a penetration test can be added specifically in this section.

We propose to add the following text to section ‘7.2 Selecting Security Assurance Techniques’

right above section 7.2.1 on page 25 in ISO15443:2012-1:

Penetration Testing

Please note that penetration testing can only be used to provide negative assurance. A penetration test which does not result in negative findings cannot be used to provide positive assurance. However, since negative assurance can be beneficial for the overall security of an organisation, the technique of performing a penetration test is mentioned within this section.

The penetration test generally consists of three steps, Mapping, Scanning and Exploiting.

The step Mapping is the identification of systems and applications of the IT environment in scope of the penetration testing engagement. The identified services and applications are discussed with the client to determine if the scope is correct and if additional scanning and testing should be performed.

Thereafter the step Scanning can occur. Scanning concerns the identification of services and known weaknesses on systems and applications that are likely to be vulnerable for exploiting. Depending on the engagement, scanning is performed automatically and manually.

Finally the Exploiting step is started. The identified vulnerabilities can be assessed by penetration testing in the next step, exploiting. Exploiting is focused on exploiting identified vulnerabilities, or determining how difficult it would be to do so given unlimited time, based on a certain level of skills and experience. Exploiting is a form of testing whereby the techniques of a hacker are used. They serve to test the level of effectiveness of the implemented security measures, and real attempts are made to break in to the environment. As part of testing, clean-up of changes (if any) is supported.

In addition, we recommend to include the following text in section ’10.8.2 – Operational considerations – Criteria’ on page 18 in ISO15443:2012-2:

Penetration testing is a means that can be used to test controls for effectiveness for IT systems and networks. In section 7.2 a description what steps are required to perform a penetration test is available.

7.2.4 ISACA – Risk IT

Based on the investigations performed in chapter 5 we conclude that the ISACA – Risk IT framework does not provide guidance on when in the Risk Management cycle to perform penetration testing.

In section ‘RE2.1 - Define the IT Risk analysis scope’ the scope is determined for which a penetration test can be performed. Therefore the outcome of this particular section can be used as input for the Mapping phase within the penetration testing approach. Using this information the next penetration testing steps can be executed, which are provided below.

We propose to add the following text in chapter ‘RE2.2 – Estimate IT risk’ right above the table:

Penetration Testing

In section ‘RE2.2 - Estimate IT Risk’ the risks can be determined for the IT systems defined in the scope of RE2.1. In order to aid in determining these risks it is beneficial to perform a penetration test.

The penetration test generally consists of three steps, Mapping, Scanning and Exploiting.

The step Mapping is, as mentioned earlier, already performed in section RE2.1.

Thereafter the step Scanning can occur. Scanning concerns the identification of services and known weaknesses on systems and applications which are vulnerable for exploiting.

Depending on the engagement, scanning is performed automatically or manually.

Finally the Exploiting step is started which concerns the assessment of the identified vulnerabilities. Exploiting is focused on exploiting identified vulnerabilities, or determining how difficult it would be to do so given unlimited time, based on a certain level of skills and experience. Exploiting is a form of testing whereby the techniques of a hacker are used. They serve to test the level of effectiveness of the implemented security measures, and real attempts are made to break in to the environment.

Another section where penetration testing could be useful is in section ‘RR2 Manage IT Risk, RR2.2 Monitor Operational alignment with Risk Tolerance thresholds’ on page 86. In this section it is described that the selected controls are to be tested for effectiveness. Penetration testing can be used to aid in this testing.

We suggest to add the following text in chapter ‘RR2.2 – Monitor operational alignment with risk tolerance thresholds’ right above the table:

Penetration testing is a means that can be used to test controls for effectiveness for IT systems and networks. In Section RE2.2 a description what steps are required to perform a penetration test is available.

Related documents