Security Testing and Vulnerability Management Process. e-governance

Academic year: 2021


Security Testing and Vulnerability Management Process for e-Governance

Draft

DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY, Ministry of Communication and Information Technology, Government of India.


Document Control

S/L Type of Information Document Data

1. Document Title

2. Document Code

3. Date of Release

4. Next Review Date

5. Document Revision Number

6. Document Owner

7. Document Author(s)

8. Document Reference

Document Approval

Sr. No. Document Approver Approver Designation Approver E-mail ID

Document Change History Version

Table of Contents

1. INTRODUCTION
2. SCOPE
3. PURPOSE
4. PENETRATION TESTING
5. PENETRATION TESTING PROCESS
6. VULNERABILITY MANAGEMENT PROCESS
6.1 FREQUENCY
6.2 METHODOLOGY
Phase 1: Scoping and Communication
Phase 2: Vulnerability Scanning
Phase 3: Extraction of Reports
Phase 4: Removal of False Positives
Phase 5: Final Report Generation
Phase 6: Tracking Closure of Vulnerabilities
Roles and Responsibilities Matrix for Vulnerability Assessment


1. INTRODUCTION

Security testing and vulnerability management encompass the measures taken to review the output of security testing of an application from the perspective of application security. The review of the penetration testing output is done in alignment with the updates and recommendations of OWASP (Open Web Application Security Project) and WASC (Web Application Security Consortium). The review is also done in compliance with the e-Gov Security Policy.

A vulnerability is a flaw or weakness in the design or implementation of hardware, software, networks or computer-based systems, including the security procedures and controls associated with those systems.

A vulnerability assessment exercise identifies and categorizes all discovered vulnerabilities but does not permit exploitation, whereas penetration testing allows the assessors to exploit the vulnerabilities they find.

2. SCOPE

This process is applicable to all applications hosted in data centres at all locations where e-Gov service delivery information is processed and/or stored by the application.

3. PURPOSE

The objective of creating the vulnerability assessment process is to establish a formal methodology document for conducting vulnerability assessment of critical systems, thereby proactively discovering to what extent the security of information systems is threatened by attacks and whether the security measures in place are currently capable of ensuring information security. This process addresses vulnerabilities before they can be exploited to compromise company resources. The process ends by providing recommendations for closure of the identified vulnerabilities and for minimizing loss of confidentiality, integrity and availability of data.

4. PENETRATION TESTING

Penetration testing primarily targets the application security mechanisms (e.g., cryptography, data validation, and authentication) implemented in the identified application.

The attacks attempted during testing include the OWASP Top 10 vulnerabilities:

o Un-validated Input
o Broken Access Control
o Broken Authentication and Session Management
o Cross Site Scripting (XSS) Flaws
o Buffer Overflows
o Injection Flaws
o Improper Error Handling
o Insecure Storage
o Denial of Service
o Insecure Configuration Management

Identified vulnerabilities are reported and prioritized on the basis of impact and likelihood.

A timeline is defined by the application Owner for closure of each of the vulnerabilities identified.

Where remediation is infeasible, the risk should be minimized and the residual risk documented over email with a sign-off.


Example: the 'IBM Rational AppScan' tool is used for automated penetration testing. Vulnerabilities so found are reviewed manually before the report is published and shared with the Application Owner.

Thick client application penetration testing is carried out manually.

5. PENETRATION TESTING PROCESS

Penetration testing is to be carried out by any STQC empanelled auditor. In this document the auditor is referred to as the PT (Penetration Testing) team.

[Flowchart: Penetration testing swimlane diagram with lanes for Application Owner, CISO and PT team. Steps: Start; PT team asks for details of pre-prod and test environments; perform port scanning of application; manually validate test findings; generate and share PT report with App owner; Application Owner fixes the vulnerabilities and shares the evidences with PT team; PT team validates the evidences to confirm fix of vulnerabilities; CISO reviews PT report and seeks clarification from PT team if required; Stop.]

a. The PT team asks for the details required to initiate the penetration testing. The details include:

o Application URL in the pre-prod/test environment
o Minimum two user credentials (one with administrative-level access, one normal user)
o Any sensitive URLs that are out of scope

b. The Application Owner ensures that the application is stable enough and all functionalities are working.

c. The PT team requires at least 3-4 days to complete the penetration testing.

d. A port scan is carried out on the pre-production environment. The findings reported by the tool are documented in the final Penetration Testing report, which is shared with the Application Owner. Automated penetration testing is carried out on the application. On completion of the automated testing, manual validation of the vulnerabilities is carried out.

e. A report is created for the vulnerabilities found and shared with the Application Owner. The vulnerabilities are classified and rated High, Medium or Low according to their severity. Severity is categorized based on impact, likelihood and the results of the tool output. Refer to the Annexure for the PT Report template.

f. Security gaps are worked on by the concerned team and the necessary changes are incorporated to secure the application/environment.

g. The Application team shares evidence supporting closure.

h. The PT team then reviews the response and closes the observations based on the evidence shared by the Application team. If any discrepancy is observed, the PT team gets back to the Application team to seek clarification.

i. Final closures are to be approved by the CISO.

6. VULNERABILITY MANAGEMENT PROCESS

6.1 FREQUENCY

The vulnerability assessment cycle is carried out annually. The full cycle covers the end-to-end process, starting from scoping of devices to the closure tracker for the scanned devices.

6.2 METHODOLOGY

Phase 1: Scoping and Communication

The scoping and communication phase of vulnerability management comprises the following:

 Approved list of selected devices for which vulnerability assessment is to be carried out;
 Approved vulnerability assessment end-to-end plan;
 Suitable dates for carrying out vulnerability assessment;
 Time slots for vulnerability assessment; and
 Communication of final dates and time slots to all stakeholders.

Phase 2: Vulnerability Scanning

In this phase an attempt is made to determine the existence of known vulnerabilities and to discover whether any weak configuration settings are in use on the internal systems/devices. This is accomplished using a tool-based vulnerability scanning method.


Phase 3: Extraction of Reports

In this phase, the team conducting the vulnerability assessment collects the output of the vulnerability assessment from all relevant remote VA servers and extracts the individual vulnerability data items. The information provided by the vulnerability assessment about a target host includes, but is not limited to, the following:

 OS version, open ports, active services, protocols, etc.
 Vulnerabilities and their risk ratings
 Remediation steps

Phase 4: Removal of False Positives

The objective of this phase shall be to weed out any false positives appearing in the output of the VA tools. These false positives may involve:

 Wrong reporting of the existence of a vulnerability that may not be applicable to the target environment/host
 Highlighting a configuration setting that is required for business purposes and whose risk is acceptable or is mitigated by other measures
 Reporting a service/open port which is actually not running/open

The execution of this phase may require administrative privileges on the system/device under VA scope.

Phase 5: Final Report Generation

In this phase, the output of the VA tools is used to formulate a management report for presentation to the key management representatives. This report presents an overall summary of the VA findings and also contains the detailed vulnerability observations. Refer to the Annexure for the VA report template.

Phase 6: Tracking Closure of Vulnerabilities

Tracking the closure of identified vulnerabilities plays a very important role in the vulnerability management process. Once the report containing the final set of vulnerabilities is generated and handed over to the CISO, closure tracking needs to be done so that every critical vulnerability is patched, remediation steps are followed and operating systems are hardened.
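The following is an added example and not part of the DeitY process document: a small, self-contained Python model of Phases 3 to 6 above (extraction of data items from tool output, removal of false positives for the three reasons the process names, a management summary, and a closure tracker), using the High/Medium/Low rating on impact and likelihood from step (e) of the penetration testing process. Every host, finding and exception in it is constructed sample data; the 3x3 impact/likelihood matrix, the per-severity closure deadlines and the finding-id format are assumptions, not values taken from the document.

```python
"""Added example, not part of the DeitY process document: a model of Phases 3-6
(report extraction, false-positive removal, management summary, closure
tracking) with the High/Medium/Low rating from step (e) of the PT process.
All hosts, findings and exceptions are constructed sample data; the 3x3
rating matrix, closure deadlines and id format are assumptions."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Phase 3: individual data items as extracted from the VA tool output (constructed).
# impact and likelihood are on a 1..3 scale, as assigned by the assessor.
RAW_FINDINGS = [
    {"host": "10.0.0.11", "os": "Ubuntu 18.04", "port": 22, "service": "ssh",
     "title": "Outdated OpenSSH version", "impact": 3, "likelihood": 2},
    {"host": "10.0.0.11", "os": "Ubuntu 18.04", "port": 445, "service": "smb",
     "title": "SMBv1 enabled", "impact": 3, "likelihood": 3},
    {"host": "10.0.0.11", "os": "Ubuntu 18.04", "port": None, "service": None,
     "title": "Windows registry hardening missing", "impact": 2, "likelihood": 2},
    {"host": "10.0.0.12", "os": "Windows Server 2016", "port": 3389, "service": "rdp",
     "title": "RDP exposed on internal segment", "impact": 2, "likelihood": 2},
    {"host": "10.0.0.12", "os": "Windows Server 2016", "port": 80, "service": "http",
     "title": "Directory listing enabled", "impact": 1, "likelihood": 2},
]

# Phase 4: one exception per false-positive reason the process recognises.
# Each records the role that made the call, so the suppression is auditable.
VALID_REASONS = {"not_applicable", "accepted_risk", "not_running"}
EXCEPTIONS = [
    {"host": "10.0.0.11", "title": "Windows registry hardening missing",
     "reason": "not_applicable", "approver": "Team member - VA"},        # Linux host
    {"host": "10.0.0.12", "title": "RDP exposed on internal segment",
     "reason": "accepted_risk", "approver": "Infra and Operations Team"},
    {"host": "10.0.0.11", "title": "SMBv1 enabled",
     "reason": "not_running", "approver": "Infra and Operations Team"},  # port verified closed
]

def rate_severity(impact: int, likelihood: int) -> str:
    """Assumed 3x3 matrix: impact x likelihood, 6 or more High, 3-5 Medium, else Low."""
    score = impact * likelihood
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"

def remove_false_positives(findings, exceptions):
    """Phase 4: split findings into (confirmed, excluded). An exception is honoured
    only when its reason is one of the three recognised ones, so a malformed
    exception entry cannot silently suppress a real finding."""
    index = {(e["host"], e["title"]): e for e in exceptions if e["reason"] in VALID_REASONS}
    confirmed, excluded = [], []
    for f in findings:
        exc = index.get((f["host"], f["title"]))
        if exc is None:
            confirmed.append(f)
        else:
            excluded.append({**f, "reason": exc["reason"], "approver": exc["approver"]})
    return confirmed, excluded

def management_summary(confirmed):
    """Phase 5: severity counts overall and per host for the management report."""
    overall, per_host = Counter(), {}
    for f in confirmed:
        sev = rate_severity(f["impact"], f["likelihood"])
        overall[sev] += 1
        per_host.setdefault(f["host"], Counter())[sev] += 1
    return {"overall": dict(overall), "per_host": {h: dict(c) for h, c in per_host.items()}}

# Phase 6: closure tracker. Deadlines per severity are assumed, not from the document.
DUE_DAYS = {"High": 7, "Medium": 30, "Low": 90}

@dataclass
class ClosureItem:
    finding_id: str
    host: str
    title: str
    severity: str
    due: date
    status: str = "open"       # open -> evidence_submitted -> closed
    evidence: str = ""

def build_tracker(confirmed, report_date_iso: str):
    """One tracker row per confirmed finding; the due date follows from severity."""
    report_date = date.fromisoformat(report_date_iso)
    items = []
    for n, f in enumerate(confirmed, start=1):
        sev = rate_severity(f["impact"], f["likelihood"])
        items.append(ClosureItem(f"VA-{report_date:%Y}-{n:03d}", f["host"], f["title"],
                                 sev, report_date + timedelta(days=DUE_DAYS[sev])))
    return items

def close_item(item: ClosureItem, evidence: str, verified_by_va_team: bool) -> bool:
    """Phase 6 rule: closure needs submitted evidence AND verification by the VA/PT team."""
    if evidence and verified_by_va_team:
        item.status, item.evidence = "closed", evidence
        return True
    item.status = "evidence_submitted" if evidence else "open"
    return False

def overdue(items, today_iso: str):
    """Ids of items not yet closed past their due date, for the weekly closure status."""
    today = date.fromisoformat(today_iso)
    return [i.finding_id for i in items if i.status != "closed" and today > i.due]
```

Two design points worth noting: an exception whose reason is not one of the three the process recognises is ignored rather than applied, so the false-positive step cannot be used to quietly drop findings; and a tracker item only reaches "closed" when both evidence and the assessing team's verification are present, mirroring steps (g) and (h) of the PT process.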

Roles and Responsibilities Matrix for Vulnerability Assessment

The roles and responsibilities matrix for accomplishing the tasks for conducting vulnerability management is given hereunder:

Role: Team Lead - Data Center Operations

Team lead - VA has the overall responsibility for ensuring that VA objectives are met. Responsibilities include:

 Maintaining VA measurements for reporting
 Ensuring proper implementation of the Vulnerability Management Process
 Analysing trends and compliance thresholds
 Establishing thresholds and exception (alert) reporting procedures
 Implementing approved VA process changes according to requirements
 Managing the VA Team resources
 Creating the VA Cycle Audit Plan
 Ensuring availability of all resources (people and technical) before every VA cycle

Role: Team Member - VA

Team member - VA has responsibility for providing support to the Team lead for VA activities. Specific responsibilities include:

 Providing technical support and advice to address VA gap closure issues
 Performing the VA audit on selected devices as per the plan
 Creating the management report on the basis of the VA report and taking sign-off on the same from the relevant business representatives
 Advising the VA Team Lead of any required system configuration changes or modifications to meet VA objectives

Role: Infra and Operations Team

 Provide sign-off on the Audit Plan
 Implement recommendations in the VA report as per the set schedule
 Identify false positives from the tool report
 Raise change management requests for implementing patches / vulnerability closure recommendations
 Submit closure status to Composite Team - Security on a weekly basis

Role: Composite Team - Security

 Provide the approved breakup plan for annual phases of vulnerability audits
 Track the closure of vulnerabilities found as per the required frequency
 Provide feedback for improvement of the VA process

Role: CISO

 Provide sign-off on the Management Report
 Provide management support to achieve the set objectives for the success of the VM process

7. ANNEXURE

PT report.xlsx VA report.xlsx PT Indemnity Agreement.doc
