IT Risk Management Based On ISO 31000 And OWASP

Transcription

IT Risk Management Based on ISO 31000 and OWASP Framework using OSINT (Case Study: Election Commission of X City)


Open Source Talk
This medium talk is based on how open source projects connect with IT security. The open source projects taking part in this paper are OWASP and OSINT, and the talk shows how combining open source projects can create better security performance within the IT risk management concept of the related organization / case study. Enjoy :)

Behind the Scene
- high mobility & information disclosure
- illegal action of information manipulation
- website security & protection importance
- testing standardization and availability
- risks concern
- risk handling
- recommended actions

Research Objective & Limitation
- Identify the security level and system vulnerabilities of the official website of the Election Commission of X City.
- Identify the testing results and analysis of the official website of the Election Commission of X City using the OWASP Framework.
- Give recommended actions to improve the security and protection of the official website of the Election Commission of X City.

The research focuses only on the security testing of the official website of the Election Commission of X City through the penetration testing method, using the OWASP Testing Guide version 4 and tools based on the Open Source Intelligence concept, with risk management guidelines based on the ISO 31000 Framework. The research results go only as far as the evaluation report and the recommended actions that were offered, so the decision to upgrade or change the website system depends on the related organization.

The Primary Parts: OSINT // OWASP // ISO 31000
OSINT (Open Source Intelligence) is part of an intelligence discipline based on the analysis of public data sources for information acquisition and specific intelligence needs. // OWASP is a non-profit organization focused on improving software security. // ISO 31000 is one of the guidelines issued by ISO (International Organization for Standardization) for the treatment of risk management activities.

Research Methodology
The research workflow is illustrated by 3 main flowcharts, which show the research's primary points: Complete Workflow, Penetration Testing, and Risk Management.

Main Flowchart
- Preliminary Observation & Literature Study
- Penetration Testing
- Risk Management
- Recommended Actions & Testing Reports

Penetration Testing Flowchart
- OWASP Testing Guide Version 4
- OSINT based testing
- 11 modules, 90 total submodules

Risk Management Flowchart
- ISO 31000
- Risk assessment
- Risk identification, analysis, evaluation

Penetration Testing Results (OWASP Testing Guide Version 4)
Result categories: SUCCESS, FAIL, POSTPONED

OWASP Testing Guide V4 Testing Modules
- Testing for Information Gathering
- Configuration and Deployment Management Testing
- Identity Management Testing
- Authentication Testing
- Authorization Testing
- Session Management Testing
- Input Validation Testing
- Testing for Error Handling
- Testing for Weak Cryptography
- Business Logic Testing
- Client Side Testing

Penetration Testing Results (OWASP Testing Guide Version 4)

| Module | Submodules | Test Results |
|---|---|---|
| Testing for Information Gathering | 10 | 4 Success, 6 Failed |
| Configuration and Deployment Management Testing | 9 | 5 Success, 2 Failed, 2 Postponed |
| Identity Management Testing | 5 | 5 Postponed |
| Authentication Testing | 10 | 2 Failed, 8 Postponed |
| Authorization Testing | 4 | 3 Failed, 1 Postponed |
| Session Management Testing | 8 | 3 Success, 5 Postponed |
| Input Validation Testing | 17 | 3 Success, 9 Failed, 5 Postponed |
| Testing for Error Handling | 2 | 1 Success, 1 Failed |
| Testing for Weak Cryptography | 4 | 3 Success, 1 Postponed |
| Business Logic Testing | 9 | 2 Success, 6 Failed, 1 Postponed |
| Client Side Testing | 12 | 4 Success, 3 Failed, 5 Postponed |

Details: 11 main modules with 90 total submodules tested; 25 submodules succeeded, 32 failed, and 33 were postponed.

Risk Management Results (ISO 31000)
Risk Assessment: Identification, Analysis, Evaluation

Risk Identification

| Risk Code | Risk Identification |
|---|---|
| R1 | Reviewing website developer comments and metadata |
| R2 | Finding website system and workflow mapping |
| R3 | Reviewing the website development framework |
| R4 | Reviewing the website version |
| R5 | Finding the website's main architecture and overall connected system mapping |
| R6 | Finding security verification of file extension types |
| R7 | Reviewing irrelevant files on the website |
| R8 | Testing the web server authentication mechanism |
| R9 | Testing the bypass action of the website authentication mechanism |
| R10 | Testing the validation of parameters used in the website directory |
| R11 | Testing the bypass action of the website authorization mechanism |

The risk identification process generates a list of risks that may occur on every IT resource the case study organization has. In this risk identification context, the scope of the process covers the vulnerabilities obtained from the penetration testing results using all 11 modules of the OWASP Testing Guide Version 4 framework, with the assistance of OSINT-based tools.

Risk Analysis

Likelihood and Impact Table

| Rating | Likelihood | Impact |
|---|---|---|
| 2 | Unlikely | Minor |
| 3 | Possible | Moderate |
| 4 | Likely | Major |
| 5 | Almost Certain | Catastrophic |

The risk analysis process analyzes the risk calculations based on the output of the risk identification process. It continues by determining the level of likelihood and the level of impact of each listed risk. The likelihood and impact levels are the main source for assessing the level of each risk. The impact and likelihood level of each risk is assessed based on the internal and external conditions of the organization's system and on related sources concerning the likelihood and impact of each existing risk.

Matrix Table of Risk Level Assessment (figure): a 5 x 5 matrix with Impact (1 to 5) on the vertical axis and Probability (1 to 5) on the horizontal axis; each cell lists the risk codes (R1 to R32) that fall at that combination of impact and probability. Legend: Green = Low, Yellow = Medium, Red = High.

Risk Evaluation

| Risk Code | Risk Identification |
|---|---|
| R1 | Counting the web applications running on the target web server and knowing the open ports of the target website. |
| R2 | Discovering developer comments on the target website and finding leaked information and metadata to gain better system knowledge. |
| R3 | Creating the system mapping of the target website and understanding its main workflow. |
| R4 | Discovering the framework used by the target website, which gives a better understanding and a proper choice of security testing methodology. |
| R5 | Discovering the versions of the building components of the target website to determine weaknesses and exploitation methods that are applicable when system penetration occurs. |
| R6 | Discovering and understanding the overall system architecture and workflow of the target website. |
| R7 | Discovering vulnerabilities and security holes in the way the target website validates the types of file extensions that can enter the system. |
| R8 | Finding files that are outdated, invalid, and no longer relevant to the current condition of the target website, to look for information leaks in the context of deeper exploitation of the system. |
| R9 | Discovering vulnerabilities and security holes in the authentication mechanism used by the application that configures and manages computing resources on the target web server. |
| R10 | Discovering vulnerabilities and security holes in the website authentication mechanism when it receives bypass actions from users. |
| R11 | Discovering vulnerabilities and security holes in the validation of parameters used by the website. |
| R12 | Discovering vulnerabilities and security holes on the user authorization page displayed by the website. |

The risk evaluation process starts by calculating the values of the impact and likelihood matrix table to determine the level of each risk. Based on the ISO 31000 standard, the risks that must be prioritized by examiners are those at the medium and high levels. The matrix table that contains the mapping and assessment of the impact and likelihood values shows that 21 out of 32 risks are at the medium and high levels.

The Explanation Continues
The matrix table that maps and assesses the impact and probability ratings shows that 21 of the 32 risks are at the medium and high levels; those risks have a significant effect and can cause major loss to the organization's system if not handled properly. After the risk evaluation process is completed, the detailed result is 11 risks at a low level, 15 risks at a medium level, and 6 risks at a high level. The final step is to create and plan the recommended actions that can later be applied when the risks that have been identified, analyzed, and evaluated occur in the related organization. These actions are needed to overcome the outcome and consequences that the organization will face if a risk occurs, and to handle the aftermath of that condition properly.
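To make the analysis and evaluation steps concrete, here is an added Python example (not part of the original slides or the study) that rates a small risk register on a 5 x 5 likelihood/impact matrix and pulls out the medium and high risks for prioritisation. The Low/Medium/High band boundaries and the ratings given to R1 to R5 are assumptions made for this example; the deck shows only the cell colours, not the boundaries or the study's real ratings.

```python
"""ISO 31000-style risk assessment: likelihood x impact -> Low/Medium/High.
Assumption (not from the slides): bands cut on likelihood * impact at 6 and 15;
the deck shows only cell colours, not the band boundaries."""
from dataclasses import dataclass

def risk_level(likelihood: int, impact: int) -> str:
    """Map 1..5 likelihood and 1..5 impact ratings to a risk level."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} rating must be 1..5, got {value}")
    score = likelihood * impact  # cell position in the 5x5 matrix
    if score >= 15:              # assumed High band
        return "High"
    if score >= 6:               # assumed Medium band
        return "Medium"
    return "Low"

@dataclass(frozen=True)
class Risk:
    code: str
    description: str
    likelihood: int
    impact: int

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)

def evaluate(register: list[Risk]) -> tuple[dict[str, int], list[str]]:
    """Count risks per level and list Medium/High codes, highest score first:
    the prioritisation rule the slides take from ISO 31000."""
    counts = {"Low": 0, "Medium": 0, "High": 0}
    ranked = sorted(register, key=lambda r: r.likelihood * r.impact, reverse=True)
    prioritised = []
    for risk in ranked:
        counts[risk.level] += 1
        if risk.level != "Low":
            prioritised.append(risk.code)
    return counts, prioritised

# Descriptions R1..R5 follow the deck's evaluation table; the ratings are
# constructed for this example, not the study's real values.
REGISTER = [
    Risk("R1", "Web applications on the server and open ports", 4, 3),
    Risk("R2", "Developer comments and leaked metadata", 3, 2),
    Risk("R3", "System mapping and main workflow", 2, 2),
    Risk("R4", "Framework used by the website", 3, 3),
    Risk("R5", "Versions of the website's building components", 4, 4),
]
```

Calling `evaluate(REGISTER)` returns the per-level counts and the prioritised codes, which is the same tally the deck reports for its 32 risks (11 low, 15 medium, 6 high) when run over the full register.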

IT Risk Management: Recommended Actions
The last stage of this research is producing recommended actions and treatments to handle the outcome and consequences of the risks to the organization. All of the recommended actions for overcoming the risks are expected to help maintain and enhance the capabilities of the organization's IT systems, services, and information management for its customers, and to keep the organization stable in achieving its goals. The treatment of each risk that has already been identified, analyzed, and evaluated is explained in the next table.

| Risk Code | Risk Treatment |
|---|---|
| R1 | Implement an Intrusion Detection System (IDS) and a honeypot system whose function is to detect unauthorized login activity and prevent further attacks. Enabling the port scanner detection function on a router is also a good recommendation to avoid advanced system penetration by attackers. |
| R3 | Implement an Intrusion Detection System (IDS) and a honeypot system whose function is to detect unauthorized login activity and prevent attacks. Using encryption and reducing the sensitive information that is exposed to the public can also be done. |
| R4 | Learn and apply how to secure the website framework in use; each framework has its own methods and procedures for preventing penetration attacks and control takeover by an attacker. As a more detailed recommendation for advanced security, administrators can use advanced queries or scripts to protect the website from various forms of malicious attack, such as XSS and SQL injection. |
| R6 | Website administrators can develop a website security mechanism that is as strong as possible to secure sensitive information about the entire web architecture when an attacker starts scanning actions to gather information. A proxy server, IDS, encryption, and security modules on every part of the website system can be used as a solution to secure website architecture information. |
| R7 | Implement security and protection for the file types or extensions uploaded to the website by knowing and learning the programming language used to build the website, because each programming language has different ways and mechanisms for compiling the scripts used to implement the system's file extension validation. |
| R8 | Website administrators are expected to review the files stored and displayed to the public on the website that are outdated and no longer relevant to the current situation, to prevent information manipulated by an attacker from being used as an object of further attacks. If there are such files, the administrator can immediately delete them from the website. |
| R9 | Implement a security mechanism for the application responsible for configuring the computing resources installed on the web server (in this case: cPanel & WHM). This can be done by: using strong passwords; using firewall, anti-virus, and anti-rootkit protection; updating the application regularly; using brute-force protection; checking hosted websites; etc. |
| R10 | Validate the authentication security mechanisms that can be attacked by bypass actions by properly checking the permissions of each role on the website and tightening system access policies to prevent falsification of identities that should not be valid. |
| R11 | Apply security and protection mechanisms against web tampering attacks by: not putting parameters into the query string (URL); using one session token to reference an object stored in the server-side cache (HTML form field); using cryptography on the HTTP header sent from the server side (HTTP header); performing configuration on the server side to prevent parameter changes made by the attacker; and so on until #risk29 |

CONCLUSION
Producing risk treatments with recommended actions for every risk to the organization is the main goal of this research. All the results and analysis of system vulnerabilities and weaknesses, together with the recommended actions from penetration testing based on the OWASP Testing Guide Version 4 framework with the OSINT concept applied, will help to maintain and improve the service capability of the organization and to keep up its main goal. The risk assessment process, which consists of 3 main phases (identification, analysis, evaluation), was carried out using the ISO 31000 framework, with the results of the penetration testing process used as the main structure of the risk assessment.

Thank You
All text and image content in this document is licensed under the Creative Commons Attribution-Share Alike 4.0 License (unless otherwise specified).
