IT Risk Management Based on ISO 31000 and OWASP Framework Using OSINT


I. J. Computer Network and Information Security, 2019, 12, 17-29
Published Online December 2019 in MECS (http://www.mecs-press.org/)
DOI: 10.5815/ijcnis.2019.12.03

IT Risk Management Based on ISO 31000 and OWASP Framework using OSINT at the Information Gathering Stage (Case Study: X Company)

Anak Agung Bagus Arya Wiradarma
Udayana University, Bali, Indonesia
E-mail: 9egungwira5@gmail.com

Gusti Made Arya Sasmita
Udayana University, Bali, Indonesia
E-mail: aryasasmita@it.unud.ac.id

Received: 03 November 2019; Accepted: 23 November 2019; Published: 08 December 2019

Abstract—Major IT developments have raised the speed and mobility of information access. One of them is the use of websites to share and gather information. That mobility and information disclosure, however, creates a harmful vulnerability: the leakage of information, whether organizational or sensitive, such as bank accounts, phone numbers and more. Security testing is therefore needed for website usage. One website security testing method is penetration testing; a supporting framework for this method is the OWASP Testing Guide Version 4. OTG Version 4 has 11 stages covering all aspects of website protection and security. Security testing is best done using tools/software. Tools built on the OSINT (Open Source Intelligence) concept are used to get better access and availability through the characteristics of open source. The IT risk assessment analysis is carried out with the ISO 31000 framework, based on the results obtained through penetration testing with the OWASP framework. The significance and value of this research lies in finding the best and most effective way to produce IT risk management guidelines from the combination of the OWASP and ISO 31000 frameworks: a website security assessment is performed with the penetration testing method based on the OWASP framework to obtain the system vulnerabilities, and the risks that appear are analyzed with the ISO 31000 framework. The IT risk management guidelines also consist of system improvement recommendations together with an evaluation report, both obtained from the combined analysis of the OSINT concept, penetration testing methods, and the OWASP and ISO 31000 frameworks.

Index Terms—Information Gathering, OSINT, OWASP, Penetration Testing, ISO 31000.

Copyright 2019 MECS

I. INTRODUCTION

A. Research Background

The implementation of technology is very helpful in various fields and has a positive impact on everyday life; one example is sharing and managing information on the Internet through a website. Alongside the positive impact there is also a negative one. Information disclosure on a website can be a weak point and a vulnerability of the organization that uses the website for information access. Security can be improved by testing the weak points of the website; the existing way to obtain a security assessment is to run the penetration testing method against the organization's website. There are many phases the examiners have to carry out in the penetration testing process, one of which is the information gathering phase. The purpose of this phase is to obtain as much system information as possible: architecture, how the system is built, domain names, network mapping, port information, and any other usable information about the target website, in order to have advanced knowledge for the next phases of the penetration testing process. The penetration testing method has several frameworks that can be used. Based on a previous study of penetration testing frameworks, the OWASP Testing Guide is preferred as the best and most compatible framework for the penetration testing process. The version of the OWASP framework used in this research is OWASP Testing Guide version 4, published in 2015, using the Testing for Information Gathering module. The purpose of this module is to perform the information gathering phase. The use of software and tools is a requirement that must be fulfilled.
The scope of tools used in this research is the OSINT (Open Source Intelligence) category. The main OSINT tool used in this research is Maltego. However, the OWASP Testing Guide framework already contains guidelines that suggest using the tools fixed for every phase. This means the examiners do not use Maltego as the single main tool, but also use some other additional tools fixed in the OWASP Testing Guide framework. It is certain, however, that all tools used in this research are open source based. The components of the website are tested and verified to have a security level that yields an information system with a high level of security that can be used sustainably. The risk management guidelines are produced from the analysis of the penetration test results, which then yields the list of risks the organization might face in the future. Risk management guidelines serve to provide appropriate actions and system management based on relevant guidelines, and stand out through the adoption of ISO 31000 policies. The outputs of this research are an evaluation report and IT risk management guidelines to be used as an additional or main reference for preferred recommendations and actions. The problem to be solved is to minimize the level of vulnerability of the existing system, overcome the risks that come with it, and make the organization's website system more secure and protected.

B. Research Limitation

There are some main limitations of the research, which can be explained as follows.

1. The tools or software used in the penetration testing security assessment are limited to OSINT based tools and the tools recommended in the OWASP Testing Guide version 4 framework.
2. The standardization or framework used in this research is limited to OWASP for penetration testing and ISO 31000 for the risk management framework only.
3. The time period of the security assessment on the organization is limited to a span of 6 months.

C. Research Achievement Advantage

There are some advantages and benefits that come with the research achievement, which can be explained as follows.

1. Providing information about the level of website system security based on the results of security testing and analysis of the organization's website.
2. Providing recommendations to overcome vulnerabilities and improve security, which can be implemented by the organization.

II. LITERATURE STUDY

A. Open Source Intelligence

OSINT (Open Source Intelligence) is part of the intelligence disciplines that relate to, and are generated by, analyzing public data sources. The main source of OSINT is information available to the public that is collected, exploited, and disseminated in a timely manner to the right audience for the purpose of handling certain information and intelligence needs (Benes, 2013; Stiawan et al., 2017). The main uses of OSINT are in national security, law enforcement, and business intelligence, and it is valuable for analysts who use non-sensitive intelligence in answering classified, non-classified, and proprietary intelligence requirements across all the previous intelligence disciplines (Hassan & Hijazi, 2018; Kawakita & Shima, 2018). OSINT is achieved by processing video, image, audio, and text data from public data sources and analyzing the processed data to generate major insights from across all data sources. Intelligence products started to be based mostly on open sources, thus providing efficient use of the resource capabilities of the intelligence community (Jenter et al., 2014).
OSINT grew more important with the advancing progress of communication and encryption technologies. The arrival of the Internet, digitally interconnected platforms and social media platforms have all led to the growing importance of OSINT and the emergence of overlapping jurisdictional areas between other schools of intelligence, but also brought about problems of verifying content and news (Edam et al., 2018). The purpose of OSINT in the context of penetration testing is to gather as much information as possible for the attacks that will be carried out. Specific testing agreements between organizations and clients allow some information to be released before the testing itself (Hoepman, 2014). Generally, the first phase of OSINT usage in the penetration testing process is to analyze the target, from its outline up to highly detailed information. This phase can increase the likelihood of success in exploiting the target. The information is typically gained from company websites, social media, public records, and unsuspecting employees. Further OSINT techniques are much like the "Google hacking" technique, which often reveals sensitive information that a particular target did not realize was publicly available (Young et al., 2017).

B. Maltego

Maltego is software developed by Paterva and is used by professionals and experts in the fields of security and digital forensics to collect and analyze open source information for intelligence purposes. Maltego can also be used for handling evidence, which is useful because of the large amount of data generated, even accidentally, by the penetration testing method during the attack on the target (Kawakita & Shima, 2018). A very important feature of Maltego is the ability to search for deeper information using reference information that has already been collected from OSINT sources. Maltego can easily collect information from various sources and use various kinds of transforms to process it and produce results in graphical form, so that it is easier for users to understand. Processing of the information is embedded in Maltego and can also be adjusted to user needs (Petersen, 2017). Maltego has useful graphing software that places an accent on relationships between nodes in the graph and uses a client/server architecture for data collection to determine the relationships and real-world links between pieces of data of website infrastructures. In this way, Maltego generates a node graph in which nodes called entities are plotted and relationships between nodes are represented with directional arrows (System & Marx, 2014). Maltego is developed in the Java programming language and runs on the Kali Linux operating system. Users are required to register to be able to use Maltego for free. After registering, users can use Maltego to collect targeted digital information on the internet.

C. Penetration Testing

The penetration testing method, often called "pentest", is the practice of testing the security of a computer system, network, or web application to find security vulnerabilities that could be exploited by attackers, by carrying out staged attacks against the system (Yeboah-Ofori, 2018). The penetration testing method can be facilitated by tools or done manually (Ghozali, Kusrini, & Sudarmawan, 2019). The processes contained in the penetration testing method include information gathering, identifying penetration points, and reporting the results of testing. Security testing with the penetration testing method is recommended to use a related framework, so that the stages of attack carried out against the system follow a standardization developed and recognized by organizations that are experts in the field of security testing (Lubis & Tarigan, 2017). The main purpose of penetration testing is to identify system security weaknesses.
In addition, it can also be used to test organizational security policies, the awareness of organizational employees of security requirements, and the ability of organizations to identify and respond to security incidents (Hussain et al., 2017). The results of the system security testing evaluation from the penetration testing method, covering whatever has been successfully identified or exploited, are collected and provided to administrators, organizational owners, or organizational system managers, with the aim of giving them recommendations for making decisions and prioritizing efforts to improve system security and protection (Shanley & Johnstone, 2015). The penetration testing approach audits web application security and can also be used to secure the associated layers; it includes auditing the system to find vulnerabilities that may exist in it. The tester finds and exploits a vulnerability the same way an attacker would, and produces data that represent the risk level of the system (Hasan & Meva, 2018). Penetration testing depends on many kinds of mechanisms or frameworks for identifying flaws in attacks or tests, in order to get beneficial results as the penetration testing process proceeds. A structured approach can therefore benefit both the examiners and the resources used in the testing process. An additional benefit is that test results from a good, structured mechanism are easier to re-use in the future to ensure that no regressions occur with the penetration testing method (Dahl, 2005).

D. OWASP

OWASP is a non-profit organization that focuses on improving software security (Ghozali et al., 2019). OWASP guidelines are applied throughout the software development life cycle (SDLC) phases of application development, which are system planning, system analysis, system design, implementation, and testing (Sedek, Osman, Osman, & Jusoff, 2009). OWASP provides many tools, guides and testing methodologies for cyber security under an open source license, specifically the OWASP Testing Guide (OTG) (Dirgahayu et al., 2015). The OTG is divided into three main parts: the OWASP testing framework for web application development, the web application testing methodology, and system evaluation reporting. The web application testing methodology can be used independently or as a testing framework. A web application developer can use the framework to build web applications with the protection and security aspects in mind, followed by security testing with the penetration testing method to test the security of the developed web application (Pratama & Wiradarma, 2019). The OWASP Testing Guide framework has a strong focus on the security level of web applications across all aspects of the software development lifecycle, which differs from other penetration testing frameworks such as ISSAF and OSSTMM, both of which are intended to test security from the implementation. The OWASP Testing Guide is specifically targeted at a single domain, namely web applications (Lubis & Tarigan, 2017). The OWASP Testing Guide can really help and is very important to a security practitioner because it is completely free of charge and open. Information protection and security must not be an agony that only a few persons can practice. The OWASP Testing Guide has open access and very detailed penetration testing phases, and because of that it should be in the hands of developers and software examiners. There are not enough application security experts in the world to make a significant reduction in the security problem, so the responsibility for application security must fall on developers (Mariani et al., 2015).

E. Risk Management // ISO 31000

Risk can be defined as the chance of loss or an unexpected outcome associated with a preferred action. Uncertainty is not knowing what will happen in the future. The greater the uncertainty, the greater the risk that will come (Crane, Gantz, Isaacs, Jose, & Sharp, 2013). Risk management has become one of the major concerns considered today. As a rule, effective risk management requires the evaluation of events from two perspectives: on the one hand, the uncertainty of occurrence or probability, and on the other, the resulting effect. One of the risk management standards is ISO 31000. Based on the latest version of the ISO 31000 standard, issued in 2018, ISO 31000 summarizes risk management into three main steps. The first step is risk identification, which aims to generate a list of risks from different sources, the events, their causes and potential outcomes, and the areas affected. The second step is risk analysis, which aims to provide an understanding of risk to serve as the core for making decisions on the best reflections and methods. Risk analysis can be carried out at various levels of detail, depending on the risk in question, the purpose of the analysis and the information available. In this paper, the risk analysis is based on the technical testing results of penetration testing using the combination of OSINT tools and the OWASP Testing Guide Version 4 framework. The third step is risk evaluation, which aims to provide more support for making decisions and comparing the level of each risk, based on the results of the risk analysis, by evaluating which risks necessarily need treatment and the priority of implementing the treatment (de Oliveira, Marins, Rocha, & Salomon, 2017). ISO 31000 has established a risk management framework that is more flexible and provides more control than other frameworks. The proof of ISO 31000's flexibility can be seen in its capability to fit any organization's risk management process (Sukapto, Desena, Ariningsih, & Susanto, 2018). One of the main objectives of the ISO 31000 standard is to continually improve risk management in organizations based on a general model that is meant to adapt to a wide variety of risks. ISO 31000 provides a structured framework intended to meet the needs of any type of organization or situation.
The entire risk management process in ISO 31000 is documented in order to maintain a reporting overview of decision making, and serves as a periodic review of the entire process of identifying, analyzing and addressing risk, in order to discover changes in the external and internal environments (Lalonde & Boiral, 2012). Figure 1 is an illustration of the ISO 31000 based risk management process. The ISO 31000 risk management process includes five activities, which can be explained as follows.

1. Communication and Consultation
This process runs internally within organizations, divisions, and business units, or externally, aimed at external stakeholders.

2. Establish the Context
Organizational management determines the limits or internal parameters and the external parameters that are taken into consideration in managing risk, the scope of work, and the risk criteria for the subsequent processes.

3. Risk Assessment
This stage includes Risk Identification, Risk Analysis, and Risk Evaluation. Risk Identification is the process of determining risks that have the potential to affect the organization in achieving its objectives. Risk Analysis is an effort to understand risks more deeply. Risk Evaluation is the process of evaluating the likelihood and impact level of each risk using predetermined criteria.

4. Risk Treatment
Risk treatment includes efforts to select options that can reduce or eliminate the impact and likelihood of risks, and then to implement those choices.

5. Monitoring and Review
Monitoring and Review is the part of risk management that ensures all stages of the process and the risk management function are running well.

III. RESEARCH METHODOLOGY

A. Technical Testing Using OTG Version 4 Diagram

The technical testing phase is supported by a flowchart whose purpose is to make it simpler for the researchers to determine the sequence of steps to be taken when carrying out the penetration testing process using the OWASP Testing Guide Version 4. Activities begin with planning and preparing the penetration testing process, which means setting up the user's PC, the tools that will be used, and the target website that will be tested. Afterwards, the penetration testing phase with the OWASP framework is started. There are 11 stages tested on the target website, based on the objectives of each stage. The workflow diagram of the penetration testing phase using OTG Version 4 is shown in the following figure (Fig. 2).

Fig.1. ISO 31000 Risk Assessment Diagram
Source: ISO Official Website

Fig.2. Penetration Testing Diagram
Source: Personal Document

B. Risk Management Analysis Using ISO 31000 Diagram

Testing and analysis of risk management is supported by a flowchart whose purpose is to make it simpler for the researchers to determine the sequence of steps to be taken when producing the risk management guide using the ISO 31000 framework. Activities begin with making the agreement for the consultation process with the organization manager. The purpose of this consulting process is to find out and examine the risk management that has already been done before within the company. Afterwards, the risk management assessment stage is started, which consists of risk identification, risk analysis and risk evaluation. The risk assessment stage in the ISO 31000 framework is carried out by including the results of the penetration tests for each phase in the assessment stage. The workflow diagram of the risk management process using the ISO 31000 framework is shown in the following figure (Fig. 3).

C. Recommendations Analysis Diagram

The results of the penetration testing and risk management processes are combined at this stage, producing the IT risk management guidelines. The process of making the risk management guidelines is based on the weaknesses and vulnerabilities of the target organization's website obtained from the penetration testing done before. These weaknesses and vulnerabilities lead to various risks for the organization's whole IT system. The IT administrator will need the risk management guidelines to overcome the risks when a problem appears. The workflow diagram of the IT risk management decision-making process using the OWASP Testing Guide V4 and ISO 31000 frameworks is shown in the following figure (Fig. 4).

Fig.3. Risk Management Processes Diagram
Source: Personal Document

Fig.4. Evaluation Report & Risk Guidelines Diagram
Source: Personal Document

IV. TEST RESULTS

A. Maltego as OSINT Tool

Maltego is a tool whose purpose is to gather all the specific and detailed information about how a website is deployed and works on the internet. The open source intelligence (OSINT) concept applies to this software because of its capability to gain information for a certain intelligence objective with an open source based program. Examination for the information gathering phase, which is the first stage of the OWASP Testing Guide Version 4 phases, is done using OSINT tools with the specific function of gathering information about the website target. This research used Maltego as one of the tools supporting the information gathering phase. The Maltego version used in this research is Maltego Community Edition version 4. The following figure shows the startup appearance of Maltego running on Macintosh OS High Sierra; it is shown as an example of the OSINT tools used in this research.

Fig.5. Maltego Appearance on Macintosh OS
Source: Personal Document

B. Testing Results of OWASP Testing Guide Version 4 Framework

The testing phases are carried out on the target website using the Testing for Information Gathering module, which is the first stage of the OWASP Testing Guide Version 4 framework and consists of 10 phases, to find every detail as completely as possible from the target website, as is the purpose of the information gathering stage. The table below (Table 1) shows the testing results on the target website. The testing of the Information Gathering module is conducted by a researcher with the skills and knowledge of penetration testing theory, the software recommended in the OWASP Testing Guide guidelines, and a personal computer with specifications qualified to support and ensure the reliability of the testing results. In some phases of this Testing for Information Gathering module there is website system information that cannot be covered or secured (example: information about the website framework, found with Wappalyzer). One way to prevent attacks that use such uncovered sensitive information is to strengthen security technically in the structures developed on the website (firewalls, IPS, IDS, etc.). OSINT tools used: Google Hacking Database, Google Hacking Diggity, WhatWeb, Wappalyzer, Netcat, Nmap, robotstxt.org, Whois, reqbin.com, ZAP, Maltego.

Table 1. Objective Table of Testing for Information Gathering Module

| Number | Module | Objective | Result |
|---|---|---|---|
| 4.2.1 | Conduct Search Engine Discovery and Reconnaissance for Information Leakage (OTG-INFO-001) | Discovering the design and configuration information of the website/system/organization that can be accessed openly, either directly (on the organization's website) or indirectly (on third-party websites). | Success (Google Hacking Database, Google Hacking Diggity) |
| 4.2.2 | Fingerprint Web Server (OTG-INFO-002) | Discovering the version and type of web server used by the target, to find out the weaknesses and types of exploits when system penetration occurs. | Success (WhatWeb, Wappalyzer, Netcat, Nmap) |
| 4.2.3 | Review Webserver Metafiles for Information Leakage (OTG-INFO-003) | Knowing the leakage of directory and folder path information of the web application from Robots/Crawler/Spiders analysis. | Success (curl robots.txt, robotstxt.org/robotstxt.html) |
| 4.2.4 | Enumerate Applications on Webserver (OTG-INFO-004) | Calculating the number of web applications running on the target web server and knowing the open ports of the target website. | Fail (Nmap, Whois) |
| 4.2.5 | Review Webpage Comments and Metadata for Information Leakage (OTG-INFO-005) | Discovering the developer comments on the target website and finding leaked information and metadata to gain better system knowledge. | Fail (Wget, Chrome Inspect Element, HTML file) |
| 4.2.6 | Identify Application Entry Points (OTG-INFO-006) | Discovering how requests and responses are formed by the target website, based on the information given within GET and POST requests. | Success (reqbin.com, ZAP) |
| 4.2.7 | Map Execution Paths Through Application (OTG-INFO-007) | Creating the system mapping of the target website and understanding the main workflow. | Fail |
| 4.2.8 | Fingerprint Web Application Framework (OTG-INFO-008) | Discovering the type of framework used by the target website, which gives better understanding and a proper choice of security testing methodology. | Fail (WhatWeb, …) |
| 4.2.9 | Fingerprint Web Application (OTG-INFO-009) | Discovering the version of the building components of the target website to determine the weaknesses and exploitation methods that are suitable when system penetration occurs. | Fail |
| 4.2.10 | Map Application Architecture (OTG-INFO-010) | Discovering and knowing the overall system architecture and workflow of the target website. | Fail (Maltego) |

C. Testing Analysis of OWASP Testing Guide Version 4 Framework

The results of penetration testing using the OWASP Testing Guide Version 4 framework on the Testing for Information Gathering module in Table 1 show that the target website successfully passed phases OTG-INFO-001, OTG-INFO-002, OTG-INFO-003 and OTG-INFO-006, and failed phases OTG-INFO-004, OTG-INFO-005, OTG-INFO-007, OTG-INFO-008, OTG-INFO-009 and OTG-INFO-010. A phase counts as failed when the examiners can find the detailed information that is the purpose of that phase among the 10 phases of the Testing for Information Gathering module. Phases that do not pass expose the vulnerabilities and weaknesses of the target website, because in the penetration testing scenario the examiners take the same role as an attacker who needs to find information in order to go further into the website system. The purpose of reviewing these modules is to describe and break down the effect on the website system when it fails to pass the testing processes. Of the 10 kinds of testing process in the Testing for Information Gathering module, 6 out of 10 tests were not passed, which gives vulnerabilities and security holes in the target website. The passing percentage of the information gathering scope is 40%, which is calculated further in the risk management processes.
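The analysis above treats a phase as failed when an examiner can obtain the information the phase targets, so the natural defensive response is to check one's own site for that information before anyone else does. The script below is an added example, not code from the paper or from any of the tools it lists: it audits constructed samples of a server's own response headers (OTG-INFO-002), robots.txt (OTG-INFO-003) and HTML comments (OTG-INFO-005) for the kinds of disclosure those three phases look for, and reports each phase in the paper's Success/Fail vocabulary. The header names, path prefixes and comment keywords it matches are assumptions chosen for illustration, not a list from the paper.

```python
"""
Added example, not code from the paper: a defender-side self-audit that checks a
web server's own HTTP response headers, robots.txt and HTML comments for the kinds
of disclosure the OTG-INFO-002, OTG-INFO-003 and OTG-INFO-005 phases look for.
All sample inputs are constructed for illustration, not captured from the case study.
"""
import re
from dataclasses import dataclass

# Assumed list of response headers that commonly carry a server or framework version (OTG-INFO-002).
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# Assumed path-segment prefixes in robots.txt Disallow entries that hint at sensitive areas (OTG-INFO-003).
SENSITIVE_PREFIXES = ("admin", "backup", "config", "private", "old", "tmp", ".git")

# Assumed developer-note vocabulary that should not reach production HTML comments (OTG-INFO-005).
COMMENT_PATTERN = re.compile(r"\b(todo|fixme|password|passwd|debug|username|api[_-]?key)\b", re.I)


@dataclass
class Finding:
    phase: str   # OTG identifier the finding maps to
    detail: str  # what was observed


def audit_headers(headers):
    """Flag version-bearing headers: a known header name whose value contains a digit."""
    findings = []
    for name, value in headers.items():
        if name.lower() in VERSION_HEADERS and re.search(r"\d", value):
            findings.append(Finding("OTG-INFO-002", f"{name}: {value}"))
    return findings


def audit_robots(robots_txt):
    """Flag Disallow entries whose path segments start with a sensitive prefix."""
    findings = []
    for raw in robots_txt.splitlines():
        line = raw.strip()
        if not line.lower().startswith("disallow:"):
            continue
        path = line.split(":", 1)[1].strip()
        segments = [s for s in path.lower().split("/") if s]
        if any(seg.startswith(SENSITIVE_PREFIXES) for seg in segments):
            findings.append(Finding("OTG-INFO-003", f"Disallow reveals {path}"))
    return findings


def audit_html_comments(html):
    """Flag HTML comments that contain developer-note vocabulary."""
    findings = []
    for comment in re.findall(r"<!--(.*?)-->", html, flags=re.S):
        text = " ".join(comment.split())
        if COMMENT_PATTERN.search(text):
            findings.append(Finding("OTG-INFO-005", f"comment: {text[:80]}"))
    return findings


def audit_site(headers, robots_txt, html):
    """Run all three checks and return the combined finding list."""
    return audit_headers(headers) + audit_robots(robots_txt) + audit_html_comments(html)


def phase_status(findings):
    """Map each checked phase to the paper's vocabulary: any finding means an examiner
    would obtain the information, so that phase is reported as Fail."""
    status = {p: "Success" for p in ("OTG-INFO-002", "OTG-INFO-003", "OTG-INFO-005")}
    for f in findings:
        status[f.phase] = "Fail"
    return status


# Constructed sample data standing in for a site's own responses.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Content-Type": "text/html; charset=utf-8",
}
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /admin/\nDisallow: /backup-2018/\nDisallow: /images/\n"
SAMPLE_HTML = (
    "<html><body>"
    "<!-- TODO: remove debug login, username=test password=test123 -->"
    "<p>Welcome</p><!-- footer start --></body></html>"
)

if __name__ == "__main__":
    results = audit_site(SAMPLE_HEADERS, SAMPLE_ROBOTS, SAMPLE_HTML)
    for finding in results:
        print(finding.phase, finding.detail)
    print(phase_status(results))
```

On the constructed sample the three checks report five findings and all three phases as Fail; a header such as `Server: nginx` with no version digits, a robots.txt that only hides an images directory, or a comment without developer vocabulary produce nothing, which is the state a site should be in before an external assessment.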
D. Risk Management Assessment Analysis Based on OWASP Testing Results

Based on the vulnerabilities and weaknesses of the website obtained from the penetration testing using the OWASP Testing Guide framework, there are a few risks that must be considered. Risks are listed according to the penetration testing results with the Testing for Information Gathering module, which focuses on how to maintain and secure the specific, sensitive, and deployment information of the targeted website. The risk assessment process starts with risk identification, continues with risk analysis, and ends with the risk evaluation process.
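The three risk assessment steps named here, and the five ISO 31000 activities listed in Section II.E, can be carried through on the Table 1 outcomes in a few dozen lines. The script below is an added example, not part of the paper: the phase outcomes are the paper's, but the 1-5 likelihood and impact scores, the 5x5 evaluation bands and the treatment wording are constructed assumptions, since the paper does not publish its own scoring values. Each failed phase becomes one identified risk (the Objective column of Table 1 says what it exposes), analysis scores it from the two perspectives of probability and effect, evaluation rates it against the predetermined bands, and the register is ordered by treatment priority.

```python
"""
Added example, not from the paper: the ISO 31000 risk assessment steps the paper
describes (identification, analysis, evaluation, treatment priority) applied to the
OWASP Testing Guide information-gathering results in Table 1.  The phase outcomes
are the paper's; the 1-5 likelihood and impact scores and the 5x5 evaluation
criteria are constructed assumptions, because the paper does not publish its values.
"""
from dataclasses import dataclass

# Phase outcomes as reported in Table 1 of the paper.
OTG_RESULTS = {
    "OTG-INFO-001": "Success", "OTG-INFO-002": "Success", "OTG-INFO-003": "Success",
    "OTG-INFO-004": "Fail",    "OTG-INFO-005": "Fail",    "OTG-INFO-006": "Success",
    "OTG-INFO-007": "Fail",    "OTG-INFO-008": "Fail",    "OTG-INFO-009": "Fail",
    "OTG-INFO-010": "Fail",
}

# Risk identification input: what each failed phase lets an outsider learn
# (from the Objective column of Table 1) with assumed likelihood/impact scores (1-5).
RISK_SCORES = {
    "OTG-INFO-004": ("Hosted applications and open ports can be enumerated", 4, 3),
    "OTG-INFO-005": ("Developer comments and metadata leak internal details", 3, 3),
    "OTG-INFO-007": ("Application execution paths can be mapped", 3, 2),
    "OTG-INFO-008": ("Web application framework can be identified", 4, 4),
    "OTG-INFO-009": ("Component versions identified, matching exploits selectable", 4, 5),
    "OTG-INFO-010": ("Overall system architecture can be reconstructed", 2, 3),
}


@dataclass
class Risk:
    phase: str
    description: str
    likelihood: int
    impact: int

    @property
    def score(self):
        # Risk analysis: two-perspective (probability x effect) score, range 1-25.
        return self.likelihood * self.impact


def passing_percentage(results):
    """Share of phases passed; 4 of 10 in the paper gives 40.0."""
    passed = sum(1 for outcome in results.values() if outcome == "Success")
    return 100.0 * passed / len(results)


def identify_risks(results, scores):
    """Risk identification: every failed phase becomes one risk entry."""
    return [Risk(phase, *scores[phase]) for phase, outcome in results.items() if outcome == "Fail"]


def evaluate(risk):
    """Risk evaluation against predetermined criteria (assumed 5x5 matrix bands)."""
    if risk.score >= 15:
        return "High"
    if risk.score >= 8:
        return "Medium"
    return "Low"


# Assumed treatment options per rating (ISO 31000 step 4, Risk Treatment).
TREATMENT = {
    "High": "Treat now: reduce likelihood or impact before the next review cycle",
    "Medium": "Treat within the improvement plan",
    "Low": "Accept and keep under monitoring and review",
}


def risk_register(results, scores):
    """Build the evaluated register ordered by treatment priority (highest score first)."""
    risks = sorted(identify_risks(results, scores), key=lambda r: r.score, reverse=True)
    return [(r.phase, r.score, evaluate(r), TREATMENT[evaluate(r)]) for r in risks]


if __name__ == "__main__":
    print(f"Information gathering pass rate: {passing_percentage(OTG_RESULTS):.0f}%")
    for phase, score, rating, action in risk_register(OTG_RESULTS, RISK_SCORES):
        print(f"{phase}  score={score:2d}  {rating:6s}  {action}")
```

With the assumed scores the register puts the component-version and framework fingerprinting risks (OTG-INFO-009, OTG-INFO-008) at the top as High, the enumeration and metadata risks as Medium, and the execution-path and architecture mapping risks as Low; swapping in an organization's own likelihood and impact criteria changes the ordering without changing the procedure.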

