OISSG
1. Open Information Systems Security Group
A not-for-profit Organization
…Share and Build your knowledge
Christian Martorella
christian.martorella@oissg.org
laramies@gmail.com
2. Presentation
• What is OISSG?
• Vision
• Mission
• Objectives for 2006
• Strategy
• Projects
Framework development
Conferences
Local chapters
Security challenges
Security Awareness
Security Research & Labs
Accreditations
3. What is OISSG?
• An independent, volunteer-run, not-for-profit organization.
• Provides free resources to the community:
Frameworks, methodologies, standards, articles.
Tools for security audits and for implementing security.
Conferences and mailing lists.
Knowledge base.
• Focused mainly on solving the problems related to security assessments.
4. What is OISSG?...
• What do we provide?
Frameworks
Information Systems Security Assessment Framework (ISSAF)
Computer Crime Investigation Framework (CCIF)
Security Essentials Framework
Software
Password Auditing (LeptonCrack)
Database Security (Metacoretex-NG)
Windows, Linux and Solaris Security
Research initiatives
Local chapters
5. Our Vision
Spread information security awareness. Provide a medium where security enthusiasts and professionals from all over the world can share and build knowledge.
6. Our Mission
To achieve its vision, OISSG will determine the utmost professional needs and will assign resources to create processes to develop
7. Objectives 2006
• Primary objectives
Release the next draft version of ISSAF.
Gain acceptance from key executives that ISSAF is a comprehensive framework for performing security assessments.
Accredit professionals in Security Assessment.
Publish the first draft version of the Computer Crime Investigation Framework (CCIF).
8. Objectives 2006…
• Secondary objectives
• Increase the number of members
Develop a localized presence
Set up 50 local chapters
Organize (and expand) conferences
Set up on-line research labs for members
Organize security assessment challenges
Build Computer Security Incident Response Teams (CSIRT)
Spread security awareness
9. Strategy
• Identify critical areas of information security that are partially explored or unexplored.
• Create teams to work in those areas.
• Ensure that the final results of that work reach end users.
• Work with other groups that share the same objectives and resources.
10. Information Systems Security Assessment Framework (ISSAF)
Mission:
To research, develop, publish and promote a complete, practical and community-accepted framework for performing security assessments of systems.
11. ISSAF…
• Already established standards:
NSA IAM: http://www.nsa.gov/isso/iam/index.htm
CESG CHECK: http://www.cesg.gov.uk/site/check/index.cfm
• All methodologies and frameworks talk about the "What"; ISSAF instead talks about the "What, When, Where and Why" and also about the HOW.
• ISSAF addresses practical, real-world problems.
• It adds value through a structured and effective approach to security assessment.
12. ISSAF…
• Its primary value will derive from the fact that it frees security practitioners from having to invest in commercial resources or extensive internal research to address their information security needs.
• It will evolve into a comprehensive body of knowledge for organizations seeking to conduct their assessments independently and neutrally.
• It will be the first framework to provide validation for bottom-up security strategies such as penetration testing as well as top-down approaches such as an audit checklist for information policies.
13. Framework structure: Enterprise Assessment Framework
Identify Gross Risk
Evaluate Enterprise Information Security Policy
Evaluate Enterprise Information Security Organization & Management
Assess Enterprise Security & Controls:
Physical and Environmental Security
Technical Controls Assessment
Secure Application Development
Security Awareness
Evaluate Enterprise Security Operations Management:
Capacity Management
Vulnerability Management
Patch Management
Release Management
Configuration Management
Enterprise Incident Management
Change Management
Security Awareness Program
Assess Business Continuity and Disaster Recovery Planning
Evaluate Legal and Regulatory Compliance
Manage Residual Risks
14. ISSAF – Table of Contents
• About ISSAF
• Assessment Framework
• Engagement Management
• Best Practices – Pre Assessment, Assessment and Post Assessment
• Enterprise Security Policy
• Enterprise Security Organization & Management
• Assess Enterprise Security & Controls
Penetration Testing - Methodology
Penetration Testing Methodology: Descriptive – (Continue….)
Password Security
Password Cracking Strategies
Unix/Linux System Security Assessment
Windows System Security Assessment
Novell Netware Security Assessment
Database Security Assessment
15. ISSAF – Table of Contents…
WLAN Security Assessment
Switch Security Assessment
Router Security Assessment
Firewall Security Assessment
Intrusion Detection System Security Assessment
VPN Security Assessment
Anti-virus System Security Assessment and Management Strategy
Web Application Security Assessment
Web Application Security (Continue…) SQL Injections
Web Application Security (Continue…) Web Server Security Assessment
Storage Area Network (SAN) Security
Internet User Security
AS/400 Security
Lotus Notes Security
16. ISSAF – Table of Contents…
Source Code Auditing
Binary Auditing
Application Security Evaluation Checks
• Social Engineering
• Physical Security Assessment
• Enterprise Security Operations Management
• Security Awareness
• Outsourcing Security Concerns
• Business Continuity Planning and Disaster Recovery
17. ISSAF – Table of Contents…
• Legal and Regulatory Compliance
• Incident Analysis
• Knowledge Base
Build Foundation
Desktop Security Check-list - Windows
Linux Security Check-list
Solaris Operating System Security Check-list
Penetration Testing Lab Design
Links
Templates / Others
18. ISSAF - Relationships with other standards
• Committees were created to map ISSAF to existing standards:
SAS70
COBIT
SOX
BS7799
BASEL-II (coming soon)
19. Computer Crime Investigation Framework (CCIF)
• What CCIF covers:
Incident management processes.
Windows Forensics
*nix Forensics
Router Forensics
Hacking Tool Forensics
• Release date?
20. Local chapters
• Objective - Share and build knowledge
Established 39 chapters in 22 countries
• Activities by local chapters
Organizing periodic conferences/seminars and workshops for sharing and building knowledge
Organizing periodic informal meetings on each other's developments
Discussing contributions to security projects
Visibility through representation in the media
Promotions
• How will OISSG local chapters help you?
Knowledge sharing
Building and managing knowledge through documentation
Knowing what your other friends are doing
Introducing you to experts in the information security industry
Keeping you updated with the latest happenings in the security industry
21. Security Research
• Researching:
Vulnerability Research
Password Security Research
Flawless Port Scanning
Database Security (Metacoretex-NG)
• First-rate researchers.
22. Security Research
• The Vulnerability Research team is actively working on:
Software Code Auditing
Reverse Engineering
Exploit Code/Proof-of-concept Analysis and Development
• Key achievements
Developed a standard for Binary Auditing
Found one vulnerability in one anti-virus product
A process for vulnerability disclosure has been developed
• How to become part of this team:
Contact research@oissg.org
Subscribe to vuln@oissg.org
• Tools Development
A tools development plan is in process for the automation of ISSAF
23. Security Research
• Password Security Research Team
Lepton Crack – one of the best password cracking tools in the world
A process for password security audits has been developed
Project Director – Bernardo Reino (aka Lepton)
• Flawless Port Scanning
• Information Risk Management
• Business Continuity
24. Research Labs
• HoneyNets in multiple locations
• Identification of emerging security needs
• Delivering solutions for critical security needs