Penetration Testing mailing list archives
Re: CoBIT a Security Audit Framework?
From: "Andre Gironda" <andreg () gmail com>
Date: Mon, 1 Dec 2008 18:39:55 -0700
On Mon, Dec 1, 2008 at 12:14 PM, J. Oquendo <sil () infiltrated net> wrote:
> Another short list, taken from information from the BITS Shared Assessments V3WP document, which maps controls:
>
> AI2.3 AI2.4 AI3.3 AI4.4 AI6.2 AI7.7
>
> PO2.3 Data Classification Scheme
> PO2.4 Integrity Management
> PO4.8 Responsibility for Risk, Security and Compliance
> PO4.9 Data and System Ownership
> PO4.10 Supervision
> PO4.11 Segregation of Duties
>
> PO5.1 PO6.1 PO6.2
>
> PO9.3 Event Identification
> PO9.4 Risk Assessment
> PO9.5 Risk Response
> PO9.6 Maintenance and Monitoring of a Risk Action Plan
>
> DS5.5 DS5.6 DS5.7 DS5.8 DS8.1 DS8.2 DS8.3 DS8.4 DS8.5 DS9.2 DS10.1 DS10.2 DS10.3
>
> But wait... That's not even breaking the ice. Of all the frameworks in place, CoBIT overlaps many and exceeds them all by all means.
It's a good _control_ framework (a checklist, "quants"). It doesn't specify principles or "qualities". There are other, better frameworks that do that (or do both). Other types of frameworks include maturity models. I wouldn't compare control frameworks to principle-based ones, or maturity-model based ones. Additionally, some frameworks are a mix of principles, controls, and models that can only be compared against other, similarly structured frameworks.

If I were to compare COBIT against other similar _control-based_ frameworks, I would rate them in my order of preference when in use along with penetration-testing (if that is the goal):

BITS Shared Assessments SIG
SIG-Lite
ISO27002
ITCG
COBIT
PCI-DSS
Others (e.g. COSO, CoCo, FISCAM)

The above doesn't make COBIT look that great, but it's really not that great... it's really out of date to today's standards, IMO. I'm also not saying that it is better than PCI-DSS (clearly there are lots of good/bad things in PCI-DSS), but it is very agnostic and very complete in comparison.

If you want to look at frameworks that include a nice mix of principles and controls, see:

ISO27000
NSA IEM (specific to pen-testing) and Red-Team Methodology (duh)
OSSTMM (specific to pen-testing)
NIST SP800-115 (specific to pen-testing)
ISSAF (specific to pen-testing)
Others (ITIL, NIST SP800-53, GASSP, SSAG, et al)

My favorite maturity-models-based framework is the OWASP ASVS, which could probably be applied to networks and non-web-based applications very easily. Although SSE-CMMI, ISM3, and others are also very worthwhile.

I would avoid generic risk analysis frameworks such as FAIR, OCTAVE, NSA IAM, NIST SP800-30, CSA, CRSA, et al for pen-testing purposes. Generally, these are what you do *before* a pen-test. You did do one of these, correct?

Additionally, assuming time means nothing to you, I suggest checking out DIACAP. It's how the US DoD does IT-systems-risk/vulnerability assessments.
The predecessor to DIACAP was DITSCAP, although I hear rumors that these processes were based on either NSA IEM or OSSTMM (or both).
I suggest taking a peek at: http://blog.eiqnetworks.com/2008/11/20/puzzle-pieces-the-relationship-between-sox-coso-and-cobit/
I also suggest checking out the comments since I made a few there.

COBIT isn't ideal for pen-testing (I concur that OSSTMM is often a good choice for this), but it can be used for pen-testing (as seen from the long list above). In fact, it certainly meets Jon's requirements based on his examples. It doesn't specify IPSec, but hey - IPSec is *one* VPN encryption technology of many, including SSL VPN, OpenVPN, SSH tunneling, Unisys Stealth, et al.

I honestly think you could take the above controls out of the COBIT framework, turn them into a meaningful checklist for a pen-tester, and get quite amazing results.

Cheers,
Andre
Current thread:
- CoBIT a Security Audit Framework? Jon Kibler (Dec 01)
- Re: CoBIT a Security Audit Framework? J. Oquendo (Dec 01)
- Re: CoBIT a Security Audit Framework? Jon Kibler (Dec 01)
- Re: CoBIT a Security Audit Framework? J. Oquendo (Dec 01)
- Re: CoBIT a Security Audit Framework? Andre Gironda (Dec 02)
- Re: CoBIT a Security Audit Framework? Jon Kibler (Dec 01)
- Re: CoBIT a Security Audit Framework? J. Oquendo (Dec 01)
- Re: CoBIT a Security Audit Framework? SD List (Dec 02)
- Re: CoBIT a Security Audit Framework? hightch0 (Dec 02)
- Re: CoBIT a Security Audit Framework? R. DuFresne (Dec 10)
- <Possible follow-ups>
- RE: CoBIT a Security Audit Framework? Katuruza, Patrick (Dec 02)
- Re: CoBIT a Security Audit Framework? J. Oquendo (Dec 01)