Penetration Testing mailing list archives

Re: CoBIT a Security Audit Framework?


From: "Andre Gironda" <andreg () gmail com>
Date: Mon, 1 Dec 2008 18:39:55 -0700

On Mon, Dec 1, 2008 at 12:14 PM, J. Oquendo <sil () infiltrated net> wrote:
> Another short list, taken from information from the BITS Shared
> Assessments V3WP document, which maps controls:
> AI2.3
> AI2.4
> AI3.3
> AI4.4
> AI6.2
> AI7.7
> PO2.3 Data Classification Scheme
> PO2.4 Integrity Management
> PO4.8 Responsibility for Risk, Security and Compliance
> PO4.9 Data and System Ownership
> PO4.10 Supervision
> PO4.11 Segregation of Duties
> PO5.1
> PO6.1
> PO6.2
> PO9.3 Event Identification
> PO9.4 Risk Assessment
> PO9.5 Risk Response
> PO9.6 Maintenance and Monitoring of a Risk Action Plan
> DS5.5
> DS5.6
> DS5.7
> DS5.8
> DS8.1
> DS8.2
> DS8.3
> DS8.4
> DS8.5
> DS9.2
> DS10.1
> DS10.2
> DS10.3
> But wait... That's not even breaking the ice. Of all the frameworks
> in place, CoBIT overlaps many and exceeds them all by all means.

It's a good _control_ framework (a checklist, "quants").  It doesn't
specify principles or "qualities".  There are other, better frameworks
that do that (or do both).  Other types of frameworks include maturity
models.  I wouldn't compare control frameworks to principle-based
ones, or maturity-model based ones.  Additionally, some frameworks are
a mix of principles, controls, and models that can only be compared
against other, similarly structured frameworks.

If I were to compare COBIT against other similar _control-based_
frameworks, I would rate them in my order of preference when in use
along with penetration-testing (if that is the goal):
BITS Shared Assessments SIG
SIG-Lite
ISO27002
ITCG
COBIT
PCI-DSS
Others (e.g. COSO, CoCo, FISCAM)

The above doesn't make COBIT look that great, but it's really not that
great... it's really out of date by today's standards, IMO.

I'm also not saying that it is better than PCI-DSS (clearly there are
lots of good/bad things in PCI-DSS), but it is very agnostic and very
complete in comparison.

If you want to look at frameworks that include a nice mix of
principles and controls, see:
ISO27000
NSA IEM (specific to pen-testing) and Red-Team Methodology (duh)
OSSTMM (specific to pen-testing)
NIST SP800-115 (specific to pen-testing)
ISSAF (specific to pen-testing)
Others (ITIL, NIST SP800-53, GASSP, SSAG, et al)

My favorite maturity-models-based framework is the OWASP ASVS which
could probably be applied to networks and non-web-based applications
very easily.  Although SSE-CMMI, ISM3, and others are also very
worthwhile.

I would avoid generic risk analysis frameworks such as FAIR, OCTAVE,
NSA IAM, NIST SP800-30, CSA, CRSA, et al for pen-testing purposes.
Generally, these are what you do *before* a pen-test.  You did do one
of these, correct?

Additionally, assuming time means nothing to you, I suggest checking
out DIACAP.  It's how the US DoD does IT-systems-risk/vulnerability
assessments.  The predecessor to DIACAP was DITSCAP, although I hear
rumors that these processes were based on either NSA IEM or OSSTMM (or
both).

I suggest taking a peek at:
http://blog.eiqnetworks.com/2008/11/20/puzzle-pieces-the-relationship-between-sox-coso-and-cobit/

I also suggest checking out the comments since I made a few there.

COBIT isn't ideal for pen-testing (I concur that OSSTMM is often a
good choice for this), but it can be used for pen-testing (as seen
from the long list above).  In fact, it certainly meets Jon's
requirements based on his examples.  It doesn't specify IPSec, but hey
- IPSec is *one* VPN encryption technology of many, including SSL VPN,
OpenVPN, SSH tunneling, Unisys Stealth, et al.

I honestly think you could take the above controls out of the COBIT
framework, turn them into a meaningful checklist for a pen-tester, and
get quite amazing results.

Cheers,
Andre
