Re: CoBIT a Security Audit Framework?

["SD List" <list () security-database com>]

Hi there,

As for myself, Cobit is not suitable for penetration tests. It has been
designed to give indicators and processes to better cover IT security in
general.
Cobit would say "auditors" or "IT staff" to perform security auditing
using "controls". And one of the best practices (controls) is to apply a
well developped penetration tests methodology. It happens to look that
"OSSTMM" is on the greatest "Pentest" procedure to follow.

Watch out, OSSTMM does not give people techniques to conduct pentests but
what you expect to find during each stage. The techniques are different
from each ethical hacker, auditor to another (or call it whatever you
want). What counts here is the Procedure to follow. When digging for
documents what you expect to find. Now, it is up to you to play with
google or use automated softwares (like Maltego).

So, dont try to map Cobit and Pentests. Cobit is not a technical framework
but global overview. The view from the top of the IT Organization
Security. Penetration tests is just a detail and a little part of
"Security assessment" phase.

Here is a list of some Cobit mappings
http://www.isaca.org/Template.cfm?Section=COBIT_Mapping1&Template=/ContentManagement/ContentDisplay.cfm&ContentID=30523

And the most suitable for you here is the mapping against NIST SP800-53.
But again, NIST SP800-53 is a set of best practices and requirements to
better develop and apply a security strategy.


Otherwise, i made some searches on Cobit 4.1. And the related topics to
everything security testing or vulnerabilities reviews are :

AI3.3 Infrastructure Maintenance
Develop a strategy and plan for infrastructure maintenance, and ensure
that changes are controlled in line with the organisation’s
change management procedure. Include periodic reviews against business
needs, patch management, upgrade strategies, risks,
vulnerabilities assessment and security requirements.

Chapter DS5 (Deliver and Support)

Especially this point :

DS5.5 Security Testing,Surveillance and Monitoring
Test and monitor the IT security implementation in a proactive way. IT
security should be reaccredited in a timely manner to ensure
that the approved enterprise’s information security baseline is
maintained. A logging and monitoring function will enable the early
prevention and/or detection and subsequent timely reporting of unusual
and/or abnormal activities that may need to be addressed.


Chapter ME (Monitor & Evaluate)

ME2.4 Control Self-assessment
Evaluate the completeness and effectiveness of management’s control over
IT processes, policies and contracts through a continuing
programme of self-assessment



Good Luck

Nabil Ouchn
security-database.com


> On Mon, 01 Dec 2008, Jon Kibler wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hello,
> >
> > <rant>
> >
> > And what REALLY gets me is that organizations expect you to be able to
> > do a PEN TEST using CoBIT! When I explain that something like OSSTMM is
> > a more correct framework for a PEN TEST (or even NIST 800-115 or
> > 800-53A), they don't want to hear it -- its gotta be CoBIT! They have so
> > many misunderstandings as to what CoBIT is and is not useful for, it is
> > incredible -- and they are not interested in learning anything
> > different.
> >
> > Who / what is driving this "CoBIT is the only acceptable IT Security
> > audit framework" mentality and what can we do to change it?
> >
> > </rant>
>
>
> I should have been a little more clear on my initial post so
> apologies for the second email on this. You're comparing
> apples and oranges here. ISECOM's OSSTMM framework is great
> for the penetration tester and for the testing methodologies
> used, especially for the verification purposes however it is
> solely a pentesting framework. Your client is probably under-
> clued with the differences and wants to maintain CoBIT
> compliance, keeping in tune with the checks and balances of
> CoBIT's framework.
>
> If you have the modules' information, they correlate them
> for your client on how you will match them up so they can
> understand the difference in your testing and how it maps
> into the CoBIT framework. In either case of whatever a
> company is choosing, there will be overlap, there will be
> one over the other, but the bottom line for those asking
> for it is likely a need to maintain compliance with the
> CoBIT framework. It is a lot more than meets the eye and
> is well structured on the information security scale to
> both macro and micro manage many portions of security
> frameworks.
>
> Irrespective of the testing methodologies used, there is
> one end result and its this result that is likely what
> your client is worried about. Cobit maps most of the
> given frameworks and models and exceeds a lot of them,
> when you understand it a little better, you'll likely
> see the disconnect in someone asking for a pentest to
> help make sure the company is CoBIT compliant:
>
> Search ISACA for the term mapping it will give you a
> clearer picture of the mappings and overlap with the
> following:
>
> ITIL, CMM, ISO 17799, PMBOK, PRINCE2, NIST SP800-53, TOGAF
>
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP
>
> "Each player must accept the cards life deals him
> or her: but once they are in hand, he or she alone
> must decide how to play the cards in order to win
> the game." Voltaire
>
> 227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Security Trends Report from Cenzic
> Stay Ahead of the Hacker Curve!
> Get the latest Q2 2008 Trends Report now
>
> www.cenzic.com/landing/trends-report
> ------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------