Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: CoBIT a Security Audit Framework?
From: "Andre Gironda" <andreg () gmail com>
Date: Mon, 1 Dec 2008 18:39:55 -0700

On Mon, Dec 1, 2008 at 12:14 PM, J. Oquendo <sil () infiltrated net> wrote:
Another short list, taken from information from the BITS Shared
Assessments V3WP document, which maps controls:
AI2.3
AI2.4
AI3.3
AI4.4
AI6.2
AI7.7
PO2.3 Data Classification Scheme
PO2.4 Integrity Management
PO4.8 Responsibility for Risk, Security and Compliance
PO4.9 Data and System Ownership
PO4.10 Supervision
PO4.11 Segregation of Duties
PO5.1
PO6.1
PO6.2
PO9.3 Event Identification
PO9.4 Risk Assessment
PO9.5 Risk Response
PO9.6 Maintenance and Monitoring of a Risk Action Plan
DS5.5
DS5.6
DS5.7
DS5.8
DS8.1
DS8.2
DS8.3
DS8.4
DS8.5
DS9.2
DS10.1
DS10.2
DS10.3
But wait... That's not even breaking the ice. Of all the frameworks
in place, CoBIT overlaps many and exceeds them all by all means.

It's a good _control_ framework (a checklist, "quants").  It doesn't
specify principles or "qualities".  There are other, better frameworks
that do that (or do both).  Other types of frameworks include maturity
models.  I wouldn't compare control frameworks to principle-based
ones, or maturity-model based ones.  Additionally, some frameworks are
a mix of principles, controls, and models that can only be compared
against other, similarly structured frameworks.

If I were to compare COBIT against other similar _control-based_
frameworks, I would rate them in my order of preference when in use
along with penetration-testing (if that is the goal):
BITS Shared Assessments SIG
SIG-Lite
ISO27002
ITCG
COBIT
PCI-DSS
Others (e.g. COSO, CoCo, FISCAM)

The above doesn't make COBIT look that great, but it's really not that
great... it's really out of date to today's standards, IMO.

I'm also not saying that it is better than PCI-DSS (clearly there are
lots of good/bad things in PCI-DSS), but it is very agnostic and very
complete in comparison.

If you want to look at frameworks that include a nice mix of
principles and controls, see:
ISO27000
NSA IEM (specific to pen-testing) and Red-Team Methodology (duh)
OSSTMM (specific to pen-testing)
NIST SP800-115 (specific to pen-testing)
ISSAF (specific to pen-testing)
Others (ITIL, NIST SP800-53, GASSP, SSAG, et al)

My favorite maturity-models-based framework is the OWASP ASVS which
could probably be applied to networks and non-web-based applications
very easily.  Although SSE-CMMI, ISM3, and others are also very
worthwhile.

I would avoid generic risk analysis frameworks such as FAIR, OCTAVE,
NSA IAM, NIST SP800-30, CSA, CRSA, et al for pen-testing purposes.
Generally, these are what you do *before* a pen-test.  You did do one
of these, correct?

Additionally, assuming time means nothing to you, I suggest checking
out DIACAP.  It's how the US DoD does IT-systems-risk/vulnerability
assessments.  The predecessor to DIACAP was DITSCAP, although I hear
rumors that these processes were based on either NSA IEM or OSSTMM (or
both).

I suggest taking a peek at:
http://blog.eiqnetworks.com/2008/11/20/puzzle-pieces-the-relationship-between-sox-coso-and-cobit/

I also suggest checking out the comments since I made a few there.

COBIT isn't ideal for pen-testing (I concur that OSSTMM is often a
good choice for this), but it can be used for pen-testing (as seen
from the long list above).  In fact, it certainly meets Jon's
requirements based on his examples.  It doesn't specify IPSec, but hey
- IPSec is *one* VPN encryption technology of many, including SSL VPN,
OpenVPN, SSH tunneling, Unisys Stealth, et al.

I honestly think you could take the above controls out of the COBIT
framework, turn them into a meaning checklist for a pen-tester, and
get quite amazing results.

Cheers,
Andre

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault