1.4 Information Security Methodologies (Black-box, White-box, Grey-box)
1.4.1 Need for a Methodology
Audits need to be planned and have a certain methodology to cover the total material risks of an organisation. A
planned methodology is also important as this clarifies the way forward to all in the organisation and the audit
teams. Which methodology and techniques is used is less important than having all the participants within the audit
approach the subject in the same manner.
There are two primary methods by which audits are performed. Start with the overall view of the corporate structure
and drill down to the minutiae; or begin with a discovery process that builds up a view of the organization.
Audit methods may also be classified according to type of activity. These include three types
A. Testing – Pen tests and other testing methodologies are used to explore vulnerabilities. In other words,
exercising one or more assessment objects to compare actual and expected behaviours.
B. Examination and Review – This include reviewing policies, processes, logs, other documents, practices,
briefings, situation handling, etc. In other words checking, inspecting, reviewing, observing, studying, or
analysing assessment objects
C. Interviews and Discussion – This involves group discussions, individual interviews, etc.
The three methods combine together to form an effective methodology for an overall audit.
1.4.2 Auditing techniques:
There are various Auditing techniques used:
Examination techniques, generally conducted manually to evaluate systems, applications, networks, policies, and
procedures to discover vulnerabilities. These techniques include:
• Documentation review
• Log review
• Ruleset and system configuration review
• Network sniffing
• File integrity checking
Target Identification and Analysis Techniques
Testing techniques generally performed using automated tools used to identify systems, ports, services, and
potential vulnerabilities. They techniques include
• Network discovery
• Network port and service identification
• Vulnerability scanning
• Wireless scanning
• Application security examination
Page | 5
Target Vulnerability Validation Techniques
Testing techniques that corroborate the existence of vulnerabilities, these may be performed manually or with
automated tools. These techniques include
• Password cracking
• Penetration testing
• Social engineering
• Application security testing
Organisations use a combination of these techniques to ensure effectiveness and meeting the objectives of the
1.4.3 Security Testing Frameworks:
There are numerous security testing methodologies being used today by security auditors for technical control
Four of the most common are as follows:
- Open Source Security Testing Methodology Manual (OSSTMM)
- Information Systems Security Assessment Framework (ISSAF)
- NIST 800 – 115
- Open Web Application Security Project (OWASP)
1.4.4 Audit Process:
A successful audit will minimally:
- Establish a prioritized list of risks to an organization.
- Delineate a plan to alleviate those risks.
- Validate that the risks have been mitigated.
- Develop an ongoing process to minimize risk.
- Establish a cycle of reviews to validate the process on a perpetual basis.
Every successful audit has common properties:
Define the security perimeter – what is being examined?
Describe the components – and be detailed about it.
Determine threats – what kinds of damage could be done to the systems
Delineate the available tools – what documents and tools are in use or need to be created?
Reporting mechanism – how will you show progress and achieve validation in all areas?
Review history – is there institutional knowledge about existing threats?
Determine Network Access Control list – who really needs access to this?
Prioritize risk – calculate risk as Risk = probability * harm
Delineate mitigation plan – what are the exact steps required to minimize the threats?
Implement procedures – start making changes.
Review results – perform an AAR on the audit process.
Rinse and repeat – schedule the next iteration of the process.