Information System Security Assessment Framework (ISSAF)

The Information System Security Assessment Framework (ISSAF) methodology is supported by the Open Information Systems Security Group (OISSG).

Although it is no longer maintained and, therefore, a bit out of date, one of its strengths is that it links individual pentest steps with pentesting tools. It aims to provide a comprehensive guide in conducting a pentest and can be a good basis for developing your own custom methodology.

ISSAF breaks the pentesting project into three phases:

• Planning and preparation
• Assessment
• Reporting, clean-up and destroy artefacts

ISSAF Phase I: Planning and Preparation

This phase is brief and only describes the steps to exchange initial information, plan and prepare the test. It emphasises the need for a formal assessment agreement to be signed before any testing begins. The agreement provides the basis for this assignment and mutual legal protection, and specifies:

• The engagement teams
• Exact dates and times
• Escalation path
• Any other arrangements

Activities:

• Identify communication channels between the company and pentesting team
• Confirm scope, approach and methodology
• Agree to specific test cases and escalation paths

ISSAF Phase II: Assessment

This is the more useful phase – it’s relatively detailed and even describes some of the pentest tools to use. Targets are described as networks, hosts, applications, and databases. To some extent, it is out of date and not complete. We can use it as a starting point for the assessment phases in our pentest but not to govern the entire pentest framework.

ISSAF describes the individual assessment steps as ‘layers’ of pentesting:

• Information gathering – use both technical and non-technical methods to find out relevant information about the target
• Network mapping – identify all systems and resources within the target network
• Vulnerability identification – detect vulnerabilities in the targets
• Penetration – gain unauthorised access bypassing the security measures (get as wide access as possible)
• Gaining access and privilege escalation – get administrator-level privileges on the target (root the box)
• Enumerating further – obtain additional information about processes on the systems with the goal of exploiting the network/systems (moving laterally)
• Compromise remote users/sites – exploit the trust relationships and communication between remote users and enterprise networks
• Maintaining access – use covert channels, backdoors and rootkits to hide the hacker’s presence and provide continuous access to the system(s)
• Covering tracks – eliminate all signs of compromise by hiding files, clearing logs, defeating integrity checks and defeating antivirus software

ISSAF Targets

ISSAF also discusses the application of the layers (activities) on different types of targets. For each of these, the methodology provides some background information about the targets, their typical configurations, which attack tools to use and the assessment results which can be expected. The specific steps/examples in this section are out of date, so they will need to be adapted to the latest versions of the systems (OS, applications etc).

ISSAF Targets: Network Security

• Password security testing
• Switch security assessment
• Router security assessment
• Antivirus system security assessment and management strategy
• Storage Area Network (SAN) security
• Firewall security assessment
• Wireless Local Area Network (WLAN) security assessment
• Intrusion detection/prevention system security assessment
• Internet user security
• Virtual Private Network (VPN) security assessment
• AS 400 security
• Lotus notes security

ISSAF Targets: Host Security

• Unix/Linux system security assessment
• Windows systems security assessment
• Novell Netware security assessment
• Web server security assessment (not just the internet ones, but also the admin GUI for routers, etc)

ISSAF Targets: Application Security

• Web application security assessment (SQL injections)
• Source code auditing
• Binary auditing

ISSAF Targets: Database Security

• Remote enumeration of databases
• Brute-forcing of databases
• Process manipulation attack
• End-to-end audit of databases

ISSAF Targets: Social Engineering This section discusses mainly older and well-known techniques, though many of them are still quite effective.

ISSAF Phase III: Reporting

This phase discusses the communication channels and types of reports in the project. Two ways of reporting are proposed: verbal and written.

Verbal reporting is reserved only for critical and/or urgent issues. The verbal communication should be used in cases where issues are identified which require immediate attention and action. An example of that would be if during the penetration test we discover that the system is vulnerable and has been (or is currently being) compromised. A special case here is if we detect any illegal activities on the network and systems – in such cases, we might have to contact the legal authorities before (or even without) letting our client know.

The written report is the formal output of the penetration test. It could have different versions targeting different stakeholders in the organisation. It could also include information about the issues already discussed in the verbal report.

Under ISSAF, the written report would normally include:

• Management summary
• Project scope
• Pentest tools used
• Exploits used
• Date/time of the test
• All outputs of the tools and exploits
• A list of identified vulnerabilities
• Recommendations to mitigate identified vulnerabilities, sorted by priority

ISSAF Phase III: Clean-Up and Destroy Artefacts

This final part of the framework is quite brief and focuses on removing any artefacts left over from the pentest. It leaves the pentester free to choose how to encrypt, sanitise, and destroy data created during the pentest.

All information that is created and/or stored on the tested systems should be removed from these systems. If this is for some reason not possible from a remote system, all these files (with their location) should be mentioned in the technical report so that the client technical staff will be able to remove these after the report has been received

(Open Information Systems Security Group 2006)

Reference

_{Open Information Systems Security Group (2006) Information Systems Security Assessment Framework (ISSAF). OISSG}