This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Category:Control"

From OWASP
Jump to: navigation, search
m (typo correction)
 
(5 intermediate revisions by 3 users not shown)
Line 1: Line 1:
== Modelo de Auditoría de sistemas:  ==
+
This category is a parent category used to track categories of controls (or countermeasure, security mechanisms).
  
Éste es un modelo universal para securizar en un alto grado de seguridad al sistema operativo.
+
{{Social Media Links}}
  
#Sistema de cifrado congelado: Mantiene en secreto la ubicación del archivo del sistema, previniendo ataques de tipo monitoreo de redes.  
+
==What is a control==
#OpenVAS: Línea de comandos para cifrar- descifrar el protocolo TCP/Ip
+
As an abstract category of concepts, it can be difficult to grasp where controls fit into the collection of policies, procedures, and standards that create the structures of governance, management, practices and patterns necessary to secure software and data.  Where each of these conceptual business needs is addressed through documentation with differing levels of specificity, it is useful to look at where controls fit in relation to these other structures. Security controls can be categorized in several ways.  One useful breakdown is the axis that includes administrative, technical and physical controls.  Controls in each of these areas support the others.  Another useful breakdown is along the categories of preventive, detective and corrective.
#Filtro Web: Previene intrusiones a través de puertos inseguros
 
#Clam Antivirus: Previene, detecta y corrige virus informático
 
  
<br>
+
ISACA defines control as the means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management, or legal nature.[1]
  
{| border="1" cellspacing="1" cellpadding="1" width="200" align="center"
+
While the ISACA COBIT standard is frequently referenced with regard to information security control, the design of the standard places its guidance mostly at the level of governance with very little that will help us design or implement secure software.  U.S. National Institute of Standards and Technology (NIST) Special Publication 800-53, ''Security and Privacy Controls for Federal Information Systems and Organizations'' is widely referenced for its fairly detailed catalog of security controls. It does not, however, define what a control should be.
|-
 
| Clam Antivirus
 
{| border="1" cellspacing="1" cellpadding="1" width="200" align="center"
 
|-
 
| Filtro Web
 
{| border="1" cellspacing="1" cellpadding="1" width="200" align="center"
 
|-
 
| OpenVAS
 
{| border="1" cellspacing="1" cellpadding="1" width="200" align="center"
 
|-
 
| Sistema de Cifrado Congelado
 
|}
 
  
|}
+
The Council on CyberSecurity Critical Security Controls list provides very little detail on specific measures we can implement in software.  Among the 20 critical controls we find "Application Software Security" with 11 recommended implementation measures:
  
|}
+
#Patching
 +
#Implement a Web Application Firewall (WAF)
 +
#Error checking all input
 +
#Use an automated scanner to look for security weaknesses
 +
#Output sanitization of error messages
 +
#Segregation development and production environments
 +
#Secure code analysis, manual and automated
 +
#Verify vendor security processes
 +
#Database configuration hardening
 +
#Train developers on writing secure code
 +
#Remove development artifacts from production code
  
|}
+
Of these 11, it is interesting to note that two relate to infrastructure architecture, four are operational, two are part of testing processes, and only three are things that are done as part of coding.
  
== Descripción softwares de auditoría ==
+
While many controls are definitely of a technical nature, it is important to distinguish the way in which controls differ from coding techniques. Many things we might think of as controls, should more properly be put into coding standards or guidelines.  As an example, NIST SP800-53 suggests five controls related to session management:
 +
*Concurrent Session Control
 +
*Session Lock
 +
*Session Termination
 +
*Session Audit
 +
*Session Authenticity
  
*El sistema de cifrado http://truecrypt.org cifra el núcleo del sistema operativo y los discos lógicos impidiendo ataques espía.
+
Note that three of these are included within the category of Access Controls. In most cases, NIST explicitly calls for the organization to define some of the elements of how these controls should be implemented.
  
*Los comandos shell http://openvas.org sirven para analizar protocolos de red, detección de virus y cifrado del protocolo IpV4-6
+
In contrast, the OWASP [[Session_Management_Cheat_Sheet]] does a very good job at illustrating session management implementation techniques and suggests some standards.  These kinds of standards and guidelines spell out specific implementation of controls.
  
*El filtro web http://freenetproject.org es una técnica que reemplaza al Firewall, discriminando puertos inseguros, ahorrando tiempo de procesamiento en el núcleo del sistema.
+
While different organizations and standards will write controls at differing levels of abstraction, it is generally recognized that controls should be defined and implemented to address business needs for security.  COBIT 5 makes this explicit by mapping enterprise goals to IT-related goals, process goals, management practices and activities.  The management practices map to items that were described in COBIT 4 as control objectives. Each organization and process area will define their controls differently, but this alignment of controls to objectives and activities is a strong commonality between different standards.  Activities are often the means by which controls are implemented.  They are written out in procedures that specify the intended operation of controls.  A procedure is not, in itself, a control.  A given procedure may address multiple controls and a given control may require more than one procedure to fully implement.
  
*Clamwin.com es un software de código abierto, no usa computación en la nube y tiene una GUI que detecta virus en línea http://sourceforge.net/projects/clamsentinel
+
So, we've found that the concept of a security control is hard to define clearly in a way that enables practitioners to begin writing controls and putting them to use.  Some definitions exist, but are open to wide interpretation and may not be adaptable to every need.  At this point we can hazard some statements that may provide further clarity. Control statements should be concisely worded to specify required process outcomes.  While this is very similar to a policy statement, policies are generally more oriented toward enterprise goals, whereas controls are more oriented toward process goals.
  
== Macroinformática  ==
+
A control differs from a standard in that the standard is focused on requirements for specific tools that may be used, coding structures, or techniques.
  
La macroinformática comprende eficiencia, seguridad y naturaleza. La eficacia de un sistema operativo se mide por la interacción hombre-máquina, sintetizando aplicaciones minimalistas y ejecutándolas nuestro sistema operativo procesará los datos eficientemente, ejemplos:
+
[[Image:Control_support.jpg]]
  
*Transmisión cifrada: Cliente e-mail con GnuPG
+
'''Figure 1''' - Relationship of control statements to control objectives and other documentation
  
http://fellowship.fsfe.org
+
Necessary controls in an application should be identified using risk assessment. [[Threat modeling]] is one component of risk assessment that examines the threats, vulnerabilities and exposures of an application.  Threat modeling will help to identify many of the technical controls necessary for inclusion within the application development effort.  It should be combined with other risk assessment techniques that also take into account the larger organizational impacts of the application.
  
*Sistema de cifrado: Cifra y descifra texto plano, imágenes, etc..
+
==Examples of controls==
 +
*[[Authentication]]
 +
*[[Authorization]]
 +
*[[Audit]]
 +
*[[Data_Security]]
 +
*[[Integrity]]
  
#ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.11.exe
+
==Further References==
#http://cryptophane.googlecode.com/files/cryptophane-0.7.0.exe
+
#Glossary. ISACA. http://www.isaca.org/Pages/Glossary.aspx?tid=2011&char=C As viewed on 24 May 2015.
 +
#''Cobit 5: Enabling Processes''. ISACA. (2012). http://www.isaca.org/COBIT/Pages/COBIT-5-Enabling-Processes-product-page.aspx
 +
# Joint Task Force Transformation Initiative. ''Security and Privacy Controls for Federal Information Systems and organizations''. Special Publication 800-53 revision 4. (2013) U.S. National Institute of Standards and Technology. http://dx.doi.org/10.6028/NIST.SP.800-53r4
 +
#Critical Security Controls. Center for Internet Security. Retrieved from http://www.cisecurity.org/critical-controls.cfm on 24 May 2015.
  
*Ruby: Lenguaje de programación experimental
+
{{Template:PutInCategory}}
  
http://ruby-lang.org
+
[[Category:Article Type]]
 
+
[[Category:OWASP ASDR Project]]
*J2re1.3.1_20: Ejecutable de objetos interactivos o applets
 
 
 
http://java.sun.com/products/archive/j2se/1.3.1_20/index.html
 
 
 
*Escritorio: Gestor de ventanas X11
 
 
 
http://windowmaker.info
 
 
 
*Gnuzilla: Navegador seguro y de uso libre
 
 
 
http://code.google.com/p/iceweaselwindows/downloads/list
 
 
 
*Gnupdf: Visor de formato de texto universal pdf
 
 
 
http://blog.kowalczyk.info/software/sumatrapdf
 
 
 
*Gnuflash: Jugador alternativo a flash player
 
 
 
http://gnu.org/software/gnash
 
 
 
*Zinf: Reproductor de audio
 
 
 
http://zinf.org
 
 
 
*Informática forense: Análisis de datos ocultos en el disco duro
 
 
 
http://sleuthkit.org
 
 
 
*Compresor: Comprime datos sobreescribiendo bytes repetidos
 
 
 
http://peazip.sourceforge.net
 
 
 
*Ftp: Gestor de descarga de archivos
 
 
 
http://dfast.sourceforge.net
 
 
 
*AntiKeylogger: Neutraliza el seguimiento de escritorios remotos (Monitoring)
 
 
 
http://psmantikeyloger.sourceforge.net
 
 
 
*Password manager: Gestión de contraseñas
 
 
 
http://passwordsafe.sourceforge.net
 
 
 
*Limpiador de disco: Borra archivos innecesrios del sistema
 
 
 
http://bleachbit.sourceforge.net
 
 
 
*Desfragmentador: Reordena los archivos del disco duro, generando espacio virtual
 
 
 
http://kessels.com/jkdefrag
 
 
 
*X11: Gestor de ventanas, reemplazo de escritorio Xwindow's
 
 
 
http://bb4win.org
 
 
 
*Open Hardware: Hardware construído por la comunidad Linux
 
 
 
http://open-pc.com
 
 
 
*Open WRT: Firmware libre para configurar transmisión de Internet
 
 
 
http://openwrt.org
 
 
 
*Gnu- Linux: Sistema operativo universal
 
 
 
http://gnewsense.org
 
 
 
== Biocriptoseguridad ==: Es la unión de la biología, criptografía y hacking ético para formar una defensa stándar contra virus complejos.
 
 
 
Implementación de la biocriptoseguridad informática:
 
 
 
#Amplificar la banda ancha
 
#Optimizar (limpiar- modificar) el sistema operativo
 
#Desfragmentar los discos lógicos
 
#Ocultar el sistema operativo
 
#Configurar antivirus
 
#Limpiar y desfragmentar
 
#Congelar
 
 
 
*Sistema inmune._ Defensa biológica natural contra infecciones como virus http://immunet.com
 
 
 
*Criptografía._ Método de escritura oculta por caractes, números y letras:—{H}/gJa¢K¡Ng÷752%\*)A>¡#(W|a— http://diskcryptor.net
 
 
 
*Hacking ético._ Auditoría de sistemas informáticos que preserva la integridad de los datos.
 
 
 
Congelador: Mantiene el equilibrio en la integridad de los datos, el sistema operativo, red , memoria ram, ciclos de CPU, espacio en disco duro e incidencias de malware
 
 
 
*http://code.google.com/p/hzr312001/downloads/detail?name=Deep%20systemze%20Standard%20Version%206.51.020.2725.rar&amp;can=2&amp;q= (para Window's)
 
*http://sourceforge.net/projects/lethe (para GNU/Linux)
 
 
 
<br>Auditoría de virus cifrado._ Un criptovirus se oculta tras un algoritmo de criptografía, generalmente es híbrido simétrico-asimétrico con una extensión de 1700bit's, burla los escáneres antivirus con la aleatoriedad de cifrado, facilitando la expansión de las botnet's. La solución es crear un sistema operativo transparente, anonimizarlo y usar herramientas de cifrado stándar de uso libre:
 
 
 
*Gnupg: Sirve para cifrar mensajes de correo electrónico http://gpg4win.org/download.html
 
 
 
*Open Secure Shell: Ofuscador TcpIp, protege el túnel de comunicación digital cifrando la Ip. http://openvas.org
 
 
 
*Red protegida: DNS libre http://namespace.org/switch
 
 
 
*Criptosistema simétrico: Encapsula el disco duro, incluyendo el sistema operativo,usando algoritmo Twofish http://truecrypt.org/downloads.php
 
 
 
*Proxy cifrado: Autenticación de usuario anónimo http://torproject.org
 
 
 
Energías renovables._ Son energías adquiridas por medios naturales: hidrógeno, aire, sol que disminuyen la toxicidad de las emisiones de Co2 en el medio ambiente, impulsando políticas ecologistas contribuímos a preservar el ecosistema. Ejm: Usando paneles solares fotovoltaicos.
 

Latest revision as of 01:13, 9 June 2015

This category is a parent category used to track categories of controls (or countermeasure, security mechanisms).


What is a control

As an abstract category of concepts, it can be difficult to grasp where controls fit into the collection of policies, procedures, and standards that create the structures of governance, management, practices and patterns necessary to secure software and data. Where each of these conceptual business needs is addressed through documentation with differing levels of specificity, it is useful to look at where controls fit in relation to these other structures. Security controls can be categorized in several ways. One useful breakdown is the axis that includes administrative, technical and physical controls. Controls in each of these areas support the others. Another useful breakdown is along the categories of preventive, detective and corrective.

ISACA defines control as the means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management, or legal nature.[1]

While the ISACA COBIT standard is frequently referenced with regard to information security control, the design of the standard places its guidance mostly at the level of governance with very little that will help us design or implement secure software. U.S. National Institute of Standards and Technology (NIST) Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations is widely referenced for its fairly detailed catalog of security controls. It does not, however, define what a control should be.

The Council on CyberSecurity Critical Security Controls list provides very little detail on specific measures we can implement in software. Among the 20 critical controls we find "Application Software Security" with 11 recommended implementation measures:

  1. Patching
  2. Implement a Web Application Firewall (WAF)
  3. Error checking all input
  4. Use an automated scanner to look for security weaknesses
  5. Output sanitization of error messages
  6. Segregation development and production environments
  7. Secure code analysis, manual and automated
  8. Verify vendor security processes
  9. Database configuration hardening
  10. Train developers on writing secure code
  11. Remove development artifacts from production code

Of these 11, it is interesting to note that two relate to infrastructure architecture, four are operational, two are part of testing processes, and only three are things that are done as part of coding.

While many controls are definitely of a technical nature, it is important to distinguish the way in which controls differ from coding techniques. Many things we might think of as controls, should more properly be put into coding standards or guidelines. As an example, NIST SP800-53 suggests five controls related to session management:

  • Concurrent Session Control
  • Session Lock
  • Session Termination
  • Session Audit
  • Session Authenticity

Note that three of these are included within the category of Access Controls. In most cases, NIST explicitly calls for the organization to define some of the elements of how these controls should be implemented.

In contrast, the OWASP Session_Management_Cheat_Sheet does a very good job at illustrating session management implementation techniques and suggests some standards. These kinds of standards and guidelines spell out specific implementation of controls.

While different organizations and standards will write controls at differing levels of abstraction, it is generally recognized that controls should be defined and implemented to address business needs for security. COBIT 5 makes this explicit by mapping enterprise goals to IT-related goals, process goals, management practices and activities. The management practices map to items that were described in COBIT 4 as control objectives. Each organization and process area will define their controls differently, but this alignment of controls to objectives and activities is a strong commonality between different standards. Activities are often the means by which controls are implemented. They are written out in procedures that specify the intended operation of controls. A procedure is not, in itself, a control. A given procedure may address multiple controls and a given control may require more than one procedure to fully implement.

So, we've found that the concept of a security control is hard to define clearly in a way that enables practitioners to begin writing controls and putting them to use. Some definitions exist, but are open to wide interpretation and may not be adaptable to every need. At this point we can hazard some statements that may provide further clarity. Control statements should be concisely worded to specify required process outcomes. While this is very similar to a policy statement, policies are generally more oriented toward enterprise goals, whereas controls are more oriented toward process goals.

A control differs from a standard in that the standard is focused on requirements for specific tools that may be used, coding structures, or techniques.

Control support.jpg

Figure 1 - Relationship of control statements to control objectives and other documentation

Necessary controls in an application should be identified using risk assessment. Threat modeling is one component of risk assessment that examines the threats, vulnerabilities and exposures of an application. Threat modeling will help to identify many of the technical controls necessary for inclusion within the application development effort. It should be combined with other risk assessment techniques that also take into account the larger organizational impacts of the application.

Examples of controls

Further References

  1. Glossary. ISACA. http://www.isaca.org/Pages/Glossary.aspx?tid=2011&char=C As viewed on 24 May 2015.
  2. Cobit 5: Enabling Processes. ISACA. (2012). http://www.isaca.org/COBIT/Pages/COBIT-5-Enabling-Processes-product-page.aspx
  3. Joint Task Force Transformation Initiative. Security and Privacy Controls for Federal Information Systems and organizations. Special Publication 800-53 revision 4. (2013) U.S. National Institute of Standards and Technology. http://dx.doi.org/10.6028/NIST.SP.800-53r4
  4. Critical Security Controls. Center for Internet Security. Retrieved from http://www.cisecurity.org/critical-controls.cfm on 24 May 2015.

How to add a new Control article

You can follow the instructions to make a new Control article. Please use the appropriate structure and follow the Tutorial. Be sure to paste the following at the end of your article to make it show up in the Control category:

[[Category:Control]]