IT Baseline Protection Manual - The Information Warfare Site
19.12.2012 Views
Share Embed Flag

IT Baseline Protection Manual - The Information Warfare Site

IT Baseline Protection Manual - The Information Warfare Site

IT Baseline Protection Manual - The Information Warfare Site

SHOW MORE
SHOW LESS
ePAPER READ
DOWNLOAD ePAPER
iwar.org.uk

You also want an ePaper? Increase the reach of your titles

YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.

START NOW

Safeguard Catalogue - Organisation Remarks<br />

____________________________________________________________________ .........................................<br />

<strong>The</strong> test object or the test environment can be damaged or impaired by<br />

penetration tests. To ensure that such damage does not have any<br />

repercussions, backups should be made before penetration tests are carried<br />

out.<br />

Penetration tests can be supported by the use of security configuration- and<br />

logging tools. <strong>The</strong>se tools examine a system configuration and search for<br />

common flaws such as, for example, generally legible files and missing<br />

passwords.<br />

Using penetration tests, the product should be examined for design flaws by<br />

employing the same methods a potential ‘invader’ would use to exploit weak<br />

points, such as, for example,<br />

- changing the pre-defined command sequence,<br />

- executing an additional function,<br />

- direct or indirect reading, writing or modification of internal data,<br />

- execution of data whose execution is not planned,<br />

- use of a function in an unexpected context or for an unexpected purpose,<br />

- activation of the error recovery,<br />

- use of the delay between the time of checking and the time of use,<br />

- breaking the sequence by interrupts, or<br />

- generating an unexpected input for a function.<br />

<strong>The</strong> mechanism strengths are defined using the terms specialised knowledge,<br />

opportunities and operating resources. <strong>The</strong>se are explained in more detail in<br />

<strong>IT</strong>SEM. For example, the following rules can be used for defining mechanism<br />

strength:<br />

- If the mechanism can be mastered by a lay person alone within minutes, it<br />

cannot even be classified as low.<br />

- If a successful ‘invasion’ can be carried out by anyone except a lay person,<br />

the mechanism must be classified as low.<br />

- If an expert is required for a successful ‘invasion’ and the expert takes<br />

some days with the available equipment, the mechanism must be classified<br />

as medium.<br />

- If the mechanism can only be mastered by an expert with special<br />

equipment and the expert takes months to do it and has to come to a secret<br />

arrangement with a system manager, it must be classified as high.<br />

It must be ensured that the tests carried out cover all specific security<br />

functions. It is important to note that only errors or differences from the<br />

specifications can ever be determined by testing, never the absence of errors.<br />

Typical aspects of investigation can be shown by a number of examples:<br />

____________________________________________________________________ .........................................<br />

<strong>IT</strong>-<strong>Baseline</strong> <strong>Protection</strong> <strong>Manual</strong>: Oktober 2000

logo

products

Resources

Company

Terms of service
Privacy policy
Cookie policy
Cookie settings
Imprint
Change language
Made with love in Switzerland
© 2024 Yumpu.com all rights reserved

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!