Penetration testing in accordance with the requirements of the STO BR IBBS-1.0-2014

Today we will talk about conducting penetration testing in accordance with the requirements of the STO BR IBBS-1.0-2014 on our own.

Order of the Bank of Russia of 10.07.2014 N -556 http://www.consultant.ru/document/cons_doc_LAW_165504/ “On the implementation of recommendations in the field of standardization of the Bank of Russia“ Ensuring the information security of organizations of the banking system of the Russian Federation. Ensuring information security at the stages of the life cycle of automated banking systems ”from September 1, 2014, the Recommendations in the field of standardization of the Bank of Russia“ Ensuring the information security of organizations of the banking system of the Russian Federation ”were put into effect. Ensuring information security at the stages of the life cycle of automated banking systems "RS BR IBBS-2.6-2014" http://www.cbr.ru/credit/Gubzi_docs/rs-26-14.pdf (although the document is only advisory in nature, in essence, serves as a guide to action).

In accordance with the requirements of Clause 7.3 “General Requirements for Ensuring the Information Security of Automated Banking Systems at Life Cycle Stages” of the Bank of Russia Standard “Ensuring the Information Security of Organizations of the Banking System of the Russian Federation. General provisions "organizations of the banking system of the Russian Federation are required to take measures to ensure the information security of automated banking systems (ABS) at all stages of their life cycle.
')
The following life cycle stages are distinguished:

• development of technical specifications;
• design;
• creation and testing;
• acceptance and commissioning;
• exploitation;
• maintenance and modernization;
• decommissioning.

Let us consider in more detail those stages of the life cycle, within the framework of which penetration testing is recommended.

At the stage of acceptance and commissioning, in particular, in the framework of pilot operation, it is recommended to conduct a comprehensive assessment of security, including penetration testing and identifying known vulnerabilities of ABS components (Section 9.5 of RS BR IBBS-2.6-2014). At the operational stage, it is also necessary to carry out a periodic assessment of the security of the ABS and to monitor and respond to ABS vulnerabilities (para 10.1 of the RS BR IBBS-2.6-2014). And finally, at the stage of modernization of the ABS, it is recommended to conduct a comprehensive assessment of security in the required volume (clause 11.3 of RS BR IBBS-2.6-2014).

An indisputable advantage of RS BR IBBS-2.6-2014 is the description of typical flaws in the implementation of security functions of automated systems, as well as recommendations for conducting security assessments and monitoring the settings of technical protective measures (detection of configuration errors). But for obvious reasons, the document does not contain a step-by-step guide for the implementation of these activities. How, in this case, should the employees responsible for ensuring information security in their organization be guided by? Where can I get the necessary information / knowledge?

For penetration testing, there are techniques and recommendations in which it is described in detail for which it is necessary to carry out pentest, as well as with what. The following can be distinguished from the current ones:

• Open Source Security Testing Methodology Manual (OSSTMM) http://www.isecom.org/research/osstmm.html
• NIST SP 800-115 Technical Guide to Information Security Testing and Assessment (NIST SP 800-115). http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
• Penetration Testing Execution Standard (PTES) http://www.pentest-standard.org/
• OWASP Testing Guide https://www.owasp.org/index.php/OWASP_Testing_Project

For tracking of published messages about software vulnerabilities in RS BR IBBS-2.6-2014, there are already links to useful resources. You can add to them:

• software vulnerability mailing list (bugtrack) SecurityFocus http://www.securityfocus.com/archive/1
• SecLists.Org http://seclists.org/bugtraq/
• CVE Vulnerability Database http://www.cvedetails.com/
• Open Source Vulnerabilities Data Base (OSVDB) http://osvdb.org/
• FSTEC of Russia information security threats data bank http://www.bdu.fstec.ru
• Vulnerability Database Secunia http://secunia.com/community/advisories/historic/
• Bugs Collector vulnerability database (including unpatched) https://bugscollector.com/
• XSSposed.org XSS vulnerability database (including unpatched) https://www.xssposed.org/
• Microsoft Security Bulletins https://technet.microsoft.com/security/bulletin/

The National Checklist Program instructions https://web.nvd.nist.gov/view/ncp/repository and CIS Security Benchmarks http://benchmarks.cisecurity.org help you to install (check) secure settings for operating systems and software.

The result of the above work is to increase business resilience by reducing information security risks and meeting not only the requirements of the recognized industry standard, which is STO BR IBBS, but also legislative requirements, including the requirements of the Federal Law “On Personal Data”.

What if an employee lacks or does not have enough knowledge to conduct penetration testing?

In this case, you can contact us. Pentestit provides initial and professional training in penetration testing .