Auditing DDoS Resilience

Distributed Denial of Service (DDoS) attacks have become more frequent in recent years, driven by economic hardship and by religious and political motives. This checklist is intended as a basic-to-intermediate reference for information security professionals who need to protect their organization's critical IT assets against such attacks.

The checklist was prepared from a 'PPT' perspective: People, Process and Technology.

1. Study the organization chart to identify:

a. The persons responsible for each of the organization's critical assets

b. Their roles and responsibilities

2. Check whether employees have been through a background check, such as:

a. Employment verification and character profiling

b. Educational verification

3. Check whether staff are properly trained in current technologies and tools. Verify:

a. Training records

b. Knowledge management: how staff share knowledge with their peers, whether a mechanism exists for doing so, and whether that mechanism is documented

4. Check whether a proper security policy exists

a. Check the version number and the date of the last update

b. Check that the policy is reviewed and updated regularly

c. Verify that updates are made by the responsible personnel and go through a process of review and discussion

d. Cross-check with randomly selected employees to see whether they are aware of the security policies and procedures

e. Check whether there is an endpoint security management policy

5. Change management procedures

a. Check whether the organization has a documented roles-and-responsibilities chart for change management

b. Check staff awareness of the change management policy

c. Check the documentation of emergency change management procedures

6. Incident management procedures

a. Check whether an incident management policy is in place

b. Review the documentation date and the periodicity of updates

c. Check whether focal points have been identified for incident management communication

d. Conduct short quizzes with pointed questions for the help desk and other staff to check their awareness of incident management

7. Help desk management

a. Are clear roles and responsibilities identified for the help desk staff?

b. Are they trained in incident management and change management?

c. Verify training documentation

d. Check their awareness levels

8. Patch management policy

a. Check whether patching is handled through the change management mechanism

b. Do patch deployments go through the Change Advisory Board (CAB)?

c. How are emergency and critical patches installed? Verify that proper processes and procedures are in place for tracking and recording them

d. Check whether the organization has established release management procedures for patches

e. Verify that they maintain a list of the critical assets that need to be patched

f. Check the log of patches applied to those assets and confirm that it tallies with the change management and release management records and dates

g. Are owners, those in charge and team members identified, or does a single person take care of all the patching?
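Item 8f is a reconciliation exercise: every patch in the installation log should correspond to an approved change, and every approved change should show up in the log around its scheduled release date. The following script is an added example of that cross-check and is not part of the original article. The asset names, patch IDs, change IDs and dates are constructed for illustration, the two-day tolerance is an assumed audit threshold, and the handling of emergency changes (installed before CAB approval, to be checked against the emergency procedure paperwork) reflects item 8c.

```python
from dataclasses import dataclass
from datetime import date

# Added example for checklist item 8f: reconcile the patch log against
# change/release records. All identifiers and records below are constructed
# for illustration; they are not data from the original article.


@dataclass(frozen=True)
class PatchRecord:
    """One line from the patch/installation log."""
    asset: str
    patch_id: str
    installed_on: date


@dataclass(frozen=True)
class ChangeRecord:
    """One approved change (CAB ticket) with its scheduled release date."""
    change_id: str
    asset: str
    patch_id: str
    approved_on: date
    scheduled_release: date
    emergency: bool = False   # approved via the emergency change procedure


# Constructed sample data (hypothetical asset names, patch and change IDs).
INSTALLED_PATCHES = [
    PatchRecord("web-01", "PTCH-101", date(2024, 2, 14)),  # matches CHG-0001
    PatchRecord("web-01", "PTCH-102", date(2024, 2, 14)),  # no change record at all
    PatchRecord("db-01", "PTCH-103", date(2024, 2, 20)),   # 6 days after scheduled release
    PatchRecord("fw-01", "PTCH-105", date(2024, 2, 9)),    # emergency: installed before CAB approval
]

APPROVED_CHANGES = [
    ChangeRecord("CHG-0001", "web-01", "PTCH-101", date(2024, 2, 10), date(2024, 2, 14)),
    ChangeRecord("CHG-0002", "db-01", "PTCH-103", date(2024, 2, 10), date(2024, 2, 14)),
    ChangeRecord("CHG-0003", "db-01", "PTCH-104", date(2024, 2, 10), date(2024, 2, 14)),  # never installed
    ChangeRecord("CHG-0004", "fw-01", "PTCH-105", date(2024, 2, 12), date(2024, 2, 12), emergency=True),
]


def reconcile(installed, changes, tolerance_days=2):
    """Cross-check installed patches against approved changes.

    Returns a dict of findings, keyed by category:
      matched      - installed within tolerance of the scheduled release
      unauthorised - installed with no approved change record (8a/8b breach)
      off_schedule - installed, but outside the release window (8d)
      emergency    - installed before approval under an emergency change (8c)
      not_applied  - approved change with no matching install (8e)
    If several change records exist for the same asset/patch the last one wins;
    a real audit would list all of them.
    """
    by_key = {(c.asset, c.patch_id): c for c in changes}
    findings = {k: [] for k in ("matched", "unauthorised", "off_schedule", "emergency", "not_applied")}
    seen = set()

    for p in installed:
        key = (p.asset, p.patch_id)
        change = by_key.get(key)
        if change is None:
            findings["unauthorised"].append((p.asset, p.patch_id))
            continue
        seen.add(key)
        if change.emergency and p.installed_on < change.approved_on:
            # Allowed only if the emergency procedure was followed; list it so the
            # auditor can ask for the retrospective approval paperwork.
            findings["emergency"].append((p.asset, p.patch_id, change.change_id))
            continue
        drift = abs((p.installed_on - change.scheduled_release).days)
        if drift > tolerance_days:
            findings["off_schedule"].append((p.asset, p.patch_id, change.change_id, drift))
        else:
            findings["matched"].append((p.asset, p.patch_id, change.change_id))

    for c in changes:
        if (c.asset, c.patch_id) not in seen:
            findings["not_applied"].append((c.asset, c.patch_id, c.change_id))

    return findings


if __name__ == "__main__":
    for category, items in reconcile(INSTALLED_PATCHES, APPROVED_CHANGES).items():
        print(f"{category}: {items}")
```

Each finding category maps back to a checklist question: an "unauthorised" entry means the patch bypassed change management (8a/8b), an "off_schedule" entry means release management dates were not honoured (8d), an "emergency" entry is the cue to request the emergency-change record (8c), and "not_applied" entries show approved fixes missing from critical assets (8e). Exporting the two lists from the patching tool and the ticketing system as CSV and loading them into these record types is the only adaptation needed to run this against real data.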

9. Risk management of the change management and release management processes must be documented

a. Verify that a proper process has been established to assess the impact of changes

b. Verify that a risk management program exists in the first place, with periodic reviews conducted at regular intervals

c. Do the patches being installed go through a risk assessment phase?

10. Perform a vulnerability assessment to test the critical systems and networks against the latest threats and vulnerabilities

a. Test the critical applications for known vulnerabilities and, as far as the tooling allows, for previously unknown ones.

b. Test the systems under review for known process weaknesses and vulnerabilities.

c. Verify that best practices are followed in line with leading industry standards such as those published by NIST.

d. Verify that software is developed in line with a defined Software Development Life Cycle (SDLC).

e. Verify that software under development goes through stress testing and penetration testing; for DDoS resilience the stress test should drive load well beyond the expected peak, not just the normal operating level.

f. Verify that a threat management system or team is in place to protect the software against known and unknown threats.

g. Has software development been outsourced? If so, check that there is a stringent SLA under which the developer has agreed to follow the SDLC, the change and release management processes, the organization's patching policy, and its security policies and procedures.

h. Check that there is a stringent Service Level Agreement with the vendor, under which the vendor responds immediately to block threats during an incident and restores normal operation as early as possible.

i. Verify the backup policies against current standards, and review the backup logs, restoration test logs and their outcomes.

Overall, being resilient to DDoS attacks requires a multi-pronged approach. As these attacks increase in frequency and grow more complex, new trends will emerge over time and this checklist will need to be improved upon.

Note: This article is adapted from the ISACA UAE magazine, to which this author is a main contributor. Changes have been made in certain areas and a new parameter introduced to match current standards.

Reference: www.isacauae.org