1、 ETSI GS ISI 005 V1.1.1 (2015-11) Information Security Indicators (ISI); Guidelines for security event detection testing and assessment of detection effectiveness Disclaimer This document has been produced and approved by the Information Security Indicators (ISI) ETSI Industry Specification Group (I
2、SG) and represents the views of those members who participated in this ISG. It does not necessarily represent the views of the entire ETSI membership. GROUP SPECIFICATION ETSI ETSI GS ISI 005 V1.1.1 (2015-11) 2 Reference DGS/ISI-005 Keywords ICT, security ETSI 650 Route des Lucioles F-06921 Sophia A
3、ntipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The presen
4、t document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such version
5、s and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the curr
6、ent status of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be
7、reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restr
8、iction extend to reproduction in all media. European Telecommunications Standards Institute 2015. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of
9、its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI GS ISI 005 V1.1.1 (2015-11) 3 Contents Intellectual Property Rights 6g3Foreword . 6g3Modal verbs terminology 7g3Introduction 7g31 Scope 8g32 References 8g3
10、2.1 Normative references . 8g32.2 Informative references. . 8g33 Definitions and abbreviations . 9g33.1 Definitions 9g33.2 Abbreviations . 9g34 Objectives of security event detection testing 10g34.1 Assessment of detection effectiveness . 10g34.1.0 Introduction on assessment of detection effectivene
11、ss . 10g34.1.1 Examples of quantitative results . 10g34.1.1.1 Detection level 10g34.1.1.2 Coverage of events specified in ETSI GS ISI 001-1 . 10g34.1.1.3 False-positive rate . 10g34.1.2 Examples of qualitative results . 11g34.2 Conformity evaluation 11g34.3 Resistance to attacks . 11g35 Test framewo
12、rk 11g35.0 Introduction 11g35.1 Active vs. passive testing . 12g35.2 Active testing by stimulation 12g35.2.1 Objectives . 12g35.2.2 Testing strategy . 12g35.2.3 Stimulation location 12g35.2.3.0 Introduction on stimulation location . 12g35.2.3.1 Noise generation . 13g35.2.3.2 Generation of events . 1
13、4g35.2.3.3 Generation of the event effects 15g35.2.3.4 Generation of alerts . 16g35.3 Test methodology . 17g35.3.0 Introduction on test methodology . 17g35.3.1 Test planning 18g35.3.2 Test identification . 18g35.3.3 Test specification 19g35.3.4 Test generation 19g35.3.5 Test adaptation 19g35.3.6 Tes
14、t execution . 19g35.3.7 Test results analysis 19g35.4 Tests side-effects 19g35.4.0 Introduction on tests side-effects 19g35.4.1 Production disturbance . 19g35.4.2 Access to personal data . 19g35.4.3 Unwanted personal stress 20g35.5 Summary of the methodology for the generation of test scenarios 20g3
15、6 Instruments for stimulation (tools Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/ipr.etsi.org). Pursuant to the ETSI IPR Policy, no investigation, in
16、cluding IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Group Specification (GS) has
17、 been produced by ETSI Industry Specification Group (ISG) Information Security Indicators (ISI). The present document is included in a series of 6 ISI specifications. These 6 specifications are the following (see figure 1 summarizing the various concepts involved in event detection and interactions
18、between all specifications): - ETSI GS ISI 001-1 i.8 addressing (together with its associated guide ETSI GS ISI 001-2 i.12) information security indicators, meant to measure application and effectiveness of preventative measures, - ETSI GS ISI 002 i.9 addressing the underlying event classification m
19、odel and the associated taxonomy, - ETSI GS ISI 003 i.11 addressing the key issue of assessing an organizations maturity level regarding overall event detection (technology/process/ people) in order to evaluate event detection results, - ETSI GS ISI 004 i.10 addressing demonstration through examples
20、 how to produce indicators and how to detect the related events with various means and methods (with a classification of the main categories of use cases/symptoms), - ETSI GS ISI 005 addressing ways to test the effectiveness of existing detection means within an organization, which is a more detaile
21、d and a more case by case approach than ISI 003 i.11 one and which can therefore be complementary. GS ISG ISI Series Summary DefinitionReal eventsSecurity prevention measuresEvent detection measuresFake events (Simulation) Event reaction measuresDetectedeventsResidual risk (event model-centric visio
22、n)Figure 1: Positioning the 6 GS ISI against the 3 main security measures ETSI ETSI GS ISI 005 V1.1.1 (2015-11) 7 Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described
23、 in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. Introduction The purpose of the present document is to describe strategies and techniques to test security event
24、detection systems and to assess the effectiveness of such systems. The present document also includes few examples of tests scenarios. ETSI ETSI GS ISI 005 V1.1.1 (2015-11) 8 1 Scope The present document provides an introduction and guidelines for the development of tests to check the capabilities o
25、f security event detection systems. 2 References 2.1 Normative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest versi
26、on of the referenced document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ET
27、SI cannot guarantee their long term validity. The following referenced documents are necessary for the application of the present document. Not applicable. 2.2 Informative references. References are either specific (identified by date of publication and/or edition number or version number) or non-sp
28、ecific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long t
29、erm validity. The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 ISO 27004:2009: “Information technology - Security techniques - Information security management - Measurement“. i.2 IS
30、O/IEC/IEEE 29119-2: “Software and system engineering - Software Testing - Part 2 : Test process, 2013“. i.3 IEEE 829-2008: “Standard for Software and System Test Documentation“. i.4 Recommendation ITU-T X.294: “OSI conformance testing methodology and framework for protocol Recommendations for ITU-T
31、applications - Requirements on test laboratories and clients for the conformance assessment process“. i.5 ISO/IEC 15408: “Information technology - Security techniques - Evaluation criteria for IT security“. i.6 Common Weakness Enumeration (CWE). NOTE: Available at https:/cwe.mitre.org. i.7 Common At
32、tack Pattern Enumeration and Classification (CAPEC). NOTE: Available at https:/capec.mitre.org. i.8 ETSI GS ISI 001-1: “Information Security Indicators (ISI); Indicators (INC); Part 1: A full set of operational indicators for organizations to use to benchmark their security posture“. i.9 ETSI GS ISI
33、 002: “Information Security Indicators (ISI); Event Model A security event classification model and taxonomy“. ETSI ETSI GS ISI 005 V1.1.1 (2015-11) 9 i.10 ETSI GS ISI 004: “Information Security Indicators (ISI); Guidelines for event detection implementation“. i.11 ETSI GS ISI 003: “Information Secu
34、rity Indicators (ISI); Key Performance Security Indicators (KPSI) to evaluate the maturity of security event detection“. i.12 ETSI GS ISI 001-2: “Information Security Indicators (ISI); Indicators (INC); Part 2: Guide to select operational indicators based on the full set given in part 1“. i.13 DIAMO
35、NDS project deliverables. NOTE: http:/www.itea2-diamonds.org/_docs/D3_WP4_T1_v1_0_FINAL_initial_test_patterns_catalogue.pdf. i.14 A. Vouffo Feudjio:“A Methodology For Pattern-Oriented Model-Driven Testing of Reactive Software Systems“, PhD Thesis, February 2011. NOTE: http:/opus.kobv.de/tuberlin/vol
36、ltexte/2011/3103/pdf/vouffofeudjio_alaingeorges.pdf. i.15 OWASP-AT-003: “Testing for Default or Guessable User Account“. 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the terms and definitions given in ETSI GS ISI 001-1 i.8 and the following apply. stimula
37、tion: single or sequence of activities in order to produce a security event: security incident (e.g. installation of an unauthorized application) or introduction of a vulnerability (e.g. misconfiguration of a critical device) system under test: security event detection system or software to be teste
38、d system under monitoring: system where the security event detection system is installed test case: set of conditions or variables under which a tester will determine whether a system under test satisfies requirements or works correctly test pattern: expression of the essence of a well-understood so
39、lution to a recurring testing problem test priority: level of (business) importance assigned to a test case test selection: means of adapting Test Suites to the options supported by the Implementation and/or the priorities provided by the test developers, customer or other stakeholders or algorithms
40、 i.4 3.2 Abbreviations For the purposes of the present document, the following abbreviations apply: AV AntiVirus CAPEC Common Attack Pattern Enumeration and Classification (Mitre) CCHIT Certification Commission for Health Information Technology CIA Confidentiality Integrity Availability CPU Central
41、Processing Unit CVE Common Vulnerabilities and Exposures CWE Common Weakness Enumeration DNS Directory Name Service DOS Denial of service EICAR European Expert Group for IT-Security HTTP Hyper Text Transfer Protocol IDS Intrusion Detection System IETF Internet Engineering Task Force IPS Intrusion Pr
42、evention System ISO International Organization for Standardization ETSI ETSI GS ISI 005 V1.1.1 (2015-11) 10 IT Information Technology NIST National Institute of Standards and Technology (USA) OS Operating System PC Personal ComputerPIN Persona Identification number SFR Security Functional Requiremen
43、t SIEM Security Information and Event Management SQL Structured Query Language SSL Secure Socket LayerSUT System Under Test TCP Transport Control Protocol UML Unified Modelling Language URL Uniform Resource Locator XML Extensible Markup Language 4 Objectives of security event detection testing 4.1 A
44、ssessment of detection effectiveness 4.1.0 Introduction on assessment of detection effectiveness The objective of testing security event detection systems is to be able to assess the effectiveness of the detection functionality. This evaluation can be performed in a laboratory (the detection system
45、under test is not connected to an operational system) or in real operation (the detection system under test is connected to the real operational system). Detection capability testing can be done before the deployment of the detection system. Test campaigns can also be organized regularly to assess t
46、he sustainability of the detection capability. It should be noted that when detection capabilities are outsourced, specific audit clauses have to be defined in the contract. The result of the assessment is not a single result but a set of both quantities and qualitative data. 4.1.1 Examples of quant
47、itative results 4.1.1.1 Detection level This measurement determines the rate of security events detected correctly by the SUT in a given environment during a particular time frame. The accuracy of that detection level is directly based on the sample of events used to perform the measurement. Due to
48、the fact that as of today no standardized sample database exists, current published detection levels are not comparable between each other. The other reason why results are not comparable is due to the fact that the detection level is directly linked to the detection rules configured in the tools (I
49、DS, SIEM). The list of configured rules depends on each particular deployment and not on the installed tools. 4.1.1.2 Coverage of events specified in ETSI GS ISI 001-1 ETSI GS ISI 001-1 i.8 specifies a list of events that may be detected in order to generate accurate indicators. The measurement of the detection level could be the amount (in percent) of security events that the system under test can detect compared to the list specified in the ETSI GS ISI 001-1 i.8. 4.1.1.3 False-positive rate This measurement determine
