40
Ben Christensen Senior Compliance Risk Analyst, Cyber Security Best Practices for Conducting Cyber Security Assessments June 5, 2014 CIPUG Meeting, Salt Lake City
Ben Christensen Senior Compliance Risk Analyst,
Cyber Security
Best Practices for Conducting Cyber Security Assessments June 5, 2014
CIPUG Meeting, Salt Lake City
2
• Why are security assessments important? • Types of security assessments • Risks related to security assessments • Best practices for security assessments • How security assessments can help with
CIP-005 & CIP-007
Agenda
3
• Help maintain CIP compliance • Verify security controls that should already
be in place • Define the risks associated with your cyber
security systems and how to mitigate them • Highlight your controls to help you
determine the risk to reliability
Benefits to Entities
4
• IT focuses on accidental outages, hardware failures, and uptime
• Security risk assessment is the analysis of issues relating directly to security threats
Traditional IT assessment vs. security risk assessment
5
Types of Assessments
Security audits
Policies, procedures, other admin controls
Change management
Architectural review
Penetration tests
Vulnerability assessments
6
Manual or systematic measurable technical assessment of how the organization's security policy is employed.
Security audits
7
• Looks at how effectively the security policy has been implemented
• Measure security policy compliance • Recommends solutions to deficiencies • May be performed through: o Informal self audits o Formal IT audits
Security audits
8
Components of a security audit File system security
Physical security
Ports & services
Installation/configuration
Security event logging
Account security
Backups & Disaster recovery
Network device restrictions
9
• Security assessment ultimately shows the effectiveness of policies
• Assess your policies to know how effectively they have been implemented
Policies, procedures and other administrative controls
10
Policies, procedures and other administrative controls
Documents • What are they? • How often are
they reviewed? • Acknowledge
adherence to • Who has them?
Training • Who is trained? • How often? • Does it
measure effectiveness?
Updates • Who makes the
updates? • How often are
they made? • How are
employees notified?
11
• Have you assessed how your change management is doing?
• Are personnel really following it? • How do you know?
Change management
12
• Is the change management performed on a regular basis?
• Is physical security part of the change management process?
• How are changes approved? • Where are changes documented? • Who signs off on the changes? • Who implements the changes?
Change management
13
• Review network artifacts o Network diagrams o Security requirements o Inventory
• Identify data flows • Identify controls • Identify gaps
Architectural review
14
Architectural review
Firewall review Remote access connections Process to evaluate risk of
opening ports and services?
Network devices Logging enabled? Restricted access? Remote admin
connections?
Current network diagram Physical
walkthrough Trace cables Look for modems
15
Attacking a computer system to find security weaknesses and to potentially gain access. Warning: penetration tests can have serious consequences to the systems involved!
Penetration testing
16
Penetration testing
Penetration Test
Planning & Preparation Gather Information & Analysis
Vulnerability Detection Penetration Attempt Analysis & Reporting
Clean Up
17
Penetration testing
Plan & Prep
• Scope • Duration • Decide who
to inform • Legal
agreements
Info Gathering & Analysis
• Get info about target
• Network survey
• Port scanning
Vulnerability Detection
• Determine vulnerabilities
• Manual vulnerability scanning
18
Penetration testing
Penetration Attempt
• Choose targets • Choose exploit • Password
cracking • Social
engineering • Physical
security
Analysis & Reporting
• Generate report • Analysis &
commentary • Highlight
vulnerabilities • Summary • Details • Suggestions
Clean Up
• Get rid of mess • List of actions • Verified by
organization
19
As documented by SANS, “Vulnerabilities are the gateways by which threats are manifested”. “A vulnerability assessment is a search for these weaknesses/exposures in order to apply a patch or fix to prevent a compromise”. http://www.sans.org/reading-room/whitepapers/basics/vulnerability-assessment-421
Vulnerability assessments
20
Vulnerability assessments
Catalog assets
Assign value and
importance
Identify vulnerabilities
or threats
Mitigate or eliminate
vulnerabilities
21
• Methods to counteract weaknesses o Use baselines o Patching o Vulnerability scanning o Following security advisors o Use perimeter defenses o Use intrusion detection systems and AV
Vulnerability assessments
22
• Vulnerability assessment uncovers the weaknesses and shows how to fix them
• Penetration test shows if someone can break in and what information they can get
Vulnerability assessments vs. Penetration test
Vulnerability Assessment
Penetration Test
23
• Depends on your requirements and goals • Security assessment might be too broad • Penetration test may not identify all
vulnerabilities and could cause harm • Can’t we just do the CVA as required for
CIP?
Which assessment should I use?
24
• Vulnerability assessment or penetration test might cause instability or harm to systems
• Penetration test might not uncover all your vulnerabilities
• You might incorrectly rely on results and assume you are secure
• Results may not be presented in a way to provide value
Risks of assessments
Best practices
• Assessment should provide value beyond the raw data – Analyze the data to see what it means for your
organization • Identify trends that highlight underlying
problems – Might reveal a bigger problem
26
• Use combination of techniques to provide a complete picture of your security o No one size fits all
• Use the techniques that best meet your requirements
• Provide answers in your assessment, not just problems
• Share what you learn with employees o Bring security to the forefront
Best practices
27
• The assessments presented today can work hand in hand with the CVA
• CIP Standards provide a minimum set of controls
• Consider performing these assessments in conjunction with your CIP-005 and CIP-007 obligations
CIP-005 and CIP-007
28
CVA Checklist
Review process • Do personnel know about the process? • Are personnel regularly trained on process? • Are personnel following the process?
Current inventory of devices • How do you account for changes? • Who updates the inventory? • Where is it stored?
29
CVA Checklist
Verify ports and services • Which tools will be used? • Are personnel trained on the tools? • How and where will the raw data be stored?
Discover all access points • Don’t forget multi-homed devices • Wireless • Physical walkthrough
30
CVA Checklist
Review controls for • Default accounts • Passwords • Network management & community strings
Results • How will the results be stored? • Where will the results be stored?
31
CVA Checklist
Plan to mitigate vulnerabilities • Who will implement fixes? • How will the fixes be implemented?
Execution status of action plan • When will the fixes be implemented? • Are dates current?
32
CIP-005 and CIP-007
Assessments Process
Ports and services
Default accounts Passwords
Community strings
Results & action plan
Additional Resources
34
• SANS – Implementing a Successful Security Assessment Process o http://www.sans.org/reading-
room/whitepapers/basics/implementing-successful-security-assessment-process-450
• NIST – Security Assessment Provider Requirements and Customer Responsibilities o http://csrc.nist.gov/publications/drafts/nistir-
7328/NISTIR_7328-ipdraft.pdf
Additional Resources
35
• SANS – Security Auditing: A Continuous Process o http://www.sans.org/reading-
room/whitepapers/auditing/security-auditing-continuous-process-1150
• NIST Special Publication 800-53 o http://nvlpubs.nist.gov/nistpubs/SpecialPublicati
ons/NIST.SP.800-53r4.pdf
Additional Resources
36
• SANS - Conducting a Penetration Test on an Organization o http://www.sans.org/reading-
room/whitepapers/auditing/conducting-penetration-test-organization-67
• SANS - Vulnerability Assessment o http://www.sans.org/reading-
room/whitepapers/basics/vulnerability-assessment-421
Additional Resources
37
• NIST - Technical Guide to Information Security Testing and Assessment o http://csrc.nist.gov/publications/nistpubs/800-
115/SP800-115.pdf • ISACA – Project: Vendor Security Risk
Assessment o http://www.isaca.org/Groups/Professional-
English/information-secuirty-management/GroupDocuments/Vendor%20Security%20Risk%20Assessment%20report.pdf
Additional Resources
38
• Dark Reading - How To Conduct An Effective IT Security Risk Assessment o http://www.darkreading.com/how-to-conduct-
an-effective-it-security-risk-assessment/d/d-id/1138995?
Additional Resources
39
Summary
Importance of assessments
Many types you can perform
Why you should go beyond the CVA
Best practices
Other resources
