Security Audit at Jackson County
OACDP Summer Conference 2002
Stan Liss – Information Security Consultant
Marc Christensen – Director of Information Technology
Housekeeping Issues
• Duration: 75 minutes +/-
• Questions/Comments: Early & Often
Background
• Risk of losses from security breaches increasing
• County Government at increased risk
– E-government
– Sensitive information
– HIPAA
• Unwanted disruption or denial of service
• The unauthorized use of a system for the processing or storage of data
• Changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent
• Attempts (either failed or successful) to gain unauthorized access to a system or its data
Computer Security Institute/FBI Survey for 2001
• “…the threat from computer crime and other information security breaches continues unabated and…the financial toll is mounting.”
• 538 organizations surveyed; 85% suffered breaches
• 64% suffered financial losses; the 35% willing to disclose an amount reported $377,828,700.
Report: U.S. Businesses Skimp on Cyberattack Protections
• “…cybersecurity (typically observed) today is far worse than what best practices can provide.”
• “…shortchanging security could be catastrophic for companies…”
National Academy of Sciences, Computer Science and Telecommunications Board – January 2002.
Background
• Jackson County desired a baseline assessment
• Outsourced services vs. in-house
– Objectivity
– Skill set
– Time constraints
RFP Overview
• Provide sufficient information for bidders to define a tangible scope of work
– Scope
– Goal
• Prioritize the specific aspects of the audit work you wish to focus bidders’ attention on
– Audit Objectives
RFP - Audit Objectives
• Try to make these as specific as practicable
• Determine the standard to follow, and specify that the auditor must assess to that standard. Examples:
– National Institute of Standards and Technology (NIST) Security Self-Assessment Guide
– ISO 17799 International Security Standard
RFP – Due Diligence
• Mandatory items of the proposal
– Allow selection committees to “separate the wheat from the chaff”
– Consider pre-requisites, for example:
• No less than X years performing this kind of service
• CISSP certification
• No less than X audits performed in the last 12 months
Evaluation and Selection
• The goal: compare “apples with apples”
– The guidelines of the RFP will largely determine the ease (objectivity) of selecting the successful bidder
The Audit
• First, let’s look at an overview of what Information Security Audits should address…
Security vs. Privacy
• Different issues
• “…think of privacy as the use of data by someone you gave it to, and security as the theft of the data…by the unknown third party.”
Fred H. Cate, professor of law, Indiana University
Important Security Definitions
• Confidentiality, Integrity, Availability (CIA)
– the three properties of your data/information that an attack can compromise: disclosure to the wrong party, unauthorized modification, and loss of access
Important Security Definitions
• Denial of Service (DoS)
– typically a flood of packet traffic that clogs the network, rendering some or all services inaccessible
Important Security Definitions
• Owned (“to be owned”)
– total loss of administrative rights to a given system, often a web server or email server (stems from the attacker having “root”)
Impact
• Losing CIA or being owned
– Down-time
– Embarrassment, loss of constituency confidence
– Potential legal liability if your servers are used in a distributed attack or your negligence causes a CIA loss for a constituent or another business
Distributed Denial of Service: Legal Risks
• “…experts say it’s only a matter of time before juries have to decide whether companies that are victims of a security breach can be held liable for having inadequate security.”
“See You in Court,” Sarah D. Scalet, CIO Magazine November 1, 2001
General Threats: Major Types of Attacks
• Disaster
– Physical damage (fire/flood/earthquake, etc.)
• Cracking (Criminal Hacking)
– Breaking into a system through direct electronic attack, or breaking the copyright protections on intellectual property.
• Spoofing
– Altering the content or apparent origin of information, such as faking an email origin or altering a web site.
• Snooping
– Intercepting information through physical or electronic methods without the knowledge of the recipient or the sender.
General Threats: Major Types of Attacks (cont.)
• Denial of Service
– Preventing your systems from functioning through a weakness or a simple traffic-volume attack.
• Malicious Software
– Viruses, hostile applets, web bugs, Trojan horses, unsecured remote control.
– Increasing in danger as people increase their methods of interaction.
• Social Engineering
– Involves the manipulation of people, rather than computers, to reveal confidential information.
How we conducted the audit
• Pre-launch meeting
• Information Security Policy review
• Remote testing
• Social engineering
• Physical security
• Internal security
• Compile results
• Formal presentation
For each element assessed
• Vulnerabilities found
• Each assigned to a risk category
– Acceptable risk
– Risk to be managed or controlled
– Risk to be eliminated
• Recommended remediation
Information Security Program: How to implement
• Identify resources to be protected
• Perform a Threat Analysis
– Assess your vulnerability to each of the General Threats.
– Vulnerability testing
– SANS/FBI top twenty Internet vulnerabilities; www.sans.org
• Determine business impact
– What $ risks do you face in case of various types of successful attacks?
– Exposure = (Likelihood the vulnerability is successfully exploited) × (Business impact expressed in dollars)
Information Security Program: How to implement (cont.)
• Categorize risks
– Acceptable risk
– Risk to be managed/controlled
– Risk to be eliminated
• Define your organization’s Security Policies and Procedures.
• Like accounting or legal policies, Security Policies define an operational framework for managing everything related to security for your organization on a day-to-day basis.
• Procedures outline who does what, when, and how.
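The exposure formula (likelihood × dollar impact) and the three risk categories used both in the audit findings and in the program steps above can be turned into a small, repeatable risk register. The following is an added example written for this page, not code from the Jackson County audit or the presenters; the dollar thresholds that separate the three categories and the sample findings are assumptions chosen for illustration, and a real program would set the thresholds from its own risk appetite.

```python
"""Exposure-based risk register (added example, not from the audit).

Exposure = likelihood * impact, as the slides define it. Findings are then
sorted by exposure and placed in one of the three categories the audit used:
acceptable, to be managed/controlled, or to be eliminated.
"""
from dataclasses import dataclass

# Assumed thresholds in dollars of expected loss. These are illustrative;
# each organization picks its own.
ACCEPT_BELOW = 5_000        # exposure below this: acceptable risk, document it
ELIMINATE_ABOVE = 100_000   # exposure above this: risk to be eliminated now

ACCEPTABLE = "Acceptable risk"
MANAGED = "Risk to be managed/controlled"
ELIMINATE = "Risk to be eliminated"


@dataclass
class Finding:
    name: str
    likelihood: float   # probability of successful exploitation over the period (0..1)
    impact: float       # business impact of one successful attack, in dollars

    def exposure(self) -> float:
        """Expected loss = likelihood * impact. Rejects malformed inputs, since a
        likelihood of 150% or a negative impact silently corrupts the ranking."""
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError(f"{self.name}: likelihood must be in [0, 1]")
        if self.impact < 0:
            raise ValueError(f"{self.name}: impact cannot be negative")
        return self.likelihood * self.impact


def categorize(exposure: float) -> str:
    """Map an exposure value onto the three audit categories.
    Values exactly on a threshold fall into the middle (managed) category."""
    if exposure < ACCEPT_BELOW:
        return ACCEPTABLE
    if exposure > ELIMINATE_ABOVE:
        return ELIMINATE
    return MANAGED


def prioritize(findings):
    """Return (finding, exposure, category) triples, highest exposure first,
    so remediation effort goes to the largest expected loss."""
    rows = []
    for f in findings:
        exp = f.exposure()
        rows.append((f, exp, categorize(exp)))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


# Constructed sample findings with made-up numbers, not data from the audit.
SAMPLE_FINDINGS = [
    Finding("Unpatched public web server", likelihood=0.6, impact=250_000),
    Finding("Shared admin password on file server", likelihood=0.3, impact=80_000),
    Finding("Unlocked wiring closet", likelihood=0.1, impact=20_000),
    Finding("Internal printer without login banner", likelihood=0.05, impact=500),
]

if __name__ == "__main__":
    for finding, exp, cat in prioritize(SAMPLE_FINDINGS):
        print(f"{finding.name:40} ${exp:>10,.0f}  {cat}")
```

The ranking is what the auditor hands back per element: the web server lands in the "eliminate" category, the shared password in "managed/controlled", and the two low-exposure items are documented as acceptable. Changing a likelihood after a control is deployed re-scores the item without rewriting the register, which is the point of keeping the formula explicit.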
Information Security Program: How to implement (cont.)
• Define your Security Architecture.
– Risk/reward
• Develop a layered defense; never depend on a single product or solution to defend yourself.
• Look for single points of failure; introduce redundancy if it makes business sense.
Information Security Program: How to implement (cont.)
• Make the investment
– Properly educated users and administrators are by far your best defense.
• Training should be constant and updated to reflect changes in both your organization and the outside world.
– Purchase the right tools.
• Don’t depend on home-grown solutions; use well-documented and robust tools developed by an established provider.
– If your organization is large enough, hire security specialists or consider managed services; don’t depend on overworked network administrators to stay current on your security needs.
Best Practice Elements
• Recognize the need for security at the executive level
– Allocate resources for training & auditing
– Set a standard for behavior
• Security Policies and Procedures
– Create and enforce them
• Training/Education
– Your best first line of defense
– Thwart social engineering exploits
Best Practice Elements (cont.)
• Security Infrastructure
– Linked control mechanisms to ensure protection of sensitive information
• Administrative controls
• Physical controls
• Technological controls
• Track security developments
– Implement a method to regularly research security initiatives that may modify best practices
Best Practice Elements (cont.)
• Vulnerability Testing
– In-house IT staff may not be expert in all areas of security, and/or management may not be objective
– Pay close attention to proposal scope, contract & references
– Recognize that test results represent merely a snapshot in time
– Different approaches:
• Full audit vs. perimeter study only
• Business-practices firms vs. technology firms
Thank you for your time!
Questions or Comments?