Posted: 23-Dec-2015
Security Assessments
Keith Watson, [email protected]
Research Engineer, Center for Education and Research in Information Assurance and Security
Overview
Part 1: Introduction to Security Assessments
• What is a security assessment?
• Why is it needed?
• How do you do an assessment?
Part 2: Conducting Security Assessments
• Asset Identification
• Threat Assessment
• Laws, Regulation, and Policy
• Personnel
• Security Assessment Components
• Reporting and Follow-up
Part 3: The Assessment “Experience”
• Tools
  • Demonstration of Nessus
  • Report Template
• Training
• Certification
Part 1: Overview of Assessments
• What?
• Why?
• How?
What?
A security assessment is an evaluation of the security posture of an organization.
Evaluation of
• Policy
• Security practices
• Management of systems and resources
• Security perimeters
• Handling of sensitive information
Provided in the form of
• Report
• Presentation
Security Assessments are…
• A process: step-by-step (with variation)
• An examination: see how things work (or don’t work)
• An evaluation: making a judgment on relative security
Why?: Need for Assessments
Due Diligence
• Mergers and Acquisitions
• Customer/Partnership Evaluation
Regulatory Requirement
• Banks, Financial Institutions, Hospitals
• Publicly Traded Companies
• OMB, CBO, Federal Offices of the Inspector General
Insurance
• Set premiums for “Hacker” Insurance
Just Good Security Management Practice
• “Know your problems”
How?
Negotiate Project Scope
• Don’t make the project too big to finish
Spend time on site
• Best examination is made from the inside
Talk with everyone
• A little insider knowledge goes a long way
Look at similar organizations
• Useful in judging relative security posture
Make cost-effective recommendations
• Don’t scare them with overpriced fixes and complicated solutions
Part 2: Conducting Security Assessments
• Project Management
• Asset Identification
• Threat Assessment
• Laws, Regulations, and Policies
• Personnel
• Security Assessment Components
• Reporting and Follow-up
Project Management
• Scope Definition
• Setting Expectations
• Scheduling
• Travel
• Logistics
• Completion
Asset Identification
Assets
An asset is anything that has some value to an organization.
Asset Identification
It is necessary to determine the assets that need protection, their value, and the level of protection required.
Two Types:
• Tangible
• Intangible
Tangible Assets
Tangible assets are physical. Examples:
• Personnel
• Offices, workspaces, warehouses, etc.
• Inventory, stores, supplies, etc.
• Servers and workstations
• Network infrastructure and external connections
• Data centers and support equipment
Intangible Assets
Intangible assets are intellectual property. Examples:
• Custom software
• Databases (the data, not the DBMS)
• Source code, documentation, development processes, etc.
• Training materials
• Product development and marketing materials
• Operational and financial data
Replace/Restore
What would it cost to restore or replace this asset in terms of time, effort, and money?
Tangible assets: $?
Intangible assets: $$$$?
Loss of Assets
Loss of key assets could result in harm to the organization
• Damaged reputation
• Lost customers
• Lost shareholder confidence
• Lost competitive advantage
• Exposure to lawsuits
• Government/Regulatory fines
• Failure of organization
For Organizations
It is important to know what assets are critical to the viability of the organization so that they can be adequately protected.
For Assessments
It is important to determine an organization’s assets* to see if there is adequate protection in place.
* Your list of assets may not be the same as the organization’s list.
Threat Assessment
Threats
An event that can impact the normal operations of an organization is a threat.
Threat Assessment
It is necessary to determine the threats, threat sources, and the likelihood of occurrence.
Threat types:
• Natural Events
• Unintentional
• Intentional
Natural Threats
• Tornadoes, Hurricanes, Typhoons
• Earthquakes, Mud Slides
• Flooding
• Lightning, Thunderstorms, Hail, Strong Wind
• Ice Storms, Heavy Snowfall
• Temperature and Humidity Extremes
Intentional Threats
• Alteration of Data
• Alteration of Software
• Disclosure
• Disruption
• Employee Sabotage
• Theft
• Unauthorized Use
• Electronic Vandalism
Unintentional Threats
• Disclosure
• Electrical Disturbance (surges, dips, outage <1 hour)
• Electrical Interruption (outage >1 hour)
• Environmental Failure (HVAC, humidity)
• Fire
• Hardware Failure (disk, fan, server)
• Liquid Leakage (steam, water, sewage)
• Operator/User Error
• Software Error (bugs)
• Telecommunication Interruption (cable cut)
Threat Sources - Threat Agents
• Murphy’s Law
• Unhappy Customers
• Disgruntled Employees
• Activists (Hack-tivists)
• Script-Kiddies
• Sophisticated Attackers
  • Government/Foreign/Terrorist Agents
  • “Blackhats”
Likelihood of Occurrence
Qualitative
• High, Moderate, Low
Quantitative
• Sophisticated formulas needed
• Provides useful data to “numbers” people
FBI Uniform Crime Reports
• Crime Index data useful
Sample Threat Assessment
Threat                 Source                Likelihood  Impact
Alteration of Data     “Hacker”              Low         Moderate
Alteration of Data     Disgruntled Employee  Moderate    High
Power Loss (>6 hours)  Severe Weather        Low         Moderate
Hardware Failure       Disgruntled Employee  Low         High
Operator Error         Untrained Employee    Moderate    High
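The sample table above rates each threat qualitatively. The following script, an added example that is not part of the original slides, turns those same five rows into a ranked list using a 3x3 likelihood-by-impact matrix, and adds the quantitative counterpart the slides only allude to: annualized loss expectancy (ALE = single loss expectancy x annual rate of occurrence). The matrix cut-offs, the ALE formula and the dollar figures are standard risk-management conventions and constructed numbers, not values from the deck.

```python
# Added example: qualitative risk ranking for the sample threat assessment.
# Not from the original slides; the matrix cut-offs and the ALE formula are
# standard risk-management conventions that the deck does not spell out.

from dataclasses import dataclass

# Qualitative scale used on the slides, mapped to ordinal values.
LEVELS = {"Low": 1, "Moderate": 2, "High": 3}


@dataclass(frozen=True)
class Threat:
    threat: str
    source: str
    likelihood: str
    impact: str

    def score(self) -> int:
        """Likelihood x impact on a 3x3 matrix: 1 (lowest) to 9 (highest)."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def rating(self) -> str:
        """Bucket the matrix score into the same three words the slides use."""
        s = self.score()
        if s >= 6:
            return "High"
        if s >= 3:
            return "Moderate"
        return "Low"


# The five rows of the "Sample Threat Assessment" table.
SAMPLE = [
    Threat("Alteration of Data", "Hacker", "Low", "Moderate"),
    Threat("Alteration of Data", "Disgruntled Employee", "Moderate", "High"),
    Threat("Power Loss (>6 hours)", "Severe Weather", "Low", "Moderate"),
    Threat("Hardware Failure", "Disgruntled Employee", "Low", "High"),
    Threat("Operator Error", "Untrained Employee", "Moderate", "High"),
]


def rank(threats):
    """Order threats by matrix score, highest first; ties keep table order."""
    return sorted(threats, key=lambda t: t.score(), reverse=True)


def annualized_loss_expectancy(single_loss: float, annual_rate: float) -> float:
    """Quantitative counterpart: ALE = SLE x ARO (standard formula, not from the deck)."""
    return single_loss * annual_rate


if __name__ == "__main__":
    for t in rank(SAMPLE):
        print(f"{t.rating():8} {t.score()}  {t.threat:22} {t.source}")
    # Constructed figures: a $40,000 incident expected once every four years.
    print(annualized_loss_expectancy(40_000, 0.25))
```

Two rows tie at the top (both Moderate likelihood, High impact); the matrix cannot separate them, which is exactly where the quantitative estimate or the organization's own asset valuation has to break the tie.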
Laws, Regulations, and Policies
Laws
Depending on the organization’s business, there may be several laws that govern the protection of information
• CA Database Breach Notification Act
• Sarbanes-Oxley Act of 2002
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Gramm-Leach-Bliley Act of 1999
• Computer Security Act of 1987
• Computer Fraud and Abuse Act of 1986
• Federal Education Rights and Privacy Act (FERPA)
• European Union Data Privacy Directive
Law Surveys
A survey may be necessary to determine which laws apply to an organization.
Look for Federal “interest” systems, private data, health info, public company financials, market data, etc.
Organizations that operate on behalf of the government are subject to various laws.
Get a lawyer for the in-depth stuff.
Policy
Policies are statements of intentions and/or principles by which an organization is organized, guided, and evaluated.
Policy Types
• Organization Program
• Issue-Specific
• System-Specific
Policy Reviews
Reviews are necessary to evaluate adequacy and compliance.
• Some organizations have no security policies at all
• Most do not follow their own policies
• Most employees are unaware of policies
• Most policies are out-of-date
Personnel
Interviews are needed to assess knowledge and awareness of information security.
• Valuable for determining unwritten rules
• Employees should be divided into categories
• Interview groups and ask questions relevant to the job function
• Do not be adversarial or demanding
Security Assessment Components
• Network Security
• System Security
• Application Security
• Operational Security
• Physical Security
Network Security
Involves the actions taken and controls in place to secure the network and networked systems.
Network Security Assessment
Gather network maps, installation procedures, checklists; evaluate.
Scan networks and networked systems
• Vulnerability Scanners: Nessus (free), ISS
• Port Scanners: nmap, hping
• Application Scanners: whisker, nikto
Target Selection
• Key systems (where the goodies are stored)
• Exposed systems (where the bad guys play)
• Gateway systems (intersection of networks)
System Security
Involves the actions taken to secure computing systems.
System Security Assessment
Gather software/system inventory info, security standards, checklists, management procedures; evaluate.
Review configuration with admin.
Use a security checklist to evaluate current configuration.
Target Selection:
• Database Systems and File Servers
• Network Application Servers
• A typical Desktop
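Checking a configuration against a security checklist, as the slide above recommends, is mechanical enough to script. The following is an added example, not from the original slides: it parses an OpenSSH server configuration and reports each checklist item as pass, fail or missing. The directive names are real OpenSSH options; the expected values and the sample configuration are constructed for illustration and stand in for whatever checklist the assessor has agreed with the client.

```python
# Added example: evaluate a system configuration against a security checklist.
# Not from the original slides. sshd_config directive names are real OpenSSH
# options; the expected values and the sample file are constructed.

# Checklist: directive -> value the assessor expects to find.
CHECKLIST = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
}

# Constructed sshd_config excerpt: one weak setting, one commented-out item.
SAMPLE_CONFIG = """\
# OpenSSH server configuration (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
#PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 6
"""


def parse_sshd_config(text):
    """Return {directive: value} for active lines; comments and blanks skipped.

    Directive names are case-insensitive in OpenSSH, so keys are lowercased.
    OpenSSH honours the first occurrence of a directive, so later duplicates
    are ignored here as well.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        settings.setdefault(key.lower(), value.strip())
    return settings


def evaluate(settings, checklist=CHECKLIST):
    """Compare parsed settings with the checklist.

    Returns (directive, status, actual) tuples, status being 'pass', 'fail'
    or 'missing'. Missing is kept distinct from fail because a directive that
    is absent takes the compiled-in default, which the assessor must confirm
    with the administrator rather than assume.
    """
    findings = []
    for directive, expected in checklist.items():
        actual = settings.get(directive.lower())
        if actual is None:
            status = "missing"
        elif actual.lower() == expected.lower():
            status = "pass"
        else:
            status = "fail"
        findings.append((directive, status, actual))
    return findings


def needs_attention(findings):
    """Directives to raise with the administrator: anything not a clean pass."""
    return [directive for directive, status, _ in findings if status != "pass"]


if __name__ == "__main__":
    results = evaluate(parse_sshd_config(SAMPLE_CONFIG))
    for directive, status, actual in results:
        print(f"{status:8} {directive:24} found={actual!r} expected={CHECKLIST[directive]!r}")
    print("Follow up on:", needs_attention(results))
```

The same shape (parse the live configuration, compare with the agreed checklist, separate "set wrongly" from "not set at all") carries over to any other system the target-selection list names.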
Application Security
Consists of the requirements, specifications, architecture, implementation, and test procedures used to secure applications.
Application Security Assessment
Gather application and internal development docs, source code.
Review source code for common programming flaws.
Use static code analysis tools
• Fortify, RATS, ITS4, FlawFinder
Skill-dependent task; time consuming.
At minimum, evaluate development procedures.
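The static analysis tools named above (FlawFinder, RATS, ITS4) work, at their simplest, by matching calls to C library functions known to be hard to use safely and pointing a reviewer at them. The script below is an added example, not from the original slides and not the code of any of those tools: a minimal lexical scanner of that kind, run over a constructed C fragment that shows an unbounded copy next to its bounded replacement. It does no data-flow analysis, so every hit is a candidate for the human code review the slide calls for, not a confirmed flaw.

```python
# Added example: a minimal FlawFinder-style lexical scan for risky C library
# calls. Not from the original slides and far simpler than the real tools:
# pattern matching only, no data-flow analysis, so hits are review candidates.

import re

# Risky call -> why it is flagged, and the usual bounded alternative.
RISKY_CALLS = {
    "gets":    ("no bound on input length", "fgets with an explicit size"),
    "strcpy":  ("no bound on destination", "snprintf/strlcpy with destination size"),
    "strcat":  ("no bound on destination", "strlcat/strncat"),
    "sprintf": ("no bound on destination", "snprintf"),
    "system":  ("shell interpretation of arguments", "execve with a fixed argv"),
}

# Identifier followed by '(' and not preceded by an identifier character,
# so 'fgets(' or 'my_strcpy(' is not reported as 'gets(' / 'strcpy('.
CALL_RE = re.compile(r"(?<![A-Za-z0-9_])(" + "|".join(RISKY_CALLS) + r")\s*\(")


def strip_comments(source):
    """Remove /* */ and // comments but keep newlines so line numbers hold."""
    def keep_newlines(m):
        return "\n" * m.group(0).count("\n")
    source = re.sub(r"/\*.*?\*/", keep_newlines, source, flags=re.S)
    return re.sub(r"//[^\n]*", "", source)


def scan_c_source(source):
    """Return (line_number, call, reason, alternative) for each risky call."""
    hits = []
    for lineno, line in enumerate(strip_comments(source).splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            reason, alternative = RISKY_CALLS[name]
            hits.append((lineno, name, reason, alternative))
    return hits


# Constructed C fragment: the unbounded "before" on top, a bounded version below.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

/* strcpy(user, argv[1]) inside a comment must not be flagged */
void before(char *argv[]) {
    char user[16];
    strcpy(user, argv[1]);           // unbounded copy into 16 bytes
    printf("%s\\n", user);
}

void after(char *argv[]) {
    char user[16];
    snprintf(user, sizeof user, "%s", argv[1]);  // bounded copy
    printf("%s\\n", user);
}
"""


if __name__ == "__main__":
    for lineno, name, reason, alternative in scan_c_source(SAMPLE_C):
        print(f"line {lineno}: {name}() - {reason}; consider {alternative}")
```

The scanner reports only the `strcpy` in `before()`; the commented-out call and the `snprintf` in `after()` pass. Calls hidden inside string literals or built through macros are outside what a lexical scan can see, which is one reason the slide treats the tools as an aid to review rather than a substitute for it.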
Operational Security
Consists of the day-to-day security management planning and actions taken to support the mission of the organization.
Operational Security Assessment
• Gather procedures, contingency plans
• Evaluate overall security management
• Review backup, disposal procedures
• Examine business continuity, disaster recovery plans
• Look at automated security tasks (virus updates, patches, integrity checks)
• Look at administrator security practices
Physical Security
Consists of the planning and protective measures taken to prevent unauthorized access to the facilities and damage to and loss of assets.
Physical Security Assessment
Gather policy and procedure documents. Examine facility and take pictures.
Building
• Life Safety (fire/smoke detection, alarms, suppression)
• Burglar alarms, security guards, police response time
Security Perimeter
• Strong doors, locks, visitor areas, sign-in procedures
Server Rooms
• Environmental controls and monitoring
• Sufficient power and HVAC
• Locked cabinets and equipment
Reporting and Follow-up
Once the assessment is complete, a report is needed to inform the client of issues found.
• Report should explain findings in simple terms (remember the audience)
• Be available to answer questions and provide explanations
Part 3: The Assessment “Experience”
• Tools
  • Demonstration of Nessus
  • Report Template
• Training
• Certification