Security Baselines and Risk Assessments

Date post: 29-Nov-2014

Page 1
Security Baselines and Risk Assessments

Page 2

Baseline

• When a new system is implemented, a preliminary assessment called a security baseline needs to be performed.

• A baseline provides a starting point to measure changes in configurations and improvements to the system.

Page 3

Risk assessments

• Risk assessments educate the administrators about their systems.

• Assessments are a mechanism to identify the strengths and implemented controls of a system, not just the weaknesses and risks.

Page 4

INFORMATION SECURITY ASSESSMENT: A PHASED APPROACH

• Areas of increased risk within an organization:
– Operating environment
– Security organization
– Security planning, administration, and management
– Information security policies, standards, and procedures
– Information security risk assessment
– Information classification and control

Page 5

Requirements

• Organization chart
• Security policies, standards, and procedures documentation
• Network diagrams
• List of applications
• List of network management tools
• List of security assessment tools
• Asset inventory
• List of databases
• Reports from previous assessments and audits

Page 6

Information Security Assessment Workplan

• Section I:
– Provides an overview concentrating on the management of specific programs developed as a part of the information security assessment (ISA) and the allocation of security responsibilities.

• Section II:
– Security monitoring
– Computer virus controls
– Microcomputer security
– Compliance with legal and regulatory requirements

Page 7

• Section III, Computer Operations, includes:
– Physical and environmental security
– Computer systems management
– Backup and recovery
– Problem management

• Section IV reviews those areas related to applications: access controls, application development and implementation, and change management.

Page 8

HIGH-LEVEL SECURITY ASSESSMENT (SECTION I)

• Assessing the Organization of the Security Function
– An assessment of the security organization should document the number of individuals performing security functions, including full-time security positions as well as individuals who dedicate only a portion of their time to security.
– To whom these positions report.

Page 9

• Assessing the Security Plan
– The Information Security Plan should be documented and should describe how it supports the goals and objectives of the Strategic Information Technology Plan.
– Determine who is responsible for its development, review, approval, and implementation.
– Responsibility, as well as target completion dates, should be defined for each project, initiative, or strategy in the Plan.

Page 10

• Assessing Security Policies, Standards, and Procedures
– Determine how policies, standards, and procedures are developed, reviewed, approved, and modified, and who is responsible for each step of this process.

• Assessing Risk-Related Programs
– Programs for risk assessment include classification methodologies, business impact analysis (BIA), incident and emergency reporting and response, disaster recovery planning (DRP), business continuity planning (BCP), and incident monitoring, investigation, and remediation.

Page 11

– Determine who is responsible for each of these programs.

• Assessment Document Checklist
– Organization chart
– IT strategic plan
– Information security plan
– Security charter or mission statement
– Security policies, standards, and procedures
– Policy acknowledgment forms
– Confidentiality agreements/statements

Page 12

• Network diagrams
• Maintenance and service contracts with third-party service providers
• Application inventory
• Hardware asset inventory
• Network management tools inventory
• Security assessment tools inventory
• Database inventory
• Classification methodology
• Audit programs
• Compliance checklists
• Security assessment reports
• Resource ownership matrix

Page 13

SECURITY OPERATIONS (SECTION II)

• Security Monitoring
– Security monitoring includes those processes in place to identify and investigate suspected access violations and attempted system intrusions.
– For example:
• Daily review of remote access log-ins to identify failed access attempts
• Review of system access logs for access to systems during non-work hours
• Review of traffic on external gateways
• Review of access to application system utilities and privileged user activities
• Review of access to sensitive files or data

Page 14

– Procedures are necessary for reporting and responding to suspected violations.
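The first two review items above (failed remote log-ins and access during non-work hours), run over constructed log lines as an added illustration that is not part of the deck; the log format, the business hours and the failure threshold are assumptions.

```python
"""Daily remote-access log review: flag users with repeated failed
log-ins and successful log-ins outside working hours."""
from collections import Counter
from datetime import datetime, time

# Constructed sample log (not a real capture).  Assumed format:
#   <ISO timestamp> user=<name> src=<ip> result=<OK|FAILED>
SAMPLE_LOG = """\
2014-11-27T09:12:01 user=alice src=203.0.113.5 result=OK
2014-11-27T09:13:44 user=bob src=203.0.113.9 result=FAILED
2014-11-27T09:13:59 user=bob src=203.0.113.9 result=FAILED
2014-11-27T09:14:20 user=bob src=203.0.113.9 result=FAILED
2014-11-27T09:15:02 user=bob src=203.0.113.9 result=OK
2014-11-27T23:41:10 user=carol src=198.51.100.7 result=OK
2014-11-29T11:05:33 user=dave src=198.51.100.8 result=OK
2014-11-29T11:06:00 user=mallory src=198.51.100.9 result=FAILED
"""

WORK_START, WORK_END = time(8, 0), time(18, 0)   # assumed business hours
FAIL_THRESHOLD = 3                                # assumed review threshold


def parse_line(line):
    """Turn one log line into a dict with ts (datetime), user, src, result."""
    ts_text, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.fromisoformat(ts_text)
    return rec


def is_off_hours(ts):
    """True on weekends or outside WORK_START..WORK_END on a weekday."""
    if ts.weekday() >= 5:          # Saturday = 5, Sunday = 6
        return True
    return not (WORK_START <= ts.time() < WORK_END)


def review(log_text):
    """Return the two findings the daily review is meant to surface:
    users with >= FAIL_THRESHOLD failed attempts, and successful
    log-ins during non-work hours."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    failures = Counter(r["user"] for r in records if r["result"] == "FAILED")
    repeated = {u: n for u, n in failures.items() if n >= FAIL_THRESHOLD}
    off_hours = [(r["ts"].isoformat(), r["user"]) for r in records
                 if r["result"] == "OK" and is_off_hours(r["ts"])]
    return {"repeated_failures": repeated, "off_hours_logins": off_hours}


if __name__ == "__main__":
    for key, finding in review(SAMPLE_LOG).items():
        print(key, finding)
```

Both findings are only leads for the reporting and response procedures described on the next slide; bob's eventual success after three failures and carol's late-night log-in each need a follow-up, not an automatic verdict.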

• Computer Virus Controls
– Effective computer virus controls are an absolute necessity.

Page 15

For anti-virus security assessments, it is necessary to ensure that procedures exist to:

• Download current definitions from the appropriate sources on a timely basis
• Test virus software before distribution
• Distribute and upload current definitions to all platforms (servers, mail servers, firewalls, and workstations)
• Validate that distribution of software and definition files is effective
• Ensure compliance with all anti-virus software procedures
• Assess the communications mechanism between administrators and users on potential viruses and the reporting of suspected viruses

Page 16

• Microcomputer Security:
– Monitoring licenses registered versus licenses used
– Inventorying PC software
– Defining and distributing approved software lists
– Developing software usage policies

Page 17

COMPLIANCE WITH LEGAL AND REGULATORY REQUIREMENTS

• A security review of these areas should be conducted to ensure:
– Guidelines on the retention, storage, and handling of regulated information
– Appropriate protection of classified data
– Compliance with regulatory requirements
– Compliance with legislation protecting information

Page 18

COMPUTER OPERATIONS (SECTION III)

• Computer operations personnel are responsible for the physical security of the central processing facility, ensuring the proper execution of programs, maintaining system and critical data backups, responding to and resolving execution errors, and providing assistance in the recovery of systems, programs, and information.

Page 19

Physical and Environmental Security

• Cipher or keypad locks
• Fencing
• Guards
• Monitoring devices
• Maintaining authorized personnel access lists
• Limiting access to only essential operations personnel
• Maintaining sign-in logs
• Badges

Page 20

Environmental controls include:

• Backup power (uninterruptible power systems [UPS])
• Air conditioning
• Fire suppression devices (fire extinguishers, halon, other)
• Fire detection devices (sensors)
• Heat detection devices
• Business continuity plans (BCPs)
• Alternative processing facilities
• Disaster recovery plans (DRPs)
• System and data backups

Page 21

Backup and Recovery

• Removing backups from the facility creates a requirement for ensuring that those critical backups are not subject to unauthorized access by vendors or outside personnel. Review who, when, and how third-party vendors obtain, transport, and store those critical business system backup tapes.

Page 22

• Tape management, both internal and by third-party vendors, is also very important.

• As a part of physical security, backup processing locations are important.

• Recovery plans should be tested annually.

Page 23

Computer Systems Management

• Computer systems management includes the daily execution and maintenance of systems, applications, and information.

• Maintain a log that details the execution, completion, and issues identified during the shift.

• This log should be reviewed by management and jointly reviewed by both the outgoing shift personnel and incoming shift personnel so that continuity and efficiency are maintained.

Page 24

• Computer operations personnel should be restricted from read, write, and delete access to computer programs.

• Change logs: documentation of changes, validation of changes, and follow-up testing.

Page 25

Problem Management

• A problem management process needs to be in place to report, track, and resolve problems incurred in computer operations, as well as in dealing with security-related issues.

• Reduction of failures to an acceptable level
• Prevention of the recurrence of problems
• Reduction of the impact on service

Page 26

Problem resolution should include:

• Providing a centralized point of contact for problems
• Logging problem calls
• Resolving problems quickly and efficiently
• Transferring unresolved problems to more technically qualified personnel
• Tracking and managing difficult problems
• Identifying recurring problems, analyzing root causes, and providing permanent resolution
• Improving communication and training to end users
• Reporting the status of issues to management, users, and departments impacted
• Evaluating vendor performance and service-level contracts based on the level of support provided in resolving issues

Page 27

APPLICATION CONTROLS ASSESSMENTS

• Security control assessments related to applications primarily focus on the appropriate access of users, administrators, and programmers to application data and functionality, system files, program modules, and hardware resources.

Page 28

Access Controls

• Data owners approve access based on job requirements and functionality.

• Role-based access is the most logical method for setting up access to an application.

• Role-based access is determined by an employee’s job function — not by who the employee is as a person.

• Access control lists (ACLs)

• Application access is typically controlled by menus that restrict user access to certain functionalities of the application.

Page 29

Separation (or Segregation) of Duties

• Separation of duties ensures that no single employee has control of a transaction from beginning to end.

• Separation of duties guards against manipulating a transaction for personal gain.

Page 30

Audit Trails

• Audit logs are a record of system activities that provide the capability to reconstruct the sequence of events related to a transaction.

• Audit logs can be used to determine errors in system processing as well as misuse of the system.

• Violation reports that log security-related events, such as unsuccessful access attempts, should be monitored daily.

Page 31

• It is necessary to test that users cannot break out of the menu and obtain the system prompt.

• Application system utilities are sensitive because they bypass application access controls and allow direct access to production code and data.

• These utilities should be protected by passwords and should not be accessible from the application.

Page 32

Authentication

• Authentication as it relates to application access is defined as the reconciliation of evidence of user identity.

• The use of a password for authenticating a user is the most common method and is known as simple authentication.

Page 33

There are three ways a user can identify himself to an application or system:

• Presenting something that only the user knows.
• Presenting something that only the user has.
• Presenting something that the user is.

Page 34

Presenting something that only the user knows.

• Passwords are something that a user knows.
• This is the least secure method of authentication because a password can be stolen and used by someone else.

Page 35

Something the user has

• Secure token.
• An example of a secure token is credit card-size hardware that produces a one-time password valid and usable only for a small window of time, such as one minute.

Page 36

Something that the user is

• Passwords and tokens can be stolen.
• Fingerprints and retinas are unique to every person and they represent who the person is.

Page 37

Using combinations of methods increases the strength of the authentication.

• something you know + something you have = two-factor authentication
• something you know + something you are = two-factor authentication
• something you have + something you are = two-factor authentication
• something you know + something you know ≠ two-factor authentication (the same factor used twice is still single-factor)
• something you have + something you have ≠ two-factor authentication
• something you are + something you are ≠ two-factor authentication

Page 38

Password parameters include:

• Application lockout after a set number of failed attempts to log on (e.g., three failed attempts)
• Minimum password length (e.g., eight characters)
• Specified password structure
• Password change frequency (e.g., every 30 days)

Page 39

• Passwords must be unique
• Passwords must be encrypted
• Maintain encrypted password files
• Maintain password history (e.g., the last ten passwords cannot be reused)
• Establish password cycle time
• Non-displayed fields
• Validation of the current password before passwords can be changed
• Limitations on sharing passwords
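The parameters on the last two slides, enforced in one account model as an added example that is not the deck's own code; the structure rule (a letter plus a digit), the use of a salted slow hash for stored passwords, and day numbers in place of calendar dates are assumptions.

```python
"""Enforcement of the password parameters on the slides: lockout after
three failed attempts, minimum length eight, a structure rule, change
every 30 days, a ten-password history and validation of the current
password before a change."""
import hashlib
import hmac
import os

LOCKOUT_ATTEMPTS = 3   # slide: e.g. three failed attempts
MIN_LENGTH = 8         # slide: e.g. eight characters
MAX_AGE_DAYS = 30      # slide: e.g. every 30 days
HISTORY_SIZE = 10      # slide: last ten passwords cannot be reused

def _digest(password, salt):
    # Slow salted one-way hash: the slides say "encrypted"; a salted hash
    # is the usual way to keep stored passwords non-recoverable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def structure_ok(password):
    """Assumed structure rule: minimum length plus a letter and a digit."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))

class Account:
    def __init__(self, password, today):
        # 'today' is a day number (e.g. date.toordinal()), not a date
        self.failed, self.locked = 0, False
        self.history = []            # (salt, digest) pairs, newest last
        self.changed_on = today
        self._store(password)

    def _store(self, password):
        salt = os.urandom(16)
        self.history.append((salt, _digest(password, salt)))
        self.history = self.history[-HISTORY_SIZE:]   # keep last ten only

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(_digest(password, salt), digest)

    def login(self, password, today):
        """Return 'ok', 'locked', 'expired' or 'failed'."""
        if self.locked:
            return "locked"
        if not self._matches(password, self.history[-1]):
            self.failed += 1
            self.locked = self.failed >= LOCKOUT_ATTEMPTS
            return "failed"
        self.failed = 0
        if today - self.changed_on > MAX_AGE_DAYS:
            return "expired"         # must be changed before further use
        return "ok"

    def change_password(self, current, new, today):
        """Validate the current password first, then structure and history."""
        if not self._matches(current, self.history[-1]):
            return "bad current password"
        if not structure_ok(new):
            return "structure"
        if any(self._matches(new, e) for e in self.history):
            return "reused"
        self._store(new)
        self.changed_on, self.failed = today, 0
        return "changed"
```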

Page 40

Application Development and Implementation

• A formal program for application development and implementation is necessary to ensure that appropriate controls are built into the application to provide authentication, authorization, and integrity.

Page 41

The application development and implementation program should ensure:

• Appropriate access to source libraries
• The ability to audit access to source libraries
• Integrity checks for the input of data to detect out-of-range values, invalid characters in data fields, incomplete data, upper and lower data volume limits, two-character data ranges, and inconsistent control data
• Session or batch controls to reconcile file balances after transaction updates

Page 42

• Balance controls to validate opening balances against previously closed balances, including run-to-run totals, file update totals, program-to-program totals, and hash totals on records and files
• Management authorization for the initiation of application acquisition, development, and maintenance
• Change request documents that record the reason for the amendment, date of amendment, and appropriate approvals
• Separate test and production environments
• Documented acceptance criteria for test plans
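The batch controls on the previous slide and the balance controls above (run-to-run totals, file update totals and hash totals on records), worked as an added example that is not the deck's own code; the 'account,amount' record layout, the sample batch and the balance figures are constructed.

```python
"""Batch balance controls: a hash total and record count over a batch,
a run-to-run check of opening against previous closing balance, and a
file-update check of opening + transactions against the new closing."""
from decimal import Decimal

# Constructed batch file: one 'account,amount' record per line.
BATCH_TEXT = """\
100234,250.00
100987,-75.25
200111,1200.00
"""


def parse_batch(text):
    """Return [(account, Decimal amount)] for the non-empty lines."""
    out = []
    for line in text.splitlines():
        if line.strip():
            acct, amt = line.split(",")
            out.append((acct.strip(), Decimal(amt)))
    return out


def control_totals(records):
    """Record count, amount total and hash total.  The hash total is the
    plain sum of account numbers: meaningless as a figure, but a dropped
    record or a transposed digit changes it even when count and amount
    still agree."""
    return {"count": len(records),
            "amount": str(sum((a for _, a in records), Decimal("0"))),
            "hash": sum(int(acct) for acct, _ in records)}


def check_batch(text, expected):
    """Recompute a batch's controls and list those that differ from the
    totals recorded when the batch was created."""
    actual = control_totals(parse_batch(text))
    return sorted(k for k in expected if actual[k] != expected[k])


def reconcile_run(prev_closing, opening, text, closing):
    """Run-to-run and file-update checks for one processing run:
    opening must equal the previous run's closing, and
    opening + batch amount must equal the reported closing balance.
    Returns the list of findings (empty when the run balances)."""
    prev_closing, opening, closing = map(Decimal, (prev_closing, opening, closing))
    findings = []
    if opening != prev_closing:
        findings.append("run-to-run: opening %s != previous closing %s"
                        % (opening, prev_closing))
    computed = opening + sum((a for _, a in parse_batch(text)), Decimal("0"))
    if computed != closing:
        findings.append("file update: computed closing %s != reported %s"
                        % (computed, closing))
    return findings


if __name__ == "__main__":
    totals = control_totals(parse_batch(BATCH_TEXT))
    print(totals)
    # Same count and amount, but two digits of one account number are
    # transposed: only the hash total catches it.
    tampered = BATCH_TEXT.replace("100234", "100324")
    print(check_batch(tampered, totals))
    print(reconcile_run("5000.00", "5000.00", BATCH_TEXT, "6374.75"))
```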

Page 43

• New programs and program changes are formally approved during appropriate phases of the development process and prior to implementation
• Formal sign-off and acceptance procedures
• Cut-over procedures to move applications from the test to the production environment
• Programmers are prevented from updating production programs
• Programmers are restricted from adding programs to the production libraries

Page 44

• Segregation of duties in programming and execution of programs

• System documentation and user documentation are updated to reflect all program and operations changes

• Emergency maintenance and temporary fixes to application and system software are covered by the same procedures applied to normal maintenance

• Backup versions of software are maintained prior to making any changes to the code

Page 45

Change Management

• Change management refers to changes in program code, operating system configurations, or network architectures.

• An effective change management program uses an application or tool to register changes.

• This tool should record the change requestor’s name, details of the request, business justification, approvers, estimated time to perform or implement the change, individuals responsible for modifications, individuals affected by the change, testing requirements, requestor’s approval on tests, management approval, and a scheduled date of change.

Page 46

Check to make sure that:

• The library control systems ensure that all changes to production programs are implemented by library control administrators — and not the programmers who coded the program

• Only the applications programmers involved in the changes have access to application programs under development

Page 47

• Only systems programmers have access to system programs under development

• Only library administrators have write access to system and application libraries

• Access to live data is only through programs that are in the application libraries

Page 48

Database Security

• Access is controlled through discretionary access controls (DACs) or mandatory access controls (MACs).

• With DACs, access must be granted before a user can gain access to a view.

• MACs secure information by assigning classification levels or labels to data.

Page 49

Network Assessments

• Obtain an understanding of the network architecture:
– Review network diagrams and documentation
– Interview data network administrators
– Interview voice network administrators
– Interview network device administrators
– Review standards relating to networked systems
– Review planned migration to new technologies
– Review network software inventory
– Review network hardware inventory
– Identify business functions utilizing the network

Page 50

• Obtain an understanding of network management:
– Identify network management tools and other utility software used in managing the network
– Identify how the network management tools are utilized
– Identify the devices managed through the network
– Identify plans or changes to network managers

• Obtain an understanding of network security administration:
– Identify policies, procedures, standards, and guidelines for network security administration
– Identify responsibilities for network security administration
– Identify monitoring capabilities and reports used in network security administration

Page 51

• Obtain an understanding of new technology assessments and deployment:
– Identify responsibilities for change control
– Identify audit/security participation in new technology plans
– Identify documentation of risks in new technologies
– Identify general control strategy used in introduction of new technologies
– Identify testing/acceptance methods used for new technologies
– Identify review process for approval of new technology plans

Page 52

• Obtain an understanding of outage/threat response capabilities:
– Identify tools and approaches to reducing risks
– Identify responsibility for emergency response
– Identify tools/strategies for responding to emergency conditions
– Identify threat incidents and priorities

Page 53

Emergency Response

• It is necessary to ensure that bugs, security holes, and vulnerabilities are disseminated to the appropriate individuals and that those individuals are addressing the problem.

• Include follow-up efforts to ensure that alerts, advisories, and fixes are applied in a timely manner.

Page 54

Remote Access

• For each of the dial-in connections, the following activities will be performed:

• Evaluate external connections and dial access:
– Identify external network service providers
– Identify external network users (customers, business partners, employees, service providers)
– Identify access methods
– Identify frequency of access
– Identify nature of access
– Identify services used for access
– Identify time-of-day access required
– Identify services used when access is granted

Page 55

• Evaluate network security features:
– Identify points of control for each access path
– Identify points of control for each service accessed
– Identify points of external control
– Identify nature of control points (intended for authentication, monitoring, etc.)
– Identify level of functionality for each control point
– Identify responsibility for each control point

• Develop access path schematic:
– Document access paths and control points
– Report observations and recommendations