Security, Targetting & Analysis of Risk (STAR)
Download
Report
Transcript Security, Targetting & Analysis of Risk (STAR)
Unit 2 – Security,
Targetting & Analysis of
Risk (STAR)
Risk Analysis
Know what to protect before
protecting it….
Educause MARC 2003
Copyright 2002, Marchany
1
The Layers of Security
Policy
Awareness
Risk Analysis
Incident Response
Free Tools
Educause MARC 2003
Copyright 2002, Marchany
2
98% On-Time Return Rate
We have 180+ administrative, academic
depts.
Each dept is required to turn in an IT
risk analysis. State Directive.
We get 98% on-time return rate on the
risk analysis reports.
How?
Educause MARC 2003
Copyright 2002, Marchany
3
How Do We Do It?
University IT Security Office convinces CFO of
the need to do a departmental risk analysis.
CFO controls the budget for all depts.
CFO issues directive to all dept heads stating
the need to turn in the reports on time.
Or else, he’ll review their budget request .
You must obtain the buy-in of the top
university officials. Period.
Educause MARC 2003
Copyright 2002, Marchany
4
Case Study – The 1st Time
Sort of…..
We applied some but not all TBS concepts in
our first attempt to determine the status of
our asset security.
This process took about 12 months. Security
committee met once every 2-3 weeks.
We’re starting the sixth iteration now.
Now it only takes 1 month max.
Educause MARC 2003
Copyright 2002, Marchany
5
The Committee
Management and Technical Personnel
from the major areas of IS
University Libraries
Educational Technologies
University Network Management Group
University Computing Center
Administrative Information Systems
Educause MARC 2003
Copyright 2002, Marchany
6
The Committee’s Scope
Information Systems Division only
Identified and prioritized Assets
RISKS associated with those ASSETS
CONTROLS that may applied to the ASSETS to
mitigate the RISKS
Did NOT specifically consider assets outside
IS control. However, those assets are
included as clients when considering access
to assets we wish to protect
Educause MARC 2003
Copyright 2002, Marchany
7
Identifying the Assets
Compiled a list of assets (+100 hosts)
Categorize them as critical, essential,
normal
Critical - VT can’t operate w/o this asset for even
a short period of time.
Essential - VT could work around the loss of the
asset for up to a week. The asset needs to be
returned to service asap.
Normal - VT could operate w/o this asset for a
finite period but entities may need to identify
alternatives.
Educause MARC 2003
Copyright 2002, Marchany
8
Educause MARC 2003
Copyright 2002, Marchany
9
Educause MARC 2003
Copyright 2002, Marchany
10
Prioritizing the Assets
The network(router, bridges, cabling, etc.)
was treated as a single entity and deemed
critical.
Some assets were classified as critical and
then rank ordered using a matrix prioritization
technique. Each asset was compared to the
other and members voted on their relative
importance. Members could split their vote.
Educause MARC 2003
Copyright 2002, Marchany
11
Prioritizing the Assets
Asset weight values calculated by a
simple formula. Weight = sum of
vote values.
Criteria:
Criticality
Value to the Org
Impact of Outage
Educause MARC 2003
Copyright 2002, Marchany
12
Identifying the Risks
A RISK was selected if it caused an
incident that would:
Be extremely expensive to fix
Result in the loss of a critical service
Result in heavy, negative publicity especially
outside the university
Have a high probability of occurring
Risks were prioritized using matrix
prioritization technique
Educause MARC 2003
Copyright 2002, Marchany
13
Prioritizing the Risks
Same as formula for prioritizing Assets
Criteria:
Scope of Impact
Probability of an incident
Weight = sum of vote values
Educause MARC 2003
Copyright 2002, Marchany
14
How STAR Looked Originally
Original STAR Asset, Risk, Asset-Risk,
Control Matrices
Original STAR Compliance Matrices
Educause MARC 2003
Copyright 2002, Marchany
15
How STAR Looks Now
Do most of the work for them
Business Recovery Plan Template
Intro to the BIA/RA Process
General Instructions for Dept BIA/RA
Blank BIA/RA Template
IS Risks For Dummies
Example R/A Spreadsheet
Blank R/A Voting Spreadsheet
Educause MARC 2003
Copyright 2002, Marchany
16
The Audit/Security Checklist Yesterday
The detailed commands used to check an asset.
Based on the Defense Information Infrastructure
(DII) and Common Operating Environment (COE)
initiative.
We took the checklists from this site, modified them
according to our R/A matrix and built checklists for
Sun, IBM, NT.
Our thanks to the unknown author who wrote the
original document.
The original checklist is available from
http://security.vt.edu in the Checklists section.
Educause MARC 2003
Copyright 2002, Marchany
17
The Audit/Security Checklist Today
We’re now using the CIS Benchmark Rulers
as our checklists.
The CIS provides a scanning tool that lets us
check the status of our systems quickly.
See http://www.cisecurity.org to download
the scanning tool and the checklist.
Another example of changing times….
Educause MARC 2003
Copyright 2002, Marchany
18
STAR – The Future
STAR is an evolving process
We are now linking Asset identification to the
mgt org chart
Assets can now be:
Physical systems
Groups of systems that support a service
Business process that requires a group of systems
Business process that depends on other business
processes
Educause MARC 2003
Copyright 2002, Marchany
19
Educause MARC 2003
Copyright 2002, Marchany
20
Conclusions
TBS provides a quantitative, repeatable
method of prioritizing your assets.
The matrices provide an easy to read
summary of the state of your assets.
These matrices can be used to provide your
auditors with the information they need.
The checklist contains the detailed commands
to perform the audit/security check.
Educause MARC 2003
Copyright 2002, Marchany
21
Building Your IT Audit
Plan/Checklist
Sample checklist/audit plans for
Unix, NT and Windows 2000
Active Directory
Educause MARC 2003
Copyright 2002, Marchany
22
What Risks Should We
Examine?
The
SANS/FBI Top 20 vulnerabilities
meet our TBS risk criteria:
•Have
a high probability of occurring
•Result in the loss of a critical service
•Be extremely expensive to fix later
•Result in heavy, negative publicity
•Examine your IT Assets for these vulnerabilities
Educause MARC 2003
Copyright 2002, Marchany
23
Assessing the Cost
A complete IT audit is a set of component
audits. Master Equation: E=D+R
E = time you’re exposed
D = time to detect the attack
R = time to react to the attack
Components
Procedural: E = D+R
Perimeter(Firewall): E = D+R
UNIX: E = D+R
NT/Windows 2000: E =D+R
Educause MARC 2003
Copyright 2002, Marchany
24
CIS Rulers
Rulers list a set of minimal actions that need
to be done on a host system.
This is a consensus list derived from security
checklists provided by CIS charter members
(VISA, IIA, ISACA, First Union, Pitney Bowes,
Allstate Insurance, DOJ, Chevron, Shell Oil,
VA Tech, Stanford, Catepillar, Pacific Gas &
Electric, RCMP, DOD CIRT, Lucent, Edu
Testing Services and others)
Can’t develop your own set? Use these!
http://www.cisecurity.org
Educause MARC 2003
Copyright 2002, Marchany
25
Applying Security to Assets
General Strategy
Use STAR to identify critical risks and
assets
Use CIS benchmarks to determine what
computer services are required to allow the
business function to work
Remove unnecessary services
Create the “security” script
Educause MARC 2003
Copyright 2002, Marchany
26
Applying Security to Assets
The CD to Production Cycle
Install OS from CD or “install” server.
Install applications
Apply vendor/application recommended
and security patches
Install local tools (security, etc.)
Run CIS-based/STAR based customization
System is ready for production
Educause MARC 2003
Copyright 2002, Marchany
27
The CIS Checklists
CIS Solaris Benchmark Document
CIS Rating: After OS Installation - no patches
CIS Rating: After Security/Vendor Patch
Installation
CIS Rating: After Applying Local Configuration
Rules
CIS Linux Benchmark Document
CIS Windows 2000 Benchmark Document
CIS Solaris Customization Script based on VT
Risk Analysis
Educause MARC 2003
Copyright 2002, Marchany
28
Require Vendor Security
Compliance
Terms and conditions of Purchase
Vendor must certify their product is not
vulnerable to the threats listed in the
SANS/FBI Top 20 Internet Vulnerabilities
document (www.sans.org/top20.htm)
We’ve been doing this since 7/1/02. Only 2
vendors out of 700+ have declined.
Prevent vendors from hampering our
security efforts.
Educause MARC 2003
Copyright 2002, Marchany
29
Summary
Use STAR for Risk Analysis of IT assets.
Use SANS/FBI Top 20 Internet Threats
lists as a starting point.
Use CIS benchmarks to get the actual
commands needed to implement your
policy based on your R/A.
Educause MARC 2003
Copyright 2002, Marchany
30