Security Environment Assessment

Outline
- Overview
- Key Sources and Participants
- General Findings
- Policy / Procedures
- Host Systems
- Network Components
- Applications
- Overall Assessment: Compliance with Policy
- Next Steps
Overview
- Objective
  - Broad sweep to find significant strengths / weaknesses
  - Baseline, not a final statement of vulnerabilities
- Approach
  - Interviews
  - Review of system configurations
  - Automated assessment tools (GFI)
  - Examined policy, procedures, host systems, network infrastructure, and some applications
General Findings - Strengths
- Linksys router/firewall protects the network perimeter
- Mostly standardized Intel platform; the operating system is predominantly XP
- Customer security requirements have positively influenced security awareness
- Regulatory requirements dictate due diligence
General Findings - Weaknesses
- External (e.g., Internet) access is not restricted, i.e., inappropriate network traffic is not filtered
- Identified critical internal systems are not isolated
- Production systems are not subject to configuration management
- Security program lacks the key components and scope necessary to effectively influence all systems
- Dedicated security staff not required, but security knowledge and emphasis are lacking, as is the technical expertise to perform effective oversight of all systems
- Policies not used to guide internal activities
- Security responsibilities not well defined
- Available technical features not used to best advantage
Policy / Procedures - Weaknesses
- System-specific practices not tied to top-level policy
- User account / password management practices
- Access control decisions
- Workstation policy not clear; basic features not implemented
- High-level policies for Internet usage, etc. do not exist
- Procedures are well defined for some systems but not defined for others
- Training / user awareness for system-specific features not provided
- Training / user orientation emphasizing personal responsibility does not exist
- Incident detection and response not addressed
General Findings - Weaknesses (cont.)
- System-specific procedures lacking
- Security not integrated with business processes
- Security responsibility for new systems and applications not well defined
- Staff lacks the technical expertise to effectively influence the design of new systems
Policy / Procedures
- Strengths
  - High-level policy has good components
  - Training / user orientation emphasizes personal responsibility
  - Procedures well defined for mainframe systems
- Weaknesses
  - System-specific practices not tied to top-level policy
  - User account / password / access practices not consistent
  - No provisions for incident detection / response
Host Systems
- Strengths
  - Privileged access limited
  - Security enhancements being implemented on some systems
- Weaknesses
  - Available features not used to best advantage
  - Technical vulnerabilities on many systems
  - Unnecessary services are available
  - Configuration not guided by security policy
Network Infrastructure
- Strengths
  - Firewall / address translator limits external access
  - Router filters limit access within the network
- Weaknesses
  - Network security responsibility not well defined; configuration not guided by a security policy
  - No capability for encrypted internal communications, remote access, or Internet links
  - Dial-up access not well controlled or secured
Applications
- Strengths
  - Development and production environments are segregated
  - Application security features are used to restrict access
- Weaknesses
  - Password management practices are inconsistent
  - Personal accountability is not always maintained
Overall Assessment -- Compliance with Security Policies
- Comparison of observed practice with the published "Information Security Policy"
- Policy does not influence security configuration / management of non-mainframe systems
- Most policy statements have not been implemented consistently across the enterprise
Next Steps
- Reaction to vulnerabilities / weaknesses
  - Recommend, prioritize, and implement fixes
- Implementation of Internet and remote access solution
  - Validate design; implement technical fixes, policy, and procedures
- Define network security enhancements
  - Refine requirements; select and implement solution