Security Assessments

Security Assessments
Keith Watson, CISSP
Research Engineer
Center for Education and Research in
Information Assurance and Security
Overview
Part 1: Introduction to Security Assessments
 What is a security assessment?
 Why is it needed?
 How do you do an assessment?
Overview
Part 2: Conducting Security Assessments
 Asset Identification
 Threat Assessment
 Laws, Regulation, and Policy
 Personnel
 Security Assessment Components
 Reporting and Follow-up
Overview
Part 3: The Assessment “Experience”
 Tools
• Demonstration of Nessus
• Report Template
 Training
 Certification
Part 1: Overview of Assessments
What?
Why?
How?
What?
A security assessment is an evaluation of
the security posture of an organization.
What?
 Evaluation of
• Policy
• Security practices
• Management of systems and resources
• Security perimeters
• Handling of sensitive information
 Provided in the form of
• Report
• Presentation
What?
 Security Assessments are…
• A process
• Step-by-step (with variation)
• An examination
• See how things work (or don’t work)
• An evaluation
• Making a judgment on relative security
Why?: Need for Assessments
 Due Diligence
• Mergers and Acquisitions
• Customer/Partnership Evaluation
 Regulatory Requirement
• Banks, Financial Institutions, Hospitals
• Publicly Traded Companies
• OMB, CBO, Federal Offices of the Inspector General
 Insurance
• Set premiums for “Hacker” Insurance
 Just Good Security Management Practice
• “Know your problems”
How?
 Negotiate Project Scope
• Don’t make the project too big to finish
 Spend time on site
• Best examination made from the inside
 Talk with everyone
• A little insider knowledge goes a long way
 Look at similar organizations
• Useful in judging relative security posture
 Make cost-effective recommendations
• Don’t scare them with overpriced fixes and
complicated solutions
Part 2: Conducting Security Assessments
 Project Management
 Asset Identification
 Threat Assessment
 Laws, Regulations, and Policies
 Personnel
 Security Assessment Components
 Reporting and Follow-up
Project Management
Project Management
 Scope Definition
 Setting Expectations
 Scheduling
 Travel
 Logistics
 Completion
Asset Identification
Assets
An asset is anything that has some value to
an organization.
Asset Identification
 It is necessary to determine the assets
that need protection, their value, and
level of protection required
 Two Types:
• Tangible
• Intangible
Tangible Assets
 Tangible assets are physical
 Examples:
• Personnel
• Offices, workspaces, warehouses, etc.
• Inventory, stores, supplies, etc.
• Servers and workstations
• Network infrastructure and external
connections
• Data centers and support equipment
Intangible Assets
 Intangible assets are intellectual property
 Examples:
• Custom software
• Databases (the data, not the DBMS)
• Source code, documentation, development
processes, etc.
• Training materials
• Product development and marketing
materials
• Operational and financial data
Replace/Restore
 What would it cost to restore or replace
this asset in terms of time, effort, and
money?
 Tangible assets:
• $?
 Intangible assets:
• $$$$?
Loss of Assets
 Loss of key assets could result in harm to
the organization
• Damaged reputation
• Lost customers
• Lost shareholder confidence
• Lost competitive advantage
• Exposure to lawsuits
• Government/Regulatory fines
• Failure of organization
For Organizations
It is important to know what assets are
critical to the viability of the organization
so that they can be adequately
protected.
For Assessments
It is important to determine an
organization’s assets* to see if there is
adequate protection in place
* Your list of assets may not be the same as the organization’s list.
Threat Assessment
Threats
An event that can impact the normal
operations of an organization is a threat.
Threat Assessment
 It is necessary to determine the threats,
threat sources, and the likelihood of
occurrence
 Threat types:
• Natural Events
• Unintentional
• Intentional
Natural Threats
 Tornadoes, Hurricanes, Typhoons
 Earthquakes, Mud Slides
 Flooding
 Lightning, Thunderstorms, Hail, Strong Wind
 Ice Storms, Heavy Snowfall
 Temperature and Humidity Extremes
Intentional Threats
 Alteration of Data
 Alteration of Software
 Disclosure
 Disruption
 Employee Sabotage
 Theft
 Unauthorized Use
 Electronic Vandalism
Unintentional Threats
 Disclosure
 Electrical Disturbance (surges, dips, outage <1 hour)
 Electrical Interruption (outage >1 hour)
 Environmental Failure (HVAC, humidity)
 Fire
 Hardware Failure (disk, fan, server)
 Liquid Leakage (steam, water, sewage)
 Operator/User Error
 Software Error (bugs)
 Telecommunication Interruption (cable cut)
Threat Sources - Threat Agents
 Murphy’s Law
 Unhappy Customers
 Disgruntled Employees
 Activists (Hack-tivists)
 Script-Kiddies
 Sophisticated Attackers
• Government/Foreign/Terrorist Agents
• “Blackhats”
Likelihood of Occurrence
 Qualitative
• High, Moderate, Low
 Quantitative
• Sophisticated formulas needed
• Provides useful data to “numbers” people
 FBI Uniform Crime Reports
• Crime Index data useful
Sample Threat Assessment
[Table with columns Threat, Source, Likelihood, Impact. Rows: Alteration of Data (Source “Hacker”, Likelihood Low, Impact Moderate); Alteration of Data (Source Disgruntled Employee, Impact Severe); Power Loss (>6 hours); Hardware Failure; Operator Error. Remaining sources listed: Weather, Disgruntled Employee, Untrained Employee. Likelihood values used: Low, Moderate, High; Impact values used: Moderate, High, Severe. The remaining cell values are not recoverable in order from the transcript.]
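As an added worked example (not from the slides), the following Python builds a small qualitative threat register in the style of the Sample Threat Assessment table and ranks it for the report. The Low/Moderate/High likelihood scale and the Moderate/High/Severe impact values come from the deck; the numeric weights, the score bands, the `Threat`/`rank`/`report_rows` names and every row except the first are assumptions.

```python
# Added example, not from the slides: a qualitative threat register in the
# style of the deck's "Sample Threat Assessment" table. Likelihood and impact
# labels are the deck's; numeric weights, bands and all rows but the first
# are assumed.
from dataclasses import dataclass

LIKELIHOOD = {"Low": 1, "Moderate": 2, "High": 3}          # assumed weights
IMPACT = {"Low": 1, "Moderate": 2, "High": 3, "Severe": 4}  # assumed weights


@dataclass(frozen=True)
class Threat:
    event: str        # threat, e.g. "Alteration of Data"
    source: str       # threat agent, e.g. "Disgruntled Employee"
    likelihood: str   # key of LIKELIHOOD
    impact: str       # key of IMPACT

    def __post_init__(self) -> None:
        # Reject ratings outside the scales so a typo cannot silently rank low.
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"bad rating for {self.event!r}")

    def score(self) -> int:
        """Risk score = likelihood weight x impact weight (assumed model)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rating(score: int) -> str:
    """Band a score back onto the qualitative scale (assumed cut-offs)."""
    return "High" if score >= 8 else "Moderate" if score >= 4 else "Low"


def rank(threats: list[Threat]) -> list[Threat]:
    # Highest score first; on ties prefer the higher impact, then name order.
    return sorted(threats, key=lambda t: (-t.score(), -IMPACT[t.impact], t.event))


def report_rows(threats: list[Threat]) -> list[str]:
    """One line per threat for the assessment report, in ranked order."""
    return [f"{t.event} | {t.source} | {t.likelihood} | {t.impact} | "
            f"{t.score()} ({rating(t.score())})" for t in rank(threats)]


# Constructed register: the first row is from the slide, the rest are made up.
SAMPLE = [
    Threat("Alteration of Data", "\"Hacker\"", "Low", "Moderate"),
    Threat("Alteration of Data", "Disgruntled Employee", "Low", "Severe"),
    Threat("Power Loss (>6 hours)", "Weather", "Moderate", "High"),
    Threat("Hardware Failure", "Murphy's Law", "Moderate", "Moderate"),
    Threat("Operator Error", "Untrained Employee", "High", "Moderate"),
]
```

Calling `print("\n".join(report_rows(SAMPLE)))` gives the ranked rows for the report; the qualitative bands are the point, not the raw numbers.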
Laws, Regulations, and Policies
Laws
 Depending on the organization’s business, there
may be several laws that govern the protection
of information
• CA Database Breach Notification Act
• Sarbanes-Oxley Act of 2002
• Health Insurance Portability and Accountability Act of 1996
(HIPAA)
• Gramm-Leach-Bliley Act of 1999
• Computer Security Act of 1987
• Computer Fraud and Abuse Act of 1986
• Federal Education Rights and Privacy Act (FERPA)
• European Union Data Privacy Directive
Law Surveys
 A survey may be necessary to determine
which laws apply to an organization
 Look for Federal “interest” systems,
private data, health info, public
company financials, market data, etc.
 Organizations that operate on behalf of
the government are subject to various laws
 Get a lawyer for the in-depth stuff
Policy
Policies are statements of intentions and/or
principles by which an organization is
organized, guided, and evaluated.
Policy Types
 Organization
 Program
 Issue-Specific
 System-Specific
Policy Reviews
 Reviews are necessary to evaluate
adequacy and compliance
 Some organizations have no security
policies at all
 Most do not follow their own policies
 Most employees are unaware of policies
 Most policies are out-of-date
Personnel
Personnel
 Interviews are needed to assess
knowledge and awareness of information
security
 Valuable for determining unwritten rules
 Employees should be divided into
categories
 Interview groups and ask questions
relevant to the job function
 Do not be adversarial or demanding
Security Assessment Components
Security Assessment Components
 Network Security
 System Security
 Application Security
 Operational Security
 Physical Security
Network Security
Involves the actions taken and controls in
place to secure the network and
networked systems
Network Security Assessment
 Gather network maps, installation procedures,
checklists; evaluate
 Scan networks and networked systems
• Vulnerability Scanners: Nessus (free), ISS
• Port Scanners: nmap, hping
• Application Scanners: whisker, nikto
 Target Selection
• Key systems (where the goodies are stored)
• Exposed systems (where the bad guys play)
• Gateway systems (intersection of networks)
System Security
Involves the actions taken to
secure computing systems
System Security Assessment
 Gather software/system inventory info, security
standards, checklists, management
procedures; evaluate
 Review configuration with admin
 Use a security checklist to evaluate current
configuration
 Target Selection:
• Database Systems and File Servers
• Network Application Servers
• A typical Desktop
Application Security
Consists of the requirements, specifications,
architecture, implementation, and test
procedures used to secure applications
Application Security Assessment
 Gather application and internal
development docs, source code
 Review source code for common
programming flaws
 Use static code analysis tools
• Fortify, RATS, ITS4, FlawFinder
 Skill dependent task; time consuming
 At minimum, evaluate development
procedures
Operational Security
Consists of the day-to-day security
management planning and actions
taken to support the mission of the
organization
Operational Security Assessment
 Gather procedures, contingency plans
 Evaluate overall security management
 Review backup, disposal procedures
 Examine business continuity, disaster
recovery plans
 Look at automated security tasks (virus
updates, patches, integrity checks)
 Look at administrator security practices
Physical Security
Consists of the planning and protective
measures taken to prevent unauthorized
access to the facilities and damage to
and loss of assets
Physical Security Assessment
 Gather policy and procedure documents
 Examine facility and take pictures
 Building
• Life Safety (fire/smoke detection, alarms, suppression)
• Burglar alarms, security guards, police response time
 Security Perimeter
• Strong doors, locks, visitor areas, sign-in procedures
 Server Rooms
• Environmental controls and monitoring
• Sufficient power and HVAC
• Locked cabinets and equipment
Reporting and Follow-up
Reporting and Follow-up
 Once the assessment is complete, a
report is needed to inform the client of
issues found
 Report should explain findings in simple
terms (remember the audience)
 Be available to answer questions and
provide explanations
Part 3: The Assessment “Experience”
 Tools
• Demonstration of Nessus
• Report Template
 Training
 Certification