Security Assessments
Keith Watson, CISSP
Research Engineer
Center for Education and Research in
Information Assurance and Security
Overview
Part 1: Introduction to Security Assessments
What is a security assessment?
Why is it needed?
How do you do an assessment?
Overview
Part 2: Conducting Security Assessments
Asset Identification
Threat Assessment
Laws, Regulation, and Policy
Personnel
Security Assessment Components
Reporting and Follow-up
Overview
Part 3: The Assessment “Experience”
Tools
• Demonstration of Nessus
• Report Template
Training
Certification
Part 1: Overview of Assessments
What?
Why?
How?
What?
A security assessment is an evaluation of the security posture of an organization.
What?
Evaluation of
• Policy
• Security practices
• Management of systems and resources
• Security perimeters
• Handling of sensitive information
Provided in the form of
• Report
• Presentation
What?
Security Assessments are…
• A process
• Step-by-step (with variation)
• An examination
• See how things work (or don’t work)
• An evaluation
• Making a judgment on relative security
Why?: Need for Assessments
Due Diligence
• Mergers and Acquisitions
• Customer/Partnership Evaluation
Regulatory Requirement
• Banks, Financial Institutions, Hospitals
• Publicly Traded Companies
• OMB, CBO, Federal Offices of the Inspector General
Insurance
• Set premiums for “Hacker” Insurance
Just Good Security Management Practice
• “Know your problems”
How?
Negotiate Project Scope
• Don’t make the project too big to finish
Spend time on site
• Best examination made from the inside
Talk with everyone
• A little insider knowledge goes a long way
Look at similar organizations
• Useful in judging relative security posture
Make cost-effective recommendations
• Don’t scare them with overpriced fixes and complicated solutions
Part 2: Conducting Security Assessments
Project Management
Asset Identification
Threat Assessment
Laws, Regulations, and Policies
Personnel
Security Assessment Components
Reporting and Follow-up
Project Management
Project Management
Scope Definition
Setting Expectations
Scheduling
Travel
Logistics
Completion
Asset Identification
Assets
An asset is anything that has some value to an organization.
Asset Identification
It is necessary to determine the assets that need protection, their value, and the level of protection required.
Two Types:
• Tangible
• Intangible
Tangible Assets
Tangible assets are physical
Examples:
• Personnel
• Offices, workspaces, warehouses, etc.
• Inventory, stores, supplies, etc.
• Servers and workstations
• Network infrastructure and external connections
• Data centers and support equipment
Intangible Assets
Intangible assets are intellectual property
Examples:
• Custom software
• Databases (the data, not the DBMS)
• Source code, documentation, development processes, etc.
• Training materials
• Product development and marketing materials
• Operational and financial data
Replace/Restore
What would it cost to restore or replace this asset in terms of time, effort, and money?
Tangible assets:
• $?
Intangible assets:
• $$$$?
Loss of Assets
Loss of key assets could result in harm to the organization:
• Damaged reputation
• Lost customers
• Lost shareholder confidence
• Lost competitive advantage
• Exposure to lawsuits
• Government/Regulatory fines
• Failure of organization
For Organizations
It is important to know what assets are critical to the viability of the organization so that they can be adequately protected.
For Assessments
It is important to determine an organization’s assets* to see if there is adequate protection in place.
* Your list of assets may not be the same as the organization’s list.
Threat Assessment
Threats
An event that can impact the normal operations of an organization is a threat.
Threat Assessment
It is necessary to determine the threats, threat sources, and the likelihood of occurrence.
Threat types:
• Natural Events
• Unintentional
• Intentional
Natural Threats
Tornadoes, Hurricanes, Typhoons
Earthquakes, Mud Slides
Flooding
Lightning, Thunderstorms, Hail, Strong Wind
Ice Storms, Heavy Snowfall
Temperature and Humidity Extremes
Intentional Threats
Alteration of Data
Alteration of Software
Disclosure
Disruption
Employee Sabotage
Theft
Unauthorized Use
Electronic Vandalism
Unintentional Threats
Disclosure
Electrical Disturbance (surges, dips, outage <1 hour)
Electrical Interruption (outage >1 hour)
Environmental Failure (HVAC, humidity)
Fire
Hardware Failure (disk, fan, server)
Liquid Leakage (steam, water, sewage)
Operator/User Error
Software Error (bugs)
Telecommunication Interruption (cable cut)
Threat Sources - Threat Agents
Murphy’s Law
Unhappy Customers
Disgruntled Employees
Activists (Hack-tivists)
Script-Kiddies
Sophisticated Attackers
• Government/Foreign/Terrorist Agents
• “Blackhats”
Likelihood of Occurrence
Qualitative
• High, Moderate, Low
Quantitative
• Sophisticated formulas needed
• Provides useful data to “numbers” people
FBI Uniform Crime Reports
• Crime Index data useful
Sample Threat Assessment
Threat                  Source                 Likelihood   Impact
Alteration of Data      “Hacker”               Low          Moderate
Alteration of Data      Disgruntled Employee   Moderate     High
Power Loss (>6 hours)   Severe Weather         Low          Moderate
Hardware Failure        Disgruntled Employee   Low          High
Operator Error          Untrained Employee     Moderate     High
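The slides rate likelihood and impact qualitatively and leave the quantitative side to “sophisticated formulas”. The following added example (not from the slides) turns the sample table into a small risk register: an assumed three-level matrix turns each likelihood/impact pair into a risk rating, the rows are ordered for the report, and a commonly used quantitative formula (replace/restore cost times expected yearly occurrences) is included as an assumption the deck does not spell out.

```python
"""Risk register built from the deck's sample threat assessment.

Added example, not from the original slides. The five rows are the
deck's sample table; the ordinal scale, the risk matrix thresholds and
the quantitative step are assumptions made here.
"""
from dataclasses import dataclass

# Ordinal scale for the qualitative ratings used on the slides (assumed).
SCALE = {"Low": 1, "Moderate": 2, "High": 3}


@dataclass(frozen=True)
class Threat:
    name: str
    source: str
    likelihood: str  # qualitative: Low / Moderate / High
    impact: str      # qualitative: Low / Moderate / High


# Rows transcribed from the deck's "Sample Threat Assessment" table.
SAMPLE_THREATS = [
    Threat("Alteration of Data", '"Hacker"', "Low", "Moderate"),
    Threat("Alteration of Data", "Disgruntled Employee", "Moderate", "High"),
    Threat("Power Loss (>6 hours)", "Severe Weather", "Low", "Moderate"),
    Threat("Hardware Failure", "Disgruntled Employee", "Low", "High"),
    Threat("Operator Error", "Untrained Employee", "Moderate", "High"),
]


def qualitative_risk(t: Threat) -> str:
    """Map likelihood x impact (1..9) onto a three-level rating (assumed matrix)."""
    score = SCALE[t.likelihood] * SCALE[t.impact]
    if score >= 6:
        return "High"
    if score >= 3:
        return "Moderate"
    return "Low"


def prioritize(threats):
    """Order threats for the report: highest risk first, ties broken by impact."""
    return sorted(threats,
                  key=lambda t: (SCALE[qualitative_risk(t)], SCALE[t.impact]),
                  reverse=True)


def expected_annual_loss(restore_cost: float, annual_rate: float) -> float:
    """Quantitative view (assumed formula): single-loss replace/restore cost
    from the asset inventory times the expected number of occurrences per year."""
    return restore_cost * annual_rate


if __name__ == "__main__":
    for t in prioritize(SAMPLE_THREATS):
        print(f"{qualitative_risk(t):8} {t.name:22} {t.source}")
    print(expected_annual_loss(40_000, 0.1))  # constructed figures
```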
Laws, Regulations,
and Policies
Laws
Depending on the organization’s business, there may be several laws that govern the protection of information:
• CA Database Breach Notification Act
• Sarbanes-Oxley Act of 2002
• Health Insurance Portability and Accountability Act of 1996
(HIPAA)
• Gramm-Leach-Bliley Act of 1999
• Computer Security Act of 1987
• Computer Fraud and Abuse Act of 1986
• Federal Education Rights and Privacy Act (FERPA)
• European Union Data Privacy Directive
Law Surveys
A survey may be necessary to determine which laws apply to an organization.
Look for Federal “interest” systems, private data, health info, public company financials, market data, etc.
Organizations that operate on behalf of the government are subject to various laws.
Get a lawyer for the in-depth stuff.
Policy
Policies are statements of intentions and/or principles by which an organization is organized, guided, and evaluated.
Policy Types
Organization
Program
Issue-Specific
System-Specific
Policy Reviews
Reviews are necessary to evaluate adequacy and compliance.
Some organizations have no security policies at all.
Most do not follow their own policies
Most employees are unaware of policies
Most policies are out-of-date
Personnel
Personnel
Interviews are needed to assess knowledge and awareness of information security.
Valuable for determining unwritten rules.
Employees should be divided into categories.
Interview groups and ask questions relevant to the job function.
Do not be adversarial or demanding
Security Assessment
Components
Security Assessment Components
Network Security
System Security
Application Security
Operational Security
Physical Security
Network Security
Involves the actions taken and controls in place to secure the network and networked systems.
Network Security Assessment
Gather network maps, installation procedures, checklists; evaluate.
Scan networks and networked systems
• Vulnerability Scanners: Nessus (free), ISS
• Port Scanners: nmap, hping
• Application Scanners: whisker, nikto
Target Selection
• Key systems (where the goodies are stored)
• Exposed systems (where the bad guys play)
• Gateway systems (intersection of networks)
System Security
Involves the actions taken to secure computing systems.
System Security Assessment
Gather software/system inventory info, security standards, checklists, management procedures; evaluate.
Review configuration with admin.
Use a security checklist to evaluate current configuration.
Target Selection:
• Database Systems and File Servers
• Network Application Servers
• A typical Desktop
Application Security
Consists of the requirements, specifications, architecture, implementation, and test procedures used to secure applications.
Application Security Assessment
Gather application and internal development docs, source code.
Review source code for common programming flaws.
Use static code analysis tools
• Fortify, RATS, ITS4, FlawFinder
Skill dependent task; time consuming
At minimum, evaluate development procedures.
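RATS, ITS4 and FlawFinder, named above, are lexical scanners: they match known-risky call sites in source text and rank the hits by severity for a reviewer. The following added example (not from the slides or from those tools) shows that technique in miniature; the rule table and the sample C source are constructed for the example.

```python
"""Minimal lexical source checker in the style of RATS/ITS4/FlawFinder.

Added example, not from the slides or those tools. RULES and SAMPLE_C are
constructed. Comments are blanked first so commented-out code is not reported.
"""
import re

# Rule table (constructed): call-site pattern, severity 1 (low) to 5 (high), reviewer note.
RULES = [
    (re.compile(r"\bgets\s*\("),    5, "gets() cannot bound its input; replace with fgets()"),
    (re.compile(r"\bstrcpy\s*\("),  4, "unbounded copy; use a length-checked copy"),
    (re.compile(r"\bsprintf\s*\("), 4, "unbounded format; use snprintf()"),
    (re.compile(r"\bsystem\s*\("),  4, "spawns a shell; confirm the argument is not user-influenced"),
    (re.compile(r"\bstrncpy\s*\("), 1, "bounded, but may leave the buffer unterminated"),
]


def strip_comments(src: str) -> str:
    """Blank /* */ and // comments with spaces so line numbers stay intact
    (simplification: does not special-case // inside string literals)."""
    def blank(m):
        return re.sub(r"[^\n]", " ", m.group(0))
    src = re.sub(r"/\*.*?\*/", blank, src, flags=re.S)
    return re.sub(r"//[^\n]*", blank, src)


def scan(src: str):
    """Return findings as (line, severity, note) tuples, highest severity first."""
    findings = []
    for lineno, line in enumerate(strip_comments(src).splitlines(), start=1):
        for pattern, severity, note in RULES:
            if pattern.search(line):
                findings.append((lineno, severity, note))
    return sorted(findings, key=lambda f: (-f[1], f[0]))


# Constructed sample: the kind of legacy C an assessor meets during review.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);          /* flaw: no length check */
    printf("hello %s\\n", buf);
}
int main(void) {
    char line[64];
    gets(line);                 // flaw: gets() is unbounded
    // strcpy(line, "x") is commented out and must not be reported
    strncpy(line, "safe-ish", sizeof line);
    greet(line);
    return 0;
}
"""

if __name__ == "__main__":
    for line, sev, note in scan(SAMPLE_C):
        print(f"line {line:3} sev {sev}: {note}")
```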
Operational Security
Consists of the day-to-day security management planning and actions taken to support the mission of the organization.
Operational Security Assessment
Gather procedures, contingency plans
Evaluate overall security management
Review backup, disposal procedures
Examine business continuity, disaster recovery plans
Look at automated security tasks (virus updates, patches, integrity checks)
Look at administrator security practices
Physical Security
Consists of the planning and protective measures taken to prevent unauthorized access to the facilities and damage to and loss of assets.
Physical Security Assessment
Gather policy and procedure documents
Examine facility and take pictures
Building
• Life Safety (fire/smoke detection, alarms, suppression)
• Burglar alarms, security guards, police response time
Security Perimeter
• Strong doors, locks, visitor areas, sign-in procedures
Server Rooms
• Environmental controls and monitoring
• Sufficient power and HVAC
• Locked cabinets and equipment
Reporting and Follow-up
Reporting and Follow-up
Once the assessment is complete, a report is needed to inform the client of issues found.
Report should explain findings in simple terms (remember the audience).
Be available to answer questions and provide explanations.
Part 3: The Assessment “Experience”
Tools
• Demonstration of Nessus
• Report Template
Training
Certification