Forging partnerships between auditors and security managers breakthrough methods that work
Download
1 / 26

Forging Partnerships Between Auditors and Security Managers - PowerPoint PPT Presentation


  • 216 Views
  • Uploaded on

Forging Partnerships Between Auditors and Security Managers: Breakthrough Methods That Work. Randy Marchany VA Tech Computing Center Blacksburg, VA 24060 [email protected] 540-231-9523. JCSC 2000. The Auditor’s Goals.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Forging Partnerships Between Auditors and Security Managers' - Mia_John


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Forging partnerships between auditors and security managers breakthrough methods that work l.jpg

Forging Partnerships Between Auditors and Security Managers: Breakthrough Methods That Work

Randy Marchany

VA Tech Computing Center

Blacksburg, VA 24060

[email protected]

540-231-9523

JCSC 2000

Copyright 2000, Marchany


Slide2 l.jpg

Copyright 2000, Marchany Breakthrough Methods That Work


Slide3 l.jpg

Copyright 2000, Marchany Breakthrough Methods That Work


Slide4 l.jpg

Copyright 2000, Marchany Breakthrough Methods That Work


Slide5 l.jpg

Copyright 2000, Marchany Breakthrough Methods That Work


Slide6 l.jpg

Copyright 2000, Marchany Breakthrough Methods That Work


Slide7 l.jpg

Copyright 2000, Marchany Breakthrough Methods That Work


The auditor s goals l.jpg
The Auditor’s Goals Breakthrough Methods That Work

  • Ensure Assets are protected according to company, local,state and federal regulatory policies.

  • Determine what needs to be done to ensure the protection of the above assets.

  • Make life miserable for sysadmins…:-)

    • Not really. They can save a sysadmin if a problem occurs.

Copyright 2000, Marchany


The sysadmin s goals l.jpg
The Sysadmin’s Goals Breakthrough Methods That Work

  • Keep the systems up.

  • Keep users happy and out of our hair.

  • Keep auditors at arms’ length.

  • Get more resources to do the job properly.

  • Wear jeans or shorts to work when everyone else has to wear suits…….

Copyright 2000, Marchany


The sysadmin s audit strategy l.jpg
The Sysadmin’s Audit Strategy Breakthrough Methods That Work

  • Turn a perceived weakness (the audit) into a strength (security checklists).

  • Develop a set of reporting matrices that can be used as audit reports or justification for security expenditures.

  • The above info can be used to help develop your incident response plan.

Copyright 2000, Marchany


The committee l.jpg
The Committee Breakthrough Methods That Work

  • Management and Technical Personnel from the major areas of IS

    • University Libraries

    • Educational Technologies

    • University Network Management Group

    • University Computing Center

    • Administrative Information Systems

Copyright 2000, Marchany


The committee s scope l.jpg
The Committee’s Scope Breakthrough Methods That Work

  • Information Systems Division only

  • Identified and prioritized Assets

    • RISKS associated with those ASSETS

    • CONTROLS that may applied to the ASSETS to mitigate the RISKS

  • Did NOT specifically consider assets outside IS control. However, those assets are included as clients when considering access to assets we wish to protect

Copyright 2000, Marchany


The committee s charge l.jpg
The Committee’s Charge Breakthrough Methods That Work

  • From our VP for Information Systems

  • “Establish whether IS units are taking all reasonable precautions to protect info resources and to assure the accurate & reliable delivery of service”

  • “Investigate and advise the VPIS as to the security of systems throughout the university….Provide documentation of the security measures in place.”

Copyright 2000, Marchany


Identifying the assets l.jpg
Identifying the Assets Breakthrough Methods That Work

  • Compiled a list of IS assets (+100 systems)

  • Categorize them as critical, essential, normal

    • Critical - VT can’t operate w/o this asset for even a short period of time.

    • Essential - VT could work around the loss of the asset for up to a week. The asset needs to be returned to service asap

    • Normal - VT could operate w/o this asset for a finite period but entities may need to identify alternatives.

Copyright 2000, Marchany


Prioritizing the assets l.jpg
Prioritizing the Assets Breakthrough Methods That Work

  • The network(router, bridges, cabling, etc.) was treated as a single entity and deemed critical.

  • X assets were classified as critical and then rank ordered using a matrix prioritization technique. Each asset was compared to the other and members voted on their relative importance. Members could split their vote.

Copyright 2000, Marchany


Identifying the risks l.jpg
Identifying the Risks Breakthrough Methods That Work

  • A RISK was selected if it caused an incident that would:

    • Be extremely expensive to fix

    • Result in the loss of a critical service

    • Result in heavy, negative publicity especially outside the university

    • Have a high probability of occurring.

  • Risks were prioritized using matrix prioritization technique.

Copyright 2000, Marchany


Mapping risks and assets l.jpg
Mapping Risks and Assets Breakthrough Methods That Work

  • We built a matrix that maps the ordered list of critical assets against the ordered list of risks regardless of whether or not

    • A particular risk actually applied to the asset

    • Controls exist and/or already in place.

  • The matrix provides general guidance about the order each asset/risk is examined. All assets/risks need to be examined eventually.

Copyright 2000, Marchany


Identifying controls l.jpg
Identifying Controls Breakthrough Methods That Work

  • Specific controls identified by the committee were put in a matrix

  • The controls were then mapped against a list of risks and in those cells are the control ids that can mitigate a particular risk for a particular asset.

Copyright 2000, Marchany


Recommendations l.jpg
Recommendations Breakthrough Methods That Work

  • The process recommends a general order which IS should apply scarce resources to perform a cost benefit analysis for the various assets & risks.

  • For each asset, as directed by mgt, appropriate staff should:

    • Review the risks & controls

    • Add any further risks/controls not identified

    • Assess the potential cost of an incident

    • Assess the cost of control purchases and deployment

    • Analyze cost vs. benefit for each asset

    • Submit results to mgt which retains the responsibility to weigh investments and make implementation decisions

Copyright 2000, Marchany


References l.jpg
References Breakthrough Methods That Work

  • http://security.vt.edu

  • www.sans.org

  • www.nipc.gov

  • www.jmu.edu/info-security

  • www.cornell.edu/CPL

  • www.securityfocus.com

  • www.insecure.org

Copyright 2000, Marchany


Appendix 1 l.jpg
APPENDIX 1 Breakthrough Methods That Work

  • The following matrices are examples of your matrix reports

    • Exhibit A (ASSET Matrix)

    • Exhibit B (ASSET WEIGHT Matrix)

    • Exhibit C (RISKS Matrix)

    • Exhibit D (RISK WEIGHT Matrix)

    • Exhibit E (ASSET-RISK Matrix)

    • Exhibit F (CONTROLS Matrix)

Copyright 2000, Marchany


Appendix 2 l.jpg
APPENDIX 2 Breakthrough Methods That Work

  • The following spreadsheets are the compliance reports.

  • Overall Compliance Report that lists the general vulnerabilities a system has. This is a quick 1 page report for mgt. or the auditors.

  • Asset/Risk Matrix list whether a system is affected by a risk. The risks are more specific.

  • Controls Matrix lists what controls are in place for a given system.

  • Individual Action Matrix lists the details of an audit for each node. Did the system comply?

Copyright 2000, Marchany


Appendix 3 l.jpg
APPENDIX 3 Breakthrough Methods That Work

  • The following checklist gives the detailed commands to be performed in the “audit”.

  • The categories are based on the Risk Matrices in Appendix 1.

  • The results of the checklist commands are inserted in the Compliance matrices of Appendix 2.

  • This checklist and the matrices form the overall audit/security checklist package.

Copyright 2000, Marchany


Appendix 4 l.jpg
APPENDIX 4 Breakthrough Methods That Work

  • Your company’s response policy will dictate the degree of audit record keeping you’ll have to maintain.

  • There are 2 strategies:

    • Protect and Proceed

    • Pursue and Prosecute

Copyright 2000, Marchany


Incident handling protect and proceed l.jpg
Incident Handling: Breakthrough Methods That WorkProtect and Proceed?

- Which strategy should your organization follow to handle an incident? This

dictates the level of record keeping needed to fulfill the strategy. (RFC2196)

- the protection and preservation of site facilities

- return to normal operations as soon as possible

- actively interfere with intruder attempts

- begin immediate damage assessment and recovery

Use if:

- assets are not well protected

- continued penetration could result in financial risk

- possibility or willingness to prosecute is not present

- user community is unknown

- unsophisticated users and their work is vulnerable

- the site is vulnerable to lawsuits from users if their resources

are undermined

Copyright 2000, Marchany


Incident handling pursue and prosecute l.jpg
Incident Handling: Breakthrough Methods That WorkPursue and Prosecute?

- allow intruders to continue their activity until the site can identify them. This is recommended by law enforcement agencies

- Use if:

- system assets are well protected

- good backups are available

- Asset risks are outweighed by risk of future penetrations

- it's a concentrated and frequent attack

- the site has a natural attraction to intruders, e.g. university, bank

- the site is willing to spend the money and risk to catch the guy

- intruder access can be controlled

- well-developed monitoring tools are available

- you have a technically competent support staff

- management is willing to prosecute

- system administrators know in general what evidence will aid in

prosecution

- there is established contact with law enforcement agencies

- the site has involved their legal staff

Copyright 2000, Marchany


ad