
Security Assessments


Presentation Transcript


  1. Security Assessments
  Keith Watson, CISSP
  kaw@cerias.purdue.edu
  Research Engineer
  Center for Education and Research in Information Assurance and Security

  2. Overview
  Part 1: Introduction to Security Assessments
  • What is a security assessment?
  • Why is it needed?
  • How do you do an assessment?

  3. Overview
  Part 2: Conducting Security Assessments
  • Asset Identification
  • Threat Assessment
  • Laws, Regulation, and Policy
  • Personnel
  • Security Assessment Components
  • Reporting and Follow-up

  4. Overview
  Part 3: The Assessment “Experience”
  • Tools
  • Demonstration of Nessus
  • Report Template
  • Training
  • Certification

  5. Part 1: Overview of Assessments What? Why? How?

  6. What? A security assessment is an evaluation of the security posture of an organization.

  7. What?
  • Evaluation of
    • Policy
    • Security practices
    • Management of systems and resources
    • Security perimeters
    • Handling of sensitive information
  • Provided in the form of
    • Report
    • Presentation

  8. What?
  • Security Assessments are…
    • A process
      • Step-by-step (with variation)
    • An examination
      • See how things work (or don’t work)
    • An evaluation
      • Making a judgment on relative security

  9. Why?: Need for Assessments
  • Due Diligence
    • Mergers and Acquisitions
    • Customer/Partnership Evaluation
  • Regulatory Requirement
    • Banks, Financial Institutions, Hospitals
    • Publicly Traded Companies
    • OMB, CBO, Federal Offices of the Inspector General
  • Insurance
    • Set premiums for “Hacker” Insurance
  • Just Good Security Management Practice
    • “Know your problems”

  10. How?
  • Negotiate Project Scope
    • Don’t make the project too big to finish
  • Spend time on site
    • Best examination made from the inside
  • Talk with everyone
    • A little insider knowledge goes a long way
  • Look at similar organizations
    • Useful in judging relative security posture
  • Make cost-effective recommendations
    • Don’t scare them with overpriced fixes and complicated solutions

  11. Part 2: Conducting Security Assessments
  • Project Management
  • Asset Identification
  • Threat Assessment
  • Laws, Regulations, and Policies
  • Personnel
  • Security Assessment Components
  • Reporting and Follow-up

  12. Project Management

  13. Project Management
  • Scope Definition
  • Setting Expectations
  • Scheduling
  • Travel
  • Logistics
  • Completion

  14. Asset Identification

  15. Assets An asset is anything that has some value to an organization.

  16. Asset Identification
  • It is necessary to determine the assets that need protection, their value, and level of protection required
  • Two Types:
    • Tangible
    • Intangible

  17. Tangible Assets
  • Tangible assets are physical
  • Examples:
    • Personnel
    • Offices, workspaces, warehouses, etc.
    • Inventory, stores, supplies, etc.
    • Servers and workstations
    • Network infrastructure and external connections
    • Data centers and support equipment

  18. Intangible Assets
  • Intangible assets are intellectual property
  • Examples:
    • Custom software
    • Databases (the data, not the DBMS)
    • Source code, documentation, development processes, etc.
    • Training materials
    • Product development and marketing materials
    • Operational and financial data

  19. Replace/Restore
  • What would it cost to restore or replace this asset in terms of time, effort, and money?
  • Tangible assets:
    • $?
  • Intangible assets:
    • $$$$?

  20. Loss of Assets
  • Loss of key assets could result in harm to the organization
    • Damaged reputation
    • Lost customers
    • Lost shareholder confidence
    • Lost competitive advantage
    • Exposure to lawsuits
    • Government/Regulatory fines
    • Failure of organization

  21. For Organizations It is important to know what assets are critical to the viability of the organization so that they can be adequately protected.

  22. For Assessments
  It is important to determine an organization’s assets* to see if there is adequate protection in place.
  * Your list of assets may not be the same as the organization’s list.

  23. Threat Assessment

  24. Threats An event that can impact the normal operations of an organization is a threat.

  25. Threat Assessment
  • It is necessary to determine the threats, threat sources, and the likelihood of occurrence
  • Threat types:
    • Natural Events
    • Unintentional
    • Intentional

  26. Natural Threats
  • Tornadoes, Hurricanes, Typhoons
  • Earthquakes, Mud Slides
  • Flooding
  • Lightning, Thunderstorms, Hail, Strong Wind
  • Ice Storms, Heavy Snowfall
  • Temperature and Humidity Extremes

  27. Intentional Threats
  • Alteration of Data
  • Alteration of Software
  • Disclosure
  • Disruption
  • Employee Sabotage
  • Theft
  • Unauthorized Use
  • Electronic Vandalism

  28. Unintentional Threats
  • Disclosure
  • Electrical Disturbance (surges, dips, outage <1 hour)
  • Electrical Interruption (outage >1 hour)
  • Environmental Failure (HVAC, humidity)
  • Fire
  • Hardware Failure (disk, fan, server)
  • Liquid Leakage (steam, water, sewage)
  • Operator/User Error
  • Software Error (bugs)
  • Telecommunication Interruption (cable cut)

  29. Threat Sources - Threat Agents
  • Murphy’s Law
  • Unhappy Customers
  • Disgruntled Employees
  • Activists (Hack-tivists)
  • Script-Kiddies
  • Sophisticated Attackers
  • Government/Foreign/Terrorist Agents
  • “Blackhats”

  30. Likelihood of Occurrence
  • Qualitative
    • High, Moderate, Low
  • Quantitative
    • Sophisticated formulas needed
    • Provides useful data to “numbers” people
  • FBI Uniform Crime Reports
    • Crime Index data useful

  31. Sample Threat Assessment
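
The sample threat assessment on this slide was an image that did not survive the transcript. As an added illustration (not the presentation's own material), the following Python script builds a small risk register from constructed assets and threats. It combines the qualitative High/Moderate/Low scale from the "Likelihood of Occurrence" slide with a quantitative annualized-loss figure (replace/restore cost × expected occurrences per year, a standard formula assumed here; the slides only say "sophisticated formulas needed"). All asset names, costs, impact thresholds, threat likelihoods and the asset-to-threat mapping are constructed sample values.

```python
"""Added example: a small asset/threat risk register in the style of the
'Sample Threat Assessment' slide. Not from the original presentation;
every asset, threat, cost and likelihood below is constructed sample data."""

# Qualitative scale used on the slides: High / Moderate / Low.
LEVELS = {"Low": 1, "Moderate": 2, "High": 3}

# Constructed sample assets with a replace/restore cost in dollars (slide 19).
ASSETS = [
    {"name": "Customer database", "type": "intangible", "replace_cost": 500_000},
    {"name": "File server", "type": "tangible", "replace_cost": 8_000},
    {"name": "Development workstation", "type": "tangible", "replace_cost": 2_500},
]

# Constructed sample threats: slide type (natural/unintentional/intentional),
# qualitative likelihood, and an assumed expected-occurrences-per-year figure.
THREATS = [
    {"name": "Disk failure", "type": "unintentional", "likelihood": "High", "per_year": 0.5},
    {"name": "Disclosure by disgruntled employee", "type": "intentional", "likelihood": "Moderate", "per_year": 0.1},
    {"name": "Flooding", "type": "natural", "likelihood": "Low", "per_year": 0.02},
]

# Which threats apply to which assets (constructed mapping).
EXPOSURE = {
    "Customer database": ["Disk failure", "Disclosure by disgruntled employee", "Flooding"],
    "File server": ["Disk failure", "Flooding"],
    "Development workstation": ["Disk failure"],
}


def impact_level(replace_cost):
    """Map replace/restore cost onto High/Moderate/Low (thresholds are assumptions)."""
    if replace_cost >= 100_000:
        return "High"
    if replace_cost >= 5_000:
        return "Moderate"
    return "Low"


def qualitative_score(likelihood, impact):
    """Likelihood × impact on the 1..3 scale, so 1 (Low/Low) up to 9 (High/High)."""
    return LEVELS[likelihood] * LEVELS[impact]


def annualized_loss(replace_cost, per_year):
    """Annualized loss expectancy: single-loss cost × expected occurrences per year
    (standard ALE formula, assumed here; not a formula given on the slides)."""
    return replace_cost * per_year


def build_register(assets, threats, exposure):
    """One row per (asset, threat) pair, highest qualitative score first,
    ties broken by the larger annualized loss."""
    by_name = {t["name"]: t for t in threats}
    rows = []
    for asset in assets:
        impact = impact_level(asset["replace_cost"])
        for tname in exposure.get(asset["name"], []):
            t = by_name[tname]
            rows.append({
                "asset": asset["name"],
                "threat": tname,
                "likelihood": t["likelihood"],
                "impact": impact,
                "score": qualitative_score(t["likelihood"], impact),
                "ale": annualized_loss(asset["replace_cost"], t["per_year"]),
            })
    rows.sort(key=lambda r: (r["score"], r["ale"]), reverse=True)
    return rows


if __name__ == "__main__":
    print("score  annual loss  asset                     threat (likelihood/impact)")
    for r in build_register(ASSETS, THREATS, EXPOSURE):
        print(f"{r['score']:>5}  ${r['ale']:>10,.0f}  {r['asset']:<25} "
              f"{r['threat']} ({r['likelihood']}/{r['impact']})")
```

Running it lists the pairs from the most urgent (customer database vs. disk failure, score 9, annualized loss $250,000) down to the least (file server vs. flooding, score 2). The qualitative score is what you would show in the report narrative; the annualized loss is the figure the "numbers people" on slide 30 can compare against the cost of a recommended control.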

  32. Laws, Regulations, and Policies

  33. Laws
  • Depending on the organization’s business, there may be several laws that govern the protection of information
    • CA Database Breach Notification Act
    • Sarbanes-Oxley Act of 2002
    • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    • Gramm-Leach-Bliley Act of 1999
    • Computer Security Act of 1987
    • Computer Fraud and Abuse Act of 1986
    • Federal Education Rights and Privacy Act (FERPA)
    • European Union Data Privacy Directive

  34. Law Surveys
  • A survey may be necessary to determine which laws apply to an organization
  • Look for Federal “interest” systems, private data, health info, public company financials, market data, etc.
  • Organizations that operate on behalf of the government are subject to various laws
  • Get a lawyer for the in-depth stuff

  35. Policy Policies are statements of intentions and/or principles by which an organization is organized, guided, and evaluated.

  36. Policy Types
  • Organization
  • Program
  • Issue-Specific
  • System-Specific

  37. Policy Reviews
  • Reviews are necessary to evaluate adequacy and compliance
    • Some organizations have no security policies at all
    • Most do not follow their own policies
    • Most employees are unaware of policies
    • Most policies are out-of-date

  38. Personnel

  39. Personnel
  • Interviews are needed to assess knowledge and awareness of information security
    • Valuable for determining unwritten rules
  • Employees should be divided into categories
    • Interview groups and ask questions relevant to the job function
  • Do not be adversarial or demanding

  40. Security Assessment Components

  41. Security Assessment Components
  • Network Security
  • System Security
  • Application Security
  • Operational Security
  • Physical Security

  42. Network Security Involves the actions taken and controls in place to secure the network and networked systems

  43. Network Security Assessment
  • Gather network maps, installation procedures, checklists; evaluate
  • Scan networks and networked systems
    • Vulnerability Scanners: Nessus (free), ISS
    • Port Scanners: nmap, hping
    • Application Scanners: whisker, nikto
  • Target Selection
    • Key systems (where the goodies are stored)
    • Exposed systems (where the bad guys play)
    • Gateway systems (intersection of networks)
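
The slide names nmap as the port scanner and then asks you to pick targets by class (key, exposed, gateway). The assessor's real work starts after the scan: turning the raw output into a per-host inventory and a short list of services to review with the administrators. The script below, an added example that is not part of the presentation, parses nmap's grepable (`-oG`) output format, which records each host's ports as `port/state/protocol/owner/service/rpcinfo/version` entries. The scan text, the address ranges used to assign the three target classes, and the list of services to review first are all constructed sample data for this example.

```python
"""Added example (not from the presentation): summarize nmap grepable (-oG)
output into a per-host inventory for target selection. The scan lines below
are constructed sample data, not a real scan."""
import re

SAMPLE_SCAN = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 10.0.0.5 (db01.example.internal)\tStatus: Up
Host: 10.0.0.5 (db01.example.internal)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 3306/open/tcp//mysql//MySQL 5.7/\tIgnored State: closed (998)
Host: 203.0.113.20 (www.example.test)\tStatus: Up
Host: 203.0.113.20 (www.example.test)\tPorts: 80/open/tcp//http//Apache httpd/, 443/open/tcp//https//Apache httpd/, 23/open/tcp//telnet///\tIgnored State: filtered (997)
Host: 10.0.0.1 (gw.example.internal)\tStatus: Up
Host: 10.0.0.1 (gw.example.internal)\tPorts: 22/open/tcp//ssh///, 161/open/udp//snmp///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# Assumed for this example: the internal range, the gateway addresses, and the
# services an assessor would usually discuss with the admins first (cleartext
# or management protocols, database listeners).
PRIVATE_PREFIX = "10.0.0."
GATEWAY_HOSTS = {"10.0.0.1"}
REVIEW_SERVICES = {"telnet", "ftp", "snmp", "mysql", "smb"}

# Only the "Ports:" record carries the port list; the "Status:" record is skipped.
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\t|$)")


def parse_grepable(text):
    """Return {ip: {"hostname": str, "ports": [(port, proto, state, service), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname, ports_field = m.groups()
        ports = []
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            if len(fields) < 5:
                continue  # malformed entry; ignore rather than crash mid-report
            port, state, proto, _owner, service = fields[:5]
            ports.append((int(port), proto, state, service))
        hosts[ip] = {"hostname": hostname, "ports": ports}
    return hosts


def classify(ip):
    """Map a host onto the slide's target classes: gateway, key (internal), exposed."""
    if ip in GATEWAY_HOSTS:
        return "gateway"
    if ip.startswith(PRIVATE_PREFIX):
        return "key"
    return "exposed"


def review_candidates(hosts):
    """Open ports running a REVIEW_SERVICES service, grouped per host."""
    out = {}
    for ip, info in hosts.items():
        flagged = [p for p in info["ports"] if p[2] == "open" and p[3] in REVIEW_SERVICES]
        if flagged:
            out[ip] = flagged
    return out


if __name__ == "__main__":
    hosts = parse_grepable(SAMPLE_SCAN)
    for ip, info in hosts.items():
        print(f"{ip:<14} {classify(ip):<8} {info['hostname']}")
        for port, proto, state, service in info["ports"]:
            print(f"    {port}/{proto} {state} {service}")
    print("review first:", review_candidates(hosts))
```

In the sample data the parser yields three hosts, one per class, and the review list picks out the telnet listener on the exposed web server, SNMP on the gateway and the MySQL listener on the key database host: exactly the items you would raise in the configuration review with the administrators on the next slide.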

  44. System Security
  Involves the actions taken to secure computing systems

  45. System Security Assessment
  • Gather software/system inventory info, security standards, checklists, management procedures; evaluate
  • Review configuration with admin
    • Use a security checklist to evaluate current configuration
  • Target Selection:
    • Database Systems and File Servers
    • Network Application Servers
    • A typical Desktop

  46. Application Security Consists of the requirements, specifications, architecture, implementation, and test procedures used to secure applications

  47. Application Security Assessment
  • Gather application and internal development docs, source code
  • Review source code for common programming flaws
  • Use static code analysis tools
    • Fortify, RATS, ITS4, FlawFinder
  • Skill dependent task; time consuming
  • At minimum, evaluate development procedures
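
RATS, ITS4 and FlawFinder, named on the slide, work mostly lexically: they tokenize the source, match calls to C library functions that are easy to misuse, and rank the hits by severity for a human reviewer. The following Python script is an added example that reproduces that idea in miniature; it is not the presentation's code and not any of those tools' rule sets. The table of flagged functions, the severities, and the C source it scans are all constructed for the example. It also shows the one refinement a reviewer immediately wants, namely that commented-out code is not reported.

```python
"""Added example (not the presentation's code and not FlawFinder/RATS/ITS4
themselves): a minimal lexical checker in the style of those tools. It flags
calls to C library functions that are commonly misused, with a severity and a
suggested alternative. The C source below is constructed sample input."""
import re

# Function -> (severity, note). Constructed for this example, not any tool's rule set.
RISKY_CALLS = {
    "gets":    ("high",   "no bounds check on input; use fgets with a size"),
    "strcpy":  ("high",   "unbounded copy; use strlcpy/snprintf or check lengths"),
    "strcat":  ("high",   "unbounded concatenation; use strlcat or check lengths"),
    "sprintf": ("medium", "unbounded format into buffer; use snprintf"),
    "system":  ("medium", "shell command execution; validate input or use execve"),
    "strncpy": ("low",    "may leave result unterminated; ensure NUL termination"),
}

# Word boundary so that e.g. snprintf( and strncpy( do not match sprintf/strcpy.
CALL_RE = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(")

SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

/* constructed sample for the checker */
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);            /* flagged: unbounded copy */
    printf("hello %s\\n", buf);
}

void read_line(void) {
    char line[64];
    gets(line);                   /* flagged: no bounds check */
    // sprintf(line, "x");       // commented out: not flagged
}

void safe_copy(char *dst, size_t n, const char *src) {
    snprintf(dst, n, "%s", src);  /* snprintf is not in the table */
}
"""


def strip_comments(line):
    """Drop // comments and single-line /* */ comments so commented-out code is not flagged."""
    line = re.sub(r"/\*.*?\*/", "", line)
    return line.split("//", 1)[0]


def scan_source(text, filename="sample.c"):
    """Return findings as (filename, line_no, function, severity, note),
    highest severity first, then by line number."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = strip_comments(raw)
        for m in CALL_RE.finditer(line):
            fn = m.group(1)
            severity, note = RISKY_CALLS[fn]
            findings.append((filename, no, fn, severity, note))
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (order[f[3]], f[1]))
    return findings


if __name__ == "__main__":
    for filename, no, fn, severity, note in scan_source(SAMPLE_C):
        print(f"{filename}:{no}: [{severity}] {fn}(): {note}")
```

On the sample source it reports the `strcpy` on line 7 and the `gets` on line 13 and nothing else. That is also the limit of the technique the slide is pointing at: a lexical matcher cannot tell whether the copied string was already length-checked, which is why the slide calls the review a skill-dependent, time-consuming task and why the findings go to a reviewer rather than straight into the report.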

  48. Operational Security Consists of the day-to-day security management planning and actions taken to support the mission of the organization

  49. Operational Security Assessment
  • Gather procedures, contingency plans
  • Evaluate overall security management
  • Review backup, disposal procedures
  • Examine business continuity, disaster recovery plans
  • Look at automated security tasks (virus updates, patches, integrity checks)
  • Look at administrator security practices

  50. Physical Security Consists of the planning and protective measures taken to prevent unauthorized access to the facilities and damage to and loss of assets
