
Page 1: ASIS International Security Conference Financial Advisory & Litigation Consulting Services February 5-7, 2007 Raffles City Convention Center, Singapore

Education Session 11

Conducting Synchronized Physical and IT Security Assessments

Presented by: George G. McBride, CISSP, CISM, Aon Consulting

Page 2

What we’ll cover during this presentation

• Do you need to do assessments?

• What is a “synchronized assessment”

• Why do I need to do it this way?

• What are the benefits?

• Wrap-Up

• Questions

Page 3

Do I need to do an “assessment”?

• New employees?

• New facilities, buildings, locations, etc.?

• Mergers or acquisitions?

• Can’t remember when your last assessment was?

• New technologies deployed?

• New vulnerabilities announced by your vendors?

• New software or hardware upgrades?

• New business partner connection or customer portal?

• New tenants in a shared facility?

• New threats poised to attack?

• Industry best practices recommend third-party assessments

Page 4

Synchronized Assessments

What does Synchronized mean?

• Adding logical assessments to physical assessments

• Adding physical assessments to logical assessments

• Conducting a synchronized and coordinated data collection phase

• Delivering a consolidated report to the client

• Supports an enterprise wide risk management program

• And addresses the physical and logical security vulnerabilities in a cohesive and coordinated fashion

Page 5

Why do we do it the “old” way?

• That is all that the client wants (or can afford) (or thinks that they want!)

• Separate groups responsible for the assessment activities

• The consulting firm only focuses on, or has capabilities in, only one area

— Some “do the due diligence” process to find vulnerabilities in the other realm

• Some people just do it “the way it’s always been done”

• The complexity of one area is believed to be more than enough to focus on, and they’ll get to the other one eventually

Page 6

Complexity: The root of evil!

(Why you need to look at all aspects of risk)


Page 7

What are our options?

(Figure: three options, labelled 1, 2 and 3, on a scale from “Where many organizations are” to “Where they want to be”)

Page 8

What are the benefits?

• It’s a step towards “Enterprise Risk Management”

• Types of risk:

— Strategic

— Operational

— Human Capital

— Legal / Regulatory

— Technology

— Financial

Risk(Asset) = (Threats × Vulnerabilities) / Controls

Total Risk(Asset) = R_S(Asset) + R_O(Asset) + R_HC(Asset) + R_LR(Asset) + R_T(Asset) + R_F(Asset)

(one term per risk type listed above: Strategic, Operational, Human Capital, Legal / Regulatory, Technology, Financial)

Page 9

Benefits of Holistic Risk Measurement

1. Identify the threats to specific business areas

2. Assess the level of vulnerability

3. Gauge the potential impact

4. Develop security option path

(Figure: Risk Framework (Example); security options: Transfer, Control, Manage)

Page 10

Information Security and Risk Services

(Table columns: Phase, Activities, Approach, Tools, Deliverables)

Assess

• Activities:

— Identify and analyze information security risk profile

— Analyze risk/security gaps

— Document improvement recommendations

• Approach:

— Facilitated sessions

— Documentation review

— Data collection

— Testing and validation

— Valuation exercises

• Tools:

— Commercial and proprietary tools

— Methodologies

• Deliverables:

— Executive summary and detailed report, including: significant findings; benchmark/scoring; continuous risk improvement process

Plan

• Activities:

— Conduct strategic security planning

— Vendor evaluation and selection

• Tools:

— Knowledgebases

• Deliverables:

— Information Security Roadmap, including: solution architecture; prioritized objectives; implementation plan; timeline; success criteria; team structure; industry best practices and standards framework

Implement

• Activities:

— Solution design and architecture

— Program/project management

— Solution deployment

• Tools:

— Security technology center

— Project management and reporting tools

• Deliverables:

— Security solutions based on: regulatory compliance; industry standards and best practices; objectives that are important to the organization

Page 11

Some other benefits

• Increased reliance on logical controls to protect physical controls

— And on physical controls to protect the logical controls

• New regulations that transcend the physical and logical realms

— Privacy data laws, Sarbanes-Oxley (and equivalents), etc.

• Better utilization of staff to maintain security through a shrinking staff

• Convergence of access tokens (smart cards, RFID, ProxCards, etc.)

Page 12

Consider A Typical Assessment

• Has three locations:

— One stand-alone data center which houses all of the IT infrastructure

— One building owned

— One floor leased in another city

• 325 employees

— Small IT staff

— Nobody dedicated to “Security”

• Contracts to a firm to identify their vulnerabilities, measure the risk, and make appropriate recommendations

Page 13

How can we tackle this?

• Logical/IT Focus:

— Perform vulnerability scans

— Review IDS/IPS

— Attack the public facing web servers

— Review the procedures followed to build machines, secure the network, configure the firewall, etc.

— Conduct some interviews

— Perform some observations during the tours, to and from the office, and during the day

— Identify vulnerabilities, measure risk

— Document findings, recommendations, summary, etc.

— Deliver to the client

• Physical Focus:

— Review physical perimeter including doors and windows

— Review camera placement, access controls, and alarms

— Return at night to see if they can get in

— Review the procedures for evacuation, for new employees, etc.

— Conduct some interviews

— Conduct observations during the tours and during the work day

Page 14

Conducting the Assessment

• Involve physical and logical team leads in all planning sessions and initial client meetings

• Develop a comprehensive, yet flexible, schedule

— The team is bigger. Learn everybody’s schedule requirements

• Resources permitting, the physical and logical teams focus on their respective areas

— Teams ensure awareness of issues during the daily meeting

Page 15

Conducting the Assessment

• One of the biggest complaints / comments that I’ve heard from a customer is:

— Not asking too many questions

— Not asking questions out of scope or going too deep in an area

— Not exceeding the timeframe

• The biggest complaint is:

Asking the same question more than once

Page 16

To make the client happy… Coordination

• Plan ahead to integrate the two activities

• Query the client as to how they will conduct the mitigation activities

— This drives how you collect and report the information

• At the start of the day, have a short meeting to review the planned activities— Usually “Breakfast”

• At the end of the day, have a short meeting daily to review the completed activities and what remains

• Also at the end of the day, have another short meeting with the client to identify the open items, closed items, and issues

Page 17

Reporting: Think GCD in this scenario

Logical Security Vulnerabilities

• DBServer (Data Center)

— Unnecessary ports open

— Admin password guessed

— No service packs applied

— No AV software installed

• WWW Server (Data Center)

— Unnecessary ports open

— Admin password guessed

• FileServer (Telecom Closet)

— No service packs applied

— No AV software installed

• VoIP Server (Telecom Closet)

— No service packs applied

— Console/Terminal logged in

Physical Security Vulnerabilities

• Data Center

— Door propped open

— No alarm

— Fire extinguisher not fully charged

— No video surveillance

— No fire / smoke detection under raised floor

• Telecom Closet

— Door not locked

— Excessive heat

— No door alarm

Page 18

Reporting the Data

High Level Findings:

• FileServer (Telecom Closet)

— No service packs applied

— No AV software installed

• VoIP Server (Telecom Closet)

— No service packs applied

— Console/Terminal logged in

• Telecom Closet

— Door not locked

— Excessive heat

— No door alarm

Here’s what happens:

• The IT guys figure that they’ll get to it because they believe that the door is locked and that only authorized individuals can access the equipment

• The Physical guys don’t know that the entire telecom infrastructure could be disabled from the console and are only thinking about theft of the equipment. Knowing that there are guards that check large packages, they are not worried.

Page 19

A better way to report the findings

• Telecommunications Equipment

— A combination of unlocked doors with a terminal session on a console provides a malicious individual with the capability of adding users, reconfiguring existing users, and disabling the VoIP Server located in the Telecommunications Closet.

• All telecommunications closets should be locked to prevent unauthorized access.

• Intrusion alarms and temperature alarms should be installed at all network and telecom equipment locations.

• All terminal sessions should be set to automatically log out within 20 minutes of inactivity.

Page 20

Another Way

• Critical Areas Not Secured

— Critical areas throughout the organization, including telecommunications closets, data centers, and disbursements, are not always secured. With IT vulnerabilities being introduced on a regular basis and new tenants in our facility, all doors should be locked to reduce the risk of unauthorized access.

• All doors should be locked by default and require card key access to unlock

• All doors should have swings to automatically close the door

• All doors should alarm when propped open

• All entrances should be monitored with motion-activated video surveillance

Page 21

Synchronization allows a greater scope

• Utilize the Greatest Common Denominator to illustrate

— Illustrates impact across all of the affected assets

• Helps client secure funding to show the value across the organization or enterprise

— Corrective actions have the greatest benefit as they reach the greatest number of assets

— Provides for greater opportunity to incorporate and synchronize Physical and Logical threats and then ultimately, Enterprise Risk

• And equally important, the recommendations are synchronized and incorporate physical and logical technologies.
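The reporting approach of pages 17 through 21 (group both teams' findings under the location they share, merge a physical access weakness with the logical weaknesses it exposes into one consolidated finding, and rank corrective actions by how many assets they reach) is worked through below as an added Python example. This is not code from the presentation or from Aon Consulting: the finding list is constructed from the two lists on the "Think GCD" slide, and the recommendation-to-issue mapping and the UNCONTROLLED_ACCESS and LOCAL_TAKEOVER sets are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    domain: str     # "logical" (IT team) or "physical" (facilities team)
    asset: str      # server name, or the area itself for physical findings
    location: str   # the shared key both teams can agree on
    issue: str


# Constructed sample: the two separate lists from the "Think GCD" slide.
FINDINGS = [
    Finding("logical", "DBServer", "Data Center", "Unnecessary ports open"),
    Finding("logical", "DBServer", "Data Center", "Admin password guessed"),
    Finding("logical", "DBServer", "Data Center", "No service packs applied"),
    Finding("logical", "DBServer", "Data Center", "No AV software installed"),
    Finding("logical", "WWW Server", "Data Center", "Unnecessary ports open"),
    Finding("logical", "WWW Server", "Data Center", "Admin password guessed"),
    Finding("logical", "FileServer", "Telecom Closet", "No service packs applied"),
    Finding("logical", "FileServer", "Telecom Closet", "No AV software installed"),
    Finding("logical", "VoIP Server", "Telecom Closet", "No service packs applied"),
    Finding("logical", "VoIP Server", "Telecom Closet", "Console/Terminal logged in"),
    Finding("physical", "Data Center", "Data Center", "Door propped open"),
    Finding("physical", "Data Center", "Data Center", "No alarm"),
    Finding("physical", "Data Center", "Data Center", "Fire extinguisher not fully charged"),
    Finding("physical", "Data Center", "Data Center", "No video surveillance"),
    Finding("physical", "Data Center", "Data Center", "No fire/smoke detection under raised floor"),
    Finding("physical", "Telecom Closet", "Telecom Closet", "Door not locked"),
    Finding("physical", "Telecom Closet", "Telecom Closet", "Excessive heat"),
    Finding("physical", "Telecom Closet", "Telecom Closet", "No door alarm"),
]

# Assumed classification: physical issues that let a person into the room
# unsupervised, and logical issues that turn that access into control of the
# equipment (the deck's unlocked door + live console combination).
UNCONTROLLED_ACCESS = {"Door propped open", "Door not locked", "No alarm", "No door alarm"}
LOCAL_TAKEOVER = {"Console/Terminal logged in", "Admin password guessed"}

# Assumed mapping of each recommendation to the issues it closes, paraphrasing
# the deck's "better way to report" slides.
RECOMMENDATIONS = {
    "Lock all doors by default and require card-key access": {"Door not locked", "Door propped open"},
    "Install intrusion and temperature alarms at all equipment locations": {"No alarm", "No door alarm", "Excessive heat"},
    "Set terminal sessions to auto log-out after 20 minutes": {"Console/Terminal logged in"},
    "Apply vendor service packs": {"No service packs applied"},
    "Install anti-virus software": {"No AV software installed"},
    "Close unnecessary ports and enforce strong admin passwords": {"Unnecessary ports open", "Admin password guessed"},
}


def by_location(findings):
    """Group both teams' findings under the location they share."""
    groups = defaultdict(lambda: {"logical": [], "physical": []})
    for f in findings:
        groups[f.location][f.domain].append(f)
    return dict(groups)


def combined_findings(findings):
    """One consolidated finding per location where a physical access weakness
    and a logical weakness reinforce each other, as the deck reports the
    telecom closet. Locations with only one team's findings are left alone."""
    report = []
    for location, g in by_location(findings).items():
        access = sorted({f.issue for f in g["physical"] if f.issue in UNCONTROLLED_ACCESS})
        if not access or not g["logical"]:
            continue
        takeover = [f for f in g["logical"] if f.issue in LOCAL_TAKEOVER]
        report.append({
            "location": location,
            "assets": sorted({f.asset for f in g["logical"]}),
            "physical": access,
            "logical": sorted({f.issue for f in g["logical"]}),
            # walk-in access plus a live console or a guessable admin password
            # means the equipment can be reconfigured or disabled on site
            "severity": "critical" if takeover else "high",
        })
    return sorted(report, key=lambda r: r["location"])


def recommendation_reach(findings, recommendations):
    """The deck's 'greatest common denominator': rank each corrective action by
    how many assets it protects. A physical fix counts every server housed in
    the location it secures; a logical fix counts only the server it changes."""
    groups = by_location(findings)
    reach = {}
    for rec, closes in recommendations.items():
        protected = set()
        for f in findings:
            if f.issue not in closes:
                continue
            if f.domain == "physical":
                protected.update(x.asset for x in groups[f.location]["logical"])
            else:
                protected.add(f.asset)
        reach[rec] = len(protected)
    return sorted(reach.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for r in combined_findings(FINDINGS):
        print(f"[{r['severity'].upper()}] {r['location']}: {', '.join(r['physical'])}"
              f" + {', '.join(r['logical'])} -> affects {', '.join(r['assets'])}")
    for rec, n in recommendation_reach(FINDINGS, RECOMMENDATIONS):
        print(f"{n} assets: {rec}")
```

Run stand-alone, the script prints one consolidated finding each for the Data Center and the Telecom Closet, and ranks the two physical controls (door locks, alarms) at the top because each of them protects all four servers, while the console auto-logout reaches a single server. That ordering is the funding argument of page 21: the fix with the widest reach goes first in the report.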

Page 22

The ultimate blend of logical and physical security…

Page 23

Contact Me

George G. McBride

Financial Advisory & Litigation Consulting Services

Director, IT Risk Consulting Services Practice

Office: +1.732.389.8944

Mobile: +1.732.429.0676

Email: [email protected]