TRANSCRIPT
ASIS International Security Conference
Financial Advisory & Litigation Consulting Services
February 5-7, 2007, Raffles City Convention Center, Singapore
Education Session 11
Conducting Synchronized Physical and IT Security Assessments
Presented by: George G. McBride, CISSP, CISM, Aon Consulting
What we’ll cover during this presentation
• Do you need to do assessments?
• What is a “synchronized assessment”?
• Why do I need to do it this way?
• What are the benefits?
• Wrap-Up
• Questions
Do I need to do an “assessment”?
• New employees?
• New facilities, buildings, locations, etc.?
• Mergers or Acquisitions?
• Can’t remember when your last assessment was?
• New technologies deployed?
• New vulnerabilities announced by your vendors?
• New software or hardware upgrades?
• New business partner connection or customer portal?
• New tenants in a shared facility?
• New threats poised to attack?
• Industry best practices recommend third-party assessments
Synchronized Assessments
What does Synchronized mean?
• Adding logical assessments to physical assessments
• Adding physical assessments to logical assessments
• Conducting a synchronized and coordinated data collection phase
• Delivering a consolidated report to the client
• Supports an enterprise wide risk management program
• And addresses the physical and logical security vulnerabilities in a cohesive and coordinated fashion
Why do we do it the “old” way?
• That is all that the client wants (or can afford) (or thinks that they want!)
• Separate groups responsible for the assessment activities
• The consulting firm only focuses on or has capabilities in only one area
— Some “do the due diligence” process to find vulnerabilities in the other realm
• Some people just do it “the way it’s always been done”
• Complexity of one area is believed to be more than enough to focus on, and they’ll get to the other one eventually
Complexity: The root of evil!
(Why you need to look at all aspects of risk)
What are our options?
[Figure: options 1, 2 and 3 placed on a scale from “Where many organizations are” to “Where they want to be”]
What are the benefits?
• It’s a step towards “Enterprise Risk Management”
• Types of risk:
— Strategic
— Operational
— Human Capital
— Legal / Regulatory
— Technology
— Financial
Risk(Asset) = (Threats × Vulnerabilities) / Controls
Total Risk(Asset) = RS(Asset) + RO(Asset) + RHC(Asset) + RLR(Asset) + RT(Asset) + RF(Asset)
(one term per risk type listed above: Strategic, Operational, Human Capital, Legal/Regulatory, Technology, Financial)
Benefits of Holistic Risk Measurement
1. Identify the threats to specific business areas
2. Assess the level of vulnerability
3. Gauge the potential impact
4. Develop security option path
[Figure: Risk Framework (Example), showing the Security Options of Transfer, Control and Manage]
Information Security and Risk Services
(Columns on the original slide: Phase, Activities, Approach, Tools, Deliverables)
Assess
• Activities: Identify and analyze information security risk profile; Analyze risk/security gaps; Document improvement recommendations
• Approach: Facilitated sessions; Documentation review; Data collection; Testing and validation; Valuation exercises
• Tools: Commercial and proprietary tools; Methodologies
• Deliverables: Executive summary and detailed report, including significant findings, benchmark/scoring, and a continuous risk improvement process
Plan
• Activities: Conduct strategic security planning; Vendor evaluation and selection
• Approach: Security solutions based on regulatory compliance, industry standards and best practices, and objectives that are important to the organization
• Tools: Industry best practices and standards framework; Knowledgebases
• Deliverables: Information Security Roadmap, comprising solution architecture, prioritized objectives, implementation plan, timeline, success criteria, and team structure
Implement
• Activities: Solution design and architecture; Program/project management; Solution deployment
• Tools: Security technology center; Project management and reporting tools
Some other benefits
• Increased reliance on logical controls to protect physical controls
— And on physical controls to protect the logical controls
• New regulations that transcend the physical and logical realms
— Privacy Data Laws, Sarbanes-Oxley (and equivalents), etc.
• Better utilization of staff to maintain security through a shrinking staff
• Convergence of access tokens (smart cards, RFID, ProxCards, etc.)
Consider A Typical Assessment
• Has three locations:
— One stand-alone data center which houses all of the IT infrastructure
— One building owned
— One floor leased in another city
• 325 employees
— Small IT staff
— Nobody dedicated to “Security”
• Contracts to a firm to identify their vulnerabilities, measure the risk, and make appropriate recommendations
How can we tackle this?
• Logical/IT Focus:
— Perform vulnerability scans
— Review IDS/IPS
— Attack the public facing web servers
— Review the procedures followed to build machines, secure the network, configure the Firewall, etc.
— Conduct some interviews
— Perform some observations during the tours, to and from the office, and during the day
— Identify vulnerabilities, measure risk
— Document findings, recommendations, summary, etc.
— Deliver to the client
• Physical Focus:
— Review physical perimeter including doors and windows
— Review camera placement, access controls, and alarms
— Return at night to see if they can get in
— Review the procedures for evacuation, for new employees, etc.
— Conduct some interviews
— Conduct observations during the tours and during the work day
Conducting the Assessment
• Involve physical and logical team leads in all planning sessions and initial client meetings
• Develop a comprehensive, yet flexible schedule.
— The team is bigger. Learn everybody’s schedule requirements
• Resources permitting, the physical and logical teams focus on their respective areas
— Teams ensure awareness of issues during the daily meeting
Conducting the Assessment
• One of the biggest complaints / comments that I’ve heard from a customer is:
— Not asking too many questions
— Not asking questions out of scope or going too deep in an area
— Not exceeding the timeframe
• The biggest complaint is:
Asking the same question more than once
To make the client happy… Coordination
• Plan ahead to integrate the two activities
• Query the client as to how they will conduct the mitigation activities
— This drives how you collect and report the information
• At the start of the day, have a short meeting to review the planned activities
— Usually “Breakfast”
• At the end of the day, have a short meeting daily to review the completed activities and what remains
• Also at the end of the day, have another short meeting with the client to identify the open items, closed items, and issues
Reporting: Think GCD in this scenario
Logical Security Vulnerabilities
• DBServer (Data Center)
— Unnecessary ports open
— Admin password guessed
— No service packs applied
— No AV Software Installed
• WWW Server (Data Center)
— Unnecessary ports open
— Admin password guessed
• FileServer (Telecom Closet)
— No Service packs applied
— No AV Software Installed
• VoIP Server (Telecom Closet)
— No Service packs applied
— Console/Terminal Logged In
Physical Security Vulnerabilities
• Data Center
— Door propped open
— No alarm
— Fire extinguisher not fully charged
— No video surveillance
— No fire / smoke detection under raised floor
• Telecom Closet
— Door not locked
— Excessive heat
— No door alarm
Reporting the Data
High Level Findings:
• FileServer (Telecom Closet)
— No Service packs applied
— No AV Software Installed
• VoIP Server (Telecom Closet)
— No Service packs applied
— Console/Terminal Logged In
• Telecom Closet
— Door not locked
— Excessive heat
— No door alarm
Here’s what happens:
• The IT guys figure that they’ll get to it because they believe that the door is locked and that only authorized individuals can access the equipment
• The Physical guys don’t know that the entire telecom infrastructure could be disabled from the console and are only thinking about theft of the equipment. Knowing that there are guards that check large packages, they are not worried.
A better way to report the findings
• Telecommunications Equipment
— A combination of unlocked doors with a terminal session on a console provides the capability to a malicious individual of adding users, reconfiguring existing users, and disabling the VoIP Server located in the Telecommunications Closet.
• All telecommunications closets should be locked to prevent unauthorized access.
• Intrusion alarms and temperature alarms should be installed at all network and telecom equipment locations
• All terminal sessions should be set to automatically log out within 20 minutes of inactivity
Another Way
• Critical Areas Not Secured
— Critical areas throughout the organization including Telecommunications closets, Data Centers, and Disbursements are not always secured. With IT vulnerabilities being introduced on a regular basis and new tenants in our facility, all doors should be locked to reduce the risk of unauthorized access.
• All doors should be locked by default and require card key access to unlock
• All doors should have swings to automatically close the door
• All doors should alarm when propped open
• All entrances should be monitored with motion activated video surveillance
Synchronization allows a greater scope
• Utilize the Greatest Common Denominator to illustrate
— Illustrates impact across all of the affected assets
• Helps client secure funding to show the value across the organization or enterprise
— Corrective actions have the greatest benefit as they reach the greatest number of assets
— Provides for greater opportunity to incorporate and synchronize Physical and Logical threats and then ultimately, Enterprise Risk
• And equally important, the recommendations are synchronized and incorporate physical and logical technologies.
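The following Python script is an added example, not code from the presentation or its author. It does by program what the “Reporting the Data”, “A better way to report the findings” and “Synchronization allows a greater scope” slides describe by hand: it keys every finding on the location it shares with the other team’s findings (the greatest common denominator), pairs a physical entry weakness with the logical weaknesses that entry exposes, and rates the result with the deck’s Risk = Threats × Vulnerabilities / Controls formula. The findings are constructed from the deck’s sample assessment; the tag names, the 1-5 ratings and the rule that each physical finding lowers the control rating are assumptions made for this example.

```python
# Added example (not from the presentation): consolidate physical and logical
# findings on the location they share, then rate the result with the deck's
# Risk = Threats x Vulnerabilities / Controls formula. Input data is constructed
# from the deck's sample assessment; tags, 1-5 ratings and the control-rating
# rule are assumptions made for this example.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    domain: str    # "logical" or "physical"
    location: str  # the shared key: the room the asset sits in
    asset: str     # server name, or the room itself for a physical finding
    issue: str
    tag: str       # "remote"/"local" (logical), "access"/"detection" (physical)

def fd(domain, location, asset, issue, tag):
    return Finding(domain, location, asset, issue, tag)

# Constructed from the slide "Reporting: Think GCD in this scenario".
# "local" = a logical weakness that matters to someone standing at the machine;
# "access" = a physical weakness that lets someone into the room;
# "detection" = a physical weakness that lets such entry go unnoticed.
FINDINGS = [
    fd("logical", "Data Center", "DBServer", "Unnecessary ports open", "remote"),
    fd("logical", "Data Center", "DBServer", "Admin password guessed", "remote"),
    fd("logical", "Data Center", "DBServer", "No service packs applied", "remote"),
    fd("logical", "Data Center", "DBServer", "No AV software installed", "local"),
    fd("logical", "Data Center", "WWW Server", "Unnecessary ports open", "remote"),
    fd("logical", "Data Center", "WWW Server", "Admin password guessed", "remote"),
    fd("logical", "Telecom Closet", "FileServer", "No service packs applied", "remote"),
    fd("logical", "Telecom Closet", "FileServer", "No AV software installed", "local"),
    fd("logical", "Telecom Closet", "VoIP Server", "No service packs applied", "remote"),
    fd("logical", "Telecom Closet", "VoIP Server", "Console/terminal logged in", "local"),
    fd("physical", "Data Center", "Data Center", "Door propped open", "access"),
    fd("physical", "Data Center", "Data Center", "No alarm", "detection"),
    fd("physical", "Data Center", "Data Center", "No video surveillance", "detection"),
    fd("physical", "Telecom Closet", "Telecom Closet", "Door not locked", "access"),
    fd("physical", "Telecom Closet", "Telecom Closet", "No door alarm", "detection"),
]

def group_by_location(findings):
    """The 'greatest common denominator': key every finding on its location."""
    groups = defaultdict(list)
    for item in findings:
        groups[item.location].append(item)
    return dict(groups)

def compound_findings(findings):
    """Per location, pair a physical entry weakness with the logical weaknesses
    that entry exposes; a location with only one side of the pair is skipped."""
    result = {}
    for location, items in group_by_location(findings).items():
        entry = [i.issue for i in items if i.domain == "physical" and i.tag == "access"]
        blind = [i.issue for i in items if i.domain == "physical" and i.tag == "detection"]
        exposed = [f"{i.asset}: {i.issue}" for i in items
                   if i.domain == "logical" and i.tag == "local"]
        if entry and exposed:
            result[location] = {"entry": entry, "undetected": blind, "exposed": exposed}
    return result

def risk(threats, vulnerabilities, controls):
    """The deck's formula on 1-5 ratings; a controls rating below 1 is rejected
    rather than silently dividing by zero."""
    if controls < 1:
        raise ValueError("controls rating must be at least 1")
    return threats * vulnerabilities / controls

def rate_location(findings, location, threats=3):
    """Constructed convention: vulnerability = number of logical findings (max 5).
    The siloed IT view assumes the room's physical controls are intact
    (controls=5); the synchronized view drops one control point per physical
    finding. Returns (siloed, synchronized)."""
    items = [i for i in findings if i.location == location]
    logical = sum(1 for i in items if i.domain == "logical")
    physical = sum(1 for i in items if i.domain == "physical")
    vulnerabilities = min(5, logical)
    return (risk(threats, vulnerabilities, 5),
            risk(threats, vulnerabilities, max(1, 5 - physical)))

def consolidated_report(findings):
    """One combined finding per location, as on the deck's 'A better way' slide."""
    lines = []
    for location, c in sorted(compound_findings(findings).items()):
        siloed, synced = rate_location(findings, location)
        lines.append(f"{location}: {', '.join(c['entry'])} combined with "
                     f"{'; '.join(c['exposed'])}")
        if c["undetected"]:
            lines.append(f"  entry would go unnoticed: {', '.join(c['undetected'])}")
        lines.append(f"  risk {siloed} if reported by IT alone, "
                     f"{synced} once the physical findings are included")
    return lines

if __name__ == "__main__":
    print("\n".join(consolidated_report(FINDINGS)))
```

Run stand-alone, the script prints one consolidated finding for the Data Center and one for the Telecom Closet. For the closet, the same four logical findings rate 2.4 when IT reports them on the assumption that the door is locked, and 4.0 once the unlocked door and missing alarm are counted against the control rating, which is the funding argument the slide above makes: the corrective action (lock and alarm the closet, time out the console) reaches every asset in the room at once.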
The ultimate blend of logical and physical security…
Contact Me
George G. McBride
Financial Advisory & Litigation Consulting Services
Director, IT Risk Consulting Services Practice
Office: +1.732.389.8944
Mobile: +1.732.429.0676
Email: [email protected]