Page 1

Security Assessments

Keith Watson, CISSP, kaw@cerias.purdue.edu

Research Engineer, Center for Education and Research in Information Assurance and Security

Page 2

Overview

Part 1: Introduction to Security Assessments

What is a security assessment? Why is it needed? How do you do an assessment?

Page 3

Overview

Part 2: Conducting Security Assessments
• Asset Identification
• Threat Assessment
• Laws, Regulation, and Policy
• Personnel
• Security Assessment Components
• Reporting and Follow-up

Page 4

Overview

Part 3: The Assessment “Experience”
• Tools
  • Demonstration of Nessus
  • Report Template
• Training
• Certification

Page 5

Part 1: Overview of Assessments

What? Why? How?

Page 6

What?

A security assessment is an evaluation of the security posture of an organization.

Page 7

What?

Evaluation of
• Policy
• Security practices
• Management of systems and resources
• Security perimeters
• Handling of sensitive information

Provided in the form of
• Report
• Presentation

Page 8

What?

Security Assessments are…
• A process: step-by-step (with variation)
• An examination: see how things work (or don’t work)
• An evaluation: making a judgment on relative security

Page 9

Why?: Need for Assessments

Due Diligence
• Mergers and Acquisitions
• Customer/Partnership Evaluation

Regulatory Requirement
• Banks, Financial Institutions, Hospitals
• Publicly Traded Companies
• OMB, CBO, Federal Offices of the Inspector General

Insurance
• Set premiums for “Hacker” Insurance

Just Good Security Management Practice
• “Know your problems”

Page 10

How?

Negotiate Project Scope
• Don’t make the project too big to finish

Spend time on site
• The best examination is made from the inside

Talk with everyone
• A little insider knowledge goes a long way

Look at similar organizations
• Useful in judging relative security posture

Make cost-effective recommendations
• Don’t scare them with overpriced fixes and complicated solutions

Page 11

Part 2: Conducting Security Assessments

• Project Management
• Asset Identification
• Threat Assessment
• Laws, Regulations, and Policies
• Personnel
• Security Assessment Components
• Reporting and Follow-up

Page 12

Project Management

Page 13

Project Management

• Scope Definition
• Setting Expectations
• Scheduling
• Travel
• Logistics
• Completion

Page 14

Asset Identification

Page 15

Assets

An asset is anything that has some value to an organization.

Page 16

Asset Identification

It is necessary to determine the assets that need protection, their value, and the level of protection required.

Two types:
• Tangible
• Intangible

Page 17

Tangible Assets

Tangible assets are physical. Examples:
• Personnel
• Offices, workspaces, warehouses, etc.
• Inventory, stores, supplies, etc.
• Servers and workstations
• Network infrastructure and external connections
• Data centers and support equipment

Page 18

Intangible Assets

Intangible assets are non-physical: information and intellectual property. Examples:
• Custom software
• Databases (the data, not the DBMS)
• Source code, documentation, development processes, etc.
• Training materials
• Product development and marketing materials
• Operational and financial data

Page 19

Replace/Restore

What would it cost to restore or replace this asset in terms of time, effort, and money?

Tangible assets: • $?

Intangible assets: • $$$$?

Page 20

Loss of Assets

Loss of key assets could result in harm to the organization:
• Damaged reputation
• Lost customers
• Lost shareholder confidence
• Lost competitive advantage
• Exposure to lawsuits
• Government/Regulatory fines
• Failure of the organization

Page 21

For Organizations

It is important to know what assets are critical to the viability of the organization so that they can be adequately protected.

Page 22

For Assessments

It is important to determine an organization’s assets* to see if there is adequate protection in place.

* Your list of assets may not be the same as the organization’s list.

Page 23

Threat Assessment

Page 24

Threats

An event that can impact the normal operations of an organization is a threat.

Page 25

Threat Assessment

It is necessary to determine the threats, the threat sources, and the likelihood of occurrence.

Threat types:
• Natural Events
• Unintentional
• Intentional

Page 26

Natural Threats

• Tornadoes, Hurricanes, Typhoons
• Earthquakes, Mud Slides
• Flooding
• Lightning, Thunderstorms, Hail, Strong Wind
• Ice Storms, Heavy Snowfall
• Temperature and Humidity Extremes

Page 27

Intentional Threats

• Alteration of Data
• Alteration of Software
• Disclosure
• Disruption
• Employee Sabotage
• Theft
• Unauthorized Use
• Electronic Vandalism

Page 28

Unintentional Threats

• Disclosure
• Electrical Disturbance (surges, dips, outage <1 hour)
• Electrical Interruption (outage >1 hour)
• Environmental Failure (HVAC, humidity)
• Fire
• Hardware Failure (disk, fan, server)
• Liquid Leakage (steam, water, sewage)
• Operator/User Error
• Software Error (bugs)
• Telecommunication Interruption (cable cut)

Page 29

Threat Sources - Threat Agents

• Murphy’s Law
• Unhappy Customers
• Disgruntled Employees
• Activists (Hack-tivists)
• Script-Kiddies
• Sophisticated Attackers
  • Government/Foreign/Terrorist Agents
  • “Blackhats”

Page 30

Likelihood of Occurrence

Qualitative
• High, Moderate, Low

Quantitative
• Sophisticated formulas needed
• Provides useful data to “numbers” people

FBI Uniform Crime Reports
• Crime Index data useful

Page 31

Sample Threat Assessment

Threat                  Source                  Likelihood   Impact
Alteration of Data      “Hacker”                Low          Moderate
Alteration of Data      Disgruntled Employee    Moderate     High
Power Loss (>6 hours)   Severe Weather          Low          Moderate
Hardware Failure        Disgruntled Employee    Low          High
Operator Error          Untrained Employee      Moderate     High
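To show how the likelihood and impact columns of a table like this turn into a prioritized list for the report, here is an added example (not from the slides) that scores the sample table on an ordinal scale. The three-level scale, the multiply-then-bucket rule and the bucket thresholds are assumptions; a client's own risk-rating convention replaces them.

```python
"""Qualitative risk scoring for a threat assessment table.

Added example, not from the original slides. The three-level ordinal
scale, the multiply-then-bucket rule and the bucket thresholds are
assumptions; substitute the client's own risk-rating convention.
"""
from dataclasses import dataclass

# Ordinal values for the qualitative ratings used in the slide's table (assumed).
LEVELS = {"Low": 1, "Moderate": 2, "High": 3}


@dataclass(frozen=True)
class ThreatEntry:
    threat: str
    source: str
    likelihood: str
    impact: str

    def score(self):
        """Risk score = likelihood x impact on the ordinal scale (assumed rule)."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def rating(self):
        """Map the numeric score back to a qualitative rating (assumed thresholds)."""
        s = self.score()
        if s >= 6:
            return "High"
        if s >= 3:
            return "Moderate"
        return "Low"


def validate(entry):
    """Reject a rating that is not on the scale, so a typo cannot silently mis-rank a row."""
    for value in (entry.likelihood, entry.impact):
        if value not in LEVELS:
            raise ValueError(f"unknown rating {value!r} for {entry.threat} / {entry.source}")


def rank(entries):
    """Highest risk first; ties broken by impact (worst first), then by name for stable output."""
    for entry in entries:
        validate(entry)
    return sorted(entries, key=lambda e: (-e.score(), -LEVELS[e.impact], e.threat, e.source))


def report(entries):
    """Rows of (threat, source, rating) in priority order, ready to paste into the report."""
    return [(e.threat, e.source, e.rating()) for e in rank(entries)]


# The sample threat assessment from the slide.
SAMPLE = [
    ThreatEntry("Alteration of Data", "Hacker", "Low", "Moderate"),
    ThreatEntry("Alteration of Data", "Disgruntled Employee", "Moderate", "High"),
    ThreatEntry("Power Loss (>6 hours)", "Severe Weather", "Low", "Moderate"),
    ThreatEntry("Hardware Failure", "Disgruntled Employee", "Low", "High"),
    ThreatEntry("Operator Error", "Untrained Employee", "Moderate", "High"),
]

if __name__ == "__main__":
    for threat, source, rating in report(SAMPLE):
        print(f"{rating:<9}{threat} / {source}")
```

With the assumed rule the two Moderate/High rows come out as High, the Low/High hardware failure as Moderate, and the two Low/Moderate rows as Low; the validation step is there because a register assembled from interview notes routinely contains ratings such as "Medium" that are not on the agreed scale.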

Page 32

Laws, Regulations, and Policies

Page 33

Laws

Depending on the organization’s business, there may be several laws that govern the protection of information:
• CA Database Breach Notification Act
• Sarbanes-Oxley Act of 2002
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Gramm-Leach-Bliley Act of 1999
• Computer Security Act of 1987
• Computer Fraud and Abuse Act of 1986
• Family Educational Rights and Privacy Act (FERPA)
• European Union Data Privacy Directive

Page 34

Law Surveys

A survey may be necessary to determine which laws apply to an organization.

Look for Federal “interest” systems, private data, health information, public company financials, market data, etc.

Organizations that operate on behalf of the government are subject to additional laws.

Get a lawyer for the in-depth analysis.

Page 35

Policy

Policies are statements of intentions and/or principles by which an organization is organized, guided, and evaluated.

Page 36

Policy Types

• Organization Program
• Issue-Specific
• System-Specific

Page 37

Policy Reviews

Reviews are necessary to evaluate adequacy and compliance.

Some organizations have no security policies at all.

• Most do not follow their own policies
• Most employees are unaware of policies
• Most policies are out-of-date

Page 38

Personnel

Page 39

Personnel

Interviews are needed to assess knowledge and awareness of information security

Valuable for determining unwritten rules

Employees should be divided into categories

Interview groups and ask questions relevant to the job function

Do not be adversarial or demanding

Page 40

Security Assessment Components

Page 41

Security Assessment Components

• Network Security
• System Security
• Application Security
• Operational Security
• Physical Security

Page 42

Network Security

Involves the actions taken and controls in place to secure the network and networked systems.

Page 43

Network Security Assessment

Gather network maps, installation procedures, checklists; evaluate.

Scan networks and networked systems
• Vulnerability Scanners: Nessus (free), ISS
• Port Scanners: nmap, hping
• Application Scanners: whisker, nikto

Target Selection
• Key systems (where the goodies are stored)
• Exposed systems (where the bad guys play)
• Gateway systems (intersection of networks)
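The target-selection step is easier once the scan results are in a structured form. The following added example (not from the slides, and not part of nmap) parses nmap's greppable output format (-oG) and tags each host as "key" (a data store is listening) or "exposed" (a risky service is open) using two assumed service lists; the scan output it reads is constructed. Gateway systems are not recognisable from port data alone; that needs the network maps gathered in the first step.

```python
"""Triage nmap greppable (-oG) output into an assessment target list.

Added example, not from the original slides and not part of nmap. The
scan output below is constructed for illustration; the service lists
that decide what counts as a "key" or "exposed" system are assumptions
an assessor tunes per engagement.
"""
import re
from collections import defaultdict

# Services whose exposure usually puts a host on the target list (assumed list).
RISKY_SERVICES = {"telnet", "ftp", "snmp", "vnc", "rpcbind", "microsoft-ds"}
# Services that mark "where the goodies are stored" (assumed list).
DATA_SERVICES = {"ms-sql-s", "mysql", "postgresql", "oracle-tns", "microsoft-ds", "nfs"}

# -oG lines are tab-separated: "Host: <ip> (<name>)\tPorts: <entries>\tIgnored State: ..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_greppable(text):
    """Map ip -> [(port, state, service)] from the lines that carry a Ports: field."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and Status-only lines carry no port data
        ip, _hostname, ports = m.groups()
        # Each entry is port/state/proto/owner/service/rpcinfo/version/ ; entries are
        # separated by ", " (a version string containing ", " would need a smarter split).
        for entry in ports.split(", "):
            fields = entry.split("/")
            if len(fields) < 5 or not fields[0].isdigit():
                continue  # malformed entry: skip it rather than abort the triage
            port, state, _proto, _owner, service = fields[:5]
            hosts[ip].append((int(port), state, service))
    return dict(hosts)


def triage(hosts):
    """Tag each host for target selection: key (data store), exposed (risky service), else review."""
    tags = {}
    for ip, ports in hosts.items():
        open_services = {svc for _port, state, svc in ports if state == "open"}
        host_tags = []
        if open_services & DATA_SERVICES:
            host_tags.append("key")
        if open_services & RISKY_SERVICES:
            host_tags.append("exposed")
        tags[ip] = host_tags or ["review"]
    return tags


# Constructed sample of nmap -oG output (not a real scan).
SAMPLE_SCAN = (
    "# Nmap 7.93 scan initiated (constructed sample)\n"
    "Host: 10.0.0.5 (db1.example.internal)\tStatus: Up\n"
    "Host: 10.0.0.5 (db1.example.internal)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, "
    "1433/open/tcp//ms-sql-s//Microsoft SQL Server/\tIgnored State: closed (998)\n"
    "Host: 10.0.0.9 (legacy.example.internal)\tPorts: 21/open/tcp//ftp//vsftpd/, "
    "23/open/tcp//telnet///, 80/open/tcp//http//Apache httpd/\tIgnored State: filtered (997)\n"
    "Host: 10.0.0.20 ()\tPorts: 443/open/tcp//https//nginx/, 22/filtered/tcp//ssh///"
    "\tIgnored State: closed (998)\n"
    "# Nmap done\n"
)

if __name__ == "__main__":
    for ip, host_tags in sorted(triage(parse_greppable(SAMPLE_SCAN)).items()):
        print(ip, ",".join(host_tags))
```

A real engagement would feed the file written by `nmap -sV -oG scan.gnmap <targets>` into `parse_greppable`; only ports reported as `open` count towards a tag, so a host whose risky service is merely `filtered` stays in the "review" bucket until the assessor looks at it.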

Page 44

System Security

Involves the actions taken to secure computing systems.

Page 45

System Security Assessment

Gather software/system inventory information, security standards, checklists, management procedures; evaluate.

Review configuration with the admin.

Use a security checklist to evaluate the current configuration.

Target Selection:
• Database Systems and File Servers
• Network Application Servers
• A typical Desktop

Page 46

Application Security

Consists of the requirements, specifications, architecture, implementation, and test procedures used to secure applications.

Page 47

Application Security Assessment

Gather application and internal development docs, source code.

Review source code for common programming flaws.

Use static code analysis tools
• Fortify, RATS, ITS4, FlawFinder

Skill-dependent task; time consuming. At minimum, evaluate development procedures.
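The tools named above (RATS, ITS4, FlawFinder in particular) work largely by matching calls to known-unsafe C library functions. The following added example, not from the slides and not the code of any of those tools, shows that technique in miniature: an assumed rule table of unsafe functions, blanking of comments and string literals so that decoys are not reported, and a literal-format check so that `printf("...")` is not flagged as a format-string bug. The C snippet it scans is constructed.

```python
"""A minimal FlawFinder/RATS-style scanner for C source.

Added example: it is not part of the slides nor of FlawFinder, RATS,
ITS4 or Fortify. The rule table is an assumed subset of the classic
unsafe-API checks those tools perform, and the C snippet is constructed
for illustration.
"""
import re

# function -> (severity 1..5, note). Assumed subset of the usual unsafe-API rules.
RULES = {
    "gets":    (5, "reads unbounded input; use fgets with a size limit"),
    "strcpy":  (4, "no bounds check; use strlcpy or snprintf with the destination size"),
    "strcat":  (4, "no bounds check; use strlcat or snprintf"),
    "sprintf": (4, "no bounds check; use snprintf"),
    "system":  (4, "shell injection if any part of the command is attacker-influenced"),
    "printf":  (3, "format-string risk when the format argument is not a literal"),
}

CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, RULES)) + r")\s*\(")
# Comments and string literals, matched left to right so a quote inside a
# comment or a // inside a string cannot confuse the scanner.
SKIP_RE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', re.S)


def blank_comments_and_strings(src):
    """Replace comment and string characters with spaces, keeping newlines so offsets and line numbers survive."""
    return SKIP_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)


def scan(src):
    """Return findings as (line, function, severity, note), highest severity first."""
    cleaned = blank_comments_and_strings(src)
    findings = []
    for m in CALL_RE.finditer(cleaned):
        name = m.group(1)
        severity, note = RULES[name]
        if name == "printf":
            # printf with a literal format string is not a format-string bug;
            # look at the original text right after the opening parenthesis.
            if src[m.end():].lstrip().startswith('"'):
                continue
        line = src.count("\n", 0, m.start()) + 1
        findings.append((line, name, severity, note))
    findings.sort(key=lambda f: (-f[2], f[0]))
    return findings


# Constructed C snippet: three real findings, one literal-format printf and two decoys.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>

/* strcpy mentioned in a comment should not be reported */
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);
    printf("Hello, %s\n", buf);
    printf(name);
}

int main(int argc, char **argv) {
    char line[64];
    gets(line);
    puts("use strcpy carefully");
    return 0;
}
'''

if __name__ == "__main__":
    for line, name, severity, note in scan(SAMPLE_C):
        print(f"[{severity}] line {line}: {name}() - {note}")
```

The output is the same shape a reviewer gets from the real tools: a ranked list of call sites to examine by hand. Matching names is where these tools stop and the skill-dependent part begins; a `strcpy` whose source is a compile-time constant is not a flaw, and the scanner cannot tell that without reading the surrounding code.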

Page 48

Operational Security

Consists of the day-to-day security management planning and actions taken to support the mission of the organization.

Page 49

Operational Security Assessment

• Gather procedures, contingency plans
• Evaluate overall security management
• Review backup, disposal procedures
• Examine business continuity, disaster recovery plans
• Look at automated security tasks (virus updates, patches, integrity checks)
• Look at administrator security practices

Page 50

Physical Security

Consists of the planning and protective measures taken to prevent unauthorized access to the facilities and damage to and loss of assets.

Page 51

Physical Security Assessment

Gather policy and procedure documents.

Examine the facility and take pictures.

Building
• Life Safety (fire/smoke detection, alarms, suppression)
• Burglar alarms, security guards, police response time

Security Perimeter
• Strong doors, locks, visitor areas, sign-in procedures

Server Rooms
• Environmental controls and monitoring
• Sufficient power and HVAC
• Locked cabinets and equipment

Page 52

Reporting and Follow-up

Page 53

Reporting and Follow-up

Once the assessment is complete, a report is needed to inform the client of issues found

Report should explain findings in simple terms (remember the audience)

Be available to answer questions and provide explanations

Page 54

Part 3: The Assessment “Experience”

• Tools
  • Demonstration of Nessus
  • Report Template
• Training
• Certification