security consulting methodology
TRANSCRIPT
Consulting Methodology
Security Management Training Series
October 2, 2006
Security Management Training Series
• Security, Legal & Risk Management
• Consulting Methodology
• Policy Structure
• Risk Assessment
Assumptions
• Assume methodology is important for now
• More to come on the why later
• This is the reader’s digest version
• Based on significant worldwide experience and across numerous sectors and verticals
• Based on IBM’s consulting approach and my own experience
Overview
• Why?
• Project Sponsor
• Scope definition
• Kickoff
• Information gathering
• Analysis
• Development
• Recommendations
• Documentation
• Debrief
• Case
Methodology
• A set of processes and approaches
• Proven and documented
• Supported by tools
• Adopted by a group
Methodology
The purpose of a method is to provide a framework for solving problems and getting results
It is not:
• static
• a panacea
• a cookbook or a substitute for good judgment
Why Methodology?
• Repeatable Results
– Process (Defined Engagements)
• Verifiable Results
– Measurement (CoS Card)
• Reliable Results
– Toolsets (Standards, Best practices)
• Resource requirements are less
– Time to engage and complete
– Cost
– Effort
Project Sponsor
• Identify
– Purpose of the project sponsor is…
• Publish if required or a good idea
– Politics
– Highly decentralized sphere of scope
– If you know there is resistance to the project
– Very senior project sponsor
– If you can leverage the sponsor’s clout
Scope Definition
• In writing – what resources are required
• Process for scope change
• Document what success means
• Understand what presentation format will be required
• Level of detail
• Audience
• Understand purpose of engagement – how will results be used?
Project Triangle (figure): the project is bounded by Scope, Money, Time and Resources
Kickoff
• Project management
• Resource acquisition
• Re-state scope, timelines and budget
• Be aware of scope creep
• Project Triangle
Information Gathering
• Document reviews
– policy
– strategic plans
– missions and visions
– diagrams
– historical documents
Information Gathering
• Interviews
– statements
– opinions
• Develop question tree
– Who will be asked what
– What order
Information Gathering
• Gap Review
– compare against contemporaries
– best practices
– Industry opinion
– Colleagues
– Case Studies
– Survey Research
Information Gathering
• Tools
– Forms
– Report Templates
– Comparison spreadsheets
– Organization Standards
• Structure
– WBS
– Dependency Diagrams
• Esthetics
Analysis
• Qualitative
– Survey Response data
– Interview question data
• Quantitative
– Statistical Analysis
– Financial analysis (ROI, NPV, IRR)
• Trends
• Changes in the situation or environment
• Seek conclusions
• Sanity Check
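The quantitative step names three financial measures without showing how they apply to a security recommendation. The following is an added example, not material from the training series: it computes ROI, NPV and IRR for a proposed control from a year-0 outlay and the yearly loss it is expected to avoid. All figures (the 120,000 capex, 15,000 annual opex, the before/after annualised loss expectancy and the 8% discount rate) are constructed for illustration, and the helper names are this example's own.

```python
# Added example (not from the training slides): financial analysis of a
# proposed security control using the three measures the Analysis slide
# lists: ROI, NPV and IRR. Every number below is constructed.
from typing import Dict, List


def control_cash_flows(capex: float, annual_opex: float,
                       ale_before: float, ale_after: float,
                       years: int) -> List[float]:
    """Year-0 outlay (negative) followed by one net benefit per year.

    ALE = annualised loss expectancy (single loss expectancy x annual rate of
    occurrence). The control's yearly benefit is the loss it avoids minus the
    cost of running it.
    """
    benefit = ale_before - ale_after - annual_opex
    return [-capex] + [benefit] * years


def net_present_value(rate: float, cash_flows: List[float]) -> float:
    """Discount each year's flow back to year 0 and sum."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def internal_rate_of_return(cash_flows: List[float], lo: float = -0.99,
                            hi: float = 10.0, tol: float = 1e-9) -> float:
    """IRR by bisection: the discount rate at which NPV is zero.

    Requires the NPV at `lo` and `hi` to have opposite signs, which holds for
    the usual pattern of one outlay followed by positive benefits.
    """
    f_lo = net_present_value(lo, cash_flows)
    f_hi = net_present_value(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("IRR not bracketed: cash flows never change sign")
    for _ in range(200):
        mid = (lo + hi) / 2.0
        f_mid = net_present_value(mid, cash_flows)
        if abs(f_mid) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def simple_roi(cash_flows: List[float]) -> float:
    """Undiscounted ROI: (total benefit - outlay) / outlay."""
    outlay = -cash_flows[0]
    return (sum(cash_flows[1:]) - outlay) / outlay


def evaluate_control(discount_rate: float = 0.08) -> Dict[str, object]:
    """Worked case with constructed figures: a 120k control that cuts the
    annualised loss from 100k to 25k and costs 15k a year to operate."""
    flows = control_cash_flows(capex=120_000, annual_opex=15_000,
                               ale_before=100_000, ale_after=25_000, years=3)
    return {
        "cash_flows": flows,
        "roi": simple_roi(flows),
        "npv": net_present_value(discount_rate, flows),
        "irr": internal_rate_of_return(flows),
    }


if __name__ == "__main__":
    result = evaluate_control()
    print("cash flows:", result["cash_flows"])
    print(f"ROI: {result['roi']:.0%}")
    print(f"NPV @ 8%: {result['npv']:,.2f}")
    print(f"IRR: {result['irr']:.1%}")
```

The point for the recommendations slide that follows: a "quick win" with a positive NPV at the sponsor's own discount rate is easy to defend financially, while the IRR lets the sponsor compare the control against other projects competing for the same money.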
Figure: security shown as a layer spanning the Business process Plane, the Organisation Plane, the Solutions Plane and the Infrastructure Plane
Analysis
Figure: "Business risk" chart – vulnerabilities A to F plotted by Severity (1 to 5) against Probability (1 to 5)
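The chart places each vulnerability on a Severity by Probability grid and reads business risk off its position. The following is an added example, not material from the training series: it scores a set of findings on that grid, ranks them, and draws the grid as text so the same picture can be pasted into a report. The findings A to F and their scores are constructed, and the high/medium/low thresholds are an assumption, not taken from the slides.

```python
# Added example (not from the training slides): scoring findings on the
# Severity x Probability matrix the Analysis slide plots, and turning the
# plot into a prioritised list. Findings and thresholds are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    label: str        # letter shown on the chart
    title: str
    severity: int     # 1 (negligible) .. 5 (critical) business impact
    probability: int  # 1 (rare) .. 5 (almost certain)


def risk_score(f: Finding) -> int:
    """Product of the two 1..5 axes, giving a score of 1..25."""
    for v in (f.severity, f.probability):
        if not 1 <= v <= 5:
            raise ValueError(f"{f.label}: axis values must be 1..5")
    return f.severity * f.probability


def risk_band(score: int) -> str:
    """Bands used to separate quick wins from strategic items.
    Thresholds are an assumption for this example."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritise(findings: List[Finding]) -> List[Tuple[str, int, str]]:
    """Rank by score, with severity breaking ties so that a high-impact but
    unlikely event outranks an equally scored nuisance that happens often."""
    ranked = sorted(findings, key=lambda f: (risk_score(f), f.severity),
                    reverse=True)
    return [(f.label, risk_score(f), risk_band(risk_score(f))) for f in ranked]


def render_matrix(findings: List[Finding]) -> str:
    """Text version of the chart: severity down the left (5 at the top),
    probability across the bottom, finding letters in the cells."""
    cells: Dict[Tuple[int, int], List[str]] = {}
    for f in findings:
        cells.setdefault((f.severity, f.probability), []).append(f.label)
    lines = ["Severity"]
    for s in range(5, 0, -1):
        row = ["".join(cells.get((s, p), [])).ljust(3) for p in range(1, 6)]
        lines.append(f"  {s} | " + " ".join(row))
    lines.append("    +" + "-" * 20)
    lines.append("      1   2   3   4   5   Probability")
    return "\n".join(lines)


# Constructed findings in the spirit of the physical review on the slides.
SAMPLE_FINDINGS = [
    Finding("A", "Unlocked wiring closet on ground floor", 4, 4),
    Finding("B", "Clean-desk policy not followed in finance", 3, 5),
    Finding("C", "Visitor badges not collected at exit", 2, 4),
    Finding("D", "Shared administrator password on file server", 5, 3),
    Finding("E", "Paper records stored in open bins", 3, 2),
    Finding("F", "CCTV blind spot at loading dock", 2, 2),
]


if __name__ == "__main__":
    print(render_matrix(SAMPLE_FINDINGS))
    for label, score, band in prioritise(SAMPLE_FINDINGS):
        print(f"{label}: score {score:2d} ({band})")
```

Ranking by the product alone would leave A, D and B nearly interchangeable; the severity tie-break is what pushes the single critical-impact finding (D) ahead of the more frequent but less damaging one (B), which is usually the order a sponsor expects to see in the quick-win list.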
Development
• Reports
• Flowcharts
• Presentations
• Deliverables
Recommendations
• Findings and Conclusions – related to standards
• Current Security level
• Risks to the business
• Short term "quick win" recommendations
• Longer term strategic recommendations
• Should be:
– Timely
– Financially considerate
– Politically sensitive
– Prioritized
Figure: business impacts of a security failure – decrease of services or abilities, loss of revenue, loss of taxpayer confidence, increase of operating expenses, conflicts with others, loss of employee trust, damage to image – set against the security level as assessed with staff and management
Documentation
• Document process, participants and project authorizations and scope changes
• Ensure copies of important paperwork are retained and properly filed
– Licenses
– Project Documents
• Consultant input should be documented and stored for long term knowledge transfer
• Re-usable content
– Learn quicker
– Deliver faster
– Customize solutions
Debrief
• Presentation to interested parties of the report and awareness material
– May be technical review if required
• Knowledge transfer from consultants
• Asking of questions
• Demonstration of findings and conclusions
• Presentation of the quick wins
• Staff are assigned with responsibilities for implementing quick wins
• Validation of results
• Closing of project
• Security improvements can be seen immediately, increasing the value of the engagement
Engagement flow (figure): Kick-off meeting; then Interviews, Document Review, Physical Security Review and IT Infrastructure Review; then Analysis, Development & recommendation; then Security Process Review and Security Implementation Review; then Follow-on workshop
Questions??
Sample Processes
• Reconnaissance
– Identify all possible entrances/exits
– Identify coverage of surveillance systems
– Identify reception staff and security guard behaviour
• Gain Building Access
– Enter site perimeter
– Enter building and office premises
• Assess Internal Physical Controls
– Determine vulnerabilities in all possible entrances/exits
– Determine vulnerabilities in monitoring, surveillance and alarm controls
– Assess incident management/response controls
– Assess access to workspace, cabinets, desks, waste
– Review clean desk policy
• Assess availability of LAN access
– Identify live LAN connection ports
– Assess security of cabling systems
– Assess security of wiring closets, network devices and computer rooms
• Access Business Assets
– Obtain copies of sensitive documents and materials
– Obtain access to other important company assets
– Record evidence: document hardcopies, photographs
Output: VULNERABILITIES
Security Review Processes
• Company Information Scan
– Search the Internet for information about the company, its services, locations and IT environment
– Access the company's public web sites
• Gain Network Connectivity
– If testing internally, gain physical access to LAN infrastructure and then an IP address
– If testing externally, connect via Internet and also search for dial-in connections (wardialling)
• Map Network
– Gain access to and review DNS information
– Determine network structure, external connections, and LAN services
– Identify systems, O/S, middleware and applications
– Determine targets
• Identify & Exploit vulnerabilities
– Identify vulnerabilities
– Exploit vulnerabilities to gain system access
– Obtain privileged user status
– Identify and exploit system/network connections and trust relations
• Determine Capability
– Copy sensitive documents, e-mail & reports
– Assess capabilities from access gained to applications and databases
– Record evidence: screenshots, files, reports
Output: VULNERABILITIES
Sample Case
Converged Investigation’s Methodology
Project Sponsor
• Dave
• My purpose in this engagement is…?
Scope Definition
• The development of a set of processes, procedures and tools sufficient for CoV security staff to conduct ongoing investigations with both traditional and electronic investigation components
Kickoff
• PM?
• Resources?
• Re-state scope, timelines and budget
• How will you defend against scope creep?
Project Triangle
Tools
• Report Template Example
• Checklist
• Shared Workspace
Information Gathering
• What to review?
Analysis
• Review gathered material
Development
• Flowchart
• Recommended changes
– New policy
– procedures
– standards or guidelines
– SOP
• Reports
• Presentations
Recommendations
• Relate to standards and best practices if possible
• Gap analysis
• Prioritize with quick wins up front
• Get input whenever possible
Documentation
• Flowchart
• Sources
• Filing and storage
• Re-usability
Debrief
• Process to validate?
• How do we make this a process?
• PM – Close project with sponsor and stakeholders
Questions