i nformation t echnology s ecurity s ervices recon risk evaluation of computers and open networks...
Post on 11-Jan-2016
213 Views
Preview:
TRANSCRIPT
INFORMATIONTECHNOLOGYSECURITYSERVICES
RECONRisk Evaluation of Computers and Open Networks
Developed by
Kirk SolukUniversity of Michigan
Information Technology Security Services
INFORMATIONTECHNOLOGYSECURITYSERVICES
2
Risk Assessment Drivers
• No such thing as perfect security• Need to balance effectively risk against other factors• Need a foundation for well-informed decisions that
justify IT expenditures• Regulations
The entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework.This decision will depend on a variety of factors, such as, among others, the entity’s risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation.
- HIPAA Security Rule
INFORMATIONTECHNOLOGYSECURITYSERVICES
3
Why RECON?
• Facilitate consistent decisions across the University Especially when combined with data classification
• Facilitate rollup of results So the University’s overall security posture can be measured
• “Michiganize”• Outsourcing misses the point
Security issue #1: The Business-Trust Divide
• Leverage University expertise Training Address risk assessment requirements of all regulations at
once …
To be more effective, security professionals must learn how to speak the language of the businesses they serve - Meta Group Practice 2104: The Top 10 Security Issues
INFORMATIONTECHNOLOGYSECURITYSERVICES
4
All regulations legislate similar best practices
SOXSOX FERPA FERPA HIPAAHIPAA GLBAGLBA
One Common Risk Assessment Methodology (RECON)One Common Risk Assessment Methodology (RECON)
SOXSOX FERPA FERPA HIPAAHIPAA GLBAGLBA
SOX RASOX RAProcessProcess
FERPA RAFERPA RAProcessProcess
HIPAA RAHIPAA RAProcessProcess
GLBA RAGLBA RAProcessProcess
YouYou
YouYou
INFORMATIONTECHNOLOGYSECURITYSERVICES
5
What is RECON?
• Derived from ISO 17799 (2005) NIST 800-53 not available at the time
• A Questionnaire (Excel Spreadsheet) Built-in Risk analysis Logic & Visualization
• A Set of Security Tests
• A Template for Reporting ResultsA Risk Assessment Facilitator (IT Security Professional) leverages these RECON components to identify risks and potential mitigation strategies and to present/discuss this information with unit leadership. Unit leadership is responsible for approving the final risk treatment decisions
INFORMATIONTECHNOLOGYSECURITYSERVICES
6
RECON Process Flow
INFORMATIONTECHNOLOGYSECURITYSERVICES
7
Scope is critical
• Provides the context within which the RECON questions are answered Don’t combine systems with different security
requirements in the same assessment If the answer for one system in scope is “No”,
the answer is “No” for the entire scope.
• Focus is on Systems that process “sensitive” information Mission critical systems
INFORMATIONTECHNOLOGYSECURITYSERVICES
8
The RECON Questionnaire
• 219 questions about 54 control objectives in 11 different areas: 1. Organizational Security 2. Asset Management 3. Human Resources Security 4. Physical and Environmental Security 5. Operations 6. Network Security 7. Access Control 8. Host Security 9. Data Security 10. Incident Management 11. Business Continuity
INFORMATIONTECHNOLOGYSECURITYSERVICES
9
Network Security Area Example:25 questions about 7 control objectives
• 6. Network Security 6.1 Perimeter Security
6.1.1 A firewall (or equivalent mechanism) exists between your unit's (or department's) network, other University networks, and public networks such as the Internet
6.1.2 The firewall (or equivalent mechanism) uses a "default deny" posture where all access that is not explictly allowed is automatically denied
6.1.3 Firewall changes are subject to a formal approval process 6.2 User authentication for external connections
6.2.1 Access to the internal network by remote users is subject to user authentication
6.2.2 Users are authorized (out of band) before they are allowed to access the internal network from remote locations
6.3 Authorization process for information processing facilities 6.3.1 New systems must be authorized by management before they can be
connected to the network 6.3.2 Rogue System Detection
... 6.7 Intrusion detection
INFORMATIONTECHNOLOGYSECURITYSERVICES
10
RECON Questionnaire Responses
• For each question, two responses are needed: Are there policies and/or procedures requiring the control? Is the control operationally implemented? Answers: "Yes", No", "n/a", "n/r"
Industry Standard Best Practices
derived from ISO 17799:2005
Response 1:Documented
Policies, Procedures, Guidelines
Response 2:Implementation/
Operations
INFORMATIONTECHNOLOGYSECURITYSERVICES
11
RECON Security Tests
• Used to answer specific RECON questions accurately. For example, Do you have a password policy that prevents dictionary words? Have you minimized the attack surface of of your hosts Is your firewall configured as expected? Are your systems up to date with respect to patches? Etc.
• Current RECON Test Suite Attack Surface Enumeration Password Audit Account Security Firewall Security War walking RAS Authentication Encryption Verification Vulnerability Scanning
INFORMATIONTECHNOLOGYSECURITYSERVICES
12
Risk Analysis
• Answers to the questions determine the degree to which best practice security controls are adopted
• Risk is proportional to the lack of control adoption• Both documentation and implementation are considered in
the risk calculation Implementation weighs more
Documented?
Implemented?
Summary Risk
7.7 Removal of access rights 80%7.7.1 Access rights are removed upon
termination of employment, contract, or agreement
No Yes 60%
7.7.2 Personnel files are periodically matched with user accounts to ensure that terminated or transferred individuals do not retain access to systems
No No 100%
7.8 Unattended user equipment
INFORMATIONTECHNOLOGYSECURITYSERVICES
13
Risk Identification and Prioritization
•Focus on Severe and High Risk controls identified in the RECON Questionnaire
•In the RECON Report Template, severe and high-risk controls are referred to as Non-existent and in Need of major improvement respectively
INFORMATIONTECHNOLOGYSECURITYSERVICES
14
RECON Report
• Description of scope• Systems & Applications
• Description of methodology
• Detailed list of severe and high risks along with mitigation strategies
• Appendix lists every accepted risk
• Executive summary
INFORMATIONTECHNOLOGYSECURITYSERVICES
15
Further Action
• It is the responsibility of the Risk Assessment Facilitator to educate unit leadership about the risks and to make recommendations
• It is the responsibility of Unit Leadership to make the final business (i.e. risk) decisions: Mitigate at some (approved) cost OR Continue to accept the current risk
INFORMATIONTECHNOLOGYSECURITYSERVICES
16
RECON Process Summary
INFORMATIONTECHNOLOGYSECURITYSERVICES
17
RECON Case Study Effort
• Scope Complete (14 hours) 3 x 1hour “kick-off” meetings to understand the major apps 3 x 1hour “investigative” meetings to refine scope and network diagram 1 x 8 hour drawing diagrams and filling in scope details
• Questionnaire Complete (20 hours) 1 x 1hour meeting with HR 7 x 2hour technical meetings (Lot’s of working lunches) 5 x 1hour “follow-up” meetings
• Test Complete (60 hours) 3 x 1hour meetings for securing authorization 3 x 8hours for network scanning (50 hosts x 5 networks) 3 x 8hours for other tests 3 x 1hour meetings for verifying results 3 x 2hour meetings for analyzing results
• Total (94 Hours) ~2.5 full-time weeks spread over a 2 month period Doesn’t count time to write final report!
INFORMATIONTECHNOLOGYSECURITYSERVICES
18
RECON Experience
• 104 + 17 RECON assessments in ITS 101 Campus Computer Security training course (2005 - present)
• GLBA was a driver for several wide-ranging assessments 1. Student Financial Operations - Higher Education
Production Systems in MAIS. 2. Student Accounts - i.e. Financial Aid Systems 3. UM Dearborn Financial Systems 4. UM Flint Financial Systems
UM Flint risk assessment provided the foundation for Flint's annual IT appropriations request.
INFORMATIONTECHNOLOGYSECURITYSERVICES
19
RECON Experience
• 5. The UM Windows Forest The UM Windows Forest assessment
resulted in the formation of a technical committee from four major units (Engineering, Business, LSA, Housing) that unanimously endorsed and will soon be presenting to the Forest IT Directors a request for 15 major security enhancements.
top related