security consulting methodology

Post on 25-May-2015


Consulting Methodology

Security Management Training Series

October 2, 2006

Security Management Training Series

• Security, Legal & Risk Management

• Consulting Methodology

• Policy Structure

• Risk Assessment

Assumptions

• Assume methodology is important for now

• More to come on the why later

• This is the reader’s digest version

• Based on significant worldwide experience and across numerous sectors and verticals

• Based on IBM’s consulting approach and my own experience

Overview

• Why?

• Project Sponsor

• Scope definition

• Kickoff

• Information gathering

• Analysis

• Development

• Recommendations

• Documentation

• Debrief

• Case

Methodology

A set of processes and approaches:

• Proven and documented

• Supported by tools

• Adopted by a group

Methodology

The purpose of a method is to provide a framework for solving problems and getting results

It is not:

• static

• a panacea

• a cookbook or substitute for good judgment

Why Methodology?

• Repeatable Results

– Process (Defined Engagements)

• Verifiable Results

– Measurement (CoS Card)

• Reliable Results

– Toolsets (Standards, Best practices)

• Resource requirements are less

– Time to engage and complete

– Cost

– Effort

Project Sponsor

• Identify

– Purpose of the project sponsor is….

• Publish if required or a good idea

– Politics

– Highly decentralized sphere of scope

– If you know there is resistance to the project

– Very senior project sponsor

– If you can leverage the sponsor’s clout

Scope Definition

• In writing – what resources are required

• Process for scope change

• Document what success means

• Understand what presentation format will be required

– Level of detail

– Audience

• Understand purpose of engagement – how will results be used?

Project Triangle (diagram): Money, Time and Resources, with Project Scope at the centre.

Kickoff

• Project management

• Resource acquisition

• Re-state scope, timelines and budget

• Be aware of scope creep

• Project Triangle


Information Gathering

• Document reviews

– policy

– strategic plans

– missions and visions

– diagrams

– historical documents

Information Gathering

• Interviews

– statements

– opinions

• Develop question tree

– Who will be asked what

– What order

Information Gathering

• Gap Review

– compare against contemporaries

– best practices

– Industry opinion

– Colleagues

– Case Studies

– Survey Research

Information Gathering

• Tools

– Forms

– Report Templates (structure, esthetics)

– Comparison spreadsheets

– Organization Standards

– WBS

– Dependency Diagrams

Analysis

• Qualitative

– Survey response data

– Interview question data

• Quantitative

– Statistical analysis

– Financial analysis (ROI, NPV, IRR)

• Trends

• Changes in the situation or environment

• Seek conclusions

• Sanity check
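As an added worked example (not part of the deck), the financial measures the Quantitative bullet lists, ROI, NPV and IRR, plus a simple payback, computed for a constructed security control. The cash flows, the 10% discount rate and the function names are assumptions; the point is that a recommendation is only "financially considerate" when the avoided loss, discounted at the sponsor's rate, exceeds the outlay.

```python
"""Quantitative analysis for a proposed security control: ROI, NPV, IRR, payback.

Added example; the cash-flow figures below are constructed, not from the deck.
"""
from typing import List, Optional


def npv(rate: float, cashflows: List[float]) -> float:
    """Net present value. cashflows[0] is the outlay at t=0 (negative);
    cashflows[t] is the net benefit (avoided loss minus running cost) in year t."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cashflows))


def roi(cashflows: List[float]) -> float:
    """Simple, undiscounted return on investment: net gain divided by the outlay."""
    outlay = -cashflows[0]
    return (sum(cashflows[1:]) - outlay) / outlay


def payback_years(cashflows: List[float]) -> Optional[float]:
    """Years until the cumulative cash flow turns non-negative (fractional within
    the crossing year); None if the control never pays for itself."""
    cumulative = cashflows[0]
    if cumulative >= 0:
        return 0.0
    for year, cf in enumerate(cashflows[1:], start=1):
        if cf > 0 and cumulative + cf >= 0:
            return year - 1 + (-cumulative / cf)
        cumulative += cf
    return None


def irr(cashflows: List[float], low: float = -0.99, high: float = 10.0,
        tol: float = 1e-9) -> float:
    """Internal rate of return by bisection: the discount rate at which NPV is zero.
    Assumes a conventional profile (one outlay followed by inflows), so NPV falls
    monotonically with the rate and the root is unique."""
    if npv(low, cashflows) * npv(high, cashflows) > 0:
        raise ValueError("NPV does not change sign on the search interval")
    for _ in range(200):
        mid = (low + high) / 2
        if npv(mid, cashflows) > 0:   # rate still too low: move the lower bound up
            low = mid
        else:
            high = mid
        if high - low < tol:
            break
    return (low + high) / 2


# Constructed scenario (assumption): a control costing 100 000 up front that
# avoids 40 000 per year of loss for four years, appraised at a 10% rate.
CONTROL = [-100_000, 40_000, 40_000, 40_000, 40_000]
DISCOUNT_RATE = 0.10


def appraise(cashflows: List[float] = CONTROL, rate: float = DISCOUNT_RATE) -> dict:
    """The figures a recommendation slide would carry for one control."""
    present_value = npv(rate, cashflows)
    return {
        "roi": roi(cashflows),
        "npv": present_value,
        "irr": irr(cashflows),
        "payback_years": payback_years(cashflows),
        "worthwhile": present_value > 0,   # NPV > 0 at the sponsor's rate
    }


if __name__ == "__main__":
    for name, value in appraise().items():
        print(f"{name:>14}: {value:.4f}" if isinstance(value, float) else f"{name:>14}: {value}")
```

The IRR is what the sponsor compares against the organisation's hurdle rate; the payback figure is the one that separates a "quick win" from a strategic recommendation when the two are ranked in the Recommendations section.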

Diagram: Business process plane, Organisation plane, Solutions plane and Infrastructure plane, with Security shown against each plane.

Analysis

Chart: "Business Risk" matrix of vulnerabilities, with Severity (1–5) on one axis and Probability (1–5) on the other; vulnerabilities A to F are plotted on the grid.
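The "Business Risk" chart places each vulnerability on a severity-by-probability grid. As an added example, not from the deck, the Python below scores constructed findings A to F on that 1 to 5 grid, ranks them for the Recommendations section and renders the chart as text. The scoring rule (severity times probability), the band thresholds and the finding data are assumptions, since the slide defines none of them.

```python
"""Risk matrix analysis: place findings on a severity x probability grid and rank them.

Added example; scale meaning, thresholds and sample findings are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

SCALE = range(1, 6)          # the slide's 1..5 axes
HIGH_THRESHOLD = 15          # assumed band cut-offs on severity * probability
MEDIUM_THRESHOLD = 8


@dataclass(frozen=True)
class Finding:
    ident: str        # letter shown on the chart (A..F on the slide)
    title: str
    severity: int     # 1 (negligible) .. 5 (critical): assumed meaning
    probability: int  # 1 (rare) .. 5 (almost certain): assumed meaning

    def __post_init__(self):
        if self.severity not in SCALE or self.probability not in SCALE:
            raise ValueError(f"{self.ident}: severity and probability must be 1-5")

    @property
    def score(self) -> int:
        return self.severity * self.probability


def band(score: int) -> str:
    """Map a score to the band the recommendations will be grouped by."""
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def rank_findings(findings: Iterable[Finding]) -> List[Tuple[str, int, str]]:
    """Highest business risk first; ties broken by severity, so a severe but
    unlikely issue outranks a likely but minor one with the same score."""
    ordered = sorted(findings, key=lambda f: (f.score, f.severity), reverse=True)
    return [(f.ident, f.score, band(f.score)) for f in ordered]


def render_matrix(findings: Iterable[Finding]) -> str:
    """Text version of the chart: rows are severity 5..1, columns probability 1..5."""
    cells = {(s, p): [] for s in SCALE for p in SCALE}
    for f in findings:
        cells[(f.severity, f.probability)].append(f.ident)
    lines = ["Sev\\Prob " + " ".join(f"{p:^5}" for p in SCALE)]
    for s in reversed(SCALE):
        row = " ".join(f"{''.join(cells[(s, p)]) or '.':^5}" for p in SCALE)
        lines.append(f"   {s}     {row}")
    return "\n".join(lines)


# Constructed sample findings (not the deck's A..F, whose positions are unknown).
SAMPLE = [
    Finding("A", "Unlocked wiring closet", severity=5, probability=2),
    Finding("B", "No visitor sign-in at reception", severity=4, probability=4),
    Finding("C", "Sensitive papers left on desks", severity=2, probability=5),
    Finding("D", "Alarm log not reviewed", severity=3, probability=3),
    Finding("E", "Faded signage at side door", severity=1, probability=2),
    Finding("F", "Server room door propped open", severity=5, probability=5),
]


if __name__ == "__main__":
    print(render_matrix(SAMPLE))
    for ident, score, level in rank_findings(SAMPLE):
        print(f"{ident}: score {score:2d} ({level})")
```

The ranked list is the input to the "Prioritized" requirement on the Recommendations slide; the text grid is the sanity check against the chart the sponsor will see.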

Development

• Reports

• Flowcharts

• Presentations

• Deliverables

Recommendations

• Findings and Conclusions – related to standards

• Current Security level

• Risks to the business

• Short term "quick win" recommendations

• Longer term strategic recommendations

• Should be:

– Timely

– Financially considerate

– Politically sensitive

– Prioritized

Chart: business impacts (Decrease of services or abilities, Loss of revenue, Loss of taxpayer confidence, Increase of operating expenses, Conflicts with others, Loss of employee trust, Damage to image) plotted against Security level, with the labels Staff, Management and Assessment.

Documentation

• Document process, participants, project authorizations and scope changes

• Ensure copies of important paperwork are retained and properly filed

– Licenses

– Project Documents

• Consultant input should be documented and stored for long term knowledge transfer

• Re-usable content

– Learn quicker

– Deliver faster

– Customize solutions

Debrief

• Presentation to interested parties of the report and awareness material – may be a technical review if required

• Knowledge transfer from consultants

• Asking of questions

• Demonstration of findings and conclusions

• Presentation of the quick wins

• Staff are assigned responsibilities for implementing quick wins

• Validation of results

• Closing of project

• Security improvements can be seen immediately, increasing the value of the engagement

Engagement flow (diagram): Kick-off meeting → Interviews, Document Review, Physical Security Review, IT Infrastructure Review, Security Process Review, Security Implementation Review → Analysis → Development & recommendation → Follow-on workshop

Questions??

Sample Processes

Reconnaissance

– Identify all possible entrances/exits

– Identify coverage of surveillance systems

– Identify reception staff and security guard behaviour

Gain Building Access

– Enter site perimeter

– Enter building and office premises

Assess Internal Physical Controls

– Determine vulnerabilities in all possible entrances/exits

– Determine vulnerabilities in monitoring, surveillance and alarm controls

– Assess incident management/response controls

– Assess access to workspace, cabinets, desks, waste

– Review clean desk policy

Assess Availability of LAN Access

– Identify live LAN connection ports

– Assess security of cabling systems

– Assess security of wiring closets, network devices and computer rooms

Access Business Assets

– Obtain copies of sensitive documents and materials

– Obtain access to other important company assets

– Record evidence: document hardcopies, photographs

(Diagram output: VULNERABILITIES)

Security Review Processes

Company Information Scan

– Search the Internet for information about the company, its services, locations and IT environment

– Access the company's public web sites

Gain Network Connectivity

– If testing internally, gain physical access to LAN infrastructure and then an IP address

– If testing externally, connect via Internet and also search for dial-in connections (wardialling)

Map Network

– Gain access to and review DNS information

– Determine network structure, external connections, and LAN services

– Identify systems, O/S, middleware and applications

– Determine targets

Identify & Exploit Vulnerabilities

– Identify vulnerabilities

– Exploit vulnerabilities to gain system access

– Obtain privileged user status

– Identify and exploit system/network connections and trust relations

Determine Capability

– Copy sensitive documents, e-mail & reports

– Assess capabilities from access gained to applications and databases

– Record evidence: screenshots, files, reports

(Diagram output: VULNERABILITIES)

Sample Case

Converged Investigation’s Methodology

Project Sponsor

• Dave

• My purpose in this engagement is…?

Scope Definition

• The development of a set of processes, procedures and tools sufficient for CoV security staff to conduct ongoing investigations with both traditional and electronic investigation components

Kickoff

• PM?

• Resources?

• Re-state scope, timelines and budget

• How will you defend against scope creep?

Project Triangle

Tools

• Report Template Example

• Checklist

• Shared Workspace

Information Gathering

• What to review?

Analysis

• Review gathered material

Development

• Flowchart

• Recommended changes

– New policy

– Procedures

– Standards or guidelines

– SOP

• Reports

• Presentations

Recommendations

• Relate to standards and best practices if possible

• Gap analysis

• Prioritize with quick wins up front

• Get input whenever possible

Documentation

• Flowchart

• Sources

• Filing and storage

• Re-usability

Debrief

• Process to validate?

• How do we make this a process?

• PM – Close project with sponsor and stakeholders

Questions
