
Educause MARC 2003

Copyright 2002, Marchany 1

Risk Analysis
Know what to protect before protecting it….
Unit 2 – Security, Targeting & Analysis of Risk (STAR)


The Layers of Security
• Policy
• Awareness
• Risk Analysis
• Incident Response
• Free Tools


98% On-Time Return Rate
• We have 180+ administrative, academic depts.
• Each dept is required to turn in an IT risk analysis. State Directive.
• We get 98% on-time return rate on the risk analysis reports. How?


How Do We Do It?
• University IT Security Office convinces CFO of the need to do a departmental risk analysis.
• CFO controls the budget for all depts.
• CFO issues directive to all dept heads stating the need to turn in the reports on time. Or else, he’ll review their budget request.
• You must obtain the buy-in of the top university officials. Period.


Case Study – The 1st Time Sort of…..
• We applied some but not all TBS concepts in our first attempt to determine the status of our asset security.
• This process took about 12 months. Security committee met once every 2-3 weeks.
• We’re starting the sixth iteration now. Now it only takes 1 month max.


The Committee
• Management and Technical Personnel from the major areas of IS:
• University Libraries
• Educational Technologies
• University Network Management Group
• University Computing Center
• Administrative Information Systems


The Committee’s Scope
• Information Systems Division only
• Identified and prioritized:
• Assets
• RISKS associated with those ASSETS
• CONTROLS that may be applied to the ASSETS to mitigate the RISKS
• Did NOT specifically consider assets outside IS control. However, those assets are included as clients when considering access to assets we wish to protect.


Identifying the Assets
• Compiled a list of assets (+100 hosts)
• Categorize them as critical, essential, normal
• Critical - VT can’t operate w/o this asset for even a short period of time.
• Essential - VT could work around the loss of the asset for up to a week. The asset needs to be returned to service asap.
• Normal - VT could operate w/o this asset for a finite period but entities may need to identify alternatives.


Prioritizing the Assets
• The network (router, bridges, cabling, etc.) was treated as a single entity and deemed critical.
• Some assets were classified as critical and then rank ordered using a matrix prioritization technique. Each asset was compared to the other and members voted on their relative importance. Members could split their vote.


Prioritizing the Assets
• Asset weight values calculated by a simple formula. Weight = sum of vote values.
• Criteria: Criticality, Value to the Org, Impact of Outage


Identifying the Risks
• A RISK was selected if it caused an incident that would:
• Be extremely expensive to fix
• Result in the loss of a critical service
• Result in heavy, negative publicity, especially outside the university
• Have a high probability of occurring
• Risks were prioritized using matrix prioritization technique


Prioritizing the Risks
• Same as formula for prioritizing Assets
• Criteria: Scope of Impact, Probability of an incident
• Weight = sum of vote values
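The matrix prioritization used on the asset slides and on this risk slide, as an added example in Python (not VT’s own voting spreadsheet): members compare items pairwise, may split a vote, and an item’s weight is the sum of the vote values it received across all criteria. The asset names and ballots are constructed; ranking risks uses the same function with the risk criteria (Scope of Impact, Probability of an incident) in place of the asset criteria.

```python
from itertools import combinations

# Constructed ballots for three critical assets under the three asset
# criteria on the slide. For each pair (a, b) with a < b, every committee
# member records the share of their vote given to a: 1.0 = whole vote to a,
# 0.5 = split vote, 0.0 = whole vote to b. The remainder of each vote goes to b.
ASSETS = ("web", "mail", "dns")
ASSET_BALLOTS = {
    "Criticality": {
        ("dns", "mail"): [1.0, 1.0, 0.5],
        ("dns", "web"): [1.0, 1.0, 1.0],
        ("mail", "web"): [1.0, 0.5, 0.5],
    },
    "Value to the Org": {
        ("dns", "mail"): [0.5, 0.0, 0.5],
        ("dns", "web"): [1.0, 0.5, 1.0],
        ("mail", "web"): [1.0, 1.0, 1.0],
    },
    "Impact of Outage": {
        ("dns", "mail"): [1.0, 0.5, 1.0],
        ("dns", "web"): [1.0, 1.0, 1.0],
        ("mail", "web"): [0.5, 1.0, 1.0],
    },
}


def matrix_weights(items, ballots):
    """Weight = sum of the vote values an item received over every pair and criterion."""
    weights = {item: 0.0 for item in items}
    for criterion, pairs in ballots.items():
        for a, b in combinations(sorted(items), 2):
            votes = pairs.get((a, b))
            if votes is None:
                raise ValueError(f"{criterion}: no votes recorded for {a}/{b}")
            for v in votes:
                if not 0.0 <= v <= 1.0:
                    raise ValueError(f"{criterion}: vote {v} for {a}/{b} out of range")
                weights[a] += v           # share of this member's vote given to a
                weights[b] += 1.0 - v     # remainder of the vote goes to b
    return weights


def rank_order(items, ballots):
    """Items ordered by weight, highest first; ties broken by name."""
    weights = matrix_weights(items, ballots)
    return sorted(items, key=lambda item: (-weights[item], item))


if __name__ == "__main__":
    weights = matrix_weights(ASSETS, ASSET_BALLOTS)
    for item in rank_order(ASSETS, ASSET_BALLOTS):
        print(f"{item:5s} weight={weights[item]}")
```

A useful sanity check on a filled-in voting sheet: the weights must total (criteria × pairs × members), here 3 × 3 × 3 = 27, or a ballot is missing or out of range.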


How STAR Looked Originally

Original STAR Asset, Risk, Asset-Risk, Control Matrices

Original STAR Compliance Matrices


How STAR Looks Now
• Do most of the work for them
• Business Recovery Plan Template
• Intro to the BIA/RA Process
• General Instructions for Dept BIA/RA
• Blank BIA/RA Template
• IS Risks For Dummies
• Example R/A Spreadsheet
• Blank R/A Voting Spreadsheet


The Audit/Security Checklist - Yesterday

• The detailed commands used to check an asset.
• Based on the Defense Information Infrastructure (DII) and Common Operating Environment (COE) initiative.
• We took the checklists from this site, modified them according to our R/A matrix and built checklists for Sun, IBM, NT.
• Our thanks to the unknown author who wrote the original document.
• The original checklist is available from http://security.vt.edu in the Checklists section.


The Audit/Security Checklist - Today
• We’re now using the CIS Benchmark Rulers as our checklists.
• The CIS provides a scanning tool that lets us check the status of our systems quickly.
• See http://www.cisecurity.org to download the scanning tool and the checklist.
• Another example of changing times….


STAR – The Future
• STAR is an evolving process
• We are now linking Asset identification to the mgt org chart
• Assets can now be:
• Physical systems
• Groups of systems that support a service
• Business process that requires a group of systems
• Business process that depends on other business processes
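The composite asset model in the bullets above, as an added example in Python (not VT’s STAR tooling): a dependency graph of business processes, service groups and hosts is resolved to the physical systems behind each process, and, under an assumed rule the slide does not state, each system inherits the highest category of any process that ultimately depends on it. All asset names are constructed.

```python
# Constructed example of the composite asset model: a business process
# depends on other processes or on groups of systems, and a group depends
# on physical systems. Every name here is made up.
DEPENDS_ON = {
    "Student Registration": ["Banner Service", "Identity Service"],
    "Grade Submission": ["Student Registration", "Web Portal Group"],
    "Banner Service": ["banner-db1", "banner-app1"],
    "Identity Service": ["ldap1", "ldap2"],
    "Web Portal Group": ["web1", "web2", "ldap1"],
}
# Category the committee assigned to each business process (constructed).
PROCESS_CATEGORY = {"Student Registration": "critical", "Grade Submission": "essential"}
RANK = {"critical": 3, "essential": 2, "normal": 1}


def physical_systems(asset, graph=DEPENDS_ON, trail=()):
    """Transitive closure: the physical systems (leaf assets) behind `asset`.
    An asset with no entry in `graph` is a physical system. A dependency
    cycle is reported instead of recursing forever."""
    if asset in trail:
        raise ValueError("dependency cycle: " + " -> ".join(trail + (asset,)))
    if asset not in graph:
        return {asset}
    systems = set()
    for dep in graph[asset]:
        systems |= physical_systems(dep, graph, trail + (asset,))
    return systems


def system_categories(graph=DEPENDS_ON, process_category=PROCESS_CATEGORY):
    """Assumed rule (not stated on the slide): a physical system takes the
    highest category of any business process that ultimately depends on it,
    so a process-level vote propagates down to the hosts it needs."""
    result = {}
    for process, category in process_category.items():
        for system in physical_systems(process, graph):
            if RANK[category] > RANK.get(result.get(system), 0):
                result[system] = category
    return result


if __name__ == "__main__":
    for system, category in sorted(system_categories().items()):
        print(f"{system:12s} {category}")
```

Note that ldap1 comes out critical even though the only group naming it (Web Portal Group) serves an essential process: a critical process reaches it through Identity Service, which is exactly the kind of shared dependency the org-chart linkage is meant to surface.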


Conclusions
• TBS provides a quantitative, repeatable method of prioritizing your assets.
• The matrices provide an easy to read summary of the state of your assets.
• These matrices can be used to provide your auditors with the information they need.
• The checklist contains the detailed commands to perform the audit/security check.


Building Your IT Audit Plan/Checklist

• Sample checklist/audit plans for Unix, NT and Windows 2000 Active Directory


What Risks Should We Examine?

The SANS/FBI Top 20 vulnerabilities meet our TBS risk criteria:

• Have a high probability of occurring
• Result in the loss of a critical service
• Be extremely expensive to fix later
• Result in heavy, negative publicity
• Examine your IT Assets for these vulnerabilities


Assessing the Cost
• A complete IT audit is a set of component audits.
• Master Equation: E = D + R
• E = time you’re exposed
• D = time to detect the attack
• R = time to react to the attack
• Components:
• Procedural: E = D + R
• Perimeter (Firewall): E = D + R
• UNIX: E = D + R
• NT/Windows 2000: E = D + R


CIS Rulers
• Rulers list a set of minimal actions that need to be done on a host system.
• This is a consensus list derived from security checklists provided by CIS charter members (VISA, IIA, ISACA, First Union, Pitney Bowes, Allstate Insurance, DOJ, Chevron, Shell Oil, VA Tech, Stanford, Caterpillar, Pacific Gas & Electric, RCMP, DOD CIRT, Lucent, Edu Testing Services and others)
• Can’t develop your own set? Use these! http://www.cisecurity.org


Applying Security to Assets: General Strategy
• Use STAR to identify critical risks and assets
• Use CIS benchmarks to determine what computer services are required to allow the business function to work
• Remove unnecessary services
• Create the “security” script


Applying Security to Assets: The CD to Production Cycle
• Install OS from CD or “install” server.
• Install applications
• Apply vendor/application recommended and security patches
• Install local tools (security, etc.)
• Run CIS-based/STAR-based customization
• System is ready for production


The CIS Checklists
• CIS Solaris Benchmark Document
• CIS Rating: After OS Installation - no patches
• CIS Rating: After Security/Vendor Patch Installation
• CIS Rating: After Applying Local Configuration Rules
• CIS Linux Benchmark Document
• CIS Windows 2000 Benchmark Document
• CIS Solaris Customization Script based on VT Risk Analysis


Require Vendor Security Compliance
• Terms and conditions of Purchase
• Vendor must certify their product is not vulnerable to the threats listed in the SANS/FBI Top 20 Internet Vulnerabilities document (www.sans.org/top20.htm)
• We’ve been doing this since 7/1/02. Only 2 vendors out of 700+ have declined.
• Prevent vendors from hampering our security efforts.


Summary
• Use STAR for Risk Analysis of IT assets.
• Use SANS/FBI Top 20 Internet Threats lists as a starting point.
• Use CIS benchmarks to get the actual commands needed to implement your policy based on your R/A.