Unit 2 – Security, Targeting & Analysis of Risk (STAR) Risk Analysis
Know what to protect before protecting it….
Educause MARC 2003 Copyright 2002, Marchany

Slide 2 – The Layers of Security
• Policy
• Awareness
• Risk Analysis
• Incident Response
• Free Tools

Slide 3 – 98% On-Time Return Rate
• We have 180+ administrative and academic departments.
• Each department is required to turn in an IT risk analysis. State directive.
• We get a 98% on-time return rate on the risk analysis reports. How?

Slide 4 – How Do We Do It?
• The University IT Security Office convinces the CFO of the need to do a departmental risk analysis.
• The CFO controls the budget for all departments.
• The CFO issues a directive to all department heads stating the need to turn in the reports on time. Or else, he’ll review their budget request.
• You must obtain the buy-in of the top university officials. Period.

Slide 5 – Case Study – The 1st Time
• Sort of….. We applied some but not all TBS concepts in our first attempt to determine the status of our asset security.
• This process took about 12 months. The security committee met once every 2-3 weeks.
• We’re starting the sixth iteration now. Now it only takes 1 month max.

Slide 6 – The Committee
Management and technical personnel from the major areas of IS:
• University Libraries
• Educational Technologies
• University Network Management Group
• University Computing Center
• Administrative Information Systems

Slide 7 – The Committee’s Scope
• Information Systems Division only.
• Identified and prioritized:
  • ASSETS
  • RISKS associated with those ASSETS
  • CONTROLS that may be applied to the ASSETS to mitigate the RISKS
• Did NOT specifically consider assets outside IS control.
  However, those assets are included as clients when considering access to assets we wish to protect.

Slide 8 – Identifying the Assets
• Compiled a list of assets (100+ hosts).
• Categorized them as critical, essential, or normal:
  • Critical – VT can’t operate without this asset for even a short period of time.
  • Essential – VT could work around the loss of the asset for up to a week. The asset needs to be returned to service asap.
  • Normal – VT could operate without this asset for a finite period, but entities may need to identify alternatives.

Slide 11 – Prioritizing the Assets
• The network (routers, bridges, cabling, etc.) was treated as a single entity and deemed critical.
• Some assets were classified as critical and then rank-ordered using a matrix prioritization technique.
• Each asset was compared to the others and members voted on their relative importance. Members could split their vote.

Slide 12 – Prioritizing the Assets
• Asset weight values are calculated by a simple formula: Weight = sum of vote values.
• Criteria:
  • Criticality
  • Value to the organization
  • Impact of outage

Slide 13 – Identifying the Risks
A RISK was selected if it caused an incident that would:
• Be extremely expensive to fix
• Result in the loss of a critical service
• Result in heavy, negative publicity, especially outside the university
• Have a high probability of occurring
Risks were prioritized using the matrix prioritization technique.

Slide 14 – Prioritizing the Risks
• Same formula as for prioritizing assets: Weight = sum of vote values.
• Criteria:
  • Scope of impact
  • Probability of an incident

Slide 15 – How STAR Looked Originally
• Original STAR Asset, Risk, Asset-Risk and Control Matrices
• Original STAR Compliance Matrices

Slide 16 – How STAR Looks Now
Do most of the work for them:
• Business Recovery Plan Template
• Intro to the BIA/RA Process
• General Instructions for Dept BIA/RA
• Blank BIA/RA Template
• IS Risks For Dummies
• Example R/A Spreadsheet
• Blank R/A Voting Spreadsheet

Slide 17 – The Audit/Security Checklist Yesterday
• The detailed commands used to check an asset.
• Based on the Defense Information Infrastructure (DII) and Common Operating Environment (COE) initiative.
• We took the checklists from this site, modified them according to our R/A matrix and built checklists for Sun, IBM and NT.
• Our thanks to the unknown author who wrote the original document.
• The original checklist is available from http://security.vt.edu in the Checklists section.

Slide 18 – The Audit/Security Checklist Today
• We’re now using the CIS Benchmark Rulers as our checklists.
• The CIS provides a scanning tool that lets us check the status of our systems quickly.
• See http://www.cisecurity.org to download the scanning tool and the checklist.
• Another example of changing times….
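The matrix prioritization voting described on slides 11 through 14 (pairwise comparison, one vote per pair that members may split, Weight = sum of vote values) can be written down in a few lines. The following is an added illustration, not Virginia Tech’s R/A voting spreadsheet. The assets, risks, voters and ballots are constructed, and combining the two rankings into an Asset-Risk matrix by multiplying weights is an assumption made here to show how such a matrix would be read; the slides only say that an Asset-Risk matrix exists.

```python
"""Matrix prioritization of assets and risks as described in the STAR slides.

Added illustration, not Virginia Tech's voting spreadsheet. Every pair of
items is compared; each committee member casts one vote per pair and may
split it between the two items (0.5/0.5). An item's weight is the sum of
the vote values it received over all pairs and all voters, i.e. the slide's
"Weight = sum of vote values". Multiplying asset and risk weights to form an
asset-risk matrix is an assumption made here; the slides do not give the rule.
"""
from itertools import combinations
from typing import Dict, List, Tuple

Pair = Tuple[str, str]
# One ballot: for each pair (a, b), the share of the vote given to a.
# b receives 1 - share. A full vote is 1.0 or 0.0, a split vote is 0.5.
Ballot = Dict[Pair, float]


def prioritize(items: List[str], ballots: List[Ballot]) -> Dict[str, float]:
    """Weight of each item = sum of the vote values it received."""
    weights = {item: 0.0 for item in items}
    for ballot in ballots:
        for a, b in combinations(items, 2):
            share_a = ballot[(a, b)]          # KeyError if a voter skipped a pair
            if not 0.0 <= share_a <= 1.0:
                raise ValueError(f"share for {a} vs {b} must be in [0, 1]")
            weights[a] += share_a
            weights[b] += 1.0 - share_a
    return weights


def rank(weights: Dict[str, float]) -> List[str]:
    """Rank order, highest weight first; ties broken alphabetically."""
    return sorted(weights, key=lambda k: (-weights[k], k))


def asset_risk_matrix(asset_w: Dict[str, float],
                      risk_w: Dict[str, float]) -> Dict[Pair, float]:
    """Asset-risk cell = asset weight * risk weight (assumed combination rule)."""
    return {(a, r): aw * rw for a, aw in asset_w.items() for r, rw in risk_w.items()}


def top_cells(matrix: Dict[Pair, float], n: int) -> List[Pair]:
    """The n asset-risk pairs that should receive controls first."""
    return sorted(matrix, key=lambda k: (-matrix[k], k))[:n]


# --- constructed sample data: four assets, three risks, three voters ---------
ASSETS = ["Network", "Email", "Web", "Payroll"]
RISKS = ["Root compromise", "Extended outage", "Data disclosure"]

ASSET_BALLOTS: List[Ballot] = [
    {("Network", "Email"): 1.0, ("Network", "Web"): 1.0, ("Network", "Payroll"): 1.0,
     ("Email", "Web"): 0.5, ("Email", "Payroll"): 0.0, ("Web", "Payroll"): 0.0},
    {("Network", "Email"): 1.0, ("Network", "Web"): 1.0, ("Network", "Payroll"): 1.0,
     ("Email", "Web"): 1.0, ("Email", "Payroll"): 0.5, ("Web", "Payroll"): 0.0},
    {("Network", "Email"): 0.5, ("Network", "Web"): 1.0, ("Network", "Payroll"): 1.0,
     ("Email", "Web"): 1.0, ("Email", "Payroll"): 1.0, ("Web", "Payroll"): 0.5},
]
RISK_BALLOTS: List[Ballot] = [
    {("Root compromise", "Extended outage"): 1.0, ("Root compromise", "Data disclosure"): 0.5,
     ("Extended outage", "Data disclosure"): 1.0},
    {("Root compromise", "Extended outage"): 1.0, ("Root compromise", "Data disclosure"): 1.0,
     ("Extended outage", "Data disclosure"): 0.5},
    {("Root compromise", "Extended outage"): 0.5, ("Root compromise", "Data disclosure"): 0.0,
     ("Extended outage", "Data disclosure"): 0.0},
]

if __name__ == "__main__":
    aw = prioritize(ASSETS, ASSET_BALLOTS)
    rw = prioritize(RISKS, RISK_BALLOTS)
    print("assets:", rank(aw), aw)
    print("risks: ", rank(rw), rw)
    print("apply controls first to:", top_cells(asset_risk_matrix(aw, rw), 3))
```

Every pair hands out exactly one vote, so the weights always sum to (number of pairs) × (number of voters); that is a quick sanity check on a filled-in voting spreadsheet. With the constructed ballots the network comes out on top, as the slides say it did, and the Asset-Risk matrix puts controls against root compromise of the network ahead of everything else.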
Slide 19 – STAR – The Future
• STAR is an evolving process.
• We are now linking asset identification to the management org chart.
• Assets can now be:
  • Physical systems
  • Groups of systems that support a service
  • A business process that requires a group of systems
  • A business process that depends on other business processes

Slide 21 – Conclusions
• TBS provides a quantitative, repeatable method of prioritizing your assets.
• The matrices provide an easy-to-read summary of the state of your assets.
• These matrices can be used to provide your auditors with the information they need.
• The checklist contains the detailed commands to perform the audit/security check.

Slide 22 – Building Your IT Audit Plan/Checklist
• Sample checklist/audit plans for Unix, NT and Windows 2000 Active Directory

Slide 23 – What Risks Should We Examine?
The SANS/FBI Top 20 vulnerabilities meet our TBS risk criteria:
• Have a high probability of occurring
• Result in the loss of a critical service
• Be extremely expensive to fix later
• Result in heavy, negative publicity
• Examine your IT assets for these vulnerabilities.

Slide 24 – Assessing the Cost
• A complete IT audit is a set of component audits.
• Master equation: E = D + R
  • E = time you’re exposed
  • D = time to detect the attack
  • R = time to react to the attack
• Components:
  • Procedural: E = D + R
  • Perimeter (firewall): E = D + R
  • UNIX: E = D + R
  • NT/Windows 2000: E = D + R

Slide 25 – CIS Rulers
• Rulers list a set of minimal actions that need to be done on a host system.
• This is a consensus list derived from security checklists provided by CIS charter members (VISA, IIA, ISACA, First Union, Pitney Bowes, Allstate Insurance, DOJ, Chevron, Shell Oil, VA Tech, Stanford, Caterpillar, Pacific Gas & Electric, RCMP, DOD CIRT, Lucent, Edu Testing Services and others).
• Can’t develop your own set? Use these! http://www.cisecurity.org

Slide 26 – Applying Security to Assets: General Strategy
• Use STAR to identify critical risks and assets.
• Use CIS benchmarks to determine what computer services are required to allow the business function to work.
• Remove unnecessary services.
• Create the “security” script.

Slide 27 – Applying Security to Assets: The CD to Production Cycle
• Install the OS from CD or an “install” server.
• Install applications.
• Apply vendor/application recommended and security patches.
• Install local tools (security, etc.).
• Run the CIS-based/STAR-based customization.
• The system is ready for production.

Slide 28 – The CIS Checklists
• CIS Solaris Benchmark Document
  • CIS Rating: After OS Installation – no patches
  • CIS Rating: After Security/Vendor Patch Installation
  • CIS Rating: After Applying Local Configuration Rules
• CIS Linux Benchmark Document
• CIS Windows 2000 Benchmark Document
• CIS Solaris Customization Script based on VT Risk Analysis

Slide 29 – Require Vendor Security Compliance
• Terms and conditions of purchase: the vendor must certify their product is not vulnerable to the threats listed in the SANS/FBI Top 20 Internet Vulnerabilities document (www.sans.org/top20.htm).
• We’ve been doing this since 7/1/02. Only 2 vendors out of 700+ have declined.
• Prevents vendors from hampering our security efforts.

Slide 30 – Summary
• Use STAR for risk analysis of IT assets.
• Use the SANS/FBI Top 20 Internet Threats list as a starting point.
• Use CIS benchmarks to get the actual commands needed to implement your policy based on your R/A.
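The general strategy on slide 26 (determine which services the business function requires, remove the rest, script the result) and the three CIS ratings on slide 28 (after install, after patches, after local rules) describe a checklist being re-run at each stage of the CD to Production cycle. The following is an added example of that loop, not the CIS scanning tool and not Virginia Tech’s Solaris customization script. The host inventory, the required-services list, the four rules and the 0-10 score are all constructed for illustration and are not the real CIS benchmark scoring.

```python
"""Checklist-driven hardening check for the "CD to production" cycle.

Added example, not the CIS scanning tool or Virginia Tech's Solaris
customization script. A host is modelled as an inventory (enabled network
services plus a patch flag); the business function supplies the set of
services it actually requires (the STAR/CIS step on slide 26); a small
checklist in the style of a CIS ruler is evaluated at each stage of the
cycle. Rules, sample inventories and the 0-10 score are constructed here.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass
class Host:
    name: str
    enabled_services: Set[str]
    patched: bool = False


@dataclass
class Rule:
    name: str
    check: Callable[[Host, Set[str]], bool]   # True when the host complies
    fix: str                                   # remediation reported on failure


def unnecessary_services(host: Host, required: Set[str]) -> Set[str]:
    """Services enabled on the host that the business function does not need."""
    return host.enabled_services - required


# Constructed checklist: the kind of minimal actions a CIS ruler lists.
CHECKLIST: List[Rule] = [
    Rule("vendor security patches applied",
         lambda h, req: h.patched,
         "install the current vendor patch cluster"),
    Rule("no cleartext remote login service (telnet/rlogin/rsh)",
         lambda h, req: not ({"telnet", "rlogin", "rsh"} & h.enabled_services),
         "disable telnet and the r-services; use ssh"),
    Rule("finger disabled",
         lambda h, req: "finger" not in h.enabled_services,
         "comment finger out of inetd.conf"),
    Rule("only required services enabled",
         lambda h, req: not unnecessary_services(h, req),
         "disable every service not on the required list"),
]


def evaluate(host: Host, required: Set[str],
             checklist: List[Rule] = CHECKLIST) -> Dict:
    """Run every rule; return a 0-10 score plus the findings to act on."""
    failed = [(r.name, r.fix) for r in checklist if not r.check(host, required)]
    passed = len(checklist) - len(failed)
    return {
        "host": host.name,
        "score": round(10.0 * passed / len(checklist), 1),
        "failed": failed,
        "remove": sorted(unnecessary_services(host, required)),
    }


# Constructed web server asset: the business function needs only ssh and http.
REQUIRED = {"ssh", "http"}
FRESH_INSTALL = {"telnet", "rlogin", "rsh", "finger", "ftp", "ssh", "http"}


def cd_to_production_ratings() -> List[float]:
    """Scores at the three points where the CIS Solaris document rates a build."""
    after_install = Host("www", set(FRESH_INSTALL), patched=False)
    after_patches = Host("www", set(FRESH_INSTALL), patched=True)
    # The "local configuration rules" step removes exactly what the checklist
    # flagged as unnecessary for this asset.
    after_local_rules = Host(
        "www",
        set(FRESH_INSTALL) - unnecessary_services(after_patches, REQUIRED),
        patched=True,
    )
    return [evaluate(h, REQUIRED)["score"]
            for h in (after_install, after_patches, after_local_rules)]


if __name__ == "__main__":
    print(evaluate(Host("www", set(FRESH_INSTALL)), REQUIRED))
    print("ratings after install / patches / local rules:", cd_to_production_ratings())
```

The point of keeping the required-services list separate from the rules is that the same checklist serves every asset: a mail server would pass the fourth rule with a different REQUIRED set, while the patch and cleartext-login rules stay the same, which is how one ruler can be customized per R/A result as slide 28 describes.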