Ben Christensen, Senior Compliance Risk Analyst, Cyber Security
Best Practices for Conducting Cyber Security Assessments
June 5, 2014 CIPUG Meeting, Salt Lake City

Agenda
• Why are security assessments important?
• Types of security assessments
• Risks related to security assessments
• Best practices for security assessments
• How security assessments can help with CIP-005 & CIP-007

Benefits to Entities
• Help maintain CIP compliance
• Verify security controls that should already be in place
• Define the risks associated with your cyber security systems and how to mitigate them
• Highlight your controls to help you determine the risk to reliability

Traditional IT assessment vs. security risk assessment
• An IT assessment focuses on accidental outages, hardware failures, and uptime
• A security risk assessment is the analysis of issues relating directly to security threats

Types of Assessments
• Security audits
• Policies, procedures, and other administrative controls
• Change management
• Architectural review
• Penetration tests
• Vulnerability assessments

Security audits
A manual or systematic, measurable technical assessment of how the organization's security policy is employed.
• Looks at how effectively the security policy has been implemented
• Measures security policy compliance
• Recommends solutions to deficiencies
• May be performed through:
  o Informal self-audits
  o Formal IT audits

Components of a security audit
• File system security
• Physical security
• Ports & services
• Installation/configuration
• Security event logging
• Account security
• Backups & disaster recovery
• Network device restrictions

Policies, procedures and other administrative controls
• A security assessment ultimately shows the effectiveness of policies
• Assess your policies to know how effectively they have been implemented
• Documents
  o What are they?
  o How often are they reviewed?
  o Is adherence to them acknowledged?
  o Who has them?
• Training
  o Who is trained?
  o How often?
  o Does it measure effectiveness?
• Updates
  o Who makes the updates?
  o How often are they made?
  o How are employees notified?

Change management
• Have you assessed how your change management is doing?
• Are personnel really following it?
• How do you know?
• Is change management performed on a regular basis?
• Is physical security part of the change management process?
• How are changes approved?
• Where are changes documented?
• Who signs off on the changes?
• Who implements the changes?

Architectural review
• Review network artifacts
  o Network diagrams
  o Security requirements
  o Inventory
• Identify data flows
• Identify controls
• Identify gaps
• Compare the current network diagram against a physical walkthrough
  o Trace cables
  o Look for modems
• Network devices
  o Logging enabled?
  o Restricted access?
  o Remote admin connections?
• Firewall review
• Remote access connections
• Is there a process to evaluate the risk of opening ports and services?

Penetration testing
Attacking a computer system to find security weaknesses and to potentially gain access.
Warning: penetration tests can have serious consequences for the systems involved!
Penetration testing phases
• Planning & preparation
  o Scope
  o Duration
  o Decide who to inform
  o Legal agreements
• Information gathering & analysis
  o Get information about the target
  o Network survey
  o Port scanning
• Vulnerability detection
  o Determine vulnerabilities
  o Manual vulnerability scanning
• Penetration attempt
  o Choose targets
  o Choose exploit
  o Password cracking
  o Social engineering
  o Physical security
• Analysis & reporting
  o Generate report
  o Analysis & commentary
  o Highlight vulnerabilities
  o Summary, details, suggestions
• Clean up
  o Get rid of the mess left by the test
  o List of actions taken
  o Verified by the organization

Vulnerability assessments
As documented by SANS, "Vulnerabilities are the gateways by which threats are manifested". "A vulnerability assessment is a search for these weaknesses/exposures in order to apply a patch or fix to prevent a compromise".
http://www.sans.org/reading-room/whitepapers/basics/vulnerability-assessment-421
• Assessment cycle
  o Catalog assets
  o Assign value and importance
  o Identify vulnerabilities or threats
  o Mitigate or eliminate vulnerabilities
• Methods to counteract weaknesses
  o Use baselines
  o Patching
  o Vulnerability scanning
  o Following security advisories
  o Use perimeter defenses
  o Use intrusion detection systems and AV

Vulnerability assessments vs. penetration test
• A vulnerability assessment uncovers the weaknesses and shows how to fix them
• A penetration test shows if someone can break in and what information they can get

Which assessment should I use?
• Depends on your requirements and goals
• A security assessment might be too broad
• A penetration test may not identify all vulnerabilities and could cause harm
• Can't we just do the CVA (Cyber Vulnerability Assessment) as required for CIP?
Risks of assessments
• A vulnerability assessment or penetration test might cause instability or harm to systems
• A penetration test might not uncover all your vulnerabilities
• You might incorrectly rely on results and assume you are secure
• Results may not be presented in a way that provides value

Best practices
• The assessment should provide value beyond the raw data
  o Analyze the data to see what it means for your organization
• Identify trends that highlight underlying problems
  o A trend might reveal a bigger problem
• Use a combination of techniques to provide a complete picture of your security
  o No one size fits all
• Use the techniques that best meet your requirements
• Provide answers in your assessment, not just problems
• Share what you learn with employees
  o Bring security to the forefront

CIP-005 and CIP-007
• The assessments presented today can work hand in hand with the CVA
• The CIP Standards provide a minimum set of controls
• Consider performing these assessments in conjunction with your CIP-005 and CIP-007 obligations

CVA Checklist
• Review process
  o Do personnel know about the process?
  o Are personnel regularly trained on the process?
  o Are personnel following the process?
• Current inventory of devices
  o How do you account for changes?
  o Who updates the inventory?
  o Where is it stored?
• Verify ports and services
  o Which tools will be used?
  o Are personnel trained on the tools?
  o How and where will the raw data be stored?
• Discover all access points
  o Don't forget multi-homed devices
  o Wireless
  o Physical walkthrough
• Review controls for
  o Default accounts
  o Passwords
  o Network management & community strings
• Results
  o How will the results be stored?
  o Where will the results be stored?
• Plan to mitigate vulnerabilities
  o Who will implement fixes?
  o How will the fixes be implemented?
• Execution status of the action plan
  o When will the fixes be implemented?
  o Are dates current?
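The "Verify ports and services" and "community strings" checklist items, and the architectural-review question about a process for evaluating open ports, both come down to comparing what is actually listening against what is documented as approved. The following Python script is an added example and is not part of the presentation: it parses a constructed nmap grepable (-oG) scan of made-up hosts, compares each host's open ports against a hypothetical approved baseline, and flags default SNMP community strings in a constructed IOS-style configuration fragment. Host addresses, hostnames, the baseline table and the config lines are all assumptions for illustration.

```python
"""Ports-and-services baseline comparison for a CVA (added example, not the slide deck's own code)."""
import re
from collections import defaultdict

# Constructed sample in nmap grepable (-oG) output format. The hosts, names and
# results are invented for this example; nothing here is from a real assessment.
SAMPLE_SCAN = """\
# Nmap 6.40 scan initiated (constructed sample)
Host: 10.10.1.5 (ems-hmi01)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///
Host: 10.10.1.20 (rtu-gw01)\tPorts: 502/open/tcp//modbus///, 161/open/udp//snmp///, 23/open/tcp//telnet///
Host: 10.10.1.30 (sw-core01)\tPorts: 22/open/tcp//ssh///, 161/open/udp//snmp///
# Nmap done (constructed sample)
"""

# Hypothetical approved baseline: the (port, protocol) pairs the documented
# ports-and-services justification says SHOULD be listening on each host.
BASELINE = {
    "10.10.1.5": {(22, "tcp"), (443, "tcp")},
    "10.10.1.20": {(502, "tcp"), (161, "udp")},
    "10.10.1.30": {(22, "tcp"), (161, "udp"), (514, "udp")},
}

# Vendor-default SNMP community strings that must not survive the assessment.
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed IOS-style config fragment (assumption: this syntax, these values).
SAMPLE_SNMP_CONFIG = """\
snmp-server community public RO
snmp-server community s3cur3Str1ng RW 10
snmp-server community private RW
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")
COMMUNITY_RE = re.compile(r"^\s*snmp-server community\s+(\S+)\s+(RO|RW)", re.I)


def parse_nmap_grepable(text):
    """Return {ip: {(port, proto, service)}} for every port reported 'open'."""
    observed = defaultdict(set)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and hosts without a Ports: field
        ip, _hostname, ports_field = m.groups()
        for entry in ports_field.split(","):
            # grepable port entry layout: port/state/proto/owner/service/rpc/version/
            fields = entry.strip().split("/")
            port, state, proto, service = int(fields[0]), fields[1], fields[2], fields[4]
            if state == "open":
                observed[ip].add((port, proto, service))
    return dict(observed)


def compare_to_baseline(observed, baseline):
    """Per-host deviations: open-but-unapproved and approved-but-not-listening.

    A missing approved service is also a finding: it usually means the baseline
    document is stale, which is itself a CVA process failure.
    """
    findings = {}
    for ip in sorted(set(observed) | set(baseline)):
        seen = {(port, proto) for port, proto, _ in observed.get(ip, set())}
        approved = baseline.get(ip, set())
        unapproved = seen - approved
        missing = approved - seen
        if unapproved or missing:
            findings[ip] = {"unapproved": sorted(unapproved), "missing": sorted(missing)}
    return findings


def find_default_communities(config_text):
    """Return [(community, access)] for config lines that use a default community string."""
    hits = []
    for line in config_text.splitlines():
        m = COMMUNITY_RE.match(line)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            hits.append((m.group(1), m.group(2).upper()))
    return hits


if __name__ == "__main__":
    for ip, result in compare_to_baseline(parse_nmap_grepable(SAMPLE_SCAN), BASELINE).items():
        print(f"{ip}: unapproved={result['unapproved']} missing={result['missing']}")
    for community, access in find_default_communities(SAMPLE_SNMP_CONFIG):
        print(f"default SNMP community '{community}' with {access} access")
```

Keep the raw scan output alongside the comparison results, since the checklist asks where the raw data and the results will be stored; the script deliberately keys findings by address so they can be tied back to the device inventory. Scan only from an approved host during a maintenance window, as the slides warn that active testing can harm the systems involved.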
CIP-005 and CIP-007
Where the assessments presented today feed the CVA:
• Process
• Default accounts
• Passwords
• Ports and services
• Community strings
• Results & action plan

Additional Resources
• SANS – Implementing a Successful Security Assessment Process
  o http://www.sans.org/reading-room/whitepapers/basics/implementing-successful-security-assessment-process-450
• NIST – Security Assessment Provider Requirements and Customer Responsibilities
  o http://csrc.nist.gov/publications/drafts/nistir-7328/NISTIR_7328-ipdraft.pdf
• SANS – Security Auditing: A Continuous Process
  o http://www.sans.org/reading-room/whitepapers/auditing/security-auditing-continuous-process-1150
• NIST Special Publication 800-53
  o http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
• SANS – Conducting a Penetration Test on an Organization
  o http://www.sans.org/reading-room/whitepapers/auditing/conducting-penetration-test-organization-67
• SANS – Vulnerability Assessment
  o http://www.sans.org/reading-room/whitepapers/basics/vulnerability-assessment-421
• NIST – Technical Guide to Information Security Testing and Assessment
  o http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
• ISACA – Project: Vendor Security Risk Assessment
  o http://www.isaca.org/Groups/Professional-English/information-secuirty-management/GroupDocuments/Vendor%20Security%20Risk%20Assessment%20report.pdf
• Dark Reading – How To Conduct An Effective IT Security Risk Assessment
  o http://www.darkreading.com/how-to-conduct-an-effective-it-security-risk-assessment/d/d-id/1138995

Summary
• Importance of assessments
• Many types you can perform
• Why you should go beyond the CVA
• Best practices
• Other resources

Questions?
Ben Christensen
(801) 819-7666
bchristensen@wecc.biz