Add to collection(s) Add to saved
  1. Business
  2. Management
  3. Project Management

ppt - Common Solutions Group

advertisement 
INFORMATION
TECHNOLOGY
SECURITY
SERVICES
RECON
Risk Evaluation of Computers and Open Networks
Developed by
Kirk Soluk
University of Michigan
Information Technology Security Services
INFORMATION
TECHNOLOGY
SECURITY
SERVICES
Risk Assessment Drivers
• No such thing as perfect security
• Need to balance effectively risk against other factors
• Need a foundation for well-informed decisions that
justify IT expenditures
• Regulations
The entity must decide whether a given addressable implementation
specification is a reasonable and appropriate security measure to apply
within its particular security framework.
This decision will depend on a variety of factors, such as, among
others, the entity’s risk analysis, risk mitigation strategy, what
security measures are already in place, and the cost of
implementation.
- HIPAA Security Rule
2
INFORMATION
TECHNOLOGY
SECURITY
SERVICES
Why RECON?
• Facilitate consistent decisions across the University
 Especially when combined with data classification
• Facilitate rollup of results
 So the University’s overall security posture can be measured
• “Michiganize”
• Outsourcing misses the point
 Security issue #1: The Business-Trust Divide
To be more effective, security professionals must learn how
to speak the language of the businesses they serve
- Meta Group Practice 2104: The Top 10 Security Issues
• Leverage
 University expertise
 Training
 Address risk assessment requirements of all regulations at
once …
3
INFORMATION
TECHNOLOGY
SECURITY
SERVICES
All regulations legislate similar
best practices
SOX
FERPA
HIPAA
GLBA
SOX RA
Process
FERPA RA
Process
HIPAA RA
Process
GLBA RA
Process
You
SOX
FERPA
HIPAA
GLBA
One Common Risk Assessment Methodology (RECON)
You
4
INFORMATION
TECHNOLOGY
SECURITY
SERVICES
What is RECON?
• Derived from ISO 17799 (2005)
 NIST 800-53 not available at the time
• A Questionnaire (Excel Spreadsheet)
 Built-in Risk analysis Logic & Visualization
• A Set of Security Tests
• A Template for Reporting Results
A Risk Assessment Facilitator (IT Security Professional)
leverages these RECON components to identify risks and
potential mitigation strategies and to present/discuss this
information with unit leadership. Unit leadership is
responsible for approving the final risk treatment decisions
5
INFORMATION
TECHNOLOGY
SECURITY
SERVICES
RECON Process Flow
6
INFORMATION
TECHNOLOGY
SECURITY
SERVICES
Scope is critical
• Provides the context within which the
RECON questions are answered
 Don’t combine systems with different security
requirements in the same assessment
 If the answer for one system in scope is “No”,
the answer is “No” for the entire scope.
• Focus is on
 Systems that process “sensitive” information
 Mission critical systems
7
INFORMATION
TECHNOLOGY
SECURITY
SERVICES
The RECON Questionnaire
• 219 questions about 54 control objectives in 11
different areas:











1. Organizational Security
2. Asset Management
3. Human Resources Security
4. Physical and Environmental Security
5. Operations
6. Network Security
7. Access Control
8. Host Security
9. Data Security
10. Incident Management
11. Business Continuity
8
INFORMATION
TECHNOLOGY
SECURITY
SERVICES
Network Security Area Example:
25 questions about 7 control objectives
• 6. Network Security
 6.1 Perimeter Security



6.1.1 A firewall (or equivalent mechanism) exists between your unit's (or
department's) network, other University networks, and public networks
such as the Internet
6.1.2 The firewall (or equivalent mechanism) uses a "default deny" posture
where all access that is not explictly allowed is automatically denied
6.1.3 Firewall changes are subject to a formal approval process
 6.2 User authentication for external connections


6.2.1 Access to the internal network by remote users is subject to user
authentication
6.2.2 Users are authorized (out of band) before they are allowed to access
the internal network from remote locations
 6.3 Authorization process for information processing facilities


6.3.1 New systems must be authorized by management before they can
be connected to the network
6.3.2 Rogue System Detection
 ...
 6.7 Intrusion detection
9
INFORMATION
TECHNOLOGY
SECURITY
SERVICES
Industry Standard
Best Practices
derived from ISO
17799:2005
RECON Questionnaire
Responses
Response 1:
Documented
Policies, Procedures,
Guidelines
Response 2:
Implementation/
Operations
• For each question, two responses are needed:
 Are there policies and/or procedures requiring the control?
 Is the control operationally implemented?
 Answers: "Yes", No", "n/a", "n/r"
10
INFORMATION
TECHNOLOGY
SECURITY
SERVICES
RECON Security Tests
• Used to answer specific RECON questions accurately. For
example,





Do you have a password policy that prevents dictionary words?
Have you minimized the attack surface of of your hosts
Is your firewall configured as expected?
Are your systems up to date with respect to patches?
Etc.
• Current RECON Test Suite








Attack Surface Enumeration
Password Audit
Account Security
Firewall Security
War walking
RAS Authentication
Encryption Verification
Vulnerability Scanning
11
INFORMATION
TECHNOLOGY
SECURITY
SERVICES
Risk Analysis
• Answers to the questions determine the degree to which
best practice security controls are adopted
• Risk is proportional to the lack of control adoption
• Both documentation and implementation are considered
in the risk calculation
 Implementation weighs more
Documented?
Implemented?
7.7 Removal of access rights
Summary Risk
80%
7.7.1 Access rights are removed upon
termination of employment, contract, or
agreement
No
Yes
60%
7.7.2 Personnel files are periodically matched
with user accounts to ensure that
terminated or transferred individuals do
not retain access to systems
No
No
100%
7.8 Unattended user equipment
12
INFORMATION
TECHNOLOGY
SECURITY
SERVICES
Risk Identification and
Prioritization
•Focus on Severe and High Risk
controls identified in the RECON
Questionnaire
•In the RECON Report Template,
severe and high-risk controls are
referred to as Non-existent and in
Need of major improvement
respectively
13
INFORMATION
TECHNOLOGY
SECURITY
SERVICES
RECON Report
• Description of scope
• Systems & Applications
• Description of methodology
• Detailed list of severe and high risks along with
mitigation strategies
• Appendix lists every accepted risk
• Executive summary
14
INFORMATION
TECHNOLOGY
SECURITY
SERVICES
Further Action
• It is the responsibility of the Risk Assessment Facilitator to educate
unit leadership about the risks and to make recommendations
• It is the responsibility of Unit Leadership to make the final business
(i.e. risk) decisions:
 Mitigate at some (approved) cost OR
 Continue to accept the current risk
15
INFORMATION
TECHNOLOGY
SECURITY
SERVICES
RECON Process Summary
16
INFORMATION
TECHNOLOGY
SECURITY
SERVICES
RECON Case Study Effort
• Scope Complete (14 hours)
 3 x 1hour “kick-off” meetings to understand the major apps
 3 x 1hour “investigative” meetings to refine scope and network diagram
 1 x 8 hour drawing diagrams and filling in scope details
• Questionnaire Complete (20 hours)
 1 x 1hour meeting with HR
 7 x 2hour technical meetings (Lot’s of working lunches)
 5 x 1hour “follow-up” meetings
•
Test Complete (60 hours)





3 x 1hour meetings for securing authorization
3 x 8hours for network scanning (50 hosts x 5 networks)
3 x 8hours for other tests
3 x 1hour meetings for verifying results
3 x 2hour meetings for analyzing results
• Total (94 Hours)
 ~2.5 full-time weeks spread over a 2 month period
 Doesn’t count time to write final report!
17
INFORMATION
TECHNOLOGY
SECURITY
SERVICES
RECON Experience
• 104 + 17 RECON assessments in ITS 101
Campus Computer Security training course
(2005 - present)
• GLBA was a driver for several wide-ranging
assessments
 1. Student Financial Operations - Higher Education
Production Systems in MAIS.
 2. Student Accounts - i.e. Financial Aid Systems
 3. UM Dearborn Financial Systems
 4. UM Flint Financial Systems
 UM Flint risk assessment provided the foundation
for Flint's annual IT appropriations request.
18
INFORMATION
TECHNOLOGY
SECURITY
SERVICES
RECON Experience
• 5. The UM Windows Forest
 The UM Windows Forest assessment
resulted in the formation of a technical
committee from four major units
(Engineering, Business, LSA, Housing) that
unanimously endorsed and will soon be
presenting to the Forest IT Directors a
request for 15 major security enhancements.
19
Related documents
Hacking Techniques
Hacking Techniques
Troop Leading Procedures
Troop Leading Procedures
School Security Master Plan--Assessing Prevention
School Security Master Plan--Assessing Prevention
Visual Reverse Engineering
Visual Reverse Engineering
2016 Reunion Information - Alpha Recon Association
2016 Reunion Information - Alpha Recon Association
ODF Aviation
ODF Aviation
RECON Overview (Spring 2013)
RECON Overview (Spring 2013)
Common RECON Recommended Controls
Common RECON Recommended Controls
REBEL YELL Vol. 34 - HMGS
REBEL YELL Vol. 34 - HMGS
Download
advertisement