ASIS International Security Conference
Financial Advisory & Litigation Consulting Services
February 5-7, 2007, Raffles City Convention Center, Singapore
Education Session 11: Conducting Synchronized Physical and IT Security Assessments
Presented by: George G. McBride, CISSP, CISM, Aon Consulting
1 What we’ll cover during this presentation
Do you need to do assessments?
What is a “synchronized assessment”?
Why do I need to do it this way?
What are the benefits?
Wrap-Up
Questions
2 Do I need to do an “assessment”?
New employees?
New facilities, buildings, locations, etc.?
Mergers or acquisitions?
Can’t remember when your last assessment was?
New technologies deployed?
New vulnerabilities announced by your vendors?
New software or hardware upgrades?
New business partner connection or customer portal?
New tenants in a shared facility?
New threats poised to attack?
Industry best practices recommend third-party assessments
3 Synchronized Assessments
What does Synchronized mean?
Adding logical assessments to physical assessments
Adding physical assessments to logical assessments
Conducting a synchronized and coordinated data collection phase
Delivering a consolidated report to the client
Supports an enterprise-wide risk management program
And addresses the physical and logical security vulnerabilities in a cohesive and coordinated fashion
4 Why do we do it the “old” way?
That is all that the client wants (or can afford) (or thinks that they want!)
Separate groups responsible for the assessment activities
The consulting firm focuses on, or has capabilities in, only one area
—Some “do the due diligence” process to find vulnerabilities in the other realm
Some people just do it “the way it’s always been done”
Complexity of one area is believed to be more than enough to focus on, and they’ll get to the other one eventually
5 Complexity: The root of evil! (Why you need to look at all aspects of risk)
6 What are our options?
(Diagram: options 1, 2 and 3, ranging from where many organizations are to where they want to be)
7 What are the benefits?
It’s a step towards “Enterprise Risk Management”
Types of risk:
—Strategic
—Operational
—Human Capital
—Legal / Regulatory
—Technology
—Financial
$\mathrm{Risk}(Asset) = \frac{\mathrm{Threats} \times \mathrm{Vulnerabilities}}{\mathrm{Controls}}$
$\mathrm{Total\ Risk}(Asset) = R_S(Asset) + R_O(Asset) + R_{HC}(Asset) + R_{LR}(Asset) + R_T(Asset) + R_F(Asset)$, one term per risk type listed above
8 Benefits of Holistic Risk Measurement
1. Identify the threats to specific business areas
2. Assess the level of vulnerability
3. Gauge the potential impact
4. Develop security option path
(Diagram: Risk Framework (Example), with security options Transfer, Control, Manage)
9 Information Security and Risk Services
(Table columns: Phase, Approach, Activities, Tools, Deliverables)
Phase: Assess
—Approach: Identify and analyze information security risk profile
—Activities: Facilitated sessions; Documentation review; Data collection; Testing and validation; Valuation exercises; Analyze risk/security gaps; Document improvement recommendations
—Tools: Commercial and proprietary tools; Methodologies
—Deliverables: Executive summary and detailed report, including: Significant findings; Benchmark/scoring; Continuous risk improvement process
Phase: Plan
—Approach: Security solutions based on: Regulatory compliance; Industry standards and best practices; Objectives that are important to the organization
—Activities: Conduct strategic security planning; Vendor evaluation and selection
—Tools: Industry best practices and standards framework; Knowledgebases
—Deliverables: Information Security Roadmap: Solution architecture; Prioritized objectives; Implementation plan; Timeline; Success criteria; Team structure
Phase: Implement
—Activities: Solution design and architecture; Program/project management; Solution deployment
—Tools: Security technology center; Project management and reporting tools
10 Some other benefits
Increased reliance on logical controls to protect physical controls
—And on physical controls to protect the logical controls
New regulations that transcend the physical and logical realms
—Privacy Data Laws, Sarbanes-Oxley (and equivalents), etc.
Better utilization of staff to maintain security with a shrinking staff
Convergence of access tokens (smart cards, RFID, ProxCards, etc.)
11 Consider A Typical Assessment
Has three locations:
—One stand-alone data center which houses all of the IT infrastructure
—One building owned
—One floor leased in another city
325 employees
—Small IT staff
—Nobody dedicated to “Security”
Contracts to a firm to identify their vulnerabilities, measure the risk, and make appropriate recommendations
12 How can we tackle this?
Logical/IT Focus:
—Perform vulnerability scans
—Review IDS/IPS
—Attack the public-facing web servers
—Review the procedures followed to build machines, secure the network, configure the firewall, etc.
—Conduct some interviews
—Perform some observations during the tours, to and from the office, and during the day
—Identify vulnerabilities, measure risk
—Document findings, recommendations, summary, etc.
—Deliver to the client
Physical Focus:
—Review physical perimeter including doors and windows
—Review camera placement, access controls, and alarms
—Return at night to see if they can get in
—Review the procedures for evacuation, for new employees, etc.
—Conduct some interviews
—Conduct observations during the tours and during the work day
13 Conducting the Assessment
Involve physical and logical team leads in all planning sessions and initial client meetings
Develop a comprehensive, yet flexible schedule.
—The team is bigger. Learn everybody’s schedule requirements
Resources permitting, the physical and logical teams focus on their respective areas
—Teams ensure awareness of issues during the daily meeting
14 Conducting the Assessment
One of the biggest complaints / comments that I’ve heard from a customer is:
—Not asking too many questions
—Not asking questions out of scope or going too deep in an area
—Not exceeding the timeframe
The biggest complaint is: asking the same question more than once
15 To make the client happy… Coordination
Plan ahead to integrate the two activities
Query the client as to how they will conduct the mitigation activities
—This drives how you collect and report the information
At the start of the day, have a short meeting to review the planned activities
—Usually “Breakfast”
At the end of the day, have a short meeting to review the completed activities and what remains
Also at the end of the day, have another short meeting with the client to identify the open items, closed items, and issues
16 Reporting: Think GCD in this scenario
Logical Security Vulnerabilities
DBServer (Data Center)
—Unnecessary ports open
—Admin password guessed
—No service packs applied
—No AV software installed
WWW Server (Data Center)
—Unnecessary ports open
—Admin password guessed
FileServer (Telecom Closet)
—No service packs applied
—No AV software installed
VoIP Server (Telecom Closet)
—No service packs applied
—Console/terminal logged in
Physical Security Vulnerabilities
Data Center
—Door propped open
—No alarm
—Fire extinguisher not fully charged
—No video surveillance
—No fire / smoke detection under raised floor
Telecom Closet
—Door not locked
—Excessive heat
—No door alarm
17 Reporting the Data
High Level Findings:
FileServer (Telecom Closet)
—No service packs applied
—No AV software installed
VoIP Server (Telecom Closet)
—No service packs applied
—Console/terminal logged in
Telecom Closet
—Door not locked
—Excessive heat
—No door alarm
Here’s what happens:
The IT guys figure that they’ll get to it because they believe that the door is locked and that only authorized individuals can access the equipment.
The Physical guys don’t know that the entire telecom infrastructure could be disabled from the console and are only thinking about theft of the equipment. Knowing that there are guards that check large packages, they are not worried.
18 A better way to report the findings
Telecommunications Equipment
—A combination of unlocked doors and a terminal session left open on a console gives a malicious individual the capability to add users, reconfigure existing users, and disable the VoIP Server located in the Telecommunications Closet.
All telecommunications closets should be locked to prevent unauthorized access
Intrusion alarms and temperature alarms should be installed at all network and telecom equipment locations
All terminal sessions should be set to automatically log out within 20 minutes of inactivity
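As an added example (not from the presentation), the following Python merges the two teams' separate finding lists by shared location, the "GCD" the slides argue for, and emits one consolidated finding per location; the findings are constructed from the slide, and the severity rule (physical-access weakness plus an unattended logged-in console escalates to Critical) is a hypothetical scoring choice, not the speaker's method.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    team: str       # "logical" (IT assessors) or "physical" (facility assessors)
    location: str   # the shared key the two reports are merged on
    asset: str
    issue: str

# Constructed sample data mirroring the two separate reports on the slide.
FINDINGS = [
    Finding("logical", "Data Center", "DBServer", "Admin password guessed"),
    Finding("logical", "Telecom Closet", "FileServer", "No AV software installed"),
    Finding("logical", "Telecom Closet", "VoIP Server", "No service packs applied"),
    Finding("logical", "Telecom Closet", "VoIP Server", "Console/terminal logged in"),
    Finding("physical", "Data Center", "Data Center", "Door propped open"),
    Finding("physical", "Telecom Closet", "Telecom Closet", "Door not locked"),
    Finding("physical", "Telecom Closet", "Telecom Closet", "Excessive heat"),
    Finding("physical", "Telecom Closet", "Telecom Closet", "No door alarm"),
]

# Hypothetical rule: physical access weakness + unattended session = worst case.
PHYSICAL_ACCESS = {"Door not locked", "Door propped open"}
UNATTENDED_SESSION = {"Console/terminal logged in"}

def group_by_location(findings):
    grouped = defaultdict(lambda: {"logical": [], "physical": []})
    for f in findings:
        grouped[f.location][f.team].append(f)
    return dict(grouped)

def consolidated_findings(findings):
    """One finding per location where BOTH teams reported something."""
    report = []
    for location, by_team in sorted(group_by_location(findings).items()):
        if not (by_team["logical"] and by_team["physical"]):
            continue
        phys = {f.issue for f in by_team["physical"]}
        logical = {f.issue for f in by_team["logical"]}
        critical = bool(phys & PHYSICAL_ACCESS) and bool(logical & UNATTENDED_SESSION)
        report.append({
            "location": location,
            "severity": "Critical" if critical else "High",
            "assets": sorted({f.asset for f in by_team["logical"]}),
            "physical": sorted(phys),
            "logical": sorted(f"{f.asset}: {f.issue}" for f in by_team["logical"]),
        })
    return report
```

Locations reported by only one team stay in that team's detailed appendix; only the overlaps become joint, enterprise-level findings.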
19 Another Way
Critical Areas Not Secured
—Critical areas throughout the organization, including Telecommunications closets, Data Centers, and Disbursements, are not always secured. With IT vulnerabilities being introduced on a regular basis and new tenants in our facility, all doors should be locked to reduce the risk of unauthorized access.
All doors should be locked by default and require card key access to unlock
All doors should have swings to automatically close the door
All doors should alarm when propped open
All entrances should be monitored with motion-activated video surveillance
20 Synchronization allows a greater scope
Utilize the Greatest Common Denominator to illustrate
—Illustrates impact across all of the affected assets
Helps client secure funding to show the value across the organization or enterprise
—Corrective actions have the greatest benefit as they reach the greatest number of assets
—Provides for greater opportunity to incorporate and synchronize Physical and Logical threats and then ultimately, Enterprise Risk
And equally important, the recommendations are synchronized and incorporate physical and logical technologies.
21 The ultimate blend of logical and physical security…
Contact Me
George G. McBride
Financial Advisory & Litigation Consulting Services
Director, IT Risk Consulting Services Practice
Office: +1.732.389.8944
Mobile: +1.732.429.0676
Email: firstname.lastname@example.org