Educause MARC 2003, Copyright 2002, Marchany. Risk Analysis – Know what to protect before protecting it. Unit 2 – Security, Targeting & Analysis of Risk (STAR).

Presentation transcript:

1 Risk Analysis – Know what to protect before protecting it. Unit 2 – Security, Targeting & Analysis of Risk (STAR)

2 The Layers of Security: Policy, Awareness, Risk Analysis, Incident Response, Free Tools

3 98% On-Time Return Rate. We have 180+ administrative and academic departments. Each department is required to turn in an IT risk analysis (state directive). We get a 98% on-time return rate on the risk analysis reports. How?

4 How Do We Do It? The University IT Security Office convinces the CFO of the need to do a departmental risk analysis. The CFO controls the budget for all departments. The CFO issues a directive to all department heads stating the need to turn in the reports on time; or else, he’ll review their budget request. You must obtain the buy-in of the top university officials. Period.

5 Case Study – The 1st Time, Sort of… We applied some but not all TBS concepts in our first attempt to determine the status of our asset security. This process took about 12 months; the security committee met once every 2-3 weeks. We’re starting the sixth iteration now. Now it only takes 1 month max.

6 The Committee: management and technical personnel from the major areas of IS: University Libraries, Educational Technologies, University Network Management Group, University Computing Center, Administrative Information Systems.

7 The Committee’s Scope: Information Systems Division only. Identified and prioritized: ASSETS; RISKS associated with those ASSETS; CONTROLS that may be applied to the ASSETS to mitigate the RISKS. Did NOT specifically consider assets outside IS control. However, those assets are included as clients when considering access to assets we wish to protect.

8 Identifying the Assets. Compiled a list of assets (100+ hosts) and categorized them as critical, essential, or normal. Critical – VT can’t operate without this asset for even a short period of time. Essential – VT could work around the loss of the asset for up to a week; the asset needs to be returned to service ASAP. Normal – VT could operate without this asset for a finite period, but entities may need to identify alternatives.

9 (no transcribed text on this slide)

10 (no transcribed text on this slide)

11 Prioritizing the Assets. The network (routers, bridges, cabling, etc.) was treated as a single entity and deemed critical. Some assets were classified as critical and then rank ordered using a matrix prioritization technique: each asset was compared to the others and members voted on their relative importance. Members could split their vote.

12 Prioritizing the Assets. Asset weight values are calculated by a simple formula: Weight = sum of vote values. Criteria: Criticality; Value to the Org; Impact of Outage.

13 Identifying the Risks. A RISK was selected if it caused an incident that would: be extremely expensive to fix; result in the loss of a critical service; result in heavy, negative publicity, especially outside the university; have a high probability of occurring. Risks were prioritized using the matrix prioritization technique.

14 Prioritizing the Risks. Same formula as for prioritizing Assets. Criteria: Scope of Impact; Probability of an incident. Weight = sum of vote values.

15 How STAR Looked Originally. Original STAR Asset, Risk, Asset-Risk, and Control Matrices. Original STAR Compliance Matrices.
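The matrix prioritization described on slides 11 to 15, written out as an added example (this is not code from the presentation or from Virginia Tech's STAR materials). Every committee member compares each pair of items and casts one vote per pair, which may be split between the two; an item's weight is the sum of vote values it received, and the same routine serves both assets and risks. The item names and ballots are constructed sample data, and the Asset-Risk matrix scoring (asset weight times risk weight for each pair the committee judged applicable) is an assumption made here, since the slides name that matrix but do not state how its cells are computed.

```python
"""Matrix prioritization of assets and risks (STAR slides 11-15).

Every committee member compares each pair of items and casts one vote per
pair; the vote may be split (e.g. 0.5 / 0.5). Weight = sum of vote values
received, and items are rank ordered by weight. The same routine is used
for assets and for risks.

All item names and ballots below are constructed sample data, not figures
from the presentation. The asset-risk scoring (asset weight x risk weight
per applicable pair) is an assumption made for this example.
"""
from itertools import combinations

ASSETS = ["campus network", "student records", "campus email"]
RISKS = ["worm outbreak", "disk failure", "web defacement"]

# One ballot per member: {(item_a, item_b): share of the vote given to item_a};
# item_b receives the remainder. A pair missing from a ballot is an abstention.
ASSET_BALLOTS = [
    {("campus network", "student records"): 1.0,
     ("campus network", "campus email"): 1.0,
     ("student records", "campus email"): 1.0},
    {("campus network", "student records"): 0.5,
     ("campus network", "campus email"): 1.0,
     ("student records", "campus email"): 0.5},
    {("campus network", "student records"): 0.0,
     ("campus network", "campus email"): 1.0,
     ("student records", "campus email"): 1.0},
]
RISK_BALLOTS = [
    {("worm outbreak", "disk failure"): 1.0,
     ("worm outbreak", "web defacement"): 1.0,
     ("disk failure", "web defacement"): 0.5},
    {("worm outbreak", "disk failure"): 0.5,
     ("worm outbreak", "web defacement"): 1.0,
     ("disk failure", "web defacement"): 0.5},
]
# Which risks the committee judged applicable to which asset (constructed).
APPLIES = {
    "campus network": {"worm outbreak"},
    "student records": {"worm outbreak", "disk failure"},
    "campus email": {"worm outbreak", "disk failure", "web defacement"},
}


def pairwise_weights(items, ballots):
    """Weight = sum of vote values; each ballot entry is validated before counting."""
    valid_pairs = {frozenset(p) for p in combinations(items, 2)}
    weights = {item: 0.0 for item in items}
    for member, ballot in enumerate(ballots):
        for (a, b), share in ballot.items():
            if frozenset((a, b)) not in valid_pairs:
                raise ValueError(f"ballot {member}: {a!r}/{b!r} is not a valid pair")
            if not 0.0 <= share <= 1.0:
                raise ValueError(f"ballot {member}: share {share} outside [0, 1]")
            weights[a] += share        # item_a's part of the (possibly split) vote
            weights[b] += 1.0 - share  # item_b gets the remainder
    return weights


def rank_order(weights):
    """Highest weight first; ties broken alphabetically so the order is stable."""
    return sorted(weights, key=lambda item: (-weights[item], item))


def asset_risk_matrix(asset_weights, risk_weights, applies):
    """Score each applicable (asset, risk) cell as asset weight x risk weight
    (assumed scoring) and return the cells sorted highest score first."""
    cells = {(asset, risk): asset_weights[asset] * risk_weights[risk]
             for asset, risks in applies.items() for risk in risks}
    return sorted(cells.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    aw = pairwise_weights(ASSETS, ASSET_BALLOTS)
    rw = pairwise_weights(RISKS, RISK_BALLOTS)
    print("Asset order:", rank_order(aw))
    print("Risk order: ", rank_order(rw))
    for (asset, risk), score in asset_risk_matrix(aw, rw, APPLIES):
        print(f"{asset:16} x {risk:15} = {score:5.2f}")
```

With three members and three assets there are nine votes in total, and the weights (4.5, 4.0, 0.5) sum to nine, which is a quick sanity check on any ballot set: if the weights do not add up to members times pairs, someone abstained or a ballot was mis-entered.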

16 How STAR Looks Now – Do most of the work for them: Business Recovery Plan Template; Intro to the BIA/RA Process; General Instructions for Dept BIA/RA; Blank BIA/RA Template; IS Risks For Dummies; Example R/A Spreadsheet; Blank R/A Voting Spreadsheet.

17 The Audit/Security Checklist – Yesterday. The detailed commands used to check an asset. Based on the Defense Information Infrastructure (DII) and Common Operating Environment (COE) initiative. We took the checklists from this site, modified them according to our R/A matrix, and built checklists for Sun, IBM, and NT. Our thanks to the unknown author who wrote the original document. The original checklist is available from http://security.vt.edu in the Checklists section.

18 The Audit/Security Checklist – Today. We’re now using the CIS Benchmark Rulers as our checklists. CIS provides a scanning tool that lets us check the status of our systems quickly. See http://www.cisecurity.org to download the scanning tool and the checklist. Another example of changing times…

19 STAR – The Future. STAR is an evolving process. We are now linking asset identification to the management org chart. Assets can now be: physical systems; groups of systems that support a service; a business process that requires a group of systems; a business process that depends on other business processes.

20 (no transcribed text on this slide)

21 Conclusions. TBS provides a quantitative, repeatable method of prioritizing your assets. The matrices provide an easy-to-read summary of the state of your assets. These matrices can be used to provide your auditors with the information they need. The checklist contains the detailed commands to perform the audit/security check.

22 Building Your IT Audit Plan/Checklist. Sample checklist/audit plans for Unix, NT, and Windows 2000 Active Directory.

23 What Risks Should We Examine? The SANS/FBI Top 20 vulnerabilities meet our TBS risk criteria: have a high probability of occurring; result in the loss of a critical service; be extremely expensive to fix later; result in heavy, negative publicity. Examine your IT assets for these vulnerabilities.

24 Assessing the Cost. A complete IT audit is a set of component audits. Master equation: E = D + R, where E = time you’re exposed, D = time to detect the attack, R = time to react to the attack. Components: Procedural: E = D + R; Perimeter (Firewall): E = D + R; UNIX: E = D + R; NT/Windows 2000: E = D + R.
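The E = D + R equation from slide 24 applied to one incident timeline per audit component, as an added example (not code from the presentation). D is measured from the attack's start to its detection and R from detection to the completed reaction, so the component with the largest E is the one whose audit deserves attention first. The component names follow the slide; the timestamps are constructed sample data, and adding the per-component E values into one total is an assumption made here to illustrate the "set of component audits" view.

```python
"""Exposure time E = D + R per audit component (slide 24).

D = time to detect the attack, R = time to react to it, E = time exposed.
The incident timestamps below are constructed sample data, not figures from
the presentation. Summing E across components is an assumption made here.
"""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# component -> (attack began, attack detected, reaction completed); constructed.
INCIDENTS = {
    "procedural":     ("2003-03-01 09:00", "2003-03-03 09:00", "2003-03-03 17:00"),
    "perimeter":      ("2003-03-05 02:00", "2003-03-05 02:30", "2003-03-05 04:30"),
    "unix":           ("2003-03-10 22:00", "2003-03-11 08:00", "2003-03-11 20:00"),
    "nt_windows2000": ("2003-03-12 13:00", "2003-03-12 13:15", "2003-03-13 13:15"),
}


def hours_between(earlier, later):
    """Elapsed hours from one timestamp string to another (may be negative)."""
    delta = datetime.strptime(later, FMT) - datetime.strptime(earlier, FMT)
    return delta.total_seconds() / 3600


def exposure(began, detected, reacted):
    """Return (D, R, E) in hours; a timeline that runs backwards is a data error."""
    d = hours_between(began, detected)
    r = hours_between(detected, reacted)
    if d < 0 or r < 0:
        raise ValueError("detection must follow the attack and reaction must follow detection")
    return d, r, d + r


def component_exposures(incidents):
    """{component: (D, R, E)} for every component in the audit."""
    return {name: exposure(*stamps) for name, stamps in incidents.items()}


def weakest_component(incidents):
    """The component with the largest E, i.e. the audit to prioritize."""
    exposures = component_exposures(incidents)
    return max(exposures, key=lambda name: exposures[name][2])


def total_exposure(incidents):
    """Sum of E over all components (assumed aggregation, see docstring)."""
    return sum(e for _, _, e in component_exposures(incidents).values())


if __name__ == "__main__":
    for name, (d, r, e) in component_exposures(INCIDENTS).items():
        print(f"{name:15} D={d:6.2f}h  R={r:6.2f}h  E={e:6.2f}h")
    print("weakest:", weakest_component(INCIDENTS), "total E:", total_exposure(INCIDENTS))
```

In the sample data the procedural component dominates because nobody noticed the incident for two days: a long D swamps a short R, which is the point of separating the two terms before deciding where to spend audit effort.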

25 CIS Rulers. Rulers list a set of minimal actions that need to be done on a host system. This is a consensus list derived from security checklists provided by CIS charter members (VISA, IIA, ISACA, First Union, Pitney Bowes, Allstate Insurance, DOJ, Chevron, Shell Oil, VA Tech, Stanford, Caterpillar, Pacific Gas & Electric, RCMP, DOD CIRT, Lucent, Edu Testing Services, and others). Can’t develop your own set? Use these! http://www.cisecurity.org

26 Applying Security to Assets – General Strategy. Use STAR to identify critical risks and assets. Use CIS benchmarks to determine what computer services are required to allow the business function to work. Remove unnecessary services. Create the “security” script.

27 Applying Security to Assets – The CD to Production Cycle. Install the OS from CD or an “install” server. Install applications. Apply vendor/application-recommended and security patches. Install local tools (security, etc.). Run the CIS-based/STAR-based customization. The system is ready for production.

28 The CIS Checklists. CIS Solaris Benchmark Document. CIS Rating: After OS Installation – no patches. CIS Rating: After Security/Vendor Patch Installation. CIS Rating: After Applying Local Configuration Rules. CIS Linux Benchmark Document. CIS Windows 2000 Benchmark Document. CIS Solaris Customization Script based on VT Risk Analysis.
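Slides 26 to 28 describe rating one host at three points in the CD-to-production cycle (after OS install, after patches, after local configuration rules) and using the "required services for the business function" decision to drive what gets removed. The following is an added example of that checklist-and-rating loop, not code from the presentation, from Virginia Tech, or from CIS: the rules, the required-service set, the patch-level threshold and the three configuration snapshots are all constructed for illustration, and the score (fraction of rules passed) is a stand-in for whatever the CIS scanning tool actually computes.

```python
"""Checklist rating at each step of the CD-to-production cycle (slides 26-28).

Each rule is a named check over a host's configuration; the rating is the
fraction of rules passed. The rules, the required-service set, the patch
threshold and the three snapshots are constructed for this example and are
not the CIS benchmark's actual rules or its scoring method.
"""

REQUIRED_PATCH_LEVEL = 108      # constructed threshold standing in for "current"

# Services the business function needs; everything else is "unnecessary".
REQUIRED_SERVICES = {"ssh", "sendmail"}

RULES = [
    ("telnet disabled",            lambda c: "telnet" not in c["services"]),
    ("rlogin/rsh disabled",        lambda c: not ({"rlogin", "rsh"} & c["services"])),
    ("only required services",     lambda c: c["services"] <= REQUIRED_SERVICES),
    ("required services present",  lambda c: REQUIRED_SERVICES <= c["services"]),
    ("patch level current",        lambda c: c["patch_level"] >= REQUIRED_PATCH_LEVEL),
    ("no remote root login",       lambda c: not c["root_remote_login"]),
    ("password min length >= 8",   lambda c: c["passwd_min_len"] >= 8),
    ("remote syslog configured",   lambda c: c["remote_syslog"]),
]

# Snapshots of one host as it moves through the cycle (constructed).
AFTER_OS_INSTALL = {
    "services": {"telnet", "rlogin", "rsh", "ftp", "sendmail", "finger"},
    "patch_level": 100, "root_remote_login": True,
    "passwd_min_len": 6, "remote_syslog": False,
}
AFTER_PATCHES = {**AFTER_OS_INSTALL, "patch_level": 110}
AFTER_LOCAL_RULES = {**AFTER_PATCHES, "services": {"ssh", "sendmail"},
                     "root_remote_login": False, "passwd_min_len": 8}
STAGES = [("after OS install", AFTER_OS_INSTALL),
          ("after patches", AFTER_PATCHES),
          ("after local rules", AFTER_LOCAL_RULES)]


def rate(config, rules=RULES):
    """Return (passed, total, failed_rule_names) for one configuration."""
    failed = [name for name, check in rules if not check(config)]
    return len(rules) - len(failed), len(rules), failed


def unnecessary_services(config):
    """Services to remove: enabled on the host but not required by the business function."""
    return sorted(config["services"] - REQUIRED_SERVICES)


def cycle_report(stages=STAGES):
    """{stage label: fraction of rules passed} across the build cycle."""
    report = {}
    for label, cfg in stages:
        passed, total, _ = rate(cfg)
        report[label] = passed / total
    return report


if __name__ == "__main__":
    print("remove:", unnecessary_services(AFTER_OS_INSTALL))
    for label, cfg in STAGES:
        passed, total, failed = rate(cfg)
        print(f"{label:18} {passed}/{total}  still failing: {failed}")
```

The last snapshot still fails one rule, which is the useful output: the customization script is what closes the gap between "after patches" and the local configuration rules, and the rating after each stage shows whether it did.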

29 Require Vendor Security Compliance. Terms and conditions of purchase: the vendor must certify that their product is not vulnerable to the threats listed in the SANS/FBI Top 20 Internet Vulnerabilities document (www.sans.org/top20.htm). We’ve been doing this since 7/1/02. Only 2 vendors out of 700+ have declined. Prevent vendors from hampering our security efforts.

30 Summary. Use STAR for risk analysis of IT assets. Use the SANS/FBI Top 20 Internet Threats list as a starting point. Use CIS benchmarks to get the actual commands needed to implement your policy based on your R/A.

