Risk Assessments in Many Flavors George J. Dolicker, CISA, CISSP.

Presentation transcript:

Slide 1: Risk Assessments in Many Flavors
George J. Dolicker, CISA, CISSP

Slide 2: Agenda
©2005 George J. Dolicker. All Rights Reserved
Fully Buzz-Word Compliant
Key Factors to be Considered
Hierarchical Investigations
Standards, Regs, and Methodologies
The IAM and IEM from NSA
Conclusions
Q&A

Slide 3: Fully Buzz-Word Compliant
Security Assessment
Security Audit
Security Evaluation
Risk Assessment
Risk Analysis
Vulnerability Analysis
Vulnerability Assessment

Slide 4: Fully Buzz-Word Compliant
Pen Test
Red Team
Tiger Team
Ethical Hack
White Hat Hack

Slide 5: Key Factors to be Considered
What’s important to you
What it’s worth to you
Who your enemies are
What it’s worth to them
How secure you want to be
How secure you need to be
How to get there from where you are today

Slide 6: Hierarchical Investigations
Level 1
– Cooperative High Level Overview
– Information Criticality Analysis
– Includes Policy, Procedures, & Information Flow
– No Hands-on Testing

Slide 7: Hierarchical Investigations
Level 2
– Hands-on process
– Cooperative Testing
– Diagnostic Tools
– Penetration Tools
– Specific Technical Expertise

Slide 8: Hierarchical Investigations
Level 3
– Adversarial
– External Penetration Tests
– Simulation of Anticipated Adversary
– Good Place for Clear Rules of Engagement!

Slide 9: Why Some Don’t WANT to Know
Ignorance remains a defense…
» …but not a good one
Blame Management
» “How did you let it get this way?”
Budget Constraints
Turf Issues
Span of Control

Slide 10: Standards, Regs, and Methodologies
COBiT
BS7799
ISO-17799

Slide 11: Standards, Regs, and Methodologies
SOX
HIPAA

Slide 12: Standards, Regs, and Methodologies
X-Corp Security X-Ray
NIST
NSA IAM
NSA IEM

Slide 13: NIST
Step 1: System Characterization
Step 2: Vulnerability Identification
Step 3: Threat Identification
Step 4: Control Analysis
Step 5: Likelihood Determination

Slide 14: NIST
Step 6: Impact Analysis
Step 7: Risk Determination
Step 8: Control Recommendations
Step 9: Results Documentation
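The nine steps on slides 13 and 14 are those of NIST SP 800-30. The following Python example is added here and is not from the presentation: it works steps 5 through 7 (likelihood, impact, risk determination) on a constructed three-item register and sorts the result so step 8 can be prioritised. The likelihood and impact scale values are the sample scales from the 2002 edition of SP 800-30 as recalled here; treat them as an assumption, since they do not appear on the slides.

```python
"""Worked NIST SP 800-30 style risk determination (steps 5-7)."""
from dataclasses import dataclass

# Sample scale values as published in NIST SP 800-30 (2002 edition);
# assumed from memory, not taken from the slides.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class RiskItem:
    threat: str             # output of step 3 (threat identification)
    vulnerability: str      # output of step 2 (vulnerability identification)
    existing_controls: str  # output of step 4 (control analysis)
    likelihood: str         # step 5 rating, given the existing controls
    impact: str             # step 6 rating


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: risk = likelihood x impact on the SP 800-30 sample scale."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Map a score onto the SP 800-30 risk scale: Low 1-10, Medium >10-50, High >50-100."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def determine_risks(items):
    """Return (threat/vulnerability pair, score, level) tuples, highest risk first,
    which is the order in which step 8 control recommendations are worked."""
    rows = []
    for it in items:
        s = risk_score(it.likelihood, it.impact)
        rows.append((f"{it.threat} via {it.vulnerability}", s, risk_level(s)))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


# Constructed sample register for illustration (not from the presentation).
SAMPLE = [
    RiskItem("External attacker", "unpatched web server", "perimeter firewall only", "High", "High"),
    RiskItem("Insider", "shared admin account", "none", "Medium", "High"),
    RiskItem("Power outage", "no UPS on file server", "nightly backups", "Medium", "Low"),
]

if __name__ == "__main__":
    for name, score, level in determine_risks(SAMPLE):
        print(f"{level:6} {score:6.1f}  {name}")
```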

Slide 15: (no text extracted from this slide)

Slide 16: (no text extracted from this slide)

Slide 17: The NSA Infosec Assessment Methodology
Characteristics
Pre-Assessment
On-Site Activities
Post-Assessment

Slide 18: Characteristics
By request only
Management Buy-in
Success depends on cooperation of people
Non-attribution
Strong focus on policy, practice, process and procedure
Findings protected as proprietary
Timeliness

Slide 19: Phase 1: Pre-Assessment
Purpose
– Refine customer needs
– Gain an understanding of the criticality of the customer’s systems and information
– Identify systems, including system boundaries
– Coordinate logistics with the customer
– Write an assessment plan

Slide 20: The Assessment Plan
1. Points of Contact
2. Organization
3. Information Criticality
4. System Criticality
5. Concerns/Constraints

Slide 21: The Assessment Plan
6. System Configurations
7. Interviewees
8. Documents
9. Project Plan

Slide 22: Phase 2: On-Site Activities
Purpose
– To explore and confirm the information and conclusions made during the Pre-Assessment Phase
– To perform data gathering and validation
  » Interviews
  » Documentation
  » System demonstrations
– To provide initial analysis and feedback to the customer

Slide 23: 18 Areas of Investigation
1. Documentation
2. Roles and Responsibilities
3. Contingency Planning
4. Configuration Management
5. Identification and Authentication
6. Account Management
7. Session Controls
8. Auditing
9. Malicious Code Protection
10. Maintenance
11. System Assurance
12. Networking/Connectivity
13. Communications Security
14. Media Controls
15. Labeling
16. Physical Environment
17. Personnel Security
18. Education, Training and Awareness

Slide 24: Phase 3: Post-Assessment
Purpose
– Finalize analysis
– Prepare and deliver a final report

Slide 25: The Final Report
Executive Summary
– Overview of organization/mission
– Purpose and methodology of assessment
– System description/information criticality
– Major findings and recommendations

Slide 26: The Final Report
Introduction
– Provides background information
  » Overview of organization’s mission
  » Purpose of the assessment
  » Organizational mission information and information criticality
  » System criticality
  » Customer concerns

Slide 27: The Final Report
System Descriptions
– Description of the systems assessed
  » Network components (e.g., firewalls, modems, routers, wireless)
  » Connectivity
  » Number/type of users
  » Operational schedules
– Diagrams

Slide 28: The Final Report
Analysis
– Topic areas
– Findings
– Discussions
– Recommendations

Slide 29: The Final Report
Conclusions
– Overall posture description
– Recognition of good security practices

Slide 30: The NSA Infosec Evaluation Methodology
What is IEM?
– Analysis of the network structure
– Examination of the security configuration of the servers, workstations, and network devices for vulnerabilities and exposures
– Provide recommendations for improvement of the network security
– Provide an “easy to understand” view of technical security at the organization

Slide 31: IEM Characteristics
Includes hands-on testing
Intrusive, but with no exploitation
Repeatable processes
Findings are protected as proprietary
Provides a technical security roadmap customized to the environment

Slide 32: IEM Phase 1: Pre-Evaluation
– Pull information from IAM Pre-Assessment
– Coordination with the customer to determine Rules of Engagement
– Define customer expectations
– Define customer constraints or concerns
– Develop the Technical Evaluation Plan

Slide 33: IEM Phase 2: On-Site
– Verification of “known” components
– Discovery of rogue components
– Testing
– Validating findings via manual checks

Slide 34: 10 Baseline Activities
1. Port Scanning
2. SNMP Scanning
3. Enumeration & Banner Grabbing
4. Wireless Enumeration
5. Vulnerability Scanning
6. Host Evaluation
7. Network Device Analysis
8. Password Compliance Testing
9. Application Specific Scanning
10. Network Sniffing

Slide 35: IEM Phase 3: Post Evaluation
– Create the final report for the customer
  » Provide complete findings for the evaluation
  » Provide recommendations and alternatives to resolve each finding
  » Provide a security roadmap based on customer input and industry standards
– Follow up with customer to provide support for questions or concerns

Slide 36: Conclusions
Don’t let the Buzz-Words throw you
Know what you want to know
Insist on actionable results

Slide 37: Questions?
Don’t Forget the Evaluations! (Session 132)

Slide 38: Thank You!