Assessing Current Network Concerns Lesson 5. CERT/CC Stats.

Assessing Current Network Concerns Lesson 5

CERT/CC Stats

CERT/CC

The Assessment
Two important elements you will need to determine in order to produce a valuable assessment:
- Determine the value of the information and resources that are to be protected
- Determine the threats that may exist which jeopardize the confidentiality, integrity, or availability of the information and resources

Asset Valuation
- Can be qualitative or quantitative
- Business Impact Assessment/Analysis (BIA): used to determine what is important for inclusion in a BCP/DRP (check to see if the organization has already completed one). Assesses how the unavailability of each system/process would affect the organization.
- Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP): the desire is to protect the operations of the organization, not just the computing systems. The organization may (and should) have done a BIA as part of one of these, and you can possibly use the results to save some time.

Goals of a BIA
- Identification of the processes that are critical to the profitability and continued viability of the organization
- Quantification of the financial and operational impact of an outage over time
- A determination of the recovery priority, recovery time, and recovery point for each application that supports a critical business process
For our purposes we want to use the BIA to help us determine what needs to be protected and how valuable these assets are.

Asset Valuation
So, either using the BIA or the BIA process, we should know:
- What the essential processes are for the organization
- What each process consists of/requires (in terms of information and resources)
- What the value of these processes is (or, more appropriately, what the impact on the organization would be should they be lost)
Knowing what the assets are helps us better determine what the threats to the organization might be. This may also be used later when we start evaluating acceptable residual risks.

Threats to the systems
“To control the risks of operating an information system, managers and users must know the vulnerabilities of the system and the threats that might exploit them.”
“Knowledge of the threat environment allows management to implement the most cost-effective security measures.”
“In some cases, managers may find it most cost-effective to simply tolerate the expected loss.”

Types of Threats
- Computer viruses
- Computer hackers
- Denial of service attacks
- Mistakes
- Abuse that can become public, affecting the image of the organization
- Disgruntled employees
- Industrial spying
Which one of these is most likely to occur? Which will have the greatest impact? Which will be the hardest to protect against?

Prioritizing Risks and Threats
According to the text: “Once the possible threats have been identified, it is necessary to prioritize those risks so that the NVA can focus on those of highest concern. To accomplish this task as quickly as possible, it is necessary to assemble a team of interested employees. This team will determine the probability that the identified risk might occur and what its impact would be if it did occur.”
What’s the chance that a “team of interested employees” will be able to “determine the probability that the identified risk might occur and what its impact would be if it did occur”? Hence the reason to obtain the BIA, if one is available.

Prioritizing Risks and Threats
To simplify things a bit, try these definitions:
Impact: a measure of the magnitude of loss or harm on the value of an asset
- Low impact: the business objective or mission of the enterprise is not significantly affected
- Medium impact: the event is limited to a business objective, or a single business unit is affected
- High impact: the entire business or mission of the enterprise is affected
Probability: the chance that an event will occur, or that a specific loss value will be incurred should the event occur
- Low probability: highly unlikely that the risk will occur during the next year
- Medium probability: possible that the risk will occur during the next year
- High probability: very likely that the risk will occur within the next year
(don’t like the term “risk” being used in the above)

What to look at
The text discusses how to prioritize what to look at during the assessment:

                        Impact
                   Low   Medium   High
  Prob.   Low       1      4       7
          Medium    2      5       8
          High      3      6       9

Concentrate first on items of level 6 or higher. If time permits, continue with level 5, then level 4.
Impact is one thing; how do you (or the team) determine the probability of an event occurring?
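The matrix above, applied in code as an added example (not part of the lecture slides): each threat is rated on the slide's three-point impact and probability scales, mapped to the 1..9 cell value, and the list is cut at the "level 6 or higher" threshold. The threat ratings are constructed for illustration, not the course's own data.

```python
# Added example: the lecture's 3x3 impact/probability priority matrix.
# Columns are impact, rows are probability, cell = 3 * impact_idx + prob_idx + 1,
# which reproduces the slide table (low/low = 1, high/high = 9, high impact/low prob = 7).
from typing import List, Tuple

LEVELS = ("low", "medium", "high")


def priority_level(impact: str, probability: str) -> int:
    """Return the 1..9 priority cell for an (impact, probability) pair."""
    i = LEVELS.index(impact.lower())
    p = LEVELS.index(probability.lower())
    return 3 * i + p + 1


def triage(threats: List[Tuple[str, str, str]], floor: int = 6) -> List[Tuple[int, str]]:
    """Score (name, impact, probability) triples and return (level, name) pairs
    at or above `floor`, highest level first. The default floor is the slide's
    'level 6 or higher'; call again with floor=5, then 4, as time permits."""
    scored = [(priority_level(imp, prob), name) for name, imp, prob in threats]
    scored.sort(key=lambda t: (-t[0], t[1]))
    return [t for t in scored if t[0] >= floor]


# Constructed sample ratings for the threat types listed on the earlier slide.
SAMPLE_THREATS = [
    ("Computer viruses", "medium", "high"),      # cell 6
    ("Computer hackers", "high", "medium"),      # cell 8
    ("Denial of service", "medium", "medium"),   # cell 5
    ("Mistakes", "low", "high"),                 # cell 3
    ("Disgruntled employees", "high", "low"),    # cell 7
    ("Industrial spying", "high", "low"),        # cell 7
]

if __name__ == "__main__":
    for level, name in triage(SAMPLE_THREATS):
        print(f"{level}: {name}")
```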

Checklists
Lots of checklists are available out there, and they can prove very useful. Do not rely solely on checklists; use them as a guide or a starting point.
Three are included as appendices in the text:
- ISO Self Assessment Questionnaire: lots of good information covering a variety of areas. Look at it and adapt it to the specific environment.
- Network Vulnerability Assessment Checklist: again, some good, useful information. Look at and adapt.
- Windows Server Checklists/Security Guides: focused checklists such as this are often very useful and can contain very valuable data. This one is a bit light; others are available online (check NIST).

Problems with checklists
- What do you do with the results? Great, so I have 20 Y’s, 32 N’s, and 4 N/A’s, now what? Does this mean that I’m in good shape, bad shape, or somewhere in between?
- Are all questions of equal importance? Do you need to add some sort of weighting system to help identify the most critical?
- Checklists might overlook key components of your security plan, and may also include unimportant aspects.
- Checklists need to be tailored.
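One answer to the "20 Y's, 32 N's, now what?" question, as an added example that is not from the lecture: attach a weight to each checklist item, score only the applicable items, and list the failed items by weight so the critical gaps surface first. The items and weights are constructed for illustration.

```python
# Added example: weighted scoring of checklist answers (Y / N / N/A).
# Weights are an assumption of this example; the slide only asks whether a
# weighting system is needed.
from typing import Dict, List, Tuple

Item = Tuple[str, int, str]  # (question, weight, answer)

# Constructed sample checklist.
CHECKLIST: List[Item] = [
    ("Critical patches applied within policy window", 5, "N"),
    ("Administrative accounts reviewed quarterly", 4, "Y"),
    ("Backups tested by restore in last 6 months", 5, "N"),
    ("Visitor sign-in log maintained", 1, "N"),
    ("Legacy modem pool decommissioned", 2, "N/A"),
]


def raw_counts(items: List[Item]) -> Dict[str, int]:
    """The unweighted tally the slide complains about."""
    counts = {"Y": 0, "N": 0, "N/A": 0}
    for _, _, answer in items:
        counts[answer.upper()] += 1
    return counts


def weighted_score(items: List[Item]) -> Tuple[float, List[Tuple[int, str]]]:
    """Return (percent of applicable weight answered Y, failed items sorted by
    weight, heaviest first). N/A items are removed from the denominator rather
    than being counted as passes or failures."""
    applicable = [(q, w, a.upper()) for q, w, a in items if a.upper() != "N/A"]
    total = sum(w for _, w, _ in applicable)
    passed = sum(w for _, w, a in applicable if a == "Y")
    failed = sorted(((w, q) for q, w, a in applicable if a == "N"), reverse=True)
    pct = 100.0 * passed / total if total else 0.0
    return pct, failed


if __name__ == "__main__":
    print(raw_counts(CHECKLIST))
    pct, failed = weighted_score(CHECKLIST)
    print(f"weighted pass rate: {pct:.1f}%")
    for weight, question in failed:
        print(f"  [{weight}] {question}")
```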

Composition of the Assessment Team
So, who should be part of an assessment team? You need to cover all of the areas of concern:
- Information protection
- Operations
- Telecommunications
- Systems support
- Network management
- Desktop deployment
- Account administration
- Auditing
- Physical security
Ideally, you’d have an “expert” in each of these areas. In practice, you may not have that many people to draw on, so a subject matter expert (SME) you can ask questions of may be all you can hope for.

Assessment Timeline
How long should an assessment take? The book mentions that one can take as long as 12 weeks. In reality the answer is “it depends”: an assessment can take considerably longer than 12 weeks or be as short as a few weeks, depending on scope (especially size).
In establishing the timeline, pay attention to:
- Activities that must be accomplished before others
- Activities that you can conduct in parallel
Make sure you allow sufficient time to write and review the final report. This might include a preliminary “outbrief” for the organization upon completion of the assessment, to be followed by the official report at a later date.

Timeline for class assessments
For us, the timeline is driven by the academic calendar: a bit artificial, but a constraint we must live with.
- Final report to be presented during finals week
- External assessment to be performed before internal; why?
- Internal assessment and review of policies etc. can be done concurrently
- Need approximately two weeks for each part
- Public presence review, if requested, can be done quickly and should be accomplished before the external assessment begins
How will you use Spring Break?

Summary
What is the importance and significance of this material? How does this topic fit into the subject of “Security Risk Analysis”?