
1 Security Assessments
Keith Watson, CISSP, Research Engineer
kaw@cerias.purdue.edu
Center for Education and Research in Information Assurance and Security
This work is licensed under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit
© Copyright Center for Education and Research in Information Assurance and Security, Purdue University,

2 Overview
Part 1: Introduction to Security Assessments
  What is a security assessment?
  Why is it needed?
  How do you do an assessment?

3 Overview
Part 2: Conducting Security Assessments
  Asset Identification
  Threat Assessment
  Laws, Regulation, and Policy
  Personnel
  Security Assessment Components
  Reporting and Follow-up

4 Overview
Part 3: The Assessment “Experience”
  Tools
  Demonstration of Nessus
  Report Template
  Training
  Certification

5 Part 1: Overview of Assessments
  What?
  Why?
  How?

6 What?
A security assessment is an evaluation of the security posture of an organization.

7 What?
Evaluation of
  Policy
  Security practices
  Management of systems and resources
  Security perimeters
  Handling of sensitive information
Provided in the form of
  Report
  Presentation

8 What?
Security Assessments are…
  A process: step-by-step (with variation)
  An examination: see how things work (or don’t work)
  An evaluation: making a judgment on relative security

9 Why?: Need for Assessments
Due Diligence
  Mergers and Acquisitions
  Customer/Partnership Evaluation
Regulatory Requirement
  Banks, Financial Institutions, Hospitals
  Publicly Traded Companies
  OMB, CBO, Federal Offices of the Inspector General
Insurance
  Set premiums for “Hacker” Insurance
Just Good Security Management Practice
  “Know your problems”

10 How?
Negotiate Project Scope
  Don’t make the project too big to finish
Spend time on site
  Best examination made from the inside
Talk with everyone
  A little insider knowledge goes a long way
Look at similar organizations
  Useful in judging relative security posture
Make cost-effective recommendations
  Don’t scare them with overpriced fixes and complicated solutions

11 Part 2: Conducting Security Assessments
  Project Management
  Asset Identification
  Threat Assessment
  Laws, Regulations, and Policies
  Personnel
  Security Assessment Components
  Reporting and Follow-up

12 Project Management

13 Project Management
  Scope Definition
  Setting Expectations
  Scheduling
  Travel Logistics
  Completion

14 Asset Identification

15 Assets
An asset is anything that has some value to an organization.

16 Asset Identification
It is necessary to determine the assets that need protection, their value, and the level of protection required.
Two types:
  Tangible
  Intangible

17 Tangible Assets
Tangible assets are physical.
Examples:
  Personnel
  Offices, workspaces, warehouses, etc.
  Inventory, stores, supplies, etc.
  Servers and workstations
  Network infrastructure and external connections
  Data centers and support equipment

18 Intangible Assets
Intangible assets are intellectual property.
Examples:
  Custom software
  Databases (the data, not the DBMS)
  Source code, documentation, development processes, etc.
  Training materials
  Product development and marketing materials
  Operational and financial data

19 Replace/Restore
What would it cost to restore or replace this asset in terms of time, effort, and money?
  Tangible assets: $?
  Intangible assets: $$$$?

20 Loss of Assets
Loss of key assets could result in harm to the organization:
  Damaged reputation
  Lost customers
  Lost shareholder confidence
  Lost competitive advantage
  Exposure to lawsuits
  Government/Regulatory fines
  Failure of organization

21 For Organizations
It is important to know what assets are critical to the viability of the organization so that they can be adequately protected.

22 For Assessments
It is important to determine an organization’s assets* to see if there is adequate protection in place.
* Your list of assets may not be the same as the organization’s list.

23 Threat Assessment

24 Threats
An event that can impact the normal operations of an organization is a threat.

25 Threat Assessment
It is necessary to determine the threats, threat sources, and the likelihood of occurrence.
Threat types:
  Natural Events
  Unintentional
  Intentional

26 Natural Threats
  Tornadoes, Hurricanes, Typhoons
  Earthquakes, Mud Slides
  Flooding
  Lightning, Thunderstorms, Hail, Strong Wind
  Ice Storms, Heavy Snowfall
  Temperature and Humidity Extremes

27 Intentional Threats
  Alteration of Data
  Alteration of Software
  Disclosure
  Disruption
  Employee Sabotage
  Theft
  Unauthorized Use
  Electronic Vandalism

28 Unintentional Threats
  Disclosure
  Electrical Disturbance (surges, dips, outage <1 hour)
  Electrical Interruption (outage >1 hour)
  Environmental Failure (HVAC, humidity)
  Fire
  Hardware Failure (disk, fan, server)
  Liquid Leakage (steam, water, sewage)
  Operator/User Error
  Software Error (bugs)
  Telecommunication Interruption (cable cut)

29 Threat Sources
Threat Agents:
  Murphy’s Law
  Unhappy Customers
  Disgruntled Employees
  Activists (Hack-tivists)
  Script-Kiddies
  Sophisticated Attackers
  Government/Foreign/Terrorist Agents
  “Blackhats”

30 Likelihood of Occurrence
Qualitative
  High, Moderate, Low
Quantitative
  Sophisticated formulas needed
  Provides useful data to “numbers” people
  FBI Uniform Crime Reports Crime Index data useful

31 Sample Threat Assessment
Threat                 | Source               | Likelihood | Impact
Alteration of Data     | “Hacker”             | Low        | Moderate
                       | Disgruntled Employee | High       |
Power Loss (>6 hours)  | Severe Weather       |            |
Hardware Failure       |                      |            |
Operator Error         | Untrained Employee   |            |
(Only the cells shown were filled in on the slide.)
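As an added example (not from the slides): a small Python threat register that applies the qualitative High/Moderate/Low scale from the previous slide to rows like those in the sample table and ranks them for the report. The 3x3 risk matrix and the ratings for the rows the slide leaves blank are constructed assumptions.

```python
from dataclasses import dataclass

# Qualitative scale from the "Likelihood of Occurrence" slide, reused for impact.
LEVELS = {"Low": 1, "Moderate": 2, "High": 3}


@dataclass(frozen=True)
class Threat:
    threat: str      # event, e.g. "Alteration of Data"
    source: str      # threat agent, e.g. "Disgruntled Employee"
    likelihood: str  # Low / Moderate / High
    impact: str      # Low / Moderate / High


def risk_rating(likelihood: str, impact: str) -> str:
    """Combine two qualitative ratings with a 3x3 risk matrix (an assumption;
    the slides do not prescribe one):

               impact:  Low       Moderate  High
    likelihood Low      Low       Low       Moderate
               Mod      Low       Moderate  High
               High     Moderate  High      High
    """
    for value in (likelihood, impact):
        if value not in LEVELS:
            raise ValueError(f"unknown qualitative rating: {value!r}")
    score = LEVELS[likelihood] + LEVELS[impact]  # 2..6
    if score <= 3:
        return "Low"
    if score == 4:
        return "Moderate"
    return "High"


def rank_threats(register):
    """Return (threat, source, likelihood, impact, rating) rows, highest risk
    first; ties break on likelihood, then impact, so frequent threats surface."""
    scored = [(t, risk_rating(t.likelihood, t.impact)) for t in register]
    scored.sort(key=lambda pair: (-LEVELS[pair[1]], -LEVELS[pair[0].likelihood],
                                  -LEVELS[pair[0].impact], pair[0].threat))
    return [(t.threat, t.source, t.likelihood, t.impact, r) for t, r in scored]


def format_table(rows) -> str:
    """Render ranked rows as a plain-text table for the assessment report."""
    header = ("Threat", "Source", "Likelihood", "Impact", "Rating")
    widths = [max(len(str(r[i])) for r in (header, *rows)) for i in range(5)]
    fmt = "  ".join(f"{{:<{w}}}" for w in widths)
    return "\n".join(fmt.format(*r) for r in (header, *rows))


# Constructed register: the first row is the one filled in on the slide; the
# remaining likelihood/impact values are invented for this example.
SAMPLE_REGISTER = [
    Threat("Alteration of Data", '"Hacker"', "Low", "Moderate"),
    Threat("Alteration of Data", "Disgruntled Employee", "High", "Moderate"),
    Threat("Power Loss (>6 hours)", "Severe Weather", "Moderate", "High"),
    Threat("Hardware Failure", "Murphy's Law", "Moderate", "Moderate"),
    Threat("Operator Error", "Untrained Employee", "High", "Low"),
]

if __name__ == "__main__":
    print(format_table(rank_threats(SAMPLE_REGISTER)))
```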

32 Laws, Regulations, and Policies

33 Laws
Depending on the organization’s business, there may be several laws that govern the protection of information:
  CA Database Breach Notification Act
  Sarbanes-Oxley Act of 2002
  Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  Gramm-Leach-Bliley Act of 1999
  Computer Security Act of 1987
  Computer Fraud and Abuse Act of 1986
  Federal Education Rights and Privacy Act (FERPA)
  European Union Data Privacy Directive

34 Law Surveys
A survey may be necessary to determine which laws apply to an organization.
  Look for Federal “interest” systems, private data, health info, public company financials, market data, etc.
  Organizations that operate on behalf of the government are subject to various laws.
  Get a lawyer for the in-depth stuff.

35 Policy
Policies are statements of intentions and/or principles by which an organization is organized, guided, and evaluated.

36 Policy Types
  Organization
  Program
  Issue-Specific
  System-Specific

37 Policy Reviews
Reviews are necessary to evaluate adequacy and compliance.
  Some organizations have no security policies at all
  Most do not follow their own policies
  Most employees are unaware of policies
  Most policies are out-of-date

38 Personnel

39 Personnel
Interviews are needed to assess knowledge and awareness of information security.
  Valuable for determining unwritten rules
  Employees should be divided into categories
  Interview groups and ask questions relevant to the job function
  Do not be adversarial or demanding

40 Security Assessment Components

41 Security Assessment Components
  Network Security
  System Security
  Application Security
  Operational Security
  Physical Security

42 Network Security
Involves the actions taken and controls in place to secure the network and networked systems.

43 Network Security Assessment
  Gather network maps, installation procedures, checklists; evaluate
  Scan networks and networked systems
    Vulnerability Scanners: Nessus (free), ISS
    Port Scanners: nmap, hping
    Application Scanners: whisker, nikto
  Target Selection
    Key systems (where the goodies are stored)
    Exposed systems (where the bad guys play)
    Gateway systems (intersection of networks)

44 System Security
Involves the actions taken to secure computing systems.

45 System Security Assessment
  Gather software/system inventory info, security standards, checklists, management procedures; evaluate
  Review configuration with admin
  Use a security checklist to evaluate current configuration
  Target Selection:
    Database Systems and File Servers
    Network Application Servers
    A typical Desktop

46 Application Security
Consists of the requirements, specifications, architecture, implementation, and test procedures used to secure applications.

47 Application Security Assessment
  Gather application and internal development docs, source code
  Review source code for common programming flaws
  Use static code analysis tools
    Fortify, RATS, ITS4, FlawFinder
  Skill-dependent task; time consuming
  At minimum, evaluate development procedures
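An added example, not the presentation's own material, showing the core check that source-code scanners such as FlawFinder and RATS perform: flag calls to known-unsafe C library functions while ignoring mentions inside comments and string literals. The rule set, the hints and the scanned C snippet are constructed for this example.

```python
import re

# Simplified rule set in the spirit of FlawFinder/RATS: function name -> hint.
# Constructed for this example; the real tools ship far larger databases.
RULES = {
    "gets":    "reads unbounded input; use fgets() with a size limit",
    "strcpy":  "no bounds check on the destination; use snprintf() or strlcpy()",
    "strcat":  "no bounds check on the destination; use strlcat() or snprintf()",
    "sprintf": "no bounds check on the destination; use snprintf()",
    "system":  "command injection if untrusted data reaches the argument",
}

# A call to one of the rule names; the word boundary stops 'fgets' matching 'gets'.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, RULES)) + r")\s*\(")

# Block comments, line comments and string literals, blanked out before matching
# so that "strcpy" in a comment or a printf format string is not a finding.
NOISE_RE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', re.S)


def strip_comments_and_strings(src: str) -> str:
    """Replace comment and string characters with spaces, keeping every newline
    so the line numbers reported later still point at the original source."""
    return NOISE_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)


def find_risky_calls(src: str):
    """Return (line number, function, hint) for each flagged call in C source."""
    findings = []
    for lineno, line in enumerate(strip_comments_and_strings(src).splitlines(), 1):
        for match in CALL_RE.finditer(line):
            name = match.group(1)
            findings.append((lineno, name, RULES[name]))
    return findings


# Constructed C snippet to scan; only lines 6 and 9 should be reported.
SAMPLE_C = r"""#include <stdio.h>
#include <string.h>
/* strcpy(dst, src) mentioned in a comment is not a call */
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);                     /* unbounded copy */
    printf("strcpy() in a string literal\n");
    fgets(buf, sizeof buf, stdin);         // bounded read, not flagged
    system(buf);                           // user input reaches the shell
}
"""

if __name__ == "__main__":
    for lineno, name, hint in find_risky_calls(SAMPLE_C):
        print(f"line {lineno}: {name}() - {hint}")
```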

48 Operational Security
Consists of the day-to-day security management planning and actions taken to support the mission of the organization.

49 Operational Security Assessment
  Gather procedures, contingency plans
  Evaluate overall security management
  Review backup, disposal procedures
  Examine business continuity, disaster recovery plans
  Look at automated security tasks (virus updates, patches, integrity checks)
  Look at administrator security practices

50 Physical Security
Consists of the planning and protective measures taken to prevent unauthorized access to the facilities and damage to and loss of assets.

51 Physical Security Assessment
  Gather policy and procedure documents
  Examine facility and take pictures
  Building
    Life Safety (fire/smoke detection, alarms, suppression)
    Burglar alarms, security guards, police response time
  Security Perimeter
    Strong doors, locks, visitor areas, sign-in procedures
  Server Rooms
    Environmental controls and monitoring
    Sufficient power and HVAC
    Locked cabinets and equipment

52 Reporting and Follow-up

53 Reporting and Follow-up
  Once the assessment is complete, a report is needed to inform the client of issues found
  Report should explain findings in simple terms (remember the audience)
  Be available to answer questions and provide explanations

54 Part 3: The Assessment “Experience”
  Tools
  Demonstration of Nessus
  Report Template
  Training
  Certification

55 Tools

56 Tools
  Software
  Google Hacking
  Configuration Guides and Checklists
  Report Template
  Nessus

57 Software
  Security Auditor CD
  Nmap
  Nessus

58 Google Hacking
Used for information gathering on targets.
  Useful for finding sensitive information (org charts, passwords, account names, employee names and phone numbers)
  Google Cache captures removed data too!
  Advanced search operators
    site: limit search to a site or domain
    filetype: specify file types to search
    intext: search within page text
    inurl: search within the URL

59 Google Hacking
  filetype:xls inurl:internal | inurl:admin
    Find administrative or internal spreadsheets
  filetype:doc proposal
    Competitive intelligence gathering
  site:bsu.edu login | logon | username
    Find login portals and access info for BSU
  filetype:doc intext:"internal use only"
    Find sensitive Word documents
  filetype:xls intext:salary | intext:salaries
    Find salary data in spreadsheet form

60 Google Hacking Example

61 Configuration Guides and Checklists
  NSA Security Configuration Guides
  NIST Security Technical Implementation Guides and Checklists
  Center for Internet Security Benchmarks

62 Report Template
A report template is available.
  Taken from a real security assessment
  In Word and RTF formats
  Includes suggestions/instructions
  Text replacement for frequent terms, e.g. {CLIENT ORGANIZATION}

63 Nessus
Network vulnerability scanner
  Scans networked systems
  Uses plug-ins for extensibility
  Examines available network services
    Enumerates services (What’s running on the system?)
    Looks for known problems (What’s wrong with what’s running?)
  Examines local services (new feature)
  Open Source and Free!

64 Nessus Demonstration
Client/Server Usage
  Dedicated Scanners
  Remote Assessments
User Interface
  Default Settings
Report Sample

65 Nessus Client-Server Architecture
Nessus Client
  Configures parameters
  Selects target(s)
  Displays reports
Nessus Server
  Loads plug-ins
  Scans network devices
  Collects data
Targets
  Any IP-addressable device

66 Nessus Client Login Screen

67 Nessus Client Plug-in Configuration

68 Nessus Client Preferences

69 Nessus Client Scan Options

70 Nessus Client Target Selection

71 Nessus Client Scan Activity

72 Nessus Client Report Screen

73 Training and Certification

74 Training
Conferences
  Black Hat Security Briefings
  SANS
  CSI
Professional Association Training
  (ISC)2
  ISACA

75 Certification
Professional
  (ISC)2 CISSP and SSCP
  ISACA CISA and CISM
Technical-Niche
  SANS GIAC
  EC-Council Certified Ethical Hacker
Vendor
  Cisco CCSP and CCIE Security

76 Thanks… Questions?
