Security Assessments
Keith Watson, CISSP
kaw@cerias.purdue.edu
Research Engineer
Center for Education and Research in
Information Assurance and Security
Overview
Part 1: Introduction to Security Assessments
 What is a security assessment?
 Why is it needed?
 How do you do an assessment?
Overview
Part 2: Conducting Security Assessments
 Asset Identification
 Threat Assessment
 Laws, Regulation, and Policy
 Personnel
 Security Assessment Components
 Reporting and Follow-up
Overview
Part 3: The Assessment “Experience”
 Tools
• Demonstration of Nessus
• Report Template
 Training
 Certification
Part 1: Overview of Assessments
What?
Why?
How?
What?
A security assessment is an evaluation of the
security posture of an organization.
What?
 Evaluation of
• Policy
• Security practices
• Management of systems and resources
• Security perimeters
• Handling of sensitive information
 Provided in the form of
• Report
• Presentation
What?
 Security Assessments are…
• A process: step-by-step (with variation)
• An examination: see how things work (or don’t work)
• An evaluation: making a judgment on relative security
Why?: Need for Assessments
 Due Diligence
• Mergers and Acquisitions
• Customer/Partnership Evaluation
 Regulatory Requirement
• Banks, Financial Institutions, Hospitals
• Publicly Traded Companies
• OMB, CBO, Federal Offices of the Inspector General
 Insurance
• Set premiums for “Hacker” Insurance
 Just Good Security Management Practice
• “Know your problems”
How?
 Negotiate Project Scope
• Don’t make the project too big to finish
 Spend time on site
• Best examination made from the inside
 Talk with everyone
• A little insider knowledge goes a long way
 Look at similar organizations
• Useful in judging relative security posture
 Make cost-effective recommendations
• Don’t scare them with overpriced fixes and complicated
solutions
Part 2: Conducting Security Assessments
 Project Management
 Asset Identification
 Threat Assessment
 Laws, Regulations, and Policies
 Personnel
 Security Assessment Components
 Reporting and Follow-up
Project Management
Project Management
 Scope Definition
 Setting Expectations
 Scheduling
 Travel
 Logistics
 Completion
Asset Identification
Assets
An asset is anything that has some value to an
organization.
Asset Identification
 It is necessary to determine the assets that
need protection, their value, and level of
protection required
 Two Types:
• Tangible
• Intangible
Tangible Assets
 Tangible assets are physical
 Examples:
• Personnel
• Offices, workspaces, warehouses, etc.
• Inventory, stores, supplies, etc.
• Servers and workstations
• Network infrastructure and external connections
• Data centers and support equipment
Intangible Assets
 Intangible assets are intellectual property
 Examples:
• Custom software
• Databases (the data, not the DBMS)
• Source code, documentation, development
processes, etc.
• Training materials
• Product development and marketing materials
• Operational and financial data
Replace/Restore
 What would it cost to restore or replace this
asset in terms of time, effort, and money?
 Tangible assets:
• $?
 Intangible assets:
• $$$$?
Loss of Assets
 Loss of key assets could result in harm to the
organization
• Damaged reputation
• Lost customers
• Lost shareholder confidence
• Lost competitive advantage
• Exposure to lawsuits
• Government/Regulatory fines
• Failure of organization
For Organizations
It is important to know what assets are critical
to the viability of the organization so that they
can be adequately protected.
For Assessments
It is important to determine an organization’s
assets* to see if there is adequate protection
in place
* Your list of assets may not be the same as the organization’s list.
Threat Assessment
Threats
An event that can impact the normal operations
of an organization is a threat.
Threat Assessment
 It is necessary to determine the threats,
threat sources, and the likelihood of
occurrence
 Threat types:
• Natural Events
• Unintentional
• Intentional
Natural Threats
 Tornadoes, Hurricanes, Typhoons
 Earthquakes, Mud Slides
 Flooding
 Lightning, Thunderstorms, Hail, Strong Wind
 Ice Storms, Heavy Snowfall
 Temperature and Humidity Extremes
Intentional Threats
 Alteration of Data
 Alteration of Software
 Disclosure
 Disruption
 Employee Sabotage
 Theft
 Unauthorized Use
 Electronic Vandalism
Unintentional Threats
 Disclosure
 Electrical Disturbance (surges, dips, outage <1 hour)
 Electrical Interruption (outage >1 hour)
 Environmental Failure (HVAC, humidity)
 Fire
 Hardware Failure (disk, fan, server)
 Liquid Leakage (steam, water, sewage)
 Operator/User Error
 Software Error (bugs)
 Telecommunication Interruption (cable cut)
Threat Sources - Threat Agents
 Murphy’s Law
 Unhappy Customers
 Disgruntled Employees
 Activists (Hack-tivists)
 Script-Kiddies
 Sophisticated Attackers
• Government/Foreign/Terrorist Agents
• “Blackhats”
Likelihood of Occurrence
 Qualitative
• High, Moderate, Low
 Quantitative
• Sophisticated formulas needed
• Provides useful data to “numbers” people
 FBI Uniform Crime Reports
• Crime Index data useful
Sample Threat Assessment
Threat                  Source                 Likelihood  Impact
Alteration of Data      “Hacker”               Low         Moderate
Alteration of Data      Disgruntled Employee   Moderate    High
Power Loss (>6 hours)   Severe Weather         Low         Moderate
Hardware Failure        Disgruntled Employee   Low         High
Operator Error          Untrained Employee     Moderate    High
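The sample threat assessment above only lists likelihood and impact side by side; an assessor still has to turn those ratings into a prioritized list for the report. The following is an added example (not code from the deck or from CERIAS) that does that with the slide's own rows. The 1–3 numeric scale, the likelihood × impact scoring, the rating thresholds, and the ALE = SLE × ARO formula used for the quantitative path are assumptions made here for illustration; the slide itself only says that quantitative estimates need "sophisticated formulas".

```python
"""Rank the slide's sample threat assessment into a prioritized risk register.

Added example; not from the original deck. Likelihood and impact levels come
from the "Sample Threat Assessment" slide; the 1-3 numeric scale, the
likelihood x impact product and the rating thresholds are assumptions.
"""
from dataclasses import dataclass

# Ordinal scale for the slide's three-level vocabulary (assumed mapping).
LEVELS = {"Low": 1, "Moderate": 2, "High": 3}


@dataclass(frozen=True)
class Threat:
    threat: str
    source: str
    likelihood: str
    impact: str

    def score(self) -> int:
        # Qualitative matrix: product of the two ordinal levels, range 1..9.
        return LEVELS[self.likelihood] * LEVELS[self.impact]


# Rows transcribed from the "Sample Threat Assessment" slide.
SAMPLE_REGISTER = [
    Threat("Alteration of Data", "Hacker", "Low", "Moderate"),
    Threat("Alteration of Data", "Disgruntled Employee", "Moderate", "High"),
    Threat("Power Loss (>6 hours)", "Severe Weather", "Low", "Moderate"),
    Threat("Hardware Failure", "Disgruntled Employee", "Low", "High"),
    Threat("Operator Error", "Untrained Employee", "Moderate", "High"),
]


def rank(register):
    """Return threats ordered highest risk first; ties keep slide order (sorted is stable)."""
    return sorted(register, key=lambda t: t.score(), reverse=True)


def rating(score: int) -> str:
    """Collapse the 1..9 score back to the slide's three levels (assumed thresholds)."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Moderate"
    return "Low"


def annualized_loss_expectancy(single_loss_expectancy: float,
                               annual_rate_of_occurrence: float) -> float:
    """Quantitative path: ALE = SLE x ARO. Standard formula, not stated on the slide."""
    return single_loss_expectancy * annual_rate_of_occurrence


if __name__ == "__main__":
    for t in rank(SAMPLE_REGISTER):
        print(f"{t.score()}  {rating(t.score()):8} {t.threat:22} {t.source}")
    # Constructed figures: a $40,000 loss per hardware failure, expected once every four years.
    print("ALE for hardware failure:", annualized_loss_expectancy(40_000, 0.25))
```

Run as a script it prints the register with the two Moderate/High rows first, then the Low/High hardware failure, then the two Low/Moderate rows; the quantitative helper shows the kind of figure the slide's "numbers people" expect, once single-loss cost and frequency can actually be estimated.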
Laws, Regulations, and Policies
Laws
 Depending on the organization’s business, there may
be several laws that govern the protection of
information
• CA Database Breach Notification Act
• Sarbanes-Oxley Act of 2002
• Health Insurance Portability and Accountability Act of 1996
(HIPAA)
• Gramm-Leach-Bliley Act of 1999
• Computer Security Act of 1987
• Computer Fraud and Abuse Act of 1986
• Federal Education Rights and Privacy Act (FERPA)
• European Union Data Privacy Directive
Law Surveys
 A survey may be necessary to determine
which laws apply to an organization
 Look for Federal “interest” systems, private
data, health info, public company financials,
market data, etc.
 Organizations that operate on behalf of the
government are subject to various laws
 Get a lawyer for the in-depth work
Policy
Policies are statements of intentions and/or
principles by which an organization is
organized, guided, and evaluated.
Policy Types
 Organization
 Program
 Issue-Specific
 System-Specific
Policy Reviews
 Reviews are necessary to evaluate adequacy
and compliance
 Some organizations have no security policies
at all
 Most do not follow their own policies
 Most employees are unaware of policies
 Most policies are out-of-date
Personnel
Personnel
 Interviews are needed to assess knowledge
and awareness of information security
 Valuable for determining unwritten rules
 Employees should be divided into categories
 Interview groups and ask questions relevant
to the job function
 Do not be adversarial or demanding
Security Assessment Components
Security Assessment Components
 Network Security
 System Security
 Application Security
 Operational Security
 Physical Security
Network Security
Involves the actions taken and controls in place
to secure the network and networked
systems
Network Security Assessment
 Gather network maps, installation procedures,
checklists; evaluate
 Scan networks and networked systems
• Vulnerability Scanners: Nessus (free), ISS
• Port Scanners: nmap, hping
• Application Scanners: whisker, nikto
 Target Selection
• Key systems (where the goodies are stored)
• Exposed systems (where the bad guys play)
• Gateway systems (intersection of networks)
System Security
Involves the actions taken to
secure computing systems
System Security Assessment
 Gather software/system inventory info, security
standards, checklists, management procedures;
evaluate
 Review configuration with admin
 Use a security checklist to evaluate current
configuration
 Target Selection:
• Database Systems and File Servers
• Network Application Servers
• A typical Desktop
Application Security
Consists of the requirements, specifications,
architecture, implementation, and test
procedures used to secure applications
Application Security Assessment
 Gather application and internal development
docs, source code
 Review source code for common
programming flaws
 Use static code analysis tools
• Fortify, RATS, ITS4, FlawFinder
 Skill dependent task; time consuming
 At minimum, evaluate development
procedures
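The static analysis tools named on the slide (RATS, ITS4, FlawFinder) are at heart pattern matchers over source text with a rule database of risky calls. The block below is an added example (not the deck's code and not any of those tools) showing that mechanism on a constructed C sample: a small rule table, a line-by-line scan that reports call, line number and risk level, and a summary count for the report. The rules and the C snippet are constructed here for illustration.

```python
"""Minimal pattern-based source checker in the style of RATS/ITS4/FlawFinder.

Added example; not the deck's code and not one of those tools. RULES and
SAMPLE_C are constructed for illustration.
"""
import re

# (regex, risk level, note) -- constructed rule table, not a real tool's database.
RULES = [
    (re.compile(r"\bgets\s*\("), "high", "gets() has no bound; use fgets()"),
    (re.compile(r"\bstrcpy\s*\("), "high", "unbounded copy; use strlcpy()/snprintf()"),
    (re.compile(r"\bsprintf\s*\("), "medium", "unbounded format; use snprintf()"),
    (re.compile(r"\bsystem\s*\("), "medium", "shell invocation; check argument origin"),
]

# Constructed sample: two classic unbounded calls and one bounded call that must not be flagged.
SAMPLE_C = """#include <stdio.h>
#include <string.h>
int main(void) {
    char name[32];
    char buf[64];
    gets(name);                 /* unbounded read */
    strcpy(buf, name);          /* unbounded copy */
    snprintf(buf, sizeof buf, "%s", name);  /* bounded: not flagged */
    return 0;
}
"""


def scan_source(text, rules=RULES):
    """Return [(line_no, risk, call, note)] for every rule hit, in file order."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        code = line.split("/*", 1)[0]  # drop a trailing block comment (simplistic)
        for rx, risk, note in rules:
            m = rx.search(code)
            if m:
                call = m.group(0).split("(")[0].strip()
                hits.append((n, risk, call, note))
    return hits


def summarize(hits):
    """Count hits per risk level for the report's summary table."""
    counts = {}
    for _, risk, _, _ in hits:
        counts[risk] = counts.get(risk, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_source(SAMPLE_C)
    for line_no, risk, call, note in found:
        print(f"line {line_no}: [{risk}] {call}: {note}")
    print(summarize(found))
```

Pattern tools of this kind are fast and cheap, which is why the slide calls them a minimum, but they only flag what their rule table knows about and cannot see data flow; that is what makes the full source review the skill-dependent, time-consuming task the slide describes.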
Operational Security
Consists of the day-to-day security
management planning and actions taken to
support the mission of the organization
Operational Security Assessment
 Gather procedures, contingency plans
 Evaluate overall security management
 Review backup, disposal procedures
 Examine business continuity, disaster
recovery plans
 Look at automated security tasks (virus
updates, patches, integrity checks)
 Look at administrator security practices
Physical Security
Consists of the planning and protective
measures taken to prevent unauthorized
access to the facilities and damage to and
loss of assets
Physical Security Assessment
 Gather policy and procedure documents
 Examine facility and take pictures
 Building
• Life Safety (fire/smoke detection, alarms, suppression)
• Burglar alarms, security guards, police response time
 Security Perimeter
• Strong doors, locks, visitor areas, sign-in procedures
 Server Rooms
• Environmental controls and monitoring
• Sufficient power and HVAC
• Locked cabinets and equipment
Reporting and Follow-up
Reporting and Follow-up
 Once the assessment is complete, a report is
needed to inform the client of issues found
 Report should explain findings in simple
terms (remember the audience)
 Be available to answer questions and provide
explanations
Part 3: The Assessment “Experience”
 Tools
• Demonstration of Nessus
• Report Template
 Training
 Certification
Introduction_to_Security_Assessments.ppt

  • 1. Security Assessments Keith Watson, CISSP kaw@cerias.purdue.edu Research Engineer Center for Education and Research in Information Assurance and Security
  • 2. Overview Part 1: Introduction to Security Assessments  What is a security assessment?  Why is it needed?  How do you do an assessment?
  • 3. Overview Part 2: Conducting Security Assessments  Asset Identification  Threat Assessment  Laws, Regulation, and Policy  Personnel  Security Assessment Components  Reporting and Follow-up
  • 4. Overview Part 3: The Assessment “Experience”  Tools • Demonstration of Nessus • Report Template  Training  Certification
  • 5. Part 1: Overview of Assessments What? Why? How?
  • 6. What? A security assessment is an evaluation of the security posture of an organization.
  • 7. What?  Evaluation of • Policy • Security practices • Management of systems and resources • Security perimeters • Handling of sensitive information  Provided in the form of • Report • Presentation
  • 8. What?  Security Assessments are… • A process • Step-by-step (with variation) • An examination • See how things work (or don’t work) • An evaluation • Making a judgment on relative security
  • 9. Why?: Need for Assessments  Due Diligence • Mergers and Acquisitions • Customer/Partnership Evaluation  Regulatory Requirement • Banks, Financial Institutions, Hospitals • Publicly Traded Companies • OMB, CBO, Federal Offices of the Inspector General  Insurance • Set premiums for “Hacker” Insurance  Just Good Security Management Practice • “Know your problems”
  • 10. How?  Negotiate Project Scope • Don’t make the project too big to finish  Spend time on site • Best examination made from the inside  Talk with everyone • A little insider knowledge goes a long way  Look at similar organizations • Useful in judging relative security posture  Make cost-effective recommendations • Don’t scare them with overpriced fixes and complicated solutions
  • 11. Part 2: Conducting Security Assessments  Project Management  Asset Identification  Threat Assessment  Laws, Regulations, and Policies  Personnel  Security Assessment Components  Reporting and Follow-up
  • 13. Project Management  Scope Definition  Setting Expectations  Scheduling  Travel  Logistics  Completion
  • 15. Assets An asset is anything that has some value to an organization.
  • 16. Asset Identification  It is necessary to determine the assets that need protection, their value, and level of protection required  Two Types: • Tangible • Intangible
  • 17. Tangible Assets  Tangible assets are physical  Examples: • Personnel • Offices, workspaces, warehouses, etc. • Inventory, stores, supplies, etc. • Servers and workstations • Network infrastructure and external connections • Data centers and support equipment
  • 18. Intangible Assets  Intangible assets are intellectual property  Examples: • Custom software • Databases (the data, not the DBMS) • Source code, documentation, development processes, etc. • Training materials • Product development and marketing materials • Operational and financial data
  • 19. Replace/Restore  What would it cost to restore or replace this asset in terms of time, effort, and money?  Tangible assets: • $?  Intangible assets: • $$$$?
  • 20. Loss of Assets  Loss of key assets could result in harm to the organization • Damaged reputation • Lost customers • Lost shareholder confidence • Lost competitive advantage • Exposure to lawsuits • Government/Regulatory fines • Failure of organization
  • 21. For Organizations It is important to know what assets are critical to the viability of the organization so that they can be adequately protected.
  • 22. For Assessments It is important to determine an organization’s assets* to see if there is adequate protection in place * Your list of assets may not be the same as the organization’s list.
  • 24. Threats An event that can impact the normal operations of an organization is a threat.
  • 25. Threat Assessment  It is necessary to determine the threats, threat sources, and the likelihood of occurrence  Threat types: • Natural Events • Unintentional • Intentional
  • 26. Natural Threats  Tornadoes, Hurricanes, Typhoons  Earthquakes, Mud Slides  Flooding  Lightning, Thunderstorms, Hail, Strong Wind  Ice Storms, Heavy Snowfall  Temperature and Humidity Extremes
  • 27. Intentional Threats  Alteration of Data  Alteration of Software  Disclosure  Disruption  Employee Sabotage  Theft  Unauthorized Use  Electronic Vandalism
  • 28. Unintentional Threats  Disclosure  Electrical Disturbance (surges, dips, outage <1 hour)  Electrical Interruption (outage >1 hour)  Environmental Failure (HVAC, humidity)  Fire  Hardware Failure (disk, fan, server)  Liquid Leakage (steam, water, sewage)  Operator/User Error  Software Error (bugs)  Telecommunication Interruption (cable cut)
  • 29. Threat Sources - Threat Agents  Murphy’s Law  Unhappy Customers  Disgruntled Employees  Activists (Hack-tivists)  Script-Kiddies  Sophisticated Attackers • Government/Foreign/Terrorist Agents • “Blackhats”
  • 30. Likelihood of Occurrence  Qualitative • High, Moderate, Low  Quantitative • Sophisticated formulas needed • Provides useful data to “numbers” people  FBI Uniform Crime Reports • Crime Index data useful
  • 31. Sample Threat Assessment Threat Source Likelihood Impact Alteration of Data “Hacker” Low Moderate Alteration of Data Disgruntled Employee Moderate High Power Loss (>6 hours) Severe Weather Low Moderate Hardware Failure Disgruntled Employee Low High Operator Error Untrained Employee Moderate High
  • 33. Laws
    – Depending on the organization’s business, there may be several laws that govern the protection of information
      • CA Database Breach Notification Act
      • Sarbanes-Oxley Act of 2002
      • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
      • Gramm-Leach-Bliley Act of 1999
      • Computer Security Act of 1987
      • Computer Fraud and Abuse Act of 1986
      • Federal Education Rights and Privacy Act (FERPA)
      • European Union Data Privacy Directive
  • 34. Law Surveys
    – A survey may be necessary to determine which laws apply to an organization
    – Look for Federal “interest” systems, private data, health info, public company financials, market data, etc.
    – Organizations that operate on behalf of the government are subject to various laws
    – Get a lawyer for the in-depth stuff
  • 35. Policy Policies are statements of intentions and/or principles by which an organization is organized, guided, and evaluated.
  • 36. Policy Types
    – Organization
    – Program
    – Issue-Specific
    – System-Specific
  • 37. Policy Reviews
    – Reviews are necessary to evaluate adequacy and compliance
    – Some organizations have no security policies at all
    – Most do not follow their own policies
    – Most employees are unaware of policies
    – Most policies are out-of-date
  • 39. Personnel
    – Interviews are needed to assess knowledge and awareness of information security
    – Valuable for determining unwritten rules
    – Employees should be divided into categories
    – Interview groups and ask questions relevant to the job function
    – Do not be adversarial or demanding
  • 41. Security Assessment Components
    – Network Security
    – System Security
    – Application Security
    – Operational Security
    – Physical Security
  • 42. Network Security Involves the actions taken and controls in place to secure the network and networked systems
  • 43. Network Security Assessment
    – Gather network maps, installation procedures, checklists; evaluate
    – Scan networks and networked systems
      • Vulnerability Scanners: Nessus (free), ISS
      • Port Scanners: nmap, hping
      • Application Scanners: whisker, nikto
    – Target Selection
      • Key systems (where the goodies are stored)
      • Exposed systems (where the bad guys play)
      • Gateway systems (intersection of networks)
  • 44. System Security Involves the actions taken to secure computing systems
  • 45. System Security Assessment
    – Gather software/system inventory info, security standards, checklists, management procedures; evaluate
    – Review configuration with admin
    – Use a security checklist to evaluate current configuration
    – Target Selection:
      • Database Systems and File Servers
      • Network Application Servers
      • A typical Desktop
  • 46. Application Security Consists of the requirements, specifications, architecture, implementation, and test procedures used to secure applications
  • 47. Application Security Assessment
    – Gather application and internal development docs, source code
    – Review source code for common programming flaws
    – Use static code analysis tools
      • Fortify, RATS, ITS4, FlawFinder
    – Skill dependent task; time consuming
    – At minimum, evaluate development procedures
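The application security slide recommends reviewing source code for common programming flaws with tools such as RATS, ITS4 and FlawFinder. Those tools are, at their core, pattern matchers over a database of risky library calls. The following added example (not code from the presentation, nor from any of the tools named) shows the idea in miniature: a small rule table of unbounded C string and shell calls, a scanner that reports each call site with a severity and the safer replacement an assessor would suggest, and a constructed C snippet to run it over. The rule table, severities and advice strings are assumptions chosen for illustration.

```python
"""Minimal pattern-based source scanner in the spirit of RATS/FlawFinder.

Added example, not part of the slides or of any of the tools named there.
The rule table and the C snippet are constructed for illustration.
"""
import re

# Each rule: regex for a call site, severity, and the safer alternative an
# assessor would suggest in the report (assumed mapping, not exhaustive).
RULES = [
    (re.compile(r"\bgets\s*\("),    "high",   "fgets with an explicit size"),
    (re.compile(r"\bstrcpy\s*\("),  "high",   "strncpy/strlcpy with a bound"),
    (re.compile(r"\bstrcat\s*\("),  "high",   "strncat/strlcat with a bound"),
    (re.compile(r"\bsprintf\s*\("), "medium", "snprintf with a bound"),
    (re.compile(r"\bsystem\s*\("),  "medium", "execve with a fixed argv, no shell"),
]


def scan_source(source: str) -> list[dict]:
    """Return one finding per risky call site: function, line, severity, advice.

    Whole-line // comments are skipped so commented-out code does not
    inflate the count; block comments are deliberately not handled here.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.strip().startswith("//"):
            continue
        for pattern, severity, advice in RULES:
            match = pattern.search(line)
            if match:
                func = match.group(0).split("(")[0].strip()
                findings.append({
                    "function": func,
                    "line": lineno,
                    "severity": severity,
                    "advice": advice,
                    "code": line.strip(),
                })
    return findings


def summarize(findings: list[dict]) -> dict[str, int]:
    """Count findings per severity, for the report's summary table."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


# Constructed C snippet with two risky calls, one commented-out call, and
# one already-bounded call that must not be flagged.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv) {
    char buf[64];
    // strcpy(buf, argv[1]);  old version kept in a comment
    strcpy(buf, argv[1]);
    gets(buf);
    snprintf(buf, sizeof buf, "%s", argv[1]);
    return 0;
}
"""

if __name__ == "__main__":
    results = scan_source(SAMPLE_C)
    for f in results:
        print(f"line {f['line']:3} [{f['severity']}] {f['function']}: "
              f"consider {f['advice']}")
    print("summary:", summarize(results))
```

A real tool adds data-flow reasoning, a much larger database, and ways to suppress reviewed hits; what this toy version shares with them is the limitation the slide hints at: pattern matching produces a list of places to look, and a skilled reviewer still has to decide which of them are real flaws.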
  • 48. Operational Security Consists of the day-to-day security management planning and actions taken to support the mission of the organization
  • 49. Operational Security Assessment
    – Gather procedures, contingency plans
    – Evaluate overall security management
    – Review backup, disposal procedures
    – Examine business continuity, disaster recovery plans
    – Look at automated security tasks (virus updates, patches, integrity checks)
    – Look at administrator security practices
  • 50. Physical Security Consists of the planning and protective measures taken to prevent unauthorized access to the facilities and damage to and loss of assets
  • 51. Physical Security Assessment
    – Gather policy and procedure documents
    – Examine facility and take pictures
    – Building
      • Life Safety (fire/smoke detection, alarms, suppression)
      • Burglar alarms, security guards, police response time
    – Security Perimeter
      • Strong doors, locks, visitor areas, sign-in procedures
    – Server Rooms
      • Environmental controls and monitoring
      • Sufficient power and HVAC
      • Locked cabinets and equipment
  • 53. Reporting and Follow-up
    – Once the assessment is complete, a report is needed to inform the client of issues found
    – Report should explain findings in simple terms (remember the audience)
    – Be available to answer questions and provide explanations
  • 54. Part 3: The Assessment “Experience”
    – Tools
      • Demonstration of Nessus
      • Report Template
    – Training
    – Certification