Forging Partnerships Between Auditors and Security Managers: Breakthrough Methods That Work
Randy Marchany, VA Tech Computing Center, Blacksburg, VA 24060
Randy.Marchany@vt.edu, 540-231-9523
JCSC 2000
Copyright 2000, Marchany
The Auditor’s Goals
• Ensure assets are protected according to company, local, state and federal regulatory policies.
• Determine what needs to be done to ensure the protection of the above assets.
• Make life miserable for sysadmins… :-)
• Not really. They can save a sysadmin if a problem occurs.

The Sysadmin’s Goals
• Keep the systems up.
• Keep users happy and out of our hair.
• Keep auditors at arm’s length.
• Get more resources to do the job properly.
• Wear jeans or shorts to work when everyone else has to wear suits…
The Sysadmin’s Audit Strategy
• Turn a perceived weakness (the audit) into a strength (security checklists).
• Develop a set of reporting matrices that can be used as audit reports or as justification for security expenditures.
• The above information can be used to help develop your incident response plan.

The Committee
• Management and technical personnel from the major areas of IS:
  • University Libraries
  • Educational Technologies
  • University Network Management Group
  • University Computing Center
  • Administrative Information Systems
The Committee’s Scope
• Information Systems Division only
• Identified and prioritized ASSETS
• RISKS associated with those ASSETS
• CONTROLS that may be applied to the ASSETS to mitigate the RISKS
• Did NOT specifically consider assets outside IS control. However, those assets are included as clients when considering access to the assets we wish to protect.

The Committee’s Charge
• From our VP for Information Systems:
• “Establish whether IS units are taking all reasonable precautions to protect info resources and to assure the accurate & reliable delivery of service.”
• “Investigate and advise the VPIS as to the security of systems throughout the university…. Provide documentation of the security measures in place.”
Identifying the Assets
• Compiled a list of IS assets (100+ systems)
• Categorized them as critical, essential or normal:
  • Critical - VT can’t operate w/o this asset for even a short period of time.
  • Essential - VT could work around the loss of the asset for up to a week. The asset needs to be returned to service ASAP.
  • Normal - VT could operate w/o this asset for a finite period, but entities may need to identify alternatives.

Prioritizing the Assets
• The network (routers, bridges, cabling, etc.) was treated as a single entity and deemed critical.
• X assets were classified as critical and then rank ordered using a matrix prioritization technique. Each asset was compared to every other asset and members voted on their relative importance. Members could split their vote.
Identifying the Risks
• A RISK was selected if it caused an incident that would:
  • Be extremely expensive to fix
  • Result in the loss of a critical service
  • Result in heavy, negative publicity, especially outside the university
  • Have a high probability of occurring
• Risks were prioritized using the same matrix prioritization technique.

Mapping Risks and Assets
• We built a matrix that maps the ordered list of critical assets against the ordered list of risks, regardless of whether or not:
  • A particular risk actually applied to the asset
  • Controls exist and/or are already in place
• The matrix provides general guidance about the order in which each asset/risk pair is examined. All assets/risks need to be examined eventually.

Identifying Controls
• Specific controls identified by the committee were put in a matrix.
• The controls were then mapped against the list of risks; each cell holds the control ids that can mitigate a particular risk for a particular asset.
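The asset and risk prioritization, and the asset/risk matrix with control ids in its cells, worked through in Python as an added example that is not part of the presentation. The assets, risks, controls and committee ballots are constructed sample data; a ballot entry (a, b) gives the share of a member's vote that goes to a, so 0.5 is a split vote.

```python
from itertools import combinations

# Constructed sample inventory (not the committee's actual assets, risks or controls).
ASSETS = ["Network", "Email", "Student records", "Web server"]
RISKS = ["Outage", "Data disclosure", "Defacement"]
# Control id -> (description, risks it mitigates, assets it applies to; None = all).
CONTROLS = {
    "C1": ("Nightly backups", {"Outage"}, {"Email", "Student records", "Web server"}),
    "C2": ("Access control lists", {"Data disclosure", "Defacement"}, None),
    "C3": ("Redundant routers", {"Outage"}, {"Network"}),
}
# Pairwise ballots, one dict per committee member: (a, b) -> share of the vote
# given to a, the remainder to b. 0.5 is a split vote; an unvoted pair counts as split.
ASSET_VOTES = [
    {("Network", "Email"): 1.0, ("Network", "Student records"): 1.0,
     ("Network", "Web server"): 1.0, ("Email", "Student records"): 0.0,
     ("Email", "Web server"): 1.0, ("Student records", "Web server"): 1.0},
    {("Network", "Email"): 1.0, ("Network", "Student records"): 0.5,
     ("Network", "Web server"): 1.0, ("Email", "Student records"): 0.0,
     ("Email", "Web server"): 0.5, ("Student records", "Web server"): 1.0},
]
RISK_VOTES = [{("Outage", "Data disclosure"): 0.0, ("Outage", "Defacement"): 1.0,
               ("Data disclosure", "Defacement"): 1.0}]

def prioritize(items, ballots):
    """Matrix prioritization: compare every item with every other, sum the
    members' (possibly split) votes, and rank by total; ties keep input order."""
    score = {item: 0.0 for item in items}
    for a, b in combinations(items, 2):
        for ballot in ballots:
            # Accept the pair in either orientation; a missing pair is a split vote.
            share = ballot.get((a, b), 1.0 - ballot.get((b, a), 0.5))
            score[a] += share
            score[b] += 1.0 - share
    ranked = sorted(items, key=lambda i: (-score[i], items.index(i)))
    return ranked, score

def asset_risk_matrix(assets, risks, asset_votes, risk_votes, controls):
    """Map ranked assets against ranked risks. Every cell is kept, even where no
    control exists yet, so each asset/risk pair is examined in priority order;
    the cell lists the control ids that mitigate that risk for that asset."""
    ranked_assets, _ = prioritize(assets, asset_votes)
    ranked_risks, _ = prioritize(risks, risk_votes)
    cells = []  # (asset, risk, [control ids]) in examination order
    for asset in ranked_assets:
        for risk in ranked_risks:
            ids = sorted(cid for cid, (_, covers, scope) in controls.items()
                         if risk in covers and (scope is None or asset in scope))
            cells.append((asset, risk, ids))
    return cells
```

Cells with an empty control list are the gaps a sysadmin can carry straight into the cost/benefit review the next slide describes.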
Recommendations
• The process recommends a general order in which IS should apply scarce resources to perform a cost/benefit analysis for the various assets & risks.
• For each asset, as directed by management, appropriate staff should:
  • Review the risks & controls
  • Add any further risks/controls not identified
  • Assess the potential cost of an incident
  • Assess the cost of control purchases and deployment
  • Analyze cost vs. benefit for each asset
  • Submit results to management, which retains the responsibility to weigh investments and make implementation decisions

References
• http://security.vt.edu
• www.sans.org
• www.nipc.gov
• www.jmu.edu/info-security
• www.cornell.edu/CPL
• www.securityfocus.com
• www.insecure.org
APPENDIX 1
• The following matrices are examples of your matrix reports:
  • Exhibit A (ASSET Matrix)
  • Exhibit B (ASSET WEIGHT Matrix)
  • Exhibit C (RISKS Matrix)
  • Exhibit D (RISK WEIGHT Matrix)
  • Exhibit E (ASSET-RISK Matrix)
  • Exhibit F (CONTROLS Matrix)

APPENDIX 2
• The following spreadsheets are the compliance reports:
  • Overall Compliance Report lists the general vulnerabilities a system has. This is a quick 1-page report for management or the auditors.
  • Asset/Risk Matrix lists whether a system is affected by a risk. The risks are more specific.
  • Controls Matrix lists what controls are in place for a given system.
  • Individual Action Matrix lists the details of an audit for each node. Did the system comply?

APPENDIX 3
• The following checklist gives the detailed commands to be performed in the “audit”.
• The categories are based on the Risk Matrices in Appendix 1.
• The results of the checklist commands are inserted in the Compliance matrices of Appendix 2.
• This checklist and the matrices form the overall audit/security checklist package.

APPENDIX 4
• Your company’s response policy will dictate the degree of audit record keeping you’ll have to maintain.
• There are 2 strategies:
  • Protect and Proceed
  • Pursue and Prosecute
Incident Handling: Protect and Proceed?
Which strategy should your organization follow to handle an incident? This dictates the level of record keeping needed to fulfill the strategy. (RFC 2196)
Protect and Proceed means:
- the protection and preservation of site facilities
- return to normal operations as soon as possible
- actively interfere with intruder attempts
- begin immediate damage assessment and recovery
Use if:
- assets are not well protected
- continued penetration could result in financial risk
- possibility or willingness to prosecute is not present
- user community is unknown
- unsophisticated users and their work is vulnerable
- the site is vulnerable to lawsuits from users if their resources are undermined

Incident Handling: Pursue and Prosecute?
Allow intruders to continue their activity until the site can identify them. This is recommended by law enforcement agencies.
Use if:
- system assets are well protected
- good backups are available
- asset risks are outweighed by the risk of future penetrations
- it's a concentrated and frequent attack
- the site has a natural attraction to intruders, e.g. university, bank
- the site is willing to spend the money and risk to catch the guy
- intruder access can be controlled
- well-developed monitoring tools are available
- you have a technically competent support staff
- management is willing to prosecute
- system administrators know in general what evidence will aid in prosecution
- there is established contact with law enforcement agencies
- the site has involved their legal staff