A Holistic Approach to Vulnerability Assessment: Do You Know Where Your Data Is? (PowerPoint presentation transcript)
Description: A Holistic Approach to Vulnerability Assessment. Do You Know Where Your Data Is? ... Included data on AA, NWA, UAL, Delta, 130 airlines. Travel agency transactions ... (PowerPoint PPT presentation)

Slides: 42
Provided by: nanette3
Transcript and Presenter's Notes
1
A Holistic Approach to Vulnerability
AssessmentDo You Know Where Your Data Is?
  • By Nan Poulios, CISSP, CISM

2
Overview of Today's Presentation
  • Traditional Methods
  • Why aren't they enough?
  • What more should you be doing?

3
Traditional Methods

4
Scan for Vulnerabilities
  • Hosts
  • Networks
  • Firewalls
  • Servers
  • Desktops
  • Routers
  • Use commercial and freeware tools

5
Crack Passwords
  • Run password crackers on password files
  • Time Consuming
  • Benefits?
  • Case Study

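The "Crack Passwords" slide says to run password crackers against your password files but leaves the cost and the benefit as open questions. The added example below is not from the presentation; it is a small dictionary audit written for this page. It constructs a sample password file of its own (the `user:pbkdf2_sha256$iterations$salt$digest` line format is an assumption made for the example, not any real system's format), then tries a short wordlist against every account. The cost is visible in the returned computation count (accounts x words x iterations), which is exactly why the slide calls the exercise time consuming, and the benefit is the list of accounts whose passwords appear in the wordlist.

```python
import hashlib
import hmac
import secrets

# Constructed line format for the sample password file (assumption for this
# example): user:pbkdf2_sha256$<iterations>$<hex salt>$<hex digest>
SCHEME = "pbkdf2_sha256"
ITERATIONS = 10_000


def make_entry(user: str, password: str, iterations: int = ITERATIONS) -> str:
    """Build one line of the constructed sample password file."""
    salt = secrets.token_bytes(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{user}:{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def parse_entry(line: str):
    """Split a line into (user, iterations, salt bytes, digest bytes)."""
    user, rest = line.strip().split(":", 1)
    scheme, iterations, salt_hex, digest_hex = rest.split("$")
    if scheme != SCHEME:
        raise ValueError(f"unsupported hash scheme for {user}: {scheme}")
    return user, int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def audit(password_file: str, wordlist) -> tuple[dict, int]:
    """Try every wordlist entry against every account.

    Returns ({user: guessed_password}, number_of_hash_computations). Each
    computation runs the full PBKDF2 iteration count, so the second value is
    what makes cracking slow: accounts x words x iterations.
    """
    cracked = {}
    computations = 0
    words = list(wordlist)
    for line in password_file.splitlines():
        if not line.strip():
            continue
        user, iterations, salt, digest = parse_entry(line)
        for word in words:
            computations += 1
            guess = hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iterations)
            if hmac.compare_digest(guess, digest):
                cracked[user] = word
                break  # one hit per account is enough for an audit
    return cracked, computations


# Constructed sample data: three weak passwords and one passphrase the
# wordlist does not contain. Salts are random, so the file differs per run.
SAMPLE_PASSWORD_FILE = "\n".join([
    make_entry("alice", "password1"),
    make_entry("bob", "Summer2004"),
    make_entry("carol", "orbit-walnut-harbor-lantern"),
    make_entry("dave", "letmein"),
])

# Constructed wordlist; a real audit would use a full dictionary plus
# organisation-specific terms and common mangling rules.
WORDLIST = ["123456", "password", "password1", "letmein", "Summer2004", "qwerty"]


def run_audit() -> tuple[dict, int]:
    return audit(SAMPLE_PASSWORD_FILE, WORDLIST)


if __name__ == "__main__":
    cracked, n = run_audit()
    print(f"{n} hash computations; weak accounts: {sorted(cracked)}")
```

Reading the result the way the slide intends: the accounts that fall to a six-word list are the finding; the computation count, multiplied by a realistic dictionary and the hash's iteration count, is the time budget you are committing to.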
6
Patch, Patch, Patch Vulnerabilities
  • Patch Systems
  • Time consuming
  • May break applications
  • Requires numerous resources
  • Requires testing and change management procedures
  • Normally, you are behind

7
Sniffers and IDS
  • Sniffers on the network
  • Employ IDS
  • Hash/CheckSum of Files
  • Deploy Snort
  • Time Sync
  • Review Log files

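The "Hash/CheckSum of Files" bullet on the slide above is the one traditional control on this list that is easy to build yourself. The example below is added for this page and is not the presenter's code: it takes a SHA-256 baseline of a directory tree, stores it outside that tree, and later reports files that were added, removed, or modified. The `demo()` scenario (a fake `etc` tree, a weakened `sshd_config`, a deleted `hosts`, a planted `ld.so.preload`) is constructed inline so the block runs offline; the file names are illustrative.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of one file, streamed so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped so an attacker cannot point the checker at a
    different file than the one the baseline describes.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare_baselines(old: dict, new: dict) -> dict:
    """Diff two baselines into added / removed / modified relative paths."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in common if old[p] != new[p]),
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a fake etc tree, tamper with it, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "ssh").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")

        # The baseline lives outside the monitored tree; in production it
        # should also be copied off-host or signed, or the intruder edits it.
        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_path)

        # Simulated tampering: config weakened, file removed, file planted.
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "hosts").unlink()
        (root / "ld.so.preload").write_text("/tmp/evil.so\n")

        return compare_baselines(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two points the slide's one-line bullet hides: the baseline is only as trustworthy as where it is stored, which is why the example keeps it outside the tree and the comment says to move it off-host; and a hash check tells you that a file changed, not whether the change was authorised, so the output has to be reconciled against change management rather than treated as an alert on its own.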
8
Why Arent These Actions Enough?
  • Case Studies of Breaches

9
Wells Fargo
  • Nov, 2003 - 200,000 names, credit card numbers
    and SSNs stolen during break-in and theft of
    contractor laptop
  • Feb. 26, 2004 - rental car stolen from gas
    station with laptop in trunk, contained over 1000
    names, addresses, SSNs of mortgage customers
  • http://www.identitytheft911.com/education/articles/art20040416wells.htm

10
Airlines Reporting Corp
  • Dec, 2003 a computer containing customer data
    was stolen
  • Contained Credit Card Info
  • Included data on AA, NWA, UAL, Delta, 130
    airlines
  • Travel agency transactions
  • http://www.interesting-people.org/archives/interesting-people/200401/msg00128.html

11
Deere Harvester and Alcoa CU
  • Third party processor theft of Credit Cards
  • Issued new credit cards
  • http://www.qctimes.com/internal.php?story_id1022739tBusinessc31,1022739

12
BJ's
  • March, 2004 - Theft of computerized credit card
    data from warehouse club
  • Faces lawsuits from 12 banks for replacement
    costs of hundreds of thousands of Credit Cards
    and reimbursement of fraudulent activity
  • http://business.bostonherald.com/technologyNews/view.bg?articleid34432format

13
Why???
  • Companies didn't have policies?
  • Companies didn't perform risk assessments or
    vulnerability assessments?
  • Companies didn't perform scans of their network?
  • Companies don't use IDS?
  • Yes, they were diligent, but still had a breach!
  • So companies must have stupid users then!

14
How Do We Prevent These Events?
  • A holistic method of Vulnerability Assessment

15
Four Areas to Assess
  • Governance
  • Physical Security
  • Business Process and Data Flow
  • Technical Areas

16
Governance Elements
  • Information Security Management System
  • Policies, Standards, Procedures and Guidelines
  • Employee Training
  • Monitoring Compliance

17
Physical Security
  • Facility Security
  • Remote Locations
  • Data Centers
  • Security of Devices when taken off campus
  • Team with physical security department

18
Business Processes and Data Flow
  • Partner Connections
  • Data Classification
  • Asset Inventory
  • PDAs, Laptops, etc.
  • Remote Users
  • Other uses of data (i.e. marketing)

19
Technical
  • All the traditional stuff we already do!

20
Steps to a Better Assessment
  • Identify legal, regulatory requirements,
    internal policy
  • Perform a gap analysis
  • Develop assessment plan
  • Perform assessment/gather data
  • Analyze data
  • Write Report/Findings
  • Mitigate vulnerabilities
  • Re-assess

21
Step 1 - Possible Standards and Guidelines
  • ISO 17799
  • NIST Guides
  • Cobit
  • COSO
  • ISFs Standard of Good Practice
  • Regulatory and Legal Requirements
  • Internal Policies

22
Start with a Framework/Plan
  • Select a standard: ISO 17799, NIST, ISF etc.
  • Identify regulatory and legal requirements
  • NERC/FERC, HIPAA, GLBA, SOX, EU Privacy
  • Compare with internal policies and standards
    Are you covered?

23
Sample Element - Training Requirements
  • ISO 17799 6.2.1 Information security education
    and training All employees of the organization
    and, where relevant, third party users, should
    receive appropriate training and regular updates
    in organizational policies and procedures. This
    includes security requirements, legal
    responsibilities and business controls, as well
    as training in the correct use of information
    processing facilities e.g. log-on procedure, use
    of software packages, before access to
    information or services is granted.
  • FFIEC Examiner's Handbook, "Security Controls
    Implementation PERSONNEL SECURITY states,
    "Financial institutions should mitigate the risks
    posed by internal users by providing training to
    support awareness and policy compliance."
  • NCUA 748 Appendix A III (B) 2. Train staff to
    implement the credit union's information security
    program.

24
Training Requirements2
  • Safeguards Rule 314.4 Elements."(1) Employee
    training and management"
  • Cobit 7.0 Manage Human Resources 7.4:
    "Management should ensure that employees are
    provided with orientation upon hiring and with
    on-going training to maintain their knowledge,
    skills, abilities and security awareness to the
    level required to perform effectively. Education
    and training programmes conducted to effectively
    raise the technical and management skill levels of
    personnel should be reviewed regularly."

25
Training Requirements3
  • NERC 1200 The entity performing the
    reliability authority, balancing authority,
    interchange authority, transmission service
    provider, transmission operator, generator, or
    load-serving entity function shall train
    personnel commensurate with their access to
    critical cyber assets. The training shall
    address, at a minimum the cyber security policy,
    physical and electronic access controls to
    critical cyber assets, the release of critical
    cyber asset information, potential threat
    incident reporting, and action plans and
    procedures to recover or re-establish critical
    cyber assets following a cyber security incident.
    Training shall be conducted upon initial
    employment and reviewed annually.

26
Training Requirements4
  • FISMA: "(4) security awareness training to inform
    personnel, including contractors and other users
    of information systems that support the operations
    and assets of the agency, of (A) information
    security risks associated with their activities
    and (B) their responsibilities in complying with
    agency policies and procedures designed to reduce
    these risks"

27
Training Requirements5
  • Department of Homeland Security 21 Steps for
    Securing SCADA
  • People can be a weak link in an otherwise secure
    network.
  • Conduct training and information awareness
    campaigns to ensure that personnel remain
    diligent in guarding sensitive network
    information, particularly their passwords.

28
Step 2 Gap Analysis
  • Perform a gap analysis
  • List all elements for training requirements from
    previously identified regulations
  • Use an Excel spreadsheet
  • Insert your internal policy for training
  • Are you covered?

29
Step 3 Develop Plan
  • Develop assessment plan for awareness training
  • Develop questions for HR staff
  • Develop questions Security staff
  • Develop questions users
  • List of training materials and other
    documentation for review

30
Step 4 Assessment
  • Perform Assessment
  • Conduct Interviews
  • Survey Users
  • Gather supporting documentation

31
Step 5 -Analysis
  • Rate the severity of risks and vulnerabilities
  • Confirm results
  • Analyze vulnerability based on data
    classification, physical security, threat etc.
  • Determine risk from aggregate vulnerabilities

32
Step 6 -Report
  • Write the Report
  • Include a management summary
  • Rank order your findings
  • Provide reasonable recommendations and
    alternatives
  • Include technical details for mitigation team

33
Step 7 Mitigate Vulnerabilities
  • Provide technical team with details
  • Already have a roadmap from your report

34
Step 8 - Reassess
  • You must certify and reassess your solutions
  • Remember separation of Duties
  • Cyclical

35
Example 3 - Paper Based Media Handling
  • Gramm-Leach-Bliley Act Privacy 501(b)
  • FTC Safeguards Rule 314.3 (b) (1) Insure the
    security and confidentiality of customer
    information
  • ISO 17799 8.6.2 Disposal of media
  • Media should be disposed of securely and safely
    when no longer required. Sensitive
  • information could be leaked to outside persons
    through careless disposal of media.
  • ISO 17799 12.1.4 Data protection and privacy of
    personal information

36
Paper Based Media Handling2
  • FFIEC Examiner's Handbook "SECURITY CONTROLS
    IMPLEMENTATION
  • ELECTRONIC AND PAPER-BASED MEDIA HANDLING
  • Action Summary
  • Financial institutions should control and protect
    access to paper, film and computer-based media to
    avoid loss or damage. Institutions should
  • Establish and ensure compliance with policies for
    handling and storing information,
  • Ensure safe and secure disposal of sensitive
    media, and
  • Secure media in transit or transmission to third
    parties.

37
Example 3 - Security Roles
  • 1. Safeguards Rule to implement Gramm-Leach-Bliley
    Act (GLBA) 12 CFR Part 30
  • "Train staff to implement the bank's information
    security program."
  • "Oversee the development, implementation, and
    maintenance of the bank's information security
    program, including assigning specific
    responsibility for its implementation and
    reviewing reports from management."
  • 2. (a) Designate an employee or employees to
    coordinate your information security program.
    16CFR Part 314.4 (a)

38
Security Roles2
  • 3. Cobit Control Objective 5.1, Manage Security
    Measures
  • 4. ISO 17799, "4.1 Information security
    infrastructure" and "4.1.3 Allocation of
    information security responsibilities"
  • 5. FFIEC IT Security Examiners Handbook,
    "Security Process - Roles and Responsibilities"
    and "Security Controls Implementation - Personnel
    Security"
  • 6. NCUA Regulations 12 CFR Part 748.2 (c) (3)
    (4): "(3) Designate an individual responsible for
    coordinating and monitoring day-to-day compliance;
    (4) Provide training for appropriate personnel."

39
Conclusion
  • Keep doing what you are already doing
  • Add new assessments of the other areas
  • Control your data

40
Questions?
41
Thank You
  • Nan Poulios
  • Nan.poulios_at_easyi.com