i nformation t echnology s ecurity s ervices recon risk evaluation of computers and open networks...

INFORMATIONTECHNOLOGYSECURITYSERVICES

RECONRisk Evaluation of Computers and Open Networks

Developed by

Kirk SolukUniversity of Michigan

Information Technology Security Services


2

Risk Assessment Drivers

• No such thing as perfect security• Need to balance effectively risk against other factors• Need a foundation for well-informed decisions that

justify IT expenditures• Regulations

The entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework.This decision will depend on a variety of factors, such as, among others, the entity’s risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation.

- HIPAA Security Rule


3

Why RECON?

• Facilitate consistent decisions across the University Especially when combined with data classification

• Facilitate rollup of results So the University’s overall security posture can be measured

• “Michiganize”• Outsourcing misses the point

Security issue #1: The Business-Trust Divide

• Leverage University expertise Training Address risk assessment requirements of all regulations at

once …

To be more effective, security professionals must learn how to speak the language of the businesses they serve - Meta Group Practice 2104: The Top 10 Security Issues


4

All regulations legislate similar best practices

SOXSOX FERPA FERPA HIPAAHIPAA GLBAGLBA

One Common Risk Assessment Methodology (RECON)One Common Risk Assessment Methodology (RECON)

SOXSOX FERPA FERPA HIPAAHIPAA GLBAGLBA

SOX RASOX RAProcessProcess

FERPA RAFERPA RAProcessProcess

HIPAA RAHIPAA RAProcessProcess

GLBA RAGLBA RAProcessProcess

YouYou

YouYou


5

What is RECON?

• Derived from ISO 17799 (2005) NIST 800-53 not available at the time

• A Questionnaire (Excel Spreadsheet) Built-in Risk analysis Logic & Visualization

• A Set of Security Tests

• A Template for Reporting ResultsA Risk Assessment Facilitator (IT Security Professional) leverages these RECON components to identify risks and potential mitigation strategies and to present/discuss this information with unit leadership. Unit leadership is responsible for approving the final risk treatment decisions


6

RECON Process Flow


7

Scope is critical

• Provides the context within which the RECON questions are answered Don’t combine systems with different security

requirements in the same assessment If the answer for one system in scope is “No”,

the answer is “No” for the entire scope.

• Focus is on Systems that process “sensitive” information Mission critical systems


8

The RECON Questionnaire

• 219 questions about 54 control objectives in 11 different areas: 1. Organizational Security 2. Asset Management 3. Human Resources Security 4. Physical and Environmental Security 5. Operations 6. Network Security 7. Access Control 8. Host Security 9. Data Security 10. Incident Management 11. Business Continuity


9

Network Security Area Example:25 questions about 7 control objectives

• 6. Network Security 6.1 Perimeter Security

6.1.1 A firewall (or equivalent mechanism) exists between your unit's (or department's) network, other University networks, and public networks such as the Internet

6.1.2 The firewall (or equivalent mechanism) uses a "default deny" posture where all access that is not explictly allowed is automatically denied

6.1.3 Firewall changes are subject to a formal approval process 6.2 User authentication for external connections

6.2.1 Access to the internal network by remote users is subject to user authentication

6.2.2 Users are authorized (out of band) before they are allowed to access the internal network from remote locations

6.3 Authorization process for information processing facilities 6.3.1 New systems must be authorized by management before they can be

connected to the network 6.3.2 Rogue System Detection

... 6.7 Intrusion detection


10

RECON Questionnaire Responses

• For each question, two responses are needed: Are there policies and/or procedures requiring the control? Is the control operationally implemented? Answers: "Yes", No", "n/a", "n/r"

Industry Standard Best Practices

derived from ISO 17799:2005

Response 1:Documented

Policies, Procedures, Guidelines

Response 2:Implementation/

Operations


11

RECON Security Tests

• Used to answer specific RECON questions accurately. For example, Do you have a password policy that prevents dictionary words? Have you minimized the attack surface of of your hosts Is your firewall configured as expected? Are your systems up to date with respect to patches? Etc.

• Current RECON Test Suite Attack Surface Enumeration Password Audit Account Security Firewall Security War walking RAS Authentication Encryption Verification Vulnerability Scanning


12

Risk Analysis

• Answers to the questions determine the degree to which best practice security controls are adopted

• Risk is proportional to the lack of control adoption• Both documentation and implementation are considered in

the risk calculation Implementation weighs more

Documented?

Implemented?

Summary Risk

7.7 Removal of access rights 80%7.7.1 Access rights are removed upon

termination of employment, contract, or agreement

No Yes 60%

7.7.2 Personnel files are periodically matched with user accounts to ensure that terminated or transferred individuals do not retain access to systems

No No 100%

7.8 Unattended user equipment


13

Risk Identification and Prioritization

•Focus on Severe and High Risk controls identified in the RECON Questionnaire

•In the RECON Report Template, severe and high-risk controls are referred to as Non-existent and in Need of major improvement respectively


14

RECON Report

• Description of scope• Systems & Applications

• Description of methodology

• Detailed list of severe and high risks along with mitigation strategies

• Appendix lists every accepted risk

• Executive summary


15

Further Action

• It is the responsibility of the Risk Assessment Facilitator to educate unit leadership about the risks and to make recommendations

• It is the responsibility of Unit Leadership to make the final business (i.e. risk) decisions: Mitigate at some (approved) cost OR Continue to accept the current risk


16

RECON Process Summary


17

RECON Case Study Effort

• Scope Complete (14 hours) 3 x 1hour “kick-off” meetings to understand the major apps 3 x 1hour “investigative” meetings to refine scope and network diagram 1 x 8 hour drawing diagrams and filling in scope details

• Questionnaire Complete (20 hours) 1 x 1hour meeting with HR 7 x 2hour technical meetings (Lot’s of working lunches) 5 x 1hour “follow-up” meetings

• Test Complete (60 hours) 3 x 1hour meetings for securing authorization 3 x 8hours for network scanning (50 hosts x 5 networks) 3 x 8hours for other tests 3 x 1hour meetings for verifying results 3 x 2hour meetings for analyzing results

• Total (94 Hours) ~2.5 full-time weeks spread over a 2 month period Doesn’t count time to write final report!


18

RECON Experience

• 104 + 17 RECON assessments in ITS 101 Campus Computer Security training course (2005 - present)

• GLBA was a driver for several wide-ranging assessments 1. Student Financial Operations - Higher Education

Production Systems in MAIS. 2. Student Accounts - i.e. Financial Aid Systems 3. UM Dearborn Financial Systems 4. UM Flint Financial Systems

UM Flint risk assessment provided the foundation for Flint's annual IT appropriations request.


19

RECON Experience

• 5. The UM Windows Forest The UM Windows Forest assessment

resulted in the formation of a technical committee from four major units (Engineering, Business, LSA, Housing) that unanimously endorsed and will soon be presenting to the Forest IT Directors a request for 15 major security enhancements.

i nformation t echnology s ecurity s ervices recon risk evaluation of computers and open networks...

Documents