Risk Assessments in Many Flavors George J. Dolicker, CISA, CISSP.


1 Risk Assessments in Many Flavors George J. Dolicker, CISA, CISSP

2 ©2005 George J. Dolicker. All Rights Reserved
Agenda
  Fully Buzz-Word Compliant
  Key Factors to be Considered
  Hierarchical Investigations
  Standards, Regs, and Methodologies
  The IAM and IEM from NSA
  Conclusions
  Q&A

3 Fully Buzz-Word Compliant
  Security Assessment
  Security Audit
  Security Evaluation
  Risk Assessment
  Risk Analysis
  Vulnerability Analysis
  Vulnerability Assessment

4 Fully Buzz-Word Compliant
  Pen Test
  Red Team
  Tiger Team
  Ethical Hack
  White Hat Hack

5 Key Factors to be Considered
  What’s important to you
  What it’s worth to you
  Who your enemies are
  What it’s worth to them
  How secure you want to be
  How secure you need to be
  How to get there from where you are today

6 Hierarchical Investigations
  Level 1
    – Cooperative High Level Overview
    – Information Criticality Analysis
    – Includes Policy, Procedures, & Information Flow
    – No Hands-on Testing

7 Hierarchical Investigations
  Level 2
    – Hands-on process
    – Cooperative Testing
    – Diagnostic Tools
    – Penetration Tools
    – Specific Technical Expertise

8 Hierarchical Investigations
  Level 3
    – Adversarial
    – External Penetration Tests
    – Simulation of Anticipated Adversary
    – Good Place for Clear Rules of Engagement!

9 Why Some Don’t WANT to Know
  Ignorance remains a defense…
    » …but not a good one
  Blame Management
    » “How did you let it get this way?”
  Budget Constraints
  Turf Issues
  Span of Control

10 Standards, Regs, and Methodologies
  COBiT
  BS7799
  ISO-17799

11 Standards, Regs, and Methodologies
  SOX
  HIPAA

12 Standards, Regs, and Methodologies
  X-Corp Security X-Ray
  NIST 800-30
  NSA IAM
  NSA IEM

13 NIST 800-30
  Step 1: System Characterization
  Step 2: Vulnerability Identification
  Step 3: Threat Identification
  Step 4: Control Analysis
  Step 5: Likelihood Determination

14 NIST 800-30
  Step 6: Impact Analysis
  Step 7: Risk Determination
  Step 8: Control Recommendations
  Step 9: Results Documentation
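Steps 5 through 7 above are where the 800-30 process turns qualitative findings into a ranked list. The following is an added example (not from the slides) that carries a few constructed threat/vulnerability pairs through likelihood determination, impact analysis and risk determination using the weights of the SP 800-30 Risk-Level Matrix; the `ThreatVulnPair` fields and the sample pairs are assumptions made for illustration.

```python
"""NIST SP 800-30 Steps 5-7 worked through (added example, not from the deck).
Weights follow the Risk-Level Matrix in the 2002 edition of SP 800-30: likelihood
High=1.0/Medium=0.5/Low=0.1, impact High=100/Medium=50/Low=10; >50 High, >10 Medium."""
from dataclasses import dataclass

LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}

@dataclass
class ThreatVulnPair:           # hypothetical record type, not from SP 800-30
    threat: str                 # Step 3: threat-source
    vulnerability: str          # Step 2: weakness it could exercise
    threat_capable: bool        # Step 5 input: source motivated and capable?
    control_effective: bool     # Step 4: does a current control impede it?
    impact: str                 # Step 6: High / Medium / Low

def determine_likelihood(pair: ThreatVulnPair) -> str:
    # Step 5: likelihood combines threat motivation/capability with the
    # effectiveness of the controls already in place.
    if not pair.threat_capable:
        return "Low"
    return "Medium" if pair.control_effective else "High"

def risk_level(likelihood: str, impact: str) -> tuple:
    # Step 7: multiply the two weights and map the product onto the scale.
    score = round(LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact], 6)
    level = "High" if score > 50 else "Medium" if score > 10 else "Low"
    return score, level

def assess(pairs: list) -> list:
    # Orders pairs worst-first so Step 8 control recommendations can be
    # prioritised; each row is the material Step 9 documents.
    rows = []
    for p in pairs:
        likelihood = determine_likelihood(p)
        score, level = risk_level(likelihood, p.impact)
        rows.append({"threat": p.threat, "vulnerability": p.vulnerability, "likelihood": likelihood,
                     "impact": p.impact, "score": score, "risk": level})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

SAMPLE_PAIRS = [  # constructed sample input, not real findings
    ThreatVulnPair("External attacker", "Unpatched internet-facing server", True, False, "High"),
    ThreatVulnPair("Disgruntled insider", "Shared admin account", True, True, "Medium"),
    ThreatVulnPair("Casual visitor", "Unlocked server room door", False, False, "High"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_PAIRS):
        print(f"{row['risk']:<6} {row['score']:>5} {row['threat']}: {row['vulnerability']}")
```

Note the third pair: a High impact with Low likelihood scores exactly 10, which the 800-30 scale still rates Low, so impact alone never drives the ranking.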

15 (slide text not captured in the transcript)

16 (slide text not captured in the transcript)

17 The NSA Infosec Assessment Methodology
  Characteristics
  Pre-Assessment
  On-Site Activities
  Post-Assessment

18 Characteristics
  By request only
  Management Buy-in
  Success depends on cooperation of people
  Non-attribution
  Strong focus on policy, practice, process and procedure
  Findings protected as proprietary
  Timeliness

19 Phase 1: Pre-Assessment
  Purpose
    – Refine customer needs
    – Gain an understanding of the criticality of the customer’s systems and information
    – Identify systems, including system boundaries
    – Coordinate logistics with the customer
    – Write an assessment plan

20 The Assessment Plan
  1. Points of Contact
  2. Organization
  3. Information Criticality
  4. System Criticality
  5. Concerns/Constraints

21 The Assessment Plan
  6. System Configurations
  7. Interviewees
  8. Documents
  9. Project Plan

22 Phase 2: On-Site Activities
  Purpose
    – To explore and confirm the information and conclusions made during the Pre-Assessment Phase
    – To perform data gathering and validation
        Interviews
        Documentation
        System demonstrations
    – To provide initial analysis and feedback to the customer

23 18 Areas of Investigation
  1. Documentation
  2. Roles and Responsibilities
  3. Contingency Planning
  4. Configuration Management
  5. Identification and Authentication
  6. Account Management
  7. Session Controls
  8. Auditing
  9. Malicious Code Protection
  10. Maintenance
  11. System Assurance
  12. Networking/Connectivity
  13. Communications Security
  14. Media Controls
  15. Labeling
  16. Physical Environment
  17. Personnel Security
  18. Education, Training and Awareness

24 Phase 3: Post-Assessment
  Purpose
    – Finalize analysis
    – Prepare and deliver a final report

25 The Final Report
  Executive Summary
    – Overview of organization/mission
    – Purpose and methodology of assessment
    – System description/information criticality
    – Major findings and recommendations

26 The Final Report
  Introduction
    – Provides background information
        Overview of organization’s mission
        Purpose of the assessment
        Organizational mission information and information criticality
        System criticality
        Customer concerns

27 The Final Report
  System Descriptions
    – Description of the systems assessed
        Network components (e.g., firewalls, modems, routers, wireless)
        Connectivity
        Number/type of users
        Operational schedules
    – Diagrams

28 The Final Report
  Analysis
    – Topic areas
    – Findings
    – Discussions
    – Recommendations

29 The Final Report
  Conclusions
    – Overall posture description
    – Recognition of good security practices

30 The NSA Infosec Evaluation Methodology
  What is IEM?
    – Analysis of the network structure
    – Examination of the security configuration of the servers, workstations, and network devices for vulnerabilities and exposures
    – Provide recommendations for improvement of the network security
    – Provide an “easy to understand” view of technical security at the organization

31 IEM Characteristics
  Includes hands-on testing
  Intrusive, but with no exploitation
  Repeatable processes
  Findings are protected as proprietary
  Provides a technical security roadmap customized to the environment

32 IEM Phase 1: Pre-Evaluation
    – Pull information from IAM Pre-Assessment
    – Coordination with the customer to determine Rules of Engagement
    – Define customer expectations
    – Define customer constraints or concerns
    – Develop the Technical Evaluation Plan

33 IEM Phase 2: On-Site
    – Verification of “known” components
    – Discovery of rogue components
    – Testing
    – Validating findings via manual checks

34 10 Baseline Activities
  1. Port Scanning
  2. SNMP Scanning
  3. Enumeration & Banner Grabbing
  4. Wireless Enumeration
  5. Vulnerability Scanning
  6. Host Evaluation
  7. Network Device Analysis
  8. Password Compliance Testing
  9. Application Specific Scanning
  10. Network Sniffing

35 IEM Phase 3: Post Evaluation
    – Create the final report for the customer
        Provide complete findings for the evaluation
        Provide recommendations and alternatives to resolve each finding
        Provide a security roadmap based on customer input and industry standards
        Follow up with customer to provide support for questions or concerns

36 Conclusions
  Don’t let the Buzz-Words throw you
  Know what you want to know
  Insist on actionable results

37 Questions?
  Don’t Forget the Evaluations! (Session 132)

38 Thank You!

