Information Security Risk Assessments

1
Information Security Risk Assessments

• Kimmy Rallo, GSEC
• Security Architect

2
What do you want?

• Discussion What does a risk assessment do for
  you? What would you like for it to do?
• How many organizations here have a Risk
  Assessment Process?
• If youre in the market for a way to do Risk
  Assessments, look at Tom Peltier's Facilitated
  Risk Assessment Process (FRAP)

3
Why Perform Information Security Risk Assessments?

• Identify risks and recommend solutions for new
  products or implementations that have received
  inadequate security attention
• Appropriate step to ensure the security in an
  organization
• Raise awareness within the organization of
  security concerns

4
Key Information

• Identify and document risks vulnerabilities
• Provide proposals to mitigate risks
• Balance costs vs. acceptable risks
• Estimate impact to IT resources and project
  timelines
• Set expectations with the project team
  (especially the project lead) upfront

5
Who participates?

• Roles responsibilities for successful
  assessments
• Project Manager
• Security Analyst
• Application Analyst
• Project Team Members
• Security Leader
• Technology Owner

6
Who should really do the risk assessment?

• 500 supported applications
• Risk assessments needed on all of them
• 1 lone security analyst
• 100 application analysts

7
What can I assess?

• Having a list of standard questions
• Use the methodology widely
• Practice is the best teacher
• RTFM

8
Finding Bob

• Email a list of written questions
• Insist on talking to a security geek
• Give the salesperson or vendor liaison time and
  space to get the questions answered

9
Authentication.

• What kind of authentication is happening between
  the systems involved?
• Things to look for
• What kind of authentication is it?
• Is there a generic and/or service account
  providing authentication to back end systems? Are
  Passwords strong?
• How does the authentication in the system differ
  from the security standards of the organization?

10
Encryption.

• What kind of encryption is used for data,
  certificates, and user credentials? Is sensitive
  data being passed or stored in clear text?
• Things to look for
• Is the encryption proprietary?
• Is the algorithm strong?
• Is the key length strong?
• Are user credentials sent over the network
  encrypted?
• Is any sensitive data stored unencrypted
  anywhere?

11
Media (key storage, disks, tapes)

•  Will backup tapes or temporary files potentially
  contain sensitive or confidential information? 

12
Architecture Concerns.

• Where do the systems sit in relation to
  organization systems and architecture? How does
  this affect the organizations network
  architecture?
• Will there be a connection to the same system(s)
  where other vendor customers are connected? If
  so, how is connection to multiple customers done
  securely? 

13
Application Security.

• What settings should be made within the
  application to ensure a secure implementation?
• How is application security handled? 

14
Database Security.

• Is anyone ever required to log in with the schema
  owner password?
• How is database authentication and security
  handled?  

15
Auditing and Monitoring.

• What auditing is recommended to monitor for
  unauthorized access?

16
Physical security.

• What physical security measures are not present
  that should be?
•  

17
Operating System Security.

• How does the OS lockdown need to be modified
  (tightened or lessened) to work with the proposed
  implementation?
• Are there any permissions that should be set on
  application files, directories, or registry keys
  to further mitigate the risk of system
  compromise?
• What levels of access do application user
  accounts require to critical or sensitive
  application/database files?

18
Remote Access.

•  What management and use of the application
  can/will be done over the Internet? Is there any
  way around this?
• Will any vendor employees require access to any
  internal systems?
• To consider
• How will remote administration and remote access
  be done securely?

19
Starting the documentation

• Executive summary
• Action plan
• High level scope
• Risk categories
• Background
• Controls
• Items already planned
• Recommended Items
• Future Recommendations

20
When do I start?

• At the inception of a project
• Before product is purchased
• Again as implemented due to vendor issues,
  complications of installations, configuration
  changes, etc.

21
Links

• http//www.scmagazine.com/scmagazine/sc-online/200
  1/review/029/product_book.html
• http//www.securityauditor.net/
• http//www.networkcomputing.com/1121/1121f3.html
• http//www.breakwatersecurity.com/how/risk.cfm
• http//www.sans.org/rr/authentic/clear_text.php

22
Thank you!

• Thank you for your time and attention.
• If you wish to contact me to discuss questions on
  risk assessments, please contact me at
  kimmy_rallo_at_yahoo.com