Information Security Risk Assessments - PowerPoint PPT Presentation

About This Presentation
Title:

Information Security Risk Assessments

Description:

Discussion: What does a risk assessment do for you? What would you like for it to do? ... Assessments, look at Tom Peltier's Facilitated Risk Assessment Process (FRAP) ... – PowerPoint PPT presentation

Number of Views:251
Avg rating:3.0/5.0
Slides: 22
Provided by: KRa75
Transcript and Presenter's Notes

1
Information Security Risk Assessments
  • Kimmy Rallo, GSEC
  • Security Architect

2
What do you want?
  • Discussion: What does a risk assessment do for
    you? What would you like for it to do?
  • How many organizations here have a Risk
    Assessment Process?
  • If you're in the market for a way to do Risk
    Assessments, look at Tom Peltier's Facilitated
    Risk Assessment Process (FRAP)

3
Why Perform Information Security Risk Assessments?
  • Identify risks and recommend solutions for new
    products or implementations that have received
    inadequate security attention
  • Appropriate step to ensure the security in an
    organization
  • Raise awareness within the organization of
    security concerns

4
Key Information
  • Identify and document risks & vulnerabilities
  • Provide proposals to mitigate risks
  • Balance costs vs. acceptable risks
  • Estimate impact to IT resources and project
    timelines
  • Set expectations with the project team
    (especially the project lead) upfront

5
Who participates?
  • Roles & responsibilities for successful
    assessments
  • Project Manager
  • Security Analyst
  • Application Analyst
  • Project Team Members
  • Security Leader
  • Technology Owner

6
Who should really do the risk assessment?
  • 500 supported applications
  • Risk assessments needed on all of them
  • 1 lone security analyst
  • 100 application analysts

7
What can I assess?
  • Having a list of standard questions
  • Use the methodology widely
  • Practice is the best teacher
  • RTFM

8
Finding Bob
  • Email a list of written questions
  • Insist on talking to a security geek
  • Give the salesperson or vendor liaison time and
    space to get the questions answered

9
Authentication.
  • What kind of authentication is happening between
    the systems involved?
  • Things to look for
  • What kind of authentication is it?
  • Is there a generic and/or service account
    providing authentication to back end systems? Are
    Passwords strong?
  • How does the authentication in the system differ
    from the security standards of the organization?

10
Encryption.
  • What kind of encryption is used for data,
    certificates, and user credentials? Is sensitive
    data being passed or stored in clear text?
  • Things to look for
  • Is the encryption proprietary?
  • Is the algorithm strong?
  • Is the key length strong?
  • Are user credentials sent over the network
    encrypted?
  • Is any sensitive data stored unencrypted
    anywhere?

11
Media (key storage, disks, tapes)
  • Will backup tapes or temporary files potentially
    contain sensitive or confidential information?

12
Architecture Concerns.
  • Where do the systems sit in relation to
    organization systems and architecture? How does
    this affect the organization's network
    architecture?
  • Will there be a connection to the same system(s)
    where other vendor customers are connected? If
    so, how is connection to multiple customers done
    securely?

13
Application Security.
  • What settings should be made within the
    application to ensure a secure implementation?
  • How is application security handled? 

14
Database Security.
  • Is anyone ever required to log in with the schema
    owner password?
  • How is database authentication and security
    handled?  

15
Auditing and Monitoring.
  • What auditing is recommended to monitor for
    unauthorized access?
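The slide asks what auditing should be in place to monitor for unauthorized access. As an added illustration (not part of the presentation, and not any product's real log format), the script below runs two simple rules over a handful of constructed application auth-log lines: a burst of failed logins for one account from one source within a short window, and a successful login that follows such a burst. The log format, the threshold of five failures and the five-minute window are all assumptions chosen for the example.

```python
"""Added example: two monitoring rules over constructed application auth-log lines.

Not from the presentation; the log format, threshold and window are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed syslog-like format; not output of a real system).
SAMPLE_LOG = """\
2024-03-01T08:00:01 host1 app-auth: FAIL user=bob src=10.0.0.5
2024-03-01T08:00:03 host1 app-auth: FAIL user=bob src=10.0.0.5
2024-03-01T08:00:04 host1 app-auth: FAIL user=bob src=10.0.0.5
2024-03-01T08:00:05 host1 app-auth: FAIL user=bob src=10.0.0.5
2024-03-01T08:00:06 host1 app-auth: FAIL user=bob src=10.0.0.5
2024-03-01T08:00:09 host1 app-auth: OK user=bob src=10.0.0.5
2024-03-01T08:15:00 host1 app-auth: OK user=alice src=10.0.0.7
2024-03-01T08:20:00 host1 app-auth: FAIL user=alice src=10.0.0.7
2024-03-01T08:20:30 host1 app-auth: OK user=alice src=10.0.0.7
this line is garbage and must not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) app-auth: (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

FAIL_THRESHOLD = 5          # assumed policy: 5 failures in WINDOW raise a finding
WINDOW = timedelta(minutes=5)


def parse(text):
    """Turn raw lines into event dicts; unparseable lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect(events, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Apply the two rules in timestamp order and return a list of findings."""
    findings = []
    recent_fails = defaultdict(list)   # (user, src) -> failure timestamps in window
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        # keep only failures still inside the sliding window
        recent_fails[key] = [t for t in recent_fails[key] if ev["ts"] - t <= window]
        if ev["result"] == "FAIL":
            recent_fails[key].append(ev["ts"])
            if len(recent_fails[key]) == fail_threshold:   # fire once per burst
                findings.append({"rule": "failed_login_burst", "user": ev["user"],
                                 "src": ev["src"], "at": ev["ts"].isoformat()})
        else:
            # a success right after a burst is the event worth an analyst's attention
            if len(recent_fails[key]) >= fail_threshold:
                findings.append({"rule": "success_after_burst", "user": ev["user"],
                                 "src": ev["src"], "at": ev["ts"].isoformat()})
            recent_fails[key].clear()
    return findings


def run_sample():
    """Convenience entry point: parse the constructed log and return the findings."""
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

Alice's single failure followed by a success stays below the threshold and produces nothing, which is the point of the window and threshold: the rules should surface bob's pattern without paging on everyday typos.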

16
Physical security.
  • What physical security measures are not present
    that should be?

17
Operating System Security.
  • How does the OS lockdown need to be modified
    (tightened or lessened) to work with the proposed
    implementation?
  • Are there any permissions that should be set on
    application files, directories, or registry keys
    to further mitigate the risk of system
    compromise?
  • What levels of access do application user
    accounts require to critical or sensitive
    application/database files?
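Three of the checklist questions above lend themselves to an automated spot check during an assessment: whether sensitive data is stored unencrypted anywhere (Encryption slide), whether temporary files carry sensitive information (Media slide), and what permissions sit on application files and directories (this slide). The script below is an added example, not material from the presentation or from any product: it builds a small constructed application tree in a temporary directory, then walks it and flags world-writable files and directories, configuration and key files readable by group or others, and files containing what looks like a cleartext credential. The file names, contents, modes and the credential regex are all assumptions; the permission checks assume a POSIX file system.

```python
"""Added example: a permission and cleartext-credential spot check over a constructed app tree.

Not from the presentation. File layout, modes and patterns are assumptions; POSIX only."""
import os
import re
import stat
import tempfile

# Names that usually hold configuration or key material (assumed list).
SENSITIVE_NAME_RE = re.compile(r"\.(conf|cfg|ini|key|pem|env)$")
# Rough pattern for a credential stored in cleartext (assumed; tune per environment).
CLEARTEXT_CRED_RE = re.compile(r"(?i)(password|passwd|secret|api[_-]?key)\s*[=:]\s*\S+")


def build_sample_tree(root):
    """Create a constructed application directory with deliberately mixed settings."""
    files = {
        "config/app.conf": ("db_user = appuser\ndb_password = hunter2\n", 0o644),
        "bin/run.sh": ("#!/bin/sh\nexec /opt/app/server\n", 0o777),
        "tmp/export.tmp": ("export run 1\napi_secret=CONSTRUCTED-NOT-REAL\n", 0o600),
        "keys/server.key": ("-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n"
                            "-----END PRIVATE KEY-----\n", 0o600),
    }
    for rel, (content, mode) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, mode)
    # set directory modes explicitly so the result does not depend on the umask
    for d, mode in (("config", 0o755), ("bin", 0o755), ("keys", 0o700), ("tmp", 0o777)):
        os.chmod(os.path.join(root, d), mode)


def scan(root):
    """Return sorted (rule, relative_path) findings for everything under root."""
    findings = []

    def rel(path):
        return os.path.relpath(path, root).replace(os.sep, "/")

    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            if os.stat(full).st_mode & stat.S_IWOTH:
                findings.append(("world_writable", rel(full)))
        for name in filenames:
            full = os.path.join(dirpath, name)
            mode = os.stat(full).st_mode
            if mode & stat.S_IWOTH:
                findings.append(("world_writable", rel(full)))
            if SENSITIVE_NAME_RE.search(name) and mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append(("sensitive_file_readable_by_group_or_others", rel(full)))
            with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                if CLEARTEXT_CRED_RE.search(fh.read()):
                    findings.append(("cleartext_credential", rel(full)))
    return sorted(findings)


def run_sample():
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    for rule, path in run_sample():
        print(f"{rule:45} {path}")
```

The private key file produces no finding because it is mode 0600 and contains no credential-looking line, while the world-writable tmp directory and the cleartext secret in a temporary export file are exactly the kind of items that end up under "Recommended Items" in the assessment write-up.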

18
Remote Access.
  • What management and use of the application
    can/will be done over the Internet? Is there any
    way around this?
  • Will any vendor employees require access to any
    internal systems?
  • To consider
  • How will remote administration and remote access
    be done securely?

19
Starting the documentation
  • Executive summary
  • Action plan
  • High level scope
  • Risk categories
  • Background
  • Controls
  • Items already planned
  • Recommended Items
  • Future Recommendations

20
When do I start?
  • At the inception of a project
  • Before product is purchased
  • Again as implemented due to vendor issues,
    complications of installations, configuration
    changes, etc.

21
Links
  • http://www.scmagazine.com/scmagazine/sc-online/2001/review/029/product_book.html
  • http://www.securityauditor.net/
  • http://www.networkcomputing.com/1121/1121f3.html
  • http://www.breakwatersecurity.com/how/risk.cfm
  • http://www.sans.org/rr/authentic/clear_text.php

22
Thank you!
  • Thank you for your time and attention.
  • If you wish to contact me to discuss questions on
    risk assessments, please contact me at
    kimmy_rallo_at_yahoo.com