10 Things Every Auditor Should Do Before …...2019/08/05  · 10 THINGS EVERY AUDITOR SHOULD KNOW...

10 THINGS EVERY AUDITOR SHOULD KNOW BEFORE PERFORMING A SECURITY AUDIT


Page 1

10 THINGS EVERY AUDITOR SHOULD KNOW BEFORE

PERFORMING A SECURITY AUDIT

Page 2

OBJECTIVES

By the end of this presentation, participants will be able to:

• Understand the complexity of a security audit

• Consider key factors for security audit preparation

• Implement necessary steps to prepare for a security audit

Page 3

SECURITY AUDITS ARE HARD

• Highly technical
• Multiple conflicting standards
• IT centric vs. business centric
• Responsible stakeholders are often misaligned
• Security is personal
• Almost always met with resistance
• High turnover
• Operations vs. Security
• Rapid evolution of technology and threats
• You never get a fuzzy feeling!

Page 4

AUDITS, ASSESSMENTS, CONTROLS TESTING

• Audit
• Assessments
• Controls Testing
• Performance
• Vulnerability Scanning
• Penetration Testing

Page 5

WHAT MAKES FOR A GOOD SECURITY AUDIT?

• Understanding what you’re auditing
  • System
  • Process
  • Network
• Defined boundaries
• Knowing the data and its handling requirements – PCI, HIPAA, PII, etc.
• Established audit metrics
• Choose a framework
• Involving top-level stakeholders

Page 6

#1 – SETTING THE OBJECTIVE

• Proving security or improving security?
  • Performance vs. conformance
• Identify key stakeholders
  • Owners vs. custodians
• Establish communication protocols
• Know the metric
  • Risk & remediation?
  • Process improvement?
  • ROI?
• Agree upon intended outcomes
  • How we get from A to Z
• Keep discussions narrow
• Are we ready?

Page 7

#2 – DEFINE THE STANDARD

• NIST’s Risk Management Framework (RMF) – Security and privacy controls for federal systems
• ISO 27000 series – Focuses on information security management practices
• Health Insurance Portability and Accountability Act (HIPAA) – Subset of HIPAA Privacy Rules: PHI and ePHI
• Payment Card Industry Data Security Standard (PCI DSS) – Increasing controls around cardholder data
• North American Electric Reliability Corporation (NERC) – Addresses patching in NERC CIP 007-6 Requirement 2
• Cybersecurity Capability Maturity Model (C2M2) – Maturity of cybersecurity practices

Page 8

#3 – CATEGORIZE THE SYSTEM

• Federal Information Processing Standards (FIPS) Publication 199, “Standards for Security Categorization of Federal Information and Information Systems”
• Security Objectives
  • Confidentiality
  • Integrity
  • Availability
• Potential Impact (Organization & Individuals)
  • Low – Limited adverse effect
  • Moderate – Serious adverse effect (significant degradation of capability, damage, or financial loss)
  • High – Severe or catastrophic effect
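The FIPS 199 categorization described on this slide, worked through as an added example (not from the presentation): each system-level objective takes the highest impact of any information type the system handles (the FIPS 199 high-water mark), and the sample information types are constructed.

```python
# Added example (not from the slide deck): FIPS 199 security categorization of a
# system from the impact levels of the information types it handles. FIPS 199 sets
# each system-level objective to the highest impact of any information type
# ("high-water mark"). The sample information types below are constructed.
from typing import Dict, Iterable, Optional

# Ordered impact levels. None models FIPS 199 "not applicable", which is only
# allowed for the confidentiality of information intended for public release.
LEVELS = {None: 0, "Low": 1, "Moderate": 2, "High": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")
InfoType = Dict[str, Optional[str]]


def _highest(levels: Iterable[Optional[str]]) -> Optional[str]:
    return max(levels, key=lambda lvl: LEVELS[lvl])


def categorize_system(info_types: Dict[str, InfoType]) -> Dict[str, str]:
    """Return the system categorization per objective plus the overall level."""
    result: Dict[str, str] = {}
    for obj in OBJECTIVES:
        for name, it in info_types.items():
            if it.get(obj, "missing") not in LEVELS:
                raise ValueError(f"{name}: bad {obj} level {it.get(obj)!r}")
        worst = _highest(it[obj] for it in info_types.values())
        # At system level "not applicable" is not permitted: Low is the floor.
        result[obj] = worst if worst is not None else "Low"
    result["overall"] = _highest(result[o] for o in OBJECTIVES)
    return result


def under_categorized(info_types: Dict[str, InfoType], declared: str) -> bool:
    """True when the declared system category is lower than its data requires."""
    return LEVELS[categorize_system(info_types)["overall"]] > LEVELS[declared]


# Constructed sample: a billing portal that also holds cardholder and patient data.
SAMPLE_INFO_TYPES: Dict[str, InfoType] = {
    "public web content": {"confidentiality": None, "integrity": "Moderate", "availability": "Low"},
    "cardholder data (PCI)": {"confidentiality": "High", "integrity": "High", "availability": "Moderate"},
    "patient records (PHI)": {"confidentiality": "High", "integrity": "Moderate", "availability": "Moderate"},
}

if __name__ == "__main__":
    print(categorize_system(SAMPLE_INFO_TYPES))
    print("under-categorized as Moderate:", under_categorized(SAMPLE_INFO_TYPES, "Moderate"))
```

A system declared "Moderate" while holding cardholder and patient data is flagged, which is the scope check an auditor wants before testing controls sized for the wrong impact level.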

Page 9

#4 – DEFINE THE BOUNDARY

• Comprised of four activities:
  1. Determine what is protected and why (CIA)
     • Define system type and security requirements
  2. Identify the system – assets, processes, physical composition
     • Establish physical boundaries
  3. Characterize system operation
     • Determine logical boundaries
  4. Ascertain what one does and does not have control over
     • Document system interconnections and rationales

Debra Herrmann, “A Practical Guide to Security Engineering and Information Assurance”

Page 10

#5 – DEFINE THE DATA

• Who is responsible for the data
• Where does the data exist
• How is the data stored
• Understand how the data is created
• Understand how the data flows
• Who has access to the data
  • Who SHOULD have access to the data

Page 11

#6 – POLICIES AND PROCEDURES

Page 12

#7 – CAPTURING THE AUDIT

• CSET Tool – Multiple standards
• C2M2 Tool – Assessing maturity
• HIPAA Security Rule Toolkit – Standard survey; Enterprise survey

Page 13

CSET

Page 14

C2M2 Evaluation Toolkit – Version 1.1, March 2014

CYBERSECURITY CAPABILITY MATURITY MODEL (C2M2) EVALUATION TOOLKIT

Worksheets (link name in parentheses):
• Information About the Organization (ORG)
• Risk Management (RM)
• Asset, Change, and Configuration Management (ACM)
• Identity and Access Management (IAM)
• Threat and Vulnerability Management (TVM)
• Situational Awareness (SA)
• Information Sharing and Communications (ISC)
• Event and Incident Response, Continuity of Operations (IR)
• Supply Chain and External Dependencies Management (EDM)
• Workforce Management (WM)
• Cybersecurity Program Management (CPM)
• Generate Reports (REPORTS)

This Evaluation Toolkit enables an organization to evaluate the maturity of its cybersecurity capabilities based on the C2M2 Version 1.1. The toolkit consists of this spreadsheet and a Word report template.

The C2M2 can be obtained from http://energy.gov/oe/downloads/cybersecurity-capability-maturity-model-february-2014 , or by emailing the Department of Energy (DOE) at [email protected] .

The C2M2 materials are furnished on an as-is basis. The DOE makes no warranties of any kind, either expressed or implied, as to any matter including, but not limited to, results obtained from this toolkit.

Page 15

HIPAA SECURITY RULE TOOLKIT

Page 16

#8 – AUTOMATION

Windows Security Tools
• Windows Event Log Analyzer
• Windows Asset Inventory Viewer
• Windows Remote Control
• FTP Brute Force Tester
• MySQL Brute Force Tester
• Windows PCI Compliance Check
• Windows HIPAA Compliance Check

Oracle Security Tools
• Oracle SID Tester
• Oracle Default Password Tester
• Oracle TNS Password Tester
• Oracle Password Auditor
• Oracle Access Rights Auditor
• Oracle Brute Force Tester
• Oracle Event Log Analyzer
• Oracle PCI Compliance Check
• Ora HIPAA Compliance Check
• Oracle Query Browser

SQL Security Tools
• SQL Default Password Tester
• SQL Server Password Auditor
• SQL Server Access Right Auditor
• SQL Server Event Log Analyzer
• SQL Server Brute Force Tester
• SQL Server Query Browser
• SQL PCI Compliance Check
• SQL HIPAA Compliance Check

Cisco Security Tools
• Cisco Configuration Manager
• Cisco Type7 Password Decryptor
• Cisco MD5 Password Auditor
• Cisco Firewall Password Auditor
• IP Calculator
• Cisco SNMP Brute Force Tester
• Cisco VPN Password Auditor
• Cisco Switch Port Mapper
• Cisco Configuration Backup Tool

General Security Tools
• Traceroute
• Port Scanner
• SNMP Browser
• SNMP Scanner
• Whois
• DNS Auditor
• Mac Detector
• DNS Lookup
• HTTP Brute Force Tester
• SSH Brute Force Tester

Page 17

#9 – DEMONSTRATE CONTROL DESIGN

• Assessment Methods
  • Examine – Review policies and procedures
  • Interview – Administrators of access controls
  • Test – Attempt to guess passwords
• Depth
  • Basic examination – Random sampling
  • Focused examination – Sampling just administrative access
  • Comprehensive – Running L0phtcrack against the password database

NIST 800-53A Rev. 4, Control IA-5 AUTHENTICATOR MANAGEMENT: “The organization manages information system authenticators by: c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;”

Page 18

#10 – APPLYING RISK

Page 19

#11 – PRIORITIZING REMEDIATION

Page 20

GETTING HELP

• Peer Groups
• Vendors
• Consultants
• Local Associations (ISC2)
• Online Resources
• Internal Teams

Page 21

QUESTIONS?