August 15th, 2015 - NeverSysneversys.com/wp-content/uploads/2015/09/MSISA_Capstone.pdf ·...


Comprehensive Security Assessment Systemization

Jesse Caleb Schroeder

A Capstone Presented to the Information Technology College Faculty

of Western Governors University

in Partial Fulfillment of the Requirements for the Degree

Master of Science in Information Security and Assurance

August 15th, 2015


Abstract

Innova Corporation (hypothetical) is a business organization that deals with information technology. As part of the information security team, I have identified the lack of a proper security assessment framework. Once these methods have been developed, they can be used by all members of a security group to return repeatable qualitative and quantitative results to the organization. This reduces the organization's risk and secures the company's information assets.

To develop these methods, research has been conducted into current standards and methodologies. The published methods utilized are: NIST Special Publication 800-30 / 800-37 / 800-115, OSSTMM v3, DISA ACAS, ISSAF, OWASP Testing Guide, ISO 27001 & 27002, PCI DSS v3.1, and PTES. These standards were used to develop modules for implementation during the creation of the security assessment framework for the organization.

The proposed outcome is a framework that can be used across the organization's infrastructure and that helps to mitigate the organization's vulnerabilities. This was accomplished by creating a clearly defined plan for a systematized approach to performing security assessments that is repeatable across multiple organizations. The system under development includes the boundaries of assessment and a non-technical guide discussing the necessity of each test.


Table of Contents

Introduction ..... 5
  Project scope ..... 5
  Defense of the Solution ..... 6
  Methodology Justification ..... 6
  Organization of the Capstone Report ..... 7
Systems and Process Audit ..... 7
  Audit Details ..... 7
  Problem Statement ..... 8
  Problem Causes ..... 9
  Business Impacts ..... 10
  Cost Analysis ..... 12
  Risk Analysis ..... 13
Detailed and Functional Requirements ..... 14
  Functional (end-user) Requirements ..... 14
  Detailed Requirements ..... 15
  Existing Gaps ..... 15
Project Design ..... 16
  Scope ..... 16
  Assumptions ..... 17
  Project Phases ..... 18
  Timelines ..... 18
  Dependencies ..... 19
  Resource Requirements ..... 19
  Risk Factors ..... 20
  Important Milestones ..... 21
  Deliverables ..... 22
Methodology ..... 23
  Approach Explanation ..... 23
  Approach Defense ..... 23
Project Development ..... 24
  Hardware ..... 24
  Software ..... 24
  Tech Stack ..... 25
  Architecture Details ..... 25
  Resources Used ..... 26
  Final Output ..... 26
Quality Assurance ..... 27
  Quality Assurance Approach ..... 27
  Solution Testing ..... 27
Implementation Plan ..... 28
  Strategy for the Implementation ..... 28
  Phases of the Rollout ..... 28
  Details of the Go-Live ..... 29
  Dependencies ..... 29
  Deliverables ..... 30
  Training Plan for Users ..... 30
Risk Assessment ..... 31
  Quantitative and Qualitative Risks ..... 31
  Cost/Benefit Analysis ..... 31
  Risk Mitigation ..... 32
Post Implementation Support and Issues ..... 33
  Post Implementation Support ..... 33
  Post Implementation Support Resources ..... 33
  Maintenance Plan ..... 33
Conclusion, Outcomes, and Reflection ..... 34
  Project Summary ..... 34
  Deliverables ..... 34
  Outcomes ..... 35
  Reflection ..... 36
References ..... 37
Appendix A: Technical Terms ..... 39


Introduction

Project scope

The scope of this project is the development of a model of security assessment for the Innova Corporation to follow. This project includes the creation of various modules for the organization to use during its assessments. In these modules, a listing of policies is implemented to ensure a thorough assessment is completed, and in these policies a listing of the proper procedures and tools to use is created. These modules, procedures, and policies are based on the NIST Special Publication 800-30 / 800-37 / 800-115, OSSTMM v3, DISA ACAS, ISSAF, OWASP Testing Guide, ISO 27001 & 27002, PCI DSS v3.1, and PTES publications.

The research undertaken provides a comprehensive framework that can be used by technical professionals in the organization. These professionals need to have an understanding of information security and network analysis to utilize the proposed framework. The framework includes a guide discussing why each step is necessary, written in a way that can be communicated to non-technical personnel or upper management.

The project does not include information regarding a full-scale penetration test. The framework discussed gives the business an understanding of the vulnerabilities that are possible against the organization and gives the technical staff the ability to close security gaps if necessary. This allows the organization to maintain a strong information security posture. The project includes a model that the business can use throughout the organization and its various business locations. The framework proposed is not site-specific; rather, it is repeatable and establishes a baseline for the organization to use in its vulnerability assessments.


Defense of the Solution

This project has been proposed because it is necessary for the Innova Corporation to perform comprehensive security assessments that can be easily used throughout the business. Many businesses do not have a comprehensive security assessment structure. Through a review of best practices in the current literature, the proposed project creates a security assessment structure that can be used by the Innova Corporation, as well as across multiple organizations.

A comprehensive security assessment model that can be used repeatedly is extremely useful to the Innova Corporation and many organizations like it. Once an organization has developed a security assessment model, the business has a quantitative and qualitative analysis of its security posture. Also, on additional scans of the business, Innova Corporation is able to compare the results of the security assessment to a historical baseline. This method ensures Innova is aware of its security history and of the goals the business can pursue once the documentation and methodologies have been established.

Methodology Justification

The approach to this project was selected because the organization needs to develop metrics in order to measure the status of its infrastructure. To create these metrics the organization can use a number of free resources available from multiple open-source projects, as well as products from vendors. With these tools and assessment guidelines, such as the ones listed above in the project scope section, the organization is able to develop a thorough and in-depth guide to a repeatable security assessment process.

The results from performing these assessments can be stored for future review, both for comparing future results to past results and for further analyzing and securing the network. Storing the results of the assessment and other information on the network is also addressed. This approach leads to an N-tier network design, as well as layered permissions and network resources. This methodology creates a security assessment function known as defense in depth. It is my hope that this thoroughly developed security assessment model, which includes procedures and guidelines explaining why each test is performed, gives Innova Corporation the confidence to conduct its business without the fear of being victimized by an attacker.

Organization of the Capstone Report

In the following sections, I discuss the further components of the problem, including detailed background information, the causes of the problem, impact to the business, cost, and risk analysis. Further assumptions, limitations, and technical jargon about the problem are listed as well.

A discussion takes place as to why a technological solution has been created. This includes business drivers, a discussion of what could happen if no technological solution is implemented, and the justification of the technology solution within business priorities.

Systems and Process Audit

Audit Details

An audit of the current status of the business was performed. The scope of the audit was to identify the state of security in the informational section of the business. During the audit process, Innova was discovered to have a non-congruent security model across the 1000+ devices communicating across the internal infrastructure. The features of the current state of security at Innova consisted of:

- Nonstandard logging
- Divided security roles by managerial department
- Emphasis on current projects rather than long-term business practices

This discovery led to the understanding that the business was lacking a systematized comprehensive security assessment model. To develop this model, the company would need to take five critical actions to bring the status of the organization up to a standard of security that allows it to continue practicing business without the risk of major financial and intellectual losses. These steps are discussed later in the documentation.

Problem Statement

Innova Corporation is a large technology company that has more than 1000 dedicated information systems online in the business environment. The business processes its payments out of band from the IT infrastructure. However, the business does keep all of the information necessary to process payments in internal databases. The company also houses many kinds of critical information inside the business, such as employee information, technological engineering information, and other critical business operating information.

The problem stems from Innova Corporation's lack of a systematized comprehensive security assessment model. The business currently has four main problems facing its infrastructure:

- The business fixes security issues as they arise and does not have any dedicated security professionals.
- The company does not have a proper logging system.
- The organization defers security decisions to the managers of each department, rather than having a business-wide security policy.
- Innova Corporation has a heavy emphasis on the current projects that the business is trying to accomplish.

Problem Causes

The problems listed above are addressed in further detail in this section, with an explanation of each problem.

When the organization discovers a security vulnerability that needs to be fixed, the company assigns the issue to the IT staff. There are no dedicated employees who deal directly with security issues. Therefore, the IT employees have to interrupt their dedicated tasks and adjust their working hours to fix the identified security issue. This causes the employees assigned the task to become distracted from their daily duties. The employees must also change their mindset from daily network management operations to one of security management. Creating a security mindset for the organization takes time, and a long-term view of the security implementations must be achieved.

Innova Corporation currently logs information on an as-needed basis. This means that there is no proper logging system set up for the organization. The company justifies this practice by suggesting that the cost of keeping logs outweighs the benefits of maintaining those logs. The justification does not come from a perspective that considers the possibility of information leakage; the company's failure to maintain logs comes from a view of cost savings. This cost-savings approach does not take into account the possibility of a security breach at Innova Corporation.

Creating a departmentalized approach to security creates a non-unified approach to security across the organization. Dividing security does not allow the organization to easily manage the security issues associated with information flow. When an employee is assigned to fix a problem in a department, that associate first needs to study the security model being implemented by that department. This creates a loss of time and multiple individualized approaches to security across the organization.

Finally, Innova Corporation focuses on the current projects that the organization is trying to accomplish. This may delay the IT employees from being assigned a security task that needs to be completed until the current projects are finished. This may lead to a multitude of problems, such as a technology release with major bugs, multiple security holes left unattended until resources can be allocated, unknown data breaches due to a lack of focus, and many others. These problems lead to the company chasing its tail when it comes to fixing the problems introduced by an inappropriate business focus.

Business Impacts

Once the problem is addressed and a systematized comprehensive security assessment model is created, Innova Corporation will be able to remain confident that the business is in compliance with the security requirements of multiple industries, may gain further business due to the implementation of well-established security methodologies, can be assured that the business does not collapse under the stress of a major incident or on-site disaster, and can save a great deal of money by ensuring that the business is harder to compromise.

If the problem remains unaddressed, the most significant consequences are a loss in business continuity, a lack of risk prioritization, continued ignorance of loss or fraud perpetrated against the organization, and a possible lack of compliance or of the ability to achieve certifications based upon the business practices.


A loss of business continuity would mean that the corporation suffers “from the effects of a disaster that interrupts their operations” (Hiles, 2007). When interruptions to a business's operations occur, the company needs to have plans in place to deal with the disasters that occur. These disasters can take many forms, such as fire, storms or hurricanes, and terrorist attacks. The company needs to create plans to cope with many, if not all, of these issues.

Innova lacks prioritization of risks because it remains ignorant of the variety of risks the business faces. The company faces problems of profitability, business efficiency, and loss of competitive advantage due to not identifying the majority of the risks it faces (Taylor, 2014). In order to solve this problem the company needs to work on the business culture associated with risk. Innova needs to create clear boundaries in the business and identify the context in which the risks occur by utilizing consistent communication and monitoring of business practices. This lets the company analyze, evaluate, and treat the risks associated with the organization.

The continued ignorance of loss or fraud perpetrated against the organization due to the lack of a systematized security model is addressed from a multidisciplinary foundation. The disciplines brought in to help solve the issues for Innova integrate an environmental, situational, and psychological approach (Purpura, 2008). Using these three approaches helps to slow the loss of vital resources from Innova.

A possible lack of compliance, or of the ability to achieve certifications based upon the business practices of Innova, can lead to legal consequences. These challenges may come about due to a lack of governance measured by metrics in the business (Herrmann, 2007). In order to address these issues, the business needs to acquire a variety of standards and review these materials. Once this review has been completed, the business can decide how to create a business structure that can comply with the desired articles.

Cost Analysis

The business needs to acquire resources in five main areas to create a comprehensive security assessment system. These five areas of focus are identified by looking into the “Top Priorities for Better Cyber Health” (Tenable Network Security, 2014):

- Identify all devices connected to the network.
- Configure settings on the network to protect the systems attached.
- Control the permissions available to users on the network.
- Keep software and hardware up to date across the network.
- Continue to revisit the four previous areas on a regular basis.

Acknowledging the issues listed above, Innova Corporation needs to address these five areas as they pertain to implementing a comprehensive systemized security assessment model. The company needs to purchase software licensing for auditing tools. This software can be purchased from third-party vendors and kept up to date by the vendors. Hardware to monitor the state of its information systems needs to be purchased; these items log network traffic and resource access. Innova needs to spend money on training employees to complete the tasks necessary to secure the organization, or the company needs to hire new staff already knowledgeable in the tasks that will be assigned.

However, a recent study has suggested that not implementing security solutions within an organization can bring about major losses. These losses include data, integrity, and financial problems. According to a recent study from the Ponemon Institute, the average annualized cost of network breaches for a large organization is $7.6 million (Ponemon Institute LLC, 2014). With these annual numbers so costly, it makes financial sense to spend the resources necessary to implement a comprehensive security assessment model.

Based upon the number given, the business will begin saving millions of dollars on a yearly basis once Innova Corporation decides to implement the suggested security model. Implementing the model researched in this project leads to a greater sense of security across the organization, as well as cost savings, disaster assurance, and demonstrated industry security compliance.

To implement a fully realized security solution for the Innova Corporation, the company needs to spend approximately 7 to 14 million dollars (Ponemon Institute LLC, 2014).

Risk Analysis

There is a likelihood of adverse conditions that impact the situation, with various consequences. These complications include:

1. A lack of financial resources to implement the desired solution.
2. A lack of knowledge-based resources to implement the desired solution.
3. A lack of time resources to implement the desired solution.

Due to the cost of fully implementing the desired solution, the company may not have the financial resources available to complete the project all at once. The business may utilize a tiered approach to implementation. This means utilizing the research to identify the critical vulnerabilities of Innova Corporation first, then discussing a timeline or risk acceptance for securing the infrastructure.


If the company lacks the knowledge base of workers required to complete the tasks, then the company has a few options for fixing this problem. Innova can choose to train the current employees in the areas required to accomplish securing the network. The business can hire new employees or contractors with the knowledge needed to complete the tasks. The final option would be working with the software or equipment vendors to provide third-party services that will secure the network.

The third risk identified is a lack of time resources. This risk relates to the other two risks discussed above. At the business, there may be a lack of available time resources. This means that the business managers do not have adequate resources to dedicate to new tasks due to project completion constraints, understaffing concerns, or the failure of third-party constituents. To overcome this hurdle, Innova may choose to hire new employees with the desired skills, attempt to work with comparable vendors to acquire the necessary resources, or decide to wait for the completion of key projects before undertaking the security assessment project.

Detailed and Functional Requirements

Functional (end-user) Requirements

This project creates a comprehensive security assessment system to fulfill the end-user requirements of Innova Corporation. With this system, the company can use the documentation to create a security baseline for its organization and use the provided documentation to repeat the same process at satellite offices. This documentation is not site-specific and can be used by any large organization to establish or audit the information security model of its operating environment.

The security model has been developed for Innova, which has over 1000 unique user instances. The functional requirement is that the organization take the documentation as written and apply the process thoroughly, in the order described, to determine the probability of asset losses.

Detailed Requirements

The technical requirements are defined by the information systems at Innova Corporation. Because the assessment model is new to the organization, the project encompasses every network system at the business.

The operational requirements are an on-boarding process for all stakeholders at the organization, access to all network resources at the business, and the time and financial resources needed to complete the comprehensive security assessment model.

The standards requirements call for an in-depth review of current security practice from multiple trusted organizations. The standards reviewed are NIST Special Publication 800-30 / 800-37 / 800-115, OSSTMM v3, DISA ACAS, ISSAF, the OWASP Testing Guide, PCI DSS v3.1, ISO 27001 & 27002, and the PTES publications.

Existing Gaps

This project addresses the information security gaps at Innova identified in the problem statement:

- The business fixes security issues as they arise and has no dedicated security professionals.
- The company does not have a proper logging system.
- Security decisions are deferred to the managers of each department rather than governed by a business-wide security policy.
- Innova Corporation places a heavy emphasis on the projects it is currently trying to complete.

Addressing these issues identifies what the business can do to close the gaps in its information infrastructure. Once the gaps are closed, Innova can continue operations with greater confidence that it is protected from cyber threats.

Project Design

Scope

The scope of this project is a model of security assessment for Innova Corporation to follow. It includes a set of modules the organization uses during its assessments; each module lists the policies that ensure a thorough assessment is completed, and each policy lists the proper procedures and tools to use. The modules, procedures, and policies are based on NIST Special Publication 800-30 / 800-37 / 800-115, OSSTMM v3, DISA ACAS, ISSAF, the OWASP Testing Guide, ISO 27001 & 27002, PCI DSS v3.1, and the PTES publications.

The project does not cover a full-scale penetration test; the assessment identifies and ranks weaknesses but does not attempt to exploit them. The framework gives the business an understanding of the vulnerabilities to which the organization is exposed and gives technical staff the means to close security gaps where necessary, so that the organization can maintain a strong information security posture. The model can be used throughout the organization and at its various business locations: it is not site-specific, but a repeatable process that establishes a baseline for the organization's vulnerability assessments.

Assumptions

Innova Corporation currently needs a comprehensive, systematized security assessment model. It is assumed that the business is a willing participant in creating it. Following White (2014), this means the person developing the assessment model will:

- receive reports, statistics, and policies about the business's information systems;
- interact with willing participants in business meetings and during research;
- be allowed access to all areas of the business necessary to complete the assessment model;
- follow a defined schedule during and after development and implementation;
- be given the resources to procure third-party services, as defined in the working agreements.

The enterprise workstations are in normal working order; there are no known reports of widespread malware infection or hardware malfunction. When a problem occurs at a user's workstation, the employee reports it to the IT department and opens a ticket. Tickets go into a general queue and are worked in the order received; priority is given only to problems that are slowing critical projects.

Management at Innova is open and communication is not stifled; the team dynamics are friendly and informal. That fluidity, however, is too loose to be considered secure. Management's approach to security relies on the individual employee and on minimal effort from managers: Innova Corporation trusts its employees to make proper decisions and not to release confidential information.

Project Phases

The phases of the project are:

1. Ensure the cooperation and involvement of key stakeholders at Innova Corporation.
2. Secure the resources necessary to complete the project.
3. Complete an in-depth review of the current policies and practices of trusted third-party organizations.
4. Create per-unit policies that act as models for sections of the information systems.
5. Create a comprehensive security assessment model for Innova Corporation to implement.
6. Hold a final meeting with company stakeholders to confirm agreement with, and compliance to, the final model.

Timelines

The initial creation of the security assessment system will take approximately three months. This interval develops a security baseline for the organization and leaves time to implement the comprehensive system. The first two project phases take approximately one to two weeks. Reviewing the current policies and practices of trusted third-party organizations takes another two to three weeks. Creating the per-unit policies and the comprehensive security assessment model takes approximately two weeks, and the final meeting with stakeholders takes about half a day.

Implementing the model to create a baseline will take the remainder of the three-month interval. This includes identifying every item on the network, training or hiring employees, and adjusting the network based on the findings of the security assessment documentation. Once the baseline is established, the organization should expect each subsequent in-depth audit and report to take approximately one month.

Dependencies

The dependencies of this project are the project phases, in the order listed. Each phase must be completed before the next one begins, working down the list from the top. This ordering is necessary for proper procedural implementation and development of the comprehensive security assessment system.

Resource Requirements

The hardware needed for this project is the hardware already deployed on-site at Innova. The business may wish to purchase a laptop dedicated to running the network audits, which has the advantage of keeping the scanning tools and the collected results separate from day-to-day workstations; it can, however, use existing devices and need not buy anything new to complete the project. Later, it may choose to procure hardware that lets it satisfy the model's requirements for each section of the network and fully realize the intent of the documentation.

No software is needed to complete this project. The business may wish to procure software licenses that let it meet the model's requirements for each section of the network; that software is needed only after the comprehensive security assessment system is complete.

The workforce needed is minimal: Innova Corporation should dedicate one to five employees to developing the comprehensive security assessment system. More than one lets the team discuss the design of the security model while it is under development; more than three requires a designated team leader.

Risk Factors

Adverse conditions may affect the project. The complications identified are:

1. A lack of financial resources to implement the desired solution.
2. A lack of knowledge-based resources (skilled staff) to implement the desired solution.
3. A lack of time resources to implement the desired solution.

Because fully implementing the desired solution is costly, the company may lack the financial resources to complete it all at once. The business may instead take a tiered approach: identify Innova Corporation's critical vulnerabilities first, then agree on a remediation timeline, or a formal risk acceptance, for securing the rest of the infrastructure.

If Innova lacks staff with the skills the tasks require, it has three options. It can train current employees in the areas needed to secure the network; it can hire new employees or contractors who already have those skills; or it can contract with its software or equipment vendors for third-party services that secure the network on its behalf.

The third risk is a lack of time, and it is tied to the other two. Business managers may be unable to dedicate staff time to new tasks because of project deadlines, understaffing, or third parties that fail to deliver. To overcome this, Innova may hire new employees with the desired skills, work with comparable vendors to obtain the missing capacity, or wait for key projects to finish before starting the security assessment project.

Important Milestones

Key milestones in the development of this project follow the project phases:

1. Documentation confirming the cooperation and involvement of key stakeholders at Innova Corporation.[1]
2. Documentation securing the resources necessary to complete the project.
3. Completion of the in-depth review of current policies and practices of trusted third-party organizations.
4. Creation of the per-unit policies that act as models for sections of the information systems.
5. Creation of the comprehensive security assessment model for Innova Corporation to implement.
6. A final meeting with company stakeholders confirming agreement with, and compliance to, the final model.[2]

[1] Because the project is hypothetical, it is assumed that Innova cooperates and delivers the resources necessary to complete it.

Deliverables

The deliverable of this project is a systematized comprehensive security assessment model. The model consists of documentation listing the procedures necessary to produce assessment reports for a secure networking environment in a large organization.

To fully implement the project's design, the business needs the hardware and software required to bring the network to a secure state. The hardware used to implement the project is the equipment Innova has already purchased, optionally with a laptop dedicated to the implementation. Only after the security audit has been conducted should the company consider purchasing additional equipment to better secure the network.

Software is needed to act on the documentation deliverables; which software is determined once the model is implemented. Creating the project itself requires only a text editor.

[2] Because the project is hypothetical, it is assumed that the documentation is accepted and meets Innova's desired results.


Methodology

Approach Explanation

The approach to developing the comprehensive security assessment system is a thorough review of current security assessment methodology from leading sources in the information security industry, so that the model complies with current best practice. The model is a living document and will change over time based on its use and effectiveness in the organization where it is applied.

Other approaches exist and could achieve comparable results: focusing on one model at a time and ensuring the business complies with it before moving to the next, basing the organization's model on a single method, or writing the documentation while implementing it on the information infrastructure.

The shortcomings of the chosen approach are that the network remains exposed to threats while the methodology is under development; that developing the model before implementing it may slow the work, because of the many meetings and discussions with staff and stakeholders; and that Innova Corporation may choose not to implement the project once the documentation is complete, for lack of resources.

Approach Defense

In defense of the approach, a thoroughly developed and reviewed model of security assessment yields documentation the organization can use even if it chooses not to implement the project when it is completed. If the business declines to implement the model now, it may still do so later in its life; the project is not lost for lack of implementation.

Also, although the network may remain exposed longer under the chosen approach, the business currently does not know what its risk level is at all. Other approaches may identify problems in the business's network more quickly, but the time saved comes at the cost of a thorough understanding of the network and leads to risks that are unidentified, under-identified, or over-identified.

Finally, building a deep understanding of what is being created, by holding meetings and gaining stakeholder buy-in, is a sound long-term plan for successfully implementing the documentation. Meetings may delay completion, but once the project is complete the business has a better chance of fully implementing and upholding it, because multiple individuals in the organization support it.

Project Development

Hardware

Project development requires no hardware other than a single desktop computer with internet access and a web browser.

Software

No software needs to be purchased or developed to create the comprehensive security assessment system; the only programs used during development are a web browser and a text editor. During implementation at the business, Innova needs to license the appropriate software or use open-source tools to meet the requirements laid out in the documentation.

Tech Stack

The layers of service provided during project development are the documentation itself, built on multiple current information security and assurance standards. Those standards shape a technology stack for identifying each part of the network resources available at Innova. As a starting point, the documentation identifies the five key areas needed for a comprehensive security assessment system model, the five priorities for "Better Cyber Health" listed by Tenable Network Security (2014):

"Count: Know what's connected to and running on your network.
Configure: Implement key security settings to help protect your systems.
Control: Limit and manage those who have admin privileges to change, bypass, or override your security settings.
Patch: Regularly update all apps, software, and operating systems.
Repeat: Regularly revisit the Top Priorities to form a solid foundation of cybersecurity for your organization."

Architecture Details

The configuration of the hardware and networks at Innova must be identified as part of implementation; discovering every piece of equipment attached to the network is the first goal of the comprehensive security assessment system. Anything missed at this step falls outside every later step of the model, so discovery is repeated each cycle rather than done once. Innova currently has over 1000 unique user instances on the network, along with firewalls, routers, switches, clients, servers, printers, internal applications, and a variety of vendor applications.

Resources Used

The manpower needed to develop this project is minimal: one person reviews the sources and writes the comprehensive security assessment system for Innova. Considerably more staff will be needed to implement the documentation after it is accepted.

The consumables are working hours, electricity, and perhaps a few sheets of paper. Working hours are the main consumable, needed from the start of the process through to the end; creating the project will take approximately 80 hours.

The funds used to develop the project are the salary of the individual creating it, paid on their regular pay schedule.

Final Output

The result of the comprehensive security assessment systemization project is detailed documentation that lets Innova Corporation run a complete security assessment on its large-scale network and use the results to secure itself against the risks identified there. The documentation also lets the organization create a security baseline, so that when the model is used to run the assessment again, the new results can be compared against the baseline and the baseline adjusted.

Finalizing the initial documentation does not finish it. It is a living document, adjusted to the organization's needs as the business grows and improves the security of its information network.

Quality Assurance

Quality Assurance Approach

Quality assurance for this project rests on building the assessment model from known, well-established sources. A direct, traceable link from each recognized standard to the documentation created in the project gives confidence in that documentation's quality.

Solution Testing

The proposed solution can be tested by checking the documentation against the current standards to confirm it complies with them. The security assessment system can also be tested by first use: the organization simply runs it and produces a report. Provided the active scanning steps are scheduled and scoped with the asset owners, since scans can disturb fragile devices such as printers and embedded systems, this method does no harm to the business, and implementing the solution directly is the fastest way to obtain results that improve it.

If the business prefers to test the model on a mock installation, Innova Corporation can set up a virtual network environment and run the assessment model against it. Network administrators can deliberately leave known vulnerabilities in place in that environment and check whether the model's methodology catches every one of them. With either method, acceptance criteria are established by reviewing the documentation provided. Implementation of the project is a separate expense and a project in its own right.

Implementation Plan

Strategy for the Implementation

The comprehensive security assessment system is implemented at Innova Corporation as a sequence of stages. This is the most desirable approach because it lets Innova confirm compliance with every step of the new model and work through the project with confidence in a successful outcome.

Alternative approaches exist: pushing the project out by decree without securing compliance, implementing it partially in the hope of completing the full assessment without a deadline, or trying to fix the network before the assessment is run. None is preferred, because stakeholder support is key to a successful rollout, a partial implementation reveals only a partial picture of the network architecture, and the business's effort is best spent fixing known critical issues rather than assumed ones.

Phases of the Rollout

Now that creation of the system is complete, the project is implemented in stages:

1. Acquire acceptance from the Chief Information Officer at Innova Corporation.
2. Hold a meeting with key stakeholders at the business to review the comprehensive security assessment system in depth, so that everyone understands how the implementation will proceed.
3. Work with managers at Innova to assemble the staff who will work through the documentation.
4. Train that staff in the components of the assessment model needed for systematized implementation.
5. Test the network by working through the steps listed in the documentation.

Details of the Go-Live

The project is considered fully implemented once the comprehensive security assessment system has been used to audit Innova Corporation's network for at least two cycles. The first cycle establishes the security baseline; the organization then implements the security changes it calls for and runs a second audit, comparing the results against that baseline.

Dependencies

Some components of the comprehensive security assessment system must be in place before other sections of the documentation can be implemented. First, a team is created; this team carries out the security assessment. Next, the team documents who is on it, when the assessment is being conducted, where the collected information will be stored, and who will have access to it. The storage and access decision matters because assessment results describe the network's weaknesses in detail and need the same protection as any other confidential asset. Next, the team members sign an agreement certifying that the security assessment system will be followed during implementation and deviated from only when additional documentation explains why and how the deviation occurs. Only then does the assessment itself begin, with network discovery to identify exactly what is to be tested.

Deliverables

Acceptance of the systematized comprehensive security assessment model gives Innova Corporation a clearly defined path for undertaking a thorough security assessment. Accepting and implementing it lets Innova map its network, scan for and discover vulnerabilities on it, list those vulnerabilities for remediation, and create a security baseline against which future runs of the security model can be compared.

Training Plan for Users

A training plan for implementing the documentation is included in the assessment documentation. It states what employees need to be trained in, why, and when the training should take place.

The training plan is developed jointly with the stakeholders at Innova Corporation and, depending on the equipment selected to implement the security assessment system, possibly with third-party vendors.

Training takes place in stages that follow the rollout steps of the assessment model and match the skills of the technical staff and management. Further detail is given in the deliverable, where the systematized testing of the network infrastructure is laid out.


Risk Assessment

Quantitative and Qualitative Risks

The qualitative risks of creating the comprehensive security assessment system are very small to nil, given the threat vectors associated with creation work (Sims, 2012). Because the project is a new creation, not based on any current model at the business, it is carried out out-of-band from other projects. The only qualitative risk is the confidence and communication skill of the person creating the model.

The quantitative risk of creating the system is limited to the wages for the hours the employee puts into the project. It is the only quantitative risk because the work does not touch Innova's information network until the company decides to implement the model.

Cost/Benefit Analysis

A benefit shortfall from a failed or mismanaged project would mean losses of unknown size for the organization. Because Innova does not currently have a proper information security model, it cannot measure what its lack of security is costing it. As a large organization, however, it can approximate its exposure from the organizations that reported financial losses to the Ponemon research: large organizations lose an average of $7.6 million annually (Ponemon Institute LLC, 2014).

The risk of a cost overrun from the identified quantitative and qualitative risks is minimal, because project completion is fairly open-ended and follows a living-document model. A cost overrun would simply mean the project takes longer. That may interfere with other business projects, and the researcher may need to set the security model aside to meet the company's needs.

Risk Mitigation

To mitigate the qualitative risks of the project, Innova needs to give the researchers the support they need to complete the project. This means the business may need to provide coaching support to the researchers through the human resources (HR) department. The employees from HR can act as confidence and communication support for the people in the technical research departments. The HR department can bring in outside resources to help the research team accomplish its goals. Also, management can ensure that the creation of this project's documentation is given priority above other projects, so that the developers focus on the creation of the documentation and do not become distracted by other work requirements.

To mitigate the quantitative risks of not completing this project, the business will need to simply purchase research from outside professionals to implement some standard at the organization as quickly as possible. If the company fails to implement any standard model, it can be expected to lose far more than the average amount of $7.6 million per year because of the lack of a comprehensive security assessment system. This will cost more than the company utilizing its own resources, because of outside profit margins and the fact that the company will still need to adjust the purchased product to the infrastructure of its organization.

Post Implementation Support and Issues

Post Implementation Support

Once the new system has been implemented, it will need to be supported due to the nature of the documentation. The comprehensive security assessment system is a living document, wherein revisions will be made to the documentation as needed. This occurs because industry best practice standards change over time, new tools are developed for security assessment, and staff change and need to adjust their training regimen.

Post Implementation Support Resources

The resource that will need to be provided to ensure that the comprehensive security assessment system is kept up to date is work hours. The work hours needed will be used for the review of new standards from the information security industry and for updating the current status of the security assessment system. These work hours need to be provided by the employees of the institution where this project is being deployed.

Maintenance Plan

The plan for short-term maintenance of this project is to make minor adjustments to the security assessment model. These minor adjustments will occur due to the network infrastructure revisions that result from the discovery and mitigation of network vulnerabilities. After the first implementation, a baseline will be created for Innova Corporation. With the creation of a baseline for the business, they will need to update the assessment model. This process will continue until the vulnerabilities in the system are mitigated or accepted. The assessment model will then stabilize and can be used without much maintenance.

The long-term maintenance of this project will be to maintain the versions of the assessment system and to create a catalog of events that occur over the lifetime of the documentation. Revisions to the documentation should slow after the first few uses of the assessment system. Major revisions to the documentation may take place when major releases of various standards are given to the public, in order to comply with the newly released standards.

Conclusion, Outcomes, and Reflection

Project Summary

This project created a comprehensive security assessment system for a hypothetical company named Innova Corporation. Creating the system involved a review of current documentation utilized by trusted standards organizations. The documentation reviewed covered standards compliance, information security networks, assessment and penetration models, and business impact. The security assessment system created consists of documentation for providing security assessments.

Deliverables

The deliverable being submitted is the completion of a comprehensive security assessment system for Innova Corporation. This model can be used by the organization, satellite operations, or other businesses to run a security assessment. The documentation that has been provided is considered a living document and may be adjusted to fit the needs of the organization at the time of implementation. The parts of the documentation are:

An introduction to the security assessment system
A high-level discussion of the assessment model
A sectional discussion of the assessment model
A guided approach about how to best implement each section
Guidance for the creation of documentation during implementation
Guidance for the education of implementation staff
A discussion about the creation of an initial security baseline
A discussion about successive implementations
References to the sources used to create the documentation

Outcomes

The outcomes of the comprehensive security assessment system are not yet known, because the system has not been implemented: the project was for a hypothetical company. I feel that the project was produced in a professional manner, with potential for real-world implementation once the project has been reviewed and adjusted by peers in the information security field. It was discovered during the creation process that certain documents did not apply to the creation of the assessment model and, therefore, were not used during the document's creation. Also, other articles were found that did apply to the project's creation and were added to the project to reflect a more comprehensive review of the available material.

The shortcoming of the project's design was its creation for a hypothetical company. This allowed a wider range of development for the model during the construction process. However, the openness with which the work was conceived may have created a pitfall, in which the scope of the project ended up being larger than anticipated.

Reflection

This project has been the culmination of my education at Western Governors University. My efforts in the creation of this project showcase the effort I have put into my education and all the efforts of the staff at the university. I could not have completed my education without the help, knowledge, and experience of their great support staff and the patience of my beautiful family.

The comprehensive security assessment system that I have created has led me to review many materials in its creation. I feel confident in my foundation of knowledge in the information security and assurance field. Attempting to take the best ideas from around the security assessment field has enlightened me on just how much information is out there to study and comprehend. I hope to take my education and enter the information security field with humble ideas in which I may support large industry in completing their business goals.


References

Herrmann, D. (2007). Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI. Boca Raton, NY: Auerbach Publications, Taylor & Francis Group.

Hiles, A. (2007). The Definitive Handbook of Business Continuity Management (2nd ed.). West Sussex, England: John Wiley & Sons, Ltd.

Ponemon Institute LLC. (2014, October). 2014 Global Report on the Cost of Cyber Crime. Ponemon Institute Research Report. Retrieved from http://h20195.www2.hp.com/v2/getpdf.aspx/4AA5-5207ENW.pdf?ver=1.0

Purpura, P. (2008). Security and Loss Prevention: An Introduction (5th ed.). San Diego, CA: Elsevier Inc.

Sims, S. (2012, May 3). Qualitative vs. Quantitative Risk Assessment. Leadership Laboratory. Retrieved from http://www.sans.edu/research/leadership-laboratory/article/risk-assessment

Taylor, L. (2014). Practical Enterprise Risk Management: How to Optimize Business Strategies Through Managed Risk Taking. Philadelphia, PA: Kogan Page.


Tenable Network Security. (2014, November). Tenable Solutions for the Cyber Hygiene Campaign (rev. 1). Tenable Network Security, Inc. Retrieved from http://www.tenable.com/whitepapers/tenable-solutions-for-the-cyber-hygiene-campaign

White, J. M. (2014). Security Risk Assessment: Managing Physical and Operational Security. Waltham, MA: Elsevier Inc.


Appendix A: Technical Terms

Attacker – See Hacker.

Breach – An event wherein information is disclosed unintentionally. Also known as a leak.

Bugs – See Vulnerability.

Comprehensive Framework – A complete set of instructions that enables the support of an informational system.

DISA ACAS – Defense Information Systems Agency Assured Compliance Assessment Solution. In-depth information can be found at http://disa.mil/cybersecurity/network-defense/acas.

DOD – United States Department of Defense. In-depth information can be found at http://www.defense.gov/.

Hacker – An individual who attempts to exploit vulnerabilities in an information system. A hacker is ethical or unethical only based upon the purpose and authorization of their actions.

ISO – International Organization for Standardization. In-depth information can be found at http://www.iso.org/iso/home.html.

ISSAF – Information System Security Assessment Framework. In-depth information can be found at http://www.oissg.org/.

Log – A document that is populated with events that occur on an information system.

Network Analysis – The process of identifying and separating an informational network into its parts and labeling each part with its designated process, enabling an overview of the whole network.


Network Flow – Describes how information moves through a given information system.

NIST – National Institute of Standards and Technology. In-depth information can be found at http://www.nist.gov/index.html.

N-tier – Otherwise known as multitier architecture, a distributed approach to information systems design. This structure enables the creators and administrators of these systems to separate the processes in the network, leading to a more secure working environment and possibly a faster flow of information. In-depth information can be found at http://www.webopedia.com/quick_ref/app.arch.asp.

OSSTMM – Open Source Security Testing Methodology Manual. In-depth information can be found at http://www.isecom.org/research/osstmm.html.

OWASP – Open Web Application Security Project. In-depth information can be found at https://www.owasp.org/index.php/Main_Page.

PCI – The PCI website states (2015), "The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection." In-depth information can be found at https://www.pcisecuritystandards.org/.

Penetration Test – A test to verify the vulnerabilities discovered or identified during a security assessment. Successful exploitation of a vulnerability yields an associated risk factor for each successful exploit.

PTES – Penetration Testing Execution Standard. In-depth information can be found at http://www.pentest-standard.org/index.php/Main_Page.


Scanner – An automated utility used to audit information networks. Utilizing one or more scanners helps enumerate the informational network being assessed. A scanner is used in Network Analysis.

Security Assessment – The process of utilizing procedures to audit business practices for the purpose of discovering and identifying the status of the targeted information system. In-depth information can be found at http://csrc.nist.gov/groups/SMA/fisma/assessment.html.

Security Hole – See Vulnerability.

Security Mindset – A thought process wherein individuals or organizations apply the skill of thinking about information from the perspective of an attacker in order to develop business practices that stop resources from being vulnerable. In-depth information can be found at https://www.schneier.com/blog/archives/2008/03/the_security_mi_1.html.

System Model – The idea of system models stems from systems theory, and system models are created using systems theory. These models are used to run businesses more efficiently and securely. In-depth information can be found at http://pespmc1.vub.ac.be/SYSTHEOR.html.

Technology Company – A company involved in selling and developing technical services or devices. In-depth information can be found at http://financial-dictionary.thefreedictionary.com/Technology+Company.

Vulnerability – A flaw in the information structure of the business. In-depth information can be found at http://us.norton.com/security_response/vulnerabilities.jsp.


White Paper – An informational guide about a complex issue. A white paper is used to help its readers understand the issue under discussion from the author's perspective. In-depth information can be found at https://owl.english.purdue.edu/owl/resource/546/1.