Copyright 2000, Marchany

Forging Partnerships Between Auditors and Security

Managers: Breakthrough Methods That Work

Randy Marchany

VA Tech Computing Center

Blacksburg, VA 24060

Randy.Marchany@vt.edu

540-231-9523JCSC 2000

Copyright 2000, Marchany

Copyright 2000, Marchany

Copyright 2000, Marchany

Copyright 2000, Marchany

Copyright 2000, Marchany

Copyright 2000, Marchany

Copyright 2000, Marchany

The Auditor’s Goals

Ensure Assets are protected according to company, local,state and federal regulatory policies.

Determine what needs to be done to ensure the protection of the above assets.

Make life miserable for sysadmins…:-)– Not really. They can save a sysadmin if a

problem occurs.

Copyright 2000, Marchany

The Sysadmin’s Goals

Keep the systems up. Keep users happy and out of our hair. Keep auditors at arms’ length. Get more resources to do the job properly. Wear jeans or shorts to work when

everyone else has to wear suits…….

Copyright 2000, Marchany

The Sysadmin’s Audit Strategy

Turn a perceived weakness (the audit) into a strength (security checklists).

Develop a set of reporting matrices that can be used as audit reports or justification for security expenditures.

The above info can be used to help develop your incident response plan.

Copyright 2000, Marchany

The Committee

Management and Technical Personnel from the major areas of IS– University Libraries– Educational Technologies– University Network Management Group– University Computing Center– Administrative Information Systems

Copyright 2000, Marchany

The Committee’s Scope Information Systems Division only Identified and prioritized Assets

– RISKS associated with those ASSETS– CONTROLS that may applied to the ASSETS to

mitigate the RISKS Did NOT specifically consider assets outside IS

control. However, those assets are included as clients when considering access to assets we wish to protect

Copyright 2000, Marchany

The Committee’s Charge

From our VP for Information Systems “Establish whether IS units are taking all

reasonable precautions to protect info resources and to assure the accurate & reliable delivery of service”

“Investigate and advise the VPIS as to the security of systems throughout the university….Provide documentation of the security measures in place.”

Copyright 2000, Marchany

Identifying the Assets

Compiled a list of IS assets (+100 systems) Categorize them as critical, essential, normal

– Critical - VT can’t operate w/o this asset for even a short period of time.

– Essential - VT could work around the loss of the asset for up to a week. The asset needs to be returned to service asap

– Normal - VT could operate w/o this asset for a finite period but entities may need to identify alternatives.

Copyright 2000, Marchany

Prioritizing the Assets

The network(router, bridges, cabling, etc.) was treated as a single entity and deemed critical.

X assets were classified as critical and then rank ordered using a matrix prioritization technique. Each asset was compared to the other and members voted on their relative importance. Members could split their vote.

Copyright 2000, Marchany

Identifying the Risks

A RISK was selected if it caused an incident that would:– Be extremely expensive to fix– Result in the loss of a critical service– Result in heavy, negative publicity especially

outside the university– Have a high probability of occurring.

Risks were prioritized using matrix prioritization technique.

Copyright 2000, Marchany

Mapping Risks and Assets

We built a matrix that maps the ordered list of critical assets against the ordered list of risks regardless of whether or not– A particular risk actually applied to the asset– Controls exist and/or already in place.

The matrix provides general guidance about the order each asset/risk is examined. All assets/risks need to be examined eventually.

Copyright 2000, Marchany

Identifying Controls

Specific controls identified by the committee were put in a matrix

The controls were then mapped against a list of risks and in those cells are the control ids that can mitigate a particular risk for a particular asset.

Copyright 2000, Marchany

Recommendations The process recommends a general order which IS should

apply scarce resources to perform a cost benefit analysis for the various assets & risks.

For each asset, as directed by mgt, appropriate staff should:

– Review the risks & controls– Add any further risks/controls not identified– Assess the potential cost of an incident– Assess the cost of control purchases and deployment– Analyze cost vs. benefit for each asset– Submit results to mgt which retains the responsibility to weigh

investments and make implementation decisions

Copyright 2000, Marchany

References

http://security.vt.edu www.sans.org www.nipc.gov www.jmu.edu/info-security www.cornell.edu/CPL www.securityfocus.com www.insecure.org

Copyright 2000, Marchany

APPENDIX 1

The following matrices are examples of your matrix reports– Exhibit A (ASSET Matrix)– Exhibit B (ASSET WEIGHT Matrix)– Exhibit C (RISKS Matrix)– Exhibit D (RISK WEIGHT Matrix)– Exhibit E (ASSET-RISK Matrix)– Exhibit F (CONTROLS Matrix)

Copyright 2000, Marchany

APPENDIX 2

• The following spreadsheets are the compliance reports.

• Overall Compliance Report that lists the general vulnerabilities a system has. This is a quick 1 page report for mgt. or the auditors.

• Asset/Risk Matrix list whether a system is affected by a risk. The risks are more specific.

• Controls Matrix lists what controls are in place for a given system.

• Individual Action Matrix lists the details of an audit for each node. Did the system comply?

Copyright 2000, Marchany

APPENDIX 3 The following checklist gives the detailed

commands to be performed in the “audit”. The categories are based on the Risk Matrices in

Appendix 1. The results of the checklist commands are

inserted in the Compliance matrices of Appendix 2.

This checklist and the matrices form the overall audit/security checklist package.

Copyright 2000, Marchany

APPENDIX 4

Your company’s response policy will dictate the degree of audit record keeping you’ll have to maintain.

There are 2 strategies: – Protect and Proceed– Pursue and Prosecute

Copyright 2000, Marchany

Incident Handling:Protect and Proceed?

- Which strategy should your organization follow to handle an incident? This dictates the level of record keeping needed to fulfill the strategy. (RFC2196) - the protection and preservation of site facilities - return to normal operations as soon as possible - actively interfere with intruder attempts - begin immediate damage assessment and recovery

Use if: - assets are not well protected - continued penetration could result in financial risk - possibility or willingness to prosecute is not present - user community is unknown - unsophisticated users and their work is vulnerable - the site is vulnerable to lawsuits from users if their resources are undermined

Copyright 2000, Marchany

Incident Handling:Pursue and Prosecute?

- allow intruders to continue their activity until the site can identify them. This is recommended by law enforcement agencies

- Use if:

- system assets are well protected - good backups are available - Asset risks are outweighed by risk of future penetrations - it's a concentrated and frequent attack - the site has a natural attraction to intruders, e.g. university, bank - the site is willing to spend the money and risk to catch the guy - intruder access can be controlled - well-developed monitoring tools are available - you have a technically competent support staff - management is willing to prosecute - system administrators know in general what evidence will aid in prosecution - there is established contact with law enforcement agencies - the site has involved their legal staff