i nformation t echnology s ecurity s ervices recon risk evaluation of computers and open networks...
TRANSCRIPT
![Page 1: I NFORMATION T ECHNOLOGY S ECURITY S ERVICES RECON Risk Evaluation of Computers and Open Networks Developed by Kirk Soluk University of Michigan Information](https://reader035.vdocuments.site/reader035/viewer/2022062800/56649e115503460f94afdad7/html5/thumbnails/1.jpg)
INFORMATIONTECHNOLOGYSECURITYSERVICES
RECONRisk Evaluation of Computers and Open Networks
Developed by
Kirk SolukUniversity of Michigan
Information Technology Security Services
![Page 2: I NFORMATION T ECHNOLOGY S ECURITY S ERVICES RECON Risk Evaluation of Computers and Open Networks Developed by Kirk Soluk University of Michigan Information](https://reader035.vdocuments.site/reader035/viewer/2022062800/56649e115503460f94afdad7/html5/thumbnails/2.jpg)
INFORMATIONTECHNOLOGYSECURITYSERVICES
2
Risk Assessment Drivers
• No such thing as perfect security• Need to balance effectively risk against other factors• Need a foundation for well-informed decisions that
justify IT expenditures• Regulations
The entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework.This decision will depend on a variety of factors, such as, among others, the entity’s risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation.
- HIPAA Security Rule
![Page 3: I NFORMATION T ECHNOLOGY S ECURITY S ERVICES RECON Risk Evaluation of Computers and Open Networks Developed by Kirk Soluk University of Michigan Information](https://reader035.vdocuments.site/reader035/viewer/2022062800/56649e115503460f94afdad7/html5/thumbnails/3.jpg)
INFORMATIONTECHNOLOGYSECURITYSERVICES
3
Why RECON?
• Facilitate consistent decisions across the University Especially when combined with data classification
• Facilitate rollup of results So the University’s overall security posture can be measured
• “Michiganize”• Outsourcing misses the point
Security issue #1: The Business-Trust Divide
• Leverage University expertise Training Address risk assessment requirements of all regulations at
once …
To be more effective, security professionals must learn how to speak the language of the businesses they serve - Meta Group Practice 2104: The Top 10 Security Issues
![Page 4: I NFORMATION T ECHNOLOGY S ECURITY S ERVICES RECON Risk Evaluation of Computers and Open Networks Developed by Kirk Soluk University of Michigan Information](https://reader035.vdocuments.site/reader035/viewer/2022062800/56649e115503460f94afdad7/html5/thumbnails/4.jpg)
INFORMATIONTECHNOLOGYSECURITYSERVICES
4
All regulations legislate similar best practices
SOXSOX FERPA FERPA HIPAAHIPAA GLBAGLBA
One Common Risk Assessment Methodology (RECON)One Common Risk Assessment Methodology (RECON)
SOXSOX FERPA FERPA HIPAAHIPAA GLBAGLBA
SOX RASOX RAProcessProcess
FERPA RAFERPA RAProcessProcess
HIPAA RAHIPAA RAProcessProcess
GLBA RAGLBA RAProcessProcess
YouYou
YouYou
![Page 5: I NFORMATION T ECHNOLOGY S ECURITY S ERVICES RECON Risk Evaluation of Computers and Open Networks Developed by Kirk Soluk University of Michigan Information](https://reader035.vdocuments.site/reader035/viewer/2022062800/56649e115503460f94afdad7/html5/thumbnails/5.jpg)
INFORMATIONTECHNOLOGYSECURITYSERVICES
5
What is RECON?
• Derived from ISO 17799 (2005) NIST 800-53 not available at the time
• A Questionnaire (Excel Spreadsheet) Built-in Risk analysis Logic & Visualization
• A Set of Security Tests
• A Template for Reporting ResultsA Risk Assessment Facilitator (IT Security Professional) leverages these RECON components to identify risks and potential mitigation strategies and to present/discuss this information with unit leadership. Unit leadership is responsible for approving the final risk treatment decisions
![Page 6: I NFORMATION T ECHNOLOGY S ECURITY S ERVICES RECON Risk Evaluation of Computers and Open Networks Developed by Kirk Soluk University of Michigan Information](https://reader035.vdocuments.site/reader035/viewer/2022062800/56649e115503460f94afdad7/html5/thumbnails/6.jpg)
INFORMATIONTECHNOLOGYSECURITYSERVICES
6
RECON Process Flow
![Page 7: I NFORMATION T ECHNOLOGY S ECURITY S ERVICES RECON Risk Evaluation of Computers and Open Networks Developed by Kirk Soluk University of Michigan Information](https://reader035.vdocuments.site/reader035/viewer/2022062800/56649e115503460f94afdad7/html5/thumbnails/7.jpg)
INFORMATIONTECHNOLOGYSECURITYSERVICES
7
Scope is critical
• Provides the context within which the RECON questions are answered Don’t combine systems with different security
requirements in the same assessment If the answer for one system in scope is “No”,
the answer is “No” for the entire scope.
• Focus is on Systems that process “sensitive” information Mission critical systems
![Page 8: I NFORMATION T ECHNOLOGY S ECURITY S ERVICES RECON Risk Evaluation of Computers and Open Networks Developed by Kirk Soluk University of Michigan Information](https://reader035.vdocuments.site/reader035/viewer/2022062800/56649e115503460f94afdad7/html5/thumbnails/8.jpg)
INFORMATIONTECHNOLOGYSECURITYSERVICES
8
The RECON Questionnaire
• 219 questions about 54 control objectives in 11 different areas: 1. Organizational Security 2. Asset Management 3. Human Resources Security 4. Physical and Environmental Security 5. Operations 6. Network Security 7. Access Control 8. Host Security 9. Data Security 10. Incident Management 11. Business Continuity
![Page 9: I NFORMATION T ECHNOLOGY S ECURITY S ERVICES RECON Risk Evaluation of Computers and Open Networks Developed by Kirk Soluk University of Michigan Information](https://reader035.vdocuments.site/reader035/viewer/2022062800/56649e115503460f94afdad7/html5/thumbnails/9.jpg)
INFORMATIONTECHNOLOGYSECURITYSERVICES
9
Network Security Area Example:25 questions about 7 control objectives
• 6. Network Security 6.1 Perimeter Security
6.1.1 A firewall (or equivalent mechanism) exists between your unit's (or department's) network, other University networks, and public networks such as the Internet
6.1.2 The firewall (or equivalent mechanism) uses a "default deny" posture where all access that is not explictly allowed is automatically denied
6.1.3 Firewall changes are subject to a formal approval process 6.2 User authentication for external connections
6.2.1 Access to the internal network by remote users is subject to user authentication
6.2.2 Users are authorized (out of band) before they are allowed to access the internal network from remote locations
6.3 Authorization process for information processing facilities 6.3.1 New systems must be authorized by management before they can be
connected to the network 6.3.2 Rogue System Detection
... 6.7 Intrusion detection
![Page 10: I NFORMATION T ECHNOLOGY S ECURITY S ERVICES RECON Risk Evaluation of Computers and Open Networks Developed by Kirk Soluk University of Michigan Information](https://reader035.vdocuments.site/reader035/viewer/2022062800/56649e115503460f94afdad7/html5/thumbnails/10.jpg)
INFORMATIONTECHNOLOGYSECURITYSERVICES
10
RECON Questionnaire Responses
• For each question, two responses are needed: Are there policies and/or procedures requiring the control? Is the control operationally implemented? Answers: "Yes", No", "n/a", "n/r"
Industry Standard Best Practices
derived from ISO 17799:2005
Response 1:Documented
Policies, Procedures, Guidelines
Response 2:Implementation/
Operations
![Page 11: I NFORMATION T ECHNOLOGY S ECURITY S ERVICES RECON Risk Evaluation of Computers and Open Networks Developed by Kirk Soluk University of Michigan Information](https://reader035.vdocuments.site/reader035/viewer/2022062800/56649e115503460f94afdad7/html5/thumbnails/11.jpg)
INFORMATIONTECHNOLOGYSECURITYSERVICES
11
RECON Security Tests
• Used to answer specific RECON questions accurately. For example, Do you have a password policy that prevents dictionary words? Have you minimized the attack surface of of your hosts Is your firewall configured as expected? Are your systems up to date with respect to patches? Etc.
• Current RECON Test Suite Attack Surface Enumeration Password Audit Account Security Firewall Security War walking RAS Authentication Encryption Verification Vulnerability Scanning
![Page 12: I NFORMATION T ECHNOLOGY S ECURITY S ERVICES RECON Risk Evaluation of Computers and Open Networks Developed by Kirk Soluk University of Michigan Information](https://reader035.vdocuments.site/reader035/viewer/2022062800/56649e115503460f94afdad7/html5/thumbnails/12.jpg)
INFORMATIONTECHNOLOGYSECURITYSERVICES
12
Risk Analysis
• Answers to the questions determine the degree to which best practice security controls are adopted
• Risk is proportional to the lack of control adoption• Both documentation and implementation are considered in
the risk calculation Implementation weighs more
Documented?
Implemented?
Summary Risk
7.7 Removal of access rights 80%7.7.1 Access rights are removed upon
termination of employment, contract, or agreement
No Yes 60%
7.7.2 Personnel files are periodically matched with user accounts to ensure that terminated or transferred individuals do not retain access to systems
No No 100%
7.8 Unattended user equipment
![Page 13: I NFORMATION T ECHNOLOGY S ECURITY S ERVICES RECON Risk Evaluation of Computers and Open Networks Developed by Kirk Soluk University of Michigan Information](https://reader035.vdocuments.site/reader035/viewer/2022062800/56649e115503460f94afdad7/html5/thumbnails/13.jpg)
INFORMATIONTECHNOLOGYSECURITYSERVICES
13
Risk Identification and Prioritization
•Focus on Severe and High Risk controls identified in the RECON Questionnaire
•In the RECON Report Template, severe and high-risk controls are referred to as Non-existent and in Need of major improvement respectively
![Page 14: I NFORMATION T ECHNOLOGY S ECURITY S ERVICES RECON Risk Evaluation of Computers and Open Networks Developed by Kirk Soluk University of Michigan Information](https://reader035.vdocuments.site/reader035/viewer/2022062800/56649e115503460f94afdad7/html5/thumbnails/14.jpg)
INFORMATIONTECHNOLOGYSECURITYSERVICES
14
RECON Report
• Description of scope• Systems & Applications
• Description of methodology
• Detailed list of severe and high risks along with mitigation strategies
• Appendix lists every accepted risk
• Executive summary
![Page 15: I NFORMATION T ECHNOLOGY S ECURITY S ERVICES RECON Risk Evaluation of Computers and Open Networks Developed by Kirk Soluk University of Michigan Information](https://reader035.vdocuments.site/reader035/viewer/2022062800/56649e115503460f94afdad7/html5/thumbnails/15.jpg)
INFORMATIONTECHNOLOGYSECURITYSERVICES
15
Further Action
• It is the responsibility of the Risk Assessment Facilitator to educate unit leadership about the risks and to make recommendations
• It is the responsibility of Unit Leadership to make the final business (i.e. risk) decisions: Mitigate at some (approved) cost OR Continue to accept the current risk
![Page 16: I NFORMATION T ECHNOLOGY S ECURITY S ERVICES RECON Risk Evaluation of Computers and Open Networks Developed by Kirk Soluk University of Michigan Information](https://reader035.vdocuments.site/reader035/viewer/2022062800/56649e115503460f94afdad7/html5/thumbnails/16.jpg)
INFORMATIONTECHNOLOGYSECURITYSERVICES
16
RECON Process Summary
![Page 17: I NFORMATION T ECHNOLOGY S ECURITY S ERVICES RECON Risk Evaluation of Computers and Open Networks Developed by Kirk Soluk University of Michigan Information](https://reader035.vdocuments.site/reader035/viewer/2022062800/56649e115503460f94afdad7/html5/thumbnails/17.jpg)
INFORMATIONTECHNOLOGYSECURITYSERVICES
17
RECON Case Study Effort
• Scope Complete (14 hours) 3 x 1hour “kick-off” meetings to understand the major apps 3 x 1hour “investigative” meetings to refine scope and network diagram 1 x 8 hour drawing diagrams and filling in scope details
• Questionnaire Complete (20 hours) 1 x 1hour meeting with HR 7 x 2hour technical meetings (Lot’s of working lunches) 5 x 1hour “follow-up” meetings
• Test Complete (60 hours) 3 x 1hour meetings for securing authorization 3 x 8hours for network scanning (50 hosts x 5 networks) 3 x 8hours for other tests 3 x 1hour meetings for verifying results 3 x 2hour meetings for analyzing results
• Total (94 Hours) ~2.5 full-time weeks spread over a 2 month period Doesn’t count time to write final report!
![Page 18: I NFORMATION T ECHNOLOGY S ECURITY S ERVICES RECON Risk Evaluation of Computers and Open Networks Developed by Kirk Soluk University of Michigan Information](https://reader035.vdocuments.site/reader035/viewer/2022062800/56649e115503460f94afdad7/html5/thumbnails/18.jpg)
INFORMATIONTECHNOLOGYSECURITYSERVICES
18
RECON Experience
• 104 + 17 RECON assessments in ITS 101 Campus Computer Security training course (2005 - present)
• GLBA was a driver for several wide-ranging assessments 1. Student Financial Operations - Higher Education
Production Systems in MAIS. 2. Student Accounts - i.e. Financial Aid Systems 3. UM Dearborn Financial Systems 4. UM Flint Financial Systems
UM Flint risk assessment provided the foundation for Flint's annual IT appropriations request.
![Page 19: I NFORMATION T ECHNOLOGY S ECURITY S ERVICES RECON Risk Evaluation of Computers and Open Networks Developed by Kirk Soluk University of Michigan Information](https://reader035.vdocuments.site/reader035/viewer/2022062800/56649e115503460f94afdad7/html5/thumbnails/19.jpg)
INFORMATIONTECHNOLOGYSECURITYSERVICES
19
RECON Experience
• 5. The UM Windows Forest The UM Windows Forest assessment
resulted in the formation of a technical committee from four major units (Engineering, Business, LSA, Housing) that unanimously endorsed and will soon be presenting to the Forest IT Directors a request for 15 major security enhancements.