Posts Tagged ‘Risk Assessment’


Whether defending against common malware or a determined nation state, being able to proactively detect attacks and changes in the organization is required.  The past year I spent a large amount of time helping several organizations set up and put in place the right people, processes, and technology to help defend against increasing security threats.  Although many of these organizations spend millions of dollars on technology and hire staff to monitor security 24/7, they were still lacking two fundamental items.

  1. The people, although good at monitoring, lacked the attack and threat mindset.  The staff were not able to figure out when an actual attack was happening.
  2. The organizations lacked the basic security operations processes required to keep track of, and make appropriate use of, the vast amounts of data.

As a result I spent the past few months developing a whitepaper that specifically addresses the primary components of a SOC.  It can be used to help organizations set up a centralized core and embark on developing the correct operational processes.  Although it does not address item number one above, the paper explains the following in detail.

  • Defining the SOC
  • Determining the Processes
  • Understanding the Environment that needs to be protected
  • Identifying the SOC Customers
  • Staffing the SOC
  • Managing the Events
  • Leveraging ITIL compliance

Creating and Maintaining a SOC – The details behind successful Security Operations Centers

If your organization is under attack and you have invested in more people and technology, be sure to implement the right processes and build a foundation for future defense.


Over the past three weeks an ongoing LinkedIn thread titled “Shall we trust our employees or not?” has continued to be a hot topic of debate. There simply appears to be no agreement among the contributors.  Trust is relative.  You can always trust an employee or an organization; the key is to what extent. You can also trust that particular characteristics or actions will be repeated by each entity.  For example, some employees will always keep a secret while others will always tell at least one other person.  Therefore, you can trust one person to keep a secret and you can equally trust the other person to tell your secret.  Simply put, it is behavior and action observed over time that should be used to build the trust model.

When referring to trust among organizations, Section 2.6.1, Establishing Trust Among Organizations, in NIST SP 800-39 provides the best explanation.

Parties enter into trust relationships based on mission and business needs. Trust among parties typically exists along a continuum with varying degrees of trust achieved based on a number of factors. Organizations can still share information and obtain information technology services even if their trust relationship falls short of complete trust. The degree of trust required for organizations to establish partnerships can vary widely based on many factors including the organizations involved and the specifics of the situation (e.g., the missions, goals, and objectives of the potential partners, the criticality/sensitivity of activities involved in the partnership, the risk tolerance of the organizations participating in the partnership, and the historical relationship among the participants). Finally, the degree of trust among entities is not a static quality but can vary over time as circumstances change.

 


Almost one week after the Hurricane Sandy disaster, this is the scene within at least a 50 mile radius north of Manhattan.  New Jersey, which was hit harder, is probably much worse considering gas rationing is now in effect.

December 2007 Posting

On December 19th, 2007, InfoSecAlways posted a blog article on Disaster Recovery Alternate Site Distances.   That posting cited the recommended distance for preparing for a hurricane: the external study suggested an 85 mile radius, and InfoSecAlways suggested increasing that distance to 210 miles.  If Sandy was only a Category 1 hurricane and the Tri-state area is affected as far north as Bridgeport, CT, then 85 miles is absolutely not acceptable.  Even gas is hard to get within that 85 mile radius.

One item that was not discussed in the previous blog article was gasoline.  For the past 4 days this has been the same picture everywhere at least 50 miles north of Manhattan.  This station in particular has had a tanker delivery every day for the past 3 days, and each night it runs out of gas late in the evening.  In New Jersey and Staten Island there are stories about gas being siphoned from tanks and generators being stolen.  The situation appears to get worse daily and the lines even longer.

A gasoline crisis affects both individuals and corporations.  Employees will not show up to work out of fear of theft or of running out of gas, especially if they have power issues that require a generator.  Individuals will be forced to deal with personal matters and work becomes secondary.   A business that operates as a supply chain, taxi, or delivery organization, and is therefore dependent on transportation, may find it very difficult to operate due to lack of gas or increased traffic resulting from the lines.

What to do?

Unfortunately gas is an absolute requirement for both individuals and corporations to operate effectively.  Individuals should know several things that can help in the event of a disaster.

Siphoning gas is difficult on most new cars, which contain a siphon screen that prevents hoses from going into the tank.  In dire situations removing the fuel filter allows access to the gas.  Remember that lawn mowers and other household items may have gas if needed.

Generators and gas tanks will get stolen.  Staying in a disaster zone is not recommended, even within a few days after the disaster.  Wait at the alternate location for several days until power is restored, supply chains can provide food, and any other immediate crisis has been resolved.

Corporations, on the other hand, will need to provide an alternate means of connectivity for office and technology based jobs.  Use a good mobile provider that can bring a generator to the corporate office or enable the business to connect at a remote location.  Organizations like Agility Recovery are experts at providing these services and other mobile solutions.

Corporations that require gasoline to operate the business should have conducted the proper analysis and considered the supply of gasoline a mission critical process.  As a result these businesses must purchase a series of large tanks and should consider owning their own gas stations with backup supply chains in place.  These supply tanks and stations must be protected with the proper physical security mechanisms, such as anti-siphon devices on tanks and secure fencing around the stations.

Recommended Distance

Gas is a critical resource, and the effects during a hurricane can be substantial since it is required for heat, food, transportation, and much more.  Based on Hurricane Sandy, the distance required to provide a solid gasoline supply chain is around a 100 mile radius from the center point of the storm.  Both employees and corporations need to consider the type of disaster and its radius.  The radius should be considered for all resources and the supply chain for those resources.  Otherwise things may come to a halt when there is no gas left to buy at the station.


Lock picking has long been a method of gaining access to information.  Professionals engaged in physical security reviews or social engineering assessments are currently the main security professionals using these methods.  We have all picked the weak file cabinet lock at work or maybe even jiggled a key of a similar type to get through a door, but how important is it really for security professionals to know this skill?

Having recently purchased a lock pick set and several training locks, I found it was extremely easy to pick the locks.  I went through a 6-lock training package in just a few minutes and then an advanced 4-lock set in even less time.  I had read a lot prior to the purchase and had even made picks out of street cleaner bristles, but had very little practical knowledge.  After moving on to Master locks, etc., I found it a little more difficult initially, but if you just sit down watching TV and practice picking the lock, it becomes easy after a while.  Now, there are some very complex locks, and I continue to learn and understand more about them.   In any event, unless the lock implements very strong controls, picking it is done easily.

It is important that security professionals understand lock picking in order to grasp the risk.  Many professionals only talk security and don’t really practice it.  The auditor comes in and says you need to put in badge readers because there is no accountability, etc.  These people really don’t understand the simplicity of lock picking or the real weakness.  Not that I’m anywhere near a professional at it.

  • How many locks at your work environment are key locks?
  • Is there sensitive information in these areas?

As professionals we should not underestimate the simplicity of lock picking.  If you are serious about security, you really need to get some lock picking practice and understand the risks associated with standard locks.

If you are interested in learning more, you can learn lock picking at Defcon and ShmooCon.

In addition, if you continue with it as a hobby, I would recommend becoming a member of the following site.

http://www.lockpicking101.com/


This is a topic that has generated a great deal of traffic on the LinkedIn “Governance, Risk and Compliance Management (GRC)” group.  If you are a member I recommend you read through the comments; if not, you should consider joining.  This is a cross post, slightly modified, of my answer to this question, so forgive the double traffic if you are a member.

I was shocked that no one had mentioned the size and financial ability of the company, so this addresses both small and large corporations, with and without money allocated to security.

If the company is 300 people and has very little money, then usually the starting point is convincing management why money needs to be directed towards an assessment rather than towards doing something immediately tangible. Obtaining management support through some shock and awe factor will help get buy in, and then you can do a risk assessment. That assessment should provide a roadmap and serve as the strategic plan.

If the company is more mature and financially stable, I agree with several of the current comments, which suggested some type of risk assessment (RA) framework or COSO control framework. The typical starting point is conducting some type of strategic risk assessment: something that reviews all of the organization’s assets, the threats to them, and their vulnerabilities. This assessment should start the program by prioritizing each security effort based on risk. One of the action items from this assessment, if it doesn’t already exist, should be to put a control framework (an ISMS) in place.

Once the prioritized roadmap is created and a control structure is in place, these two items can be put into a baseline and measured over time, and each control area can have individual metrics. As the risk management program grows, the next step will be to build a project or application based risk approach in addition to the strategic risk assessment. The focus of this secondary assessment approach is to rapidly assess projects and determine the level of security review required at the project level. Some projects will require more based on their risk (i.e. type of data, etc.).


What do you think? Is this another useless assessment methodology, great idea, or a platform for vendors to sell products?

I recently went to the 2nd Annual BITS Shared Assessments event in Chicago. http://www.sharedassessments.org/

I found the event driven mostly by product vendors, a few assessment firms, and some footprint from the banking industry. Between the time of the event and now I was able to deliver an engagement, and as a result of the conference and this delivery I have the following comments.

  1. Many assessors are using older versions of the SIG and still have not adopted 4.2.
  2. Product vendors have incorporated many of the features and appear to be pushing the solution the most.
  3. The current AUP and SIG are fairly decent, but the overall solution still needs to mature greatly. I found that several of the AUPs were incorrect or missing. I have yet to consolidate all my comments; however, I emailed the main contact on the site. Currently comments are submitted one by one. I don’t want to enter them one by one; thus, I haven’t submitted, as I’m still waiting for a response after several weeks.
  4. The current scoping and process for delivery is underestimated. My experience shows that you will have to set strict guidelines on the number of follow up conversations and have a cut off for evidence. Otherwise the entity being assessed will continue to try to justify that they have the appropriate controls in place.
  5. There are plans for mapping to other compliance regulations. I have many more comments about this solution, but mostly I’m seeing customers use only the SIG Lite or SIG Level 2.

I see this as holding a place in the third party assessment realm for an organization. I’m wondering: is anyone else using the Shared Assessments? What are your thoughts? Will this solution grow and be used like PCI even though it doesn’t have the formal backing that PCI has?


I came across an interesting blog post about application risk assessment today, so I wanted to highlight some of the different approaches in response.

Blog Post:

In the blog post, Chris’s approach seems somewhat like threat modeling, which is typically used for code reviews.  In general he covers a large part of the important content but doesn’t address the real issue of risk: cost versus risk.  I hope to address that here and explain the two major methods used extensively: threat modeling and the NIST/OCTAVE asset based approach.

 

Threat Modeling Approach

Threat modeling is basically the ongoing risk assessment process that covers the entire Software Development Lifecycle.

Strategic Approach

From a managerial risk assessment perspective, I would take a different view, using a strategic NIST/OCTAVE approach that asks:

  1. What are the assets? (i.e. information, applications, hardware, etc.)
  2. What are the threats? (i.e. data contamination, malicious code, equipment failure, etc.)
  3. What are the vulnerabilities? (i.e. no security training for developers, lack of a formal SDLC, no development standards, no security requirements, no security testing, etc.)

Within the vulnerabilities I would roll up any identified tactical findings into strategic issues.  For example, software code with clear text passwords may point to a poor encryption policy, a lack of standards, or a lack of proper classification policy and controls around passwords.

 

Overall, using this strategic approach helps us determine which assets in the entire application architecture/environment have the highest risk so that we can mitigate accordingly.  In the long run this approach should save cost.  We really wouldn’t want to spend $40,000 on a code review for each application when we know that none of the developers have security training and we have no secure development standards.  With perhaps 30 applications across the enterprise, this money is strategically better spent on training.  We can then perform a sample checkup and measure progress, comparing how we perform before and after the training.  This will be the most cost effective approach and produce metrics that can be delivered to executive management.
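As an added example, not code from the original post or from the blog it responds to, the roll-up and the cost-versus-risk comparison above worked through in a small Python script.  The findings, the 1-3 scales, the treatment costs and the effectiveness fractions are constructed assumptions; only the $40,000 per-application code review and the 30-application estate are taken from the text.

```python
"""Roll tactical application findings up into strategic root causes, then
rank remediation options by cost per unit of risk removed.

All findings, scales, treatment costs and effectiveness fractions are
constructed sample data (assumptions); only the $40,000 x 30 applications
code-review figure comes from the post.
"""
from collections import defaultdict
from dataclasses import dataclass

# Qualitative 1-3 scales (assumption); risk score = likelihood x impact, 1..9.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    app: str
    issue: str
    root_cause: str      # strategic issue this tactical finding rolls up to
    likelihood: str
    impact: str

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


@dataclass(frozen=True)
class Treatment:
    name: str
    cost: int
    # root cause -> assumed fraction of that root cause's risk the treatment removes
    effect: dict


TRAINING = "no developer security training"
CRYPTO_STD = "no password/crypto standard"
SEC_TEST = "no security testing in SDLC"

# Constructed tactical findings from three of the (assumed) 30 applications.
FINDINGS = [
    Finding("billing", "clear-text passwords in source",      CRYPTO_STD, "high",   "high"),
    Finding("billing", "SQL built by string concatenation",   TRAINING,   "high",   "high"),
    Finding("portal",  "no input validation on file upload",  TRAINING,   "medium", "high"),
    Finding("portal",  "hard-coded API key",                  CRYPTO_STD, "medium", "medium"),
    Finding("hr-app",  "no security test phase",              SEC_TEST,   "high",   "medium"),
    Finding("hr-app",  "verbose stack traces shown to users", TRAINING,   "low",    "low"),
]

# Constructed treatment options; the effect fractions are the judgement call.
TREATMENTS = [
    Treatment("code review of every application", 40_000 * 30,   # figure from the post
              {TRAINING: 0.9, CRYPTO_STD: 0.9}),                  # fixes symptoms app by app
    Treatment("secure development training", 60_000,
              {TRAINING: 0.7, CRYPTO_STD: 0.3}),
    Treatment("password and crypto standard", 15_000,
              {CRYPTO_STD: 0.8}),
    Treatment("security testing phase in the SDLC", 50_000,
              {SEC_TEST: 0.8, TRAINING: 0.2}),
]


def rollup_by_root_cause(findings):
    """Sum tactical risk scores under each strategic root cause."""
    totals = defaultdict(int)
    for f in findings:
        totals[f.root_cause] += f.score
    return dict(totals)


def rank_treatments(findings, treatments):
    """Return (name, risk points removed, cost per risk point), cheapest per
    point first.  A treatment that removes nothing sorts last (infinite cost)."""
    rolled = rollup_by_root_cause(findings)
    ranked = []
    for t in treatments:
        removed = sum(rolled.get(cause, 0) * frac for cause, frac in t.effect.items())
        per_point = round(t.cost / removed, 2) if removed else float("inf")
        ranked.append((t.name, round(removed, 2), per_point))
    return sorted(ranked, key=lambda r: r[2])


if __name__ == "__main__":
    for cause, total in sorted(rollup_by_root_cause(FINDINGS).items(), key=lambda c: -c[1]):
        print(f"{total:>3}  {cause}")
    for name, removed, per_point in rank_treatments(FINDINGS, TREATMENTS):
        print(f"${per_point:>9,.2f} per risk point  {removed:>5}  {name}")
```

Running it prints the strategic issues by rolled-up risk, then the treatments by cost per risk point removed.  With these assumed numbers the per-application code review removes the most risk in absolute terms but at more than ten times the cost per point of training or a written standard, which is the argument of the paragraph above.  The effect fractions are where the judgement sits: change them and the ranking can change, which is exactly the conversation to have with management.  Re-running the roll-up on a sample of applications after the training is the before/after metric.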


This whitepaper has a good overview of the key components of a risk based security plan, which have been put into practice on several occasions.  It provides good direction with a decent amount of detail.

Site Requires Registration:

The document is about 12 pages, explaining the steps from performing a risk assessment to developing a security plan to determining the security budget.


The BS 31100 Code of practice for risk management is also out in draft form, free to download and review.  This document has the same comment deadline as the BCM draft.

http://www.bsi-global.com/en/Standards-and-Publications/Industry-Sectors/All-Standards/BS/BS-31100-Draft-for-Public-Comment-DPC-/


I came across a pretty good list of topics that auditors ask for in a HIPAA audit.  This is usually the same material looked at during a HIPAA risk assessment.  If you haven’t incorporated all of these topics in your risk assessment, now is a good time to go through the list and update your tactics.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025253&pageNumber=1