Ben Christensen, Senior Compliance Risk Analyst, Cyber Security
Best Practices for Conducting Cyber Security Assessments
June 5, 2014
CIPUG Meeting, Salt Lake City
Agenda
• Why are security assessments important?
• Types of security assessments
• Risks related to security assessments
• Best practices for security assessments
• How security assessments can help with CIP-005 & CIP-007
Benefits to Entities
• Help maintain CIP compliance
• Verify security controls that should already be in place
• Define the risks associated with your cyber security systems and how to mitigate them
• Highlight your controls to help you determine the risk to reliability
Traditional IT assessment vs. security risk assessment
• IT focuses on accidental outages, hardware failures, and uptime
• Security risk assessment is the analysis of issues relating directly to security threats
Types of Assessments
• Security audits
• Policies, procedures, other admin controls
• Change management
• Architectural review
• Penetration tests
• Vulnerability assessments
Security audits
Manual or systematic measurable technical assessment of how the organization's security policy is employed.
Security audits
• Looks at how effectively the security policy has been implemented
• Measures security policy compliance
• Recommends solutions to deficiencies
• May be performed through:
  o Informal self audits
  o Formal IT audits
Components of a security audit
• File system security
• Physical security
• Ports & services
• Installation/configuration
• Security event logging
• Account security
• Backups & disaster recovery
• Network device restrictions
Policies, procedures and other administrative controls
• Security assessment ultimately shows the effectiveness of policies
• Assess your policies to know how effectively they have been implemented
Policies, procedures and other administrative controls
Documents
• What are they?
• How often are they reviewed?
• Is adherence to them acknowledged?
• Who has them?
Training
• Who is trained?
• How often?
• Does it measure effectiveness?
Updates
• Who makes the updates?
• How often are they made?
• How are employees notified?
Change management
• Have you assessed how your change management is doing?
• Are personnel really following it?
• How do you know?
Change management
• Is change management performed on a regular basis?
• Is physical security part of the change management process?
• How are changes approved?
• Where are changes documented?
• Who signs off on the changes?
• Who implements the changes?
Architectural review
• Review network artifacts
  o Network diagrams
  o Security requirements
  o Inventory
• Identify data flows
• Identify controls
• Identify gaps
Architectural review
Firewall review
• Remote access connections
• Process to evaluate the risk of opening ports and services?
Network devices
• Logging enabled?
• Restricted access?
• Remote admin connections?
Current network diagram
• Physical walkthrough
• Trace cables
• Look for modems
Penetration testing
Attacking a computer system to find security weaknesses and to potentially gain access. Warning: penetration tests can have serious consequences for the systems involved!
Penetration testing
Phases of a penetration test:
• Planning & Preparation
• Gather Information & Analysis
• Vulnerability Detection
• Penetration Attempt
• Analysis & Reporting
• Clean Up
Penetration testing
Plan & Prep
• Scope
• Duration
• Decide who to inform
• Legal agreements
Info Gathering & Analysis
• Get info about target
• Network survey
• Port scanning
Vulnerability Detection
• Determine vulnerabilities
• Manual vulnerability scanning
Penetration testing
Penetration Attempt
• Choose targets
• Choose exploit
• Password cracking
• Social engineering
• Physical security
Analysis & Reporting
• Generate report
• Analysis & commentary
• Highlight vulnerabilities
• Summary
• Details
• Suggestions
Clean Up
• Get rid of mess
• List of actions
• Verified by organization
Vulnerability assessments
As documented by SANS, “Vulnerabilities are the gateways by which threats are manifested”. “A vulnerability assessment is a search for these weaknesses/exposures in order to apply a patch or fix to prevent a compromise”.
http://www.sans.org/reading-room/whitepapers/basics/vulnerability-assessment-421
Vulnerability assessments
Steps of a vulnerability assessment:
• Catalog assets
• Assign value and importance
• Identify vulnerabilities or threats
• Mitigate or eliminate vulnerabilities
Vulnerability assessments
• Methods to counteract weaknesses
  o Use baselines
  o Patching
  o Vulnerability scanning
  o Following security advisories
  o Use perimeter defenses
  o Use intrusion detection systems and AV
Vulnerability assessments vs. Penetration test
• Vulnerability Assessment: uncovers the weaknesses and shows how to fix them
• Penetration Test: shows if someone can break in and what information they can get
Which assessment should I use?
• Depends on your requirements and goals
• Security assessment might be too broad
• Penetration test may not identify all vulnerabilities and could cause harm
• Can’t we just do the CVA as required for CIP?
Risks of assessments
• Vulnerability assessment or penetration test might cause instability or harm to systems
• Penetration test might not uncover all your vulnerabilities
• You might incorrectly rely on results and assume you are secure
• Results may not be presented in a way that provides value
Best practices
• Assessment should provide value beyond the raw data
  o Analyze the data to see what it means for your organization
• Identify trends that highlight underlying problems
  o Might reveal a bigger problem
Best practices
• Use a combination of techniques to provide a complete picture of your security
  o No one size fits all
• Use the techniques that best meet your requirements
• Provide answers in your assessment, not just problems
• Share what you learn with employees
  o Bring security to the forefront
CIP-005 and CIP-007
• The assessments presented today can work hand in hand with the CVA
• CIP Standards provide a minimum set of controls
• Consider performing these assessments in conjunction with your CIP-005 and CIP-007 obligations
CVA Checklist
Review process
• Do personnel know about the process?
• Are personnel regularly trained on the process?
• Are personnel following the process?
Current inventory of devices
• How do you account for changes?
• Who updates the inventory?
• Where is it stored?
CVA Checklist
Verify ports and services
• Which tools will be used?
• Are personnel trained on the tools?
• How and where will the raw data be stored?
Discover all access points
• Don’t forget multi-homed devices
• Wireless
• Physical walkthrough
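The "verify ports and services" item above, together with the "use baselines" method listed under vulnerability assessments and the question of how raw data will be stored, can be turned into a repeatable check. The following is an added example, not material from the presentation or from any CIP standard: it compares each device's observed listeners against an approved per-device baseline and records a digest of the raw capture alongside the findings. The device names, the captures, the baseline and the simplified "proto local-address process" capture format are all constructed assumptions; a real run would feed it the output of whatever tool the entity chose.

```python
"""Verify listening ports and services against an approved baseline.

Added example, not part of the presentation. It assumes the assessor has
already captured listening sockets from each device (for example from a
netstat/ss run) in the simplified "proto local-address process" form used
below, and maintains an approved per-device baseline of justified ports.
"""
import hashlib
import re

# Constructed captures, one per device (not real systems).
RAW_CAPTURE = {
    "rtu-01": (
        "tcp 0.0.0.0:22 sshd\n"
        "tcp 0.0.0.0:502 modbusd\n"
        "tcp 0.0.0.0:23 telnetd\n"
        "udp 0.0.0.0:161 snmpd\n"
    ),
    "hmi-02": (
        "tcp 0.0.0.0:3389 TermService\n"
        "tcp 127.0.0.1:5432 postgres\n"
        "udp 0.0.0.0:161 snmpd\n"
    ),
}

# Approved baseline (constructed): the (proto, port) pairs with a documented
# need on each device. Anything else that is listening needs a justification
# or a fix.
BASELINE = {
    "rtu-01": {("tcp", 22), ("tcp", 502), ("udp", 161)},
    "hmi-02": {("tcp", 3389), ("udp", 161)},
}

LINE_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+)$")


def parse_capture(text):
    """Map (proto, port) -> (bind address, process); unparseable lines are skipped."""
    listeners = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header or blank line; do not guess
        proto, addr, port, proc = m.groups()
        listeners[(proto, int(port))] = (addr, proc)
    return listeners


def check_device(name, capture, baseline):
    """Compare one device's capture with its baseline.

    unauthorized    - listeners with no baseline entry, reachable from the network
    loopback_only   - listeners with no baseline entry but bound to 127.x (lower
                      exposure, still worth a documented decision)
    missing         - baseline entries not observed (service down or stale capture)
    evidence_sha256 - digest of the raw capture, stored with the results so the
                      raw data behind a finding can later be shown unchanged
    """
    observed = parse_capture(capture)
    unauthorized, loopback_only = [], []
    for key in sorted(set(observed) - baseline):
        addr, proc = observed[key]
        entry = (key[0], key[1], proc)
        (loopback_only if addr.startswith("127.") else unauthorized).append(entry)
    return {
        "device": name,
        "unauthorized": unauthorized,
        "loopback_only": loopback_only,
        "missing": sorted(baseline - set(observed)),
        "evidence_sha256": hashlib.sha256(capture.encode()).hexdigest(),
    }


def run_assessment(captures=RAW_CAPTURE, baselines=BASELINE):
    """Check every captured device; a device with no baseline is itself a finding."""
    results = {}
    for name, capture in captures.items():
        baseline = baselines.get(name)
        if baseline is None:
            results[name] = {"device": name, "error": "no approved baseline"}
            continue
        results[name] = check_device(name, capture, baseline)
    return results


if __name__ == "__main__":
    for result in run_assessment().values():
        print(result)
```

With the constructed data, rtu-01 reports telnet on tcp/23 as unauthorized and hmi-02 reports only a loopback-bound database listener; the digest lets the stored raw capture be tied to the result later.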
CVA Checklist
Review controls for
• Default accounts
• Passwords
• Network management & community strings
Results
• How will the results be stored?
• Where will the results be stored?
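The "review controls" item above lists default accounts, passwords and community strings. The following added example (not from the presentation) shows one way to turn that review into findings the results store can hold: each device record carries its local accounts and its SNMP configuration, and the review flags enabled vendor-default accounts, passwords older than a policy age, default or read-write community strings, and SNMP below version 3. The device records, the account names, the 365-day policy age and the reference date are all constructed assumptions for illustration.

```python
"""Review device records for default accounts, password age and SNMP settings.

Added example, not part of the presentation. It assumes the assessor has
gathered, per device, the local accounts and the SNMP configuration; the
records below are constructed, as are the policy values.
"""
from datetime import date

# Vendor default account names expected to be disabled or renamed after
# commissioning (constructed; a real review uses the vendor documentation).
DEFAULT_ACCOUNTS = {"admin", "root", "guest", "operator"}
# Community strings that should never survive commissioning.
DEFAULT_COMMUNITIES = {"public", "private"}
MAX_PASSWORD_AGE_DAYS = 365  # assumed entity policy, not a figure from the slides

# Constructed inventory. For SNMP v1/v2c "name" is the community string; for
# v3 it is the USM user name.
DEVICES = [
    {
        "device": "rtu-01",
        "accounts": [
            {"name": "admin", "enabled": True, "password_set": date(2012, 1, 15)},
            {"name": "ops_jsmith", "enabled": True, "password_set": date(2014, 3, 2)},
        ],
        "snmp": [
            {"name": "public", "access": "RO", "version": "2c"},
        ],
    },
    {
        "device": "hmi-02",
        "accounts": [
            {"name": "guest", "enabled": False, "password_set": date(2010, 6, 1)},
            {"name": "admin", "enabled": True, "password_set": date(2014, 5, 20)},
        ],
        "snmp": [
            {"name": "site-mon-user", "access": "RO", "version": "3"},
        ],
    },
]


def review_device(record, today):
    """Return (device, finding, detail) tuples for one device record."""
    findings = []
    dev = record["device"]
    for acct in record["accounts"]:
        if not acct["enabled"]:
            continue  # disabled accounts are what the control asks for
        if acct["name"] in DEFAULT_ACCOUNTS:
            findings.append((dev, "default-account-enabled", acct["name"]))
        if (today - acct["password_set"]).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((dev, "password-older-than-policy", acct["name"]))
    for snmp in record["snmp"]:
        if snmp["name"] in DEFAULT_COMMUNITIES:
            findings.append((dev, "default-community-string", snmp["name"]))
        if snmp["access"] == "RW":
            findings.append((dev, "rw-community-string", snmp["name"]))
        if snmp["version"] != "3":
            findings.append((dev, "snmp-without-v3-auth", snmp["version"]))
    return findings


def review_all(devices=DEVICES, today=date(2014, 6, 5)):
    """Review every device; the reference date defaults to the talk's date."""
    return [f for d in devices for f in review_device(d, today)]


if __name__ == "__main__":
    for finding in review_all():
        print(finding)
```

Each finding is a plain tuple so the list can be written straight into whatever results store the entity has chosen, and the same structure can carry the planned fix and its date for the action plan.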
CVA Checklist
Plan to mitigate vulnerabilities
• Who will implement fixes?
• How will the fixes be implemented?
Execution status of action plan
• When will the fixes be implemented?
• Are dates current?
CIP-005 and CIP-007
Assessments cover:
• Process
• Ports and services
• Default accounts
• Passwords
• Community strings
• Results & action plan
Additional Resources
• SANS – Implementing a Successful Security Assessment Process
  o http://www.sans.org/reading-room/whitepapers/basics/implementing-successful-security-assessment-process-450
• NIST – Security Assessment Provider Requirements and Customer Responsibilities
  o http://csrc.nist.gov/publications/drafts/nistir-7328/NISTIR_7328-ipdraft.pdf
• SANS – Security Auditing: A Continuous Process
  o http://www.sans.org/reading-room/whitepapers/auditing/security-auditing-continuous-process-1150
• NIST Special Publication 800-53
  o http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
• SANS – Conducting a Penetration Test on an Organization
  o http://www.sans.org/reading-room/whitepapers/auditing/conducting-penetration-test-organization-67
• SANS – Vulnerability Assessment
  o http://www.sans.org/reading-room/whitepapers/basics/vulnerability-assessment-421
• NIST – Technical Guide to Information Security Testing and Assessment
  o http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
• ISACA – Project: Vendor Security Risk Assessment
  o http://www.isaca.org/Groups/Professional-English/information-secuirty-management/GroupDocuments/Vendor%20Security%20Risk%20Assessment%20report.pdf
• Dark Reading – How To Conduct An Effective IT Security Risk Assessment
  o http://www.darkreading.com/how-to-conduct-an-effective-it-security-risk-assessment/d/d-id/1138995?
Summary
• Importance of assessments
• Many types you can perform
• Why you should go beyond the CVA
• Best practices
• Other resources