10 Things Every Auditor Should Do Before Performing a Security Audit

Transcription

1 10 Things Every Auditor Should Do Before Performing a Security Audit

2 2 Opening Remarks Moderator R. Kinney Poynter Executive Director NASACT Speaker Rick Gamache Senior Consultant BerryDunn

3 Objectives By the end of this webinar, participants will be able to: Understand the complexity of a security audit Consider key factors for security audit preparation Implement necessary steps to prepare for a security audit

4 About Me

5 Security Audits are Hard Highly technical Multiple conflicting standards IT centric vs. business centric Responsible stakeholders are often misaligned Security is personal Almost always met with resistance High turnover Operations vs. Security Rapid evolution of technology and threats You never get a fuzzy feeling!

6 Audits, Assessments, Controls Testing Audit Performance Assessments Vulnerability Scanning Controls Testing Pentesting

7 What makes for a good audit? Understanding what you re auditing System Process Network Defined Boundaries Knowing the data and its handling requirements PCI, HIPAA, PII, etc. Established audit metrics Choose a framework Involving top-level stakeholders

8 #1 Setting the Objective Proving security or Improving Security? Performance vs. Conformance Identify Key Stakeholders Establish communication protocols Owners vs. custodians Know the metric Risk & Remediation? Process improvement? ROI? Agree upon intended outcomes How we get from A to Z Keep discussions narrow Are we ready?

9 #2 Define the standard NIST s Risk Management Framework (RMF) Security and privacy controls for federal systems ISO series Focuses on information security management practices Health Insurance Portability and Accountability Act (HIPAA) Subset of HIPAA Privacy Rules PHI and ephi Payment Card industry Data security Standard (PCI DSS) Increasing controls around cardholder data North American Electric Reliability Corporation (NERC) Addresses patching in NERC CIP Requirement 2 Cybersecurity Capability Maturity Model (C2M2) Maturity of cybersecurity practices

10 #3 Categorize the System Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems Security Objectives Confidentiality Integrity Availability Potential Impact (Organization & Individuals Low Limited adverse effect Moderate Serious adverse effect (significant degradation of capability, damage, or financial loss) High Severe or catastrophic effect

11 #4 Define the Boundary Comprised of four activities : 1. Determine what is protected and why (CIA) Define system type and security requirements 2. Identify the system assets, processes, physical composition Establish physical boundaries 3. Characterize system operation Determine logical boundaries 4. Ascertain what one does and does not have control over Document system interconnections and rationales Debra Herrmann, A practical Guide to Security Engineering and Information Awareness

12 #5 Define the data Who is responsible for the data Where does the data exist How is the data stored Understand how the data is created Understand how the data flows Who has access to the data Who SHOULD have access to the data

13 #6 Policies and Procedures

14 #7 Capturing the audit CSET Tool Multiple standards C2M2 Tool Assessing maturity HIPAA Security Rule Toolkit Standard survey Enterprise survey

15 CSET

16 C2M2 C2M2 Evaluation Toolkit - Version 1.1 March 2014 CYBERSECURITY CAPABILITY MATURITY MODEL (C2M2) EVALUATION TOOLKIT This Evaluation Toolkit enables an organization to evaluate the maturity of its cybersecurity capabilities based on the C2M2 Version 1.1. The toolkit consists of this spreadsheet and a Word report template. The C2M2 can be obtained from or by ing the Department of Energy (DOE) at C2M2@doe.gov. The C2M2 materials are furnished on an as-is basis. The DOE makes no warranties of any kind, either expressed or implied, as to any matter including, but not limited to, results obtained from this toolkit. Worksheet Information About the Organization Risk Management Asset, Change, and Configuration Management Identity and Access Management Threat and Vulnerability Management Situational Awareness Information Sharing and Communications Event and Incident Response, Continuity of Operations Supply Chain and External Dependencies Management Workforce Management Cybersecurity Program Management Generate Reports Link ORG RM ACM IAM TVM SA ISC IR EDM WM CPM REPORTS

17 HIPAA Security Rule Toolkit

18 #8 Automation Windows Security Tools Windows Event Log Analyzer Windows Asset Inventory Viewer Windows Remote Control FTP Brute Force Tester MySQL Brute Force Tester Windows PCI Compliance Check Windows HIPAA Compliance Check Oracle Security Tools Oracle SID Tester Oracle Default Password Tester Oracle TNS Password Tester Oracle Password Auditor Oracle Access Rights Auditor Oracle Brute Force Tester Oracle Event Log Analyzer Oracle PCI Compliance Check Ora HIPAA Compliance Check Oracle Query Browser SQL Security Tools SQL Default Password Tester SQL Server Password Auditor SQL Server Access Right Auditor SQL Server Event Log Analyzer SQL Server Brute Force Tester SQL Server Query Browser SQL PCI Compliance Check SQL HIPAA Compliance Check Cisco Security Tools Cisco Configuration Manager Cisco Type7 Password Decryptor Cisco MD5 Password Auditor Cisco Firewall Password Auditor IP Calculator Cisco SNMP Brute Force Tester Cisco VPN Password Auditor Cisco Switch Port Mapper Cisco Configuration Backup Tool General Security Tools Traceroute Port Scanner SNMP Browser SNMP Scanner Whois DNS Auditor Mac Detector DNS Lookup HTTP Brute Force Tester SSH Brute Force Tester

19 #9 Demonstrate control design Assessment Methods Examine - Review policies and procedures Interview Administrators of Access Controls Test Attempt to guess passwords Depth. Basic examination Random sampling Focused examination Sampling just administrative access Comprehensive Running L0phtcrack against the password database NIST A Rev. 4, Control IA-5 AUTHENTICATOR MANAGEMENT The organization manages information system authenticators by: c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;

20 #10 Applying Risk

21 #11 Prioritizing Remediation

22 Getting help Peer Groups Vendors Consultants Local Associations (ISC2) Online Resources Internal Teams

23 23 Questions and Answers Moderator R. Kinney Poynter Executive Director NASACT Speaker Rick Gamache Senior Consultant BerryDunn