Assessing Current Network Concerns Lesson 5


CERT/CC Stats

(Three slides of CERT/CC statistics charts; the figures are not reproduced in this text.)


The Assessment

Two important elements you will need to determine in order to produce a valuable assessment:

Determine the value of the information and resources that are to be protected
Determine the threats that may exist which jeopardize the confidentiality, integrity, or availability of the information and resources


Asset Valuation

Can be qualitative or quantitative

Business Impact Assessment/Analysis (BIA): used to determine what is important enough for inclusion in a BCP/DRP (check whether the organization has already completed one). It assesses how the unavailability of each system or process would affect the organization.

Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP): the aim is to protect the operations of the organization, not just its computing systems. The organization may (and should) have done a BIA as part of one of these; if so, you can use its results to save time.


Goals of a BIA

Identification of the processes that are critical to the profitability and continued viability of the organization
Quantification of the financial and operational impact of an outage over time
A determination of the recovery priority, recovery time, and recovery point for each application that supports a critical business process

For our purposes we want to use the BIA to help us determine what needs to be protected and how valuable these assets are.


Asset Valuation

So, either using the BIA or the BIA process, we should know:

What the essential processes are for the organization
What each process consists of and requires (in terms of information and resources)
What the value of these processes is (or, more appropriately, what the impact on the organization would be should they be lost)

Knowing what the assets are can help us better determine what the threat might be to the organization.

May also be used later when we start evaluating acceptable residual risks.


Threats to the systems

“To control the risks of operating an information system, managers and users must know the vulnerabilities of the system and the threats that might exploit them.”

“Knowledge of the threat environment allows management to implement the most cost-effective security measures.”

“In some cases, managers may find it most cost-effective to simply tolerate the expected loss.”


Types of Threats

Computer Viruses
Computer Hackers
Denial of Service Attacks
E-Mail Mistakes
    Abuse of email can become public, affecting the image of the organization
Disgruntled Employees
Industrial Spying

Which one of these is most likely to occur? Which will have the greatest impact? Which will be the hardest to protect against?


Prioritizing Risks and Threats

According to the text:“Once the possible threats have been identified, it is necessary to prioritize those risks so that the NVA can focus on those of highest concern. To accomplish this task as quickly as possible, it is necessary to assemble a team of interested employees. This team will determine the probability that the identified risk might occur and what its impact would be if it did occur.”

What’s the chance that a “team of interested employees” will be able to “determine the probability that the identified risk might occur and what its impact would be if it did occur”?

Hence the reason to obtain the BIA, if one is available: it already documents impact, and the people who produced it are the ones to ask about likelihood.


Prioritizing Risks and Threats

To simplify things a bit, try these definitions:

Impact: a measure of the magnitude of loss or harm to the value of an asset

Low impact: the business objective or mission of the enterprise is not significantly affected
Medium impact: the event is limited to a business objective, or a single business unit is affected
High impact: the entire business or mission of the enterprise is affected

Probability: the chance that an event will occur, or that a specific loss value will be incurred should the event occur

Low probability: highly unlikely that the risk will occur during the next year
Medium probability: possible that the risk will occur during the next year
High probability: very likely that the risk will occur within the next year

(don’t like the term “risk” being used in the above)


What to look at

The text discusses how to prioritize what to look at during the assessment. Each threat is placed in a cell of a probability/impact matrix, and the cell number is its level:

                       Impact
                 Low   Medium   High
Prob.   Low       1      4       7
        Medium    2      5       8
        High      3      6       9

Concentrate first on items of level 6 or higher. If time permits, continue with level 5, then level 4.

Note that the numbering runs down the impact columns, so impact dominates probability: a high-impact item scores at least 7 even when its probability is low, while a high-probability, low-impact item scores only 3.

Impact is one thing; how do you (or the team) determine the probability of an event occurring?
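The ranking procedure above, as an added example (this code is not from the lesson or its textbook): the matrix cells are encoded directly, a small threat register built from the threat types listed earlier in the lesson is scored, and the register is split into the passes the slide describes (level 6 and up, then 5, then 4). The probability and impact ratings given to each threat are assumptions for illustration, not findings from any assessment.

```python
"""Rank threats with the 3x3 probability/impact matrix from the lesson."""
from dataclasses import dataclass

LEVELS = {"low": 0, "medium": 1, "high": 2}

# Priority cells exactly as in the lesson's matrix: rows = probability, cols = impact.
#              Impact:  Low  Medium  High
# Prob. Low              1     4      7
#       Medium           2     5      8
#       High             3     6      9
MATRIX = [
    [1, 4, 7],
    [2, 5, 8],
    [3, 6, 9],
]


def priority(probability: str, impact: str) -> int:
    """Return the 1..9 matrix cell for a (probability, impact) pair.
    Raises KeyError for a level outside low/medium/high."""
    return MATRIX[LEVELS[probability.lower()]][LEVELS[impact.lower()]]


@dataclass(frozen=True)
class Threat:
    name: str
    probability: str
    impact: str

    @property
    def level(self) -> int:
        return priority(self.probability, self.impact)


def prioritize(threats, first_pass=6, second_pass=5, third_pass=4):
    """Split a register into the lesson's passes: level >= 6 first, then 5,
    then 4; anything lower is deferred. Within a pass, higher cells come
    first and ties keep their input order (sorted() is stable)."""
    passes = {"first": [], "second": [], "third": [], "deferred": []}
    for t in sorted(threats, key=lambda t: -t.level):
        if t.level >= first_pass:
            passes["first"].append(t)
        elif t.level == second_pass:
            passes["second"].append(t)
        elif t.level == third_pass:
            passes["third"].append(t)
        else:
            passes["deferred"].append(t)
    return passes


# Constructed sample register using the threat types from the "Types of Threats"
# slide. The ratings are illustrative assumptions, not real assessment results.
SAMPLE_REGISTER = [
    Threat("Computer viruses", "high", "medium"),      # cell 6
    Threat("Computer hackers", "medium", "high"),      # cell 8
    Threat("Denial of service", "medium", "medium"),   # cell 5
    Threat("E-mail mistakes", "high", "low"),          # cell 3
    Threat("Disgruntled employees", "low", "high"),    # cell 7
    Threat("Industrial spying", "low", "medium"),      # cell 4
]


def first_pass_names(threats=SAMPLE_REGISTER):
    """Names of the threats the team should look at first, highest cell first."""
    return [t.name for t in prioritize(threats)["first"]]


if __name__ == "__main__":
    for pass_name, items in prioritize(SAMPLE_REGISTER).items():
        print(pass_name, [(t.name, t.level) for t in items])
```

Running it shows the matrix's bias in practice: the low-probability "disgruntled employees" entry (cell 7) lands in the first pass ahead of the high-probability "computer viruses" entry (cell 6), and the high-probability "e-mail mistakes" entry (cell 3) is deferred. If the team thinks likelihood should count for more, the cell values, not the code, are what need to change.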


Checklists

Lots of checklists are available, and they can prove very useful. Do not rely solely on checklists; use them as a guide or a starting point. Three are included as appendices in the text:

ISO 17799 Self Assessment Questionnaire: lots of good information covering a variety of areas. Look at it and adapt it to the specific environment. (ISO 17799 has since been renumbered ISO/IEC 27002.)

Network Vulnerability Assessment Checklist: again, some good, useful information. Look at it and adapt it.

Windows Server Checklists/Security Guides: focused checklists such as this are often very useful and can contain very valuable data. This one is a bit light; others are available online (check NIST's National Checklist Program).


Problems with checklists

What do you do with the results?
Great, so I have 20 Y's, 32 N's, and 4 N/A's; now what?
Does this mean that I'm in good shape, bad shape, or somewhere in between?

Are all questions of equal importance?
Do you need to add some sort of weighting system to help identify the most critical?

Checklists might overlook key components of your security plan and may also include unimportant aspects. Checklists need to be tailored.
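One answer to the "now what?" question above, as an added example that is not part of the lesson or its textbook: weight each checklist item, score only the items that apply (N/A drops out of the denominator instead of counting as a pass), and flag any "N" on a critical item regardless of the overall percentage. The questions, weights and answers below are a constructed sample in the style of the text's appendix checklists, not items taken from them.

```python
"""Score a Y/N/N/A checklist with weights instead of just counting answers."""
from collections import Counter

# Constructed sample checklist. Weights are an assumed scale:
# 1 = minor, 3 = important, 5 = critical. Not taken from the text's appendices.
CHECKLIST = [
    # (question, weight, answer)
    ("Is a current network diagram maintained?",                       1, "Y"),
    ("Are default vendor passwords changed on all network devices?",   5, "N"),
    ("Is remote administrative access restricted to encrypted paths?", 5, "Y"),
    ("Are security patches applied within a documented timeframe?",    3, "N"),
    ("Is antivirus software installed and updated on all desktops?",   3, "Y"),
    ("Are modem lines inventoried and controlled?",                    1, "N/A"),
    ("Is there a written incident response procedure?",                3, "N"),
    ("Are audit logs reviewed on a regular schedule?",                 3, "Y"),
]

CRITICAL_WEIGHT = 5  # an "N" at this weight is a finding no matter what the score says


def raw_counts(items):
    """The plain Y/N/N/A tally that the slide points out tells you very little."""
    return Counter(answer for _, _, answer in items)


def weighted_score(items):
    """Return (score_pct, critical_gaps).

    score_pct is earned weight over applicable weight, rounded to one decimal.
    N/A items are excluded from the denominator rather than treated as passes,
    so an environment with no modem lines is not rewarded for that question.
    critical_gaps lists every "N" on an item weighted CRITICAL_WEIGHT or more.
    """
    earned = possible = 0
    gaps = []
    for question, weight, answer in items:
        if answer == "N/A":
            continue
        possible += weight
        if answer == "Y":
            earned += weight
        elif weight >= CRITICAL_WEIGHT:
            gaps.append(question)
    pct = 100.0 * earned / possible if possible else 0.0
    return round(pct, 1), gaps


def ranked_gaps(items):
    """All "N" answers as (weight, question), heaviest first, ties in input order.
    This is the list the team works from; the percentage is for the summary."""
    return sorted(((w, q) for q, w, a in items if a == "N"), key=lambda t: -t[0])


if __name__ == "__main__":
    print("raw tally:", dict(raw_counts(CHECKLIST)))
    score, critical = weighted_score(CHECKLIST)
    print(f"weighted score: {score}%  critical gaps: {critical}")
    for weight, question in ranked_gaps(CHECKLIST):
        print(f"  [{weight}] {question}")
```

The raw tally here is 4 Y / 3 N / 1 N/A, which sounds like "about half". The weighted view says 52.2% and, more usefully, that one critical control (default device passwords) is missing. Assigning the weights is itself a judgment call about what matters to the organization, which is another place the BIA results come in.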


Composition of the Assessment Team

So, who should be part of an assessment team? You need to cover all of the areas of concern:

Information protection
Operations
Telecommunications
Systems support
Network management
Desktop deployment
Account administration
Auditing
Physical security

Ideally, you'd have an "expert" in each of these areas. In practice, you may not have that many people to draw on, so a subject matter expert (SME) you can ask questions of may be all you can hope for.


Assessment Timeline

How long should an assessment take?

The book mentions that one can take as long as 12 weeks. In reality the answer is "it depends": an assessment can take considerably longer than 12 weeks or be as short as a few weeks, depending on scope (especially size).

In establishing the timeline, pay attention to:

Activities that must be accomplished before others
Activities that you can conduct in parallel
Allowing sufficient time to write and review the final report

Consider a preliminary "outbrief" for the organization upon completion of the assessment, followed by the official report at a later date.


Timeline for class assessments

For us, the timeline is driven by the academic calendar: a bit artificial, but a constraint we must live with.

Final report to be presented during finals week
External assessment to be performed before internal. Why?
Internal assessment and review of policies etc. can be done concurrently
Need approximately two weeks for each part
Public presence review, if requested, can be done quickly and should be accomplished before the external assessment begins

How will you use Spring Break?


Summary

What is the importance and significance of this material?

How does this topic fit into the subject of “Security Risk Analysis”?