Feb 16 2010

Security risk assessment process and countermeasures

Category: Security Risk AssessmentDISC @ 4:01 pm

The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments

The following are the common steps that should be taken to perform a security risk assessment. These are just basic common steps which should not be followed as is but modified based on organization assessment scope and business requirements.

• Identify the business needs of the assessment and align your requirements with business needs.
• Assess the existing security policies, standards, guidelines and procedures for adequacy and completeness.
• Review and analyze the existing assets threats and vulnerabilities
• Analyze the impacts and likelihood of threats and vulnerabilities on assets
• Assess physical controls to network and security infrastructure
• Assess the procedural configuration review of network and security infrastructure based on existing policies and procedures
• Review logical access and physical access and other authentication mechanism
• Review the level of security awareness based on current policies and procedures
• Review the security controls in service level agreement from vendors and contractors
• At the end of review develop a practical recommendations to address the identified gaps in security controls

To address the existing gaps in infrastructure we have to select the appropriate countermeasures to address the vulnerability or thwart a threat of attack. Four types of techniques are used by countermeasures:

Deterrent controls reduce the likelihood of an attack. Blocking phishing sites at ISP is an example of deterrent control
Preventive controls reduce exposure. Firewall is an example of preventive control
Corrective controls reduce the impact of successful attacks. Antivirus is an example of corrective control
Detective controls discover attacks and trigger preventive or corrective controls. IDSs and SIEM systems are example of detective control.

Tags: authentication, countermeasure, Firewall, phishing, Risk Assessment, security controls, Security policy, security review, Security Risk Assessment, security risk assessment process

Sep 01 2009

Audit of security control and scoping

Category: Risk Assessment,Security ComplianceDISC @ 3:53 pm


Information Technology Control and Audit

The audit is utilized as a tool to check compliance control based on standards such as ISO 27002 or NIST 800-53 etc. Some other terms which are not sometime rigorous audit have been used to asses controls are gap analysis, benchmarking and control review.

Scoping sets the boundaries of the audit, where dependencies are marked and exclusions are sorted out.

The consultant/team lead that has a thorough understanding of security risk management ought to carry out these reviews. The quality of the work depends on correct scoping, fieldwork assignment, and appropriately reporting the findings to management.

Team lead should have a clear understanding of audit scope before the initial briefing to client. Basically what exactly the client wants and who are the target audiences in the final report and presentation. Clear understanding of the scope includes making sure that the whole organization is included in the audit or just part of it. Before starting an audit, the auditor should have a complete list of assets included in the scope. Sort the assets list into different group of infrastructure which could be handed over to technical consultant for validation of the controls. At this point team lead should point out to technical consultant, the minimum number of assets which are required to be validated to satisfy sampling requirement.

Scope of final report/presentation should be clear regarding the list of non-compliance, prioritized recommendation or action plans which needs to be included in the report. During presentation of the findings, and to keep C level folks interested in the presentation, presenter needs to relate the findings to business risk and avoid using security acronym.

Scoping will take into account the length of the time available for field work, analysis, reporting and size and competence of the team to perform a successful audit. Especially if limited time is available for field work, the competence of the team matter to cover various infrastructure, to validate and document the controls effectively.

Tags: assessment profile, assessment scope, iso 27002, NIST 800-53, security audit, security control, security review, Security Risk Assessment

Aug 21 2008

Access control fraud and countermeasures

Category: Access ControlDISC @ 1:22 am

These days access to the internet is a business requirement. Most businesses are selling their products and services on the internet which sometimes requires customers to have access to the critical assets such as applications and databases. The global growth of the internet has increased complexity and potential risks to these assets. In some cases, one potential breach may put the organization’s very existence at risk.  French bank Société Générale made a frightening announcement in Jan. 2008 that it has uncovered a $7.14 billion US fraud — one of history’s biggest.  A trader at the futures desk misled investors in 2007 and 2008 through a “scheme of elaborate fictitious transactions.”

In a security review, the reviewer will first determine the criticality of an asset and focus on how that asset is accessed by employees, the risks that unauthorized access by insiders or outsiders could pose to the organization, and if access control has sufficient countermeasures in place to mitigate those risks.  In other words, the security review will determine the risk level of access control to a particular asset and what appropriate control should be in place based on level of risk. At the same time, the business’s first priority is to make information available with effective access control in place. Based on criticality, assets subject to security review present different level of risk associated with access control. In other words, “not all data breaches are created equal.”

Authorization control is utilized to determine access to network resources. Authentication will determine the identity of the user. Authentication verifies that the login belongs to a user who is attempting to gain access to the system which can be obtained through PKI, smart cards, USB devices, tokens and biometrics.  Accounting keeps the records of user activity including what was used, when and for how long. Most of the application and operating systems have strong auditing features in place to track the activities of a user. Accounting records can be very useful for forensic evidence in case of a security breach. Authenticity covers validity of the information, if someone misrepresents your information by claiming that it is his or hers. Authenticity addresses all forms of information misrepresentation and authenticity of the system users.

In system profiling, the reviewer determines the criticality of access control and the risk posed to an organization where the risk is directly proportional to the criticality of an asset. Higher risk will require stronger controls or perhaps multiple controls. Security review should determine that controls in place are sufficient to avoid unauthorized access and non-repudiation of information and people. In many ways a password is the weakest link in the access control of a network defense. The best passwords are at least 60 random characters, letters, numbers, and punctuation which can be stored on a portable flash drive flash drive, to be retrieved when needed. All the passwords for the critical infrastructure should have these password characteristics. One weak password in the critical infrastructure can become a launching pad to access other resources in the network.

Security tools can be used to collect user permissions in a spreadsheet, which can be utilized to analyze the effectiveness of authentication, authorization, accounting, and authenticity. This analysis will determine if users have appropriate access based on need, role and security policy of the organization. Non-repudiation is the cornerstone of access control which assures the validity of a transaction and user. Regular monitoring and non-repudiation of users in all facets of access control might be necessary to mitigate the identity fraud associated with high profile assets. Compliance only addresses the bare minimum required to comply with a control but to measure the strength of a control in high profile assets, a security reviewer should use due care to regularly evaluate the effectiveness of access control at all levels. It might not be an example of due diligence when some regulations fail to require data encryption.

Security Threats

Rogue Trader Crushes Bank Societe Generale


(Free Two-Day Shipping from Amazon Prime). Great books

Tags: accounting, authentication, authenticity, authorization, bast passwords, countermeasure, data encryption, due diligence, fraud, higher risk, identity fraud, mitigate, non-repudiation, potential risks, security review, security tools, societe general, unauthorized access