Karen Scarfone Scarfone Cybersecurity
Agenda
Assessment
Why do assessment?
Risk Management Framework
Assessment methodology phases
Technical assessment techniques
Why do assessment?
Help confirm that systems are properly secured
Identify any organizational security requirements that are not met, and other security weaknesses that should be addressed
Meet requirements to periodically assess systems
Not intended to take the place of implementing security controls and maintaining system security
Risk Management Framework
From NIST SP 800-37
[Figure: the Security Life Cycle, six steps arranged in a ring]
Starting Point: CATEGORIZE Information System
Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.
SELECT Security Controls
Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
IMPLEMENT Security Controls
Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.
ASSESS Security Controls
Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system).
AUTHORIZE Information System
Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
MONITOR Security Controls
Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
Assessment methodology phases
Planning: Gather information needed for assessment execution and develop the assessment approach
Should treat an assessment as any other project
Execution: Identify vulnerabilities and validate them when appropriate
Post-Execution: Analyze identified vulnerabilities to determine root causes, establish mitigation recommendations, and develop a final report
Several accepted methodologies for conducting different types of security assessments
Technical assessment techniques
Review Techniques
Examination techniques, generally conducted manually
Evaluate systems, applications, networks, policies, and procedures to discover vulnerabilities
Techniques include
Documentation review
Log review
Ruleset and system configuration review
Network sniffing
File integrity checking
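As an added example of the file integrity checking technique listed above (not code from the slides or from NIST SP 800-115), the script below baselines a directory tree with SHA-256 digests and, on a later pass, reports files that were added, removed or modified. The directory contents, file names and the "tampering" between passes are all constructed inside the script so it runs offline; the file names are illustrative, not real system paths.

```python
"""File integrity checking: baseline a directory tree with SHA-256 and
detect added, removed and modified files on a later pass."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Return the SHA-256 hex digest of a file, streamed in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest.
    Symlinks are skipped so a link cannot stand in for the file it points at."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare_baselines(old: dict, new: dict) -> dict:
    """Diff two baselines; returns sorted lists of added/removed/modified paths."""
    old_keys, new_keys = set(old), set(new)
    modified = [p for p in old_keys & new_keys if old[p] != new[p]]
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(modified),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then change it between passes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"constructed sample binary\n")

        before = build_baseline(root)

        # Constructed changes between the two assessment passes
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # modified
        (root / "etc" / "hosts").unlink()                                   # removed
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "unexpected").write_text("# not in baseline\n")  # added

        after = build_baseline(root)
        return compare_baselines(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline would be stored outside the assessed system (or signed) so that a change to the host cannot also alter the record it is compared against; the comparison itself is the same.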
Technical assessment techniques (cont.)
Target Identification and Analysis Techniques
Testing techniques, generally performed using automated tools
Identify systems, ports, services, and potential vulnerabilities
Techniques include
Network discovery
Network port and service identification
Vulnerability scanning
Wireless scanning
Application security examination
Technical assessment techniques (cont.)
Target Vulnerability Validation Techniques
Testing techniques that corroborate the existence of vulnerabilities
May be performed manually or with automated tools
Techniques include
Password cracking
Penetration testing
Social engineering
Application security testing
Combinations of techniques
No one technique can provide a complete picture of the security of a system or network
Organizations should combine appropriate techniques
One technique often relies on others
Multiple ways exist to meet an assessment requirement, such as determining whether patches have been applied properly
Organizations have the flexibility to choose the techniques that best meet their requirements
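The slide's own example of an assessment requirement, determining whether patches have been applied properly, can be met by a system configuration review rather than by scanning. The script below is an added example (not from the slides or from NIST): it parses a constructed inventory of installed packages, compares each against a constructed minimum-version baseline, and reports packages that are missing or below the required level. Package names, versions and the baseline are all made up for illustration, and the version comparison is deliberately simplified (numeric components only), not a full distribution-specific version algorithm.

```python
"""Patch-status verification via configuration review: compare installed
package versions against required minimum versions."""
import re
from typing import Dict, List, Tuple

# Constructed sample inventory ("name version" per line), of the kind an
# assessor collects from a package manager during a configuration review.
INVENTORY = """\
openssl 3.0.2-0ubuntu1.10
openssh-server 1:8.9p1-3ubuntu0.1
sudo 1.9.9-1ubuntu2.2
curl 7.81.0-1ubuntu1.4
"""

# Constructed baseline: hypothetical minimum versions the organization requires.
REQUIRED_MINIMUM = {
    "openssl": "3.0.2-0ubuntu1.12",
    "openssh-server": "1:8.9p1-3ubuntu0.1",
    "sudo": "1.9.9-1ubuntu2.4",
    "bash": "5.1-6ubuntu1",  # required but absent from the inventory
}


def version_key(version: str) -> Tuple[int, ...]:
    """Reduce a version string to a tuple of its integer components.
    Simplified comparison: epoch, upstream and packaging parts are all
    treated as a flat sequence, e.g. '1:8.9p1-3ubuntu0.1' -> (1, 8, 9, 1, 3, 0, 1)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def parse_inventory(text: str) -> Dict[str, str]:
    """Parse 'name version' lines; blank lines and '#' comments are ignored."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition(" ")
        installed[name] = version.strip()
    return installed


def check_patch_status(installed: Dict[str, str],
                       required: Dict[str, str]) -> List[dict]:
    """One finding per required package: 'ok', 'outdated' or 'missing'."""
    findings = []
    for name, minimum in sorted(required.items()):
        current = installed.get(name)
        if current is None:
            status = "missing"
        elif version_key(current) < version_key(minimum):
            status = "outdated"
        else:
            status = "ok"
        findings.append({"package": name, "installed": current,
                         "required": minimum, "status": status})
    return findings


def status_summary(text: str, required: Dict[str, str]) -> Dict[str, str]:
    """Convenience wrapper: package name -> status for the given inventory text."""
    return {f["package"]: f["status"]
            for f in check_patch_status(parse_inventory(text), required)}


if __name__ == "__main__":
    for finding in check_patch_status(parse_inventory(INVENTORY), REQUIRED_MINIMUM):
        print(f"{finding['package']:15} {finding['status']:9} "
              f"installed={finding['installed']} required={finding['required']}")
```

A finding of "outdated" here is a candidate, not a confirmed vulnerability: the slides' point about combining techniques applies, and a vulnerability scan or validation test would be used to corroborate it before it goes into the report.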
Questions?
karen@scarfonecybersecurity.com
Introduction to Information Security Testing and Assessment
Motive: ideology
Primary intent: damage/destroy
Sponsorship: unofficial
Preferred general target characteristics: entities or people who clearly represent a conflicting ideology
Preferred specific target characteristics: high profile, high visibility
Preferred targets: human, infrastructure (buildings, communications, power, etc.)
Capability: varies by attack vector (technological: moderate)
Personal risk tolerance: high
Concern for collateral damage: low
There are four primary components of our risk taxonomy that we want to
identify threat agent characteristics for, those characteristics that affect:
■ The frequency with which threat agents come into contact with our
organizations or assets
■ The probability that threat agents will act against our organizations or
assets
■ The probability of threat agent actions being successful in overcoming
protective controls
■ The probable nature (type and severity) of impact to our assets
It’s important for us to understand the factors that drive these differentiating
characteristics in order to effectively assess the probability of being subject to
attack and, if subjected to attack, the likely nature, objective, and outcome of
the attack. We’ll examine these factors a bit more as we go along.
http://cve.mitre.org/
[Figure: risk rating matrix. Rows are vulnerability levels; the three columns are the levels of the other axis, whose label was not recovered. Each cell gives a rating letter, with the cell colour where it was recovered.]
Vulnerability High:   C        B         A
Vulnerability Medium: C Green  B Yellow  B Yellow
Vulnerability Low:    D Blue   C Green   C Green
[Flowchart: component metrics feed a verification test; the test reports results; an "OK?" decision follows, where Y leads to success and N leads to a development/acquisition improvement process that loops back to the test.]