Monday, July 6, 2015

Methodically Evaluating Your Security Situation

Security is as much an art as it is a science. While we can teach the science side of security by emphasizing the need to methodically approach security, the art side can only be developed through practice and careful creativity. Part of my students' semester projects is to address the security needs of an organization. I cannot emphasize enough that security is a design decision, not a product to be applied after the network is assembled. Designing a network with security in mind is different because it impacts the protocols, devices, and other network components we choose. For example, if we want to segment the network at layer 2, we need to make sure the switch we recommend supports VLANs. Likewise, if we are trying to segment the network design at layer 3, we will require additional routers to link the various segments. Security is a process, not hardware and software. Security truly is job security because it is a never ending battle to protect systems from obsolescence, natural disasters, human ineptitude, malicious attacks, etc. As a result, I tell them that they need to take a methodical and logical approach to addressing the security of an organization as it relates to their network and computer systems. Failure to do so will result in a hodge-podge of countermeasures that likely reflect the bias of the designer and fail to provide comprehensive protection to the system.

The first thing I would recommend is familiarizing yourself with Microsoft's Security Assessment Tool 4.0. When you first launch it, you will encounter the screen below.


Click the yellow 'Start' button in the bottom right corner and start answering a few basic questions about your organization. These tend to be relatively high level questions that do not require a computer science degree to answer. For example, insert a name under 'Company Name'. How many employees does your company have? Etc. As you answer each question, scroll down to the bottom and select 'Next' in the bottom right corner of the screen to advance to the next page. This step is just creating a profile of your organization.


Once you reach the end of the questions, click the yellow 'Create New Assessment' half way down on the left hand side of the screen. This will present you with the following dialog box. Select 'New' and name your assessment.


I named mind 'Semester Project: Security Assessment'. Then click 'OK'.


Now, you need to start assessing the security posture of the organization. You will be guided through a series of questions that help you to determine the state of your infrastructure, application, operations, and people security.


Answer each of the questions, scrolling down and then click 'Next' in the bottom right to advance to the next page. Depending on your specific answers, some sub-questions may or may not need to be addressed. Those that do not need to be addressed will be grayed out. Once you get to the final screen and have finished answering the questions, a 'Reports' button will appear at the bottom of the navigation bar on the left.


Click on that and you will be presented with the 'Summary Report' Which can be seen below. Additionally, you have two additional tabs which can prove useful. The second tab includes and option to save the report as a DOCX file or as an image file. Alternatively, you can print the report if you wish (HINT: You could potentially print it as a PDF).



The reports has LOTS of useful information but there are a few things that are particularly important for our purposes. For example, below is an example of the Risk-Defense Distribution figure that can be helpful in informing you where you should be concentrating your use of countermeasures.


What I like about this tool is that it gives you categories of assets that you need to protect such as infrastructure, applications, operations, and people which you can use to classify your assets and it shows the areas where you need to consider implementing appropriate countermeasures to protect against, the threats identified from the tool and as can be seen below, prioritizes your need for appropriate countermeasures.


Once you have identified the areas of risk, this should inform you as to the areas where you need to more thoroughly refine your countermeasures. For example, the figure above indicates that operations and infrastructure are at greater risk and the defense in depth is lowest for applications. The countermeasures that we propose should probably tend to focus in these areas so that we can lower our risk and increase our defenses. To look at this from a "hacker's" perspective, I might want to attack this organization's applications since it is their weakest area of defense.

The result is the implementation of various countermeasures that are targeted to help shore up areas where your organization scores more poorly on. Is this the only approach? Of course not. There are lots of approaches. In general, some of the very early approaches to security were simple checklists. This was nice because it was intuitive and easy to develop but lacked any sort of customization for organizations in various industries and of various sizes. Using this approach, one might list assets down the rows and various threats across the columns. Using a numbered list below for various countermeasures, one could populate various cells as appropriate.

Schuessler, J. (2013). Contemporary Threats and Countermeasures: A Security Evaluation. Journal of Information Privacy and Security, 9(2), 20. jips.utep.edu

Personally, I like this approach as it is very intuitive and easy to follow along. But, this approach can be improved. Some of these assets are more important that others. Some threats are more likely to occur than others. Some threats, if realized, can be more catastrophic that others. Using some additional columns, rows, and/or color, you could make the table more valuable by estimating the degree of threat, likelihood of occurrence, degree of protection. In the sample Google Sheet linked above, I have added some additional columns to incorporate the BRP and DiDI scores to calculate the risk associated with each type of asset scored by the MS Security Assessment Tool. For example, the BRP for Infrastructure was 13%. For Applications, it was 11%, and so on. Similarly, the DiDI score for Infrastructure was 25%, for Applications was 47%, etc. By multiplying the respective numbers, you can determine the risk for each category. Finally, you are able to calculate the risk for each type of asset within each category. I simply weighted each asset, making sure all assets within a category totaled the overall category weight. This shows which assets need to be focused employing various countermeasures.

Impact (BRP Score in Percent)Liklihood (1-DiDI Score in Percent)Risk (Impact x Liklihood - Higher Values Represent More Risk Requiring More Attention)
Infrastructure13.00%25.00%3.25%
Routers4.00%4.00%0.16%
Switches1.00%10.00%0.10%
Servers4.00%6.00%0.24%
Media4.00%5.00%0.20%
Applications11.00%47.00%5.17%
Operating Systems1.00%10.00%0.10%
Front Office Applications1.00%10.00%0.10%
Back Office Applications1.00%10.00%0.10%
Data8.00%17.00%1.36%
Operations13.00%16.00%2.08%
Environment5.00%4.00%0.20%
Security Policy2.00%4.00%0.08%
Patch & Update Management5.00%4.00%0.20%
Backup & Recovery1.00%4.00%0.04%
People7.00%5.00%0.35%
Administrators4.00%3.00%0.12%
Internal Users2.00%1.00%0.02%
External Users1.00%1.00%0.01%

Still other valuable yet still somewhat intuitive approaches include something similar to use cases for various threats/assets as discussed in FitzGerald, Dennis, and Durcikova (2015). This is again a great approach and more comprehensive than the approach discussed above. However, this approach can also be quite tedious as a separate use-case needs to be completed for each asset.

The point is not to inundate you with different approaches but rather, to emphasize the need to take a methodical approach to identifying threats and appropriate countermeasures. We live in a world where resources are limited. If that is the case, we have to make sure that we are getting the most bang for our buck in security.

No comments:

Post a Comment