Jackson County Audit


Transcript of Jackson County Audit

Page 1: Jackson County Audit

Security Audit at Jackson County

Stan Liss - Information Security Consultant

OACDP Summer Conference 2002

Marc Christensen – Director of Information Technology

Page 2: Jackson County Audit

Housekeeping Issues

• Duration: 75 minutes +/-

• Questions/Comments: Early & Often

Page 3: Jackson County Audit

Background

• Risk of losses from security breaches is increasing

• County Government faces increased risk
– E-government
– Sensitive information
– HIPAA

Page 4: Jackson County Audit

• unwanted disruption or denial of service

• the unauthorized use of a system for the processing or storage of data

• changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent

• attempts (either failed or successful) to gain unauthorized access to a system or its data

Page 5: Jackson County Audit

Computer Security Institute/FBI Survey for 2001

• “…the threat from computer crime and other information security breaches continues unabated and…the financial toll is mounting.”

• 538 organizations surveyed; 85% suffered breaches

• 64% suffered financial losses; the 35% willing to disclose an amount reported $377,828,700 in total.

Page 6: Jackson County Audit

Report: U.S. Businesses Skimp on Cyberattack Protections

• “…cybersecurity (typically observed) today is far worse than what best practices can provide.”

• “…shortchanging security could be catastrophic for companies…”

National Academy of Sciences, Computer Science and Telecommunications Board – January 2002.

Page 7: Jackson County Audit

Background

• Jackson County desired a baseline assessment

• Outsourced services vs. in-house
– Objectivity
– Skill set
– Time constraints

Page 8: Jackson County Audit

RFP Overview

• Provide sufficient information for bidders to define a tangible scope of work
– Scope
– Goal

• Prioritize the specific aspects of audit work you wish to focus bidders’ attention toward
– Audit Objectives

Page 9: Jackson County Audit

RFP - Audit Objectives

• Try to make these as specific as practicable

• Determine the standard to follow, and specify that the auditor must assess to that standard. Examples:
– National Institute of Standards and Technology (NIST) Security Self-Assessment Guide
– ISO 17799 International Security Standard

Page 10: Jackson County Audit

RFP – Due Diligence

• Mandatory Items of Proposal
– Allows selection committees to “separate the wheat from the chaff”
– Consider pre-requisites, for example:
• No less than X years performing this kind of service
• CISSP certification
• No less than X audits performed in the last 12 months

Page 11: Jackson County Audit

Evaluation and Selection

• The goal – compare “apples with apples”
– The guidelines of the RFP will largely determine the ease (objectivity) of selecting the successful bidder

Page 12: Jackson County Audit

The Audit

• First, let’s look at an overview of what Information Security Audits should address…

Page 13: Jackson County Audit

Security vs. Privacy

• Different issues

• “…think of privacy as the use of data by someone you gave it to, and security as the theft of the data…by the unknown third party.”

Fred H. Cate, professor of law, Indiana University

Page 14: Jackson County Audit

Important Security Definitions

• Confidentiality, Integrity, Availability (CIA) – the three security properties of your data/information; a breach compromises one or more of them (data disclosed, data altered, or data made unavailable)

Page 15: Jackson County Audit

Important Security Definitions

• Denial of Service (DoS) – typically a flood of packet traffic that clogs the network or exhausts a server’s resources, rendering some or all services inaccessible; an attack on a software weakness can have the same effect with very little traffic

Page 16: Jackson County Audit

Important Security Definitions

• Owned / “to be owned” – total loss of administrative rights to a given system, often a web server or email server (the attacker has obtained “root”, i.e. full administrative control)

Page 17: Jackson County Audit

Impact

• Losing CIA or Being Owned
– Down-time
– Embarrassment, loss of constituency confidence
– Potential legal liability if your servers are used in a distributed attack or your negligence causes a CIA loss for a constituent or another business

Page 18: Jackson County Audit

Distributed Denial of Service – Legal Risks

• “…experts say it’s only a matter of time before juries have to decide whether companies that are victims of a security breach can be held liable for having inadequate security.”

“See You in Court,” Sarah D. Scalet, CIO Magazine November 1, 2001

Page 19: Jackson County Audit

General Threats – Major Types of Attacks

• Disaster
– Physical damage (fire/flood/earthquake, etc.)

• Cracking (Criminal Hacking)
– Breaking into a system through direct electronic attack, or breaking the copyright protections on Intellectual Property.

• Spoofing
– Altering the content or apparent origin of information, such as faking an email origin or altering a web site.

• Snooping
– Intercepting information through physical or electronic methods without the knowledge of the recipient or the sender.

Page 20: Jackson County Audit

General Threats – Major Types of Attacks

• Denial of Service
– Preventing your systems from functioning by exploiting a weakness or through a simple traffic volume attack.

• Malicious Software
– Viruses, hostile applets, web bugs, Trojan horses, unsecured remote control.
– Increasing in danger as people increase their methods of interaction.

• Social Engineering
– Involves the manipulation of people, rather than computers, to reveal confidential information.

Page 21: Jackson County Audit

How we conducted the audit

• Pre-launch meeting
• Information Security Policy review
• Remote Testing
• Social Engineering
• Physical Security
• Internal Security
• Compile results
• Formal Presentation

Page 23: Jackson County Audit

For each element assessed

• Vulnerabilities found

• Assigned to a risk category
– Acceptable risk
– Risk to be managed or controlled
– Risk to be eliminated

• Recommended remediation

Page 24: Jackson County Audit

Information Security Program – How to implement

• Identify resources to be protected

• Perform a Threat Analysis
– Assess your vulnerability to each of the General Threats.
• Vulnerability testing
• SANS/FBI Top Twenty Internet vulnerabilities; www.sans.org

• Determine Business Impact
– What $ risks do you face in case of various types of successful attacks?
– Exposure = (Likelihood the vulnerability is successfully exploited) × (Business Impact expressed in dollars)

Page 25: Jackson County Audit

Information Security Program – How to implement

• Categorize Risks
– Acceptable Risk
– Risk to be Managed/Controlled
– Risk to be Eliminated

• Define your organization’s Security Policies and Procedures.

• Like accounting or legal policies, Security Policies define an operational framework for managing everything related to security for your organization on a day-to-day basis.

• Procedures outline who does what, when, and how.

Page 26: Jackson County Audit

Information Security Program – How to implement

• Define your Security Architecture.
– Risk/Reward

• Develop a Layered Defense; never depend on a single product or solution to defend yourself.

• Look for single points of failure; introduce redundancy if it makes business sense.

Page 27: Jackson County Audit

Information Security Program – How to implement

• Make the Investment
– Properly educated users and administrators are by far your best defense.
• Training should be constant and updated to reflect changes in both your organization and the outside world.

– Purchase the right tools.
• Don’t depend on home-grown solutions; use well-documented and robust tools developed by an established provider.

– If your organization is large enough, hire security specialists or consider managed services; don’t depend on overworked network administrators to stay current on your security needs.

Page 28: Jackson County Audit

Best Practice Elements

• Recognize the Need for Security at the Executive Level
– Allocate resources for training & auditing
– Set a standard for behavior

• Security Policies and Procedures
– Create and enforce them

• Training/Education
– Your best first line of defense
– Thwart Social Engineering exploits

Page 29: Jackson County Audit

Best Practice Elements

• Security Infrastructure
– Linked control mechanisms to ensure protection of sensitive information
• Administrative controls
• Physical controls
• Technological controls

• Track Security Developments
– Implement a method to regularly research security initiatives that may modify Best Practices

Page 30: Jackson County Audit

Best Practice Elements

• Vulnerability Testing
– In-house IT staff may not be expert in all areas of security, and/or management may not be objective
– Pay close attention to proposal scope, contract & references
– Recognize that test results represent merely a snapshot in time
– Different Approaches:
• Full audit vs. perimeter study only
• Business practices firms vs. technology firms

Page 31: Jackson County Audit

Thank you for your time!

Questions or Comments?