Best Practices For Conducting Security Assessments
Benefits to Entities
Traditional IT assessment vs. security risk assessment
• IT focuses on accidental outages, hardware failures, and uptime
• Security risk assessment is the analysis of issues relating directly to security threats
Types of Assessments
Security audits
Change management
Architectural review
Penetration tests
Vulnerability assessments
Security audits
Components of a security audit
File system security
Physical security
Ports & services
Installation/configuration
Security event logging
Account security
Backups & Disaster recovery
Policies, procedures and other administrative controls
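The components listed above are the evidence a host-level audit collects. As an added example (not from the slides), the Python script below evaluates constructed sample evidence, shadow-style account lines, listening services, file modes, a logging configuration and a last-backup date, against five of those components and returns findings ordered by severity; every input, account name, port baseline and threshold in it is a constructed assumption.

```python
"""Host audit evidence checker keyed to the security audit components listed above.
All inputs below are constructed sample evidence, not data from a real host."""
import stat
from datetime import date

SHADOW = [                        # shadow(5)-style lines: name:hash:lastchg:...
    "root:$6$abc:19000:0:99999:7:::",
    "backup::19000:0:99999:7:::",     # empty password field
    "svc_app:!:19000:0:99999:7:::",   # locked account
    "guest:$6$def:19000:0:99999:7:::",
]
DEFAULT_ACCOUNTS = {"guest", "admin", "test"}   # assumed vendor/default names
LISTENERS = [                     # (proto, port, service) as ss/netstat would show
    ("tcp", 22, "sshd"), ("tcp", 23, "telnetd"),
    ("tcp", 443, "nginx"), ("udp", 161, "snmpd"),
]
APPROVED_PORTS = {("tcp", 22), ("tcp", 443)}    # assumed approved baseline
CLEARTEXT_PORTS = {21, 23, 69}                  # ftp, telnet, tftp
FILES = [                         # (path, mode bits) as stat would report
    ("/etc/shadow", 0o640), ("/opt/app/config.yml", 0o666),
    ("/var/log/auth.log", 0o640),
]
LOGGING = {"auth_logging": True, "remote_syslog": False}
LAST_GOOD_BACKUP = date(2014, 1, 2)
TODAY = date(2014, 2, 15)


def audit_accounts(shadow_lines):
    """Account security: empty passwords and enabled default accounts."""
    findings = []
    for line in shadow_lines:
        name, pw_hash = line.split(":")[:2]
        locked = pw_hash.startswith(("!", "*"))
        if pw_hash == "":
            findings.append(("Account security", "high", f"{name}: empty password"))
        elif name in DEFAULT_ACCOUNTS and not locked:
            findings.append(("Account security", "medium", f"{name}: default account enabled"))
    return findings


def audit_ports(listeners, approved=APPROVED_PORTS):
    """Ports & services: cleartext protocols and listeners outside the baseline."""
    findings = []
    for proto, port, svc in listeners:
        if port in CLEARTEXT_PORTS:
            findings.append(("Ports & services", "high", f"{svc} on {proto}/{port}: cleartext protocol"))
        elif (proto, port) not in approved:
            findings.append(("Ports & services", "medium", f"{svc} on {proto}/{port}: not in approved baseline"))
    return findings


def audit_files(entries):
    """File system security: world-writable files."""
    return [("File system security", "high", f"{path}: world-writable ({oct(mode)})")
            for path, mode in entries if mode & stat.S_IWOTH]


def audit_logging(cfg):
    """Security event logging: auth events captured and shipped off-host."""
    findings = []
    if not cfg.get("auth_logging"):
        findings.append(("Security event logging", "high", "authentication events not logged"))
    if not cfg.get("remote_syslog"):
        findings.append(("Security event logging", "medium", "logs kept only on the host"))
    return findings


def audit_backups(last_good, today, max_age_days=7):
    """Backups & Disaster recovery: age of the last verified backup."""
    age = (today - last_good).days
    if age > max_age_days:
        return [("Backups & Disaster recovery", "high", f"last verified backup is {age} days old")]
    return []


SEVERITY_ORDER = {"high": 0, "medium": 1}


def run_audit():
    """Collect all findings, highest severity first."""
    findings = (audit_accounts(SHADOW) + audit_ports(LISTENERS) + audit_files(FILES)
                + audit_logging(LOGGING) + audit_backups(LAST_GOOD_BACKUP, TODAY))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[1]], f[0]))


if __name__ == "__main__":
    for component, severity, detail in run_audit():
        print(f"[{severity:6}] {component}: {detail}")
```

Each finding names the audit component it belongs to, so the output can be filed directly against the checklist; physical security and administrative controls are left out because they are verified by walkthrough and document review rather than host evidence.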
Change management
Architectural review
• Current network diagram
• Physical walkthrough
o Trace cables
o Look for modems
• Network devices
o Logging enabled? Restricted access? Remote admin connections?
• Firewall review
o Process to evaluate risk of opening ports and services?
• Remote access connections
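The firewall review question above, whether there is a process to evaluate the risk of opening ports and services, can be checked mechanically against a rule set. The following Python example is added here and is not part of the presentation; it runs over a constructed, vendor-neutral rule list (field names, addresses and change-ticket references are assumptions) and flags the conditions a reviewer looks for: remote administration reachable from any source, any-service allows, admin rules without logging, rules with no documented risk evaluation, and a missing final default deny.

```python
"""Firewall rule-set review keyed to the architectural review questions above.
RULES is a constructed, vendor-neutral rule list; field names are assumptions."""
import ipaddress

ADMIN_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc"}   # assumed remote-admin services

RULES = [
    {"id": 10, "action": "allow", "proto": "tcp", "src": "10.20.0.0/24",
     "dst": "10.1.5.10/32", "dport": 22, "log": True, "ticket": "CHG-0041"},
    {"id": 20, "action": "allow", "proto": "tcp", "src": "0.0.0.0/0",
     "dst": "10.1.5.20/32", "dport": 443, "log": False, "ticket": "CHG-0017"},
    {"id": 30, "action": "allow", "proto": "tcp", "src": "0.0.0.0/0",
     "dst": "10.1.5.30/32", "dport": 3389, "log": False, "ticket": None},
    {"id": 40, "action": "allow", "proto": "any", "src": "192.168.0.0/16",
     "dst": "0.0.0.0/0", "dport": None, "log": False, "ticket": None},
    {"id": 50, "action": "deny", "proto": "any", "src": "0.0.0.0/0",
     "dst": "0.0.0.0/0", "dport": None, "log": True, "ticket": "CHG-0001"},
]


def is_any(cidr):
    """True for a 0.0.0.0/0 (or ::/0) source or destination."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def finding(rule, severity, text):
    return {"rule": rule["id"], "severity": severity, "text": text}


def review_rule(rule):
    """Apply the per-rule checks; only allow rules can open exposure."""
    out = []
    if rule["action"] != "allow":
        return out
    admin = ADMIN_PORTS.get(rule["dport"])
    if admin and is_any(rule["src"]):
        out.append(finding(rule, "high", f"remote admin ({admin}) reachable from any source"))
    if rule["proto"] == "any" and rule["dport"] is None:
        out.append(finding(rule, "high", "allows every service, not a specific port"))
    if admin and not rule["log"]:
        out.append(finding(rule, "medium", f"remote admin ({admin}) connections not logged"))
    if not rule["ticket"]:
        out.append(finding(rule, "medium", "no change ticket: risk of opening this port was not evaluated"))
    return out


def review_ruleset(rules):
    """Per-rule findings plus a check that the set ends in a logged default deny."""
    out = [f for r in rules for f in review_rule(r)]
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and is_any(last["src"])
            and is_any(last["dst"]) and last["log"]):
        out.append({"rule": None, "severity": "high",
                    "text": "rule set does not end in a logged default deny"})
    return out


if __name__ == "__main__":
    for f in review_ruleset(RULES):
        print(f"[{f['severity']:6}] rule {f['rule']}: {f['text']}")
```

The ticket check is the one that answers the slide's question directly: a rule with no change record is evidence that the port was opened without the risk evaluation the process requires, which ties the firewall review back to change management.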
Penetration testing
Penetration Test
Planning & Preparation
Gather Information & Analysis
Vulnerability Detection
Penetration Attempt
Analysis & Reporting
Clean Up
Penetration Attempt
• Choose targets
• Choose exploit
• Password cracking
• Social engineering
• Physical security
Analysis & Reporting
• Generate report
• Analysis & commentary
• Highlight vulnerabilities
• Summary
• Details
• Suggestions
Clean Up
• Get rid of mess
• List of actions
• Verified by organization
Vulnerability assessments
Vulnerability assessments vs. Penetration test
• Vulnerability assessment uncovers the weaknesses and shows how to fix them
• Penetration test shows if someone can break in and what information they can get
[Diagram: Vulnerability Assessment / Penetration Test]
Which assessment should I use?
Risks of assessments
Best practices
CVA Checklist
Review process
• Do personnel know about the process?
• Are personnel regularly trained on process?
• Are personnel following the process?
Results
• How will the results be stored?
• Where will the results be stored?
CIP-005 and CIP-007
• Default accounts
• Passwords
• Process
• Assessments
• Results & action plan
Additional Resources
• SANS – Implementing a Successful Security Assessment Process
o http://www.sans.org/reading-room/whitepapers/basics/implementing-successful-security-assessment-process-450
• NIST – Security Assessment Provider Requirements and Customer Responsibilities
o http://csrc.nist.gov/publications/drafts/nistir-7328/NISTIR_7328-ipdraft.pdf
• SANS – Security Auditing: A Continuous Process
o http://www.sans.org/reading-room/whitepapers/auditing/security-auditing-continuous-process-1150
• NIST Special Publication 800-53
o http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
• SANS – Conducting a Penetration Test on an Organization
o http://www.sans.org/reading-room/whitepapers/auditing/conducting-penetration-test-organization-67
• SANS – Vulnerability Assessment
o http://www.sans.org/reading-room/whitepapers/basics/vulnerability-assessment-421
• NIST – Technical Guide to Information Security Testing and Assessment
o http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
• ISACA – Project: Vendor Security Risk Assessment
o http://www.isaca.org/Groups/Professional-English/information-secuirty-management/GroupDocuments/Vendor%20Security%20Risk%20Assessment%20report.pdf
• Dark Reading – How To Conduct An Effective IT Security Risk Assessment
o http://www.darkreading.com/how-to-conduct-an-effective-it-security-risk-assessment/d/d-id/1138995?
Summary
Importance of assessments
Best practices
Other resources
Questions?
Ben Christensen
(801) 819-7666
bchristensen@wecc.biz