Ben Christensen

Senior Compliance Risk Analyst,

Cyber Security

Best Practices for Conducting Cyber Security

Assessments
June 5, 2014
CIPUG Meeting, Salt Lake City
 Agenda

• Why are security assessments important?

• Types of security assessments
• Risks related to security assessments
• Best practices for security assessments
• How security assessments can help with
CIP-005 & CIP-007

2
 Benefits to Entities

• Help maintain CIP compliance

• Verify security controls that should already
be in place
• Define the risks associated with your cyber
security systems and how to mitigate them
• Highlight your controls to help you
determine the risk to reliability

3
 Traditional IT assessment vs. security
risk assessment
• IT focuses on accidental outages, hardware
failures, and uptime
• Security risk assessment is the analysis of
issues relating directly to security threats

4
 Types of Assessments
Security audits

Policies, procedures, other admin controls

Change management

Architectural review

Penetration tests

Vulnerability assessments

5
 Security audits

Manual or systematic measurable technical

assessment of how the organization's security
policy is employed.

6
 Security audits

• Looks at how effectively the security policy

has been implemented
• Measure security policy compliance
• Recommends solutions to deficiencies
• May be performed through:
o Informal self audits
o Formal IT audits

7
 Components of a security audit
File system security

Physical security
Ports & services

Installation/configuration
Security event logging

Account security
Backups & Disaster recovery

Network device restrictions

8
 Policies, procedures and other
administrative controls
• Security assessment ultimately shows the
effectiveness of policies
• Assess your policies to know how
effectively they have been implemented

9
 Policies, procedures and other
administrative controls

Documents Training Updates

• What are they? • Who is trained? • Who makes the
• How often are • How often? updates?
they reviewed? • Does it • How often are
• Acknowledge measure they made?
adherence to effectiveness? • How are
• Who has them? employees
notified?

10
 Change management

• Have you assessed how your change

management is doing?
• Are personnel really following it?
• How do you know?

11
 Change management

• Is the change management performed on a

regular basis?
• Is physical security part of the change
management process?
• How are changes approved?
• Where are changes documented?
• Who signs off on the changes?
• Who implements the changes?
12
 Architectural review

• Review network artifacts

o Network diagrams
o Security requirements
o Inventory
• Identify data flows
• Identify controls
• Identify gaps

13
 Architectural review
Current network diagram
Physical
Trace cables Look for modems
walkthrough

Network devices
Remote admin
Logging enabled? Restricted access?
connections?

Firewall review
Process to evaluate risk of
Remote access connections
opening ports and services?

14
 Penetration testing

Attacking a computer system to find security

weaknesses and to potentially gain access.

Warning: penetration tests can have serious

consequences to the systems involved!

15
 Penetration testing

Penetration Test
Planning & Preparation
Gather Information & Analysis
Vulnerability Detection
Penetration Attempt
Analysis & Reporting
Clean Up

16
 Penetration testing

Info Gathering Vulnerability

Plan & Prep
& Analysis Detection
• Scope • Get info • Determine
• Duration about target vulnerabilities
• Decide who • Network • Manual
to inform survey vulnerability
• Legal • Port scanning scanning
agreements

17
 Penetration testing
Penetration Analysis &
Clean Up
Attempt Reporting
• Choose targets • Generate report • Get rid of mess
• Choose exploit • Analysis & • List of actions
• Password commentary • Verified by
cracking • Highlight organization
• Social vulnerabilities
engineering • Summary
• Physical • Details
security • Suggestions

18
 Vulnerability assessments

As documented by SANS, “Vulnerabilities are

the gateways by which threats are
manifested”.
“A vulnerability assessment is a search for
these weaknesses/exposures in order to
apply a patch or fix to prevent a compromise”.
http://www.sans.org/reading-room/whitepapers/basics/vulnerability-
assessment-421

19
 Vulnerability assessments

Assign value Identify Mitigate or

Catalog
and vulnerabilities eliminate
assets
importance or threats vulnerabilities

20
 Vulnerability assessments

• Methods to counteract weaknesses

o Use baselines
o Patching
o Vulnerability scanning
o Following security advisors
o Use perimeter defenses
o Use intrusion detection systems and AV

21
 Vulnerability assessments vs.
Penetration test
• Vulnerability assessment uncovers the
weaknesses and shows how to fix them
• Penetration test shows if someone can
break in and what information they can get

Vulnerability Penetration
Assessment Test

22
 Which assessment should I use?

• Depends on your requirements and goals

• Security assessment might be too broad
• Penetration test may not identify all
vulnerabilities and could cause harm
• Can’t we just do the CVA as required for
CIP?

23
 Risks of assessments

• Vulnerability assessment or penetration test

might cause instability or harm to systems
• Penetration test might not uncover all your
vulnerabilities
• You might incorrectly rely on results and
assume you are secure
• Results may not be presented in a way to
provide value

24
Best practices

• Assessment should provide value beyond

the raw data
– Analyze the data to see what it means for your
organization
• Identify trends that highlight underlying
problems
– Might reveal a bigger problem
 Best practices

• Use combination of techniques to provide a

complete picture of your security
o No one size fits all
• Use the techniques that best meet your
requirements
• Provide answers in your assessment, not
just problems
• Share what you learn with employees
o Bring security to the forefront
26
 CIP-005 and CIP-007

• The assessments presented today can

work hand in hand with the CVA
• CIP Standards provide a minimum set of
controls
• Consider performing these assessments in
conjunction with your CIP-005 and CIP-007
obligations

27
 CVA Checklist

Review process
• Do personnel know about the process?
• Are personnel regularly trained on process?
• Are personnel following the process?

Current inventory of devices

• How do you account for changes?
• Who updates the inventory?
• Where is it stored?

28
 CVA Checklist

Verify ports and services

• Which tools will be used?
• Are personnel trained on the tools?
• How and where will the raw data be stored?

Discover all access points

• Don’t forget multi-homed devices
• Wireless
• Physical walkthrough

29
 CVA Checklist

Review controls for

• Default accounts
• Passwords
• Network management & community strings

Results
• How will the results be stored?
• Where will the results be stored?

30
 CVA Checklist

Plan to mitigate vulnerabilities

• Who will implement fixes?
• How will the fixes be implemented?

Execution status of action plan

• When will the fixes be implemented?
• Are dates current?

31
 CIP-005 and CIP-007
Default
Passwords
accounts

Ports and Community

services strings

Results &
Process Assessments action plan

32
Additional Resources
 Additional Resources
• SANS – Implementing a Successful
Security Assessment Process
o http://www.sans.org/reading-
room/whitepapers/basics/implementing-
successful-security-assessment-process-450
• NIST – Security Assessment Provider
Requirements and Customer
Responsibilities
o http://csrc.nist.gov/publications/drafts/nistir-
7328/NISTIR_7328-ipdraft.pdf
34
 Additional Resources
• SANS – Security Auditing: A Continuous
Process
o http://www.sans.org/reading-
room/whitepapers/auditing/security-auditing-
continuous-process-1150
• NIST Special Publication 800-53
o http://nvlpubs.nist.gov/nistpubs/SpecialPublicati
ons/NIST.SP.800-53r4.pdf

35
 Additional Resources
• SANS - Conducting a Penetration Test on
an Organization
o http://www.sans.org/reading-
room/whitepapers/auditing/conducting-
penetration-test-organization-67
• SANS - Vulnerability Assessment
o http://www.sans.org/reading-
room/whitepapers/basics/vulnerability-
assessment-421

36
 Additional Resources
• NIST - Technical Guide to Information
Security Testing and Assessment
o http://csrc.nist.gov/publications/nistpubs/800-
115/SP800-115.pdf
• ISACA – Project: Vendor Security Risk
Assessment
o http://www.isaca.org/Groups/Professional-
English/information-secuirty-
management/GroupDocuments/Vendor%20Security%2
0Risk%20Assessment%20report.pdf

37
 Additional Resources
• Dark Reading - How To Conduct An
Effective IT Security Risk Assessment
o http://www.darkreading.com/how-to-conduct-
an-effective-it-security-risk-assessment/d/d-
id/1138995?

38
 Summary

Importance of assessments

Many types you can perform

Why you should go beyond the CVA

Best practices

Other resources

39
Questions?

Ben Christensen
(801) 819-7666
bchristensen@wecc.biz