Security Consulting Methodology



  1. Consulting Methodology
     Security Management Training Series, October 2, 2006

  2. Security Management Training Series
     - Security, Legal & Risk Management
     - Consulting Methodology
     - Policy Structure
     - Risk Assessment

  3. Assumptions
     - Assume methodology is important for now
     - More to come on the why later
     - This is the reader's digest version
     - Based on significant worldwide experience across numerous sectors and verticals
     - Based on IBM's consulting approach and my own experience

  4. Overview
     - Why?
     - Project sponsor
     - Scope definition
     - Kickoff
     - Information gathering
     - Analysis
     - Development
     - Recommendations
     - Documentation
     - Debrief
     - Case

  5. Methodology
     - A set of processes and approaches
     - Proven and documented
     - Supported by tools
     - Adopted by a group
  6. Methodology
     - The purpose of a method is to provide a framework for solving problems and getting results
     - It is not:
       - static
       - a panacea
       - a cookbook, or
       - a substitute for good judgment

  7. Why Methodology?
     - Repeatable results
       - Process (defined engagements)
     - Verifiable results
       - Measurement (CoS card)
     - Reliable results
       - Toolsets (standards, best practices)
     - Lower resource requirements
       - Time to engage and complete
       - Cost
       - Effort

  8. Project Sponsor
     - Identify
       - The purpose of the project sponsor is…
     - Publish the sponsor if required, or if it is a good idea, for example when:
       - Politics are in play
       - The scope spans a highly decentralized sphere
       - You know there is resistance to the project
       - The project sponsor is very senior
       - You can leverage the sponsor's clout

  9. Scope Definition
     - In writing: what resources are required
     - A process for scope change
     - Document what success means
     - Understand what presentation format will be required
       - Level of detail
       - Audience
     - Understand the purpose of the engagement: how will the results be used?
  10. Project Triangle
      [Figure: Project Triangle diagram showing Money, Time, Resources and Project Scope]

  11. Kickoff
      - Project management
      - Resource acquisition
      - Re-state scope, timelines and budget
      - Be aware of scope creep
      - Project Triangle

  12. Project Triangle
      [Figure: the Project Triangle diagram from slide 10, repeated]

  13. Information Gathering
      - Document reviews
        - Policy
        - Strategic plans
        - Missions and visions
        - Diagrams
        - Historical documents

  14. Information Gathering
      - Interviews
        - Statements
        - Opinions
      - Develop a question tree
        - Who will be asked what
        - In what order

  15. Information Gathering
      - Gap review
        - Compare against contemporaries
        - Best practices
        - Industry opinion
        - Colleagues
        - Case studies
        - Survey research

  16. Information Gathering
      - Tools
        - Forms
        - Report templates
        - Comparison spreadsheets
        - Organization standards
          - Structure
          - Aesthetics
        - WBS (work breakdown structure)
        - Dependency diagrams
  17. Analysis
      - Qualitative
        - Survey response data
        - Interview question data
      - Quantitative
        - Statistical analysis
        - Financial analysis
          - ROI, NPV, IRR
      - Trends
      - Changes in the situation or environment
      - Seek conclusions
      - Sanity check

  18. Security Analysis
      [Figure: four planes (Business Process, Organisation, Solutions, Infrastructure), each with its own Security layer, feeding a "Business Risk" view; vulnerabilities A to F are plotted on a 5x5 Severity by Probability matrix, each axis scaled 1 to 5]

  19. Development
      - Reports
      - Flowcharts
      - Presentations
      - Deliverables

  20. Recommendations
      - Findings and conclusions, related to standards
      - Current security level
      - Risks to the business
      - Short-term "quick win" recommendations
      - Longer-term strategic recommendations
      - Should be:
        - Timely
        - Financially considerate
        - Politically sensitive
        - Prioritized
      [Figure: business impacts tied to the assessed security level (staff and management assessment): decrease of services or abilities, loss of revenue, loss of taxpayer confidence, increase of operating expenses, conflicts with others, loss of employee trust, damage to image]
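The severity-by-probability matrix on the Analysis slide and the quick-win versus strategic split on the Recommendations slide can be driven by a small script, so that the ranking handed to the sponsor is reproducible rather than argued cell by cell. The following is an added worked example, not code from the slide deck or its author: the findings A to F, their ratings, costs and effort, the band thresholds and the quick-win cut-offs are all constructed assumptions.

```python
"""Risk-matrix scoring and recommendation prioritisation.

Added worked example, not part of the original slide deck. The findings,
their severity/probability ratings, costs and effort figures are
constructed sample data; the band thresholds and the quick-win cut-offs
are assumptions an organisation would set for itself.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # both axes of the matrix run 1..5


@dataclass(frozen=True)
class Finding:
    ident: str         # letter plotted on the matrix (A..F on the slide)
    title: str
    severity: int      # 1 = negligible .. 5 = critical business impact
    probability: int   # 1 = rare .. 5 = almost certain
    cost: float        # estimated one-off cost to remediate (constructed units)
    effort_days: int   # estimated effort to implement


def risk_score(f: Finding) -> int:
    """Severity x probability, the cell value of the 5x5 matrix (1..25)."""
    if f.severity not in SCALE or f.probability not in SCALE:
        raise ValueError(f"{f.ident}: severity and probability must be 1..5")
    return f.severity * f.probability


def risk_band(score: int) -> str:
    """Map a matrix score to a band (thresholds are an assumption)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def classify(f: Finding, max_cost: float = 5000, max_days: int = 10) -> str:
    """Quick win: worth fixing and cheap/fast to fix; strategic: worth fixing
    but needs budget and time; backlog: low risk, track but do not schedule."""
    if risk_band(risk_score(f)) == "low":
        return "backlog"
    if f.cost <= max_cost and f.effort_days <= max_days:
        return "quick win"
    return "strategic"


def matrix_cells(findings):
    """Group finding identifiers by (severity, probability) cell."""
    cells = {}
    for f in findings:
        risk_score(f)  # validates the ratings before plotting
        cells.setdefault((f.severity, f.probability), []).append(f.ident)
    return cells


def render_matrix(findings) -> str:
    """Text rendering: severity down the side (5 at top), probability across."""
    cells = matrix_cells(findings)
    lines = ["sev\\prob " + " ".join(f"{p:^5}" for p in SCALE)]
    for sev in reversed(SCALE):
        row = [f"{sev:^8}"]
        for prob in SCALE:
            row.append(f"{''.join(sorted(cells.get((sev, prob), []))):^5}")
        lines.append(" ".join(row))
    return "\n".join(lines)


def prioritise(findings):
    """Order for the recommendations section: quick wins first, then strategic,
    then backlog; within a group, highest risk first, then cheapest."""
    order = {"quick win": 0, "strategic": 1, "backlog": 2}
    return sorted(findings,
                  key=lambda f: (order[classify(f)], -risk_score(f), f.cost))


# Constructed sample findings standing in for A..F on the slide.
SAMPLE = [
    Finding("A", "Default credentials on building management system", 5, 4, 2000, 3),
    Finding("B", "Unencrypted backup tapes leave site weekly", 5, 2, 60000, 90),
    Finding("C", "Visitor badges not collected at reception", 3, 5, 1000, 2),
    Finding("D", "Outdated signage in server room", 2, 2, 500, 1),
    Finding("E", "Flat network: no segmentation between server LAN and office LAN", 4, 4, 120000, 180),
    Finding("F", "No clean-desk checks after hours", 3, 3, 8000, 20),
]

if __name__ == "__main__":
    print(render_matrix(SAMPLE))
    for f in prioritise(SAMPLE):
        print(f"{classify(f):10} {f.ident} score={risk_score(f):2} cost={f.cost:>8} {f.title}")
```

Each finding is checked against the 1..5 scale before it is scored, so a rating entered as 0 or 6 fails loudly instead of quietly distorting the ranking; the cost and effort cut-offs are what turn a "financially considerate" recommendation into something the sponsor can assign to staff in the debrief.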
  21. Documentation
      - Document the process, participants, project authorizations and scope changes
      - Ensure copies of important paperwork are retained and properly filed
        - Licenses
        - Project documents
      - Consultant input should be documented and stored for long-term knowledge transfer
      - Re-usable content
        - Learn quicker
        - Deliver faster
        - Customize solutions

  22. Debrief
      - Presentation of the report and awareness material to interested parties
        - May include a technical review if required
      - Knowledge transfer from consultants
      - Questions
      - Demonstration of findings and conclusions
      - Presentation of the quick wins
      - Staff are assigned responsibilities for implementing the quick wins
      - Validation of results
      - Closing of the project
      - Security improvements can be seen immediately, increasing the value of the engagement

  23. Engagement Flow
      [Figure: flow diagram with the steps Kick-off meeting; Interviews; Document Review; Physical Security Review; IT Infrastructure Review; Security Process Review; Security Implementation Review; Analysis; Development & recommendation; Follow-on workshop]

  24. Questions?

  25. Sample Processes
  26. Security Review Processes: physical security review
      Reconnaissance
      - Identify all possible entrances/exits
      - Identify coverage of surveillance systems
      - Identify reception staff and security guard behaviour
      Gain building access
      - Enter site perimeter
      - Enter building and office premises
      Assess internal physical controls
      - Determine vulnerabilities in all possible entrances/exits
      - Determine vulnerabilities in monitoring, surveillance and alarm controls
      - Assess incident management/response controls
      - Assess access to workspace, cabinets, desks, waste
      - Review clean desk policy
      Assess availability of LAN access
      - Identify live LAN connection ports
      - Assess security of cabling systems
      - Assess security of wiring closets, network devices and computer rooms
      Access business assets
      - Obtain copies of sensitive documents and materials
      - Obtain access to other important company assets
      - Record evidence: document hardcopies, photographs
      Output of each phase: vulnerabilities

  27. Security Review Processes (continued): network penetration test
      Company information scan
      - Search the Internet for information about the company, its services, locations and IT environment
      - Access the company's public web sites
      Gain network connectivity
      - If testing internally, gain physical access to the LAN infrastructure and then an IP address
      - If testing externally, connect via the Internet and also search for dial-in connections (wardialling)
      Map network
      - Gain access to and review DNS information
      - Determine network structure, external connections and LAN services
      - Identify systems, O/S, middleware and applications
      - Determine targets
      Identify & exploit vulnerabilities
      - Identify vulnerabilities
      - Exploit vulnerabilities to gain system access
      - Obtain privileged user status
      - Identify and exploit system/network connections and trust relations
      Determine capability
      - Copy sensitive documents, e-mail & reports
      - Assess capabilities from the access gained to applications and databases
      - Record evidence: screenshots, files, reports
      Output of each phase: vulnerabilities
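For the Map Network phase (determine network structure and LAN services, identify systems and O/S, determine targets), the raw material is normally a port scan, and the inventory that feeds the report should be derived from the saved scan rather than re-typed. The following is an added example, not part of the original deck: it parses the XML that nmap writes with its -oX option into a host/service/OS inventory and ranks candidate targets. The embedded scan output is constructed for this example (not a real scan), and the table of "interesting" services is an assumption a tester would tune per engagement.

```python
"""Turn a saved port scan into the target list for the 'Map Network' step.

Added worked example, not part of the original slide deck. It reads the
XML that nmap produces with -oX (a real, documented format) and builds
the systems/services/OS inventory the slide asks for, then flags
candidate targets. SAMPLE_XML is constructed sample data, not a real
scan; INTERESTING is an assumption to be tuned per engagement.
"""
import xml.etree.ElementTree as ET
from collections import namedtuple

Host = namedtuple("Host", "addr hostname os services")  # services: [(port, name, product)]

# Constructed nmap -oX style output: two live hosts and one that did not answer.
SAMPLE_XML = """
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 10.10.1.0/24">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.10.1.5" addrtype="ipv4"/>
    <hostnames><hostname name="files01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Microsoft Windows SMB"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2003" accuracy="96"/></os>
  </host>
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="10.10.1.20" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="4.3"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.0.22"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="90"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.10.1.21" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Services a tester usually looks at first (assumption; tune per engagement).
INTERESTING = {
    "microsoft-ds": "SMB: file shares and domain trust relations",
    "ms-wbt-server": "RDP: interactive access if credentials are weak",
    "mysql": "database: direct access to business data",
    "telnet": "cleartext administration",
}


def parse_scan(xml_text: str):
    """Return one Host per live host with its open services and best OS match."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that did not respond carry no inventory
        addr = next((a.get("addr") for a in h.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        hn = h.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else ""
        services = []
        for p in h.findall("ports/port"):
            st = p.find("state")
            if st is None or st.get("state") != "open":
                continue  # only open ports are reachable services
            svc = p.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = " ".join(filter(None, [svc.get("product"), svc.get("version")])) if svc is not None else ""
            services.append((int(p.get("portid")), name, product))
        matches = h.findall("os/osmatch")  # keep the highest-accuracy guess only
        best_os = max(matches, key=lambda m: int(m.get("accuracy", "0"))).get("name", "") if matches else ""
        hosts.append(Host(addr, hostname, best_os, sorted(services)))
    return hosts


def candidate_targets(hosts):
    """Pair each host with the reasons it deserves attention, most reasons first."""
    ranked = []
    for host in hosts:
        reasons = [f"{port}/{name}: {INTERESTING[name]}"
                   for port, name, _ in host.services if name in INTERESTING]
        if reasons:
            ranked.append((host.addr, reasons))
    return sorted(ranked, key=lambda t: -len(t[1]))


if __name__ == "__main__":
    hosts = parse_scan(SAMPLE_XML)
    for h in hosts:
        print(f"{h.addr:15} {h.hostname or '-':22} {h.os or 'unknown'}")
        for port, name, product in h.services:
            print(f"    {port:5} {name:15} {product}")
    print("\nCandidate targets:")
    for addr, reasons in candidate_targets(hosts):
        print(addr, *reasons, sep="\n    ")
```

Hosts reported down are dropped, closed ports are ignored and the OS is the highest-accuracy osmatch, so the inventory reflects only what actually answered; the raw XML is the evidence for the report and should be kept alongside the derived list.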
  28. Sample Case: Converged Investigations Methodology

  29. Project Sponsor
      - Dave
      - My purpose in this engagement is…?

  30. Scope Definition
      - The development of a set of processes, procedures and tools sufficient for CoV security staff to conduct ongoing investigations with both traditional and electronic investigation components

  31. Kickoff
      - PM?
      - Resources?
      - Re-state scope, timelines and budget
      - How will you defend against scope creep?
        - Project Triangle

  32. Tools
      - Report template example
      - Checklist
      - Shared workspace

  33. Information Gathering
      - What to review?

  34. Analysis
      - Review gathered material

  35. Development
      - Flowchart
      - Recommended changes
        - New policy
        - Procedures
        - Standards or guidelines
        - SOP
      - Reports
      - Presentations

  36. Recommendations
      - Relate to standards and best practices where possible
      - Gap analysis
      - Prioritize, with quick wins up front
      - Get input whenever possible

  37. Documentation
      - Flowchart
      - Sources
      - Filing and storage
      - Re-usability

  38. Debrief
      - Process to validate?
      - How do we make this a process?
      - PM: close the project with the sponsor and stakeholders

  39. Questions