Information Security Assessment Offering


Opportune’s Information Security Assessment Consulting Offering

1. Information Security Assessment
   Process & Technology Service Offering

2. Agenda
   - Information Security and its Importance
   - Opportune Corporate Profile and Experience
   - Information Security Assessment Framework
   - Methodology
   - Approach & Timeline
   - Deliverables
   - Resumes
   1/4/2011, Proprietary and Confidential, 2
3. What is Information Security?
   Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
   - Integrity: guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.
   - Confidentiality: preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.
   - Availability: ensuring timely and reliable access to and use of information.
   Source: United States Code, Title 44, Section 3542, Definitions (b)(1)

4. Why is Information Security Important?
   Department of Justice press release headlines cited on the slide:
   - Upland man indicted for allegedly damaging computer systems used to monitor off-shore oil platforms
   - Houston Computer Administrator Sentenced to 12 Months in Prison for Hacking Former Employer's Computer Network
   - Student Convicted of Using University Computer Network for Denial of Service Attacks and to Control Other Computers (via "Botnet" Zombies)
   - Stalking and Computer Intrusion Indictment Filed In Philadelphia
   Release dates shown on the slide: March 17, 2009; July 6, 2010; May 26, 2010; August 5, 2010 (Department of Justice)
   Source: Department of Justice website
5. Why is Information Security Important?
   What would it cost the business if:
   - Investor confidence or company image was damaged?
   - Confidential or proprietary information was leaked or destroyed?
   - Operational assets were tampered with?
   - Production data was altered?
   - Bid information was compromised?
   - The company was fined for regulatory non-compliance?
   Who should care about Information Security?
   - Businesses with Industrial Control Systems (e.g. SCADA and DCS).
   - Businesses with personal information (e.g. bank account numbers and SSNs).
   - Businesses with disgruntled employees.
   - Businesses that have to comply with government and industry regulations (e.g. NERC CIP, SOX, HIPAA and PCI DSS).
   How often should you assess your Information Security?
   - Once a quarter to once a year, depending on risk tolerance and compliance requirements.
   Drivers diagram (text recovered from the figure): Exposure of Information, IT Asset Abuse, Regulatory Compliance, Company Policy, Data Modification / Systems Sabotage, Business Operations, Economic Exploitation, Company Image, Company Assets, Legal Liability, HSE, Information Theft, Denial of Services, System Intrusion / Unauthorized Access
6. Opportune Corporate Profile
   Opportune LLP Service Offering

7. The Opportune Difference
   Chart recovered from the slide: Typical Consulting Firm vs. Opportune LLP (The Opportune Advantage), comparing number of people against years of experience (about 10 years) and value added.
   - Typical large consulting firms staff with larger teams of less experienced resources to provide them with experience.
   - Value Through Thought Leadership: Opportune's deeply experienced staff has, on average, nearly 10 years of industry or consulting experience that they bring to each client. This means more experienced teams delivering on the projects and challenges you are facing better, faster and more economically.
   - Because Opportune's staff are more experienced, on average, our teams can be smaller and the resources staffed will be more experienced.
8. Security Case Study 1
   Company Profile: Client is a multi-billion dollar privately held operator of oil and gas properties throughout the United States. They have offices in 12 states with more than 700 employees. The client has seen tremendous growth in the last few years and expects similar growth over the coming years.
   Business Climate: In some cases, rapid growth in the last few years has outpaced the ability of IT to keep up. A recent IT Organization Review exposed potential risks for the IT systems, which could impact the client's ability to conduct business as well as their investors.
   Opportune Results: Opportune was engaged to execute a comprehensive IT Security Assessment of all externally facing systems, external web applications, internal servers, workstations, network devices and SCADA systems. During the engagement Opportune identified several critical risk vulnerabilities.
   A "proof-of-concept" demonstrated it was possible to access investor information, confidential information and critical systems from the Internet. Risks were prioritized so the client could begin remediation before the assessment was completed. Opportune provided a detailed report and overall summary of all vulnerabilities and gaps discovered during the assessment.
   This process provided an objective third party analysis of the risks, as well as recommendations to mitigate each vulnerability. Finally, Opportune provided the client with a quick hit list, short-term activities and a long-term roadmap to allow the client to focus their security efforts efficiently and effectively.

9. Security Case Study 2
   Company Profile: Client is one of the largest private fee mineral and royalty owners in the United States. The client owns or controls interests, either directly or through institutionally-supported partnerships, in more than 25,000 wells.
   Business Climate: The client felt that the significant growth of their information systems over the last few years had opened them up to potential security threats both internally and externally. They did not know where their risks were and wanted to have them identified so they could be remediated.
   Opportune Results: The client engaged Opportune to assist in the assessment of policies, processes and procedures, including supporting information technology used to create management reports and support operating decisions. An IT security assessment was conducted across all of the company's IT infrastructure and application assets, including a web site that supported investors. The engagement included vulnerability assessment, penetration testing, wireless scanning, configuration review, application testing and web application testing across all internal and external IT assets.
   The engagement was conducted covertly to test the detective and reactive capabilities of the IT department and to provide "Technology Recovery" to the CIO.
   A "proof-of-concept" demonstrated it was possible to access investor information and confidential information from the Internet, and critical systems from the internal network.
10. Information Security Assessment Framework
   - Development: Opportune's proven Information Security Assessment Framework is developed from our extensive client experiences and our synthesis of industry-developed frameworks.
   - Foundation: The framework's foundation is the consideration of both the probability and likelihood of undesired events.
   - Assessment: When identifying and quantifying vulnerabilities to prioritize the resulting risk, the framework helps ensure the client will focus on mitigating the most critical items first.
   - Leverage: Additionally, use of our framework ensures that clients will be using a repeatable process that can be leveraged over time, well beyond the initial assessment.
   Framework phases (recovered from the diagram):
   - Scope: Assets, Assessment Goals, Covert, Overt
   - Discover: Identify, Scan, Enumerate, Target
   - Evaluate: Review, Analyze, Exploit, Prioritize
   - Remediate: Plan, Roadmap, Report, Remediation Support
11. Information Security Assessment Methodology
   Opportune's Information Security Assessment Methodology provides fast, ACTIONABLE results.
   Process flow (recovered from the diagram):
   - Scope: Confirm Assessment Scope
   - Discover: Review Security Policies; Conduct External Vulnerability Scans; Conduct Internal Vulnerability Scans; Conduct Web Application Scans; Conduct Wireless Scans; Conduct Modem Scans; Review Physical Security Measures (e.g. data center access)
   - Decision points: Critical Issues? (Y: Critical Vulnerability Remediation) and Resolved? (Y/N)
   - Evaluate: Conduct Gap Analysis Against Best Practices and Industry Regulations; Execute Ethical Hacking / Penetration Tests; Analyze Identified Vulnerabilities; Review Network, Server and Other OS Configuration; Assess Risk
   - Remediate (Planning): Document Remediation Items and Recommendations; Develop Remediation Roadmap; Present Final Report and Oral Presentation

12. Approach & Timeline
   This is a typical timeline for an Opportune Information Security Assessment project. Some of these activities may adjust based on the outcome of the scope phase.
   Timeline chart (recovered from the figure): Project Kick Off; Scope; Discover; Evaluate; Project Delivery; Remediate (Plan); Status Checkpoint; Management Update Meeting
13. Approach – Scope
   Opportune will leverage techniques similar to those an attacker would use to compromise information and systems. To ensure a comprehensive assessment is performed, multiple services are utilized to provide an overall understanding of potential exposure and risk.

14. Approach – Vulnerability Assessment
   Opportune will perform a detailed vulnerability assessment on IT assets that involves a comprehensive analysis of external and internal risks.
   - Analyze the results from Vulnerability Scanning, Penetration Testing and Configuration Review and provide detailed assessment information for each issue.
   - Recommend strategic and detailed technology and process adjustments that will help optimize the security currently deployed by the organization, as well as recommend additional solutions.

15. Approach – Administrative Security Assessment
   Opportune will evaluate the security policies, procedures, processes, training, capabilities and awareness within the organization.

16. Approach – Physical Security Assessment
   Opportune will review key areas where IT assets reside by evaluating the overall Physical Security of locations such as Data Centers and Network Closets.
17. Approach – Prioritization
   Opportune will analyze and prioritize vulnerabilities using a risk based approach. Critical items can be acted on during the engagement to provide the most benefit to the organization.
   Risks are categorized into four levels.

18. Deliverables
   The following deliverables will be supplied upon conclusion of the assessment:
   - Executive summary report, including:
     - Summary of Scope
     - Approach and Methodology
     - High Level Observations and Findings
     - Quick Hit List
     - Short-term and Strategic Recommendations
   - Detailed report, including:
     - Methodology Leveraged
     - Positive Security Aspects Identified
     - Overall Risk Rating
     - Detailed Technical Vulnerability Findings
     - Assignment of a Risk Rating for Each Vulnerability
     - Supporting Exhibits for Identified Vulnerabilities
     - Detailed Technical Remediation Steps
   - Oral presentation
19. Appendix A – Penetration Testing Approach
   Leveraging information gathered from the vulnerability assessment, Opportune will attempt to gain access to the systems by exploiting verified vulnerabilities. Opportune will utilize attack methods and vectors similar to those malicious attackers might use to compromise systems and information.
   Activities:
   The result of the Penetration Testing will provide the information necessary to perform a risk assessment and a prioritized remediation roadmap.

20. Appendix A – Web Application Testing Approach
   Activities:
   - Analysis of application: system profiling and likely points of weakness.
   - Scanning the user session lifecycle to identify vulnerabilities.
   - Exploitation of vulnerabilities to attempt to access data and/or systems.
   - Password cracking to try to gain access with elevated privileges on target devices.
   Key Assessment Areas

21. Appendix A – Wireless Security Scanning Approach
   Wireless access points will be mapped and their authentication mechanisms identified if possible. Once the access points have been identified, the access points and associated networks will be exploited using discovered vulnerabilities.
   Activities: