Information Security Assessment Offering


Opportune’s Information Security Assessment Consulting Offering


Transcript

  • 1. Information Security Assessment
    Process & Technology SERVICE OFFERING
  • 2. Agenda
    Information Security and its Importance
    Opportune Corporate Profile and Experience
    Information Security Assessment Framework
    Methodology
    Approach & Timeline
    Deliverables
    Resumes
    1/4/2011
    Proprietary and Confidential
    2
  • 3. What is Information Security?
    Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
    Integrity – guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.
    Confidentiality – preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.
    Availability – ensuring timely and reliable access to and use of information.
    *Source: United States Code: Title 44, 3542. Definitions (b)(1)
  • 4. Why is Information Security Important?
    Upland man indicted for allegedly damaging computer systems used to monitor off-shore oil platforms (March 17, 2009, Department of Justice)
    Houston Computer Administrator Sentenced to 12 Months in Prison for Hacking Former Employer’s Computer Network (July 6, 2010, Department of Justice)
    Student Convicted with Using University Computer Network for Denial of Service Attacks and to Control Other Computers (via "Botnet" Zombies) (May 26, 2010, Department of Justice)
    Stalking and Computer Intrusion Indictment Filed In Philadelphia (August 5, 2010, Department of Justice)
    * Source: Department of Justice website
  • 5. Why is Information Security Important?
    • What would it cost the business if:
      • Investor confidence or company image was damaged?
      • Confidential or proprietary information was leaked or destroyed?
      • Operational assets were tampered with?
      • Production data was altered?
      • Bid information was compromised?
      • The company was fined for regulatory non-compliance?
    • Who should care about Information Security?
      • Businesses with Industrial Control Systems (i.e. SCADA and DCS).
      • Businesses with personal information (i.e. bank account numbers and SSN).
      • Businesses with disgruntled employees.
      • Businesses who have to comply with government and industry regulations (i.e. NERC CIP, SOX, HIPAA and PCI DSS).
    • How often should you assess your Information Security?
      • Once a quarter to once a year depending on risk tolerance and compliance requirements.
    [Diagram labels. Drivers: Business Operations, Economic Exploitation, Company Image, Company Assets, Legal Liability, HSE, Regulatory Compliance, Company Policy. Threat categories: Exposure of Information, IT Asset Abuse, Data Modification / Systems Sabotage, Information Theft, Denial of Services, System Intrusion / Unauthorized Access.]
  • 18. Opportune Corporate Profile
  • 19. Typical Consulting Firm
    [Chart: Number of People vs. Yrs of Experience, comparing a typical consulting firm with Opportune LLP. Labels: The Opportune Advantage; The Opportune Difference; Value Added; Value Through Thought Leadership.]
    Typical large consulting firms staff with larger teams of less experienced resources to provide them with experience.
    Opportune’s deeply experienced staff has, on average, nearly 10 years of industry or consulting experience that they bring to each client. This means more experienced teams delivering on the projects and challenges you are facing better, faster and more economically.
    Because Opportune’s staff are more experienced, on average, our teams can be smaller and the resources staffed will be more experienced.
  • 20. Security Case Study 1
    Company Profile
    Client is a multi-billion dollar privately held operator of oil and gas properties throughout the United States. They have offices in 12 states with more than 700 employees. The client has seen tremendous growth in the last few years and expects similar growth over the coming years.
    Business Climate
    In some cases, rapid growth in the last few years has outpaced the ability of IT to keep up with them. A recent IT Organization Review exposed potential risks for the IT systems, which could impact the client’s ability to conduct business as well as their investors.
    Opportune Results
    Opportune was engaged to execute a comprehensive IT Security Assessment of all externally facing systems, external web applications, internal servers, workstations, network devices and SCADA systems. During the engagement Opportune identified several critical risk vulnerabilities.
    A “proof-of-concept” demonstrated it was possible to access investor information, confidential information and critical systems from the Internet. Risks were prioritized so the client could begin remediation before the assessment was completed. Opportune provided a detailed report and overall summary of all vulnerabilities and gaps discovered during the assessment.
    This process provided an objective third party analysis of the risks, as well as recommendations to mitigate each vulnerability. Finally, Opportune provided the client with a quick hit list, short-term activities and long-term roadmap to allow the client to focus their security efforts efficiently and effectively.
  • 21. Security Case Study 2
    Company Profile
    Client is one of the largest private fee mineral and royalty owners in the United States. The client owns or controls interests, either directly or through institutionally-supported partnerships, in more than 25,000 wells.
    Business Climate
    The client felt that the significant growth of their information systems over the last few years had opened them up to potential security threats both internally and externally. They did not know where their risks were and wanted to have them identified so they could be remediated.
    Opportune Results
    The client engaged Opportune to assist in the assessment of policies, processes and procedures, including supporting information technology used to create management reports and support operating decisions. An IT security assessment was conducted across all of the company’s IT infrastructure and application assets, including a web site that supported investors. The engagement included vulnerability assessment, penetration testing, wireless scanning, configuration review, application testing and web application testing across all internal and external IT assets.
    The engagement was conducted covertly to test the detective and reactive capabilities of the IT department and to provide “Technology Recovery” to the CIO.
    A “proof-of-concept” demonstrated it was possible to access investor information and confidential information from the Internet, and critical systems from the internal network.
  • 22. Information Security Assessment Framework
    • Development - Opportune’s proven Information Security Assessment Framework is developed from our extensive client experiences and our synthesis of industry-developed frameworks.
    • Foundation - The framework’s foundation is the consideration of both the probability and likelihood of undesired events.
    • Assessment - When identifying and quantifying vulnerabilities to prioritize the resulting risk, the framework helps ensure the client will focus on mitigating the most critical items first.
    • Leverage - Additionally, use of our framework ensures that clients will be using a repeatable process that can be leveraged over time, well beyond the initial assessment.
    [Framework diagram labels: Assets; Assessment Goals; Covert; Overt. Phases: Scope, Discover, Evaluate, Remediate.]
  • 40. Information Security Assessment Methodology
    Opportune’s Information Security Assessment Methodology provides fast, ACTIONABLE results.
    [Process flow]
    Scope:
      Confirm Assessment Scope
    Discover:
      Review Security Policies
      Conduct External Vulnerability Scans
      Conduct Internal Vulnerability Scans
      Conduct Web Application Scans
      Conduct Wireless Scans
      Conduct Modem Scans
      Review Physical Security Measures (i.e. data center access)
      Decision: Critical Issues? Y: Critical Vulnerability Remediation, repeated until Resolved. N: continue to Evaluate.
    Evaluate:
      Conduct Gap Analysis Against Best Practices and Industry Regulations
      Execute Ethical Hacking / Penetration Tests
      Analyze Identified Vulnerabilities
      Review Network, Server and Other OS Configuration
      Assess Risk
    Remediate (Planning):
      Document Remediation Items and Recommendations
      Develop Remediation Roadmap
      Present Final Report and Oral Presentation
  • 41. Approach & Timeline
    This is a typical timeline for an Opportune Information Security Assessment project. Some of these activities may adjust based on the outcome of the scope phase.
    Project Kick Off
    Scope
    Discover
    Evaluate
    Project Delivery
    Remediate (Plan)
    Status Checkpoint
    Management Update Meeting
  • 42. Approach – Scope
    Opportune will leverage similar techniques an attacker would use to compromise information and systems. To ensure a comprehensive assessment is performed, multiple services are utilized to provide an overall understanding of potential exposure and risk.
  • 43. Approach – Vulnerability Assessment
    Opportune will perform a detailed vulnerability assessment on IT assets that involves a comprehensive analysis of external and internal risks.
    • Analyze the results from Vulnerability Scanning, Penetration Testing and Configuration Review and provide detailed assessment information for each issue.
    • Recommend strategic and detailed technology and process adjustments that will help optimize security currently deployed by the organization as well as recommend additional solutions.
  • 45. Approach - Administrative Security Assessment
    Opportune will evaluate the security policies, procedures, processes, training, capabilities and awareness within the organization.
  • 46. Approach - Physical Security Assessment
    Opportune will review key areas where IT assets reside by evaluating the overall Physical Security of locations such as: Data Centers and Network Closets.
  • 47. Approach - Prioritization
    Opportune will analyze and prioritize vulnerabilities using a risk based approach. Critical items can be acted on during the engagement to provide the most benefit to the organization.
    Risks are categorized into four levels.
  • 48. Deliverables
    The following deliverables will be supplied upon conclusion of the assessment:
    • Executive summary report, including:
      • Summary of Scope
      • Approach and Methodology
      • High Level Observations and Findings
      • Quick Hit List
      • Short-term and Strategic Recommendations
    • Detailed report, including:
      • Methodology Leveraged
      • Positive Security Aspects Identified
      • Overall Risk Rating
      • Detailed Technical Vulnerability Findings
      • Assignment of a Risk Rating for Each Vulnerability
      • Supporting Exhibits for Identified Vulnerabilities
      • Detailed Technical Remediation Steps
    • Oral presentation
  • 49. Appendix A - Penetration Testing Approach
    Leveraging information gathered from the vulnerability assessment, Opportune will attempt to gain access to the systems by exploiting verified vulnerabilities. Opportune will utilize similar attack methods and vectors that malicious attackers might use to compromise systems and information.
    Activities:
    The result of the Penetration Testing will provide the information necessary to perform a risk assessment and prioritized remediation roadmap.
  • 50. Appendix A - Web Application Testing Approach
    Activities:
    • Analysis of application: system profiling and likely points of weakness.
    • Scanning the user session lifecycle to identify vulnerabilities.
    • Exploitation of vulnerabilities to attempt to access data and/or systems.
    • Password cracking to try and gain access with elevated privileges on target devices.
    Key Assessment Areas
  • 54. Appendix A - Wireless Security Scanning Approach
    Wireless access points will be mapped and their authentication mechanisms identified if possible. Once the access points have been identified, the access points and associated networks will be exploited using discovered vulnerabilities.
    Activities: