Information Security Assessment Process & Technology SERVICE OFFERING
Agenda
- Information Security and its Importance
- Opportune Corporate Profile and Experience
- Information Security Assessment Framework
- Methodology
- Approach & Timeline
- Deliverables
- Resumes
1/4/2011 Proprietary and Confidential 2
What is Information Security?
Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
- Integrity: guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
- Confidentiality: preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.
- Availability: ensuring timely and reliable access to and use of information.
*Source: United States Code: Title 44, 3542. Definitions (b)(1)
Why is Information Security Important?
Recent headlines from the Department of Justice website:
- Upland man indicted for allegedly damaging computer systems used to monitor off-shore oil platforms (March 17, 2009)
- Houston Computer Administrator Sentenced to 12 Months in Prison for Hacking Former Employer’s Computer Network (July 6, 2010)
- Student Convicted of Using University Computer Network for Denial of Service Attacks and to Control Other Computers (via "Botnet" Zombies) (May 26, 2010)
- Stalking and Computer Intrusion Indictment Filed in Philadelphia (August 5, 2010)
* Source: Department of Justice website
Drivers of Information Security
- Exposure of Information
- IT Asset Abuse
- Regulatory Compliance
- Company Policy
- Data Modification / Systems Sabotage
- Business Operations
- Economic Exploitation
- Company Image
- Company Assets
- Legal Liability
- HSE (Health, Safety and Environment)
- Information Theft
- Denial of Services
- System Intrusion / Unauthorized Access

Regulatory drivers apply to businesses that have to comply with government and industry regulations (e.g. NERC CIP, SOX, HIPAA and PCI DSS).

How often should you assess your Information Security?
Once a quarter to once a year, depending on risk tolerance and compliance requirements.
Opportune Corporate Profile
The Opportune Difference
(Chart: Number of People vs. Years of Experience, typical consulting firm compared with Opportune LLP)

Typical consulting firm: large consulting firms typically staff larger teams of less experienced resources in order to provide those resources with experience.

The Opportune Advantage: value through thought leadership. Opportune’s deeply experienced staff have, on average, nearly 10 years of industry or consulting experience that they bring to each client. This means more experienced teams delivering on the projects and challenges you are facing better, faster and more economically. Because Opportune’s staff are more experienced on average, our teams can be smaller and the resources staffed will be more experienced.
Security Case Study 1

Company Profile
Client is a multi-billion dollar privately held operator of oil and gas properties throughout the United States. They have offices in 12 states with more than 700 employees. The client has seen tremendous growth in the last few years and expects similar growth over the coming years.

Business Climate
In some cases, rapid growth in the last few years has outpaced the ability of IT to keep up with it. A recent IT Organization Review exposed potential risks for the IT systems, which could impact the client’s ability to conduct business as well as their investors.

Opportune Results
Opportune was engaged to execute a comprehensive IT Security Assessment of all externally facing systems, external web applications, internal servers, workstations, network devices and SCADA systems. During the engagement Opportune identified several critical risk vulnerabilities. A “proof-of-concept” demonstrated it was possible to access investor information, confidential information and critical systems from the Internet. Risks were prioritized so the client could begin remediation before the assessment was completed. Opportune provided a detailed report and overall summary of all vulnerabilities and gaps discovered during the assessment. This process provided an objective third party analysis of the risks, as well as recommendations to mitigate each vulnerability. Finally, Opportune provided the client with a quick hit list, short-term activities and a long-term roadmap to allow the client to focus their security efforts efficiently and effectively.
Security Case Study 2

Company Profile
Client is one of the largest private fee mineral and royalty owners in the United States. The client owns or controls interests, either directly or through institutionally-supported partnerships, in more than 25,000 wells.

Business Climate
The client felt that the significant growth of their information systems over the last few years had opened them up to potential security threats both internally and externally. They did not know where their risks were and wanted to have them identified so they could be remediated.

Opportune Results
The client engaged Opportune to assist in the assessment of policies, processes and procedures, including the supporting information technology used to create management reports and support operating decisions. An IT security assessment was conducted across all of the company’s IT infrastructure and application assets, including a web site that supported investors. The engagement included vulnerability assessment, penetration testing, wireless scanning, configuration review, application testing and web application testing across all internal and external IT assets. The engagement was conducted covertly to test the detective and reactive capabilities of the IT department and to provide “Technology Recovery” to the CIO. A “proof-of-concept” demonstrated it was possible to access investor information and confidential information from the Internet, and critical systems from the internal network.
(Information Security Assessment Framework diagram; recoverable phase labels: Evaluate, Remediate)
Information Security Assessment Methodology
Opportune’s Information Security Assessment Methodology provides fast, ACTIONABLE results.

Scope
- Confirm Assessment Scope
- Review Security Policies

Discover
- Conduct External Vulnerability Scans
- Conduct Internal Vulnerability Scans
- Conduct Web Application Scans
- Conduct Wireless Scans
- Conduct Modem Scans
- Review Physical Security Measures (e.g. data center access)
- Decision: Critical Issues? If yes, perform Critical Vulnerability Remediation and repeat until resolved; if no, proceed to Evaluate.

Evaluate
- Conduct Gap Analysis Against Best Practices and Industry Regulations
- Execute Ethical Hacking / Penetration Tests
- Analyze Identified Vulnerabilities
- Review Network, Server and Other OS Configuration
- Assess Risk

Remediate (Planning)
- Document Remediation Items and Recommendations
- Develop Remediation Roadmap
- Present Final Report and Oral Presentation
Approach & Timeline
This is a typical timeline for an Opportune Information Security Assessment project. Some of these activities may adjust based on the outcome of the scope phase.
(Timeline chart; phases: Project Kick Off, Scope, Discover, Evaluate, Remediate (Plan), Project Delivery; milestones: Status Checkpoint, Management Update Meeting)
Approach – Scope
Opportune will leverage techniques similar to those an attacker would use to compromise information and systems. To ensure a comprehensive assessment is performed, multiple services are utilized to provide an overall understanding of potential exposure and risk.
Approach – Vulnerability Assessment
Opportune will perform a detailed vulnerability assessment on IT assets that involves a comprehensive analysis of external and internal risks.
- Analyze the results from Vulnerability Scanning, Penetration Testing and Configuration Review and provide detailed assessment information for each issue.
- Recommend strategic and detailed technology and process adjustments that will help optimize the security currently deployed by the organization, as well as recommend additional solutions.
Approach - Administrative Security Assessment
Opportune will evaluate the security policies, procedures, processes, training, capabilities and awareness within the organization.
Approach - Physical Security Assessment
Opportune will review key areas where IT assets reside by evaluating the overall physical security of locations such as data centers and network closets.
Approach - Prioritization
Opportune will analyze and prioritize vulnerabilities using a risk-based approach. Critical items can be acted on during the engagement to provide the most benefit to the organization. Risks are categorized into four levels.
Deliverables
The following deliverables will be supplied upon conclusion of the assessment:

Executive summary report, including:
- Summary of Scope
- Approach and Methodology
- High Level Observations and Findings
- Quick Hit List
- Short-term and Strategic Recommendations

Detailed report, including:
- Methodology Leveraged
- Positive Security Aspects Identified
- Overall Risk Rating
- Detailed Technical Vulnerability Findings
- Assignment of a Risk Rating for Each Vulnerability
- Supporting Exhibits for Identified Vulnerabilities
- Detailed Technical Remediation Steps

Oral presentation
Appendix A - Penetration Testing Approach
Leveraging information gathered from the vulnerability assessment, Opportune will attempt to gain access to the systems by exploiting verified vulnerabilities. Opportune will utilize attack methods and vectors similar to those malicious attackers might use to compromise systems and information.
Activities:
The result of the Penetration Testing will provide the information necessary to perform a risk assessment and prioritized remediation roadmap.
Appendix A - Web Application Testing Approach
Activities:
- Analysis of application: system profiling and likely points of weakness.
- Scanning the user session lifecycle to identify vulnerabilities.
- Exploitation of vulnerabilities to attempt to access data and/or systems.
- Password cracking to try to gain access with elevated privileges on target devices.
(Figure: Key Assessment Areas)
Appendix A - Wireless Security Scanning Approach
Wireless access points will be mapped and their authentication mechanisms identified where possible. Once the access points have been identified, the access points and associated networks will be exploited using discovered vulnerabilities.
Activities: