A Simple Risk Analysis Methodology

Forging Partnerships Between Auditors and Security Managers: Breakthrough Methods That Work
JCSC 2000
Randy Marchany
VA Tech Computing Center
Blacksburg, VA 24060
[email protected]
540-231-9523
Copyright 2000, Marchany
The Auditor’s Goals
- Ensure assets are protected according to company, local, state and federal regulatory policies.
- Determine what needs to be done to ensure the protection of the above assets.
- Make life miserable for sysadmins… :-)
  - Not really. They can save a sysadmin if a problem occurs.
The Sysadmin’s Goals
- Keep the systems up.
- Keep users happy and out of our hair.
- Keep auditors at arm’s length.
- Get more resources to do the job properly.
- Wear jeans or shorts to work when everyone else has to wear suits…

The Sysadmin’s Audit Strategy
- Turn a perceived weakness (the audit) into a strength (security checklists).
- Develop a set of reporting matrices that can be used as audit reports or as justification for security expenditures.
- The above information can also be used to help develop your incident response plan.

The Committee

Management and technical personnel from the major areas of IS:
- University Libraries
- Educational Technologies
- University Network Management Group
- University Computing Center
- Administrative Information Systems
The Committee’s Scope

- Information Systems Division only.
- Identified and prioritized ASSETS, together with:
  - RISKS associated with those ASSETS
  - CONTROLS that may be applied to the ASSETS to mitigate the RISKS
- Did NOT specifically consider assets outside IS control. However, those assets are included as clients when considering access to the assets we wish to protect.
The Committee’s Charge

From our VP for Information Systems:
- “Establish whether IS units are taking all reasonable precautions to protect info resources and to assure the accurate & reliable delivery of service.”
- “Investigate and advise the VPIS as to the security of systems throughout the university…. Provide documentation of the security measures in place.”

Identifying the Assets
- Compiled a list of IS assets (100+ systems).
- Categorized them as critical, essential or normal:
  - Critical - VT can’t operate without this asset for even a short period of time.
  - Essential - VT could work around the loss of the asset for up to a week. The asset needs to be returned to service as soon as possible.
  - Normal - VT could operate without this asset for a finite period, but entities may need to identify alternatives.
Prioritizing the Assets
- The network (routers, bridges, cabling, etc.) was treated as a single entity and deemed critical.
- X assets were classified as critical and then rank ordered using a matrix prioritization technique. Each asset was compared to every other asset and members voted on their relative importance. Members could split their vote.

Identifying the Risks

- A RISK was selected if it caused an incident that would:
  - Be extremely expensive to fix
  - Result in the loss of a critical service
  - Result in heavy, negative publicity, especially outside the university
  - Have a high probability of occurring
- Risks were prioritized using the matrix prioritization technique.
Mapping Risks and Assets

- We built a matrix that maps the ordered list of critical assets against the ordered list of risks, regardless of whether or not:
  - A particular risk actually applies to the asset
  - Controls exist and/or are already in place
- The matrix provides general guidance about the order in which each asset/risk pair is examined. All assets/risks need to be examined eventually.
Identifying Controls
- Specific controls identified by the committee were put in a matrix.
- The controls were then mapped against the list of risks; each cell holds the control ids that can mitigate a particular risk for a particular asset.
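The pairwise matrix prioritization with split votes (Prioritizing the Assets, Identifying the Risks) and the ordered asset/risk matrix with control ids in its cells (Mapping Risks and Assets, Identifying Controls), as an added Python example that is not part of the original deck. The assets, risks, votes and control ids are constructed sample data, and tallying each member's vote share into the two compared items' totals is my assumption of how the committee's comparisons were scored.

```python
from itertools import combinations

# Constructed sample data for this example (not from the original slides):
# three critical assets, two risks, and each committee member's pairwise votes.
# A vote on pair (a, b) is (share_a, share_b) summing to 1; (0.5, 0.5) is a split vote.
ASSETS = ["Network", "Email server", "Payroll system"]
ASSET_VOTES = {
    ("Network", "Email server"): [(1, 0), (1, 0), (0.5, 0.5)],
    ("Network", "Payroll system"): [(1, 0), (0.5, 0.5), (1, 0)],
    ("Email server", "Payroll system"): [(0, 1), (1, 0), (0, 1)],
}
RISKS = ["Denial of service", "Password compromise"]
RISK_VOTES = {("Denial of service", "Password compromise"): [(1, 0), (1, 0), (0, 1)]}
# Hypothetical control ids: which controls mitigate which risk on which asset.
CONTROLS = {
    ("Network", "Denial of service"): ["C3"],
    ("Payroll system", "Password compromise"): ["C1", "C2"],
    ("Email server", "Password compromise"): ["C1"],
}


def matrix_prioritize(items, votes):
    """Rank items by pairwise comparison: each member's (possibly split) vote on
    every pair is added to the two items' totals. Returns [(item, score), ...]."""
    score = {item: 0.0 for item in items}
    for a, b in combinations(items, 2):
        members = votes.get((a, b)) or [(y, x) for x, y in votes.get((b, a), [])]
        for share_a, share_b in members:
            if min(share_a, share_b) < 0 or abs(share_a + share_b - 1) > 1e-9:
                raise ValueError(f"vote on ({a}, {b}) must split exactly one vote")
            score[a] += share_a
            score[b] += share_b
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


def asset_risk_matrix(ranked_assets, ranked_risks, controls):
    """Map every ranked asset against every ranked risk in examination order.
    Each cell lists the control ids mitigating that risk for that asset; an empty
    list (no control identified yet) is kept on purpose, since it needs attention."""
    return [(asset, risk, list(controls.get((asset, risk), [])))
            for asset, _ in ranked_assets
            for risk, _ in ranked_risks]


if __name__ == "__main__":
    assets = matrix_prioritize(ASSETS, ASSET_VOTES)
    risks = matrix_prioritize(RISKS, RISK_VOTES)
    for asset, risk, ids in asset_risk_matrix(assets, risks, CONTROLS):
        print(f"{asset:15} {risk:20} controls: {ids or 'NONE IDENTIFIED'}")
```

Cells printed as NONE IDENTIFIED are the asset/risk pairs the matrix surfaces first for a cost-benefit review.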

Recommendations

- The process recommends a general order in which IS should apply scarce resources to perform a cost-benefit analysis for the various assets & risks.
- For each asset, as directed by management, appropriate staff should:
  - Review the risks & controls
  - Add any further risks/controls not identified
  - Assess the potential cost of an incident
  - Assess the cost of control purchases and deployment
  - Analyze cost vs. benefit for each asset
  - Submit results to management, which retains the responsibility to weigh investments and make implementation decisions
References
- http://security.vt.edu
- www.sans.org
- www.nipc.gov
- www.jmu.edu/info-security
- www.cornell.edu/CPL
- www.securityfocus.com
- www.insecure.org
APPENDIX 1

The following matrices are examples of the matrix reports:
- Exhibit A (ASSET Matrix)
- Exhibit B (ASSET WEIGHT Matrix)
- Exhibit C (RISKS Matrix)
- Exhibit D (RISK WEIGHT Matrix)
- Exhibit E (ASSET-RISK Matrix)
- Exhibit F (CONTROLS Matrix)
APPENDIX 2
- The following spreadsheets are the compliance reports.
- Overall Compliance Report lists the general vulnerabilities a system has. This is a quick 1-page report for management or the auditors.
- Asset/Risk Matrix lists whether a system is affected by a risk. The risks are more specific.
- Controls Matrix lists what controls are in place for a given system.
- Individual Action Matrix lists the details of an audit for each node. Did the system comply?
APPENDIX 3
- The following checklist gives the detailed commands to be performed in the “audit”.
- The categories are based on the Risk Matrices in Appendix 1.
- The results of the checklist commands are inserted in the Compliance matrices of Appendix 2.
- This checklist and the matrices form the overall audit/security checklist package.

APPENDIX 4
- Your company’s response policy will dictate the degree of audit record keeping you’ll have to maintain.
- There are 2 strategies:
  - Protect and Proceed
  - Pursue and Prosecute
Incident Handling: Protect and Proceed?
- Which strategy should your organization follow to handle an incident? This dictates the level of record keeping needed to fulfill the strategy. (RFC 2196)
- Protect and Proceed emphasizes:
  - the protection and preservation of site facilities
  - return to normal operations as soon as possible
  - actively interfering with intruder attempts
  - beginning immediate damage assessment and recovery
- Use if:
  - assets are not well protected
  - continued penetration could result in financial risk
  - the possibility or willingness to prosecute is not present
  - the user community is unknown
  - users are unsophisticated and their work is vulnerable
  - the site is vulnerable to lawsuits from users if their resources are undermined
Incident Handling: Pursue and Prosecute?
- Allow intruders to continue their activity until the site can identify them. This is the approach recommended by law enforcement agencies.
- Use if:
  - system assets are well protected
  - good backups are available
  - asset risks are outweighed by the risk of future penetrations
  - it's a concentrated and frequent attack
  - the site has a natural attraction to intruders, e.g. a university or a bank
  - the site is willing to spend the money and accept the risk to catch the intruder
  - intruder access can be controlled
  - well-developed monitoring tools are available
  - you have a technically competent support staff
  - management is willing to prosecute
  - system administrators know in general what evidence will aid in prosecution
  - there is established contact with law enforcement agencies
  - the site has involved its legal staff