
Oh sure. How many people here were at the 11 o'clock talk, the one on being a security auditor? There'll be a slight overlap between the two talks, because there is an overlap between security audits and what I talk about here, which is called security assessments or security risk assessments, but there are some differences.

The big thing was that for about seven years I worked as a security consultant doing a lot of security risk assessments for a wide variety of companies, against different frameworks and standards and regulations. Now I've gotten out of that and I'm just working for one company. I thought I'd do a disclaimer, since I started doing this: the views expressed by me are my own; they don't necessarily reflect the views of my employers, current or past, or BSides Tampa, or any organization. So your mileage may vary.

I spent several years as a security consultant. I did a lot of security risk assessments and gap assessments for a wide range of companies of various sizes and industries. Just to give you an idea of what I mean by that: the smallest company I dealt with was a one-doctor psychology office; the biggest was probably one of these large regional hospital concerns, which meant I had to support a team of people assessing them over a couple of weeks, driving around visiting offices, doing a lot of interviews, walking around campuses, and so on and so forth. Also some software companies, manufacturing companies, a theme chain, a publisher. Sorry that I don't mention any names, but when I worked as a consultant we did not name our clients, and so I'm a little leery about doing so. But if I named some of my clients, oh yeah, you'd know them. Also a certain entertainment conglomerate that's in the greater Tampa Bay area.

In that, I did a lot of different things: I had HIPAA, PCI, the Cybersecurity Framework, 27001, the CIS controls, New York DFS (have you ever heard of that? Not one?), SOC 2, HITRUST, blah blah blah. But
part of this, for a lot of my clients, I personally created what I call an audit framework, basically a structure for gathering their evidence on an ongoing basis, so that when we came in to assess them, or when they got audited, they actually had the evidence to show: yes, we're doing what we say we're doing, here's the evidence. This will actually be the topic of a future presentation, which I'm loosely calling part two; I'm not sure where or when that will be given, hopefully this year.

So again, this is meant to be a presentation at a very high level, a very simple level. This is probably a topic that, honestly, we would probably spend a whole day on, or a week of training on how to be a security assessor. My target audience is basically two kinds of people. One is those who might want to do this as a career: you might want to work as a security consultant like I did, and go and work with clients and companies and help them be better and assess them. And also, maybe you're going to face someone like me coming into your company and asking you a lot of questions, and you might want to understand what that is and what's involved. You might say, oh, it's the scary auditors, I'm terrified, and I'm kind of trying to alleviate that.

Because the assessment can be done against a wide range of frameworks, standards and regulations, I'm not going to cover any of these. I'm basically going to do, if you will, a generic assessment model that can be used with any of these. At the end of the presentation I will give you resources for where you can go and learn about these frameworks if you're not familiar with them. Honestly, on several of these I've actually spoken at conferences, including BSides Tampa; my first time talking at BSides Tampa was on the HIPAA regulation, and they filmed it, it's on YouTube.

So what is a security risk assessment? Basically, an assessment is an appraisal or an
evaluation, basically: how are you doing? Really good, or oh my God, why are you doing this, why aren't you doing this, and everything in between. It's basically an evaluation of an organization's security program; we might call it an ISMS, that's from 27001, an information security management system. We try to see, hey, how does what you're doing compare against whatever we're going to compare it against, whether it's a regulation, a standard or a framework, and what are the risks that you face because you're not doing what you're supposed to be doing. Again, we evaluate how well you meet those requirements. It's not just are you doing it or are you not doing it, it's how well you're doing it. Oh, you're doing backups? Yeah, that's great. No, no, no, no, it's how are you doing backups? Explain to me how you're doing backups. Oh, you're doing daily, weekly, incremental? Are you encrypting them? That's where it gets into the assessment part, where we take a look at how you're doing, and is that really well, or is it oh my God, are you freaking crazy?

Again, one of the benefits of having worked with a lot of different companies was that there was a wide range of these different companies. There was the bare handful that were doing everything well, where it was like, gee, can I find anything that I can say you need to improve? Versus the other side, where we already knew going in that they had no policies, and who knows what other god-awful things we'd find. And then the ones in between, where you're giving me policies, where's the rest? Oh, there isn't any rest. Okay.

Before going on, I want to make clear: security assessments, or risk assessments, are not audits. There is a difference. So again, when we talk about a security assessment, we're evaluating the ISMS, we're giving a rating of
some sort, and that rating could be, you know, good to bad, or a numerical rating; there are different ways that they can be done. There's another type of assessment called a gap assessment. That's much, much easier, it's quicker; it's basically coming in and finding out what you're doing and what you're not doing. You're doing backups? Okay, great. Antivirus? Great. Do you have asset management in place? Oh, you don't. Okay, that's a gap, moving on. So the gap assessment is quicker.

The thing with an audit is that it's an independent evaluation, internal or external, of what is in place. I am not independent as an assessor; I am an extension of the company. That's one big difference between an audit and what I do. That's why I'm making it very clear when I go talk to people in companies: I'm not an auditor, I'm here on behalf of your company to find out how you're doing, because they want me to come in and find out what's going on and what's not going on, because we're here to help you and improve you. So we're not necessarily independent, and we're also aimed at improvement, because oftentimes what happens, since I was a consultant assessor, is that at the end of the assessment I might say, okay, this is what you need to work on. Sometimes they're like, okay, great, thank you, we'll see you next year, and some are like, okay, what can you do to help us? So then I would start helping them put in place policies and procedures and so on and so forth, which an auditor cannot do. An auditor cannot audit what they implement. I'm not an auditor, I'm an assessor; I can assess what I implement, though ideally I should get one of my colleagues to come and assess what I put in place with the client. But that's where some of the differences are.

Again, what's going to be assessed against? All these things, and probably more. I think, except for maybe one, I've done every one of these, and
things like, oh yeah, we're also subject to this regulation, could you take a look at us and tell us how we're doing.

So why conduct an assessment? Usually management, typically the C-suite or upper management, wants to know how their program is doing. They want to make sure that they're in line with whatever it is, whether a regulation, standard or framework, how they're doing, and they want to know what they can do to get things improved. I actually had some clients, and these weren't necessarily the C-suite people, they were a step below, who were bringing us in to assess their program knowing full well that they had issues, but upper management was more likely to listen to us and give them money to fix the problems they knew about than they were to listen to them and give them money to fix the problems they knew about. Go figure. We would sit down, like, oh, what problems? Oh, this, this, this, this. You don't usually have people coming in and just blurting out all their dirty laundry, but that's what would sometimes happen.

So the purpose is to improve the overall program. We give a full report to the client, several different reports: details, high level and so forth. One thing we also do is give them what's called a corrective action plan, i.e. we've looked at what you have in place and what you're missing, we have a good idea of your capabilities, so we've laid out this plan that runs out six months, a year, a year and a half of prioritized activities you should do to fix what we think needs to be fixed. That really helps out a lot of our clients, if you were like, what do we do first out of a hundred things? And sometimes they want a report they can give to their clients, at least to say, yes, we've had a third party come in and take a look at us, and we're compliant, or what have you.
Some of them are also doing this to prepare, because they're going to have auditors, or whatever you want to call them, come in and audit them and give them a SOC 2 report, or certify them for 27001 or HITRUST, or what have you. So they want us to come in, take a look at their program, figure out what needs to be fixed and fix it. This happens, and that's something that I actually did: I helped two companies get their first SOC 2, two companies get 27001 certified, and other companies get HITRUST certification. So, lots of fun times.

Now, one thing, and hopefully most of you are familiar with this so I'm not going to spend too much time on it, but this is the big thing of what we're doing when we do assessments: we're doing assessments against what we call controls. In particular, controls are activities done by people and systems. I have to emphasize that because of some people who think that controls are only technical, and I don't understand that. No, no, controls are people doing things, and policies and procedures. This is something that we take a look at in terms of, do you have policies in place, do you have controls in place, let me see the evidence of that, which is what an auditor would do as well. This is important to managing risk, and we look at all these sorts of things.

This diagram is from ISACA. There are various versions of this, but this is the one I like the best, and it shows why we have controls: you have a threat agent, it creates a threat, it initiates a threat event, that event impacts a vulnerability, which causes an impact, a breach maybe. And you have all these different controls to address certain aspects. You have the detective control that just says, oh, that's happened, so you can take care of it; a preventive control will help things. Keep in mind, if you read the wording, you never see the word stop or prevent. The controls do not do
either; they reduce. You can reduce risk, you cannot eliminate risk. Understand that. So again, we have technical controls, firewalls, encryption, antivirus and so forth, but we also have non-technical controls, where we have policies and procedures, and you need both. If you don't have both, you will fail an audit or an assessment, because you have to have them on both sides.

Now, in doing this, of course, we have to gather evidence. That's something I think the last couple of talks have talked about, evidence, because whether I'm an assessor or an auditor, how do I know the heck you're doing what you claim you're doing if I don't have evidence? This is a methodology from Douglas Landoll, from his book; I'll tell you what that book is later on. It's called the RIIOT method: review documents, interview personnel, inspect the controls, observe behavior, test controls. I did a lot of the first two; the last three I've done, hopefully in a decent way. I honestly wish I had the book when I started out in this career as an assessor; I probably would have done a better job, in my opinion.

And there are different methods of assessment. These are a couple that I see a lot. This is basically where you assess risk against threat and impact. This is very common, a three-by-three, low, medium, high: if the threat likelihood is low and the impact is low, that's low, you don't have to worry about it too much. But you can also go further, where you can do a five-by-five like this, and I've seen seven-by-seven. Of course, the first one I can do pretty decently; that's what I typically did. But you try to think, okay, is this very low, or is it low, or is it moderate? And oftentimes when I'm doing assessments I'll work with someone else, and then we'll go back and forth: oh, I think it's low, and he thinks it's medium, and we've got to go back and forth to come up with
what I'm going to pick. So, not too much fun.

Here are two other methodologies. The first one here is from the Center for Internet Security, for their assessment of the security controls. They do five elements, and for each one of those they have five points: policy, whether you have no policy or a written one; is the control implemented or not; is it automated; is the control reported; and so on. The thing is that these are all then scored, and that's how they score you on your assessment of having the prescribed controls implemented. This one here is from HITRUST: for every one of their control points, they look at, do you have a policy that addresses what they want, do you have a procedure that addresses what they want, have you implemented it, and then they score from zero to one hundred. Based upon that scoring and the scoring of all the other controls, they determine whether or not you pass your certification. So, lots of fun.

When I start talking about the assessment, there are, you know, phases, stages. But before you should even talk about doing an assessment, if this is what you do as a career, you have what I kind of jokingly call the pre-pre-preparation: before we even talk about getting ready to work with a client, these are some things that you need to get taken care of beforehand. If you're working for a company, the consulting company, or the company, would hopefully have done this. The fun thing was, the company I was working with was pretty small, so a lot of this stuff I had a heavy hand in doing. It's things like, okay, are we going to have a GRC tool to collect the evidence from this client, or even just a repository for them to upload files? Or are we going to use spreadsheets to do our assessments, that have all the controls that we're doing, all our scoring and whatnot? Do we have
what's called a document request list or evidence request list that we give to clients to say, this is what we want from you? I'll talk more about that, because that's a very important step. And then of course we want to create report templates to make things a lot easier. If I'm going to give different clients reports, I don't want to have to create a brand-new report from scratch for each client; I want to have a template that I can take and modify and update and give to this client and that client, that is 90 percent the same structure and whatnot, it's just the data inside that's different. Otherwise I'm spending a lot of time. Also, the assessment model that I might use, which might be determined by the client; I might have different versions, so I had multiple spreadsheets. I had a spreadsheet for, oh, I'm doing a HIPAA assessment, I have a spreadsheet for that; oh, I'm doing an assessment against the Cybersecurity Framework, a spreadsheet for that; oh, 27001, a spreadsheet for that.

Again, this is also taken from ISACA. I thought this was a good one. This is like the audit process steps, but this is the assessment process too, the same way. You have your planning phase, planning, getting ready to do the work; what we call the fieldwork or documentation phase, which is the fun part, I think; the planning is the boring part that oftentimes I didn't always have involvement with, it was usually someone at an upper level in the organization working with the client, not me; I was more the one that did the work. And then the reporting phase, which is where you take everything else, go to the client and say, this is how you did, and so forth, which sometimes I was involved with, and sometimes I wasn't.

So, the preparation. The first step, one thing we do, is we define what's called the scope and the rules of engagement, which are put down in what's called an SOW,
statement of work. Okay, scope. Hopefully you guys know what that is, but just in case: the scope is what is the scope of the assessment, what are you assessing? Are you assessing the entire company? That might not be a good idea. Or are you only assessing a sub-part of the company? That can be important. You might have a huge company, but they're like, okay, we have this division over here that's working with sensitive data, so that's the scope; we're going to look at just that little part. So it's important to define what that scope is. It's also important for the client, because the more I, as an assessor, have to run around to do stuff, the more it's going to cost you. Define what is being assessed, why we are assessing it, how we are going to do it. Am I allowed to do uninvited visits? Can I drop by your locations unannounced and social engineer my way in? Am I allowed to do that or not? We don't want what happened with those assessors that went to that courthouse and got picked up by the county sheriffs, which did happen.

Then, once that's decided, we do a request to the client. We developed what's called a document request list, and this was not just a sheet of paper saying give us your policies. It developed into a multi-tab spreadsheet. The first tab was all the documentation evidence I needed for compliance; it wasn't just give me your policies, it was give me your policy on asset management, do you have a policy on antivirus, give me your disaster recovery plan, give me your incident response plan, your network diagram, give me a sample of your asset list, a screenshot, give me a screenshot of your password settings, things like that. So it had a whole list that I developed over time, so I can say this is what I need from you, and be very specific. Then we had another tab, which was, who are the key people in your company? Who's your network
engineer who's your system admini