Prioritizing an audit program using the 20 critical controls
- 1. Prioritizing an Audit Program
Using the Consensus Audit
Guidelines (CAG)
James Tarala
© 2010 James Tarala - Prioritizing an Audit Program 1
- 2. Issue Statement #1
Traditionally the focus of audit groups has not been to
audit for information security
Historical progression of audit focuses:
– Accounting
– Fraud
– Compliance
– Security / Assurance*
- 4. Other Issues to Consider
Today there are no “Generally Accepted” practices for IS
Audit
It is difficult to find agreement on what’s important to
audit as well as how to perform an audit
Risk measurements are mostly subjective in
organizations
Metrics are not generally used when evaluating IS
security
We are too reliant on “paperwork reviews” to evaluate
information security programs
- 5. One Reason This is Important
Some of the data breaches that were reported in 2009 (most breaches are
never reported)
Just a small sample (organization/records breached):
– Heartland Payment Systems (130+ million – 1/2009)
– Oklahoma Dept of Human Services (1 million – 4/2009)
– Oklahoma Housing Finance Agency (225,000 – 4/2009)
– University of California (160,000 – 5/2009)
– Network Solutions (573,000 – 7/2009)
– U.S. Military Veterans Administration (76 million – 10/2009)
– BlueCross BlueShield Assn. (187,000 – 10/2009)
- 6. Another Reason This is Important
The threats are becoming more serious and more
difficult to stop
- 7. How Do the 20 Critical Controls Fit?
For auditors:
– They prioritize critical controls
– They instruct how to truly audit for information
assurance
– They help set audit strategy
– They can automate testing
– They can facilitate meaningful reporting
For auditors, they answer the question, what’s really
important
- 8. A Few of the Document Contributors
Blue team members inside the Department of Defense
Blue team members who provide services for non-DoD government
agencies
Red & blue teams at the US National Security Agency
US-CERT and other non-military incident response teams
DoD Cyber Crime Center (DC3)
Military investigators who fight cyber crime
The FBI and other police organizations
US Department of Energy laboratories
US Department of State
Army Research Laboratory
US Department of Homeland Security
Plus over 100 other contributors
- 9. The 20 Critical Controls
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5. Boundary Defense
6. Maintenance, Monitoring, and Analysis of Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based on Need to Know
10. Continuous Vulnerability Assessment and Remediation
11. Account Monitoring and Control
12. Malware Defenses
13. Limitation and Control of Network Ports, Protocols, and Services
14. Wireless Device Control
15. Data Loss Prevention
16. Secure Network Engineering
17. Penetration Tests and Red Team Exercises
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Appropriate Training to Fill Gaps
- 10. CAG Core Evaluation Steps
Defined in the latest version of the 20 Critical Controls
(after version 2.1)
One or two tests which can be performed to determine if
the business goal of the control has been met
Mental Goal:
– It’s all about meeting a business goal
– Don’t over-think the controls as a technician
Each test is technical in nature (no paperwork reviews)
- 11. Sample Test for Control #1
Place ten unauthorized devices on various portions of
the organization’s network unannounced to see how long
it takes for them to be detected
– They should be placed on multiple subnets
– Two should be in the asset inventory database
– Devices should be detected within 24 hours
– Devices should be isolated within 1 hour of detection
– Details regarding location, department should be
recorded
- 12. Sample Metrics for Control #1
ID, Testing / Reporting Metric, Response:
– 1a: How long does it take to detect new devices added to the organization’s network? (Time in Minutes)
– 1b: How long does it take the scanners to alert the organization’s administrators that an unauthorized device is on the network? (Time in Minutes)
– 1c: How long does it take to isolate / remove unauthorized devices from the organization’s network? (Time in Minutes)
– 1d: Are the scanners able to identify the location, department, and other critical details about the unauthorized system that is detected? (Yes/No)
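The rogue-device test for Control #1 and its metrics table can be scored mechanically once the auditor has recorded, for each planted device, when it was placed, first detected, alerted on and isolated. The Python below is an added example and is not code from these slides or from the Consensus Audit Guidelines; the record layout, the sample results and the treatment of the two inventoried devices (assumed here to be a false-positive check: they should be detected as new devices but not alerted on or isolated as unauthorized) are assumptions, and the timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Thresholds from the sample test: detected within 24 hours of being placed,
# isolated within 1 hour of detection. Expressed in minutes to match the
# "Time in Minutes" response column of the metrics table.
DETECT_WITHIN_MIN = 24 * 60
ISOLATE_WITHIN_MIN = 60


@dataclass
class PlantedDevice:
    """One of the ten devices the auditor plugs in unannounced (assumed layout)."""
    name: str
    subnet: str
    in_inventory: bool             # listed in the asset inventory database
    placed: datetime               # when the auditor connected it
    detected: Optional[datetime]   # first time a scanner saw it (None = never)
    alerted: Optional[datetime]    # when admins were alerted it is unauthorized
    isolated: Optional[datetime]   # when it was isolated/removed (None = never)
    details_recorded: bool         # location, department, etc. were captured


def minutes_between(start, end):
    """Whole minutes from start to end, or None if the later event never happened."""
    if start is None or end is None:
        return None
    return int((end - start).total_seconds() // 60)


def score_device(d):
    """Metrics 1a-1d for one device plus a pass/fail verdict against the thresholds."""
    detect = minutes_between(d.placed, d.detected)
    alert = minutes_between(d.placed, d.alerted)
    isolate = minutes_between(d.detected, d.isolated)
    detected_ok = detect is not None and detect <= DETECT_WITHIN_MIN
    if d.in_inventory:
        # Assumption: the two inventoried devices act as a false-positive check.
        # They must still be detected as new, but must not be alerted on or
        # isolated as unauthorized.
        alert_ok = d.alerted is None
        isolate_ok = d.isolated is None
    else:
        alert_ok = alert is not None
        isolate_ok = isolate is not None and isolate <= ISOLATE_WITHIN_MIN
    return {
        "device": d.name,
        "1a_detect_minutes": detect,
        "1b_alert_minutes": alert,
        "1c_isolate_minutes": isolate,
        "1d_details_recorded": d.details_recorded,
        "passed": bool(detected_ok and alert_ok and isolate_ok and d.details_recorded),
    }


def evaluate_test(devices):
    """Confirm the test was set up as prescribed (ten devices, several subnets,
    two in inventory), then roll the per-device scores up to one verdict."""
    design_ok = (
        len(devices) == 10
        and len({d.subnet for d in devices}) > 1
        and sum(d.in_inventory for d in devices) == 2
    )
    results = [score_device(d) for d in devices]
    detect_times = [r["1a_detect_minutes"] for r in results
                    if r["1a_detect_minutes"] is not None]
    return {
        "design_ok": design_ok,
        "devices_passed": sum(r["passed"] for r in results),
        "devices_total": len(results),
        "never_detected": [r["device"] for r in results
                           if r["1a_detect_minutes"] is None],
        "worst_detect_minutes": max(detect_times) if detect_times else None,
        "control_met": design_ok and all(r["passed"] for r in results),
        "per_device": results,
    }


# Constructed sample results (not real audit data); times are minutes after T0.
T0 = datetime(2010, 3, 1, 9, 0)


def at(minutes):
    return T0 + timedelta(minutes=minutes)


SAMPLE = [
    PlantedDevice("dev01", "10.1.0.0/24", False, at(0), at(12), at(15), at(40), True),
    PlantedDevice("dev02", "10.1.0.0/24", False, at(0), at(30), at(31), at(50), True),
    PlantedDevice("dev03", "10.2.0.0/24", False, at(0), at(45), at(45), at(200), True),      # isolated 155 min after detection
    PlantedDevice("dev04", "10.2.0.0/24", False, at(0), None, None, None, False),            # never detected
    PlantedDevice("dev05", "10.3.0.0/24", False, at(0), at(1500), at(1510), at(1530), True),  # detected after 25 h
    PlantedDevice("dev06", "10.3.0.0/24", False, at(0), at(20), at(22), at(60), False),      # no location/department recorded
    PlantedDevice("dev07", "10.4.0.0/24", False, at(0), at(5), at(6), at(20), True),
    PlantedDevice("dev08", "10.4.0.0/24", False, at(0), at(8), at(9), at(30), True),
    PlantedDevice("dev09", "10.1.0.0/24", True, at(0), at(10), None, None, True),            # in inventory: detected, left alone
    PlantedDevice("dev10", "10.2.0.0/24", True, at(0), at(14), at(16), at(35), True),        # in inventory but isolated: false positive
]

if __name__ == "__main__":
    summary = evaluate_test(SAMPLE)
    for r in summary["per_device"]:
        print(r)
    print({k: v for k, v in summary.items() if k != "per_device"})
```

Feed it the real timestamps from the scanner and the ticketing system: `never_detected` and `worst_detect_minutes` are the numbers the 1a row needs, `1c_isolate_minutes` per device is the 1c row, and `control_met` is the single business-goal verdict the core evaluation step asks for. Note that a device that is never detected scores None rather than a large number, so it cannot be averaged away.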
- 13. Case Study: Large Retirement Fund
We have already started using the controls as
the foundation of an assurance audit program
Large financial services company
- 14. Where to Learn More:
Center for Strategic & International Studies
(http://csis.org/program/commission-cybersecurity-44th-presidency)
The SANS Institute
(http://www.sans.org/critical-security-controls/)
James Tarala
– E-mail: james.tarala@enclavesecurity.com
– Twitter: @isaudit & @jamestarala
– Blog: http://enclavesecurity.com/blogs/