Overview of Assessment Methodology
1. BENEFITS OF ASSESSMENT
The vulnerability assessments and surveys provided by Cypro are an integral part of any organisation’s strategy.
Organisations should routinely perform vulnerability assessments to better understand their threats and vulnerabilities, determine acceptable levels of risk, and stimulate action to mitigate identified vulnerabilities.
The direct benefits of performing a vulnerability assessment include:
- Build and broaden awareness. The process of doing an assessment directs senior management's attention to security. It forces security issues, risks, vulnerabilities, mitigation options, and best practices to the surface. Awareness is one of the least expensive and most effective methods for improving the overall security posture of an organisation.
- Establish or evaluate against a baseline. If a baseline has been previously established, an assessment is an opportunity for a "checkup" to gauge the improvement or deterioration of an organisation's security posture. If no baseline has previously been established, an assessment is an opportunity to integrate and unify previous efforts, define common metrics, and establish a definitive baseline. The baseline can also be compared against best practices to provide perspective on an organisation's security posture.
- Identify vulnerabilities and develop responses. Generating lists of vulnerabilities and potential responses is usually a core activity and outcome of an assessment. Sometimes, due to budget, time, complexity, and risk considerations, the response selected for many of the vulnerabilities may be non-action, but after completing the assessment process, these decisions will be conscious ones, with a documented decision process and item-by-item rationale available for revisiting issues at scheduled intervals. This information can help drive or motivate the development of a risk management process.
- Categorise key assets and drive the risk management process. An assessment can be a vehicle for reaching corporate-wide consensus on a hierarchy of key assets. This ranking, combined with threat, vulnerability and risk analysis is at the heart of any risk management process. An assessment allows an organisation to revisit that list from a broader and more comprehensive perspective.
- Promote action. Although disparate security efforts may be underway in an organisation, an assessment can crystallise and focus management attention and resources on solving specific and systemic security problems. Often the people in the trenches are well aware of security issues (and even potential solutions) but are unable to convert their awareness to action. An assessment provides an outlet for their concerns and the potential to surface these issues at appropriate levels (legal, financial, executive) and achieve action. A well-designed and executed assessment not only identifies vulnerabilities and makes recommendations, it also gains executive buy-in, identifies key players, and establishes a set of cross-cutting groups that can convert those recommendations into action.
- Kick off an ongoing security effort. An assessment can be utilised as a catalyst to involve people throughout the organisation in security issues, build cross-cutting teams, establish permanent forums and councils, and harness the momentum generated by the assessment to build an ongoing institutional security effort. The assessment can lead to the creation of either an actual or a virtual (matrixed) security organisation.
ASSESSMENT PHASES
The methodology is divided into three basic phases: pre-assessment, assessment, and post-assessment.
2. PRE-ASSESSMENT
The pre-assessment phase involves defining the scope of the assessment, establishing appropriate information protection procedures, and identifying and ranking critical assets. Each of these activities is critical in ensuring the success of the assessment.
A wide range of activities are involved in defining the scope of the assessment. These include identifying the assessment objectives and measures of success, specifying the elements of the methodology that will be included in the assessment, engaging knowledgeable personnel and ensuring access to resources and information, deciding on the type of assessment (internal, facilitated, external, hybrid) to be conducted, and developing an assessment schedule.
Assessment objectives and measures of success define the assessment and must be tailored to the organisation. Possible objectives include the following:
• Identify all critical vulnerabilities—physical and cyber—and develop appropriate response options.
• Identify and rank all key assets from a security perspective.
• Enhance awareness and make security an integral part of the business strategy.
The process of setting the assessment objectives will help to define the specific elements of the methodology that will be included in the assessment. As shown later, ten assessment activities are included in the methodology. The appropriateness of each must be examined in the context of the assessment objectives.
When Cypro conducts an assessment, a non-disclosure agreement (NDA) is developed that defines the policies for the storage, transmission, handling, and disposition of all sensitive data gathered and generated during the assessment.
The final pre-assessment task is to identify and rank assets. This is an enterprise-wide ranking of the vital systems, facilities, processes, and information necessary to maintain continuity of service. The objective is to focus the assessment and support the risk analysis process (a process that culminates in ranked options for action).
3. ASSESSMENT
The assessment methodology consists of ten elements: analyse the network architecture; assess the threat environment; conduct penetration testing; assess physical security; conduct a physical asset analysis; assess operations security; examine policies and procedures; conduct an impact analysis; assess infrastructure interdependencies; and conduct a risk characterisation. Each of these elements is described below.
3.1 NETWORK ARCHITECTURE
This element provides an analysis of the information assurance features of the information network(s) associated with the organisation’s critical information systems. Information to examine includes network topology and connectivity (including subnets), principal information assets, interface and communication protocols, function and linkage of major software and hardware components (particularly those associated with information security such as intrusion detectors), and policies and procedures that govern security features of the network.
Procedures for information assurance in the system, including authentication of access, and management of access authorisation should be reviewed. The assessment should identify any obvious concerns related to architectural vulnerabilities, and operating procedures. The assessment should also review existing security plans and analyse results of any prior testing. Results from this element include potential recommendations for changes in the information architecture, functional areas and categories where testing is needed, and suggestions regarding system design that would enable more effective information and information system protection.
3.2 THREAT ENVIRONMENT
Developing a clear understanding of threats is a fundamental element of risk management. This understanding, combined with an appreciation of the value of the information assets and systems, and impact of unauthorised access and subsequent malicious activity, provides a basis for better defining the investment that might be prudent to prevent such access.
3.3 PENETRATION TESTING
The purpose of network penetration testing is to utilise active scanning and penetration tools to identify network vulnerabilities that might be easily exploited by a determined adversary. Penetration testing can be customised to the specific needs and concerns of the organisation. In general, the penetration testing includes a test plan and details on the rules of engagement for the testing. Penetration testing also includes a general characterisation of the access points to the critical information systems and communication interface connections, modem network connections, access points to principal network routers, and other external connections. Lastly, the penetration testing includes identified vulnerabilities and, in particular, whether access could be gained to the control network or to specific subsystems or devices that have a critical role in assuring continuity of service.
3.4 PHYSICAL SECURITY
The purpose of the physical security assessment is to examine and evaluate the physical security systems in place or planned, and to identify potential physical security improvements for the sites evaluated. The physical security systems include access controls, barriers, locks and keys, badges and passes, intrusion detection devices and associated alarm reporting and display, closed circuit television (CCTV) (assessment and surveillance), communications equipment (telephone, two-way radio, intercom, cellular), lighting (interior and exterior), power sources (line, battery, generator), inventory control, postings (signs), security system wiring, and protective force. The physical security systems are reviewed for design, installation, operation, maintenance, and testing.
The focus of the physical security assessment should be those sites that are directly related to the facilities, including information systems and assets required for operation.
3.5 PHYSICAL ASSET ANALYSIS
The purpose of the physical asset analysis is to examine the systems and physical operational assets to ascertain whether vulnerabilities exist. This includes examining asset utilisation, system redundancies, and emergency operating procedures. Consideration should be given to the topology and operating practices for electric and gas transmission, processing, storage and delivery, looking specifically for those elements which either singly or in concert with other factors provide a high potential for disruption of service.
3.6 OPERATIONS SECURITY AND AWARENESS
Operations Security (OPSEC) is the systematic process of identifying potential threats and information about the capabilities and intentions of cyber criminals. This should include a review of security training and awareness programs, discussions with key staff, and tours of appropriate facilities. It should also include a review of information about the organisation that may be available through public access.
3.7 POLICIES AND PROCEDURES
The policies and procedures by which security is administered provide the basis for identifying and resolving issues, establish the standards of reference for policy implementation, and define and communicate roles, responsibilities, authorities and accountabilities for all individuals and organisations. They provide the backbone for decisions and day-to-day security operations. The security policies and procedures become particularly important where multiple parties must interact to effect a desired level of security and where substantial legal ramifications may result from policy violations. The policies and procedures should be reviewed to determine whether they
(1) address the key factors affecting security,
(2) will enable effective compliance, implementation and enforcement,
(3) reference or conform to established standards, and
(4) provide clear and comprehensive guidance.
3.8 IMPACT ANALYSIS
A detailed analysis can be conducted to determine the influence that exploitation of unauthorised access to facilities or information systems might have on an organisation’s operations (e.g., market and/or physical operations).
In general, this will require thorough understanding of (1) the applications and their information processing, (2) decisions influenced by this information, (3) independent checks and balances that might exist regarding information upon which decisions are made, (4) factors that might mitigate impact of unauthorised access, and (5) secondary impacts of such access.
3.9 INFRASTRUCTURE INTERDEPENDENCIES
The term "infrastructure interdependencies" refers to the electronic (cyber) linkages within and among the customer's infrastructure. This encompasses interdependencies with customers, suppliers, partners, remote organisations and any other government or non-government entities. This requires analysing the interdependencies and validating that they are secure, and that a breach within any of these other organisations would not impact the customer's infrastructure.
3.10 RISK CHARACTERISATION
This task provides a framework for prioritising recommendations across all task areas. The recommendations for each task area are judged against a set of criteria to help prioritise the recommendations and assist the organisation in determining the appropriate course of action.
This provides a framework to assess vulnerabilities, threats, and potential impacts (determined in the other tasks). In addition, the existing risk analysis and management process at the organisation should be reviewed and, if appropriate, utilised for prioritising recommendations. The degree to which corporate risk management includes security factors is also evaluated.
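One way to implement the prioritisation this section describes, as an added Python example that is not Cypro's own tool: each recommendation carries the threat, vulnerability and impact ratings determined in the other tasks plus the asset rank from the pre-assessment, and the scoring criteria, the band thresholds and the sample findings are all assumed here.

```python
from dataclasses import dataclass

# The ten task areas of sections 3.1 to 3.10.
TASK_AREAS = frozenset({
    "network architecture", "threat environment", "penetration testing",
    "physical security", "physical asset analysis", "operations security",
    "policies and procedures", "impact analysis",
    "infrastructure interdependencies", "risk characterisation",
})

@dataclass(frozen=True)
class Recommendation:
    task_area: str
    title: str
    asset_rank: int     # 1 = most critical asset in the pre-assessment ranking (assumed 1..5 scale)
    threat: int         # likelihood that a threat actor attempts exploitation, 1 (low) to 5 (high)
    vulnerability: int  # ease of exploitation given current controls, 1 to 5
    impact: int         # consequence for continuity of service, 1 to 5
    cost: int           # relative cost of implementing the recommendation, 1 to 5

def validate(rec):
    """Reject findings from unknown task areas or with out-of-range ratings."""
    if rec.task_area not in TASK_AREAS:
        raise ValueError(f"unknown task area: {rec.task_area!r}")
    for name in ("asset_rank", "threat", "vulnerability", "impact", "cost"):
        if not 1 <= getattr(rec, name) <= 5:
            raise ValueError(f"{name} must be between 1 and 5")

def risk_score(rec):
    """Assumed criteria: threat x vulnerability x impact, weighted by asset criticality
    (rank 1 weighs 5, rank 5 weighs 1), so scores are integers from 1 to 625."""
    validate(rec)
    return rec.threat * rec.vulnerability * rec.impact * (6 - rec.asset_rank)

def priority_band(score):
    """Assumed thresholds that map a score to an action band."""
    if score >= 200:
        return "high"
    return "medium" if score >= 60 else "low"

def prioritise(recs):
    """Highest risk first; ties go to the cheaper recommendation, then task area name."""
    return sorted(recs, key=lambda r: (-risk_score(r), r.cost, r.task_area))

# Constructed sample findings, not from any real assessment.
SAMPLE = [
    Recommendation("physical security", "Repair alarm reporting at the backup site", 3, 2, 3, 3, 4),
    Recommendation("penetration testing", "Remove dial-in modem path to the control network", 1, 4, 5, 5, 2),
    Recommendation("network architecture", "Segment the management subnet from user LANs", 2, 3, 4, 3, 3),
    Recommendation("policies and procedures", "Assign incident-reporting roles in policy", 2, 3, 3, 4, 1),
]
```

Running prioritise(SAMPLE) puts the control-network finding first (score 500, high band) and orders the two findings that tie at 144 by their cost, which is the kind of documented, item-by-item rationale the post-assessment action plan needs.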
4. POST-ASSESSMENT
The post-assessment phase involves prioritising assessment recommendations, developing an action plan, capturing lessons learned and best practices, and conducting or recommending any training. The first two tasks are aimed at focusing attention on high-priority security concerns and ensuring that these concerns are addressed in a systematic and timely manner. As part of the assessment, lessons learned and best practices are captured and disseminated to enhance education and awareness within the organisation.
5. SUMMARY
The vulnerability assessment methodology described here was developed by Cypro to help organisations identify and understand the threats to, and vulnerabilities of, their infrastructure, people and communications channels.
The methodology is multi-faceted, addressing physical, cyber, and interdependencies-related vulnerability concerns. Through this methodology, Cypro helps organisations improve their understanding of the risks they face, and what steps might be taken to mitigate those risks.