INFORMATION

TECHNOLOGY
SECURITY
SERVICES

RECON
Risk Evaluation of Computers and Open Networks

Developed by

Kirk Soluk
University of Michigan
Information Technology Security Services

INFORMATION
TECHNOLOGY
SECURITY
SERVICES

Risk Assessment Drivers

No such thing as perfect security

Need to balance effectively risk against other factors
Need a foundation for well-informed decisions that
justify IT expenditures
Regulations
The entity must decide whether a given addressable implementation
specification is a reasonable and appropriate security measure to apply
within its particular security framework.
This decision will depend on a variety of factors, such as, among
others, the entitys risk analysis, risk mitigation strategy, what
security measures are already in place, and the cost of
implementation.
- HIPAA Security Rule
2

INFORMATION
TECHNOLOGY
SECURITY
SERVICES

Why RECON?

Facilitate consistent decisions across the University

Especially when combined with data classification

Facilitate rollup of results

So the Universitys overall security posture can be measured

Michiganize
Outsourcing misses the point
Security issue #1: The Business-Trust Divide
To be more effective, security professionals must learn how
to speak the language of the businesses they serve
- Meta Group Practice 2104: The Top 10 Security Issues

Leverage
University expertise
Training
Address risk assessment requirements of all regulations at
once
3

INFORMATION
TECHNOLOGY
SECURITY
SERVICES

All regulations legislate similar

best practices

SOX

FERPA

HIPAA

GLBA

SOX RA
Process

FERPA RA
Process

HIPAA RA
Process

GLBA RA
Process

You

SOX

FERPA

HIPAA

GLBA

One Common Risk Assessment Methodology (RECON)

You
4

INFORMATION
TECHNOLOGY
SECURITY
SERVICES

What is RECON?

Derived from ISO 17799 (2005)

NIST 800-53 not available at the time

A Questionnaire (Excel Spreadsheet)

Built-in Risk analysis Logic & Visualization

A Set of Security Tests

A Template for Reporting Results
A Risk Assessment Facilitator (IT Security Professional)
leverages these RECON components to identify risks and
potential mitigation strategies and to present/discuss this
information with unit leadership. Unit leadership is
responsible for approving the final risk treatment decisions
5

INFORMATION
TECHNOLOGY
SECURITY
SERVICES

RECON Process Flow

INFORMATION
TECHNOLOGY
SECURITY
SERVICES

Scope is critical

Provides the context within which the

RECON questions are answered
Dont combine systems with different security
requirements in the same assessment

If the answer for one system in scope is No,

the answer is No for the entire scope.

Focus is on
Systems that process sensitive information
Mission critical systems
7

INFORMATION
TECHNOLOGY
SECURITY
SERVICES

The RECON Questionnaire

219 questions about 54 control objectives in 11

different areas:

1. Organizational Security
2. Asset Management
3. Human Resources Security
4. Physical and Environmental Security
5. Operations
6. Network Security
7. Access Control
8. Host Security
9. Data Security
10. Incident Management
11. Business Continuity
8

INFORMATION
TECHNOLOGY
SECURITY
SERVICES

Network Security Area Example:

25 questions about 7 control objectives

6. Network Security
6.1 Perimeter Security

6.1.1 A firewall (or equivalent mechanism) exists between your unit's (or
department's) network, other University networks, and public networks
such as the Internet
6.1.2 The firewall (or equivalent mechanism) uses a "default deny" posture
where all access that is not explictly allowed is automatically denied
6.1.3 Firewall changes are subject to a formal approval process

6.2 User authentication for external connections

6.2.1 Access to the internal network by remote users is subject to user

authentication
6.2.2 Users are authorized (out of band) before they are allowed to access
the internal network from remote locations

6.3 Authorization process for information processing facilities

6.3.1 New systems must be authorized by management before they can

be connected to the network
6.3.2 Rogue System Detection

...
6.7 Intrusion detection
9

INFORMATION
TECHNOLOGY
SECURITY
SERVICES

Industry Standard
Best Practices
derived from ISO
17799:2005

RECON Questionnaire
Responses

Response 1:
Documented
Policies, Procedures,
Guidelines

Response 2:
Implementation/
Operations

For each question, two responses are needed:

Are there policies and/or procedures requiring the control?
Is the control operationally implemented?
Answers: "Yes", No", "n/a", "n/r"

10

INFORMATION
TECHNOLOGY
SECURITY
SERVICES

RECON Security Tests

Used to answer specific RECON questions accurately. For

example,

Do you have a password policy that prevents dictionary words?

Have you minimized the attack surface of of your hosts
Is your firewall configured as expected?
Are your systems up to date with respect to patches?
Etc.

Current RECON Test Suite

Attack Surface Enumeration

Password Audit
Account Security
Firewall Security
War walking
RAS Authentication
Encryption Verification
Vulnerability Scanning

11

INFORMATION
TECHNOLOGY
SECURITY
SERVICES

Risk Analysis

Answers to the questions determine the degree to which

best practice security controls are adopted
Risk is proportional to the lack of control adoption
Both documentation and implementation are considered
in the risk calculation
Implementation weighs more
Documented?

Implemented?

7.7 Removal of access rights

Summary Risk

80%

7.7.1 Access rights are removed upon

termination of employment, contract, or
agreement

No

Yes

60%

7.7.2 Personnel files are periodically matched

with user accounts to ensure that
terminated or transferred individuals do
not retain access to systems

No

No

100%

7.8 Unattended user equipment

12

INFORMATION
TECHNOLOGY
SECURITY
SERVICES

Risk Identification and

Prioritization

Focus on Severe and High Risk

controls identified in the RECON
Questionnaire
In the RECON Report Template,
severe and high-risk controls are
referred to as Non-existent and in
Need of major improvement
respectively

13

INFORMATION
TECHNOLOGY
SECURITY
SERVICES

RECON Report

Description of scope
Systems & Applications

Description of methodology
Detailed list of severe and high risks along with
mitigation strategies
Appendix lists every accepted risk
Executive summary

14

INFORMATION
TECHNOLOGY
SECURITY
SERVICES

Further Action

It is the responsibility of the Risk Assessment Facilitator to educate

unit leadership about the risks and to make recommendations
It is the responsibility of Unit Leadership to make the final business
(i.e. risk) decisions:
Mitigate at some (approved) cost OR
Continue to accept the current risk

15

INFORMATION
TECHNOLOGY
SECURITY
SERVICES

RECON Process Summary

16

INFORMATION
TECHNOLOGY
SECURITY
SERVICES

RECON Case Study Effort

Scope Complete (14 hours)

3 x 1hour kick-off meetings to understand the major apps
3 x 1hour investigative meetings to refine scope and network diagram
1 x 8 hour drawing diagrams and filling in scope details

Questionnaire Complete (20 hours)

1 x 1hour meeting with HR
7 x 2hour technical meetings (Lots of working lunches)
5 x 1hour follow-up meetings

Test Complete (60 hours)

3 x 1hour meetings for securing authorization

3 x 8hours for network scanning (50 hosts x 5 networks)
3 x 8hours for other tests
3 x 1hour meetings for verifying results
3 x 2hour meetings for analyzing results

Total (94 Hours)

~2.5 full-time weeks spread over a 2 month period
Doesnt count time to write final report!

17

INFORMATION
TECHNOLOGY
SECURITY
SERVICES

RECON Experience

104 + 17 RECON assessments in ITS 101

Campus Computer Security training course
(2005 - present)
GLBA was a driver for several wide-ranging
assessments
1. Student Financial Operations - Higher Education
Production Systems in MAIS.
2. Student Accounts - i.e. Financial Aid Systems
3. UM Dearborn Financial Systems
4. UM Flint Financial Systems
UM Flint risk assessment provided the foundation
for Flint's annual IT appropriations request.
18

INFORMATION
TECHNOLOGY
SECURITY
SERVICES

RECON Experience

5. The UM Windows Forest

The UM Windows Forest assessment
resulted in the formation of a technical
committee from four major units
(Engineering, Business, LSA, Housing) that
unanimously endorsed and will soon be
presenting to the Forest IT Directors a
request for 15 major security enhancements.

19