Chances are, some aspects of your IT security setup make you uncomfortable. Maybe it's the server that's so brittle no one dares install security updates on it. Maybe it's the use of shared passwords, known to all past and present IT team members. Maybe it's the overly permissive firewall; outdated antivirus protection; open WiFi. Maybe it's the inability to enforce security policies, or the lack of such policies.
It's difficult to know where to begin improving IT security, because the number of potentially weak areas can be overwhelming. A security assessment helps prioritize the issues, allowing an organization to tackle them in the order of importance. The assessment not only allows IT staff to focus a limited budget on addressing the most critical risks first, but also arms them with facts that could free up additional funding.
To help you get the most out of a security assessment, let's consider which aspects of the environment a security assessment can examine. We'll also discuss how the assessment can be conducted.
What to Examine?
The first step in scoping a security assessment, whether you will conduct it yourself or hire a consultant, is to determine what you'd like to examine. The best way to start is to list your concerns, then group them. The issues often fall into the following categories:
- External network components, which may include systems and devices accessible from the internet or partner networks
- Internal network components, which may include workstations, servers, printers, and other devices used by individuals at your organization
- Guest or remote networks, which may include untrusted wireless and wired networks used by visitors or remote VPN users
- Applications and databases, which store sensitive data and allow employees, partners, and customers to conduct important transactions
- Security policies and procedures, which guide personnel in IT and other departments in maintaining or making use of IT infrastructure
The goal of a security assessment often is to examine these areas in some detail, in order to identify vulnerabilities, understand their relevance, and prioritize them by risk. This information will allow the organization or the assessor to develop a remediation plan.
Knowing what to include in the security assessment helps estimate the effort and cost. If you don't have the luxury of examining all pertinent aspects of your environment in a single project, consider starting with the most significant concerns, and cover the other ones in subsequent assessments.
Technology vs. Processes
An organization working to mature its IT security practices with the help of an assessment can begin by examining IT infrastructure, looking for vulnerabilities in systems, networks, and applications designated for the project's scope. Identifying technological weaknesses that may lead to a breach often highlights the underlying problems in IT management practices.
Alternatively, you can start by examining the current state of your security processes: the way people share data, manage systems, develop applications, install security updates, and so on. This task often involves interviewing individuals throughout the organization. It also involves reviewing existing security policies and procedures to identify gaps and inconsistencies between written documents and actual practices.
Which of the two is the better starting point for you depends on how your organization thinks about its IT infrastructure: Some focus more on technology; others on processes. If your budget permits, consider examining both aspects of the environment as part of the security assessment.
To Exploit or Not?
A security assessment whose scope includes technological infrastructure components looks for problems such as:
- Missing security updates
- System configuration errors
- Weak passwords
- Network architecture deficiencies
A vulnerability assessment typically involves performing a comprehensive analysis of infrastructure components and network blueprints to locate the issues above. However, it stops short of exploiting the vulnerabilities to compromise the affected systems. Instead, the tester analyzes the vulnerabilities for trends and patterns to prioritize the many issues often uncovered during the project. The organization may provide the tester with credentials to log on to the assessed systems and applications. This facilitates a thorough, in-depth examination.
A penetration test, also known as ethical hacking, attempts to confirm that the discovered weaknesses can lead to a breach. The tester mimics an attacker's actions to exploit the vulnerabilities. Such an approach further differs from a vulnerability assessment in that the tester often has minimal prior knowledge of the environment, treating the target as a "black box." Findings of a penetration test are difficult to disregard if the test leads to a breach. However, if the tester is unable to penetrate the defenses, the organization may have less information than it would get from a vulnerability assessment: an attacker with different approaches, tools, and motives may still be able to break in.
Which of the two approaches is right for you? Simply put, pick the one that feels better in light of your organization's culture and assessment expectations. Many organizations are uncomfortable allowing a tester to exploit vulnerabilities even under controlled conditions. Others find it difficult to accept the weaknesses discovered during a vulnerability assessment without confirming that they can be exploited. You may also consider a hybrid approach, performing a penetration test of your external systems, while opting for a comprehensive vulnerability assessment of your internal network.
The Business of Prioritizing
When prioritizing the issues uncovered during an assessment, account for their business impact. For instance, of the two servers missing common security updates, fix the one that processes more sensitive data or holds a more critical operational role. Evaluating such factors involves speaking to individuals outside the IT department to better understand the systems' roles. A side (but no less important) benefit of this kind of effort: It will help you describe the risks in terms relevant to your organization's executive management.
Tools of the Trade
The long list of security assessment tools includes free and commercial products that vary widely in their usefulness and complexity. A sampling of the tools:
- Network and port scanners such as Nmap
- Vulnerability scanners such as Nessus (from Tenable Network Security) and QualysGuard
- Web application scanners such as Nikto and IBM's Rational AppScan
- Penetration testing tools such as Metasploit and Core Security Technologies' Core Impact
For assessing weaknesses in the overall security program, refer to ISO 27001 and 27002 standards. These tools, in the form of written guidelines, are an excellent resource for evaluating gaps in security practices and policies.
Of course, the usefulness of any tool depends on the expertise of the person using it. The scanners and other resources mentioned above will produce a good deal of information about the assessed environment. Some of the findings will be false alarms; others will be missing from the automatically collected data set and will need to be gathered through manual means. At the heart of the security assessment is what the tester does to analyze and prioritize the information gathered via automated and manual techniques.
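The two points above, ranking findings by business impact rather than by scanner severity alone and separating confirmed issues from false alarms before looking for patterns, are easier to see in working code. The following is an added example, not code from the article or from any of the tools it names. The findings, hosts, asset names and the 1-to-3 sensitivity and role ratings are all constructed for illustration; the scoring formula is one simple choice (severity, scaled by what the asset does and who can reach it), not a standard.

```python
"""Rank confirmed scanner findings by business impact and surface recurring issues.

Added example, not from the article: every host, asset and plugin name below is
constructed for illustration, as is the asset inventory.
"""
from collections import defaultdict

# Constructed findings, shaped like a vulnerability scanner's export.
# "confirmed" records the tester's manual verification; False means a false alarm.
SCAN_FINDINGS = [
    {"host": "10.0.1.10", "plugin": "Missing SQL Server cumulative update", "severity": "High", "confirmed": True},
    {"host": "10.0.1.20", "plugin": "Missing SQL Server cumulative update", "severity": "High", "confirmed": True},
    {"host": "10.0.1.10", "plugin": "Self-signed TLS certificate", "severity": "Medium", "confirmed": True},
    {"host": "10.0.2.5", "plugin": "Apache mod_status exposed", "severity": "Medium", "confirmed": False},
    {"host": "10.0.2.5", "plugin": "SSH version banner disclosed", "severity": "Low", "confirmed": True},
    {"host": "10.0.3.7", "plugin": "SMBv1 enabled", "severity": "High", "confirmed": True},
]

# Constructed asset inventory, the kind built by talking to system owners outside IT.
# data_sensitivity and operational_role run from 1 (low) to 3 (high).
ASSETS = {
    "10.0.1.10": {"name": "payroll-db", "data_sensitivity": 3, "operational_role": 3, "exposure": "internal"},
    "10.0.1.20": {"name": "test-db", "data_sensitivity": 1, "operational_role": 1, "exposure": "internal"},
    "10.0.2.5": {"name": "www", "data_sensitivity": 1, "operational_role": 2, "exposure": "internet"},
}

SEVERITY_WEIGHT = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}
EXPOSURE_WEIGHT = {"internet": 2, "internal": 1}


def risk_score(finding, asset):
    """Technical severity scaled by what the asset does and who can reach it."""
    business_weight = asset["data_sensitivity"] + asset["operational_role"]
    return SEVERITY_WEIGHT[finding["severity"]] * business_weight * EXPOSURE_WEIGHT[asset["exposure"]]


def prioritize(findings, assets):
    """Return confirmed findings on inventoried hosts, highest business risk first."""
    ranked = []
    for f in findings:
        if not f["confirmed"]:
            continue  # false alarm: checked by hand, dropped from the remediation list
        asset = assets.get(f["host"])
        if asset is None:
            continue  # nobody owns this host yet; see findings_without_owner()
        ranked.append({
            "asset": asset["name"],
            "host": f["host"],
            "plugin": f["plugin"],
            "severity": f["severity"],
            "score": risk_score(f, asset),
        })
    # Ties broken by raw severity, then host, so the order is stable across runs.
    ranked.sort(key=lambda r: (-r["score"], -SEVERITY_WEIGHT[r["severity"]], r["host"]))
    return ranked


def findings_without_owner(findings, assets):
    """Hosts the scanner saw but the inventory does not claim: close this gap before ranking them."""
    return sorted({f["host"] for f in findings if f["confirmed"] and f["host"] not in assets})


def recurring_issues(findings, min_hosts=2):
    """A confirmed issue present on several hosts usually points at a broken process, not one box."""
    hosts_by_plugin = defaultdict(set)
    for f in findings:
        if f["confirmed"]:
            hosts_by_plugin[f["plugin"]].add(f["host"])
    return {plugin: sorted(hosts) for plugin, hosts in hosts_by_plugin.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for row in prioritize(SCAN_FINDINGS, ASSETS):
        print(f'{row["score"]:>3}  {row["asset"]:<12} {row["severity"]:<7} {row["plugin"]}')
    print("hosts without an owner:", findings_without_owner(SCAN_FINDINGS, ASSETS))
    print("recurring issues:", recurring_issues(SCAN_FINDINGS))
```

With the sample data, the two servers missing the same SQL Server update end up far apart in the ranking (payroll-db scores 18, test-db scores 6), a Medium finding on payroll-db outranks a High finding on test-db, the mod_status alert disappears as a false alarm, the unowned host 10.0.3.7 is listed separately for follow-up, and the missing update shows up as a recurring issue worth describing as a patch-management problem rather than as two separate tickets.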
Wrapping up the Project
Typically, the security assessment culminates in a report that describes the testing methodology, ranks the vulnerabilities, accounts for business factors, highlights underlying problems, and outlines remediation options. What should you be wary of? The dangers of ad-hoc remediation efforts. Too many organizations try to address the assessment's findings in an unfocused manner, and run out of steam before completing the effort. The best approach: Plan and conduct the remediation effort as a project with a clear timeline and unambiguous goals, and with responsible participants who will help you get the most out of the security assessment's findings.