Security
Where the Risks Are
Knowing what to spend on data protection and where to focus
the effort isn't easy. Security assessments help eliminate
the guesswork by identifying where your most critical risks lurk.
CHANCES ARE, SOME ASPECTS of your IT security
setup make you uncomfortable. Maybe it's the server
that's so brittle no one dares install security updates on it.
Maybe it's the use of shared passwords, known to all past
and present IT team members. Maybe it's the overly permissive
firewall; outdated antivirus protection; open WiFi.
Maybe it's the inability to enforce security policies, or the
lack of such policies.
It's difficult to know where to begin improving IT security,
because the number of potentially weak areas can be
overwhelming. A security assessment helps prioritize the
issues, allowing an organization to tackle them in the order
of importance. The assessment not only allows IT staff to
focus a limited budget on addressing the most critical
risks first, but also arms them with facts that could free up
additional funding.
To help you get the most out of a security assessment,
let's consider which aspects of the environment a security
assessment can examine. We'll also discuss how the
assessment can be conducted.
What to Examine?
The first step in scoping a security assessment, whether
you will conduct it yourself or hire a consultant, is to determine
what you'd like to examine. The best way to start is
to list your concerns, then group them. The issues often
fall into the following categories:
- External network components, which may
include systems and devices accessible from the
internet or partner networks
- Internal network components, which may include
workstations, servers, printers, and other devices
used by individuals at your college or university
- Guest or remote networks, which may include
mistrusted wireless and wired networks used by
visitors or remote VPN users
- Applications and databases, which store sensitive
data and allow staff, faculty, and students to
conduct important transactions
- Security policies and procedures, which guide
personnel in IT and other departments in maintaining
or making use of IT infrastructure
The goal of a security assessment often is to examine
these areas in some detail, in order to identify vulnerabilities,
understand their relevance, and prioritize
them by risk. This information will allow the organization
or the assessor to develop a remediation plan.
Knowing what to include in the security assessment
helps estimate the effort and cost. If you don't
have the luxury of examining all pertinent aspects of
your environment in a single project, consider starting
with the most significant concerns, and cover the
other ones in subsequent assessments.
Technology vs. Processes
A school working to mature its IT security practices with the
help of an assessment can begin by examining IT infrastructure,
looking for vulnerabilities in systems, networks,
and applications designated for the project's scope. Identifying
technological weaknesses that may lead to a breach
often highlights the underlying problems in IT management
practices.
Alternatively, you can start by examining the current state
of your security processes: the way people share data,
manage systems, develop applications, install security
updates, and so on. This task often involves interviewing
individuals throughout the school, including staff, faculty,
and students. It also involves reviewing existing security
policies and procedures to identify gaps and inconsistencies
between written documents and actual practices.
Which of the two phases is the best starting point for you
depends on how your college or university thinks about its
IT infrastructure: Some focus more on technology; others
on processes. If your budget permits, consider examining
both aspects of the environment as part
of the security assessment.
To Exploit or Not?
A security assessment whose scope
includes technological infrastructure
components looks for problems such as:
- Missing security updates
- System configuration errors
- Weak passwords
- Network architecture deficiencies
A vulnerability assessment typically
involves performing a comprehensive
analysis of infrastructure components
and network blueprints to locate the
issues above. However, it stops short of
exploiting the vulnerabilities to compromise
the affected systems. Instead, the
tester analyzes the vulnerabilities for
trends and patterns to prioritize the
many issues often uncovered during the
project. The organization may provide
the tester with credentials to log on to
the assessed systems and applications.
This facilitates a thorough, in-depth
examination.
A penetration test, also known as
ethical hacking, attempts to confirm
that the discovered weaknesses can
lead to a breach. The tester mimics an
attacker's actions to exploit the vulnerabilities.
Such an approach further
differs from a vulnerability assessment
in that the tester often has minimal
prior knowledge of the environment,
treating the target as a "black box."
Findings of a penetration test are
difficult to disregard if the test leads
to a breach. However, if the tester is
unable to penetrate the defenses,
the organization may have less information
than it would get from a vulnerability
assessment-- an attacker with different
approaches, tools, and motives may still be able to break in.
Which of the two approaches is right for you? Simply
put, pick the one that feels better in light of your school's
culture and assessment expectations. Many organizations
are uncomfortable allowing a tester to exploit vulnerabilities
even under controlled conditions. Others find it difficult to
accept the weaknesses discovered during a vulnerability
assessment without confirming that they can be exploited.
You may also consider a hybrid approach, performing a
penetration test of your external systems, while opting for a
comprehensive vulnerability assessment of your internal
network.
If an ethical hacker is unable to penetrate defenses, you
may end up with less information than you would get
from a vulnerability assessment-- an attacker with different
approaches, tools, and motives may still be able to break in.
The Business of Prioritizing
When prioritizing the issues uncovered during an assessment,
account for their business impact. For instance, of
the two servers missing common security updates, fix the
one that processes more sensitive data or holds a more
critical operational role. Evaluating such factors involves
speaking to individuals outside the IT department to better
understand the systems' roles. A side (but no less important)
benefit of this kind of effort: It will help you describe
the risks in terms relevant to your organization's executive
management.
Tools of the Trade
The long list of security assessment tools includes free and
commercial products that vary widely in their usefulness
and complexity. A sampling of the tools are:
For assessing weaknesses in the overall security program,
refer to ISO 27001 and 27002 standards. These tools, in the form of written
guidelines, are an excellent resource for evaluating gaps in
security practices and policies.
Of course, the usefulness of any tool depends on the
expertise of the person using it. The scanners and other
resources mentioned above will produce a good deal of
information about the assessed environment. Some of
the findings will be false alarms; others will be missing from
the automatically collected data set and will need to be
gathered through manual means. At the heart of the security
assessment is what the tester does to analyze and prioritize
the information gathered via automated and manual
techniques.
Wrapping up the Project
Typically speaking, the security assessment culminates in a
report that describes the testing methodology, ranks the
vulnerabilities, accounts for business factors, highlights
underlying problems, and outlines remediation options.
What should you be wary of? The dangers of ad-hoc
assessment efforts. Too many colleges and universities
try to address the vulnerability assessment in an unfocused
manner, and run out of steam before completing
the effort. The best approach: Plan and conduct the
remediation effort asa project with a clear timeline and
unambiguous goals, and with responsible participants
who will help you get the most out of the security assessment's
findings.
web extras::
Mickey Spillane Versus Wiley Hacker: Who is qualified
to conduct computer forensics: computer jocks or private
eyes?
Vulnerability Management Needed for Security, Study
Says
