Security Health Check
May 20, 2013
Many companies have the notion that “once secure, always secure.” But this head-in-the-sand attitude could be detrimental to the health and security of your business. The reality is that security incidents are on the rise, and attackers are more sophisticated and better financed than ever before. Your company might already be a victim, and you don’t even know it.
Security Assessment Baseline
Organizations should seek independent and objective third-party validation through regular security assessments, such as a Security Health Check. The main goal of a Security Health Check is to help avoid security compromises on hosts and in network environments. It is an assessment-only project that provides recommendations; no changes are ever made to the environment.
A Security Health Check enables organizations to obtain an accurate picture of their security posture and to develop a customized security baseline. The baseline should be used in a cyclic, iterative process to become progressively more secure and, as a result, compliant with the associated policy and regulatory requirements. Security is a process, not a destination.
A Security Health Check should cover these fundamental process steps:
- Baseline/Refresh – Identify or refresh objectives based on industry, policy, regulations, risk tolerance, and so on
- Snapshot – Security Program Assessment, Technical Security Assessment, Penetration Testing
- Scorecard – Standards or Compliance-based Security Report and Executive Presentation
- Workshop – Validate Findings and develop Prioritized Remediation Action Plan based on Risk/Threat
- Roadmap – Annual Plan of Next Steps based on Budget and Resources
There are two key yet highly complementary approaches to network security testing: the “black-box” zero-knowledge external penetration study and the “white-box” onsite security vulnerability assessment.
In the “white-box” approach, 3rd party consultants validate your company’s security policy, review the design and implementation of internal security controls, network security perimeter, defense-in-depth strategy, and determine common vulnerabilities and exposures from an internal perspective. The consultants determine possible attacks against your environment and identify security problems and process maturity.
In the complementary “black-box” approach, the consultant operates knowing only the name and address of your company. The team will identify, scan, and probe your network security perimeter for common vulnerabilities and exposures, much as a hacker would. The external penetration study provides real-world attack experience utilizing commonly used hacker scanning, manual techniques and attack tools to determine security exposures and vulnerabilities.
The testing is conducted in parallel with the onsite security assessment team and is coordinated closely with the project manager. The penetration study methodology is typically based upon, and uses subsets of, the following:
- Penetration Testing Execution Standard (PTES)
- Open Source Security Testing Methodology Manual (OSSTMM)
- INFOSEC Assessment Capability Maturity Model (IA-CMM)
A Security Scorecard should consist of detailed penetration study and security assessment reports together with executive summary slides. This package presents the findings and recommendations on identified Common Vulnerabilities and Exposures (CVE), regulatory and standards compliance gap matrices, and provides custom best-practices-based security strategy and summary scorecards.
The collaborative onsite workshop provides the opportunity to review, validate, and prioritize the findings, and to discuss methodology, best practices, and strategy recommendations in order to create an action plan. These results support the development of a comprehensive, continuously improving security program and an annual lifecycle process. The workshop can also include security training on the techniques attackers use to map, probe, and scan computers from the Internet, or sessions to increase user awareness and education.
Thanks for your interest!
Nige the Security Guy.