How to Conduct Security Assessments


Conducting a security audit might help you answer the question "How do I know if my network is really secure?" but the audit by itself will not improve the security of your network. Regardless of the type of security assessment that your organization undertakes, you can help increase the security of your network by carrying out the assessment in these three phases:

  • Planning a security assessment

  • Conducting a security assessment

  • Resolving issues discovered during the security assessment

Planning a Security Assessment

The success of a security assessment is largely determined before the actual assessment begins, in the planning phase. As with most IT projects, the major cause of failure for security assessments is poor planning. To avoid this common pitfall, you can create project vision and scope documents.

Creating a Project Vision

The project vision for your security assessment should precisely describe the reason you are conducting the security assessment, the type of security assessment that will be done, the milestones for completing the project, and the project goals. Other items that the project vision commonly contains include the proposed budget for the project, explanations of project team roles and responsibilities, and metrics that can be used to determine the success of the security assessment.

The project vision document will help ensure that everyone working on the project understands the project goals and how the project will accomplish them. It is essential that you obtain executive sponsorship on the vision for the security assessment. Without executive sponsorship, the project will suffer from a lack of prioritization on the part of middle management and consequently might not receive the necessary budget.

Creating a Project Scope

The project scope for your security assessment details which systems will be assessed, what tools will be used, what methodology will be employed, and the time constraints of the project. The scope also defines what tasks are outside the bounds of the project. For example, you might create a project scope for a two-week penetration test on a Web server, specifying that only publicly available tools will be used to attack the Web server but prohibiting testers from using denial-of-service attacks or disrupting the services that the Web server provides.

Conducting a Security Assessment

Although it is obvious that you must document the results of a security assessment, the fact that you must document the procedures used in a security assessment might not be obvious. Unfortunately, well-organized and detailed documentation often is not created during IT projects, including security assessments, because it is somewhat time-consuming and often falls outside the skill set of administrators. Regardless of the type of security assessment that your organization plans to undertake, you must diligently document the procedures used during the security assessment to ensure that the result of the assessment can be used to augment the security of the network.

Documenting the methodology used during the security assessment will ensure that the results can be independently reviewed and reproduced if necessary. This documentation includes the tools used during the assessment, the operating conditions, and the assumptions made by the people conducting the assessment.

With vulnerability scanning, the methodology used might affect the result of the test. For example, vulnerability scanning software that runs under the security context of the domain administrator will yield different results than if it were run under the security context of an authenticated user or an unauthenticated user. Similarly, different vulnerability scanning software packages assess security differently and have unique features, both of which can influence the result of the assessment.

For penetration tests, detailed documentation of the methodology used during the test, regardless of whether the test succeeded in compromising the network, can be reviewed to find areas where your organization must make changes to secure the network. For example, knowing that a penetration tester compromised a domain controller does little to help you secure your network. However, knowing that a penetration tester was able to break into a file server by enumerating account information on local accounts through a null connection to the IPC$ share, and then discovering that the password for a local service account was contained in the description of the account, can help you make the necessary changes to secure your network.

For IT security audits, documenting the methodology and tools used to perform the audit is essential. After the items found deficient in the audit have been resolved, or at some scheduled point in the future, the audit can be repeated in the same manner to assess the progress made since the previous audit. Because organizations frequently use progress made since prior audit findings as metrics to judge their relative success, maintaining such documentation is crucial.
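The two points above (the security context an assessment runs under, and the file-server finding of a null session exposing a password left in an account description) can both be turned into a repeatable, self-documenting check. The following PowerShell script is an added example, not code from the Resource Kit; it assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Get-LocalUser), read access to the LSA registry key, and uses a hypothetical script name in its run record. It records the conditions it ran under alongside its findings, and tags each finding with the impact category used later in this chapter.

```powershell
# Added example (not from the Resource Kit): audit one host for anonymous
# enumeration settings and credentials left in account metadata, and record
# the conditions of the run so the check can be reproduced in a later audit.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$runContext = [ordered]@{
    Host    = $env:COMPUTERNAME
    RunAs   = $identity.Name          # security context changes what is visible
    IsAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    When    = (Get-Date).ToString('o')
    Tool    = 'local-account-audit.ps1'   # hypothetical name for this script
}
$findings = @()

# Check 1: the LSA values behind the "Do not allow anonymous enumeration"
# policies. A value of 0, or no value at all, leaves null-session enumeration
# of accounts and shares unrestricted.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
foreach ($name in 'RestrictAnonymous', 'RestrictAnonymousSAM') {
    $value = $lsa.$name
    if (-not $value) {
        $shown = if ($null -eq $value) { 'absent' } else { $value }
        $findings += [pscustomobject]@{
            Impact = 'Disclosure of confidential information'
            Check  = "LSA\$name"
            Detail = "Value is $shown; anonymous account enumeration is permitted"
        }
    }
}

# Check 2: description and full-name fields are readable by anyone who can
# enumerate accounts, so they must never carry a password. The pattern is a
# heuristic; matches are reviewed by a person, not acted on automatically.
$secretPattern = '\b(pass(word|wd)?|pwd|secret|credential)\b\s*[:=]?\s*\S+'
foreach ($user in Get-LocalUser) {
    foreach ($field in 'Description', 'FullName') {
        if ($user.$field -match $secretPattern) {
            $findings += [pscustomobject]@{
                Impact = 'Disclosure of confidential information'
                Check  = "LocalUser $($user.Name).$field"
                Detail = "Field text matches credential pattern: '$($user.$field)'"
            }
        }
    }
}

# Emit context and findings together; the context is what lets the next
# audit run the same check under the same conditions and compare results.
[pscustomobject]@{ Context = $runContext; Findings = $findings } | ConvertTo-Json -Depth 4
```

Running the same script as an unauthenticated or non-administrative user will, as the text notes, see a different set of accounts and values, which is why the RunAs and IsAdmin fields belong in the record.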

Resolving Issues Discovered During the Security Assessment

After the security assessment is complete, the work of securing the network begins. You will need to analyze the results of the security assessment and determine what measures you can take to address the deficiencies discovered. The first step is to prioritize the deficiencies according to their impact on your organization. The following list details how you should prioritize such impacts:

  1. Human safety

    Although not all organizations will have security vulnerabilities that, if exploited, could lead to the loss of life or otherwise jeopardize human safety, such vulnerabilities should always be given the highest priority.

  2. Destruction of data

    The next priority should be given to the destruction of data, especially when it results in total data loss. At any given point in time, some data exists that has not yet been backed up to remote storage. If an attacker who gains access to this data destroys it, it probably cannot be restored. For some organizations, losing even a day's worth of data would be devastating.

  3. Disclosure of confidential information

    Confidential data includes customer information, employee information, business plans, financial information, and trade secrets. The disclosure of this information can cause loss of customer confidence, litigation against the organization, loss of competitive advantage, and loss of intellectual property.

  4. Loss of services

    A denial-of-service attack causes organizations or their customers to lose the use of IT services. The impact of a denial-of-service attack depends on the nature of your organization's business. For example, the loss of IT services affects a business-to-consumer (B2C) Web site or an ISP much more than it does a software vendor.

  5. Annoyances

    The least critical category of impact comprises vulnerabilities that, if exploited, cause only minor disruption of business continuity, amounting to nothing more than mere annoyances. For example, attacks that require a user to reboot her computer, such as attacks that flood a user's computer with NetBIOS messages sent to the console, cause a minor disruption of business services and are a general annoyance to the user but have no lasting consequences.

After you have prioritized the security issues discovered in the security assessment, you should incorporate them into your organization's risk management plan, or at least apply them to the process your organization normally uses to mitigate security risks.

See Chapter 1, Key Principles of Security, for more information about managing risk.



Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189