9.3 Technology security review


The technology security review is a process that reviews each technology or service within the organization. We will be talking about exposures and controls. An "exposure" is anything that can make your system vulnerable to an incident, including any of the attacks listed in the preceding section. The "control" is what can be put in place to keep the attack from being successful. The following template demonstrates the various items that will need to be reviewed.

Technology Security Review

Name of technology or service reviewed __________________________________

Expected or current user of the technology or service _______________________

Exposures__________________________________________________________

Exposure #_________________________________________________________

Exposure summary___________________________________________________

Exposure source (testing, CERT)________________________________________

Suggested control # __________________________________________________

Detail suggested control ______________________________________________

Cost or impact to the business of this control ______________________________

# of required controls _______________________________________________

Detail required control ______________________________________________

Cost or impact to the business of this control _____________________________

Comments ________________________________________________________

This is actually a simple form, but the information recorded on it can be very helpful. You will fill out this form for every approved software product and/or service that has security implications. For example, under "Name of technology or service reviewed," any of the following might be listed.

  • A web site

  • The OS that is used on the web site

  • The web server

  • The applications on the web server

  • The routers used

  • The firewall

  • The architecture of the DMZ

"Expected or current user of the technology or service" determines the scope of where this software or service will be used. Potential answers could be:

  • External customers

  • Employees

  • Vendors

  • Internal customers (employees, with usage charged back to a cost center)

The next step is to list the exposures. This step is tricky, because you cannot identify every exposure. Here is a suggestion: If you are using a vendor for software, contact the vendor to discover what known exposures exist. Also, check out some of the known hacking sites, such as http://www.l0pht.com/, and the CERT listing for your software, http://www.cert.org/. Table 9.2 shows some examples of exposures.

Table 9.2: Exposures

# (Any Tracking #) | Exposure Summary | Exposure Source (Testing, Cert)
1001 | OS can crash due to a DDoS | Cert advisory XXX.xx.V3
2023 | Users can send sensitive mail outside of the company | Mail encryption is available but it cannot be forced on the users
3011 | Hacking tool can grant administrator access for any user | From a hacker site
4067 | Ninjas break into the 30th floor and force people to reveal their passwords | No known occurrences of this type of attack

Then, for each potential exposure, list any suggested controls that could counteract the attack listed.

Table 9.3: Suggested Controls

# | Detail Suggested Control | Cost or Impact to the Business of this Control
1001 | Upgrade firewall to Version 3.1 | Upgrade is free from vendor
4067 | Train an army of Ninjas | $100,000

Then, for each potential exposure, list any required controls that could counteract the attack listed.

Table 9.4: Required Controls

# | Detail Required Control | Cost or Impact to the Business of this Control
2023 | Train users on S/MIME | Added cost of training; the extra cost will be $10 per user
3011 | Upgrade O/S to service pack 9 | Upgrade is free from vendor

As with any form, you will need a section for comments. Comments could be used to point out any specific issues or controls that should be considered.
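The form and Tables 9.2 to 9.4 amount to a small register that links each exposure to its suggested and required controls and their cost. The following is an added example (not from the book) that models that register in Python, flags exposures that have no control recorded at all, and totals the business cost of the required controls, scaling per-user costs by the user count; the technology name, user count and tracking number 5100 are constructed, the other entries are the book's.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    detail: str
    cost_usd: float          # one-off cost, or cost per user when per_user is True
    per_user: bool = False
    required: bool = False   # True = required control (Table 9.4), False = suggested (Table 9.3)

@dataclass
class Exposure:
    tracking_no: int
    summary: str
    source: str              # where the exposure was learned of: testing, CERT, vendor, ...
    controls: list = field(default_factory=list)

@dataclass
class TechnologyReview:
    technology: str          # "Name of technology or service reviewed"
    users: str               # "Expected or current user of the technology or service"
    user_count: int          # constructed; needed to scale per-user control costs
    exposures: list = field(default_factory=list)

    def uncontrolled(self):
        """Tracking numbers of exposures recorded with no suggested or required control."""
        return [e.tracking_no for e in self.exposures if not e.controls]

    def required_cost(self):
        """Total cost to the business of the required controls only."""
        total = 0.0
        for e in self.exposures:
            for c in e.controls:
                if c.required:
                    total += c.cost_usd * (self.user_count if c.per_user else 1)
        return total

def sample_review():
    """Constructed review populated from Tables 9.2 to 9.4, plus one exposure (5100) found in testing."""
    r = TechnologyReview("Corporate mail service (constructed)", "Employees", user_count=250)
    r.exposures = [
        Exposure(1001, "OS can crash due to a DDoS", "Cert advisory XXX.xx.V3",
                 [Control("Upgrade firewall to Version 3.1", 0.0)]),
        Exposure(2023, "Users can send sensitive mail outside of the company",
                 "Mail encryption is available but it cannot be forced on the users",
                 [Control("Train users on S/MIME", 10.0, per_user=True, required=True)]),
        Exposure(3011, "Hacking tool can grant administrator access for any user",
                 "From a hacker site", [Control("Upgrade O/S to service pack 9", 0.0, required=True)]),
        Exposure(4067, "Ninjas break into the 30th floor and force people to reveal their passwords",
                 "No known occurrences of this type of attack", [Control("Train an army of Ninjas", 100000.0)]),
        Exposure(5100, "Constructed: mail relay accepts unauthenticated internal relaying", "Testing"),
    ]
    return r
```

Exposure 5100 has no control yet and so shows up in uncontrolled(), which is the gap the comments section of the form should explain; the required-control total for 250 users is $2,500 (S/MIME training) plus a free service pack.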

The following issues should be considered when reviewing any service or software:

  • Accidental destruction, modification, disclosure of information

  • Too many or too few system administrators

  • Incorrect system configuration

  • Fraud, theft, embezzlement

  • Attacks by social engineering

  • Inadequate security awareness, lack of security guidelines

  • Lack of documentation

  • Abuse of privileges/trust

  • Selling of confidential corporate information

  • Mixing of test and production data or environments

  • No change control

  • Operating system design errors

  • DNS spoofing

  • Introduction of unauthorized software or hardware

  • Mixing of test and production data networks

  • DoS and DDoS

  • Trojan horses

  • Spoof messages

  • External attackers masquerading as valid users or customers

  • Equipment failure due to defective hardware

  • E-mail bombing

  • Physical destruction of computing devices or media

  • Poor backups

  • Backups of data that should not be backed up

  • Unauthorized physical access to system

  • Disclosure of company secrets

  • Subversion of DNS to redirect e-mail or other traffic

  • Malicious and/or deliberate damage of information

  • Modification of business data, for example customer or accounting data

  • Password cracking

The preceding examples comprise just a small list of the issues that you would be concerned with.

Before we can go any further, you must define the impacts to the business. An "impact" is the result of an incident that causes some type of loss to the business. The following are some examples, with financial impact assumed to be part of each:

  • Data disclosure: This can be as simple as someone sending information out of the trusted environment to someone who should not have this information.

  • Data integrity compromised: The best example of this is credit card information that has been stolen from various web sites.

  • Loss of customer confidence: The credit card issue would also apply here, but this could also be a situation in which someone hacks your web site and places pornography on it.

  • Network impact: This is when someone attacks the network, making it unusable for the customer or employee.

  • Messaging impacts: This is when messaging is impacted and you cannot communicate via your messaging infrastructure.

Internet Security: A Jumpstart for Systems Administrators and IT Managers
ISBN: 1555582982
Year: 2003
Pages: 103