9.3 Technology security review

9.3 Technology security review

The technology security review is a process that reviews each technology or service within the organization. We will be talking about exposures and controls. An "exposure" is anything that can make your system vulnerable to an incident, including any of the attacks listed in the preceding section. The "control" is what can be put in place to keep the attack from being successful. The following template demonstrates the various items that will need to be reviewed.

Technology Security Review

Name of technology or service reviewed __________________________________

Expected or current user of the technology or service _______________________


Exposure #_________________________________________________________

Exposure summary___________________________________________________

Exposure source (testing, CERT)________________________________________

Suggested control # __________________________________________________

Detail suggested control ______________________________________________

Cost or impact to the business of this control ______________________________

# of required controls _______________________________________________

Detail required control ______________________________________________

Cost or impact to the business of this control _____________________________

Comments ________________________________________________________

This is actually a simple form, but the information recorded on it can be very helpful. You will fill out this form for every approved software product and/or service that could be impacted by security. For example, under "Name of technology or service reviewed," the following might be indicated.

  • A web site

  • The OS that is used on the web site

  • The web server

  • The applications on the web server

  • The routers used

  • The firewall

  • The architecture of the DMZ

"Expected or current user of the technology or service" determines the scope of where this software or service will be used. Potential answers could be:

  • External customers

  • Employees

  • Vendors

  • Internal customers (employees resulting in a charge back to a cost center)

The next step is to list the exposures, which is interesting, because you cannot identify all exposures. Here is a suggestion: If you are using a vendor for software, contact the vendor to discover what known exposures exist. Also, check out some of the known hacking sites, such as http://www.l0pht.com/, and the CERT listing for your software, http://www.cert.org/. Table 9.2 shows some examples of exposures.

Table 9.2: Exposures

# (Any Tracking #)

Exposure Summary

Exposure Source (Testing, Cert)


OS can crash due to a DDoS

Cert advisory XXX.xx.V3


Users can send sensitive mail outside of the company

Mail encryption is available but it cannot be forced on the users


Hacking tool can grant administrator access for any user

From a hacker site


Ninjas break into the 30th floor and force people to reveal their passwords

No known occurrences of this type of attack

Then, for each potential exposure, list any suggested controls that could counteract the attack listed.

Table 9.3: Suggested Controls


Detail Suggested Control

Cost or Impact to the Business of this Control


Upgrade firewall to Version 3.1

Upgrade is free from vendor


Train an army of Ninjas


Table 9.4: Required Controls


Detail Required Control

Cost or Impact to the Business of this Control


Train users on S/MIME

Added cost of training extra cost will be $10 per user


Upgrade O/S to service pack 9

Upgrade is free from vendor

Then, for each potential exposure, list any required controls that could counteract the attack listed.

As with any form, you will need a section for comments. Comments could be used to point out any specific issues or controls that should be considered.

The following issues should be considered when reviewing any service or software:

  • Accidental destruction, modification, disclosure of information

  • Too many or too few system administrators

  • Incorrect system configuration

  • Fraud, theft, embezzlement

  • Attacks by social engineering

  • Inadequate security awareness, lack of security guidelines

  • Lack of documentation

  • Abuse of privileges/trust

  • Selling of confidential corporate information

  • Mixing of test and production data or environments

  • No change control

  • Operating system design errors

  • DNS spoofing

  • Introduction of unauthorized software or hardware

  • Mixing of test and production data networks

  • DoS and DDoS

  • Trojan horses

  • Spoof messages

  • External attackers masquerading as valid users or customers

  • Equipment failure due to defective hardware

  • E-mail bombing

  • Physical destruction of computing devices or media

  • Poor backups

  • Backups of data that should not be backed up

  • Unauthorized physical access to system

  • Disclosure of company secrets

  • Subversion of DNS to redirect e-mail or other traffic

  • Malicious and/or deliberate damage of information

  • Modification of business data for example, customer or accounting data

  • Password cracking

The preceding examples comprise just a small list of the issues that you would be concerned with.

Before we can go any further, you must define the impacts to the business. An "impact" is the result of an incident that causes some type of loss to the business. The following are some examples, with financial impact assumed to be part of each:

  • Data disclosure This can be as simple as someone sending information out of the trusted environment to someone who should not have this information.

  • Data integrity compromised The best example of this is credit card information that has been stolen from various web sites.

  • Loss of customer confidence The credit card issue would also apply here, but this could also be a situation in which someone hacks your web site and places pornography on it.

  • Network impact This is when someone attacks the network, making it unusable for the customer or employee.

  • Messaging impacts This is when messaging is impacted and you cannot communicate via your messaging infrastructure.

Internet Security(c) A Jumpstart for Systems Administrators and IT Managers
Internet Security: A Jumpstart for Systems Administrators and IT Managers
ISBN: 1555582982
EAN: 2147483647
Year: 2003
Pages: 103

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net