The technology security review is a process that examines each technology or service within the organization in terms of exposures and controls. An "exposure" is anything that can make your system vulnerable to an incident, including any of the attacks listed in the preceding section. A "control" is what you put in place to keep the attack from succeeding. The following template shows the items that need to be reviewed.
Technology Security Review
Name of technology or service reviewed __________________________________
Expected or current user of the technology or service _______________________
Exposures__________________________________________________________
Exposure #_________________________________________________________
Exposure summary___________________________________________________
Exposure source (testing, CERT)________________________________________
Suggested control # __________________________________________________
Detail suggested control ______________________________________________
Cost or impact to the business of this control ______________________________
Required control # ___________________________________________________
Detail required control ______________________________________________
Cost or impact to the business of this control _____________________________
Comments ________________________________________________________
This is a simple form, but the information recorded on it can be very helpful. You fill out one for every approved software product or service that has security implications. For example, under "Name of technology or service reviewed," any of the following might be entered:
A web site
The OS that is used on the web site
The web server
The applications on the web server
The routers used
The firewall
The architecture of the DMZ
"Expected or current user of the technology or service" records who uses the software or service, and therefore the scope of the review. Potential answers could be:
External customers
Employees
Vendors
Internal customers (employees whose use is charged back to a cost center)
The next step is to list the exposures. This is the hard part, because you can never identify all of them. Here is a suggestion: if you are using vendor software, ask the vendor what known exposures exist. Also check the well-known hacking sites, such as http://www.l0pht.com/, and the CERT listings for your software at http://www.cert.org/. Table 9.2 shows some examples of exposures.
| # (Any Tracking #) | Exposure Summary | Exposure Source (Testing, CERT) |
|---|---|---|
| 1001 | OS can crash due to a DDoS | CERT advisory XXX.xx.V3 |
| 2023 | Users can send sensitive mail outside of the company | Mail encryption is available but it cannot be forced on the users |
| 3011 | Hacking tool can grant administrator access for any user | From a hacker site |
| 4067 | Ninjas break into the 30th floor and force people to reveal their passwords | No known occurrences of this type of attack |
Then, for each exposure, list any suggested controls that could counteract the attack, together with the cost or impact of each control to the business.

| # | Detail Suggested Control | Cost or Impact to the Business of this Control |
|---|---|---|
| 1001 | Upgrade firewall to Version 3.1 | Upgrade is free from vendor |
| 4067 | Train an army of Ninjas | $100,000 |

Next, for each exposure, list the controls that are required rather than merely suggested, again with the cost or impact of each.

| # | Detail Required Control | Cost or Impact to the Business of this Control |
|---|---|---|
| 2023 | Train users on S/MIME | Added cost of training; the extra cost will be $10 per user |
| 3011 | Upgrade O/S to service pack 9 | Upgrade is free from vendor |
As with any form, you will need a section for comments. Comments could be used to point out any specific issues or controls that should be considered.
The following issues should be considered when reviewing any service or software:
Accidental destruction, modification, disclosure of information
Too many or too few system administrators
Incorrect system configuration
Fraud, theft, embezzlement
Attacks by social engineering
Inadequate security awareness, lack of security guidelines
Lack of documentation
Abuse of privileges/trust
Selling of confidential corporate information
Mixing of test and production data or environments
No change control
Operating system design errors
DNS spoofing
Introduction of unauthorized software or hardware
Mixing of test and production data networks
DoS and DDoS
Trojan horses
Spoof messages
External attackers masquerading as valid users or customers
Equipment failure due to defective hardware
E-mail bombing
Physical destruction of computing devices or media
Poor backups
Backups of data that should not be backed up
Unauthorized physical access to system
Disclosure of company secrets
Subversion of DNS to redirect e-mail or other traffic
Malicious and/or deliberate damage of information
Modification of business data, for example customer or accounting data
Password cracking
The preceding list is only a small sample of the issues you would be concerned with.
Before we can go any further, you must define the impacts to the business. An "impact" is the result of an incident that causes some type of loss to the business. The following are some examples, with financial impact assumed to be part of each:
Data disclosure: This can be as simple as someone sending information out of the trusted environment to someone who should not have it.
Data integrity compromised: Business data is altered without authorization, for example customer or accounting records that an attacker has changed. The credit card thefts from various web sites are the best-known breaches, although strictly speaking the theft itself is a disclosure; integrity is lost when the stored card or order data is modified.
Loss of customer confidence: The credit card issue applies here as well, but so does a defacement in which someone hacks your web site and places pornography on it.
Network impact: Someone attacks the network, making it unusable for customers or employees.
Messaging impact: The messaging infrastructure is disrupted, so you cannot communicate through it.