external security evaluations
Post on 14-Feb-2016
27 Views
Preview:
DESCRIPTION
TRANSCRIPT
External Security
EvaluationsWhat are the options? Which is best?
#LegalSEC
• Why do an “assessment”?• What types of assessments exist?• Best uses for each type• My recommended prioritization• Tips for a successful project
Agenda
• Adam Carlson• 10+ years in information security• M.S. from UC Davis, ISACA CISM• Security researcher studying Internet threats• Security auditor for financial services/Fortune 500• Chief Security Officer at UC Berkeley• Legal IT security consultant • Currently security solutions consultant at IntApp
Introductions
• Need to identify potential security issues• Need to prioritize security issues• Need for formal reporting to management• Need for external review• Compliance mandate
Reasons For An Assessment
• Penetration test• Vulnerability assessment• Security assessment• Risk assessment
Types Of Assessments
• No universally standard definitions • Great variability among offerings• Caveat Emptor• Don’t assume you are speaking the same
language• Vendors will try to convince you their offering
is best• Must map your needs to the services offered
What’s In A Name?
• Definition: Security engagement meant to determine whether a mature security posture can withstand an intrusion attempt from an advanced attacker with a specific goal.Source: http://danielmiessler.com/writing/vulnerability_assessment_penetration_test/
• Example: Adam will attempt to gain access to client information through Internet-based attacks against Costello & Shock LLP
Penetration Test Definition
• Pros:• Authoritatively validates the existence of a serious
issue• Reveals easily discoverable “low hanging fruit”• May identify unexpected areas of weakness• Often involves highly skilled security professionals
• Cons:• Can be fairly expensive• Negative result does not indicate a lack of issues• May only evaluate a portion of your environment
Pen Test Pros & Cons
Variable Scope
• Definition: The process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.Source: http://en.wikipedia.org/wiki/Vulnerability_assessment
• Example: Evaluating your document management system with a vulnerability scanning application
Vulnerability Assessment
• Clearly defined scope• Which systems are evaluated• What potential problems are evaluated
• Identifies most common technical issues• Cheapest of the assessment options• Repeatable and quantitative
Vulnerability Assessment Pros
• Can identify A LOT of issues• Often lacks contextual risk information• Generic risk rankings• May not indicate the severity in your
environment• May not include expert advice/involvement
Vulnerability Assessment Cons
• Definition: Security engagement meant to evaluate the completeness and effectiveness of the security policies, procedures, and technical protections currently in place.Source: Adam Carlson
• Example: Consultant visits a law firm to evaluate the risk management practices as well as the technical security practices
Security Assessment Definition
• Provides broader view of current security posture
• Both technical and non-technical issues identified
• Risk-based ordering of problems• Provides security expert familiarity with
environment• Tailored guidance and remediation planning
Security Assessment Pros
• Difficult to do well• May be a glorified vulnerability assessment• May not be performed by seasoned expert
• May be focused around the strengths of the assessor
• May not provide a lot of depth• May simply recommend best practices
Security Assessment Cons
• Extremely broad term• Risk = Likelihood x Impact• Could assess either the likelihood or impact (or
both)• Encompasses other types of assessments• E.g. IT security assessment is a form of risk
assessment• Often focused around a proposed change or idea• E.g. Risk assessment of using a cloud-based storage
system
Risk Assessment
• Requires involvement from business owners and IT
• Used to identify valid business problems• Puts technical issues in context• Evaluates the impact of those problems
• Prioritizes risks• Informs investment decisions
Risk Assessment Pros
• Requires involvement from business owners and IT
• Relies on imperfect information• Likelihood often unknown• Impact often unknown
• May result in many findings with equivalent risk level
• Expensive to do a broad and thorough risk assessment
Risk Assessment Cons
• A penetration test is best used:• To scare management into investing• To identify weaknesses in a very mature
security program• A vulnerability assessment is best used:• To validate effective patch management and
system configuration practices• To evaluate exposure to the most common
technical attacks
So Which Do I Want?
• A security assessment is best used:• To identify more than just technical
vulnerabilities• To perform a compliance gap analysis• To engage an external security resource
• A risk assessment is best used:• To evaluate the importance of a possible
security investment• To evaluate the impact of a proposed change
So Which Do I Want Cont.
• Definition: The process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a web application.Source: http://en.wikipedia.org/wiki/Vulnerability_assessment + Adam Carlson
• Example: Performing a code review and penetration test against an internally developed web application.
• Best used to secure applications managing highly sensitive data or those available over the Internet.
Bonus! Web Application Vulnerability Assessment
• External vulnerability assessment• Internal vulnerability assessment• Security assessment• (anything else worth investing in)• Penetration test
Recommended Prioritization
• “White box testing” provides the most value• Security assessments often include
vulnerability assessments (but not always)• “Penetration tests” offered by many vendors
are actually security assessments• Vulnerability assessments can now be easily
performed via SaaS (nCircle Purecloud, Qualys, Nessus, etc.)
A Few Considerations
• Enumerate the goals of the engagement:• What is the ideal scope?• What knowledge should be gained?• Who is the intended audience?
• Understand your budget• Compare your options
Tips For A Successful Project
• Consider an RFP/RFI template• Ask about the process• Who will do the assessment?• What will the report/deliverable look like?• How will post-engagement questions be
answered?• Ask them to explain their
strengths/differentiators• Ask for references• Think about your future together
Evaluating Potential Vendors
• To patch your systems• To run a firewall• To run up-to-date antivirus• To put data backups in place• That security policies are important• Etc.
• Do a self-assessment instead (SANS Top 20, LegalSEC)
Don’t Pay To Be Told…
• Thanks for joining us today!• Please say hi at SharePoint/LegalSEC next
week• Continue the discussion• #LegalSEC• @ajcsec on twitter• adam.carlson@intapp.com
Questions/Comments
top related