External Security Evaluations What are the options Which
- Slides: 27
External Security Evaluations What are the options? Which is best? #Legal. SEC
Agenda • • • Why do an “assessment”? What types of assessments exist? Best uses for each type My recommended prioritization Tips for a successful project
Introductions • Adam Carlson • • 10+ years in information security M. S. from UC Davis, ISACA CISM Security researcher studying Internet threats Security auditor financial services/Fortune 500 Chief Security Officer at UC Berkeley Legal IT security consultant Currently security solutions consultant at Int. App
Reasons For An Assessment • • • Need to identify potential security issues Need to prioritize security issues Need formal reporting to management Need for external review Compliance mandate
Types Of Assessments • • Penetration test Vulnerability assessment Security assessment Risk assessment
What’s In A Name? • No universally standard definitions • Great variability among offerings • Caveat Emptor • Don’t assume you are speaking the same language • Vendors will try to convince you their offering is best • Must map your needs to the services offered
Penetration Test Definition • Definition: Security engagement meant to determine whether a mature security posture can withstand an intrusion attempt from an advanced attacker with a specific goal. Source: http: //danielmiessler. com/writing/vulnerability_assessment_penetration_test/ • Example: Adam will attempt to gain access to client information through Internet-based attacks against Costello & Shock LLP
Pen Test Pros & Cons • Pros: • • Authoritatively validates the existence of a serious issue Reveals easily discoverable “low hanging fruit” May identify unexpected areas of weakness Often involves highly skilled security professionals • Cons: • Can be fairly expensive • Negative result does not indicate a lack of issues • May only evaluate a portion of your environment
Variable Scope
Vulnerability Assessment • Definition: The process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. Source: http: //en. wikipedia. org/wiki/Vulnerability_assessment • Example: Evaluating your document management system with a vulnerability scanning application
Vulnerability Assessment Pros • Clearly defined scope • Which systems are evaluated • What potential problems are evaluated • Identifies most common technical issues • Cheapest of the assessment options • Repeatable and quantitative
Vulnerability Assessment Cons • Can identify A LOT of issues • Often lacks contextual risk information • Generic risk rankings • May not indicate the severity in your environment • May not include expert advice/involvement
Security Assessment Definition • Definition: Security engagement meant to evaluate the completeness and effectiveness of the security policies, procedures, and technical protections currently in place. Source: Adam Carlson • Example: Consultant visits a law firm to evaluate the risk management practices as well as the technical security practices
Security Assessment Pros • • • Provides broader view of current security posture Both technical and non-technical issues identified Risk-based ordering of problems Provides security expert familiarity with environment Tailored guidance and remediation planning
Security Assessment Cons • Difficult to do well • May be a glorified vulnerability assessment • May not be performed by seasoned expert • May be focused around the strengths of the assessor • May not provide a lot of depth • May simply recommend best practices
Risk Assessment • Extremely broad term • Risk = Likelihood x Impact • Could assess either the likelihood or impact (or both) • Encompasses other types of assessments • E. g. IT security assessment is a form of risk assessment • Often focused around a proposed change or idea • E. g. Risk assessment of using a cloud-based storage system
Risk Assessment Pros • Requires involvement from business owners and IT • Used to identify valid business problems • Puts technical issues in context • Evaluates the impact of those problems • Prioritizes risks • Informs investment decisions
Risk Assessment Cons • Requires involvement from business owners and IT • Relies on imperfect information • Likelihood often unknown • Impact often unknown • May result in many findings with equivalent risk level • Expensive to do a broad and thorough risk assessment
So Which Do I Want? • A penetration test is best used: • To scare management into investing • To identify weaknesses in a very mature security program • A vulnerability assessment is best used: • To validate effective patch management and system configuration practices • To evaluate exposure to the most common technical attacks
So Which Do I Want Cont. • A security assessment is best used: • To identify more than just technical vulnerabilities • To perform a compliance gap analysis • To engage an external security resource • A risk assessment is best used: • To evaluate the importance of a possible security investment • To evaluate the impact of a proposed change
Bonus! Web Application Vulnerability Assessment • Definition: The process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a web application. Source: http: //en. wikipedia. org/wiki/Vulnerability_assessment + Adam Carlson • Example: Performing a code review and penetration test against an internally developed web application. • Best used to secure applications managing highly sensitive data or those available over the Internet.
Recommended Prioritization • • • External vulnerability assessment Internal vulnerability assessment Security assessment (anything else worth investing in) Penetration test
A Few Considerations • “White box testing” provides the most value • Security assessments often include vulnerability assessments (but not always) • “Penetration tests” offered by many vendors are actually security assessments • Vulnerability assessments can now be easily performed via Saa. S (n. Circle Purecloud, Qualys, Nessus, etc. )
Tips For A Successful Project • Enumerate the goals of the engagement: • What is the ideal scope? • What knowledge should be gained? • Who is the intended audience? • Understand your budget • Compare your options
Evaluating Potential Vendors • Consider an RFP/RFI template • Ask about the process • Who will do the assessment? • What will the report/deliverable look like? • How will post-engagement questions be answered? • Ask them to explain their strengths/differentiators • Ask for references • Think about your future together
Don’t Pay To Be Told… • • • To patch your systems To run a firewall To run up-to-date antivirus To put data backups in place That security policies are important Etc. • Do a self-assessment instead (SANS Top 20, Legal. SEC)
Questions/Comments • Thanks for joining us today! • Please say hi at Share. Point/Legal. SEC next week • Continue the discussion • #Legal. SEC • @ajcsec on twitter • adam. carlson@intapp. com
- Mikael ferm
- Provate security
- Boston university pemba
- Restitution évaluations nationales cp
- Nau course evaluations
- Pharmacoeconomic evaluations amcp
- What is nondiscriminatory evaluation
- Uri idea survey
- Shsu idea evaluations
- External-external trips
- Hình ảnh bộ gõ cơ thể búng tay
- Slidetodoc
- Bổ thể
- Tỉ lệ cơ thể trẻ em
- Chó sói
- Tư thế worm breton
- Bài hát chúa yêu trần thế alleluia
- Các môn thể thao bắt đầu bằng tiếng chạy
- Thế nào là hệ số cao nhất
- Các châu lục và đại dương trên thế giới
- Công thức tiính động năng
- Trời xanh đây là của chúng ta thể thơ
- Mật thư anh em như thể tay chân
- Phép trừ bù
- Phản ứng thế ankan
- Các châu lục và đại dương trên thế giới
- Thể thơ truyền thống
- Quá trình desamine hóa có thể tạo ra