External Security Evaluations What are the options Which

  • Slides: 27
Download presentation
External Security Evaluations What are the options? Which is best? #Legal. SEC

External Security Evaluations What are the options? Which is best? #Legal. SEC

Agenda • • • Why do an “assessment”? What types of assessments exist? Best

Agenda • • • Why do an “assessment”? What types of assessments exist? Best uses for each type My recommended prioritization Tips for a successful project

Introductions • Adam Carlson • • 10+ years in information security M. S. from

Introductions • Adam Carlson • • 10+ years in information security M. S. from UC Davis, ISACA CISM Security researcher studying Internet threats Security auditor financial services/Fortune 500 Chief Security Officer at UC Berkeley Legal IT security consultant Currently security solutions consultant at Int. App

Reasons For An Assessment • • • Need to identify potential security issues Need

Reasons For An Assessment • • • Need to identify potential security issues Need to prioritize security issues Need formal reporting to management Need for external review Compliance mandate

Types Of Assessments • • Penetration test Vulnerability assessment Security assessment Risk assessment

Types Of Assessments • • Penetration test Vulnerability assessment Security assessment Risk assessment

What’s In A Name? • No universally standard definitions • Great variability among offerings

What’s In A Name? • No universally standard definitions • Great variability among offerings • Caveat Emptor • Don’t assume you are speaking the same language • Vendors will try to convince you their offering is best • Must map your needs to the services offered

Penetration Test Definition • Definition: Security engagement meant to determine whether a mature security

Penetration Test Definition • Definition: Security engagement meant to determine whether a mature security posture can withstand an intrusion attempt from an advanced attacker with a specific goal. Source: http: //danielmiessler. com/writing/vulnerability_assessment_penetration_test/ • Example: Adam will attempt to gain access to client information through Internet-based attacks against Costello & Shock LLP

Pen Test Pros & Cons • Pros: • • Authoritatively validates the existence of

Pen Test Pros & Cons • Pros: • • Authoritatively validates the existence of a serious issue Reveals easily discoverable “low hanging fruit” May identify unexpected areas of weakness Often involves highly skilled security professionals • Cons: • Can be fairly expensive • Negative result does not indicate a lack of issues • May only evaluate a portion of your environment

Variable Scope

Variable Scope

Vulnerability Assessment • Definition: The process of identifying, quantifying, and prioritizing (or ranking) the

Vulnerability Assessment • Definition: The process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. Source: http: //en. wikipedia. org/wiki/Vulnerability_assessment • Example: Evaluating your document management system with a vulnerability scanning application

Vulnerability Assessment Pros • Clearly defined scope • Which systems are evaluated • What

Vulnerability Assessment Pros • Clearly defined scope • Which systems are evaluated • What potential problems are evaluated • Identifies most common technical issues • Cheapest of the assessment options • Repeatable and quantitative

Vulnerability Assessment Cons • Can identify A LOT of issues • Often lacks contextual

Vulnerability Assessment Cons • Can identify A LOT of issues • Often lacks contextual risk information • Generic risk rankings • May not indicate the severity in your environment • May not include expert advice/involvement

Security Assessment Definition • Definition: Security engagement meant to evaluate the completeness and effectiveness

Security Assessment Definition • Definition: Security engagement meant to evaluate the completeness and effectiveness of the security policies, procedures, and technical protections currently in place. Source: Adam Carlson • Example: Consultant visits a law firm to evaluate the risk management practices as well as the technical security practices

Security Assessment Pros • • • Provides broader view of current security posture Both

Security Assessment Pros • • • Provides broader view of current security posture Both technical and non-technical issues identified Risk-based ordering of problems Provides security expert familiarity with environment Tailored guidance and remediation planning

Security Assessment Cons • Difficult to do well • May be a glorified vulnerability

Security Assessment Cons • Difficult to do well • May be a glorified vulnerability assessment • May not be performed by seasoned expert • May be focused around the strengths of the assessor • May not provide a lot of depth • May simply recommend best practices

Risk Assessment • Extremely broad term • Risk = Likelihood x Impact • Could

Risk Assessment • Extremely broad term • Risk = Likelihood x Impact • Could assess either the likelihood or impact (or both) • Encompasses other types of assessments • E. g. IT security assessment is a form of risk assessment • Often focused around a proposed change or idea • E. g. Risk assessment of using a cloud-based storage system

Risk Assessment Pros • Requires involvement from business owners and IT • Used to

Risk Assessment Pros • Requires involvement from business owners and IT • Used to identify valid business problems • Puts technical issues in context • Evaluates the impact of those problems • Prioritizes risks • Informs investment decisions

Risk Assessment Cons • Requires involvement from business owners and IT • Relies on

Risk Assessment Cons • Requires involvement from business owners and IT • Relies on imperfect information • Likelihood often unknown • Impact often unknown • May result in many findings with equivalent risk level • Expensive to do a broad and thorough risk assessment

So Which Do I Want? • A penetration test is best used: • To

So Which Do I Want? • A penetration test is best used: • To scare management into investing • To identify weaknesses in a very mature security program • A vulnerability assessment is best used: • To validate effective patch management and system configuration practices • To evaluate exposure to the most common technical attacks

So Which Do I Want Cont. • A security assessment is best used: •

So Which Do I Want Cont. • A security assessment is best used: • To identify more than just technical vulnerabilities • To perform a compliance gap analysis • To engage an external security resource • A risk assessment is best used: • To evaluate the importance of a possible security investment • To evaluate the impact of a proposed change

Bonus! Web Application Vulnerability Assessment • Definition: The process of identifying, quantifying, and prioritizing

Bonus! Web Application Vulnerability Assessment • Definition: The process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a web application. Source: http: //en. wikipedia. org/wiki/Vulnerability_assessment + Adam Carlson • Example: Performing a code review and penetration test against an internally developed web application. • Best used to secure applications managing highly sensitive data or those available over the Internet.

Recommended Prioritization • • • External vulnerability assessment Internal vulnerability assessment Security assessment (anything

Recommended Prioritization • • • External vulnerability assessment Internal vulnerability assessment Security assessment (anything else worth investing in) Penetration test

A Few Considerations • “White box testing” provides the most value • Security assessments

A Few Considerations • “White box testing” provides the most value • Security assessments often include vulnerability assessments (but not always) • “Penetration tests” offered by many vendors are actually security assessments • Vulnerability assessments can now be easily performed via Saa. S (n. Circle Purecloud, Qualys, Nessus, etc. )

Tips For A Successful Project • Enumerate the goals of the engagement: • What

Tips For A Successful Project • Enumerate the goals of the engagement: • What is the ideal scope? • What knowledge should be gained? • Who is the intended audience? • Understand your budget • Compare your options

Evaluating Potential Vendors • Consider an RFP/RFI template • Ask about the process •

Evaluating Potential Vendors • Consider an RFP/RFI template • Ask about the process • Who will do the assessment? • What will the report/deliverable look like? • How will post-engagement questions be answered? • Ask them to explain their strengths/differentiators • Ask for references • Think about your future together

Don’t Pay To Be Told… • • • To patch your systems To run

Don’t Pay To Be Told… • • • To patch your systems To run a firewall To run up-to-date antivirus To put data backups in place That security policies are important Etc. • Do a self-assessment instead (SANS Top 20, Legal. SEC)

Questions/Comments • Thanks for joining us today! • Please say hi at Share. Point/Legal.

Questions/Comments • Thanks for joining us today! • Please say hi at Share. Point/Legal. SEC next week • Continue the discussion • #Legal. SEC • @ajcsec on twitter • adam. carlson@intapp. com

EXOTIC OPTIONS EXOTIC OPTIONS Nonstandard options Exotic optionsEXOTIC OPTIONS EXOTIC OPTIONS Nonstandard options Exotic options
FED TAPERING EXTERNAL STIMULUS EXTERNAL STIMULUS External stimulusFED TAPERING EXTERNAL STIMULUS EXTERNAL STIMULUS External stimulus
External Enclosure External Enclosure Needs The external packageExternal Enclosure External Enclosure Needs The external package
External Analysis External Analysis External Analysis Summary OpportunitiesExternal Analysis External Analysis External Analysis Summary Opportunities
Which part Which part Which part Which partWhich part Which part Which part Which part
TOSIBOX LOCK security options TOSIBOX LOCK security optionsTOSIBOX LOCK security options TOSIBOX LOCK security options
PANORAMA DES OPTIONS EXOTIQUES Options barrire Options LookbackPANORAMA DES OPTIONS EXOTIQUES Options barrire Options Lookback
Lecture 21 Options Markets Options With options oneLecture 21 Options Markets Options With options one
F 520 Options 1 Options F 520 OptionsF 520 Options 1 Options F 520 Options
Debt OPTIONS Options on Treasury Securities TBill OptionsDebt OPTIONS Options on Treasury Securities TBill Options
Socket options a summary Tcp options ip optionsSocket options a summary Tcp options ip options
Louver Finishes Options Louver Options Construction Frame OptionsLouver Finishes Options Louver Options Construction Frame Options
FED TAPERING OPTIONS Presenting Options OPTIONS Lets sayFED TAPERING OPTIONS Presenting Options OPTIONS Lets say
Evaluations CPCE 1 Directeurs Evaluations repres CP etEvaluations CPCE 1 Directeurs Evaluations repres CP et
End of semester evaluations Class Rep Evaluations TeamEnd of semester evaluations Class Rep Evaluations Team
Enhancing Evaluations Club Officer Training Enhancing Evaluations QualityEnhancing Evaluations Club Officer Training Enhancing Evaluations Quality
Evaluations Please complete your evaluations and turn themEvaluations Please complete your evaluations and turn them
EVALUATIONS EVALUATIONS ARE REGULATED AND REQUIRED BY KDEEVALUATIONS EVALUATIONS ARE REGULATED AND REQUIRED BY KDE
Planning for Evaluations Planning and managing evaluations inPlanning for Evaluations Planning and managing evaluations in
Juvenile Forensic Evaluations Types of Juvenile Forensic EvaluationsJuvenile Forensic Evaluations Types of Juvenile Forensic Evaluations
Extra Schedular Evaluations Extra Schedular Evaluations Regulation 38Extra Schedular Evaluations Extra Schedular Evaluations Regulation 38
Designing Influential Evaluations Session 7 Commissioning evaluations UgandaDesigning Influential Evaluations Session 7 Commissioning evaluations Uganda
ERATE PROCESS STEP TWO BID EVALUATIONS BID EVALUATIONSERATE PROCESS STEP TWO BID EVALUATIONS BID EVALUATIONS
EMERGENCY MEDICINE EVALUATIONS By Tiesha Saunders SHIFT EVALUATIONSEMERGENCY MEDICINE EVALUATIONS By Tiesha Saunders SHIFT EVALUATIONS