Security assessments can mean different things to different people.
This paper should help you to explore what a security assessment is. This paper will then provide useful principles for your security assessment projects, with a focus on holistic security management and foundations. This guidance is not intended to provide a one-size-fits-all blueprint for your organization.
Your team will have to determine the most appropriate way to optimize your security mechanisms. The security assessment should enable you to answer the following questions:
- What are your critical assets?
- What security controls are in place for your:
- a. Administrative Security Mechanisms?
- b. Physical Security Mechanisms?
- c. Technical Security Mechanisms?
- What is the current security posture of your information systems?
- What do you need to do to address high-priority issues?
Important Definitions
“Confidentiality,” “Availability,” and “Integrity:” These words should be well defined in your security dictionary.
Identification of Assets
What are your organization’s critical assets? You should know what is critical and essential for your business. From there, the organization should be able to make appropriate decisions regarding the level of security that should be provided to protect these assets.
Depending upon the criticality of the assets, you need to determine level of redundancy that is necessary. Depending on your business and customer support requirements, you might have more than what we have listed here. At a high level, we can broadly classify assets in the following categories:
- a. Hardware
- b. Software
- c. Operating systems
- d. Front office
- e. Back office
- f. Other
- g. WAN infrastructure
- h. LAN infrastructure
- i. Database
- j. Physical assets
- k. intellectual assets
- l. Services
- m. Other
Administrative Security Mechanisms
Administrative Security Mechanisms controls are perhaps the most overlooked because they are underneath the surface and most easily overlooked.
This should be a complete, up-to-date, a practical hands-on guide to document, set guidelines and create effective information security policies and procedures for your organization. This should serve as your essential security policy concepts and their rationale. This also should thoroughly cover information security regulations and related frameworks as well as present best-practice policies specific to your industry sectors.
The goals for your Security Administrative Mechanisms should include:
- Risk management
- Best practices for policy development and implementation
- Establishing a layered defense
- Responding to incidents and ensuring continuation of operations
- Auditing and monitoring security on an ongoing basis
- Meeting unique legal and regulatory environments, including GLBA, HIPAA/HITECH, FISMA, state data security and notification rules and PCI-DSS
Your Administrative Security policy should affect all your administrative systems used in planning, managing, or operating a major administrative function of the network infrastructure. This policy also pertains to any associated administrative data that resides on end-users’ local desktop computers and/or departmental servers. An assessment for this phase, at a minimum, should address and clearly document the following policies and procedures:
- 1. Risk analysis and assessment
- 2. Confidentiality Notice
- 3. Inventory
- 4. User responsibilities and accounts
- 5. Access control
- 6. System Administrator responsibilities
- 7. Vendors
- 8. Sanctions
- 9. Passwords
- 10. Management responsibilities
- 11. Business Associate responsibilities
- 12. Enforcement
- 13. Review and monitoring
- 14. Audit control
- 15. Training
- 16. Other
Physical Security Mechanisms
A physical security assessment should be conducted regularly, with a basic understanding of crime prevention theory and security standards. You and your team should have a clear understanding of:
- 1. The physical layout of the organization’s buildings and surrounding perimeters
- 2. Lock and badges
- 3. Emergency Access Control and Management
- 4. Does the property topography provide security or reduce the means of access?
- 5. How many points of entry are there to the building?
- 6. Are those entrances monitored?
- 7. Alarms – including fire, intrusion, tamper, motion
- 8. Are doors, windows, gates, turnstiles, etc. monitored for egress and ingress?
- 9. Do you have adequate physical blockages and barriers from spying eyes?
- 10. Are the perimeters of the building and the perimeter of the property adequately covered by cameras?
- 11. Are locks, badges and locking equipment in good repair and operating properly?
- 12. How is your mailroom being protected?
- 13. How do you dispose of your paper data?
- 14. Other
Technical Security Mechanisms
Once again, the purpose of this section is to provide guidelines for your organization on planning and conducting technical information security testing and assessments, analyzing findings, and developing mitigation strategies. This guide is not intended to present a comprehensive information security testing or assessment program, but rather to provide an overview of the main elements of a technical security assessment.
Dozens of technical security testing and examination techniques exist that can be used to assess the security posture of systems and networks.
The most commonly used techniques from the standpoint of this document will be discussed in more depth later in this guide and are grouped into the following three categories:
1. Review
There are no set rules for this. These could be techniques used to evaluate systems, applications, networks, policies, and procedures to discover vulnerabilities. During this phase, most of the work is arduous and is generally conducted manually.
This includes documentation, log, rule set, and system configuration review as well as network sniffing and file integrity checking.
2. Target Identification and Analysis
One rule: Make sure that you are doing your due diligence and homework here! It is not right if you are attacking someone’s network or WAN IP. Can we say fine and/or a legal implication here?
3. Data Examinations and Comparisons to Minimize False Positives
This is a requisite and an absolute must. We have seen many sloppy and careless reports from so-called “Security Analysts.” We have seen a “report” that cost the client thousands of dollars, generated as a result of freeware, and shows that the entire scan took less than 30 seconds. The properties of the document also showed that the assessment had been carried out for some other entity, and the names from the report had been changed more than 400 times.
There should be 3+3+3 as a minimum here. When doing the assessment technical security, 3 enterprise tools should be deployed, the examinations should be carried out 3 times, each time at a different time of the day, and 3 set of data should be examined and compared to each other.
At a minimum, this phase should include comprehensive data for the following:
A. WAN
- 1. Internet network interfaces
- 2. WAN data transfer
- 3. WAN connectivity for internal access
- 4. WAN connectivity for Business Associates and partners
- 5. WAN connectivity Internet access
- 6. WAN connectivity Intranet access
- 7. Firewall/network Protection
- 8. Gateway edge routers
- 9. Email protection
- 10. Hosting sites and hosting applications
- 11. Security access and transmission amongst all sites
B. LAN (Local Area Network)
- 1. Servers
- 2. User PCs
- 3. Access controls
- 4. End users
- 5. Virus control and management
- 6. Boot sector viruses
- 7. File viruses
- 8. Macro viruses
- 9. Trojans
- 10. Worms
- 11. Audit trail control and management
- 12. Email protection
- 13. Database
- 14. VLAN
- 15. Domain controller
- 16. Application
- 17. Patches
- 18. Services
C. Holistic Access and Transmission Assessment for Entire Infrastructure
- 1. Users and domain(s)
- 2. LAN and WAN interface
- 3. WAN to internet
- 4. Internet to remote access, users and location(s)
- 5. Other