
External Security Evaluations


Presentation Transcript


  1. External Security Evaluations
  What are the options? Which is best?
  #LegalSEC

  2. Agenda
  • Why do an “assessment”?
  • What types of assessments exist?
  • Best uses for each type
  • My recommended prioritization
  • Tips for a successful project

  3. Introductions
  • Adam Carlson
  • 10+ years in information security
  • M.S. from UC Davis, ISACA CISM
  • Security researcher studying Internet threats
  • Security auditor for financial services/Fortune 500
  • Chief Security Officer at UC Berkeley
  • Legal IT security consultant
  • Currently security solutions consultant at IntApp

  4. Reasons For An Assessment
  • Need to identify potential security issues
  • Need to prioritize security issues
  • Need for formal reporting to management
  • Need for external review
  • Compliance mandate

  5. Types Of Assessments
  • Penetration test
  • Vulnerability assessment
  • Security assessment
  • Risk assessment

  6. What’s In A Name?
  • No universally standard definitions
  • Great variability among offerings
  • Caveat emptor
  • Don’t assume you are speaking the same language
  • Vendors will try to convince you their offering is best
  • Must map your needs to the services offered

  7. Penetration Test Definition
  • Definition: Security engagement meant to determine whether a mature security posture can withstand an intrusion attempt from an advanced attacker with a specific goal. Source: http://danielmiessler.com/writing/vulnerability_assessment_penetration_test/
  • Example: Adam will attempt to gain access to client information through Internet-based attacks against Costello & Shock LLP

  8. Pen Test Pros & Cons
  • Pros:
    • Authoritatively validates the existence of a serious issue
    • Reveals easily discoverable “low hanging fruit”
    • May identify unexpected areas of weakness
    • Often involves highly skilled security professionals
  • Cons:
    • Can be fairly expensive
    • Negative result does not indicate a lack of issues
    • May only evaluate a portion of your environment

  9. Variable Scope

  10. Vulnerability Assessment
  • Definition: The process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. Source: http://en.wikipedia.org/wiki/Vulnerability_assessment
  • Example: Evaluating your document management system with a vulnerability scanning application

  11. Vulnerability Assessment Pros
  • Clearly defined scope
    • Which systems are evaluated
    • What potential problems are evaluated
  • Identifies most common technical issues
  • Cheapest of the assessment options
  • Repeatable and quantitative

  12. Vulnerability Assessment Cons
  • Can identify A LOT of issues
  • Often lacks contextual risk information
    • Generic risk rankings
    • May not indicate the severity in your environment
  • May not include expert advice/involvement

  13. Security Assessment Definition
  • Definition: Security engagement meant to evaluate the completeness and effectiveness of the security policies, procedures, and technical protections currently in place. Source: Adam Carlson
  • Example: Consultant visits a law firm to evaluate the risk management practices as well as the technical security practices

  14. Security Assessment Pros
  • Provides broader view of current security posture
  • Both technical and non-technical issues identified
  • Risk-based ordering of problems
  • Provides security expert familiarity with environment
  • Tailored guidance and remediation planning

  15. Security Assessment Cons
  • Difficult to do well
  • May be a glorified vulnerability assessment
  • May not be performed by seasoned expert
  • May be focused around the strengths of the assessor
  • May not provide a lot of depth
  • May simply recommend best practices

  16. Risk Assessment
  • Extremely broad term
  • Risk = Likelihood x Impact
  • Could assess either the likelihood or impact (or both)
  • Encompasses other types of assessments
    • E.g. IT security assessment is a form of risk assessment
  • Often focused around a proposed change or idea
    • E.g. Risk assessment of using a cloud-based storage system

  17. Risk Assessment Pros
  • Requires involvement from business owners and IT
  • Used to identify valid business problems
  • Puts technical issues in context
  • Evaluates the impact of those problems
  • Prioritizes risks
  • Informs investment decisions

  18. Risk Assessment Cons
  • Requires involvement from business owners and IT
  • Relies on imperfect information
    • Likelihood often unknown
    • Impact often unknown
  • May result in many findings with equivalent risk level
  • Expensive to do a broad and thorough risk assessment
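The following is an added worked example, not part of the slide deck, showing what slides 16 and 18 describe in practice: findings scored with Risk = Likelihood x Impact, then ranked. The 1-5 scales, the constructed sample findings, and the impact-first tie-break are all assumptions made for this example; the deck itself does not prescribe them. Two of the deck's stated cons show up directly: a finding with an unknown likelihood cannot be scored at all, and several findings land on the same score, so the formula alone cannot order them.

```python
"""Risk register scoring: Risk = Likelihood x Impact (illustrative example,
not code from the presentation). Scales and sample data are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SCALE = range(1, 6)  # assumed 1..5 ordinal scale for both likelihood and impact


@dataclass(frozen=True)
class Finding:
    name: str
    likelihood: Optional[int]  # None when the business cannot estimate it
    impact: Optional[int]      # None when the business cannot estimate it


def risk_score(f: Finding) -> Optional[int]:
    """Return likelihood * impact, or None when either input is unknown.
    Rejects values outside the assumed scale so a typo cannot silently
    inflate or deflate a ranking."""
    if f.likelihood is None or f.impact is None:
        return None
    if f.likelihood not in SCALE or f.impact not in SCALE:
        raise ValueError(f"{f.name}: likelihood/impact must be in 1..5")
    return f.likelihood * f.impact


def rank_findings(findings: List[Finding]) -> Tuple[List[Finding], List[Finding]]:
    """Split findings into (ranked, unscorable).

    Ranked findings are sorted by score descending. Ties are broken by impact
    descending (an assumption: when two risks score equally, the one that hurts
    more if it happens is listed first), then by name for a stable order.
    Unscorable findings are returned separately so they are not dropped: they
    need an estimate from the business owner before they can be prioritized."""
    scored, unknown = [], []
    for f in findings:
        (unknown if risk_score(f) is None else scored).append(f)
    scored.sort(key=lambda f: (-risk_score(f), -f.impact, f.name))
    return scored, unknown


def equivalent_groups(ranked: List[Finding]) -> Dict[int, List[str]]:
    """Group ranked findings that share a score. Groups with more than one
    member are exactly the 'many findings with equivalent risk level' problem:
    the formula gives no basis for ordering them, and the tie-break in
    rank_findings is a policy choice layered on top."""
    groups: Dict[int, List[str]] = {}
    for f in ranked:
        groups.setdefault(risk_score(f), []).append(f.name)
    return {score: names for score, names in groups.items() if len(names) > 1}


# Constructed sample register for a small law firm (illustrative values only).
SAMPLE_REGISTER = [
    Finding("Unpatched document management server", likelihood=4, impact=5),
    Finding("Shared admin password on file server", likelihood=5, impact=4),
    Finding("No tested backups for matter archive", likelihood=2, impact=5),
    Finding("Outdated antivirus on attorney laptops", likelihood=5, impact=2),
    Finding("Proposed cloud storage vendor", likelihood=None, impact=4),
]


def main() -> None:
    ranked, unknown = rank_findings(SAMPLE_REGISTER)
    print("Ranked findings:")
    for f in ranked:
        print(f"  {risk_score(f):>2}  {f.name}")
    for score, names in equivalent_groups(ranked).items():
        print(f"Tie at score {score}: {', '.join(names)}")
    for f in unknown:
        print(f"Needs an estimate before it can be ranked: {f.name}")


if __name__ == "__main__":
    main()
```

Running it lists the two score-20 findings first and the two score-10 findings next, reports both as ties, and sets the cloud storage proposal aside because its likelihood was never estimated. That last case is the normal outcome when a risk assessment is run on a proposed change rather than on a system already in production, and it is why the deck insists on business-owner involvement.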

  19. So Which Do I Want?
  • A penetration test is best used:
    • To scare management into investing
    • To identify weaknesses in a very mature security program
  • A vulnerability assessment is best used:
    • To validate effective patch management and system configuration practices
    • To evaluate exposure to the most common technical attacks

  20. So Which Do I Want? (cont.)
  • A security assessment is best used:
    • To identify more than just technical vulnerabilities
    • To perform a compliance gap analysis
    • To engage an external security resource
  • A risk assessment is best used:
    • To evaluate the importance of a possible security investment
    • To evaluate the impact of a proposed change

  21. Bonus! Web Application Vulnerability Assessment
  • Definition: The process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a web application. Source: http://en.wikipedia.org/wiki/Vulnerability_assessment + Adam Carlson
  • Example: Performing a code review and penetration test against an internally developed web application.
  • Best used to secure applications managing highly sensitive data or those available over the Internet.

  22. Recommended Prioritization
  • External vulnerability assessment
  • Internal vulnerability assessment
  • Security assessment
  • (anything else worth investing in)
  • Penetration test

  23. A Few Considerations
  • “White box testing” provides the most value
  • Security assessments often include vulnerability assessments (but not always)
  • “Penetration tests” offered by many vendors are actually security assessments
  • Vulnerability assessments can now be easily performed via SaaS (nCircle PureCloud, Qualys, Nessus, etc.)

  24. Tips For A Successful Project
  • Enumerate the goals of the engagement:
    • What is the ideal scope?
    • What knowledge should be gained?
    • Who is the intended audience?
  • Understand your budget
  • Compare your options

  25. Evaluating Potential Vendors
  • Consider an RFP/RFI template
  • Ask about the process
    • Who will do the assessment?
    • What will the report/deliverable look like?
    • How will post-engagement questions be answered?
  • Ask them to explain their strengths/differentiators
  • Ask for references
  • Think about your future together

  26. Don’t Pay To Be Told…
  • To patch your systems
  • To run a firewall
  • To run up-to-date antivirus
  • To put data backups in place
  • That security policies are important
  • Etc.
  • Do a self-assessment instead (SANS Top 20, LegalSEC)

  27. Questions/Comments
  • Thanks for joining us today!
  • Please say hi at SharePoint/LegalSEC next week
  • Continue the discussion
    • #LegalSEC
    • @ajcsec on Twitter
    • adam.carlson@intapp.com
