54
A Practical Guide to Security Assessments
impossible for an average IT staff to do manually. This clearly underscores the
importance of toolsets.
Tools are available both commercially and in the form of freeware and shareware.
In some cases, companies might have the expertise to develop their own custom
tools. The type of tools you use in your environment will be influenced by a number
of factors, some of which include what is being run on the network, existing security
policies, budget (for purchasing tools), and the level of expertise of the people who
will be using the tools. The tools you use are a matter of preference. The trend today
is to use some combination of commercially available tools, custom-developed tools,
and freeware/shareware, for three reasons:
First, some wonderful tools that are free and community supported provide
much of the functionality that a company would want. Some of the most
widely respected security tools, such as Nmap and Nessus, are available
for free.
Second, most companies have budget constraints, and so if some good tools
can be had for nothing, companies will certainly take advantage of it. Some
companies do take a hard line on downloading tools from the Internet
because there is no assurance that they are not corrupted. Also, with freeware,
there is no recourse — freeware is taken on the basis of “try at your
own risk.” It all depends on the company.
Third, companies want to protect themselves against people who would
potentially break into their systems (i.e., hackers). In most cases, hackers
are using freely available tools to do most of their work. Using these same
tools helps companies simulate what a hacker would do and use that to
protect themselves.
ENFORCEMENT
Enforcement (Figure 3.8) is the final yet critical component of an information
security program. Enforcement in the context of an information security program
consists of actively ensuring that information security policies and procedures are
followed. Enforcement can take place using manual procedures or can be automated
using functionality available in existing systems (e.g., strong password policies can
be enforced automatically in systems such as Microsoft Windows 2000). To the
extent that enforcement can be automated, it should be, because automation results
in greater compliance. Manual enforcement of security policies and procedures is a bit more
difficult. The security organization, as discussed earlier, would have people carry
out these enforcement activities. Besides these individuals, the IT audit part of an
internal audit department would likely conduct some enforcement-related activities
as well. For enforcement to be successful, strong upper management support for
good security practices is necessary. Without management support, enforcement has
no “teeth.” Auditors or other members of a security organization may try to enforce
security policies and procedures and not get very far because no repercussions for
noncompliance exist. Conversations with people in different companies have uncovered
numerous stories of where business groups are given a report that documents
AU1706_book.fm Page 54 Wednesday, July 28, 2004 11:06 AM