Technology Evaluation
FIGURE 7.3 Meet with technology owners and conduct detailed testing.
[Figure: "Evaluate Technology Environment" process flow. Steps shown: General review of technology and related documentation; Develop question sets for technology reviews; Meet with technology owners and conduct hands-on testing; Analyze information collected and document findings; Status meeting with client.]
AU1706_book.fm Page 175 Tuesday, August 17, 2004 11:02 AM
A Practical Guide to Security Assessments
what you are doing.” From the time that subject matter experts are identified on the business or technology side, the single point of contact should get the message out or work through other management to make sure the message is out. Technology owners must understand what the security assessment is all about, why it is being done, and what their role is. If the participants have that understanding, it makes it that much easier when you talk to them about the particular technology they work with. The other benefit of informing technology owners early is that if anyone is identified who might not be the right person to work with, you will know sooner rather than later, which provides the opportunity to find the right person.
Some of the key messages that should be communicated to technology owners when scheduling interviews to help put them at ease if necessary include:
• Technology owners should be informed about what has been done in the security assessment so far.
• They should realize that the quality of the final deliverable is directly dependent on the quality of the information that the various subject matter experts provide.
• Technology owners (this is also true for business process owners who participate in the security assessment) should know that they will have an opportunity to comment on the findings and recommendations in the report. Ideally, they should see the findings and recommendations as soon as they are developed. The key point here is that they will have the opportunity to say whether a particular recommendation is feasible or if they may perhaps have a better way to address the security issues.
On a more logistical level, the technology owners should understand that hands-on testing will be done on various machines. In some cases, individuals performing the testing might need temporary access to different machines or devices on the network. Assessing the security related to the key technologies is critical to the success of the overall security assessment. Technology owners can add tremendous value in ensuring this success because of their knowledge. As a result, it is very important that technology personnel are in the loop with the security assessment and understand why it is happening.
For this step of the security assessment, there are two components: interviews with
the technology owners and hands-on testing of the critical systems.
INTERVIEWS
The interviews are conducted using the question sets to guide the conversation. As with the interviews conducted with the business process owners, the conversation will not necessarily follow the order of your questionnaire; however, the questionnaire will help ensure that you have covered everything you needed to cover. The interviews with the technology owners will include both process-related questions and technical questions about the technology they specifically manage. You may find that some of the information you receive from the technology owners is information you already know because of your previous conversations. It is still valuable to hear this because it will help you ensure that everyone is on the same page with regards to the technology.
When recording the results of the meeting, it is valuable to document processes
through some type of flowcharting method. In fact, you can take any flowcharts that
were developed during the last phase, and the technology can almost be overlaid on
top of the processes. This is an excellent technique to help you tie in the technology
to the business processes. It also helps you identify where the holes or single points
of failure potentially exist on the network. This analysis will help you further confirm
the technologies on which you have chosen to conduct detailed testing.
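The overlay described above can be done on paper, but it is also easy to model: each step of a business process is tied to the technologies that can carry it out, and a step with only one supporting technology is a potential single point of failure. The script below is an added example, not from the book, and its process names, step names and technology names are constructed sample data; it flags single points of failure, technologies shared by several critical processes, and a rough testing priority derived from both.

```python
"""Overlay technologies on business-process flows and flag single points of failure.

Added example (not from the book). All process and technology names below are
constructed sample data for illustration.
"""
from collections import defaultdict

# Constructed sample: each business process is a sequence of steps, and each step
# lists the technologies that can carry it out (more than one means redundancy).
PROCESSES = {
    "order-to-cash": [
        ("take order", {"web-store", "call-center-app"}),
        ("process payment", {"payment-gateway"}),
        ("ship goods", {"warehouse-system"}),
    ],
    "payroll": [
        ("collect hours", {"timeclock"}),
        ("calculate pay", {"payroll-app"}),
        ("transfer funds", {"payment-gateway"}),
    ],
    "customer-support": [
        ("log ticket", {"ticketing-app"}),
        ("look up order", {"web-store", "call-center-app"}),
    ],
}

# Constructed: processes the business-process interviews identified as critical.
CRITICAL_PROCESSES = {"order-to-cash", "payroll"}


def single_points_of_failure(processes):
    """Map each technology to the (process, step) pairs that depend on it alone."""
    spof = defaultdict(list)
    for name, steps in processes.items():
        for step, techs in steps:
            if len(techs) == 1:
                (tech,) = techs
                spof[tech].append((name, step))
    return dict(spof)


def shared_dependencies(processes, critical):
    """Technologies used by more than one critical process; a weakness there has wide impact."""
    users = defaultdict(set)
    for name, steps in processes.items():
        if name not in critical:
            continue
        for _, techs in steps:
            for tech in techs:
                users[tech].add(name)
    return {tech: sorted(procs) for tech, procs in users.items() if len(procs) > 1}


def prioritise_testing(processes, critical):
    """Rank single-point-of-failure technologies for detailed testing.

    Sort key: number of critical processes that depend on the technology alone,
    then total number of dependent steps. Ties keep dictionary order.
    """
    spof = single_points_of_failure(processes)
    score = {}
    for tech, uses in spof.items():
        critical_users = {proc for proc, _ in uses if proc in critical}
        score[tech] = (len(critical_users), len(uses))
    return sorted(score, key=lambda tech: score[tech], reverse=True)


if __name__ == "__main__":
    for tech, uses in single_points_of_failure(PROCESSES).items():
        print(f"SPOF {tech}: {uses}")
    print("shared by critical processes:", shared_dependencies(PROCESSES, CRITICAL_PROCESSES))
    print("testing priority:", prioritise_testing(PROCESSES, CRITICAL_PROCESSES))
```

In practice the input would come from the flowcharts built during the business-process interviews, with the technology column filled in from the technology-owner interviews; the output is a defensible starting list for which systems get hands-on testing.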
When conducting these interviews with technical people, it is critical to have
the right people doing the interviewing. People without the right skill sets can lose
credibility with the client and not gain the information that is required for the
analysis. One of the concerns that the company is going to have is that someone
who is not very qualified is going to talk to them using a checklist or questionnaire
to gather information. If this happens, it can lead to a loss of credibility for those
conducting the assessment.
HANDS-ON TESTING
Hands-on testing requires careful planning with the client’s personnel. You also need
to understand what you are testing and the purpose of it. In keeping with the
methodology discussed in this book, you need to ensure that you are spending the
time testing the technologies that support key business processes. These technologies
should have been identified based on the business process–related interviews and
your meeting with IT management.
When thinking about hands-on testing, you need to consider several factors related to planning, tool selection, etc. In this section, we will discuss all of the relevant facets of hands-on testing, which include the following:
• Reasons for conducting hands-on testing
• Planning considerations for hands-on testing
• Manual vs. automated testing
• Tool selection
• Hands-on testing methodology
Reasons for Conducting Detailed Testing
Before discussing the actual methodology for hands-on testing, it is worth discussing
why we conduct hands-on testing and some of the challenges and risks associated
with it. Hands-on testing is a critical component of a security assessment for a
number of reasons. Up until now, all of the information you have received has been
through interviews and has been largely process focused. You might have tested
some processes through observation to verify that they were being done the way
they were explained to you. Even for the technology, you have conducted interviews
with technology owners. On the technology side, you have not looked at anything
in detail. For example, you have not reviewed certain configuration settings on
machines to determine whether they are secure. To really understand the security
posture of a company, you must look at the critical technologies in detail to determine
what vulnerabilities exist. These are technical vulnerabilities, which technology
owners may or may not know depending on how much they do from a security
perspective. Unlike process-focused vulnerabilities, which can be subjective, the
vulnerabilities found in the technical testing will tend to be objective with fairly
clear fixes. These vulnerabilities are ones that have been exploited in the past by
hackers and the like. With these vulnerabilities, the choice is to either fix them or
demonstrate that the vulnerability is a result of a required business process.
It is very likely that one of the reasons you were asked to conduct a security assessment was because of the expertise to conduct this type of detailed testing. For customer management teams who have requested a security assessment, the vulnerabilities that exist in the technology are an unknown to which they cannot relate. As a security practitioner, you bring security expertise and the right tools to determine vulnerabilities on systems. You also know what resources to tap into to determine vulnerabilities. This knowledge and expertise make hands-on testing successful.
Hands-on testing is performed for these reasons:
• Verification — Up to this point, everything you know is based on what people in the company have told you. Some of the information is critical enough to verify using hands-on testing. This does not mean that you are being misled. It is very possible and probable that what people think is not always the case. IT staffs are stretched very thin and in some companies, no one has any ownership of security. It is perfectly reasonable that some things are going to fall through the cracks. For example, one thing that many companies need to do a better job with is staying up to date with patches. In large environments and even some small ones, this can be a daunting task. Not staying up to date with certain patches can have major security implications depending on the technology and the patch. In this case, even if you are being told that all patches are up to date, it might be worthwhile to scan or manually review some of the critical machines to ensure and verify that patches are up to date. This testing will either confirm or not confirm what you are being told about patches, which will enhance the results of the security assessment. Depending on the results, you might also be able to provide some valuable recommendations. How much or little detailed testing is performed is a judgment call based on what business processes are supported by the given technology, how critical a component the technology is in the process, and the risk associated with the technology and how it is administered.
• Perception — Depending on the audience, detailed testing is very important. For many people who understand the vulnerabilities associated with technology, a security assessment without going hands-on into the system might not carry a whole lot of credibility. For example, in your review of user ID administration practices, you might have been told that users do not have good passwords. Taking that at face value and writing a recommendation where you recite password best practices may or may not carry weight. However, if you take the password file and run a password cracker that guesses 90 percent of the passwords in less than five minutes and use those results as your finding, both the finding and recommendation will carry much more weight. Findings that are backed up with objective hands-on test results are difficult to dispute. The only discussion then is what risk does it pose and whether the associated recommendation is appropriate. The other aspect of perception is that clients will generally expect that some level of detailed testing will be done unless this was specifically taken out of the scope of the assessment via mutual agreement between you and the client. Generally speaking, a security assessment is thought of as having some level of focus on technology, which is understandable as many of the security issues today are due to technology and the related processes. If you do not conduct any hands-on testing of the technology, it is very possible that clients might not be completely comfortable with the results, particularly the technology-related findings and recommendations, thereby potentially reducing the credibility of the whole assessment.
• Quality of results — The quality of the results of the security assessment, to a large extent, will depend on the hands-on testing. As alluded to earlier, some of the findings have more impact if technical and objective testing can back them up. For the more significant findings dealing with technical issues, it is almost imperative to have some technical hands-on testing results to back up the finding. Keep in mind the audience of the deliverable when thinking about the quality of the results. For the executive-level person whose focus is the “big picture,” these details do not matter much. For the IT director or security officer who might be in charge of implementing some of the recommendations you present in the final deliverable, the hands-on testing details are very relevant. The success of the assessment is largely driven by whether or not the company uses the final deliverable as intended — as a “roadmap” to plan short- and long-term security initiatives. On this basis, it is important to understand the needs of the total audience. Specific to this discussion, detailed testing results as they relate to the critical technologies are very relevant for the IT personnel who are charged with implementing the recommendations you make.
• Some information cannot be obtained via interviews — The final aspect of hands-on testing is that some information cannot be obtained via interviews. People just do not know some important technical details off the tops of their heads. An example is security settings in a Windows server. Although a system administrator might know some of the settings, that person probably will not know what all of them are. Another example is a firewall rule base, which dictates what kind of traffic can go through
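Returning to the patch example under Verification above: the claim "all patches are up to date" becomes testable once you have a minimum patched version per package and a package listing collected from each critical machine. The script below is an added example, not from the book; the baseline versions, host names and package listings are constructed sample data, and the version comparison is a simplified approximation of Debian-style ordering rather than the full dpkg rules. It reports, per host, which packages are missing or older than the baseline, so the result either confirms the claim or gives you an objective finding.

```python
"""Verify an interview claim ("all patches are current") against collected host data.

Added example, not from the book. The baseline, host names and package listings
below are constructed sample data; the version comparison is a simplified
approximation of Debian-style version ordering, not the full dpkg algorithm.
"""
import re

# Constructed: minimum patched version the technology owner says is deployed everywhere.
BASELINE = {
    "openssh-server": "1:8.9p1-3ubuntu0.6",
    "openssl": "3.0.2-0ubuntu1.12",
}

# Constructed: tab-separated "package<TAB>version" listings gathered from each host
# (the shape of `dpkg-query -W` output), one string per host.
INVENTORY = {
    "app01": "openssh-server\t1:8.9p1-3ubuntu0.6\nopenssl\t3.0.2-0ubuntu1.12\n",
    "db01": "openssh-server\t1:8.9p1-3ubuntu0.4\nopenssl\t3.0.2-0ubuntu1.12\n",
    "web01": "openssh-server\t1:8.9p1-3ubuntu0.6\n",  # openssl absent from the listing
}


def version_key(version):
    """Split a version string into comparable chunks.

    Digit runs compare numerically, letter runs lexically; the tag in each tuple
    keeps ints and strings from being compared directly (which would raise).
    """
    return [(0, int(part)) if part.isdigit() else (1, part)
            for part in re.findall(r"\d+|[A-Za-z]+", version)]


def parse_inventory(text):
    """Turn a package listing into {package: version}, skipping blank lines."""
    packages = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, version = line.split("\t", 1)
        packages[name] = version
    return packages


def check_host(host, text, baseline):
    """Findings for one host: packages missing from the listing or older than baseline."""
    installed = parse_inventory(text)
    findings = []
    for package, minimum in baseline.items():
        if package not in installed:
            findings.append((host, package, "not installed or not reported"))
        elif version_key(installed[package]) < version_key(minimum):
            findings.append((host, package, f"{installed[package]} < {minimum}"))
    return findings


def verify_claim(inventory, baseline):
    """Check every host; returns (claim_holds, findings) for the assessment write-up."""
    findings = []
    for host, text in inventory.items():
        findings.extend(check_host(host, text, baseline))
    return (not findings), findings


if __name__ == "__main__":
    holds, findings = verify_claim(INVENTORY, BASELINE)
    print("claim confirmed" if holds else "claim not confirmed")
    for host, package, detail in findings:
        print(f"  {host}: {package}: {detail}")
```

A host that simply does not report a package is listed as a finding rather than silently passed, because an incomplete inventory is itself something to raise with the technology owner before the patch status is written up as verified.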