178
A Practical Guide to Security Assessments
some processes through observation to verify that they were being done the way
they were explained to you. On the technology side, you have also conducted
interviews with technology owners, but you have not looked at anything in
detail; for example, you have not reviewed the configuration settings on
individual machines to determine whether they are secure. To really understand
the security posture of a company, you must examine the critical technologies
in detail and determine what vulnerabilities exist. These are technical
vulnerabilities, which technology owners may or may not know about, depending
on how much they do from a security perspective. Unlike process-focused
vulnerabilities, which can be subjective, the vulnerabilities found in technical
testing tend to be objective, with fairly clear fixes, and they are the kinds of
weaknesses that attackers have exploited in the past. For each of them, the
choice is either to fix it or to demonstrate that it is the result of a required
business process.
It is very likely that one of the reasons you were asked to conduct the security
assessment was your expertise in performing this type of detailed testing. For
the customer's management team, the vulnerabilities in their technology are an
unknown they cannot evaluate themselves. As a security practitioner, you bring
the expertise and the right tools to identify vulnerabilities on systems, and
you know which resources to tap into to determine whether a given system is
vulnerable. This knowledge and expertise are what make hands-on testing
successful. Hands-on testing is performed for these reasons:
• Verification — Up to this point, everything you know is based on what
people in the company have told you. Some of that information is critical
enough to verify with hands-on testing. This does not mean you are being
misled; it is entirely possible, and indeed common, that what people believe
about their environment is not actually the case. IT staffs are stretched
thin, and in some companies no one owns security, so it is perfectly
reasonable to expect that some things fall through the cracks. Patching is a
good example: many companies need to do a better job of staying current with
patches, and in large environments (and even some small ones) this is a
daunting task. Falling behind on certain patches can have major security
implications, depending on the technology and the patch. So even if you are
told that all patches are up to date, it is worthwhile to scan, or manually
review, some of the critical machines to verify it. The testing will either
confirm or contradict what you have been told about patching, which
strengthens the results of the security assessment, and depending on the
results you may also be able to offer some valuable recommendations. How much
detailed testing to perform is a judgment call based on which business
processes the technology supports, how critical a component it is in those
processes, and the risk associated with the technology and how it is
administered.
• Perception — Depending on the audience, detailed testing is very
important. For many people who understand the vulnerabilities associated with
technology, a security assessment without going hands-on into the system
AU1706_book.fm Page 178 Tuesday, August 17, 2004 11:02 AM
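One concrete form of the patch-level verification described under Verification above, as an added example that is not from the book: rather than accepting "all patches are current" from an interview, pull the package inventory from a critical host and compare each installed version against the minimum version an up-to-date host should carry. The dpkg -l lines, the baseline versions and the package selection below are constructed for the example (they are not real advisory data); the version comparison follows the Debian/dpkg ordering so that cases such as 1.2.10 versus 1.2.9, epochs and ~pre-release suffixes are handled correctly, which naive string comparison gets wrong.

```python
"""Verify a reported patch level from a host's package inventory.

Added example, not from the book. The dpkg -l lines and the minimum
("baseline") versions are constructed for illustration only.
"""

# Constructed inventory in the layout of `dpkg -l` output
# (status, name, version, architecture, description).
SAMPLE_DPKG = """\
ii  openssh-server  1:8.2p1-4ubuntu0.5  amd64  secure shell (SSH) server
ii  openssl         1.1.1f-1ubuntu2.16  amd64  Secure Sockets Layer toolkit
ii  sudo            1.8.31-1ubuntu1.2   amd64  Provide limited super user privileges
"""

# Constructed baseline: the lowest version an up-to-date host should carry.
BASELINE = {
    "openssh-server": "1:8.2p1-4ubuntu0.5",
    "openssl": "1.1.1f-1ubuntu2.17",   # one patch level newer than what is installed
    "sudo": "1.8.31-1ubuntu1.2",
    "nginx": "1.18.0-0ubuntu1.4",      # not installed on this host, so not a finding
}


def _char_order(c):
    """dpkg ordering for non-digit characters: '~' sorts before everything,
    end of string next, then letters, then other punctuation."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _compare_fragment(a, b):
    """Compare an upstream-version or revision fragment the way dpkg does:
    alternate non-digit runs (character by character) and digit runs (numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: a side that is already at a digit (or at the end) contributes "".
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ca = a[i] if i < len(a) and not a[i].isdigit() else ""
            cb = b[j] if j < len(b) and not b[j].isdigit() else ""
            if _char_order(ca) != _char_order(cb):
                return -1 if _char_order(ca) < _char_order(cb) else 1
            i += 1 if ca else 0
            j += 1 if cb else 0
        # Digit run: compared as integers, so "10" is newer than "9".
        na = nb = ""
        while i < len(a) and a[i].isdigit():
            na += a[i]
            i += 1
        while j < len(b) and b[j].isdigit():
            nb += b[j]
            j += 1
        ia, ib = int(na or "0"), int(nb or "0")
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def split_version(version):
    """Split 'epoch:upstream-revision' into its parts (epoch and revision are optional)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    revision = ""
    if "-" in version:
        version, revision = version.rsplit("-", 1)
    return epoch, version, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to, or newer than b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _compare_fragment(ua, ub) or _compare_fragment(ra, rb)


def parse_dpkg_list(text):
    """Map package name -> installed version for lines with status 'ii' (installed)."""
    installed = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "ii":
            installed[fields[1]] = fields[2]
    return installed


def find_unpatched(installed, baseline):
    """Return (package, installed, required) for each baseline package that is
    present but older than required. Absent packages are not exposed and are skipped."""
    findings = []
    for pkg, required in baseline.items():
        have = installed.get(pkg)
        if have is not None and compare_versions(have, required) < 0:
            findings.append((pkg, have, required))
    return findings


if __name__ == "__main__":
    for pkg, have, need in find_unpatched(parse_dpkg_list(SAMPLE_DPKG), BASELINE):
        print(f"{pkg}: installed {have}, patched baseline requires {need}")
```

In practice the inventory comes from `dpkg -l` (or the equivalent package manager listing) on each critical host, and the baseline from the vendor's security advisories; the point of the check is that the comparison is done against evidence from the machine, not against what the administrator remembers.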