218 A Practical Guide to Security Assessments
In the formula above, one aspect that is not specifically identified in the calculation
that must be addressed is the ongoing cost related to implementing security
recommendations. In the calculation, costs related to the ongoing administration of
the tool (T) are not addressed. In the intrusion detection example above, there is
significant cost related to reviewing logs, incident response, and the ongoing technical
maintenance of the intrusion detection system. This is something to keep in
mind as you determine ROSI.
When making recommendations, one aspect to think about is how well the
recommendation addresses the risk. This is an important concept, and it will be
evident when calculating ROSI. For most risks, you can have recommendations that
address the risk in different ways. Although it would be nice to have the best solution
to address a finding and risk, does the client really need it? For that matter, do they
even need something good? It is likely that all they need is a solution that is adequate
enough to address the risk. The reason why this is an important concept is that a
perfect solution might cost double or triple the amount of the adequate solution —
this has a significant impact on ROSI.
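The two points above (ongoing administration cost is missing from the basic calculation, and a "perfect" solution costing double or triple the adequate one can wreck the ROSI) worked through in code. This is an added example, not from the book; it assumes a common ROSI formulation (annual loss reduction minus annualized cost, divided by cost), which may differ from the book's own formula, and all figures are constructed.

```python
# Added example: ROSI for an "adequate" vs. a "perfect" control, with and
# without the ongoing administration cost (log review, incident response,
# maintenance) that the basic calculation leaves out.
# Assumed formula (common formulation; the book's own may differ):
#   benefit = ALE_before * risk_reduction
#   cost    = T / useful_years + admin_cost_per_year
#   ROSI    = (benefit - cost) / cost
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    tool_cost: float            # T: one-time purchase/implementation cost
    useful_years: int           # years over which T is amortized
    admin_cost_per_year: float  # ongoing administration, often forgotten
    risk_reduction: float       # fraction of the ALE the control removes (0..1)


def annual_loss_expectancy(single_loss: float, annual_rate: float) -> float:
    """ALE = SLE x ARO: expected loss per year before any control."""
    return single_loss * annual_rate


def annual_cost(c: Control, include_admin: bool = True) -> float:
    """Annualized cost of the control, optionally charging administration."""
    cost = c.tool_cost / c.useful_years
    if include_admin:
        cost += c.admin_cost_per_year
    return cost


def rosi(c: Control, ale: float, include_admin: bool = True) -> float:
    """Return on security investment as a ratio (0.5 == 50% return)."""
    benefit = ale * c.risk_reduction
    cost = annual_cost(c, include_admin)
    return (benefit - cost) / cost


if __name__ == "__main__":
    # Constructed figures for one finding; not real client data.
    ale = annual_loss_expectancy(single_loss=200_000, annual_rate=0.25)  # 50,000/yr
    adequate = Control("adequate IDS (one sensor)", 30_000, 3, 20_000, 0.70)
    perfect = Control("best-of-breed IDS (full coverage)", 90_000, 3, 45_000, 0.90)
    for c in (adequate, perfect):
        print(f"{c.name}: ROSI without admin {rosi(c, ale, False):.2f}, "
              f"with admin {rosi(c, ale):.2f}")
```

Ignoring administration makes the adequate control look like a 250% return; charging it, the return falls to about 17%, and the three-times-dearer "perfect" control turns negative.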
Some people do not go through this type of calculation and instead try to
demonstrate the cost benefit by utilizing the F.U.D. (Fear, Uncertainty, Doubt)
method. The theory with F.U.D. is that management will implement security measures
out of sheer fear that something might happen. As people are becoming more
knowledgeable about security, F.U.D. is becoming less of a factor when deciding
whether or not to implement security measures. Consequently, this is not an advisable
method when justifying recommendations.
The bottom line is that cost benefit and ROSI must be considered when making
recommendations. For recommendations that require significant outlay of money or
resources or significant changes in processes, decision makers will certainly ask
questions on the cost benefit and the ROSI of implementing the recommendation.
It is really no different than what is done with other major projects. Being able to
demonstrate the cost benefit and the ROSI is like making a business case for the
investment. As security practitioners, we need to think in financial and business
terms to present an accurate picture to management. The trend now is that decision
making as it pertains to information security is resting with business unit personnel,
not IT. “The Yankee Group expects security budgets to increase in 2004. But companies
will no longer spend for security’s sake. The enterprise model for security
decision making has changed to include line-of-business managers. The biggest
discovery in this model is the shift in influence from technology decision-makers to
the lines of business.”³ As many of the elements of the ROSI calculation are subjective,
the cost-benefit analysis will force you to make certain projections and
estimations about the probability of a security incident and the potential impact. It
is critical to have a good knowledge of the business to make the estimations required
in calculating ROSI. With time and experience, this becomes an easier process.
OTHER GENERAL RECOMMENDATIONS
After the actual security assessment is complete, some other long-term recommendations
should be considered. Making these recommendations depends on certain
factors such as staffing levels and how much accountability is in the organization.
The recommendations include:
• Ongoing assessments
• Managed services
• Service-level agreements
These recommendations do not necessarily address specific risks, but they do
address more strategic weaknesses such as lack of proper staff and the desire to
focus on core competencies. They are long-term initiatives to strengthen the security
posture in a cost-effective manner. These recommendations are not appropriate in
every environment, but they are worth considering.
Ongoing Assessment
Once findings are presented and the security assessment is complete, clients should
think of how to ensure that their environment is secure on an ongoing basis. Ideally,
the security assessment process should be something that is happening all the time.
This is especially true for companies with a heavy dependence on technology
because technology is changing so rapidly. Reviewing a company’s security posture
after long periods of time is both expensive and to some extent ineffective for two
reasons.
First, a full-blown security assessment after a long period of time is expensive
and time consuming. Because the security posture has not been reviewed for a
significant time period, everything has to be reviewed — previous knowledge cannot
necessarily be leveraged. Because of the time lapse, gathering information for the
security assessment is like starting from scratch. This does not mean that security
measures have not been taken as the business has changed. However, because no
analysis has been done on an ongoing basis, there is little assurance that security
measures are commensurate with the associated risks.
Second, companies that look at their security postures after long periods of time
might not be making the best decisions from a security perspective because they are
not up to speed on the risks facing their organizations. The more frequent reviews
allow management to be more in tune with information security requirements for
the company and thus make better and more proactive decisions, ultimately resulting
in a more secure environment.
A good recommendation to give clients at the conclusion of a security assessment
is to use the initial security assessment as a “baseline” and have some type of ongoing
assessment. This is similar to what many large companies have with their internal
audit function. Many companies have IT audit as a part of the internal audit function,
where some IT areas are audited in conjunction with the financial and operational
audit. One approach that internal audit departments take is a risk-based approach to
auditing the company in which the company’s operations are classified based on
risk categories. This analysis is then used to determine what will be audited and
how often. If this process is already in place for internal audit, information security
should be reviewed in a similar manner in conjunction with internal audits. If there
is no internal audit function, some type of periodic assessment or audit should be
done by internal resources or third-party consultants.
One issue with ongoing assessments is that some small and mid-size companies
may feel they are too expensive or unnecessary. These companies might not necessarily
see the value in doing ongoing assessments, especially if they have not had
any security incidents. With these companies, it is important to point out that taking
a proactive approach to information security will ultimately benefit them. One
incident, such as computers being infected with viruses or a disgruntled employee
doing major damage because his or her access was never revoked, can be far more
costly than the cost of having a periodic assessment done. Ongoing security assessments
surface information security concerns so that companies can proactively take
action and minimize any associated risks.
Managed Security Services
Managed security services are essentially outsourced security services, where a third
party manages parts of the security infrastructure. For example, an outsourcer might
manage firewalls, routers, or intrusion detection systems. The justifications and
arguments for managed security services are similar to those for other types of
outsourcing and include:
• Companies should concentrate on their core competencies — i.e., companies
  should focus on what they are good at and hire experts to handle
  noncore operations such as IT and security.
• Outsourcing security is a cheaper and better alternative than trying to do
  it in house.
• Outsourcing security allows the company to stay up to date with current
  technology related to security.
• Security is managed on a 24/7 basis.
What is the relevance of managed security in a security assessment? As you
perform the security assessment and develop the findings and recommendations, one
thing to think about is whether the company has the resources to implement the
recommendations you are proposing. As part of the assessment, you should be
thinking about whether the client’s current staff has the expertise and time to
implement the recommendations and the time to do the additional administration
associated with those recommendations (if any). If they do not, managed security
is a potential alternative in certain cases that should be considered to possibly address
some areas of security. Some of the managed services being offered in the market
today include:
• Managed vulnerability assessments — Managed vulnerability assessments
  are regular scans that are run against a company’s network (or some
  portion of the network) with little human intervention. The scan looks at
  various system settings and compares them against what are considered
  best practices. The results of the comparison are reported to the client. It
  is the client’s responsibility to interpret these results and determine which
  are legitimate and should be fixed and which should not. With managed
  vulnerability assessments, the critical aspect is having good reports, being
  able to interpret them, and making the appropriate fixes. The automated
  vulnerability scan by itself is meaningless unless it is interpreted and acted
  upon. One potential issue for clients is that they may not have the in-house
  expertise to interpret the report, in which case some third party
  should be hired to do so.
• Managed firewall — Managed firewall service is when an outsourcer
  administers the client’s firewall. Managing a firewall can be complicated,
  and although it is an integral part of the security infrastructure, clients do
  not necessarily have the appropriate expertise. Some of the services that
  managed firewall vendors will perform include:
    - Monitoring — Personnel review traffic passing through the firewall.
      This can be accomplished by using automated tools to help in the
      review process.
    - Rule base changes — Personnel will make changes to the firewall rule
      base as business requirements change and different traffic is allowed
      or not allowed into the network.
    - Security patches — Personnel install security patches on firewalls as
      they are released from the firewall vendor.
    - Management reporting — Managed firewall vendors normally have a
      set of standard reports that are offered with their managed service.
      These reports are one way of managing the outsourcing vendor and
      ensuring that service levels are being met.
  Different vendors vary in the way in which they provide the service. Many
  vendors are limited in what firewalls they support, so some flexibility is
  lost. As with any service that is outsourced, clients should ensure that the
  managed firewall vendor is legitimate. Due diligence must be performed
  before selecting a vendor, and the client must understand that the relationship
  with the managed firewall vendor is not a turnkey relationship.
  Because of the criticality of the piece of the security infrastructure managed
  firewall vendors handle, the client must manage the relationship properly.
• Managed intrusion detection — Managed intrusion detection is when a
  vendor monitors potential intrusions for a company. The services can be
  for network-based detection, where certain network segments are monitored,
  or host-based detection, where specific machines are monitored. At
  a high level, agents are installed on networks or hosts, which watch traffic
  and determine whether a potential attack is in process. If one is in process,
  an alert is sent to the console at the managed security provider’s location,
  which operators are constantly monitoring. Operators then classify and
  send the alert to the client. Note that the attack is not prevented — it is
  only detected and reported. The basic items that a managed intrusion
  detection service offers include:
    - Alert notification — Alert notification is the main element of the managed
      intrusion detection service. As attacks are detected, clients are
      notified of the event. Clients then must decide what action, if any, to
      take.
    - Attack signature updates — As new attack patterns are discovered, the
      intrusion detection system should be updated to ensure it can detect
      them.
    - Management reporting — The managed security service should provide
      some management reports that give the client management a sense for
      what type of intrusion activity is occurring. The managed security
      service provider should have some canned standard reports available.
      The provider might also be able to create other reports as required.
    - Mitigation support — Once clients are notified of a potential intrusion,
      they must decide what action (if any) they are going to take. The action,
      in most cases, is not obvious and requires expertise and some research
      to determine what to do. Many companies do not have the in-house
      expertise to do the research and determine a fix. As a result, some
      Managed Security Service Providers (MSSPs) provide mitigation support,
      where they give technical assistance with responding to an intrusion.
      MSSPs will normally have information repositories available to
      help research how to fix vulnerabilities.
The decision to go with managed security should not be taken lightly because
with outsourcing, someone else is managing a critical component of the IT infrastructure
and there is a loss of control. Although the MSSP is managing certain
elements of security, the company is still ultimately responsible for the security of
its information assets. If something goes wrong, the company will feel the impact
and be held accountable. As a result, clients must be willing to actively manage the
MSSP and hold it accountable for the services for which the business contracted.
If the client makes a decision that managed security is proper for them, you
should advise them to look carefully at providers and do a proper due diligence
before making a decision. When comparing different MSSPs, it is important to
clearly understand what each is offering so fair comparisons and the best decision
can be made. You can also refer to the Managed Security Questionnaire for some
questions to ask when choosing a managed security provider.
DISCUSS DRAFT REPORT WITH CLIENT
The next step of this phase is to review the draft report with the client (Figure 8.4).
At this stage, you should have a good draft of the report, which the client can review.
Unlike the previous status meetings where findings were primarily reviewed, risks,
recommendations, and the rest of the report are reviewed at this meeting. This
meeting should include the people from the client side whom you have been working
with throughout the assessment, with the main purpose of giving them the opportunity
to provide feedback on the entire report. The structure of this meeting is to
walk through the report and obtain feedback from the client. The structure of the
final report is something that the client should already have seen. At this time, the