BEST PRACTICES FOR PERFORMING AN INFORMATION SECURITY ASSESSMENT - SOUTECH NIGERIA TIPS
By Esang U. E
Dear reader, do you know the best way to measure information security risk? My favorite answer is to dive in immediately and find the vulnerabilities that are specific to your systems and applications. This can be likened to a person going through different tests to learn the state of their health: blood tests and analysis, magnetic resonance imaging and the like. Some IT experts refer to this kind of exercise as an IT security audit, while others call it penetration testing. I will say that when you are performing an in-depth analysis of any IT infrastructure, it is not just about comparing policies to how things actually work and trying to prove a point. This is why I prefer to call the exercise an information security assessment. An information security assessment is a broader and more meaningful standard for unravelling the areas where security policies and procedures are lagging.
The ultimate goal of security testing is to find and fix any weaknesses in a system before anyone gets to exploit them, and this is the core reason why the semantics of security testing are debated. It is therefore the duty of every security professional to ensure that the proper steps and measures are taken so that risk identification is understood. Let us put ego and politics aside and ensure that the key components of an effective information security scheme are given the attention they deserve. What are the key components of a detailed information security assessment?
1. Support: One of the most important components is the support of management, because no information security assessment scheme can succeed without first receiving it. If the leadership of an organisation is not willing to invest its resources heavily in making sure that its IT infrastructure is protected to a great extent, then the battle will be much more uphill. The focus should be on getting and keeping the right team on board across the organisation. The target should not be just management but also the security staff and the other members of the team.
2. Scope: This is a very vital phase of an information security assessment, and I have seen many examples where applications, systems and even entire IT networks were excluded from security testing. The reasons are usually the same: insufficient time and lack of money. As much as you need to fine-tune the scope of your work, you have to make sure that all the critical systems are looked at, and as soon as possible. Over time, you may need to look at your whole environment, because it only takes one seemingly benign system, network segment or security process to put everything in jeopardy. The systems to be considered are the external and internal systems, the systems hosted in the cloud by third parties, and the marketing website. It is also absolutely necessary to do authentic security testing of both the web applications and the operating systems. Ensure that a fair test is conducted on the people, the processes and all the physical systems.
3. Testing: The testing phase should begin with a vulnerability scan using a vulnerability scanner, followed by manual analysis to discover the areas that are susceptible to attack in the context of the business environment. This phase usually includes activities like:
- Password cracking
- Wireless network analysis
- Email phishing
The most important thing in this phase is to review the business environment from an attacker's viewpoint in order to see the areas that can be exploited, and then demonstrate what could happen so that the issue can be analysed and steps taken towards resolving it.
4. Reporting: Producing a 500-page PDF report from a vulnerability scanner will neither make the issues easy to understand nor prevent them from happening. The aim is a security assessment report that is concise, prioritizes the findings and recommends the way out. The report does not have to be lengthy, but it needs to be drafted in a way that cuts to the chase and gives a detailed outline of the specific areas of weakness that should be given immediate and proper attention. This is done from the viewpoint and with the professionalism of the security professional, taking the business and its systems into account. IT security auditing and penetration testing are the elements incorporated here as well. There are many standards for drafting good reports, but I'm usually not a big fan of following too many standards; I advocate that you draft something that works for you. You can look at templates such as CVSS (Common Vulnerability Scoring System) and similar ratings, which would assign a severe rating to SNMP (Simple Network Management Protocol) being enabled with its two default community strings. If that is rated as very high risk, then what about the dangers of a weak firewall password, missing patches that are remotely exploitable, or SQL injection in in-house web applications? Common sense should apply here; the worst kind of information security assessment is one performed without a formal report of the issues that need to be resolved.
5. Resolution: After a detailed report has been made, we must take all the discovered problems and develop solution plans for them. Above all, problems should be found and fixed. I have seen security reports that still contain unacknowledged and pending findings long after the assessment. There is an easy fix, which involves assigning responsibilities and ensuring that everyone is held accountable. The usual cycle for performing your information security assessments spans from 6 months to a year, depending on the environment. An alternative is to follow up within 30 to 45 days after the report is drafted to perform remediation validation of all the critical and highly prioritized findings.
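As an added example (not from the original article), here is the kind of concise, prioritized findings register that the reporting and resolution steps above call for, in Python: each finding carries a CVSS base score, and the report ranks it, names the accountable owner and sets the 30-to-45-day validation deadline for critical and high findings. The context adjustment heuristic and the sample findings are assumptions constructed for illustration; the severity bands are the published CVSS v3 ranges.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Finding:
    title: str
    cvss: float           # CVSS base score from the scanner or the assessor
    exposure: str         # "external" or "internal": where the weakness is reachable from
    asset_critical: bool  # True when the affected system is business critical
    owner: str            # the person held accountable for the fix

def cvss_severity(score):
    # Published CVSS v3 qualitative bands
    if score < 4.0:
        return "Low" if score > 0.0 else "None"
    if score < 7.0:
        return "Medium"
    return "High" if score < 9.0 else "Critical"

def priority(f):
    # Context-adjusted score (an assumed heuristic, not part of any standard):
    # start from CVSS, add for external reachability and for critical assets,
    # and cap at 10 so it still reads on the CVSS scale.
    adjusted = f.cvss + (1.0 if f.exposure == "external" else 0.0)
    adjusted += 0.5 if f.asset_critical else 0.0
    return round(min(adjusted, 10.0), 1)

def validation_due(f, reported):
    # Remediation-validation date: 30 days for Critical, 45 for High (the
    # 30-to-45-day follow-up window); lower ratings wait for the next cycle.
    days = {"Critical": 30, "High": 45}.get(cvss_severity(priority(f)))
    return (reported + timedelta(days=days)).isoformat() if days else None

def prioritized_report(findings, reported_iso):
    # Concise ranked summary: one row per finding, highest priority first,
    # each with an accountable owner and a validation deadline.
    reported = date.fromisoformat(reported_iso)
    return [{"title": f.title, "priority": priority(f),
             "severity": cvss_severity(priority(f)), "owner": f.owner,
             "validate_by": validation_due(f, reported)}
            for f in sorted(findings, key=priority, reverse=True)]

# Constructed sample findings echoing the ones discussed in the article
SAMPLE = [
    Finding("SNMP enabled with default community strings on a core switch", 5.3, "internal", True, "network lead"),
    Finding("Weak admin password on firewall management interface", 7.5, "internal", True, "network lead"),
    Finding("Missing remotely exploitable OS patch on web server", 9.8, "external", True, "sysadmin"),
    Finding("SQL injection in in-house web application", 8.8, "external", False, "dev lead"),
]
```

Calling prioritized_report(SAMPLE, "2024-01-15") returns the patch and the SQL injection as Critical with a 14 February validation date, the firewall password as High with a 29 February date, and the SNMP finding as Medium with no deadline until the next cycle.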
6. Oversight: This involves ensuring that the security process continues between assessments, which will require things like tweaking the existing systems and software, implementing new technical controls and overhauling the policies and processes. Instead of trying to achieve perfect security, your target should be to keep moving forward towards good security, with a shorter time for catching flaws and resolving them. Management must be engaged with the task of achieving this plan, with the executives kept on board about what is required in terms of compliance and contractual obligations. Whether or not they are interested, the right people must be kept involved to make sure security is maintained. By doing this, return on investment is assured, which is essential for business growth. Note that security must not be out of mind but a priority.
As final words, I will say that the bottom line is that every business organisation has information and computing infrastructure that criminal hackers or malicious attackers are interested in for their own gain. Of course, you know that you cannot be totally safe or immune from information risks and attacks, so you must know the value of information security assessments. I would advise organisations and businesses not to depend on IT security auditing and penetration testing to be safe. Neglecting IT security assessments is not a defensible option under due care. Furthermore, take time to properly plan and strategize how to perform the information security assessment, ensuring that the task is completed and that the proper staff members in IT, development, management and elsewhere are apprised of the findings so the matters can be resolved.
Some security professionals and vendors will try to paint information security assessment as not a difficult exercise to perform and not a very expensive project given its virtual return on investment. But I must tell you that your information security program will be a deep reflection of what you invest in it. That means if you fail at it, you stand a huge chance of shutting down your infrastructure. So I will leave you with a quote from Warren Buffett, which says “you only have to do a very few things in your life so long as you don’t do too many things wrong.” Assessments are not and never will be the perfect solution to your security problems, even when performed periodically or consistently. Having tall fences, a big and strong gate and armed men at your gate does not guarantee your safety 100%. However, there is a big level of assurance that if you choose to ignore this exercise, history will surely repeat itself.
You can subscribe to our services at Soutech Ventures to get the security ideas you need to carry out a detailed and successful information security assessment. You can also take our Ethical Hacking course from EC-Council, which is designed to educate you and give you hands-on knowledge of how to secure your infrastructure.