Breaking Down the Enterprise Security Assessment

Presented by: Michael R. Farnum, CISSP

Senior Security Solutions Engineer

Purpose and Audience

SME and Enterprise Security Staff Risk in the assessment What am I missing? How far should I (or the assessor) go?

Assessor / Consultant Risk in the assessment What am I missing? How far should I go?

The Basic Premise

Many enterprise security assessments look at too few attack vectors or do not dig far enough into the attack vectors once a vulnerability has been discovered.

THE BIG MISTAKE

Security assessment = find the vulnerabilities and more of a holistic look at security.

Penetration test = a focused attack of a single or a few vulnerabilities that are generally already known to exist or are suspected of existing.

Pen Test ≠ Assessment

Religious Debate

How far do you dig? Will it break my stuff? Will I be responsible if you break my

stuff?

What about RISK?

Assessment vectors can (and probably should) be based on risk

But... DON’T ASSUME YOU KNOW YOUR RISK!

The Security “ASS”-umption

LET'S DIG INTO THE ASSESSMENT

External Assessment Information Gathering Vulnerability Identification Confirmation and Exploitation (”Pen Test”) Web applications

External Technical Testing

Wireless Testing IdentificationPenetration

War Dialing IdentificationPenetration

External Technical Testing

Vulnerability TestingWorkstations (sampling or images)Servers (maybe sampling)Network Devices

Configuration Review (criticals or sampling)

ServersWorkstationsNetwork Devices

Internal Technical Testing

Network Activity AnalysisThreat (malicious traffic)Traffic (policy compliance)

Applications

Internal Technical Testing

Policies and Standards Review Social Engineering

User environmentPhysical environment

Physical SecurityGap AnalysisPenetration Testing

Non-Technical Testing

Interviews for reviewsArchitecture reviewSecurity coverage reviewCompliance review

Non-Technical Testing

NEVER FORGET ABOUT THE DELIVERABLES

Deliverables

TangiblesDocumentation

Remediation helpStrategy documentAttestation

Raw data

IntangiblesKnowledge transferWorkshopsPresentations

Deliverables

AKA – Follow-Up TestingVery important, especially for compliance

Point in time security is NOT security

Develop a security program

Remediation Verification

Summary

Get the terms straightDon’t ignore risk, but don’t assume you know all your vectors

Deliverables (tangible and intangible) are important

Follow-up to verify remediation

Work Contact Info

Email – mfarnum@accuvant.com

Phone – 832.971.4854http://www.accuvant.com

Other places you can find me

http://infosecplace.com/bloghttp://infosecplacepodcast.com

Twitter - @m1a1vet