Breaking Down the Enterprise Security Assessment
Presented by: Michael R. Farnum, CISSP
Senior Security Solutions Engineer
Purpose and Audience
SME and Enterprise Security Staff
  Risk in the assessment
  What am I missing?
  How far should I (or the assessor) go?
Assessor / Consultant
  Risk in the assessment
  What am I missing?
  How far should I go?
The Basic Premise
Many enterprise security assessments look at too few attack vectors or do not dig far enough into the attack vectors once a vulnerability has been discovered.
THE BIG MISTAKE
Security assessment = finding the vulnerabilities, plus a more holistic look at security.
Penetration test = a focused attack of a single or a few vulnerabilities that are generally already known to exist or are suspected of existing.
Pen Test ≠ Assessment
Religious Debate
How far do you dig?
Will it break my stuff?
Will I be responsible if you break my stuff?
What about RISK?
Assessment vectors can (and probably should) be based on risk
But... DON’T ASSUME YOU KNOW YOUR RISK!
The Security “ASS”-umption
LET'S DIG INTO THE ASSESSMENT
External Technical Testing
External Assessment
  Information Gathering
  Vulnerability Identification
  Confirmation and Exploitation ("Pen Test")
  Web applications
External Technical Testing
Wireless Testing
  Identification
  Penetration
War Dialing
  Identification
  Penetration
Internal Technical Testing
Vulnerability Testing
  Workstations (sampling or images)
  Servers (maybe sampling)
  Network Devices
Configuration Review (criticals or sampling)
  Servers
  Workstations
  Network Devices
Internal Technical Testing
Network Activity Analysis
  Threat (malicious traffic)
  Traffic (policy compliance)
Applications
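The traffic side of the network activity analysis on this slide is the part assessors most often skip: it is not a scanner's job. The following is an added worked example (not code from the presentation or its author) of the split the slide draws between "threat" and "policy compliance" traffic. The zone map, the policy table, the blocklist and the flow records are all constructed for the example; a real review takes the zones and rules from the customer's network documentation and the blocklist from a threat-intelligence feed.

```python
"""Classify constructed flow records as ok / policy violation / threat indicator.

Added example with constructed data. 'threat' means a known-bad peer (here a
constructed blocklist); 'policy' means traffic that the written network policy
permits nowhere, such as workstation-to-workstation SMB or direct egress on a
port that is not on the approved list.
"""
import ipaddress
from collections import Counter

# Constructed zone map: which address ranges are workstations and servers.
ZONES = {
    "workstation": ipaddress.ip_network("10.20.0.0/16"),
    "server": ipaddress.ip_network("10.10.0.0/16"),
}
# Anything else in RFC 1918 space is "other_internal"; everything else is internet.
# (Checked explicitly rather than via is_private, which also matches the
# documentation ranges 198.51.100.0/24 and 203.0.113.0/24 used below.)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed policy: (src_zone, dst_zone) -> allowed destination ports, or "any".
# Pairs that are absent are not permitted at all (e.g. workstation -> workstation).
POLICY = {
    ("workstation", "server"): {53, 88, 389, 443, 445},
    ("server", "server"): "any",
    ("workstation", "internet"): {80, 443},
    ("server", "internet"): {443},
}
# Constructed blocklist standing in for a threat-intel feed.
BLOCKLIST = {ipaddress.ip_address("198.51.100.23")}

# Constructed flow records: timestamp,src,dst,dport,proto,bytes
FLOWS = """\
2024-03-04T09:00:01Z,10.20.1.5,10.10.2.8,443,tcp,5120
2024-03-04T09:00:04Z,10.20.1.5,10.20.1.9,445,tcp,20480
2024-03-04T09:00:09Z,10.10.2.8,10.10.2.9,5432,tcp,90112
2024-03-04T09:00:12Z,10.20.1.7,203.0.113.44,8443,tcp,1024
2024-03-04T09:00:15Z,10.10.2.8,198.51.100.23,443,tcp,3072
2024-03-04T09:00:20Z,10.20.1.5,8.8.8.8,53,udp,128
"""


def zone_of(ip):
    """Map an address to a zone name using the constructed zone map."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "other_internal" if any(ip in net for net in RFC1918) else "internet"


def classify(src, dst, dport):
    """Return (verdict, reason); verdict is 'threat', 'policy' or 'ok'."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Threat indicators take precedence over policy questions.
    if src_ip in BLOCKLIST or dst_ip in BLOCKLIST:
        return "threat", "peer on blocklist"
    sz, dz = zone_of(src_ip), zone_of(dst_ip)
    allowed = POLICY.get((sz, dz))
    if allowed is None:
        return "policy", f"no rule permits {sz} -> {dz}"
    if allowed != "any" and dport not in allowed:
        return "policy", f"port {dport} not permitted for {sz} -> {dz}"
    return "ok", ""


def analyze(text):
    """Parse flow lines; return (verdict counts, list of non-ok flows)."""
    counts = Counter()
    violations = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, nbytes = line.split(",")
        verdict, reason = classify(src, dst, int(dport))
        counts[verdict] += 1
        if verdict != "ok":
            violations.append((ts, src, dst, int(dport), proto, verdict, reason))
    return counts, violations


if __name__ == "__main__":
    counts, violations = analyze(FLOWS)
    print(dict(counts))
    for v in violations:
        print(*v)
```

Running it on the constructed flows gives two clean flows, three policy violations (workstation-to-workstation SMB, egress on 8443, a workstation resolving DNS directly on the internet) and one threat hit. The policy findings are the ones that tell you the written standard and the network disagree, which is the gap this slide is pointing at; the threat finding is the one that should already be in someone's detection pipeline.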
Non-Technical Testing
Policies and Standards Review
Social Engineering
  User environment
  Physical environment
Physical Security
  Gap Analysis
  Penetration Testing
Non-Technical Testing
Interviews for reviews
  Architecture review
  Security coverage review
  Compliance review
NEVER FORGET ABOUT THE DELIVERABLES
Deliverables
Tangibles
  Documentation
  Remediation help
  Strategy document
  Attestation
  Raw data
Intangibles
  Knowledge transfer
  Workshops
  Presentations
Remediation Verification
AKA – Follow-Up Testing
Very important, especially for compliance
Point-in-time security is NOT security
Develop a security program
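What a follow-up test actually produces is a comparison of the original findings against a re-scan, and the comparison has to answer three questions, not one: what was fixed, what is still open, and what is new since the baseline (the "point in time" problem on this slide). The following is an added worked example (not code from the presentation or its author); the finding lists, check identifiers and hostnames are constructed, and the severity acceptance bar is an assumption that a real engagement would take from the customer's policy or compliance requirement.

```python
"""Compare baseline assessment findings with a follow-up scan.

Added example with constructed data. A finding is identified by (host, check id);
host names are normalised because scanners vary in case and FQDN use between runs,
and an unnormalised comparison would report a fixed finding as 'new' and 'remediated'
at the same time.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str   # scanner check / plugin identifier (constructed values below)
    severity: str   # "critical", "high", "medium" or "low"


SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample: findings from the original assessment ...
BASELINE = [
    Finding("SRV-DB-01.corp.example", "CHECK-0001", "critical"),
    Finding("srv-db-01", "CHECK-0002", "high"),
    Finding("ws-042", "CHECK-0003", "medium"),
    Finding("fw-edge-01", "CHECK-0004", "high"),
    Finding("ws-017", "CHECK-0003", "medium"),
]
# ... and from the follow-up scan some weeks later.
FOLLOWUP = [
    Finding("srv-db-01", "CHECK-0002", "high"),               # still open
    Finding("ws-042.corp.example", "CHECK-0003", "medium"),   # still open
    Finding("srv-app-02", "CHECK-0005", "critical"),          # new since baseline
]


def normalize_host(host):
    """Key on the lower-case short name so FQDN/case drift does not split findings."""
    return host.strip().lower().split(".")[0]


def finding_key(f):
    return (normalize_host(f.host), f.check_id)


def compare(baseline, followup):
    """Bucket findings into remediated / still_open / new."""
    before = {finding_key(f): f for f in baseline}
    after = {finding_key(f): f for f in followup}
    return {
        "remediated": [before[k] for k in sorted(before.keys() - after.keys())],
        "still_open": [after[k] for k in sorted(before.keys() & after.keys())],
        "new": [after[k] for k in sorted(after.keys() - before.keys())],
    }


def remediation_rate(result):
    """Share of baseline findings no longer present in the follow-up."""
    total = len(result["remediated"]) + len(result["still_open"])
    return len(result["remediated"]) / total if total else 1.0


def open_above(findings, max_severity):
    """Findings whose severity exceeds the acceptance bar."""
    bar = SEVERITY_RANK[max_severity]
    return [f for f in findings if SEVERITY_RANK[f.severity] > bar]


def verify(baseline, followup, max_severity="medium"):
    """Return (comparison, remediation rate, acceptance bar met?).

    Both still-open and new findings count against the bar: a re-scan that
    only checks the old list would miss the new critical on srv-app-02.
    """
    result = compare(baseline, followup)
    blocking = open_above(result["still_open"] + result["new"], max_severity)
    return result, remediation_rate(result), not blocking


def report(baseline, followup, max_severity="medium"):
    result, rate, passed = verify(baseline, followup, max_severity)
    lines = [f"Remediation rate: {rate:.0%}"]
    for bucket in ("remediated", "still_open", "new"):
        for f in result[bucket]:
            lines.append(f"  {bucket:<11} {normalize_host(f.host):<12} {f.check_id} ({f.severity})")
    lines.append("Acceptance bar met" if passed
                 else f"Acceptance bar NOT met: open findings above {max_severity}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BASELINE, FOLLOWUP))
```

On the constructed data three of five baseline findings are gone, two remain, and one critical finding has appeared on a host that was clean before, so the remediation rate is 60% and the follow-up does not pass a "nothing above medium" bar. That last point is the one to put in the deliverable: a high remediation percentage on its own says nothing about the environment's current state.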
Summary
Get the terms straight
Don’t ignore risk, but don’t assume you know all your vectors
Deliverables (tangible and intangible) are important
Follow-up to verify remediation
Other places you can find me
http://infosecplace.com/blog
http://infosecplacepodcast.com
Twitter - @m1a1vet