White Paper

Choosing the Right Security Assessor

Guidance for finding a vendor who can provide advice and insight into your unique security environment

Table of Contents

A Coherent Approach to the Field
A Cultivated Approach to Security Engineering
Assessment & Reporting
A Holistic View
Threat Modeling
A Focus on Continuous Improvement
Experience & Qualifications

Executive Summary

In legislation, in the media and in the operation of office networks, security has become an increasingly prominent concern. Although the popular perception that security is complex is largely a myth, many organizations struggle with the puzzle of deciding what kind of security posture is right for them and how to go about implementing it. In particular, it can be difficult to determine what an organization’s specific security needs are, let alone how best to address them.

One way of making that determination is to conduct a security assessment. An assessment can help an organization better understand its current state of security, identify the most important gaps and provide insight into how to improve the situation.

Security Assessment — Part 2 of 3

Unfortunately, there’s no universally accepted standard for what constitutes a security assessment, how to go about conducting one or what to expect from it. In practice, any vendor can claim to offer security assessments, and their approaches to the craft, along with the results they provide, can vary widely.

The Security Assessment series of white papers (What Is a Security Assessment?, Choosing the Right Security Assessor and Conducting a Successful Security Assessment) shares some of CDW’s experiences as a security assessor, and as an advisor to customers as they work toward mature operational security programs. By taking the time to examine this topic in more detail, organizations will be able to approach future assessment projects with confidence and the best possible chances for success.

This second paper in the series describes (both in terms of approach to security engineering and in terms of basic assessment methodology) the traits that characterize successful security assessors.

Specifically, it describes the qualities that enable an assessor to deliver clear technical insight into complex security issues, offer helpful and organized advice for addressing whatever needs are discovered in the course of the assessment, and prioritize this information in the context of real business data.

With these insights, the recipients can then make informed and effective decisions about what security improvements are worthwhile and will provide a return on the investments made in them.

A Coherent Approach to the Field

One of the challenges of security engineering is that it’s difficult to prove that any given system is secure. The best determination a security engineer can make is that the system has no known weaknesses. This might make it seem as though security testers have an easy job. If a vulnerability is found, the system under scrutiny is known to be insecure. On the other hand, if no vulnerabilities are found, this doesn’t actually prove anything, and the system might still be insecure.

The first potential disqualifier when considering an assessor should be any claim that by having an assessment, an organization can know if it is secure. An assessment might certainly demonstrate that an organization is insecure, but (except in trivial cases) the converse is never true.

While definitive results can’t be expected from a security assessment, it might be possible to identify some traits that good assessors have in common, which contribute to the authority of their results. These traits often typify the assessor’s approach to security in general, and also to the more specific craft of conducting assessments.

A Cultivated Approach to Security Engineering

In the previous white paper What Is a Security Assessment?, security was defined in terms of its technical ingredients: the selection, placement and ongoing monitoring of authentication, authorization and accounting measures in order to control risk. This amounts to a general definition of security engineering.

Given that one of the goals of an assessment is to produce advice on the remediation of any weaknesses uncovered, it’s important that the assessor be able to offer guidance grounded in sound and proven principles for building secure systems. The following three concepts, inverted security, least privilege and defense in depth, are common elements in such an approach.

Inverted Security

The term inverted security describes an approach to design that de-emphasizes the construction of shared perimeters, and instead focuses on placing security controls as closely as possible to the assets they’re intended to defend. Specifically, this approach developed in response to the general industry trend of reliance on firewalls for security.

Of course, firewalls can be an important part of a security posture. Still, organizations want to avoid constructing environments (using hacker terminology) with a “hard crunchy shell” and a “soft chewy center.” Designs based on inverted security endeavor to pull security inward, close to the systems being defended, instead of pushing it out to some arbitrary boundary that many systems might depend on.

For example, consider a catalog retailer that maintains a database of critical business information: product inventory, customer addresses, orders, payment data, etc. Obviously, there are business rules in place specifying who can access data and how. For example, customer service representatives can take an order but not download the entire list of customers; supervisors can review customer information but cannot add new products to inventory, etc.

Returning to a definition of security that focuses on authentication, authorization and accounting, it could be said that a user can only interact with the database if:

• The user’s identity is verified (authentication)

• The interaction is consistent with that user’s role (authorization)

• A record is made of the transaction (accounting)

If these three guidelines are fulfilled, database access is considered properly secured. But how should these rules be enforced?

The designers of a desktop application for internal use might attempt to build these rules into their client software so that various options within the system might be rendered inactive, depending on the user’s role. The designers of a business-to-business web service would attempt to embed these rules in the interface they publish, so that Simple Object Access Protocol (SOAP) requests issued by a consumer of the service would be subject to restrictions based on Security Assertion Markup Language (SAML) assertions. The designers of a business-to-consumer e-commerce application would take yet a third approach.

The principle of inverted security states that in attempting to secure access to the database, security should be placed as closely as possible to that database itself. If a database access layer is built that correctly implements access rules (for example, that database transactions are associated with specific identities, privileges are limited, and records are kept), more can be done with the database in the long run.

As the Single Database Access Layer Supporting Multiple Applications diagram shows, even though the application was initially built only for internal users, it is possible to add on additional interfaces (for example, to business partners or directly to customers) without having to build new and more elaborate security designs.

In this case, inverted security has actually provided a return on investment. By correctly implementing security at the start, this organizational model has been able to reuse what it built and do more with the existing pool of business information than it otherwise might have been able to.

Inverted security is a strategy for making security investments more effective. This is done by making security controls more specific to the assets they’re protecting, and therefore more difficult to circumvent. The net result is that security can become a business enabler, instead of overhead.

Least Privilege

The principle of least privilege determines the degree of access given to the users of a system: users should be granted only the minimum degree of authority needed for their roles. The goal of incorporating least privilege into a system design is to minimize the consequences of security failures and to contain incidents when they do occur.

The diagram Least Privilege in a Shared Hosting Environment on the following page depicts an application service provider that sells e-mail, web and file-sharing services to various customers. Within each customer organization, there might be further subdivisions, and the application service provider allows customers to provision user accounts on their own.

The rules for access should be familiar. When a user authenticates with the system, access is granted based on the group to which the user belongs. Users belonging to one customer cannot see another customer’s information; and users belonging to one group within a customer cannot access materials owned by another group.

Therefore, if a cybercriminal should happen to steal the password of one of the staff individuals attached to Customer 1, only the information belonging to that person’s group is at risk. Neither the resources belonging to Customer 1’s other groups nor the data belonging to Customer 2 and Customer 3 are in danger because access is properly compartmentalized.
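The two sections above describe one enforcement point doing three jobs (authentication, authorization, accounting) and confining each user to their own compartment. As an added illustration, not CDW’s code or any product’s, the following Python sketch implements such a database access layer in the style of the diagram: every front end (desktop client, B2B web service, B2C site) must call it, it checks the caller’s role, scopes each operation to the caller’s customer and group, and records an audit entry for every request. The tokens, roles, records and business rules are constructed for the example.

```python
"""Added example, not CDW's code: one database access layer that enforces
authentication, authorization and accounting next to the data (inverted
security) and scopes every operation to the caller's customer and group
(least privilege). Tokens, roles, records and business rules below are
constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    user: str
    customer: str  # tenant the user belongs to
    group: str     # subdivision within that tenant
    role: str      # constructed roles: "rep" or "supervisor"


class AccessDenied(Exception):
    pass


# Constructed session store: opaque credential -> verified identity.
SESSIONS: Dict[str, Identity] = {
    "tok-alice": Identity("alice", "customer1", "sales", "rep"),
    "tok-bob": Identity("bob", "customer1", "billing", "supervisor"),
    "tok-carol": Identity("carol", "customer2", "sales", "rep"),
}

# Constructed business rules (as in the text): reps can take orders but not
# export the customer list; supervisors can review customers but not add
# products to inventory.
ROLE_PERMISSIONS: Dict[str, set] = {
    "rep": {"read_customer", "create_order"},
    "supervisor": {"read_customer", "export_customers"},
}

# Constructed records, each tagged with the customer and group that own it.
RECORDS: Dict[str, dict] = {
    "cust-100": {"customer": "customer1", "group": "sales", "name": "Acme"},
    "cust-200": {"customer": "customer1", "group": "billing", "name": "Globex"},
    "cust-300": {"customer": "customer2", "group": "sales", "name": "Initech"},
}


class DatabaseAccessLayer:
    """The single enforcement point every front end (desktop client, B2B
    web service, B2C site) must go through to reach the database."""

    def __init__(self) -> None:
        # Accounting: one (user, operation, target, outcome) entry per request.
        self.audit: List[Tuple[str, str, str, str]] = []

    def _authenticate(self, token: str, op: str, target: str) -> Identity:
        ident = SESSIONS.get(token)
        if ident is None:
            self.audit.append(("<unauthenticated>", op, target, "denied: bad credential"))
            raise AccessDenied("bad credential")
        return ident

    def _in_compartment(self, ident: Identity, record: dict) -> bool:
        return (record["customer"], record["group"]) == (ident.customer, ident.group)

    def _authorize(self, ident: Identity, op: str, record_id: Optional[str]) -> None:
        if op not in ROLE_PERMISSIONS.get(ident.role, set()):
            raise AccessDenied(f"role {ident.role} may not {op}")
        if record_id is not None:
            rec = RECORDS.get(record_id)
            # Other customers' and other groups' records are reported exactly
            # like missing ones, so their existence is not leaked.
            if rec is None or not self._in_compartment(ident, rec):
                raise AccessDenied("record not found")

    def _guarded(self, token: str, op: str, target: str, record_id: Optional[str]) -> Identity:
        ident = self._authenticate(token, op, target)
        try:
            self._authorize(ident, op, record_id)
        except AccessDenied as exc:
            self.audit.append((ident.user, op, target, f"denied: {exc}"))
            raise
        self.audit.append((ident.user, op, target, "ok"))
        return ident

    def read_customer(self, token: str, record_id: str) -> dict:
        self._guarded(token, "read_customer", record_id, record_id)
        return dict(RECORDS[record_id])

    def export_customers(self, token: str) -> List[str]:
        ident = self._guarded(token, "export_customers", "*", None)
        # Even a permitted export is confined to the caller's own compartment.
        return sorted(r["name"] for r in RECORDS.values() if self._in_compartment(ident, r))


def exposure_if_credential_stolen(layer: DatabaseAccessLayer, token: str) -> List[str]:
    """Records a stolen credential could read: only the victim's own group's."""
    readable = []
    for rid in RECORDS:
        try:
            layer.read_customer(token, rid)
            readable.append(rid)
        except AccessDenied:
            pass
    return readable


if __name__ == "__main__":
    dal = DatabaseAccessLayer()
    print(exposure_if_credential_stolen(dal, "tok-alice"))
    for entry in dal.audit:
        print(entry)
```

Because the rules live in the layer rather than in each client, adding a new interface means adding a caller, not a new security design, which is the return on investment the text describes. `exposure_if_credential_stolen` shows the least-privilege property from the scenario above: a stolen credential for a Customer 1 staff member reaches only that person’s group’s records, and every denied attempt leaves an audit entry.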

[Diagram: Single Database Access Layer Supporting Multiple Applications. Elements: Employees, Desktop Client Software (Internal), Remote User (B2C), Remote Business Partner (B2B), Web Browser, Internet, Web Server, Web Service Consumer, Web Service Provider, Database Access Layer, Database.]

Defense in Depth

The principle of defense in depth combines multiple defensive layers in order to guard against the failure of any single one. Workstation security provides an excellent illustration of this idea. The concept of operating system updates is familiar to everyone, as is the fact that many of them are released to address security issues. In addition, most system administrators will take steps to make sure that desktop operating systems are properly configured for security by turning off unneeded services, managing user accounts, applying password policies, etc. The majority of workstations are running antivirus software as well.

Each of these measures represents an effort to control access to workstations, but each may fail: patches might not get distributed across the enterprise as quickly as needed; users may (intentionally or otherwise) alter the configurations of their workstations; antivirus signatures may not be able to recognize the very newest threats. So in addition to all these tactics, many organizations are deploying host-based intrusion prevention systems.

The diagram Defense in Depth Strategy for Workstation Protection on the following page depicts a series of steps that might take place as part of an attempt to access a workstation.

Before any access to the workstation is granted, the request passes through a series of layers. At each point along this process, access might be denied. The goal of each of these tactics is the same — enforce a policy about what actions workstations are allowed to do — and a combination of techniques are employed to ensure that an attack circumventing one layer will be caught by the others.
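The sequence in the diagram, modelled as an added example (illustrative code written for this page, not CDW’s or any vendor’s): each layer answers the diagram’s question "does this layer prevent it?", a request is walked through the layers in order, and any single layer can be marked as failed (for instance, patches not yet distributed) to show the others still catching what it missed. The request fields, vulnerability ids, hashes and behaviours are constructed.

```python
"""Added example, not CDW's code: the layered workstation checks in the
Defense in Depth diagram modelled as a chain of independent controls, so
that an attempt missed by one layer is still caught by the next. Field
names, vulnerability ids, hashes and behaviours are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """A constructed description of an attempt to act on a workstation."""
    exploited_vuln: Optional[str]  # vulnerability the attempt relies on, if any
    service: Optional[str]         # OS service it needs, if any
    payload_hash: str              # hash of the delivered file (constructed)
    behaviour: str                 # what it does once running


@dataclass
class Workstation:
    installed_patches: Set[str]
    disabled_services: Set[str]
    av_signatures: Set[str]
    hips_blocked_behaviours: Set[str]


# Each layer answers the diagram's question "does this layer prevent it?"
LAYERS: List[Tuple[str, Callable[[Workstation, AccessRequest], bool]]] = [
    ("os_patch_level", lambda ws, r: r.exploited_vuln in ws.installed_patches),
    ("os_configuration", lambda ws, r: r.service in ws.disabled_services),
    ("antivirus_signature", lambda ws, r: r.payload_hash in ws.av_signatures),
    ("hips_policy", lambda ws, r: r.behaviour in ws.hips_blocked_behaviours),
]


def evaluate(ws: Workstation, req: AccessRequest,
             failed_layer: Optional[str] = None) -> Tuple[bool, List[str], Optional[str]]:
    """Walk the layers in order; the layer named in failed_layer is treated as
    broken (for example, patches not yet distributed) and skipped.
    Returns (access_granted, layers_passed, denying_layer)."""
    passed: List[str] = []
    for name, prevents in LAYERS:
        if name == failed_layer:
            passed.append(name + " (failed open)")
            continue
        if prevents(ws, req):
            return False, passed, name
        passed.append(name)
    return True, passed, None


# Constructed workstation state.
WS = Workstation(
    installed_patches={"VULN-A"},
    disabled_services={"telnet"},
    av_signatures={"hash-known-malware"},
    hips_blocked_behaviours={"disable_security_tools", "write_system_directory"},
)

# Constructed requests: a known exploit, a never-seen sample, a benign action.
KNOWN_EXPLOIT = AccessRequest("VULN-A", None, "hash-known-malware", "write_system_directory")
NOVEL_MALWARE = AccessRequest(None, None, "hash-never-seen", "disable_security_tools")
DOCUMENT_OPEN = AccessRequest(None, None, "hash-benign-document", "open_document")


def summary(req: AccessRequest, failed_layer: Optional[str] = None) -> str:
    ok, passed, denier = evaluate(WS, req, failed_layer)
    return "allowed" if ok else f"denied by {denier} after {len(passed)} layer(s)"


if __name__ == "__main__":
    for r in (KNOWN_EXPLOIT, NOVEL_MALWARE, DOCUMENT_OPEN):
        print(r.behaviour, "->", summary(r))
    print("patch layer failed:", summary(KNOWN_EXPLOIT, "os_patch_level"))
```

The never-seen sample passes the patch, configuration and antivirus layers (no signature exists for it yet) and is stopped by the HIPS policy on its behaviour; with the patch layer failed open, the known exploit is still stopped by the antivirus signature. That is the property the text asks for: the layers enforce the same policy by different means, so circumventing one is not enough.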

Assessment & Reporting

Unfortunately, a solid background in security theory doesn’t guarantee that an assessment project will go well. Security assessment is a specialized craft, and an assessor’s methodology is every bit as important as the framework that guides the assessor’s advice. There are several qualities that characterize good assessors.

[Diagram: Least Privilege in a Shared Hosting Environment. Elements: Top-level Admin; SharePoint, Exchange Servers, Active Directory/LDAP; Web Portal; User’s Notebook with Web Browser and Web Pages; Customer 1, Customer 2 and Customer 3, each with a Container Admin, Groups and Staff Individuals.]

A Holistic View

When considering a system’s security, it’s important to cover every conceivable aspect. If an assessment is not sufficiently comprehensive, two potential pitfalls arise. The first (of course) is that the assessment might overlook some important area of risk. The second is that an incomplete evaluation of a system’s security might foster a false sense of security.

This is a dangerous prospect because complacency about risk can lead to a worsening of security over time. And this is the reason why a good assessor needs to be able to provide comprehensive insight into the security of the system under scrutiny. This typically involves thinking in abstract terms about where the subject of the assessment begins and ends.

For example, there is a great deal of interest in assessing the security of software applications. In assessing a relatively generic e-commerce application, most security scanning tools will seek to discover vulnerabilities in network infrastructure gear, server operating systems and web server software.

Although these elements are important, they comprise far less than the whole of the e-commerce application. Also worth considering are the custom-built components that provide the e-commerce functionality itself (a shopping cart metaphor, the ability to browse inventory, etc.).

And there is code, which does not run in a vacuum — it runs (often in a compiled form) on a server, in a network and in the context of a specific business environment. In fact, when considering all the ingredients in a single e-commerce interaction, it quickly becomes apparent what a far-reaching event this really is.

The Components of an E-commerce Application diagram highlights the flow of information in a basic e-commerce application-user interaction.

The user interacts through some piece of client software, usually a web browser. The web browser sends information across a network (the Internet). Web browser traffic passes through the merchant’s firewall and is processed by the web server software (in this case, IIS). IIS passes along elements from the web browser’s request to the appropriate e-commerce software components (here implemented in ASP.NET).

The business application queries a database (SQL Server), which contains two pools of information: public data available to all users of the application (such as inventory data) and some private data specific to this user (payment information, for example). The content in the database is the electronic representation of some assets (such as goods or services) that the merchant is trying to provide to the user. These transactions flow up and down this entire stack. For the application to function properly, all these components need to interoperate.

[Diagram: Defense in Depth Strategy for Workstation Protection. A Request for Access to Workstation is tested in turn: Does OS Patch Level Prevent This? Does OS Configuration Prevent This? Does This Match Antivirus Signature? Does HIPS Policy Prevent This? A Yes at any step means Access is Denied; if every step answers No, the result is Access to Workstation.]

[Diagram: Components of an E-commerce Application. User; Client Software (IE); Network (Internet); Firewall; Internet Information Services (IIS); Business Application (ASP.NET); SQL Server holding Shared Data and Private Data; Facts, Goods, Services, etc.]

In order to assess the security of the application (the degree to which it provides information confidentiality, transactional integrity and overall availability), the whole system needs to be considered, end to end. Vulnerability scanners and code review are important components of this process, but deciding if the application is secure requires an evaluation of the whole system, not just some subset of its parts.

Threat Modeling

As the previous e-commerce example highlights, “simple” systems can contain a wide range of disparate subsystems, and an assessor needs to have an organized and consistent method of prioritizing the risks that are identified. This is where threat modeling comes in, which refers to a variety of techniques for identifying and ranking threats to a system.

There are various formal methods for threat modeling, such as Microsoft’s STRIDE approach, or portions of the OCTAVE method from Carnegie Mellon. There are varying schools of thought as to which threat modeling approach makes the most sense, and they each have value in certain situations. The important takeaway here is that the emphasis should not be on a specific point of methodology, but being consistent about the way threats are compared on the basis of their relative likelihood and impact.

Considering the e-commerce application example again, it is necessary to be able to judge whether a design flaw that allows traces of transactions to be stored on the user’s hard drive is more or less important than an implementation flaw that causes database table names to appear in application error messages. Threat modeling is the component of an assessor’s work that makes such comparisons possible, and that allows the assessor to offer strategic advice on reducing risk.
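The comparison just described, as an added example (illustrative code written for this page, not CDW’s, and not Microsoft’s STRIDE or any vendor’s scoring scheme): findings are scored on one fixed likelihood scale and one fixed impact scale, off-scale scores are rejected so that every finding is compared on the same basis, and the result is ranked and mapped to reporting bands. The scales, bands and the scores given to the two flaws from the text are constructed for illustration.

```python
"""Added example, not CDW's code: ranking findings on one consistent
likelihood/impact scale so that two unlike flaws can be compared, which is
the job the text assigns to threat modeling. The scales, bands, STRIDE tags
and scores are constructed illustrations, not a CDW or Microsoft scheme."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed ordinal scales; every finding must use exactly these words.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}


@dataclass(frozen=True)
class Finding:
    title: str
    stride: str       # STRIDE category letter used to classify the threat
    likelihood: str   # key of LIKELIHOOD
    impact: str       # key of IMPACT

    def __post_init__(self) -> None:
        # Consistency is the point: a finding scored off-scale is rejected
        # rather than silently ranked against the others.
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.stride!r}")
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"likelihood {self.likelihood!r} is not on the scale")
        if self.impact not in IMPACT:
            raise ValueError(f"impact {self.impact!r} is not on the scale")

    def risk(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def priority(score: int) -> str:
    """Map a 1..25 risk score to a constructed reporting band."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank(findings: List[Finding]) -> List[Finding]:
    """Highest risk first; ties broken by impact (a severe but rare event
    outranks a minor but frequent one at equal score), then by title."""
    return sorted(findings, key=lambda f: (-f.risk(), -IMPACT[f.impact], f.title))


def more_important(a: Finding, b: Finding) -> Finding:
    return rank([a, b])[0]


# The two flaws from the e-commerce example plus one more, with constructed scores.
TRACES_ON_DISK = Finding("Transaction traces left on the user's hard drive", "I", "likely", "moderate")
TABLE_NAMES_IN_ERRORS = Finding("Database table names shown in error messages", "I", "possible", "minor")
CLIENT_SIDE_TOTAL = Finding("Order total trusted from the client", "T", "likely", "major")


def report(findings: List[Finding]) -> List[Tuple[str, int, str]]:
    """Ranked (title, score, band) rows ready for the assessment report."""
    return [(f.title, f.risk(), priority(f.risk())) for f in rank(findings)]


if __name__ == "__main__":
    for title, score, band in report([TABLE_NAMES_IN_ERRORS, TRACES_ON_DISK, CLIENT_SIDE_TOTAL]):
        print(f"{band:6} {score:2}  {title}")
```

With the constructed scores, the design flaw (traces on disk) outranks the implementation flaw (table names in errors); change either scale and both move together, which is what makes the comparison defensible. The bands are the hook for the management audience described later in the paper, who need to know which recommendations deserve the highest priority.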

A Focus on Continuous Improvement

Likely the single most valuable part of an assessment report is the set of recommendations describing how to fix discovered security problems. However, in many cases, simply addressing a list of specific vulnerabilities may not be sufficient.

For example, if desktop systems were found to be vulnerable because a patch had not been applied, applying the patch would fix this discrete issue — but would fail to address the bigger problem of patch management in general. The absence of a given patch is a symptom of a systemic problem. Although an assessment report should enumerate each instance of a discovered vulnerability (and provide information on how to remedy each discrete problem), the report becomes much more valuable if its advice is offered within a framework emphasizing a process of continuous improvement.

An organization’s goal should not be simply to identify and fix a discrete set of problems, but to become more secure and to remain secure in the future. The key to remaining secure is to implement a comprehensive and adaptive operational framework, and the recommendations made in a security assessment should take this fact into account.

An assessment should serve three primary purposes: education about security topics, guidance for improving security and business justification for making the necessary changes. In addition, the contents of the assessment report need to address three audiences: technical engineering staff, management and executives. These groups have different, but related, needs.

Technical staff: Those tasked with actually implementing changes to an organization’s technology need to be given detailed and specific technical information about both the changes to be made and the attacks to which systems are vulnerable if no action is taken. This content generally represents the largest component of the assessment report, simply because a good assessment will uncover many details that need to be explained.

Management: Managers need to know which of the assessment recommendations deserve the highest priority and which will be the most taxing (in terms of cost or effort) to implement.

Executives: Decisions about budget and strategic direction (and therefore, security) are sometimes made by people without significant technical expertise or knowledge of security. In order to be persuasive and useful to these individuals, an assessment report needs to describe security problems in business terms: what kinds of information are at risk, what sorts of losses might be incurred, etc.

An assessment report needs to explain the problems it identifies, how best to fix them and why it is necessary to do so. However, if those explanations are not directed at the proper audience, they’ll fail to have the desired effect.

As should be expected, the specific points emphasized by vendors will vary somewhat. Nevertheless, these qualities will greatly enhance the value of an assessment report document. Attention to this sort of detail is what differentiates a vendor with an experienced full-time security practice from a less-dedicated shop whose reports are primarily derived from the output of scanning tools.

Experience & Qualifications

When selecting a vendor for an assessment project, it’s worth talking to candidates to gain an understanding of their approach and methodology, but it’s not practical to make a selection based solely on some checklist of philosophical points. Here are a few other factors that are helpful to use as a basis of comparison.

Certifications: A common point of comparison between vendors might be their various certifications. Of course, this immediately raises the question of which certifications are the most desirable. But the value of certifications is limited.

First, consider that the computer security trade is a relatively new field. Many of its most talented and experienced practitioners have been conducting assessments since before any given certificate existed. So the absence of some particular certification should not be taken as conclusive evidence of a lack of skill or experience.

Second, most of the well-known security certifications (such as the Certified Information Systems Security Professional, or CISSP, certification) are intended to cover the entire field of security. Even those that focus on security assessment techniques tend to do so in a relatively shallow manner. As a result, having certifications should not necessarily be taken as proof of expertise in assessment.

Obviously, there are exceptions. Many excellent assessors are highly certified. And it would be somewhat odd to encounter an assessment team whose members held no certifications whatsoever. Moreover, there are some environments where, for the sake of regulatory compliance, certain qualifications are required.

Certifications are valuable, but it’s important not to put too much stock in them. On their own, certifications are not sufficient either to prove or disprove claims of excellence in the field of security assessment.

Related work: A more useful barometer of an assessor’s merits is experience with similar projects. For example, is the assessor conversant with the regulatory environment in question? In most cases, specific regulatory experience isn’t an issue. An assessor familiar with the Gramm-Leach-Bliley Act (GLBA) concerns of banking environments will be an excellent candidate for work with credit unions, even though this specific statute does not apply.

Has the assessor worked on projects with similar logistical constraints? For example, an organization spanning time zones or national borders can take on unexpected complexity when it is assessed. Likewise, if the environment to be assessed includes exotic technologies or highly specialized equipment, it’s important that the assessor be experienced in evaluating the security of unfamiliar gear.

One helpful step to gaining insight into a vendor’s level of experience with similar projects is simply listening to the staff’s war stories. How many assessments have they done? What have some of their more complex projects involved? Of which aspects of their work are they most proud? Such anecdotal evidence can often reveal a potential assessor’s strengths or degree of maturity.

Vendors should be able to describe the methodology they bring to each phase of the assessment in clear terms. Where applicable, they should be able to reference relevant standards, and describe why they’ve chosen to adopt or deviate from them. For example, if the system under scrutiny is a web-based application, the vendor should be conversant with the Open Web Application Security Project’s documentation.

Or a vendor proposing to do a risk assessment tied to the healthcare industry’s Meaningful Use criteria should be familiar not only with the Health Insurance Portability and Accountability Act (HIPAA), but also with frameworks such as NIST Special Publication 800-53. This, too, demonstrates experience with related work. A vendor who has already done the homework to become familiar with key resources in a specialized area, and has built a standard approach to projects of this type, is one that is bringing valuable experience to the job.

Status within the industry: Finally, it’s possible to learn something of potential vendors by their reputations. The security consulting business is a fairly collaborative industry: many of the best tools are open-source. Inexpensive underground conferences are often the venues for spotting major trends, and free mailing lists are the most common vector for the sharing of information. One gauge of a vendor’s commitment to the craft of assessment is participation in the security field.

In particular, it is helpful if team members have published interesting documents or software. Often, assessors will develop their own tools (or enhancements to others) and share these with the community. There is an important distinction between the assessor who is able to operate someone else’s testing software and the assessor who created the tool in the first place.

The information is provided for informational purposes. It is believed to be accurate but could contain errors. CDW does not intend to make any warranties, express or implied, about the products, services, or information that is discussed. CDW®, CDW•G® and The Right Technology. Right Away® are registered trademarks of CDW LLC. PEOPLE WHO GET IT™ is a trademark of CDW LLC. All other trademarks and registered trademarks are the sole property of their respective owners. Together we strive for perfection. ISO 9001:2000 certified. 116346 — 120921 — ©2012 CDW LLC

For a variety of reasons, it’s not always easy to match a given tool up with its creator. The climate of the security field is such that many of the most prominent contributors publish their work under aliases. With that in mind, it’s worth researching assessors up front.

The same principle pertains to conferences: Have assessment team members presented their work at any prominent venues? Again, given the nature of vulnerability and assessment research, there’s a good chance that these presentations have been made under alternate names, without a direct tie to the organization where the engineers work.

Nevertheless, most vendors are aware that these activities are an important means of professional development — especially for engineers at the forefront of the field. It’s worth asking what kinds of events the assessment team has participated in and whether any of their research is published.

The Security Assessment White Paper Series

CDW’s Security Assessment white papers were produced to help clarify the complex topic of security assessment. The first white paper in the series, What Is a Security Assessment?, clarifies what exactly an assessment is and why it’s worthwhile.

This second paper in the series offers guidance on how to identify the right assessor for a particular project.

The third paper in the series, Conducting a Successful Security Assessment, walks the reader through a security assessment project from start to finish.

CDW has been performing security assessments since 1998. We have completed hundreds of assessment projects, ranging in scope from stand-alone servers to large enterprise networks spanning national borders. CDW has made significant investments in its assessment practice, and this document reflects the aspects of it that we consider to be most important. It also reflects some of the hard lessons learned along the way.

The purpose of this white paper series is to help organizations approach their next security assessment from the best possible perspective, minimizing the risk of failure in all phases of the project, and deriving the maximum possible benefit from the results.
