Security Assessment Methodology
As CTO you are responsible for the safety of your company's crown jewels: the information that is used for business transactions. That information is more valuable than any piece of infrastructure or any other asset in your organization. Information becomes sensitive when it is meant to be accessible only in a controlled manner, to selected people: key executives in the company, or customers (via the Web). Security consultants tell us the first step to security is "identifying the assets" and then working towards protecting them. But you would also want to determine the security strength of your systems: how vulnerable are they to external and internal threats? It is a lot like checking the locks and bolts on the doors and windows of your home. That is where Vulnerability Scanning/Risk Assessment comes in. So how do security consultants go about doing this?
Avinash Kadam, who heads the Assurances & Global Services division at MIEL e-Security, says the evaluation should be based on security standards such as ISO17799 and BS7799.
"There are a number of steps to assure a company's security. First, check all its controls (procedural controls, administrative controls, technical controls, etc.). The second step is to move into attack mode and check whether every control, procedure, or product is configured or implemented properly. The third step is to do an audit."
The Mumbai-based MIEL e-Security audits against certain benchmarks; for instance, it checks whether the company has the right policies in place, or whether it has a proper information security management system.
"We first do an internal audit for the company. Then an external agency certified by ISO does the audit and certification," says Kadam. "We follow the ISO17799 information security management standard, which gives 10 distinct domains and has 127 objectives."
The Infrastructure and Security Consulting Practice (ISeC) at Infosys Technologies has done audits for more than 20 customers, both in India and abroad. ISeC also follows security standards.
"Our security consulting practice follows standards laid out in BS7799 and the COBiT recommendations. Many of these have also been independently audited by a few of the Big 5 consulting firms for their integrity," says S. Soundararajan, Head-ISeC, Infosys Technologies.
Apart from following such standards, security consultants may take a different approach and devise their own methods for security audit.
Says K.K. Mookhey, CTO, Network Intelligence India, "The client may either be unsure of his need for security, or he is convinced that he needs a solution. We conduct a Penetration Test (ethical hacking) for those who are not convinced. The penetration test may not reveal all the vulnerabilities, but it might indicate some major holes. We do a vulnerability assessment only for those who are convinced that they need security. For this, we test every element of the network: the servers, workstations, hubs, switches, routers, topology, etc. We see what rules are already in place and what business functionality needs to be followed. The assessment generally leads to a security policy that provides a managerial perspective. A policy states what is allowed or disallowed. The implementation of the policy leads to the deployment of security solutions."
Tools
There are various tools available for Vulnerability Scanning/Risk Assessment, and some are available as freeware on the Internet (see Table on page 28). The Cybercop scanner from Network Associates (NAI), for instance, checks the system against a database of 750 vulnerabilities and generates reports. The software identifies holes in the network and reports them in a graphical format, indicating high-, medium- and low-risk cases. Vendors like NAI also offer security auditing services.
"We do security audits for companies worldwide. In India we do this through our various partners, who have been certified and trained on our products, and who have our consulting license," says Vishwajeet Deshmukh, Country Manager, Network Associates. "There are two types of security audits that are done: one is for Vulnerability Assessment and the other is for Network Security, by which we gauge the efficiency and performance of a network."
Brian Pereira can be reached at brianp@networkmagazineindia.com
Risks of the distributed enterprise
- Physical security risks
- Logical access risks
  - Flimsy passwords
  - Irresponsible users
  - Poorly defined access control policies
- Technology risks
  - Weakness of communication protocols
  - Weakness of operating systems
  - Weakness of programming practices
  - Weakness of cryptography
- Social engineering risks
- Risks of automated and remote attacks
Source: MIEL e-Security Pvt. Ltd.
Vulnerability assessment methodology:
Step 1: Study and scope the IT architecture and components for assessment
Step 2: Determine the boundary of analysis
Step 3: Identify asset owners and schedule tasks
Step 4: Impact analysis for active scans, including the assessment of service or server scans run against online production systems
Step 5: Plan for downtime and contingency, if applicable
Step 6: Estimate the scan process, based on the complexity of the target network(s) and host(s)
Step 7: Define the scan policy for each target. The scan policy defines the level of scan: information gathering, policy checking, port scanning, password analysis, attack simulation, etc.
Step 8: Scan the targeted network(s) and host(s), based on the defined scan policy
Step 9: Collect the scan results and analyze them for security loopholes, configuration errors, default installation settings, overlooked setups, password quality, firmware/software revisions, patch fixes, security policy violations, etc.
Step 10: Submit assessment reports with suggestions and recommendations to fix the vulnerabilities
Courtesy: Infosys Technologies
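Steps 7 to 9 above amount to defining what each target is allowed to expose, scanning it, and then rating what the scan found. The following is an added example, not code from the article or from Infosys, MIEL or any other organization named on this page, of that analysis step in Python: a per-target scan policy, a scanner's reported results, and the checks that turn them into high/medium/low findings of the kinds Step 9 lists (unwanted open ports, default installation credentials, password quality, revisions below a patch baseline). All host names, banners, accounts, the weak-word list and the version baselines are constructed for the example and make no claim about any real product release; the scan itself (Step 8) is assumed to have been done by a tool such as the scanners discussed above, and its output is typed in by hand here.

```python
"""Step 9 of the methodology: analyze scan results against the Step 7 scan
policy and rate each loophole high/medium/low.

Added example, not from the article or any vendor named in it. Every host,
port, banner, account and version baseline below is constructed sample data.
"""
import re
from dataclasses import dataclass, field

HIGH, MEDIUM, LOW = "HIGH", "MEDIUM", "LOW"
RANK = {HIGH: 0, MEDIUM: 1, LOW: 2}

# Cleartext or unneeded services that a hardened host should not expose.
CLEARTEXT = {21: "ftp", 23: "telnet", 79: "finger"}
# Constructed dictionary for the password-quality check.
WEAK_WORDS = {"password", "admin", "welcome", "123456"}
# Constructed default credentials that a default installation may leave behind.
DEFAULT_CREDS = {("admin", "admin"), ("root", ""), ("guest", "guest")}


@dataclass
class ScanPolicy:
    """Step 7: what the business function of this target actually needs."""
    target: str
    role: str            # "server", "router", "firewall", ...
    allowed_tcp: set     # TCP ports the business function requires
    # product (lower case) -> (major, minor) patch baseline; constructed,
    # not a statement about any real release.
    min_versions: dict = field(default_factory=dict)


@dataclass
class HostResult:
    """Step 8: what the scanner reported for one target."""
    target: str
    open_tcp: dict       # port -> banner, e.g. "OpenSSH/3.1p1"
    accounts: dict       # username -> password as recovered or reviewed


@dataclass(frozen=True)
class Finding:
    target: str
    severity: str
    detail: str


def parse_version(banner):
    """'OpenSSH/3.1p1' -> ('OpenSSH', (3, 1)); None if there is no version."""
    m = re.match(r"([A-Za-z][\w.-]*?)/(\d+)\.(\d+)", banner)
    return (m.group(1), (int(m.group(2)), int(m.group(3)))) if m else None


def analyze(policy, result):
    """Compare one host's scan output with its policy and rate each finding."""
    assert policy.target == result.target
    out = []
    for port, banner in sorted(result.open_tcp.items()):
        if port in CLEARTEXT and port in policy.allowed_tcp:
            # Needed by the business function, but still a cleartext channel.
            out.append(Finding(policy.target, LOW,
                               f"{CLEARTEXT[port]} on tcp/{port} permitted by policy but unencrypted"))
        elif port in CLEARTEXT:
            what = f"{CLEARTEXT[port]} on tcp/{port}"
            if port == 23 and policy.role in ("router", "firewall"):
                what += " (cleartext management of a network device)"
            out.append(Finding(policy.target, HIGH, f"unnecessary service {what}"))
        elif port not in policy.allowed_tcp:
            out.append(Finding(policy.target, MEDIUM,
                               f"tcp/{port} ({banner}) open but not required by policy"))
        parsed = parse_version(banner)
        if parsed:
            product, ver = parsed
            base = policy.min_versions.get(product.lower())
            if base and ver < base:   # tuple comparison: (3, 1) < (3, 4)
                out.append(Finding(policy.target, HIGH,
                                   f"{product} {ver[0]}.{ver[1]} on tcp/{port} is below "
                                   f"patch baseline {base[0]}.{base[1]}"))
    for user, pw in sorted(result.accounts.items()):
        if (user, pw) in DEFAULT_CREDS:
            out.append(Finding(policy.target, HIGH, f"default credentials left in place for {user!r}"))
        elif pw == "":
            out.append(Finding(policy.target, HIGH, f"account {user!r} has no password"))
        elif pw.lower() in WEAK_WORDS or pw.lower() == user.lower():
            out.append(Finding(policy.target, MEDIUM, f"account {user!r} has a guessable password"))
    return out


def summarize(findings):
    """Counts per severity, the way a scanner's summary report presents them."""
    counts = {HIGH: 0, MEDIUM: 0, LOW: 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def report(findings):
    """Text report, highest risk first."""
    order = sorted(findings, key=lambda f: (RANK[f.severity], f.target, f.detail))
    return "\n".join(f"[{f.severity:<6}] {f.target}: {f.detail}" for f in order)


# Constructed sample: a web server, a router and an FTP server.
SAMPLE_POLICIES = {
    "web01": ScanPolicy("web01", "server", {22, 80, 443}, {"openssh": (3, 4), "apache": (1, 3)}),
    "rtr01": ScanPolicy("rtr01", "router", {22}),
    "ftp01": ScanPolicy("ftp01", "server", {21, 22}),
}
SAMPLE_RESULTS = {
    "web01": HostResult("web01", {21: "vsftpd/1.1", 22: "OpenSSH/3.1p1", 80: "Apache/1.3", 8080: "Tomcat/4.0"},
                        {"admin": "admin", "webmaster": "webmaster", "alice": "Tr0ub4dor&3"}),
    "rtr01": HostResult("rtr01", {22: "SSH-1.99", 23: "telnet"}, {"root": "", "ops": "welcome"}),
    "ftp01": HostResult("ftp01", {21: "ProFTPD/1.2", 22: "OpenSSH/3.4p1"}, {"bob": "correct-horse-battery"}),
}


def run_sample():
    """Analyze every constructed host and return the combined findings."""
    findings = []
    for target, policy in SAMPLE_POLICIES.items():
        findings.extend(analyze(policy, SAMPLE_RESULTS[target]))
    return findings


if __name__ == "__main__":
    fs = run_sample()
    print(report(fs))
    print("totals:", summarize(fs))
```

Run it as a script to print the report. The one caveat it encodes that a raw port list does not: a cleartext service the policy explicitly permits (the FTP server's tcp/21) is rated low rather than high, because removing it is a business decision for the asset owner identified in Step 3, whereas the same service on a host whose policy does not call for it is an unnecessary service and rated high. The version check only compares against the baseline the policy supplies, so a host with no baseline produces no revision finding; that is deliberate, since the baseline is where the patch-level decision belongs.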
LAYERS OF ENTERPRISE SECURITY
A few years back, a conversation on security solutions was generally limited to antivirus products or security features within the operating system. Today security solutions are available for every stage of the network. These can be broadly categorized as Vulnerability/Risk assessment tools, Firewalls/VPN, Intrusion Detection Systems, Authentication/Access control, Antivirus, and encryption. Further, these solutions are separately available for servers, desktops and wireless devices.

Top 10 security lapses or vulnerabilities:
1. Security threats and risks are not analyzed prior to the selection of security technology and design
2. Corporates fail to deal with the awareness and operational aspects of security
3. Lack of a robust security policy definition, or non-adherence to security policies
4. Absence of periodic security audits of IT infrastructure and operations
5. Lackadaisical implementation of physical security: easy physical access to data centers and critical IT assets
6. Misconfiguration of servers: default options in the installation procedures of operating systems and applications, which can be hacked easily
7. User accounts with no passwords or weak passwords, which leads to passwords being cracked with easy guesses
8. Failure to block unauthorized access to application ports: unwanted TCP ports are left open on application servers
9. Lack of available data footprints due to non-existent or incomplete logging and backup of data
10. Improper virus prevention procedures: virus signatures are not updated in a timely fashion
Courtesy: Infosys Technologies
Common security lapses
Mistakes made by Users
- Opening unsolicited e-mail attachments without verifying their source and checking their content first
- Failing to install security patches, especially for Microsoft Office, Microsoft Internet Explorer, and Netscape
- Installing screen savers or games from unknown sources
- Not making and, especially, not testing backups
- Using a modem while connected through a local area network
Mistakes made by Senior Executives
- Assigning untrained people to maintain security, and providing neither the training nor the time to make it possible to learn and do the job
- Failing to understand the relationship of information security to the business problem
- Failing to deal with the operational aspects of security: making a few fixes and then not performing the necessary action to ensure the problems stay fixed
- Depending primarily on a firewall alone
- Failing to realize how much money their information and organizational reputation are worth
- Authorizing reactive, short-term fixes, leading to problems re-emerging
Mistakes made by IS Department
- Connecting systems to the Internet before hardening them
- Connecting test systems to the Internet with default accounts/passwords
- Failing to update systems when security holes are found
- Using telnet and other unencrypted protocols for managing systems, routers, firewalls, and PKI
- Giving users passwords over the phone, or providing configuration information, without authenticating the requester
- Failing to maintain and test backups
- Running unnecessary services, especially ftp, telnet and finger
- Implementing firewalls with rules that don't stop malicious or dangerous traffic, incoming or outgoing
- Failing to implement or update virus detection software
- Failing to educate users on what to look for and what to do when they see a potential security problem
- Providing users with too many usernames and passwords, making them difficult for the user to manage
Source: Bangalore Labs