Follow the assessment process
By John Moore | Posted 2007-03-09
An outside consultant can bring fresh insights on a company's security practices. Make sure you establish ground rules first.
Security assessments take various forms; the type of assessment performed will dictate the steps involved.
Some assessments aim to measure an organization's security posture against a particular baseline. Such efforts generally hew to a security standard. The International Standards Organization's ISO 17799 standard, for example, is widely used as an information security benchmark. An associated standard, ISO 27001, provides a higher degree of technical specificity compared with ISO 17799, according to Lepofsky.
An outside firm conducting an ISO standard audit will arrive with a checklist that covers a wide range of security practices. An ISO 17799 checklist developed by SANS includes basic queries (does your company have a security policy?) and more technical questions (does your company use a firewall to segregate its network?).
Morrow says his company has seen more clients referencing the ISO standards, as well as other standards, "as something they want to use as a security benchmark when choosing an outsourcing vendor." The American Institute of Certified Public Accountants' Statement on Auditing Standards (SAS) No. 70, Service Organizations, also applies to companies in the outsourcing field such as EDS. "We commonly use SAS 70 audits as a mechanism to efficiently allow our client's auditors to assess our safeguards and policies," Morrow says.
From there, the consultant's auditors conduct I.T. staff interviews as they work down the checklist of security practices. An assessment can begin and end with the list, but Ullrich says this approach falls short.
"One way to tell a good auditor is that they go into the network and verify that certain things are true," he says. "You really want them to get their hands dirty."
In that regard, the consultant who performs the audit can run a vulnerability scan using commercial or open-source vulnerability management software. Vulnerability scanning tools are designed to discover the devices attached to the network and identify security gaps based on a database of known vulnerabilities.
Instead of merely ticking the firewall box, for instance, an auditor can run a scan to see if the firewall is configured properly. A scan might also flag an operating system on a server that lacks a current security patch.
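The two scanner checks the article mentions, flagging a server whose software is older than the version that fixes a known issue, and confirming that the firewall actually blocks what policy says it should block, reduce to the comparisons below. This is an added illustration, not code from the article or from any scanning product; the host inventory, the vulnerability database entries (with made-up EXAMPLE-nnnn identifiers) and the reachability results are all constructed for the example.

```python
"""Added example: how a vulnerability scanner turns an inventory and a
known-vulnerability database into findings, plus a reachability check
that catches a firewall rule that does not match the written policy.
Every host, version, identifier and zone below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str      # constructed identifier, not a real advisory number
    product: str      # product name as it appears in the host inventory
    fixed_in: tuple   # first version that contains the fix
    remote: bool      # exploitable over the network without credentials


# Constructed vulnerability database (a real scanner ships thousands of entries).
VULN_DB = [
    Vuln("EXAMPLE-0001", "webserver", (2, 4, 12), remote=True),
    Vuln("EXAMPLE-0002", "sshd", (7, 4, 0), remote=True),
    Vuln("EXAMPLE-0003", "dbserver", (10, 2, 0), remote=False),
]

# Constructed inventory: what the discovery phase found on each host.
HOSTS = {
    "web01": {"webserver": "2.4.10", "sshd": "7.4"},
    "db01": {"dbserver": "10.1.5", "sshd": "7.2.1"},
}


def parse_version(text):
    """'2.4.10' -> (2, 4, 10). Missing components are padded with zeros so
    that '7.4' and '7.4.0' compare as equal rather than as different lengths."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def find_vulns(hosts, db=VULN_DB):
    """Return {hostname: [vuln_id, ...]} for every installed product whose
    version is older than the version that fixes a known issue."""
    findings = {}
    for host, products in hosts.items():
        for product, version in products.items():
            for v in db:
                if v.product == product and parse_version(version) < v.fixed_in:
                    findings.setdefault(host, []).append(v.vuln_id)
    return findings


# Constructed reachability results: (source zone, host, port) tuples that a
# scan launched from each zone was able to connect to.
OBSERVED = {
    ("internet", "web01", 443),
    ("internet", "web01", 22),
    ("internet", "db01", 5432),
}

# The written firewall policy: the only (zone, host, port) combinations that
# are supposed to be reachable.
POLICY = {
    ("internet", "web01", 443),
    ("internal", "db01", 5432),
}


def firewall_gaps(observed, policy):
    """Everything the scan could reach that policy does not permit is a
    misconfiguration; the ticked 'we have a firewall' box says nothing
    about whether these rules are right."""
    return sorted(observed - policy)


if __name__ == "__main__":
    for host, ids in find_vulns(HOSTS).items():
        print(f"{host}: missing patches for {', '.join(ids)}")
    for zone, host, port in firewall_gaps(OBSERVED, POLICY):
        print(f"firewall gap: {zone} can reach {host}:{port}")
```

Running it reports web01 missing the webserver fix, db01 missing two fixes, and two firewall gaps (SSH on web01 and the database port on db01 both reachable from the internet), which is exactly the kind of finding that a checklist interview alone would not surface.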
Moving up a notch from vulnerability scanning, a security audit may include penetration testing. Guerrino says the Bank of New York runs general network penetration tests, but also hires firms to conduct tests that focus on specific applications. He describes the latter tests as "ethical hacking." Consultants performing the hack are given access to the corporate application. The purpose of the hack is to see if a tester, posing as an authorized user, can break into an application and then execute transactions or access information without proper authorization.
This practice, for example, can be used to test whether an application follows the principle of input validation, which restricts what the application accepts in each input field to predefined formats and values. An online ordering system, for example, may only accept a certain number of digits in the credit-card entry field. Without this measure, an intruder may be able to enter malicious code in the input field.
"An ethical hack will pass unexpected data to the application to see how it reacts," Guerrino says. The tester can see how the application behaves "when it gets something it is not anticipating," he adds.
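The credit-card field described above, written as a strict validator and exercised with the kind of unexpected input an application-focused test feeds it. This is an added example, not code from the article or from any of the organizations quoted; the field rules (13 to 19 digits, Luhn checksum) and the sample inputs are constructed for illustration.

```python
"""Added example: a whitelist validator for a credit-card entry field and a
small harness that checks how it reacts to input it is not anticipating.
The rules and the sample inputs are constructed for this illustration."""
import re

# Accept only digits, in the length range card numbers actually use.
CARD_RE = re.compile(r"[0-9]{13,19}")
# Refuse oversized input before doing any other work on it.
MAX_RAW_LENGTH = 64


def luhn_ok(digits):
    """Standard Luhn checksum: from the right, double every second digit,
    subtract 9 when the result exceeds 9, and require the sum to be a
    multiple of 10. Catches typos; it is not a security control by itself."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_card_field(raw):
    """Return (accepted, reason). Whitelist approach: the value must match the
    expected shape exactly; anything else is rejected, with no attempt to
    'clean up' or interpret the input."""
    if not isinstance(raw, str):
        return False, "not a string"
    if len(raw) > MAX_RAW_LENGTH:
        return False, "too long"
    value = raw.replace(" ", "").replace("-", "")  # tolerate common grouping
    if not CARD_RE.fullmatch(value):
        return False, "must be 13 to 19 digits"
    if not luhn_ok(value):
        return False, "checksum failed"
    return True, "ok"


# Constructed test inputs: what a tester passes to see how the field reacts.
UNEXPECTED_INPUTS = [
    "",                            # empty submission
    "abc",                         # wrong character class
    "4111111111111112",            # right shape, bad checksum
    "4111111111111111 OR 1=1",     # a valid number with trailing junk
    "<b>4111111111111111</b>",     # markup wrapped around a valid number
    "4" * 1000,                    # oversized input
    None,                          # missing field, not a string at all
]


def reject_all_unexpected(inputs):
    """True only if every unexpected input is refused; a single accepted
    item here is a finding to track and remediate."""
    return all(not validate_card_field(item)[0] for item in inputs)


if __name__ == "__main__":
    print(validate_card_field("4111 1111 1111 1111"))
    for item in UNEXPECTED_INPUTS:
        print(repr(item)[:40], "->", validate_card_field(item))
    print("all unexpected inputs rejected:", reject_all_unexpected(UNEXPECTED_INPUTS))
```

The important property is that the validator decides by matching the expected shape, not by searching for known-bad strings: the trailing junk and the markup cases fail simply because they are not 13 to 19 digits, without the code needing a list of things to look for.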
Each security issue that turns up during an assessment is tracked in a database and then reviewed with application developers to gauge the level of risk, potential impact of a breach and the likelihood that a vulnerability can be remotely exploited, Guerrino says. "Once the level of risk is identified, we work with the application developers to ensure they remediate findings in a timely manner," he explains.
Vulnerability scans, penetration tests and ethical hacking may follow the checklist phase of an audit. They can also be performed independently of each other. While organizations may hire outsiders to conduct the various tests, some opt to conduct them using internal resources.
"We have pretty much taken everything in-house now," says Mark Odiorne, chief information security officer at Scottish Re, a life reinsurance company. He says the in-house approach lets the company schedule penetration tests as needed (see "Taking Charge" next).