Technical Security Assessment
I intentionally left this topic out of my previous article “Information Security / Cyber Security: Audit vs Maturity Assessment vs Risk Assessment”, because it is the most efficient type of assessment when an enterprise wants to identify its technology-related risks, its current security posture, and the ability of its teams to detect and respond to cyber attacks.
A technical security assessment consists of a series of security tests, assessments and audits conducted to discover vulnerabilities in the IT infrastructure and information systems that may pose significant risk at business level. Each of them encompasses a different type of assurance activity:
Following security best practices, adequate assurance activities should be performed during an enterprise-level risk assessment and after any significant change to the IT infrastructure or information systems.
Security Tests
Security tests verify that a control is functioning properly. These tests include automated scans, tool-assisted penetration tests and manual attempts to undermine security:
It is worth noting that other types of assessment, such as social engineering, red-team exercises that replay real-world attack scenarios, or scenario-based process testing, are not considered security tests in this sense.
Security tests should take place on a regular schedule, with attention paid to each of the key security controls protecting the organization. When scheduling security controls for review, the following factors should be considered:
After assessing each of these factors, security teams design and validate a comprehensive assessment and testing strategy. This strategy may include frequent automated tests (vulnerability scans) supplemented by infrequent manual tests (penetration tests).
Vulnerability Assessment
This security testing requires an enterprise-class vulnerability scanning and assessment tool to conduct automated vulnerability scans of:
Once configured, an automated scan requires little work from administrators, so it can be run frequently to check for unpatched systems, open ports, vulnerable software and misconfigured services across the network.
In addition to this, various free and commercial tools can evaluate security settings and configurations of local machines on which they are installed, providing fine-grained insight into unauthorized changes in configuration or the inadvertent introduction of security weaknesses by administrators.
A vulnerability assessment should also include an assessment of the security of all routes from the Internet into the internal network, public-facing web servers, restricted systems, and critical servers on the internal network.
The vulnerability scanning tools must be able to assign each vulnerability a risk ranking based on an industry standard such as the CVSS base score. Note that the base score reflects only the intrinsic characteristics of the vulnerability; it does not account for exploit availability, compensating controls or the criticality of the affected asset, so the assessment should combine it with asset criticality when prioritizing remediation.
When the vulnerability assessment scanning is carried out by an external company, the Client should be aware of and approve the scanning and assessment tools to be used.
Penetration Testing
The security team may wish to complement these automated scans with a manual penetration test performed by an external consulting company. Such tests are often performed annually to limit cost and disruption to the business.
Penetration testing can be conducted on the entire IT infrastructure and information systems or on several parts, such as:
The penetration testing team requires a broad set of skills and in-depth knowledge of the target assets, which is why testing is often carried out by an external consulting company.
The Client should carry out a few activities before signing the Rules of Engagement with the third party, such as:
1. Check the qualifications of the testers proposed by the third party; typical minimum requirements are, for the test lead:
- Minimum 5 years of experience
- One or more of the following certifications: CISSP, CISM, CISA, GIAC GSLC
- Either GIAC GPEN or Offensive Security OSCP (or equivalent)
and for each of the other testers:
- Minimum 3 years of experience
- One of the following certifications: CISSP, GCIH, GIAC GPEN, or Offensive Security OSCP (or equivalent)
2. Define very clearly the scope of testing:
3. Notify the UAE SIA (formerly NESA) if the Client is a Critical Information Infrastructure (CII) entity:
4. Be aware of and approve the scanning tools to be used by the third party
Security Assessments and Review
In this context, a security assessment is a systematic examination of the following:
Enterprise Security Architecture Review
No security architecture is complete or totally secure, and no IT system is free of weaknesses and vulnerabilities. The goal of a security architecture is to address as many known weaknesses as possible and to resolve security issues as they are found.
A security architecture review is a systematic examination of the entire enterprise architecture that encompasses all aspects supporting business and IT initiatives (business architecture, information architecture, application architecture and technology architecture):
Security Review of Web-Based Systems
Software plays a critical role in any security infrastructure because it handles sensitive information and interacts with critical resources.
To ensure web-based systems are secure when exposed on the Internet, software reviews should be performed on web applications during the development phase (by the software development team), during the integration and testing phase (by the software acceptance team) and in production (by the security assessment team). Examples of software reviews are:
Even when software development is outsourced, the Client should monitor the execution of these activities during the development, integration and testing phases.
Regardless of whether earlier software reviews were carried out, or of their outcome, our consultants can perform a security review of web-based systems either before or after go-live, consisting of:
Availability Assessment
The Domain Name System (DNS) is critical infrastructure for infrastructure providers, application owners and Internet users alike, because it resolves every request for a website by mapping the host name to an IP address that ordinary users never see.
Because an authoritative DNS server is exposed to the Internet, it can be abused for covert resource usage or data exfiltration (for example DNS tunnelling), but the biggest availability threat is a DDoS attack, which can render your website or applications completely unreachable even when the web servers themselves are healthy.
A distributed denial-of-service (DDoS) attack floods a target (a DNS server, a website or a web application) with traffic or requests from many sources at once, exhausting its bandwidth, connection capacity or processing power so that legitimate users or visitors can no longer reach it; the target need not be compromised for the attack to succeed. An availability assessment provides assurance on the following:
Security Audits
The security audit program is a tool that can be used to complete a specific assurance process, such as:
About myself: I have worked with, written and implemented secure SDLC frameworks, written methodologies for VAPT tailored to various SoWs, written methodologies for the security review of web-based systems, and performed compliance audits in companies across different sectors.