What kind of security assessment do I need? It’s a question we at HALOCK Security Labs hear all the time. Every regulation and information security standard in existence tells us that we must undergo some kind of regular assessment. But the security field has not been consistent in advising what kinds of assessments fit which purpose best.
This security assessment guide will help clarify the variety of assessment options available, along with the benefits and limits of each approach.
Gap Assessments and Audits
Be very cautious of these types of assessments. Gap assessments and audits are used for different purposes, but they involve almost identical analysis practices and share the same limitations. They are very often misused, though, to plan corrective actions. This may surprise you, but we’ll explain why.
What are Gap Assessments and Audits?
A gap assessment or audit is a comparison that determines how well your practices match a list of controls. A controls list may come from a standard, such as ISO 27002, NIST SP 800-53, PCI-DSS, the Critical Security Controls, or elsewhere. Controls lists can also come from a client, an outside auditor, or a regulator. An audit differs a little from a gap assessment in that an independent person runs an audit to check for compliance with a standard, a contract, or a rule.
What they are good for.
Gap assessments and audits are good for determining whether your security practices resemble a standard.
Their limitations.
HALOCK does not go so far as to say that gap assessments and audits indicate how compliant you are with a regulation or a standard. Compliance with regulations and standards most often requires risk assessments, which we’ll discuss below. Most organizations cannot operate effectively with all security controls completely in place; the controls are too costly in terms of invested dollars and business constraints. As a result, a worthy gap assessment or audit will always result in identified gaps. What gap assessments and audits can’t tell you is whether those gaps are acceptable, or what reasonable safeguards should be used given your organization’s unique circumstances and risks.
What decisions do they help management make?
Use gap assessments and audits to identify potential vulnerabilities to your information, facilities, people, and systems. But determine whether those vulnerabilities matter – and plan for their improvement – by assessing the risk that they pose using risk assessments (below).
Risk Assessments
Risk assessments are required by laws, regulations, and standards for determining when security investments are reasonable and appropriate. They help substantiate that an organization meets its “duty of care” to secure information and systems. Regulators, judges, attorneys, and security standards bodies all know that perfect security is not possible, so cyber security risk assessments were devised to determine when our security safeguards are responsible.
What are Risk Assessments?
Risk assessments are evaluations of the threats that could compromise the security of information assets. A risk assessor will ask, “This type of asset is often attacked using ‘x’ threat. Given your safeguard, what is the likelihood and impact of this threat?” Your answer may indicate whether a risk is reasonable with the current safeguard in place, or whether a new safeguard is warranted. Risk assessments demonstrate a duty of care if planned security improvements are also evaluated to show whether the burden of the safeguards is greater than the risk they are meant to protect against.
What they are good for.
Risk assessments are useful for managers to determine whether current or planned safeguards are appropriate, and how to prioritize improvements; higher risks should be addressed first. Risk assessments also provide an excellent basis for budgets and an excellent explanation to auditors about the appropriateness of controls, and – if it comes to this – they are excellent demonstrations of due care after a breach occurs.
Their limitations.
Risk assessments are estimations of what may happen. Unless they are paired with penetration tests or advanced malware threat assessments, they do not give you a good picture of how hackers and malware may be compromising systems now.
What decisions do they help management make?
Managers may prioritize their investments in safeguards based on the risk reduction value of each safeguard, or the likelihood of a foreseeable impact. If the risk assessment and acceptance criteria are appropriately defined, then managers may also be able to safely say, “Our current safeguard is enough.” Knowing your acceptable risk and having a reasonable security strategy is best practice.
Automated Vulnerability Assessments
Automated Vulnerability Assessments are automated scans designed to detect known (published) vulnerabilities that may be exploited by an attacker.
What are vulnerability assessments?
Vulnerability scanning applications can be scheduled to run automated scans of devices with responding services and compare those services to the lists of known vulnerabilities in the scanner’s definitions. Reports from these applications show the vulnerabilities that were identified on each system and prioritize them based on a variety of conditions and criteria.
What they are good for.
Automated vulnerability assessments are low-cost utilities that are easily managed by internal resources to quickly identify common weaknesses that hackers or malware may identify and attempt to exploit to gain unauthorized access. Vulnerability scans are an excellent method for identifying misconfigurations, monitoring an environment for recently released security patches that are missing, identifying new hosts recently added to a network, or testing other common weaknesses with little-to-no user intervention. Many organizations configure their vulnerability scanners to run weekly if not more frequently.
Their limitations.
The primary limitation of a vulnerability scanner is that it matches detected configurations with known definitions. In other words, it detects only what has been published. Scanners cannot identify undocumented (zero day) vulnerabilities, they cannot correlate whether a weakness identified on one system can be leveraged to gain access to another, they are limited in their ability to validate accuracy (resulting in false positives), and they are extremely limited in their ability to effectively and accurately identify web application vulnerabilities. Further, vulnerability scan reports will often incorrectly use the term “risk” to describe their estimation of the potential harm that a vulnerability can pose. Their definition of risk will likely not be yours, and they do not take into consideration any nontechnical evaluation criteria. For example, these reports do not take into account how accessible the system is or what actual harm can result from a successful attack. “Low risk” vulnerabilities may actually pose a high risk to you based on the potential harm that can result in your organization.
What decisions do they help management make?
Similar to gap assessments and audits, vulnerability assessments can indicate a number of weaknesses that you may decide to address immediately. They are an invaluable part of an effective cyber security program, but cannot be relied upon exclusively to comprehensively identify vulnerabilities. One should be cautious, however, about over-investing in low severity vulnerabilities, or accepting the risk of vulnerabilities that may cause a high impact for your organization. If analyzed against your own well-defined risk criteria, vulnerability assessments can provide an excellent input into cyber security risk assessments.
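As an added illustration of two points made above (a scanner’s “risk” rating versus your own likelihood and impact criteria, and the safeguard-burden comparison described under risk assessments), here is a small Python example. It is not HALOCK’s method or tooling; the scales, acceptance threshold, and findings are constructed for illustration.

```python
# Added example: re-score scanner findings against an organization's own risk
# criteria (exposure -> likelihood, data class -> impact), then apply a
# duty-of-care check to a proposed safeguard. Scales and thresholds are constructed.
from dataclasses import dataclass

# Constructed 1-5 scales; a real program defines these in its risk criteria.
LIKELIHOOD = {"internal_only": 2, "partner_network": 3, "internet_facing": 5}
IMPACT = {"test_data": 1, "internal_docs": 2, "customer_pii": 5}
ACCEPTABLE_RISK = 9  # constructed acceptance threshold on likelihood * impact


@dataclass
class Finding:
    host: str
    scanner_severity: str  # what the scan report calls "risk"
    exposure: str          # how accessible the host is
    data_class: str        # what harm a compromise of this host causes


def organizational_risk(f: Finding) -> int:
    """Risk per the organization's criteria, ignoring the scanner's label."""
    return LIKELIHOOD[f.exposure] * IMPACT[f.data_class]


def safeguard_is_reasonable(risk_before: int, risk_after: int, burden: int) -> bool:
    """Duty-of-care check: the safeguard's burden (constructed, same scale as
    risk) must not exceed the risk it removes."""
    return burden <= risk_before - risk_after


def prioritize(findings):
    """Order findings by organizational risk; flag those above the threshold."""
    scored = sorted(((organizational_risk(f), f) for f in findings),
                    key=lambda s: s[0], reverse=True)
    return [(r, f.host, f.scanner_severity, r > ACCEPTABLE_RISK) for r, f in scored]


# Constructed sample findings: note the scanner "Low" on an exposed PII host.
SAMPLE = [
    Finding("web01", "Low", "internet_facing", "customer_pii"),
    Finding("lab07", "High", "internal_only", "test_data"),
    Finding("fs02", "Medium", "partner_network", "internal_docs"),
]

if __name__ == "__main__":
    for risk, host, sev, over in prioritize(SAMPLE):
        print(f"{host}: scanner={sev} org_risk={risk} exceeds_threshold={over}")
```

The scanner’s “High” on the lab host ends up last, while its “Low” on the internet-facing PII host is the only finding over the threshold, which is the inversion the text warns about.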
Penetration Tests
Penetration tests are another type of vulnerability assessment, but a penetration test goes far beyond what an automated vulnerability scanner can do. Penetration tests are attempts by trained penetration testers to explore and exploit systems, applications, facilities, and networks to determine what harm hackers or thieves may do. Unlike a vulnerability scan, a penetration test exploits vulnerabilities and escalates them under controlled conditions to see how far the testers can penetrate an organization’s environment.
What are penetration tests?
Penetration testers use a combination of methodologies, tools, scripts, and manual processes to systematically explore, exploit, and escalate vulnerabilities through an environment. Penetration testers are not limited to testing responding IP addresses; they can also explore network vulnerabilities, comprehensively test feature-specific aspects of a web application, test wireless networks, or target the cyber security awareness of end users. Vulnerabilities are pursued, validated, exploited, escalated, and fully evaluated. These tests result in detailed reports that describe what parts of a network, system, facility, or application were tested and which vulnerabilities can be exploited, demonstrate the specific steps taken to exploit weaknesses, document what information or access can be achieved, and, most importantly, provide prescriptive guidance on how to remediate the vulnerabilities.
What they are good for.
Penetration testing focuses on an environment, not just a list of device IP addresses, which provides organizations the best demonstration of the harm that hackers and thieves can do in your systems and work places in their current state. They can also provide invaluable guidance for preventing the described cyber attacks.
Their limitations.
Penetration tests are manual and labor intensive. As such, most organizations are limited in the frequency with which they are performed. If penetration testing were the only method employed for testing security, a good deal of time could pass before the next pen test is performed, which can leave vulnerabilities undetected for too long. The most common way to overcome this limitation is to supplement penetration tests with more frequent methods of testing, such as vulnerability scanning. Similar to gap assessments, audits, and vulnerability scans, penetration tests cannot always provide a clear indication of the acceptability of certain risks. While more critical vulnerabilities almost always warrant immediate attention, lower severity vulnerabilities may be candidates for risk reduction or risk acceptance decisions. The evaluation required to make these decisions requires input beyond what a penetration test alone provides. When a penetration test is performed in conjunction with a risk assessment, however, this more detailed evaluation is possible.
What decisions do they help management make?
When management sees the vulnerabilities that cyber attackers can see, and understands the harm that hackers or thieves may do, they can take specific action to close the vulnerabilities that allow the demonstrated harm. If management goes further and considers the root cause of the vulnerability, they may reduce the likelihood that the vulnerability will re-occur.
Compromise Assessments
Compromise assessments are evaluations of the advanced malware activity currently occurring in your network.
What are Compromise Assessments?
A compromise assessment involves the placement of one or more technologies in a network for a period of time to detect, report on, and possibly prevent malware activity that cannot be detected or prevented by common anti-virus applications and appliances.
What they are good for.
Compromise assessments help organizations detect what kinds of cyber attacks they are undergoing, and can provide a helpful test to determine what anti-malware architecture and approaches may be most appropriate for that organization.
Their limitations.
These assessments provide only a small window of analysis and may be conducted while malware threats are latent or not yet present. They may also not detect the actions of an intelligent hacker. Additionally, without an evaluation of vulnerabilities or risks, advanced malware threat assessments will not help you determine what cyber attacks are foreseeable, unless those attacks are already underway.
What decisions do they help management make?
When management sees the patterns of behavior that advanced malware is conducting in real time, they are able to take immediate action to prevent foreseeable impacts, such as the eventual removal of data, or to stop breaches that are under way. Additionally, they can help model for an organization the most appropriate architecture for their networks and systems to best detect, prevent, and respond to malware attacks.
Most organizations need a combination of cyber security assessments to understand their security posture. The combination of assessments that is right for you will change over time, and it will also depend on the questions you are asking. The table below can help you design a security assessment plan to address your changing needs.
No one security assessment can give your organization a complete picture of your security posture. Nor can a regular routine of repeated assessments provide you full situational awareness. Your organization should regularly review your security assessment programs by asking the questions above and selecting a set of assessment methods that best answer those questions.
Keep in mind that regulators and attorneys ask compliance and foreseeability questions on a regular basis, and that hackers answer those questions when you least expect them.
Do you know “reasonable” for your organization?
Enhance your security strategy to address your changing working environment and risk profile. HALOCK is a trusted cybersecurity consulting firm and penetration testing company headquartered in Schaumburg, IL in the Chicago area servicing clients throughout the United States on reasonable security strategies.