external security evaluations n.
Skip this Video
Loading SlideShow in 5 Seconds..
External Security Evaluations PowerPoint Presentation
Download Presentation
External Security Evaluations

Loading in 2 Seconds...

play fullscreen
1 / 27

External Security Evaluations - PowerPoint PPT Presentation

  • Uploaded on

External Security Evaluations. What are the options? Which is best? #LegalSEC. Agenda. Why do an “assessment”? What types of assessments exist? Best uses for each type My recommended prioritization Tips for a successful project. Introductions. Adam Carlson

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'External Security Evaluations' - colum

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
external security evaluations

External Security Evaluations

What are the options? Which is best?#LegalSEC

  • Why do an “assessment”?
  • What types of assessments exist?
  • Best uses for each type
  • My recommended prioritization
  • Tips for a successful project
  • Adam Carlson
    • 10+ years in information security
    • M.S. from UC Davis, ISACA CISM
    • Security researcher studying Internet threats
    • Security auditor for financial services/Fortune 500
    • Chief Security Officer at UC Berkeley
    • Legal IT security consultant
    • Currently security solutions consultant at IntApp
reasons for an assessment
Reasons For An Assessment
  • Need to identify potential security issues
  • Need to prioritize security issues
  • Need for formal reporting to management
  • Need for external review
  • Compliance mandate
types of assessments
Types Of Assessments
  • Penetration test
  • Vulnerability assessment
  • Security assessment
  • Risk assessment
what s in a name
What’s In A Name?
  • No universally standard definitions
  • Great variability among offerings
  • Caveat Emptor
    • Don’t assume you are speaking the same language
    • Vendors will try to convince you their offering is best
  • Must map your needs to the services offered
penetration test definition
Penetration Test Definition
  • Definition: Security engagement meant to determine whether a mature security posture can withstand an intrusion attempt from an advanced attacker with a specific goal.

Source: http://danielmiessler.com/writing/vulnerability_assessment_penetration_test/

  • Example: Adam will attempt to gain access to client information through Internet-based attacks against Costello & Shock LLP
pen test pros cons
Pen Test Pros & Cons
  • Pros:
    • Authoritatively validates the existence of a serious issue
    • Reveals easily discoverable “low hanging fruit”
    • May identify unexpected areas of weakness
    • Often involves highly skilled security professionals
  • Cons:
    • Can be fairly expensive
    • Negative result does not indicate a lack of issues
    • May only evaluate a portion of your environment
vulnerability assessment
Vulnerability Assessment
  • Definition: The process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.

Source: http://en.wikipedia.org/wiki/Vulnerability_assessment

  • Example: Evaluating your document management system with a vulnerability scanning application
vulnerability assessment pros
Vulnerability Assessment Pros
  • Clearly defined scope
    • Which systems are evaluated
    • What potential problems are evaluated
  • Identifies most common technical issues
  • Cheapest of the assessment options
  • Repeatable and quantitative
vulnerability assessment cons
Vulnerability Assessment Cons
  • Can identify A LOT of issues
  • Often lacks contextual risk information
    • Generic risk rankings
    • May not indicate the severity in your environment
  • May not include expert advice/involvement
security assessment definition
Security Assessment Definition
  • Definition: Security engagement meant to evaluate the completeness and effectiveness of the security policies, procedures, and technical protections currently in place.

Source: Adam Carlson

  • Example: Consultant visits a law firm to evaluate the risk management practices as well as the technical security practices
security assessment pros
Security Assessment Pros
  • Provides broader view of current security posture
  • Both technical and non-technical issues identified
  • Risk-based ordering of problems
  • Provides security expert familiarity with environment
  • Tailored guidance and remediation planning
security assessment cons
Security Assessment Cons
  • Difficult to do well
    • May be a glorified vulnerability assessment
    • May not be performed by seasoned expert
  • May be focused around the strengths of the assessor
  • May not provide a lot of depth
  • May simply recommend best practices
risk assessment
Risk Assessment
  • Extremely broad term
  • Risk = Likelihood x Impact
    • Could assess either the likelihood or impact (or both)
  • Encompasses other types of assessments
    • E.g. IT security assessment is a form of risk assessment
  • Often focused around a proposed change or idea
    • E.g. Risk assessment of using a cloud-based storage system
risk assessment pros
Risk Assessment Pros
  • Requires involvement from business owners and IT
  • Used to identify valid business problems
    • Puts technical issues in context
    • Evaluates the impact of those problems
  • Prioritizes risks
  • Informs investment decisions
risk assessment cons
Risk Assessment Cons
  • Requires involvement from business owners and IT
  • Relies on imperfect information
    • Likelihood often unknown
    • Impact often unknown
  • May result in many findings with equivalent risk level
  • Expensive to do a broad and thorough risk assessment
so which do i want
So Which Do I Want?
  • A penetration test is best used:
    • To scare management into investing
    • To identify weaknesses in a very mature security program
  • A vulnerability assessment is best used:
    • To validate effective patch management and system configuration practices
    • To evaluate exposure to the most common technical attacks
so which do i want cont
So Which Do I Want Cont.
  • A security assessment is best used:
    • To identify more than just technical vulnerabilities
    • To perform a compliance gap analysis
    • To engage an external security resource
  • A risk assessment is best used:
    • To evaluate the importance of a possible security investment
    • To evaluate the impact of a proposed change
bonus web application vulnerability assessment
Bonus! Web Application Vulnerability Assessment
  • Definition: The process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a web application.

Source: http://en.wikipedia.org/wiki/Vulnerability_assessment + Adam Carlson

  • Example: Performing a code review and penetration test against an internally developed web application.
  • Best used to secure applications managing highly sensitive data or those available over the Internet.
recommended prioritization
Recommended Prioritization
  • External vulnerability assessment
  • Internal vulnerability assessment
  • Security assessment
  • (anything else worth investing in)
  • Penetration test
a few considerations
A Few Considerations
  • “White box testing” provides the most value
  • Security assessments often include vulnerability assessments (but not always)
  • “Penetration tests” offered by many vendors are actually security assessments
  • Vulnerability assessments can now be easily performed via SaaS (nCirclePurecloud, Qualys, Nessus, etc.)
tips for a successful project
Tips For A Successful Project
  • Enumerate the goals of the engagement:
    • What is the ideal scope?
    • What knowledge should be gained?
    • Who is the intended audience?
  • Understand your budget
  • Compare your options
evaluating potential vendors
Evaluating Potential Vendors
  • Consider an RFP/RFI template
  • Ask about the process
    • Who will do the assessment?
    • What will the report/deliverable look like?
    • How will post-engagement questions be answered?
  • Ask them to explain their strengths/differentiators
  • Ask for references
  • Think about your future together
don t pay to be told
Don’t Pay To Be Told…
  • To patch your systems
  • To run a firewall
  • To run up-to-date antivirus
  • To put data backups in place
  • That security policies are important
  • Etc.
  • Do a self-assessment instead (SANS Top 20, LegalSEC)
questions comments
  • Thanks for joining us today!
  • Please say hi at SharePoint/LegalSEC next week
  • Continue the discussion
    • #LegalSEC
    • @ajcsec on twitter
    • adam.carlson@intapp.com