When it comes to a security assessment of your business's IT assets and infrastructure, who does it? You or the other guy?
Outsourcing Vulnerability Assessment
Difference between Vulnerability Assessment and a Pentest?
The difference between a vulnerability assessment and a penetration test is that a vulnerability assessment only finds the holes and does not exploit them, while in a penetration test the security professionals think like attackers and try to use those vulnerabilities to get inside the network. When conducting the vulnerability assessment you want to scan the assets with the right software, with current vulnerability definitions loaded, and find the weaknesses an attacker would find. The penetration test is where a vulnerability is actually exploited: a server is owned, or a network is compromised and data flows out to the attacker. In either scenario the company must define its assets so that it knows what is going to be tested and can assign ownership. While testing for weaknesses, you might as well prepare for an ISO 27001/27002 audit, since the same asset inventory and evidence serve both.
A good example would be to take a network vulnerability scanner such as GFI LanGuard and scan the network with current definitions of known vulnerabilities loaded. The results should show which systems need to be patched. The same goes for Microsoft Baseline Security Analyzer (MBSA), which compares a Windows system's current patch level and configuration against the level it should be at and lists the missing updates. A closer look at penetration testing would be for the tester to play the bad actor: first enumerate the network using a logged-in user's credentials, then deliver a Meterpreter payload packaged inside a game that an unsuspecting user downloads and runs. The attacker now escalates to SYSTEM privileges and uses them to turn that user's account into an administrator on the box. This is the essence of a penetration test: the tester has inserted themselves, gained a foothold, and escalated privileges in order to do more harm.
In order to conduct a vulnerability assessment correctly you have to define your assets and organize them: know what you have and know what you want to test. This means assigning an owner to each asset that is defined and analyzed. Next you should get a few tools to help with the assessment; pick up one that measures risk in software such as operating systems and one that assesses networks. Before doing any work on the infrastructure, put in place a communication tree between the CIO and the outsourced vendor, so that if something does impact the production network someone can stop it, or inform the staff that the disruption is expected that day. Later, after the outsourced vulnerability assessment is conducted, the company IT department may want to write a policy and procedures outlining a scheduled assessment.
The next thing you want to do is calculate the risk. Most often the quantitative assessment is done first, then the qualitative one. The first of the two formulas is Risk = Vulnerability x Attacks x Threat x Exposure (Snedaker, 2007). This can yield a dollar amount, but the attack and exposure factors involve subjective evaluation, so the qualitative weighting inside the quantitative formula makes it a hybrid: unless you are benchmarking from proven studies to extrapolate your numbers, the result will carry some subjective input, and the product is only as objective as its least objective factor. The second, frequency-based formula is more qualitative in its first-year run, because the frequency of incidents has to be estimated; in subsequent years it can more easily be treated as quantitative, since a historic record of incidents will supply the frequency.
When the company gets to writing a policy for its own quarterly scanning and assessment, it should be written as a formal policy. The policy will state when the vulnerability assessment is to be done and by whom. An accompanying procedure will outline the exact steps to take, which have been proven and approved. This brings the company closer to ISO 27001/27002 compliance as well as safeguarding its assets.
Decision Point over Dilemma
The company has a dilemma: either proceed with its own assessment or hire a third party. Realistically you should stick to what you are good at; if your IT department has a history of performing such analysis, then proceed. However, this small company does not have the manpower, and knowledge of a subject is not the same as working knowledge. What matters to the company IT department in the assessment is the scan type, the assets, demonstrated effective use of vulnerability assessment, and industry experience. Industry experience will account for a lot of what the company IT department is lacking in this disciplined practice: you need focus and experience to know what is going to work and what will not, and the IT department does not have the luxury of time to hone those skills. Another inherent risk is complacency about the environment. This does not mean the IT department is tired of the place it works in; it means that not all assets will come to mind, because some devices are not used all the time and get forgotten.
What are we looking for in the assessment? In a normal vulnerability assessment the professional team will look for systems, servers, and networks that have not been patched to a protected level, and for systems that have not been hardened. Hardened systems run only the services they really need and have some protection on or in front of them, whether a host-based control or a firewall. Systems that are patched to the right level and have no known unmitigated vulnerabilities are the goal of any assessment, together with getting to that secured level and preserving it through continuous monitoring. The company IT department may not have such knowledge and is therefore not the best choice for running the assessment.
Company Action Items
The IT Security Professional is designated technical lead for the assessment. The action items are to find and catalog all assets, both hardware and software, for the assessment. The technical lead will group the hosts by network subnet, if there is more than one, and will identify the different operating systems in use and group those together. The next step is to find the different software that is used as a service within the company; this means every server that shares out software or services must be identified and listed by type and version. An example would be a list of all database servers: out of those, list which run MS SQL, which run Oracle, and which have a web front end. In addition, the technical lead will record which database front ends are driven by SOAP, AJAX, Java, or similar technologies. This list will be exhaustive, but it declares the assets and the exposure type each one possesses, and it will be used by the outsourced company performing the scan.
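The grouping the technical lead produces can be done mechanically once the inventory exists. The following is an added example, not code from the original page or from any vendor: it takes a constructed inventory (hypothetical hosts, addresses, owners and version strings), groups it by declared subnet, OS family and service type, and also reports two things the essay warns about, hosts that sit in no declared subnet and hosts with no owner, so that forgotten devices surface instead of being silently left out of scope. The subnet list and service-name sets are assumptions for the illustration.

```python
"""Group an asset inventory into the scope document a vendor scan needs.

Added example, not part of the original page. The hosts, addresses, owners and
version strings below are constructed; the subnets are hypothetical.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Asset:
    hostname: str
    ip: str
    os: str          # OS string as inventoried, e.g. "Windows Server 2019"
    owner: str       # accountable person or team; empty means unassigned
    services: dict = field(default_factory=dict)   # service name -> version


# Constructed inventory (hypothetical hosts and versions).
INVENTORY = [
    Asset("db01", "10.1.10.5", "Windows Server 2019", "dba-team",
          {"mssql": "15.0.4153", "iis": "10.0"}),
    Asset("db02", "10.1.10.6", "Oracle Linux 8", "dba-team",
          {"oracle-db": "19.3"}),
    Asset("web01", "10.1.20.7", "Ubuntu 22.04", "web-team",
          {"nginx": "1.18.0", "tomcat": "9.0.65"}),
    Asset("fs01", "10.1.10.9", "Windows Server 2016", "infra-team",
          {"smb": "3.1.1"}),
    Asset("printer-3f", "10.1.30.200", "Embedded", "", {}),
]

# Subnets declared in the agreement (assumed values). Anything outside them is
# reported rather than dropped, so forgotten devices surface instead of being skipped.
DECLARED_SUBNETS = [ipaddress.ip_network(s) for s in ("10.1.10.0/24", "10.1.20.0/24")]

DATABASE_SERVICES = {"mssql", "oracle-db", "postgresql", "mysql"}
WEB_SERVICES = {"iis", "nginx", "apache", "tomcat"}


def os_family(os_name):
    """Collapse vendor OS strings into the families scan profiles are built for."""
    name = os_name.lower()
    if "windows" in name:
        return "windows"
    if any(k in name for k in ("linux", "ubuntu", "debian", "rhel", "centos")):
        return "linux"
    return "other"


def build_scope(inventory, subnets):
    """Return the groupings the technical lead hands to the vendor."""
    by_subnet = defaultdict(list)
    by_os = defaultdict(list)
    database_servers = {}
    db_with_web_frontend = []
    undeclared = []     # hosts that fall in no declared subnet
    unowned = []        # hosts with nobody accountable for them

    for a in inventory:
        addr = ipaddress.ip_address(a.ip)
        net = next((n for n in subnets if addr in n), None)
        if net is None:
            undeclared.append(a.hostname)
        else:
            by_subnet[str(net)].append(a.hostname)
        by_os[os_family(a.os)].append(a.hostname)
        if not a.owner:
            unowned.append(a.hostname)
        db_services = [s for s in a.services if s in DATABASE_SERVICES]
        if db_services:
            database_servers[a.hostname] = {s: a.services[s] for s in db_services}
            # A database server that also runs a web service has a larger exposure.
            if set(a.services) & WEB_SERVICES:
                db_with_web_frontend.append(a.hostname)

    return {
        "subnets": dict(by_subnet),
        "os": dict(by_os),
        "database_servers": database_servers,
        "db_with_web_frontend": db_with_web_frontend,
        "undeclared": undeclared,
        "unowned": unowned,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_scope(INVENTORY, DECLARED_SUBNETS), indent=2))
```

On the constructed inventory the printer lands in both the undeclared and the unowned lists, which is exactly the kind of asset that does not "come to mind" and would otherwise be missed; the two lists are what the technical lead reconciles with the vendor before the agreement is signed.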
Risk from Internal Vulnerability Assessment
The risk in conducting an assessment on your own is knowing enough to be dangerous but not enough to be effective, which is why the expertise of security consultants is drawn upon. While performing your own assessment you may omit to test parts of the network, or devices, that you do not use or manage. You might even fail to test for a security objective that hinges on a major flaw in a vendor product or technology you have implemented. This requires special attention, because some businesses have contracts with other companies that are conditioned on an ISO rating, meaning the company either knows how to produce consistent results or hires a company to provide the infrastructure for consistent results. A consultant can establish the requirements the vulnerability assessment must meet, which is what makes the assessment a valid one.
Teaming up with 3rd Party Security Experts
The company has realized that, while its Information Security Professional is well versed in the profession, it will seek an outside vendor to assist in the vulnerability assessment. The first thing the company needs to do is get legal advice from an attorney with knowledge of technology testing, where intellectual property, assets, and risks operate in the same arena. The lawyer has to be knowledgeable about 18 U.S.C. §§ 1029 and 1030 (access device fraud and computer fraud and abuse), PCI DSS, Sarbanes-Oxley, and other laws on privacy and disclosure. The company will coordinate with the lawyer to make sure that the vendor it chooses operates under a written agreement.
Now the company has to find a reputable firm to perform this assessment. The agreement will be the legal document that authorizes the work and binds the two parties to operate professionally with the client's interest as the focal point. The firm providing the service will supply the names of the team members who will be coming onsite, or working offsite, to perform the test. They will have to comply with company policy that all participants be US citizens and have a clean criminal record, or one that has been made right, supported by documented testimony of character and the signature of the individual recommending them for this service.
The two companies draw up an agreement/contract that details what is and what is not to be scanned, as stated in slides 6 and 9. The agreement also has to confirm that there is liability coverage and that the third party carries errors and omissions insurance. The contract will further state that if anything happens outside the scope of the test, both parties will attempt to agree verbally on a course of action to rectify the situation; no-fault clauses can be agreed upon, but that is rarely allowed and runs contrary to the legal direction obtained. Afterwards, the course of action taken will be written up as an addendum to the agreement and signed by an officer of each company who is legally able to form agreements. Once this document is done and the vulnerability assessment firm has written consent to perform the test, it can begin on the agreed date.
In the agreement the technical lead (the Information Security Professional employee) will have the entire topology mapped and each test area scheduled for testing. All the details about what is to be tested can be outlined here; this is where the Information Security Professional makes known which devices and which types of scans are allowed and not allowed. Most scans are designed to be noninvasive and not to interrupt production, but even an ordinary port scan or credentialed scan can upset fragile devices such as printers, embedded systems, or old network gear, which is why the allowed scan types are spelled out. This approach may seem over the top, but when you are talking about intellectual property, the data privacy of people, and the general operating capacity of a business, there are no shortcuts. The agreement has to state what will be tested, how, when, and with what objective. There will be a schedule to follow and a communication tree to call if things go out of focus or assets become unusable.
After the vulnerability assessment has been conducted, a report of the results should be created. The findings can be matched to entries on the publicly known MITRE CVE list, and the company can proactively watch the CVE site for new vulnerabilities in software it currently uses. When the third-party vendor finds these vulnerabilities, it is held to the contract not to disclose its findings. In the course of the assessment, for instance, the vendor found ways into the citizens' personal records database that gave it free range over the data therein; again, the agreement states that no matter what it finds in the course of the assessment, it is not allowed to disseminate the information.
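Matching scanner findings to published entries comes down to comparing a reported product and version against an affected version range, and the usual mistake is to compare versions as strings. The following is an added example, not code from the original page or from MITRE: the vulnerability records use placeholder IDs and invented version ranges (they describe no real vulnerability), and the findings are constructed in the shape a scanner reports them. It shows the numeric version comparison, the range check, and why the string comparison misranks 1.9.0 against 1.18.0.

```python
"""Match scanner findings against a local list of vulnerability records by
product and affected version range.

Added example, not part of the original page. The records use placeholder IDs
and invented ranges and describe no real vulnerability; the findings are
constructed.
"""
import re
from collections import defaultdict

# Constructed records: a product is affected from `introduced` (inclusive)
# up to but not including `fixed`. Placeholder IDs, invented ranges.
RECORDS = [
    {"id": "CVE-0000-0001", "product": "nginx",  "introduced": "1.0.0",  "fixed": "1.20.1"},
    {"id": "CVE-0000-0002", "product": "tomcat", "introduced": "9.0.0",  "fixed": "9.0.70"},
    {"id": "CVE-0000-0003", "product": "tomcat", "introduced": "10.0.0", "fixed": "10.0.27"},
]

# Constructed findings, as a scanner would report them: host, product, version.
FINDINGS = [
    {"host": "web01", "product": "nginx",  "version": "1.18.0"},
    {"host": "web01", "product": "tomcat", "version": "9.0.65"},
    {"host": "web02", "product": "nginx",  "version": "1.9.0"},
    {"host": "web03", "product": "nginx",  "version": "1.21.4"},
    {"host": "db01",  "product": "mssql",  "version": "15.0.4153"},
]


def version_key(version, width=4):
    """Numeric tuple for a dotted version so that 1.9.0 sorts below 1.18.0.

    A pre-release tag after a hyphen ("1.2.0-rc1") is dropped, and missing
    components are padded with zeros so "1.18" and "1.18.0" compare equal.
    """
    base = version.split("-")[0]
    nums = [int(p) for p in re.findall(r"\d+", base)][:width]
    return tuple(nums + [0] * (width - len(nums)))


def is_affected(version, record):
    """True when `version` lies in [introduced, fixed) for this record."""
    return version_key(record["introduced"]) <= version_key(version) < version_key(record["fixed"])


def match_findings(findings, records):
    """Pair every finding with each record whose product and range it falls in."""
    matches = []
    for f in findings:
        for r in records:
            if r["product"] == f["product"] and is_affected(f["version"], r):
                matches.append({"host": f["host"], "product": f["product"],
                                "version": f["version"], "id": r["id"],
                                "fixed": r["fixed"]})
    return matches


def by_host(matches):
    """Remediation view: host -> sorted list of matched record IDs."""
    grouped = defaultdict(set)
    for m in matches:
        grouped[m["host"]].add(m["id"])
    return {h: sorted(ids) for h, ids in grouped.items()}


def lexical_vs_numeric(a, b):
    """Return (a < b as strings, a < b as versions) to show why string
    comparison must not be used for version ranges."""
    return (a < b, version_key(a) < version_key(b))


if __name__ == "__main__":
    for m in match_findings(FINDINGS, RECORDS):
        print(f'{m["host"]}: {m["product"]} {m["version"]} matches {m["id"]} (fixed in {m["fixed"]})')
    print("'1.9.0' < '1.18.0' as strings / as versions:", lexical_vs_numeric("1.9.0", "1.18.0"))
```

The per-host view is the one that goes into the remediation section of the report, since each owner needs the list of IDs for their own systems rather than the flat match list. Real CVE data carries affected-range information in more elaborate forms than one introduced/fixed pair, so a production matcher would consume the published records rather than a hand-built table like this one.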
The vendor now has an accumulation of vulnerabilities, configuration settings, and dependencies that need to be reported and presented for review. The report can be created with whatever software the vendor chose going into the assessment, but it must be hand delivered and not emailed. The report needs to reach the desks of the Information Security Professional, the CISO, and the CEO's office; what happens after that is entirely the company's responsibility. The report should be reviewed together with the firm that provided the assessment, to show which vulnerabilities were discovered and with what tools. The firm will show what needs to be done to correct them, and then empower the company, through counsel or by outsourcing its assessments, to create a schedule.
Once the assessment is done, the team gives the company a report. It will include all the assets as they were before the scan, including the configurations and patch levels provided by the Information Security Professional and verified by the assessment team. The assessment team gave some indication in the agreement of how the assessment would be conducted, but not at the level of detail provided in the report, which tells how each group, and in some cases each individual item, was scanned. The results of the scans now need to be addressed. The assessment team provides links to vendor-specific pages for the upkeep of the software, including releases that address security concerns, and points to an independent vulnerability site that lists outstanding and recorded vulnerabilities for many vendors, advising the Information Security Professional to sign up for updates on the items it hosts.
The assessment team then provides the remediation steps it can offer. These include testing before patching, by imaging the company servers and emulating the network architecture in a lab so that patches are proven before they reach production. This is an additional service the assessment team can provide for a price, or the company can manage it on its own.
The schedule will be a routine check of the systems, both hardware and software, to see whether there are any vulnerabilities not yet discovered and whether the patches already applied are in fact protecting the assets. The Information Security Professional will then create a policy, under the guidance of senior management and the CEO, that details what actions have to take place in the quarterly scanning of the devices.
The scans should occur quarterly, in the last two weeks of the first month of the new quarter. Scanning then rather than on the first day of the quarter gives time for newly disclosed vulnerabilities and published exploits to appear in the scanner definitions, and it gives the company's IT group time to test patches and deploy them. Each scheduled assessment is processed the same way as the initial assessment, with reports created in the third week. Executive reports are delivered to the CISO and CEO by the second week of the second month for review.
The executive review can consist of the company's employees, or here the Information Security Professional, reviewing whether the reports are on target for ISO certification and accreditation. Any notes provided by the assessment team can be read as a strategic vision for the IT department in the coming years.