I’m creating a brief presentation for a Capture the Flag event at USC, explaining our methodology for performing Security Assessments. First of all, recurring periodic security assessments are important for your environment. Security isn’t a set-it-and-forget-it attribute. Infrastructure changes over time and tons of new attack methods are discovered every day. Security is a game of intelligently assessing risk.
Just about every organization needs to adhere to regulations that spell out the minimum security measures to have in place, and how they should be assessed. For example, HIPAA/HITECH, PCI, FISMA, FERPA, and SOX all have standards to secure data. If you’re not bound by any of these, consider using ISO 27002 as a generic resource to help guide your own IT security practices.
With regular assessments you can:
- Maintain a focus on IT security
- Increase awareness and understanding of security issues
- Prioritize security investments and focus on the high-importance, high-reward initiatives
- Find out whether your environment has already been compromised
- Stay on top of the latest security threats
- Demonstrate to customers and partners that security is important
If you already have a particular regulation like one of those mentioned above, download the appropriate standard as a starting point. Otherwise, choose one that is similar to your type of business. In either case, print it out, give it a good read, then start from the beginning.
Here are a few main areas and tips to focus on. All of the security standards have many more requirements than these, but we need to keep the blog to 500 words or less. :o
In what ways can the data be compromised? Not just from the Internet, but also from inside the network, from remote offices, or through rogue wireless access points. Audit the firewall rules and watch the logs. Use secure protocols, like modern HTTPS, SSH and SFTP, rather than HTTP, Telnet, and FTP. Do the servers run more services than they actually need?
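One way to turn that paragraph into a repeatable check, as an added example that is not part of the original post: parse `ss -tlnp` output from a server, flag listeners on the cleartext protocols named above, and flag anything not on a per-role approved-services list. The approved list and the `ss` sample below are constructed for a hypothetical web server, not captured from a real host.

```python
"""Audit listening services against a server's approved list (constructed example)."""
import re

# Cleartext protocols the post says to retire, keyed by their default port.
CLEARTEXT = {21: "FTP (use SFTP)", 23: "Telnet (use SSH)", 80: "HTTP (use HTTPS)"}

# Hypothetical approved-services list for a web server: port -> expected process.
APPROVED_WEB = {22: "sshd", 443: "nginx", 3306: "mysqld"}

# Constructed sample of `ss -tlnp` output; not captured from a real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1023,fd=6))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1023,fd=7))
LISTEN 0      5      0.0.0.0:21          0.0.0.0:*         users:(("vsftpd",pid=1300,fd=4))
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1401,fd=21))
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("inetd",pid=455,fd=5))
LISTEN 0      128    0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=390,fd=8))
"""

LISTEN_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def parse_listeners(ss_output):
    """Return (bind_address, port, process_name) for every LISTEN line."""
    rows = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(3)))
    return rows

def audit_listeners(ss_output, approved):
    """Return (port, process, finding) tuples, at most one finding per listener."""
    findings = []
    for addr, port, proc in parse_listeners(ss_output):
        if port in CLEARTEXT:
            findings.append((port, proc, f"cleartext {CLEARTEXT[port]} bound to {addr}"))
        elif port not in approved:
            findings.append((port, proc, f"not on the approved list, bound to {addr}"))
        elif approved[port] != proc:
            findings.append((port, proc, f"expected {approved[port]} on this port"))
    return findings

if __name__ == "__main__":
    for port, proc, why in audit_listeners(SAMPLE_SS, APPROVED_WEB):
        print(f"port {port:<5} {proc:<8} {why}")
```

Run it against real `ss -tlnp` output and a per-role approved list for each server class; the diff between runs is what changed since the last assessment.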
Timely patch management is important: operating systems on servers and workstations; infrastructure services such as email and DNS; web applications; databases; desktop applications.
How is the network perimeter defended and segmented? Review the device configurations!
Reach out to peers at other companies, participate in user groups, attend a few meetups, and come to some of the Bird Rock Systems events! Compare your infrastructure with others out there and keep your organization in line with industry best practices.
Crack open your Security Policy and run it through its paces. This is usually one of the first things an auditor will do, to see what your administrators and end users can do. See if your own standards can hold up to a little scrutiny.
Again, this information is not intended to be exhaustive or complete. Other important topics include how well your organization works, how well your procedures are documented, and how well your staff members keep up to date with the craft; physical security; encryption; social engineering.
If you think about security like the accounting team thinks about cash flow, IT security should have checks and balances. Do periodic security assessments yourself, then bring in a third party to validate!