External Security Evaluations: What are the options? Which is best? #LegalSEC

Posted on 14-Feb-2016

DESCRIPTION

External Security Evaluations: What are the options? Which is best? #LegalSEC. Agenda: Why do an “assessment”? What types of assessments exist? Best uses for each type. My recommended prioritization. Tips for a successful project. Introductions: Adam Carlson.

TRANSCRIPT

Page 1: External Security Evaluations

External Security Evaluations
What are the options? Which is best?

#LegalSEC

Page 2: Agenda

• Why do an “assessment”?
• What types of assessments exist?
• Best uses for each type
• My recommended prioritization
• Tips for a successful project

Page 3: Introductions

• Adam Carlson
• 10+ years in information security
• M.S. from UC Davis, ISACA CISM
• Security researcher studying Internet threats
• Security auditor for financial services/Fortune 500
• Chief Security Officer at UC Berkeley
• Legal IT security consultant
• Currently security solutions consultant at IntApp

Page 4: Reasons For An Assessment

• Need to identify potential security issues
• Need to prioritize security issues
• Need for formal reporting to management
• Need for external review
• Compliance mandate

Page 5: Types Of Assessments

• Penetration test
• Vulnerability assessment
• Security assessment
• Risk assessment

Page 6: What’s In A Name?

• No universally standard definitions
• Great variability among offerings
• Caveat Emptor
• Don’t assume you are speaking the same language
• Vendors will try to convince you their offering is best
• Must map your needs to the services offered

Page 7: Penetration Test Definition

• Definition: Security engagement meant to determine whether a mature security posture can withstand an intrusion attempt from an advanced attacker with a specific goal.
  Source: http://danielmiessler.com/writing/vulnerability_assessment_penetration_test/

• Example: Adam will attempt to gain access to client information through Internet-based attacks against Costello & Shock LLP

Page 8: Pen Test Pros & Cons

• Pros:
  • Authoritatively validates the existence of a serious issue
  • Reveals easily discoverable “low hanging fruit”
  • May identify unexpected areas of weakness
  • Often involves highly skilled security professionals

• Cons:
  • Can be fairly expensive
  • Negative result does not indicate a lack of issues
  • May only evaluate a portion of your environment

Page 9: Variable Scope

Page 10: Vulnerability Assessment

• Definition: The process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.
  Source: http://en.wikipedia.org/wiki/Vulnerability_assessment

• Example: Evaluating your document management system with a vulnerability scanning application

Page 11: Vulnerability Assessment Pros

• Clearly defined scope
  • Which systems are evaluated
  • What potential problems are evaluated

• Identifies most common technical issues
• Cheapest of the assessment options
• Repeatable and quantitative

Page 12: Vulnerability Assessment Cons

• Can identify A LOT of issues
• Often lacks contextual risk information
• Generic risk rankings
• May not indicate the severity in your environment
• May not include expert advice/involvement

Page 13: Security Assessment Definition

• Definition: Security engagement meant to evaluate the completeness and effectiveness of the security policies, procedures, and technical protections currently in place.
  Source: Adam Carlson

• Example: Consultant visits a law firm to evaluate the risk management practices as well as the technical security practices

Page 14: Security Assessment Pros

• Provides broader view of current security posture
• Both technical and non-technical issues identified
• Risk-based ordering of problems
• Provides security expert familiarity with environment
• Tailored guidance and remediation planning

Page 15: Security Assessment Cons

• Difficult to do well
• May be a glorified vulnerability assessment
• May not be performed by seasoned expert
• May be focused around the strengths of the assessor
• May not provide a lot of depth
• May simply recommend best practices

Page 16: Risk Assessment

• Extremely broad term
• Risk = Likelihood x Impact
• Could assess either the likelihood or impact (or both)
• Encompasses other types of assessments
  • E.g. IT security assessment is a form of risk assessment
• Often focused around a proposed change or idea
  • E.g. Risk assessment of using a cloud-based storage system

Page 17: Risk Assessment Pros

• Requires involvement from business owners and IT
• Used to identify valid business problems
• Puts technical issues in context
• Evaluates the impact of those problems
• Prioritizes risks
• Informs investment decisions

Page 18: Risk Assessment Cons

• Requires involvement from business owners and IT
• Relies on imperfect information
  • Likelihood often unknown
  • Impact often unknown
• May result in many findings with equivalent risk level
• Expensive to do a broad and thorough risk assessment

Page 19: So Which Do I Want?

• A penetration test is best used:
  • To scare management into investing
  • To identify weaknesses in a very mature security program

• A vulnerability assessment is best used:
  • To validate effective patch management and system configuration practices
  • To evaluate exposure to the most common technical attacks

Page 20: So Which Do I Want Cont.

• A security assessment is best used:
  • To identify more than just technical vulnerabilities
  • To perform a compliance gap analysis
  • To engage an external security resource

• A risk assessment is best used:
  • To evaluate the importance of a possible security investment
  • To evaluate the impact of a proposed change

Page 21: Bonus! Web Application Vulnerability Assessment

• Definition: The process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a web application.
  Source: http://en.wikipedia.org/wiki/Vulnerability_assessment + Adam Carlson

• Example: Performing a code review and penetration test against an internally developed web application.

• Best used to secure applications managing highly sensitive data or those available over the Internet.

Page 22: Recommended Prioritization

• External vulnerability assessment
• Internal vulnerability assessment
• Security assessment
• (anything else worth investing in)
• Penetration test

Page 23: A Few Considerations

• “White box testing” provides the most value
• Security assessments often include vulnerability assessments (but not always)
• “Penetration tests” offered by many vendors are actually security assessments
• Vulnerability assessments can now be easily performed via SaaS (nCircle Purecloud, Qualys, Nessus, etc.)

Page 24: Tips For A Successful Project

• Enumerate the goals of the engagement:
  • What is the ideal scope?
  • What knowledge should be gained?
  • Who is the intended audience?

• Understand your budget
• Compare your options

Page 25: Evaluating Potential Vendors

• Consider an RFP/RFI template
• Ask about the process
  • Who will do the assessment?
  • What will the report/deliverable look like?
  • How will post-engagement questions be answered?
• Ask them to explain their strengths/differentiators
• Ask for references
• Think about your future together

Page 26: Don’t Pay To Be Told…

• To patch your systems
• To run a firewall
• To run up-to-date antivirus
• To put data backups in place
• That security policies are important
• Etc.

• Do a self-assessment instead (SANS Top 20, LegalSEC)

Page 27: Questions/Comments

• Thanks for joining us today!
• Please say hi at SharePoint/LegalSEC next week
• Continue the discussion
  • #LegalSEC
  • @ajcsec on twitter
  • [email protected]