IT Insights - IT Security Assessment Terminology


Effective IT security assessments begin with baselining common terminology

A favorite dish ordered at a restaurant away from home might not taste anything like what was expected, giving the customer an unpleasant surprise. How often do such situations occur? How often can such difficulties be traced to a lack of clear definitions and terminology? Unfortunately, such scenarios play out across organizations’ IT security programs, too. Effective IT security begins with recognizing related terminology so that management can act accurately upon information in a commonly understood manner. It is also crucial for ensuring that management is not relying upon false assurance. That common understanding is crucial because it helps mitigate risks related to losses in system and data availability, confidentiality and integrity, and it thus supports broader aims to mitigate reputational, financial and liability risks to the organization.

IT Security Assessments and Common Related Terminology: What the Terms Mean

IT security assessment is a widely used term that encompasses IT security audits, risk assessments, vulnerability scans and penetration tests that deploy ethical hacking efforts. While related, these common IT security terms have different objectives and characteristics. An IT security assessment’s scope may be based on a particular framework or defined set of standards, such as:

• PCI-DSS (Payment Card Industry Data Security Standard)
• FISMA (Federal Information Security Management Act)
• GLBA (Gramm-Leach-Bliley Act)
• ISO (International Organization for Standardization) 27001/27002
• NIST (National Institute of Standards and Technology) 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
• HIPAA (Health Insurance Portability and Accountability Act)

The assessment determines whether or not the organization is in compliance with that particular set of IT security standards, framework or best practices.


Vulnerability Scanning and Assessment

A vulnerability scan is a procedure performed by an automated tool and is often compared to a burglar who cases a house to identify all the windows or doors that could be used as points of entry. The vulnerability scan likewise identifies potential exposures or holes in a network or a system that could be exploited to attain unauthorized system access, unwittingly disclose information or disrupt functionality. Such vulnerabilities primarily arise from two areas:

• A misconfiguration of an operating system, application or network service
• Flaws in programming logic or source code that is processed, with or without additional user input, to create a vulnerable outcome

There are two perspectives that can be used when conducting a vulnerability scan on a selected grouping of targets: external and internal. External vulnerability scans are usually conducted without authorized user credentials and are performed against the organization’s public-facing systems from outside the targeted environment. This creates an inventory of vulnerabilities based on an outsider’s perspective (e.g. from the internet). However, this quick-win activity creates an inventory that may be incomplete because information has only been collected from public-facing systems. Additional procedures are needed to detect and identify a more complete picture of vulnerabilities, which can be sped up by utilizing an internal network connection or privileged access credentials. An internal vulnerability scan is normally performed using administrative IT credentials and focuses on all internal devices or a sampled subset. This type of scan requires an internal connection on the network. Identified vulnerabilities are then evaluated to determine which present significant risk to the organization, with mitigation efforts undertaken to address the most critical weaknesses.
A vulnerability assessment is performed by analyzing the data generated during a vulnerability scan. While the distinction between a vulnerability scan and a vulnerability assessment may seem like splitting hairs, it is best to be sure of the services performed. That can be the difference between receiving only the automated output from the scanning tool and receiving a more customized report that interprets and categorizes those results to make them more relevant to the organization. Either result may be acceptable depending on the objectives of the organization, as long as the information presented is understood and actionable.
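As an added illustration of the distinction drawn above (example code, not from this paper or from Weaver), the following Python script takes constructed scanner output and produces the kind of categorized, prioritized summary that a vulnerability assessment adds on top of a raw scan. The record format, the CVSS severity bands, the critical-host list and the exposure and asset-criticality weights are all assumptions made for the example.

```python
"""Turn raw vulnerability-scan output into an assessment summary.

Added example, not code from the Weaver paper. It assumes the scanner
exports findings as JSON records carrying a host, port, finding name,
CVSS v3 base score, category ('misconfiguration' or 'software-flaw')
and an exposure tag ('external' or 'internal') taken from the
organization's asset inventory. All records below are constructed.
"""
import json

# Constructed sample of what an automated scanning tool hands back.
RAW_SCAN_JSON = """[
  {"host": "10.0.0.5",  "port": 443,  "finding": "TLS 1.0 enabled",
   "cvss": 5.3, "category": "misconfiguration", "exposure": "external"},
  {"host": "10.0.0.5",  "port": 80,   "finding": "Outdated web server version",
   "cvss": 9.8, "category": "software-flaw",    "exposure": "external"},
  {"host": "10.0.1.20", "port": 445,  "finding": "SMBv1 enabled",
   "cvss": 8.1, "category": "misconfiguration", "exposure": "internal"},
  {"host": "10.0.1.20", "port": 3389, "finding": "RDP network level authentication disabled",
   "cvss": 6.5, "category": "misconfiguration", "exposure": "internal"},
  {"host": "10.0.2.7",  "port": 22,   "finding": "SSH version banner disclosure",
   "cvss": 0.0, "category": "misconfiguration", "exposure": "internal"},
  {"host": "10.0.2.7",  "port": 8080, "finding": "Default credentials on management console",
   "cvss": 9.8, "category": "misconfiguration", "exposure": "internal"}
]"""

# Weights are assumptions for this example: an internet-facing finding and a
# finding on a business-critical host are pushed up the remediation list.
EXTERNAL_BONUS = 2.0
CRITICAL_HOST_BONUS = 1.5


def severity(cvss):
    """Map a CVSS v3 base score to its qualitative rating band."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "Info"


def parse_scan(raw_json):
    """Load scanner records and reject any missing a field the assessment needs."""
    required = {"host", "port", "finding", "cvss", "category", "exposure"}
    findings = []
    for record in json.loads(raw_json):
        missing = required - record.keys()
        if missing:
            raise ValueError(f"scan record missing fields: {sorted(missing)}")
        findings.append(dict(record))
    return findings


def priority(finding, critical_hosts):
    """Score a finding by CVSS plus exposure and asset-criticality context."""
    score = float(finding["cvss"])
    if finding["exposure"] == "external":
        score += EXTERNAL_BONUS
    if finding["host"] in critical_hosts:
        score += CRITICAL_HOST_BONUS
    return round(score, 1)


def assess(findings, critical_hosts):
    """Categorize scan output and rank it so the most critical weaknesses come first."""
    by_severity = {}
    by_category = {}
    ranked = []
    for f in findings:
        f = dict(f)
        f["severity"] = severity(f["cvss"])
        f["priority"] = priority(f, critical_hosts)
        by_severity[f["severity"]] = by_severity.get(f["severity"], 0) + 1
        by_category[f["category"]] = by_category.get(f["category"], 0) + 1
        ranked.append(f)
    ranked.sort(key=lambda f: (-f["priority"], f["host"], f["port"]))
    return {"by_severity": by_severity, "by_category": by_category, "prioritized": ranked}


def render(report):
    """Format the assessment as the short, readable report a raw scan alone does not give."""
    lines = ["Findings by severity: " + ", ".join(f"{k}={v}" for k, v in sorted(report["by_severity"].items()))]
    lines.append("Findings by category: " + ", ".join(f"{k}={v}" for k, v in sorted(report["by_category"].items())))
    lines.append("Remediation order:")
    for i, f in enumerate(report["prioritized"], 1):
        lines.append(f"  {i}. [{f['severity']}, priority {f['priority']}] "
                     f"{f['host']}:{f['port']} {f['finding']} ({f['exposure']})")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed asset-inventory input: the file server at 10.0.1.20 is business-critical.
    print(render(assess(parse_scan(RAW_SCAN_JSON), critical_hosts={"10.0.1.20"})))
```

The raw scan already contains every finding; what the assessment step adds is the interpretation: the same two CVSS 9.8 findings are ranked differently once the internet-facing one is weighted higher, and the internal SMBv1 finding on the critical file server moves above a higher-scored finding elsewhere. Those weights are the organization's judgement, which is exactly the part an automated tool cannot supply.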


GLOSSARY OF TERMS

VULNERABILITY SCAN: An information-gathering process that usually involves systematic tools to collect data from devices and perform an analysis to determine if any known software vulnerabilities or known misconfigurations are present on those systems.

PUBLIC-FACING SYSTEMS: The collective footprint of an organization’s devices and systems that are electronically visible to individuals outside of the organization via the public internet.

BAD ACTOR: The individual or organization that initiates a harmful action against a target organization.

PENETRATION TEST: A security assessment procedure that assesses the weaknesses of a computer system or connected network device and utilizes the tools and techniques of an attacker in an attempt to gain unauthorized access to the system or its data.

INTERNAL PENETRATION TEST: A penetration test that is conducted from within the target organization’s network environment to simulate an attack from an inside employee, a compromised device, or a rogue device planted on the network.

EXTERNAL PENETRATION TEST: A penetration test that is conducted from a system outside of the target organization (e.g. from the internet).

SOCIAL ENGINEERING: Psychological manipulation of people into performing actions or divulging confidential information (e.g. calling a user and pretending to be from the IT department to get them to divulge their user ID and password credentials).

PHISHING EMAILS: Email messages sent to a target user that are intended to solicit the disclosure of information, such as usernames and passwords, or to get the user to initiate a malicious activity such as clicking on links that download malware or opening infected files.

DENIAL OF SERVICE (DOS): An event that causes system resources to become unavailable to perform their designed function, usually with a negative impact on other dependent systems (e.g. an email server that has become unresponsive, which prevents users from sending or receiving email messages).


Penetration Tests

If a vulnerability scan is the equivalent of a burglar casing a house to identify entry points, then a penetration test is the equivalent of a burglar actually attempting a break-in by sneaking in through an unlocked window to gain entry to the house. Penetration testing relies upon ethical hacking techniques, which seek to obtain unauthorized IT access by deploying tactics that bad actors (hackers) would use to exploit systems’ weaknesses. Ethical hacking is conducted by certified, trained professionals, with approval of the organization. A penetration test usually has a narrower scope than a broad, sweeping vulnerability scan and should begin by focusing on the systems and data requiring the highest levels of protection. Coordination and care should be exercised when conducting a penetration test to avoid potential disruption of production systems. As an additional precaution, some penetration tests may be conducted during non-business hours or at times when the system experiences lower demand, to further mitigate any disturbances to sensitive systems.


An external penetration test usually involves attempts to access and exploit a suspected weakness from a remote location, without the knowledge of the organization, simulating an external attacker. Once a system has been accessed or compromised, the tester then attempts to pivot to other devices to determine what additional connected resources may be exploited or what additional information may be collected. By contrast, an internal penetration test can be performed through VPN connections or an on-site testing device. This type of testing assesses the exposure from a single compromised system or a scenario where the bad actor is an insider of the target organization. Once ethical hacking identifies successful tactics, the organization can take steps to mitigate the risk of systems found to be exploitable being maliciously breached in a similar fashion.

Social Engineering

In addition to machine-automated or manual efforts, ethical hacking security assessments also use social engineering techniques. Such social engineering efforts rely upon the manipulation of human behavior for successful exploitation. Email phishing or spear phishing tactics may be used, in which individual members of an organization are asked, under false pretenses, to click on a link in a crafted email message. Clicking on such a link launches a program or script to either exploit a system vulnerability or possibly install malware that enables the email sender to access the system. Phishing can also be conducted via phone calls where the caller asks an organization’s employees to provide information needed for unauthorized access. Another means for social engineering can be physical media. USB thumb drives affixed with tempting labels such as “Payroll” or “Human Resources Only” may be placed on or near company facilities. Curiosity might prompt employees to insert those drives into company laptops or workstations. Once inserted, those thumb drives launch malware in a similar manner to a phishing email link and exploit a vulnerability, capture information or provide unauthorized system access to the tester. Security assessments and social engineering may also entail attaining unauthorized physical access to company facilities and IT equipment. For example, an individual dressed in a delivery person’s uniform might attempt to walk past a receptionist or security guard without being questioned. Valuable IT assets and information can then be accessed or stolen once inside the facility.



IT Security: Three Areas for Evaluation

Vulnerability scanning and penetration testing usually refer to various IT security assessments that are focused on network services. Network services include the devices and infrastructure that comprise an organization’s IT assets as well as the ports and services that keep them all connected. The same processes and procedures used for assessing network services can be applied toward assessing an organization’s wireless networks and web applications. A wireless network examination focuses on the configuration of specific network components and access points for the wireless infrastructure. Issues addressed include whether or not the wireless network can be easily joined, whether the network can be easily mimicked, whether wireless traffic is properly encrypted, and whether or not signal creep might enable someone nearby to intercept the wireless signal. Lastly, web application evaluations focus on whether or not a web-based application can be made to do something beyond its intended behavior. That abnormal behavior may involve inadvertently sharing sensitive data, corrupting data, or denial of service (DoS), all of which can have a devastating impact on an organization.

Accurate Terminology is Crucial for Proper Scoping and Successful Mitigation

If an organization is seeking compliance with a standard or regulation and interprets a criterion as requiring a penetration test when a vulnerability scan was what the criterion intended, nobody wins: neither the frustrated vendor who performed the penetration test nor the organization that paid for a service that did not fulfill the prescribed requirement. Equally challenging is when security services companies sell clients penetration tests that are really just automated scans with minimal human analysis or interpretation. When an organization begins to plan internally or requests information and bids from third parties for security assessments and services, a clear understanding is needed to achieve a successful outcome. An organization needs to identify its most crucial IT risks, the maturity of its security processes, and its compliance requirements, and then determine what actions are needed to mitigate risks and provide assurance. Properly assessing an environment’s needs and taking appropriate actions begins with understanding the correct IT security assessment terminology.

CONTACT US

Brian Thomas, CISA, CISSP, QSA
Partner-in-Charge, IT Advisory Services
brian.thomas@weaver.com

Brittany George, CISA, QSA, CISM
Partner, IT Advisory Services
brittany.george@weaver.com

Trip Hillman, CISSP, CISA, CEH, GPEN, GCFE, GSNA
Director, Cybersecurity Services
trip.hillman@weaver.com

Weaver’s IT advisory services group focuses on delivering performance-enhancing consultations that address your IT and business agendas. We work directly with CIOs and others to create a more risk-aware, effective IT organization that can drive process efficiencies throughout your company and better support and deliver transformational business change. Specific services we provide include:

• Application controls review
• Business continuity/disaster recovery
• Cloud computing assessment
• Data analytics
• Data privacy
• Information security and vulnerability assessment
• ISO27001 reviews
• IT audit
• IT governance and organizational effectiveness
• IT risk assessment
• Pre- and post-implementation application reviews
• System and Organization Controls (SOC) reporting

Disclaimer: This content is general in nature and is not intended to serve as accounting, legal or other professional services advice. Weaver assumes no responsibility for the reader’s reliance on this information. Before implementing any of the ideas contained in this publication, readers should consult with a professional advisor to determine whether the ideas apply to their unique circumstances. © Copyright 2019, Weaver and Tidwell, L.L.P.

www.weaver.com | 800.332.7952
