Knowing the strengths and weaknesses in the defenses of your organization is crucial to its survival.
There is a solid reason for quoting Sun Tzu when it comes to knowing yourself. The actual quote is:
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
― Sun Tzu, The Art of War
In the beginning of my career I hated audits – all of them. IT audits, IT Security audits, compliance audits – they seemed like a waste of time. They seemed to get in the way of my “work”, stopping my “productivity” and waste everybody’s time just to produce spreadsheet reports. I am sure a huge percentage of IT personnel today and tomorrow will continue seeing them that way. In reality they are an excellent and probably the best way of ‘knowing yourself’. Every audit can provide you with a ton of information and if you look at it from different angles you will see the bigger picture. Instead of forcing them on your fellow colleagues it is a good idea to spend some time and explain their value once and for all – you will get better data and better results if you do it.
Knowing by heart the exposure of your organization to external and internal threats is crucial. At any point in time your officers need to know the currently open vulnerabilities for any system under their command – that includes public exploits as well as configuration weaknesses which would make lateral movement or data exfiltration easier once a breach occurs.
Maintaining an internal, well-protected database of all systems and their current state of exposure is critical. This would be done best by integrating a 3rd party system with a CMDB (configuration management database) containing all of your equipment and all of your logical business systems and software systems, database systems and file storage systems, automatically updated over time when new equipment is added.
Information on current exposure is best gained from manual and automated audits.
Larger organizations are usually forced to pass yearly audits to maintain compliance and can audit each other before establishing trust. If you are part of such an organization then this chapter will help you find alternatives to what you use today and who knows, maybe you will find the alternatives more effective than what you use today?
The reason I somewhat lack trust in the popular standards – such as ISO/IEC 27001, is that many times the auditors try to ‘help you pass’ – they accept paper proof without validation or sometimes themselves do not see the difference between a realistic control and the control they see on paper. If a control is ‘there’ it is not necessarily effective – but they will write a “yes” on their checklist and move on. They will not discuss with you the effectiveness of said control – as a result you will have a false sense of security after ‘passing’. This is risky.
Besides the most popular information security audit standards there are ones which are less popular and in a way more powerful. I don’t know how they didn’t get to the market and why aren’t they accepted by the majority as primary information security assessment methods – but I personally strongly recommend them. A likely reason is the lack of a significant marketing and sales effort – not their value or effectiveness.
The first in my list by importance is NSA-ISAM, which is short for NSA Information Security Assessment Methodology. If you read the book, you might just be able to perform it yourself, following the book, granted you have the manpower and expertise necessary. You can find the book on Amazon: http://www.amazon.com/Security-Assessment-Case-Studies-Implementing/dp/1932266968
This book goes hand to hand with http://www.amazon.com/Network-Security-Evaluation-Using-NSA/dp/1597490350/ – “Network Security Evaluation Using the NSA IEM”
Having been developed by the NSA with the purpose of protecting the US Government networks and contractors I can assure you it is less full of BS than other auditing standards out there.
The reason this information security assessment methodology is so powerful is that it covers everything – including blue and red teaming assessments. Real assessments and not just a checkbox “do you perform pentests – yes / no”, like in other ‘standards’.
Having risk-based approach rather than a checkbox-based approach is yet another benefit of passing through NSA-ISAM.
Since this methodology is not mandatory and is almost unknown outside the USA it has made little commercial impact and had no chance of becoming the pillar of information security assessment it deserves.
There are, however, multiple organizations and individuals capable of getting our organization audited according to NSA-ISAM. The price for such an audit can begin in the range of $20 000 – but that figure can be significantly lower or higher based on the size of your organization or its complexity / perceived risk.
Most experts in the field have heard or used to some degree the NIST 800 series of standards and best practices. Not many have performed audits based on them, though – and that is a really big miss. You will rarely see auditors with experience in NIST 800-53 v4 as one of their areas of expertise – meaning you might have to organize the workforce to deal with this task yourself. Luckily, there are tools to help you with that.
There are tools which might help you perform complex assessments without having to pay auditors who would basically do the same thing – asking you questions and marking down check-boxes in their notebooks. You can easily ask the same questions to your IT team and fellow colleagues.
This actually is a set of usable assessment programs generating very useful, readable and actionable reports. It is called CSET (Cyber Security Evaluation Toolkit), and can be found at https://ics-cert.us-cert.gov/Downloading-and-Installing-CSET
Mounting and installing from the ISO file leaves you with the most powerful free infosec assessment manual audit tool ever created.
My recommendation: install it on a secured laptop, the auditor can pass through the various departments of your company – the program is designed to collect verbal answers (with the option to attach evidence) and produce reports based on checklists and questions.
CSET allows for a full audit of your company’s practices against NIST 800-53 or DoD 8500, as well as several other standards:
You and your team can have weeks of fun with this tool! I would like to reiterate: it’s FREE. It would be a sin not to use it.
Note: this is NOT a scanner. It is meant to manually (questions and answers, collecting evidence to support these answers) audit your company’s cyber security posture.
Please remember: an audit is useless without validation. For every answer you get require proof – in the best case scenario, the person answering the question should be able to show you the exact setting / control in place, not just on paper. In the worst case scenario, accept documents – but never accept an answer as “yes” without evidence.
I am oversimplifying the complexity of this application – its user manual is 250 pages long and is worth reading.
Automated scanners and penetration testing
Now that is an entirely different field. I would like to avoid turning this book into a catalogue of links and tool names – just remember, that a free tool is as effective as its price – for example, HP’s WebInspect is much more powerful than most freely available web vulnerability scanners, but its price will likely mean it will be cheaper for you to hire a professional services firm to run it for you rather than buy the license, unless you are on the Fortune 500 list.
Important: When purchasing / leasing an automated scanner to assess your environment, check if it supports STIG compliance checking. You will learn why later on in the book.
Another very important feature you should be looking for is vulnerability remediation tracking, unless you want to do all that work in Excel.
Automated scanners are the most basic level of assessment you could run in your environment. A manual assessment by a professional penetration testing team will uncover logical errors and weaknesses which a tool can never find.
But there is also a caveat to penetration testing: the technology I mention again and again and again throughout this book – STIG/SRG – is unknown to most penetration testers. That means that the intricate details of system hardening up to the deepest configuration settings are also not well known to them. Penetration testers focus on finding the weakest link or the easiest exploitable hole in your defenses – their target is not finding ALL of them. So even after a pentest uncovers tremendous weaknesses in your defenses and you fix all of them – remember, 90% of the remaining vulnerabilities are still there. Please remember that and work on hardening as many devices as deeper as possible. If you can afford a team of a few penetration testers who will find 10% of the existing vulnerabilities in your defenses there are countless others working individually and in teams doing the same and looking to break the other 90% around the clock, if left unchecked.
How to choose a penetration testing company
Disregard the brochures and sales presentations given by big name organizations. I have seen very, very big names deliver ‘penetration testing’ in the form of heavily branded vulnerability scan reports and a couple sql injections. Same organizations charge in the range of $1000 per day for their services.
Try and find the company employing infosec professionals with a different set of skills. They don’t like wearing suits and you could see them in jeans and black T-shirts, covered in tattoos – but what differentiates them from ‘suited pentesters’ is they know what they’re doing. They present regularly at security conferences because they have something to say – and people listen to them time and time again. The same people often create open-source security tools – tools which then are used by everyone, even by the ‘suited pentesters’.
This is the one solid sign your potential vendor can deliver on a penetration testing engagement – involvement and usefulness to the infosec community, as well as name recognition of their employees in the same. And just because I love examples, I will allow myself to gift some shameless advertising to my friends from TrustedSec – https://www.trustedsec.com/may-2015/egressbuster-v0-2-and-github-goodies/
They are just one of the hundreds of properly trained teams around the world – but looking for the right ones just got easier for you.