Why undertake periodic assessments?
There is a long list of reasons why you want to do periodic assessments, and an equally long list of reasons why you should. An increasing number of organizations are bound by governmental regulations that dictate what security measures you should have in place and how they should be audited. HIPAA, PCI, FISMA, Sarbanes-Oxley, and Gramm-Leach-Bliley all dictate how to secure different types of data and the systems that manage it. They also require regular security posture assessments, though they vary on specific requirements and time frames.

If you’re not actually bound by any of these governmental regulations, you still might want to use them as resources to help guide your own IT security practices. ISO 27002 is a good generic security standard, and we discussed the value of FISMA to every organization in the Q4 2006 issue of The Barking Seal.

There are many benefits to doing periodic assessments beyond simply complying with government regulations. Undertaking regular assessments can help you to:

• Find out whether your security has already been compromised. You might not know unless you look, and you will sleep better at night if you know.
• Stay on top of the latest security threats — with new attacks coming on the scene every day, you could become vulnerable even if nothing has changed since your last assessment!
• Make sure that your staff is being vigilant by maintaining a focus on IT security.
• Increase awareness and understanding of security issues throughout your company.
• Make smart security investments by prioritizing and focusing on the high-importance, high-payoff items.
• Demonstrate to your customers that security is important to you — this shows them that you care about them and their data.

Paths of attack. Evaluate ways that your security can be compromised from the inside or outside, from both internal and external sources of attack. Auditing your firewall rules and watching logs is only part of the picture. Can hackers harvest information through a company directory posted on the Internet? If so, each of your employees is now a potential vector for social-engineering attacks. Internally, are you using secure tools with secure protocols, for example SSH/SFTP vs. Telnet/ FTP? What services do your internal servers and workstations provide? Do they match up with your policies? And has someone snuck a wireless access point onto your network to make her life easier and give you a new security vulnerability?

Software patch-level and use compliance. Just how well have you been keeping up with patches? You’ve got a number of areas to pay attention to: operating systems on servers and workstations; infrastructure services such as email and DNS; enterprise applications including Web applications and databases; and then there are desktop productivity applications. What are your patch policies? Are you following them? And what is your lag time?

Network security architecture. Assess and re-assess how your network is defended at its perimeter, and how well it is segmented internally to limit the damage that can be caused by prying eyes or errant applications. Audit both your device configurations and your update procedures and policies.

Infrastructure best practices. If hackers were wolves and you were their prey, where would you want to be? Right in the middle of the pack. Hackers, like wolves, prey upon those who lag behind. Remember that security is not absolute, but relative, so it’s a game of intelligently assessing risk. Compare your security infrastructure with your peers and keep your organization in line with industry best practices.

User administrative policy and compliance. Writing down your security policies gives your employees guidance and you a benchmark with which to compare your performance. Do you have policies for what administrators, end users, and software developers can do? Measure your performance against your own standards.

Encryption usage and key handling. Use encryption to secure internal and external communication, including between layers of software. Make sure you’re using it, and you’re exercising proper control over encryption keys.

Trust-level dependencies and management. How well do you understand your business relationships and the trust you place in them? Do you trust your business partners, for example, so much that their security vulnerabilities can become yours? Or do you give them controlled, role-based access only to the applications they need?

Virus protection and management. Viruses can come from practically anywhere: from an employee’s home laptop, from visiting a malicious Web site, from an infected USB drive. How well is your antivirus software working, and how prepared are you to stop viruses if your countermeasures fail?

Role / function segmentation and acc ess management. Segmenting user and administrator privileges by roles increases security by limiting the extent of damage that they can cause — either intentionally or by accident. Make sure that you implement role-based access and that privileges overlap only where you intend them to. Remote acc ess . By what means do you allow remote employees, partners, and contractors to access your internal resources? Are they segmented by role? Are the communication channels secure? Can security problems on their remote workstations become yours? Brush up on the topic by reading ‘Safe and secure remote access’ in the Q4 2007 issue of The Barking Seal.

Password policy and use. Have a policy that dictates how complex user passwords must be and when users are forced to change them. Do you have such a policy in place? Is it automatically enforced? And are you auditing it periodically by running password-cracking software?

Organizational and security measures. A well-organized security staff is more efficient and more effective at everything from patching systems in a timely manner to responding appropriately to suspected incidents. Assess how well your organization works, how well your procedures are documented, and how well your staff members keep up to date with their field.

Physical network and system infrastructure security. All of your security measures are for naught if someone can walk into your datacenter and walk off with a disk drive, or enter a closet and watch your network. Are your physical security devices adequate? (Hint, most card-key access systems installed before 2005 are not.) Are they in place and working? Be sure nobody is propping open a switching closet with a brick or with tape over the striker plate. Backups are also part of your security strategy; verify that they work by actually restoring your data.

Telecommunications safeguards. Your telecommunications infrastructure offers routes of attack from network snooping to social engineering. If you have a dedicated network connecting multiple sites, is its traffic encrypted and secure from prying eyes along its route? Can a casual passer-by press a ‘voice mail’ button on an employee phone and gain access to company secrets?

Level and methods of ongoing vigilance. You can boost security and minimize risk not only by following the recommendations in this article. You can also educate non-security staff members with lunch-and-learn sessions that communicate the importance of good passwords, not falling prey to social-engineering attacks, and not opening attachments from people they don’t know.

Regulatory compliance. Back to the beginning. You may be bound by governmental regulations dictating how you secure and manage your business data and your customer information. These regulations sometimes dictate how you respond to an incident; California, for example, regulates how and when you must inform your customers if a breach may have compromised the security of their personal information. If you have, or are required to have, a disaster recovery plan, test it to make sure that it performs in the event of a real disaster. Finally, be sure of which regulations affect you and make sure that you’re in compliance.

Checking checks & balances
We've introduced a comprehensive list of areas that should be part of your regular security assessment schedule. Table 1 condenses this information and gives recommendations for how often to address each of them. Think about security like your finance department thinks about money. Just as your accounting system has checks and balances to help prevent fraud and embezzlement, your IT security policies need to have checks and balances to help prevent intentional and unintentional security compromises. You can handle periodic security assessments internally so long as you have a good checklist and a good set of checks and balances. Having an independent third party do some of your security assessments is your check and balance that your checks and balances themselves are in place and are, in fact, working.