ISACA Journal
Volume 3, 2,018 

Features 

Building a Strong Security Posture Begins With Assessment 

Tyler Hardison, CISSP, PCI-QSA 

Hacked! Attacked! Leaked! Daily news headlines scream high-profile information security failures and their consequences, emphasizing that the severity of the risk posed by technology and the management, storage and transmission of massive quantities of sensitive information is unprecedented.

Where are the data? What are the security holes? What are the risk factors? Is the enterprise compliant? There are many questions about the terabytes of data that funnel through enterprises; how they are protected; and whether enterprises are compliant with state and federal guidelines, regulations, and best-practice standards.

When it comes to assessing risk factors and gaps in an information security structure, it is important to identify what type of information is stored, how it is transmitted and accessed, and what risk factors pose possible threats to the information. Risk assessment enables an enterprise to identify hazards and risk factors that could cause harm, analyze and evaluate these hazards, and determine the best course of action to remediate the risk. Among the factors to consider are:

  • Threats
  • Vulnerabilities
  • Likelihood
  • Business impact
  • Residual risk
  • Effectiveness of controls protecting assets

What Is Right for the Enterprise?

Everyone’s enterprise has different needs. Some may need a complete overhaul, while others just need a tune-up. As such, there are a number of approaches to assess risk, including:

  • A risk assessment identifies the key assets, the possible risk to these assets (e.g., destruction, modification, improper disclosure) and the controls in place to mitigate the risk. It is imperative to use a risk assessment to determine the controls to put into place. Risk assessments are also closely related to the business impact analysis (BIA) and provide necessary data to gauge impacts.
  • A security audit then proves that the identified controls are in place and in alignment with the security program.
  • A gap assessment measures a security program against a known framework. Examples of frameworks include the US Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), US Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley Act (SOX), US National Institute of Standards and Technology (NIST) 800-53, and NIST 800-171. In some cases, where a regulatory framework does not apply, it is widely accepted that NIST 800-53 is an excellent framework.

It is important to understand how well the current security program operates within the technical architecture. Risk and gap assessments can be used to provide a snapshot-in-time dashboard for the executive management team to demonstrate a functioning program. A proper assessment of any type is an ongoing process and should be forward-looking. Where does the enterprise want its security to be in the future? What does it want its compliance posture to look like? What is its plan to address risk? To which industry framework should the enterprise map?

Assessment Knowledge Is the Foundation

Protecting the integrity and availability of confidential information is critical. Information security should command significant attention across the enterprise. Often, information security is overlooked because of limited staffing, budget and senior management support. This was demonstrated by recent events at Equifax, where the chief executive officer is being held accountable for a failed patch of Apache Struts.1 As such, it is paramount that the executive management team truly understand and address risk factors through effective and proactive policies to be implemented by the enterprise as a whole. The responsibility has crossed over from “that is an IT problem” to “this is everyone’s problem.”

Because the assessment structure is key to a functioning information security program, it is critical to include the risk management and operational security cycle as the cornerstone of the enterprise’s policy. The team must systematically assess risk, make risk decisions, address risk, and evolve and test programs.

Assessing risk means taking a negative outlook on protected assets. What are the possibilities surrounding the protected assets, and what is the impact if these data are lost? It is necessary to come up with worst-case (yet realistic) scenarios on the overall threat to which each asset could be exposed to, thinking in categories such as:

  • Environmental (adverse weather)
  • Geopolitical (new regulations or a shift in consumer behavior)
  • Malicious actor (advanced persistent threats)
  • Nonmalicious actor (employee mistake)

Risk decisions often boil down to an enterprise’s willingness to accept a loss. This is often based on a monetary calculation as to the worth of the asset and the cost of loss. In some situations, an enterprise may find that its tolerance for loss is higher than the cost of the asset. This is addressed by a documented willingness to accept risk vs. the cost to protect the asset. An example of this is a physical asset, such as a storage shed, that does not contain any important assets. The cost of a full-time security guard outweighs the projected loss of the asset. It is, however, important to be careful. Reputation loss is a cost of which enterprises must be aware, and it should weigh in their final decisions regarding mitigation.

Addressing risk, or mitigating risk, involves making a decision to change a process or invest in additional protections. Applying a mitigation results in a residual risk score that identifies whether more protection is needed. A caution with residual risk is that it can never be zero. There is always a fundamental risk to any asset regardless of protections being applied. There are always unknowns, and malicious desires to acquire an enterprise’s assets are always high. New and increasingly clever methods for gaining access are a constant threat. It is critical to always consider the fact that one is fallible and exposed.

The security audit of the cycle involves evolving and testing programs. While the risk assessment and information security program have thoroughly documented all risk factors and how the enterprise is addressing them, they are worthless unless the implementation is proven through physical and logical testing. This cycle uses penetration testing, network scanning and physical inspection of the actual implemented systems and controls. These audits and assessments will feed back into the program and provide the ability to make adjustments. It is not uncommon to discover that there are limitations to a prescribed method in a procedure (derived from the information security program) and need to adjust. However, it is important not to allow the procedure to remain unaddressed, as this will be called out as an exception during an assessment.

This is a continuous cycle. A well-executed security cycle provides enterprises with a risk management-based methodology for integrating security assessment and auditing. It also provides functional testing to achieve continuous, targeted and relevant improvements to information security-related programs. Additionally, it helps define a clear, concise and achievable set of responsibilities. Assessing and prioritizing ongoing efforts helps clarify and, ideally, minimize the uncertainties that can limit effectiveness.

A Strong Foundation

Senior management wants assurance, and IT and security teams need to prove functional excellence. The goals for the risk management process are:

  • Safety—The ability to avoid, deter, prevent, or rapidly detect and negate incidents before damage occurs.
  • Durability—The ability to withstand, respond to and recover from damage without disrupting critical business functions.
  • Resilience—The ability to restore critical business functions to acceptable operating levels after a disruption.

An effective risk assessment is the foundation of an effective risk management program and the foundation for developing an effective information security program. Too often, enterprises have boilerplate security programs and policies that do not address their basic risk factors. Every enterprise’s enemy is risk, and the key to remaining resilient and secure is understanding that risk as much as possible. Not understanding risk can only hurt the enterprise. Understanding helps provide insight into what it is that the enterprise must protect. A security posture should become more efficient and effective over time through continuous improvement—just like every other business process. When an enterprise is looking to improve its security posture and boost its compliance, risk assessments and gap assessments are keys to continuous improvement and well-informed leadership decisions.

Understanding Risk

A risk assessment is about gathering data, determining threats, analyzing risk factors and prioritizing to determine mitigation. Multiple frameworks exist for performing risk assessments. Choosing one and becoming consistent is critical to remaining abreast of the enterprise’s risk profile. The three most common frameworks are:

  • Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE Allegro)
  • Factor Analysis of Information Risk (FAIR)
  • NIST Risk Management Framework (RMF)

Each has its own strengths and weaknesses and can be quite effective when the right amount of resources is applied. OCTAVE Allegro2 is more than sufficient for most enterprises, with ample documentation and examples to kick-start a risk management program.

At a high level, OCTAVE Allegro is more for enterprises that are already aware of their gaps and need to implement an effective risk management program. The steps are:

  • Gather data regarding the information and technology assets.
  • Determine threats to assets, vulnerabilities, existing security controls and processes, and the current security standards and requirements.
  • Analyze the probability and impact associated with the known threats and vulnerabilities to the information and technology assets.
  • Prioritize the risk factors to determine the appropriate level of training and controls necessary for mitigation.

It is important to conduct a risk assessment that incorporates:

  • Reviews of changes to the threats and vulnerabilities in the enterprise’s operating environment
  • Reviews of changes to the enterprise’s regulatory environment
  • Audit and assessment outcomes
  • Functional incident response and business continuity plan testing outcomes
  • Technical and nontechnical penetration testing outcomes

The final step is to submit the risk assessment report to senior management for decision-making. Where most enterprises fall short in their first foray into a risk management program is the required follow-up after remediation. At least annually, a follow-up risk assessment needs to be performed to ensure that newly identified risk factors are mitigated and previously documented risk factors are still sufficiently mitigated. Ideally, risk factors should be continuously monitored, and the enterprise’s risk assessment portfolio should be updated in real time.

Most breaches and data-loss scenarios can be traced to a failure to understand how risk changes and morphs over time. One example from a recent assessment illustrates the need to continually monitor for changes within the environment. For more than a few years, a large retailer had demonstrated that its software-patching practices were effective, and it had numerous scans and penetration tests showing that its systems were secure and the controls were working. However, an acquisition of a smaller retailer had not been accounted for during testing. The enterprise had simply continued its software patching and internal penetration efforts against the original core network. It had been assumed, incorrectly, that the smaller retailer already had this program in place. During the acquisition, a virtual private network (VPN) tunnel had been established for the benefit of accounting and finance to gather records from the smaller retailer. Unbeknownst to the parent company, a malicious actor had been siphoning off data for more than a few months prior to the establishment of the tunnel.

While the parent company had reasonable and effective controls in place, the malicious actor became aware of the new connection and began to sniff around the new network. The parent company noticed the unusual traffic immediately, and an investigation effort uncovered the extent of the damage done within the smaller company. The key takeaway from this is that the larger retailer needed to perform a risk assessment against the smaller retailer before the establishment of the VPN tunnel to ensure that the risk was low. The most effective solution would have been to conduct a full IT audit prior to the acquisition to allow time to uncover any potential issues.

Mind the Gap

Once an enterprise fully understands its risk and a security program is in place, a gap analysis is a great next step. A gap analysis provides insight and perspective on the information security landscape, helping to identify possible security holes, weaknesses and risk factors in the enterprise’s network. This enables the enterprise to better understand what needs to be addressed and take action. It is important to look for gaps from a total-systems perspective. Next, it is essential to prioritize the remediation according to the business drivers discovered during the risk assessment process. A good start is considering the gaps that would have the least desired outcome for the business if they were leveraged in an attack. Top drivers typically include:

  • Loss of reputation
  • Loss of revenue/profits
  • Liability
  • Loss of personnel
  • Loss of property

A penetration test complements the gap analysis and helps the enterprise learn about the security of its IT infrastructure by safely exploiting its vulnerabilities and identifying security threats. Common vulnerabilities found during penetration testing include inadequate patch management, unsupported legacy software, password reuse and access control issues.

According to the InfoSec Institute,3 the top five cybersecurity vulnerabilities are injection vulnerabilities, buffer overflows, sensitive data exposure, broken authentication and session management, and security misconfiguration. Added to those vulnerabilities, according to the McAfee Labs 2017 Threats Predictions report,are ransomware, Internet of Things botnets, phishing and whaling attacks, business process compromise attacks, and machine learning-enabled attacks.4

Do Not Forget the Security Audit

Now the enterprise has documented all of its programs and procedures, and it has a clear understanding of its risk. However, does staff understand the actual implementation and consequent testing of the implementation? An enterprise should conduct testing in adherence with its security standards. If a tester asks that certain protections in place be removed to “see what really happens,” then the enterprise is now exposed and in danger. No assessor should ever have the need to ask for a relaxing of standards to attempt penetration testing. Penetration tests must be treated as real-world exercises.

Conclusion

Performing the steps in this article results in a deep understanding of an enterprise’s security stance. Without these fundamental pieces in place, most enterprises will make poor decisions regarding properly securing assets. In some cases, an enterprise may decide to simply do nothing. This approach needs to change, starting with documenting the underlying issues then addressing these issues with a clear and present understanding of the identified risk factors. The steps outlined herein give an enterprise the tools to approach security in a mature and procedural fashion. Overall, this will strengthen the enterprise’s security stance and, in the long run, provide the tools to become increasingly secure. As is taught in the military, Boy Scouts of America and similar disciplines: Proper planning prevents poor performance.

Endnotes

1 Ivanova, I.; “Former Equifax CEO Testifies Before House Energy Committee—As It Happened,” CBS News, 3 October 2017, https://www.cbsnews.com/live-news/former-equifax-ceo-testifies-congress-richard-smith/
2 Caralli, R. A.; J. F. Stevens; L. R. Young; W. R. Wilson; Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, USA, May 2007, https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=8419
3 InfoSec Institute, “The Top Five Cyber Security Vulnerabilities,” 2 July 2015, http://resources.infosecinstitute.com/the-top-five-cyber-security-vulnerabilities-in-terms-of-potential-for-catastrophic-damage/#gref
4 McAfee Labs, “McAfee Labs 2017 Threats Predictions,” November 2016, https://www.mcafee.com/us/resources/reports/rp-threats-predictions-2017.pdf

Tyler Hardison, CISSP, PCI-QSA
Is chief technology officer at Redhawk Network Security and plays a key role in leading new product strategies and initiatives, and is responsible for developing technology solutions and service offerings for clients. Hardison is highly regarded as a hands-on technologist with a strong focus on regulatory issues, program management and secure implementation. With his extensive knowledge of evolving cybersecurity threats, Hardison leads the development and execution of innovative, robust and secure information technology environments for organizations of all sizes. He has extensive experience and knowledge of security and IT, including regulatory issues and compliance, enterprise architecture, disaster recovery, process improvement, custom application development, and risk management.

 

Add Comments

Recent Comments

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.