Technical Security Assessment

I intentionally left this topic out of my previous article “Information Security / Cyber Security: Audit vs Maturity Assessment vs Risk Assessment”, because it is the most efficient type of assessment when an enterprise wants to identify its technology-related risks, its current security posture and the ability of its teams to successfully detect and respond to cyber attacks.

A technical security assessment consists of a series of security tests, assessments and audits conducted to discover vulnerabilities in the IT infrastructure and information systems that may pose significant risk at business level. Each of these encompasses a different type of assurance activity:

  • Security tests
  • Security assessments and review
  • Security audits

Following security best practices, adequate assurance activities should be performed during an enterprise-level risk assessment and after any significant change in the IT infrastructure and information systems.

Security Tests

Security tests verify that a control is functioning properly. These tests include automated scans, tool-assisted penetration tests and manual attempts to undermine security:

  • Vulnerability assessment
  • Penetration testing

It is worth noting that other types of assessment, such as social engineering, red teaming of real-world scenarios, or scenario-based process testing, are not considered security tests.

Security tests should take place on a regular schedule, with attention paid to each of the key security controls protecting an organization. When scheduling security controls for review, the following factors should be considered:

  • Availability of security testing resources
  • Criticality of the systems and applications protected by the tested controls
  • Sensitivity of information contained on tested systems and applications
  • Likelihood of a technical failure of the mechanism implementing the control
  • Likelihood of a misconfiguration of the control that would jeopardize security
  • Risk that the system will come under attack
  • Rate of change of the control configuration
  • Other changes in the technical environment that may affect the control performance
  • Difficulty and time required to perform a control test
  • Impact of the test on normal business operations

After assessing each of these factors, security teams design and validate a comprehensive assessment and testing strategy. This strategy may include frequent automated tests (vulnerability scans) supplemented by infrequent manual tests (penetration tests).

Vulnerability Assessment

This security test requires an enterprise-class vulnerability scanning and assessment tool to conduct automated vulnerability scans covering:

  • Endpoint IP Discovery and Network Leakage Detection
  • Rogue and Unknown Network Detection

The automated scan requires no work from administrators once it is configured, so it is easy to run frequently to check for unpatched systems, open ports, vulnerable software and misconfigured services across the network.

In addition, various free and commercial tools can evaluate the security settings and configuration of the local machines on which they are installed, providing fine-grained insight into unauthorized configuration changes or security weaknesses inadvertently introduced by administrators.

A vulnerability assessment should also include an assessment of the security of all routes from the Internet into the internal network, public-facing web servers, restricted systems, and critical servers on the internal network.

The vulnerability scanning tools must be able to assign each vulnerability a risk ranking based on industry best practice, such as the CVSS base score.

When the vulnerability assessment scanning is carried out by an external company, the Client should be aware of and approve the scanning and assessment tools to be used.

Penetration Testing

The security team may wish to complement these automated scans with a manual penetration test performed by an external consulting company. Such tests may occur annually to minimize cost and disruption to the business.

Penetration testing can be conducted on the entire IT infrastructure and information systems or on selected parts, such as:

  • Network – aims at identifying systems on the network with open ports and discovering known security flaws on those systems
  • Web applications – aims at searching for known vulnerabilities in applications that have already passed the build stage (OWASP Top 10 Application Risks)
  • Mobile applications – aims at searching for known vulnerabilities in mobile applications (OWASP Top 10 Mobile Risks)
  • Wireless – aims at searching for known vulnerabilities in WiFi systems, Bluetooth, ZigBee, Z-Wave, DECT, RFID, NFC, contactless smart cards, and proprietary wireless systems

The penetration testing team requires a varied set of skills, as the team must have in-depth knowledge of the target assets, which is why the test is often carried out by an external consulting company.

The Client should carry out a few activities prior to signing the Rules of Engagement with the third party, such as:

1. Consultant background check and certification validation (see UAE NESA Security Penetration Testing Mandatory Guideline):

  • For the lead penetration tester:
    - Minimum 5 years of experience
    - One or more of the following certifications: CISSP, CISM, CISA, GIAC GSLC
    - Either GIAC GPEN or Offensive Security OSCP/equivalent certification

  • For a penetration tester:
    - Minimum 3 years of experience
    - One of the following certifications: CISSP, GCIH, GIAC GPEN, or Offensive Security OSCP/equivalent certification

2. Define very clearly the scope of testing:

  • The scope will detail the objective, scale, depth and methodology to be used. For a CII entity, the methodology to be used is the UAE NESA Security Penetration Testing Mandatory Guideline. For a non-CII entity, we follow our own methodologies for the various technical assessments in the offensive domain.
  • The scope shall determine how much information is given to the penetration testing team:
  • Black Box: Very limited information. A zero-knowledge team knows nothing about the target site except publicly available information, such as the domain name and company address. It is as if they are looking at the target as a black box and have no idea what is inside until they start probing. An attack by a zero-knowledge team closely resembles a real external attack, because all information about the environment must be obtained from scratch.
  • Gray Box: Limited information. Also known as partial-knowledge tests, these are sometimes chosen to balance the advantages and disadvantages of white and black box penetration tests (mostly cost and time constraints). The team may be given information on the network design and configuration details so that they can focus on attacks and vulnerabilities for specific targets.
  • White Box: All information. A full-knowledge team has full access to all aspects of the target environment. They know which patches and upgrades are installed and the exact configuration of all relevant devices. If the target is an application, they have access to the source code. This provides the testers with detailed information about the systems they target.

3. Notify UAE SIA (formerly NESA) if the Client is a CII entity, providing:

  • The company name of the third party that will perform penetration testing, the scope of the testing, and the team members involved
  • Wait for approval (beware that some requests may be rejected)
  • Obtain security clearance for the team members involved

4. Be aware of and approve the scanning tools to be used by the third party

Security Assessments and Review

In this context, a security assessment is a systematic examination of the following:

  • Enterprise security architecture, design and solutions review
  • Security review of web-based systems: Applications security, Database security
  • Availability Assessment: Distributed Denial of Service (DDoS) Protection, Web Portal Availability

Enterprise Security Architecture Review

No security architecture is complete and totally secure, and no IT system is free of weaknesses and vulnerabilities. The goal of security architecture is to address as many known weaknesses as possible and to resolve security issues.

A security architecture review is a systematic examination of the entire enterprise architecture that encompasses all aspects supporting business and IT initiatives (business architecture, information architecture, application architecture and technology architecture):

  • Review of network topology, segmentation, devices configurations, security controls, environment vulnerability assessment, physical security review
  • Server-based infrastructure (e.g., data flow control)
  • Client-based infrastructure (e.g., applets, local caches)
  • Large-scale parallel data systems
  • Distributed systems (e.g., cloud computing, grid computing, peer to peer)
  • Cryptographic systems
  • Industrial control systems (e.g., SCADA)

Security Review of Web-Based Systems

Software plays a critical role in any security infrastructure because it handles sensitive information and interacts with critical resources.

To ensure web-based systems are secure when exposed on the Internet, software reviews should be performed on web applications during the development phase (by the software development team), during the integration and testing phase (by the software acceptance team), and in the production phase (by the security assessment team). Examples of software reviews are:

  • Source code review: pair programming and peer reviews (development phase)
  • Software testing: static testing, dynamic testing, interface testing, and misuse case testing (integration and testing phase)
  • Software security review (production phase)

Even when software development is outsourced, the Client should monitor the execution of all activities during the development, integration and testing phases.

Regardless of the execution and/or outcome of previous software review activities, our consultants can perform a security review of web-based systems either before or after go-live, consisting of:

  • Source code review – the process of reviewing the source code of a web application to verify that proper security controls are present to mitigate security weaknesses and known vulnerabilities at the source code level (e.g. XML, OWASP Top 10 Application Risks), that they work as intended, and that they are invoked in all the right places.
  • Web server security review – the process of reviewing the vulnerabilities of the web servers.
  • Back-end database security review – the process of reviewing the collective measures used to protect and secure a database from illegitimate use and malicious threats and attacks (e.g., inference, aggregation, data mining, data analytics, warehousing).
  • Software security review – the method of assuring the security of the software development environment and that software developers follow secure development techniques. A general rule of thumb is that a penetration test should not discover any additional web server or application vulnerabilities after a software security review.

Availability Assessment

The Domain Name System (DNS) is a critical infrastructure service for all infrastructure providers, application owners and Internet users, as it resolves any request for a website by matching the website name to its IP address, which common Internet users do not know.

Being exposed to the Internet, the DNS server can be targeted by attacks for covert resource usage or data exfiltration, but the biggest threat is DDoS attacks, which could render your website or applications completely unreachable.

A DDoS attack is any cyber attack that compromises a website or web application and impairs the ability of legitimate users or visitors to access it. An availability assessment provides assurance on the following:

  • Effectiveness of malware propagation controls and scanning protection tools
  • Real-time controls to prevent DDoS and protect against volumetric attacks (Botnet / Zombie)
  • Web application protections against Application Layer (L7) outages
  • Controls protecting critical servers and services (e.g. behavioral, non-signature based, signature based, reputation services)
  • Web Portal Availability / Domain Name Service (DNS) management and DNS server protection

Security Audits

The security audit program is a tool that can be used for the completion of a specific assurance process such as:

  • Active Directory (AD) audit – a review of the physical security of the domain controllers, domain and domain controller configuration settings, AD boundaries, AD management, and administrative practices. The audit evaluates the security design, implementation and effectiveness in supporting the servers and workstations deployed in a Windows environment
  • Windows server and workstation audit – an evaluation of server functions (web, email, file/print, etc.) and of the operating system and its function (desktop, laptop, special applications, etc.)
  • Compliance audit – a review of compliance with existing policies, procedures and applicable standards, and of the operating effectiveness of the security controls; it assesses the effectiveness of the security program with a focus on security processes such as asset inventory and classification, user access and identity management, log reviews, backup data verification, key performance and risk indicators, etc.

About myself: I have worked with, written and implemented secure SDLC frameworks, written VAPT methodologies tailored to various SoWs, written methodologies for the security review of web-based systems, and performed compliance audits in companies across different sectors.
