I’m often asked to perform network security assessments. There are many reasons why organizations want security assessments, but sadly, most have little to do with actually making their networks more secure.
Assessments are often promoted by consulting firms who use them as a fishing expedition. The firms that perform them get to charge top dollar for a few weeks of effort, and it’s a nice way to get follow-on work to fix all those problems they found. External assessors have a built-in tendency (if not a downright conflict of interest) to inflate the severity of the problems they find. The more “high priority” findings in the report, the more valuable the report is, and the more important it is to spend money to fix them.
Many IT departments use independent assessments as a budget justification. They use the critical findings to bludgeon their finance people into giving them lots of money to buy lots of security toys. The problem is no one ever follows up to see if security is improved. Money spent does not equal better security.
There are two reasons why most security assessments aren’t worth the paper they’re printed on. First, security assessments often rate vulnerabilities on a simple severity scale (low, medium, high) that at best is somewhat arbitrary, and often is based on nothing more than the mood of the assessor that day. Again, a lot of conscious or unconscious biases can inflate the results: “Your passwords are not fifteen characters long. You’re all going to die.”
Second, most assessments focus on listing every technical or procedural vulnerability without regard to the real threat it creates (we call this context). A vulnerability on a user workstation is one thing; a vulnerability on a server that controls your manufacturing process is another. There are also a lot of vulnerabilities that are difficult to exploit. Yes, your server may have a vulnerability, but if exploiting it requires someone to physically sneak into your data center, there aren’t that many people within travelling distance who have the skill and motivation to do so, just to get your latest annual report.
A good security assessment, however, can be helpful in determining where your organization needs to focus its resources to protect your electronic assets. Knowing where your real weak spots are is the first step to securing your network.
I’m going to let you in on a secret: you can do a pretty good security assessment yourself. Moreover, you don’t have to spend weeks gathering and analyzing data. If you are readily familiar with your network and IT systems, you could probably do this assessment in ten minutes.
Of course, you’ll object: “You can’t possibly test every vulnerability in only ten minutes!” This is true. But in ten minutes I can tell you if you have the ability to defend against attacks, and detect and respond to them if (when) they occur. If you can, then you have dramatically reduced your risk of data disclosure or theft, and can demonstrate due care in protecting your data. If you can’t, it doesn’t matter how many vulnerabilities you may or may not have — it’s only a matter of time before you become a victim of a cyber-attack.
OK, get out your number 2 pencils, and we’ll begin.
- Do you have systems in place to log network activity, such as logins, traffic blocked by policies, DNS requests, web requests and the general state of your network? Give yourself 5 points if you generate forensic log data. Ten points if you actually look at that data (be honest).
- Do you collect traffic flow data (Netflow data)? Ten points if you capture historical flow data for your users.
- Do you have an alerting mechanism (email, text, phone, etc.) to alert you or your staff when suspicious activity occurs? Not to get all philosophical, but if a network gets attacked, and no one knows it, is it compromised? If you have criteria to alert someone when something bad happens, that’s five points. If someone gets alerted 24/7, that’s 10 points.
- Do you have an incident response plan? What will you do when you get that alert message? Have you worked out what your staff will do if your web site is compromised, or if there’s a major virus outbreak? Who has authority to shut down your ecommerce site, and when? Five points if you have a plan, 10 points if you’ve actually tested it.
- Does your external firewall filter outbound traffic? If you restrict outbound traffic to only known ports, that’s 5 points. If you block SMTP and DNS from workstations, and block your servers from Internet in general, give yourself 10 points.
- Do you filter and segregate your internal traffic? Do you block administrative applications like remote console between your users and servers? That’s 5 points. If you filter traffic to critical devices like process control systems or financial servers, give yourself another 5 points.
- Do you practice login account hygiene? Do you restrict your local administrator accounts to only interactive logins? Do you have separate local admin accounts on important servers like domain controllers? Do your system admins have separate logins for administrative work and normal office tasks? Do you track when accounts are created or deleted? Do your users use non-privileged accounts? Give yourself 2 points for each one you do.
- Do you filter web traffic with a product like Bluecoat, Ironport, Websense, Barracuda, or similar? Five points if you do. Ten points if you block “uncategorized” or unknown domains.
- Do you have email (spam) filtering? That’s 5 points. You get 10 points if it has real-time updates.
- Do you routinely install patches to your workstations and servers? If you stay on top of operating system AND application patches, give yourself 10 points.
- Can your users install software themselves or do they need an administrator to do it? Five points if you restrict your users from installing software. Ten points if you block downloads from executing.
- Speaking of which, do you maintain an up-to-date inventory of workstations? That’s worth 5 points. Ten points if you get alerted when new software or hardware is installed.
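The flow-data, alerting and outbound-filtering items above all come down to the same thing: stated rules that something checks automatically and that produce a message when broken. The following is an added example, not code from the original post, showing that in miniature: it runs constructed flow records through the egress rules the checklist describes (workstations never send SMTP or DNS straight to the Internet, servers never talk to the Internet at all, other workstation traffic is limited to known ports) and turns violations into severity-rated alerts. The subnets, hosts, port lists and sample records are assumptions made for the example.

```python
"""Added example, not code from the original post.

Egress-policy check over constructed flow records.  The address plan, the
port lists and the sample flows are assumptions for the example.
"""
import csv
import io
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed address plan; any destination outside these ranges is "the Internet".
WORKSTATIONS = ipaddress.ip_network("10.10.0.0/16")
SERVERS = ipaddress.ip_network("10.20.0.0/24")
INTERNAL = [WORKSTATIONS, SERVERS]

# Ports workstations may reach on the Internet directly (web traffic only).
ALLOWED_WORKSTATION_PORTS = {80, 443}
# Ports the checklist says workstations must never use directly to the Internet.
DENIED_WORKSTATION_PORTS = {25: "SMTP", 53: "DNS"}


@dataclass(frozen=True)
class Alert:
    severity: str   # "high" or "medium"
    src: str
    dst: str
    dport: int
    reason: str


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL)


def classify_flow(src: str, dst: str, dport: int) -> Optional[Alert]:
    """Return an Alert if this flow violates the egress policy, else None."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if is_internal(dst_ip):
        return None  # internal-to-internal traffic is not an egress question
    if src_ip in SERVERS:
        return Alert("high", src, dst, dport,
                     "server opened a connection to the Internet")
    if src_ip in WORKSTATIONS:
        if dport in DENIED_WORKSTATION_PORTS:
            name = DENIED_WORKSTATION_PORTS[dport]
            return Alert("high", src, dst, dport,
                         f"workstation sent {name} directly to the Internet")
        if dport not in ALLOWED_WORKSTATION_PORTS:
            return Alert("medium", src, dst, dport,
                         f"workstation used unapproved outbound port {dport}")
    return None


def check_flows(flow_csv: str) -> List[Alert]:
    """Run every record of a CSV flow export through the policy.

    The proto column is kept for realism but not consulted by these rules.
    """
    alerts = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        alert = classify_flow(row["src"], row["dst"], int(row["dport"]))
        if alert is not None:
            alerts.append(alert)
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per severity: the one-line summary an on-call page carries."""
    return dict(Counter(a.severity for a in alerts))


# Constructed sample, shaped like a flow collector's CSV export.
SAMPLE_FLOWS = """\
src,dst,dport,proto
10.10.4.21,203.0.113.80,443,tcp
10.10.4.21,10.20.0.53,53,udp
10.10.4.22,203.0.113.25,25,tcp
10.10.4.23,203.0.113.53,53,udp
10.10.4.24,203.0.113.9,8081,tcp
10.20.0.10,203.0.113.99,80,tcp
10.20.0.10,10.10.4.21,3389,tcp
"""

if __name__ == "__main__":
    found = check_flows(SAMPLE_FLOWS)
    for a in found:
        print(f"[{a.severity.upper()}] {a.src} -> {a.dst}:{a.dport}  {a.reason}")
    print("summary:", summarize(found))
```

On the sample data the check raises three high alerts (a workstation sending SMTP, a workstation resolving DNS on the Internet, a server reaching out) and one medium alert (an unapproved outbound port), while the two internal flows are ignored. The same structure, a policy function plus a summary, is what the checklist's "criteria to alert someone" item means in practice: the rules are written down, the data is actually examined, and the result reaches a person.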
How’d you do? Here’s how you stack up:
0 – 25 points. Not to be too blunt about it, but you’re a sitting duck. Not only are you likely to be compromised, but you would have very little chance of ever detecting or responding if you were. An attacker could steal all your data, and you would have no idea until you saw your company’s name in the news. You’re deaf, dumb and blind. You’re easy pickings. I could go on and on with the clichés, but you get the idea.
30 – 60 points. You have some basic protections, but you probably lack the ability to respond effectively if — I mean when — you are attacked. You are fairly safe against the “drive-by” sort of attack, but if anyone targets you in particular for what you have or who you are, you’re likely to be working a lot of nights and weekends.
65 – 90 points. You have some good defenses and a reasonable chance to respond and mitigate an attack when it occurs. There are a number of things you can improve on to make your network more secure, however, so don’t get complacent just yet.
95 – 120 points. You are the rare organization that really “gets” network security. You can successfully thwart lots of attacks, even some fairly sophisticated ones. Unless you are in the defense or finance industry or are politically controversial, you are probably doing enough to protect your data assets. You need to stay vigilant against new threats, but you’re doing the right thing.
Need more in-depth analysis? Call Sami or Ron at 240-452-1337 or firstname.lastname@example.org