Budget, time and staff limitations require companies to be selective about information security spending. How do you determine where to focus security improvement efforts? Enterprises with mature security programs may have a formal risk management process to assist with this task. Midmarket organizations, on the other hand, tend to be more tactical about their decisions.
Here are five steps that have helped many midmarket organizations assess their security state:
- IDENTIFY KEY DATA FLOWS: Understanding what data the business considers sensitive is rarely easy. Yet tackling this challenge will help you better understand the organization's business processes and priorities. It will also allow you to meet key people and hear their concerns; these folks can support your security improvement efforts later. When speaking with them, understand where data comes from, where it goes and which infrastructure components process it. Also, ask about any compliance or contractual requirements that may drive the company's need to protect data.
- UNDERSTAND USER INTERACTIONS: How do people use the data whose flows you identified in the previous step? Pay attention to the access individuals require to get work done: who only reads data, and who requires the ability to change it? This will affect the permissions that should be enforced to control access. Also, understand how people share data internally, as well as with partners and customers -- weak
- sharing practices have resulted in many breaches. At this stage, also assess what change controls are in place to prevent unauthorized modifications to the infrastructure and its data.
- EXAMINE THE NETWORK PERIMETER: As your awareness of data flow and user interactions strengthens, explore network egress and ingress paths. Which venue could offer an attacker the least resistance? What mechanisms exist to detect and block unauthorized access? Would your environment be wide open if one of the perimeter's components, say the border firewall, failed to block the attack? Examine your Internet connection, as well as any direct links to your partners and customers. Include both wired and wireless networks at this stage of the assessment.
- ASSESS THE SERVERS AND WORK STATIONS: After understanding the strengths and weaknesses of your network perimeter, look at the systems located behind it. You'll be looking for missing patches or configuration errors an attacker could exploit to compromise the host and its data. Start with the servers accessible to external parties. Then, move onto your internal servers. Don't forget to assess the state of your desktops and laptops, as attacks on client-side software, such as browsers and their add-ons, have been very successful.
- LOOK AT THE APPLICATIONS: Lastly, consider the vulnerabilities that may exist in custom applications accessible to third parties and internal users. What weaknesses could allow an attacker to compromise the application's security mechanisms to access data without authorization? Pay particular attention to Web-based applications, which have been an attractive target in the recent years. Addressing application-level problems is not easy, which is why we didn't start with this step. Yet, it's important to understand the to risks associated with vulnerable applications to gain a complete perspective on your security posture.
You don't need to complete all five steps outlined above before starting to address the weaknesses you uncover. As you identify critical risks, address them as best you can, and move on. It's easy to get stuck in one phase, trying to address all the problem areas in a perfect way. Consider whether it's OK to reach a state that's good enough for the time being, and then continue your assessment to identify other critical areas that require immediate attention.
As the old saying goes, security is a process. Once you complete all the steps of the assessment and address the appropriate risks, repeat the process. After each iteration, the risks you'll encounter will start feeling more and more manageable.
Lenny Zeltser leads a security consulting team at Savvis, specializing in security assessments and data center security projects. He is also a senior faculty member at SANS Institute, where he teaches a course on analyzing malicious software.
This was first published in April 2009