Making Sense of Security Assessments
A fresh set of eyes can help enterprises to shore up cyber vulnerabilities
- by Calvin Hennick
- Business and technology journalist | June 19, 2019
“Among the entire universe of technologies,” notes Jeff Falcon, cybersecurity practice lead at CDW, “security is the only one that has people actively working against what we’re trying to accomplish.”
Each year, threats grow in number, and attackers become more sophisticated, launching attacks via a variety of vectors that include email, social engineering, malware, denial of service and others. It can feel nearly impossible for organizations to keep up with the rapidly changing cybersecurity landscape, and it’s a particular challenge for security professionals to sniff out vulnerabilities in their own environments. That’s why many organizations bring in third parties for external security assessments that can help to pinpoint weak spots, identify areas for improvement and help ensure regulatory compliance.
“Breaches are inevitable,” Falcon says. “But being able to limit the impact of a breach is well within our control. That’s why organizations should engage in these types of activities.”
Types of Security Assessments
Not all security assessments are created equal. While some are designed to simulate a determined attack by cybercriminals, others mostly focus on ensuring regulatory compliance. Depending on their goals, organizations may want to look into these five types of security assessments:
Vulnerability assessments: These assessments evaluate current IT systems to identify any vulnerabilities that could be exploited by malicious actors.
Penetration testing: In a penetration test, cybersecurity consultants conduct “ethical hacking,” attempting to make their way into an organization’s network and access data and applications.
Compliance assessments: Especially important for organizations in highly regulated industries, compliance assessments help to ensure that IT environments meet the requirements of data safety laws and regulations such as HIPAA and the Sarbanes-Oxley Act.
Framework assessments: Similar to compliance assessments, framework assessments are designed to help organizations meet the requirements of specific data security frameworks, such as the National Institute of Standards and Technology’s Cybersecurity Framework.
Configuration reviews: Configuration reviews are meant to ensure that tools and systems — including operating systems, administrative tools and identity and access management solutions — are properly configured to enable maximum security.
Making Assessments Meaningful
Chase Cunningham, principal analyst for security and risk at Forrester, warns that assessments can be rendered virtually meaningless when security professionals “game the system” to demonstrate their competence, as opposed to seeking out a realistic evaluation of their organizations’ security posture.
“Assessments are almost comical in the way they’re approached sometimes,” Cunningham says. “An organization will turn on all the updates, do all the patches, put together a perfect subnet, and then bring the testers in. Of course, nothing ever occurs, because everything is bulletproof. But a week later, something will happen. I’ve literally been on red teams where I’ve come in the day after a compliance check and been able to get into the system in under an hour.”
The problem, Cunningham says, is that senior leadership will sometimes use the results of a security assessment punitively. Instead, he says, organizations should go into security assessments with the expectation that the testing may reveal significant gaps in their security posture, and then work to close those gaps once the results are in.
“What often happens is the executive level gets a report that a test revealed all these issues, and then they replace the person who did the test in the first place,” Cunningham says. “It seriously propagates failure. If you’re going to do an assessment, you want it to be real-world, so you know what to fix.”
Often, Cunningham says, assessments reveal issues that internal stakeholders miss, largely because the IT environment is changing too quickly for them to completely keep up. For instance, assessment teams frequently find that users have higher levels of administrative control than internal security professionals realize. “That’s a really simple thing to fix, but people ignore it all the time,” he says.
Cunningham recommends that organizations conduct penetration testing or similar exercises at least twice a year. Company boards and executives should be a part of the process, he says, and security teams should be given a 90-day window to fix any problems.
Seeing Red: Security Assessment In Action
A financial services firm engaged a “red team” from security vendor FireEye to evaluate the effectiveness of its detection, prevention and response capabilities. Among other victories, the red team successfully authenticated to the organization’s ATM management application, gaining the ability to add local administrators and even dispense money.
Multifactor authentication: While organizations are increasingly adopting MFA for remote connections, they frequently fail to apply this protection to applications accessed from within the corporate network. FireEye recommends enforcing MFA for both externally accessible portals and for sensitive internal applications.
Password policy: The red team used brute force attacks to gain access to four privileged service accounts protected by weak passwords. FireEye recommends enforcing a minimum of 20-character passwords for service accounts and using Microsoft Managed Service Accounts or enterprise password vaulting solutions when possible.
Account segmentation: The red team was able to escalate privileges quickly due to lack of segmentation. FireEye recommends separating accounts by user role, even if this results in a single employee having multiple accounts.
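The three recommendations above, together with Cunningham's observation that assessment teams routinely find users holding more administrative rights than the security team realises, are the kind of checks a defender can run between external assessments. The following script is an added example, not code from the article, CDW or FireEye: it audits a constructed account and application inventory for short non-managed service-account passwords (the 20-character floor quoted above), sensitive internal applications without MFA, user accounts that mix roles, and local-administrator rights that no assigned role justifies. The field names, role names and sample data are assumptions made up for the example.

```python
# Added example: audit a constructed inventory against the assessment
# recommendations above. All names, roles and thresholds are assumptions.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Account:
    name: str
    kind: str                                   # "user" or "service"
    roles: List[str] = field(default_factory=list)
    local_admin_on: List[str] = field(default_factory=list)  # hosts where the account is a local admin
    password_length: int = 0
    managed: bool = False                       # Managed Service Account or vaulted credential


@dataclass
class Application:
    name: str
    sensitive: bool
    internal_only: bool
    mfa_enforced: bool


MIN_SERVICE_PASSWORD = 20                       # length floor quoted in the article
ADMIN_ROLES = {"workstation-admin", "server-admin"}  # assumed roles that justify local admin rights


def audit_accounts(accounts: List[Account]) -> List[Tuple[str, str]]:
    """Return (finding, account) pairs for password, segmentation and admin-rights issues."""
    findings = []
    for acct in accounts:
        # Managed/vaulted credentials are rotated automatically, so the length rule is skipped.
        if acct.kind == "service" and not acct.managed and acct.password_length < MIN_SERVICE_PASSWORD:
            findings.append(("weak-service-password", acct.name))
        # One human, several roles on one account: the segmentation gap the red team exploited.
        if acct.kind == "user" and len(acct.roles) > 1:
            findings.append(("unsegmented-roles", acct.name))
        # Local admin rights with no role that explains them: the "simple thing to fix".
        if acct.local_admin_on and not (set(acct.roles) & ADMIN_ROLES):
            findings.append(("unexpected-local-admin", acct.name))
    return findings


def audit_applications(apps: List[Application]) -> List[Tuple[str, str]]:
    """Flag sensitive applications, internal or external, that do not enforce MFA."""
    return [("missing-mfa", app.name) for app in apps if app.sensitive and not app.mfa_enforced]


def audit(accounts: List[Account], apps: List[Application]) -> List[Tuple[str, str]]:
    return audit_accounts(accounts) + audit_applications(apps)


# Constructed sample inventory (not real data).
SAMPLE_ACCOUNTS = [
    Account("svc-backup", "service", password_length=12),
    Account("svc-sql", "service", password_length=24),
    Account("svc-monitor", "service", password_length=8, managed=True),
    Account("alice", "user", roles=["helpdesk", "domain-admin"]),
    Account("bob", "user", roles=["finance"], local_admin_on=["ws-0417"]),
    Account("carol", "user", roles=["workstation-admin"], local_admin_on=["ws-0001", "ws-0002"]),
]

SAMPLE_APPS = [
    Application("vpn-portal", sensitive=True, internal_only=False, mfa_enforced=True),
    Application("atm-management", sensitive=True, internal_only=True, mfa_enforced=False),
    Application("cafeteria-menu", sensitive=False, internal_only=True, mfa_enforced=False),
]

if __name__ == "__main__":
    for finding, name in audit(SAMPLE_ACCOUNTS, SAMPLE_APPS):
        print(f"{finding:24} {name}")
```

Run against the sample inventory, the audit flags the short backup service-account password, the helpdesk account that also holds domain-admin, the finance user who is a local administrator on a workstation, and the internal ATM management application with no MFA; the managed service account and the role-appropriate workstation admin pass. In practice the inventory would be exported from the directory and the identity provider rather than typed in.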
The Security Devil Is in the Details
Chris Kissel, research director for security products at IDC, says that the fresh eyes of an external assessment team are essential for catching potentially serious problems caused by small issues – such as updates that weren’t pushed to all devices, or misconfigurations caused by power outages. “It is difficult for any given security team to look at its network dispassionately,” Kissel says. “Nobody likes to look bad, and it is hard to admit or volunteer a mistake. The fresh set of eyes has several advantages that no internal team could match. And the external attack team is probably well-versed in the most successful attack scenarios that are happening currently.”
Falcon says an effective assessment engagement should include the development of a plan to enhance security throughout the enterprise. “That’s the value of these assessments,” he says. “They establish a baseline, and then the assessment team helps you put together a program to track your progress.”
The alternative, Falcon says, is to wait for incidents to happen and then reactively implement new security tools and processes — an approach that he likens to the arcade game Whac-A-Mole. “The head is going to pop up over here, and then it’s going to pop up over there,” he says. “You’re just going to keep playing Whac-A-Mole until you come up with a plan to mitigate risk effectively enough for that threat to go away.”