Managing risk is a constant task for any security administrator. In this video, you’ll learn about threat assessments, vulnerability scans, penetration testing, posture assessments, and more.
Threats to your network can come from anywhere. And it’s important as a system administrator or security professional that you’re able to do the proper research to identify where these threats might be. Threat assessment can interpret data that comes from many different sources.
You may want to look at profiles that are associated with a well-known hacker group. You might also run some of the same tools that attackers use, both to find out whether your own network or services have a vulnerability, and to understand how those tools would behave if they were turned against your local network.
You can then begin to make decisions based on the intelligence that you’ve gathered. If you find that there’s a particular part of your network that’s susceptible to one of these tools, you may want to invest additional dollars into making that particular part of the network more secure. Or you may find that hackers are spending more of their time sending spam, so you may want to increase the level of spam detection on your network.
Not only do end users take advantage of these threat assessments, but they’re used extensively by security researchers and security professionals. If you work in an enterprise environment, you’ve probably performed a vulnerability assessment. This is a minimally invasive process where you can identify where potential vulnerabilities might be on your network.
This is usually done through the use of a vulnerability scanner. There are both open source and commercial options available. A scanner takes a well-known database of vulnerabilities and tests your own systems against it, so it's an easy way to identify where openings might exist.
Not only do we commonly perform these vulnerability assessments from the outside so we have the perspective from the hacker, but we also perform them on the inside, so we can understand what the threat might be for someone on the inside.
These assessments can gather a large amount of information, and it's not unusual to get hundreds of results back for a single server. The goal is to collect as much information as possible and then narrow down the focus of the results after the scan is complete. These vulnerability scans can also give you insights into your security controls, so you can see if your firewall or antivirus is working properly.
These can also discover where there might be a misconfiguration. So if someone has enabled read or write access to a certain type of private data, or they’ve enabled a guest account, a vulnerability scan will identify those misconfigurations. And these vulnerability scanners are designed to find both old and new vulnerabilities that might exist in operating systems or devices.
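Here's an added example of that narrowing-down step. It is not code from the original video, and the finding format is a constructed, simplified one (real scanners export richer formats such as Nessus or OpenVAS XML). It takes the raw pile of results, drops the informational noise, sorts what's left by severity and CVSS, pulls out the misconfigurations, and shows which hosts share a given finding:

```python
"""Triage of vulnerability scan output (added example, constructed data)."""
from collections import defaultdict

# Constructed sample findings standing in for a scanner export.
SAMPLE_FINDINGS = [
    {"host": "10.0.0.5", "id": "C-001", "title": "Guest account enabled",
     "severity": "Medium", "cvss": 5.3, "category": "misconfiguration"},
    {"host": "10.0.0.5", "id": "C-002", "title": "SMB share allows anonymous write",
     "severity": "High", "cvss": 7.5, "category": "misconfiguration"},
    {"host": "10.0.0.5", "id": "C-003", "title": "ICMP timestamp response enabled",
     "severity": "Info", "cvss": 0.0, "category": "info"},
    {"host": "10.0.0.7", "id": "C-004", "title": "Outdated OpenSSH version",
     "severity": "Critical", "cvss": 9.8, "category": "outdated_software"},
    {"host": "10.0.0.7", "id": "C-003", "title": "ICMP timestamp response enabled",
     "severity": "Info", "cvss": 0.0, "category": "info"},
    {"host": "10.0.0.9", "id": "C-005", "title": "TLS 1.0 enabled",
     "severity": "Low", "cvss": 3.7, "category": "misconfiguration"},
]

# Assumed severity scale; most scanners use something close to this.
SEVERITY_ORDER = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


def triage(findings, min_severity="Low"):
    """Drop findings below min_severity; sort the rest by severity, then CVSS, then host."""
    floor = SEVERITY_ORDER[min_severity]
    kept = [f for f in findings if SEVERITY_ORDER[f["severity"]] >= floor]
    return sorted(kept, key=lambda f: (-SEVERITY_ORDER[f["severity"]], -f["cvss"], f["host"]))


def summarize_by_host(findings):
    """Count findings per host, broken down by severity."""
    summary = defaultdict(lambda: defaultdict(int))
    for f in findings:
        summary[f["host"]][f["severity"]] += 1
    return {host: dict(counts) for host, counts in summary.items()}


def misconfigurations(findings):
    """Findings caused by configuration (guest accounts, open shares, weak protocols)."""
    return [f for f in findings if f["category"] == "misconfiguration"]


def hosts_affected(findings, check_id):
    """Which hosts share one particular finding, for deciding where to spend effort."""
    return sorted({f["host"] for f in findings if f["id"] == check_id})


if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS, "Medium"):
        print(f'{f["severity"]:8} {f["cvss"]:4} {f["host"]:10} {f["title"]}')
    print(summarize_by_host(SAMPLE_FINDINGS))
    print([f["id"] for f in misconfigurations(SAMPLE_FINDINGS)])
    print(hosts_affected(SAMPLE_FINDINGS, "C-003"))
```

Filtering to Medium and above leaves three findings out of six, which is the kind of reduction you want before deciding where the extra security dollars go.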
A more aggressive form of scanning would be a penetration test, where we go to individual devices and attempt to exploit the vulnerabilities on those systems. This is different than a vulnerability scan, which is simply looking for vulnerabilities. With a penetration test, we want to see if we can really gain access to the system. Sometimes this is a compliance mandate that must be performed on a set schedule, and sometimes that mandate requires a third party to perform the penetration test.
A good overview of what you can expect from a penetration test is provided by the National Institute of Standards and Technology, or NIST. They publish Special Publication 800-115, the Technical Guide to Information Security Testing and Assessment. And I have a link that will take you right to the PDF download on the NIST website.
We also need some way to assess risk on our mobile phones and our tablet devices. These are often BYOD devices, or Bring Your Own Device. And unfortunately, these devices can sometimes be infected with malware or have applications installed on these devices that are unauthorized in the organization.
So before a device is allowed access to the network, we perform a posture assessment. That posture assessment will see if this device is a trusted device. It will identify if it’s running anti-virus and if that anti-virus has been updated. It’ll look to see if corporate applications have been properly installed on the device. And it will make sure that the proper encryption and other security technologies are enabled.
We design these posture assessments to work across many different devices and operating systems. So whether you’re using Windows, Mac, Linux, iOS, Android, or others, we can perform this posture assessment to see if this device meets the minimum requirements for security.
As you can see, there are many different requirements that are checked during this posture assessment, and it's possible that your device may not meet one of those minimum requirements. If that happens, your device is obviously not allowed access to the corporate network. It's often put into a quarantine network instead, where it has the minimum amount of access needed to resolve that particular security shortcoming.
Once the anti-virus signatures have been updated, or the proper applications have been installed, the posture assessment can be performed again. And if everything passes, the device can be added to the network.
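Here's an added example of what that decision looks like in code. It is not code from the original video; the policy values, the device record fields, and the network names ("corp-net", "vlan-quarantine") are assumptions for illustration. A real NAC or MDM product collects the device attributes for you, but the logic of checking each requirement, sending failures to quarantine, and re-checking after remediation is the same:

```python
"""Posture assessment before network admission (added example, assumed policy)."""
from datetime import date

# Assumed corporate policy: the minimum a device must meet to join the network.
POLICY = {
    "supported_os": {"Windows", "macOS", "Linux", "iOS", "Android"},
    "max_signature_age_days": 7,
    "required_apps": {"corp-vpn", "corp-mdm-agent"},
}
CORP_NETWORK = "corp-net"            # assumed name
QUARANTINE_NETWORK = "vlan-quarantine"  # assumed name

# Fixed "today" so the example is reproducible.
TODAY = date(2024, 6, 10)

# Constructed device records, as a NAC agent might report them.
HEALTHY_LAPTOP = {
    "os": "Windows", "mdm_enrolled": True, "av_signature_date": date(2024, 6, 9),
    "installed_apps": ["corp-vpn", "corp-mdm-agent", "browser"], "disk_encrypted": True,
}
STALE_PHONE = {
    "os": "Android", "mdm_enrolled": True, "av_signature_date": date(2024, 5, 1),
    "installed_apps": ["corp-vpn"], "disk_encrypted": True,
}


def assess_posture(device, policy=POLICY, today=TODAY):
    """Check every requirement; return ("allow" | "quarantine", list of failures)."""
    failures = []
    os_name = device.get("os")
    if os_name not in policy["supported_os"]:
        failures.append(f"unsupported operating system: {os_name}")
    # "Trusted device" here means enrolled in corporate MDM (an assumption).
    if not device.get("mdm_enrolled"):
        failures.append("device is not enrolled in corporate MDM")
    sig_date = device.get("av_signature_date")
    if sig_date is None:
        failures.append("antivirus not installed")
    else:
        age = (today - sig_date).days
        if age > policy["max_signature_age_days"]:
            failures.append(f"antivirus signatures are {age} days old "
                            f"(limit {policy['max_signature_age_days']})")
    missing = policy["required_apps"] - set(device.get("installed_apps", ()))
    if missing:
        failures.append("missing corporate applications: " + ", ".join(sorted(missing)))
    if not device.get("disk_encrypted"):
        failures.append("storage encryption is not enabled")
    return ("allow" if not failures else "quarantine"), failures


def assign_network(device, policy=POLICY, today=TODAY):
    """Map the posture decision to a network: full access or the remediation VLAN."""
    decision, failures = assess_posture(device, policy, today)
    return (CORP_NETWORK if decision == "allow" else QUARANTINE_NETWORK), failures


def remediate(device, today=TODAY, apps=()):
    """Simulate remediation from quarantine: fresh signatures plus any installed apps."""
    fixed = dict(device)
    fixed["av_signature_date"] = today
    fixed["installed_apps"] = sorted(set(device.get("installed_apps", ())) | set(apps))
    return fixed


if __name__ == "__main__":
    for name, dev in [("laptop", HEALTHY_LAPTOP), ("phone", STALE_PHONE)]:
        net, why = assign_network(dev)
        print(name, "->", net, why)
    fixed = remediate(STALE_PHONE, apps=["corp-mdm-agent"])
    print("phone after remediation ->", assign_network(fixed)[0])
```

The phone lands in the quarantine network for two reasons (40-day-old signatures and a missing agent); after both are fixed the same check passes and it moves to the corporate network.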
Another useful assessment to complete is a risk assessment. It’s useful to know exactly what devices and what type of data could be affected by an attack in your organization. So you want to associate risks with the types of assets that you own and then understand how those risks would be affected by an attack. This would usually list out the hardware, customer data, and any other intellectual property that could be affected by an attack.
We would also need to identify what devices would be susceptible to an attack and what the results of an attack might be. We would then define what type of data would be lost, what services would be disrupted, and anything else that would be affected by that attack.
Not every device has the same risk level associated with it, so we could even define a high, medium, or low risk for each of those assets. And then we can create a process to be able to help protect those devices better. This would allow us to determine where we would invest additional dollars into security devices and software and where we would implement them to have the best effect on security.
Almost every organization has some type of relationship with a third party vendor. This may be someone that provides payroll services. Maybe they provide email marketing. Or they provide the raw materials you use to create your products. There's usually some type of data that's shared between you and your third party vendors. This is especially true when you look at cloud-based services, where much of your data is going to be stored on that cloud-based system.
These types of data sharing relationships almost always require some type of risk assessment, so you can understand how risky it is to share the information with this vendor and what the results might be if an attack occurs. It’s becoming more common to include the security requirements in the contracts you might have with a third party. This way everyone understands what the expectation would be for security. And you can enforce those expectations through the information in the contract.
Gathering all of this information about risk and vulnerabilities requires some type of large central database. One way to collect this data is through the use of a SIEM. This is a Security Information and Event Management system, where you can centralize logs from all of your systems to one central consolidation point.
This allows you to define security events for real time analysis, so you can receive alarms and alerts. This is also a centralized consolidation point. So if you need to go back in time to see what happened in the past, you have all of the log files associated with that time frame.
You're also commonly collecting these log files from many different kinds of devices. You can gather log files from switches, routers, servers, and other devices. And then you can correlate that data together, even though it was originally gathered from diverse components. If you do have a security event on your network and you need some way to analyze what happened during that time frame, the SIEM is a perfect consolidation point that can provide you with all of that log information.
The SIEM can gather these details from many different places. It can come directly from different operating systems. Maybe you have switches, and routers, and other infrastructure devices with log files. Or you might have third party sensors, like NetFlow sensors that can add additional details into the SIEM.
As you can imagine, these SIEMs can hold a large amount of information. And even one simple query might result in thousands of events being shown on the screen. So it’s useful to be able to filter some of these out. You can even set certain events to already have a particular severity.
For example, some things might be logged automatically as informational, warning, or urgent, which means you can quickly filter on exactly what you’re looking for. This is an example of a query that was made on a SIEM. This query did a simple search for everything that had the word “fail” and the word “password.”
And you can see a number of log entries have occurred with exactly those words contained within the log entry. We can also get a summary of how many of these events have occurred over time. And you can see instances during the day when there were a larger number of events than other times.
These SIEMs can provide you with a view into the data that you simply can’t see by reading through log files. For example, we can see those trends, so that you can see how these statistics have changed over time. And you may be able to understand and predict when certain things might occur.
We can also receive real-time alerts from the SIEM, so we can look for particular events. And if that event occurs, you can be notified immediately. We can also correlate some of this data together to understand if all of this data was coming from one single source or if, perhaps, there were other devices that were included with this particular attack.
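Here's an added example that does, on a handful of log lines, what the SIEM query above did on screen: it searches for events containing both "fail" and "password", counts them per hour, correlates them by source address to see whether one source was hitting several devices, and raises an alert when a source crosses a threshold. This is not code from the original video; the syslog-style lines are constructed, and the search is a plain substring AND, not any particular SIEM's query language:

```python
"""SIEM-style search, trend summary, correlation and alerting (added example)."""
import re
from collections import Counter, defaultdict

# Constructed syslog-like lines from an SSH server, a database host and a switch.
SAMPLE_LOGS = """\
2024-06-10T08:02:11 srv-web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-06-10T08:02:15 srv-web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51030 ssh2
2024-06-10T08:03:01 srv-web01 sshd[1203]: Accepted password for deploy from 198.51.100.20 port 40100 ssh2
2024-06-10T09:14:44 srv-db01 sshd[2210]: Failed password for root from 203.0.113.7 port 51100 ssh2
2024-06-10T09:15:02 srv-db01 sshd[2211]: Failed password for root from 203.0.113.7 port 51101 ssh2
2024-06-10T09:15:09 srv-db01 sshd[2212]: Failed password for root from 203.0.113.7 port 51102 ssh2
2024-06-10T09:20:30 core-sw01 %AUTH-6-LOGIN: user netops logged in from 10.0.0.50
2024-06-10T13:40:10 srv-web02 sshd[3300]: Failed password for oracle from 192.0.2.9 port 60000 ssh2
"""

# Assumed line layout: ISO timestamp, host name, free-text message.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")
SRC_RE = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")


def parse(text):
    """Normalize raw lines into events with ts, host, msg and (if present) src IP."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        s = SRC_RE.search(ev["msg"])
        ev["src"] = s.group("ip") if s else None
        events.append(ev)
    return events


def search(events, *terms):
    """Case-insensitive AND search: every term must appear in the message text."""
    wanted = [t.lower() for t in terms]
    return [e for e in events if all(t in e["msg"].lower() for t in wanted)]


def count_by_hour(events):
    """Trend view: how many matching events fell into each hour of the day."""
    return Counter(e["ts"][:13] for e in events)  # "YYYY-MM-DDTHH"


def correlate_by_source(events):
    """Source IP -> sorted list of hosts it touched, across all log sources."""
    targets = defaultdict(set)
    for e in events:
        if e["src"]:
            targets[e["src"]].add(e["host"])
    return {ip: sorted(hosts) for ip, hosts in targets.items()}


def alerts(events, threshold=3):
    """Sources with at least `threshold` matching events, most active first."""
    counts = Counter(e["src"] for e in events if e["src"])
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    hits = search(parse(SAMPLE_LOGS), "fail", "password")
    print(len(hits), "matching events")
    print(dict(count_by_hour(hits)))
    print(correlate_by_source(hits))
    print(alerts(hits))
```

Six of the eight lines match; the hourly counts show the 09:00 spike, the correlation shows that 203.0.113.7 failed against both srv-web01 and srv-db01, and the alert fires for that one source. The "Accepted password" line contains "password" but not "fail", so it's correctly left out.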