INFORMATION SECURITY: Information Security is a process of protecting data which includes policies, hardware, security aware culture, audit, oversight, hacking, patching, reporting, and is constantly changing. There are many definitions of information security but IS is fundamentally protecting data and the assets which the data traverses, is stored on, manipulated with, written or printe and spoken.
It is difficult to provide a single definition as single statements would be inadequate. The best way of looking at IS, is to embrace that it is a process that is always changing and progressing but with good policy, practice and diligence success can be achieved.
There are three basic principles of Information Security; Confidentiality, Integrity and Availability. All IS processes will address one of the foundations of IS.
Confidentiality – Spoken, written or given in confidence, secret, private
Integrity – The state of being whole, entire, unchanged, undiminished
Availability – obtainable or available, capable of being used
Although the foundations of information security reside in these three simple terms, achieving compliance with the CIA triad is a more daunting task.
How does penetration testing and vulnerability assessment assist in achieving compliance with the triad? The assessment will determine, internally and externally, the health of all portions of the information security program, patch management, firewall performance, network performance, router and peripheral configuration compliance. See below a few examples of how the benefits of our testing affect your business:
- Server configuration: All vendor available patches should be applied and kept current. Denial of Service attacks against a server resource that is left vulnerable will keep users from accessing needed resources and violates the Availability directive. Poorly managed and updated antivirus software would easily allow possible virus activity on server resources which could cause damage to data files, which would impact the integrity of data and violates the Integrity directive. Ineffective policy management and server hardening could allow unauthorized users access to confidential data, which violates the final direct, Confidentiality.
- Workstations: hardware replacement could potentially create problems with poorly executed data destruction policies. If you are a required to keep data confidential at all times, please consider the problem of donating hardware, workstations, printers, copiers and any device that handles confidential data. Of course all devices are susceptible to the problems illustrated in the first bullet point SERVERS.
- Perimeter security: Do you have a firewall at the perimeter of your internet presence? Is it monitored at all times? Is the configuration customized to risk and tested or is the factor configuration still loaded with admin codes and passwords set to factory standards? Internet presence, and it does not have to be a public server, can be the biggest risk for your network. All risks should be addressed and only services necessary allowed.
- Good testing and documentation will assist with the enterprise risk assessment.
VULNERABILITY ASSESSMENT All network devices are tested with similar or the same tools as would be utilized by hackers but performed ethically. Instead of using the results to obtain data or achieve other less than admirable goals, the assessment will provide a detailed picture of all settings, patch management the information security program implementation at the network level.
EXTERNAL PENETRATION TESTING: External penetration testing test all devices, servers, services and web code that is accessible from the internet. The methodology utilizes common hacker tools that are used against your perimeter constantly which gives a good picture of your external presence.
Things that can require testing beyond the scope of the annual testing that is required would be changes to devices, new services or additional devices. Issues that could result in openings would be failure to patch operating systems, installation or failure to install updates to firewall and router firmware updates or operating system updates. External penetration testing is one of the most basic of tests but results in pertinent security information.
POLICY: It is important to require strict policy adherence and it is also important to use comprehensive policies to direct all users in usage of network resources. The policy will not only be a roadmap to acceptable usage, it also provides the legal benefit of prosecution for failure to follow accepted policies. The properly written and executed policy is the foundation of an information security program.
SOCIAL ENGINEERING: One of the greatest risks throughout the enterprise is not electronic but human. The human element is the hardest to predict, control, impose rules and understand. Also the human element will change and evolve which will make predicting close to impossible. Outside influences cause people to make poor decisions which greatly affect the security of company assets.
Social Engineering is the testing process that is unique in the fact that no real electronic testing can be performed and results compiled for changes. Social engineering testing requires that multiple methods, such as email spoofing, phishing, pharming and trickery are employed to verify that employees are following policy.
The most effective strategy for social engineering is proper training for staff and enforcement of policies.
WIRELESS: A connection method which utilizes transmission of data via transmitters and receivers. Wireless technology allows for a more flexible network installation but is harder to control since the packets of data are broadcast in an area for anyone to receive. Wireless can be secured by controlling the strength of transmission which limits geographical size, encrypting all transmission and device filtering. Good wireless management, encryption and controls can produce a secure wireless environment.
GOVERNMENTAL GUIDELINES AND LEGAL REQUIREMENTS: The most common requirements are based on Graham-Leach Bliley (GLBA), Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA). These laws which were passed and enacted by Congress have specific rules about the requirements of an information security program.
Information Security is a combination of many measures to protect data, physical and electronic. Discussed here are the pertinent ideas that affect the need for testing. Further reading on the subject is suggested for all information security professionals and management as the scope of this document can only scratch the surface of requirements and liability.