Thinking Beyond Security Assessments

By balaji

August 16, 2010

Security assessments have been performed for my entire infrastructure and applications; what else is there to do? Most of the time, customers feel completely safe after a security assessment of their infrastructure. That confidence is misplaced: frequent changes to the organization's infrastructure, a steady stream of patch releases from software and hardware vendors, new (untrained) employees, and newly discovered threats can each lead to a security breach. Security is not a product but a process.


An organization should repeat the security assessment process at regular intervals, mitigate discovered vulnerabilities through corrective measures, and take preventive measures based on the findings. Whenever the organization decides to develop or procure a new application, it should follow secure coding practices. It should also perform source code reviews of applications already in use; these can reveal backdoors, injection flaws, cross-site scripting (XSS), and hard-coded authentication credentials. Security can be improved and maintained by implementing security monitoring, patch management, and configuration management, and by providing security awareness training for all employees.

Security monitoring

Network security monitoring helps the organization detect and respond to hacking attempts. Log monitoring provides an audit trail that can be used to reconstruct what an attacker did and to trace the source of the activity (a network address or terminal, which is not the same as a proven identity). Audit logs should typically include:

  1. Dates, times and details of key events, e.g. log-on and log-off
  2. Terminal identity or location if possible
  3. Records of successful and rejected system access attempts
  4. Records of successful and rejected data, and other resource access attempts
  5. Changes to system configuration
  6. Use of privileges
  7. Use of system utilities and applications
  8. Files accessed and the type of access
  9. Network addresses and protocols 
  10. Alarms raised by the access control system
  11. Activation and deactivation of protection systems, e.g. anti-virus systems
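The records listed above are only useful if something actually reads them. The following is an added example, not code from the original post: it parses a handful of constructed audit-log lines (log-on success and failure, log-off, use of privileges, a configuration change) in a hypothetical syslog-like layout and correlates them into alerts. The log format, the field names (`user`, `src`, `cmd`, `item`) and the threshold of five rejected log-ons within five minutes are all assumptions for illustration; adapt the regular expression and the tuning values to your own log source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-log lines (not a real log source). The format is a
# hypothetical syslog-like layout: "<timestamp> <host> <EVENT> <status> k=v ...".
# It covers several of the record types listed above: successful and rejected
# log-ons, log-off, use of privileges, and a configuration change.
SAMPLE_LOG = """\
2010-08-16 09:01:02 host1 LOGIN FAIL user=admin src=10.0.0.5
2010-08-16 09:01:05 host1 LOGIN FAIL user=admin src=10.0.0.5
2010-08-16 09:01:09 host1 LOGIN FAIL user=admin src=10.0.0.5
2010-08-16 09:01:12 host1 LOGIN FAIL user=root src=10.0.0.5
2010-08-16 09:01:15 host1 LOGIN FAIL user=admin src=10.0.0.5
2010-08-16 09:01:20 host1 LOGIN OK user=admin src=10.0.0.5
2010-08-16 09:01:31 host1 PRIV sudo user=admin cmd=/bin/bash
2010-08-16 09:05:00 host2 LOGIN OK user=alice src=10.0.0.7
2010-08-16 09:06:00 host2 CONFIG change user=alice item=/etc/ssh/sshd_config
2010-08-16 09:07:00 host2 LOGOUT OK user=alice src=10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<event>[A-Z]+) (?P<status>\S+)(?P<rest>(?: \w+=\S+)*)$"
)


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(re.findall(r"(\w+)=(\S+)", m["rest"]))
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "host": m["host"],
            "event": m["event"],
            "status": m["status"],
            **fields,
        })
    return events


def correlate(events, threshold=5, window=timedelta(minutes=5)):
    """Walk the events in time order and return a list of alert strings.

    Three things are flagged (threshold and window are assumed tuning values):
      - brute-force: >= threshold rejected log-ons from one source to one host
        within the sliding window;
      - success-after-failures: an accepted log-on from a source already
        flagged as brute-forcing that host;
      - privilege-use: use of privileges in a session opened by such a log-on.
    """
    alerts = []
    failures = defaultdict(list)   # (src, host) -> recent failure timestamps
    flagged = set()                # (src, host) pairs already reported
    tainted = set()                # (host, user) sessions opened after brute force
    for e in sorted(events, key=lambda ev: ev["ts"]):
        src_host = (e.get("src"), e["host"])
        session = (e["host"], e.get("user"))
        if e["event"] == "LOGIN" and e["status"] == "FAIL":
            recent = failures[src_host]
            recent.append(e["ts"])
            while recent and e["ts"] - recent[0] > window:
                recent.pop(0)      # forget failures outside the window
            if len(recent) >= threshold and src_host not in flagged:
                flagged.add(src_host)
                alerts.append(f"brute-force: {len(recent)} rejected log-ons "
                              f"from {src_host[0]} to {src_host[1]}")
        elif e["event"] == "LOGIN" and e["status"] == "OK":
            if src_host in flagged:
                tainted.add(session)
                alerts.append(f"success-after-failures: {session[1]}@{session[0]} "
                              f"from {src_host[0]}")
        elif e["event"] == "PRIV":
            if session in tainted:
                alerts.append(f"privilege-use: {session[1]}@{session[0]} "
                              f"ran {e.get('cmd')} after a suspicious log-on")
        elif e["event"] == "LOGOUT":
            tainted.discard(session)
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run as-is, the sample produces three alerts for host1 (the brute force itself, the accepted log-on that followed it, and the sudo use in that session) and nothing for the normal activity on host2. The point of chaining the three checks is that the rejected log-ons, the accepted log-on and the privilege use each look unremarkable alone; the audit trail only tells the story when the records are correlated by source, host and user.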

Security awareness and training

End-user security awareness is a significant part of a comprehensive security posture. Social engineering attacks succeed because users are not aware of how they are targeted. Training programs typically cover:

  1. Desktop security
  2. Internet usage
  3. Email security
  4. Social engineering
  5. Dumpster diving
  6. Incident reporting
  7. Physical security
  8. Document security
  9. Company policies and procedures
  10. Disciplinary process for noncompliance to policies

Configuration management and Patch management

Configuration management is the process of identifying, updating, verifying, and tracking the status of the organization's infrastructure configurations; it establishes and maintains consistency between a system's actual state and its performance, functional, and security goals. The goal of patch management is to keep every component of the IT infrastructure up to date with the latest patches and updates. Patch notifications from application, server, network device, and database vendors need to be reviewed, prioritized, and applied appropriately, with testing before production deployment where possible. If notifications are not sent automatically, suppliers' websites need to be checked regularly for new releases of patches and updates.
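Both processes need a recorded baseline to compare against, otherwise "verifying" and "keeping up to date" are guesswork. The following is an added example, not code from the original post: a baseline holds the expected value of each tracked setting and the minimum acceptable version of each tracked package, and a check compares an observed snapshot of a host against it. The setting names, package names, version strings and the snapshot contents are all constructed for illustration; the version comparison is a deliberately simplified one, not a vendor's own ordering rules.

```python
import re

# Constructed baseline (assumption: the tracked settings, package names and
# minimum versions are illustrative, not a recommendation for any product).
BASELINE = {
    "settings": {
        "sshd:PermitRootLogin": "no",
        "sshd:PasswordAuthentication": "no",
        "sshd:Protocol": "2",
        "antivirus:realtime": "on",
    },
    "min_versions": {
        "openssh-server": "5.3p1",
        "openssl": "0.9.8o",
        "apache2": "2.2.16",
    },
}

# Constructed snapshot of one host, as a configuration scan might report it.
OBSERVED = {
    "settings": {
        "sshd:PermitRootLogin": "yes",        # drifted from baseline
        "sshd:PasswordAuthentication": "no",
        "sshd:Protocol": "2",
        # "antivirus:realtime" is absent: protection deactivated or unreported
    },
    "packages": {
        "openssh-server": "5.3p1",
        "openssl": "0.9.8k",                  # below the minimum patched version
        "apache2": "2.2.16",
        "mysql-server": "5.1.41",             # installed but not tracked at all
    },
}


def parse_version(version):
    """Turn '0.9.8k' or '2.6.32-5' into a tuple that compares component-wise.

    Simplified rule: split on '.', '-' and '+'; numeric parts compare as
    integers and sort before non-numeric parts, which compare as strings.
    """
    parts = re.split(r"[.\-+]", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def check_drift(baseline, observed):
    """Compare an observed snapshot to the baseline.

    Returns (kind, item, expected, actual) tuples for every deviation:
    'drift' and 'missing-setting' for configuration management,
    'outdated' and 'missing-package' for patch management, and
    'untracked-package' for software the baseline does not know about.
    """
    findings = []
    for key, expected in baseline["settings"].items():
        actual = observed["settings"].get(key)
        if actual is None:
            findings.append(("missing-setting", key, expected, None))
        elif actual != expected:
            findings.append(("drift", key, expected, actual))
    for pkg, minimum in baseline["min_versions"].items():
        installed = observed["packages"].get(pkg)
        if installed is None:
            findings.append(("missing-package", pkg, minimum, None))
        elif parse_version(installed) < parse_version(minimum):
            findings.append(("outdated", pkg, minimum, installed))
    for pkg, installed in observed["packages"].items():
        if pkg not in baseline["min_versions"]:
            findings.append(("untracked-package", pkg, None, installed))
    return findings


if __name__ == "__main__":
    for kind, item, expected, actual in check_drift(BASELINE, OBSERVED):
        print(f"{kind:18} {item:30} expected={expected!r} actual={actual!r}")
```

Untracked packages are reported on purpose: software that nobody recorded in the baseline is software nobody is watching for patches, which is exactly the gap the process above is meant to close. Real package managers have their own version-ordering rules (Debian and RPM differ, for instance), so in production the comparison should defer to the platform's tooling rather than this simplified splitter.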


Tags: Best Practices
