Assessments, the “sine qua non” of Security

by Monty St John

Who’s gone to the doctor? Okay, raise your hands… wait — put them down, I can’t see them anyway. Why did you go to the doctor? Was it an annual checkup or did an event happen in life that prompted a check of your health?

More likely than not an event happened and it prompted a check of your health. Don’t feel bad, that’s the norm. In that health check, your doctor likely took blood and other readings about your body, inquired generally about your state of mind, and took other actions to assess your general state of health. From that data, they formed a hypothesis that was either reinforced and proven or disproven as they collected more data and analyzed it. At the end, they hopefully met your need, provided a report and specific guidance about your health, and likely exhorted you to return at least annually to make sure all was in order or the ailment had cleared up.

Sound familiar?

In security, assessments are the same as a doctor’s check-up. They usually happen the same way — something traumatic happens, which prompts a security assessment. Like the doctor’s visit, security gets a health check, including suggestions and encouragement to repeat the process.

Just like you need a minimum yearly check for your body, so does security. It is basic hygiene to stay healthy. Or, in this case, to be secure.

“Those who cannot learn from history are doomed to repeat it.” It’s probable that you have heard this statement in one variation or another before. An assessment is the learning endeavor. You examine your history — what you did and the outcomes — to understand what to do next.

Not all assessments are alike. Just as with health checks, security assessments come in different flavors and serve different objectives. To simplify, and to cut down on battles over the semantics of what each type of assessment should be called, we are going to generalize them into internal, external and intelligence assessments.

Internal assessments evaluate security on the inside. They look for host and network issues, such as misconfigurations, vulnerabilities in architecture, entrenched adversaries, gaps in security coverage, and other areas of internal risk. You can expect activities like checks for malware on host machines, evaluation of coverage from security devices, vulnerability scanning and other actions within internal assessments.

External assessments focus on what can be learned about your organization from the outside. The goal is less about breaking in and more about what can be known by examining public-facing infrastructure. External assessments also look for misconfigurations and vulnerabilities, gaps in coverage and other areas of risk, but through the eyes of an adversary who has no internal foothold. You can expect external scans of public infrastructure, web crawls, research into your company and the people in decision-making positions (executives), analysis of susceptibility to phishing and malicious attack, and more.

An intelligence assessment is a special hybrid of external and internal assessment. It performs some functions of both and adds many more structured analytical techniques to determine exposure, risk and susceptibility to external or internal attack. You can expect an analysis of the volume and value of the data you expose, an evaluation of how easily your company and its employees can be fingerprinted, the types and examples of threats already present against your company, a report of compromised or “loose” credentials being used, sold or traded, and tons more.

Determining which of them, or whether all of them, are necessary is driven by need. Here are some thoughts to help with that determination.

Event: Security breach or attack — thwarted or successful
Assessment: Some variation of all three types. You need to know where the enemy exists, how they achieved that foothold and, as much as possible, everything they did.

Event: Added or sold off a line of business
Assessment: External assessment at a minimum. Consider an intelligence assessment to understand the new risk and exposure levels.

Event: Annual maintenance
Assessment: Either an internal or an external assessment this year and the other the next year. Intelligence assessment every year.

Event: Added or merged businesses
Assessment: Some variation of all three types. Perform the intelligence assessment first to guide the decision on whether an internal or an external assessment should come first.

Event: Major change in infrastructure
Assessment: External assessment at a minimum. Consider an internal assessment afterward to understand new gaps, misconfigurations and other items that may have been introduced.

Event: Business partner attacked
Assessment: Perform an intelligence assessment to guide the decision on whether an internal or an external assessment should come next. If the partner has network or physical access, perform a variation of all three.

Event: Churn in shared market vertical
Assessment: If many others in your line of business are being attacked, perform an intelligence assessment at minimum, and all three if possible.

The full list could go on for some time. It’s worth touching on the variations of these types of assessments. Again, I’ll skip the name game and focus on the actions contained in the assessments.

Consider it no different than the doctor evaluating you for an illness after you’ve had a traumatic event. They may send you to the lab (internal assessment) to check vitamin levels or cholesterol, or to run a full panel. Equally, a security assessment might focus on a host-based malware check, network traffic analysis, misconfigurations and more.

A physical examination (external assessment) would check the presented state of your health and your responses to physical interactions. It is the same on the security side. Digging into your past history of illness and health (intelligence assessment) provides the equivalent information.

Security, like health, is a journey. Your environment impacts your health, just as specific events do. Annual checks are a must to make sure you are on track, which is why CyberDefenses, Inc. provides assessments and would be happy to help. If not us, then someone else you trust. The need is too dire, too necessary to ignore.

About the author

Monty St John

Monty is a security professional with more than two decades of experience in threat intelligence, digital forensics, malware analytics, quality services, software engineering, development, IT/informatics, project management and training. He is an ISO 17025 laboratory auditor and assessor, reviewing and auditing 40+ laboratories. Monty is also a game designer and publisher who has authored more than 24 products and 35 editorial works.