A Comprehensive Guide to a Security Risk Analysis

As businesses shift more of their core operations to the network, security is an increasingly important concern for small and midsize companies.  In the past, security attacks were a time-consuming nuisance, but the stakes are now much higher.  As one article notes, a breach in security on a wired or wireless network can today wreak havoc on a company's most important operations, hampering productivity, compromising data integrity, reducing customer confidence, disrupting revenue flow and bringing communications to a halt (www.gocsi.com/press/20020407.html).

Not so long ago, business networks were self-contained, and securing them was a relatively straightforward task.  The network perimeter was easy to define, and simple security devices could provide adequate protection for the security holes that existed.

However, as the Internet has matured and wireless networking has become commonplace, business networks have changed in ways that present significant new security challenges (http://www.nwfusion.com/newsletters/wireless/2002/01284865.html).  As businesses open their infrastructures to support Internet connectivity, teleworking, wireless mobility, and business-to-business applications, the traditional network perimeter has all but disappeared.  Companies have outgrown security devices designed for legacy networks, and are now much more vulnerable to attacks by hackers and other malicious agents.  A standalone security device or software package is no longer adequate to protect open networks; an in-depth security solution is needed (http://www.nwfusion.com/supp/security2002/models.html).

To complicate matters, many security systems in place today are not network-aware or designed to work in cooperation with network services.  This situation leaves businesses even more vulnerable to the increasingly sophisticated attacks being launched today (http://www.nwfusion.com/news/2002/1025hackage.html).

What this means is that security should be addressed as a process that is applied regularly, because new threats are constantly appearing.  Relying on a single product will not be effective for long.  As new threats emerge and the structure of the business network changes, organizations need to evolve their security solution regularly and dynamically as well.

One of the most important steps in assessing network security happens well before any hardware or software is put in place.  As mentioned, security is a continually evolving process; however, before a security policy can be implemented, the network's vulnerabilities must be identified.  This identification process is better known as a Security Risk Assessment (http://www.nwfusion.com/reviews/2002/0204bgside.html).

The purpose of a security risk assessment is to identify vulnerabilities in an enterprise's networked information assets.  Information gained from an assessment establishes a baseline for security-related metrics, which is useful for measuring subsequent improvement in security posture (http://www.nwfusion.com/reviews/2002/0204bg.html).

The illustration referenced below describes the security risk assessment process.  It describes the procedures a security consultant follows during the assessment, and it can also serve as a model for recurring security risk assessments at any company.

(http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_maintenance_guide_chapter09186a008007d254.html#xtocid62413)

A security risk assessment measures the ability to manage unauthorized network activity of all types.  Security consultants performing this process evaluate the vulnerability of a company's external network to long-term, malicious exploitation, known as secondary exploitation.  The goals of the assessment are described below.

A security risk assessment is a comprehensive analysis that results in a thorough list of security vulnerabilities and potential means of gaining unauthorized access across the entire network.  There are traditionally two phases of the risk assessment.  The first phase probes the network externally, from the perspective of an Internet or dial-in hacker, while the second phase probes from an internal position on the network, much like a disgruntled employee might.

With the information gained from phases one and two, security consultants validate and confirm the presence of detected vulnerabilities, performing extensive, nondestructive network penetrations to more effectively determine the potential level of unauthorized network access. 

The security risk assessment offers a wide set of deliverables to help companies achieve network security.  Key deliverables include:

·        Network mapping and target analysis to determine network topology, correlate the network’s Internet presence with information collected from public and corporate records, and provide insight into the probability of a successful attack.

·        Host and service discovery to determine how many hosts are on the network and which network services each host is currently running.

·        Vulnerability analysis to determine all potential vulnerabilities that exist for each network service running on each identified host.

·        Vulnerability measurement and data collection using specialized security assessment tools to identify methods of entry into a corporate network through exploitation of network vulnerabilities.

·        Data analysis and security design review to identify critical deficiencies by comparing test results with current operational requirements.

·        Recommendations and reporting for each system to identify optimum safeguards and specific recommendations.

Security engineers present the above data in a detailed report and briefing, which is kept strictly confidential.  The report addresses security vulnerabilities, recommends specific security improvements, and gives corporate executives and network engineers metrics to characterize the security status of their network.  This data may be used to establish a security baseline or measure incremental improvement and trends from previous assessments.

In order to maintain a secure state in a dynamic network environment, security experts recommend that a security assessment be conducted regularly as a critical component of an ongoing availability improvement program.  In addition, customers have found security assessments helpful before and after major network changes, such as network mergers resulting from acquisitions or the implementation of an e-commerce enabling service.  Periodic reviews help to mitigate the security risks that such network changes invariably introduce.  Once a company's network vulnerabilities have been pinpointed, recommendations are documented and presented in a detailed report.

The Actual Assessment Process

The assessment process is divided into four phases: network discovery, target systems and vulnerability identification, data analysis and security design review, and summary and recommendations.  The process is illustrated in the flowchart below:

[Flowchart: network discovery, target systems and vulnerability identification, data analysis and security design review, summary and recommendations]

Network Discovery

The purpose of the network discovery phase is to identify systems that are active and on the network.  The information collected during network mapping aids in assembling a comprehensive network map, a picture of the configurations of, and relationships among, corporate information system assets.  A network map is composed of the registered map, the map of record, and the electronic map.

Registered Map

The registered map is based on the information available to the public through official registration or through information displayed within the Network Information Center, corporate web pages, or other public network information resources.

Map of Record

The map of record is based on the information held by the system owners.

Electronic Map

The electronic map is based on the information available directly from corporate information systems.  It identifies hardware and software, connectivity, configuration, and potential vulnerability profiles.  The electronic map can have several views, such as the corporate electronic perimeter view or the complete internal network view.

The goal of network mapping is to coordinate the information available in the three maps, and to tailor each map to its purpose.  Most organizations publish more information in the registered map than is necessary.  In addition, they do not realize how visible their electronic map is.  Managing the electronic map carefully can often reduce exposure and risk dramatically.  It is also important to have an accurate map of record.  This map is often incorrect and misleading, and a source of overconfidence regarding the information infrastructure's level of exposure and risk.

Ideally, all maps should be accurate, but the map of record should be comprehensive and the electronic and registered maps should be minimized to reduce corporate exposure.  The management of all three should be the responsibility of a single security management team.

The security consultants collect information from three sources to assemble the network map details.  The registered map information comes from the Network Information Center (NIC) and Domain Name Service (DNS).  Company personnel provide the map of record information during the preaudit survey.  Finally, the security experts assemble the electronic map from information collected online, directly from the systems themselves, during the internal and external assessments.
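The reconciliation the text calls for, coordinating the three maps so that the map of record is comprehensive while the registered and electronic maps are minimized, can be expressed as a simple set comparison. The script below is an added example, not part of the original article; the three maps are constructed sample data for a hypothetical company (addresses in the 203.0.113.0/24 documentation range), and the function names are this example's own. It takes already-collected data as input; it does not query DNS or scan anything.

```python
"""Reconcile the registered map, the map of record and the electronic map.

Added example with constructed sample data.  Each finding corresponds to a
risk the article describes: hosts visible on the network that the owners
never recorded, stale records that breed overconfidence, services exposed
beyond what is documented, and public registrations that need not exist.
"""
from dataclasses import dataclass, field

# Registered map (constructed): names anyone can resolve through public DNS/NIC data.
REGISTERED_MAP = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.20",
    "vpn.example.com": "203.0.113.30",
    "dev-db.example.com": "203.0.113.40",   # internal system published in public DNS
}

# Map of record (constructed): what the system owners believe is deployed.
MAP_OF_RECORD = {
    "203.0.113.10": {"name": "www", "owner": "web-team", "services": {80, 443}},
    "203.0.113.20": {"name": "mail", "owner": "it-ops", "services": {25, 587}},
    "203.0.113.30": {"name": "vpn", "owner": "it-ops", "services": {443}},
    "203.0.113.50": {"name": "old-ftp", "owner": "it-ops", "services": {21}},  # decommissioned, never removed
}

# Electronic map (constructed): hosts and open ports actually observed during the assessment.
ELECTRONIC_MAP = {
    "203.0.113.10": {80, 443},
    "203.0.113.20": {25, 587, 110},   # POP3 reachable but not on record
    "203.0.113.30": {443},
    "203.0.113.40": {5432},           # database reachable, unknown to the owners
}


@dataclass
class Findings:
    undocumented_hosts: list = field(default_factory=list)     # live but absent from the map of record
    stale_records: list = field(default_factory=list)          # on record but not observed
    undocumented_services: dict = field(default_factory=dict)  # host -> ports beyond the record
    excess_registration: list = field(default_factory=list)    # public names for hosts not on record


def reconcile(registered, record, electronic):
    """Compare the three maps and return the discrepancies between them."""
    f = Findings()
    live = set(electronic)
    recorded = set(record)

    # Electronic map versus map of record: the visibility owners "do not realize".
    f.undocumented_hosts = sorted(live - recorded)
    f.stale_records = sorted(recorded - live)
    for host in sorted(live & recorded):
        extra = electronic[host] - record[host]["services"]
        if extra:
            f.undocumented_services[host] = sorted(extra)

    # Registered map versus map of record: public names the owners never accounted for.
    f.excess_registration = sorted(
        name for name, addr in registered.items() if addr not in recorded
    )
    return f


def report(findings):
    """Render the findings as lines suitable for the assessment report."""
    lines = []
    for host in findings.undocumented_hosts:
        lines.append(f"UNDOCUMENTED HOST   {host}: live on the network, not in the map of record")
    for host in findings.stale_records:
        lines.append(f"STALE RECORD        {host}: in the map of record, not observed")
    for host, ports in findings.undocumented_services.items():
        lines.append(f"UNDOCUMENTED SERVICE {host}: ports {ports} not in the map of record")
    for name in findings.excess_registration:
        lines.append(f"EXCESS REGISTRATION {name}: public name for a host not in the map of record")
    return lines


if __name__ == "__main__":
    for line in report(reconcile(REGISTERED_MAP, MAP_OF_RECORD, ELECTRONIC_MAP)):
        print(line)
```

In practice the map of record would be loaded from the asset inventory gathered in the preaudit survey and the electronic map from the assessment's own observations; the comparison logic is the same, and the stale-record and undocumented-host lists are the two numbers worth tracking from one assessment to the next.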

Target System and Vulnerability Identification

During the target system and vulnerability identification, the security consultants match specific systems with potential vulnerabilities for further testing.  The team chooses target systems according to their functions or according to importance identified by company personnel.  The consultants then directly contact these target systems and assess them to determine their level of vulnerability.

It is important to treat this phase as a measurement activity, not just a penetration test.  Although penetrating systems is generally easy to do, it is more important to measure the vulnerability state of the target systems systematically.  The objective of this phase is not to find a way in, but to identify as many ways in as possible.

Data Analysis and Security Design Review

The data analysis and security design review integrates the network map information and the vulnerability data, with a look at the network architecture to identify any glaring structural problems.  Due to resource constraints, the consultants usually limit the design review to some basic observations about the network implementation.

Summary and Recommendations

In the final step, the security experts assemble a summary of findings and recommendations to improve the security posture of the assessed systems.  The recommendations are focused on actions to mitigate the current vulnerabilities identified in the assessment.

 

Overall, due to the rise in security breaches and the increasing number of Internet users, companies must take every precaution to ensure the security of their revenue-generating networks.  The model is steadily moving to one where managed service providers own and manage the networks that these companies rely on.  As applications and information move to the Web, companies must be ready to protect their networks from the security issues that are becoming more common as technological innovation continues and network demands increase.

Appendix A

Security Quotes from Industry Constituents

Mark Carter, COO, CoreFacts, LLC, Data Recovery and Analysis Firm

-Annual Computer Security Institute and FBI Survey, 2001

-Annual Computer Security Institute and FBI Survey, 2001

Appendix B

Top 10 Security Tips

-FBI Security Institute
