Vulnerability assessment best practices for enterprises
Measure Twice, Cut Once
Vulnerabilities
Vulnerabilities are often defined as openings or pathways that a given threat can exploit to do harm to a critical asset.
With the main components of risk in mind, a picture of risk can be formulated as the intersection of all three components (Figure 1).
Clear Guidance
VA activities must have acceptance from the highest levels of an organization. The management team within the organization must understand the importance of the assessment to the organization as a whole and then give the assessment team the approval they need to perform the activities. Once all of the parameters of the assessment are worked out and the risks are laid out, the organization assumes the risks of having their systems scanned.
The assessment team should clearly outline and exchange the following information with the organization being assessed:
- Written authority to perform the assessment from the management of the organization. Note: Be sure to have a finalized version of your authorization, highlighting executive sign-off from the organization with which you are working.
- The systems that will be included in the VA.
- The systems that will not be included in the VA.
- The members of the assessment team.
- Clear identification of the assessment team member who will initiate the scans as part of the VA.
- The tools that will be used in the VA scans, with a list provided to the organization receiving the assessment.
- The time parameters of the VA (how long and when it will take place).
- The time when the most intrusive or the most intensive aspects of the VA take place (e.g., after hours, during the weekend, during a scheduled outage).
- The data likely to be obtained during the VA.
- Assurances (if required by the organization) that the VA will only look at data within the systems agreed to be a part of the VA.
- Assurances (if required by the organization) that the VA will only scan systems and not access the data on those systems (port scanning),
- How the data obtained during the VA will be secured to protect the organization.
- Provisions to account for false positives that may occur during the VA. Do the false positives add to the organization's vulnerability and could they be avoided in the future as a mechanism for remediation?
- Emergency contact information within the organization's management team in case an unforeseen issue occurs during the VA, including during non-working hours.
- The type and scope of the reports that will be generated by the VA.
- Other mechanisms that will be utilized within the VA (i.e., social engineering techniques), with a detail of the framework for these other mechanisms.
- The type of VA to be conducted (e.g., black box, white box, gray box; see the "Black/White/Gray Box Testing Defined" box).
Black/White/Gray Box Testing Defined
Black box testing refers to testing a system with no knowledge of the internals of the system (external threat).
White Box testing refers to testing a system with full knowledge of the internals of the systems (typically admin-level access to systems).
Gray box testing refers to testing a system with limited knowledge of the internals of the systems (typically user-level access to systems).
A successful VA program will include awareness training for the system owners once the VA is complete. Additionally, scanning will produce entries in logfiles that appear to be malicious in nature, so it is always a good idea to let the organization's administrators know, unless you are conducting a black box test. Typically the administrators you educate about the VA tools you will be using will also be the same group that will do the patching and remediation efforts generated from your assessment.
Gathering Information
The organization for which you are conducting the VA needs to make available the IT staff and management personnel that will help you properly ascertain the IT environment of the organization. The IT staff and management interviews can be just as useful in finding vulnerabilities within an organization as any technical control that could be deployed – that is, unless you are conducting a black box test, which would dictate that you have no prior knowledge of the system and the discovery of the IT infrastructure would in fact be part of the VA/penetration test. These types of assessments take more time and effort, which you should explain to the organization you are assessing.
Table 1 shows a broad list of possible question you can ask IT staff and management that might be helpful in evaluating the organization and their vulnerabilities.
Table 1
Assessment Interviews
Risk Assessment |
---|
Has the organization developed, documented, and disseminated a risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance? |
Has the organization developed, documented, and disseminated procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls? |
Are the procedures and policies reviewed and updated (e.g., a risk assessment policy every five years, risk assessment procedures annually)? |
Does the organization develop, disseminate, and review or update the following at an organization-defined frequency: |
* Formal, documented security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance? |
* Formal, documented procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls? |
Has the authorizing official approved in writing the mitigation of risks found on a tested and validated mission-critical IT system? |
Do all security personnel and administrators receive orders and directives to conduct internal defensive measures, including vulnerability alerts and bulletins? |
Information Security (INFOSEC) |
Has the organization developed and disseminated an organization-wide information security program plan? |
Is the security plan approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the nation? |
Has a security manager or someone with equivalent responsibility been designated in writing to ensure that classified and controlled unclassified information is properly handled during its entire life cycle? |
Cybersecurity |
Does the organization have a program established to prevent damage to, protect, and restore computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation? |
Are all mission IT systems and networks reviewed through a configuration management process to ensure changes do not have a significant effect on security (e.g., new network connections, operating system changes, and a new mission or new threats)? |
Has the organization conducted a comprehensive annual cybersecurity review that evaluates whether the existing policies interconnect with the current system configurations to ensure consistency? |
Has the organization done an analysis to identify assets and support for critical infrastructure networks and components, including cyber systems and assets? |
Does the organization integrate cybersecurity considerations into their business continuity planning? |
Is cybersecurity incorporated into the annual exercise, either in the form of a live exercise or a tabletop exercise? |
Are the system(s) within the organization installed according to the installation policies and standard configuration? |
Does the organization mandate that all systems have the latest security patches installed? |
Does each system have separate accounts and passwords (i.e., email, applications, etc.)? |
Does the organization ensure separation of duties between individuals involved in information system support functions and audit operations? |
Do the information systems enforce a limited number of consecutive invalid login attempts by a user during an organization-defined time period? |
Do the information systems automatically lock out a user account when a predefined maximum number of unsuccessful attempts are exceeded and then only permit reinstatement by an administrator? |
How are audit records and logs reviewed and maintained? |
Are backups conducted on IT systems? |
Are backups periodically checked to ensure they can recover the system? |
How are backups conducted: tapes, backup server (disk packs), storage area network (SAN)? |
Are backups stored at a geographically separate site? |
Are backups stored in a fireproof container? |
Are web servers placed in demilitarized zones (DMZs) and are all unnecessary services and processes removed or disabled? |
Is only authorized and licensed software used on the system? |
Are all ports, protocols, and services that are not required for operations blocked? |
Does each administrator who has access to IT systems have a password? |
Are spare parts or replacement equipment readily available? |
Are any routers configured with a dial-in modem? |
Do routers and switches have appropriate security controls (e.g., access only by authorized personnel)? |
Network Security |
Does the network architecture implement a layered security approach: e.g., proxy servers, DMZ, network intrusion detection systems (NIDSs), virtual private networks (VPNs), host-based intrusion detection systems, early warning devices, and firewalls? |
Does the organization have appropriate measures to ensure that continuous monitoring of the network is maintained to identify any potential security breaches? |
Does a current and comprehensive baseline inventory exist of all hardware (to include manufacturer, type, model, physical location, and network topology or architecture) and software (operating system, applications)? |
How does the organization review and update the baseline configuration of the information system? |
Is a security analysis conducted on the effect of any and all changes to the system, before implemented, to ensure network integrity? |
Does the organization provide basic security awareness training to information system users? |
Industrial Control Systems (ICS) |
Has risk assessment been completed as it relates to ICS? |
Are data flow controls tested to ensure that other systems cannot directly access devices within the ICS environment? |
Does the organization implement a security plan that concentrates on continuous security improvements and that focuses on the life cycle of the ICS? |
Does the ICS organization implement an effective defense-in-depth strategy? |
Does the organization implement policies and procedures governing access to control centers, field devices, portable devices, media, and other ICS components? |
Is the ICS assets list reviewed and updated annually? |
Does the organization have in place procedures for operating the ICS in manual mode, with all external electronic connections severed until secure conditions can be restored? |
Does the organization have clear roles and responsibilities for responders? |
Does the organization have a list for all personnel that have access to the ICS? |
Does the organization implement real-time monitoring of ICS, to include patch management, policy management software, and other security mechanisms? |
Is the ICS manned 24 hours a day seven days a week? |
Are all ICS control panels locked and alarmed? |
Are ICS vendor's laptops allowed to connect to ICS? |
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.