This paper provides a foundational overview of security planning and assessment in organizational contexts. It defines security assessments and distinguishes among the four primary types (audits, assessments, penetration tests, and vulnerability scans) with reference to real-world applications such as the security assessment of the Internet Protocol. The paper examines how network security assessment functions as a continuous, living process that enables business operations, describes two categories of network attackers, and outlines a five-step security assessment methodology. It concludes by emphasizing that a thorough, accurate assessment is the indispensable starting point for any effective information security program.
A security assessment is the process of examining a business and its supporting technologies to determine what security risks are present. It is a process that management can use to determine whether an existing information security program adequately addresses a company's security risks. It is also something that should be conducted on an ongoing basis to ensure that any security implications arising from changes in the environment or new initiatives are properly addressed (Kairab, 2004).
To understand what a security assessment truly accomplishes, consider the very protocol we all use every day on our computers: IP, the Internet Protocol. We all assume it is safe. The fact is, it is as open to problems as anything else on the internet.
IP supplies the basic data transfer capability for the internet, which makes it critically important. It transfers data in what are called "datagrams" from a source computer or server to a destination computer. In short, the basic data-delivery mechanism of the internet is vulnerable in several areas to security breaches and attacks by hackers. Problem areas include attacks on memory allocation severe enough to crash a computer, as well as problems with the reassembly algorithm and ambiguity in the packet reassembly process. Information is sent in packets over the internet so that a long message can be split into separate pieces for more efficient data transfer. These packets can be intermixed with packets belonging to other simultaneous transfers, and are then reassembled at the destination computer to form a readable or usable message. Because of bugs in that reassembly process, IP is left open to attacks that can overload memory buffers and, ultimately, crash the system.
There are several other vulnerabilities in IP, but the point is that these problems, and their fixes, were only recognized because of a security assessment. The following description of the source document illustrates exactly what a security assessment accomplishes in a real, specific case:
"This document is the result of an assessment of the IETF specifications of the Internet Protocol from a security point-of-view. Possible threats were identified and, where possible, counter-measures were proposed. Additionally, many implementation flaws that have led to security vulnerabilities have been referenced in the hope that future implementations will not incur the same problems. This document does not limit itself to performing a security assessment of the relevant IETF specification but also offers an assessment of common implementation strategies" (Gont, 2008, p. 4).
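The reassembly problems described above can be made concrete with a small, defensive fragment reassembler. This is an added example, not code from the paper or from the Gont assessment; it assumes a simplified model in which fragment offsets are plain byte offsets, and the buffer budget of 4096 bytes is a constructed limit. It refuses overlapping fragments (the ambiguity problem) and caps how much unfinished data it will hold (the memory problem).

```python
# Added example (not from the paper): a bounded IP fragment reassembler that
# refuses the two failure modes described above, overlapping fragments
# (reassembly ambiguity) and unbounded buffering (memory exhaustion).
# Simplified: offsets are plain byte offsets, not IPv4's 8-byte units.
from dataclasses import dataclass, field

MAX_DATAGRAM = 65535      # largest legal IPv4 datagram
MAX_PENDING_BYTES = 4096  # per-datagram buffer budget (constructed limit)
@dataclass
class Fragment:
    offset: int    # byte offset of this piece within the datagram
    more: bool     # "more fragments" flag; False marks the final piece
    payload: bytes
@dataclass
class Reassembly:
    pieces: dict = field(default_factory=dict)  # offset -> payload bytes
    total_len: int = -1   # unknown until the final fragment arrives
    buffered: int = 0

    def add(self, frag: Fragment) -> str:
        if not frag.payload:
            return "drop: empty fragment"
        end = frag.offset + len(frag.payload)
        if end > MAX_DATAGRAM:
            return "drop: exceeds maximum datagram size"
        if self.total_len >= 0 and end > self.total_len:
            return "drop: data beyond final fragment"
        # Reject any overlap with buffered data: "which copy wins" is exactly
        # the ambiguity that different stacks resolved differently.
        for off, data in self.pieces.items():
            if frag.offset < off + len(data) and off < end:
                return "drop: overlapping fragment"
        if self.buffered + len(frag.payload) > MAX_PENDING_BYTES:
            return "drop: reassembly buffer budget exhausted"
        if not frag.more:
            if any(o + len(d) > end for o, d in self.pieces.items()):
                return "drop: data beyond final fragment"
            self.total_len = end
        self.pieces[frag.offset] = frag.payload
        self.buffered += len(frag.payload)
        return "complete" if self.is_complete() else "pending"

    def is_complete(self) -> bool:
        covered = 0
        for off in sorted(self.pieces):
            if off != covered:
                return False  # a hole remains
            covered = off + len(self.pieces[off])
        return self.total_len >= 0 and covered == self.total_len

    def datagram(self) -> bytes:
        return b"".join(self.pieces[off] for off in sorted(self.pieces))
```

Every drop reason is returned as a string so a real implementation could count them; a spike in "overlapping fragment" or "budget exhausted" drops is the signal a defender would alert on.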
There are four types of security assessment: Audit, Security Assessment, Vulnerability Scan, and Penetration Test. All are ways to analyze risk, but they emphasize different aspects of risk management, different types of vulnerabilities, and different types of threat (Security Management, n.d.).
Audits. Auditing compares current practices against a set of standards. Industry groups or institution management may create those standards. Institution management is responsible for demonstrating that the standards it adopts are appropriate for the institution.
Assessments. An assessment is a study conducted to locate security vulnerabilities and identify corrective actions. An assessment differs from an audit in that it does not test against a fixed set of standards. It differs from a penetration test in that the tester is given full access to the systems being evaluated. Assessments may focus on the security process or on the information system itself, and they may examine different aspects of the information system, such as one or more hosts or networks.
Penetration Tests. A penetration test subjects a system to real-world attacks selected and conducted by the testing personnel. The benefit of a penetration test is that it identifies the extent to which a system can be compromised before the attack is detected, and it assesses the effectiveness of the response mechanism. Because a penetration test is seldom a comprehensive evaluation of a system's overall security, it should be combined with other monitoring methods to validate the effectiveness of the security process (Security Management, n.d.).
Vulnerability Scan. The goal of running a vulnerability scanner (a software program) is to identify devices on a network that are open to known vulnerabilities. Different scanners accomplish this goal through different means, and some work better than others (Bradley, n.d.).
Any business or organization that wants to control its computers, networks, and data must take an active, aggressive role in security. The entire process, and possibly the future of the business, depends on beginning with a security assessment to both identify and categorize potential risks to those systems. Assessing the security of a company's networks is an ongoing, living process and is never a one-time event.
Security assessment becomes an "enabler of business." In other words, proper assessment, design, and deployment of business networks, whether for a major corporation or a small business, allows that organization to embrace technology to improve and grow its operations, because it knows its systems are secure and has a plan to keep them that way.
Short-circuiting this important path to network security can leave a business open to compromise of its data by hackers. NASDAQ, Cryptologic Inc., Playboy Enterprises, RSA Security, and many others have been victimized in recent years, not because they did everything right and still fell victim, but because they failed in some way to maintain a security policy to protect their networks and data from determined attacks. Cryptologic, an online gambling company, lost $1.9 million to hackers in just a few hours (O'Reilly Media, 2005). It all begins with planning and assessment.
"Opportunistic versus determined network attackers"
"Five-step framework for conducting security assessments"
Third, and crucially, the assessor must understand the business. Without a solid comprehension of how the business operates, it is impossible to fully understand the risks it faces.
Fourth, communication with clients must be emphasized throughout the process. Clients need to be informed of both progress and findings as the assessment proceeds. This is key because the client may be able to offer additional information that could affect a finding, and the client must be prepared to discuss the entire process and its findings when the final presentation is made to management.
Careful planning is a key concept once an organization decides to perform a security risk assessment. Thorough planning economizes everyone's time and produces more comprehensive results. The critical task in planning is defining the scope: determining how to proceed so that time and resources can be allocated to complete the assessment in a timely and thorough manner.
The notable tasks in the planning phase include defining the scope, staffing the project with appropriate personnel, holding a kickoff meeting, developing the assessment project plan, and setting clear expectations with the client (Kairab, 2004).
The importance of an information security assessment in any organization cannot be overstated, but it is only the beginning of a complicated, ongoing process that must be continually updated. If the subsequent steps of the security program are not executed as carefully as the assessment itself, the results will not serve as a business enabler for the client, and the full value of the investment will never be realized.