When designing and deploying security solutions, a thorough understanding of what you have to protect is as important as an understanding of the vulnerabilities within and around your assets and infrastructure. A threat analysis considers the range of currently known threats and the potential and likelihood that an attack will be attempted against your organization, to help define what’s coming at you.
Threat management is the mitigation of recognized risk in an attempt to lower that risk to an acceptable level. Auditing and analysis are needed to confirm that those mitigation efforts are working. Humans can be your weakest link. Ensure they have received adequate training to stay a step or two ahead of potential attackers.
Audit and Analysis
Audit and analysis are techniques used to measure, record, and understand the threats facing an organization. Audit trails, log files, monitoring data, and other collected data points are used to construct a historical perspective of the infrastructure. Most operating systems, applications, and network services include native auditing tools. ISO 27002 lists common controls an organization can use to defend infrastructures. ISACA’s COBIT framework provides ways to test these controls when auditing. Standards and frameworks must be understood to prove corporate governance is compliant with applicable government regulations, such as the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS).
Making a record of events occurring on the network and within a system, as caused by a process or user account, is only the first part. Recorded event details need to be assessed and evaluated in the context of all other events, both digital and physical. Such analysis can reveal what actually occurred and whether those occurrences comply with required or expected work tasks. Internal auditing and analysis help show that a company is taking due care of its environment, and can lead to resolving employee issues, tracking down criminals, and continuously improving the organization’s security profile.
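As an added illustration of evaluating digital events in the context of physical ones (example code written for this page, not from the original text), the following script correlates constructed badge-reader records with constructed workstation logon records and flags logons by users the badge system does not show as present at that site. The log format, user names and site name are all assumptions.

```python
from datetime import datetime

# Constructed sample records (not from the page): physical badge events and
# digital workstation logons for one day, both as "time,user,action,site".
BADGE_LOG = """\
08:02,alice,badge_in,HQ
08:05,bob,badge_in,HQ
12:30,bob,badge_out,HQ
"""
LOGON_LOG = """\
08:10,alice,logon,HQ
08:12,bob,logon,HQ
13:15,bob,logon,HQ
09:40,carol,logon,HQ
"""

def parse(text):
    """Parse one log into (time, user, action, site) tuples."""
    rows = []
    for line in text.splitlines():
        t, user, action, site = line.strip().split(",")
        rows.append((datetime.strptime(t, "%H:%M"), user, action, site))
    return rows

def present_on_site(badge_events, user, site, when):
    """True if the user's latest badge event at the site on or before `when` is a badge_in."""
    last = None
    for t, u, action, s in sorted(badge_events):
        if u == user and s == site and t <= when:
            last = action
    return last == "badge_in"

def find_unbadged_logons(badge_text, logon_text):
    """Return (time, user, site) for logons with no matching physical presence."""
    badges = parse(badge_text)
    flagged = []
    for t, user, action, site in parse(logon_text):
        if action == "logon" and not present_on_site(badges, user, site, t):
            flagged.append((t.strftime("%H:%M"), user, site))
    return flagged

if __name__ == "__main__":
    # bob logs on after badging out, carol never badged in: both are flagged.
    for hit in find_unbadged_logons(BADGE_LOG, LOGON_LOG):
        print("logon without badge-in:", hit)
```

A flagged entry is a lead for review, not proof of wrongdoing: a forgotten badge-out or a tailgated entry produce the same signal, which is exactly why the text calls for evaluating events in context.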
Risk Assessment and Mitigation
Risk assessment is the initial and ongoing evaluation of an organization’s security stance in light of their assets, threats, and risks. A risk assessment is performed as a multi-step process that starts with an inventory of assets. Each asset is assigned a composite value based on both tangible and intangible considerations. Threats that could negatively affect each specific asset are listed. Each of these threats is then evaluated in terms of the potential exposure factor (i.e., amount of potential loss), likelihood of occurrence (i.e., probability of becoming real), and annualized rate of occurrence (i.e., how often in a given year threat realization is possible). These calculations are analyzed to determine the threat/asset combination that is expected to cause the most harm the most often and, thus, represents the largest risk to the organization.
Once risks are determined and prioritized based on severity and/or occurrence rate, countermeasures are selected to address top priority threats. Mitigation strategies include risk avoidance (i.e., removing elements of the environment or adjusting work tasks to remove that risk), risk reduction (e.g., installing security products or reconfiguring existing products), risk transference (e.g., assigning risk to others via outsourcing or insurance purchase), and risk acceptance (i.e., choosing to let a risk exist as is due to poor countermeasure options, lack of budget, small loss potential, or infrequency of occurrence). Overall, risk assessment and mitigation aim at taking an organization’s original total risk and reducing it to a manageable and acceptable level. Risk is never eliminated entirely (every new control carries new risks), and risk is not all bad; the ability to analyze risk concisely requires training and exercise.
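The two paragraphs above describe a quantitative risk calculation; as an added worked example (not from the page), the script below carries it through with the standard terms single loss expectancy (SLE = asset value x exposure factor) and annualized loss expectancy (ALE = SLE x annualized rate of occurrence), ranks the asset/threat pairs, and then scores a candidate countermeasure. All asset values, exposure factors, rates and costs are constructed for illustration.

```python
# Constructed composite asset values in currency units (assumption, not from the page).
ASSETS = {
    "customer database": 500_000,
    "public web server": 80_000,
    "office laptops": 60_000,
}

# Constructed (asset, threat, exposure factor 0..1, annualized rate of occurrence).
THREATS = [
    ("customer database", "breach via SQL injection", 0.60, 0.10),
    ("customer database", "ransomware", 0.40, 0.25),
    ("public web server", "defacement", 0.15, 1.0),
    ("office laptops", "theft", 0.05, 3.0),
]

def single_loss_expectancy(asset_value, exposure_factor):
    """SLE: loss expected from one realization of the threat."""
    return asset_value * exposure_factor

def annualized_loss_expectancy(asset_value, exposure_factor, aro):
    """ALE: expected loss per year, i.e. SLE scaled by how often it happens."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro

def rank_risks(assets, threats):
    """Rank asset/threat pairs by ALE, highest first: the combination expected
    to cause the most harm the most often comes out on top."""
    scored = [(annualized_loss_expectancy(assets[a], ef, aro), a, t)
              for a, t, ef, aro in threats]
    return sorted(scored, reverse=True)

def countermeasure_value(ale_before, ale_after, annual_cost):
    """Net annual benefit of a risk-reduction control. A negative result means
    the control costs more than it saves, so acceptance or transference may
    be the better strategy."""
    return ale_before - ale_after - annual_cost

if __name__ == "__main__":
    for ale, asset, threat in rank_risks(ASSETS, THREATS):
        print(f"{ale:>10,.0f}  {asset:<20} {threat}")
    # Constructed control: offline backups cut ransomware exposure factor from
    # 0.40 to 0.10 for an assumed 8,000 per year.
    before = annualized_loss_expectancy(ASSETS["customer database"], 0.40, 0.25)
    after = annualized_loss_expectancy(ASSETS["customer database"], 0.10, 0.25)
    print("net value of offline backups:", countermeasure_value(before, after, 8_000))
```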
Social engineering is any attack focusing on the humans of an organization. Since humans are the weakest link in any security solution, it is important to address this growing concern. Social engineering attacks can occur through any means of communication, both real world and digital, whether real-time or not. Social engineering attacks often prey on new or undertrained employees but just as often focus on high-value targets, such as administrators or C-level executives. Confidence games played by hackers can range from seemingly innocent conversations asking for general information (e.g., a name, e-mail address, or phone number), to specifically targeted ploys to trick a victim into revealing secret information or performing a risky task (e.g., opening an e-mail attachment, typing in commands, or visiting a URL).
Due to the nature of social engineering, there are no specific technology defenses that address it. Some filters for spam or phishing in e-mail and web browsers can help, but the best countermeasure is employee education and awareness. Employees need to know they are targets. They need to be more suspicious of contacts they don’t automatically recognize or that fail to provide a provable identity. Information classification policy should identify how data is to be classified and labeled. Each stratum of classification should clearly identify what content can be shared with whom. When necessary, procedures should dictate the means by which identities can be verified before revealing information or performing tasks. A thorough understanding of the means of social engineering and the common tactics employed by criminals will assist organizations in designing a training program that equips their personnel with the tools needed to avoid the common traps.
A threat assessment is part of a comprehensive risk assessment and risk mitigation process. It is the process of profiling and evaluating threats that loom over an organization and its assets. Only when you know the potential harm that could occur is it possible to design and deploy an appropriate and sufficient security response. Threats include Internet attacks, internal personnel, nature’s physical elements, unplanned downtime, hardware failures, over-allocation of resources and capacity, oversights, mistakes, and more. All of these must be considered when designing an organization’s security solution. Understanding threats (i.e., what they are, how they manifest, how situations are used by criminals, etc.) involves learning how criminal hackers work, understanding the process and costs of incident response and forensic investigations, and thoroughly understanding the underpinnings of IT infrastructure, including hardware, firmware, operating systems, applications, file storage, network resources, databases, and networking protocols.
When crafting and maintaining a secure infrastructure, there are three primary phases or elements: risk assessment/analysis, vulnerability assessment/analysis, and penetration testing. Security starts with a risk assessment to establish a foundational security policy. Risk assessments are repeated on a regular basis to incrementally improve upon a security solution. Generally, risk assessments are more often paper-based methods of security assessment and analysis.
Vulnerability assessment is then possible once an initial security policy has been implemented into the deployed infrastructure. Vulnerability assessment seeks to confirm that all necessary patches and upgrades are installed, that reasonable configuration settings are in place, and that known flaws and vulnerabilities are addressed. This assessment is usually performed using mostly automated analysis tools, which include an updatable database of checks, tests, and threat probes. Most vulnerability assessment tools can be run by a well-rounded network or security administrator. These assessment tools are generally safe to use and do not pose a serious risk to the infrastructure.
Once the administrative staff has responded to all issues uncovered by risk assessment and vulnerability assessment, the third phase of security assessment can be performed: penetration testing (a.k.a. ethical hacking). Penetration testing is when a highly skilled team of security experts uses the tools and techniques of criminal hackers to test the resiliency of the deployed security infrastructure, the methods of detection, and human response. The goal of such testing is to reveal vulnerabilities and other issues that automated tools overlook but that skilled and focused criminal hackers may be able to uncover. If you are able to find these concerns before they are abused, defenses can be implemented to prevent those esoteric breaches that may have been unknown prior to the penetration test.