
Author Archives: Stephen Haywood

The ROI of Security Assessments

Stephen Haywood, Security Analyst at Sword & Shield

In the business world, Return on Investment (ROI) is used to evaluate an expense and is calculated by dividing the net return (benefit minus cost) of an investment by the cost of the investment, so a higher ROI represents a better investment. When the return and the cost are both tangible and easily measured, calculating ROI is not difficult. Unfortunately, calculating ROI for a security assessment is not easy, because most of the benefits are intangible and not easily measured.

The primary benefit of a security assessment is an overall reduction of risk, accomplished by identifying and mitigating vulnerabilities, implementing or improving controls that match the relevant threat agents and attack vectors, and reducing the impact of an incident by improving incident response procedures. These benefits are difficult to measure at best, while the cost of a security assessment is glaringly obvious. Combine these two issues, and it is easy to see why companies have trouble justifying the cost of a security assessment.

Vulnerability Identification and Mitigation

A comprehensive security assessment will identify not only network vulnerabilities but also vulnerabilities in policies and procedures. The assessment will typically confirm the vulnerabilities identified in a prior risk assessment and, in some cases, identify new ones. In either case, the security consulting firm performing the assessment should provide strategies for mitigating the identified vulnerabilities. These strategies, if followed, should reduce the number of vulnerabilities, resulting in an overall reduction of risk.

It is important to understand that most vulnerabilities are the result of non-existent or poor policies, procedures, and system administration. A security assessment limited to network vulnerability scanning may not reduce overall risk, because scanning alone will not identify the vulnerabilities that result from poor policies, procedures, and system administration.

Improved Understanding of Threats and Attack Vectors

A comprehensive security assessment should also include penetration testing. A well-documented penetration test is an excellent way to gain insight into the current threat agents and attack vectors, and it can identify threats not included in the risk assessment. An improved understanding of the threats, threat agents, and attack vectors should lead to better controls against them, resulting in an overall reduction of risk.

Preparation for Future Incidents

Another benefit of including penetration testing in a comprehensive security assessment is the opportunity to test incident response policies, procedures, and personnel. The results of the assessment should drive improvements in incident response procedures that reduce the time needed to identify and respond to incidents. Reducing response time during an incident may also reduce the number of affected systems and the amount of data stolen. According to the 2011 Cost of Data Breach Study: United States by Symantec and the Ponemon Institute, the average cost of a data breach is 5.5 million dollars. Even a two percent reduction in that average cost would significantly improve the ROI of a comprehensive security assessment.

Conclusion

The primary benefit of a comprehensive security assessment should be the overall reduction of risk. This reduction in risk can only happen when the security assessment:

  • Identifies both network vulnerabilities and vulnerabilities in the policies and procedures of the organization,
  • Is used to improve the controls meant to protect against threats to the organization, and
  • Is used to improve incident response procedures and response times.

A comprehensive security assessment that accomplishes these three things will provide the highest return on investment.

Stephen Haywood is a Security Analyst at Sword & Shield Enterprise Security. He has over ten years' experience in the information technology field working as a programmer, technical trainer, network operations manager, and information security consultant. He holds a Bachelor of Science in Math and a number of industry certifications, including the Certified Information Systems Security Professional (CISSP), Offensive Security Certified Professional (OSCP), and GIAC Penetration Tester (GPEN). His blog is www.averagesecurityguy.info. Follow him on Twitter @averagesecguy.

Posted in Security Assessments

Information Security: There’s Not an App for That

Vulnerability assessment and exploitation, like so many other areas of technology, have progressed from being understood by a few elite practitioners to being automated for the masses.

Each day, information security professionals release new software or improve existing software to make identifying and exploiting network vulnerabilities easier. Unfortunately, these automated tools have produced a "there's an app for that" attitude toward information security. Many business owners and managers believe that an automated tool can determine whether their network is secure, which is not the case. Information security encompasses not only vulnerability scanning and exploitation but also risk management, user management, and other business processes. No automated tool can identify vulnerabilities in business processes; only a qualified information security professional can do that.

Vulnerability scanners are designed to identify specific issues in network services, operating systems, web applications, and software, but they cannot identify weaknesses in the underlying vulnerability management and configuration management processes. Exploitation frameworks such as Metasploit and Core Impact can exploit a machine, but they have no ability to determine the value of the data on the compromised machine or the effect the loss of that data would have on the business. In other words, when it comes to information security, there is not an app for that.

Posted in Security News