Thursday, March 22, 2018

Security Testing | Security 4 No0bs - Posture Assessment For An Application

Continuing our "Security 4 No0bs" series, I want to discuss what exactly this thing called a "Posture Assessment" is and how it applies to information security.


Source: Secure Force - Security Posture Assessment

What is a Security Posture Assessment?

In a way, the Security Posture Assessment (SPA) is kind of like a S.M.A.R.T goal for an organization as it relates to cyber readiness. The textbook definition is: "an organization needs to be able to assess their cyber-readiness holistically."

How does it work?

Applying the S.M.A.R.T principle, we can say that an organization can determine their cyber-readiness by setting forth an assessment based on the following (simplified) list:
  1. Specific
     An assessment of the current state of the security posture is conducted by way of an audit, internal or external, at both a micro and a macro level. Based on the results, potential solutions are presented.

  2. Measurable
     The impact of what was discovered during the audit needs to have some weight (value) associated with it. This can be in the form of a Severity "1-to-5" or "Critical > High > Medium > Low" scale. Whatever is used, the point is to assign a value to each issue so that the appropriate response can be taken.

  3. Achievable
     Once solutions are provided, their tactical feasibility is taken into account. These solutions can become part of an overall program, be it a Disaster Planning & Response (DRP) or a Continuity of Operations Planning (COOP) program. The solutions outlined must be achievable within a reasonable time frame and within some kind of budget.

  4. Relevant
     The combined results (vulnerability scan + audit + security assessment) should be modeled against the security architecture in place. The end result is a concise list of actionable items, each carrying a point value and a criticality metric relevant to the application or business function.

  5. Time-Based
     As stated before, the SPA ought to have some degree of efficiency as it pertains to INPUT -> PROCESS -> OUTPUT.
     • INPUT
       Initiation of a SPA ought to begin in a timely manner, based on a request (trigger) or in response to a perceived issue.
     • PROCESS
       The scope of the SPA can be met when all the necessary information is acquired on time. The same goes for completion of any vulnerability scans, security audits, and other such assessments.
     • OUTPUT
       The overall conclusion of the SPA has an expressed date and time, but is by no means to be regarded as finished. One can define "Done" as: a comprehensive list of recommendations submitted via report, awaiting response and follow-through.

Why bother with this?

In this day and age, cyber security is paramount to business continuity as well as to web and mobile application security. A SPA, taken as part of a larger comprehensive cyber readiness initiative, adds immense value to the overall constitution of an organization. It is imperative to the integrity and reputation of a company of any size to get "cyber ready" posthaste.

Friday, March 16, 2018

Security Testing | Security 4 No0bs - 5 Steps to a quick Security Audit


The process and procedures around Security Auditing


*** Disclaimer: as I'm learning about Information Security I come across a lot of useful information. Truly, it's a firehose of facts, tips, etc. that I write about on this blog. As it were, I wish to post the following link along with my notes on the following topic - Security Audit. ***

blog.dashlane.com/conduct-internal-security-audit/

What is a Security Audit?

At its most basic, a Security Audit is a systematic technical assessment of a system or application. The Security Team will conduct interviews, perform all manner of vulnerability scans, analyze the results, and produce a report detailing areas that require attention.

An audit must be thorough, cost-effective (in both time and money), and free of bias.

A more expansive definition can be found by conducting an online search or visiting your local library or bookstore.

Who is this for?

Audits can be applied to banking, commercial, health care organizations, schools, and just about any other institution where there is an exchange or transmission of sensitive end-user data.

Why am I doing this?

As mentioned, anytime a transmission of sensitive user information is involved, there needs to be precautions taken to secure the data. Think: Banking or Retail Site using banking information to complete a transaction.

The CIA triad comes into play.

An audit verifies that data is kept confidential during processing, that its integrity is preserved during transmission, and that it is accessible only to the recipients involved.

Security Audits are performed at the behest of a company about to launch an application that handles sensitive user data. The other common occasion for an audit is enforcement intervention (i.e., a cyber crime was committed): an investigation must be conducted to determine culpability by way of negligence, willful or otherwise.

Where will it take place?

More often than not, security audits are conducted on-site under the supervision of a third-party agency. Audits can be done internally or externally, the latter being more thorough but expensive.

External audits are performed by seasoned professionals who have all the appropriate tools and software to conduct a thorough audit, assuming they receive the requisite data and direction.

What is in scope?

If you decide to conduct an internal audit, and you have educated yourself on the compliance requirements necessary to uphold your security protocols, do the following:

  1. Define Your Audit
  2. Define Your Threats
  3. Assess Current Security Performance
  4. Prioritize (Risk Scoring)
  5. Formulate Security Solutions
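The "Measurable" and "Relevant" points of the SPA above, and step 4 here ("Prioritize (Risk Scoring)"), both come down to giving each finding a value and a criticality so the response can be ordered. The following is an added example, not code from the blog post or from Dashlane's article: it scores each finding as likelihood times impact on an assumed 1-to-5 scale for both, maps the product onto the post's Critical > High > Medium > Low bands (band thresholds are my assumption), and breaks ties using the declared value of the affected asset, mirroring the "Valued Assets" list described later in the post. The sample findings are constructed.

```python
"""Prioritize audit findings with a likelihood x impact risk score.

Added example for illustration; not the blog's or any vendor's method.
Assumptions: likelihood and impact are each rated 1..5, asset value is
rated 1..5 from the "Valued Assets" list, and the band thresholds below.
"""
from dataclasses import dataclass

# Criticality bands over the 1..25 product (thresholds are an assumption).
BANDS = [(20, "Critical"), (12, "High"), (6, "Medium"), (1, "Low")]


@dataclass(frozen=True)
class Finding:
    title: str
    asset: str
    asset_value: int  # 1..5, declared value of the asset (tiebreak only)
    likelihood: int   # 1..5, how likely the issue is to be exploited
    impact: int       # 1..5, damage to the business function if it is


def risk_score(likelihood: int, impact: int) -> int:
    """Raw score 1..25; rejects ratings outside the assumed scale."""
    for value in (likelihood, impact):
        if not 1 <= value <= 5:
            raise ValueError(f"ratings must be 1..5, got {value}")
    return likelihood * impact


def criticality(score: int) -> str:
    """Map a raw score onto the Critical > High > Medium > Low scale."""
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    raise ValueError(f"score out of range: {score}")


def prioritize(findings):
    """Return (criticality, score, finding) tuples, most urgent first.

    Equal scores are ordered by asset value, so the highest-value asset
    is where the follow-up effort lands first.
    """
    rows = []
    for f in findings:
        score = risk_score(f.likelihood, f.impact)
        rows.append((criticality(score), score, f))
    rows.sort(key=lambda r: (r[1], r[2].asset_value), reverse=True)
    return rows


# Constructed sample findings; not results from any real audit.
SAMPLE_FINDINGS = [
    Finding("Default admin credentials on payment gateway", "payments-api", 5, 5, 5),
    Finding("Outdated TLS configuration on marketing site", "www", 2, 3, 3),
    Finding("Verbose stack traces in error pages", "customer-portal", 4, 3, 3),
    Finding("Missing rate limit on login endpoint", "customer-portal", 4, 4, 3),
]

if __name__ == "__main__":
    for band, score, f in prioritize(SAMPLE_FINDINGS):
        print(f"{band:<8} {score:>2}  {f.asset:<16} {f.title}")
```

Two findings with the same raw score (the TLS configuration and the stack traces, both 3 x 3) end up in the same band, but the one on the more valuable asset is listed first; that tiebreak is what keeps the report's ordering aligned with the asset list rather than with whoever wrote the finding up first.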

What is not in scope?

Anything not otherwise agreed to, as expressed in the contractual agreement entered into by the auditor at the request of the client.

What is to be audited and what is not will be documented in a list - Valued Assets - and divided into segments of what will and will not be audited. The assets declared highest in value are where the focus of the audit should be.

How long does it take?

Start-to-finish, a security audit duration is determined by the scope and list of assets, as well as the volume of potential threats. Audits can span days or weeks. Most importantly, security audits are iterative and ought to be conducted regularly.

What are my deliverables?

Based on the outcome of the audit, a comprehensive report is generated detailing the level of tests conducted, any issues requiring action, and a list of potential security solutions. These can cover anything from "Employee Awareness" seminars and defensive countermeasures to better password policies and network monitoring.

This list can go on and on, but it is reliant mostly on the results of the aforementioned audit.