The Internet, like the Wild West of old, is an uncharted new world, full of fresh and exciting opportunities. However, like the Wild West, the Internet is also fraught with new threats and obstacles; dangers the average businessman and home user hasn't even begun to understand. But I don’t have to tell you this. You’ve heard that exact speech at just about every single security conference or seminar you’ve ever attended, usually accompanied by a veritable array of slides and graphs demonstrating exactly how serious the threat is and how many millions of dollars your company stands to loose. The “death toll” statistic are then almost always followed by a sales pitch for some or other product that’s supposed to make it all go away. Yeah right.

Am I saying the threat isn’t real? Am I saying the statistics aren’t true? No. What I’m saying is that many users fail to see what relevance any of this has to themselves and their company. Should the fact that e-Bay supposedly spent $120,000 dollars recovering from Mafia Boy's DDoS attack really have an impact on the reader's corporate IT policy? Perhaps not.

And yet, users can't afford to ignore these facts completely. That would be just plain dumb. What they need to do is to recognize that there are new threats and challenges and, like the other threats and challenges that businesses have always known, these need to be met and managed. No need to panic. No need to spend any money. Yet.

What users really need to do is to understand what the specific risks are that their company or home network faces from being connected to the Internet. In the same way that you don't borrow your business strategy from e-Bay, you probably shouldn't borrow your IT security strategy from them either. You need to develop an IT security strategy to meet your unique needs. You understand your company's own unique risk profile.

As with so many other things in life, the key to effective information security is to work smarter, not harder. And in this case, working smarter means investing your valuable time, money and human resources on addressing the specific problems that are the most likely to cause the most damage. The math is really quite simple. But before you can do the sums, you have to identify the variables. Here are some of the questions you'll have to ask yourself:

1. What are the resources - Information & Information Systems - I'm actually interested in protecting?
2. What is the value of those resources, monetary or otherwise?
3. What are the all the possible threats that that those resources face?
4. What is the likelihood of those threats being realized?
5. What would be the impact of those threats on my business or personal life, if they were realized?

Having answered the five questions above, you can then investigate mechanisms (both technical and procedural) that might address those risks, and then weigh up the cost of each possible solution against the potential impact of the threat. Once again, the math is simple: if the cost of the solution is higher then the potential financial impact of the risk (or risks) being addressed, then one may need to investigate other solutions, consider accepting and living with a part of the risk, or accepting and living with the risk completely.

This article is the first of a series that is designed to help readers to answer questions three and four in the context of Internet-connected systems: What are the threats that my Internet-connected systems face and what are the chances of those threats being realized. Over the next few weeks we will explore the thinking around Internet Security Assessments, not only why they are done, but also how they are done. By the end of this series you should understand how performing an Internet security assessment can contribute to an effective information security strategy, what you should expect from such an assessment and even how you could go about performing such an assessment yourself.

The Reasoning Behind Security Assessments

Background

An Internet Security Assessment is about understanding the risks that your company faces from being connected to the Internet. As already discussed, we go through this exercise in order to effectively decide how to spend time, money and human resources on information security. In this way our security expenditure can be requirement driven, not technology driven. In other words, we implement controls because we know that they’re needed, not just because the technology is available. Some firms refer to security assessments as ethical hacking or penetration testing. Although I also use these terms, I see them as referring to something completely different than risk assessment and thus do not see their use as appropriate in this context.

Security Assessments vs Risk Analysis

Later in this article, I'll show you a diagram of what is know as the "security life cycle", a depiction of the concept that security is a continual cycle with a number of distinct phases being repeated on an ongoing basis. You'll notice that this cycle distinguishes between a risk analysis and a security assessment. You may even have come across both terms before and wondered at the distinction. It's not my intention to argue semantics here. Indeed, I'm not even convinced that there is universal consensus on the precise definition of each term. Here's how I see it, briefly: A risk analysis is typically performed early in the security cycle. It's a business-oriented process that views risk and threats from a financial perspective and helps you to determine the best security strategy. Security assessments are performed periodically throughout the cycle. They view risk from a technical perspective and help to measure the efficacy of your security strategy. The primary focus of this paper is on this kind of assessment.

Internal vs External Assessments

I have further limited this paper to a discussion of Internet Security Assessments. Let me point out right from the start that this is only a part of the picture. An Internet security assessment can consist of one or both of two things: an internal assessment and an external assessment. The company for which I work distinguishes between the two in the following way:

"An external assessment is also known as perimeter testing and can be loosely defined as testing that is launched from outside the perimeter of the private network. This kind of testing emulates the threat from hackers and other external parties and is often concerned with breaching firewalls and other forms of perimeter security.

On the other hand, in internal testing the analyst is located somewhere within the perimeter of the private network and emulates the threat experienced from internal staff, consultants, disgruntled employees, or, in the event of unauthorized physical access or a compromise of the perimeter security. These internal threats comprise more then 60% of the total threat portfolio."

Although an Internet assessment is attractive because it is finite and answers a direct question, the following should be noted at the outset:

1. An Internet assessment will not identify all the risks to your information resources. Areas that are clearly not addressed include the following:
   1. Threats from within the trusted environment;
   2. Threats from RAS and other external connections; and,
   3. Threats from your extranet and connections to 3rd parties.
2. There are other ways of assessing risk, without doing a technical assessment.

Although it's beyond the scope of this discussion, the scope of an Internet Assessment can easily be expanded to include areas like RAS and the Extranet (which is why we actually refer to the service as an external assessment). However, even with the limited scope, there are a number of strong reasons for performing an Internet Security Assessment.

But first, let's remind ourselves why we want to do an assessment in the first place.

Reasons for performing a Technical Security Assessment

I've often thought, at the end of a security assessment project, that I probably could have advised the customer without having to perform the entire analysis. Internet installations are generally fairly similar and one sees the same mistakes being made at different installations all over the world. And yet I haven't quite given up on the idea. There are a number or reasons for my continued faith in technical assessments.

Firstly, a technical assessment allows me to fully familiarize myself with the customer's architecture. By the time the assessment is finished, I usually understand the client's Internet architecture at least as well they do, often even better. This puts me in a unique position to offer then real and useful advice and ongoing technical support.

The technical familiarity I've acquired also very often buys me the respect of the customer's technical personnel. That, in turn, puts me in an even better position to advise them. Because our clients themselves are often non-technical people, such as risk managers and financial managers, it is essential that we also win the trust and respect of the technical team. Penetration testing, a later phase in the assessment methodology during which we actually attempt to breach security and compromise the customer's systems, is particularly effective in this regard. It's hard for someone to argue that their security is sufficient when you've already clearly demonstrated that it can be compromised. The fact that our findings are based on a formal assessment methodology lends weight to the recommendations we make.

Sometimes an organization needs an objective assessment from an independent third party is necessary to convince others that they are taking security seriously. This is becoming more of an issue in certain sectors, where government, shareholders and other regulatory authorities are expecting companies to provide proof of proper information security.

Moreover, the fact is that a properly executed assessment may very well identify problems that otherwise may have gone unnoticed. A single small finger-fault in your firewall configuration may be all that's needed by an attacker and a thorough technical assessment may be the only way of determining this.

But most importantly, an assessment introduces objectivity. With the overwhelming number of security products and vendors in the market, it's important that security-conscious organizations and individuals spend money for the right reasons. A good assessment should help you to understand and prioritize your security requirements, allowing you to invest resources effectively. Very often, the most serious requirements will not be addressed by the simple acquisition of more technology, and it's important for the customer to understand that.

Actually, this last point is nothing new and security assessments have been seen as an important phase in the security lifecycle for as long as there has been information security theory. One version of the lifecycle looks like this:

Notice how the assessment phases (threat/risk analysis and security assessment) are the first and last step in the process. The analysis is used to identify what needs to be done, and the assessment is used to measure how effective the other phases in the cycle have been. A number of companies are even starting to use the outcome of these repeated assessments to measure the performance of their technical personnel. Some companies even use security assessments as a key performance area for regular personnel. Now there's an interesting idea.

Reasons for performing an Internet Security Assessment

Hopefully I've convinced you now of the value of a technical security assessment. But I've also said that this paper is limited to a discussion of Internet security assessments only. Does it make sense to focus on one area of your system like that? Actually, no. But Rome wasn't built in a day, and a complete assessment of a large environment will typically need to be broken up into a number of distinct and manageable phases. The Internet is only one of a number of different areas we could examine. However, Internet-connected systems are the single area we assess more than any other. And, given limited time and resources, it is sometimes the only area we consider for clients. Here is a summary of the reasons that companies still perform Internet security assessments:

1. Internet systems are an obvious part of the problem: Given the almost overwhelming size of the complete information security problem, it's often hard to know where to start. Internet systems are very often a clearly defined subset of the complete infrastructure and can be easily isolated, analyzed and secured. Although we realize that this only a small part piece in a much larger puzzle, it very certainly is a piece. If we can confirm that the Internet systems are secure many managers feel "Whew, at least that's out of my hair."
2. The Internet is a unique network: The tools and methodologies that we apply in analyzing Internet security are different from those we use when looking at "internal" spaces like WANs, LANs and Extranets. For this reason we tend to see an Internet assessment as a separate body of work from the rest of the assessment and tackle it separately.
3. Internet systems are an obvious target: Attack via the Internet is by no means the only threat your company faces, but it is a clear and obvious threat and one would be foolish to ignore it. And, just as you want to be sure you've locked your front door, you want to be sure you've secured your connections to the Internet. The threat of attack via the Internet is easily identified, tested and eliminated. We test our Internet security because then we can know that it has been done and move on.
4. Internet systems are a high-profile target: It smarts to be hacked from the Internet. Even though the financial impact of such an attack is often smaller then other forms of attack, a defaced Web site and other forms of Internet attack can often do huge damage to your company's reputation. For this reason we want to know that our Internet security has been taken care of.
5. Internet systems are often beyond our control: The Internet began its life a utopian exercise in community collaboration. Although this early utopianism has long since evaporated and the Internet has now developed in a battlefield for new-world commerce, there are still a rather scary number of uncontrolled inter-dependencies that make it possible for your company to operate on the Internet. The magical routing of IP packets from one network to the next is one example of this. The mapping of machine names to IP addresses via the Domain Name System is another. Yet we have no real control over these systems. They are critical to the safe operation of our Internet infrastructure and yet their security is beyond our control. Similarly, we have no control over when new vulnerabilities will be discovered in our Internet technologies. Quite simply, the only defense we have is to regularly assess this infrastructure for safe and secure operation. This is probably more true for the Internet then for other areas of your infrastructure.

Conclusion

In this section I've tried to convince you of the value of doing a technical risk assessment and to explain why we often consider the Internet systems separately from the rest of the infrastructure. In the next installment in this series, I'll give you an overview of the steps that we follow in performing this kind of assessment. The methodology is designed to ensure that our work is complete and consistent.

Charl van der Walt works for a South African company called SensePost that specializes in the provision internationally of information security services, including assessments of the kind discussed in this article. His background is in Computer Science, he is a qualified BS7799 Lead Auditor and he has been doing this kind of work for about five years now. he has a dog called Fish.

To read the next installment in this series, click here.