The Importance of Vulnerability Assessment For Your Organisation

Transcription

1 RCS Newsletter January 2011 Vulnerability Assessment Fitting it into your Increasing incidents of automated attacks on information systems Automated attacks on information systems, and especially attacks against Internet-connected systems, have continued to grow in number of incidents and negative financial impact over the last decade. In December 2010, for instance, MasterCard, VISA and PayPal's websites suffered Denial-of-Service (DoS) attacks from hackers and were thus temporarily unavailable. Malicious intruders are able to access organisations' critical information assets due to security vulnerabilities on the respective information systems. According to Carnegie Mellon's Computer Emergency Response Team (CERT), the number of catalogued system security vulnerabilities increased exponentially between 1995 and Q as illustrated in the figure below: In addition to the continually increasing number of incidents and the rising number of known vulnerabilities, the speed at which systems are attacked has also continued to accelerate. Consequently, it is imperative for an organisation to identify and address vulnerabilities in a timely manner to adequately protect its critical information assets. What is? The information security management system () refers to a coherent set of policies, processes and technologies utilised by organisations to identify and monitor risks to its information assets, while developing and implementing mitigating controls to achieve acceptable levels of information security risk. The ISO/IEC and ISO/IEC and related standards (published jointly by ISO No. of catalogued vulnerabilities Year Vulnerability Assessment Fitting it into your / Q1-Q3, 2008

2 International Organisation for Standardisation; and IEC International Electrotechnical Commission) provide one of the best known internationally accepted guidance for development and implementation. These standards recommend the use of the PDCA (Plan Do Check Act) model for the as follows: Plan (establish the ) this involves establishing security policy, objectives, targets, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organisation's overall policies and objectives Do (implement and operate the ) this involves implementing and operating the security policy, controls, processes and procedures Check (monitor and review the ) this involves assessing and, where applicable, measuring process performance against security policy, objectives and practical experience and reporting the results to management for review Act (maintain and improve the ) this involves taking preventive and corrective actions, based on the results of the management review, to achieve continual improvement of the. The diagram below further illustrates the PDCA model: Plan Establish the Information security requirements and expectations Do Implement and operate the Development, maintainance and improvement cycle Maintain and improve the Act Enterprise information security Monitor and review the Check Vulnerability Assessment Fitting it into your / 2

3 Vulnerability Assessment Vulnerability Assessment (VA) is the iterative process of identifying, quantifying, prioritising and remediating vulnerabilities (i.e. exploitable weaknesses) in a system which in our context refers to the information assets of an organisation. VA is central to the Check work area of the and is therefore critical to the effectiveness of the in achieving the organisations expectation of protecting valuable information assets. Vulnerability assessment practices address the two key locations of information security vulnerabilities i.e. internal and external. Internal vulnerabilities refer to information security vulnerabilities that can potentially breach critical information assets from within the organisation. Through internal vulnerability assessment, an organisation seeks to identify and assess internal information security vulnerabilities. Internal vulnerability assessment focuses on personnel, processes and systems that can be accessed from within the organisation such aspersonnel: System administrators, HR staff, Process owners Processes: User profile management; Physical and environmental security; Transactions processing and financial reporting Systems: business applications, databases, operating systems platforms, network devices and security devices. External vulnerabilities refer to information security vulnerabilities that can potentially breach critical information assets from outside the organisation. Accordingly, these vulnerabilities primarily target an organisation's network. External vulnerability assessments enable an organisation to identify and assess external information security vulnerabilities. This assessment focuses on personnel, processes and systems that can be reached via attempts that originate outside the organisation such as: Personnel: Customer service officers, HR staff, Physical security personnel, Third-party service providers Processes: Customer relationship management, Vendor management; Physical and environmental security; Systems: External access points and gateways such as firewall, proxy server, mail server, on-line payment platforms and web server in addition to other devices (e.g. routers) that serve as gateways to external networks. Vulnerability assessment tools, in general, work by attempting to automate the steps employed by malicious intruders to logically compromise critical information assets on an organisation's network: Vulnerability Assessment Fitting it into your / 3

4 Perform a footprint analysis Enumerate targets Test/obtain access through user privilege manipulation Escalate privileges Gather additional passwords and secrets Install backdoors Leverage the compromised system The vulnerability assessment tools target network attached devices (such as servers, desktops, switches, routers, and firewalls) for vulnerabilities. Often the vulnerabilities that are identified by these tools are programming flaws; however, some tools provide enough data that an analyst can uncover design, implementation, and configuration vulnerabilities. Examples of VA tools include Algo SEC Firewall, AppDetective, Nmap, Cain & Abel, SNMPWalk, EtterCap, Nessus, John the Ripper, Pwdump, Nikto, and Paros. Another critical VA tool (howbeit not necessarily automated) is social engineering. Social engineering is the act of manipulating people (which is a key component of the information security chain) into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques. Fitting VA into your Fitting VA into an organisation's can greatly enhance the overall effectiveness of the. To achieve this, provisions for VA practices need to be included in the Plan and Do phases even though VA is fully operational at the Check phase. The following steps need to be taken to integrate VA into the : Plan (establish the ) this involves articulating specific VA plans and guidelines in line with the organisation's information security objectives and risk appetite. Do (implement and operate the ) this involves implementing the needed VA resources, practices and tools. Check (monitor and review the ) the VA is fully operational during this phase. For an organisation with large infrastructure, it is necessary to leverage automated the VA operations for better efficiency. The use of VA tools is critical to gaining a snapshot view of the vulnerabilities that exist on the organisation's network. Most scanning tools include a reporting option or module that explains the vulnerabilities detected and provides a ranking of the criticality of each problem (e.g. High/Medium/Low). Assessments should be performed on a routine basis to gain an insight into the changes Vulnerability Assessment Fitting it into your / 4

5 (improvements or otherwise) in the organisation's information security environment. It is advisable to run two or three different VA tools so as to reduce the number of false positives and false negatives is to run two different scanners against a given network and compare the results. In most cases, the results of both tools will complement each other so that no weaknesses are overlooked. Act (maintain and improve the ) this involves taking preventive and corrective actions, based on the results of the VA performed to achieve continual improvement of security of critical information assets. Based on their severity and priority levels, identified vulnerabilities should be corrected promptly via security patches, updating, or even reconfiguring the affected system. personnel must work with management to share the VA findings and weigh the costs versus benefits of correcting the identified vulnerabilities before adopting a solution that fits. After all is said and done, operators of the who wish to reap the values of an effective VA process must always remember that security is like a chain which is only as strong as its weakest link or a wall that is only as strong as its weakest frame. VA, to be successful, must be intently focused on identifying and continuously strengthening the weakest link or frame in the organisation's chain or wall of security. Disclaimer The information contained herein and that which will be delivered during the course are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation KPMG Professional Services, a partnership registered in Nigeria and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. Printed in Nigeria.