
Page 273

Analyze and Report Test Outputs

Accumulating vast quantities of security test results is easy; remediating findings based on those results is much more difficult. Organizations that run vulnerability scans on an almost continuous basis are a common example: the scans produce a steady stream of reports, but simply producing a report does nothing to improve the situation. Producing the security testing data is a necessary first step, but it is not sufficient to improve future test results.

The volume of data to be analyzed is likely staggering, so an approach is needed that prioritizes reviewing and acting on some results before others. As with many things in security, the approach to triage should be informed by an understanding of risk. Imagine the exact same flaw or vulnerability existed on every system in an organization. Would the risk associated with each instance be the same? No, of course not. Even though the exact same flaw exists, the risk could differ drastically based upon, for example, the criticality of the system or data and the likelihood of an adversary being able to exploit each manifestation of the flaw.

The organization should already have significant data that speaks to confidentiality, integrity, and availability concerns for business assets. This data should be used to inform the analysis of security testing output. Depending upon how easily consumable the risk data is, some basic prioritization and analysis may be automatable. Other data will require manual review, at least initially, but to the extent possible that review should be documented in a way that helps automate future test data review.

A formal process for managing exceptions needs to be in place. Legacy systems are a common example: they often lack modern controls and are typically flagged as critical risks by vulnerability scanning software. Replacing all legacy systems with modern, secure systems is the obvious choice, but budget constraints may make that impossible, at least in the short term. In that case, compensating controls (such as additional firewalls, physical segmentation, application whitelisting, and additional monitoring) should be used, and a documented risk acceptance by the system or data owner should be required.

Collecting Security Process Data

Organizations need to collect data supporting the day-to-day effectiveness of their security processes and controls. Questions to be asked include: how operationally effective is account management? Can backups be restored, and can they be restored in a timely fashion? Note that collecting Disaster Recovery Planning (DRP) and Business Continuity Planning (BCP) data is also part of this process. We will discuss DRP and BCP in Chapter 8, Domain 7: Security Operations.

Account Management

Auditing the operational effectiveness of account management is critical. New employees enter an organization, existing employees may change roles, and employees may leave the company. A key question to answer is: how closely does actual account access match the intended access? Common auditing steps include:

  • Procure a list of employees who have exited the company in the past year and verify that all their accounts and access have been revoked. This includes computer accounts, email accounts, and physical access to buildings and garages via smart cards.
  • Ask human resources to provide a list of all employees whose job roles have changed, and verify that unneeded accounts or access tied to their old roles have been revoked.
  • Audit the account provisioning process. Assuming formal approval is required, compare the time and date of final account approval with the time and date of actual account creation on the system. The former should always occur before the latter (and not vice versa).
  • Verify that temporary and emergency accounts have been disabled in a timely fashion.
  • Identify inactive accounts (those that have not been accessed for a long period of time) and verify that they have been disabled in a timely fashion.
  • Audit all privileged groups (such as Windows Active Directory domain administrators) and verify that all included accounts are correct.
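The six audit steps above, carried out as an added worked example (not from the book): a Python script runs each check over a constructed HR exit list, role-change record, provisioning approval log, approved-administrator list and directory export. The user and group names, the 90-day inactivity threshold and the one-year provisioning audit window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample inputs (not from the book): the HR exit list, role changes
# with the groups each new role still needs, provisioning approvals for accounts
# created in the audit window, the approved privileged users, and a directory export.
NOW = datetime(2024, 6, 1)
HR_EXITS = {"bob"}
ROLE_CHANGES = {"carol": {"staff", "finance-app"}}
APPROVALS = {"dave": datetime(2024, 3, 10, 12, 0), "tmp-vendor": datetime(2024, 3, 28)}
APPROVED_ADMINS = {"alice"}
ACCOUNTS = [
    dict(user="alice", enabled=True, created=datetime(2023, 1, 5),
         last_logon=datetime(2024, 5, 30), groups={"staff", "Domain Admins"}),
    dict(user="bob", enabled=True, created=datetime(2022, 6, 1),
         last_logon=datetime(2024, 1, 15), groups={"staff"}),
    dict(user="carol", enabled=True, created=datetime(2021, 9, 9),
         last_logon=datetime(2024, 5, 29), groups={"staff", "finance-app", "hr-payroll"}),
    dict(user="dave", enabled=True, created=datetime(2024, 3, 10, 9, 0),
         last_logon=datetime(2024, 5, 28), groups={"staff", "Domain Admins"}),
    dict(user="tmp-vendor", enabled=True, created=datetime(2024, 4, 1),
         last_logon=datetime(2024, 4, 3), groups={"staff"}, expires=datetime(2024, 4, 30)),
]

def audit_accounts(accounts, now=NOW, inactive_days=90, window_days=365):
    """Run the six account-management audit steps; return (user, finding) pairs."""
    findings = []
    for a in accounts:
        u, enabled = a["user"], a["enabled"]
        # 1. Exited employees must have every account revoked.
        if u in HR_EXITS and enabled:
            findings.append((u, "exited employee still enabled"))
        # 2. Role changes: any group not needed by the new role is stale access.
        for g in sorted(a["groups"] - ROLE_CHANGES.get(u, a["groups"])):
            findings.append((u, f"stale access from old role: {g}"))
        # 3. Provisioning: final approval must precede creation (recent accounts only).
        if a["created"] > now - timedelta(days=window_days):
            approved = APPROVALS.get(u)
            if approved is None or approved > a["created"]:
                findings.append((u, "created before (or without) approval"))
        # 4. Temporary/emergency accounts must be disabled once expired.
        if enabled and a.get("expires") and a["expires"] < now:
            findings.append((u, "expired temporary account still enabled"))
        # 5. Accounts unused for longer than the threshold must be disabled.
        if enabled and now - a["last_logon"] > timedelta(days=inactive_days):
            findings.append((u, "inactive account still enabled"))
        # 6. Privileged group membership must match the approved list.
        if "Domain Admins" in a["groups"] and u not in APPROVED_ADMINS:
            findings.append((u, "unapproved member of Domain Admins"))
    return findings
```

Against the constructed data the script reports six findings, two each for bob and dave, one for carol and one for the expired vendor account, while alice passes every check.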