Feb
15
2012

Expanding the scope of security testing

Our guest blogger this week is Tom Bowers. While well-known for years as the Managing Director of Security Constructs LLC, he is now the Chief Information Security Officer (CISO) for the Virginia Community College System.

 

 

Continual testing is one of the main tenants of data breach prevention. Your network has to remain secure to ward off attacks. The typical security test, known as a penetration test, provides a point-in-time view of your security, limiting your scope of analysis.

To broaden that scope, today security and risk professionals are taking a cue from software engineers and using a type of testing known as attack surface analysis. Rather than focusing on a specific point in time like the penetration test, this test views the network as a fluid system.

Attack surface analysis uses an entry and exit point framework to identify the full extent of a system’s attack surface.  This analysis is done on either computing or business process resources. In either instance, the entry/exit points of a system are the ways through which data (or hackers) enters or leaves a system and are the basis for attacks.

Some attacks may even use both computing process and business process entry/exit points. For example, a hacker goes to a department store and applies for a job. While there, he inserts a USB thumb drive loaded with malware or auto-execute code into an unprotected USB slot on a nearby computer.

The malicious code executes and gives him a foothold into the enterprise systems that he can then exploit remotely. In this scenario, the hacker has essentially completed an attack surface analysis on the store’s business process and located an unprotected USB slot. He has also done the same for the computing process though, in this scenario, he has created a new attack surface rather than using part of the existing one.

As a CISO, I identify the most important data sets and map the attack surfaces to those data sets. For example, the personally identifiable information (PII) of your employees may be of primary concern to your enterprise. To conduct an attack surface analysis, I would look at the systems that contain this data AND how and by whom that data is used. Is the data static or does it move between enterprise systems? If so, what are the business processes that require this data movement and what are the pipelines through which it moves? Viewed in this fashion I see a more fluid attack surface with connected entry and exit points – not just a single one at a time.

Fortunately there are tools to assist with the process. As more and more enterprises use cloud-based or Web-based services, we can take advantage of the Open Web Application Security Project (OWASP) framework for Web applications. OWASP is highly respected in the information security space. Its open source tools identify all entry points into a program but do so in a well-structured manner that encourages analysis. It maps both roles and resources to each entry point. It is designed to be used throughout the lifecycle of the system under review. I use the concepts of OWASP to map roles and resources for the supporting business processes of these same applications.

For a more risk-based view of attack surface analysis, I use the Open Source Security Testing Methodologies Manual (OSSTMM) tool, run by Pete Herzog and his team in Spain. It is exactly what it states – an open source community providing an entire security testing framework. OSSTMM is the tool created and maintained by the Institute for Security and Open Methodologies (ISECOM). I’ve personally used this framework for many years in a wide range of enterprises. Its beauty is the completeness of the OSSTMM with framework, templates worksheets and Risk Assessment Value (RAV) spreadsheet.

The RAV is what assists us in attack surface analysis. The RAV provides a mechanism where you can place risk values for all of the computing and business process attack entry/exit points. The RAV spreadsheet then provides an overall risk score that aids in prioritizing your attack surface resolution action plan. While the risk scores may not be perfect at times, it is an excellent tool to guide your actions and give you a more holistic view of your system and its weaknesses.

 

 

 

Share