The nuts and bolts of a security assessment

Mark Perry, Symantec Corp.
July 8, 2004 (Computerworld) A year ago, the announcement of a patch for an operating system vulnerability preceded an attack by an average of 30 days.
In May, the average vulnerability announcement-to-attack code propagation was less than 18 days. In other words, the attack-code propagation cycle was 60% faster than for the same period a year ago. This marks a dramatic change in the threat profile for corporations over the past year. Yet our response to these threats via policy, procedures, testing, monitoring and mitigation techniques in this same time frame has not seen the same 60% improvement.
One step that can immediately improve information security efficiency is to conduct routine security assessments. The real value of an assessment is not in vulnerability identification but in interpreting results that lead to the root cause of risks. The vast number of vulnerabilities identified in an assessment report can be mitigated with relatively minimal effort. Without an information security program in place, however, other vulnerabilities will surface and could spread within your organization's infrastructure. For this reason, root-cause analysis, when combined with a robust security program, will achieve the maximum return on your organization's information security investment.
When performing a security assessment, work with your vendor to ensure that the data is interpreted and an evaluation is performed using your security process. The data required to perform a root-cause analysis should include everything from business goals to process documentation.
A root-cause assessment view can also be leveraged to ensure compliance with established procedures and the review process. With federal, state, regulatory and voluntary standards now seen as a key business driver of information security programs, enabling compliance processes can be a key funding driver for your periodic assessment program.
What to include in your assessment
When developing your assessment approach, it's best to have specific requirements in mind that will help you meet your goals. These requirements can range from a list of systems to be tested to detailed testing scenarios.
When reviewing the scoping requirements and the vendor's selection criteria to perform an assessment, consider a technology assessment that includes process-improvement recommendations. This will provide the added value of gleaning industry best-practice information on processes and architecture analysis. Ideally, these recommendations will also cover procedure and training requirements.
As the requirements and assessment goals are defined, consider how they will be met by a vendor. The reporting format is the primary way a vendor will provide the results to meet your requirements. Therefore, the reporting format should be agreed upon prior to starting an assessment.
Here are some items to include in the report:


The report structure can be organized by anything from geography to cost center. When defining the report format, consider how you will assign the report's remediation recommendations for action and how you will validate their completion. Defining the report format and reviewing sample deliverables before choosing a vendor will save many hours of interpretation and segmentation of the report findings when it comes time to align the report with a remediation approach.
Finally, be sure to document a knowledge transfer process in your assessment requirements to the vendor. Knowledge transfer can be as simple as training personnel on technical resources or involving your personnel in the assessment process. Training on the tools used to perform the assessment, and review of the vendor's proprietary tool data, will allow for more effective remediation of findings and can even assist in the internal development of processes and procedures once root-cause analysis is complete.
Surviving an assessment, with the report finalized and your requirements met, while gaining the maximum long-term return on your investment is an achievable goal.
Information security assessments are valuable tools for determining the real-time status of your information security posture. With adequate planning and consideration, assessments can have a long-term impact on an information security program. One thing is certain: Vulnerabilities identified in an assessment can be mitigated. However, it's guaranteed that if the information security program doesn't address the root cause of the vulnerabilities identified, more are sure to follow.
Mark Perry is vice president of Global Consulting Services at Symantec Corp.