Partner Perspectives  Connecting marketers to our tech communities.
6/10/2015
11:45 AM
Ryan Vela
Ryan Vela
Partner Perspectives
Connect Directly
Twitter
RSS
100%
0%

Breach Defense Playbook: Assessing Your Security Controls

Do you include physical security as part of your cybersecurity risk management plan?

Physical access to your network and IT assets is as important as access through 1s and 0s. A security controls assessment is meant to test the perimeter defenses that you have implemented around your physical appliances, hardware, wiring, and support systems.

You should leverage real-time assessments of your security measures in order to protect your sensitive data. Organizations that perform security controls assessments generally leverage penetration testing and social engineering, but there are so many more weaknesses in a physical infrastructure that can also be exploited. Being effective at testing the multiple facets and layers of perimeter security can yield significant improvements in security and reduce costs by streamlining the overall security plan for the organization. Likewise, after weaknesses are identified, an organization will know the areas within the IT network, physical structures, and personnel security that need additional training or support to prevent external or internal threats from manipulating those weaknesses.

Equally important as external threats are the threats from insider attack. No organization wants to imagine that they have hired someone who would attempt to cause harm, but the reality is that this is not as uncommon as organizations would hope. Therefore, reasonable precautions should be implemented to protect sensitive data.

When performing your security controls assessment, you should structure the assessment on three areas that will overlap one another:

  • Physical security
  • Social engineering
  • On-premise internal network vulnerability

For guidance, you can leverage NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations; SANS Security Laboratory: IT Managers -- Safety Series; the PCI Data Security Standard; and the SANS Institute InfoSec Reading Room: Security Assessment Guidelines for Financial Institutions, Developing Security Policies For Protecting Corporate Assets, System Administrator -- Security Best Practices, and Data Center Physical Security Checklist.

Physical Security Assessment

Your assessment should be tailored to meet your specific environment and testing needs. Evaluate the physical security measures currently in place and the documentation implemented to protect critical data systems and information. Include in your review both external and internal controls and policies that govern employee access, vendor access, visitor access, responsibilities, and educational awareness. Focus your physical security assessment in eight primary areas:

  • Location (community, region)
  • Perimeter penetration testing by unauthorized personnel
  • Interior computer room penetration testing by unauthorized personnel
  • Disaster recovery and geographic location risks analysis
  • Monitoring of internal and external areas for unauthorized personnel
  • Personnel access requirements
  • Support facilities, including water and HVAC
  • Wireless access points vulnerabilities

Social Engineering Assessment

To assess security awareness and attempt to bypass the physical access controls of a building, use social engineering techniques. Social engineering refers to techniques of establishing trust relationships between an attacker and victim, with the objective of gathering information otherwise unauthorized through social interaction with employees, suppliers, and contractors. This information is used to breach your computer network defense assets and controls. Social engineering activities test a less technical but equally important security component, which is the ability of the organization’s people to contribute to or prevent unauthorized access to corporate entities. This includes office spaces and information systems.

Your process should be designed to determine the level of security awareness among employees. Impersonating vendors and other trusted personnel, your assessment should test the extent to which access to sensitive areas within the data center may be possible. You can begin to focus your social engineering assessment with four example scenario methods:

  • Dumpster diving to test document destruction compliance
  • Impersonation or piggybacking as vendors, inspection officials, or other trusted personnel
  • Dropping USB drives in strategic communal locations that contain a benign program indicating its unauthorized access to internal systems
  • Phishing via email, text messages, and telephone conversations

On-premise Internal Network Vulnerability Assessment

Your on-premise testing should also be scenario-based by focusing on internally accessible devices and applications with the goal of attempting to access sensitive data. Your scope should include both wired and wireless access points. After accessing the network, you should attach to the appropriate network segment and test the services and resources. Keep your stakeholders involved as you are moving from segment to segment so that if operations are impacted, system owners can respond appropriately. You want to keep any impact to ongoing operations to a minimum. You can begin to focus your on-premise testing in three example scenarios:

  • Wireless security penetration testing
  • Controlled access with unauthorized devices added to the internal network
  • Internal penetration testing and vulnerability exploitation

The local penetration testing must evaluate the security of the network infrastructure and services from the perspective of an insider or unauthorized user who has gained inside access. The focus of the scenarios is to understand the potential weaknesses and impacts to production systems that store, process, or transmit data on the inside. Four techniques may be used to perform your on-premise testing:

  • Passive data collection
  • Network scanning and OS fingerprinting
  • Attempted vulnerability exploitation
  • Privilege escalation

Ultimately, your security controls should be tested regularly with a report that includes the scope of testing, the approach taken, the goals, a timeline of activities, identified gaps, and recommended remediation activities. The report should include an executive summary written in non-technical terms. Lastly, the report should have a grading chart so that from period to period, improvements can be tracked. Socializing the report with all stakeholders is also a must so that everyone involved can take ownership.

Ryan Vela is a Regional Director for Fidelis Cybersecurity. He has 15-years' experience in conducting investigations and digital forensic analysis. Ryan served as a Strategic Planner at the Defense Computer Forensics Laboratory (DCFL), where he established plans for the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
One in Three SOC Analysts Now Job-Hunting
Kelly Jackson Higgins, Executive Editor at Dark Reading,  2/12/2018
Encrypted Attacks Continue to Dog Perimeter Defenses
Ericka Chickowski, Contributing Writer, Dark Reading,  2/14/2018
Can Android for Work Redefine Enterprise Mobile Security?
Satish Shetty, CEO, Codeproof Technologies,  2/13/2018
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
Fidelis Cybersecurity provides organizations with a robust, comprehensive portfolio of products, services, and expertise to combat today's sophisticated advanced threats and prevent data breaches. Our commercial enterprise and government customers around the globe can face advanced threats with confidence through use of our Network Defense and Forensics Services – delivered by an elite team of security professionals with decades of hands-on experience – and our award-winning Fidelis XPS™ Advanced Threat Defense Products, which provide visibility and control over the entire threat life cycle.
Featured Writers
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: One agent too many was installed on Bob's desktop.
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.