6/10/2015
11:45 AM
Ryan Vela

Breach Defense Playbook: Assessing Your Security Controls

Do you include physical security as part of your cybersecurity risk management plan?

Physical access to your network and IT assets matters as much as logical access over the wire. A security controls assessment tests the perimeter defenses you have implemented around your physical appliances, hardware, wiring, and support systems.

Assess your security measures under live, realistic conditions in order to protect your sensitive data. Organizations that perform security controls assessments generally rely on penetration testing and social engineering, but a physical infrastructure has many more weaknesses that can be exploited. Testing the multiple facets and layers of perimeter security effectively can yield significant improvements in security and reduce costs by streamlining the organization's overall security plan. Once weaknesses are identified, the organization knows which areas of the IT network, physical structures, and personnel security need additional training or support to keep external or internal threats from exploiting them.

Threats from insiders are as important as external threats. No organization wants to imagine it has hired someone who would attempt to cause harm, but this is not as uncommon as organizations would hope. Reasonable precautions should therefore be implemented to protect sensitive data from insiders as well.

When performing your security controls assessment, you should structure the assessment on three areas that will overlap one another:

  • Physical security
  • Social engineering
  • On-premise internal network vulnerability

For guidance, you can leverage:

  • NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
  • SANS Security Laboratory: IT Managers -- Safety Series
  • The PCI Data Security Standard
  • SANS Institute InfoSec Reading Room papers: Security Assessment Guidelines for Financial Institutions; Developing Security Policies For Protecting Corporate Assets; System Administrator -- Security Best Practices; and Data Center Physical Security Checklist

Physical Security Assessment

Your assessment should be tailored to your specific environment and testing needs. Evaluate the physical security measures currently in place and the documentation implemented to protect critical data systems and information. Include in your review both external and internal controls and the policies that govern employee access, vendor access, visitor access, responsibilities, and educational awareness. Focus your physical security assessment on eight primary areas:

  • Location (community, region)
  • Perimeter penetration testing by unauthorized personnel
  • Interior computer room penetration testing by unauthorized personnel
  • Disaster recovery and geographic location risk analysis
  • Monitoring of internal and external areas for unauthorized personnel
  • Personnel access requirements
  • Support facilities, including water and HVAC
  • Wireless access point vulnerabilities

Social Engineering Assessment

Use social engineering techniques to assess security awareness and to attempt to bypass the physical access controls of a building. Social engineering is the practice of establishing a trust relationship between an attacker and a victim in order to obtain, through social interaction with employees, suppliers, and contractors, information the attacker is not authorized to have. That information is then used to breach your computer network defense assets and controls. Social engineering activities test a less technical but equally important security component: the ability of the organization's people to contribute to, or prevent, unauthorized access to corporate entities, including office spaces and information systems.

Your process should be designed to determine the level of security awareness among employees. By impersonating vendors and other trusted personnel, your assessment should test how far access to sensitive areas within the data center may be possible. You can begin to focus your social engineering assessment with four example scenarios:

  • Dumpster diving to test document destruction compliance
  • Impersonation or piggybacking as vendors, inspection officials, or other trusted personnel
  • Dropping USB drives in strategic communal locations, loaded with a benign program that reports when it has been run on an internal system
  • Phishing via email, text messages, and telephone conversations
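For the USB-drop scenario, the following is an added example and not code from the article or from Fidelis: it shows the one thing the benign program on the drive needs to do, which is prove that it was run, and it goes a step beyond the text by sealing that proof with an HMAC so the assessment team can reject fabricated or edited records. ASSESSMENT_KEY, DROP_ID and the output file name drop_evidence.txt are hypothetical values the assessors would set before imaging the drives.

```python
# Added example (not the article's code): a benign USB-drop payload that only
# proves it was run. It records the host, user, time and which drive was found,
# seals the record with an HMAC so the assessors can reject fabricated or edited
# records, and collects nothing else. ASSESSMENT_KEY and DROP_ID are hypothetical
# values the assessment team would set before imaging the drives.
import getpass
import hashlib
import hmac
import json
import socket
import time

ASSESSMENT_KEY = b"assessment-2015-q2-rotate-me"  # hypothetical; held only by the assessors
DROP_ID = "lobby-drive-03"                         # hypothetical label written on the drive


def make_record(drop_id, hostname, username, timestamp):
    """Minimal evidence: enough to show that an internal system executed the drive's program."""
    return {"drop": drop_id, "host": hostname, "user": username, "ts": int(timestamp)}


def seal(record, key):
    """Canonical JSON followed by an HMAC-SHA256 tag, so the record is tamper-evident."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify(token, key):
    """Return the record if the tag matches under this key, else None."""
    body, sep, tag = token.rpartition(".")  # the hex tag never contains a dot
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def run_drop(drop_id=DROP_ID, key=ASSESSMENT_KEY, out_path="drop_evidence.txt"):
    """What the program on the drive does when it is opened: append one sealed line locally."""
    record = make_record(drop_id, socket.gethostname(), getpass.getuser(), time.time())
    token = seal(record, key)
    with open(out_path, "a", encoding="utf-8") as fh:
        fh.write(token + "\n")
    return token


if __name__ == "__main__":
    print(run_drop())
```

Label each drive with its own DROP_ID so the report can say which communal location produced an execution. The program deliberately writes locally rather than calling home, so it never has to cross egress controls and never carries data off the host; the assessment team collects the evidence file during the walk-through.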

On-premise Internal Network Vulnerability Assessment

Your on-premise testing should also be scenario-based, focusing on internally accessible devices and applications with the goal of reaching sensitive data. Your scope should include both wired and wireless access points. After gaining network access, attach to the appropriate network segment and test its services and resources. Keep your stakeholders informed as you move from segment to segment so that if operations are impacted, system owners can respond appropriately; the goal is to keep any impact on ongoing operations to a minimum. You can begin to focus your on-premise testing on three example scenarios:

  • Wireless security penetration testing
  • Controlled access with unauthorized devices added to the internal network
  • Internal penetration testing and vulnerability exploitation

The local penetration testing must evaluate the security of the network infrastructure and services from the perspective of an insider, or of an unauthorized user who has gained inside access. The scenarios aim to understand the potential weaknesses of, and impacts to, production systems that store, process, or transmit data internally. Four techniques may be used to perform your on-premise testing:

  • Passive data collection
  • Network scanning and OS fingerprinting
  • Attempted vulnerability exploitation
  • Privilege escalation
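The passive data collection technique and the "unauthorized devices added to the internal network" scenario above can be exercised together with a sniffer that only listens. The following is an added example and not the article's or Fidelis's tooling; it assumes you hold an authorized-device list keyed by MAC address and that frames arrive as raw Ethernet/ARP bytes from a capture tool, and every frame in it is constructed inline rather than captured.

```python
# Added example (not the article's own tooling): passive ARP inventory for the
# "unauthorized devices added to the internal network" scenario. Assumptions that
# are not in the article: you hold an authorized-device list keyed by MAC address,
# and frames arrive as raw Ethernet/ARP bytes from a capture tool. Every frame
# below is constructed inline for illustration.
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(src_mac, src_ip, dst_mac, dst_ip, oper):
    """Build one Ethernet+ARP frame; used here only to construct the sample capture."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)  # Ethernet, IPv4, 6-byte hw, 4-byte proto
    arp += mac_bytes(src_mac) + ip_bytes(src_ip) + mac_bytes(dst_mac) + ip_bytes(dst_ip)
    return eth + arp


def parse_arp(frame):
    """Return (sender_mac, sender_ip, oper) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return mac_str(frame[22:28]), ip_str(frame[28:32]), oper


def collect(frames):
    """Passive data collection: which MAC has claimed which IPs. Nothing is transmitted."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        mac, ip, _ = parsed
        if ip != "0.0.0.0":  # an ARP probe has no address yet, so it claims nothing
            seen[mac].add(ip)
    return dict(seen)


def find_unauthorized(seen, authorized):
    """rogue: MACs absent from the authorized list. conflicts: IPs claimed by more than
    one MAC, which is how a device spoofing a known host shows up on the wire."""
    rogue = {mac: ips for mac, ips in seen.items() if mac not in authorized}
    claimants = defaultdict(set)
    for mac, ips in seen.items():
        for ip in ips:
            claimants[ip].add(mac)
    conflicts = {ip: macs for ip, macs in claimants.items() if len(macs) > 1}
    return rogue, conflicts


# Constructed sample: a two-entry authorized list and frames as a sniffer would see them.
AUTHORIZED = {"00:11:22:33:44:01": "fileserver", "00:11:22:33:44:02": "printer-2f"}
SAMPLE_FRAMES = [
    build_arp("00:11:22:33:44:01", "10.0.0.10", BCAST, "10.0.0.1", ARP_REQUEST),
    build_arp("00:11:22:33:44:02", "10.0.0.20", "00:11:22:33:44:01", "10.0.0.10", ARP_REPLY),
    build_arp("aa:bb:cc:dd:ee:ff", "0.0.0.0", BCAST, "10.0.0.50", ARP_REQUEST),    # probe
    build_arp("aa:bb:cc:dd:ee:ff", "10.0.0.50", BCAST, "10.0.0.1", ARP_REQUEST),   # unknown device
    build_arp("aa:bb:cc:dd:ee:ff", "10.0.0.10", BCAST, "10.0.0.10", ARP_REPLY),    # spoofs fileserver
    mac_bytes(BCAST) + mac_bytes("00:11:22:33:44:02") + struct.pack("!H", 0x0800) + b"\x00" * 46,
]


def report(frames=SAMPLE_FRAMES, authorized=AUTHORIZED):
    """Run collection and both checks; returns (rogue, conflicts)."""
    return find_unauthorized(collect(frames), authorized)


if __name__ == "__main__":
    rogue, conflicts = report()
    for mac, ips in rogue.items():
        print(f"unauthorized MAC {mac} claimed {sorted(ips)}")
    for ip, macs in conflicts.items():
        print(f"IP {ip} claimed by more than one MAC: {sorted(macs)}")
```

Two caveats a practitioner should carry into the report: a check keyed on MAC addresses only catches devices whose owner did not bother to spoof one, and the duplicate-claimant check only catches a spoofer while the legitimate host is also on the segment answering ARP. Because the collector never transmits, it fits the requirement above to keep the impact on ongoing operations to a minimum.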

Ultimately, your security controls should be tested regularly, with a report that includes the scope of testing, the approach taken, the goals, a timeline of activities, identified gaps, and recommended remediation activities. The report should include an executive summary written in non-technical terms, and a grading chart so that improvements can be tracked from period to period. Socializing the report with all stakeholders is also a must so that everyone involved can take ownership.

Ryan Vela is a Regional Director for Fidelis Cybersecurity. He has 15 years' experience in conducting investigations and digital forensic analysis. Ryan served as a Strategic Planner at the Defense Computer Forensics Laboratory (DCFL), where he established plans for the ...