Business Security Posture
1. Communication and Questions for the Security Manager
In the last two decades, information and communication technology has been widely adopted in most businesses, organizations, and institutions for many purposes. Daily activities and business operations are carried out using information and communication technology. For this reason, security management has become one of the priorities in businesses. Security managers are tasked with ensuring the security of data, information, and other organizational resources (Fox, Henning, Farrell & Miller, 2006).
The business security posture is the overall security plan and the approach that the business takes to ensure the security of data and information in the organization. It covers all the steps from planning to the implementation of security procedures and mechanisms in an organization. The security posture always comprises both non-technical and technical controls and procedures that are put in place to protect the business from external and internal threats (Fox et al., 2006).
In order to effectively carry out penetration testing and reporting on the business security posture, the first step is to put the following security questions to the manager:
In your capacity as the security manager, how can you rate the company’s security posture? Do you have a clear picture of the overall security posture in the organization and how this relates to the relevant industry practices?
How and when do you carry out security assessments such as the penetration tests and any other assessments?
Have you established a process that is used to address computer security issues in the organization?
How confident are you that the laid-down processes and procedures address the inherent security threats in the organization?
2. Documents used in the First Meeting
In the first meeting, several documents will be needed for presentation to the security manager in the organization.
Contract: The contract to carry out the penetration testing is important to determine the scope of activities for the penetration testing.
Security policies: The second document crucial during this meeting is the security policy. It is important to review the security policies before determining the actions to take. This document contains all the information on the security policies in force in the organization, so a review will help identify the areas to focus on during the penetration testing.
Organization security and compliance document: These are documents that entail the organization’s security details including the security mechanisms employed to address the different security threats and vulnerabilities. The document will act as a starting point to carrying out the penetration testing. Identification of security issues in the organization will be based on the organization security and compliance document.
Schedule of activities report: A report for schedule of activities that include the chronology of tasks and their allocated time, together with the budgetary allocation should be presented to the security manager for review and approval before the penetration testing is initiated.
Non-disclosure agreement: The non-disclosure agreement is part of the contract and should be presented to the security manager for review and approval before commencement of the exercise.
3. Chronology of events
According to Wai (2002), the following steps are followed in order to achieve effective and efficient penetration testing in any organization:
Planning and preparation
There must be adequate planning and preparation, since this ultimately determines the effectiveness of the penetration testing. The activities in this step include holding a kick-off meeting between the respective stakeholders, such as the security manager, the penetration testers and selected staff members of the organization (Wai, 2002).
During this meeting the objectives and main goals of the penetration testing are determined and laid out for all the participants. This step also includes scoping and the determination of the duration of the penetration testing exercise (Wai, 2002).
Information gathering and analysis
The next step in this process is to gather as much information as possible about the organization and the target systems. To do this, we will need to employ several tools and online resources to obtain the necessary data and information. The first step is to go to online platforms such as websites and collect as much information as possible. Another means of information gathering and analysis is a network survey, which can be done using effective tools such as Nmap (Tiller, 2004).
Once all the relevant data and information about the organization has been gathered and analyzed, the vulnerabilities associated with each system are scrutinized. Once all the vulnerabilities and exploits have been identified, they can be made available to the penetration testers for the testing process. Vulnerabilities can be scanned for and detected manually, often referred to as manual vulnerability scanning. Another option is automated vulnerability detection using tools such as Nessus, obtained from www.nessus.org. Upon completion of vulnerability detection, a list of possible targets will be produced. The list can then be used in the next stage to test each target (Tiller, 2004).
Once the list of possible targets has been produced, the next step is to select the targets against which penetration will be attempted. The simplest penetration attempt is password cracking, which involves the use of dictionary attacks, hybrid cracking and brute-force cracking, among others (Wai, 2002).
Analysis and reporting
Once all these activities have been completed, an analysis and a report should be produced for the organization. The report will contain analysis and commentary on the vulnerabilities found, ordered and highlighted so that the organization knows which should be addressed first (Wai, 2002).
A cleanup then follows to remove any artifacts left behind during the penetration testing. This must be done carefully so as not to affect normal operations in the organization.
4. Expected Results
The collection or gathering of data and information is a vital step in carrying out penetration testing in the organization. To achieve this, the Nmap tool is used to carry out a network survey of the organization. The results expected from using Nmap for a network survey should contain the domain names, server names, IP addresses, internet service provider information and a network configuration map (Tiller, 2004). Additionally, Nmap is useful in determining the domain registry information for the servers. Nmap is also known to determine the kind of operating system that runs on the network, including the firewalls and packet filters (Scarfone et al., 2008).
Nmap also does port scanning to determine the open and closed ports in the network. By using Nmap we are able to see the open ports in the system, as shown in the diagram below. Basically, the results expected from a port scan are the list of open ports available on a particular IP address (Scarfone et al., 2008).
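The survey results described above (IP address, server name, open ports and operating system guess per host) are most useful to the report when pulled out of Nmap's machine-readable XML output (the -oX option) into an inventory that can be ordered and reviewed. The parser below is an added example, not code from the original text or from the Nmap project; the XML it reads is a constructed sample in Nmap's output format, using RFC 5737 documentation addresses rather than real hosts.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (-oX), trimmed to the elements used here.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
    <os><osmatch name="Linux 4.X" accuracy="95"/></os>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """Return one inventory record per live host: IPv4 address, hostname,
    open ports as (protocol, port, service) tuples and the best OS match."""
    root = ET.fromstring(xml_text)
    inventory = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that did not respond carry no port or OS data
        addr_el = host.find("address[@addrtype='ipv4']")
        hn = host.find("hostnames/hostname")
        open_ports = []
        for p in host.findall("ports/port"):
            state = p.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports belong in the survey result
            svc = p.find("service")
            open_ports.append((p.get("protocol"), int(p.get("portid")),
                               svc.get("name") if svc is not None else None))
        os_el = host.find("os/osmatch")  # first osmatch is Nmap's best guess
        inventory.append({
            "address": addr_el.get("addr") if addr_el is not None else None,
            "hostname": hn.get("name") if hn is not None else None,
            "open_ports": sorted(open_ports, key=lambda t: (t[0], t[1])),
            "os_guess": os_el.get("name") if os_el is not None else None,
        })
    return inventory
```

Running parse_nmap_xml on a real scan's XML file gives the per-host open-port list that section 4 says the report should contain; hosts marked down are skipped rather than reported with empty data.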
5. Importance of the Non-Disclosure Agreement
Penetration testing involves hacking into the organization's network and gaining unauthorized access to accounts, email addresses and other confidential information. These are, in essence, illegal practices, here aimed at identifying the vulnerabilities of the company's systems and providing solutions. Consequently, the two parties must sign a Non-Disclosure Agreement that binds them not to disclose any information to a third party (Tiller, 2004).
In the context of XYZ Company, the penetration testers are going to carry out what would otherwise be an illegal activity in the company, with the aim of identifying security vulnerabilities in the company. Therefore, the company will be bound by the Non-Disclosure Agreement not to divulge any information, particularly the personal details of the penetration testers. Likewise, the penetration testers are bound by the Non-Disclosure Agreement not to divulge any information regarding the company's security flaws and vulnerabilities. Both parties are protected by the Non-Disclosure Agreement and both gain from the penetration testing.
Penetration testers may gain access to confidential information and data during the penetration testing process. Should that be the case, the Non-Disclosure Agreement prevents them from sharing the information or using it in any way that could potentially harm the company. Additionally, they may gain access to personal data and information of employees in their email accounts and other locations. Therefore, with the Non-Disclosure Agreement, the company's data and information, together with that of its employees, remains confidential.
6. Main Pre-Penetration Testing Steps
Penetration testers are often sourced externally; hence, they are new to the organization's activities and procedures. Therefore, they should perform some pre-penetration test steps before beginning the initial phases of the XYZ penetration test. These steps include:
Scoping
This is where both the tester and the organization determine the scope of the penetration testing. This step is important since it helps both parties, and most importantly the testers, to ensure that all vulnerable areas are included in the test.
Review of available documentation
It is important that the tester goes through all available documentation to ensure that they are familiar with the organization, the system to be tested and the requirements of the penetration testing. Such documents include application interface documentation and implementation guides, among others. With this information the tester will be able to understand how functionality should work and whether the results received are the ones expected (Tiller, 2004).
Review of past threats and vulnerabilities
The tester should look through historical threats and vulnerabilities that have been experienced in the company within the last 12 months. Armed with this information, the tester will be in a better position to handle the vulnerabilities and threats anticipated in the system. Additionally, the tester should be aware of vulnerabilities and threats common within the last 12 months within the industry (Wai, 2002).
Set the rules of engagement
The tester, together with the organization, must come to an understanding regarding the rules of engagement. These include the conditions under which testing is performed and the degree of exploitation the tester is permitted. This way, the tester is able to test the environment and ensure that the organization understands the results and expectations of the penetration test (Wai, 2002).
References
Fox, K. L., Henning, R. R., Farrell, J. T., & Miller, C. C. (2006). U.S. Patent No. 7,096,502. Washington, DC: U.S. Patent and Trademark Office.
Scarfone, K., Souppaya, M., Cody, A., & Orebaugh, A. (2008). Technical guide to information security testing and assessment. NIST Special Publication 800-115. National Institute of Standards and Technology.
Tiller, J. S. (2004). The ethical hack: A framework for business value penetration testing. CRC Press.
Wai, C. T. (2002). Conducting a penetration test on an organization. SANS Institute.