Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
6/10/2015
11:45 AM
Ryan Vela
Ryan Vela
Partner Perspectives
Connect Directly
Twitter
RSS
100%
0%

Breach Defense Playbook: Assessing Your Security Controls

Do you include physical security as part of your cybersecurity risk management plan?

Physical access to your network and IT assets is as important as access through 1s and 0s. A security controls assessment is meant to test the perimeter defenses that you have implemented around your physical appliances, hardware, wiring, and support systems.

You should leverage real-time assessments of your security measures in order to protect your sensitive data. Organizations that perform security controls assessments generally leverage penetration testing and social engineering, but there are so many more weaknesses in a physical infrastructure that can also be exploited. Being effective at testing the multiple facets and layers of perimeter security can yield significant improvements in security and reduce costs by streamlining the overall security plan for the organization. Likewise, after weaknesses are identified, an organization will know the areas within the IT network, physical structures, and personnel security that need additional training or support to prevent external or internal threats from manipulating those weaknesses.

Equally important as external threats are the threats from insider attack. No organization wants to imagine that they have hired someone who would attempt to cause harm, but the reality is that this is not as uncommon as organizations would hope. Therefore, reasonable precautions should be implemented to protect sensitive data.

When performing your security controls assessment, you should structure the assessment on three areas that will overlap one another:

  • Physical security
  • Social engineering
  • On-premise internal network vulnerability

For guidance, you can leverage NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations; SANS Security Laboratory: IT Managers -- Safety Series; the PCI Data Security Standard; and the SANS Institute InfoSec Reading Room: Security Assessment Guidelines for Financial Institutions, Developing Security Policies For Protecting Corporate Assets, System Administrator -- Security Best Practices, and Data Center Physical Security Checklist.

Physical Security Assessment

Your assessment should be tailored to meet your specific environment and testing needs. Evaluate the physical security measures currently in place and the documentation implemented to protect critical data systems and information. Include in your review both external and internal controls and policies that govern employee access, vendor access, visitor access, responsibilities, and educational awareness. Focus your physical security assessment in eight primary areas:

  • Location (community, region)
  • Perimeter penetration testing by unauthorized personnel
  • Interior computer room penetration testing by unauthorized personnel
  • Disaster recovery and geographic location risks analysis
  • Monitoring of internal and external areas for unauthorized personnel
  • Personnel access requirements
  • Support facilities, including water and HVAC
  • Wireless access points vulnerabilities

Social Engineering Assessment

To assess security awareness and attempt to bypass the physical access controls of a building, use social engineering techniques. Social engineering refers to techniques of establishing trust relationships between an attacker and victim, with the objective of gathering information otherwise unauthorized through social interaction with employees, suppliers, and contractors. This information is used to breach your computer network defense assets and controls. Social engineering activities test a less technical but equally important security component, which is the ability of the organization’s people to contribute to or prevent unauthorized access to corporate entities. This includes office spaces and information systems.

Your process should be designed to determine the level of security awareness among employees. Impersonating vendors and other trusted personnel, your assessment should test the extent to which access to sensitive areas within the data center may be possible. You can begin to focus your social engineering assessment with four example scenario methods:

  • Dumpster diving to test document destruction compliance
  • Impersonation or piggybacking as vendors, inspection officials, or other trusted personnel
  • Dropping USB drives in strategic communal locations that contain a benign program indicating its unauthorized access to internal systems
  • Phishing via email, text messages, and telephone conversations

On-premise Internal Network Vulnerability Assessment

Your on-premise testing should also be scenario-based by focusing on internally accessible devices and applications with the goal of attempting to access sensitive data. Your scope should include both wired and wireless access points. After accessing the network, you should attach to the appropriate network segment and test the services and resources. Keep your stakeholders involved as you are moving from segment to segment so that if operations are impacted, system owners can respond appropriately. You want to keep any impact to ongoing operations to a minimum. You can begin to focus your on-premise testing in three example scenarios:

  • Wireless security penetration testing
  • Controlled access with unauthorized devices added to the internal network
  • Internal penetration testing and vulnerability exploitation

The local penetration testing must evaluate the security of the network infrastructure and services from the perspective of an insider or unauthorized user who has gained inside access. The focus of the scenarios is to understand the potential weaknesses and impacts to production systems that store, process, or transmit data on the inside. Four techniques may be used to perform your on-premise testing:

  • Passive data collection
  • Network scanning and OS fingerprinting
  • Attempted vulnerability exploitation
  • Privilege escalation

Ultimately, your security controls should be tested regularly with a report that includes the scope of testing, the approach taken, the goals, a timeline of activities, identified gaps, and recommended remediation activities. The report should include an executive summary written in non-technical terms. Lastly, the report should have a grading chart so that from period to period, improvements can be tracked. Socializing the report with all stakeholders is also a must so that everyone involved can take ownership.

Ryan Vela is a Regional Director for Fidelis Cybersecurity. He has 15-years' experience in conducting investigations and digital forensic analysis. Ryan served as a Strategic Planner at the Defense Computer Forensics Laboratory (DCFL), where he established plans for the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8103
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...
CVE-2019-8104
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...
CVE-2019-8105
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...
CVE-2019-8106
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...
CVE-2019-8058
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an use after free vulnerability. Successful exploitation coul...