How do we effectively and quickly evaluate a system's security posture?
There are many scenarios in which the security of an information system needs to be explored. Perhaps you are an auditor who needs to determine whether or not an information system meets all of the controls detailed in your security framework of choice. Perhaps you are the new CISO at a company and you need to quickly understand the security controls currently deployed in your organization. Finally, maybe you are a security engineer working on the really granular pieces of the system in question and you just feel it's time to take a step back and look more holistically at the system's security architecture.
While there are many ways to perform a security review, one method which tends to evoke positive interactive discussion is an Experts Interview Panel. While it's called an interview panel and can be conducted very formally, it is usually more productive to allow the session to be more of a casual conversation between people who are interested in advancing the security of the environment. Essentially, you gather the people who are most knowledgeable about the information system in question and have them answer questions from other individuals who are experts in security or the technologies used in the information system. Smaller organizations with less mature information security programs may find it valuable to start out by performing this exercise for their entire infrastructure all at once instead of for individual systems or environments
When actually participating in the interview panel and asking questions, it is important to evaluate technical controls but don't forget about the "human factor" of security. Make sure you cover all aspects of information security:
- Governance: What policies are in place that govern the secure operation and use of the system? Such policies should include:
- Access control that is governed by the principles of least privilege and separation of duties. The fox should not be guarding the hen house!
- Strong change and configuration management. Are the authorizations required for each change appropriate? Are all of the potentially affected stakeholders notified of high risk changes?
- Consistent Auditing. Auditing should on a consistent enough basis to notice indicators of compromise before an attacker can cover their tracks or cause damage to the system.
- Procedures: Do the procedures that are used in day-to-day operations always take into account the best interests of the information system's security?
- Do changes include documented install, test, and backout plans? Before an engineer begins a change, do they know how to fix anything that goes wrong and restore services?
- Can you tell if an unauthorized individual accessed the system?
- Would you notice if an unauthorized change were made to the system?
- Technical controls: This is what many people think of as the "fun stuff," but it is certainly not the only component of information security.
- Are communications sessions encrypted?
- How is data at rest protected?
- Are any advanced system integrity controls are in place? Are you hashing system files daily to know if they have changed or using application whitelisting software on the servers?
Participating in the Interview Panel
Ask the Basics to Assess the System's Threat Profile
It is important to understand the threat profile of your system in order to more effectively assess security controls. Ask questions to figure out where the highest risk portions of the system are and perform threat modeling activities:
- Is the system accessible from the Internet?
- Is the system accessible from most, or all, of the internal network?
- Does the system use privileged credentials which provide access to other systems?
- How attractive of a target is the system? Does it hold critical data or perhaps control access to other systems of interest?
Lay the Groundwork
Can the experts easily enumerate the controls that are in place to ensure an information system's confidentiality, integrity, and availability? The experts should also be able to quickly explain how they have implemented the basics of access control: authentication, authorization, and accounting.
Do not spend a lot of time on this unless there are clearly gaping holes in the security controls. These are the basics that the system experts should be able to discuss off-hand, but you are also likely to receive the same answers that the experts give to anyone who asks about security. This panel is about making people think outside of the box about their security posture.
Use Scenario-Based Questions to Make People Think Differently
Engineers who work very closely with systems often get stuck in certain mindsets. They believe their systems are secure or that they know all of the potential threats and methods of attack. However, there are often pieces of that puzzle missing. Proposing a scenario and asking how the controls currently in place would prevent or detect the security incident forces people to think more creatively about these problems.
- If an attacker initiated an unauthorized privilege escalation, how would you detect and respond to that?
- If an attacker gained unauthorized access to the system by compromising a privileged account, how would you detect and respond to that? How is this scenario prevented in the first place?
- If a rogue administrator were to change the baseline system configuration, how would that be detected? This question could of course be more specific, as in "would anyone notice if encrypted communications were turned off or if the Administrators group suddenly had another user?"
- If a compromise did occur, would the attacker quickly have access to other systems? In other words, can this system be used as a pivot point in the network to cross boundaries or can the account credentials used to access this system be used to access other systems?
- Once an attacker gains a foothold in the system and begins to exfiltrate data, would this activity be detected?
Additionally, it can be very effective to ask an engineer to think like an attacker:
- If you were outside of the organization and wanted to steal information from this system, how would you do it?
- If you were a regular user inside of the organization and you wanted to compromise this system, how would you do it?