Six Security Assessments You’ve Never Had But Should

Monday, October 24, 2011

Stephen Marchewitz


Six Information Security Assessments You’ve Never Had (But Should)

You probably are familiar with the classic security assessments:  internal and external penetration testing, security risk assessments, and PCI gap assessments. 

You may not be as familiar with, or even aware of, other assessments that may be just as valuable for strengthening your security program. 

Some of these less familiar assessments are new, the result of emerging technology and regulations, but others have been around for several years and just haven’t gotten the attention they deserve. 

Consider performing these six assessments at least once in your organization to combat the constantly looming hacker threat.

1. Social Media Assessment

The use of social media sites is rampant.  Would you like to know what is being said on them about your organization?  Assessing your databases and social networks (Facebook, Twitter, LinkedIn, blogs, etc.) detects what is being disseminated on the Internet about your organization – including all of the information that your organization, employees, ex-employees, and the public are putting out there.

In addition, assessing any confidentiality agreements and social media policies you have in place will detect holes in your social media protocol.  This will allow you to integrate effective social media policies into your organization’s overall IT program.  You might be surprised at the large number of existing social media channels through which information is disseminated. 

A thorough Social Media Assessment looks at roughly 30-40 of them, including both the well-known sites and some obscure ones such as Hi5, Tagged, Friendster, Bebo, Orkut, Yammer, and Yelp.  In addition, a good Social Media Assessment looks at message boards, online forums, and blogs/micro-blogs like Google Blogger and Tumblr to provide a more complete picture of your organization’s social media posture.

2. Host Interrogation

Ask security professionals what a Host Interrogation is, and you probably will get more than a few blank stares in response.  The purpose of a Host Interrogation is to identify potential misconfigurations or security flaws on DMZ-based servers.  It provides the insider’s view of servers in much the same way a Firewall Ruleset Review does, which then can be matched up to get more value out of your Penetration Tests. 

The Host Interrogation process reviews hardening techniques and best practices in order to establish a baseline, which improves the overall state of security in the DMZ systems.  A good Host Interrogation combines the latest in automated assessment tools as well as a manual review of the overall configurations associated with the DMZ devices. 

3. Social Engineering Assessment

Attackers prey on humans’ inherent trusting nature, making the “human network” an easy avenue to gain access to sensitive data or to fully compromise an organization.  The attacker works to gain a level of comfort or form a trust relationship with the individual on the phone, and then leverages that trust for an attack. 

There are several components of Social Engineering Assessments, to address different ways of prompting a person to divulge information.  Typical assessments utilize phone calls to individuals within a company with the objective of convincing the user to reveal sensitive information. 

Originating phone numbers can be “spoofed” to appear to be calling from your phone block, to persuade the individual to download backdoors or to reveal such sensitive information as usernames, passwords, credit card information, salary information, and trade secrets.

Others, like client-side attacks, simulate the main attack methods of the hacking community:  An attacker gains full access to an organization’s network and systems simply by getting an employee to browse a Web site.

Because most organizations’ Internet-facing systems are a high security zone with layers of protection, attackers have shifted their methods and re-focused their attention onto organizations’ employees, taking advantage of human nature and weak security in client-side systems.

4. Work at Home Assessment

Although telecommuting, or working at home, has been offered by organizations for years, oftentimes the architecture surrounding the remote environment has never been tested.  What an employee does on their computer at home can generate a host of issues that your organization would never face if that employee were in the office every day. 

It’s important to test both technical and procedural controls to ensure proper safeguards have been implemented effectively.  For technical controls, there are two primary areas of review:  the remote access architecture including VPN, and the end-user environment including patch levels and other host controls.  

For procedural controls, the focus is on reviewing an organization’s Work At Home program policies and procedures.

5. Incident Response Plan Gap Assessment

When an event occurs that adversely affects the safety and security of your organization’s personnel, systems, and data, a well thought out Incident Response Plan (IRP) is what an organization needs to bring together required resources in an organized manner at a chaotic time. 

Most organizations do not have a well-defined IRP that ensures an approved policy is in place to define and address an incident, and that incorporates and tests existing incident response procedures.  During an IRP Gap Assessment, existing gaps within the referenced policies, response methodologies, and accompanying procedures are identified. 

Testing such as Attack and Penetration and Table-Top Incident Exercises is strongly recommended to identify any security exposures or threats that are being missed within the current security program.  This methodology ensures the IRP is properly implemented and tested, and correctly follows approved policies.

6. Privacy Assessment

Although technically not a security assessment, a Privacy Assessment is a critical component of understanding an organization’s risk as it relates to protecting Personally Identifiable Information (PII). 

This is important because of HIPAA having more teeth thanks to the Hi-Tech Act, and with the increase in international business and the resulting need for compliance with the EU Safe Harbor framework.  Organizations must have in place a functioning privacy program.

A Privacy Assessment is comprised of a privacy risk analysis, the identification of domestic and international data flows, the assessment of PII safeguards and privacy controls, and the development of a remediation plan and next steps.  Organizations that have undergone a Privacy Assessment, after stating “We’ve got it” or “Our privacy program is working,” are surprised by the Assessment’s findings.  

Not only did these organizations not “Have it,” most of them did not even have a fully functioning privacy program.  Whether it was due to outdated policies, non-existent procedures, or a lack of data identification, all of these organizations had gaps in their privacy programs. 

Most organizations assessed were in breach of all privacy regulations applicable to them, which could have led to large fines and sanctions.

Stephen Marchewitz is President of SecureState, an Information Security and Privacy Consulting Firm. He can be reached at 
