IronKey: Featured White Paper: The Perils of Using the Wrong Approach to USB Flash Drive Security. Only hardware ensures that data stays in and malware stays out.
This month's issue of the ISSA Journal is now available online and features peer-reviewed articles on:
If you would like to receive your Journal electronically, just log in to the ISSA website and update your member profile.
The University of Virginia has initiated a survey intended to gather benchmarking information on the processes and costs associated with security patching activities. Analysis of the responses will show how patching varies across business sectors, from company to company within a sector, and between larger and smaller companies. All collected data will be presented only in aggregate and will remain non-attributable and secure. The intent is to present the results to an audience of government organizations and industrial firms. It is anticipated that the results will be incorporated into a Master's Degree thesis.
Typically the survey takes 15 minutes to complete and in no case more than 20 minutes.
Ethical hacking is nothing new. The term has been used in the information security world and accepted by the security community for quite some time. Even though many have an understanding of the practical application of ethical hacking, organizations still fail to apply remediation recommendations based on assessment outcomes. This article does not identify innovative methods to put a new spin on an old concept, but instead focuses on where organizations fail to ensure success. For this reason, pre- and post-ethical hacking engagement activities are discussed rather than specific attacks or vendor selection criteria. Before exploring what organizations can do to maximize the ROI, consider the basic elements of ethical hacking and security principles.
Traditional ethical hacking
Let's face it, ethical hacking services are a part of the information security community and serve many purposes. In its most generic form, ethical hacking allows organizations to make use of professionals talented in the "black arts" of hacking and vulnerability identification. An ethical hacking engagement can be outsourced to a third party or can be conducted by an established internal team. Ethical hacking engagements may include social engineering, wireless penetration testing, Web application reviews, and other consulting services in addition to the commonly associated external and internal penetration tests. The goal is to identify vulnerabilities in organizational information technology (IT) assets and non-IT related assets.
Of course, IT and non-IT assets overlap in some cases, and those instances should be addressed as they arise. Physical security and organizational practices, policies, and procedures must be addressed for a complete approach.
Management acceptance
As a general foundation for ethical hacking and other security-related initiatives, recall the most elemental of requirements: management acceptance and support. No security plan is guaranteed success. Additionally, no security plan lacking management support will succeed. Sometimes the most difficult part of embarking on a successful ethical hacking engagement is conveying to executive management the importance of the engagement in the overall security program. This point may be common sense to most, but common sense is not always common. Ethical hacking should be a means to identify weaknesses in an organization's security posture. However, as a practitioner, I find a large number of organizations use ethical hacking engagements to measure the organization's implemented controls against Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), or Payment Card Industry (PCI) compliance directives, or simply to check-the-box. True management buy-in means supporting the assessment because the organization wants to be secure in addition to being compliant.
Getting back to basics
A "holistic approach" to security has been recommended by security practitioners for some time. Unfortunately, marketing and sales professionals may use this word in a different context than intended. In the eyes of the security professional, a holistic approach implies a comprehensive analysis of critical assets: those whose vulnerabilities carry a high risk of being leveraged, or whose compromise carries an increased potential for loss. To the buzzword-enabled salesperson, "holistic" may simply mean "kitchen sink." Rather than using holistic terminology, address organizational needs by evaluating existing controls against "best practices." Following best practices means implementing controls and taking the course of a "prudent man." A biblical reference to a prudent man states, "A prudent man seeth the evil, and hideth himself; But the simple pass on, and suffer for it." In short, do not accept the deal of the week. Take a hard look at what is important, assess the risk, and engage in assessment activities that apply to your organization.
Defining a scope
One of the most important decisions an organization can make when preparing for ethical hacking engagements is to first conduct a risk assessment. Risk assessments allow organizations to review threat scenarios and quantify the risks to which the organization may be exposed. Third-party risk assessments can prove valuable by giving organizations the benefit of an experienced facilitator. If the organization has an internal risk assessment team, it may be a good idea to have a third party review prior assessment results, assist with verification, and aid in further risk identification. Ensure a consistent and clear risk assessment methodology is followed. As an example, the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) methodology and tools provide a flexible approach to risk assessments. This methodology is currently maintained by the Software Engineering Institute at Carnegie Mellon University. Once an initial risk assessment has been performed and the organization has had an opportunity to review the risks, a plan should be developed to verify whether vulnerabilities exist that can be leveraged to turn a risk into a reality. Where ethical hacking is concerned, a risk assessment gives the organization an educated view of which assessment services are required and which extraneous services may be draining the budget while providing little ROI.
If you would like to receive The ISSA Journal in electronic format you can now opt-in to this new alternative by updating your ISSA member profile. Those who prefer the hard copy will continue to receive their usual copy unless they opt-in to e-delivery.