Envisioning Perspective

30 November -0001

In order to properly assess the security posture of any organization it is essential to first make sure you can accurately gauge the landscape. Taking stock of your assets is the first step to determining any security plan. First you have to inventory what you've got before you can begin to protect it. Discovering what servers, applications, services, devices, databases, and other assets exist within your organization can be a challenging and daunting task in and of itself. In fact, this task is often so difficult that it is a roadblock to a mature information security plan. Auditing your systems takes time and effort that is difficult to justify when the daily crisis of security are competing for attention. This step, however, is the cornerstone of a good information security plan and is absolutely essential to your success.

Polling your infrastructure takes time and patience. Fortunately there are tools that can help you. Using a network scanner, a vulnerability scanner, and other auditing tools can help you determine the extent of assets that exist within your realm of responsibility. Once these assets are identified, and only once they are completely inventoried, you can can begin planning your information security.

Armed with a complete list of assets it becomes necessary to assign value to the various components and services in your organization. Taking stock of the assets allows you to come up with a complete list from which to begin this task. Look at every aspect of your infrastructure and determine its value. The reason a complete inventory is so important at this point is because each asset will often lend value to or depend upon another asset. For instance, a certain database server might be critical to operational support of a highly valuable application or service. This elevates the value of the database server, and so on.

Once you have assigned value to your assets it becomes time to gauge risk. Gauging risk is difficult because you must take into account factors such as the motivations of malicious users. Being able to accurately determine these sorts of X factors makes this step particularly difficult. You must look at your assets and determine the likelihood of their compromise. This calculation takes into consideration particulars such as underlying operating system, quality of code, exposure over the network, and perceived value of the asset to intruders.

Gauging risk can often times be aided by auditing tools. By examining malicious traffic traversing your infrastructure it is sometimes possible to determine the most common attack vectors employed against your organization and their potential intent. By looking at malicious activity on your networks and in your logs you can often spot common patterns of attack attempts. Although these most often represent unsuccessful attempts they are instructive nonetheless. If you observe lots of attacks that seem automated and appear to target systems you don't possess it is tempting to simply discard this finding. It is important, however, to look more closely at this evidence to try and determine intent. Are attackers using automated tools to gain access to databases, to exploit web applications, to gain interactive shells? The calculation of attacker intent is much more valuable than the specifics of the attack and can be used to help you calculate the risk to your assets.

Sometimes looking at such traffic and logs doesn't reveal much. You might find attackers attempting to gain access to a specific resource but be left wondering about the motivation for wanting that resource. It is in answering these sorts of questions where honeypots become invaluable. By deploying controlled environments vulnerable to known attack vectors it becomes possible to observe the intent of attackers by monitoring their activities after a successful attack. Using a honeypot you can determine if attackers seem to be trying to gain access to your resources to host service of their own, to utilize them as a platform for further attacks, or for other purposes. Understanding this post-compromise behavior can help you in two ways. It can reveal more about the motivations of the attackers threatening your systems allowing you to more accurately determine risk. It can also reveal post-compromise patterns, or attack fingerprints, that can be use to develop defensive measures or alerting processes that can be used to notify system administrators when these attack fingerprints are observed on systems (indicating an otherwise undetected compromise).

Traditional risk calculations are determined using a [ value x vulnerability = risk ]. However, by understanding an attacker's motivations you can develop a much richer understanding of the "value" component of this calculation. Although an asset might have a low value internally, it might have a high value to an attacker. A dusty Windows NT box that sits in a corner for the sole purpose of displaying a fishtank screen saver would be a low organizational value asset, but to an attacker it's a file server, or spam relay, or phishing site host, or IRC bot, or whatever. Understanding that attackers might value your assets in different ways than you might value them helps you develop a more accurate overall value rating for your asset.

Once you have determined the values of your assets, and the risk associated with each it becomes much more apparent where to deploy resources. Information security is usually underfunded and the challenges facing a security group can seem overwhelming. By allowing a calculated risk analysis to guide resource allocation you ensure that your highest value, most exposed systems, command the utmost attention. This is often instrumental in freeing security personnel from chasing the cause du jour that can make information security seem like an unending game of whack-a-mole.