As we wrap up another year, now is a great time to perform an account audit of your systems, networks and applications. Accounts that belong to staff members who may have left the organization are a primary focus for this process. Begin by inspecting your primary data store or identity tree against a current list of employees from HR. If you find accounts for people not on the list, then flag those accounts for investigation.
Likely, you will discover accounts for people who have left your organization or for services that are no longer needed. These accounts should be disabled and removed as soon as possible. Many organizations argue against these audits because they claim that they have controls in place for employee terminations. While this may be true, a quick review of a list of departed employees should still be performed at least yearly as a control to make sure that the process is being followed.
Another area to look at along these lines is to audit the system and application rights of folks who may have moved from one line of business or department to another. Often, their accounts are mis-configured and may give them rights to access data that they no longer need. These should also be investigated and refined as soon as possible. Don’t forget to ensure that routers, network gear and off site systems are included in the audit.They often house old accounts long past their prime.
Do this and you’ll save resources for the New Year! Here’s to a prosperous and successful 2012 for you and your organization!
We caught up with Brent recently to ask about application security and his thoughts on its future for 2012. In this video, he talks about a common “weak link” for organizations as they focus on application security, OWASP, and more. Take a moment to watch and let us know your thoughts!
In your search for security vendors, be aware of those who offer assessments on the “we find holes or it’s free” basis. Below are a few points to consider when evaluating your choices.
Security testing choices should not be based on price. They should be based on risk. The goal is to reduce the risk that any given operation (application, network, system, process, etc.) presents to the organization to a level that is manageable.
Trust me, I have been in the security business for 20 years and all vendor processes are NOT created equal. Many variations exist in depth, skill level, scope, reporting capability, experience, etc. As such, selecting security testing vendors based upon price is a really bad idea. Matching vendors specific experience, reporting styles and technical capabilities to your environment and needs is a far better solution for too many reasons to expound upon here.
The “find vulnerabilities or it’s free” mentality can backfire.It’s hard enough for developers and technical teams to take their lumps from a security test when holes emerge, but to also tie that to price makes it doubly difficult — “Great, I pay now because Tom made some silly mistake!” is just one possibility. How do you think management may handle that? What about Tom?
Believe me, there can be long term side effects for Tom’s career, especially if he is also blamed for breaking the team’s budget in addition to causing them to fail an audit.
It actually encourages the security assessment team to make mountains out of mole hills.Since they are rewarded only when they find vulnerabilities and the customer expectations of value are automatically built on severity (it’s human nature), then it certainly behooves the security team to note even small issues as serious security holes.
In our experience, this can drastically impact the perceived risk of identified security issues in both technicians and management and has even been known to cause knee-jerk reactions and unneeded panic when reports arrive that show things like simple information leakage as “critical vulnerabilities”. Clearly, if the vendor is not extremely careful and mindful of ethical behavior among their teams, you can get seriously skewed views between perceived risk and real-world risk, again primarily motivated by the need to find issues to make the engagement profitable.
In my opinion, let’s stick to plain old value. We can help you find and manage your risk. We focus on specific technical vulnerabilities in networks, systems, applications and operations that attackers could exploit to cause you damage. The damages we prevent from occurring saves your company money. Look for a service vendor that provides this type of value and realize in the long run, you’ll be coming out ahead.
A vulnerability is the process of identifying and quantifying vulnerabilities on your network systems. A penetration test is a goal-oriented exercise — it can be to get data on the system or to cause as much damage as you can in order to test the system. – Adam Hostetler, MSI Network Engineer and Security Analyst
What is the best security assessment for you? A vulnerability assessment or a penetration test? Are’t they the same? In this episode of MSI Strategy & Tactics, the techs discuss the differences between the two and how to know which one is best for you. Take a listen! Discussion questions include:
The difference between a vulnerability assessment and a penetration test
The width versus depth analogy
When an organization should use a vulnerability assessment and when to use a penetration test
How an organization can make sure they are asking for and getting the right fit
Brent Huston, CEO, Founder, and Security Evangelist
Adam Hostetler, Network Engineer and Security Analyst
Phil Grimes, Security Analyst
John Davis, Risk Management Engineer
Mary Rose Maguire, Marketing Communication Specialist and moderator
Click the embedded player to listen. Or click this link to access downloads. Stay safe!
A web application security scan is a great way to get rapid feedback on the security and health of your web-based applications.
You can think of the web application scan as a sort of vulnerability assessment “lite”. It leverages the power and flexibility of automated application scanning tools to do a quick and effective baseline test of your application. It is very good at finding web server configuration issues, information leakage issues and the basic SQL injection and cross-site scripting vulnerabilities so common with attackers today.
This service fits particularly well for non-critical web applications that don’t process private information or for internal-facing applications with little access to private data. It is a quick and inexpensive way to perform due diligence on these applications that aren’t key operational focal points.
Many of our clients have been using the application scanning service for testing second-line applications to ensure that they don’t have injection or XSS issues that could impact PCI compliance or other regulatory standings. This gives them a less costly method for testing the basics than a full blown application assessment or penetration test.
While this service finds a number of issues and potential holes, we caution against using it in place of a full application assessment or penetration test if the web application in question processes critical or highly sensitive information. Certainly, these deeper offerings find a great deal more vulnerabilities and they also often reveal subtle issues that automated scans will not identify.
If you are interested in learning more about the applications scanning service, please fill out the contact formand put in the “Questions” box:Web App Scan. We can help you identify if these services are a good fit for your needs and are more than happy to provide more detail, pricing and other information about web application scans.