
If you have the curiosity and time, I recommend reviewing NIST Special Publication 800-115, “Technical Guide to Information Security Testing and Assessment”. In addition to being 80 pages of excitement and fun, this document provides us with rich details on testing information technology systems using a consistent approach.
For the sake of simplicity, we’ll summarize the three key techniques:
- Interviews – Discussions with people
- Examination – Observations of records and configurations
- Testing – Exercising a system to observe response (and compare to expectations)
As part of an overall risk management process, these techniques provide higher levels of confidence when identifying risks and taking corrective action.
Why is that important? Better security assessments mean we’re better at fixing the right problems. I like to describe security assessments in terms of a typical visit to a doctor.
- Interviews rely on verbal and written questions and answers describing systems, operations, and capabilities. While this provides valuable insight, it can only reveal problems already known to staff or issues recognizable by their described symptoms. If we are to draw an analogy to a medical check-up or office visit, this is the level of detail you can describe to a front office scheduler. Some details may jump out, but much is left uncovered.
- Examinations involve observation of a system, specific records, configuration data, or logs. To extend our analogy, this is like the check-in process at the doctor's office, including initial height and weight measurements. When combined with additional interview questions, results are better than an interview alone. Since we now have a skilled observer involved, we may uncover important details.
- Testing provides a more accurate assessment of a system's security state and provides details that may not be easily observable without the assistance of specialized techniques and tools.
Like blood tests, x-rays, and MRIs, actual testing reveals significantly more information, in ways that can be referenced to diagnose very specific problems. Most information security standards require testing of networks and web applications, as well as servers, PCs, and mobile devices attached to networks. Because of the sheer volume of devices and the permutations of exploitable software defects and configuration errors, this process almost always starts with tools. Iterative rounds of testing, including "penetration tests" that attempt to exploit identified exposures, allow both the verification and elimination of exposures from your final risk management reviews.
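The iterative rounds described above produce a practical bookkeeping problem: tool output from one round has to be compared with the next round, so that exposures confirmed by hands-on testing stay in the risk review, exposures that no longer appear are retired, and unreproduced tool output is held back until someone looks at it. The following is an added example, not code from NIST SP 800-115 or from the original post; the finding records, host names, and check identifiers are constructed, and the `verified` flag is assumed to be set by whoever performed the follow-up test.

```python
"""Reconcile findings across two rounds of security testing.

Added example (not from SP 800-115 or the original post). Assumes each round
is exported from the scanning/testing tools as a list of Finding records keyed
by (host, check_id); all sample values below are constructed.
"""
from dataclasses import dataclass

# Lower rank sorts first in the review.
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str        # tool's own identifier for the weakness (constructed labels)
    severity: str        # "high", "medium" or "low"
    verified: bool = False  # True once a tester reproduced the exposure by hand

    @property
    def key(self):
        return (self.host, self.check_id)


def _by_severity(f):
    return (SEVERITY_RANK.get(f.severity, 99), f.host, f.check_id)


def reconcile(previous, current):
    """Classify exposures by comparing an earlier round with the current one.

    verified    - seen in both rounds and reproduced by testing: real and still open
    unconfirmed - seen in both rounds but not reproduced: candidate false positive
    eliminated  - present last round, absent now: fixed or no longer reachable
    new         - first seen this round, still awaiting verification
    """
    prev = {f.key: f for f in previous}
    curr = {f.key: f for f in current}
    result = {"verified": [], "unconfirmed": [], "eliminated": [], "new": []}
    for key, f in curr.items():
        if key not in prev:
            result["new"].append(f)
        elif f.verified:
            result["verified"].append(f)
        else:
            result["unconfirmed"].append(f)
    for key, f in prev.items():
        if key not in curr:
            result["eliminated"].append(f)
    for bucket in result.values():
        bucket.sort(key=_by_severity)
    return result


def open_risk(reconciled):
    """What belongs in the risk review: verified exposures plus new ones that
    still need a tester's attention. Unconfirmed tool output is excluded."""
    return sorted(reconciled["verified"] + reconciled["new"], key=_by_severity)


# Constructed sample rounds: round 2 re-tests round 1 and adds a hands-on check.
ROUND_1 = [
    Finding("web-01", "TLS-WEAK-CIPHER", "medium"),
    Finding("web-01", "OUTDATED-CMS", "high"),
    Finding("db-02", "DEFAULT-CREDS", "high"),
    Finding("pc-17", "MISSING-PATCH", "low"),
]
ROUND_2 = [
    Finding("web-01", "TLS-WEAK-CIPHER", "medium", verified=True),
    Finding("web-01", "OUTDATED-CMS", "high", verified=False),  # retest could not reproduce
    Finding("pc-17", "MISSING-PATCH", "low", verified=True),
    Finding("vpn-03", "EXPOSED-ADMIN", "high"),                 # newly discovered
]

if __name__ == "__main__":
    outcome = reconcile(ROUND_1, ROUND_2)
    for bucket, findings in outcome.items():
        print(f"{bucket:12s} {[f.key for f in findings]}")
    print("for risk review:", [f.key for f in open_risk(outcome)])
```

The point of separating "unconfirmed" from "verified" is the one the text makes: tool output alone is the equivalent of the front-office questionnaire, and only the follow-up test turns a reported exposure into something worth spending remediation effort on. In the sample data the database default-credentials finding drops out of the review because it was not reported again, while the unreproduced CMS finding is neither closed nor escalated until a tester settles it.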
Without effective security assessments, we can find ourselves treating problems that are neither urgent nor high risk. If we approach assessment thoughtfully, any time we spend will be saved later.