Steve Hunt at Security Dreamer recently posted a quick test for knowing if your network is vulnerable. The test: well, there is no test. You can take for granted that your network is vulnerable. Steve’s point? You don’t need a security consultant to perform a $30,000 security assessment to tell you that.
I see Steve’s point, but let’s take a step back here. I really think Steve is too narrowly defining the term “security assessment” (he never actually uses the words “security assessment”, but it is easy to determine that is what he is talking about). The type of assessment he is talking about is designed for those that have a somewhat solid security program in place and need to find the flaws with it. If you fall into this category, then you can benefit from this type of assessment because it will be an overarching, far-reaching, and deep-digging look at your systems, policies, procedures, etc. with the express purpose of telling you where your vulnerabilities lie.
But I think Steve is assuming you don’t fall into this category and you don’t have a good security program in place. If that is so, then you need to listen to Steve. Why? Because a huge assessment is probably going to give you a bunch of stuff you already know (or should know). You really don’t need anyone to tell you that you don’t have enough policies when your policy manual only has two sheets of hand-written notes. You don’t need someone to perform password auditing when you have a universal password for everyone that is, you guessed it, “password”. Essentially, you will be no better off than you were before you spent $30,000 for a deliverable thicker than War and Peace with no remediation plan included.
What you need is a whittled down security assessment to give you more of a “tell you what you need” approach rather than a “tell you what you don’t have” approach. There’s a fine line between those two approaches, but the gist of it is the first approach is a positive type of assessment that is designed to build a security program rather than tear into one. However, it is still an assessment because there is most definitely something in place for security, so it has to be assessed to create a starting point.
So if you are in the shape that Steve thinks you are, then you don’t need a full blown assessment. What you need is someone to help you build your security program. Steve is correct that you can probably do a lot of that building yourself and not pay some firm to do it for you. In fact, I would say the building of the program will be more expensive than the testing of the program, so it might be a good idea to do it yourself if you have the time to spare or don’t have the money to get help (I find the latter is generally the issue – if you have time, then you are among the few lucky ones).
But DO NOT forsake the idea of a full-blown security assessment. It is a totally legitimate course of action to have a third party assess your security program once it is in place. However, you need to be discerning in who you choose for your assessment. Have them show you sample proposals and deliverables. Have them introduce some of their team to you. Check out résumés. Don’t just throw a dart.
One more thing. You can tell me I am biased because I work for a security consulting firm. And you would be half correct. Yes, I am biased, but it is not because I work for a security consulting firm. I am biased because I believe a security assessment is a good security practice. I had an assessment performed when I was an Information Security Manager (no, my current company did not perform the assessment). Though it was not the best-done assessment, it was still valuable.
Vet