IT Security professionals know that there are always multiple ways to solve a given security challenge. Specific methodologies provide a level of confidence for specific circumstances so it is no surprise that something as important as security assessments also have multiple approaches.
why security assessments?
We have discussed security assessments extensively in previous blogs, so you can refresh your memory there. What was not covered was how to rationalize the value of security assessments. According to ISACA:
“Organizations have many reasons for taking a proactive and repetitive approach to addressing information security concerns. Legal and regulatory requirements aimed at protecting sensitive or personal data, as well as general public security requirements, create an expectation for companies of all sizes to devote the utmost attention and priority to information security risks. An IT security risk assessment takes on many names and can vary greatly in terms of method, rigor and scope, but the core goal remains the same: identify and quantify the risks to the organization’s information assets. This information is used to determine how best to mitigate those risks and effectively preserve the organization’s mission.”
The 5 specific areas for evaluation include:
- Cost justification: While improving security usually requires additional budget, it doesn’t usually generate a measurable return on investment. However, effective security assessments will educate key business stakeholders on specific critical risks associated with the use of technology, and therefore will directly provide justification for those security investments.
- Productivity: IT operations, security and audit departments become more productive when security assessments are formalized. Defining a review process, creating a review structure, capturing security knowledge in the system's knowledge base and implementing self-analysis features all make assessments easier to repeat, which is where the productivity gain comes from.
- Breaking Barriers: Both management and the IT staff need to be in alignment for security to be effective. While the executive team is responsible for decisions about the appropriate level of security across the company, the IT staff is responsible for implementing the specific system, application, data and security control requirements.
- Self-Analysis: Making security part of the corporate culture requires that ongoing vigilance be as easy as possible. Assessments that are as self-sufficient as possible can be run by less specialized staff, freeing your IT security team for more important projects.
- Communication: Requiring cross department communication not only expedites decision making, it also increases the visibility to potential risks that may not be seen in an individual department silo.
Now that you understand the rationale for security assessments, it would be helpful to better understand the differences between continuous and non-continuous security assessments, or more specifically, authenticated and non-authenticated assessments.
authenticated versus non-authenticated
The most common type of security assessment is the authenticated scan, because it is more comprehensive and produces fewer false positives. This is because authenticated scans require valid login credentials for each scanned device. The scanner tool uses the credentials to authenticate and obtain detailed information about the operating system and installed applications, including configuration issues and missing security patches.
For the alternative approach, according to the UC Berkeley Information Security Office:
“Continuous Vulnerability Assessment requirement refers to the non-authenticated scanning technique that is one of the most common vulnerability discovery techniques. Without using credentials to the scanned system, a non-authenticated vulnerability scan can gather basic information about the system which may include:
- Operating system name and version
- Network ports open
- Services listening on the ports, if these details are available without authentication using techniques such as banner-grabbing
- Data “leaked” by the listening services, such as the listing of open file shares and insecure configurations that allow access using default/known credentials
The scanning tool obtains this information by sending probing queries over the network to scanned devices. The scanning tool may be able to use these details from non-authenticated scans to identify some vulnerabilities, such as missing security patches and configuration weaknesses. As non-authenticated scans are less intrusive to the scanned devices and easier to set up, it should run more frequently than authenticated scans to detect risks associated with future vulnerabilities.”

Whether you are looking for authenticated or non-authenticated security assessments, it is always a good choice to work with experienced partners.
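The two passages above describe the mechanics behind the "fewer false positives" claim: an unauthenticated scan can only reason from what a service advertises (a banner), while an authenticated scan reads the installed package metadata, which records backported fixes the banner cannot show. The following Python script is an added illustration, not code from the original post or from any scanner product. It starts a loopback listener that plays the part of a scanned host's SSH service, grabs its banner the way an unauthenticated probe would, and then compares that verdict with a credentialed check against a constructed package inventory. The advisory data, the `openssh-server` package release numbers and the inventory format are all constructed for the example; no real CVE is referenced.

```python
"""Added example: why a credentialed scan produces fewer false positives
than an unauthenticated banner check. Not from the original post."""
import socket
import threading

# Constructed advisory (hypothetical, not a real CVE): upstream OpenSSH 7.4 is
# affected; the distribution backported the fix in package release 21 and later.
SAMPLE_ADVISORY = {
    "affected_upstream_version": "7.4",
    "fixed_in_package_release": 21,
}


def start_banner_server(banner: bytes) -> int:
    """Loopback fixture standing in for a scanned host's SSH service.
    It sends one banner line to the first client and then exits."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def grab_banner(host: str, port: int, timeout: float = 2.0) -> str:
    """Unauthenticated probe: connect and read what the service volunteers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(256).decode("ascii", errors="replace").strip()


def upstream_version_from_banner(banner: str):
    """'SSH-2.0-OpenSSH_7.4p1 Debian-10' -> '7.4'; None if not an OpenSSH banner."""
    marker = "OpenSSH_"
    if marker not in banner:
        return None
    tail = banner.split(marker, 1)[1].split()[0]   # '7.4p1'
    return tail.split("p", 1)[0]                    # '7.4'


def unauthenticated_finding(banner: str, advisory=SAMPLE_ADVISORY) -> bool:
    """Without credentials the scanner can only match the advertised version."""
    return upstream_version_from_banner(banner) == advisory["affected_upstream_version"]


def authenticated_finding(package_inventory: dict, advisory=SAMPLE_ADVISORY) -> bool:
    """With credentials the scanner reads the installed package release, which
    records backported fixes the banner cannot show.
    package_inventory maps package name -> 'upstream-release', for example
    {'openssh-server': '7.4p1-21.el7'} (constructed format, not a real scanner's)."""
    pkg = package_inventory.get("openssh-server")
    if pkg is None:
        return False
    upstream, _, release = pkg.partition("-")      # '7.4p1', '21.el7'
    if upstream.split("p", 1)[0] != advisory["affected_upstream_version"]:
        return False
    release_number = int(release.split(".", 1)[0])
    return release_number < advisory["fixed_in_package_release"]


def compare_scans(banner: str, package_inventory: dict) -> dict:
    """Side-by-side verdict: a banner hit that credentials refute is a false positive."""
    unauth = unauthenticated_finding(banner)
    auth = authenticated_finding(package_inventory)
    return {
        "unauthenticated_flags_vulnerable": unauth,
        "authenticated_flags_vulnerable": auth,
        "false_positive_without_credentials": unauth and not auth,
    }


if __name__ == "__main__":
    port = start_banner_server(b"SSH-2.0-OpenSSH_7.4\r\n")
    seen = grab_banner("127.0.0.1", port)
    # Constructed inventory: this host already carries the backported fix.
    print(seen, compare_scans(seen, {"openssh-server": "7.4p1-21.el7"}))
```

Running it prints the grabbed banner and a verdict in which the unauthenticated check flags the host while the credentialed check clears it, which is exactly the kind of finding that makes unauthenticated results useful for frequent, low-cost monitoring but not a substitute for a periodic authenticated assessment.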
experts in security assessments
Continuous (AKA non-authenticated) security assessments are now used more frequently to create ongoing vigilance for organizations without adding expensive security resources.
nVisium leverages a testing methodology that is both comprehensive and targeted. We integrate with your team’s existing development processes to help build a more robust software security program within your organization. Each member of our team has an extensive background in both software engineering and security. We have expertise in Java, .NET, Node, Angular, Ruby, Python, Scala, iOS, Android, AWS, Azure, and more. We stand by our work and take great pride in developing security solutions for our clients. Additionally, nVisium provides a fully managed platform for tracking and measuring performance as well as instructor-led and online training.
nVisium empowers organizations to eliminate application and cloud security vulnerabilities before cyber threats exploit them with proven in-depth security assessments, remediation and training programs. Call us when you are ready for security assessments to test the vulnerability of your applications, Internet of Things (IoT), networks, mobile and cloud. Schedule a demo today.