
Security Risk Management Program


T_Bone

Full Member

Posts: 199

Joined: Sat Feb 21, 2009 7:11 am

Post Sun Jun 20, 2010 11:14 am

Security Risk Management Program

The aim of a security risk management program is to "Reduce the number of vulnerabilities and reduce the severity of the bugs you miss."

SDL is good, but that's only for new projects that are being developed; how about the hundreds of implemented systems and applications already in production? Is penetration testing every system every year the best way to do this?

What do you think is the best approach to "Reduce the number of vulnerabilities and reduce the severity of the bugs you miss"?

vekarman


Newbie

Posts: 28

Joined: Thu Mar 19, 2009 1:21 am

Post Mon Jun 21, 2010 9:24 am

Re: Security Risk Management Program

A Security Risk Management Program is lengthy and time-consuming when you are doing it for the first time. Later on, based on the Risk Analysis, you must have various controls in place. So, later on, you just have to monitor performance, and the activity will be marginal and less time-consuming.

Penetration testing is more relevant to technology, whereas Risk Management covers all three: people, process and technology. For the technology part, to ensure that nothing has bypassed the technical security controls, penetration testing is the best option, which is generally conducted bi-annually.
CISSP

sil


Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon Jun 21, 2010 1:26 pm

Re: Security Risk Management Program

The response to this would be enough to write a book; in fact, many books have already been written on this subject. If you're focused on performing a penetration test to immediately assess your risk, you will fail. Your first focus when it comes to this type of "risk assessment" is to determine what your risks are. After you've concluded what those risks are, you begin at the 50k-foot view and determine the weights of those risks. After all the paper pushing and math is done, then you'd perform a penetration test where it's needed.

Imagine for a moment you have 3 networks (/24s). One is production, one is devel and one is internal. What is your first priority here? Obviously the forward-facing network (production) is most important. Allocate your priorities. The risk of having a vulnerable version of IIS on an internal server is far lower than having it on the outside.

You calculate your risks based on your business objectives: what do you need to do, how do you need to do it, what's defensible, what comes second-hand. Performing a full-blown penetration test in my example network would be overkill. I'd perform a focused technical (non-social-engineering) test on my external network and go from there. Using something like GFI + OSSIM on the internal and development networks would give me great results I could act on, lowering the cost (time) of performing a full-blown test. With the money saved, I could use it where it's needed.

If I had to reduce vulnerabilities, my first goal would be my entry point. I'd focus most of my resources there and use compensating controls (GFI + OSSIM, maybe even Metasploit (using autopwn)) internally. However, focusing my resources means focusing on the systems that matter. (Bread and butter)
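As an added example (not code from the thread or from any of its posters), the weighting sil describes, where the same vulnerable IIS build scores very differently depending on which network it sits on, worked through in Python; the zone exposure weights, the severity and asset-value scales, and the sample findings are all assumed or constructed for illustration.

```python
from dataclasses import dataclass

# Assumed exposure weight per zone (how reachable a host is from outside); illustrative, not a standard.
ZONE_EXPOSURE = {"production": 1.0, "devel": 0.4, "internal": 0.25}

@dataclass(frozen=True)
class Finding:
    host: str
    zone: str
    title: str
    severity: float     # 0-10, CVSS-like technical severity (assumed scale)
    asset_value: float  # 1-5, business importance of the host (assumed scale)

def risk_score(f):
    """Risk = exposure (likelihood of reach) x technical severity x business impact."""
    return round(ZONE_EXPOSURE[f.zone] * f.severity * f.asset_value, 2)

def prioritize(findings):
    """Highest-risk findings first: the order in which to remediate or to test manually."""
    return sorted(findings, key=risk_score, reverse=True)

def zone_totals(findings):
    """Aggregate risk per network, to decide where the testing budget should go."""
    totals = {}
    for f in findings:
        totals[f.zone] = round(totals.get(f.zone, 0.0) + risk_score(f), 2)
    return totals

def allocate(findings, budget_hours, hours_per_host=8.0):
    """Hosts that fit a focused manual test within budget; the rest get automated scanning and monitoring."""
    hosts = list(dict.fromkeys(f.host for f in prioritize(findings)))  # unique hosts, highest risk first
    n = int(budget_hours // hours_per_host)
    return hosts[:n], hosts[n:]

# Constructed sample findings: the same outdated IIS build on a public web server and on an internal host.
SAMPLE = [
    Finding("web1", "production", "Outdated IIS build", 9.0, 5),
    Finding("intranet1", "internal", "Outdated IIS build", 9.0, 3),
    Finding("web2", "production", "Weak TLS configuration", 5.0, 4),
    Finding("build1", "devel", "Default credentials on CI server", 8.0, 2),
    Finding("fileshare", "internal", "SMB signing disabled", 4.0, 3),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):6.2f}  {f.zone:10}  {f.host:10}  {f.title}")
    print(zone_totals(SAMPLE), allocate(SAMPLE, budget_hours=16))
```

With a 16-hour budget the two production hosts get the focused manual test, while the internal IIS host, despite the same technical severity, falls to the automated tier because its exposure weight is a quarter of production's.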

T_Bone

Full Member

Posts: 199

Joined: Sat Feb 21, 2009 7:11 am

Post Tue Jun 22, 2010 1:46 am

Re: Security Risk Management Program

This question is very BROAD in a sense, because realistically there are a lot of elements that need to be covered within a risk management program, as vekarman says (people, process and technology). I guess as a company you have to determine what your priority is. Is it likely that a more technical company will have a bigger insider threat due to knowledge and curiosity, as opposed to a company of recruitment consultants? This is one that I think deserves serious thought!

Just to give you an insight, I am an entry-level penetration tester with only a few months' experience, and this is something I have thought about...
