In this video, Marc Menninger introduces the Performing Technical Security Audits and Assessments course. The course provides a high-level overview of a well-executed security assessment and is based on the recommendations of NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment, a widely referenced guideline for security testing.
- Effective security assessments are repeatable processes, meaning they follow a consistent methodology, not a haphazard approach. This allows you to compare the results of different security assessments conducted over time to determine if and where security improvements are being made. Documenting your security assessment methodology facilitates consistency and repeatability for security testing, reduces the risks of skipping important tests or introducing potentially harmful tests, facilitates continual improvement of your testing methodology after each iteration, and helps new assessment staff more quickly come up to speed on the improved testing methodology.
Make sure to update your testing methodology whenever changes are necessary. Your written security assessment methodology should be a living document. Your methodology should also address any resource constraints on your organization as they relate to conducting security assessments. All security assessments require time, staff, hardware, and software. By identifying the resources required to conduct technical security assessments, you'll be in a better position to reuse resources such as trained assessment staff and testing tools and systems, spend less time scrambling for resources, and reduce the overall cost of conducting assessments due to saved time and reused resources.
Effective security assessment methodologies have at least three phases: planning, execution, and post-execution. In the planning phase, you'll be gathering the information you need to conduct the assessment. This information could include the assets which must be tested, potential threats to these assets, and the security controls you expect to be in place on these assets. You'll also select your assessment viewpoint in this phase, a step I'll explain in more detail in an upcoming video.
I dedicate an entire chapter of this course to the planning phase called "Planning Technical Security Assessments." The execution phase is where you'll identify and validate security vulnerabilities. I go into much more detail about the execution phase in the chapter called "Executing the Technical Security Assessment." And in the post-execution phase, you'll analyze the vulnerabilities you identified to find root causes, develop mitigation plans, and write the final report.
You'll learn more about this phase in the upcoming chapter called "Post-Testing Activities." If you'd like to refer to actual technical security assessment methodologies, two good examples are NIST SP 800-53A, "Assessing Security and Privacy Controls in Federal Information Systems and Organizations," and the Open Source Security Testing Methodology Manual. Both of these are detailed methodologies which you can model yours after.
And the best news is, they can both be downloaded for free. I've included links to them in the handout which you can find in the exercise files for this course. Having a well-defined, written testing methodology will improve your ability to have effective and successful technical security assessments.
- Developing technical security assessments
- Conducting technical security reviews
- Identifying and analyzing targets
- Validating target vulnerabilities
- Planning a technical assessment
- Conducting a technical assessment
- Implementing remediation and mitigation