What is a Technical Security Assessment?
A Technical Security Assessment (TSA), also known as a Security Audit, is simply a study of an organization’s IT systems to determine whether the system has any weaknesses. The study looks at both the system itself and the actual use of it by staff. A TSA is the first step in ensuring an organization has a secure system, safe from unauthorized use, robust in its defenses, strong in its user policies, and yet minimally intrusive when actually being used.
Organizations may perform a TSA as a single project. However, performing the TSA regularly as part of an organization’s routine IT activities is a best practice. IT professionals should perform a TSA at a minimum whenever adding new hardware models, software applications, or operating systems to an existing IT environment. ETTE also recommends an audit when manufacturers publish technological changes to the cloud or network systems.
ETTE, with the cooperation of our client organization, performs a comprehensive, 20-point assessment corresponding to the well-known SANS 20 Critical Security Controls (CSC), an industry standard now in its 7th update. Our evaluation of control areas includes:
Inventory of Authorized and Unauthorized Devices
ETTE will provide a comprehensive list of all hardware and devices connected to your organization’s IT environment. With the help of your technical staff, we will determine which of these devices were installed and approved by management. The assessment will also seek to determine whether ad-hoc devices, such as USB flash drives, were connected to the system. We will also provide a list of unapproved devices connected to your system.
Inventory of Authorized and Unauthorized Software
ETTE will survey all the installed software (applications, operating systems, cookies, and possible malware) in your organization and will determine which software has been approved by management for use by users. Note that this inventory will assess authorization on a per-user basis (that is, whether or not a specific user is authorized to use a specific item of software).
Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
This control area verifies that all authorized hardware and software has adequate security controls to resist access by unauthorized parties. We include testing whether remote devices may be accessed through unauthorized wireless systems. We also test whether unauthorized hardware is, or could be, connected to the IT environment.
Continuous Vulnerability Assessment and Remediation
ETTE will report on how your organization’s IT department processes the continuous stream of information regarding systems vulnerabilities, and the updates and patches developers produce to address those vulnerabilities.
Controlled Use of Administrative Privileges
We list who in your organization has full and limited IT administrative privileges. We will also list who is empowered to make changes to security policies regarding administrative passwords and identity verification.
Maintenance, Monitoring, and Analysis of Audit Logs
ETTE will verify that audit logs are in place for the entire environment to record user logins and other system events. We will also confirm that those logs are uploaded to a central repository. Lastly, we will report on the IT staff log review process that determines whether an attack has occurred.
Email and Web Browser Protections
ETTE will verify that the most recent versions of email services and Web browsers are installed. We will confirm you have activated all the tools to resist misleading emails or malware click bait. We will also survey the users to determine if they have a good understanding of safe practices for email and Web browser use.
Malware Defenses
ETTE will confirm that your organization has the current version of its chosen anti-malware software, and that the anti-malware is being actively used throughout the system.
Limitation and Control of Network Ports, Protocols, and Services
ETTE will review your organization’s network services to ensure they correctly match your needs. We will also confirm your system has removed default user IDs (a common attack entry point).
Data Recovery Capability
ETTE will verify that your organization has a robust data recovery capability, including automated backup and secure access to backup data. We will test the backup system to confirm it routinely backs up your important data at appropriate time intervals.
Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
ETTE will confirm network devices are configured securely and not merely set to default settings, which may leave systems vulnerable.
Boundary Defense
ETTE will review your organization’s security settings to ensure they properly monitor your boundary traffic (connections into and out of your contained IT environment). Ideally, the system limits boundary traffic to verified IP addresses wherever possible.
Data Protection
ETTE will confirm your data is adequately compartmentalized, with security protocols that directly correspond to the sensitivity of the data.
Controlled Access Based on the Need to Know
We will confirm that the roles and responsibilities of each user match the level of access given to that user in your IT environment.
Wireless Access Control
ETTE will review any wireless access points, confirming that they 1) are authorized by your IT department, 2) properly encrypt data flowing to and from the access point, and 3) keep traffic from untrusted sites and devices separate from, and more carefully filtered than, traffic from trusted sites and devices.
Account Monitoring and Control
ETTE will verify that user accounts are properly monitored and properly locked down promptly once they have reached the end of their life cycle, and that no questionable user accounts exist in the IT environment.
Security Skills Assessment and Appropriate Training to Fill Gaps
This CSC focuses on the users, not the system. ETTE will survey the user population to ensure they are aware of your organization’s policies and procedures regarding IT security. We will also confirm they are following those procedures.
Application Software Security
If an organization develops software internally, ETTE will review its software development guidelines to ensure software is developed securely and without exploitable holes in the code.
Incident Response and Management
ETTE will review your IT policies and procedures in response to a security incident.
Penetration Tests and Red Team Exercises
ETTE will conduct tests in which we (with your knowledge) attempt to penetrate your systems, and report on our results.
Our final summary will list recommended actions following our assessment for hardware, software, users, and usage policies. We will also provide a risk analysis of identified weaknesses in your system, using a two-dimensional analysis. The dimensions are the risk of breach or damage arising from the weakness, and the potential impact on your business and IT environment if an attack is successful. The risk analysis will help identify priorities for improving your security.
ETTE can perform this assessment as a “one off” engagement, or we can incorporate periodic security assessments as part of our comprehensive per-seat managed services. Note that while the assessment recommends solutions to identified issues and prospective weaknesses, it does not include performing the corrective actions recommended. However, you may contract those recommendations separately as a follow-on project, or include them in our managed service package.
To fully assess the technical security stance of the client organization’s IT environment, our assessment requires:
- Access to a technical contact at your organization
- Access to your technical documentation, where available
- Access to your servers and network devices within the scope of assessment
- Authorization to install non-disruptive agent software on each server and endpoint within the scope of the assessment
- Authorization to perform internal and external network vulnerability scanning during defined time windows