Security Assessment 101: Planning a Successful Security Assessment

Posted: May 13, 2021

It’s important to evaluate your security posture and identify areas that need improvement, but a successful security assessment does not happen by accident. Have you ever wondered what goes into planning a security assessment?

There is no “one-size-fits-all” security assessment strategy. There are a variety of approaches, and each has pros and cons. It’s important for you to understand the essential strengths and weaknesses of the different security assessment strategies so you can choose what will work best for your organization.

Throughout this six-part series of blog posts, I will introduce you to our most popular security assessment categories, provide an overview of the methodologies we leverage, and explain the tactics, techniques, and procedures (TTPs) common to each assessment type.

Security Assessments are Not Always Black and White

IT security teams have used penetration tests within organizations for years. Red Team, Blue Team, and Purple Team exercises enable companies to stress test their defenses and security controls in as close to a real-world threat scenario as possible without actually being attacked.

It’s important to outline the basic rules of engagement, though. When you engage Set Solutions to perform security assessments against your organization, we begin with pre-engagement interactions and ask several key questions to determine your primary business objectives. Essentially, what are you trying to validate or evaluate, and what are your expectations for the outcome of the exercise?

When producing assessment recommendations, our strategy is to identify the purpose of the assessment and your organization’s data infrastructure and business model. This information helps us align our objectives with yours and keeps us focused and in scope throughout the assessment. That starts with establishing a baseline that we can all agree on.

There are effectively three different levels of assessment depending on the scenario and objectives:

Black Box. This scenario assumes an outside attacker with no prior knowledge of or access to any networks, applications, or data.

  • Exposing vulnerabilities and exploiting weaknesses
  • Outsider threat perspective starting with no access to any of the organization’s IT assets
  • Insider threat perspective using a non-corporate resource (e.g., an external laptop, Raspberry Pi, Intel NUC, etc.)

White Box. A white box assessment is less about emulating an external attacker and more about testing the defenses and security controls of a specific entity.

  • A working target is known and made visible throughout the assessment
  • Partial or complete application source code is provided during a web application assessment
  • Network topologies, IP address information, and other relevant infrastructure details are shared

Grey Box. As the name implies, a grey box test is somewhere in between the other two. The simulated attacker in this scenario is like an insider threat—he or she knows more and has more access than an external attacker but does not have intimate knowledge of the details of the target systems or applications.

  • Insider threat with limited infrastructure knowledge
  • Low-privilege access on a corporate resource (e.g., a Domain User, Domain Service account, or non-domain account)
  • Limited access to a target workstation, server or VPN connection

We offer a variety of security assessment categories for customers to choose from. This blog series will provide a closer look at our five most requested security assessment categories and what you can expect out of each one. As we move forward through this series, I will cover:

External Assessments

  • Used to simulate real-world attacks against perimeter systems without prior access or knowledge of them.

Wireless Assessments

  • Used to identify and analyze all connections between wireless devices and the corporate network (e.g., Guest, Production, etc.), to determine whether the security defenses in the wireless configuration can be mitigated or bypassed, and to abuse weaknesses in protocol implementations.

Web Application Assessments

  • A dedicated web application assessment that combines manual and automated testing to achieve the best results. The web application security assessment type is granular by nature, and testing is performed on specific applications and their backend systems.

Cloud Assessments

  • Identify and mitigate security risks to cloud account security, such as IAM policies, logging configuration, and account hardening best practices. Assess the security of the cloud services themselves, including S3 bucket policies, VPC access restrictions, and high-risk CloudFormation/Terraform templates. Finally, conduct web application security testing for logic and design flaws, code flaws, etc.
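One of the checks a cloud assessment runs against S3 bucket policies is whether any statement grants access to an anonymous principal without a condition that narrows who can reach the bucket. The script below is an added illustration of that check, not code from Set Solutions or from AWS; the bucket policy it analyzes is constructed for the example (the bucket name, account id, role name and VPC endpoint id are placeholders), and the rule it applies is a simplified heuristic rather than AWS's exact definition of a "public" policy.

```python
import json

# Constructed sample bucket policy (placeholder bucket, account, role and VPC endpoint).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        # World-readable objects: anonymous principal, no narrowing condition.
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        # Anonymous principal, but restricted to one VPC endpoint: not public.
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        # Named IAM role in the account: not anonymous.
        {"Sid": "AccountRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/AppRole"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        # Deny statements never widen access, so they are skipped.
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        # Looks scoped, but the IP range is the whole internet: still public.
        {"Sid": "WorldIp", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"IpAddress": {"aws:SourceIp": "0.0.0.0/0"}}},
    ],
})

# Condition keys that genuinely limit an anonymous principal to a network,
# organization or account. aws:SourceIp is handled separately below.
SCOPING_CONDITION_KEYS = {
    "aws:sourcevpc", "aws:sourcevpce", "aws:principalorgid", "aws:principalaccount",
}
WORLD_RANGES = {"0.0.0.0/0", "::/0"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _has_scoping_condition(statement):
    """True if some Condition narrows the anonymous principal. Negated operators
    (NotIpAddress etc.) widen rather than narrow, so they never count, and an
    aws:SourceIp that includes the whole internet does not count either."""
    for operator, pairs in statement.get("Condition", {}).items():
        if operator.lower().startswith("not"):
            continue
        for key, values in pairs.items():
            k = key.lower()
            if k == "aws:sourceip":
                if not any(v in WORLD_RANGES for v in _as_list(values)):
                    return True
            elif k in SCOPING_CONDITION_KEYS:
                return True
    return False


def find_public_statements(policy_json):
    """Return the Allow statements that grant an unscoped anonymous principal access."""
    policy = json.loads(policy_json)
    findings = []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(st.get("Principal")):
            continue
        if _has_scoping_condition(st):
            continue
        findings.append({
            "sid": st.get("Sid", "<no Sid>"),
            "actions": _as_list(st.get("Action")),
            "resources": _as_list(st.get("Resource")),
        })
    return findings


if __name__ == "__main__":
    for f in find_public_statements(SAMPLE_POLICY):
        print(f"PUBLIC: {f['sid']} allows {f['actions']} on {f['resources']}")
```

Run against the sample policy, only `PublicRead` and `WorldIp` are reported; the VPC-endpoint-scoped statement, the named role, and the Deny statement are left alone. In a real assessment the same function would be fed the output of `aws s3api get-bucket-policy` for each bucket, and the findings would be cross-checked against the account's S3 Block Public Access settings, which can override a permissive bucket policy.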

Internal Assessments

  • Focus on identifying what could be accomplished by a threat actor that has already gained a foothold on your network (e.g., a contractor, employee, third-party access, disgruntled employee, etc.). We take an assumed-breach stance in which client-side attacks are placed out of scope in favor of a more focused attack, and heavy emphasis is placed on Active Directory attacks when in a Microsoft environment.

With a better understanding of the different types of security assessments available, what they focus on, and the relative strengths and weaknesses of what they evaluate, you can plan a successful security assessment that yields valuable insights to help you improve your security posture. In the next post, we will dive into External Assessments.

***

This blog was written by Jimmy Mejia, Principal Security Consultant at Set Solutions.