What Approach to Assess the Level of Security of My IS?
This article aims to paint the portrait of three approaches that will allow you to proactively assess the level of security of all or part of your computer system.
Between the hacking of more than a million COVID test results last September and the Log4Shell vulnerability, which recently caused a real outcry among thousands of companies, cybersecurity made the IT headlines more than once in 2021.
This can concern your technical foundation (architecture, servers), your applications (software), or your organization (management of rules and users).
We will use a simple metaphor to illustrate them: a house exposed to potential break-ins, comparable to an IS with certain vulnerabilities.
Even if CISO budgets for cyber issues are set to increase in 2022, a few simple practices can already help you avoid the worst.
Level 1: Vulnerability Scanning
What Is That?
A vulnerability scan is a process that can be automated and that combs through all or part of a computer system (applications, servers, network). The goal? To detect possible vulnerabilities, weaknesses, and errors in the way a system is designed, configured, and protected.
In What Context and How Often Should It Be Used?
These scans should be run internally several times a year: at least once a quarter and, ideally, once a month.
Since most of these scans are automated, running them regularly is all the easier. At a more granular level, you can also set up tools that scan on each new deployment (to check that dependencies are up to date, for example).
Advantages and Disadvantages
Advantages:
- Cost: these scans can be done in-house, and therefore at lower cost; some of the tools are open source.
- Time: automated tools can complete a scan in a few hours, depending on the scope defined.
Disadvantages:
- Relevance: the analysis stays at the surface, and not every scanner recommends fixes for the vulnerabilities it identifies.
- Quality: these scans regularly produce false positives, which a human must sort out afterward.
- Prioritization: the reported vulnerabilities are not contextualized against your business stakes, so a human must reprioritize the remediation work.
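The per-deployment scan mentioned above only pays off if its raw output is turned into a decision, and the last two disadvantages (false positives, lack of business context) are exactly what a human has to layer on top of it. The script below is an added example, not from the original article or any particular scanner: it takes a scanner report in a simplified, constructed JSON shape (the DEMO-* identifiers, package versions and asset names are invented; CVE-2021-44228 is the real Log4Shell identifier), drops findings a reviewer has triaged as false positives (each suppression carries a reason and an expiry date so the decision is revisited), re-ranks what remains by the criticality of the affected asset, and tells the pipeline whether the deployment may proceed. Weights and threshold are assumptions to tune to your own risk appetite.

```python
"""Policy gate for a per-deployment vulnerability scan (added example)."""
import json
from datetime import date

# Weights are an assumption for the example; tune them to your own risk appetite.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
UNKNOWN_SEVERITY_WEIGHT = 3          # fail safe: an unrated finding counts as high
DEFAULT_ASSET_CRITICALITY = 2        # assets nobody has classified count as medium

# Constructed scanner output. Real tools (npm audit, pip-audit, Trivy, ...) each
# use their own schema; this simplified shape and the DEMO-* ids are invented
# for the example. CVE-2021-44228 is the real Log4Shell identifier.
SCAN_REPORT = json.dumps({
    "findings": [
        {"id": "CVE-2021-44228", "package": "log4j-core", "version": "2.14.1",
         "severity": "critical", "asset": "payments-api"},
        {"id": "DEMO-0002", "package": "jackson-databind", "version": "2.9.8",
         "severity": "high", "asset": "internal-wiki"},
        {"id": "DEMO-0003", "package": "lodash", "version": "4.17.15",
         "severity": "medium", "asset": "payments-api"},
        {"id": "DEMO-0004", "package": "mocha", "version": "6.0.0",
         "severity": "low", "asset": "internal-wiki"},
    ]
})

# Business context the scanner cannot know: how much each asset matters (assumed).
ASSET_CRITICALITY = {"payments-api": 3, "internal-wiki": 1}

# Human triage decisions (constructed). Each suppression records why it was
# granted and when it must be re-examined, so a false-positive verdict cannot
# rot silently after the environment changes.
SUPPRESSIONS = [
    {"id": "DEMO-0003", "asset": "payments-api", "expires": "2022-06-30",
     "reason": "vulnerable code path not reachable from our usage (AppSec review)"},
    {"id": "DEMO-0002", "asset": "internal-wiki", "expires": "2021-12-31",
     "reason": "wiki not exposed to the Internet; revisit after network change"},
]


def parse_report(raw):
    """Return the list of findings from the scanner's JSON report."""
    return json.loads(raw)["findings"]


def apply_triage(findings, suppressions, today):
    """Split findings into (kept, suppressed). A suppression applies only to the
    matching finding id on the matching asset, and only until its expiry date;
    `today` is an ISO-8601 date string (the deployment date)."""
    as_of = date.fromisoformat(today)
    active = {
        (s["id"], s["asset"])
        for s in suppressions
        if date.fromisoformat(s["expires"]) >= as_of
    }
    kept, suppressed = [], []
    for f in findings:
        (suppressed if (f["id"], f["asset"]) in active else kept).append(f)
    return kept, suppressed


def prioritize(findings, asset_criticality):
    """Attach a context-aware score (severity x asset criticality) and sort
    highest first, so the team sees what to fix in the order that matters."""
    scored = []
    for f in findings:
        sev = SEVERITY_WEIGHT.get(f.get("severity", "").lower(), UNKNOWN_SEVERITY_WEIGHT)
        crit = asset_criticality.get(f["asset"], DEFAULT_ASSET_CRITICALITY)
        scored.append({**f, "score": sev * crit})
    return sorted(scored, key=lambda f: f["score"], reverse=True)


def run_gate(raw_report, suppressions, asset_criticality, today, threshold=6):
    """Return the triaged, prioritized findings and whether the deployment may proceed."""
    kept, suppressed = apply_triage(parse_report(raw_report), suppressions, today)
    prioritized = prioritize(kept, asset_criticality)
    allowed = all(f["score"] < threshold for f in prioritized)
    return {"allowed": allowed, "prioritized": prioritized, "suppressed": suppressed}


if __name__ == "__main__":
    result = run_gate(SCAN_REPORT, SUPPRESSIONS, ASSET_CRITICALITY, "2022-01-15")
    for f in result["prioritized"]:
        print(f"{f['score']:>3}  {f['severity']:<8} {f['id']:<16} {f['package']} on {f['asset']}")
    print("suppressed:", [f["id"] for f in result["suppressed"]])
    print("deployment allowed:", result["allowed"])
```

Run with the deployment date as the `today` argument, and wire the `allowed` flag to the pipeline's exit status. Two design choices matter more than the numbers: suppressions are keyed on both finding and asset (the same library may be harmless in one service and critical in another), and they expire, so the wiki suppression above no longer applies once its date has passed and the finding comes back into view instead of staying hidden forever.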
But What Does It Have to Do With Our House?
In this scenario, the idea is to walk around your house yourself (= the IS) and list every fault that could lead to a break-in: a broken window, a lock dating from the 18th century, a security camera with a dead battery, etc. (= the vulnerabilities).
The exercise goes no further, and your list will not necessarily tell you whether these flaws are exploitable: perhaps the lock, apparently fragile, will ultimately prove impossible to pick. There is no way to know until you try to force it.
Level 2: Security Audit
What Is That?
A security audit is a human intervention, often carried out by an external service provider, that gives a view at a given point in time of all or part of the security risks of an IS.
This time the goal is not only to verify compliance with established standards and protocols (for example, procedures or laws and regulations specific to the company's field) but also to benefit from the expertise of an auditor.
In What Context and How Often Should It Be Used?
Given the cost of these audits, their frequency is logically lower than that of vulnerability scans. It also depends heavily on your company's exposure and on the industry in which it operates: a financial institution or a pharmaceutical laboratory will tend to carry out these audits more regularly.
On average, it is therefore recommended to organize at least one audit per year, and ideally one per quarter. An audit may also be needed after a data breach, a system upgrade, a data migration or, more generally, any major change to your IS.
Advantages and Disadvantages
Advantages:
- Expertise and objectivity: an audit conducted by an external actor yields more in-depth and relevant observations and recommendations. It also avoids the opacity or conflict of interest that an internally conducted audit may carry.
- Regulations: an audit provides a "stamp," or proof, that your IS complies with certain standards. It can prepare you for a more official audit (by a government body, an ANSSI-type agency, etc.).
Disadvantages:
- Cost: calling on an external service provider is indeed more expensive than a vulnerability scan or even an internal audit.
- Time: the expert must take the time to become familiar with your IS and your business stakes in order to make the best possible recommendations.
But What Does It Have to Do With Our House?
This time you ask your neighbor, a police officer, to carry out the previous exercise for you. He will take a more objective and sharper look at the security of your home and, above all, knows the security standards of the market.
Not only can he observe the potential flaws in your home (as you did), but he will also make recommendations to bring you up to market standard: an armored door, a five-point lock, burglar-proof windows. However, he only observes; he never tries to break into your home.
Level 3: The Penetration Test, or “Pen Test”
What Is That?
The intrusion test, or "penetration test," puts an attack in context and exploits the vulnerabilities found as far as possible.
It is ultimately a more realistic and concrete audit: you mandate someone outside your company to put themselves in the shoes of an attacker and attack your IS (applications, servers, network). It is even possible to simulate a physical attack scenario, such as the theft of a developer workstation.
There are three ways to conduct these pen tests:
- Black box: the attacker has no access to or information about your IS. This mode simulates an attack by someone completely foreign to your company.
- Gray box: the attacker has some access to your IS. This mode simulates, for example, an intrusion attempt by a former employee who no longer has all the latest information.
- White box: the attacker has all the necessary access to your IS. This mode simulates, for example, an intrusion attempt by a company employee or by an attacker who has obtained access from within the company. It is therefore very close to a security audit, with a slightly different intention (intent to compromise vs. a compliance objective).
In What Context and How Often Should It Be Used?
As with security audits, the frequency depends heavily on your exposure and on the industry in which your business operates.
Make no mistake, however: every site and application faces risks. For highly sensitive applications, aim slightly above the market standard; for an application that is not very exposed, a pen test at each major version upgrade may be enough.
Advantages and Disadvantages
Advantages:
- Realism and relevance: the pen test is the most concrete way to simulate a real attack; the report is therefore less hypothetical, and the recommendations very actionable.
Disadvantages:
- Risk: by simulating an attack under real conditions, you fully expose the security of your IS. A poorly calibrated pen test can cause data corruption or server crashes, so agree on the scope, the rules of engagement and an emergency contact in writing before testing begins.
- Ethics: the techniques used are the same as real attackers'; it is important to gauge how these pen tests may be perceived by your employees, your customers, your service providers, etc.
But What Does It Have to Do With Our House?
This time you ask that same neighbor, still stationed at the local police station, to break into your home through one specific and most sensitive point: your front door. His objective is to reach and attempt to compromise as many items as possible inside your home, to analyze the main flaws, and to list what could easily be stolen.
However, you have the choice between three approaches:
- White box: you give them not only the keys to your front door but also those to your garage, your safe, etc.
- Gray box: you only give them the keys to your front door.
- Black box: you give them nothing, and you see if they manage to enter your home.
This practical test lets you confront your assumptions about the security of your home with reality. And maybe that 18th-century lock you held so dear will turn out to be much stronger than the scan or audit reports suggested.
Conclusion
Several approaches therefore allow you to analyze the level of security of your IS. You can combine several of them, but your decision will depend on several criteria: the sensitivity of your company's environment, the size of your IS, and the time and budget you wish to allocate.
If you want to dig deeper into the subject, or if your company is already mature enough, a fourth approach is likely to interest you: the "Red Team" exercise. Derived from the classic pen test, it covers a much wider perimeter (an entire IS, for example), spreads over a longer period (several months), and implies that very few people in your company are aware of it.