If you are a regular reader of Cybersecurity Magazine, you may have come across Security Assurance before. In this article, we take a look at what is behind this abstract term and why it is so important.
Security assurance is an umbrella term for several processes aimed at ensuring individual system components can adequately protect themselves from attacks. Doing so requires not just a one-time effort, but actually spans the complete system lifecycle. After all, what is considered an acceptable security posture may change over time depending on, for example, newly emerging threats or changes to how the system itself is utilized.
We summarize the key processes that should be part of every security assurance program as follows:
- Security Hardening
- Security Testing
- Vulnerability Management
In the remainder of this article, let’s take a closer look at what these individual processes entail.
Security hardening describes the minimization of a system’s attack surface and the proper configuration of its security functions. The former may be achieved by disabling unnecessary components, removing superfluous system accounts, and closing any communication interfaces not in use – just to name a few. The latter configuration task focuses on security controls within the system itself and ensures that these can perform their functions as intended. This can include the configuration of host-based firewalls, intrusion detection/prevention capabilities, or operating system controls such as SELinux.
Security hardening is particularly important before a system is deployed, but should be verified regularly thereafter to confirm that the system still meets the defined hardening standard in the context of its current operating environment.
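To make that regular verification concrete, here is an added example (not part of the article) in Python: a hypothetical hardening baseline for a web host is compared against a constructed snapshot of the host, including constructed `ss -lntu`-style socket output, and every deviation from the baseline is reported as a finding.

```python
from dataclasses import dataclass
# Hypothetical hardening baseline for one web host: everything allowed to be present.
BASELINE = {
    "listeners": {("tcp", 22), ("tcp", 443)},
    "accounts": {"root", "www-data", "sshd", "deploy"},
    "services": {"sshd", "nginx", "auditd"},
    "selinux_mode": "enforcing",
}

@dataclass
class HostSnapshot:
    listeners: set    # {(proto, port)} sockets currently bound
    accounts: set     # local account names, e.g. from /etc/passwd
    services: set     # services enabled at boot
    selinux_mode: str

def parse_ss_listeners(output):
    """Extract (proto, port) pairs from `ss -lntu`-style output; the header is skipped."""
    listeners = set()
    for line in output.strip().splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[1] in ("LISTEN", "UNCONN"):
            listeners.add((fields[0], int(fields[4].rsplit(":", 1)[1])))
    return listeners

def check_hardening(snapshot, baseline=BASELINE):
    """Return every deviation of the snapshot from the baseline as a list of strings."""
    findings = []
    for proto, port in sorted(snapshot.listeners - baseline["listeners"]):
        findings.append(f"unexpected listener {proto}/{port}")
    for acct in sorted(snapshot.accounts - baseline["accounts"]):
        findings.append(f"superfluous account: {acct}")
    for svc in sorted(snapshot.services - baseline["services"]):
        findings.append(f"unnecessary service enabled: {svc}")
    if snapshot.selinux_mode != baseline["selinux_mode"]:
        findings.append(f"selinux is {snapshot.selinux_mode}, expected {baseline['selinux_mode']}")
    return findings

# Constructed `ss -lntu` output from a host that has drifted since deployment.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511                *:443             *:*
tcp   LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
"""
DRIFTED = HostSnapshot(  # constructed snapshot; accounts and services as read from the host
    listeners=parse_ss_listeners(SS_OUTPUT),
    accounts={"root", "www-data", "sshd", "deploy", "testuser"},
    services={"sshd", "nginx", "auditd", "cups"}, selinux_mode="permissive")
```

Running `check_hardening(DRIFTED)` lists five deviations, each of which maps to one of the hardening tasks above (closing an interface, removing an account, disabling a component, or fixing a control's configuration).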
Security testing aims to validate a system’s security posture by trying to identify any weaknesses or vulnerabilities that may remain after security hardening. This activity can take many different forms, depending on the complexity of the system under test and the available resources and skills. In its most basic form, it may comprise an automated vulnerability scan from the outside as well as an authenticated scan from the perspective of a user on the system. More advanced tests go a step further by analyzing the system’s responses and reasoning about communication flows that may afford an attacker a way into the system. Established best practices, such as the OWASP Top 10, can serve as a useful guide here to focus the test activities on the most common vulnerabilities. Beyond that, fully manual tests can dig even deeper, for example by trying to discover vulnerabilities in the system’s source code, if it is available.
Similar to hardening of the system, security testing should also be performed before and during a system’s operation. Regular, automated security scans can be a great tool to identify new vulnerabilities early on.
Vulnerability management takes the findings of the security tests performed and attempts to mitigate them. This includes the analysis of each finding (Is this actually an issue in the context of this system?), prioritization (How big of an issue is it?), and mitigation (How can it be fixed?). While the last part should be fairly obvious, the first two are just as essential, since it is important to take a risk-based approach to vulnerability mitigation. No system will ever be completely free of vulnerabilities, but the goal should be to avoid the ones that are critical and easily abusable.
We hope that with this article we were able to provide you with a good overview of security assurance. Please note that the term is not strictly defined, so in some organizations further aspects may be considered part of it, such as a secure software development process. Let us know what other security basics you would like us to cover or which we should explore in more detail.