Business and Technology Insights

Paper vs Tool Based Vulnerability Assessment: Resolving a CISO’s Dilemma

September 25, 2017

With the adoption of digital technologies like Big Data, cloud, and analytics becoming imperative, enterprises feel the need to secure information assets that are non-tangible, unquantifiable, and not constrained to a definite form. Senior leaders usually depend on the chief information security officer (CISO) and his team to uphold the organization's security posture with minimum investment and 100% perfection. The preliminary step is to identify the security weaknesses or vulnerabilities in your IT asset landscape, which is best done with tests or assessments.

The assessment dilemma

An interesting dialogue between two characters in a recent movie caught my attention. One character tells another that it's easy to distinguish a good person from a bad one; the difficult task is choosing one good person over another, and the situation gets even trickier when you have to choose one bad person over another. I was able to draw a parallel between these lines and the day-to-day decisions I make as a security analyst. It's easy to decide whether an application or network element needs an assessment or not, but the real dilemma is deciding whether the asset needs a vulnerability assessment (VA) or a penetration test. Things get even more complicated when I have to choose between conducting a theoretical paper-based security assessment and a tool-based assessment. The reasons for this confusion are pretty simple: the large and diversified landscape of assets, a low security budget, minimal turnaround time, immense pressure to deliver more value at a lower cost, and so on.

One might suggest classifying the assets into critical and less critical and starting from there. It's not as simple as that, though. CISOs know that the real challenge is having to list the parameters that drive this categorization.

The ideal process

Hence, defining threat profiling parameters should be the step that follows asset identification. Analyzing information assets like applications and network infrastructure elements against these threat profile parameters will help bucket them by criticality and threat potential. This will also help you choose an appropriate mechanism to assess their security posture. At a broad level, these assets can be categorized into two types: those that need to undergo security tests and those that need a paper-based assessment. The magnitude of a security test can range from a lightweight tool scan to an intense tool-based test combined with intrusive manual tests. However, turnaround time, effort, and budget constraints often lead organizations to take up paper-based assessments.

To conduct a theoretical paper-based VA, it's necessary to formulate a comprehensive assessment questionnaire and have quantitative and qualitative measurements tagged to each response received, so that an asset's security strength can be evaluated. The experience and skill of the security analyst play a vital role during discussions with key stakeholders, and while recording and validating their responses. The analyst has to use his own discretion to draw logical inferences about the current security posture and conclude with results. Based on the outcome, appropriate remediation measures can be suggested for implementation, or critical assets can undergo comprehensive tool-based and manual tests.
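The two steps above (bucketing assets by threat-profile parameters, then tagging each questionnaire response with a quantitative score and a qualitative evidence marker) can be captured in a small scoring model. The Python below is an added example, not code from the original post or from TCS. The threat-profile parameters, their weights, the answer scores, the bucket thresholds and the sample responses are all assumed for illustration; a real programme would calibrate them against its own asset landscape.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Question:
    key: str
    text: str
    weight: int                  # how strongly this parameter drives criticality
    options: Dict[str, float]    # answer -> score in [0, 1]; 1.0 is the worst case


# Assumed threat-profile parameters. The post names none, so these are illustrative.
QUESTIONNAIRE: List[Question] = [
    Question("exposure", "Is the asset reachable from the internet?", 5,
             {"no": 0.0, "partner": 0.5, "yes": 1.0}),
    Question("data", "Most sensitive data class handled?", 4,
             {"public": 0.0, "internal": 0.4, "pii": 0.8, "regulated": 1.0}),
    Question("auth", "Authentication mechanism in use?", 3,
             {"sso_mfa": 0.0, "sso": 0.3, "local_password": 0.8, "none": 1.0}),
    Question("patching", "Are security patches applied within policy SLA?", 3,
             {"yes": 0.0, "partially": 0.5, "no": 1.0}),
    Question("last_test", "When was the last security test?", 2,
             {"lt_12m": 0.0, "gt_12m": 0.6, "never": 1.0}),
]
TOTAL_WEIGHT = sum(q.weight for q in QUESTIONNAIRE)

# Criticality bucket -> assessment mechanism, following the post's broad categories.
MECHANISM = {
    "critical": "tool-based test combined with intrusive manual tests",
    "moderate": "lightweight tool-based scan",
    "low": "paper-based assessment only; revisit on change",
}


@dataclass
class Response:
    answer: str
    evidence: bool = True    # qualitative marker: did the stakeholder show evidence?


@dataclass
class Result:
    score: float             # 0..100, higher means more exposed / more critical
    confidence: float        # 0..1, lowered by unevidenced or missing answers
    bucket: str
    mechanism: str
    flags: List[str] = field(default_factory=list)


def score_asset(responses: Dict[str, Response]) -> Result:
    """Turn questionnaire responses into a criticality bucket and a mechanism."""
    earned = 0.0      # weighted quantitative score
    penalty = 0.0     # weight of answers the analyst cannot fully trust
    flags: List[str] = []
    for q in QUESTIONNAIRE:
        resp = responses.get(q.key)
        if resp is None:
            # Unanswered: assume the worst case and record the gap.
            earned += q.weight
            penalty += q.weight
            flags.append(f"unanswered:{q.key}")
            continue
        if resp.answer not in q.options:
            raise ValueError(f"{q.key}: unknown answer {resp.answer!r}")
        earned += q.weight * q.options[resp.answer]
        if not resp.evidence:
            # Answered but unevidenced: count it, but trust it only half as much.
            penalty += 0.5 * q.weight
            flags.append(f"unevidenced:{q.key}")
    score = 100.0 * earned / TOTAL_WEIGHT
    confidence = 1.0 - penalty / TOTAL_WEIGHT
    bucket = "critical" if score >= 60 else "moderate" if score >= 30 else "low"
    mechanism = MECHANISM[bucket]
    if bucket == "low" and confidence < 0.7:
        # A paper-only verdict that rests on doubtful answers is escalated to a scan.
        mechanism = MECHANISM["moderate"]
        flags.append("low-confidence: escalated to tool-based scan")
    return Result(round(score, 1), round(confidence, 3), bucket, mechanism, flags)


# Constructed sample responses (not real assets).
SAMPLE_INTERNET_APP = {
    "exposure": Response("yes"), "data": Response("pii"),
    "auth": Response("local_password"), "patching": Response("partially"),
    "last_test": Response("never"),
}
SAMPLE_INTERNAL_TOOL = {
    "exposure": Response("no"), "data": Response("internal", evidence=False),
    "auth": Response("sso_mfa"), "patching": Response("yes"),
    "last_test": Response("lt_12m"),
}
SAMPLE_INCOMPLETE = {           # patching never answered, two answers unevidenced
    "exposure": Response("no"), "data": Response("internal", evidence=False),
    "auth": Response("sso_mfa", evidence=False), "last_test": Response("lt_12m"),
}

if __name__ == "__main__":
    for name, sample in [("internet app", SAMPLE_INTERNET_APP),
                         ("internal tool", SAMPLE_INTERNAL_TOOL),
                         ("incomplete", SAMPLE_INCOMPLETE)]:
        print(name, score_asset(sample))
```

The confidence figure is what makes the qualitative side of the questionnaire visible: an asset can score "low" on the quantitative parameters yet still be routed to a tool-based scan because too many of its answers were unanswered or unevidenced, which is the escalation path the post describes for doubtful paper-based results.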

Making it a team effort

Conducting this theoretical exercise is challenging, as every assessment question posed to the stakeholder and every inference drawn is subject to bias or doubt. It's usually recommended to have these kinds of assessments conducted by a team of at least two, as in this case multiple cooks make the broth tastier and safer to consume. The results of these assessments need to be specific and unbiased, and most importantly the remediation measures for the identified weak points should be implemented quickly.

It's agreed that the effectiveness of a paper-based assessment and the conclusions drawn from it are open to debate, both for accuracy and for completeness. But as technologies keep evolving and enterprises maintain large asset inventories, it is important to first draw initial observations about the security dimension of an information asset and then decide on the next step, whether for an application, a server, or a database.

And even though cyber security experts often say that there is no such thing as 100% security or 0% risk, I believe you should consider every possibility. Be mindful of the fast-paced business world and dynamic market needs.

Need help assessing your enterprise's information security posture or landscape? Contact us for support.

Dinesh Sawrirajan is an Information Security Consultant & Delivery Lead with the Cyber Security Practice at Tata Consultancy Services (TCS). He has more than nine years of experience in application security, risk management & data security. He has worked with leading customers including one of the big four audit & consulting firms, a large government sector customer in the UK and a leading Australian retailer. Dinesh is a mechanical engineer and holds a double master's degree in management (Operations, Marketing & Finance).