Question

Discuss the processes involved with security assessments. What types of analysis is performed with this assessment?

Answer 1

Process Involved in security assessments-

1. Identification. Determine all critical assets of the technology infrastructure. Next, diagnose sensitive data that is created, stored, or transmitted by these assets. Create a risk profile for each.
2. Assessment. Administer an approach to assess the identified security risks for critical assets. After careful evaluation and assessment, determine how to effectively and efficiently allocate time and resources towards risk mitigation. The assessment approach or methodology must analyze the correlation between assets, threats, vulnerabilities, and mitigating controls.
3. Mitigation. Define a mitigation approach and enforce security controls for each risk.
4. Prevention. Implement tools and processes to minimize threats and vulnerabilities from occurring in your firm’s resources.

The different security assessment types are:

1. Vulnerability Assessment: A significant security assessment type, vulnerability assessment involves identifying, quantifying, prioritizing, and classifying vulnerabilities and threats in a system or its environment, while offering information to rectify them.
2. Penetration Assessment: Penetration test or pen test, as it is commonly known, is a process of intentionally, yet safely, attacking the system and exploiting its vulnerabilities, to identify its weakness as well as strength. Pen test helps validate the effectiveness of various security measures implemented in the system, as well as its adherence to security policies.
3. Red Team Assessment: Though quite similar to penetration assessment, red team assessment is more targeted than the former. It identifies the vulnerabilities in the system as well as gapes across an organization’s infrastructure and defense mechanism. In short, the objective of this assessment is to test an organization’s detection and response capabilities.
4. Security Audit: Security audit is an extensive and thorough overview of an organization’s security systems and processes. It offers in-depth reviews of system’s physical attributes as well as identifies gaps in the security policies, and conducts major vulnerability assessments. This is an extremely important type of assessment, as it validates conformance with standard security policies.
5. White/Grey/Black-Box Assessment: Though grouped together, these assessments cater to different attributes of the system as well as organization’s infrastructure. They indicate the quantitative and qualitative estimation of the internal information shared with the tester. In white-box assessment the tester has full knowledge of the internal workings of the application or the system. Whereas, in gray-box assessment limited information is shared with the tester. In black-box assessment the internal information of the system as well as its environment is not required, moreover, this is performed from the perspective of the hacker.
6. Risk Assessment: During this type of security assessment, potential risks and hazards are objectively evaluated by the team, wherein uncertainties and concerns are presented to be considered by the management. Additionally, it brings the current level of risks present in the system to the one that is acceptable to the organization, through quantitative and qualitative models.
7. Threat Assessment: Threat assessment is the process of identifying, assessing, and managing potential threats, and determining their credibility as well as seriousness. It measures the probability of detected threats becoming a real risk. In short, this assessment type is quite different from others as it is more focused on physical attacks rather than making assumptions.
8. Threat Modelling: Threat modelling is a process of apprehending and reporting vulnerabilities, risks and threats, by evaluating risks from the perspective of the hacker. It helps identify, enumerate and prioritize issues and risks, while assessing their impact on the system’s functioning.
9. Bug Bounty: Bug bounty is the most effective way of finding security vulnerabilities in the system. It comprises various professional testers, who test the system for any security breaches and issues through thorough assessment.