Whether you're a proponent of formal risk assessments or of less stringent methods for identifying security control requirements, it's important to know what questions to ask. Missing a question can result in overlooking one or more critical vulnerabilities.
The first step is to form a general hypothesis about the target system. For the purpose of this post, the system consists of an application server, a Web server, and a database server. The Web server provides access to customer information via the Internet. Customer data consists of name, address, phone number, and credit card information.
The general hypothesis we'll test is that the data is secure from unauthorized access -- either internal or external. The testing process begins with assembling a team with a variety of skills. For example, our test requires a team consisting of one or more of the following:
- Database administrator
- Security analyst
- Network administrator
- Server engineer
- LAN/WAN engineer
Of course, the first question you might ask is if it's absolutely necessary to store the credit card information. If so, why is it necessary to expose that information to remote access? In any case, the answers to these questions provide valuable input into whatever risk assessment approach you prefer.
Although each network will be different, the list you come up for one system/network combination will be largely applicable to additional systems on that same network. In other words, only a few brainstorming sessions are necessary until a library of useful assessment questions is available.
If you're like me and prefer pictures, you can convert the table above to an attack tree. The objective becomes the root with the questions used to construct various attack vectors. How to build and use an attack tree is covered in A Practical Approach to Threat Modeling.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.