Whether you’re a proponent of formal risk assessments or of less stringent methods for identifying security control requirements, it’s important to know what questions to ask. Missing a question can result in overlooking one or more critical vulnerabilities.
The first step is to form a general hypothesis about the target system. For the purpose of this post, the system consists of an application server, a Web server, and a database server. The Web server provides access to customer information via the Internet. Customer data consists of name, address, phone number, and credit card information.
The general hypothesis we’ll test is that the data is secure from unauthorized access — either internal or external. The testing process begins with assembling a team with a variety of skills. For example, our test requires a team consisting of one or more of the following:
- Database administrator
- Security analyst
- Network administrator
- Server engineer
- LAN/WAN engineer
The team begins by brainstorming various attack objectives. As with any brainstorming activity, no suggestion should be eliminated when first volunteered. Once attack objectives are identified, the next step is to ask questions about how criminal elements might attempt to reach each objective. Table 1 offers an example of what the results might look like when documented. I’m sure you can think of quite a few additional objectives and questions very quickly.
Of course, the first question you might ask is if it’s absolutely necessary to store the credit card information. If so, why is it necessary to expose that information to remote access? In any case, the answers to these questions provide valuable input into whatever risk assessment approach you prefer.
Although each network will be different, the list you come up for one system/network combination will be largely applicable to additional systems on that same network. In other words, only a few brainstorming sessions are necessary until a library of useful assessment questions is available.
If you’re like me and prefer pictures, you can convert the table above to an attack tree. The objective becomes the root with the questions used to construct various attack vectors. How to build and use an attack tree is covered in A Practical Approach to Threat Modeling.