A lot of companies do V/A (vulnerability assessments) with scanners like Beyond Security or Nessus. We took a hybrid approach for an internal security assessment using a Fidelis Security Systems network DLP appliance for detecting data loss vulnerabilities and structured human interviews to identify assets and analyze business threats such as competitors who might steal designs. The objective of the study was to quantify value at risk in dollar terms and propose a cost-effective, prioritized set of security countermeasures.
We performed the formal internal security risk assessment for a NASDAQ-traded company in October-November 2007. The study evaluated the internal and external threats that impact the company’s information assets using our Business threat modeling (BTM) methodology. A PTA threat model was constructed and a number of threat scenarios were analyzed. The CFO and CIO quantified the Euro-value of the assets in the threat model; the output of the study was asset value at risk in dollar terms, based on the probability of each threat occurring and the level of potential damage.
I will email the PTA threat models we used upon request.
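To illustrate the kind of calculation the study produced, here is an added Python example (not from the post and not PTA's own model): each threat's value at risk is its asset value times probability times damage fraction, and countermeasures are ranked by risk removed per unit of cost. All asset values, probabilities, damage fractions, costs and mitigation factors are constructed figures, and the additive scoring is a simplifying assumption.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    asset_value: float   # value of the affected asset, in currency units
    probability: float   # estimated yearly probability of occurrence, 0..1
    damage: float        # fraction of the asset value lost if the threat occurs, 0..1
    def value_at_risk(self) -> float:
        # Annualised value at risk = asset value x probability x damage fraction.
        return self.asset_value * self.probability * self.damage

@dataclass
class Countermeasure:
    name: str
    cost: float
    mitigation: dict     # threat name -> fraction of that threat's risk it removes, 0..1

def total_value_at_risk(threats) -> float:
    return sum(t.value_at_risk() for t in threats)

def rank_countermeasures(threats, countermeasures):
    # Score each measure on its own by risk removed per unit of cost, best first
    # (overlap between two measures covering the same threat is ignored here).
    var = {t.name: t.value_at_risk() for t in threats}
    ranking = []
    for cm in countermeasures:
        reduced = sum(var.get(n, 0.0) * min(f, 1.0) for n, f in cm.mitigation.items())
        ranking.append((cm.name, reduced, cm.cost, reduced / cm.cost))
    return sorted(ranking, key=lambda r: r[3], reverse=True)

def select_within_budget(threats, countermeasures, budget):
    # Greedy plan: take measures in ranked order while the remaining budget allows.
    chosen = []
    for name, _, cost, _ in rank_countermeasures(threats, countermeasures):
        if cost <= budget:
            chosen.append(name)
            budget -= cost
    return chosen

# Constructed sample figures, loosely modelled on the findings described in the post.
THREATS = [
    Threat("notebook theft", 2_000_000, 0.9, 0.1),
    Threat("source code on public FTP", 5_000_000, 0.5, 0.3),
    Threat("insider email leak", 5_000_000, 0.2, 0.2),
    Threat("perimeter intrusion", 1_000_000, 0.05, 0.5),
]
COUNTERMEASURES = [
    Countermeasure("notebook disk encryption", 40_000, {"notebook theft": 0.9}),
    Countermeasure("FTP monitoring and cleanup", 20_000, {"source code on public FTP": 0.8}),
    Countermeasure("deploy DLP in subsidiaries", 120_000, {"insider email leak": 0.6, "source code on public FTP": 0.2}),
    Countermeasure("perimeter firewall upgrade", 100_000, {"perimeter intrusion": 0.5}),
]
```

With these figures the cheap FTP cleanup removes the most risk per unit of cost, and `select_within_budget(THREATS, COUNTERMEASURES, 100_000)` picks it together with notebook encryption.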
The bulk of the security budget is currently spent on sustaining network perimeter security and system availability. Not surprisingly, these countermeasures are not particularly effective in mitigating insider threats such as lost or stolen hardware and information leakage, which now dominate the company’s risk profile.
In corporate IT Security operations: The two major data security systems that were purchased in 2007, Imperva and the Fidelis XPS Extrusion Prevention System, have not yet been fully implemented and do not provide the expected benefit. To be specific, Imperva needs to be able to produce real-time alerts on violations based on logical combinations of OS user, DB application and DB user. Fidelis needs to be deployed in the subsidiaries. Monitoring from both systems needs to become a daily operational tool for the security officer.
In the Asia Pacific region: Loss of notebooks at a rate of 2-3 per quarter is a major vulnerability, although content abuse of the corporate network is assessed as negligible due to cultural factors.
In general: Publicly facing FTP servers must be monitored carefully for violations of the company's acceptable usage policy. In the course of the risk assessment, we discovered strategic plans and proprietary source code stored on publicly accessible FTP servers.