Volume 13 | June 29, 2009
Is there a difference between an internal audit and an internal assessment? A distinction between an internal scan and an internal penetration test?
This month's Redspin SMA gives you the inside scoop on "Internals."
1. Internal Scan
This is the most basic thing you can do to get a picture of your internal network security. Usually it is generated solely by an automated tool, and it produces reports that can run hundreds of pages long.

Pros: Cheap, fast and dirty. Useful for a professional IT person who wants to double-check patching and device hardening.

Cons: Outputs lots of false positives, and can make your network look like Swiss cheese. Since it doesn't differentiate vulnerabilities based on your environment, it can create lots of work. Better for validation than assessment.

2. Internal Penetration Test
A security engineer hacks into internal systems (or at least tries to) from the vantage point of someone who already has physical access to the internal network. This will give you a better idea of the extent to which employees (or a hacker who gains access to your internal network) can reach sensitive data. For example, how easy is it to access the company HR files or the servers where credit card data is stored?

Pros: Highlights relevant risks, and gives you actionable output. Necessary for PCI compliance, and fulfills the requirements set forth in PCI DSS 11.3.1. Helps to ensure that cardholder data is secure.

Cons: More expensive than an automated scan, although it may save you money by more tightly focusing on actual issues.

3A. Internal Security Audit
An Internal Security Audit is purely about regulatory issues and/or internal security controls. If you are in a highly regulated industry, or have a very strict "dress code" for all your network processes and procedures, then an audit checks to see whether or not you're actually following the correct regulations/procedures.

Pros: Important to check whether or not all the great rules you created are truly being followed. May be necessary for compliance with PCI, FFIEC, or other regulatory bodies.

Cons: Probably won't point out weaknesses in your network security that lie outside the scope of the regulations.

3B. Internal Security Assessment
An Internal Security Assessment is a more comprehensive version of the Internal Security Audit. Where the audit will ask, "Are you following the dress code?" the assessment will ask, "Are you using the correct dress code?" Where an Internal Security Audit uses a specific set of regulatory guidelines or policies as a baseline, an Internal Security Assessment uses general risk as a baseline; an assessment answers the questions: "How are we doing?" and "Where is our risk?" and "What can we be doing better?"

Pros: An independent viewpoint on security issues can highlight unnoticed vulnerabilities and security risk. Useful for industries that have sensitive data to protect. Can help to prioritize security risks.

Cons: Again, a bit more expensive, but it may save money: of all the internal options it is the most focused on identifying security risk, which both avoids the bad publicity and expense of a security breach or data loss and focuses IT resources on the most important issues.

Hopefully, this will help you choose the correct Internal Scan/PenTest/Audit/Assessment for your organization.