Technical Internal Security Assessment
Redspin's Technical Internal Security Assessment utilizes a risk-based approach to manually identify critical infrastructure vulnerabilities throughout your entire enterprise. This assessment focuses on three primary areas of your technical control environment:
Ensuring your sensitive data is secure
Ensuring your network is secure
Ensuring your workstations and servers are deployed according to best practices
The goal of this assessment is to accurately and cost-effectively isolate areas of risk and provide actionable recommendations (both strategic and technical) for improvement.
This assessment sends expert security engineers into your environment to talk with key system owners to understand your business, leverage a risk-based approach to focus on areas that are most critical to your operations, and validate that all implemented technical controls are configured as expected.
Why perform a Technical Internal Security Assessment?
- We have never performed an internal assessment before.
- We just had a breach and need to prevent an incident from occurring again.
- We are looking for a technical review of controls to complement our annual IT audit.
- We would like a comprehensive internal vulnerability assessment.
- I just took over management of IT and need help assessing my technical security.
- We want to know how we compare to similar companies.
- We want to know the high-risk issues on which we should focus.
- We want a second set of eyes on our systems.
The scope of our Technical Internal Security Assessment is informed by a variety of sources:
- Redspin Personnel's Experience — the experience of our staff (covered in other sections) and Redspin's proprietary list of infrastructure vulnerabilities and control deficiencies collected during our work on hundreds of information security assessments over the last ten years.
- Best Practices — Redspin draws on our own independent research, professional exchanges, and industry and other recognized standards, including ISO 27001 and NIST federal guidelines, to keep our scope in line with the latest IT security, availability, and operational analysis appropriate for an organization's size, business complexity, and technology footprint.
- NIST — Risk Management Guide for Information Technology Systems (Special Publication 800-30), NIST (National Institute of Standards and Technology), October 2001.
- FFIEC — The "Information Security Booklet" published in July 2006 as part of the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook).
- Payment Card Industry (PCI) Data Security Standard (DSS), v1.2, October 2008.
- An Introductory Resource Guide for Implementing the HIPAA Security Rule (Special Publication 800-66), NIST (National Institute of Standards and Technology), October 2008.
- Cyber Security Standards CIP-002-2 through CIP-009-2 (Critical Infrastructure Protection), NERC (North American Electric Reliability Corporation), December 2009.
- Technical Guide to Information Security Testing and Assessment (Special Publication 800-115), NIST (National Institute of Standards and Technology), September 2008.
- If a laptop is stolen, does it hold sensitive data stored unencrypted that would require us to notify our customers? (i.e. What data did I really lose? Was it protected?)
- How can I restrict my employees from using personal media such as USB drives and iPhones?
- Can portable media be used to install malware & viruses and steal confidential data?
- Is backup media stored securely off-site?
- Does our network define logical security domains to segment sensitive data and systems from untrusted areas such as the Internet and potentially hackable systems or untrusted users?
- Are the firewalls and other network devices actually configured to implement the domains the way we think they are?
- Are we connected to other companies & networks in such a way that if they get hacked or have a malicious employee, our entire network and data could be compromised?
- Do we allow remote access in a secure way that minimizes risk?
- Is there currently malicious traffic on our network about which we are unaware? Are controls in place to detect malicious traffic?
- Can someone walk into our facility and plug into the network and have extensive data and network access?
- Are our network devices implemented according to best practices?
- Are we logging sufficient network information so that we can perform the necessary investigation in case of a security incident? If not, even a minor security incident may result in a customer-wide sensitive data disclosure notice.
- What cost-effective actions can we take to improve logging?
- Is our network monitoring appropriate?
- Who is allowed access to the data center?
- How do we know who really accessed the data center?
- How long can our critical infrastructure withstand a power outage?
- Is critical infrastructure protected from a fire?
- Are necessary heating and cooling controls in place for all critical infrastructure?
- Can an untrusted unescorted user access critical infrastructure? If so, what can they access?
- Do we have appropriate password requirements?
- Do our users have the capability to override the security configurations of their workstations?
- Can our users install software on their workstations that might unintentionally impact the security of our entire network?
- Do we have applications on our network that might be vulnerable to remote attack allowing one of our users to, for example, accept an email attachment with a Trojan application that could then attack our network from the inside?
- Do we have an effective patch management strategy in place? Does it include operating systems and applications?