Typical conversations with clients around data security start with the simple desire not to suffer a breach of sensitive information, followed by a discussion of what security protection technologies and practices are in place.  For our biotechnology growth company customer base, the discussion is typically about remote users, a lab environment, Microsoft O365, and their data and data analytics in the cloud, with the question of how to best secure a dynamic environment despite a low user count and very limited resources.  While a discussion around VPNs, single sign-on (SSO), multi-factor authentication (MFA), firewalls, endpoint protection, encryption and other protection techniques is necessary, knowing how well they have been deployed and how well they are working, through a security assessment, tells the real story of data security hygiene.  Just as a person can eat well, exercise, and sleep well, the overall health assessment, including lab work during a routine physical, demonstrates how those practices are working.  PTP offers a high-value, low-cost assessment solution to do just that: provide a routine evaluation of how an organization's security practices are working, with recommendations on areas for improvement.


I have security tools in place.  Why should I conduct a security assessment?

In all areas of business, measurement is a best practice, and security is no different.  The fact that a highly regarded endpoint security tool has been purchased and deployed does not mean that it is on every machine or that every machine is being updated.  It also doesn't mean that action is being taken when the endpoint security tool raises issues.  The same applies to firewalls, DNS security, email security and all other technologies.  Additionally, these tools often require complex configurations to work while still allowing legitimate communications, and those configurations may or may not be optimized.  The work in an assessment identifies configurations that depart from best practice, and the team then investigates whether there is a valid reason a particular configuration was used, perhaps a requirement of a specific business application, or whether it was a mistake.

The environments PTP works with are typically very dynamic, changing to address developing needs; hence the importance of either monitoring security on a real-time basis or conducting periodic security assessments that provide data-driven, actionable security intelligence.


What comprises PTP’s Security Assessment?

Our service has four primary components, assembled to extract the greatest amount of value in security status and visibility without excessive overhead or cost.  Below is an outline that summarizes each element of the service, how we go about the assessment, and examples of what can be expected.

  • Ingress/Egress Data Flow Review
    • Add PTP collector, Fluency, as flow destination from source devices
    • Gather 14 days of flow data
    • Confirm and analyze data
    • Document key findings and recommendations
    • Examples of concerns uncovered through this procedure are nefarious network activity, unwanted user internet activity, connections to known risky countries, and risks relating to application data.
  • Vulnerability Test
    • Configure central scanner and scan for known vulnerabilities against the Common Vulnerabilities and Exposures (CVE) database (cve.mitre.org).
    • Confirm and analyze data
    • Document key findings and recommendations
    • Examples of concerns uncovered through this procedure are down-level system code, known risky protocols, unauthorized remote access, and dangerous internet facing ports.
  • Domain Configuration Review
    • Utilize PTP's threat intelligence feeds to scan the customer's public domain name space
    • Identify security risks and possible exposures
    • Confirm and analyze data
    • Document key findings and recommendations
    • Examples of concerns uncovered through this procedure include domain registration validation, customer-owned SSL certificates, DNS subdomain validation, and domain locations.
  • Review of Security Prevention Device Configurations
    • Security Protection Tools
      • Review and analyze security configurations for security infrastructure elements in scope: Firewalls, IPS devices and Endpoint Security.
      • Confirm and analyze data
      • Document key findings and recommendations
      • Examples of concerns uncovered through this procedure include broad and dangerous rule sets, signature status, code/patch levels, and review of configuration best practices.
    • Cloud Security Best Practices
      • Configure PTP’s cloud management platform to associate with cloud accounts
      • Review and analyze security best practice issues by severity
      • Filter and prioritize issues by impact and summarize
      • Document key findings and recommendations
      • Examples of concerns uncovered through this procedure include lack of multi-factor authentication, use of root accounts, large numbers of accounts with Administrator access, lack of encryption of cloud storage, public-facing instances, and inadequate password policies.


What kind of findings can I expect?

Upon completion of the data collection phase of the assessment, a PTP Sr. Security Engineer will gather the data, review the output from each of the tools used in each of the elements, and prioritize and summarize the findings.  The deliverable report will contain all of this, summarized for ease of review and action, coupled with all of the detail exported from our tools.  Customers may receive reports of 100+ pages, but our team extracts the top issues for review in the assessment summary findings section.

While there are too many possible issues to list, examples our team has reviewed with customers in recent assessments are listed below:

  • RC4 found in Kerberos negotiations
  • Firewall DENY rules inconsistent
  • Printers broadcasting their own WiFi networks
  • VPN clients affected by Barefruit DNS tracking
  • Rogue wireless APs on the network
  • Abnormally high numbers of login failures for the AD Administrator account
  • DNS configuration inconsistencies
  • End of Life software versions for ancillary software such as Apache Tomcat
  • Weak encryption algorithms in place
  • Website missing security headers
  • Telnet in use
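As an added illustration of the kind of triage the Ingress/Egress Data Flow Review feeds and the findings above (Telnet in use, dangerous internet-facing ports, connections to risky countries), the Python below walks a handful of flow records and tags each concern. This is example code written for this page, not PTP's Fluency collector or report tooling; the flow records, the GeoIP map, the internal network range and the port lists are all constructed assumptions.

```python
# Added example: minimal flow triage over constructed records (not PTP's tooling).
from collections import Counter
import ipaddress

# Constructed sample flow records: (src_ip, dst_ip, dst_port, proto, bytes)
FLOWS = [
    ("10.0.1.15", "10.0.1.2", 23, "tcp", 1200),        # internal Telnet session
    ("203.0.113.9", "10.0.1.50", 3389, "tcp", 52000),  # inbound RDP from the internet
    ("10.0.1.22", "198.51.100.7", 443, "tcp", 8800),   # ordinary HTTPS egress
    ("10.0.1.22", "192.0.2.44", 443, "tcp", 910000),   # egress to a watchlisted country
    ("10.0.1.30", "10.0.1.2", 445, "tcp", 4000),       # internal SMB, not flagged
]
# Constructed GeoIP lookup; a real assessment would query a GeoIP database.
GEO = {"198.51.100.7": "US", "192.0.2.44": "XX", "203.0.113.9": "US"}
RISKY_COUNTRIES = {"XX"}                       # assumed watchlist
CLEARTEXT_PORTS = {23: "telnet", 21: "ftp", 80: "http"}
DANGEROUS_INBOUND = {3389: "rdp", 22: "ssh", 445: "smb", 23: "telnet"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed customer address space

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def triage(flows, geo=GEO):
    """Return (kind, detail) findings for each flow that matches a concern."""
    findings = []
    for src, dst, port, proto, nbytes in flows:
        # Cleartext management/file protocols anywhere on the network
        if port in CLEARTEXT_PORTS:
            findings.append(("cleartext-protocol",
                             f"{CLEARTEXT_PORTS[port]} {src}->{dst}:{port}"))
        # Internet source reaching an internal host on a sensitive service port
        if not is_internal(src) and is_internal(dst) and port in DANGEROUS_INBOUND:
            findings.append(("internet-facing-port",
                             f"{DANGEROUS_INBOUND[port]} on {dst}:{port} reached from {src}"))
        # Internal host sending data to a destination in a watchlisted country
        if is_internal(src) and not is_internal(dst) and geo.get(dst) in RISKY_COUNTRIES:
            findings.append(("risky-country-egress",
                             f"{src}->{dst} ({geo[dst]}) {nbytes} bytes"))
    return findings

def summarize(findings):
    """Count findings by kind, the shape a summary section would start from."""
    return Counter(kind for kind, _ in findings)

if __name__ == "__main__":
    for kind, detail in triage(FLOWS):
        print(f"{kind:22} {detail}")
    print(dict(summarize(triage(FLOWS))))
```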


When does it make sense to conduct a Security Assessment?

There are a number of reasons why and when you may want to reach out to PTP for an assessment.  Several are listed below:

  1. You or your team is new to the environment and needs to establish a security hygiene baseline.
  2. You do not have a security monitoring service or internal security monitoring and, as a quality practice, should assess the environment annually.
  3. Your users have been experiencing malware infections.
  4. You are receiving large quantities of phishing emails.
  5. There has been a meaningful change in your environment either with new locations, new applications or growth in users.