30 Days of Security Testing – Day Eleven

The challenge for Day Eleven is – Try to figure out the Posture Assessment for an application.

This challenge was a pinch confusing for me, as I didn’t know what a “posture assessment” was, so I decided to google the definition:

The security status of an enterprise’s networks, information, and systems based on IA resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defence of the enterprise and to react as the situation changes.

[Image caption: Not sure how I’d classify this Posturing]

The definitions I found all referred to the security posture of an overall organisation/enterprise/business, not just an application.  So for the sake of clarity, I’ll be looking at how an organisation would conduct a security posture assessment across the whole organisation rather than an individual application.

Having never conducted a security posture assessment, I can take an educated guess and suggest that it would involve the following steps:

  • Identify the data that would be targeted, e.g. credit card details, intellectual property, medical records etc.
  • Highlight the methods and levels of protection in place for these target areas. A good resource is the SANS Critical Security Controls.
  • Conduct a security audit.
  • Organise a simulated attack – this can be in line with what has been tested in the audit, or can be a bit nastier and attack parts that weren’t covered, or a good combination of both.
  • Monitor how well the defenders (if any) were able to detect and manage the threats presented.
  • Have the attack team produce a report on what they were able to access and achieve.
  • Build a plan for how to protect against these attacks/vulnerabilities in the future.
  • Establish a robust method of monitoring your network and reporting any breaches etc.
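To make the steps above concrete, here is a small added example (my own code, not from the original post or from any of the resources it links) that turns the list into a baseline you can re-run at the next assessment: an inventory of target data and the controls protecting it, the results of the simulated attack, and a diff against a previous baseline. The control identifiers ("CSC-3" etc.) and all of the inventory and finding data are constructed for illustration and do not correspond to any real organisation or to the official SANS control numbering.

```python
"""Security posture baseline: control coverage per target data set, cross-referenced
with simulated-attack findings, and compared against a previous baseline.
Added example; all inventory, findings and control IDs below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Control:
    control_id: str    # identifier from the organisation's control catalogue (hypothetical here)
    implemented: bool  # is the control actually in place for this data set?


@dataclass(frozen=True)
class Finding:
    target: str        # which target data the attack team went after
    control_id: str    # which control should have stopped or flagged the attack
    detected: bool     # did the defenders notice it during the exercise?


# Step 1 + 2: target data and the controls protecting each (constructed sample).
INVENTORY: Dict[str, List[Control]] = {
    "credit card details":   [Control("CSC-3", True), Control("CSC-6", True), Control("CSC-13", False)],
    "medical records":       [Control("CSC-3", True), Control("CSC-6", False), Control("CSC-13", False)],
    "intellectual property": [Control("CSC-3", False), Control("CSC-13", False)],
}

# Step 4 + 5 + 6: what the attack team achieved and whether defenders saw it (constructed sample).
FINDINGS: List[Finding] = [
    Finding("credit card details", "CSC-13", False),
    Finding("medical records", "CSC-6", True),
    Finding("intellectual property", "CSC-3", False),
]


def coverage(inventory: Dict[str, List[Control]]) -> Dict[str, float]:
    """Fraction of listed controls that are implemented, per target data set."""
    return {target: round(sum(c.implemented for c in controls) / len(controls), 2)
            for target, controls in inventory.items()}


def undetected(findings: List[Finding]) -> List[Tuple[str, str]]:
    """Attacks that succeeded without the defenders noticing: the monitoring gaps."""
    return [(f.target, f.control_id) for f in findings if not f.detected]


def gaps(inventory: Dict[str, List[Control]], findings: List[Finding]) -> List[Tuple[str, str]]:
    """Controls the attack exercised that are not implemented: first items for the remediation plan."""
    missing = {(target, c.control_id)
               for target, controls in inventory.items() for c in controls if not c.implemented}
    exercised = {(f.target, f.control_id) for f in findings}
    return sorted(missing & exercised)


def compare(previous: Dict[str, float], current: Dict[str, float]) -> Dict[str, float]:
    """Change in coverage since the last baseline; positive means the posture improved."""
    return {target: round(current.get(target, 0.0) - previous.get(target, 0.0), 2)
            for target in set(previous) | set(current)}


if __name__ == "__main__":
    # A previous baseline, constructed so the diff shows something.
    last_year = {"credit card details": 0.33, "medical records": 0.33, "intellectual property": 0.0}
    now = coverage(INVENTORY)
    print("coverage:", now)
    print("undetected attacks:", undetected(FINDINGS))
    print("remediation priorities:", gaps(INVENTORY, FINDINGS))
    print("change since last baseline:", compare(last_year, now))
```

The useful outputs are the last three: undetected attacks tell you where monitoring (step 8) is weak, the gap list is the starting point for the protection plan (step 7), and the diff is what "a good baseline for future assessments" means in practice.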

I found a great infographic on assessing your security posture from Hitachi Systems Security

[Infographic: 6 steps to define cybersecurity posture]

Having completed a security posture assessment, your organisation will have a good baseline to work with for future assessments, and a high-level view of how strong or weak it currently is against attack.

Thanks for reading my post and following my progress through the 30 Days of Security Testing.

For more on Security Testing please visit here, or for any of my other ramblings visit here.

Feel like joining in? Sign into the WeTest Slack group and get involved!
