The challenge for Day Eleven is – Try to figure out the Posture Assessment for an application.
This challenge was a pinch confusing for me, as I didn’t know what a “posture assessment” was, so I decided to google the definition:
The security status of an enterprise’s networks, information, and systems based on IA resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defence of the enterprise and to react as the situation changes.
The definitions I found all referred to the security posture of an overall organisation/enterprise/business, not just an application. So for the sake of clarity, I’ll be looking at how an organisation would conduct a security posture assessment across the whole organisation rather than an individual application.
Having never conducted a security posture assessment, I can take an educated guess and suggest that it would involve the following steps:
- Identify data that would be targeted, e.g. credit card details, intellectual property, medical records, etc.
- Highlight the methods and levels of protection in place for these target areas. A good resource is the SANS Critical Security Controls.
- Conduct a security audit
- Organise a simulated attack – this can be in line with what has been tested in the audit, or can be a bit nastier and attack parts that weren’t covered – or a good combination of both.
- Monitor how well the defenders (if any) were able to detect and manage any threats presented.
- Have the attack team produce a report on what they were able to access and achieve.
- Build a plan on how to protect against these attacks/vulnerabilities in the future.
- Establish a robust method of monitoring your network and reporting any breaches etc.
I found a great infographic on assessing your security posture from Hitachi Systems Security.
Having completed a security posture assessment, your organisation will have a good baseline to work with for future assessments, and a high-level view of how strong or weak it currently is against attack.
Thanks for reading my post and following my progress through the 30 Days of Security Testing.
Feel like joining in? Sign into the WeTest Slack group and get involved!