23 May 2023

The purpose of this article is to describe three approaches that will allow you to proactively assess the security level of all or part of your IT system. This can concern your technical, application, or organizational base.

While CISO budgets related to cyber issues are expected to grow in 2022, some simple practices can already help you avoid the worst: a previous article by Lucas, COO of Padok Security, for example, explained how to apply the best DevSecOps principles to improve your security system.

Level 1: Vulnerability Scanning

What is a vulnerability scan?

A vulnerability scan is a process that can be automated and that allows you to scrutinize all or part of a computer system (application, servers, network). The goal? To detect possible vulnerabilities, i.e. weaknesses and errors in the way a system is designed, configured, and protected.

In what context and how often should they be used?

It is recommended to perform these tests several times a year internally: at least once a quarter and at best once a month. Since most of these scans are automatic, it is even easier to conduct them on a regular basis. At a more granular level, it is also possible to set up tools that perform scans for each new deployment (to check that the dependencies are updated, for example).

Advantages and disadvantages

Advantages:

  • Cost: these scans can be done internally, therefore at a lower cost, and some of the tools are open source.
  • Time: it is possible to use automatic tools, which can take only a few hours to complete, depending on the defined scope.

Disadvantages:

  • Relevance: the analysis stays at the surface, and not all scans propose a fix for the flaws they identify.
  • Quality: these scans regularly produce false positives, which require human intervention to sort out afterwards.
  • Prioritization: these scans surface vulnerabilities that are not contextualized with your business issues and therefore require human intervention to reprioritize the work to be done.
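The last two points above are the manual steps a scan leaves behind. The following added example (not from the original article) shows a minimal triage pass over constructed scanner findings: confirmed false positives are suppressed per asset, and the scanner's severity is re-weighted by a business criticality map the scanner itself knows nothing about. All asset names, check identifiers and scores are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str          # host or application the scanner reported on
    plugin_id: str      # scanner check identifier (constructed value)
    title: str
    cvss: float         # base score as reported by the scanner, 0-10
    fix_available: bool # whether the scanner proposes a patch

# Business context the scanner does not know: how critical each asset is
# (constructed: 3 = handles customer data or revenue, 1 = internal test system).
ASSET_CRITICALITY = {"payments-api": 3, "intranet-wiki": 2, "dev-sandbox": 1}

# Findings a human has already reviewed and confirmed as false positives,
# keyed by (asset, plugin_id) so each suppression stays scoped to one asset.
KNOWN_FALSE_POSITIVES = {("intranet-wiki", "P-1002")}

def is_false_positive(f: Finding) -> bool:
    return (f.asset, f.plugin_id) in KNOWN_FALSE_POSITIVES

def priority(f: Finding) -> float:
    """Scanner severity weighted by asset criticality.
    Unknown assets default to the lowest weight instead of being dropped,
    so that systems missing from the inventory still appear in the report."""
    score = f.cvss * ASSET_CRITICALITY.get(f.asset, 1)
    # No vendor fix: still relevant, but ranked just below a patchable
    # finding of equal weight because it cannot be closed by a simple update.
    return score if f.fix_available else score * 0.9

def triage(findings: list[Finding]) -> list[Finding]:
    """Drop confirmed false positives and return the rest, most urgent first."""
    kept = [f for f in findings if not is_false_positive(f)]
    return sorted(kept, key=priority, reverse=True)

# Constructed sample output, in the shape a scanner export might take.
SAMPLE = [
    Finding("dev-sandbox", "P-2001", "Outdated OpenSSL", 9.8, True),
    Finding("payments-api", "P-3005", "TLS 1.0 enabled", 5.3, True),
    Finding("intranet-wiki", "P-1002", "Directory listing", 5.0, True),
    Finding("payments-api", "P-4010", "Outdated web framework", 7.5, False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{priority(f):5.2f}  {f.asset:14} {f.title}")
```

Note how the CVSS 9.8 finding on the sandbox ends up below a medium-severity finding on the payments API once business context is applied, which is exactly the re-prioritization a raw scan report cannot do for you.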

But what does this have to do with our house?

In this scenario, the idea is to walk around your house yourself (= IS) and list all the flaws that could lead to a breach: a broken window, a lock dating from the 18th century, a surveillance camera with a flat battery, etc. (= vulnerabilities).

This is as far as the exercise goes, and your list will not necessarily tell you whether these vulnerabilities are actually exploitable: perhaps the seemingly fragile lock will turn out to be unbreakable. You won't know until you try to break it.

Level 2: Security Audit

What is a security audit?

A security audit consists of a human intervention, often carried out by an external service provider, and gives you a point-in-time view of all or part of the security risks of an IS.

The goal is to verify not only compliance with established standards and protocols (e.g. procedures or laws/regulations specific to the company's domain) but also to benefit from the expertise of an auditor.

In what context and how often should they be used?

Considering the cost of these audits, the frequency is logically lower than vulnerability scans. It also depends greatly on the exposure of your company and the industry in which it operates: a financial institution or a pharmaceutical company will tend to conduct these audits more regularly.

On average, it is therefore recommended to organize at least one audit per year, and ideally one per quarter. These audits may also be necessary in the event of a data breach, system upgrade, or data migration. Or more globally, any major change in your IS.

Advantages and disadvantages

Advantages:

  • Expertise and objectivity: an audit conducted by an external actor gives you more in-depth and relevant observations and recommendations. It also avoids the opacity or conflict of interest of an audit conducted internally.
  • Regulatory: an audit gives you a "stamp", i.e. proof that your IS complies with certain standards. It can also prepare you for a more official audit (government, organizations such as ANSSI, etc.).

Disadvantages:

  • Cost: calling on an external service provider is indeed more expensive than a vulnerability scan or even an audit conducted internally.
  • Time: the expert must take the time to familiarize himself with your IS and your business issues in order to make the best possible recommendations.

But what does this have to do with our house?

This time you ask your neighbor, a police officer, to carry out the previous exercise for you. He will have a more objective and sharper eye on the security of your house and, above all, knows the security standards of the market.

Not only will he be able to observe the potential flaws in your home (as you do), but he will also make recommendations to bring your home up to market standards: armored door, five-point lock, burglar-proof glass... However, he is still only observing and not trying to break into your home.

Level 3: Penetration testing, or "pentesting"

What is it?

The penetration test allows you to contextualize an attack and exploit the flaws found. In the end, it is a more realistic and concrete audit: you mandate an external person to put himself in the shoes of a hacker and attack your IS (applications, servers, network).

It is even possible to physically simulate a real attack scenario, by simulating the theft of a developer's workstation for example.

There are three ways to conduct these pentests:

  • Black box: the attacker has no access to or information about your IS. This mode simulates an attack by a hacker who is completely foreign to your company.
  • Grey box: the attacker has some access to your IS. This mode of operation simulates, for example, an intrusion attempt by a former employee who no longer has all the latest information.
  • White box: the attacker has all the necessary access to your IS. This mode of operation simulates, for example, an intrusion attempt by an employee of the company, or by an attacker who has obtained access from inside the company. It is therefore a method that is very close to the security audit, the intention being slightly different (intention to compromise vs. compliance objective).

To see this in practice, you can follow a Kubernetes cluster attack performed by Thibault, CTO of Padok Security, in July 2021.

In what context and how often should it be used?

As with security audits, the frequency depends greatly on your exposure and the industry in which your company operates. However, make no mistake: all sites and applications face risks. For highly sensitive applications, it is advisable to test slightly more often than market standards suggest.

For an application that is not very exposed, it may be sufficient to perform one at each major version upgrade.

Advantages and disadvantages

Advantages:

  • Realism/relevance: the pentest is the most concrete approach to simulate a real attack, so the report is less hypothetical and the recommendations very actionable.

Disadvantages:

  • Risk: by simulating a real attack, you fully expose the security of your IS. A poorly calibrated pentest can have consequences such as data corruption or server crashes.
  • Ethics: since the techniques used are the same as those used by real hackers, it is important to probe and know how these pentests may be perceived by your employees, your customers, your service providers, etc.

But what does this have to do with our house?

This time you ask this same neighbor, still stationed at the local police station, to break into your home, but through a specific and particularly sensitive place: your front door.

His objective is to gain access and try to compromise as many valuables inside your house as possible, to analyze the main flaws, and to list what can easily be stolen.

However, you can choose between three approaches:

  • White box: you give him not only the keys to your front door, but also to your garage, safe, etc.
  • Grey box: you only give him the keys to your front door.
  • Black box: you give him nothing and see if he manages to enter your home.

This practical test will allow you to confront the assumptions you had about the security of your house with reality. And maybe that 18th century lock you were so fond of will turn out to be much stronger than the scan or audit reports indicated...

Conclusion

Several approaches allow you to analyze the security level of your information system. It is possible to combine several of them, but your decision will depend on several criteria: the sensitivity of your company's environment, the size of your IS, as well as the time and budget you wish to allocate.

If you want to dig deeper into the subject, or if your company is already mature enough on it, a fourth approach is likely to interest you: the "Red Team" pentest.

Derived from the classic pentest, this approach covers a much larger perimeter (an entire IS for example), spreads over a longer period of time (several months), and implies that very few people in your company are aware of it.

Do you want to take action? Do not hesitate to contact us!