Performing an information security gap analysis against an enterprise network is highly advantageous, but rarely done correctly. First, an organization must understand its purpose before it will
An organization should use a network security gap analysis to find holes in its networks and help uncover areas that need attention. The security team may or may not already be aware of the gaps that are discovered, but the process serves as an opportunity to find and fix network security issues that can be remedied with minimal work, and bring more complex, glaring problems to upper management in a formal way.
When performing a gap analysis against a network, an organization needs a benchmark to compare its environment against, normally one or more standards or regulations that apply to the organization or its industry. Many such frameworks are available. Some are mandated, such as the Payment Card Industry Data Security Standard (PCI DSS); others, such as the publications from the National Institute of Standards and Technology (NIST), are sound examples of how to apply standards and good business practice. Few organizations meet any standard to the letter, and the gaps the analysis discovers should be used to identify the areas that need attention afterward. If the chosen framework does not cover everything the organization needs, it can combine controls from other standards into a single initial benchmark; depending on the industry and environment, no single framework is likely to fit perfectly, and using one standard as the core benchmark supplemented by controls from others is completely normal. Administrators must use their judgment about which controls to include, and the final shape of the benchmark is the organization's call. A published framework is an authoritative starting point, but the organization should still select controls based on its own criteria and business objectives. The benchmark can be changed later, but it should be finalized as far as possible before the analysis starts, so that every finding is measured against the same yardstick.
A gap analysis can be broken down into four major areas: policy and procedure, auditing, technical review and findings/prioritization summary. Each of those four phases is reviewed below.
Information security gap analysis step 1: Policy and procedure
During this initial phase, an organization needs to review every written or electronic policy and procedure that governs its network against its current network security policy. Worse than a missing policy is a stale one that sits unrevised and unused on a network file share. Remove the unneeded, update the current, delete the obsolete and add any new policies in written form. If network security policies are not reviewed on a regular basis, they are absolutely useless to the organization. Firewall changes are a good illustration. What is the policy for making changes? Who can request, approve and implement a firewall change? The business needs to know the policy for requesting a change, management needs to understand the approval process, and administrators need standard operating procedures for completing the change correctly.
Information security gap analysis step 2: Auditing
The second phase of gap analysis is auditing: reviewing the selected framework alongside the updated policies and procedures, and verifying that the organization actually follows its own policies by measuring them against the framework's requirements. The analysis is not just a technical issue, but a human one too. For example, engineers need to know the policy they must follow when changing a firewall: they must open the appropriate change management tickets and have them reviewed before the change is made.
When auditing open ports on a firewall, for instance, an organization should be able to produce the approved change-control ticket for each one. A hole in the firewall with no change control behind it is a gap that is both procedural and technical. The selected framework guides which ports should be open, so auditing the network with the framework in mind lets the organization conclude that a hole exists and must be filled. Keeping with the firewall example, if port 3389 (RDP) were opened inbound, first locate the change control for that change; this audits the procedure. Then go a step further and apply the framework to determine whether exposing that port inbound violates the framework and the organization's own standards; this audits the control itself. Tying the procedural check to the framework check is how policy auditing and the benchmark work together.
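The reconciliation described above can be scripted so it runs the same way every audit cycle. The following Python script is an added example and is not code from the article or its author: it parses a constructed firewall rule export in a generic CSV layout (real vendor exports differ and would need their own parser), checks every rule for an approved change ticket (the procedural check), and checks inbound rules against an illustrative framework-derived baseline of ports that must never be reachable from any source (the technical check). The rule IDs, ticket numbers, addresses and the baseline port set are all hypothetical.

```python
"""Reconcile a firewall rule export with change-control tickets and a
framework-derived baseline, flagging procedural and technical gaps."""
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample rule export (hypothetical; not from the article).
SAMPLE_EXPORT = """\
rule_id,direction,proto,port,src,dst,ticket
fw-001,inbound,tcp,443,0.0.0.0/0,10.0.1.10,CHG-1041
fw-002,inbound,tcp,3389,0.0.0.0/0,10.0.1.20,
fw-003,inbound,tcp,22,203.0.113.0/24,10.0.1.30,CHG-1099
fw-004,inbound,tcp,3389,198.51.100.0/24,10.0.1.40,CHG-1050
fw-005,outbound,tcp,25,10.0.0.0/8,0.0.0.0/0,CHG-1102
"""

# Constructed set of tickets that were reviewed and approved (hypothetical;
# in practice this is pulled from the change-management system).
APPROVED_TICKETS = {"CHG-1041", "CHG-1099", "CHG-1102"}

# Illustrative baseline derived from the chosen framework: services that
# must never be open inbound from any source. Not taken from any specific
# standard; adjust it to the benchmark the organization selected.
INBOUND_DENY_FROM_ANY = {22, 3389, 445}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    direction: str
    proto: str
    port: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ticket: Optional[str]


@dataclass(frozen=True)
class Finding:
    rule_id: str
    kind: str    # "procedural" (no approved change) or "technical" (baseline violation)
    detail: str


def parse_rules(export: str) -> List[Rule]:
    """Parse the CSV export into Rule objects; an empty ticket column becomes None."""
    rules = []
    for row in csv.DictReader(io.StringIO(export)):
        rules.append(Rule(
            rule_id=row["rule_id"],
            direction=row["direction"].strip().lower(),
            proto=row["proto"].strip().lower(),
            port=int(row["port"]),
            src=ipaddress.ip_network(row["src"].strip(), strict=False),
            dst=ipaddress.ip_network(row["dst"].strip(), strict=False),
            ticket=row["ticket"].strip() or None,
        ))
    return rules


def audit_rules(rules: List[Rule], approved: Set[str], deny_from_any: Set[int]) -> List[Finding]:
    """Apply both audit-phase checks to every rule.

    Procedural: each rule must reference a ticket that appears in the approved set.
    Technical:  no baseline-restricted port may be open inbound from any source
                (a source of 0.0.0.0/0, i.e. prefix length 0).
    """
    findings = []
    for r in rules:
        if r.ticket is None:
            findings.append(Finding(r.rule_id, "procedural", "no change ticket recorded"))
        elif r.ticket not in approved:
            findings.append(Finding(r.rule_id, "procedural",
                                    f"ticket {r.ticket} not found among approved changes"))
        if r.direction == "inbound" and r.port in deny_from_any and r.src.prefixlen == 0:
            findings.append(Finding(r.rule_id, "technical",
                                    f"{r.port}/{r.proto} open inbound from any source; baseline forbids this"))
    return findings


def finding_kinds(findings: List[Finding], rule_id: str) -> List[str]:
    """Return the sorted finding kinds raised against one rule (empty if clean)."""
    return sorted(f.kind for f in findings if f.rule_id == rule_id)


if __name__ == "__main__":
    for f in audit_rules(parse_rules(SAMPLE_EXPORT), APPROVED_TICKETS, INBOUND_DENY_FROM_ANY):
        print(f"{f.rule_id}: [{f.kind}] {f.detail}")
```

Run against the constructed data, the script reports fw-002 twice (no ticket, and RDP open to the world), fw-004 once (its ticket was never approved, even though the source is restricted), and nothing for the remaining rules. Keeping the two checks separate matters: a rule with a valid ticket can still violate the baseline, and a baseline-compliant rule with no ticket is still a procedural gap.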
Information security gap analysis step 3: Technical review
Phase three of gap analysis is a technical review of the network. It is tightly bound to the audit phase, but leans on the framework rather than on policy and procedure. In the auditing phase, the organization applies the framework to its policies and procedures to ensure they comply with the chosen standard. In the technical review phase, it verifies that its technical infrastructure meets the framework and reviews the security of its systems at a granular level. If the framework states, for example, that an IPS must be deployed and that the firewall must perform egress filtering, the organization should verify that both are actually in place. If not, it needs to put technology in place to fill those holes.
The purpose is to verify that the appropriate technical controls exist. This eventually feeds back into the audit, but the benchmark must be settled first so that each control is checked against a fixed requirement. Ask questions such as: Is antivirus running on all servers? Is there a vulnerability management program? Are databases encrypted? These are examples of controls a framework would specify for comparison. Answering them shows the organization where it stands against current standards.
Information security gap analysis step 4: Findings and a prioritization summary
Lastly, phase four is the review of findings and the prioritization of remediation tasks. In this phase, the organization reviews the findings of the earlier phases, appraises what was found and arranges tasks to close the holes. This includes meeting with management and interviewing anyone who can supply more information. It also includes addressing holes in policy and procedure, deciding which fixes are needed immediately and determining what must be in place technically to meet the current benchmark.
Prioritization should cover findings from all phases; each gap needs to be discussed and assigned an owner and a timeline before it can be considered closed. A gap analysis should also be repeated on a regular basis so the organization does not backslide into bad habits. Keep a running list of areas that need improvement; the audit team can add to it while performing spot audits between scheduled gap analyses. When an exception is found, review the relevant area of the framework. The goal is consistent adherence to the framework, not an annual clean-up. When issues are discovered, they should be fixed immediately or brought to the attention of upper management.
Remember that a network security gap analysis is not an easy task, and it can take a long time to comply with the selected framework's standards. The analysis may unearth some unpleasant discoveries, but that is the purpose of the exercise. The ultimate goal is to protect the organization from those who intend to harm it, which means finding these issues before the adversary does.
About the author:
Matthew Pascucci has more than 10 years of experience in IT and is currently an information security analyst in the financial sector. He holds multiple certifications and is actively involved with InfraGard to help educate others in information security. You can follow his blog at www.frontlinesentinel.com or on Twitter at FrntLineSentneL.
This was first published in March 2012