Tried, Tested and Proven

A brief insight into one of the interesting, more involved, consultancy engagements that Portcullis offers.

Striking a balance…

It is good sometimes to balance the usual effort of breaking into systems during a penetration test with helping to fix the issues that one finds. Compliance auditing and management is an important activity that takes place on the other side of the fence. New systems and technologies usually go through a compliance auditing and certification procedure that checks that the deployment and configuration of the various components follows industry-standard good security practice. The process is an interactive one: the consultant identifies the weak spots, the project team remediates them, and the consultant re-tests to confirm that compliance has been met.

If only things were that simple…

As you can imagine, it is not as simple as that. Solutions may not be deployed in the same way, even when the same technologies are used. Clients usually have their own business and operational requirements that may not agree with what you are recommending. There may be time constraints imposed by the project or the client to go live without fully remediating the issues. These are just some of the obstacles that the consultant may encounter and have to work with to help the client move through the compliance process.

Aiming for the stars…

Following some simple steps can really help to streamline the process. The first step should be to determine which benchmark is to be used for the auditing phase. In short, a benchmark is usually a consensus-based, good-practice security guide produced by government, business or academia. Examples include the Center for Internet Security (CIS) Benchmarks, the Defense Information Systems Agency (DISA) STIGs, National Institute of Standards and Technology (NIST) guidance and the Federal Desktop Core Configuration (FDCC), to name but a few. Once a benchmark has been selected, the rest of the process should be fairly clear, as the consultant has a target to aim for. The client may have their own internally defined benchmark for certain settings, so this should be taken into consideration when performing the audit, and any deviation from the public benchmark should be recorded so that the final certificate states exactly what was tested against.

Getting your hands dirty…

Now that you have the guides to the desired outcomes, how do you conduct the actual audit? Don't worry: thanks to some effort on the part of organisations and generous individuals, there are tools that can be used to automate the process. One of the most commonly used tools for this purpose is the Tenable Nessus scanner. The compliance auditing engine that comes as part of the scanning options takes a benchmark expressed as a Nessus .audit file and compares each check in it against the running configuration of the device, reporting every item as passed, failed or in need of manual review. Many benchmark audit files have already been written and are available as part of the Nessus subscription.

As you can probably imagine, the process of defining a hardening standard for a new technology takes some time. It is usual for the consultant to encounter a situation where a new technology has been deployed that does not yet have an audit file created for it within Nessus. Not to worry: as part of the consultancy service, Portcullis will create a tailored audit file for just this situation. Portcullis has created audit template files for many newly emerged technologies, which have been instrumental in delivering a high standard of service to clients.

Round and round we go…

As we have already mentioned, the actual audit is an iterative process. Review the running configuration of the device and report the failures back to the project for remediation. We keep doing this until the technology has no further failures and is compliant. In the end, a certificate of compliance is issued for the device configuration in question.
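To make the mechanics concrete, here is an added example (not Portcullis code and not a Nessus .audit file) of the audit-and-remediate loop described above. It models a benchmark as a list of regex/expect checks, in the same spirit as a Nessus custom item, runs them against a constructed sshd_config, and repeats the audit after each round of fixes until nothing fails. The benchmark rules, the sample configuration and the remediation rounds are all made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of a running sshd_config captured from a device under audit.
SAMPLE_SSHD_CONFIG = """\
# OpenSSH server configuration (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 6
"""


@dataclass(frozen=True)
class AuditCheck:
    """One benchmark check: `regex` selects the line carrying the setting,
    `expect` is the pattern a compliant value must match. A directive that is
    absent from the configuration counts as a failure, not a pass."""
    description: str
    regex: str
    expect: str


# Hypothetical benchmark of CIS-style SSH settings, written for this example.
SSH_BENCHMARK = [
    AuditCheck("Idle sessions time out (ClientAliveInterval set)",
               r"^\s*ClientAliveInterval\b", r"^\s*ClientAliveInterval\s+[1-9]\d*\s*$"),
    AuditCheck("MaxAuthTries is 4 or less",
               r"^\s*MaxAuthTries\b", r"^\s*MaxAuthTries\s+[1-4]\s*$"),
    AuditCheck("Password authentication is disabled",
               r"^\s*PasswordAuthentication\b", r"^\s*PasswordAuthentication\s+no\s*$"),
    AuditCheck("Root login over SSH is disabled",
               r"^\s*PermitRootLogin\b", r"^\s*PermitRootLogin\s+no\s*$"),
    AuditCheck("X11 forwarding is disabled",
               r"^\s*X11Forwarding\b", r"^\s*X11Forwarding\s+no\s*$"),
]

# Hypothetical fixes the project team applies between audit rounds; the first
# round deliberately leaves some items unremediated, as happens in practice.
REMEDIATION_ROUNDS = [
    {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
    {"MaxAuthTries": "4", "ClientAliveInterval": "300"},
]


def run_audit(config_text, checks):
    """Evaluate every check; returns {description: (passed, effective_line)}."""
    lines = [l for l in config_text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    results = {}
    for chk in checks:
        # sshd keywords are case-insensitive, so match them that way
        hits = [l for l in lines if re.search(chk.regex, l, re.IGNORECASE)]
        if not hits:
            results[chk.description] = (False, None)
            continue
        effective = hits[0]          # sshd honours the first occurrence
        passed = re.match(chk.expect, effective, re.IGNORECASE) is not None
        results[chk.description] = (passed, effective)
    return results


def failures(results):
    """Sorted list of failed check descriptions, ready to report to the project."""
    return sorted(d for d, (ok, _) in results.items() if not ok)


def apply_remediation(config_text, settings):
    """Simulate the fix: replace the first occurrence of each directive, or append it."""
    lines = config_text.splitlines()
    for key, value in settings.items():
        pat = re.compile(r"^\s*" + re.escape(key) + r"\b", re.IGNORECASE)
        idx = next((i for i, l in enumerate(lines) if pat.match(l)), None)
        if idx is None:
            lines.append(f"{key} {value}")
        else:
            lines[idx] = f"{key} {value}"
    return "\n".join(lines) + "\n"


def audit_until_compliant(config_text, checks, remediation_rounds):
    """Audit, report, remediate, re-test; stops when no check fails or fixes run out.
    Returns the final configuration and the list of failures seen in each round."""
    history = []
    for plan in list(remediation_rounds) + [None]:
        failed = failures(run_audit(config_text, checks))
        history.append(failed)
        if not failed or plan is None:
            break
        config_text = apply_remediation(config_text, plan)
    return config_text, history


if __name__ == "__main__":
    final_config, rounds = audit_until_compliant(SAMPLE_SSHD_CONFIG, SSH_BENCHMARK,
                                                 REMEDIATION_ROUNDS)
    for n, failed in enumerate(rounds, 1):
        print(f"Round {n}: {len(failed)} failure(s)", *failed, sep="\n  ")
    print("Compliant" if not rounds[-1] else "Still non-compliant")
```

Two design points carry over to real engagements: an absent directive is treated as a failure rather than silently passing, because the benchmark's intent is that the setting be explicitly enforced; and each round re-runs the full benchmark rather than only the previously failed items, so a remediation that regresses an earlier pass is caught.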

Light at the end of the tunnel…

This process can take some time to complete; it all depends on how many different technologies need to be compliant. Looking on the bright side, going through the pain once is all that is really needed, as the audit is highly repeatable with little additional effort across a large network estate that uses the same technology, provided the same benchmark and build standard are applied to each device.

Faisal Dean

To speak to one of our Consultants call us on 0208 868 0098 or get in touch via our Contact Us page
