Controlling risk

In a recent article published online at the JFK School of Government at Harvard, Malcolm Sparrow talked about how controlling risk is a central challenge for government regulators charged with reducing societal ills and preventing bad things from happening.

Professor Sparrow notes there does not seem to be a well-established language for risk assessment.

We think it is interesting to analyze the causes of this situation:

1. We believe that US and EU government regulators are responsible for the focus on the compliance process, as opposed to a focus on cost-effective risk mitigation (which does have a common language: dollars and Euros). It is ironic that regulation which was primarily created for consumer protection has turned into an onerous corporate audit activity far removed from the original charter of protecting customers.

Regulators generally provide a checklist of things companies must do and, in the case of Sarbox, a general statement of financial reporting guidelines (section 404 of SOX). When government uses a regulatory stick with business organizations, we are essentially telling them that research into understanding the root cause of risk is a non-value-added activity. Ours is not to reason why…

2. However, an excellent methodology for understanding the root cause of risk already exists, and it is complementary to the compliance process. The methodology is called threat modeling. Threat modeling is a mature methodology with implementations from Microsoft and groups like PTA (Practical Threat Analysis) Technologies.

In threat modeling exercises, analysts and business decision makers use a model of assets, vulnerabilities of those assets, threats (that attack by exploiting vulnerabilities) and countermeasures (that mitigate threats). Threat modeling provides a common language that any person working in an organization can understand.

You can download the free risk assessment tool PTA Professional - we’d be happy to hear if you also think that threat modeling is a useful tool for risk assessment. Please feel free to contact us at any time by phone or email.

The biggest bugs are hiding in the cracks

The biggest bugs are hiding in the system integration interfaces your integration team glued on the day before delivery. They go home, you might get fired.

Perhaps you have been in this situation before:

You’re a CIO/VP IT/IT manager and you’re preparing to implement a packaged business application - for example a new CRM system. Something in the back of your mind says that the vendor’s development organization is probably not a lot different than yours (although you hope they’ve thought through the security issues first). What should you do?

  • First inspect and penetration-test the system using black-box testing.
  • Then, using white-box testing - assess infrastructure components, database interfaces and Web applications for vulnerabilities using our Legacy Risk Analysis Loop technique.
  • We will help you identify fault-prone modules in your particular operation and evaluate those modules with the most impact on system reliability and downtime.
  • We can go in and perform an onsite audit of the vendor secure software development practices during your RFP/RFI/pre-purchase stages.

This process gives your organization a much better picture of software defects before you send the vendor the purchase order. Our Web collaboration tool supports continuous risk analysis and management with two main applications: a knowledge base and an issue tracker.

The database of standard CVSS scores for components and CLASP problem type classifications is always available to the entire organization. Users can add new entities and modify scores as the business environment changes. Using the issue tracker you get:

  • A consistent thread of requests, changes and open action items during the risk analysis process, in particular in the Validate findings step
  • An updated implementation status of countermeasures.
  • Real-time status tracking where, unlike email, issues cannot get lost or be ignored!

Automating ISO 27001 security audits

Why not use Excel for an ISO 27001 audit?

Excel is easy to use, but you can lose or destroy your data pretty easily. Although ISO 27001 has a one-dimensional hierarchical structure of controls, you can get into big trouble once you try to link controls to vulnerabilities, assets and threats. The model starts getting multi-dimensional and that’s where Excel breaks down quickly.
The biggest problem is prioritizing your security control implementation. ISO 27001 provides standards for the right controls, but it does not have the functionality to weigh control cost against risk damage cost. In early 2007 we started looking for a tool that would help us automate the entire ISO 27001 life cycle, from data collection through risk analysis to producing a cost-effective, prioritized control implementation plan. We felt that threat modeling would be a good way to add the additional dimensions of assets, vulnerabilities and threats to the ISO 27001 security control model.

What is PTA (Practical Threat Analysis)?

PTA Professional is free threat modeling software that can be downloaded from the PTA Technologies Web site. The PTA ISO 27001:27005 library is available for free download and distribution, licensed from the Control Policy Group under the Creative Commons Attribution License.

Feel free to download and introduce the PTA ISO 27001 library to your colleagues and promote it via postings to security forums and adding links to our web site. We wish to freely distribute the ISO 27001:27005 library to the security community and hope that its popularity and availability will contribute to your productivity and let you benefit from the experience of security colleagues world wide. Contact us at any time with questions or suggestions for improvement.

How PTA helps automate ISO 27001

The PTA data model includes assets, threats, vulnerabilities (that are exploited by threats) and controls (that mitigate vulnerabilities).  The PTA threat model entities are measured in dollar values and enable a security analyst to quickly calculate threat impact and optimal security control plan.

By using PTA for ISO 27001 you get a robust database for the data collection and a user-friendly application that runs on all versions of Windows. PTA Professional helps you understand how threats exploit vulnerabilities to create risk. During an ISO 27001 audit, PTA helps you store your findings, produce reports, prioritize controls and save money on the security control implementation.

Motivation

ISO Standards

The ISO standard for information security risk assessments, ISO 27001, continues to gain a reputation for helping organizations improve their business practices and protect information assets. ISO 27001 is both important and increasingly popular for two reasons:

  1. Compliance
  2. The need to achieve the most effective risk mitigation controls

Perhaps one of the more significant comments that underscores the relevance of ISO 27001 for the industry was made last year by ISO Secretary-General Alan Bryden:
“SMEs may mistakenly perceive of International Standards as being only for big business and government. In fact, SMEs too can benefit from the state-of-the-art technology and management practices disseminated by International Standards which also open the door to export markets and participation in global supply chains”.

Compliance

Standards and privacy compliance regulation like ISO, SOX and PCI are fueling demand to improve information security practices. It has become a trend trickling up and down the value chain of regulators, customers and suppliers. Customer data breach incidents have steeply increased over the past 3 years, pouring additional fuel on the value chain of compliance. Once the exclusive domain of large institutions, risk assessments are now being performed by many SMEs as their customers call on them to manage their data better and prove it by certifying to ISO 27001.

Attaining effective risk reduction

The output of an ISO 27001 risk assessment is two fold:

  1. Certification
  2. Identify appropriate risk reduction controls for the organization

The certification process can be as simple or as involved as an organization wants, but there are always far more available controls than threats, and so organizations, large and small, find themselves coping with a long and confusing shopping list of controls. You can implement the entire checklist of controls (if you have deep pockets), you can do nothing, or you can try to achieve the most effective purchase and risk control policy (i.e. get the most for your security investment dollar) with a set of controls optimized for your business situation.

It is worth noting at this point that additional security controls do not necessarily reduce risk.

Modifying your existing infrastructure (like firewalls and proxies) and installing more security products is never a free lunch and tends to increase the total system risk and cost of ownership, as a result of the interaction between the elements. Many firms see the information security issue as mainly an exercise in Access Control (Section 11 of ISO 27001) that requires better permissions and identity management (IDM). However, further threat analysis reveals that (a) IDM does not mitigate the threat of a trusted insider with appropriate privileges and (b) the majority of IDM systems are notorious for requiring large amounts of customization (as much as 90% in a large enterprise network) and may actually contribute additional vulnerabilities instead of lowering overall system risk.

The result of providing inappropriate countermeasures to threats is that your cost of attacks and ownership goes up, instead of your risk going down.

The PTA ISO 27001 library enables a risk analyst to provide a quantitative risk model to her client and construct an economically-justified, cost-effective set of countermeasures that reduces risk in the customer’s business environment. More importantly, a company can execute a “gentle” implementation plan of controls concomitant with its budget instead of an all-or-nothing checklist implementation that massively erodes the competitiveness of the business.

ISO 17799 compared to ISO 27001

ISO 17799 is Part 1 of BS 7799 (the ISO standard for information security). ISO 17799 is a code of best practice for information security management and provides practical guidance on implementation of the security controls that should be implemented on the basis of the ISO 27001 risk assessment. ISO 17799 will be renumbered to ISO/IEC 27002 in the course of 2007.

ISO 27001, Part 2 of BS 7799, is the risk assessment standard for certification and sets the requirements that an organization must fulfill in order to establish an information security management system. The PTA ISO 27001:27005 library is a full implementation of the ISO 27001 compliance checklist. If you find that ISO 17799 is more relevant to your practice, please contact us and we may consider development of a PTA library for this standard as well.

How we created the PTA ISO 27001 library

ISO 27001 contains 185 items in 11 sections, where each item has a reference number and describes a security policy and a corresponding security control. For example, item 6.1.5 is a “Confidentiality agreements” security policy with the following control: “Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified and regularly reviewed”.

First we needed to map the ISO 27001 data model to the PTA threat model concept, which is composed of threats, vulnerabilities, assets and countermeasures.

Unlike PTA, the ISO data model does not refer to particular threats or assets. We realized that the top level items in each section (numbered x.y) mapped nicely to PTA vulnerabilities and that the sub-items (numbered x.y.z) were controls that translate directly to PTA countermeasures. For example:

06.1 “Internal organization; information security is lacking or not well-defined” can be easily defined as a PTA threat model vulnerability mitigated by the following PTA threat model countermeasures:

  • 6.1.1 Management shall actively support security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgement of information security responsibilities.
  • 6.1.2 Information security activities shall be co-ordinated by representatives from different parts of the organization with relevant roles and job functions.
  • 6.1.3 All information security responsibilities shall be clearly defined.
  • 6.1.4 A management authorization process for new information processing facilities shall be defined and implemented.
  • 6.1.5 Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified and regularly reviewed.
  • 6.1.6 Appropriate contacts with relevant authorities shall be maintained.
  • 6.1.7 Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
  • 6.1.8 The organization’s approach to managing information security and its implementation (i.e. control objectives, policies, processes, and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes to the security implementation occur.

After the conceptual mapping of the ISO 27001 data model to the PTA threat model, we used the import-entities-from-text-file function of the PTA Professional Edition to load an Excel worksheet of the ISO 27001 checklist into a baseline PTA threat model of vulnerabilities and countermeasures, which we then packaged as a PTA library.
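To make the mapping concrete, here is an added example (our own illustration, not the PTA import function) that reads a checklist export and builds the two entity types from the reference numbers: an x.y item becomes a vulnerability, an x.y.z item becomes a countermeasure linked to its parent. The one-item-per-line "ref<TAB>text" format is an assumption standing in for the Excel worksheet; the sample rows are the section 6.1 items quoted above, shortened.

```python
"""Map an ISO 27001 checklist export onto threat-model entities.

Constructed illustration of the mapping described above; this is not the PTA
"import entities from text file" function. The input format (one item per
line, "ref<TAB>text") is an assumption standing in for the Excel worksheet.
"""
from dataclasses import dataclass, field


@dataclass
class Countermeasure:
    ref: str           # sub-item number, e.g. "6.1.5"
    name: str          # the ISO control text
    mitigates: str     # ref of the parent vulnerability, e.g. "6.1"
    cost: float = 0.0  # the library is cost-agnostic; the analyst fills this in


@dataclass
class Vulnerability:
    ref: str           # top-level item number, e.g. "6.1"
    name: str
    countermeasures: list = field(default_factory=list)


def normalize_ref(ref):
    """Canonical reference: '06.1' -> '6.1', ' 6.1.5 ' -> '6.1.5'."""
    return ".".join(str(int(part)) for part in ref.strip().split("."))


def parse_checklist(text):
    """Return ({vuln_ref: Vulnerability}, [orphan Countermeasure]).

    x.y items become vulnerabilities, x.y.z items become countermeasures
    linked to their parent. A sub-item whose parent never appears is kept
    as an orphan so the analyst can see what failed to link.
    """
    vulns, orphans = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ref, sep, name = line.partition("\t")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: expected 'ref<TAB>text'")
        ref = normalize_ref(ref)
        depth = ref.count(".")
        if depth == 1:
            vulns[ref] = Vulnerability(ref, name.strip())
        elif depth == 2:
            parent = ref.rsplit(".", 1)[0]
            cm = Countermeasure(ref, name.strip(), parent)
            if parent in vulns:
                vulns[parent].countermeasures.append(cm)
            else:
                orphans.append(cm)
        else:
            raise ValueError(f"line {lineno}: unexpected reference depth in {ref!r}")
    return vulns, orphans


# Constructed excerpt in the assumed export format (section 6.1, shortened).
SAMPLE_CHECKLIST = "\n".join([
    "# ref\ttext",
    "06.1\tInternal organization; information security is lacking or not well-defined",
    "6.1.1\tManagement shall actively support security within the organization",
    "6.1.2\tInformation security activities shall be co-ordinated across the organization",
    "6.1.3\tAll information security responsibilities shall be clearly defined",
    "6.1.4\tA management authorization process for new information processing facilities shall be defined",
    "6.1.5\tRequirements for confidentiality or non-disclosure agreements shall be identified and regularly reviewed",
    "6.1.6\tAppropriate contacts with relevant authorities shall be maintained",
    "6.1.7\tAppropriate contacts with special interest groups shall be maintained",
    "6.1.8\tThe organization's approach to managing information security shall be reviewed independently",
])


if __name__ == "__main__":
    vulns, orphans = parse_checklist(SAMPLE_CHECKLIST)
    for v in vulns.values():
        print(f"Vulnerability {v.ref}: {v.name}")
        for cm in v.countermeasures:
            print(f"  countermeasure {cm.ref}: {cm.name}")
    print(f"{len(orphans)} orphan sub-items")
```

Orphans are reported rather than silently dropped because a sub-item that fails to link is exactly the kind of defect that disappears inside a spreadsheet and only surfaces when a control never shows up in the optimized plan.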

How analysts use the PTA ISO 27001 library

The standard specifies that the organization should use a systematic approach to risk assessment (method of risk assessment, legal requirements, policy and objectives for reducing the risks to an acceptable level). The PTA ISO 27001 library provides not only a systematic, but also a quantitative approach to risk assessment that adds a great deal of value by enabling you to arrive at a set of controls optimized for your business situation.

You will discover that doing a risk audit process with the PTA ISO 27001 library is faster, easier and a lot more robust than with an Excel spreadsheet.

An ISO 27001 risk assessment typically involves a two-stage process:

Stage 1 is a “table top” review of the existence and completeness of key documentation for Security Policy and Information Security Management System (ISMS). This would be done by cycling through the PTA threat model, tagging top level vulnerabilities with a status and storing appropriate documentation in the model, while linking to the appropriate entity.

Stage 2 is a detailed, in-depth audit that tests existence and effectiveness of control policies as well as their supporting documentation. Controls that already exist would be marked as “Already Implemented” in PTA Professional Edition countermeasures detail screen. Other controls needing work, would be tagged with an action-required status (see the tagging option of the PTA tool).

PTA ISO 27001 step by step

Here is how you would use the ISO 27001 PTA library for a risk assessment (after installing the PTA Professional Edition freeware on your workstation):

  • Step 0 - Fire up PTA
  • Step 1 - Load the ISO27001.2.thl library into your own threat model or just open the ISO27001.2.thm data model in its entirety
  • Step 2 - Create assets with valuations
  • Step 3 - Enter the costs of countermeasures (the PTA ISO 27001 library that we provide is agnostic that way - we figure everyone has their own estimates of how much a control policy should cost).
  • Step 4 - Run the Optimized Countermeasure report - and you have now just built a cost-justified plan of controls compliant with ISO 27001.
  • Step 5 - During and after implementation of controls, don’t forget that you can return to PTA at any time and reevaluate the risk profile and your progress in the process of continuous risk mitigation. For a structured methodology for continuous security assessment see the excellent article on the Software Associates web site, Practical software security assessment.

In order to illustrate the power of the PTA ISO27001 library, we built a simple model with assets and threats - download the threat model and you will be up and running in just a few minutes.

We hope that PTA for ISO 27001 will help facilitate your ISO certification and risk assessment practice - feel free to download PTA for ISO 27001:27005 and let us know what you think! The PTA Professional Edition free risk assessment software is available for download here.

Best practice controls for information security management

Copyright 2007 Control Policy Group
Licensed under the Creative Commons Attribution License
Abstract

This post reviews the main areas of concern for protecting information assets from internal threats and vulnerabilities. It starts with an anecdote from an interview with a senior manager and concludes with a recommendation for implementing an approach that protects data directly (as opposed to commonly-used methods that attempt to protect the network and limit user permissions).

The background to the problem

We start by sharing an anecdote taken from an interview with a senior manager at a bank.

…I’m not concerned about data theft. We’ve outsourced our entire IT operation to a big bank’s data center and they’re up to speed on information security. I can always go back to the logs and figure it out if something happens.
Vice President Internal Audit of a private banking institution with $5BN in assets.

Just 2 months later, the “big bank” had a major data theft event. Both banks missed their earnings estimates and took a beating in the market. Today the private institution is trying to break out of their 5 year outsourcing contract.

Extrusion is any unauthorized transfer of valuable data assets - credit cards, customer records, transactional information, source code or other classified information.

Extrusion has a strange nature that derives from unexpected actions by trusted insiders and systems in an environment assumed to be secure. For this reason, extrusion prevention requires both management and technology controls.

Management and technical controls for extrusion prevention

Human resources controls

Ensuring employee loyalty and reliability starts with HR, which has responsibility for hiring and guiding the management of employees. High-security organizations such as defense contractors or securities traders add additional screening such as polygraphs and security checks to the hiring process. Over time, organizations may sense personality changes, domestic problems or financial distress that indicate increased extrusion risks for employees in sensitive jobs.

Disconnect #1: HR isn’t accountable for the corporate brand and therefore doesn’t pay the price when trusted employees and contractors steal.

Internal audit

Extrusion prevention needs to be part of an overall internal audit process that helps an organization achieve its objectives in the areas of:

  • Operational effectiveness
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

Internal auditors in the insurance industry say regulation has been their key driver for risk assessment and implementation of preventive procedures and security tools such as intrusion detection. Born in the 1960s and living on in today’s Windows and Linux event logs, log analysis is still the mainstay of the EDP (electronic data processing) audit. Over the past 7 years our industry evolved to client-server computing, XML Web services and converged IP networks. Welcome to stateless HTTP transactions, dynamic IP addressing and Microsoft Active Directory, where your ability to audit network activity depends on which versions of Windows run on your workstations and servers. Offline analysis of logs has fallen behind and yields too little, too late for the EDP auditor!

Disconnect #2: EDP auditors have the job but they don’t have the tool.

Physical security

Physical security starts at the parking lot and continues to the office, with tags and access control. Office buildings can do a simple programming of the gates to ensure that every tag leaving the building also entered the building. Many companies run employee awareness programs to remind the staff to guard classified information and to look for suspicious behavior.
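The gate programming mentioned above is an anti-passback check, and it is small enough to show in full. The following is an added example (ours, not any access-control vendor's logic) run over a constructed day of badge events; the log format of time, tag id and IN/OUT direction is an assumption.

```python
"""Anti-passback check over a gate log.

Added illustration of the gate programming described above (every tag that
leaves must also have entered), not any vendor's product logic. The event
log is constructed; the format (time, tag id, "IN"/"OUT") is an assumption.
"""

# Constructed day of badge events at a single building entrance.
GATE_LOG = [
    ("07:58", "T-1001", "IN"),
    ("08:02", "T-1002", "IN"),
    ("08:05", "T-1002", "IN"),   # second entry with no exit: tag passed back over the gate
    ("12:30", "T-1001", "OUT"),
    ("12:31", "T-1003", "OUT"),  # exit with no recorded entry: tailgated in earlier
    ("13:15", "T-1001", "IN"),
    ("18:00", "T-1002", "OUT"),
]


def check_antipassback(events):
    """Return (violations, tags_still_inside).

    Each violation is (time, tag, reason). The check keeps the set of tags
    currently inside: an IN for a tag already inside, or an OUT for a tag
    never seen entering, breaks the "every exit had an entry" rule.
    """
    inside = set()
    violations = []
    for time, tag, direction in events:
        if direction == "IN":
            if tag in inside:
                violations.append((time, tag, "entry while already inside"))
            inside.add(tag)
        elif direction == "OUT":
            if tag not in inside:
                violations.append((time, tag, "exit with no matching entry"))
            inside.discard(tag)
        else:
            raise ValueError(f"unknown gate direction {direction!r} for {tag}")
    return violations, inside


if __name__ == "__main__":
    found, remaining = check_antipassback(GATE_LOG)
    for v in found:
        print("%s %s: %s" % v)
    print("still inside at end of log:", sorted(remaining))
```

The tags still inside at the end of the log are worth reporting too: a tag that never badged out is either a person still in the building or a tag that left through a door the gate does not see.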

Disconnect #3: Perfect physical security will be broken by a Nokia 3650 (cell-phone with camera)

Information security

Information security builds layers of firewalls and content security at the network perimeter, and permissions and identity management that control access by trusted insiders to digital assets, such as business transactions, data warehouses and files. This structure lulls business managers into a false sense of security. Let’s not forget that firewalls let traffic in and out, and permissions systems grant access to trusted insiders by definition. For example, an administrator in the billing group will have permission to log on to the accounting database and extract customer records using SQL commands. He can then zip the data with a password and extrude the file using a private Webmail account.

Content-security tools based on http/smtp proxies are used against viruses and spam. These tools weren’t designed for extrusion prevention; they don’t inspect internal traffic, they only scan authorized e-mail channels, they rely on file-specific content recognition and have scalability and maintenance issues. When content security tools don’t fit, we’ve seen customers roll out home-brewed solutions with open source software such as Snort and Ethereal. A client of ours recently used Snort to nail an employee who was extracting billing records with command line SQL and extruding the results by Web mail.

Disconnect #4: Relying on permissions and identity management is like running a retail store that screens you coming in but doesn’t put magnetic tags on the clothes to prevent you from wearing that expensive hat going out.

Implementing the controls

To correct the disconnects and protect your digital assets, you need CEO level commitment to management and technology controls. Your company’s management should mandate direct protection of digital assets in addition to conventional methods that protect the network, the servers and control access to resources by users.

  • Soft controls - Training and continuous behavior sensing
  • Direct controls - Good hiring and physical security
  • Indirect controls - Internal Audit

The management controls must be based on classifying your key digital assets in financial terms and what the damage and probability of impact of a threat might be.  The PTA (Practical Threat Analysis) freeware is a great way to do a risk assessment of your digital assets.
Mandate this direct approach independently of privileged system managers, permissions and identity management systems and complex perimeter security systems.

Getting the most cost-effective information security controls in IT operations

One of the most common problems a CIO or VP of information technologies faces is understanding which security products are the most effective. The cost of evaluating a new security technology can be very high, and often an IT manager will need to decide to implement a particular type of product (for example two-factor authentication) before she knows whether the products will be effective.

If you’re an IT executive you are probably familiar with this predicament:

  • You need to provide your CEO with financial justifications in Euro - not high or low risk.
  • You need security controls that don’t disrupt the business.

We recommend employing a 7-step process with the Practical Threat Analysis (PTA) free risk assessment software that will help you generate financial justification in dollar/Euro terms before the evaluation and implementation:

  • Step 1 - Assess your assets and valuate them
  • Step 2 - Assess and mitigate  threats:
    • Data leakage
    • Data abuse by trusted insiders
    • Network abuse by trusted insiders
  • Step 3 - Assess your vulnerabilities
  • Step 4 - Identify cost-effective security controls
  • Step 5 - Build the financial justification for the CEO. The output of our practical threat analysis process is a financial justification for an effective risk mitigation plan. The plan includes the most cost-effective countermeasures that reduce the risk level to a minimum at a given capital and variable cost.
  • Step 6 - Approve implementation plan
  • Step 7 - Implement the countermeasures
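Steps 1 to 5 above, like the PTA ISO 27001 step-by-step procedure earlier on this page, come down to one calculation: value the assets, attach probabilities and damage to threats, price the countermeasures, and pick the set that leaves the least risk for a given budget. The block below is an added example of that calculation written by us for illustration; it is not PTA's own algorithm. The risk arithmetic (expected loss = probability × asset value × damage fraction, with the residual factors of the selected countermeasures multiplying) and every figure in the model are assumptions constructed for the example.

```python
"""Quantitative threat model with a budget-constrained countermeasure plan.

Added illustration of steps 1-5 above (and of the ISO 27001 step-by-step
procedure earlier on the page). It is not PTA's own algorithm: the risk
arithmetic below (expected loss = probability x asset value x damage
fraction; the residual factors of selected countermeasures multiply) and
every figure are assumptions made for this example.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # financial valuation (step 1)


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str              # asset the threat damages
    probability: float      # chance of occurrence per year
    damage_fraction: float  # share of the asset value lost if it occurs
    vulnerability: str      # the vulnerability it exploits (step 3)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float             # capital plus variable cost for the period
    mitigates: tuple        # ((vulnerability, residual factor 0..1), ...)

    def residual_for(self, vulnerability):
        return dict(self.mitigates).get(vulnerability, 1.0)


def expected_loss(threat, assets, selected):
    """Annual expected loss of one threat after the selected countermeasures."""
    base = threat.probability * assets[threat.asset].value * threat.damage_fraction
    factor = 1.0
    for cm in selected:
        factor *= cm.residual_for(threat.vulnerability)
    return base * factor


def total_risk(assets, threats, selected=()):
    return sum(expected_loss(t, assets, selected) for t in threats)


def optimize_plan(assets, threats, countermeasures, budget):
    """Exhaustively pick the countermeasure set that minimises residual risk
    within the budget (ties broken by lower cost). Fine for a handful of
    controls; a library of hundreds of controls needs a smarter solver."""
    best = None
    for r in range(len(countermeasures) + 1):
        for combo in combinations(countermeasures, r):
            cost = sum(cm.cost for cm in combo)
            if cost > budget:
                continue
            risk = total_risk(assets, threats, combo)
            if best is None or (risk, cost) < (best["residual_risk"], best["cost"]):
                best = {"countermeasures": sorted(cm.name for cm in combo),
                        "residual_risk": risk, "cost": cost}
    best["baseline_risk"] = total_risk(assets, threats)
    return best


# Constructed model: one asset, three threats, three candidate controls.
ASSETS = {"customer database": Asset("customer database", 2_000_000)}
THREATS = [
    Threat("insider extracts records by SQL", "customer database", 0.2, 0.5, "no database extrusion monitoring"),
    Threat("lost or stolen laptop", "customer database", 0.1, 0.1, "unencrypted laptops"),
    Threat("records sent out by webmail", "customer database", 0.3, 0.25, "no outbound content inspection"),
]
COUNTERMEASURES = [
    Countermeasure("Database activity monitoring", 60_000, (("no database extrusion monitoring", 0.2),)),
    Countermeasure("Full disk encryption", 15_000, (("unencrypted laptops", 0.05),)),
    Countermeasure("Content monitoring sensor", 80_000,
                   (("no outbound content inspection", 0.3), ("no database extrusion monitoring", 0.6))),
]

if __name__ == "__main__":
    plan = optimize_plan(ASSETS, THREATS, COUNTERMEASURES, budget=100_000)
    print(f"baseline risk ${plan['baseline_risk']:,.0f}")
    print(f"plan {plan['countermeasures']} costs ${plan['cost']:,.0f}, "
          f"residual risk ${plan['residual_risk']:,.0f}")
```

With the constructed figures the baseline risk is $370,000 a year; at a $100,000 budget the best plan is encryption plus the content sensor, which together leave $166,000 of residual risk for $95,000, whereas the more obvious database monitoring control alone would leave $210,000. That is the financial justification of step 5 in one line, and it is the kind of comparison a spreadsheet cannot produce once controls mitigate more than one vulnerability.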

Data leakage prevention technologies

Licensed under the Creative Commons Attribution License

Abstract

Data leakage prevention is a rapidly emerging network security technology area that has matured from simple regex-based Web / email content filtering products into products such as Fidelis Security Systems XPS that perform deep inspection of documents such as Microsoft Word and Adobe PDF with high levels of precision and recall.

Motivation

Network content monitoring is generally used for monitoring employee or student surfing and filtering out violence, pornography and drug-related content. This sort of Web content filtering became “mainstream” by 2005 with wide-scale deployments in schools and larger businesses by commercial closed-source companies such as McAfee and Bluecoat and open source products such as Censor Net and Spam Assassin. Similar signature-based technologies are also used to perform intrusion detection and prevention.

However, a new class of content monitoring products has emerged that is aimed squarely at protecting firms from unauthorized “information leakage”, “data theft” or “extrusion”. The motivation for using these products is economic not behavioral; transfer of digital assets by trusted insiders or trusted systems can cause much more economic damage than viruses to a business. Unlike viruses, once a competitor steals data you cannot reformat the hard disk and restore from backup. Companies often hesitate from publicly reporting extrusion events because it damages their corporate brand, gives competitors an advantage and undermines customer trust.


Having established motivation, the question is who buys this technology. There are two potential “internal customers” for content monitoring in a company – business management (risk management and/or internal audit) and IT infrastructure management.

Senior business management wants to protect their brand by protecting their information assets from criminals, competitors and trusted insiders. There seem to be three schools of thought on this among CxOs; one common approach is to ignore the problem and brush it under the carpet of compliance monitoring. Another approach is to monitor asset flows without telling employees or the whole world. The smart CEO seems to like an extrusion prevention system as a deterrent and as a way of enhancing the brand (“your assets are safer with us”). Passive content monitoring of asset flows in the network that operates independently of existing IT systems can be an effective auditing tool for threats to digital assets in any case. Employees and hackers cannot detect a Layer 2 sniffer device, and a sniffer is immune to configuration and operational problems in the network. If it can’t be detected on the network, then school of thought number 2 has plausible deniability.

Firewalls are not enough

Many firms now realize that a firewall is not enough to protect digital assets inside the network and look towards incoming/outgoing content monitoring. This is because:

  1. The firewall might not be properly configured to stop all the suspicious traffic.
  2. The firewall doesn’t have the capability to detect all types of content, especially embedded content in tunneled protocols.
  3. The majority of attacks and extrusions are not on the IT infrastructure but on the data itself.
  4. Most hackers do not expect creative defenses so they assume that once they are in, nobody is watching their nasty activities.
  5. The firewall itself can be compromised. As there are more and more day-0 attacks and trusted insider threats, it is good practice to add additional independent controls.

Detection, Prevention and Security Management

Detection

Sophisticated incoming and outgoing content monitoring technologies basically use three paradigms for detection:

  1. AD- Anomaly Detection - describes normal network behavior and flags everything else
  2. MD- Misuse Detection - describes attacks and flags them directly
  3. BA - Burglar alarm – describes abnormal network behavior (“detection by exception”)

In anomaly detection, new traffic that doesn’t match the model is labeled as suspicious or bad and an alert is generated. The main limitation of anomaly detection is that if it is too conservative, it will generate too many false positives (false alarms) and over time the analyst will ignore it. On the other hand, if a tool rapidly adapts the model to evolving traffic, too few alerts will be generated and the analyst will again ignore it.

Misuse detection describes attacks and flags them directly: it uses a database of known attack signatures and constantly tries to match the actual traffic against the database. If there is a match, an alert is generated. The database typically contains rules for:

  1. Protocol stack verification – RFCs, ping of death, stealth scanning etc.
  2. Application protocol verification – WinNuke, invalid packets that cause DNS cache corruption etc.
  3. Application misuse – misuse that causes applications to crash or enables a user to gain super user privileges; typically due to buffer overflows or implementation bugs.
  4. Intruder detection – known attacks can be recognized by the effects caused by the attack itself. For example, Back Orifice 2000 sends traffic on its default port, 31337.
  5. Extrusion detection – detect unauthorized network transfer of data according to the content itself, for example by file types, compound regular expressions, linguistic and/or statistical content profiling. Extrusion detection functions at a much higher level than an IDS/IPS, since it needs to understand file formats and analyze the actual content, such as Microsoft Office attachments in a Web mail session, as opposed to doing simple pattern matching of an HTTP request string.
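Item 5 is the one that separates extrusion detection from a packet-matching IDS, so here is an added example of the two simplest content checks it relies on: identifying a file by its leading bytes rather than its name, and finding card numbers with a regular expression that is then validated by the Luhn checksum to keep order and phone numbers from raising alerts. This is our own illustration, not any product's engine; the signatures, the sample payload and the alert policy are constructed for it.

```python
"""Content-level extrusion checks: file type by magic bytes plus a
card-number pattern validated with the Luhn checksum.

Added illustration of "detect by the content itself" from item 5 above. It
is not any product's engine; the signatures, the sample payload and the
alert policy are constructed for this example.
"""
import re

# Leading bytes that identify common document containers (well-known signatures).
MAGIC_SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ms-office-legacy"),  # OLE2: .doc/.xls
    (b"PK\x03\x04", "zip-container"),                           # .zip, .docx, .xlsx
]

# 13-19 digits, optionally separated by single spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def detect_file_type(data):
    """Classify a payload by its leading bytes, 'unknown' if nothing matches."""
    for signature, name in MAGIC_SIGNATURES:
        if data.startswith(signature):
            return name
    return "unknown"


def luhn_valid(digits):
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return digit strings that look like card numbers and pass Luhn.

    The regex alone over-matches (order numbers, phone numbers); the checksum
    is what keeps the false-positive rate tolerable for an analyst.
    """
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def inspect_payload(payload):
    """Inspect one outbound object (attachment body, upload) and decide."""
    file_type = detect_file_type(payload)
    # latin-1 maps every byte to one character, so the regex runs on any payload
    cards = find_card_numbers(payload.decode("latin-1"))
    verdict = "alert" if cards else "log"
    return {"file_type": file_type, "card_numbers": cards, "verdict": verdict}


# Constructed sample: a zip-container header followed by exported text. The
# first number is the well-known 4111... test number (passes Luhn); the second
# is an order reference that looks similar but fails the checksum.
SAMPLE_ATTACHMENT = (
    b"PK\x03\x04" + b"\x00" * 4
    + b"customer export: 4111 1111 1111 1111 ; order ref 1234 5678 9012 3456"
)

if __name__ == "__main__":
    print(inspect_payload(SAMPLE_ATTACHMENT))
```

A real zip container would of course have to be decompressed before the text inside it is visible; the point of the magic-byte check is that the sensor knows it is looking at a container at all, whatever the file was renamed to on the way out.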

Using a burglar alarm model, the analyst must have a deep understanding of her network and what should not happen on it. She builds rules that model how the monitored network should work, in order to generate alerts when suspicious traffic is detected. The richer the rules database, the more effective the model. The advantage of the burglar alarm model is that a good network administrator can leverage knowledge of servers, segments and clients (for example a Siebel CRM server which is a client of an Oracle database server) in order to focus in and manage by exception.
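The three paradigms are easiest to compare when they run side by side over the same traffic. The block below is an added example written for this page, not any vendor's engine: the anomaly model learns which conversations occurred during a baseline window and how large they got, the misuse signature is the Back Orifice 2000 default port cited above, and the burglar-alarm rule encodes the Siebel CRM server to Oracle database pair from the preceding paragraph. The addresses and byte counts are constructed, and Oracle's listener port 1521 is assumed for the lab.

```python
"""The three detection paradigms run over constructed flow records.

Added example, not any vendor's engine. Addresses and byte counts are
constructed; the one misuse signature is the Back Orifice 2000 default port
cited in the text; the burglar-alarm rule encodes the Siebel CRM server ->
Oracle database pair from the paragraph above, with Oracle's listener port
1521 assumed for the lab.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int


class AnomalyModel:
    """AD: learn which conversations are normal and how big they get,
    then flag anything outside that picture."""

    def __init__(self, baseline):
        self.max_bytes = {}
        for f in baseline:
            key = (f.src, f.dst, f.dport)
            self.max_bytes[key] = max(self.max_bytes.get(key, 0), f.nbytes)

    def check(self, f):
        key = (f.src, f.dst, f.dport)
        if key not in self.max_bytes:
            return "conversation never seen in baseline"
        if f.nbytes > 10 * self.max_bytes[key]:
            return "volume far above baseline"
        return None


# MD: signatures describe the attack directly.
MISUSE_SIGNATURES = [
    ("Back Orifice 2000 default port 31337", lambda f: f.dport == 31337),
]


def misuse_check(f):
    return [name for name, matches in MISUSE_SIGNATURES if matches(f)]


# BA: the analyst encodes what should not happen. Only the Siebel CRM
# application server may open the Oracle listener; everything else is an alert.
PROTECTED_SERVICES = {
    ("10.0.0.20", 1521): {"10.0.0.10"},
}


def burglar_alarm_check(f):
    allowed = PROTECTED_SERVICES.get((f.dst, f.dport))
    if allowed is not None and f.src not in allowed:
        return f"{f.src} is not an authorised client of {f.dst}:{f.dport}"
    return None


def run_detectors(baseline, live):
    """Return [(paradigm, reason, flow), ...] for every alert raised."""
    model = AnomalyModel(baseline)
    alerts = []
    for f in live:
        reason = model.check(f)
        if reason:
            alerts.append(("AD", reason, f))
        for name in misuse_check(f):
            alerts.append(("MD", name, f))
        reason = burglar_alarm_check(f)
        if reason:
            alerts.append(("BA", reason, f))
    return alerts


# Constructed learning window: application server to database, workstations to the web UI.
BASELINE = [
    Flow("10.0.0.10", "10.0.0.20", 1521, 4_000),
    Flow("10.0.0.10", "10.0.0.20", 1521, 5_000),
    Flow("10.0.1.5", "10.0.0.10", 443, 1_200),
    Flow("10.0.1.6", "10.0.0.10", 443, 900),
]

# Constructed live traffic.
LIVE = [
    Flow("10.0.0.10", "10.0.0.20", 1521, 4_500),       # normal
    Flow("10.0.1.7", "10.0.0.20", 1521, 80_000_000),   # workstation straight to the database
    Flow("10.0.1.5", "203.0.113.9", 31337, 300),       # outbound to a BO2K port
    Flow("10.0.1.5", "10.0.0.10", 443, 1_000),         # normal
]

if __name__ == "__main__":
    for paradigm, reason, f in run_detectors(BASELINE, LIVE):
        print(f"[{paradigm}] {f.src} -> {f.dst}:{f.dport} ({f.nbytes} bytes): {reason}")
```

Note how the anomaly model fires on both suspicious flows but gives the analyst no idea which one matters, while the burglar-alarm rule fires once, on the workstation reading the database directly, and says exactly why. That is the "manage by exception" advantage the paragraph describes, and it is also why the anomaly model tends to be ignored once the baseline window no longer matches the real network.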

Prevention

Anomaly detection is an excellent way of identifying network vulnerabilities, but a user cannot prevent data breach events based on general network anomalies such as usage of anonymous FTP. When it comes to prevention there is also a fundamental problem with misuse detection. If misuse is detected then, unless the event can be prevented (either internally with a TCP reset, by blocking inline, or by notifying the router or firewall), the usefulness of the device is limited to forensics collection. An additional hurdle to overcome in the area of prevention of data breach events is performance. The widespread usage of load balancers and multiple IDS servers will not work, since packets that compose a client-server application session may be spread over multiple servers and it will be impossible to prevent data leakage when no single server has a complete picture of the entire session.

Management - event analysis and reporting

A SIM (security information management) system consolidates reporting, analysis, event management and log analysis. There are a number of dedicated tools in this category (Net Forensics is one), but the direction appears to be that the content monitoring system will include its own analytical database of events, due to the specialized nature of content monitoring and filtering. Note that the management sub-system itself does not perform detection or prevention functions: it manages, and receives reports from, the other system components. A typical architecture has a central SIM (management console) and multiple distributed sensors that feed events (not raw traffic) into the SIM.

Network security warfare - offensive security

Attack the attackers

I believe many people involved with IT security have a feeling of frustration that stems from continuously reacting to external forces: spam attacks, spyware attacks, insider threats, analyst reports and new product announcements. What's a fella to do? Well, step back and consider three basic tenets of IT Security:

* Network Security is Warfare: if it's “kill or be killed” in the sales department, then why not in IT Security?
* Most of your information security strategy is reactionary, relying on “Penetrate and Patch” methods
* Few implementations address the collection of information about attackers.

The key Elements in Information Security Strategy

Stop reacting and go back on the offensive, with a proactive security strategy based on control, collection, capture and change:

Control: Managing the access of information to and from the network and systems.
Collection: Gathering information about user habits and systems behavior.
Capture: The capture of information from anomalous events on the network.
Change: Adapt the security posture to meet new situations.

By basing both defensive and offensive tactics on these four strategic elements, you can proactively control who accesses your network, collect information about abnormal transactions, capture anomalous events, and adapt your security posture to meet changing situations.

Traditional Information Security Tactics are Defensive

* Backups
* IDM - Identity Management
* Network Access Control using firewalls/routers
* Host Access Controls
* Intrusion Prevention Systems/Intrusion detection systems
* Inbound content filtering for abusive/malicious content

Offensive Information Security Tactics

* Attacking and auditing your own systems.
* Proactive response to attacks.
* Extrusion prevention
* Honey Pots and Honey Nets.

I’d like to thank Chris Neitzert (Chris[at]Neitzert[dot]com) for his ideas on improving IT security with both offensive and defensive tactics. Download Chris’ well-written article at: Guerilla Anti-Penetration Tactics

Buggy software is insecure software

The CEO committed to shipping June 1, the VP engineering is under the gun, the programmers know they are cutting corners, your resellers are getting ready to jump ship to your latest competitor.

What it looks like

We can help you:

* Eliminate those minor security releases that put a huge dent in your ship schedule and damage hard-earned customer equity.
* Proactively control vulnerabilities and create a disclosure process with your customers that makes security an asset not a liability.
* Improve your work practices in the software development life cycle through training, and build a team that can sustain quality:
o Learn how to reduce avoidable rework
o Learn how to reliably identify fault-prone modules in a company’s particular operation
o Learn how to identify modules with the most impact on system reliability and downtime
o Learn how to develop sustaining metrics for defect reduction
o Train your application programmers in best security practices and help them see themselves as part of an integrated company-wide commitment to quality software.
o Help your organization choose and implement disciplined practices such as Watts Humphrey’s PSP (Personal Software Process) and TSP (Team Software Process) that can have high ROI in defect reduction in new software development.

The bugs are hiding in the cracks just waiting to be exploited

The biggest bugs are hiding in the system integration interfaces your integration team glued on the day before delivery. They go home, you might get fired.

Perhaps you have been in this situation before:

You’re a CIO/VP IT/IT manager and you’re preparing to implement a packaged business application - for example a new CRM system. Something in the back of your mind says that the vendor’s development organization is probably not a lot different from yours (although you hope they’ve thought through the security issues first). What should you do?

First, inspect and penetration-test the system using black-box testing.
Then, using white-box testing, assess infrastructure components, database interfaces and Web applications for vulnerabilities using our Legacy Risk Analysis Loop technique.
You must identify fault-prone modules in your particular operation and evaluate those modules with the most impact on system reliability and downtime.
We also suggest an on-site audit of the vendor’s secure software development practices during the RFP/RFI/pre-purchase stages.

The process helps give the company a clear, updated picture of defects even before they hit BugTraq. Our Web collaboration tool supports continuous risk analysis and management with two main applications: a knowledge base and issue tracker:

* The database of standard CVSS scores for components and CLASP problem-type classifications is always available to the entire organization. Users can add new entities and modify scores as the business environment changes.
* The issue tracker provides:
o A consistent thread of requests, changes and open action items during the risk analysis process, and in particular in the Validate findings step
o An updated implementation status of countermeasures
o Real-time status tracking where, unlike email, issues cannot get lost or be ignored

First certified PTA Partner in Europe

Control Policy Group in Warsaw is the first professional security consultancy in Europe to become a certified partner of PTA Technologies.

We are proud of this achievement and happy to collaborate with our esteemed colleagues at PTA.

We created a PTA ISO 27001 library and contributed it to the risk expert community worldwide in the hope that it will help consulting colleagues like us be more productive in their risk assessment efforts.

Practical Threat Analysis is an important component of our comprehensive program of information security management for large institutions in Poland and their management boards.

PTA threat modeling works on a risk-economic basis in Euro, evaluating a firm’s risk using a structured PTA database with multiple dimensions and complex relationships between vulnerabilities, threats, assets and security controls.

Contact us today if you need PTA professional service support or wish to improve your information security management system. We are always looking for interesting projects.

Information Security Management in Eastern Europe