Network security assessments and network security testing are often used interchangeably because they both evaluate the security of an organization’s network. However, they differ in terms of scope and execution. This blog explores the structure of network security assessments and the role of testing within the assessment process.
Defining network security assessments
A network security assessment is a process that determines whether an organization’s network security controls are effective and in compliance with the organization’s security objectives. It seeks to answer three questions:
- Are the network security controls implemented correctly?
- Are the network security controls operating as intended?
- Are the network security controls producing the desired outcome?
Three distinct activities of network security assessment
A network security assessment has three distinct activities. Each activity focuses on a different aspect of security, which, when combined, maximizes the likelihood of uncovering network vulnerabilities.
- Evaluating configuration files, policy documentation, system logs, network architecture diagrams, etc., to verify that the network security controls are configured, implemented, and operate as intended. For example, review the firewall running configuration and rule set, inspect security alerts, and check firmware update releases.
- Interviewing employees to gain visibility into behaviors that differ from the documented security policies. Example interview questions are: How often do you receive security training? Do you share network administration passwords? What do you do if you suspect a network breach?
- Testing network security to identify weaknesses and vulnerabilities in the network infrastructure. For example, using vulnerability scanners to check for open switch ports, running wireless scanners to discover rogue Wireless Access Points (WAPs), and conducting penetration tests that simulate real-world attacks.
Figure 1 summarizes the primary focus of the three distinct network security assessment activities. Network security testing is a critical activity in the broader network security assessment. It provides a real-world assessment of an organization’s network defenses.

Pro Tip:
Different sub-teams typically do the evaluation, interviewing, and testing. It is crucial to consider how these activities will interwork and share information.
Implement a tracking system to log findings uncovered during the network security assessment. The tracking system should allow findings to be cross-referenced across the three activities (evaluating, interviewing, and testing) so that information is shared between the sub-teams.
Categorizing network security controls
Security controls enforce policies and provide the mechanisms and procedures to protect the organization from threats. A network security assessment looks at three areas of security controls:
- Management security controls
These define the policies that guide an organization in implementing, maintaining, and enforcing network security. For example, implement remote access and password policies, conduct annual network vulnerability assessments, and use specific cryptographic suites to ensure compliance with regulatory requirements.
- Operational security controls
These are the day-to-day administrative processes and procedures that enforce the organization’s security policies. For example, configure security settings on networking equipment such as switches and firewalls, monitor the network for unauthorized access, and run vulnerability scans to identify network weaknesses.
- Technical security controls
These are the hardware and software technologies that enforce the network security policies and ensure the network’s Confidentiality, Integrity, and Availability (CIA). Example technologies include firewalls and intrusion protection systems (IPS), as well as IPsec and TLS security protocols that protect network traffic, and 802.1X port-based authentication, which controls network access.
Technical controls are typically the first line of defense within an organization. These controls operate in real-time and can be systematically tested. Network security testing primarily focuses on technical controls. However, testing may be needed to verify management and operational security controls. For example, verify that all network equipment utilizes digital certificates for authentication, and confirm that network changes were authorized.
Determining the scope of network security testing
The overarching goal of the network security assessment shapes the focus and scope of the evaluation, interview, and testing activities. These assessment goals drive the scope of what should be tested and how the tests should be performed. To illustrate this, Table 1 lists three example assessment goals along with their corresponding testing plans.
| Assessment Goal | Testing Plan |
|---|---|
| Assess the risk of real-life attacks on the network. | Simulated network attacks using penetration test tools. |
| Verify network access meets regulatory requirements. | Tests directly map to regulatory requirements and associated policies. |
| Identify vulnerabilities in the network. | Identify weaknesses using vulnerability scanners. |
Table 1: Examples of how assessment goals impact testing
Additionally, the findings from evaluation or interviewing activities may reveal areas that require further network security tests. For example, a Wi-Fi discovery scan test was added after an interview revealed that users deploy unauthorized Wi-Fi access points, and a dictionary-based brute force test was added after the policy evaluation showed that weak passwords, consisting of eight characters with no complexity, were permitted.
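The findings tracker recommended in the earlier Pro Tip, and the way evaluation or interview findings point to controls that still need a test, can be illustrated with a small example. This is added example code, not part of the original blog; the finding IDs, control labels and finding text are constructed to mirror the blog's own examples.

```python
from dataclasses import dataclass, field
from collections import defaultdict

# The three assessment activities described in the blog.
ACTIVITIES = ("evaluation", "interview", "testing")


@dataclass
class Finding:
    fid: str                  # constructed identifier, e.g. "INT-01"
    activity: str             # which activity produced the finding
    control: str              # constructed label for the affected control
    summary: str
    related: list = field(default_factory=list)  # cross-referenced finding IDs


class FindingsTracker:
    def __init__(self):
        self.findings = {}

    def log(self, fid, activity, control, summary):
        if activity not in ACTIVITIES:
            raise ValueError(f"unknown activity: {activity}")
        if fid in self.findings:
            raise ValueError(f"duplicate finding id: {fid}")
        f = Finding(fid, activity, control, summary)
        # Cross-reference with every earlier finding on the same control,
        # regardless of which sub-team (activity) logged it.
        for other in self.findings.values():
            if other.control == control:
                other.related.append(fid)
                f.related.append(other.fid)
        self.findings[fid] = f
        return f

    def by_control(self):
        groups = defaultdict(list)
        for f in self.findings.values():
            groups[f.control].append(f)
        return dict(groups)

    def untested_controls(self):
        """Controls flagged by evaluation or interviewing with no test finding yet:
        candidates for additional network security tests."""
        return sorted(c for c, fs in self.by_control().items()
                      if not any(f.activity == "testing" for f in fs))


# Constructed sample findings modelled on the blog's examples.
tracker = FindingsTracker()
tracker.log("INT-01", "interview", "wireless-access", "Users admit deploying unauthorized Wi-Fi APs")
tracker.log("EVA-01", "evaluation", "password-policy", "Policy permits 8-char passwords with no complexity")
tracker.log("EVA-02", "evaluation", "firewall-ruleset", "Stale permit-any rule found in running config")
tracker.log("TST-01", "testing", "wireless-access", "Wi-Fi discovery scan found rogue APs")
```

Calling `tracker.untested_controls()` on the sample data returns the password policy and firewall rule set as controls that still lack a corresponding test, while the interview and test findings on wireless access are linked to each other.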
Pro Tip:
Prioritize testing of the business-critical network controls first. For example, the network backbone of switches, routers, and load balancers, and network access controls, including firewalls, Wireless LAN Controllers (WLCs), and authentication servers.
What to do after reading this blog
After reading this, you should:
- Determine when your organization plans to conduct its next network security assessment.
- Review the structured methodology or framework your organization uses for conducting the network security assessments.
- Read the current and previous network security assessment objectives and understand the rationale behind any changes.
- Identify the different teams responsible for evaluating, interviewing, and testing network security.
- List the business-critical components in your organization’s network.