In a previous article, “A Security Model for the Internet of Things (IoT),”, we described how to measure the security of discrete network devices, and how to aggregate the resulting scores to the network level. In this article, we will refer to the evaluation of devices using that approach as calibrating the “security capacity” of those devices and networks, and show how evaluating security capacity compliments traditional methods of measuring device and network security.
We will further show that calibrating the security capacity of a network can be key to achieving and maintaining a secure network, particularly in challenging network environments in which traditional security testing may not be possible.
We will conclude by showing that security configuration is a realization of security capacity, and that both must be optimized to achieve the greatest defensive posture.
Security Configuration refers to a specific inter-connectivity (i.e. physical and logical network topology) of a set of devices, and how their individual settings collectively resist attempts at intrusion and attack.
Security Configuration is established by the security and network engineers that connect those devices into a network and configure their settings to achieve the business objectives and technical functions of the network.
Proper security configuration is verified through examination, Network Vulnerability scanning, and Penetration Testing (i.e. Ethical Hacking) exercises, which yield vulnerabilities representing risk to the network.
It is interesting to note that the security capacity of a network may or may not be fully realized by its security configuration, as all the security features supported by networked devices may not be enabled or properly configured.
Evaluating Security Configuration
As noted, Security Configuration is measured through Network Vulnerability scanning and Penetration Testing. Scanning and testing detect vulnerabilities that are classified by severity using a standard Common Vulnerability Scoring System (CVSS) that characterizes the risk associated with a vulnerability as a value from 0.0 (no risk) to 10.0 (maximum risk).
A method to calculate an aggregate network-level score from such testing can be debated, but one method for doing so is laid out in the article Securing IoT Networks: Measuring Network Security. For the remainder of this article, we will refer to aggregate device scores and aggregate network scores as their Security Configuration Score.
Thus, a security configuration score can be used to express the current risk exposure of a device, a network segment, or an entire inter-network. The insight it provides, of course, is limited to problems the scans detected.
Reflections on Security Configuration
A “typical” network is a set of interconnected devices; some of which support security controls to protect the device, its operations, and the data it handles, and some that do not (think: Internet of Things).
A secure configuration thus requires such a network to be “protected” by one or more perimeter gateways (i.e. Firewalls), which filter network traffic and squelch dangerous traffic. The network is considered “secure” from a configuration point of view if it either successfully filters out malicious traffic, or the protected devices ignore or cannot be exploited by any malicious traffic that reaches them.
The problem, as any CISO will tell you, is that it is not sufficient to simply establish protections to prevent intrusion. It is also necessary to assume that at some point in time, the perimeter will be breached, and the organization must be prepared to deal with that eventuality. Historically, this was addressed by deploying Intrusion Detection Systems (IDS) to alert the organization to the presence of intruders, and by creating Incident Response Plans to mobilize specialized teams and activate the appropriate contingency plans in response to cyber-events.
Clearly, this “state of the art” came about in consequence of the fact that not all “internal” devices could be relied upon to protect themselves against malicious traffic. Some were better than others, but some were utterly unprotected.
Measuring Security Configuration is critical because it directly reflects the ease with which an attacker may penetrate the network.
One problem with focusing on Security Configuration is that it occurs from a certain perspective, typically from outside the perimeter of the network, and may be uninformative and even misleading as a measure of the relevant security of other perspectives. Consider an example of a network that yields minimal vulnerabilities when scanned from the outside, but is riddled with vulnerabilities and is wide-open (no encryption, no authentication, etc. ) on the inside.
The “inside” security configuration is often assessed through internal scanning (I.e. from within the firewall), which while helpful, only detects vulnerabilities in the current configuration, and is silent on what “could be.” Scanners, for example, are typically blind to a device’s ability to update itself.
From the Security Configuration perspective, security risk (internal or external) is reduced by eliminating vulnerabilities and minimizing the aggregate CVSS score.
Security Capacity refers to the set of security features that each device supports and how they combine to form a security score for that device.
Thus, security capacity is based on the security characteristics of a product, whereas a security configuration score is an attribute of its deployment.
As we elaborated in “A Security Model for the Internet of Things (IoT),” it is possible to calibrate the security of the discrete devices comprising a network, and then aggregate those metrics to obtain a security score for the entire network. We call this score the Security Capacity of the device and rate it on a scale from 0 to 10.0 (most secure). Although the methodology includes dynamic testing, it is possible to calibrate the Security Capacity of devices without dynamic testing, using only device specifications and documentation.
It is important to remember that while evaluating a device’s Security Capacity is not an automated process, it only need be done once for any make, model, and version of a product.
The Security Capacity score of a network segment is the lowest score of any of the devices on that segment. The Security Capacity score of an inter-network is the lowest score of any of its component networks.
Security Capacity scoring provides an objective metric reflecting the potential security of each device, network segment, and inter-network.
Reflections on Security Capacity
The Security Capacity score of a network can be viewed as a measure of potential defensive capability, a measure that may or may not be realized through configuration.
Security risk is reduced by replacing devices with lower Security Capacity scores with devices with higher scores. For example, a device that updates its firmware automatically is considered more secure than one that does not. The configuration perspective misses such changes and many other relevant criteria.
Security Capacity is independent of security configuration. Consider the scenario in which a Network Vulnerability Scan yields no serious problems, and then several devices on the network are upgraded to more secure versions, and the scan is performed again and yields the same results. Clearly the network is more secure, at least from the internal perspective, but the difference is transparent to configuration testing. A similar argument could be made for Penetration Testing.
In some scenarios, Security Capacity may be the only means to calibrate internal network security, because the devices are deployed in a 24×7 production environment, and intrusive testing is perceived as too risky.
The Complete Picture: Security Configuration AND Capacity
Both Security Configuration and Security Capacity are worth examining, and both contribute to accurately understanding the true security risk of a network.
A network must support the necessary security features to properly secure it (Security Capacity), and must also be configured properly (Security Configuration) to achieve that potential.
This implies that the Security Configuration score of a network, reflecting the CVSS scores of its known vulnerabilities, should be minimized, while its Security Capacity score, reflecting the security posture of its weakest device, should be maximized in order to achieve the strongest defensive posture.