Hi everyone, Ed Amoroso here, and I want to talk to you in this video about security assessment. Let me start with a little story. In the early days of cyber security, particularly at our conferences, it was pretty obvious that the security equation broke into two pieces. The first was building functionality to protect systems: building encryption systems and authentication systems, the functional mechanisms that comprise what most of us would consider cyber security. But there was a second piece of the equation that was referred to as assurance, or also as trust. Like, how do I demonstrate or provide convincing evidence to somebody that what I've actually built is really working? Think about it. Security does not have a lot of good demos, right? I've built something that's going to prevent an attack. So now prove to me that you did. Well, I could run a bunch of attacks and show you that they don't work, but how do you know that there aren't other attacks that maybe I didn't think of that would work? So you can see that it is reasonable to think of security in those two contexts. There's building something, and then providing evidence that in fact what you've built is secure. And it turns out there are a couple of different ways that that evidence can be built. One is something called security assessment. It's usually a very non-confrontational thing; it's usually a scheduled project, and there's usually some discretion about it. A nice partnership is put in place between the assessors and the team building something: they will come in and together try to determine, are there weak spots? Can I test for certain types of things? Can I do an overall architectural assessment, or investigation, to try to determine if you've done things right? Security assessments are best done by experts with some experience. Now, once in a while you may see some younger people learning; there might be some apprenticeship that goes into the business of security assessment.
A lot of you watching might get a job at some point working for, say, a consulting firm, or a security architecture firm, or a penetration testing firm that does assessments. They come in and they follow a very structured methodology to look at things, though: go through the different phases, and try to understand where there might be some weak points. So, security assessment is, like I said, non-confrontational. There is a second approach, and that's referred to as security audit, and that is a little different. Security audits usually are confrontational. [LAUGH] It's not that they're adversaries, but the auditor is not necessarily sort of working hand in hand with the team that's building the system. They're in there to find problems, and that may not be scheduled. There may be results that will come out that may not have a lot of discretion; they may go out to the whole company. Maybe you get a grade. So, it can be a little different. The relationship between auditor and, sort of, auditee is in fact different. Now the goal in both cases is to try to provide evidence that a system is, in fact, secure. And like I said, it's a little different than if I was building a communication system that had to meet, say, some performance characteristics. Like, I had to build a system that supports a 10 gig requirement; I put it in place, we drive 10 gig through, and we all high five because we did it. If the security requirement there is something that's not as easily demonstrated, then we become reliant on these two approaches: security assessment, through partnership, or security audit, which is done by a third party. Partnership may not be the word that would be used. Both are important, both are things that you should understand, and you should recognize the difference between the two. They certainly are both focused on evidence, but they're accomplished in slightly different ways.
I hope this has been a useful little comparison of security assessment and security audit, toward providing evidence of security, usually in the context of a business or government. I hope this has been helpful, thanks.