You don’t need to be paranoid to be a chief information security officer, but it helps. Whether certifiably paranoid or, as the Woody Allen joke goes, just keenly observant, the chief security officer must tune into threats that others can’t see, quantify risks that others can’t fathom, and uncover weaknesses – in the company’s networks, systems, and business processes – that want to remain hidden.
It's a big job that requires a comprehensive plan, strong skills, and a good set of tools. The time and skills necessary for effective security assessment will never be free, but a terrific plan and excellent tools are readily available at no cost, courtesy of the open source community. I'm a big believer in tapping open source solutions whenever possible, but there is a catch. Open source is free in cost, but not free in time. Be prepared to spend time learning how to use open source tools and techniques properly.
An open source method
The open source testing framework I recommend is called the Open Source Security Testing Methodology Manual (OSSTMM). The brainchild of Pete Herzog and his legion of dedicated security testing professionals, this project is well supported by the open source community, and it continues to impress me with its documentation and approach. Providing specific testing objectives and procedures, the OSSTMM is the cookbook for using your tools, in what order and at what time.
The OSSTMM is not simply a penetration testing approach but a methodological framework. The methodology helps guide the planning of the security audit project, helps quantify the results properly, and provides the rules of engagement for those performing the audit. It relies on best practices and a threats database, as well as knowledge of the target organization, to provide a broad view of the risks posed to the infrastructure of the enterprise. Most testing frameworks, such as ISO 27001 (formerly 17799), OCTAVE, COBIT, and ISM3, take an organizational approach to assessment and evaluation. The OSSTMM takes an operational view of enterprise risk.
The OSSTMM contains six testing modules, covering information security, process security, internetworking, communications systems, wireless networks, and physical security. Together, they offer a testing methodology and guides to measuring risk across the whole estate: to intellectual property, private information, and paper documents; to social engineering attacks; to routers, switches, and firewalls; to PBXs, voicemail, and faxes; to WLAN sniffing and surveillance; and to environmental dangers to buildings and the locks on the doors.
The OSSTMM manual provides a wide range of template documents for conducting the tests in each of the six modules. This set of templates removes the need for the supporting software required to complete other testing frameworks such as ISO 27001 or COBIT. However, you may need training from ISECOM (the OSSTMM's parent organization) to make the best use of the templates and modules.