Ok folks, we're almost at the end of the tunnel with our audit checklist. Part 5 of our 6-part series on Simplifying Firewall Audits and Ensuring Continuous Compliance focuses on risk assessment… after all, what's the purpose of undergoing an audit anyway if pinpointing your risk isn't part of it (besides typically being forced to by industry or regulatory bodies)?!
A comprehensive risk assessment is essential to address security gaps (the root cause of security incidents) proactively instead of waiting for a threat and then responding to the symptoms. From a firewall perspective, it is important to be able to identify risky rules and ensure that rules are compliant with internal policies and relevant standards and regulations.
Step 5: Conduct a Risk Assessment and Remediate Issues
A good place to start is to review firewall rules and configurations and identify any potentially “risky” rules. What counts as “risky” can differ for each organization depending on the network and the level of acceptable risk, but there are many frameworks and standards you can leverage as a reference point. Your criteria can be based on your own definitions of a risky rule or configuration, but should also include those defined by industry standards and best practices such as PCI-DSS, SOX, ISO 27001, NERC CIP, Basel II, FISMA and J-SOX. The risky rules you identify should then be prioritized by severity. Some questions that you should be able to answer as part of this step include:
- Are there firewall rules that violate your corporate security policy?
- Are there any firewall rules with “ANY” in the source, destination, service/protocol, application or user fields, and with a permissive action?
- Are there rules that allow risky services from your DMZ to your internal network?
- Are there rules that allow risky services inbound from the Internet?
- Are there rules that allow risky services outbound to the Internet?
- Are there rules that allow direct traffic from the Internet to the internal network (not the DMZ)?
- Are there any rules that allow traffic from the Internet to sensitive servers, networks, devices or databases?
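Here is what that checklist looks like as an automated check over a rule set. This is an added example, not code from the original post: a small Python script that classifies each rule's source and destination into zones, flags permissive rules that match the questions above, and ranks the findings by severity. The zone map, the sensitive subnet, the risky-service list and the sample rules are all constructed for illustration; the first question (violations of your own corporate policy) is organization-specific and is not modelled here.

```python
"""Toy risk assessment over a firewall rule set (constructed example).
Flags permit rules that match the checklist questions and sorts the
findings by severity.  Zones, sensitive subnets, risky services and the
sample rules are assumptions made for this illustration."""
import ipaddress
from dataclasses import dataclass

# Assumed zone map: anything outside a known zone is treated as the Internet.
ZONES = {
    "dmz": [ipaddress.ip_network("203.0.113.0/24")],
    "internal": [ipaddress.ip_network("10.0.0.0/8")],
}
SENSITIVE = [ipaddress.ip_network("10.10.5.0/24")]   # assumed database subnet
RISKY_SERVICES = {"telnet/23", "ftp/21", "smb/445", "rdp/3389", "ms-sql/1433"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class Rule:
    name: str
    src: str       # CIDR or "ANY"
    dst: str       # CIDR or "ANY"
    service: str   # "name/port" or "ANY"
    action: str    # "permit" or "deny"


def zone_of(addr: str) -> str:
    """Map an address field to a zone; 'ANY' is kept distinct so the
    wildcard check can report it explicitly."""
    if addr.upper() == "ANY":
        return "any"
    net = ipaddress.ip_network(addr, strict=False)
    for name, prefixes in ZONES.items():
        if any(net.subnet_of(p) for p in prefixes):
            return name
    return "internet"


def touches_sensitive(dst: str) -> bool:
    """True when the destination overlaps an assumed sensitive subnet."""
    if dst.upper() == "ANY":
        return False          # reported by the wildcard check instead
    net = ipaddress.ip_network(dst, strict=False)
    return any(net.overlaps(s) for s in SENSITIVE)


def assess_rule(rule: Rule) -> list:
    """Return (severity, reason) findings for one rule."""
    findings = []
    if rule.action.lower() != "permit":
        return findings       # only permissive rules are risky here
    src_zone, dst_zone = zone_of(rule.src), zone_of(rule.dst)
    wildcard_service = rule.service.upper() == "ANY"
    risky = wildcard_service or rule.service in RISKY_SERVICES

    # Q: "ANY" in source, destination or service with a permissive action
    if "any" in (src_zone, dst_zone) or wildcard_service:
        findings.append(("high", "wildcard ANY in a permit rule"))

    from_internet = src_zone in ("internet", "any")
    to_internet = dst_zone in ("internet", "any")

    # Q: Internet to sensitive assets / Internet directly to the internal network
    if from_internet and touches_sensitive(rule.dst):
        findings.append(("critical", "Internet reaches a sensitive subnet"))
    elif from_internet and dst_zone == "internal":
        findings.append(("critical", "Internet reaches internal network directly"))
    # Q: risky services inbound from the Internet (to the DMZ)
    elif from_internet and dst_zone == "dmz" and risky:
        findings.append(("high", f"risky service {rule.service} inbound from Internet"))

    # Q: risky services from the DMZ to the internal network
    if src_zone == "dmz" and dst_zone == "internal" and risky:
        findings.append(("high", f"risky service {rule.service} from DMZ to internal"))
    # Q: risky services outbound to the Internet
    if src_zone == "internal" and to_internet and risky:
        findings.append(("medium", f"risky service {rule.service} outbound to Internet"))
    return findings


def assess_ruleset(rules) -> list:
    """Flatten findings across the rule set, highest severity first."""
    report = [(sev, rule.name, why) for rule in rules for sev, why in assess_rule(rule)]
    report.sort(key=lambda f: (SEVERITY_RANK[f[0]], f[1]))
    return report


# Constructed sample rule set (not a real configuration).
SAMPLE_RULES = [
    Rule("db-from-anywhere", "ANY", "10.10.5.20/32", "ms-sql/1433", "permit"),
    Rule("web-to-dmz", "198.51.100.0/24", "203.0.113.10/32", "https/443", "permit"),
    Rule("ftp-to-dmz", "198.51.100.0/24", "203.0.113.10/32", "ftp/21", "permit"),
    Rule("dmz-to-lan-smb", "203.0.113.0/24", "10.0.0.0/8", "smb/445", "permit"),
    Rule("telnet-out", "10.0.0.0/8", "ANY", "telnet/23", "permit"),
    Rule("cleanup-deny", "ANY", "ANY", "ANY", "deny"),
]

if __name__ == "__main__":
    for severity, name, reason in assess_ruleset(SAMPLE_RULES):
        print(f"{severity:8} {name:18} {reason}")
```

The output is the prioritized list the step asks for: critical findings first, so the Internet-to-database rule is remediated before the outbound telnet rule. Replacing the zone map and the service list with your own definitions is how the script absorbs the organization-specific notion of "risky" described above.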
Once you've gone through your list of risk analysis questions (hopefully a more exhaustive one than the above, though this is a good start), document the risks and compliance exceptions you found and assign an action plan for remediating them. Once you've carried out the remediation, document that as well and verify that the remediation and any resulting rule changes have been completed correctly.
As with anything security and compliance related, you need to have a process in place to continuously assess risk and measure the effectiveness of your security policy over time. In our final blog of this series, we'll focus on the aspect of "continuous compliance" and how to make sure that all of the steps discussed in previous blogs become part of your security and business processes.