Monday, April 13, 2009

Red Teams: An Audit Tool, Technique and Methodology for Information Assurance

http://www.isaca.org/Template.cfm?Section=Home&CONTENTID=30762&TEMPLATE=/ContentManagement/ContentDisplay.cfm
by Frederick Gallegos & Matthew L. Smith

With businesses and organizations increasingly dependent on information systems in everyday practice, a large responsibility falls on those organizations, and on government legislation, to ensure the safety and security of private customer information. This publication seeks to address the growing risks threatening information security by employing the tactic of red teaming.

Red teaming is a valuable tool for information security auditors to directly identify new and emerging security threats within an organization, allowing them to provide evidence to support modifying that organization's security system and practices. This article describes the use of "white-hat hackers" to infiltrate the system, exposing and exploiting system vulnerabilities for the purpose of developing actionable evidence for system modifications. It is important that these individuals are obtained externally, so they have no pre-existing knowledge of the organization's network and its security infrastructure. Employing external, uninformed individuals to execute this "test" is a good way to obtain unbiased evidence of system weaknesses.

The red team should be made up of SMEs well-versed in computer forensics. In an IS red teaming exercise, the team will test four main areas of an information system: operating system/platform security; networks/communications; applications/decision processes; and policies, passwords and permissions. Additionally, a training path should be developed for the red team members, and they should provide a record of observations and practices in a database for other team members to share.

1 comment:

  1. Do you believe a red team comprised completely of outsiders to the organization is better than an internally formed or mixed team?
