Traditional IT Security Assessments are based on concepts of a network that are fifteen to twenty years old. The vast majority focus on the Device and Network Transport layers; this approach is no longer sufficient to develop an IT Security Profile.
The advanced persistent threats (APT) and targeted attacks that we face today exploit more than IT technology vulnerabilities. Attacks are implemented using techniques such as social engineering to make the initial breach of the corporation; this is often the result of a failure in process, not of technology. Successful targeted attacks require knowledge of internal systems often gained through initial access to documentation or social engineering. By the time an attack is mounted the attackers will have performed reconnaissance and other intelligence gathering activities, and will often have very detailed knowledge about the IT infrastructure.
There are two orthogonal stacks in an IT ecosystem: Implementation or Doing and Parametric or Directing.
A full security assessment covers all aspects of security that impact on an IT ecosystem and its supporting services. The full assessment uses a layered matrix of targeted assessments; each layer of the matrix interacts with the adjoining layers and therefore a security assessment must look at all layers and their interactions. The output of a full IT security assessment is a profile that describes the current state of a company's IT security.

Implementation Stack
Applications are how people interact with their data, make decisions and run their business. The way that applications interact with the corporate IT ecosystem impacts the security profile of the corporation.
The Infrastructure Services layer provides services such as authentication and authorisation that manage and control the IT ecosystem. This layer defines the type of network, and is the layer that people interact with when they 'log on' to the network.
The devices that physically host the applications and processes used to run the business are where people interact with their IT environment. This is an area of rapidly changing technologies, vulnerabilities and threats that require increasing levels of security awareness at all levels of the corporation.
The network transport connects all the layers together; these are the switches, routers and firewalls that are typically regarded as the physical network and the network protocols that move information between devices. This is the layer that devices interact with when they plug in to the network.
Too often IT security assessments focus on only one of these areas. A full IT security assessment instead concentrates on diagnosing where all of your vulnerabilities are, not just the obvious ones.
Parametric Stack
Documentation covers all layers of the stack; implementing a highly secured application on the network is not effective if the documentation that describes it is stored in an unprotected repository.
Processes and Procedures are often the stepchild of security; it is like having a house with high-security locks and alarm systems where the alarm is not turned on and the doors are not locked when the house is empty. Dexa looks at the processes and procedures that relate to security, at security vulnerabilities, and at the governance models that ensure that the processes and procedures are followed.
Governance defines the mechanisms which ensure that processes and procedures are followed and the penalties to be applied if they are not followed.