Security analysis
23.03.2026

Ruslan Rakhmetov, Security Vision


The implementation of organizational and technical cybersecurity measures should raise the level of cybersecurity and cyber resilience of the company and its assets (personnel, processes, technologies, data). To check the actual state of cybersecurity, various security analysis methods are used: they assess the extent and quality of the security measures implemented, show whether the countermeasures are sufficient, and produce recommendations for adjusting them and improving the company's security level. In this article we will discuss the various types of security analysis, the stages of carrying it out, and examples of security assessment methodologies.


Security analysis can be defined as the process of verifying how well the assessed object is protected from the cyber threats and intruders relevant to it, in which security flaws are identified and recommendations for improving the object's security are produced. Security analysis is not a one-time event but a continuous process that follows the Deming PDCA cycle (Plan, Do, Check, Act), in which the evaluation results serve as input for adjusting the process, closing the feedback loop. The ultimate goal of the security analysis process is a list of recommendations and plans for eliminating vulnerabilities and deficiencies in technical and organizational security measures, which raises the level of cybersecurity of the assessed object (employee, process, technology, information system, network, infrastructure, individual device, dataset) and of the organization as a whole. The input data for the analysis process are the properties of the protected object and information about its current security status; regulatory and internal requirements for the security of the object and for the countermeasures in place; the results of work to identify the object's vulnerabilities and the shortcomings of the countermeasures; reports from automated verification tools (security scanners, cyber attack emulators, pentest frameworks); and reports on completed work (interviews with responsible persons, completed questionnaires, site survey reports, results of information security audits, pentests, Red Team assessments, cyber exercises and Bug Bounty programs).


The concept of security analysis is used in a number of regulatory documents. Thus, the "Methodology for assessing the indicator of the state of technical information protection in information systems and ensuring the security of the environment", approved by the FSTEC of Russia on 11.11.2025, states that the security indicator characterizes the degree to which an organization achieves the minimum required level of information protection from typical current threats at the time of the assessment and under the specified conditions. This methodology is applied in accordance with the requirements of clause 31 of FSTEC of Russia Order No. 117 dated 11 April 2025, which states that the assessment of the information security status should be based on a security indicator characterizing the current state of information protection against the basic level of cyber threats. Under the provisions of the methodology, the security indicator is determined by assessing compliance with the requirements for the organization and management of information security, the protection of information system users, the protection of the information systems themselves, information security monitoring, and response to cyber incidents. In addition, Decree of the President of the Russian Federation No. 250 dated 1 May 2022 "On additional measures to ensure the information security of the Russian Federation" required key Russian organizations to take measures to assess the level of security of their information systems and to report the results of the assessment, which underlines the importance of prompt security analysis in the face of a sharp surge in cyber threats and the growing intensity of cyber attacks.


The NIST special publication SP 800-115 "Technical Guide to Information Security Testing and Assessment" describes security assessment as the process of determining how effectively and completely the evaluated object (host, system, network, procedure, employee) meets its information security requirements; the results of the security analysis are used to determine whether the security measures applied to the object are correct. The main types of security analysis according to NIST SP 800-115 are:

  ·  testing: evaluating an object under specified conditions to compare its expected and actual behavior;

  ·  assessment (examination): checking, inspecting, reviewing, observing, studying or analyzing an object to gain understanding and obtain evidence that the protective measures are in place and working;

  ·  interviewing: discussing an object with employees of the organization to gain understanding and obtain evidence that the protective measures are in place.


The methodology for conducting security analysis in accordance with the provisions of NIST SP 800-115 should include at least the following steps:


1. Planning:


Develop the analysis approach and collect the information needed to perform it, including the list of objects to be assessed, the list of cyber threats to the assets, and the possible protection measures against those threats. Each security analysis engagement should be run according to project management principles: a project plan; the goals, objectives and boundaries of the project; requirements, constraints, success criteria, assumptions and available resources; a list of roles and responsible persons; a timeline; and the expected deliverables. During planning it is important to establish a policy for conducting security analysis; to prioritize and schedule the necessary activities; to select and tune the analysis techniques and tools (taking into account the possible damage to the infrastructure during the analysis and the data processed in the evaluated system); to select a suitable specialist or external company to conduct the analysis; to decide on the format of the assessment (remote or on the customer's site); to select the tools and resources for the analysis; to settle legal issues (for example, allocating responsibility in case of an accidental leak of protected data or disruption of services during invasive testing); and to develop a detailed procedure for conducting the analysis and/or the Rules of Engagement (ROE) for the project.


2. Execution:


Application of the selected method and security analysis tools to identify vulnerabilities and verify whether they are exploitable. During execution, the auditors/pentesters/Red Team members and those responsible for the system under analysis must coordinate their actions: this gives the performers the necessary authority, keeps the responsible staff informed, avoids running assessments during system updates or periods of peak load, and allows the analysis to be suspended in the event of a real incident or if malicious activity is detected in the evaluated system. The security analysis should be carried out in accordance with the developed procedure and with the predicted consequences of the analysis in mind. The following difficulties also need to be taken into account: possible resistance from the system owners or users (addressed by obtaining approval from the heads of the organization); a lack of realism (for example, stricter security policies applied to the system for the duration of the assessment); immediate elimination of identified deficiencies by the responsible staff in violation of the established change management procedures; the choice of a time window for the analysis (which may reduce the realism of the check); possible negative consequences of the analysis (which is why all actions of the auditors should be logged); and a lack of resources and qualifications for detailed analysis, including when working with the newest technologies. As part of the execution phase, the security analysts perform an initial assessment of the identified deficiencies and vulnerabilities, re-scanning or analyzing manually where there is doubt.
At the execution stage, it is important to follow the rules for secure handling of the data obtained, including the information collected about the architecture and configuration of the analyzed objects and the logs of the auditors' actions during the security analysis. It is also important to maintain the confidentiality of the documents used in the security analysis project: the analysis procedure or Rules of Engagement, documentation on the infrastructure and the objects under analysis, security scanner results and reports from automated analysis tools, the report on the analysis performed, and the plan of proposed corrective actions. Confidentiality must be ensured when transferring and storing the data obtained, including through cryptographic protection, and documents must be securely destroyed or anonymized after the work is complete, guided among other things by NIST SP 800-88 "Guidelines for Media Sanitization".


3. Post-testing activities:


At the final stage, a detailed analysis of the identified vulnerabilities is performed, the root causes of their occurrence are determined, recommendations are developed to eliminate the discovered vulnerabilities and a plan of proposed corrective actions to increase the level of cyber security of the organization, and a final report is issued with the results of the security analysis project. 


Examples of common root causes of vulnerabilities and weaknesses are:

  ·  Disadvantages of the patch management process: late installation of security updates, installation of patches not on all vulnerable systems — to improve the quality of this process, you can use the recommendations of the NIST SP 800-40 document "Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology", which we wrote about earlier;

  ·  Disadvantages of the cyber threat management process: incorrect or insufficiently strict rules configured on information security tools, lack of network segmentation, insufficient filtering of mail and web traffic, etc.;

  ·  Disadvantages in reference images and Baseline configurations, lack of hardening - that is, secure device configuration according to manufacturers' recommendations and best information security practices;

  ·  Shortcomings in the processes of developing secure software (SSDLC, Secure Software Development Lifecycle), lack of AppSec practices in the development and customization of software in the organization;

  ·  Architectural deficiencies of information systems, including the absence or incorrect integration of security technologies;

  ·  Deficiencies in cyber incident management processes and procedures;

  ·  Poor awareness and preparedness of users and administrators regarding cyber threats and information security incidents.


The security analysis steps described in NIST SP 800-115 can be applied to various types of security assessment, including information security audits, vulnerability scans, pentests, Red Team assessments, cyber exercises and Bug Bounty programs. Let's look at each type of security analysis in more detail.


1.  An information security audit is a check of the completeness and effectiveness of the information security management system (ISMS), including verification that organizational and technical measures have been implemented and an assessment of the ISMS's compliance with the requirements of internal and external regulations. An information security audit checks the adequacy and correctness of organizational measures, including the information security policies, standards, regulations, procedures and instructions in place, and assesses the level of information security awareness of the company's employees. To evaluate technical measures, the configurations of information systems, network equipment and individual devices (servers, workstations) are checked, as well as the settings of the existing EDR/XDR, SIEM, DLP, traffic filtering systems, etc. To assess the degree of compliance, the implementation of both organizational and technical measures is checked against regulatory requirements (internal regulatory documents, industry standards, state regulatory legal acts). An audit can be internal or external: an internal information security audit is carried out by dedicated employees of the organization itself and is an ongoing process of evaluating the completeness and effectiveness of the ISMS, with individual countermeasures adjusted based on its results, whereas an external information security audit is run as a project and is carried out to meet regulatory requirements or by decision of the organization's management.


2.  Vulnerability scanning is the automated detection of vulnerabilities and configuration flaws in a company's infrastructure. Vulnerabilities are flaws in the development, implementation or configuration of information systems or security tools that attackers can use in cyber attacks. Vulnerability scanners help automate the detection of vulnerabilities and configuration flaws: they perform various types of scans (banner reading, authenticated scanning, agent-based scanning, retro scanning), and they also read the current system settings and evaluate them against manufacturers' recommendations and best information security practices. Such scanning is performed, for example, by the Security Vision VM (Vulnerability Management), Security Vision VS (Vulnerability Scanner) and Security Vision SPC (Security Profile Compliance) products. Vulnerability scanners use various vulnerability registries, such as the FSTEC of Russia Data Security Threats Database and the Common Vulnerabilities and Exposures (CVE) database, in which CVE records are linked to the Common Weakness Enumeration (CWE), a classifier of the software development errors that lead to vulnerabilities. It is also important to remember that vulnerabilities can be weaknesses in the organization of corporate processes; these cannot be detected by automated security scanners, but only through incident investigation or as part of information security audits, pentests and Red Team assessments.
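As an added example (not from the original article and not code from Security Vision's products), the following Python script shows the normalization step that sits behind the scanning described above: it merges the same vulnerability reported by two scanners on one host, orders findings by CVSS score, and, using an asset inventory, flags the root cause listed earlier in which a patch was installed on some hosts of a group but not on all of them. It also treats a host that was only banner-scanned as "unverified" rather than "patched", because a banner check cannot prove that a vulnerability is absent. All host names, CVE identifiers, CWE references, scores and the asset inventory are constructed placeholders, not real advisories or real scanner output.

```python
"""Normalize constructed vulnerability-scanner findings, link them to CWE
weaknesses and flag incomplete patch rollouts across hosts of one asset group."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: findings as two scanners might report them after a patch
# cycle. CVE numbers, CWE references and CVSS scores are placeholders only.
SCAN_RESULTS = [
    # (scanner, host, cve, cvss, cwe, authenticated_scan)
    ("scanner-A", "web-01", "CVE-0000-0001", 9.8, "CWE-787", True),
    ("scanner-B", "web-01", "CVE-0000-0001", 9.0, "CWE-787", False),  # same vuln seen twice
    ("scanner-A", "web-02", "CVE-0000-0001", 9.8, "CWE-787", True),
    ("scanner-A", "web-03", "CVE-0000-0002", 5.3, "CWE-79", False),
    ("scanner-A", "db-01", "CVE-0000-0003", 7.5, "CWE-89", True),
]

# Constructed asset inventory: hosts that run the same software build, so a patch
# applied to one of them should have been rolled out to all of them.
ASSET_GROUPS = {
    "web-01": "web-frontend", "web-02": "web-frontend", "web-03": "web-frontend",
    "db-01": "database",
}

# Constructed scan coverage: how each host was examined. Without this, a host
# with no findings cannot be told apart from a host the scanner could not see into.
SCAN_COVERAGE = {
    "web-01": "authenticated", "web-02": "authenticated",
    "web-03": "banner", "db-01": "authenticated",
}


@dataclass
class Finding:
    host: str
    cve: str
    cwe: str
    cvss: float
    scanners: set = field(default_factory=set)
    verified: bool = False  # True if at least one authenticated scan confirmed it


def normalize(raw):
    """Merge duplicate reports of the same (host, CVE) from several scanners,
    keeping the highest CVSS score and recording whether any authenticated scan saw it."""
    merged = {}
    for scanner, host, cve, cvss, cwe, authenticated in raw:
        finding = merged.setdefault((host, cve), Finding(host, cve, cwe, cvss))
        finding.cvss = max(finding.cvss, cvss)
        finding.scanners.add(scanner)
        finding.verified = finding.verified or authenticated
    return merged


def prioritize(merged):
    """Order findings by CVSS; at equal scores, confirmed findings come first."""
    return sorted(merged.values(), key=lambda f: (-f.cvss, not f.verified, f.host))


def incomplete_rollouts(merged, groups, coverage):
    """For each CVE, find asset groups where some hosts still carry it and others do
    not. Clean hosts that were only banner-scanned are reported as 'unverified',
    since the missing finding may be a scanner blind spot rather than an applied patch."""
    hosts_by_group = defaultdict(set)
    for host, group in groups.items():
        hosts_by_group[group].add(host)
    affected = defaultdict(set)
    for host, cve in merged:
        affected[cve].add(host)
    report = {}
    for cve, hosts in affected.items():
        for group in {groups[h] for h in hosts}:
            peers = hosts_by_group[group]
            clean = peers - hosts
            if not clean:
                continue  # every host in the group is still vulnerable: no partial rollout
            report[(cve, group)] = {
                "vulnerable": sorted(hosts & peers),
                "patched": sorted(h for h in clean if coverage.get(h) == "authenticated"),
                "unverified": sorted(h for h in clean if coverage.get(h) != "authenticated"),
            }
    return report


if __name__ == "__main__":
    findings = normalize(SCAN_RESULTS)
    for f in prioritize(findings):
        print(f"{f.cvss:4.1f} {f.cve} {f.cwe} {f.host} seen_by={sorted(f.scanners)} verified={f.verified}")
    for (cve, group), detail in incomplete_rollouts(findings, ASSET_GROUPS, SCAN_COVERAGE).items():
        print(f"{cve} in group {group}: {detail}")
```

In the constructed data, CVE-0000-0001 is confirmed on web-01 and web-02 but absent on web-03, which was only banner-scanned; the script reports web-03 as unverified rather than patched, so the analyst knows to re-scan it with credentials before closing the finding. CVE-0000-0002, by contrast, is present on web-03 and confirmed absent on its authenticated peers, which points to the patch-management gap described above: the fix reached two of three hosts.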


3.  A pentest (penetration test) is a controlled cyberattack conducted to find weaknesses in a company's cyber defense and subsequently raise its security level. Pentests are conducted by the black, gray and white box methods, which differ in how much the pentesters know in advance about the object under study (infrastructure, network, system). Like information security audits, pentests can be internal or external: an internal pentest simulates an attack by an insider from within the corporate network, and an external one reproduces the actions of a third-party attacker (a hacker, hacktivist, cybercriminal, etc.). Pentests can also be covert or overt: a covert pentest is performed without warning the IT administrators and information security staff (only selected managers of the company under review know about it), which simulates a sudden cyberattack in real conditions, whereas in an overt pentest the company's employees are aware of the testing, which reduces the potential damage from a successful training cyberattack and also lets the company's specialists see first-hand exactly how attackers operate. Pentest checks can be automated with Breach and Attack Simulation (BAS) systems, which simulate intrusions and cyber attacks, and with the Continuous Penetration Testing (CPT) service offered by some cybersecurity vendors. External Attack Surface Management (EASM) systems let you look at your infrastructure through the eyes of an attacker: they continuously discover, analyze and prioritize exposed assets, vulnerabilities and potential cyber attack vectors.


4.  Red Team assessments (Red Teaming) simulate the actions of professional, motivated cybercriminals over an extended period, using various cyber attack vectors to achieve pre-agreed conditional goals (for example, compromising a privileged account, gaining access to a "secret document", or making an unauthorized transfer of 1 ruble to the account of a third-party company). In a Red Teaming engagement, the "attacking" information security experts apply the current tactics, techniques and procedures of adversaries observed in real attacks in the wild, conduct detailed preliminary reconnaissance, use social engineering and physical intrusion into the premises of the company under review, search for new vulnerabilities and use custom-written exploits, and try to remain undetected throughout the Red Team project. This type of security analysis provides the most up-to-date and accurate picture of a company's cybersecurity under conditions as close to real as possible; however, Red Teaming projects last a long time (up to several months), require the involvement of top information security experts (white hats, i.e. ethical hackers) and are therefore quite expensive, and they can also distract the attention of the company's information security team from real attacks by real cybercriminals.


5.  Cyber exercises are company-scale simulations of cyber attacks intended to train the defenders and improve their coordination, and to raise awareness of the various types of threats and ways of countering them. Cyber exercises are conducted as theoretical (table-top) exercises and practical drills, as Capture The Flag (CTF) competitions, and in other variations that differ in the realism of the simulated cyber attacks and of the staff's actions. A cyber range can be used to automate and support cyber exercises: a virtual infrastructure in which elements of a real company (networks, servers, applications, users) are modeled and attacks and responses to them are played out. Besides the Red Team (attackers), the Blue Team (defenders, i.e. information security specialists from the SOC or the incident response team) takes part in cyber exercises, and the following may also participate: the Purple Team (a joint Red Team and Blue Team, in which the attackers share data with the defenders to develop the most effective countermeasures), the Yellow Team (the development team, which receives information about current cyber attack vectors and techniques from the Red Team and about optimal countermeasures from the Blue Team), and the White Team (management and organizers, who monitor the correctness of the Red and Blue Team members' work and actions, develop methodologies and policies, and monitor compliance with legal requirements).


6.  A Bug Bounty program is a way to detect vulnerabilities and security flaws by engaging information security researchers (bug hunters) on a commercial basis. For a monetary reward, researchers are invited to find an error or vulnerability in a website, service, infrastructure or application within defined rules, providing detailed reports on the flaws found. This method allows companies to attract a wide range of information security specialists to detect vulnerabilities and improve security, and for ethical hackers it can be a good way to apply their skills and earn money doing so.

 

In addition to NIST SP 800-115, there are a number of other methodologies and frameworks for security analysis:

 -  OWASP Web Security Testing Guide (WSTG);

 -  OWASP Mobile Application Security (MAS);

 -  OWASP Firmware Security Testing Methodology (FSTM);

 -  PCI DSS Penetration Testing Guidance;

 -  Open Source Security Testing Methodology Manual (OSSTMM).

 

Various tools can be used to analyze security, from the well-known Kali Linux distribution to a variety of Open Source utilities, some of which are listed on the OWASP project page and in various GitHub repositories.
