There is an irrefutable truth that we have to deal with: Our information security systems are vulnerable to intruder attacks. Hackers are everywhere and they are constantly probing our networks for weaknesses. These attacks can originate from outside or inside our organization. There is no denying it. You are going to get hit. How prepared are you in understanding the damage the attacker can do and how do you prepare yourself for the attack? The key to Internet security is to be proactive. The solution is to perform vulnerability assessments and penetration testing.
What is the difference between vulnerability assessment and penetration testing?
Before we define what a vulnerability assessment is, perhaps we should begin by defining the term vulnerability. In computer and information security terms, a vulnerability refers to a weakness in a system allowing an attacker to violate its confidentiality, integrity or availability. Vulnerability assessment then is the process of determining the weaknesses in a system or network architecture that could be exploited. Vulnerability scanning, therefore, is the process of identifying vulnerabilities in a network to determine if and where a system can be exploited. Vulnerability scanning typically employs software that uses a database of known flaws and checks if those flaws exist in the target system. A vulnerability assessment will stop just short of compromising information. That is, a vulnerability assessment is an information gathering process.
Penetration testing, on the other hand, is the process of attempting to gain access to the system. A successful penetration would lead to obtaining or subverting sensitive information (breach of confidentiality), modifying information (breach of integrity) or rendering the systems inoperable (breach of availability).
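The scanning step described above, checking a target against a database of known flaws, is sketched below as an added example; it is not part of the original article. Every host, product name, version and flaw ID is constructed, and the check only compares gathered version information, so it stays on the information-gathering side and attempts no access.

```python
# Added example: every product name, version and flaw ID below is constructed.
from dataclasses import dataclass

def parse_version(text):
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

@dataclass(frozen=True)
class KnownFlaw:
    flaw_id: str    # placeholder identifier, not a real advisory
    product: str
    fixed_in: str   # first version that no longer has the flaw
    impact: str     # confidentiality, integrity or availability

# Constructed "database of known flaws".
FLAW_DB = [
    KnownFlaw("EXAMPLE-0001", "examplehttpd", "2.4.10", "confidentiality"),
    KnownFlaw("EXAMPLE-0002", "examplehttpd", "2.2.0", "availability"),
    KnownFlaw("EXAMPLE-0003", "examplemail", "1.9.3", "integrity"),
]

# Constructed inventory: (host, product, installed version) gathered by the assessment.
INVENTORY = [
    ("web01", "examplehttpd", "2.4.9"),
    ("web02", "examplehttpd", "2.4.10"),
    ("mail01", "examplemail", "1.10.0"),   # newer than 1.9.3 only when compared numerically
    ("db01", "exampledb", "5.1"),          # product not in the database: nothing to report
    ("old01", "examplehttpd", "2.1.7"),
]

def assess(inventory, flaw_db):
    """Report hosts running a version older than the fix. Nothing is exploited."""
    findings = []
    for host, product, installed in inventory:
        for flaw in flaw_db:
            if flaw.product != product:
                continue
            if parse_version(installed) < parse_version(flaw.fixed_in):
                findings.append((host, flaw.flaw_id, flaw.impact))
    return findings

if __name__ == "__main__":
    for host, flaw_id, impact in assess(INVENTORY, FLAW_DB):
        print(f"{host}: {flaw_id} (risk to {impact})")
```

A plain string comparison would report mail01 as vulnerable, because "1.10.0" sorts before "1.9.3" as text; false positives of that kind are one reason scanner findings are reviewed before they are acted on.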
There are several reasons why organizations should perform vulnerability assessments and penetration testing. First, these activities help identify threats facing your organization’s information assets. With this information you can quantify your information risk and provide adequate information security funding. This results in a reduction of your organization’s IT security cost and provides you with a better return on IT security investment by identifying and resolving vulnerabilities and weaknesses. Maintaining a secure computing environment provides your organization (and management) with a reasonable assurance that adequate controls are in place to limit the risk of exposure to hacker attacks.
More importantly, performing a vulnerability assessment and penetration testing allows you to find the holes in your security architecture before someone else does. Hackers employ a number of automated tools and network attacks looking for ways to penetrate systems. In this day and age of regulatory compliance (Sarbanes-Oxley, GLBA, FDIC, HIPAA), penetration testing is a way to identify gaps in compliance.
Performing your own testing also provides two more valuable benefits. First, it provides security training for the network staff, because it offers a chance to recognize and respond to a network attack. Second, it provides an ideal time to test new technology/systems before they go live on production systems.
What are the different types of tests we can use to help find out the security of our networking environment?
1. External penetration testing – As the name implies, this test focuses on determining the network weaknesses from outside our network. The main focus is on the servers, infrastructure and the underlying software (operating system and applications). This type of test can be performed with no prior knowledge of the site (also known as “black box” testing), or with full disclosure of the topology and environment (also known as “white box” testing). The external penetration test typically involves a comprehensive analysis of publicly available information, a network enumeration phase where target hosts are identified and analyzed, and the analysis of perimeter security devices such as firewalls and routers.
2. Internal security assessment – Similar to the external penetration test, this test involves a view of the security posture from inside the network. Testing is typically performed from a variety of network access points including partner company (extranet) connections.
3. Application security assessments – This assessment identifies and assesses the threats to the network infrastructure through vendor, proprietary applications or systems (especially Internet-facing web applications). These applications may provide interactive access to potentially sensitive materials. This is a very important test because an organization can have a strong perimeter security posture but weak application security that can expose a company’s critical data.
4. Wireless and/or remote access security assessment – The proliferation of wireless networks (such as Wi-Fi) increases the risk of unauthorized access to corporate resources. If your organization has a wireless network, it is vital that you determine if its deployment and configuration are secure.
5. Telephony security assessment – This assessment addresses the security concerns related to corporate voice technologies including PBX, modem use and voice over IP. The use of these technologies may increase the potential risk of eavesdropping.
6. Social engineering – Not all of the exposures will be technical in nature. In fact, the biggest weakness in information technology often involves tricking people into breaking normal security procedures.
Testing should be performed at least annually, or more frequently if changes are made to your network infrastructure (or if you find that your systems are constantly under attack). Vulnerability assessments and penetration testing are responsible, proactive ways to address hacker attacks – by anticipating what hackers will do and eliminating any security problems before the hackers get into your network.
Mark Edmead, MBA, CISSP, CISA, is an information security consultant with over 25 years of experience in computer systems architecture, information security and project management. He is a principal partner with MTE Advisors in Escondido, Calif. He can be reached at mark(at)mteadvisors.com.
Copyright August-September 2007 Western Banking (BankNews Publications)