Just as secure software relies on extensive testing throughout the development
process to dig out bugs, glitches and interoperability issues (see Hacker
challenges fall short), secure networks require regular assessment to expose
policy problems, misconfigurations and architecture flaws.
While vigilant administration should uncover most of those issues, the complexity
and fluidity of modern networks renders it all but impossible to catch every
security problem in the normal course of business.
The good news is that businesses are much less resistant to auditing and assessment
than they are to most other security measures. Assessments are outsourced easily—indeed,
third parties are often necessary to develop a thorough and accurate picture
of the situation—and companies have increasingly begun to view security
as simply another type of audit. Security firms have stepped up to the plate,
offering a wide range of different assessment services, as have the Big Five
The bad news is that companies regularly ignore the results of their own assessments,
rendering them all but useless. From a manager's perspective, much of the allure
of a third-party audit lies in its inobtrusiveness. By writing a check, a CTO
can "do something about security" with little or no planning or disruption
of normal business practices. Implementing the resulting recommendations is
an entirely different matter, often requiring substantial changes in operating
procedures, software configuration and/or network architecture. It is often
much easier to defer implementation indefinitely and write off the costs as
a security expenditure, when, in fact, any improvements to overall security
may be negligible at best.
The worst examples of that phenomenon are typically associated with policy
audits. The vast majority of network security weaknesses stem from non existent,
poorly developed or unenforced security policies. As such, policy adjustments
are likely to provide the most "bang for the buck" in terms of improved
security, and thus are prime focal points for auditing.
Implementing the recommendations of vulnerability as sessments often meets
less re sistance from both man age- ment and staff, in large part be cause the
burden falls al most exclusively upon the IT staff. Managers are often un willing
to provide the necessary re sources to overworked systems administrators. As
a result, the work is often done in a makeshift fashion. Changes that may limit
or disrupt network functionality are often deferred.
The single most important thing to realize when considering a security audit
or assessment is that it is only the beginning of the process, and it will do
no good without determined follow-through. Resources available for security
are simply too scarce to be spent on theoretical exercises that won't show appreciable