Assessing network security

Expert advice only helps if you listen.

Just as secure software relies on extensive testing throughout the development process to dig out bugs, glitches and interoperability issues (see Hacker challenges fall short), secure networks require regular assessment to expose policy problems, misconfigurations and architecture flaws.

While vigilant administration should uncover most of those issues, the complexity and fluidity of modern networks renders it all but impossible to catch every security problem in the normal course of business.

The good news is that businesses are much less resistant to auditing and assessment than they are to most other security measures. Assessments are outsourced easily—indeed, third parties are often necessary to develop a thorough and accurate picture of the situation—and companies have increasingly begun to view security as simply another type of audit. Security firms have stepped up to the plate, offering a wide range of different assessment services, as have the Big Five consultancies.

The bad news is that companies regularly ignore the results of their own assessments, rendering them all but useless. From a manager's perspective, much of the allure of a third-party audit lies in its inobtrusiveness. By writing a check, a CTO can "do something about security" with little or no planning or disruption of normal business practices. Implementing the resulting recommendations is an entirely different matter, often requiring substantial changes in operating procedures, software configuration and/or network architecture. It is often much easier to defer implementation indefinitely and write off the costs as a security expenditure, when, in fact, any improvements to overall security may be negligible at best.

The worst examples of that phenomenon are typically associated with policy audits. The vast majority of network security weaknesses stem from non existent, poorly developed or unenforced security policies. As such, policy adjustments are likely to provide the most "bang for the buck" in terms of improved security, and thus are prime focal points for auditing.

Implementing the recommendations of vulnerability as sessments often meets less re sistance from both man age- ment and staff, in large part be cause the burden falls al most exclusively upon the IT staff. Managers are often un willing to provide the necessary re sources to overworked systems administrators. As a result, the work is often done in a makeshift fashion. Changes that may limit or disrupt network functionality are often deferred.

The single most important thing to realize when considering a security audit or assessment is that it is only the beginning of the process, and it will do no good without determined follow-through. Resources available for security are simply too scarce to be spent on theoretical exercises that won't show appreciable results.