As businesses continue putting their infrastructure jewels online
via Web-enabled e-commerce sites, the importance of security and
privacy becomes increasingly critical. A crucial way of addressing
this need to protect the company Web site is to conduct a security
vulnerability assessment (SVA)--a security audit or ethical penetration
test, as an SVA is also known.
Your infrastructure requires seamless information access so that you can deliver the level of service that your customers have grown to expect. Dealing with security vulnerabilities on your Web site and your internal networks is not optional. You want to deliver services without worrying whether the systems you or your customers are using are vulnerable to wily hackers.
How an SVA works
If an outside consultancy is performing a network SVA, they'll ask your CIO to sign a form which entitles them to do one. You can have this document reviewed by your legal counsel, and be sure there is a section that proclaims the audit results to be as confidential as possible. You don't want your audit report showing up as market data on a Web site without your prior consent.
Prepare yourself by bringing all your security processes, procedures, and network maps to the audit interview. Expect the audit interviewer to ask to keep these copies and not return them. It is appropriate for at least one senior member of the management team, and one person knowledgeable about security and network technology to attend such a session. After the in-person audit interview is complete, they will want to schedule up to a week's time to perform the penetration test on all your networks, and possibly longer depending upon the size of your network infrastructure. If they are clever, they will poke at both the TCP and UDP ports. Less clever auditors, and sometimes very well-known technology organizations, have been known to neglect the UDP ports. A knowledgeable security engineer viewing the logs on your corporate firewall can ascertain which ports are being prodded.
If you are having the audit done for a potential acquisition inspection, make sure that you find an auditor that will check UDP as well as TCP ports. A best-of-breed SVA usually starts out by doing some data gathering and looking for reconnaissance information. Some of the kinds of data the auditor will look for are such things as trying to retrieve your routing table, trying to see if they can obtain ICMP netmasks, looking for IRC servers, looking for SSH configuration information, and looking for password files. They will also check for an assortment of vulnerabilities associated with file transfer protocols, hardware peripherals, hacker Trojans and backdoors, SMTP and messaging problems, network file system vulnerabilities, and Web site and CGI holes. Checking for denial of service attacks, Intrusion Detection System functionality, and UDP ports is something that sets the premiere auditors apart from the rest.
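The article says that a security engineer reading the corporate firewall logs can tell which ports an auditor actually prodded, and that UDP coverage separates thorough auditors from the rest. The following is an added example (not code from the article) of that check: it parses iptables-style syslog lines (an assumed format; the log lines and the addresses are constructed for illustration) and reports, per source address, which TCP and UDP destination ports were touched and whether UDP was probed at all.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines in an assumed iptables-style syslog format.
# 203.0.113.10 plays a thorough auditor (TCP and UDP); 198.51.100.7 a TCP-only one.
SAMPLE_LOG = """\
Mar  3 10:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=41002 DPT=22 SYN
Mar  3 10:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=41003 DPT=80 SYN
Mar  3 10:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=41004 DPT=443 SYN
Mar  3 10:01:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=UDP SPT=41005 DPT=161
Mar  3 10:01:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=UDP SPT=41006 DPT=53
Mar  3 10:01:06 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:02:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=5123 DPT=25 SYN
Mar  3 10:02:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=5124 DPT=110 SYN
"""

# Only TCP and UDP records carry a destination port; ICMP lines are left out on purpose.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>TCP|UDP) .*?DPT=(?P<dpt>\d+)")


def ports_by_source(log_text):
    """Map each source address to {protocol: set of destination ports it probed}."""
    result = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # no PROTO/DPT pair (e.g. ICMP), or an unrelated log line
        result[m["src"]][m["proto"]].add(int(m["dpt"]))
    return result


def coverage_report(log_text, auditor_src):
    """Summarise what the auditor's address touched and flag a missing UDP sweep."""
    probes = ports_by_source(log_text).get(auditor_src, {})
    tcp = sorted(probes.get("TCP", ()))
    udp = sorted(probes.get("UDP", ()))
    return {"tcp_ports": tcp, "udp_ports": udp, "udp_covered": bool(udp)}


if __name__ == "__main__":
    for src in ("203.0.113.10", "198.51.100.7"):
        print(src, coverage_report(SAMPLE_LOG, src))
```

Run it against your own firewall export with the auditor's source address (which the engagement form should state) in place of the constructed ones.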
Make sure you receive a copy of the report, and make sure it lists the risks in order of their severity. It will then be possible for you to systematically correct the network weaknesses that expose your information technology infrastructure--and your customers'--to a multitude of threats and attacks. Ask for all related diagrams and network maps associated with your vulnerability report. The report should summarize, in ranked order, the potential threats, as well as the recommended action to take to remediate each vulnerability. Your team can then work on remediating as many of the vulnerabilities as possible and then determine what they are unable to resolve. In the end, you can decide if it makes sense to hire an outside consultancy to resolve the final outstanding issues.
An SVA demonstrates your management's due diligence to assure
site availability, data integrity, and information protection
for your organization and your customers. It does not, however,
guarantee that your site cannot be successfully attacked or
compromised. The report does give you a profile of what your
security posture looks like at a given snapshot in time. This
profile can be used as a guide for tracing historical unsavory
network activity as well as to secure weak links in your network
and system infrastructure, helping you mitigate the risk of future
system and network compromises.