As businesses continue putting their infrastructure jewels online
via Web-enabled e-commerce sites, the importance of security and
privacy becomes increasingly critical. A crucial way of addressing
this need to protect the company Web site is to conduct a security
vulnerability assessment (SVA)--a security audit or ethical penetration
test, as an SVA is also known.
Your infrastructure requires seamless information access so that
you can deliver the level of service that your customers have
grown to expect. Leaving security vulnerabilities on your
Web site and your internal networks unaddressed is not an option. You want
to deliver services without worrying whether the systems you or your
customers are using are vulnerable to wily hackers.
How an SVA works
If an outside consultancy is performing a network SVA, they'll
ask your CIO to sign a form which authorizes them to do one. You
can have this document reviewed by your legal counsel, and be
sure there is a section that declares the audit results
confidential. You don't want your audit report
showing up as market data on a Web site without your prior consent.
Prepare yourself by bringing all your security processes, procedures,
and network maps to the audit interview. Expect the audit interviewer
to ask to keep these copies and not return them. It is appropriate
for at least one senior member of the management team and one
person knowledgeable about security and network technology to
attend such a session. After the in-person audit interview is
complete, they will want to schedule up to a week's time to
perform the penetration test on all your networks, and possibly
longer depending upon the size of your network infrastructure.
If they are clever, they will poke at both the TCP and UDP ports.
Less clever auditors, and sometimes very well-known technology
organizations, have been known to neglect the UDP ports. A knowledgeable
security engineer viewing the logs on your corporate firewall
can ascertain which ports are being prodded.
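One way to make that check from the firewall logs, written as an added example rather than anything from the original article: it parses connection attempts, tallies the destination ports each source touched per protocol, and reports whether the auditor's address probed any UDP ports at all. The log format and the sample lines are constructed assumptions, not a real vendor format.

```python
import re
from collections import defaultdict

# Constructed sample log (assumed generic format, not a real device's):
# "<time> ALLOW|DENY <proto> <src>:<sport> -> <dst>:<dport>".
SAMPLE_LOG = """\
2001-03-05T02:11:04 DENY TCP 203.0.113.7:40112 -> 192.0.2.10:22
2001-03-05T02:11:04 DENY TCP 203.0.113.7:40113 -> 192.0.2.10:25
2001-03-05T02:11:05 DENY TCP 203.0.113.7:40114 -> 192.0.2.10:80
2001-03-05T02:11:09 DENY UDP 203.0.113.7:40115 -> 192.0.2.10:161
2001-03-05T02:11:09 DENY UDP 203.0.113.7:40116 -> 192.0.2.10:53
2001-03-05T02:12:30 ALLOW TCP 198.51.100.4:51000 -> 192.0.2.10:443
2001-03-05T02:13:01 DENY TCP 198.51.100.9:3300 -> 192.0.2.11:21
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def probed_ports(text):
    """Map source IP -> {'TCP': set of dports, 'UDP': set of dports}.
    Allowed and denied attempts both count: a probe of an open port is
    ALLOWed by the firewall, yet it is still part of the auditor's sweep."""
    hits = defaultdict(lambda: {"TCP": set(), "UDP": set()})
    for rec in parse_log(text):
        hits[rec["src"]][rec["proto"]].add(int(rec["dport"]))
    return hits

def udp_coverage(text, auditor_ip):
    """Return (tcp_ports, udp_ports, udp_covered) for the auditor's address.
    udp_covered is True only if at least one UDP port was probed."""
    ports = probed_ports(text).get(auditor_ip, {"TCP": set(), "UDP": set()})
    tcp, udp = sorted(ports["TCP"]), sorted(ports["UDP"])
    return tcp, udp, bool(udp)

if __name__ == "__main__":
    tcp, udp, ok = udp_coverage(SAMPLE_LOG, "203.0.113.7")
    print("TCP ports probed:", tcp, "UDP ports probed:", udp, "UDP covered:", ok)
```

A source that appears in the TCP column only, like 198.51.100.9 in the sample, is exactly the "less clever auditor" case the text warns about.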
If you are having the audit done for a potential acquisition
inspection, make sure that you find an auditor that will check
UDP, as well as TCP ports. A best-of-breed SVA usually starts
out by gathering data and looking for reconnaissance
information: trying to retrieve your routing table,
trying to obtain ICMP netmasks, looking for
IRC servers, looking for SSH configuration information, and
looking for password files. The auditor will also check
for an assortment of vulnerabilities
associated with file transfer protocols, hardware peripherals,
hacker Trojans and backdoors, SMTP and messaging problems, network
file system vulnerabilities, and Web site and CGI holes. Checking
for denial of service attacks, Intrusion Detection System functionality,
and UDP ports is something that sets the premiere auditors apart
from the rest.
Make sure you receive a copy of the report, and make sure it
lists the risks in order of their severity. It will then be
possible for you to systematically correct the network weaknesses
that expose your information technology infrastructure--and
your customers'--to a multitude of threats and attacks. Ask
for all related diagrams and network maps associated with your
vulnerability report. The report should summarize, in ranked
order, the potential threats, as well as the recommended action
to take to remediate each vulnerability. Your team can then work
on remediating as many of the vulnerabilities as possible and
then determine what they are unable to resolve. In the end,
you can decide if it makes sense to hire an outside consultancy
to resolve the final outstanding issues.
An SVA demonstrates your management's due diligence to assure
site availability, data integrity, and information protection
for your organization and your customers. It does not, however,
guarantee that your site cannot be successfully attacked or
compromised. The report does give you a profile of what your
security posture looks like at a given snapshot in time. This
profile can be used as a guide for tracing historical unsavory
network activity, as well as to secure weak links in your network
and system infrastructure, helping you mitigate the risk of future
system and network compromises.