CFO Accounting Alert

Understanding IT Security Testing
 

Understanding Security Testing

Information technology systems are the hub of business. They are the keepers of valuable information, the gateway to a business’ inner workings, and they interconnect in complex ways that make business run smoothly. But even though a company may have policies and software in place to keep its systems secure, how does it know that its systems are in fact so?

Through the implementation of security testing, businesses can utilize two proven methods designed to detect system flaws: vulnerability assessments and penetration tests. Each method gathers information about the security of a system, but with different goals in mind. When considering conducting a security test, it is important to have an understanding of these two processes in order to get the information you need to maintain the security of your business’ technology environment.

Vulnerability Assessments

A vulnerability assessment is a full assessment of a business’ information systems. It is conducted in a manner that is thorough and does not hinder daily business activities. Security Auditors utilize this proven methodology based on NIST 800-42 standards to identify and catalogue the level of vulnerabilities in networks, servers, databases, firewalls, routers, and other critical applications, with the goal of preventing attacks in mind. The following points describe the steps typically involved in conducting vulnerability assessments:

  • Information Gathering – During this phase of the vulnerability assessment, the Security Auditor gathers information about the company's network via various automated tools.

  • Port Scanning / Network Mapping – The Security Auditor conducts scans of the company's networks in order to discover any rogue web servers that may be broadcasting from printers, routers, switches, mainframes, desktops, and servers. This process is also designed to identify services installed by default on network appliances. Rogue servers are a security risk because they often do not follow a company’s security standards.

  • Rogue Review – The Security Auditor reviews network traffic, which allows for the identification of other unauthorized applications, modems, or system configurations.

  • Firewall Rule Testing – This process evaluates the strength of the firewall's configuration. Inappropriate rule sets or conflicting rule sets can be identified and any firewall “backdoors” can be discovered. The placement of vulnerable systems behind the firewall can also be assessed.

  • Vulnerability Scanning – Security Auditors utilize automated tools to test system servers, routers, switches, mainframes, and databases. This procedure identifies potential vulnerabilities in the system and can confirm that system patching is consistent and appropriate.

  • Password Testing – Using various tools, the Auditor assesses the effectiveness of passwords on servers, mainframes, and routers. This provides valuable feedback on whether or not passwords are present, effective, or complex enough to keep the company's systems secure.

  • Web-based Application Assessment – The Security Auditor tests applications that face the web, including the operating system platform, web server platform, and database functionality.

  • Intrusion Detection System Effectiveness – During this process, the Security Auditor employs various non-destructive attack tools to test the effectiveness of the locations and configurations of the company's Intrusion Detection System.

  • Desktop Security – The vulnerability of employee computers to spyware, virus, and worm attacks is tested. The Auditor does this by reviewing antivirus software, patch management, the rate of spyware infection, and the rights given to users to change their configurations.

  • Virtual Private Network Effectiveness –  If a company allows users to access the corporate network from outside the network boundary using a Virtual Private Network (VPN), the Auditor will test the effectiveness of the VPN effectiveness of the VPN access points and company management.

Penetration Testing [1]

Unlike a vulnerability assessment, penetration testing actually simulates a true attack – utilizing varying approaches to identify vulnerabilities that a hacker would exploit to gain access to critical company data. This type of testing is recommended for complex or critical systems as it allows companys to see potential ramifications of a true attack on their systems. Although this type of security testing is a more realistic test of vulnerability to a true attack, it may not identify as broad a range of threats as a vulnerability assessment would.

There are four types of penetration testing known as “black box,” “white box,” “non-destructive,” and “full attack.”

“Black Box”

During a black box text, the Auditor has no previous knowledge of the network to be tested. Instead, only the company name, office location, or the IP address is known. The Auditor attempts to convince employees to volunteer information such as passwords or access devices that will allow the Auditor to access inappropriate areas of the network. This type of penetration test simulates “real world” hacking by someone who has no knowledge of the client’s environment.

“White Box”

During a white box test, an Auditor is provided with significant knowledge of the remote network, such as the types of network devices, web server details, operating system, database platforms, load balancers, and firewalls. This type of penetration test simulates an attack by an internal hacker who has detailed knowledge of the network environment.

“Non-destructive”

A non-destructive test identifies a broad range of possible vulnerabilities, analyzes and confirms findings, maps the vulnerabilities with exploits, exploits the remote system with care to avoid disruption, and provides a Proof of Concept (PoC). It does not attempt to perform a Denial of Service (DoS) attack.

“Full Attack”

A full attack also identifies possible vulnerabilities, analyzes and confirms findings, and maps the vulnerabilities with exploits. This type of attack differs from a non-destructive one because it utilizes all forms of attack including DoS and buffer overflows.

Conclusion

Many steps in the vulnerability assessment are similar to penetration tests; however, the two differ in their intent. Vulnerability assessments are typically conducted because a business wants to identify system flaws and weigh the monetary cost of fixing these flaws against the potential cost to the business if a system flaw were not corrected and exploited. On the other hand, a penetration test is usually conducted to test the feasibility of an attack. A penetration test portrays the actual potential impacts on a business if a flaw were discovered and successfully exploited.

When considering whether to conduct a vulnerability assessment or a penetration test, it is important for a company to identify its requirements and needs before entering into an agreement with a Security Auditor. Having a clear understanding of the various processes means the organization is far more likely to get the information it needs to have a secure business environment.


[1] http://www.infosecwriters.com/text_resources/pdf/pen_test2.pdf