The Whys and Hows of a Security Vulnerability Assessment
Taylor - August 9, 2000
As businesses continue putting their web-enabled e-commerce sites containing
the jewels of their infrastructure online, the importance of security
and privacy becomes increasingly critical. A crucial way of addressing
this need to protect the company website is to conduct a Security Vulnerability
Assessment. A Security Vulnerability Assessment is a risk management process,
usually conducted by expert consultants. Below TEC outlines the reasons
for having a Security Vulnerability Assessment done, how a security vulnerability
assessment is performed, what can be gained by enlisting the Security
Vulnerability Assessment process, and what you should expect to see in
a Security Vulnerability Assessment report.
There are many other reasons why obtaining a Security Vulnerability Assessment
of your network, or someone else's, may be important to you. The primary
reasons for doing a Security Vulnerability Assessment include:
your revenue stream
your customers' revenue stream
site outages and performance problems
secure and seamless information access
denial of service attacks
precautions during acquisitions or mergers
customer contractual obligations
against the repercussions of stock fluctuations
your Intrusion Detection System
your systems from vulnerabilities created by cavalier engineers
for Information Protection Insurance
requires seamless information access so that you can deliver the level
of service that your customers have grown to expect. Dealing with security
vulnerabilities on your website and your internal networks, is not an
option; you have to do it. You want to deliver services without worrying
if the systems you or your customers are using are vulnerable to wily
The most important reason for having a Security Vulnerability Assessment
performed is to enable corrective action. How can you know what to secure
if you don't know what is insecure?
a Security Vulnerability Assessment will assist you in understanding what
risks your organization is exposing its infrastructure to. If you are
a publicly held company, or are planning to go public, the SEC requires
that you understand all your corporate risks, and convey this information
to your potential investors in your Prospectus. Having a Security Vulnerability
Assessment done by an independent outside authority shows that your organization
has taken due diligence and objectivity in working towards a secure infrastructure.
Denial of Service Attacks
Your systems are a global village of transactions, providing you with
highly sensitive and confidential corporate and customer information.
You cannot afford to allow inappropriate access to your backend systems,
or to expose your customer credit card numbers, something that could lead
to costly and time-consuming litigation. Security Vulnerability Assessments
assist you by identifying security vulnerabilities, and making recommendations
before they affect your bottom line. Site outages due to denial of service
attacks are a sure way to plug your profitability. You need to keep your
revenue stream alive, and if you are an ASP, or any sort of outsourcing
provider, you may have contractual obligations to keep your customers'
revenue stream alive.
the February 9th distributed denial of service attacks that affected Yahoo!,
Amazon, E*Trade, Ebay, and Buy.com? Denial of service attacks are not
new. They have been around since the beginning days of the Internet, but
have gained much more popularity in recent years due to the widespread
information published on hacker websites, which give succinct instructions
on how to perpetrate these attacks. The kinds of denial of service attacks
that occurred on these well-known websites are called Synfloods. Contrary
to some of the news stories that were generated as a result of these denial
of service attacks, Synfloods are preventable. A denial of service attack
basically floods a network, or website, with more traffic than it can
handle, causing enough performance problems that legitimate users are
then denied service, which is where the name comes from.
the perimeter of most websites, a router tells Internet traffic, known
as packets, which way to go. Routers are not really like stop lights,
because Internet traffic never really stops. Routers are more like rotaries
- the packets come in from one direction and go out in another. More often
than not, routers are of the stateless type. This means that they simply
pass packets, and do not try to learn from the packets. Stateful or dynamic
network devices pass packets, and, try to learn from the packets. Stateful
devices that can learn about the patterns of the traffic passing through
them can make better decisions on what to do with the packets.
good Security Vulnerability Assessment can tell you which denial of service
attacks are able to compromise your site or network. Having this kind
of information on hand can help you decide if you need to purchase a content
smart stateful packet inspection device, and which devices might be best
for your organization. Having this kind of information enables you to
take appropriate corrective action. If Yahoo!, Amazon, E*trade, Ebay,
and Buy.com had done a recent Security Vulnerability Assessment, they
would have known ahead of time that their sites were vulnerable to denial
of service attacks. As security vendors who have the technologies to protect
against Synfloods saw their stocks rise after the February denial of service
attacks, the victims saw their stocks lose market cap.
Precaution During Mergers and Acquisitions
With the fast-paced consolidation of today's technologies and markets,
part of any business to business acquisition or merger should always include
the review of a current outside, and independent, network Security Vulnerability
Assessment by the company who is pursuing the organization undergoing
consideration for acquisition. If a current Security Vulnerability Assessment
report is not available, the acquiring company can request that one be
generated as part of the acquisition process. You wouldn't buy a house
without having it go through an inspection process. Similarly, when evaluating
a company for an acquisition in which Internet commerce is part of the
game plan, you'll want to know what risks you are facing before closing
Your Existing Protection
If you have an Intrusion Detection System installed on your network, how
do you know if it is functioning properly? A respectable Security Vulnerability
Assessment can let you know if your Intrusion Detection System is actually
working, or just creating extra CPU cycles and bandwidth that is depleting
your management resources. Secure systems ensure that your infrastructure
is free from unwanted intrusions and disruptions, eliminating delays in
your development and service provisioning cycles.
you employ the use of Firewalls, Intrusion Detection Systems, proxy servers,
SSL, ssh, or secure encrypted channels, a security assessment can help
determine if your current configurations contain any unknown, and potentially
unauthorized, network extensions left by legacy contracts, and cavalier
engineers. Hardware multiplies like rabbits. There is a good chance you
have IP based network devices on your network generating network traffic,
and consequently security holes, that you don't even know about.
commonly throw new devices on the network without taking into consideration
the security implications. Your organization needs to assure its customers
that their e-business channel is secure. An independent security assessment,
or audit, is a way of showing your customers that you are serious about
security, and care about their transactions. The time and money you will
save, and the customer loyalty that you will build by enlisting best-practice
security services will give you the competitive advantage you need to
maintain a leadership position in the market.
How does a Security Vulnerability Assessment work, and what kind of information
can you expect to obtain from a Security Vulnerability Assessment report?
It is possible to perform a Security Vulnerability Assessment yourself,
and this is something TEC encourages every organization to do if they
have the time and resources. However, for objectivity purposes, you should
also have an outside authority do one for you. Just as when your business
creates its own annual report, it also has an outside consultancy audit
the report for objectivity, due diligence, final inspection, and legal
ramifications. Similarly, a Security Vulnerability Assessment process
needs to be undertaken with your information infrastructure, website,
and e-commerce systems. Whoever is performing the Security Vulnerability
Assessment should use a reputable security-industry scanning product such
as Cybercop, or Internet Security Scanner.
an outside consultancy is performing a Security Vulnerability Assessment
of your network, it is likely that they will ask your CIO, or Director
of Information Technology to sign a form which entitles them to do an
Ethical Hacker Penetration test, which is just another
name for a Security Vulnerability Assessment, or security audit. If you
desire, feel free to have this document reviewed by your legal counsel,
and be sure there is a section that proclaims the audit results to be
as confidential as possible. You don't want your audit report showing
up as market data on a website without your prior consent.
all companies should take the initiative of conducting a Security Vulnerability
Assessment, banks and financial institutions know they will be the subject
to a security audit at some point. Initiating your own audit, can proactively
prepare your company in advance.
you are an online banking institution, it is quite possible that your
parent corporation, or your investor team, will first send in their auditors
to interview you. As well, your regional Federal Reserve Bank may send
in its team of auditors to interview you in person first. A formal in-person
audit conducted by a reputable financial institution is comprehensive,
in-depth, extremely challenging, and very exhausting. It is not uncommon
for such an in-person audit to last an entire day or two.
you are expecting this kind of preface to an Ethical Hacker Penetration
test, it is best to prepare yourself in advance, and bring all your security
processes, procedures, and network maps to the audit interview. Expect
the audit interviewer to ask to keep these copies and not return them.
It is appropriate for at least one senior member of the management team,
and one person knowledgeable about security and network technology to
attend such a session. After the in-person audit interview is complete,
they will want to schedule up to a week's time to perform the penetration
test on all your networks, and possibly longer depending upon the size
of your network infrastructure. If they are clever, they will poke at
both the TCP and UDP ports. Less clever auditors, and sometimes very well-known
technology organizations, have been known to neglect the UDP ports. A
knowledgeable security engineer viewing the logs on your corporate firewall
can ascertain which ports are being prodded.
you are having the audit done for a potential acquisition inspection,
make sure that you find an auditor that will check UDP, as well as TCP
ports. A best-of-breed Security Vulnerability Assessment usually starts
out by doing some data gathering, and looking for reconnaissance information.
Some of the kinds of data the auditor will look for are such things as
trying to retrieve your routing table, trying to see if they can obtain
ICMP netmasks, looking for IRC servers, looking for SSH configuration
information, and looking for password files. Other kinds of things they
will try will be checking for include an assortment of vulnerabilities
associated with file transfer protocols, hardware peripherals, hacker
Trojans and backdoors, SMTP and messaging problems, network file system
vulnerabilities, website and CGI holes. Checking for denial of service
attacks, Intrusion Detection System functionality, and UDP ports is something
that sets the premiere auditors apart from the rest.
Make sure you receive a copy of the report, and make sure it lists the
risks in order of their severity. It will then be possible for you to
systematically correct in your network the weaknesses that expose your
information technology infrastructure, and your customers', to a multitude
of threats and attacks. Ask for all related diagrams and network maps,
associated with your vulnerability report. The report should summarize,
in ranked order, the potential threat, as well as the recommended action
to take to reconcile the vulnerability. Your organizational team can then
work on reconciling as many of the vulnerabilities as possible yourself,
and then determine what they are unable to resolve, and decide if it makes
sense for to hire an outside consultancy to resolve the final outstanding
A Security Vulnerability Assessment demonstrates your management's due
diligence to assure site availability, data integrity, and information
protection for your organization and your customers. It does not, however,
guarantee that your site cannot be successfully attacked or compromised.
The report does give you a profile of what your security posture looks
like at a given snapshot in time. This profile can be used as a guide
for tracing historical unsavory network activity as well as to secure
weak links in your network and system infrastructure helping you mitigate
the risk of future system and network compromises.
summary, a Security Vulnerability Assessment helps you manage customer
expectations and comply with SEC requirements. It also prevents litigations,
protects your revenue stream, protects your customer's revenue stream,
prevents denial of service attacks, reduces site outages and performances
problems, creates secure information access, mitigates risk during acquisitions
or mergers, fulfills customers contractual obligations, protects against
stock fluctuations, tests your Intrusion Detection System, reports problems
left by legacy network extensions and cavalier engineers, builds customer
loyalty, helps your business gain competitive advantage, enables correction
action, and qualifies you for Information Protection Insurance.
Taylor, former Director of Research for Security at TEC is now the Chief
Technology Officer at Relevant Technologies, Inc.
more information go to www.relevanttechnologies.com.