
The Whys and Hows of a Security Vulnerability Assessment

Written By: Laura Taylor
Published On: August 9 2000

Introduction

As businesses continue putting their web-enabled e-commerce sites containing the jewels of their infrastructure online, the importance of security and privacy becomes increasingly critical. A crucial way of addressing this need to protect the company website is to conduct a Security Vulnerability Assessment. A Security Vulnerability Assessment is a risk management process, usually conducted by expert consultants. Below TEC outlines the reasons for having a Security Vulnerability Assessment done, how a security vulnerability assessment is performed, what can be gained by enlisting the Security Vulnerability Assessment process, and what you should expect to see in a Security Vulnerability Assessment report.

Justification

There are many reasons why obtaining a Security Vulnerability Assessment of your network, or someone else's, may be important to you. The primary reasons for doing a Security Vulnerability Assessment include:

  • Customer expectations

  • Preventing litigation

  • Protecting your revenue stream

  • Protecting your customers' revenue stream

  • Reducing site outages and performance problems

  • Creating secure and seamless information access

  • Preventing denial of service attacks

  • Taking precautions during acquisitions or mergers

  • Meeting customer contractual obligations

  • Protecting against the repercussions of stock fluctuations

  • Testing your Intrusion Detection System

  • Protecting your systems from vulnerabilities created by cavalier engineers

  • Building customer loyalty

  • Gaining competitive advantage

  • Enabling corrective action

  • Qualifying for Information Protection Insurance

Your infrastructure requires seamless information access so that you can deliver the level of service that your customers have grown to expect. Dealing with security vulnerabilities on your website and your internal networks is not optional; you have to do it. You want to deliver services without worrying whether the systems you or your customers are using are vulnerable to wily hackers.

Understanding Your Risks

The most important reason for having a Security Vulnerability Assessment performed is to enable corrective action. How can you know what to secure if you don't know what is insecure?

Performing a Security Vulnerability Assessment will assist you in understanding what risks your organization is exposing its infrastructure to. If you are a publicly held company, or are planning to go public, the SEC requires that you understand all your corporate risks, and convey this information to your potential investors in your Prospectus. Having a Security Vulnerability Assessment done by an independent outside authority shows that your organization has taken due diligence and objectivity in working towards a secure infrastructure.

Understanding Denial of Service Attacks

Your systems are a global village of transactions, providing you with highly sensitive and confidential corporate and customer information. You cannot afford to allow inappropriate access to your backend systems, or to expose your customer credit card numbers, something that could lead to costly and time-consuming litigation. Security Vulnerability Assessments assist you by identifying security vulnerabilities, and making recommendations before they affect your bottom line. Site outages due to denial of service attacks are a sure way to plug your profitability. You need to keep your revenue stream alive, and if you are an ASP, or any sort of outsourcing provider, you may have contractual obligations to keep your customers' revenue stream alive.

Remember the February 9th distributed denial of service attacks that affected Yahoo!, Amazon, E*Trade, eBay, and Buy.com? Denial of service attacks are not new. They have been around since the earliest days of the Internet, but have gained much more popularity in recent years due to the widespread information published on hacker websites, which give succinct instructions on how to perpetrate these attacks. The kinds of denial of service attacks that occurred on these well-known websites are called Synfloods. Contrary to some of the news stories that were generated as a result of these denial of service attacks, Synfloods are preventable. A denial of service attack basically floods a network, or website, with more traffic than it can handle, causing enough performance problems that legitimate users are then denied service, which is where the name comes from.

On the perimeter of most websites, a router tells Internet traffic, known as packets, which way to go. Routers are not really like stop lights, because Internet traffic never really stops. Routers are more like rotaries: the packets come in from one direction and go out in another. More often than not, routers are of the stateless type. This means that they simply pass packets, and do not try to learn from the packets. Stateful or dynamic network devices pass packets and also try to learn from them. Stateful devices that can learn about the patterns of the traffic passing through them can make better decisions on what to do with the packets.
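The difference between the two device types can be modeled in a few lines. The following is an added example, not code from the article: a simplified tracker that remembers TCP handshakes that were started but never finished, replayed against a constructed trace. The class name, thresholds and addresses are assumptions chosen for illustration, and only client-side packets are modeled.

```python
from collections import defaultdict

# Constructed packet trace: (time_s, src, dst, dst_port, tcp_flag).
# Addresses are documentation ranges; none come from the article.
TRACE = [
    (0.0, "198.51.100.7", "192.0.2.10", 80, "SYN"),
    (0.1, "198.51.100.7", "192.0.2.10", 80, "ACK"),  # handshake completed
] + [
    # 40 SYNs from distinct sources that never follow up with an ACK
    (1.0 + i * 0.01, f"203.0.113.{i + 1}", "192.0.2.10", 80, "SYN")
    for i in range(40)
]

class HalfOpenTracker:
    """Hypothetical stateful device: remembers SYNs still awaiting an ACK."""

    def __init__(self, timeout_s=30.0, max_half_open=25):
        self.timeout_s = timeout_s          # assumed expiry for stale entries
        self.max_half_open = max_half_open  # assumed per-service limit
        self.pending = defaultdict(dict)    # (dst, port) -> {src: syn_time}

    def observe(self, t, src, dst, port, flag):
        """Return 'pass' or 'drop' for one packet and update the state."""
        table = self.pending[(dst, port)]
        for stale in [s for s, ts in table.items() if t - ts > self.timeout_s]:
            del table[stale]                # forget handshakes that timed out
        if flag == "ACK":
            table.pop(src, None)            # handshake finished
            return "pass"
        if flag == "SYN":
            if len(table) >= self.max_half_open:
                return "drop"               # too many unfinished handshakes
            table[src] = t
        return "pass"

def replay(trace, tracker=None):
    """Count verdicts; tracker=None models a stateless device that passes all."""
    verdicts = {"pass": 0, "drop": 0}
    for pkt in trace:
        verdict = tracker.observe(*pkt) if tracker is not None else "pass"
        verdicts[verdict] += 1
    return verdicts
```

Replaying the trace with no tracker forwards every packet to the server, while the tracker stops forwarding new SYNs once 25 handshakes are left unfinished.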

A good Security Vulnerability Assessment can tell you which denial of service attacks are able to compromise your site or network. Having this kind of information on hand can help you decide if you need to purchase a content-smart stateful packet inspection device, and which devices might be best for your organization. Having this kind of information enables you to take appropriate corrective action. If Yahoo!, Amazon, E*Trade, eBay, and Buy.com had done a recent Security Vulnerability Assessment, they would have known ahead of time that their sites were vulnerable to denial of service attacks. As security vendors who have the technologies to protect against Synfloods saw their stocks rise after the February denial of service attacks, the victims saw their stocks lose market cap.

A Precaution During Mergers and Acquisitions

With the fast-paced consolidation of today's technologies and markets, any business-to-business acquisition or merger should always include a review, by the acquiring company, of a current, outside, and independent network Security Vulnerability Assessment of the organization being considered for acquisition. If a current Security Vulnerability Assessment report is not available, the acquiring company can request that one be generated as part of the acquisition process. You wouldn't buy a house without having it go through an inspection process. Similarly, when evaluating a company for an acquisition in which Internet commerce is part of the game plan, you'll want to know what risks you are facing before closing the deal.

Testing Your Existing Protection

If you have an Intrusion Detection System installed on your network, how do you know if it is functioning properly? A respectable Security Vulnerability Assessment can let you know if your Intrusion Detection System is actually working, or just consuming extra CPU cycles and bandwidth and depleting your management resources. Secure systems ensure that your infrastructure is free from unwanted intrusions and disruptions, eliminating delays in your development and service provisioning cycles.

Whether you use firewalls, Intrusion Detection Systems, proxy servers, SSL, ssh, or secure encrypted channels, a security assessment can help determine if your current configurations contain any unknown, and potentially unauthorized, network extensions left by legacy contracts and cavalier engineers. Hardware multiplies like rabbits. There is a good chance you have IP-based network devices on your network generating network traffic, and consequently security holes, that you don't even know about.

Engineers commonly throw new devices on the network without taking into consideration the security implications. Your organization needs to assure its customers that their e-business channel is secure. An independent security assessment, or audit, is a way of showing your customers that you are serious about security, and care about their transactions. The time and money you will save, and the customer loyalty that you will build by enlisting best-practice security services will give you the competitive advantage you need to maintain a leadership position in the market.

Methodology

How does a Security Vulnerability Assessment work, and what kind of information can you expect to obtain from a Security Vulnerability Assessment report? It is possible to perform a Security Vulnerability Assessment yourself, and this is something TEC encourages every organization to do if they have the time and resources. However, for objectivity purposes, you should also have an outside authority do one for you. Just as when your business creates its own annual report, it also has an outside consultancy audit the report for objectivity, due diligence, final inspection, and legal ramifications. Similarly, a Security Vulnerability Assessment process needs to be undertaken with your information infrastructure, website, and e-commerce systems. Whoever is performing the Security Vulnerability Assessment should use a reputable security-industry scanning product such as Cybercop, or Internet Security Scanner.

If an outside consultancy is performing a Security Vulnerability Assessment of your network, it is likely that they will ask your CIO, or Director of Information Technology to sign a form which entitles them to do an Ethical Hacker Penetration test, which is just another name for a Security Vulnerability Assessment, or security audit. If you desire, feel free to have this document reviewed by your legal counsel, and be sure there is a section that proclaims the audit results to be as confidential as possible. You don't want your audit report showing up as market data on a website without your prior consent.

While all companies should take the initiative of conducting a Security Vulnerability Assessment, banks and financial institutions know they will be subject to a security audit at some point. Initiating your own audit can proactively prepare your company in advance.

If you are an online banking institution, it is quite possible that your parent corporation, or your investor team, will first send in their auditors to interview you. As well, your regional Federal Reserve Bank may send in its team of auditors to interview you in person first. A formal in-person audit conducted by a reputable financial institution is comprehensive, in-depth, extremely challenging, and very exhausting. It is not uncommon for such an in-person audit to last an entire day or two.

If you are expecting this kind of preface to an Ethical Hacker Penetration test, it is best to prepare yourself in advance, and bring all your security processes, procedures, and network maps to the audit interview. Expect the audit interviewer to ask to keep these copies and not return them. It is appropriate for at least one senior member of the management team, and one person knowledgeable about security and network technology to attend such a session. After the in-person audit interview is complete, they will want to schedule up to a week's time to perform the penetration test on all your networks, and possibly longer depending upon the size of your network infrastructure. If they are clever, they will poke at both the TCP and UDP ports. Less clever auditors, and sometimes very well-known technology organizations, have been known to neglect the UDP ports. A knowledgeable security engineer viewing the logs on your corporate firewall can ascertain which ports are being prodded.

If you are having the audit done for a potential acquisition inspection, make sure that you find an auditor that will check UDP, as well as TCP ports. A best-of-breed Security Vulnerability Assessment usually starts out by doing some data gathering, and looking for reconnaissance information. Some of the kinds of data the auditor will look for are such things as trying to retrieve your routing table, trying to see if they can obtain ICMP netmasks, looking for IRC servers, looking for SSH configuration information, and looking for password files. Other things they will check for include an assortment of vulnerabilities associated with file transfer protocols, hardware peripherals, hacker Trojans and backdoors, SMTP and messaging problems, network file system vulnerabilities, and website and CGI holes. Checking for denial of service attacks, Intrusion Detection System functionality, and UDP ports is something that sets the premier auditors apart from the rest.
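One way to confirm from your own firewall logs which ports an auditor actually prodded, and whether UDP was covered at all, is sketched below. This is an added example, not part of the original article: the log lines are constructed in a netfilter-style key=value layout (an assumption about your firewall's format), the addresses are documentation ranges, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed firewall log in netfilter-style key=value form (an assumption;
# adapt FIELD to your firewall). 203.0.113.50 plays the auditor's scan host.
SAMPLE_LOG = """\
Aug  9 10:00:01 fw kernel: IN=eth0 SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21
Aug  9 10:00:01 fw kernel: IN=eth0 SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22
Aug  9 10:00:02 fw kernel: IN=eth0 SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=25
Aug  9 10:00:02 fw kernel: IN=eth0 SRC=203.0.113.50 DST=192.0.2.11 PROTO=TCP SPT=40004 DPT=80
Aug  9 10:00:03 fw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=53
Aug  9 10:00:04 fw kernel: IN=eth0 SRC=203.0.113.50 DST=192.0.2.10 PROTO=ICMP TYPE=17 CODE=0
Aug  9 10:00:05 fw kernel: malformed entry without fields
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S+)")

def parse_line(line):
    """Return (src, dst, proto, dport) or None if the line is not a packet log."""
    f = dict(FIELD.findall(line))
    if not {"SRC", "DST", "PROTO"} <= f.keys():
        return None
    dport = int(f["DPT"]) if f.get("DPT", "").isdigit() else None  # ICMP has none
    return f["SRC"], f["DST"], f["PROTO"], dport

def audit_coverage(log_text, auditor_ips):
    """Map each target host to {protocol: sorted ports probed by the auditor}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[0] in auditor_ips:   # ignore traffic from anyone else
            _, dst, proto, dport = rec
            seen[dst][proto].add(dport)
    return {
        host: {p: sorted(x for x in ports if x is not None) for p, ports in protos.items()}
        for host, protos in seen.items()
    }

def untested(coverage, required=("TCP", "UDP")):
    """List (host, protocol) pairs for which the auditor probed no port."""
    return [(h, p) for h in sorted(coverage) for p in required
            if not coverage[h].get(p)]
```

On the sample log, `untested(audit_coverage(SAMPLE_LOG, {"203.0.113.50"}))` reports UDP as untested on both hosts, because the only UDP packet came from an address that is not the auditor's.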

The Report

Make sure you receive a copy of the report, and make sure it lists the risks in order of their severity. It will then be possible for you to systematically correct the weaknesses in your network that expose your information technology infrastructure, and your customers', to a multitude of threats and attacks. Ask for all related diagrams and network maps associated with your vulnerability report. The report should summarize, in ranked order, the potential threat, as well as the recommended action to take to reconcile the vulnerability. Your organizational team can then work on reconciling as many of the vulnerabilities as possible themselves, determine what they are unable to resolve, and decide if it makes sense to hire an outside consultancy to resolve the final outstanding issues.

Conclusion

A Security Vulnerability Assessment demonstrates your management's due diligence to assure site availability, data integrity, and information protection for your organization and your customers. It does not, however, guarantee that your site cannot be successfully attacked or compromised. The report does give you a profile of what your security posture looks like at a given snapshot in time. This profile can be used as a guide for tracing historical unsavory network activity as well as to secure weak links in your network and system infrastructure, helping you mitigate the risk of future system and network compromises.

In summary, a Security Vulnerability Assessment helps you manage customer expectations and comply with SEC requirements. It also prevents litigation, protects your revenue stream, protects your customers' revenue stream, prevents denial of service attacks, reduces site outages and performance problems, creates secure information access, mitigates risk during acquisitions or mergers, fulfills customer contractual obligations, protects against stock fluctuations, tests your Intrusion Detection System, reports problems left by legacy network extensions and cavalier engineers, builds customer loyalty, helps your business gain competitive advantage, enables corrective action, and qualifies you for Information Protection Insurance.

About the Author

Laura Taylor, former Director of Research for Security at TEC, is now the Chief Technology Officer at Relevant Technologies, Inc.

For more information go to www.relevanttechnologies.com.

 

©2014 Technology Evaluation Centers Inc. All rights reserved.