Hacking Your Own System Helps Assess Vulnerabilities

It takes more than just hiring a hacker to find holes in a company's infrastructure. A real solution involves a thorough security testing program that covers all the bases.

Much as home invasion experts do a house tour to look for open windows and broken locks, network security professionals should be called in to find the holes and flaws in a companys IT infrastructure and systems, said security experts on Thursday.

During Ziff Davis Internets Security Virtual Tradeshow, panelists offered advice on how companies can assess which type of professional firms are right for them, what type of protections to put in place, and why its important to set long-term security goals.

Lenny Mansell, senior manager of security consulting at Eclipsecurity, noted that when some enterprises are ready to do security assessments, they consider hiring hackers to defeat the companys firewalls and other protective measures, but such a tactic may not be reliable.

"What you want is a security professional to conduct regimented testing," said Mansell. "Dont just look for people who can break into your computers."

/zimages/1/28571.gifIs security too lax to keep up with todays IT threats? Click here to read more.

Companies should keep in mind that a good security testing program will have several types of assessments, noted Mansell.

These include penetration testing to determine how easily systems can be overtaken, and vulnerability testing to discover problems once someone is inside the network.

Also worth noting is that there wont be a one-size-fits-all approach, which means companies will need to have goals in place before the work begins.

"No two client environments are the same," Mansell said. "Each engagement is a custom job. The scope, time and effort are dependent on the engagement parameters like size and complexity of the target environment. Clients should choose which parameters support their goals."

Once the objectives of a vulnerability assessment are in place, and companies have targeted which systems will be checked, the next step is often to find a firm that can handle the work.

For this, there are several options, each with their own pros and cons, noted Brian Serra, senior security consultant of Forsythe Consulting.

The "big four" audit firms—Ernst & Young, PricewaterhouseCoopers, KPMG and Deloitte & Touche—have the advantage of a strong reputation, large audit capacity and product management experience.

But they also tend to cost more than smaller firms, assign junior staff to assessments and they dont implement their recommendations.

Security vendors like Symantec, McAfee, ISS and VeriSign also have solid reputations, and have the added benefit of in-house researchers that examine new vulnerabilities as well as dedicated security consulting services.

However, they may also be product or service biased, and could offer low-cost assessments in order to push a specific product, Serra said.

/zimages/1/28571.gifRead here about Mozillas new Firefox security makeover.

Security consulting companies like GreenPages, Red Siren and FishNet boast large product management experience and use senior consultants to deliver assessments, but companies may find there are limitations in terms of regional focus and consultant availability.

Finally, there are independent security consultants, Serra noted. These professionals can be very focused and specialized, but sometimes lack the documentation thats needed for the task.

In general, Serra recommends that companies hire consultants that are able to articulate and follow a formal process for setting scope, defining an approach, and documenting the results.

"Also, setting expectations is a very important step," said Serra. "Look at how and when testing will be conducted, how the results will be presented and what will be implemented afterward."

Security consultants can also examine more than IT assets and architectures, said Brady Justice, director of systems engineering for TraceSecurity Inc. Some security risks are not the result of clever hackers finding open ports, he noted, but rather of good old social engineering tactics.

This strategy, in which employees are persuaded to give out company information, is a classic in the technology arena.

Hackers pose as fellow employees, and even professionals like fire marshals, to gain entry to a building and collect company data. Some even root through a companys garbage to find material that has been tossed instead of shredded.

"With many of the new prevention measures like firewalls, its become more difficult for hackers to get into networks," said Justice. "Sometimes its easier, and lower risk, to use social engineering instead."

Security professionals can be brought in to do on-site testing, he noted, in order to ascertain how significantly human error might be affecting a companys overall security plan.

"With this type of assessment, you can fine-tune whats being done for your companys security," Justice said.

/zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.