Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Hacking Your Own System Helps Assess Vulnerabilities

    By
    Elizabeth Millard
    -
    September 15, 2005
    Share
    Facebook
    Twitter
    Linkedin

      Much as home invasion experts do a house tour to look for open windows and broken locks, network security professionals should be called in to find the holes and flaws in a companys IT infrastructure and systems, said security experts on Thursday.

      During Ziff Davis Internets Security Virtual Tradeshow, panelists offered advice on how companies can assess which type of professional firms are right for them, what type of protections to put in place, and why its important to set long-term security goals.

      Lenny Mansell, senior manager of security consulting at Eclipsecurity, noted that when some enterprises are ready to do security assessments, they consider hiring hackers to defeat the companys firewalls and other protective measures, but such a tactic may not be reliable.

      “What you want is a security professional to conduct regimented testing,” said Mansell. “Dont just look for people who can break into your computers.”

      /zimages/1/28571.gifIs security too lax to keep up with todays IT threats? Click here to read more.

      Companies should keep in mind that a good security testing program will have several types of assessments, noted Mansell.

      These include penetration testing to determine how easily systems can be overtaken, and vulnerability testing to discover problems once someone is inside the network.

      Also worth noting is that there wont be a one-size-fits-all approach, which means companies will need to have goals in place before the work begins.

      “No two client environments are the same,” Mansell said. “Each engagement is a custom job. The scope, time and effort are dependent on the engagement parameters like size and complexity of the target environment. Clients should choose which parameters support their goals.”

      Once the objectives of a vulnerability assessment are in place, and companies have targeted which systems will be checked, the next step is often to find a firm that can handle the work.

      For this, there are several options, each with their own pros and cons, noted Brian Serra, senior security consultant of Forsythe Consulting.

      The “big four” audit firms—Ernst & Young, PricewaterhouseCoopers, KPMG and Deloitte & Touche—have the advantage of a strong reputation, large audit capacity and product management experience.

      But they also tend to cost more than smaller firms, assign junior staff to assessments and they dont implement their recommendations.

      Security vendors like Symantec, McAfee, ISS and VeriSign also have solid reputations, and have the added benefit of in-house researchers that examine new vulnerabilities as well as dedicated security consulting services.

      However, they may also be product or service biased, and could offer low-cost assessments in order to push a specific product, Serra said.

      /zimages/1/28571.gifRead here about Mozillas new Firefox security makeover.

      Security consulting companies like GreenPages, Red Siren and FishNet boast large product management experience and use senior consultants to deliver assessments, but companies may find there are limitations in terms of regional focus and consultant availability.

      Finally, there are independent security consultants, Serra noted. These professionals can be very focused and specialized, but sometimes lack the documentation thats needed for the task.

      In general, Serra recommends that companies hire consultants that are able to articulate and follow a formal process for setting scope, defining an approach, and documenting the results.

      “Also, setting expectations is a very important step,” said Serra. “Look at how and when testing will be conducted, how the results will be presented and what will be implemented afterward.”

      Security consultants can also examine more than IT assets and architectures, said Brady Justice, director of systems engineering for TraceSecurity Inc. Some security risks are not the result of clever hackers finding open ports, he noted, but rather of good old social engineering tactics.

      This strategy, in which employees are persuaded to give out company information, is a classic in the technology arena.

      Hackers pose as fellow employees, and even professionals like fire marshals, to gain entry to a building and collect company data. Some even root through a companys garbage to find material that has been tossed instead of shredded.

      “With many of the new prevention measures like firewalls, its become more difficult for hackers to get into networks,” said Justice. “Sometimes its easier, and lower risk, to use social engineering instead.”

      Security professionals can be brought in to do on-site testing, he noted, in order to ascertain how significantly human error might be affecting a companys overall security plan.

      “With this type of assessment, you can fine-tune whats being done for your companys security,” Justice said.

      /zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

      Elizabeth Millard
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×