Evaluating and Testing Access Controls

It’s not enough to build an access control environment without testing it to see how it performs and behaves. In many cases, access control is the only barrier between outsiders and sensitive information. A great example is online banking: The only thing protecting your bank account information is your userid and password. Don’t you want to be sure that the bank’s access control mechanism is working properly to protect your precious information from outsiders?

Computer systems contain information, which, in many cases, must only be accessible to authorized persons. However, weaknesses or vulnerabilities in the software may permit those without the necessary credentials to also access this information.

Why test?

Penetration and vulnerability testing should be performed on these systems to ensure that they don’t possess any of these vulnerabilities or weaknesses that could permit unauthorized persons to view or alter information. Penetration testing, or pen testing, can be carried out manually, but more often than not, automated tools can be used to quickly and easily identify most weaknesses in a system or its software applications.

Some of the terms that you’ll need to know include

• Port scanning: The process of probing a system to determine which TCP/IP service ports are running on the system.

• Application scanning: The process of assessing whether an online application has any specific weaknesses that could permit exploitation. Some types of application scanning examine the source code itself in order to more easily identify vulnerabilities.

• Black box testing: This type of testing is carried out with no prior knowledge of the system being tested. This is the kind of testing that hackers perform - they don’t know anything about the system(s) they are probing.

• White box testing: The person(s) doing the testing have complete knowledge about the system being tested. This testing provides maximum assurance that any vulnerabilities can be identified, even if the people doing the testing are given hints in advance.

• Grey box testing: You guessed it - the people doing the testing have some knowledge about the system being tested.

• Host scanning: The process of scanning a network in order to discover any host computers on the network.

• OS detection: Determining the version of a host operating system, or the version of an operating system or network device software version.

Numerous open-source and commercial scanning tools are available, each designed to identify vulnerabilities in software applications, database management systems, operating systems, and network devices.

When and how to test

Most experts agree that systems must be tested for vulnerabilities before they are placed into production use. This principle is especially true for systems that will be accessed through the Internet. If you don’t test an Internet-facing system, it could be exploited and “owned” faster than you can say
“vulnerability testing.”

Software that is accessed over the Internet or company networks should also be tested for vulnerabilities as part of the functional testing performed prior to the release of new versions. This additional testing can help to prevent any serious weaknesses from ever seeing the light of day (or the dark side of the Internet).

Organizations should adopt a software development life cycle (SDLC) process to govern any software development or integration activities. Software vulnerability testing should be a formal part of the SDLC.

 Cross-Reference   Read more about the software development life cycle in Chapter 7.