Network Vulnerability Assessment Policies: Why Am I Hearing about My Network Leaking Sensitive Information on the News?

Every organization contains risks, ranging from finance to procurement. Given the risks in doing business through the Internet, it is surprising how many businesses are not finding more ways to enable safeguards and protect their critical assets.

Frequently, there is one technique that is overlooked by organizations when developing systems: the vulnerability assessment policy. This is the process of attempting to exploit system vulnerabilities to gain unauthorized access to sensitive information. Vulnerability assessments are attacks originating from a friendly system assessment team targeting a computer system to discover ways of breaching the system's security controls, penetrating the protection afforded to sensitive information, obtaining unauthorized services, or damaging the system by denying services to legitimate users. These policies form a base of testing discovering features, functions, and system capabilities that may be unspecified and unknown to its developers and users. Vulnerability assessments attempt to discover system capabilities that are flaws in the design, implementation, operation, documentation, change controls, and maintenance.

A vulnerability assessment is as thorough as the talent, training, skills, and diligence of the employees performing it. It can place reasonable limits on the knowledge and experience required for the intruder to gain unauthorized access. That knowledge applied to safeguards and protective measures can restrict intruder access below this limit, and give some degree of assurance that the system is operating securely.

Performing the vulnerability assessment utilizing the organization's own resources has certain advantages in the area of in-house knowledge building, employee control, reliability, and trustworthiness. It may lead to discovering risks before attackers do and assist in highlighting the enterprise's security position. There is a lot of preparation that must be performed in the construction of an effective vulnerability assessment. Policies and procedures must be drafted, approved, and installed; relevant employees must be trained; and there must be stringent compliance auditing, a well-developed change management process, and postmortem critique conducted of the assessment where flaws and improvements are addressed.

As with any job, policies and practices must address the means by which vulnerability assessments are conducted. Before the actual vulnerability assessment, there must be a strong foundation of policies and procedures. It is important to ensure that the underlying policies relevant to the organization's network security are in place, facilitating the process. These documents will be the principles underwriting the actions taken when planning and executing the assessment. The organization's vulnerability assessment policy should address the following active components.

Plan to Conduct Vulnerability Assessments

The planning step will include gathering relevant information, defining the assessment activities, defining roles and responsibilities, and making relevant employees aware of the need to make changes based on the findings of the assessment.

A comprehensive vulnerability test plan will improve the odds of achieving system penetration. Penetration planning establishes the ground rules, limits, and scope of the process. The plan identifies the object being assessed and determines when the test is complete. Some planning steps may include interviewing system administrators, reviewing appropriate hardware and software documentation, and reviewing appropriate policies and procedures relative to targeted systems.

Create and develop a good penetration team. Desirable characteristics for the team members include experienced vulnerability testers, employees knowledgeable of the target system, creative people with unusual ideas, SDLC development methods, access control structures, and programming abilities in several languages. Successful team members are characterized by being patient, detail-oriented, having good people and communications skills. One key requirement is of highly ethical, mature professionals who can protect proprietary, sensitive data and flaws in the target system.

Encourage the assessment team to use a variety of mechanisms to achieve unauthorized access, involving exploiting hardware, software, and human resources vulnerabilities. With senior management's consent, more than one vulnerability assessment team has asked for and received root passwords from an employee.

Identify Exposures

This phase may include a variety of tasks. It may include but not be limited to reviewing the resulting data from the assessment phase, actually deploying mechanisms to discover system vulnerabilities and linking findings to the management process so that individual accountability for assessment findings is established and risk issues can be resolved. Of course, this step must be conducted with a great deal of cooperation from senior managers and employees responsible for the system's development, monitoring, and maintenance.

Vulnerability assessments should be framed in the organization's policy as a method to reduce risks and raise profitability. If there are risks associated with negligence on the part of individual employees, senior managers should weigh the assessment's findings in light of employee accountability.

Resolving Exposures

This phase resolves the risks identified in the previous phase. Before any substantive steps can be taken to address assessment findings, an investigation must be done to determine if the risk is in fact relevant to continued business operation. If risks are identified that do not have bearing or insignificant bearing on business operations, then it is possible they may be excused as irrelevant.

Performing a vulnerability assessment can provide a point-in-time representation of the organization's risk position. In fact, this mechanism is insufficient. There must be a method incorporated into the organization's policies and procedures ensuring that the vulnerability assessment process is conducted on a frequent or continuous basis. Only in this manner can policy minimize network risk. Vulnerability assessments are best employed to discover broad capabilities of the target system and flaws contrary to security policies, rather than resulting in a gaming situation between the target system's administrators and the assessment team trying to penetrate a protected asset.

An organization's vulnerability assessment policy must require that all known flaws are repaired. As part of their postmortem critique, the system assessors may suggest the implementation of corrections or safeguards. After the system has been repaired, policy should require that the system is reevaluated to confirm the fixes and to ensure no other flaws were introduced by the repairs or implemented safeguards. An organization's reevaluation process is a complete repetition of the vulnerability assessment process.

By completing policies requiring continuous vulnerability assessments, you facilitate the identification of potential risks before attackers do. Early detection allows the opportunity to address assessment findings before attackers can exploit the vulnerabilities resulting in damage to the company's critical assets.

Policies requiring continuous vulnerability assessments can deliver a picture of how secure sensitive information is, and go a long way in preventing having to read about critical assets being stolen or compromised in the news.