Types of Security Assessments

Your organization can use different types of security assessments to verify its level of security on network resources. You must choose the method that best suits the requirements of your situation. Each type of security assessment requires that the people conducting the assessment have different skills. Consequently, you must be sure that the people conducting the assessment, whether they are employees or outsourced security experts, have extensive experience with the type of assessment you are interested in.

Vulnerability Scanning

Vulnerability scanning is the most basic type of security assessment. Vulnerability scanning assesses a network for potential security weaknesses. Most commercial vulnerability scanning software packages do the following:

  • Enumerate computers, operating systems, and applications.

    Vulnerability scanning software searches network segments for IP-enabled devices, including computers and network devices. It also identifies the configuration of the devices, including the OS version running on computers or devices, IP protocols and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports that are listening, and applications installed on computers.

  • Identify common security mistakes.

    Such software scans for common security mistakes, such as accounts that have weak passwords, files and folders with weak permissions, default services and applications that might need to be uninstalled, and mistakes in the security configuration of common applications.

  • Search for computers with known vulnerabilities.

    Vulnerability scanning software scans computers for publicly reported vulnerabilities in operating systems and applications. Most vulnerability scanning software packages scan computers against the Common Vulnerabilities and Exposures (CVE) index and security bulletins from software vendors. The CVE is a vendor-neutral listing of reported security vulnerabilities in major operating systems and applications and is maintained at http://cve.mitre.org.

  • Test for exposure to common attacks.

    Such software tests computer and network devices to see whether they are vulnerable to common attacks, such as the enumeration of security-related information and denial-of-service attacks.

Vulnerability scanning is effective for finding common weaknesses on a network that has not been scanned before and for verifying that security policy is actually being applied to software configuration. Because vulnerability scanning reports can expose weaknesses in arcane areas of applications and frequently include many false positives, network administrators who analyze vulnerability scan results must have sufficient knowledge and experience with the operating systems, network devices, and applications being scanned and their role in the network.

For example, a vulnerability scan of a server running Microsoft Windows 2000 might reveal that global system objects and process tracking are not audited. An inexperienced administrator who has no knowledge of the functionality of global system objects and process tracking might see this report and decide to enable auditing on these two things, reasoning that auditing is a recommended security measure. In reality, enabling auditing on global system objects and process tracking does little to augment an organization's security and will almost certainly result in filling up the event log.

Vulnerability scanning software is limited to what it can detect at any one point in time. As with antivirus software, which requires that the signature file be updated when new viruses are discovered, vulnerability scanning software must be updated when new vulnerabilities are discovered and improvements are made to the software being scanned. Thus, the vulnerability software is only as effective as the maintenance performed on it by the software vendor and by the administrator who uses it. Vulnerability scanning software itself is not immune to software engineering flaws that might lead it to miss or misreport serious vulnerabilities.
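The following is an added example, not code from the Resource Kit or from any scanner it names: it implements the "search for computers with known vulnerabilities" step against a CVE-style index and applies the maintenance caveat above by flagging an index that has not been refreshed. The product names, version numbers and CVE-0000-* identifiers are constructed placeholders.

```python
"""Added example, not code from the Resource Kit: match an inventory against a
CVE-style index and flag a stale index. Products, versions and CVE-0000-*
identifiers are constructed placeholders, not real advisories."""
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Advisory:
    cve_id: str        # placeholder identifier, not a real CVE number
    product: str
    fixed_in: tuple    # first version that is no longer affected

def parse_version(text):
    """'5.0.2195' -> (5, 0, 2195); stops at the first non-numeric piece."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def version_less(a, b):
    """Component-wise comparison, zero-padded so (6, 0) is not 'older' than (5, 0, 2195)."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def find_known_vulns(inventory, index):
    """inventory: {host: {product: version_string}}.
    Returns (host, cve_id) for each installed product older than the advisory's fix."""
    hits = []
    for host, products in sorted(inventory.items()):
        for product, version in products.items():
            installed = parse_version(version)
            for adv in index:
                if adv.product == product and version_less(installed, adv.fixed_in):
                    hits.append((host, adv.cve_id))
    return hits

def index_is_stale(index_date, scan_date, max_age_days=30):
    """The maintenance caveat: results are only as current as the index used."""
    return (scan_date - index_date).days > max_age_days

INDEX_DATE = date(2003, 1, 15)  # constructed: publication date of this index copy
INDEX = [
    Advisory("CVE-0000-0001", "ExampleWebServer", (5, 0, 3790)),
    Advisory("CVE-0000-0002", "ExampleDB", (8, 0, 760)),
]
INVENTORY = {  # constructed inventory of two hosts
    "web01": {"ExampleWebServer": "5.0.2195", "ExampleDB": "8.0.194"},
    "db01": {"ExampleDB": "8.0.760"},
}
```

Calling `find_known_vulns(INVENTORY, INDEX)` reports both products on web01 and nothing on db01, which is already at the fixed version; `index_is_stale(INDEX_DATE, date.today())` is the check to run before trusting either result.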

The Microsoft Baseline Security Analyzer (MBSA) is an example of a vulnerability scanning application. The MBSA can scan computers that are running Microsoft Windows NT 4.0, Microsoft Windows 2000, and Microsoft Windows XP, as well as applications such as Microsoft Internet Information Services (IIS) and Microsoft SQL Server. The MBSA scans for the installation of security updates and service packs, common vulnerabilities such as weak passwords, and security best practices such as checking to see whether auditing is enabled.

For detailed information on MBSA, see Chapter 24, Using Security Assessment Tools, in this book.

Penetration Testing

Penetration testing, often called pen testing, is a much more sophisticated type of security assessment than vulnerability scanning. Unlike vulnerability scanning, which generally only examines the security of individual computers, network devices, or applications, penetration testing assesses the security of the network as a whole. Similarly, penetration testing can help educate network administrators, IT managers, and executives about the potential consequences of a real attacker breaking into the network. Penetration testing also will reveal these security weaknesses missed by vulnerability scanning:

  • How vulnerabilities are exploited

    A penetration test not only points out vulnerabilities, it also documents how the weaknesses can be exploited and how several minor vulnerabilities can be chained together to compromise a computer or network. Most networks inevitably will have vulnerabilities you will not be able to resolve because of business or technical reasons. By knowing how these vulnerabilities can be exploited, you might be able to take other types of security measures to prevent them from compromising the network without disrupting business continuity.

  • Weakness in people and processes

    Because vulnerability scanning is based on software, it cannot assess security that is not related to technology. Both people and processes can be the source of security vulnerabilities just as easily as technology can. A penetration test might reveal that employees routinely allow people without identification to enter company facilities where they would have physical access to computers. Similarly, a penetration test might reveal process problems, such as not applying security updates until a week after they are released, which would give attackers a seven-day window to strike known vulnerabilities on servers.
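As an added example, not code from the Resource Kit, the process weakness just described (the gap between an update's release and its installation) can be measured from a patch-status inventory and compared against a policy window. The hosts, dates, update identifiers and the seven-day policy value are constructed.

```python
"""Added example, not code from the Resource Kit: measure the window between an
update's release and its installation on each host. All records are constructed;
UPDATE-PLACEHOLDER-* stand in for real bulletin identifiers."""
from datetime import date

POLICY_MAX_DAYS = 7  # constructed policy: updates must be applied within one week

# Constructed records: (host, update id, release date, install date or None if still missing)
PATCH_STATUS = [
    ("web01", "UPDATE-PLACEHOLDER-1", date(2003, 2, 11), date(2003, 2, 13)),
    ("web02", "UPDATE-PLACEHOLDER-1", date(2003, 2, 11), date(2003, 2, 25)),
    ("db01", "UPDATE-PLACEHOLDER-2", date(2003, 3, 18), None),
]

def exposure_days(released, installed, as_of):
    """Days the host stayed exposed: until installation, or until 'as_of' if never installed."""
    end = installed if installed is not None else as_of
    return (end - released).days

def late_hosts(records, as_of, max_days=POLICY_MAX_DAYS):
    """Return (host, update, days, still_missing) for every record that exceeds policy."""
    late = []
    for host, update, released, installed in records:
        days = exposure_days(released, installed, as_of)
        if days > max_days:
            late.append((host, update, days, installed is None))
    return late

def worst_window(records, as_of):
    """Per-update worst case across hosts: the figure an assessment report would quote."""
    worst = {}
    for host, update, released, installed in records:
        days = exposure_days(released, installed, as_of)
        worst[update] = max(worst.get(update, 0), days)
    return worst
```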

Because a penetration tester is differentiated from an attacker only by his intent and lack of malice, you must use caution when allowing employees or external experts to conduct penetration tests. Penetration testing that is not completed professionally can result in the loss of services and disruption of business continuity.

Before conducting any type of penetration testing, you must get written approval from management. This approval should include a clear description of what will be tested and when the testing will take place. Because of the nature of penetration testing, failure to obtain this approval might result in committing computer crime, despite your best intentions.

IT Security Audit

IT security auditing differs greatly from vulnerability scanning and penetration testing. IT security audits generally focus on the people and processes used to design, implement, and manage security on a network. In an IT security audit, the auditor uses your organization's security policies and procedures as a baseline. IT security audits should be initiated by IT management. Conducting IT security audits is beyond the scope of this book.

The National Institute of Standards and Technology (NIST) has created an IT security audit manual and associated toolset to conduct the audit. You can download the manual and toolset from the NIST Automated Security Self-Evaluation Tool (ASSET) Web site at http://csrc.nist.gov/asset/.



Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189