Critical systems to focus on during security testing
Kevin Beaver, CISSP
09.06.2007
Rating: -5.00- (out of 5)
|
When testing Windows networks for security vulnerabilities, it's easy to assume that you just test everything, right? After all, if you don't look at every single host, application and database, you may be leaving some stones unturned -- and some vulnerabilities hiding in the mix.
But reality tends to kick in around the time you start realizing how much money testing is going to cost for good tools and how much effort it's going to require to manually poke and prod for vulnerabilities in every nook and cranny on the network. Not to mention the days, weeks or months of dedicated time it can require to do it right -- time that you likely need to spend doing other things.
So what should you do? Just look at servers? Or, maybe just your databases and Web applications? There's actually a good balance you can achieve to find the most vulnerabilities on the fewest number of systems while still minimizing business risks (your ultimate goal anyway). When faced with choosing which applications to test, it's likely you'll want to focus on the following systems. Remember to look at each of these with a malicious mindset from two perspectives: the untrusted outsider and the trusted insider.
By concentrating on your important systems first, you can then spend quality time addressing the urgent vulnerabilities. This will help you get the most bang for your security-testing buck.
To continue reading for free, register below or login
To read more you must become a member of SearchEnterpriseDesktop.com
Odds are that the vulnerabilities you find on your most critical systems are also present on many -- if not all -- other systems, which can help with pushing out patches and configuration changes.
If and when you are able to get a better handle on your systems management and testing processes – through more people, better tools or good old experience – you can then focus on expanding your scope of testing to other lesser systems. Regardless of which systems you test, document what you're doing and why you're doing it. That will make the auditors happy, your boss proud and will serve to CYA in the event that something bad does happen.
About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has nearly two decades of experience in IT and specializes in performing information security assessments regarding compliance and risk management. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels information security audio programs providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.
|
|
|
|
|
|
