Relying on audit checklists and automated tools

When it comes to performing security assessments on your Windows system, avoid these five mistakes in order to help cut back on weaknesses in your network.

There's certainly value in performing basic checklist audits on your systems. Various security standards from the Center for Internet Security and the National Institute of Standards and Technology can point you in the right direction. Using an audit checklist during a security assessment will help you validate that certain controls exist. The problem is, you won't know which vulnerabilities can actually be exploited. It's this exploitation component you should focus on; you've got to look at the entire picture.

Similarly, with automated vulnerability scanning tools, you may find missing patches and misconfigurations, but that's not the entire picture. I write often on the importance of using good tools to find security vulnerabilities. I strongly believe we can't live without them. The problem is that it's easy to stop at automated vulnerability scans, assuming they're omniscient. This is not true.

Without manual checks through the eyes of a malicious user or external attacker, we won't know which vulnerabilities can actually be exploited in the context of our networks. We also won't be able to see other usability-centric flaws that no tool would ever find.

Security assessments and five mistakes to avoid

 Home: Introduction
 Step 1: Relying on audit checklists and automated tools
 Step 2: Not considering the side effects of your tests
 Step 3: Not looking at the whole picture
 Step 4: Spending too much time trying to fix everything
 Step 5: Assuming testing once is enough

About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels audiobook series. You can reach Kevin at kbeaver@principlelogic.com.

This was first published in May 2007
