When testing Windows networks for security vulnerabilities, it's easy to assume that you just test everything, right? After all, if you don't look at every single host, application and database, you may be leaving some stones unturned -- and some vulnerabilities hiding in the mix.
But reality tends to kick in around the time you start realizing how much money testing is going to cost for good tools and how much effort it's going to require to manually poke and prod for vulnerabilities in every nook and cranny on the network. Not to mention the days, weeks or months of dedicated time it can require to do it right -- time that you likely need to spend doing other things.
@41783 So what should you do? Just look at servers? Or, maybe just your databases and Web applications? There's actually a good balance you can achieve to find the most vulnerabilities on the fewest number of systems while still minimizing business risks (your ultimate goal anyway). When faced with choosing which applications to test, it's likely you'll want to focus on the following systems. Remember to look at each of these with a malicious mindset from two perspectives: the untrusted outsider and the trusted insider.
- Production servers with high visibility, such as public Web servers, file servers and SQL Server database servers. Development and QA servers are not as good a target because they're typically not maintained very well. That said, I have found some critical holes and "live" customer data on those types of systems, which ended up being sizable problems. Focus on missing OS patches as well as share and file permission weaknesses that could permit an internal user to gain access to sensitive customer data.
- Web applications that provide the most delicate access to back-end databases such as e-commerce sites and financial systems. Focus on weak login mechanisms, cross-site scripting and SQL injection.
- Database systems housing the most sensitive information (i.e., credit card numbers, HR records or private customer records). Concentrate on unsecured user accounts and missing patches. Also, use a tool like SQLPing3 to find other database instances on your network you may not have known about but that could be creating risks nonetheless.
- Cross section of workstations, including highly visible workstations, such as those belonging to HR, developers, customer service reps, key executives and those in IT. This includes laptops and even handhelds. I've found that a 10% to 20% cross section is good representation. If you only have a few dozen or so workstations, it may make sense to go ahead and check them all. As with servers, focus on missing patches as well as share and file permission weaknesses that very likely are exposing unstructured files containing sensitive information.
- Network infrastructure systems available to the outside world, such as routers, firewalls and wireless access points. Focus on weak login mechanisms and denial of service weaknesses. If you use the right tools like QualysGuard and the BackTrack suite, you can easily uncover these types of problems.
By concentrating on your important systems first, you can then spend quality time addressing the urgent vulnerabilities. This will help you get the most bang for your security-testing buck. Odds are that the vulnerabilities you find on your most critical systems are also present on many -- if not all -- other systems, which can help with pushing out patches and configuration changes.
If and when you are able to get a better handle on your systems management and testing processes – through more people, better tools or good old experience – you can then focus on expanding your scope of testing to other lesser systems. Regardless of which systems you test, document what you're doing and why you're doing it. That will make the auditors happy, your boss proud and will serve to CYA in the event that something bad does happen.
About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has nearly two decades of experience in IT and specializes in performing information security assessments regarding compliance and risk management. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels information security audio programs providing security learning for IT professionals on the go. Kevin can be reached at firstname.lastname@example.org.