Effective security testing of new IT products is constrained by staff shortages, inadequate equipment and crunched time; in short, by a scarcity of resources. But even with all these hurdles, security testing can, and should, be done and done well.
eWEEK Labs has access to some of the most advanced test gear, expertise and vendor support available, but many of our test practices can be modified and implemented in resource-constrained IT organizations.
In a manner of speaking, we’ve taken some of our security testing “recipes” and adapted them for use in a production IT department. The result is a soup-to-nuts collection of testing practices, as well as recommendations for useful security testing tools.
The good news is that nearly every security test practice is in step with the process of tuning systems and applications for optimum performance. The reason for this is simple: IT staffers must become at least advanced administrators of any system if they are to run meaningful tests on it, and, along the way, they will learn about more advanced performance-tuning techniques.
Be it here in our Labs or in an enterprise testbed, planning is the key to achieving meaningful results. Taking the time to plot out a course of action (and, in the process, anticipating and avoiding potential pitfalls) is a must.
One of the most effective tools that IT managers can use today, and use as the basis for all subsequent security and other testing, is a network diagram.
Microsoft Corp.’s Visio and SmartDraw.com’s namesake utility are two good diagramming tools. Regardless of which diagramming tool is used, updating the diagram is a key part of the IT change management process.
eWEEK Labs recommends that IT managers start security testing as part of product implementation and user training. This is a good way to reduce the cost associated with security testing alone while gaining the same result: expert knowledge of a product’s strengths and weaknesses.
One way in which this naturally happens is with the creation of administrative accounts for applications.
Although it has been a long-standing recommendation of eWEEK Labs to change any and all default accounts and passwords, it is equally important to track these changed passwords and any ACLs (access control lists) that are modified to accommodate new products.
To correctly create these new accounts, IT staff must fully understand the privileges needed by these accounts. This process is often a view into the soul of any application, large or small.
There are many new and updated password management tools that can help IT managers track these user credentials across the enterprise. eWEEK Labs will be evaluating several of these, including new tools from RSA Security Inc. and Vintela Inc., in the coming weeks. When we test the security of these tools, we will also determine whether additional IT resources will be needed to manage user privilege information.
Security testing also requires using a range of penetration tools that emulate and automate hackers’ actions. Many of these tools are widely available and at no cost. However, learning to use the tools effectively means investing at least several hours per week on an ongoing basis.
Indeed, we have long and often used Nessus to probe for weaknesses in products under test and Nmap to scan for open ports required by applications that we are testing, but we are constantly learning new ways to use these tools.
These and many other tools can simplify security testing, but applications and systems often are too complex for a single test tool to fully reveal all vulnerabilities.
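Putting the Nmap practice above into a repeatable check, as an added example that is not from the article: the script parses Nmap's grepable (-oG) output and compares the open ports it finds against the ports the documented applications are supposed to need, flagging anything unexpected (and anything expected but missing). The baseline, the host addresses and the scan text are constructed for illustration; in practice the baseline would come from the network diagram and product documentation.

```python
"""Compare an Nmap grepable (-oG) scan against a documented port baseline."""
import re

# Constructed baseline: host -> TCP ports the documented applications require.
BASELINE = {
    "192.0.2.10": {22, 443},   # web front end: SSH for admin, HTTPS for users
    "192.0.2.20": {22, 1433},  # database server: SSH for admin, SQL Server
}

# Constructed sample of Nmap -oG output for the two hosts above.
SAMPLE_SCAN = """\
# Nmap scan initiated as: nmap -oG - 192.0.2.10 192.0.2.20
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 192.0.2.20 ()\tPorts: 22/open/tcp//ssh///, 1433/filtered/tcp//ms-sql-s///\tIgnored State: closed (998)
# Nmap done
"""

# One port entry looks like "22/open/tcp//ssh///": port/state/protocol//service///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//")


def parse_grepable(text):
    """Return {host: set of open TCP ports} from Nmap -oG output."""
    open_ports = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        ports = open_ports.setdefault(host, set())
        for field in line.split("\t"):
            if field.startswith("Ports:"):
                for port, state, proto in PORT_RE.findall(field):
                    if state == "open" and proto == "tcp":
                        ports.add(int(port))
    return open_ports


def diff_against_baseline(scan, baseline):
    """Return {host: (unexpected open ports, expected ports not open)}."""
    report = {}
    for host in set(scan) | set(baseline):
        observed = scan.get(host, set())
        expected = baseline.get(host, set())
        report[host] = (observed - expected, expected - observed)
    return report


if __name__ == "__main__":
    for host, (extra, missing) in sorted(diff_against_baseline(parse_grepable(SAMPLE_SCAN), BASELINE).items()):
        print(f"{host}: unexpected open {sorted(extra)}, expected but not open {sorted(missing)}")
```

Either finding is worth a line in the test notes: an unexpected open port is a service nobody documented, and a missing one means the documentation or the scan vantage point is wrong.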
The axiom that complex systems break in complex ways is maddeningly true, and such complexity requires a very granular approach to security testing.
For example, during a recent forum with members of eWEEK’s Corporate Partner Advisory Board, Gary Gunnerson, IT architect at Gannett Co. Inc. and a Corporate Partner, said, “We go so far as to look at the handshakes inside applications to see what those look like.”
Many vendors offer tools for finding vulnerabilities in the ways that distributed systems communicate. TippingPoint Technologies Inc.’s UnityOne-200 and Symantec Corp.’s SNS 7160 are two strong contenders in this testing area.
With nearly every new laptop equipped with integrated wireless capabilities, IT managers must make wireless detection a mandatory part of the security tests they perform on the overall network.
We recommend that IT managers consider a protocol analyzer such as Network Instruments LLC’s Observer 10 or WildPackets Inc.’s EtherPeek NX, both of which have wireless detection modules.
In addition to providing an accurate network diagram, a protocol analyzer is one of the most useful tools available for security testing. Nearly all protocol analyzers on the market today offer well-honed expert decodes of the packets “sniffed” from the network. And a protocol analyzer is practically the only reliable way to document the application handshakes that Gunnerson referred to.
Protocol analyzers and other tools that monitor network traffic (including a clever little utility we recently discovered from Paessler GmbH called PRTG Traffic Grapher) enhance security testing by letting IT managers see what normal and, thus, abnormal application and system behaviors look like.
Ed Benincasa, vice president of MIS at FN Manufacturing Inc. and an eWEEK Corporate Partner, said he takes great pains to ensure that products under test will fit into his existing network architecture.
Speaking of wireless networking, Benincasa said, “If an unauthorized station comes in, either a workstation or an access point, we have intrusion protection.” In addition, he said, “All wireless goes through a separate firewall with restricted access.”
We use and have tested commercial vulnerability scanning systems including Qualys Inc.’s QualysGuard and Foundstone Inc.’s FoundScan product. (Foundstone is now in the process of being acquired by McAfee Inc.) In fact, we use these products daily to scan our test networks for vulnerabilities. We recommend that IT managers invest in some kind of automated vulnerability scanning process to detect the holes that can be exposed in even the most well-managed and well-monitored network.
eWEEK Labs’ test network is in a constant state of flux, so we see new vulnerabilities almost daily. To lower costs, IT managers with stable networks may be tempted to forgo automated vulnerability scanning because a stable, well-maintained network usually slows in the rate at which it will present problems. But we warn administrators not to become complacent. Vigilant network scanning is one of the best ways to find weaknesses in large networks.
In any case, vulnerability assessment tools should also be incorporated into a security testing workflow to ensure that discovered holes get patched.
Finally, we document our work in the reviews and analysis you read in print and online at eWEEK.com. Likewise, IT managers should make documenting security test results a priority. In addition to providing proof that IT is doing real work, documenting security testing and security features is a core best practice.
“Security by obscurity” doesn’t protect IT assets from outside hackers, and it certainly doesn’t help other IT staffers manage the network. And depending on oral tradition to pass security knowledge from one IT staff member to another will likely (and rightly) go the way of the dodo in the not-too-distant future.
Technical Director Cameron Sturdevant can be reached at email@example.com.