This month's topic is about how to approach security vulnerability scanners and how they fit into a full ISO 17799 based security assessment.
I am often on my security soapbox talking about how good security testing tools are an absolute necessity for information security success. This is especially true for operating system, web application and database vulnerability scanners. Security testing tools are quick and efficient and they can root out security weaknesses in your Operating Systems (OS) and applications that can take even the most seasoned security expert days or weeks to find. But you've got to take what they find and what they rank as vulnerabilities with a grain of salt. What vulnerability scanners find isn't always reality, they have to be interpreted and analyzed correctly.
Vulnerability scanners return information that the vendors think are important. The problem is that many of the vulnerabilities found and ranked as high, medium or low priority may not really apply to your environment. A glitzy report containing security weaknesses looks good, but it is likely not in your organization's best interest. I will sometimes come across issues that are flagged as "Level 5" or "Critical Priority", that really have no immediate impact in the environment that I am performing the test.
They have included the following issues:
Separating fact from fiction is all about context and what was being tested at the time, where it was being tested from, how it was being tested, who you were logged in as, why the vulnerability is exploitable, and whether or not there is a viable fix. This is where you can educate others on the fact that you can't lock everything down completely. There will always be a certain level of security risk that must be accepted by the owner.
With this in mind, here are some tips to incorporate in your daily routine:
There you have it. No matter how sophisticated your security scanning tools are and no matter what the vendors say, you're still going to need to get involved and use your knowledge of your network and information security in general to determine which issues need to be addressed and which ones don't apply. You need good tools but in the end there's no better tool than the human element and good old-fashioned security experience.
To respond to this or previous newsletters or to inquire about an on-site
presentation, please feel free to call us at 508-995-4933 or email us at
Founder & Principal Consultant
We Manage Risk, So You Can Manage Your Business
Got something to add? Send me email.
More Articles by Michael Desrosiers © 2011-05-02 Michael Desrosiers