    Shopping for IT Security Services

    (January 2011) – Finding the right vendor for IT security services is not an easy task. The first step is to select a trustworthy vendor that can provide added value and act as a strong counselor and ally. Second, but no less important, is to have a clear understanding of the various services and the terminology used in the IT security industry, since these terms are used interchangeably and often misleadingly.

    This article will clarify some of the most common errors made when shopping for IT security services and provide guidance to help buyers incorporate the main IT security services into an organization’s security program.

    Basic Services to Support a Risk Management Program
    The core of any solid IT security strategy should be a risk assessment. By using a risk-based approach, an organization will identify all the assets requiring protection. The risk assessment will also identify the threats affecting the assets, their inherent risk, and controls in place to mitigate such risk. As a result of the risk assessment, an organization will have clearly determined what assets need security services.
    The next step is to determine the best suite of services for your risk management program:

    Network Vulnerability Scan
    A network vulnerability scan is an assessment performed by an automated tool such as QualysGuard or Nessus. The tool scans the systems in the network, searching for certain patterns (for example, service banners and version strings). When a match is found, the tool flags it as a vulnerability. Because a network vulnerability scan is automated, it is relatively inexpensive and quick. However, a scan may produce a high number of false positives: vulnerabilities reported by the scanning tool that in reality are not risk issues. To mitigate this, the service provider can “clean” the report by removing the false positives after proper validation, as required by the PCI DSS. To ensure your report provides the best information, make sure that this validation service is included in the agreement.

    Network Penetration Test (aka Ethical Hacking)
    A vulnerability scan is the first phase of a network penetration test. During a network penetration test, a professional reviews the results of the vulnerability scan and exploits the vulnerabilities identified using an “intrusive” approach, in order to test whether a hacker could breach the targeted systems. Using this approach, the tester will compromise one system, hop from that system to compromise another, and so on. As a result, network penetration tests require more time to perform and are more thorough, and thus more costly, than simple vulnerability scans. However, the information from these penetration tests is invaluable for further protecting your assets.

    There are two approaches to network penetration tests: external and internal. External testing refers to attacks on the organization’s network perimeter performed from outside the organization’s network, such as from the Internet. Internal testing is performed from inside the organization’s network perimeter and is used to test what a malicious insider could do if he or she had internal access to the network as a regular employee of the organization.

    Social Engineering
    Social engineering is a penetration test in which the attacker attempts to induce employees to divulge sensitive information that may then be used to perform more sophisticated attacks, such as a network penetration test. People can be the weakest link in risk management for any organization. As such, social engineering should be part of any network penetration test initiative. Social engineering will enable you to assess your employees’ knowledge of information security concepts, phishing methods, and the organization’s policies and procedures.

    Application Penetration Test
    Application penetration testing should not be confused with network penetration testing, as they have different targets and methodologies. Application penetration testing targets the software applications (web based or not) used by the organization to support operations, such as the payroll system, the e-commerce website, and others. Application penetration testing also assesses a different set of vulnerabilities, ranging from the conventional (e.g. SQL Injection, Cross Site Scripting) to the latest cutting-edge security vulnerabilities.

    Vulnerability Assessment
    Vulnerability assessments use a completely different approach than penetration tests. Usually, penetration tests are “blind”, performed with no or minimal knowledge of the environment being assessed. Penetration tests also assess the security of information systems from a network perspective. A vulnerability assessment, by contrast, is used to assess the individual security of a system by examining its configuration files, users, permission settings, and any other available security parameters.

    Vulnerability assessments require prior in-depth knowledge of the system and its components. The system is broken down into its individual components (e.g. application server, database, etc.), which are then analyzed one by one. Each component’s configuration is compared with security best practices and standards to identify any misconfiguration that could pose a security risk and be exploited by hackers.
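    The component-by-component comparison described above can be illustrated with a small configuration check. The following is an added example, not code from the original article or from any assessment vendor: it parses a constructed sshd_config-style text, compares each directive against a hypothetical hardening baseline (the expected values, severities and rationales are illustrative, not a published standard), and reports every directive that is missing or deviates. The same structure applies to any component whose configuration can be reduced to key/value settings.

```python
"""Baseline comparison for one system component (an SSH server), in the
spirit of a vulnerability assessment. Added example with constructed
input; the baseline below is illustrative, not a published standard."""

# Hypothetical hardening baseline. Each entry maps an sshd_config
# directive to (expected value, severity, rationale). An expected value
# of the form "<=N" is treated as a numeric cap rather than a literal.
SSHD_BASELINE = {
    "PermitRootLogin": ("no", "high", "direct root logins remove accountability"),
    "PasswordAuthentication": ("no", "high", "prefer key-based authentication"),
    "PermitEmptyPasswords": ("no", "high", "empty passwords allow trivial access"),
    "MaxAuthTries": ("<=4", "medium", "limits online password guessing"),
    "X11Forwarding": ("no", "low", "reduces exposed functionality"),
}

# Constructed sample configuration, not taken from a real host.
SAMPLE_SSHD_CONFIG = """
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no   # ignored: sshd honours the first occurrence
X11Forwarding no
MaxAuthTries 6
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def parse_config(text):
    """Parse 'Directive value' lines, ignoring blank lines and '#' comments.
    OpenSSH uses the first value given for a directive, so earlier
    occurrences win here as well."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0], parts[1].strip())
    return settings


def compliant(actual, expected):
    """True when the observed value satisfies the baseline value.
    '<=N' expresses a numeric maximum; anything else is a literal match."""
    if expected.startswith("<="):
        try:
            return int(actual) <= int(expected[2:])
        except ValueError:
            return False
    return actual.lower() == expected.lower()


def assess(settings, baseline):
    """Return findings for directives that are unset or deviate from the
    baseline, most severe first. An unset directive is reported because
    the daemon's default then applies, which the assessor must verify."""
    findings = []
    for directive, (expected, severity, why) in baseline.items():
        actual = settings.get(directive)
        if actual is None:
            status = "not set (default applies)"
        elif not compliant(actual, expected):
            status = "deviates from baseline"
        else:
            continue
        findings.append({
            "directive": directive, "severity": severity, "status": status,
            "expected": expected, "actual": actual, "why": why,
        })
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in assess(parse_config(SAMPLE_SSHD_CONFIG), SSHD_BASELINE):
        print(f"[{f['severity']:>6}] {f['directive']}: {f['status']} "
              f"(expected {f['expected']}, found {f['actual']}) - {f['why']}")
```

    Run against the constructed sample, the check reports four findings: three high-severity items (root login permitted, password authentication enabled, PermitEmptyPasswords left at its default) and one medium item (MaxAuthTries above the cap); X11Forwarding matches and is not reported. In a real assessment the baseline would come from the standard the organization has adopted, and each finding would be validated by hand before it enters the report, just as the scan results discussed earlier are validated.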

    Using these Services Effectively
    The services described above should be combined to achieve the best results. An effective strategy is to perform a comprehensive vulnerability assessment of the main information systems first, especially if the organization has never performed one. At the same time, an organization should also perform external network penetration tests (including social engineering) and application penetration tests for critical Internet-facing applications, as these are exposed to attack at any time.

    The organization should then start the remediation phase and address all the deficiencies identified. After remediation is completed, the organization should repeat the external network and application penetration tests and perform internal network penetration tests to confirm that all the deficiencies previously identified were remediated and that no new ones were introduced.

    After the first set of tests, the organization can move into a steady maintenance program. Performing various types of penetration tests once a year will provide an organization with reasonable assurance of being in good shape to withstand any attacks.

    Conclusions
    IT security needs to be managed methodically to achieve your objectives and to keep the organization from spending more than is necessary on security. Engaging the right professionals will make the difference: they should understand the client’s needs and possess the technical skills to meet them. Savvy customers will understand the various services offered, along with their methodologies and objectives, and use that understanding to build a sound information security program, both within the organization and with the assistance of consultants when needed.
