I had a meeting with a potential Impacta client the other day and they were inquiring about getting a ‘penetration test’ performed against their network. Upon talking more and more with them, turns out that they needed something much different than a penetration test and I told them this openly. Sure, I could have sold them a penetration test, but I think this particular industry could do with a little more integrity than what’s currently available. I gave them a copy of my book and explained to them the different types of security assessments. No signed contract came out of the meeting, but at least I was able to help steer them in the right direction.
I think a lot of people can benefit from some of the same information I shared with this potential client, so if you have a copy of my book Assessing Network Security (Microsoft Press, ISBN: 9780735620339) then you’ll want to read up on chapters 1, 3, 4 and 5. If you don’t have a copy of Assessing Network Security (shame on you ;P) then this blog was written especially for you.
Vulnerability Scanning
This is the most basic form of security assessment and is usually carried out by a software package. These packages assess networks and applications for known configuration weaknesses and vulnerabilities. They are useful for enumerating current assets, identifying common security mistakes, finding computers with known vulnerabilities and testing for exposure to common attacks.
- Benefits: Can be automated, finds known vulnerabilities
- Limitations: Subject to frequent false positives, results depend entirely on the quality of the software, can report only commonly known vulnerabilities
Penetration Testing
Penetration testing differs from vulnerability scanning in that it looks at the security of a network or application as a whole, whereas vulnerability scanning is done on a per-system basis. Penetration tests also typically begin without administrative rights (gaining administrative privileges is the ultimate goal of a penetration test!), whereas most vulnerability scanners require administrative privileges. Penetration tests answer the question of how detected vulnerabilities can actually be exploited, and they expose weaknesses in people and processes.
- Benefits: Exposes weaknesses that vulnerability scanning cannot, such as social engineering weaknesses; exposes the methods by which vulnerabilities can be exploited
- Limitations: Requires highly skilled security professionals, results depend on the skill of the penetration tester, may disrupt network services if done recklessly
IT Security Audits
IT security audits are much different from vulnerability scanning and penetration testing. IT security audits focus on the people and processes that support, manage and implement security on a network or application. An IT security audit will help you understand whether you have the necessary infrastructure to maintain a secure computing environment.
- Benefits: Can be used to provide evidence for industry regulations (SOX, HIPAA, etc.), provides a snapshot of the appropriateness of current security policies and procedures
- Limitations: Can be very time consuming
The book has a lot more detail than shown here, but I hope you still found this useful, enjoy! If you have questions, please feel free to email info@impactalabs.com or submit a comment.
–Kevin


8 Comments
Good post – thanks. I’d add 2 small tweaks (perhaps they are already in your book :).
1. Goal of a pen-test should be defined by business objectives; e.g. figure out how to print cheques or modify AP etc. Gaining admin rights is often part of that but demonstrating sufficient application/process knowledge to show the screen where you can affect a business process directly tends to have more impact in the report out.
2. I tend to see IT audits as ‘top down’ approaches whereas pen-testing is more ‘bottom up’. Thus the two complement each other nicely.
Cheers,
Craig
Craig, these are great points — thanks for sharing!
–Kevin
Pen testing also must be scoped correctly. All too often testing is limited to focusing on certain systems, and the full consequence of certain mistakes/errors does not bubble to the top. It is then up to the client's staff to realize this revelation and take action. In the event the client company is very compartmentalized, some results will never be shared and the skill level to understand these consequences is not leveraged since typically testers are not part of this process. If this happens, the overall value of the test is greatly diminished.
Lou,
You’re quite correct in your observation — lots of things can go wrong to diminish the overall value of penetration tests. That’s unfortunate. Thanks for taking the time to comment!
–Kevin
I work in a SaaS company and carve up the scanning/penetration world a bit differently. For example, I don’t consider the goal of pen testing a web-based application to be able to gain administrative privileges. You don’t need to be an admin to exploit SQL injection or phishing vulnerabilities.
Hi Philip, thanks for sharing your thoughts and taking the time to post a comment. Indeed, the goal of a pentest does not necessarily have to be to gain administrative privileges. From a broader perspective, the goal really is to use an application in some fashion that was not intended by the designers and developers of the application — gaining administrative privileges through that application is only one instance of that broader goal. Actual goals will differ from organization to organization.
–Kevin
Hi Kevin,
I’m interested in your book as I am just finishing ‘Counterhack Reloaded’ by Ed Skoudis & Tom Liston.
Since your book was published a while back and includes a CD with tools and scripts, do you have plans to release an updated edition with a revised CD?
Thanks!
Hi Bill, thanks for reaching out and asking about the book. When I wrote the book I was a full-time employee at Microsoft, and now that I’ve left I’m not sure if that’s possible. I’ve been wanting to write another book, so who knows …
@All: One day I’ll get around to writing another book, so if you’re interested in getting updates in the future, send an email to info@impactalabs.com and I’ll get you on the list. Thanks!
–Kevin