(Another in our series of Guest Blogs from Kevin Beaver. Enjoying his excellent writings? You can find more on his own website; Kevin Beaver's Information Security Books, Articles, Whitepapers, Webcasts, Podcasts, and Screencasts.)
It seems that the more we test for security vulnerabilities the less progress we make in terms of actually uncovering the meaningful security flaws. In fact, it seems that all security problems, no matter how old, continually come back to life. Perhaps in a different form. But we're still missing them.
An example I like to give when I’m presenting to live audiences is a book entitled Security, Accuracy, and Privacy in Computer Systems by the late IT pioneer James Martin. The book covers many of the core information security control and testing principles we should have in place today: security in systems programs, audits, psychology of the system breaker, and so on. The thing is, Mr. Martin’s book has a copyright date of 1973. You get my point.
We’re all busy. Too much to do and improper time management contribute to the problem. However, I think a lot of it has to do with us merely going through the motions, unwilling to step out of our old ways of doing things. Here are four things you can do to immediately start improving your security testing program which will, no doubt, help you minimize your information risks over the long haul:
1) Know what you’re scanning.
Are you looking at everything? Do you even need to? Perhaps scanning a cross-section of your workstations will suffice. Are you looking in all the right places, on all your network segments including wireless? What about those servers at some remote facility you rarely visit that store sensitive information nonetheless? You may need to scan and analyze all hosts. Maybe not. Only you will know. The option in Nexpose’s Web Spidering Restrictions Don't scan printers, multiple-use devices, or print servers is an example of how you can fine-tune your scope. Know your network so you know what you’re actually looking at and what the picture of risk you’re painting truly represents.
2) Run authenticated scans – at least some of the time.
Running your vulnerability scans with authentication opens up an entirely new realm of security weaknesses - things you likely have never thought of before. Nexpose makes it painfully simple to run authenticated scans. These scans are especially beneficial if you have a diverse environment with numerous versions of Windows and Linux. Authenticated scans are exceptionally eye-opening if you don’t have your third-party patches under control. With authenticated scans, you’ll also increase your odds of finding flaws that are exploitable via Metasploit. One of the ultimate ways to validate that your security assessments are paying off is a screenshot of remote command prompt you’ve obtained on a critical system you shouldn’t have had access to otherwise.
3) Think about context.
Does it really matter that you can exploit a flaw on a training room printer? Or, is it ‘critical’ that SNMP version 2 is enabled with default community strings on network switches that make up your dev/test environment? Furthermore, is an exploit still a risk if there’s nothing you can do about it? Perhaps the missing patches or otherwise unhardened systems belong to someone else (i.e. a vendor or business partner). This happens a lot. Again, only you will know. When in doubt, at least make your findings known – and understandable, of course – and let management decide how they want to handle it.
4) Get to know your tools.
It’s very humbling knowing just how much I don’t know about my own security tools. It seems that I uncover new features, tricks, and findings every time I run them. Spend a good amount of time learning your tools. Get on YouTube to see what others have shared. Look at the blogs and take part in the vendor support communities. Everything you need to know is at your disposal if you’re willing to put in the time and you’re not afraid to ask questions.
Like I’ve discovered in my own work, I guarantee you you’re not doing all you can to get the most out of your security vulnerability testing. Focus on these areas you’ll no doubt be more effective in discovering the security flaws on your network that truly matter to your business.