Pen Tests and Vulnerability Assessments

Required for financial companies; good idea for everyone

By Chuck Smith, Locknet Senior Security Engineer, CISSP

I remember watching a construction project and looking at this sling looped around a giant culvert as it was being lifted into place. It’s just some slim wire rope, yet it’s charged with this incredibly critical job. One unseen flaw and the rope could break, endangering lives and equipment below.

Given the enormity of the risk, I don’t think any of us are surprised to hear that those ropes get a visual inspection every time they’re used and professional testing from an outside vendor at least once a year—at 125% of the rated load.

So I like to think about a company’s network as if it were a construction sling. Sure, a network breach isn’t likely to create a life-and-death situation for your customers, but it can kill your business.

Identity theft causes massive disruption in people’s lives, and you don’t want to be the source of those headaches. Even if a breach caused minimal consumer losses, would your reputation ever recover?

And just like a construction sling, those kinds of disasters can be prevented with proper ongoing network maintenance and regular testing.

Guidelines for financial institutions recommend annual penetration tests and vulnerability assessments. We recommend these tests for any business concerned about protecting customer and employee information and keeping their networks up and running.

Penetration tests (pen tests, for short) involve testing your network from the outside—the Internet side—to make sure someone or something can’t enter the network.

We run tests on your firewall and gateway devices to make sure the proper configurations are in place. Your open ports, for example, should only allow the correct traffic through.

Vulnerability assessments, on the other hand, involve testing the internal network and checking all the devices that have an IP address for problems—whether it’s a configuration issue, missing patches, or some open weakness. Basically, we’re looking for problems that could be exploited by someone or something on your internal network.

These assessments can be done remotely, using a variety of scanners and tools. Some tools search for open ports, others try known attacks against your network, and still others search for vulnerabilities and missing patches.
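The point above about open ports only allowing the correct traffic through is easy to turn into a repeatable check: keep a written baseline of what each public address is supposed to expose, and compare every external scan against it. The script below is an added illustration, not Locknet's own tooling. It parses a constructed sample in the line-per-host "grepable" layout that nmap's `-oG` output uses, compares it with an assumed baseline, and reports drift in both directions (a port open that the baseline does not allow, and a baseline service that is no longer reachable). The addresses, hostnames and baseline are made up for the example.

```python
"""Compare an external port-scan result against an expected-exposure baseline.

Added illustration (not the article's or Locknet's tooling). The scan text is a
constructed sample in nmap's grepable (-oG) line layout; the addresses and the
baseline below are assumptions made up for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample of what an external scan of a small perimeter might report.
SAMPLE_SCAN = """\
# Nmap scan (constructed sample for illustration)
Host: 203.0.113.10 (www.example.test) Ports: 80/open/tcp//http///, 443/open/tcp//https///, 22/filtered/tcp//ssh///
Host: 203.0.113.20 (vpn.example.test) Ports: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///
Host: 203.0.113.30 () Status: Down
"""

# Assumed baseline: the only TCP services each public address is meant to expose.
# (25 on the web host is deliberately listed but not open, to show that direction of drift.)
EXPECTED_EXPOSURE = {
    "203.0.113.10": {25, 80, 443},
    "203.0.113.20": {443},
}

# Grepable port entry: port/state/protocol/owner/service/...  (owner is usually empty)
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    reason: str


def parse_grepable(text):
    """Return {host: {(port, state, service), ...}} for the TCP entries of each Host: line."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blanks carry no host data
        host = line.split()[1]
        ports = set()
        m = re.search(r"Ports:\s*(.*)$", line)
        if m:  # a host reported Down has no Ports: field
            for port, state, proto, service in PORT_RE.findall(m.group(1)):
                if proto == "tcp":
                    ports.add((int(port), state, service))
        hosts[host] = ports
    return hosts


def check_exposure(scan_text, expected):
    """List every deviation between what the scan saw and what the baseline allows."""
    findings = []
    observed = parse_grepable(scan_text)

    # Direction 1: something is reachable that the baseline never approved.
    for host, ports in observed.items():
        allowed = expected.get(host)
        for port, state, service in sorted(ports):
            if state != "open":
                continue  # filtered/closed ports are not exposures
            if allowed is None:
                findings.append(Finding(host, port, service, "host not in baseline"))
            elif port not in allowed:
                findings.append(Finding(host, port, service, "port not in baseline"))

    # Direction 2: an approved service is no longer reachable (outage or an
    # undocumented firewall change); worth a look even though it is not an exposure.
    for host, allowed in expected.items():
        open_ports = {p for p, s, _ in observed.get(host, set()) if s == "open"}
        for port in sorted(allowed - open_ports):
            findings.append(Finding(host, port, "", "expected service not open"))
    return findings


if __name__ == "__main__":
    for f in check_exposure(SAMPLE_SCAN, EXPECTED_EXPOSURE):
        print(f"{f.host}:{f.port} {f.service or '-'}  {f.reason}")
```

Run against the constructed sample, the check flags TCP 3389 on the VPN host as an exposure the baseline does not allow and notes that port 25 on the web host, which the baseline expects, is not open. The value of the approach is the baseline itself: once it is written down and reviewed, every future scan becomes a diff against a known-good state rather than a fresh judgement call.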

Now I’d like to think that most of those construction slings pass their annual test with flying colors. Unfortunately, that’s not the case with the networks we test.

For vulnerability assessments, we find issues 100% of the time. That’s right, every time we run a test, we find issues that need to be mitigated in some fashion. I would classify as many as 85-90% of those as major concerns.

For penetration tests, we find issues about 75% of the time, of which about 35% are considered significant.

You may be doing everything right—securing your firewall, downloading patches, monitoring your network and hardening it after every change—but still you don’t really know your network is secure unless you test it.

And if you’re not doing everything right, these tests show you just where the vulnerabilities are.

You can imagine the public outrage if an accident happened on a construction site and a review discovered the company had failed to test its equipment. How could they NOT test the equipment, right? So now I ask you, are you willing to face the same challenges for not testing yours?