IT Security
A vulnerability assessment on an enterprise network can be a major undertaking, but it is an important part of securing a network. Vulnerability assessment can be done by inside professionals (i.e. network administrators), but is usually outsourced to Managed Security Service Providers (MSSPs). Each MSSP provides different solutions, has a different background, and has different areas of expertise, so it is crucial to select an MSSP that offers exactly what is needed. Two factors largely determine what is needed. First, how much of the network should be assessed, and which parts? Second, what constitutes a vulnerability? Determining what needs to be left open is as important as determining what needs to be locked down. The only hacker-proof network is one that has been turned off, but obviously that is not a viable business plan either. The level of network security decreases with every application that makes the network more accessible, so a balance must be struck between security and accessibility for customers, partners, and employees.


Vulnerability Assessment Preparation (SLA)

Though each MSSP offers different solutions, most offer some sort of Service Level Agreement (SLA). The SLA should cover at least these topics: Security Management, Monitoring, Incident Response, Response Time Escalation, and Documentation. Most agreements allow for security tests, including detailed audits and penetration assessment, and they should also detail the provider's own security processes, including authentication, access control, and auditing. Two major parts of the SLA deal with access to systems and information, and with behavior during an attack. The first part pertains to how much of the network the MSSP should assess and which parts are considered too confidential for outsiders. It is also important to make sure that partner and customer systems are not inadvertently scanned. There are a few different ways to handle an attack, and it is important to fully understand the implications of each before committing to an MSSP. MSSPs will usually do one of three things: a post-attack audit, on-the-spot consultation, or taking full responsibility for real-time response. If the MSSP is monitoring, this is the time to decide whether they should take it upon themselves to deter a hacker or wait for instructions from an administrator or executive.
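The scoping requirement above (assess only the agreed parts of the network, and never touch partner or customer systems) is the kind of check that should run before any scan starts. The following is an added example, not code from the article or from any MSSP: it takes the authorized ranges and exclusions from the SLA as input and sorts a candidate target list into in-scope and out-of-scope entries with a reason for each. The address ranges and target list are constructed sample data drawn from the RFC 5737 and RFC 1918 documentation and private ranges.

```python
"""Scope check for a vulnerability assessment target list (illustrative example).

Authorized ranges and exclusions are assumed to come from the SLA; the values
below are constructed for the example.
"""
import ipaddress

# Constructed: ranges the SLA authorizes the assessor to scan.
AUTHORIZED_RANGES = ["192.0.2.0/24", "10.10.0.0/16"]
# Constructed: a partner gateway and a customer-hosted subnet that must not be scanned.
EXCLUDED = ["192.0.2.250", "10.10.200.0/24"]


def _networks(specs):
    """Parse CIDR strings (a bare address becomes a /32 or /128 network)."""
    return [ipaddress.ip_network(s, strict=False) for s in specs]


def classify_targets(targets, authorized=AUTHORIZED_RANGES, excluded=EXCLUDED):
    """Split targets into (in_scope, out_of_scope).

    in_scope is a list of normalized address strings; out_of_scope is a list of
    (original_entry, reason) pairs. Exclusions win over authorizations, so a
    partner host inside an authorized range is still rejected.
    """
    auth_nets = _networks(authorized)
    excl_nets = _networks(excluded)
    in_scope, out_of_scope = [], []
    for raw in targets:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            out_of_scope.append((raw, "not a valid IP address"))
            continue
        if any(addr in net for net in excl_nets):
            out_of_scope.append((raw, "explicitly excluded (partner/customer system)"))
        elif any(addr in net for net in auth_nets):
            in_scope.append(str(addr))
        else:
            out_of_scope.append((raw, "outside authorized ranges"))
    return in_scope, out_of_scope


def require_clean_scope(targets, authorized=AUTHORIZED_RANGES, excluded=EXCLUDED):
    """Return the in-scope list, or raise if anything would fall outside the SLA.

    Meant as a hard gate before a scanner is launched: a single stray address
    aborts the run instead of being silently dropped.
    """
    in_scope, out_of_scope = classify_targets(targets, authorized, excluded)
    if out_of_scope:
        details = "; ".join(f"{entry}: {reason}" for entry, reason in out_of_scope)
        raise ValueError(f"target list violates assessment scope: {details}")
    return in_scope


if __name__ == "__main__":
    # Constructed target list mixing authorized, excluded, foreign and malformed entries.
    sample = ["192.0.2.10", "192.0.2.250", "10.10.200.5", "10.10.3.4", "203.0.113.9", "not-an-ip"]
    ok, rejected = classify_targets(sample)
    print("in scope:", ok)
    for entry, reason in rejected:
        print("rejected:", entry, "->", reason)
```

Keeping the reasons alongside the rejected entries matters in practice: "outside authorized ranges" usually means the target list needs correcting, while "explicitly excluded" is a signal that a partner or customer system was about to be scanned and the SLA exclusion list did its job.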

An important decision to make before a managed attack is deployed is determining from whom the network is being protected. Attacks can come from two places: inside or outside the company. Inside threats have the potential to be the most damaging. Because each employee requires access appropriate to his or her position, assessments must be done at each level of user. An outside attack (or Zero Knowledge Attack) can be just as damaging, depending on the time and money the attacker is willing to spend, especially if the attacker expects to find something valuable. A competitor may find it advantageous to spend many days or even months trying to gain access to compromising information. An attack from an outside hacker, rather than a competitor, is usually not as prolonged, due to lack of funds and interest. If a hacker cannot easily gain access with the few tricks he knows, he is more likely to move on to an easier target than to continue trying, especially if he does not expect much from the site. Properly identifying potential risks is necessary for those performing the penetration assessment.


Penetration Assessment

The penetration assessment usually consists of four steps, culminating in the fourth step, exploitation. The first step, Discovery, determines which networks, and more specifically which IP addresses, will be assessed. This information can be obtained from the network administrator or from the internet by consulting websites, whois databases, and Usenet groups. Enumeration, finding detailed information about a server, IP address, or system, is the second step in the assessment. The assessor will try to find user names, operating systems and versions, and the sharing permissions of the workstations. The third step is Vulnerability Mapping, where the information gathered thus far is compared against known vulnerabilities. This information is available on product sites, bug tracking sites, and CERT's site. The last phase is Exploitation. The 'map' made in the previous step is the foundation for attacking the system's vulnerabilities. A dictionary attack will be run to try to crack passwords; if a password is cracked, an account becomes available and the attack now comes from the 'inside'. The assessor will also try to gain privileged access through vulnerabilities in operating systems or applications running on the server.
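The third step, Vulnerability Mapping, is in essence a comparison between the enumeration results (host, service, product, version) and advisory data keyed by product and affected version range. The following is an added example, not code from the article: a small mapper that performs that comparison and reports, per host, which enumerated services fall inside an advisory's affected range. The inventory and advisory entries are constructed, and the advisory identifiers (`ADV-0001`, `ADV-0002`) and product names are placeholders, not real CVEs or products. The one non-obvious detail it demonstrates is that versions must be compared numerically component by component, since a string comparison would put "2.4.9" after "2.4.10".

```python
"""Vulnerability mapping: match enumerated services against advisory data.

Illustrative example. Inventory and advisory entries are constructed; advisory
ids and product names are placeholders.
"""
import re
from dataclasses import dataclass


def parse_version(text):
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically.

    Each dotted component keeps only its leading digits, so '1.0.3-beta'
    becomes (1, 0, 3); a component with no digits counts as 0.
    """
    parts = []
    for component in text.split("."):
        m = re.match(r"\d+", component)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str       # placeholder id, not a real CVE number
    product: str
    fixed_in: str          # first version that is NOT affected
    min_affected: str = "0"
    summary: str = ""

    def affects(self, product, version):
        """True when product matches and min_affected <= version < fixed_in."""
        if product.lower() != self.product.lower():
            return False
        v = parse_version(version)
        return parse_version(self.min_affected) <= v < parse_version(self.fixed_in)


# Constructed enumeration results (step 2): host, service, product, version.
INVENTORY = [
    ("10.10.3.4", "http", "ExampleWeb", "2.4.10"),
    ("10.10.3.4", "ssh", "ExampleSSH", "8.2"),
    ("10.10.3.9", "http", "ExampleWeb", "2.4.12"),
    ("10.10.3.9", "smb", "ExampleShare", "1.0.3"),
]

# Constructed advisory data; in practice drawn from product sites, bug trackers and CERT.
ADVISORIES = [
    Advisory("ADV-0001", "ExampleWeb", fixed_in="2.4.11", summary="path handling flaw"),
    Advisory("ADV-0002", "ExampleShare", fixed_in="1.1.0", min_affected="1.0.0",
             summary="weak default share permissions"),
]


def map_vulnerabilities(inventory, advisories):
    """Return {host: [(service, advisory_id, summary), ...]} for every match."""
    findings = {}
    for host, service, product, version in inventory:
        for adv in advisories:
            if adv.affects(product, version):
                findings.setdefault(host, []).append((service, adv.advisory_id, adv.summary))
    return findings


if __name__ == "__main__":
    for host, items in map_vulnerabilities(INVENTORY, ADVISORIES).items():
        for service, adv_id, summary in items:
            print(f"{host} {service}: {adv_id} ({summary})")
```

The output of such a mapper is exactly the 'map' the paragraph refers to: a per-host list of candidate weaknesses that the later exploitation step would validate, and that the defending administrator can use directly as a patching and hardening list. Unmatched services (the SSH entry above) are just as informative, since they show where enumeration data or advisory coverage is missing.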