Executing the Various IT Security Tests in Your Own Environment - dummies

Executing the Various IT Security Tests in Your Own Environment

By Kevin Beaver

A core element of information security testing is knowing what to test and what to look for from hackers. Every organization has its own unique network environment, risk tolerance, and requirements. Therefore, not all security assessments are the same. Some assessments are broad to include everything with an IP address or URL, while others may only focus on servers, wireless networks, or specific web applications.

Regardless of the size of your organization or the industry in which it operates, following are the key areas of any given network that are often exploited by criminal hackers and rogue insiders:

  • People

  • Physical security

  • Passwords

  • Network infrastructure systems

  • Wireless networks

  • Mobile devices

  • Operating systems

  • Messaging systems

  • Web applications

  • Databases and storage systems

These areas must be reviewed for the “low-hanging fruit” that ends up exploited and getting so many businesses into trouble. Your vulnerability scans, penetration testing, and related exercises might focus on one or more of these areas at any given time. You might actually kill two birds with one stone.

For example, by testing your operating systems on servers and workstations, you’ll likely uncover password weaknesses in those systems at the same time. The same goes for social engineering and physical security as they often overlap one another.

During your security tests, be sure to look for the most common security flaws such as:

  • Open network ports and services prone to exploits such as FTP, HTTP proxies, and Microsoft SQL Server

  • Missing software patches, including patches for third-party software such as Java and Adobe Reader

  • Open network shares that expose sensitive information

  • Web flaws such as cross-site scripting and SQL injection

  • Weak passwords on firewalls, operating systems, and database servers

  • Susceptibility of overly-trusting users to click malicious links or attachments in unsolicited e-mails and to let unauthorized people into the building

Look for these vulnerabilities from multiple perspectives: from the Internet as an untrusted outsider as well as from inside the network as a trusted user. The more angles the better.

Look at practically all of the big data breaches that make the headlines and you’ll see that it’s almost always one of these security vulnerabilities that was overlooked by IT and security staff and subsequently exploited by someone with ill intent. Your goal is to track down these weaknesses and fix them so that you and your business don’t end up becoming a statistic.