Manage your network security
by Carl Herberger
April 2005

Differences between poor security and technical vulnerabilities are monumental.

Vulnerability management is not the most important component of a security management program. Poor security contributes at least as much as technical vulnerabilities to unauthorized access to an enterprise’s network. The difference may sound minor, but it is monumental in practice.

Security is process related; vulnerabilities are technically related. Examples of vulnerabilities are problems with application code, operating systems or system architecture that can allow unauthorized access. Examples of poor security are processes that lead to faults and flaws: bad passwords, default installations of applications and operating systems, lackluster compliance.

Security is not a device or a piece of software; it is a process. As such, all the defenses in the world are useless if they are not properly managed. In fact, superior technology and a great vulnerability management program will only carry you so far, like having indestructible walls that are only two feet high.

A vulnerability test reviews and itemizes possible flaws. A penetration test, on the other hand, attempts to gain unwelcome access in order to show that it can, in fact, be done. After that, a penetration test report will show exactly how access was achieved.

A penetration test measures the time taken to reach a selected target and seeks to ensure that the organization’s detection controls were effective in noticing and recording the action. So a penetration test should demonstrate two things: that the organization’s potential vulnerabilities have been minimized to the point where they are not detrimental, and that the organization became aware of the attempted break-in.

At a minimum, a well-designed penetration test should start with defined targets: the critical and confidential information and systems that are the reason security is necessary and deployed within a company in the first place. Typical targets include private customer information; financial information; personal information of key executives; personal employee information; critical data flows between applications; critical applications; and B2B connections and data flows.

From there, discuss and understand the access vector being tested, which is usually either an internal or an external test, rarely both. The deliverable should be simple and include:

  • a list of the desired targets and individual statements on access success or failure;

  • a list of the notable strengths of the security posture that was witnessed;

  • a diagram of how each successful access was achieved, including each propagated access step, along with a discussion of how difficult each step was to accomplish;

  • a technical walk-through of each propagated access point; and

  • a list of all notable vulnerabilities and suggested remedies.
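The two measurements the column asks of a penetration test, time to reach each agreed target and whether the organization’s detection controls noticed the activity, can be computed directly from the tester’s timeline and an export of the organization’s alerts. The following Python is an added illustration written for this page; it is not code from the column or from SunGard. The alert format (`timestamp|severity|message`), the host names, the 30-minute detection window and the whole timeline are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class AccessStep:
    """One propagated access step in the tester's chain (constructed data)."""
    when: datetime
    description: str
    difficulty: int  # tester's rating, 1 = trivial ... 5 = hard


@dataclass
class TargetResult:
    """Outcome for one agreed target; reached_at is None when access failed."""
    target: str
    steps: List[AccessStep]
    reached_at: Optional[datetime]


# Constructed SIEM export in a hypothetical "timestamp|severity|message" format.
ALERT_LOG = """\
2005-04-12T09:02:10|low|Port scan detected from 10.0.5.23
2005-04-12T09:47:55|high|Multiple failed logins for svc_backup on FS01
2005-04-12T11:30:00|medium|Unusual outbound transfer from FS01
"""

ALERT_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<sev>[^|]+)\|(?P<msg>.*)$")


def parse_alerts(text: str):
    """Parse alert lines into (timestamp, severity, message); skip malformed lines."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append((datetime.fromisoformat(m["ts"]), m["sev"], m["msg"]))
    return alerts


def assess_target(result: TargetResult, alerts, window=timedelta(minutes=30)):
    """Score one target: did access succeed, how long did it take, and did
    monitoring notice any step (an alert firing within `window` after it)?"""
    start = result.steps[0].when
    detected = []
    first_alert = None
    for step in result.steps:
        hits = [ts for ts, _, _ in alerts if step.when <= ts <= step.when + window]
        detected.append(bool(hits))
        if hits and (first_alert is None or min(hits) < first_alert):
            first_alert = min(hits)
    reached = result.reached_at is not None
    return {
        "target": result.target,
        "success": reached,
        "time_to_target_s": int((result.reached_at - start).total_seconds()) if reached else None,
        "detected": detected,
        "detection_delay_s": int((first_alert - start).total_seconds()) if first_alert else None,
        # Detection only counts if it fired before the target was reached.
        "noticed_before_target": first_alert is not None
        and (not reached or first_alert <= result.reached_at),
        "hardest_step": max(s.difficulty for s in result.steps),
    }


def summarize(results, alerts):
    return [assess_target(r, alerts) for r in results]


def render_report(summary):
    """Plain-text deliverable: per-target outcome, chain difficulty and detection."""
    lines = []
    for s in summary:
        lines.append(f"{s['target']}: {'ACCESS GAINED' if s['success'] else 'ACCESS FAILED'}")
        if s["success"]:
            lines.append(f"  time to target: {s['time_to_target_s'] // 60} min")
        lines.append(f"  hardest step (1-5): {s['hardest_step']}")
        lines.append(f"  steps detected by monitoring: {sum(s['detected'])}/{len(s['detected'])}")
        lines.append(f"  detected before target reached: {'yes' if s['noticed_before_target'] else 'no'}")
    return "\n".join(lines)


def at(hour: int, minute: int) -> datetime:
    return datetime(2005, 4, 12, hour, minute)


# Constructed test timeline for two agreed targets.
RESULTS = [
    TargetResult("Customer database", [
        AccessStep(at(9, 0), "network discovery from contractor VLAN", 1),
        AccessStep(at(9, 45), "file server access via weak service-account password", 2),
        AccessStep(at(10, 20), "database credential found on backup share", 3),
    ], reached_at=at(10, 35)),
    TargetResult("Executive mailboxes", [
        AccessStep(at(12, 0), "mail gateway enumeration", 2),
    ], reached_at=None),
]

if __name__ == "__main__":
    print(render_report(summarize(RESULTS, parse_alerts(ALERT_LOG))))
```

Run as-is, the report shows that the customer-database chain succeeded in 95 minutes, that two of its three steps produced alerts and that the first alert fired long before the target was reached, while the third step (the one that actually exposed the target) went unnoticed. That last gap is the kind of finding a reader would expect under “notable vulnerabilities and suggested remedies”.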

Vulnerability tests present a complete picture of an organization’s technical vulnerabilities. They provide both a baseline of the environment to be used for future analysis and a demonstration tool for process effectiveness within the overall security posture. Vulnerability assessments, however, are most useful when combined with a program assessment to detail the “why” behind the “what.”

Vulnerability management is at the crux of an organization’s ability to sense and then respond to changes in the security environment. It should include taking an inventory of an organization’s existing technology to get an assessment of vulnerabilities, and devising a plan for improvement. Vulnerability management is about a proactive approach to inherent technological risk, threats and practices.

To improve vulnerability management, regularly conduct routine vulnerability assessments (network and application architecture, operating system configuration, and internal and external reviews) and third-party penetration testing. Become aware of real-time changes in the technical vulnerability landscape and understand their implications for your enterprise systems. Maintain a proactive patch-management program and combine it with strong configuration management.
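The cycle the last three paragraphs describe, inventory the technology, match it against known vulnerabilities, check configuration against a baseline, and turn the result into a prioritized improvement plan that can be compared with the previous assessment, is small enough to show end to end. The Python below is an added example for this page, not code from the column or from SunGard. The inventory, the advisory identifiers (`ADV-0001` and so on are placeholders, not real advisories), the version numbers, the configuration baseline and the exposure-based priority weighting are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.0.52' into (2, 0, 52) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Asset:
    name: str
    exposure: str             # "internet" or "internal"
    software: Dict[str, str]  # product -> installed version
    config: Dict[str, str]    # selected settings as observed on the host


@dataclass
class Advisory:
    advisory_id: str  # placeholder id, constructed for this example
    product: str
    fixed_in: str     # first version that contains the fix
    severity: int     # 1 (low) .. 10 (critical)


# Constructed inventory; names, versions and settings are not real systems.
INVENTORY = [
    Asset("web01", "internet", {"httpd": "2.0.52", "openssl": "0.9.7"},
          {"default_admin_password": "unchanged", "banner": "verbose"}),
    Asset("fs01", "internal", {"samba": "3.0.10"},
          {"default_admin_password": "changed", "banner": "minimal"}),
    Asset("db01", "internal", {"postgresql": "8.0.1"},
          {"default_admin_password": "changed", "banner": "minimal"}),
]

# Constructed advisory feed with placeholder identifiers.
ADVISORIES = [
    Advisory("ADV-0001", "httpd", "2.0.54", 7),
    Advisory("ADV-0002", "openssl", "0.9.8", 9),
    Advisory("ADV-0003", "samba", "3.0.11", 6),
    Advisory("ADV-0004", "postgresql", "8.0.1", 5),  # db01 is already at the fixed version
]

# Configuration baseline every host is expected to meet (the "default install" check).
BASELINE = {"default_admin_password": "changed", "banner": "minimal"}


def match_advisories(asset: Asset, advisories: List[Advisory]) -> List[Advisory]:
    """Advisories that apply: product installed and version older than the fix."""
    return [adv for adv in advisories
            if adv.product in asset.software
            and parse_version(asset.software[adv.product]) < parse_version(adv.fixed_in)]


def config_drift(asset: Asset, baseline=BASELINE) -> Dict[str, str]:
    """Baseline keys whose observed value differs (missing counts as drift)."""
    return {k: asset.config.get(k) for k, v in baseline.items() if asset.config.get(k) != v}


def priority(asset: Asset, severity: int) -> int:
    # Internet-facing hosts get double weight so they are remediated first.
    return severity * (2 if asset.exposure == "internet" else 1)


def build_plan(inventory, advisories, baseline=BASELINE):
    """One prioritized action per applicable advisory or baseline deviation."""
    plan = []
    for asset in inventory:
        for adv in match_advisories(asset, advisories):
            plan.append({"asset": asset.name, "ref": adv.advisory_id,
                         "action": f"upgrade {adv.product} {asset.software[adv.product]} -> {adv.fixed_in}",
                         "priority": priority(asset, adv.severity)})
        for key, observed in config_drift(asset, baseline).items():
            plan.append({"asset": asset.name, "ref": f"baseline:{key}",
                         "action": f"set {key}={baseline[key]} (observed {observed})",
                         "priority": priority(asset, 4)})
    plan.sort(key=lambda p: p["priority"], reverse=True)  # stable: ties keep inventory order
    return plan


def compare_assessments(previous, current):
    """Use the earlier plan as the baseline: what is new, what was resolved."""
    prev_keys = {(p["asset"], p["ref"]) for p in previous}
    cur_keys = {p["asset"], p["ref"]} if False else {(p["asset"], p["ref"]) for p in current}
    return {"new": cur_keys - prev_keys, "resolved": prev_keys - cur_keys}


if __name__ == "__main__":
    for item in build_plan(INVENTORY, ADVISORIES):
        print(f"[{item['priority']:>2}] {item['asset']}: {item['action']} ({item['ref']})")
```

The ordering matters more than the arithmetic: the internet-facing host with the critical library advisory comes first, the same host’s unchanged default credentials (the column’s “poor security”, not a vulnerability in the code sense) come before the internal file server’s patch, and the host already at the fixed version generates no work. Running `compare_assessments` on two successive plans gives the baseline-for-future-analysis view the column recommends.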

For more information from SunGard:
www.rsleads.com/504cn-250

Carl Herberger manages the professional services security practice at SunGard Availability Services, Wayne, Pa. Send comments for publication to guest@comnews.com.